VIRUS-L Digest   Sunday, 1 Sep 1996   Volume 9 : Issue 153

Today's Topics:

Re: Looking for feedback on Norman NVC
Re: DR.Soloman updates
Where can I get 'Word file format' specific document?
Re: US Army troubled by viruses in Bosnia
Re: Use of VIRUS-L
Re: Looking for feedback on Norman NVC
Re: Use of VIRUS-L
Re: DR.Soloman updates
Anti-virus Policy & Procedures
McAfee Sales Reps (was: Re: Intel LanDesk)
Re: US Army troubled by viruses in Bosnia
Re: McAfee Scan for Linux? (UNIX)
Netscape and printing problems (MAC)
NTFS Questions (NT)
Re: Simple question - please answer? (WIN95)
NAV95 and Excel Files (WIN95)
Re: Simple question - please answer? (WIN95)
Re: Recurrent Tentacles virus following disinfect (WIN)
Re: Virus deleting certain .DLL files?? (WIN)
Re: Hare virus mini-FAQ (PC)
Re: Vesseling Bontchev's paper 'Vircing the InVircible' (PC)
Re: NATAS.4744 (PC)
Re: How to remove Mongolian Virus in MBR on D: drive? (PC)
Re: Can't use clean boot disk (PC)
Re: Vacsina virus trouble (PC)
Dr. Solomon VS TBAV. (PC)
Re: AVP (was: Re: Vesseling Bontchev's paper...) (PC)
Re: Hare virus mini-FAQ (PC)
Neuroq/Nightfall (5) (PC)
Re: Hare virus mini-FAQ (PC)
Scanner VS Generic recommendations (PC)
Re: Empire.B.Monkey oddity ?? (PC)
Re: help required concerning PARITY BOOT B virus (PC)
Re: How to remove Mongolian Virus in MBR on D: drive? (PC)
Re: Hare virus mini-FAQ (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Fri, 30 Aug 1996 13:29 +0000
From: Graham Cluley
Subject: Re: Looking for feedback on Norman NVC
X-Digest: Volume 9 : Issue 153
In-Reply-To: <01I8UXKMTNNO1GFVOF@csc.canterbury.ac.nz>

patgib@icanect.net writes:

> I am in the market for a first rate AV program and a friend of mine
> suggested NVC by Norman Data Defence. I have never heard of this
> software before and it is not in any reviews.

Most of the competent comprehensive anti-virus comparative reviews do include Norman in their tests (eg. University of Hamburg, University of Tampere, Virus Bulletin, etc). You can find a whole pile of independent comparative reviews and links to the above sites at

   http://www.drsolomon.com/avtk/reviews

You'll also find links to other anti-virus vendors.

Regards
Graham

--
Graham Cluley                          CompuServe: GO DRSOLOMON
Senior Technology Consultant,          UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.       US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com        UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com          USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!
------------------------------

Date: Fri, 30 Aug 1996 13:30 +0000
From: Graham Cluley
Subject: Re: DR.Soloman updates
X-Digest: Volume 9 : Issue 153
In-Reply-To: <01I8UXKMTNNO1GFVOF@csc.canterbury.ac.nz>

Bob Jones writes:

> I just ordered Dr. Soloman virus scanner...are the monthly updates
> available via internet?

Presently we make all our updates/upgrades available via the regular postal service. This means they land slap-bang in the middle of your desk where you can't ignore them.. it also means you save yourself money because you don't have to keep on checking out a net site. This service is included in the regular price of Dr Solomon's so remember to send in your registration card (otherwise we won't know to send you the updates you've already paid for).

However, some people are asking us now for updates over the net so our webmaster is investigating a way of doing this securely in a way everybody will find satisfactory. Anyone with any comments/feedback is invited to contact our webmaster: webmaster@uk.drsolomon.com

Regards
Graham

--
Graham Cluley                          CompuServe: GO DRSOLOMON
Senior Technology Consultant,          UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.       US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com        UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com          USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Fri, 30 Aug 1996 11:12:51 +0000 (GMT)
From: sesame
Subject: Where can I get 'Word file format' specific document?
X-Digest: Volume 9 : Issue 153

'cause I want to write anti-macro ware, so I have to research the Word file format. Could anybody help me to find the details... thanx...

slash <- stscan author...

------------------------------

Date: Fri, 30 Aug 1996 14:28:23 +0100
From: Olivier MJ Crepin-Leblond
Subject: Re: US Army troubled by viruses in Bosnia
X-Digest: Volume 9 : Issue 153

George Smith <76711.2631@CompuServe.COM> wrote:

[...]
> Infections by Monkey, AntiEXE and Prank Macro caused computer software
> malfunctions and related problems which "forced Army personnel to waste
> hundreds of hours finding the viruses and cleaning them from the
> systems . . ."

This piece of news, if true, is staggering. One would expect that personnel out in the field would have been briefed about the danger of computer viruses and how they propagate; one would have thought that an official policy was out there to prevent this sort of thing from happening. Furthermore, one would have expected any equipment to be used in "active service" to run standard virus shielding programs protecting from at least the most common viruses out there.

Olivier C-L
--
foobar@ic.ac.uk   ocl@gih.com

------------------------------

Date: Fri, 30 Aug 1996 09:53:57 -0400
From: Dwight Tuinstra
Subject: Re: Use of VIRUS-L
X-Digest: Volume 9 : Issue 153

On Fri, 30 Aug 1996, PO1 Post wrote:

[snip]

> Virus-l has become a backyard fence so that people with
> dissenting views of each other, or their products, can yell at each
> other! Often for pages and pages. Also, the sounds of hawkers
> touting their wares fills the air.

I find many of these discussions to be informative --- they aren't just yelling at each other, but often debating technical points. I've learned a good deal about the workings of viruses and anti-virus programs by following these discussions. It also gives me additional information for evaluating/recommending products.

> This has made the virus-l digest unnecessarily lengthy. I have a
> solution. If you want to dispute others' work, e-mail them. If you
> want to tell everyone how good your company's new program or service
> is, rent a billboard.

I value the information. If there are lengthy posts that aren't of interest to me, I just scroll past them. Doesn't take that much extra time, at least with my mail program.

> I'm sure most people don't have enough time to listen to all
> this prattle, I don't.
> I merely want to know about the latest
> viruses and how to combat them.

I want to understand what's going on --- not just the technical issues, but the personalities, support policies, responsiveness, etc. of the members of the anti-virus community.

--dwight

+--dwight tuinstra------------------------tuinstra@clarkson.edu--+
| academic computing consultant             voice: (315) 268-2292 |
+--clarkson university, potsdam ny----------fax: (315) 268-6570--+

------------------------------

Date: Fri, 30 Aug 1996 13:44:51 -0400
From: Bill lambdin
Subject: Re: Looking for feedback on Norman NVC
X-Digest: Volume 9 : Issue 153

patgib@icanect.net writes

>I am in the market for a first rate AV program and a friend of mine
>suggested NVC by Norman Data Defence. I have never heard of this
>software before and it is not in any reviews.
>
>If anyone is using this software, please email me with your
>recommendation. I would like to hear the pro's as well as the con's.

I evaluated the scanner, and the behaviour blocker in Norman earlier.

I recommend Norman Data Defence as a scanner. It did detect in excess of 90% of my collection.

I refuse to recommend Norman as a generic virus detector. The behaviour blocker failed to perform as advertised.

Bill Lambdin
--------------------------------------------------------------------------
vfreak@skn.net               PGP fingerprints   9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                      C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Fri, 30 Aug 1996 13:44:55 -0400
From: Bill lambdin
Subject: Re: Use of VIRUS-L
X-Digest: Volume 9 : Issue 153

PO1 Post writes

> Greetings to the assembled host of honoraries. I have been receiving
>the Virus-l digest for some time and I have noticed a disturbing
>trend.

I wouldn't consider myself as one of the honoraries, but here is my two cents.

> Virus-l has become a backyard fence so that people with
>dissenting views of each other, or their products, can yell at each
>other! Often for pages and pages.
> Also, the sounds of hawkers
>touting their wares fills the air.

After reading your post, I am guessing that you are referring to posts concerning Zvi Netiv and myself.

I would agree with you about the blatant advertising. However, I must disagree with you about dissenting views. Are you willing for A-V developers, and agents for a program, to make preposterous claims about the effectiveness of said program without permitting unbiased evaluators to report problems in said programs?

Bill Lambdin
--------------------------------------------------------------------------
vfreak@skn.net               PGP fingerprints   9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                      C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Fri, 30 Aug 1996 14:28:53 -0600
From: George Wenzel
Subject: Re: DR.Soloman updates
X-Digest: Volume 9 : Issue 153

In article <0005.01I8WKZXOUZK1GG74R@csc.canterbury.ac.nz>, jones4@llnl.gov says...

>I just ordered Dr. Soloman virus scanner...are the monthly updates
>available via internet?

I don't think they are currently, but they may add that service in the future. Currently, you send in your registration card to receive your updates. (They come via regular mail.)

Regards,
George Wenzel

------------------------------

Date: Fri, 30 Aug 1996 16:48:59 -0400
From: Michael Deloughery
Subject: Anti-virus Policy & Procedures
X-Digest: Volume 9 : Issue 153

I am interested in any sources of information (printed or electronic) on developing Anti-virus Policies & Procedures for an organization. I am also open to any suggestions or advice from those who have gone through the exercise of creating policies and working to implement them.

I am giving a seminar in which we discuss anti-virus policy development and would be happy to credit any and all input that I receive. I would also do my best to summarize the input and send it back here for general consumption.
Thanks in advance,

Michael Deloughery
Sensible Security Solutions
md@magi.com

[Moderator's note: You have, of course, already perused the excellent advice in the FAQ?? 8-) ]

------------------------------

Date: Fri, 30 Aug 1996 14:51:28 -0700
From: dgpile@sprynet.com
Subject: McAfee Sales Reps (was: Re: Intel LanDesk)
X-Digest: Volume 9 : Issue 153

On 8/30/96, responding to my observations which included the reference to McAfee's Cleveland seminar in March, Jimmy cjkuo@mcafee.com wrote:

>>Back in March, McAfee announced licensing of Word file structure (the exact
>>wording escapes me) at a Cleveland seminar and recently M$ has announced the
>
>The first part is false. We have NOT licensed the Word file structure
>or any such thing.
>
>>inclusion of McAfee code in some of their products.
>
>This second part is true.

Jimmy, your reps who were in Cleveland specifically mentioned an agreement with Microsoft regarding the Word file structure. I have posted several questions to McAfee to follow up on this but no response. Your denial of such an agreement would indicate that the need to ask questions of everyone is as important as I suggested in the previous Intel Landesk thread. Perhaps your remarks earlier regarding the Laroux virus and your Marketing people should be extended to those folks who make the rounds and position McAfee in public. Too bad tape recorders weren't running that day.

David G. Pile
Network Analyst
National City Bank
Cleveland, OH

"I know enough to know that I don't know enough."

------------------------------

Date: Sat, 31 Aug 1996 00:44:22 +0000 (GMT)
From: John Gog
Subject: Re: US Army troubled by viruses in Bosnia
X-Digest: Volume 9 : Issue 153

George Smith <76711.2631@CompuServe.COM> wrote..

> Writing in an article entitled "US Army Seeks Computer Antivirus Plan"
> in the August 26 issue of _Defense News_ magazine, reporter
> Pat Cooper reveals the US Army suffered from serious computer virus
> infections while deployed in Bosnia.
I just left a group working on a contract with the US Army Reserve. If the Army's attitude is anything like USARC's, having virus attacks is hardly surprising. We had numerous infections with Concept, Forms, and, to a lesser extent, Anticmos. Forms is so prevalent at government agencies, it's called the "government virus." The low point came when a group of officers and NCOs in a meeting started passing disks around to load data on their laptops, resulting in 13 laptops being infected with up to three viri each. All this was managed within a few minutes. It took two of us an hour to clean up the mess.

--
John Gog
ASD
Opinions are my fault and certainly not those of my employer or our clients. Advice is worth what it cost.

------------------------------

Date: Fri, 30 Aug 1996 14:35:42 -0400 (EDT)
From: Pete Radatti
Subject: Re: McAfee Scan for Linux? (UNIX)
X-Digest: Volume 9 : Issue 153

Pavel Machek wrote:

> Lenz Grimmer (lenzg@ba-mannheim.de) wrote:
> : Thanks a lot to all of you guys out there that replied to my query.
> : I found Scan for Linux on different sites, but haven't downloaded it
> : yet, since it is quite HUGE (1,5M tar-File) for a virus-scanner and I
> : just have a modem... (German Telecom sucks!)
> :
> : IMHO McAfee should also be offering a packed version but I shouldn't
> : complain, at least they have a Linux-Version available :-)
>
> Could you please tell me why you need scan for linux? I do not think
> there are any viruses under linux, so what do you want to scan for? And if
> you want to scan for dos viruses launch dosemu and scan in it!

The Typhoid Mary Syndrome is a good reason, but on a non-networked Linux system the fact that the CPU and BIOS are the same as for MSDOS is a better reason. Finally, boot sector viruses really don't care what operating system you are running since they execute prior to the OS being loaded.
For more information take a look at http://www.cyber.com/papers with special attention to "The Plausibility of UNIX Virus Attacks", http://www.cyber.com/papers/plausibility.html

The other white papers may also be worth a quick read.

Pete Radatti

------------------------------

Date: Sat, 31 Aug 1996 03:40:23 +0000 (GMT)
From: Claay
Subject: Netscape and printing problems (MAC)
X-Digest: Volume 9 : Issue 153

A couple of days ago I learned of a mirror site that had the recently hacked Justice page on it. Curiosity being the better part of stupidity, I decided to stop in and take a look. The next morning, I booted up Netscape and had it freeze my Mac. Rebooted and tried to use the printer, froze, after which I couldn't get the computer to boot up (would always freeze before finishing). After removing the Desktop Print Monitor, I could start my machine, but had numerous problems: all of my online software was disabled, I couldn't run anything from CD or disk, all large applications would quit immediately with error 1 messages. And the oddest thing: under the apple menu, directly under the "About This Macintosh" heading, was a strip that read "U.S.". It just sat there -- couldn't open it, couldn't get rid of it (until I reinstalled all my system software), have no idea where it came from.

Is there any way something could have been in that page, which spent a while in my browser cache? Has anyone ever heard of something like this happening?

Thanks,
Claay

------------------------------

Date: Fri, 30 Aug 1996 20:26:40 +0200 (MET DST)
From: Marc Blanchard
Subject: NTFS Questions (NT)
X-Digest: Volume 9 : Issue 153

I have a simple question about NTFS. Can someone tell me whether some DOS boot or MBR viruses can destroy an NTFS partition?

Case No. 1: With NT, we can have a dual boot, either booting DOS or booting NT.

Case No. 2: We can also have a direct NTFS partition and boot on it.

I have never dumped a FAT + NTFS partition table in hexadecimal, so if we take the first case, if I rewrite, in hexadecimal, a DOS partition (FA 33, ....), will my NTFS partition be destroyed? If yes, what can I use to ...?

If somebody has the NTFS boot sector in hexadecimal, thanks to send it to me by mail.

mbl@wanadoo.fr

------------------------------

Date: Fri, 30 Aug 1996 13:30 +0000
From: Graham Cluley
Subject: Re: Simple question - please answer? (WIN95)
X-Digest: Volume 9 : Issue 153
In-Reply-To: <01I8UXKMTNNO1GFVOF@csc.canterbury.ac.nz>

Shane Coursen writes:

> Let's assume you are running pure DOS. At this point, you would rely
> on the AV's DOS TSR.
> As long as the TSR is active and configured
> properly, the AV product will scan the downloaded file for known
> viruses.

It should be borne in mind that most DOS anti-virus TSRs do not detect as many viruses as their command-line equivalent (this is a problem not usually suffered by anti-virus VxDs). For example, many anti-virus TSRs have difficulties with polymorphic viruses, and I'm not sure of any TSRs that can handle Word macro viruses. And some anti-virus TSR developers have made a conscious decision to only attempt to look for "in the wild" viruses in their TSR. I should make clear this isn't the philosophy of our product.

The University of Tampere just did some anti-virus tests, including tests of anti-virus TSRs. Their results can be found at

   http://www.uta.fi/laitokset/virus/

You will usually have several choices on how to configure the AV TSR, for example - scan when executing the file, scan when creating the file (which occurs (I believe) *after* the file is actually downloaded), or scan when opening the file.

Regards
Graham

--
Graham Cluley                          CompuServe: GO DRSOLOMON
Senior Technology Consultant,          UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.       US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com        UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com          USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Fri, 30 Aug 1996 12:20:50 -0400
From: Leslie Pearson
Subject: NAV95 and Excel Files (WIN95)
X-Digest: Volume 9 : Issue 153

I've got NAV for Windows 95 and the latest (8/96) update. I've set it to autoprotect .xl? files and whenever I open an Excel spreadsheet I get a message about Excel writing to the spreadsheet. This doesn't happen with Word files. Is this a bug or a feature?
Leslie Pearson (lespea@muze.com)

------------------------------

Date: Sat, 31 Aug 1996 07:54:49 +0000 (GMT)
From: Robert HULL
Subject: Re: Simple question - please answer? (WIN95)
X-Digest: Volume 9 : Issue 153

In article <0022.01I8WKZXOUZK1GG74R@csc.canterbury.ac.nz> kmurcray@odin.cair.du.edu "PEREGRINE" writes:

> Bob Carroll (carroll@abac.com) wrote:
> >Could someone recommend a product for me?
[big snip]
> >It's for use on my personal home computer. No network. Running Windows 95.
>
> The nastiest, most diabolical virus ever written in my opinion. Read this
> group for a while, and you'll see why I think so (about 95% of the "virus"
> attacks on windows 95 machines seem to be windows itself).

I would think that Windoze '95 qualifies better as a Trojan than a virus; AFAICT, M$ have not yet made it self-replicating ;-)

--
Robert

In the interest of greater transparency, my new sig follows:

------------------------------

Date: Fri, 30 Aug 1996 14:03:53 +0000 (GMT)
From: "Sean C. Rogers"
Subject: Re: Recurrent Tentacles virus following disinfect (WIN)
X-Digest: Volume 9 : Issue 153

1234 (1234@raffles.technet.sg) wrote:
: Information on this virus is welcomed. My system has been hit by this
: virus. Although with each scan McAfee could detect and clean it,
: subsequent scans still reveal its presence. Most of my exe files in my
: windows sub-directory have been corrupted and had to be reinstalled. Help
: please.

Get F-Prot, it should fix it.

------------------------------

Date: Fri, 30 Aug 1996 15:51:05 +0000 (GMT)
From: Jerry Clement
Subject: Re: Virus deleting certain .DLL files?? (WIN)
X-Digest: Volume 9 : Issue 153

In article <0013.01I8THBE1QNQ1GFVOF@csc.canterbury.ac.nz>, cowpks@lisp.com.au wrote:

>I have a client who reports strange behaviour on his work and home
>computer. Suddenly some of his programs started reporting missing DLL
>files. When he checked, all the DLL's started with the letters A, B and C.
>This occurred over the 23-26/8/96 period.
>He reloaded these programs and
>hasn't yet had the opportunity to check if the problem reoccurred.

I've had some UNINSTALL programs do this to me recently. A little arrogant in their thinking that only their programs use the files and just remove them arbitrarily.

Jerry Clement
gclement@earthlink.net
Van Nuys, CA

------------------------------

Date: Fri, 30 Aug 1996 13:29 +0000
From: Graham Cluley
Subject: Re: Hare virus mini-FAQ (PC)
X-Digest: Volume 9 : Issue 153
In-Reply-To: <01I8UXKMTNNO1GFVOF@csc.canterbury.ac.nz>

Zvi Netiv writes:

> Booting clean won't help accessing a hard drive that had its MBR
> infected with Hare as the partition table data is zeroed by the
> virus.

That's not quite right. After booting clean you can run an anti-virus product (like Dr Solomon's Anti-Virus Toolkit) to clean up the partition. Even simpler, you could restore a backup of the partition sector.

> AV software that I tried (Dr. Solomon's FindVirus 7.62 and 7.63, and
> F-Prot 2.24a - both recognize Hare) were able to tell that the MBR
> was infected by Hare but couldn't recover the MBR from.

Shame you didn't use CleanPart in Dr Solomon's Anti-Virus Toolkit. That will clean up the infected partition sector. We keep telling you this. You keep ignoring us.

Regards
Graham

--
Graham Cluley                          CompuServe: GO DRSOLOMON
Senior Technology Consultant,          UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.       US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com        UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com          USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!
------------------------------

Date: Fri, 30 Aug 1996 14:20 +0000
From: Graham Cluley
Subject: Re: Vesseling Bontchev's paper 'Vircing the InVircible' (PC)
X-Digest: Volume 9 : Issue 153
In-Reply-To: <01I8UXKMTNNO1GFVOF@csc.canterbury.ac.nz>

Iolo Davidson writes:

> In article <0037.01I8SCLP1T5S1GFVOF@csc.canterbury.ac.nz>
> netz@actcom.co.il "Zvi Netiv" writes:
>> I am often asked, in this group and elsewhere, to address the issues in
>> 'Vircing the InVircible', a paper written by Vesselin Bontchev,
>> shortly before he started working for Frisk Software.
>
> While he was a graduate student at the University of Hamburg,
> with no affiliation to any AV producer, you mean?
>
>> The following was posted on Compuserve and is brought here with the
>> permission of its author. Mr. Green is an independent computer
>> specialist working for a US firm. Robert Green has no affiliation with
>> NetZ Computing nor with myself.
>
> Just like Mr. Bontchev when he wrote his paper.
>
> OK, I've read it, and nowhere does Mr. Green say that you have
> fixed the problem Mr. Bontchev reported.
>
> Why not?
>
> Seems to me that Mr. Green's excuses do not "address the issues"
> in Mr. Bontchev's paper. They do not even address the single
> issue that he attempts to address. Fixing the problems would be
> the way to address these issues.
>
> Mr. Green's claims that Dr. Solomon's doesn't detect a particular
> virus in memory will no doubt be addressed by S&S by adding
> memory detection for that virus, if in fact it hasn't already
> been done.

Mr Green refers to BootEXE.452; we believe he means the virus we call BootEXE.mp.cav.452. We had an error in our memory-detection for this virus, which has now been fixed.

BootEXE.mp.cav.452 was first added to our virus collection in July 1992. I have been unable to find any records of any user of Dr Solomon's ever being infected by this particular virus or ever experiencing the problem he described.
As far as I can discern the virus has never been considered to be in the wild either.

So, we have added detection in memory of this virus that none of our users have ever been infected by, and that has never been reported to the best of our knowledge in the wild. We apologise for this oversight. I don't believe it is any reason for people to panic however.

Bob Green goes on to say that there is no way to quit FindVirus. This is incorrect. There are at least two ways of quitting FindVirus (one documented in our manual, one undocumented but available from our tech support desk).

It is also perfectly possible to run FindVirus such that it checks his hard disk's partition sector and boot sector and *doesn't* check any files if he so wishes. Again, this is documented in the manual. If Bob would like some assistance on how to set up FindVirus to do this I invite him to contact our technical support department (details below) so they can direct him to the relevant part of the manual. I'm afraid I'm out of the office for a couple of weeks so will not be emailable.

Bob Green also describes his experiences with a virus he calls "Dark Avenger.1020". We can find no trace of a virus with this name; the closest we can discover is a virus called Dark Apocalypse.1020.

Dark Apocalypse.1020 was added to our virus collection in February 1994. We repaired infected files okay, apart from one field in the EXE header (the minimum number of paragraphs of memory required is increased by 0x40). This has now been fixed in all three variants.

I have been unable to find any records of any user of Dr Solomon's ever being infected by this particular virus or ever experiencing the problem he described. As far as I can discern the virus has never been considered to be in the wild either.

So, we have fixed the repair of this virus that none of our users have ever been infected by, and that has never been reported to the best of our knowledge in the wild. We apologise for this oversight.
Again, no reason to panic.

Summary:

1) A virus which hasn't been seen in the wild, and has never been encountered by our customers, was not detected in memory by FindVirus. We fixed the problem.

2) A virus which hasn't been seen in the wild, and has never been encountered by our customers, had a minor imperfection in its repair routine within FindVirus. We fixed the problem.

3) A user was unfamiliar with how to run FindVirus. We have advised him to contact technical support for assistance on where to look in the manual.

We're grateful for being informed of the two bugs mentioned above. Although neither can be considered worthy of panic we always welcome the opportunity to make our product even better.

I think the above also underlines the importance of contacting technical support if people have a problem with software. In this instance, if the user had reported the imperfections to our technical support department rather than posting them to CompuServe (and allowing a competing anti-virus vendor to repost them on the internet) we would have been able to help him find the relevant section of our manual and advise him on how to run our software. Furthermore the imperfections would have been fixed faster. We have an eager team of people on the edge of their seats ready for email to arrive at support@uk.drsolomon.com - why not use it?

One way in which users should judge an anti-virus company is by the quality of their technical support, how they react to criticism, etc. Nuff said.

BTW, what's all this got to do with "Vircing the InVircible"? Other than it being originally posted by the author of InVircible, of course.

Regards
Graham

--
Graham Cluley                          CompuServe: GO DRSOLOMON
Senior Technology Consultant,          UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.
                                       US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com        UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com          USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Fri, 30 Aug 1996 15:48:24 +0000 (GMT)
From: Jerry Clement
Subject: Re: NATAS.4744 (PC)
X-Digest: Volume 9 : Issue 153

In article <0040.01I8WKZXOUZK1GG74R@csc.canterbury.ac.nz>, "Chengi J. Kuo" wrote:

>Jerry Clement writes:
>>This may be old news to some but I just dealt with this virus on my son's
>>PC. I initially did a scan c: with V251 McAfee and it found nothing, then
>>used scan c: /all and it found this virus attached to 12 files, mostly
>>drivers. The list I found it on is below:
><>
>
>The 1xe and 2xe files are probably older versions of the same files
>you have as exe files, that you saved away.

Yes...they did clean up just fine, sorry I didn't mention it. It's a clean sweep now. I was just a little taken aback by the types of files that it was attached to.

Jerry Clement
gclement@earthlink.net
Van Nuys, CA

------------------------------

Date: Fri, 30 Aug 1996 12:02:41 -0400
From: borsos@r1.atki.kfki.hu
Subject: Re: How to remove Mongolian Virus in MBR on D: drive? (PC)
X-Digest: Volume 9 : Issue 153

William Tan asked:

>My PC was badly infected by Mongolian Virus recently. I managed to remove
>it from my C drive, but I was not able to remove it from D: drive's MBR.
>I have reformatted D: drive, I even deleted the partition and reformatted
                                     ^^^^^^^^^^^^^^^^^^^^^

If you deleted the partition with FDISK, then the CODE part remained intact; FDISK deletes only the partition table data (cyl, heads, etc.). If you simply create a new partition table you still use the old code where the virus is. It seems (I tested it) that when creating a new partition table FDISK inspects the last two bytes of the MBR sector. If they are hex 55AA, then it thinks the code is OK, so it writes only the partition table.
By spoiling these two bytes you can force FDISK to write a new code as
well. Try the following:

1. Delete the Partition with FDISK
2. With some Hexa disk editor (e.g. Norton DiskEdit) edit the Partition
   Table sector and change the last byte to Hexa BB.
3. Create a new partition table with FDISK in the usual way.
4. Format the disk in the usual way.

>again, but it is still there after formatting. I have also tried
>using FDISK /MBR, Scan D: /Boot, and TBUTIL, but these commands just will
       ^^^^^^^^^^

FDISK /MBR is useless for the second drive, it changes only the first
one.

>not able to remove Mongolian Virus from the MBR of the D: drive.

I don't know the Mongolian but I hope you'll be able now.

Good luck!

Istvan

------------------------------

Date: Fri, 30 Aug 1996 10:45:00 -0700
From: Don.Edwards@ci.seattle.wa.us
Subject: Re: Can't use clean boot disk (PC)
X-Digest: Volume 9 : Issue 153

Several things to clarify here.

From: Don Rising
>I have a Western Digital 540 drive which was originally set up at a time
>when DOS could only support about 515 Megs.

There never was such a time. DOS originally could support drive
partitions up to (if I remember correctly) 32 megs. Somewhere around
version 3, that was updated to 2 gigs, which is where it remains today.
Supposedly a new update will occur later this year or sometime next year.

The problem was a conflict between the IBM-designed BIOS spec (which
predates DOS 1) and the IDE drive spec. Either one separately supports
drives in the general area of 8-9 gigs, but the two together have a
limit of (depending on exactly how you count) around 512 megabytes.

An OS change *cannot* fix this in regard to the boot partition. On a
machine with an older BIOS, it doesn't matter what you are running, it
must be able to boot out of the first 512 meg. **SOME** OSes (no version
of DOS, not even Win95, included) then bypass the BIOS and speak IDE
directly, achieving full access to the 8 or 9 gig addressable space.
A BIOS upgrade *can* fix this. If you have *no* IDE drives but do have
SCSI drives, you'll use the BIOS on the SCSI controller. Or you may have
a newer BIOS on the motherboard, which supports LBA mode. This mode
remaps the 8-gig address space that the BIOS supports into the 8-gig
address space that IDE supports. (Then you run into the problem that DOS
only supports partitions up to 2 gig.)

Or a patch such as the Ontrack software can fix this. This software
basically replaces part of the BIOS. It has to load off a
BIOS-accessible partition, before the OS loads. Its partition is not a
DOS-compatible partition; once it loads, it hides that partition;
without it, there are no DOS-accessible partitions.

>The drive came with Ontrack software which does a dynamic drive
>overlay to get the full 540.
>
>My understanding is that I cannot repartition this with the current DOS
>6.22 capability to read large partitions without losing the information on
>the hard drive.

There are tools for non-destructive repartitioning of a hard drive
(subject to certain limits -- if you have a partition with 500 meg of
data actually stored there, and you shrink it to 400 meg, I seriously
doubt that you're going to keep all your data). They aren't part of DOS.
I have no experience with them and, right now, can't remember any names.

>When I make a boot disk and use it, and attempt read drive C:, I get the
>message
>
>  "invalid drive specification."

That's because you haven't loaded the OnTrack software off the hard
disk. It's OK, really.

>I recently had the Junkie virus, and found that Norton Antivirus could not
>fix the Junkie virus because of the overlay. I attempted to reload DOS
>and repartition, but lost the drive and had to restore from a backup. I
>also had trouble in installing DOS 6.22, and had to talk to Microsoft,
>Ontrack and Western Digital help desks before getting a successful
>installation.
>
>Does anyone know of any helpful software in dealing with this kind of
>overlay?
The best choice is a new motherboard or a BIOS upgrade, then getting rid
of the overlay. Unfortunately, that process involves backing up your DOS
partitions and repartitioning the drive, which destroys the data on it.

In the meantime:

(1) on a known virus-free machine, create a boot floppy with current
anti-virus software on it. DOS version (>3) doesn't matter, and a DOS
anti-virus program will work (for this process) regardless of your
DOS/Windows version. Make sure that the software you pick can be told to
clean an inaccessible drive. I know that F-Prot can do this with the
command F-PROT /HARD /DISINF so I would assume that other products have
a similar capability.

(2) turn your machine OFF. Accept no substitutes. Turn it back on and
immediately (without loading DOS) go into the BIOS settings. Make sure
that it is set to boot from A: first and that A: is correctly defined.

(3) put the boot floppy into the drive and exit from the BIOS settings.
Let it boot off the floppy. C: will not be accessible. Instruct the
virus software to check the hard drive anyway. It will check the Master
Boot Record only. That's OK. If it reports that it has removed a virus,
run it again.

(4) pop the floppy out (just enough that it can't be read -- you're going
to shove it back in in a moment) and reboot. Watch the screen carefully.
At some point in the OnTrack software loading, the possibility exists to
boot from floppy and you'll be told how to use that option. Do it. C:
will then be accessible. Run the anti-virus software again. Tell it to
check all files (since you *know* you had a virus before).

(5) When done, reboot strictly from the hard drive -- to a command prompt
-- and run the anti-virus software yet again. Repeat until the system
comes up clean. If it takes more than three tries, then most likely the
OnTrack partition is seriously infected and you'll have to consult
OnTrack for instructions on cleaning it up.
(6) In this process, all the virus scanning has been from a command
prompt. At that point, the DOS, Win3.x, and Win95 versions of any given
scanner ought to be equivalent. However, resident anti-virus software --
the kind that sits in the background watching for viruses in files you
read, and/or virus-like activity -- are more specific. A DOS TSR --
probably loaded from AUTOEXEC.BAT -- is sufficient for DOS, and for
Windows 3.x, but *not* for Windows 95 or for Windows for Workgroups
3.11. A Windows 3.x DLL -- probably loaded from SYSTEM.INI or WIN.INI,
possibly from the Startup group -- is sufficient for any version of
Windows 3.x including Windows for Workgroups 3.11. Windows 95 really
needs something specifically designed for Windows 95. Any other OS
(WindowsNT, OS/2, Linux, etc) really needs something designed for that
OS.

Using a resident scanner not designed for your OS leaves you *thinking*
you are protected, when in fact you are not. This is worse than the
complete absence of AV software.

Oh -- and one reminder. Microsoft Anti-Virus (MSAV/MWAV) was very poor
anti-virus software when it was released several years ago, and
Microsoft has never updated their release. By now, it simply doesn't
count.

- --------------------------------------
Opinions expressed here do not necessarily represent those of the City
of Seattle

------------------------------

Date: Fri, 30 Aug 1996 13:45:12 -0400
From: Bill lambdin
Subject: Re: Vacsina virus trouble (PC)
X-Digest: Volume 9 : Issue 153

S S International pl writes

>Vacsina is a COM infector, not a boot sector virus. [If you run an EXE
>file, it converts it to a COM, although the extension doesn't change; the
>second time this file is run, it infects it; the conversion adds around
>132 bytes, but is not, in itself, infectious]. It's not a polymorphic
>virus either.

Correct me if I am incorrect about this. But isn't Vacsina a sub family
of Vienna, and also non resident?
Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net                  PGP fingerprints  9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                        C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Fri, 30 Aug 1996 13:45:02 -0400
From: Bill lambdin
Subject: Dr. Solomon VS TBAV. (PC)
X-Digest: Volume 9 : Issue 153

PEREGRINE writes

>After extensive reading of various reviews, I decided against either of
>these. In my _OPINION_, the choice _AT THIS TIME_ is between Dr. Solomon
>and ThunderByte. I decided to go with ThunderByte. Here's why:

I have evaluated both products, and recommend both.

I noticed your comment about false alarms with TBAV. This happens
because the Heuristics can not be disabled.

My .02

Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net                  PGP fingerprints  9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                        C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Fri, 30 Aug 1996 13:45:17 -0400
From: Bill lambdin
Subject: Re: AVP (was: Re: Vesseling Bontchev's paper...) (PC)
X-Digest: Volume 9 : Issue 153

Keith Peer writes

>I can speak for AVP :-) but not Bill.

Touche. ;-)

I also speak for the effectiveness of the scanner portion of AVP, but
not for the U.S. AVP representative "Keith Peer"

>AVP is designed to be the world's most powerful virus scanner and
>cleaner not a generic virus detection tool. Within the AVP virus
>scanner is an option to create a CRC database to supplement the

I will vouch for the effectiveness of AVP as a scanner. It detects over
98% of my collection. However: the integrity checker failed my generic
A-V test.

I recommend AVP for what it does well "Detecting known viruses", and do
not recommend AVP as a generic virus detector.

Fair enough?
Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net                  PGP fingerprints  9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                        C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Fri, 30 Aug 1996 13:45:06 -0400
From: Bill lambdin
Subject: Re: Hare virus mini-FAQ (PC)
X-Digest: Volume 9 : Issue 153

Zvi Netiv

>Booting clean won't help accessing a hard drive that had its MBR infected
>with Hare as the partition table data is zeroed by the virus.
>
>AV software that I tried (Dr. Solomon's FindVirus 7.62 and 7.63, and
>F-Prot 2.24a - both recognize Hare) were able to tell that the MBR was
>infected by Hare but couldn't recover the MBR from.
>
>The MBR of a Hare infected hard drive can be recovered by any version of
>ResQdisk, from 1994.

sigh.

Zvi: Please leave evaluations to unbiased evaluators. You are the
developer of InVircible, RESQDATA, XMONKEY, and Xcaibua. You are a
competitor to both F-Prot, and Dr. Solomon's Anti-Virus toolkit, and
your comments should not be treated with much credibility because of
ulterior motives.

Now to my nitpick with your message. If Hare was present on the hard
drive during installation of IV, and preparation of the RESQDISK, the
RESQDISK will also be unable to repair the MBR.

There are several programs that save a copy of the MBR, and boot sector,
and have the ability to repair these system areas if a boot sector /MBR
virus infect these system areas.

DRFINFO
Integrity Master
NAB

and many many more.

Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net                  PGP fingerprints  9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                        C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Fri, 30 Aug 1996 16:29:18 -0700
From: Brian Williams
Subject: Neuroq/Nightfall (5) (PC)
X-Digest: Volume 9 : Issue 153

We use Norton Anti-virus to protect our systems. NAV detected the
"Neuroq/Nightfall (5)" but could not clean it.
Neither McAfee's latest nor F-Prot's latest could detect it. After
re-inoculating NAV did not detect it again. The only source for the
virus was off our network, our network is rather large and diverse. I
need to be sure we're infected before sounding the alarm. Anyone know
any sure-fire way to detect and/or clean this virus.

HELP! Please.

My E-Mail is Williamb@pwgsc.gc.ca

------------------------------

Date: Fri, 30 Aug 1996 11:50:54 -0400
From: Steven Hoke
Subject: Re: Hare virus mini-FAQ (PC)
X-Digest: Volume 9 : Issue 153

Zvi Netiv wrote:
> Doug Muth wrote:
> > Hare is a multipartite, stealth, memory resident, polymorphic virus.
> >
> > Stealth means that attempts to read infected files or boot
> > sectors while the virus is in memory will return what the item would have
> > looked like if it was not infected. The way around this is to boot from
> > a clean floppy and then you will be able to view infected areas of the
> > hard disk normally so you can use AV software.
>
> Booting clean won't help accessing a hard drive that had its MBR infected
> with Hare as the partition table data is zeroed by the virus.
>
> AV software that I tried (Dr. Solomon's FindVirus 7.62 and 7.63, and
> F-Prot 2.24a - both recognize Hare) were able to tell that the MBR was
> infected by Hare but couldn't recover the MBR from.
>
> The MBR of a Hare infected hard drive can be recovered by any version of
> ResQdisk, from 1994.

The MBR of a Hare infected hard drive can be recovered by any antivirus
utility that saves a copy of the MBR on an emergency floppy for later
restoration. It can even be recovered from with FixUtil6 (1993) or
DiskSecureII (1994), both freeware, as long as you have used it before
the infection to save a copy of the MBR.
- -
- -==Steve==--
shoke@baldcom.net
steven_hoke@msn.com

------------------------------

Date: Fri, 30 Aug 1996 14:57:58 -0400
From: Bill lambdin
Subject: Scanner VS Generic recommendations (PC)
X-Digest: Volume 9 : Issue 153

After observing the confusion from my comments about AVP, and Dr.
Solomon's Anti-Virus toolkit, I must clarify my position, because
several people missed it.

There are different methods of detecting viruses.

Scanners, and resident scanners use scan strings to detect known
viruses.

Generic detection detects new and unknown viruses without the use of
scan strings. Generic detection uses one or more of the following
techniques

a. Activity Monitors
b. bait files that try to entice viruses to infect them
c. behaviour blockers
d. integrity checking
and others

The scanner, and Generic tests, are two completely separate tests.

I recommend all scanners that detect a minimum of 90% of my collection.
I recommend AVP, and Dr. Solomon's Anti-Virus toolkit as scanners.

The Generic test is comprised of viruses that use a wide variety of
techniques in use by most viruses. Here is an abbreviated list of
various techniques used in the generic test.

Appending
companion infectors
cavity viruses
Entrypoint obscuring viruses
Full stealth
Multipartite viruses
non resident viruses
overwriting
partial stealth
polymorphic
Prepending
Resident viruses
Sector level stealth
Tunneling
etc

There are several programs that I recommend as generic virus detectors
that I would never recommend as a scanner.

The fact that AVP, and Dr. Solomon's Anti-Virus toolkit failed the
generic test was in no way a negative comment about the effectiveness
of these two programs in regards to what they do extremely well, i.e.
detecting known viruses with scan strings.

I hope this clears the air.
Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net                  PGP fingerprints  9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                        C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Sat, 31 Aug 1996 00:50:57 +0000 (GMT)
From: Bruce Burrell
Subject: Re: Empire.B.Monkey oddity ?? (PC)
X-Digest: Volume 9 : Issue 153

Karsten Ahlbeck (100554.2356@CompuServe.COM) wrote:

> Bruce Burell wrote:

Hmm. That's "Burrell". Very strange -- this typo has occurred twice in
as many days. Surely your software does this automatically? No matter;
just odd.

> >>> (Mr.Michael Hsu first asked:)
> >>>I have two computers; let's call them Computer A and Computer B. I scanned
> >>>a floppy disk using F-Prot 2.23a in Computer B. The floppy came up clean.
> >>>Then I put it in Computer A and copied a Word document from Computer A's
> >>>hard drive on the floppy.
> >>>When I put the floppy in computer B and scanned the floppy using F-Prot,
> >>>F-Prot said the Boot Sector of the floppy was infected with
> >>>"Empire.Monkey.B of the Stoned virus." I used F-Prot on Computer B to
> >>>disinfect the floppy.
> >>>I scanned the floppy again in Computer B to make sure it was clean. It
> >>>was. I went back to Computer A and recopied the Word document. I scanned
> >>>the floppy using Computer A's F-Prot 2.23a. The floppy came up clean. But
> >>>when I brought the floppy to Computer B and scanned it using F-Prot there,
> >>>it told me again that the floppy's Boot Sector was infected with
> >>>Empire.Monkey.B. Without disinfecting on Computer B, I brought the floppy
> >>>back to Computer A to check it. It came up clean. I brought it back to
> >>>Computer B and it came up infected.
> >>>
> >>>Why is this happening? Is Computer A infected? What should I do?
> >>
> >> (I, Karsten Ahlbeck, then replied:)
> >> Yes, Computer A is infected. Boot clean and run your AV software. Now look
> >> at that!
> >> Clean your computer (feel free to email me if you have questions)
> >> and scan *all* diskettes and clean them too.
> >>
> >>>I scanned the hard drives of both computers. They both came up clean.
> >>
> >> Because the virus was in memory already.
> >
> > (Bruce Burell stated:)
> > No, no; F-PROT detects Monkey in memory, so scanning on Computer A
> >(which you've snipped; see original) would have found Monkey before the
> >floppy was even accessed.
>
> Yes, yes; how could you otherwise possibly explain what happened above?

I understand your point, but (a) Monkey is the most common virus on my
campus, so I have plenty of experience with it, and (b) I've used F-PROT
long enough to know that it detects Monkey in memory.

How do I explain it? I don't know. Perhaps there is a F-PROT.BAT file
-- somewhere in the path before F-PROT.EXE on Computer A, or maybe
F-PROT.EXE has been renamed -- that includes a switch to exclude memory
scans, but in its default, no-switches mode, F-PROT detects Monkey in
memory, and has for years. The only other possibility that occurs to me
is that v.2.23a has a bug WRT Monkey -- but it doesn't; I just checked.
I infected my laptop with Stoned.Empire.Monkey.B, and after an infected
boot F-PROT.EXE from version 2.23a reported Stoned in memory. Since
precise identification isn't necessary in an infected environment, the
fact that F-PROT didn't detect Monkey precisely is moot.

> If a known clean floppy is accessed in another computer and then turns up
> with the boot sector infected....well I would become suspicious in any
> case.

I would, too. I've just used F-PROT enough to know that it can deal very
well with Monkey.

> Maybe F-prot was installed / activated on computer A after it had been
> infected?

Good idea, but it wouldn't matter for F-PROT.

> Anyway, if I am wrong, maybe you could help that user finding the answer?

I could, but it sounds like a job better suited for F-PROT's tech
support.
I understand those folks are paid to solve situations such as this....
;-)

> (If uncertain about *any* floppy boot sector virus - initialize a clean
> floppy with Integrity Master, initialize it. Then copy some files onto it
> and check it again with Integrity Master. You will find any floppy boot
> virus this way.)

Sounds like a good approach. Although I haven't tested it (and might
well not be qualified to do a fair examination), I know that IM is well
regarded.

-BPB

------------------------------

Date: Sat, 31 Aug 1996 01:18:57 +0000 (GMT)
From: Bruce Burrell
Subject: Re: help required concerning PARITY BOOT B virus (PC)
X-Digest: Volume 9 : Issue 153

Arthur (aeb88@usa.pipeline.com) wrote:

> On Aug 28, 1996 06:29:25 ROENT-AL '
> wrote:
> >Please give me any information how to remove the freaking "PARITY BOOT B"
> >-Virus and where to get free anti-virus programs via Internet.
>
> Cold boot from a clean system diskette and run FDISK /MBR to rewrite your
> MBR.

No, don't do that. Surely IBMAV can deal with Parity_Boot.B. F-PROT,
which is free for individual, non-commercial use, certainly can deal
with this virus; other products should be able to do so as well.

> Then scan all of your diskettes with an antivirus program that detects and
> disinfects this virus. It is not intentionally destructive.

Why in the world would you recommend this? You should recommend scanning
and disinfecting with AV software. Consider what may happen if your
suggestion is followed in the order you specify. What if there are
multiple infections, like Monkey before Parity_Boot? What if DDO
software is in use? What if a security program has commandeered the MBR?
Oh, and where is a pointer to the free AV product the original poster
requested?

> For OS2 use FDISK /NEWMBR

Equally bad advice, unless IBM made FDISK for OS/2 virus-aware.

> Art, IBMAV
>
> [Moderator's note: Loath as I am to post a blatant FDISK/mumble post
> without the warnings, the poster claims to be from IBM--caveat user.]
_Caveat_, indeed. This is bad advice, whether it comes from someone at
IBM or not. It might work for the current case, but there are certainly
others where it will make matters worse. Those interested in why will
find details in the alt.comp.virus FAQ, Part 4, Section 14. Art, please
read it, whether you're interested or not.

-BPB

------------------------------

Date: Sat, 31 Aug 1996 01:42:44 +0000 (GMT)
From: Bruce Burrell
Subject: Re: How to remove Mongolian Virus in MBR on D: drive? (PC)
X-Digest: Volume 9 : Issue 153

William Tan (tanhl@sp.ac.sg) wrote:

> My PC was badly infected by Mongolian Virus recently. I manage to remove
> it from my C drive, but I was not able to remove it from D: drive's MBR.
>
> I have reformatted D: drive, I even deleted the partition and reformatted
> again, but it is still there after formatting. I have also tried
> using FDISK /MBR, Scan D: /Boot, and TBUTIL, but these commands just will
> not able to remove Mongolian Virus from the MBR of the D: drive.
>
> Please advise. Thousand thanks in advance.

I think I can walk you through this by hand. Send me email if you don't
find a better solution.

-BPB

------------------------------

Date: Fri, 30 Aug 1996 22:21:11 -0600
From: George Wenzel
Subject: Re: Hare virus mini-FAQ (PC)
X-Digest: Volume 9 : Issue 153

>Booting clean won't help accessing a hard drive that had its MBR infected
>with Hare as the partition table data is zeroed by the virus.
>
>AV software that I tried (Dr. Solomon's FindVirus 7.62 and 7.63, and
>F-Prot 2.24a - both recognize Hare) were able to tell that the MBR was
>infected by Hare but couldn't recover the MBR from.

I don't know about F-Prot, but if you were using FindVirus to clean the
MBR, you were not using the right program from the Toolkit. I believe
the Cleanpar utility is the one that the S&S people would recommend for
that situation.

>The MBR of a Hare infected hard drive can be recovered by any version of
>ResQdisk, from 1994.
Are you trying to imply that your program can clean the MBR but other
programs cannot? If that is what you imply, your implication is false.

>One month before Hare's activation date, 50 PCs and a server at the
>university of Auckland, New Zealand were infected by Hare. They were
>cleaned by Symantec's NAV and McAfee (from alt.comp.virus and article
>published in the NZ edition of ComputerWorld).
>
>On August 22nd, personal computers were hit again at the university of
>Auckland by Hare, in spite of being apparently protected by up to date AV
>software.

What likely happened was that they used the AV products and cleaned the
virus, but didn't realize that they could be re-infected from floppies,
so they didn't clean those. I would assume that they weren't using an
on-access scanner on the PC's, because that would have caught the
Hare-infected floppy when it was accessed.

BTW, what would happen to a system "protected" by InVircible if it was
infected with Hare on 8/22 or 9/22?

Regards,
George Wenzel

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 153]
******************************************
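Added illustration for the MBR discussion in this issue (Istvan's note that FDISK rewrites the boot code only when the 55AA signature is absent, and the advice from several posters to keep a saved copy of the MBR for comparison and restoration). This is example code written here, not anything from the digest, from FDISK or from any product named above; the FDISK behaviour is modelled as the message describes it, the `fresh_code` FDISK would write is stood in for by the clean copy, and every sector byte is a constructed placeholder.

```python
"""Added example (not from the digest): the 512-byte MBR layout, the 55AA
signature test FDISK is reported to make, and an integrity check against a
copy of the MBR saved before infection.  All sector contents are constructed."""
import struct

SECTOR_SIZE = 512
CODE_LEN = 446                    # boot code: bytes 0..445
TABLE_OFF, TABLE_LEN = 446, 64    # four 16-byte partition entries: 446..509
SIG_OFF = 510                     # two-byte signature: 510..511
VALID_SIG = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into code, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR sector is exactly 512 bytes")
    return {
        "code": sector[:CODE_LEN],
        "table": sector[TABLE_OFF:SIG_OFF],
        "signature": sector[SIG_OFF:],
        "valid_signature": sector[SIG_OFF:] == VALID_SIG,
    }


def fdisk_would_rewrite_code(sector: bytes) -> bool:
    """Istvan's observation, taken as an assumption here: FDISK keeps the existing
    boot code when the signature reads 55AA and writes fresh code only when not."""
    return not parse_mbr(sector)["valid_signature"]


def spoil_signature(sector: bytes) -> bytes:
    """Step 2 of the recipe in the digest: change the last byte to BB."""
    return sector[:SECTOR_SIZE - 1] + b"\xbb"


def simulate_fdisk_new_table(sector: bytes, new_table: bytes, fresh_code: bytes) -> bytes:
    """Model of FDISK writing a new partition table (an assumption, not FDISK code)."""
    if len(new_table) != TABLE_LEN or len(fresh_code) != CODE_LEN:
        raise ValueError("partition table must be 64 bytes, boot code 446 bytes")
    code = fresh_code if fdisk_would_rewrite_code(sector) else sector[:CODE_LEN]
    return code + new_table + VALID_SIG


def compare_with_saved(saved: bytes, current: bytes) -> str:
    """Integrity check: classify how the live MBR differs from the saved copy."""
    a, b = parse_mbr(saved), parse_mbr(current)
    if a["code"] != b["code"]:
        return "code_changed"   # boot code differs: suspect, restore from the copy
    if a["table"] != b["table"] or a["signature"] != b["signature"]:
        return "table_only"     # e.g. a legitimate repartition
    return "unchanged"


def build_table(entries: list) -> bytes:
    """Pack (status, type, lba_start, sector_count) tuples; CHS fields left zero."""
    packed = b"".join(struct.pack("<B3sB3sII", s, b"\0" * 3, t, b"\0" * 3, lba, n)
                      for s, t, lba, n in entries)
    return packed.ljust(TABLE_LEN, b"\0")


def make_sector(code: bytes, entries: list) -> bytes:
    return code.ljust(CODE_LEN, b"\0") + build_table(entries) + VALID_SIG


# Constructed sample data: placeholder bytes stand in for real boot code.
CLEAN_CODE = (b"CLEAN-BOOT-CODE-" * 28)[:CODE_LEN]
SUSPECT_CODE = (b"MODIFIED-CODE-" * 32)[:CODE_LEN]
OLD_ENTRIES = [(0x80, 0x06, 63, 1048513)]   # one bootable FAT16 partition
NEW_ENTRIES = [(0x80, 0x06, 63, 524224)]

SAVED_MBR = make_sector(CLEAN_CODE, OLD_ENTRIES)    # copy kept on an emergency floppy
LIVE_MBR = make_sector(SUSPECT_CODE, OLD_ENTRIES)   # same table, different code


def walk_through() -> dict:
    """Replay the D: drive scenario; report the integrity verdict at each step."""
    result = {"initial": compare_with_saved(SAVED_MBR, LIVE_MBR)}
    # Repartitioning with the signature intact: the suspect code is kept.
    kept = simulate_fdisk_new_table(LIVE_MBR, build_table(NEW_ENTRIES), CLEAN_CODE)
    result["fdisk_with_signature_intact"] = compare_with_saved(SAVED_MBR, kept)
    # Spoil the signature first: fresh code is written along with the table.
    spoiled = spoil_signature(LIVE_MBR)
    fresh = simulate_fdisk_new_table(spoiled, build_table(NEW_ENTRIES), CLEAN_CODE)
    result["fdisk_after_spoiling"] = compare_with_saved(SAVED_MBR, fresh)
    return result


if __name__ == "__main__":
    for step, verdict in walk_through().items():
        print(f"{step:28s} -> {verdict}")
```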