From lehigh.edu!virus-l  Mon Jan 29 12:54:15 1996 remote from vhc
Received: by vhc.se (1.65/waf)
	via UUCP; Mon, 29 Jan 96 13:50:38 GMT
	for mikael
Received: from fidoii.CC.Lehigh.EDU by mn3.swip.net (8.6.8/2.01)
	id MAA23272; Mon, 29 Jan 1996 12:54:15 +0100
Received: from fidoii.cc.lehigh.edu ([127.0.0.1]) by fidoii.cc.lehigh.edu with SMTP id <215147-4>; Mon, 29 Jan 1996 06:47:20 EST
Message-Id: <01I0LP4Q7OWKPCQYD3@csc.canterbury.ac.nz>
Reply-To: virus-l@lehigh.edu
Originator: virus-l@lehigh.edu
Sender: virus-l@lehigh.edu
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V9 #6
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
X-Comment: Virus Discussion List
Date: 	Mon, 29 Jan 1996 06:47:13 EST

VIRUS-L Digest   Tuesday, 30 Jan 1996    Volume 9 : Issue 6

Today's Topics:

What happened? (ADMIN)
Lucky?
--> Could you help me write my senior integration paper? <--
Re: Virus Scanner for E-Mail Attachment??
Re: virus damage to companies
Virus concerns while using Netscape/www
were wolf 1996
Usefulness of AV people
Will one virus detector "detect" another one?
Harddrive firmware virus possible?
Re: E-MAIL Viruses.
Re: Can a computer get a virus from the internet?
Re: Java Virus
Re: AntiVirus Developers List
Re: Can a computer get a virus from the internet?
Viruses from the internet
Virus Checker for Macintosh (MAC)
McAfee for protection (MAC)
Excel Macro Virus (MAC?,WIN)
Word Concept Macro Prank Virus (MAC,WIN)
Word Macro Viruses, defences (MAC,WIN)
Word Macro Viruses, the real defence (MAC,WIN)
Re: Word Macro Prank Virus (Concept) (MAC,WIN)
Re: Word Macro Prank Virus (Concept) (MAC,WIN)
Re: Word Macro Prank Virus (Concept) (MAC,WIN)
Re: Windows95 Virus Scanner (WIN95)
Re: a good Anti-Virus for Win95? (WIN95)
Re: F-Prot Pro for Win95 and McAfee VirusScan for Win95 (WIN95)
Re: F-Prot Professional and McAfee ViruScan for Win95 (WIN95)
Info about Form-A (PC)
McAfee says: F-prot contains VCL-virus ? (PC)
TB1 Virus (PC)
Re: McAfee upgrades? (PC)
AVPLITE (PC)
Re: Virus:MONKEY_B + FORM_A (PC)
Re: Mutagen Virus found on CD (PC)
Anti-CMOS Virus? (PC)
Re: Quality Anti-Virus Programs (PC)
Byway virus : how remove it ??? (PC)
Re: Invircible (PC)
Re: Smile (PC)
Re: Invircible (PC)
Re: Invircible (PC)
Sampo (PC)
F-PROT: Request for Help (PC)
COMit or virus? .DR1 explodes on field overflow (PC)
Re: Free (or cheap) protection programs for DOS or WINDOWS? (PC)
How to remove "Ekaterin" virus ? (PC)
Monkey B / Monkey 2 (PC)
I LOVE (PC)
KEEPER-LEMMING (PC)
Re: Need info on MONKEY_A virus (PC)
Re: Need help: AntiEXE virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available by anonymous FTP on CS.UCR.EDU.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Mon, 29 Jan 1996 22:05:30 +1300 (NZD)
From: Nick FitzGerald <n.fitzgerald@csc.canterbury.ac.nz>
Subject: What happened? (ADMIN)
X-Digest: Volume 9 : Issue 6

Sorry.

No excuses, but by way of explanation, I was swamped with hundreds of
five-to-ten-day-after "delivery failures", most of which were from sites
that hadn't already sent me "your message has been enqueued..." type
messages.  Add to that moving house, two different system upgrades on the
two big systems I'm dependent on for Email (both variously affecting my
ability to get to my Virus-L mail for a while), helping my partner find a
new car, and I've had a fairly eventful week since the last digest.

There should be a second digest tonight, another two or three tomorrow
and then into a pattern of roughly one per day.

Please remember that -direct-, Email responses to pleas for help are
usually better, though new or "unusual" problems deserve a good public
airing...

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
 n.fitzgerald@csc.canterbury.ac.nz  TEL:+64 3 364 2337, FAX:+64 3 364 2332
	      Virus-L/comp.virus moderator and FAQ maintainer
    PGP fingerprint =  2E 7D E9 0C DE 26 24 4F  1F 43 91 B9 C4 05 C9 83

------------------------------

Date: Fri, 19 Jan 1996 18:27:36 -0500 (EST)
From: William Bebout <wbbebout@evansville.net>
Subject: Lucky?
X-Digest: Volume 9 : Issue 6

I have been using the net and BBS's for 5 years.  I have never
encountered a virus.  I consider myself very fortunate.  I watch with
interest some of the posts here but I have a question.  Where are most
people contracting these nasty programs?  I am using NAV and am unsure
whether it works because of never being infected.

Bill

------------------------------

Date: Sat, 20 Jan 1996 00:33:34 -0500 (EST)
From: David White <white@wycliffe.covenant.edu>
Subject: --> Could you help me write my senior integration paper? <--
X-Digest: Volume 9 : Issue 6

As a senior, I'm required to write two lengthy papers for my senior 
project.  One must be an ethical paper on some moral issue within 
computer science, while the other is a technical literature review 
paper.  

For my ethical paper, I've chosen to write about the morality of software 
piracy and copyright violation on the internet, and for the technical 
paper, I'll be researching viruses - their creation, their authors, and 
ways to counter them.  

Could anyone suggest any books and/or journals that would deal with 
these subjects?  I'm in need of good references and would greatly 
appreciate any help anyone can offer!  Thanks very much.

=-=-= David =-=-=

[Moderator's note:  The FAQ is fairly thin on ethical/moral and legal
issues, but otherwise not a bad starting point...]

------------------------------

Date: Sat, 20 Jan 1996 04:32:41 -0500 (EST)
From: George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Subject: Re: Virus Scanner for E-Mail Attachment??
X-Digest: Volume 9 : Issue 6

>Does anyone know of a product that will scan uuencoded (or mime) 
>attachments on internet (SMTP) e-mail messages??  

I believe that PC-Cillin scans uuencoded e-mail attachments...  but this
really isn't necessary.  Most antivirus programs contain a TSR or a VxD,
which scan files as they are created (or run, or accessed... many ways to
skin the same cat) - these programs would do the same thing, but once the
message has been decoded.  They would likely stop the running of the
program until it has been disinfected.

Regards, 

George Wenzel

------------------------------

Date: Sat, 20 Jan 1996 09:20:23 -0500 (EST)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: virus damage to companies
X-Digest: Volume 9 : Issue 6

Roy (100451.2341@compuserve.com) wrote:
: I'm looking for information on damage, which has been caused to
: companies by computer viruses. Individual statements are welcome,
: but as well I'm looking for some statistical summaries, if they exist.

I don't have statistical summaries to hand: in any case, this sort of
damage is difficult to quantify, and consequently not always 
trustworthy.

The trouble is, there's a lot more to 'damage' than the figures
estimated for a particular outbreak. This is off the top of my
head: I haven't covered anything like the whole area. It may not be
what you want, either, but it's a crucial concern of mine B-(

	Cost of maintaining virus protection
		Training and maintaining a response team
		Management costs (that covers a lot of ground....)
		Cost of software licences
		Cost in time/productivity/money of maintaining upgrades etc.
		Formulating and enforcing policy
		Educating users in the issues and good hygienic practice
		Cost in time of routine anti-virus measures
		Cost in money and time of servicing false alarms
		Cost of sheepdip systems
		Cost of having part-time A/V people taking time off
			from their 'real' jobs
		Alternatively, the cost of having full-time A/V personnel
		Cost of tracking the product market, technological changes
		Formulating and enforcing a backup policy
		Development of protective systems
		Resource utilisation by undetected viruses

	Cost of specific outbreaks
		Loss of productivity
		Workstation/Server downtime
		Damage to reputation of the organization
		Damage to involved personnel
		Damage limitation
		Time spent cleaning up, examining floppies etc.
		Restoration of backups/reinstallation   
		Replacing unrecoverable data            
		Time and money spent increasing virus protection.....

Basically, corporate virus-management is a balancing act between the two
issues. Maintaining good virus-control can look very expensive. The more
successful it is, the harder it is to convince those who are benefitting
from it that they need it.....

David Harley
Not necessarily speaking for ICRF

------------------------------

Date: Sat, 20 Jan 1996 12:36:26 -0500 (EST)
From: Tim Stewart <timmy@primenet.com>
Subject: Virus concerns while using Netscape/www
X-Digest: Volume 9 : Issue 6

Our company will soon move into the world of the internet, and users 
are asking for the ability to use Netscape and access the www.

In the message I just read through from this list, I saw a paragraph 
which sparked some concern for me about the possibility of viruses 
being introduced into our network through the use of netscape, I 
assume specifically by allowing one of the 'plugin' helper apps to 
automatically execute a sound or video or other file after 
downloading.

Can someone point me to any FAQs you may be aware of which covers 
this in detail?

 TiMoThY
http://www.primenet.com/~timmy

------------------------------

Date: Sat, 20 Jan 1996 15:40:06 -0500 (EST)
From: Super D <perderea@worldnet.net>
Subject: were wolf 1996
X-Digest: Volume 9 : Issue 6

Does anyone know the new virus WEREWOLF 1996 ?

| Cyril Perdereau => perderea@worldnet.net    |
===============================================
|  On se repose le jour, pour dormir la nuit  |
-----------------------------------------------

------------------------------

Date: Sat, 20 Jan 1996 18:30:14 -0500 (EST)
From: Nacho Man <ht_bui@ece.concordia.ca>
Subject: Usefulness of AV people
X-Digest: Volume 9 : Issue 6

Hello,
I don't mean to sound like an asshole or anything but I'm just wondering
how an anti-virus consultant could be useful. Since I started reading
this newsgroup, I have seen a lot of OBVIOUS advice given by these
so-called virus specialists: "You must reboot from a clean floppy and
then run an anti-virus software" or "Boot from an uninfected floppy
and format disk". I assume that people who ask these questions expect    
more in-depth answers but I guess, giving it to them would be divulging
sensitive information, right?

This brings me to my questions: why do we need so many virus specialists
if they all repeat the same thing? 

[Moderator's note:  Maybe you don't need such "expert" help -because-
such things as "boot clean" are obvious to you, but from your tone you've
obviously never worked on a Help Desk for more than ten minutes of your
life...  8-)]

------------------------------

Date: Sat, 20 Jan 1996 23:41:56 -0500 (EST)
From: Steve640 <steve640@aol.com>
Subject: Will one virus detector "detect" another one?
X-Digest: Volume 9 : Issue 6

When I run a virus checker against my hard disk, are they 
typically just looking for bit patterns in executable files?
If they only check for matching patterns in exe files, will
one virus detector see another virus detector's signature files
as a virus?

Thanks,
steve
steve640@aol.com

[Moderator's note:  There are -several- Q&A's in the FAQ sheet covering
all the possibilities here.  People, please read the FAQ before
posting...]

------------------------------

Date: Sun, 21 Jan 1996 06:19:10 -0500 (EST)
From: support@vse.ac-copy.com
Subject: Harddrive firmware virus possible?
X-Digest: Volume 9 : Issue 6

Hello All!

Just yesterday I read that the most recent generation of harddrives no
longer contain the firmware in ROM, but on a reserved track on the disk,
which is booted on power up. The reason for this, should be, that the
firmware is easily upgradeable.

This is where I got some rather frightening ideas: if this code is
accessible on a regular harddrive already in use, what precautions are
there to prevent access?

Does anyone know more about this? Drive manufacturers preferred :-)
What if someone DOES download altered code to the drive. Since the
firmware does some caching, the ultimate dropper is easy to write...
And if the firmware controls the drive motors directly, a few parameter
changes would permanently ruin the drive...

Please tell me that I am just being paranoid.

Guido

------------------------------

Date: Sun, 21 Jan 1996 07:25:22 -0500 (EST)
From: Fred Cohen <fc@all.net>
Subject: Re: E-MAIL Viruses.
X-Digest: Volume 9 : Issue 6

> Although "Good Times" is a "mythical" virus, hysterical
> e-mailing rumours of a "new powerful e-mail virus" can cause
> a real Denial-of-Service attack when the mail spool of
> an organization fills up.  This can cause headaches probably
> equal to a "real" virus for the sys admin of (say) a large
> university computing system.

Internet-based email viruses happen all the time - they are commonly
called mail loops.  In essence, the environment is changed so that
any email to a particular list loops back on itself through circular
subscription.  The cure is to eliminate the subscription circularity.

------------------------------

Date: Sun, 21 Jan 1996 07:25:22 -0500 (EST)
From: Fred Cohen <fc@all.net>
Subject: Re: Can a computer get a virus from the internet?
X-Digest: Volume 9 : Issue 6

> I am using the Dial up Networking with WIN95 to connect my PC to a 
> university account. Can a virus infect a computer by downloading image 
> files, sound files, and other types of files from Web sites? Can you get 
> a virus just by going to a Web site? If so, will an anti-virus program 
> detect it?

There are examples of such things - but not from the files you mentioned.
You can, for example, get a virus from downloading and interpreting a
postscript file with a normal postscript interpreter.  Our web site
provides a test to see if your postscript interpreter is configured and
if so whether it has the most obvious of these vulnerabilities.
(http://all.net/ -> test)

------------------------------

Date: Sun, 21 Jan 1996 07:25:22 -0500 (EST)
From: Fred Cohen <fc@all.net>
Subject: Re: Java Virus
X-Digest: Volume 9 : Issue 6

> My daughter was in Netscape in "Talker" tonight when a message came up
> that she had 54 seconds to shut down before the unstoppable JAVA virus
> would infect our hard drive.  I can't find anything about this virus
> in any of the latest programs (F-Prot 221, Thunderbyte 6.51, Viruscan
> 229e)  Does anybody have info on this virus?

Not on this virus - it's likely a hoax, however, Java viruses are possible.

> [Moderator's note:  All the technical accounts and opinions of
> security experts I've seen to date suggest that the Java designers
> "did it right", but there is concern that "non-standard extensions"
> may become an expected, albeit unofficial, part of future Java
> developments.  As with the development of HTML, the pressure would
> then be on the developers of "browsers" and service providers to
> support these extensions, so they could keep up with the latest,
> coolest trends.  If these extensions get beyond the control of the
> original developers there is no saying what insecurities they will
> allow...

The Java designers did not "do it right" - you might be interested in
articles in the info-sec super journal on this and closely related
subjects. (http://all.net/
	browse -> (super-journal) Miscellaneous Contributions
	browse -> (super-journal) Articles on Network Security (Dec 95)

[Thanks Fred--Moderator]

------------------------------

Date: Sun, 21 Jan 1996 07:25:22 -0500 (EST)
From: Fred Cohen <fc@all.net>
Subject: Re: AntiVirus Developers List
X-Digest: Volume 9 : Issue 6

As usual, you left out one of the oldest and best anti-virus product
developers.  I won't say which in case there are more than one.

-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

[Moderator's note:  I received several followups on this, including a
-much- longer one (around 45KB) I will post in a day or two...]

------------------------------

Date: Sun, 21 Jan 1996 14:53:11 -0500 (EST)
From: Doug Muth <dmuth@oasis.ot.com>
Subject: Re: Can a computer get a virus from the internet?
X-Digest: Volume 9 : Issue 6

In article <0004.01I0AAP9YODQOK8IBB@csc.canterbury.ac.nz>, dmr20a50 writes:
: I am using the Dial up Networking with WIN95 to connect my PC to a 
: university account. Can a virus infect a computer by downloading image 
: files, sound files, and other types of files from Web sites? Can you get 
: a virus just by going to a Web site? If so, will an anti-virus program 
: detect it?

	No, the only way you will be able to get a virus would be to get 
an executable file from a website and run it on your system.  Should you 
download a file that is infected with a virus, just running the usual 
scanners on it, as you would any other software, will do the trick.

	Regards,
-
--<Doug Muth>---<dmuth@ot.com>---| Finger dmuth@oasis.ot.com for
---<http://www.ot.com/~dmuth>----| PGP public key and geek code
"Privacy is a basic human right, not a government granted privilege!"
"Mr. Simpson, how do you plead?" - "Innocent, I could not, would not, and 
did not commit this crime." - "Feed him to the Sharkticons!" - "AAAGGHHH!"

------------------------------

Date: Sun, 21 Jan 1996 13:22:44 -0500 (EST)
From: George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Subject: Viruses from the internet
X-Digest: Volume 9 : Issue 6

>I am using the Dial up Networking with WIN95 to connect my PC to a 
>university account. Can a virus infect a computer by downloading image 
>files, sound files, and other types of files from Web sites? Can you get 
>a virus just by going to a Web site? If so, will an anti-virus program 
>detect it?

I'm in exactly the same situation (DUN connecting to a university
account).  I can assure you, with absolute conviction, that you cannot
get a virus from downloading an image file (pictures of sunsets,
right? B-)), a sound file, or other non-executables.  You can not get
viruses from simply visiting a web site either.  

There is a disclaimer here:  If you download an executable file
(basically any sort of program, a DLL, a screen saver, many others) there
is a possibility of your computer being infected with a virus when you
run the executable.  

It is HIGHLY advisable that you obtain a reputable anti-virus program,
either from the web (which would be less featured, usually with no tech
support) or by buying a commercial program (more expensive, more
featured, more support).  

Two good choices are F-Prot (which is available from the SimTel archives,
the file is called FP-221.zip) and Dr. Solomon's (which has an evaluation
version available on their website - www.drsolomon.com).

Whatever you choose, try your best to update it often - every two months
should be considered a minimum.  If you buy a commercial package (F-Prot
and Dr. Solomon's also have commercial versions) the updates are usually
included in the price of the program.

Regards,

George Wenzel

[Moderator's note:  "executable file" is too nebulous a term.  It is
possible to configure some popular web browsers to automatically load
Word to display .DOC files, which could result in you getting a Word
macro virus.  Some Email programs can be similarly configured.  There has
been quite a bit of discussion of these issues over the last few
digests.]

------------------------------

Date: Fri, 19 Jan 1996 21:17:41 -0500 (EST)
From: Greg Keogh <greg@werple.mira.net.au>
Subject: Virus Checker for Macintosh (MAC)
X-Digest: Volume 9 : Issue 6

I have a colleague who wants a professional high-quality virus checker 
for his Macintosh. I'm a PC specialist, and know almost nothing about 
Macs, but I promised to help him by posting a news message on his behalf.

I couldn't find a newsgroup devoted to macs, but I'm sure there must be 
one. Please feel free to cross-post this message into the appropriate 
newsgroups if you know where they are.

Cheers to all,
Greg Keogh <greg@werple.mira.net.au>

------------------------------

Date: Sun, 21 Jan 1996 14:36:17 -0500 (EST)
From: "Edward M. Sikorski" <sikorski@tucson.Princeton.EDU>
Subject: McAfee for protection (MAC)
X-Digest: Volume 9 : Issue 6

I read somewhere that McAfee had commercialized Disinfectant. Is this
correct? Will Disinfectant no longer be available/upgraded?
What solutions are available for the Mac (other than SAM, Virex)???

Thanks for any replies!

ed-
sikorski@princeton.edu

------------------------------

Date: Fri, 19 Jan 1996 09:14:20 -0500 (EST)
From: Alan Fraser <100437.2552@CompuServe.COM>
Subject: Excel Macro Virus (MAC?,WIN)
X-Digest: Volume 9 : Issue 6

Has anyone any information on the MS Excel macro virus reported 
in the Windows NT newsletter "ClieNT Server News"? It is supposed 
to turn all 1s in the cells of a spreadsheet to 7s and 
vice-versa, and then save the file, thus corrupting the data.
The newsletter article says the virus is in the wild in Excel 
spreadsheets on the Internet and other on-line services.

Any information very gratefully received.

Alan Fraser

------------------------------

Date: Fri, 19 Jan 1996 16:48:26 -0500 (EST)
From: "T. Schwark" <schwarkt@fox.nstn.ca>
Subject: Word Concept Macro Prank Virus (MAC,WIN)
X-Digest: Volume 9 : Issue 6

I have downloaded a fix to this virus which will automatically check for
the virus when you save a file in Word.  When I use F-Prot to scan a hard
drive it now finds MS Access files infected with this virus.

Any idea on how to clean up those files?

Thanks in advance!

Please e-mail response.

------------------------------

Date: Sun, 21 Jan 1996 09:33:22 -0500 (EST)
From: "A. Padgett Peterson, P.E. Information Security" <PADGETT@hobbes.orl.mmc.com>
Subject: Word Macro Viruses, defences (MAC,WIN)
X-Digest: Volume 9 : Issue 6

The problem is that there is no one true answer (Microsoft even
refuses to tell anyone just how macros work without an NDA - and then
the information they supply is apparently wrong.)

The easy answer would be to disable the automatic execution of macros
found in documents (they are supposed to be only in templates but WORD
does not seem to care so long as the format of the file is correct).

Why do we suddenly have WORD viruses (and Excel for that matter) ? Because
M$ decided to add file manipulation and execution capability to the macro
language (Word 2.0 had macros but they were not so powerful).

Add to that the capability of most mail gateways to process binary attachments
and the death of universal readers (remember Central Point's readers and
Lotus "Magellan" ?) and the potential was there.

The easy answer would be the one I mentioned but even M$ seems unable to
accomplish this 

<RANT>
(sometimes I really wonder if anyone there really understands
the code any more. Paul Allen used to but Mr. Gates always seems to have
been a marketeer rather than a programmer - marketeers always are the ones
to get ahead anyway - they can always buy programmers - ask Tim Paterson).
</RANT>

As for SCANDOC.DOT, just read the disclaimers and exclusions in the README.
Then try to find a lawyer who can translate into English. The bottom line
is that if you open a file with the FILE/OPEN command inside WORD, it can
block the WinWord.Concept (known back in August of 95 to M$ as the "Prank
Macro").

If however, you open the file say by double-clicking on an E-Mail attachment
with the extension .DOC from ccMail, all it will do (maybe) is tell you that
you is been had.

Now there are sound business reasons why M$ and others want to be able to
have macros executed when mail is opened. For one thing they can have it
read the version and serial number of the WORD in use, the user's E-Mail
name, and E-mail the data back without the user knowing (not saying they
*would*, just that they *could*.)

I use a five-pronged approach for my ccMail/Word usage.

1) Load M$'s SCANDOC.DOT (in WD1215) - didn't say it was bad, just not enough)

2) Open WORD. Pull down TOOLS/OPTIONS, select SAVE, select "Prompt to
   save Normal(.DOT)".

3) Open WORD. Pull down TOOLS/MACRO. Type in "AUTOEXEC" and select "CREATE"
   (if you get "EDIT" instead you already have an autoexec macro. Do you know
   what it does ?).
   Between "SUB MAIN" and "END SUB" which will appear, enter the two lines:
	DisableAutoMacros
	MsgBox "Automatic Macro Execution Disabled",-1
   Then select FILE/SAVE TEMPLATE
   (the "-1" will cause the message to appear briefly on the status line 
   instead of opening a dialog box the user will have to clear on every opening)

4) Find your NORMAL (MAC)/NORMAL.DOT (PC) file. (on PC it is usually in the
   \WW\TEMPLATES directory or, if you have M$Office, in the 
   \MOFFICE\WW\TEMPLATES directory. If not there try "dir/s normal.dot". Him
   are somewhere if you have WORD). Back it up. (quickest way to restore
   from infection is via backup. WORD viruses infect the global template
   NORMAL.)

5) Use some other browser to read your E-Mail (I use FTP's KEYVIEW which
   comes with ONNET 2.0 (plug) - MSVIEWER is available for free download
   from MS but takes as long as WORD to load - talk about code bloat...

6) Know what is supposed to be in your TOOLS/MACROS listing. Notice if
   something new appears (see 5). Note: while you have a DELETE option
   available, if WORD is infected, can you trust it? See item (4).

Of course if you, like me, use WordStar 7.0 mostly, you have no problem 8*).

					Warmly,
						Padgett

------------------------------

Date: Sun, 21 Jan 1996 09:41:35 -0500 (EST)
From: "A. Padgett Peterson, P.E. Information Security" <PADGETT@hobbes.orl.mmc.com>
Subject: Word Macro Viruses, the real defence (MAC,WIN)
X-Digest: Volume 9 : Issue 6

Now, I do not know how to do this (so don't ask) but the real
answer to the problems in Windoze would seem to be as follows:

When ccMail (or I would imagine any reader) opens an attachment
using WORD, this is done by creating a temporary file (usu something
like "~<name>.tmp") and then launching WORD with the filename as
part of the command line.

Now if "something" (.VXD or .DLL) existed which would intercept the
TMP file, check for the "TEMPLATE" bit, and if found, popped up a
dialog box that asked the user if he/she/whatever wanted to turn it off...

Would probably never need updating.

					Warmly,
						Padgett
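
The check proposed in the message above, as an added sketch (not code from the digest or from any product it mentions): it reads an OLE2 compound file, such as the temporary copy a mail reader hands to WORD, finds the WordDocument stream and tests the template flag in its header. It assumes the later-published Word binary layout (flag word at offset 0x0A of the File Information Block, bit 0 = template); all function names and the sample file are constructed for illustration.

```python
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
ENDOFCHAIN, FREESECT, FATSECT = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD
WORD_IDENTS = {0xA5DC: "Word 6/95", 0xA5EC: "Word 97 or later"}  # FIB wIdent


def _sector(data, n, size):
    """Return sector n; sector 0 starts right after the header sector."""
    off = (n + 1) * size
    if off + size > len(data):
        raise ValueError("sector %d lies outside the file" % n)
    return data[off:off + size]


def _chain(fat, start):
    """Follow a FAT chain, refusing loops and out-of-range links."""
    seen, n = set(), start
    while n != ENDOFCHAIN:
        if n in seen or n >= len(fat):
            raise ValueError("corrupt FAT chain")
        seen.add(n)
        yield n
        n = fat[n]


def word_stream_head(data):
    """Return the first sector of the WordDocument stream of an OLE2 file."""
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2 compound file")
    size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    n_fat, dir_start = struct.unpack_from("<II", data, 0x2C)
    cutoff, = struct.unpack_from("<I", data, 0x38)
    if n_fat > 109:
        raise ValueError("files needing extra DIFAT sectors are not handled")
    fat = []
    for s in struct.unpack_from("<%dI" % n_fat, data, 0x4C):
        fat.extend(struct.unpack("<%dI" % (size // 4), _sector(data, s, size)))
    for s in _chain(fat, dir_start):
        sec = _sector(data, s, size)
        for off in range(0, size, 128):          # 128-byte directory entries
            entry = sec[off:off + 128]
            name_len, etype = struct.unpack_from("<HB", entry, 0x40)
            name = entry[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
            if etype != 2 or name != "WordDocument":
                continue                         # not the stream we want
            start, length = struct.unpack_from("<II", entry, 0x74)
            if length < cutoff:
                raise ValueError("stream stored in the mini-stream; not handled")
            return _sector(data, start, size)
    raise ValueError("no WordDocument stream")


def fib_flags(head):
    """Decode the start of the File Information Block (FIB)."""
    ident, nfib = struct.unpack_from("<HH", head, 0)
    flags, = struct.unpack_from("<H", head, 0x0A)
    if ident not in WORD_IDENTS:
        raise ValueError("WordDocument stream has no Word FIB signature")
    return {"format": WORD_IDENTS[ident], "nFib": nfib,
            "template": bool(flags & 0x0001)}    # bit 0: saved as a template


def screen_attachment(data):
    """Verdict for a temp file about to be handed to Word."""
    try:
        info = fib_flags(word_stream_head(data))
    except (ValueError, struct.error) as exc:
        return "not-checked: %s" % exc
    return "ask-user" if info["template"] else "pass"


def build_sample(template):
    """Constructed input: header, FAT, directory, 4096-byte WordDocument stream."""
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<II", header, 0x2C, 1, 1)      # 1 FAT sector, dir in sector 1
    struct.pack_into("<IIIII", header, 0x38, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))
    links = [FATSECT, ENDOFCHAIN] + list(range(3, 10)) + [ENDOFCHAIN]
    fat = struct.pack("<128I", *(links + [FREESECT] * (128 - len(links))))
    directory = bytearray(512)
    for i, (name, etype, start, size) in enumerate(
            [("Root Entry", 5, ENDOFCHAIN, 0), ("WordDocument", 2, 2, 4096)]):
        raw = name.encode("utf-16-le")
        directory[i * 128:i * 128 + len(raw)] = raw
        struct.pack_into("<HB", directory, i * 128 + 0x40, len(raw) + 2, etype)
        struct.pack_into("<II", directory, i * 128 + 0x74, start, size)
    stream = bytearray(4096)
    struct.pack_into("<HH", stream, 0, 0xA5DC, 101)  # constructed Word 6 FIB start
    struct.pack_into("<H", stream, 0x0A, 0x0001 if template else 0)
    return bytes(header) + fat + bytes(directory) + bytes(stream)


if __name__ == "__main__":
    for blob in (build_sample(False), build_sample(True), b"hello"):
        print(screen_attachment(blob))
```

A file that cannot be parsed is reported as "not-checked" rather than passed, so a truncated or unusual container is left for the regular scanner or the user to deal with.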

------------------------------

Date: Sun, 21 Jan 1996 18:20:07 -0500 (EST)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: Word Macro Prank Virus (Concept) (MAC,WIN)
X-Digest: Volume 9 : Issue 6

Russ Cox (rsc@research.att.com) wrote:
: Martin Blay <martin.blay@gecm.com> writes:

: >Word Macro Prank Virus (Concept)
: >
: When news of this virus hit back in August, I got the following
:  from this list.  This is just the section on macro virus prevention.
: I will send you the entire digest via e-mail, but am posting this
: for the good of the list.

: -- begin included text

: PREVENTION

: The Word for Windows manual claims that if you hold down <Shift>
: whilst double-clicking the Word icon in Program Manager, then
: Word will start up with file-related "auto-execute" macros
: disabled. This ought to inhibit the actuation of WinWord-Nuclear,
: which relies on this feature; it didn't work in our test setup.
: Starting up WinWord with the command line "WINWORD.EXE /m" is
: supposed to achieve a similar effect, but failed similarly.

My understanding is that these techniques bypass AUTOEXEC macros:
they are *not* the same as "DisableAutoMacros 1", and will not
inhibit infection by Nuclear (or Concept) since AutoOpen macros will
still run.

: You can also hold down <Shift> whilst opening a document to
: disable any automatic macros in that file, though this too failed
: during our trials.

There does seem to be a problem with this.

: You might wish to use one of Word's auto-execute macros to your
: advantage. Under Tools/Macro, create a macro called AutoExec that
: looks like this:

:    Sub MAIN
:       DisableAutoMacros
:       MsgBox "AutoMacros off!", "Safety First!", 64
:    End Sub

: This macro is triggered whenever Word starts (a serious potential
: hole!), and serves to disable the feature which WinWord-Nuclear
: uses to actuate.

This will block Concept or Nuclear, but not Colours, which exploits
another loophole.

David Harley

------------------------------

Date: Sun, 21 Jan 1996 18:25:28 -0500 (EST)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: Word Macro Prank Virus (Concept) (MAC,WIN)
X-Digest: Volume 9 : Issue 6

Russ Cox (rsc@research.att.com) wrote:
: Martin Blay <martin.blay@gecm.com> writes:

: >Word Macro Prank Virus (Concept)
: >
: The Word for Windows manual claims that if you hold down <Shift>
: whilst double-clicking the Word icon in Program Manager, then
: Word will start up with file-related "auto-execute" macros
: disabled. This ought to inhibit the actuation of WinWord-Nuclear,
: which relies on this feature; it didn't work in our test setup.
: Starting up WinWord with the command line "WINWORD.EXE /m" is
: supposed to achieve a similar effect, but failed similarly.

As I've previously pointed out, this seems to indicate confusion
between Autoexec macros and AutoOpen macros. Also, of course,
this isn't going to work exactly the same way on a Mac (no
command-line, unless you use Applescript etc.). To investigate
the Mac possibilities, check out 'Startup Switches' in WordBasic
Help. However, the information therein is utterly inapplicable to
the version of Word 6 *I'm* running on a Mac!

: You might wish to use one of Word's auto-execute macros to your
: advantage. Under Tools/Macro, create a macro called AutoExec that
: looks like this:

:    Sub MAIN
:       DisableAutoMacros
:       MsgBox "AutoMacros off!", "Safety First!", 64
:    End Sub

: This macro is triggered whenever Word starts (a serious potential
: hole!), and serves to disable the feature which WinWord-Nuclear
: uses to actuate.

This does work on a Mac running Word 6. However, as pointed out before,
this won't block the loophole exploited by Colours.

David Harley

------------------------------

Date: Fri, 19 Jan 1996 19:57:09 -0500 (EST)
From: keith@command-hq.com
Subject: Re: Word Macro Prank Virus (Concept) (MAC,WIN)
X-Digest: Volume 9 : Issue 6

In Article<0006.01I03RRV4IZ6OK843A@csc.canterbury.ac.nz>,
<martin.blay@gecm.com> writes:

> Does anybody know of a good way of protecting against and cleaning up 
> this virus, I have tried the Microsoft Scanprot but this clashes with 
> Digital Teamlinks mail Version 2.5, and Norton Anti Virus with the
> latest (January 96) update can only detect it when running a scan from
> DOS but not from the Windows component. Also it cannot repair infected
> files. Any help would be much appreciated.

AntiViral Toolkit Pro has a *FREEWARE* cleaner named AVPWW102 which you
may obtain from the ftp site in my signature.

Keith

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Keith A. Peer                 Phone: 216-273-2820
Central Command Inc.
P.O. Box 856                  USA Distributor for
Brunswick, Ohio 44212        AntiViral Toolkit Pro
E-Mail: keith@command-hq.com
Ftp: ftp.command-hq.com /pub/command
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

------------------------------

Date: Sat, 20 Jan 1996 12:45:31 -0500 (EST)
From: George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Subject: Re: Windows95 Virus Scanner (WIN95)
X-Digest: Volume 9 : Issue 6

In article <0010.01I094E1DXW0OK8IBB@csc.canterbury.ac.nz>,
   Jeff Weyenberg <weyenber@foxvalley.tec.wi.us> wrote:
>Has anyone found a good Virus Scanner for Windows95?
>
Dr. Solomon's, Norton, Thunderbyte, F-Prot, McAfee, and others all
have anti-virus software available for Windows 95.  Do a web search
for their company name, and check out their company websites for info
on how to obtain the software.  Dr. Solomon's and F-Prot are both highly 
respected.

Regards, 

George Wenzel
(who is tired of repeating this message over and over)

[...and I'm getting tired of approving it--Moderator  8-)

Seriously though--it just proves that a large proportion of computer
users can't be bothered reading...]

------------------------------

Date: Sat, 20 Jan 1996 12:36:24 -0500 (EST)
From: George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Subject: Re: a good Anti-Virus for Win95? (WIN95)
X-Digest: Volume 9 : Issue 6

>> Can anyone suggest me a good anti-virus for win95?
>
>The Master Boot record on my PC was infected by
>a FORM_A virus and I tried McAfee AntiVirus for Win95
>and F-Prot for Win95. Both detected the virus but
>neither could clean it.
>
>Norton Antivirus for Win95 was the only one that
>could clean it!

Not to knock down your compliments for NAV95, but I would seriously doubt
that McAfee and F-Prot were unable to clean Form.  It is by far the most
common virus out there right now.

Regards, 

George Wenzel

------------------------------

Date: Sun, 21 Jan 1996 13:32:51 -0500 (EST)
From: George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Subject: Re: F-Prot Pro for Win95 and McAfee VirusScan for Win95 (WIN95)
X-Digest: Volume 9 : Issue 6

>I would be very interested in a competent evaluation of F-Prot
>Professional for Win95 and McAfee for Win95.  Do their "TSRs,"
>(F-Prot's is called 'Gatekeeper', I believe.  I don't recall
>the name of McAfee's device) work as advertised?  Any problems?

There currently (to my knowledge) are no comparative reviews and scanner
tests of Win95 anti-virus scanners.  I am in the preliminary stages of
doing just such a review, and both of those products are included in
those being tested.  Keep an eye on the comp.virus and alt.comp.virus
newsgroups, as I will post the results there when finished.  They will
probably be posted on the HAVS anti-virus WWW site as well.

Regards, 

George Wenzel

------------------------------

Date: Sun, 21 Jan 1996 14:22:59 -0500 (EST)
From: George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Subject: Re: F-Prot Professional and McAfee ViruScan for Win95 (WIN95)
X-Digest: Volume 9 : Issue 6

>I would be very interested in a competent evaluation of F-Prot
>Professional for Win95 and McAfee for Win95.  Do their "TSRs,"
>(F-Prot's is called 'Gatekeeper', I believe.  I don't recall
>the name of McAfee's device) work as advertised?  Any problems?

In Windows 95, VxD's are used rather than TSR's.  TSR's are only used
during boot time before Win95 loads.

I will be evaluating most of the Win95 software in my review.  Of course,
it will be a little while before the review is done, as it is just in the
preliminary stages.  It will probably be out by the end of February.  Due
to resource limitations, however, I won't be able to test the VxD
portions of the programs.

I'll be reviewing and testing the following:

Dr. Solomon's AV toolkit for Win95
McAfee ViruScan for Win95
Thunderbyte AV for Win95
Sophos Sweep for Win95
The Doctor AV for Win95
PC-Cillin for Win95
Norton AV for Win95
F-Prot Professional for Win95
VirusSafe For Win95

Regards, 

George Wenzel

------------------------------

Date: Sat, 20 Jan 1996 00:54:41 -0500 (EST)
From: Robert Grossman <rcg@ix.netcom.com>
To: virus-l@csc.canterbury.ac.nz
Subject: Help antiexe virus (PC)

McAfee reported antiexe was detected in memory.  MS AV found nothing in 
memory, but the checksum on ctl3dv2.dll had been changed.

I run Win95.

Does anyone know what antiexe is and how to get rid of it?

Thanks for any help you might be able to provide!

Bob.

------------------------------

Date: Fri, 19 Jan 1996 07:58:07 -0500 (EST)
From: Koen Van de Velde <proviron@glo.be>
Subject: Info about Form-A (PC)
X-Digest: Volume 9 : Issue 6

This week I found the Form-A virus on one of my boot-floppies.
I immediately disinfected it with McAfee Scan 2.2.9 (01/96) and it
seems to be clean now.

It is a floppy that I use to boot new pc's and install the network
software with. So I would expect that some of the PC's would be 
infected too, but 'till now I didn't find a thing.

What I was wondering: is it possible for the Form-A virus to get on 
our network (Novell Netware 4.1, VLM-client software) and if so,
how can I check/clean it ?

Thanks for your info,

Koen.
- ----------------------------------------------------------------------
PROVIRON INDUSTRIES N.V.                       "in abundance of water
Koen Van de Velde                               only fools are thirsty"
proviron@glo.be
+32-3.877.22.33

------------------------------

Date: Fri, 19 Jan 1996 07:58:11 -0500 (EST)
From: Koen Van de Velde <proviron@glo.be>
Subject: McAfee says: F-prot contains VCL-virus ? (PC)
X-Digest: Volume 9 : Issue 6

I'm just wondering if this is all normal.

This week I found the Form-A virus on one of my floppies,
as you can read in my previous posting.
I wanted to be sure that none of the computers are infected, 
I started checking them with two different virus-scanners:
    - McAfee Scan 2.2.9 (01-96)
    - F-Prot v 2.20

Here's what happens: First I load f-prot and scan my hard-disk,
then I close it again and run the mcAfee-scan.  This one stops
with the following message : 

<<<<<<
Virus data file  V9601 created 01/04/96  13:06:49
Scanning memory for viruses 288KB

Traces of VCL virus found in memory!
This may be an active virus, or an image left by a previous operation
Turn off your PC, insert a system-bootable diskette into the
A: drive, and turn the power back on before re-running SCAN.

If you still receive this message then your system-bootable
diskette is infected and must be replaced with a virus-free
system-bootable diskette before continuing.
>>>>>>

So I did reboot my computer and re-run the McAfee Scan ...
It didn't find anything. I run the f-prot again, without scanning 
anything, just start the menu and close it again.
When I now run the McAfee scan, it displays the above message again,
telling me there is a VCL-virus in my computer.

Do I have an infected copy of f-prot or is it just a conflict between
those two products that confuses me (or at least my computer). Anyway,
it means that some part of f-prot stays in memory after running ...
I'm wondering what that can be.

Thanks,

Koen.

- ----------------------------------------------------------------------
PROVIRON INDUSTRIES N.V.                       "in abundance of water
Koen Van de Velde                               only fools are thirsty"
proviron@glo.be
+32-3.877.22.33

------------------------------

Date: Fri, 19 Jan 1996 08:51:42 -0500 (EST)
From: Ron Bombard <bh081@freenet.Buffalo.EDU>
Subject: TB1 Virus (PC)
X-Digest: Volume 9 : Issue 6

Anyone have any info about the TB1 virus?  We located it on one of our 
pc's during a virus scan when we first loaded the new Norton Antivirus 
program.  It didn't have any info about it though.  Just named and removed.

From: bh081@freenet.buffalo.edu
Real name: Ron Bombard
	   Glens Falls, NY

------------------------------

Date: Fri, 19 Jan 1996 09:08:07 -0500 (EST)
From: Lieven Dhaenens <LLDHAE@ccmail.monsanto.com>
Subject: Re: McAfee upgrades? (PC)
X-Digest: Volume 9 : Issue 6

Eldon Greenberg wrote:
> 
> I have recently installed VirusScan and VirusShield from McAfee
> and am curious to know whether folks generally upgrade to each new
> version as it is released or simply download the latest data file
> updates.

Mostly yes, and sometimes it's a must eg. McAfee data files V9512 only 
work correctly with scan V2.2.8

- - 
****************************************************************
* Lieven Dhaenens - MIS Department, Monsanto Gent              *
* LLDHAE@MONSANTO.COM                                          *
****************************************************************
* Opinions expressed are my own and do not necessarily reflect *
* the company's opinions                                       *
****************************************************************

------------------------------

Date: Fri, 19 Jan 1996 10:35:46 -0500 (EST)
From: keith@command-hq.com
Subject: AVPLITE (PC)
X-Digest: Volume 9 : Issue 6

AVPLITE the evaluation version of AVP Professional is available for 
immediate download.

It can be obtained from the following support site:

location:               ftp.command-hq.com
sub-directory:          pub/command/avp
file:                   AVPLITE.ZIP

Also, watch this site for the WEEKLY updates for AVP Professional!

Keith
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Keith A. Peer                 Phone: 216-273-2820
Central Command Inc.
P.O. Box 856                  USA Distributor for
Brunswick, Ohio 44212        AntiViral Toolkit Pro
E-Mail: keith@command-hq.com
Ftp: ftp.command-hq.com /pub/command
WWW: http://www.command-hq.com/command
Compuserve e-mail: 102404,3654   
Compuserve support: GO AVPRO   
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

------------------------------

Date: Fri, 19 Jan 1996 17:11:15 -0500 (EST)
From: Wayne Riddle <riddler@megalink.net>
Subject: Re: Virus:MONKEY_B + FORM_A (PC)
X-Digest: Volume 9 : Issue 6

00dcwei@bsuvc.bsu.edu wrote:

>I have the FORM_A and MONKEY_B virii on my IBM Thinkpad 350C.  Due to the
>combination of these two, I cannot access my hard drive.  The computer is,
>however, floppy bootable.  I tried to use KILLMONK.EXE to get rid of the copy
>on my C drive, but it did not work, the computer would not acknowledge the
>existence of C:  

Do you have the latest version of Killmonk (3.0)? When you boot from a
clean floppy you will not see your harddrive. That's okay, just run
killmonk3 from the clean floppy. You can then deal with the Form
virus.

>The BIOS utility for the IBM Thinkpad is by no means complete, and it does not
>allow me to do a low-level format.  Unless, of course, there is another BIOS
>util that IBM doesn't want us users to find so they can make a racket off their
>$2/minute 1-900 number.  

You DO NOT want to do a low level format. There is no need for this
measure in order to deal with viruses.

Wayne Riddle
riddler@megalink.net

------------------------------

Date: Fri, 19 Jan 1996 19:06:24 -0500 (EST)
From: Peggy Sterling <psterling@igc.apc.org>
Subject: Re: Mutagen Virus found on CD (PC)
X-Digest: Volume 9 : Issue 6

Just letting everyone that reads this know that this turned out to be
a false positive.  There is no virus on the CD.

------------------------------

Date: Fri, 19 Jan 1996 20:25:29 -0500 (EST)
From: Simon Grant <ay771@freenet.carleton.ca>
Subject: Anti-CMOS Virus? (PC)
X-Digest: Volume 9 : Issue 6

	My hard drive has just been diagnosed as being infected with an 
"Anti-CMOS" virus on it.  I hadn't heard of this type of virus before, 
and McAfee couldn't even detect it.  

Can anyone tell me something about these things?  
Is it possible to recover the non-corrupted sections of my hd?

thanks,
 
Simon 

------------------------------

Date: Fri, 19 Jan 1996 20:26:26 -0500 (EST)
From: keith@command-hq.com
Subject: Re: Quality Anti-Virus Programs (PC)
X-Digest: Volume 9 : Issue 6

In Article<0012.01I06C4XA6HQOK8IBB@csc.canterbury.ac.nz>, <shawn@netcom.com> writes:
> Our Man In Havana <donnegan@world.std.com> writes:
> 
> >Is there any single anti-virus package that's regarded as head and
> >shoulders above the rest?  I've used McAfee and am trying Thunderbyte
> >and am just wondering what other packages are around that are
> >considered good.  Not too interested in Norton.

There are many good virus scanners available AVP, Dr. Solomon's, F-Prot, 
and TBAV just to name a few. I can speak for AVP since we are the US 
Distributor. The following is very biased though :-)

Here are just a few features of AVP:

Disinfects known viruses that are resident (Active) in the computers memory.
Is updated *WEEKLY* with new virus information
Can virus scan within ZIP, ARJ, RAR, LHA, ICE, and LZH archives recursively

Hope you find one that suits your needs...

Keith

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Keith A. Peer                 Phone: 216-273-2820
Central Command Inc.
P.O. Box 856                  USA Distributor for
Brunswick, Ohio 44212        AntiViral Toolkit Pro
E-Mail: keith@command-hq.com
Ftp: ftp.command-hq.com /pub/command
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

------------------------------

Date: Fri, 19 Jan 1996 21:06:03 -0500 (EST)
From: Patrick Noyens <patrick.noyens@ping.be>
Subject: Byway virus : how remove it ??? (PC)
X-Digest: Volume 9 : Issue 6

How can the 'Byway' virus be removed ?

F-prot 2.21, AVP 2.2, DSAVTK 7.55 and Sweep 218 reported all that the
system of a friend of mine is infected with BYWAY virus.

All visible symptoms are indicating that the system is *INDEED*
infected :
	- a lot of checksum files are on the system (normally generated by
	  MSAV or CPAV), while he even doesn't have these scanners on his
	  system.

	- The typical problems with the COM ports : unusual mouse behavior
	  and problems when using his modem.

As F-prot is not able to remove this virus, so I'm looking for another
method.

Any suggestions ?

Thanks,

Patrick Noyens

------------------------------

Date: Sat, 20 Jan 1996 11:38:39 -0500 (EST)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: Invircible (PC)
X-Digest: Volume 9 : Issue 6

Jean-Francois Fortin (jfortin@ulix.net) wrote:
: Does anyone know where Invircible is available?  It is a small
: antivirus program from Israel that uses a new concept in virus
: detection.  Apparently it ranks among the best in detecting viruses. 
: I read somewhere that it detected all the viruses that were submitted
: to it.  It works by setting up the computer in a state in which the
: virus is likely to come into action or become active and if it
: manifests itself it stops the virus.

: Anyone know where I can find this little wonder?

ftp://ftp.invircible.com

However, not all the claims made for Invircible are universally 
accepted.....

: [I read somewhere Elvis was alive and playing in Brazil...-Moderator  8-)]

Exactly ;-)

David Harley

------------------------------

Date: Sat, 20 Jan 1996 12:37:32 -0500 (EST)
From: MR HENRI J DELGER <henri_delger@prodigy.com>
Subject: Re: Smile (PC)
X-Digest: Volume 9 : Issue 6

>From: Vince <vraymond@micronet.fr>
>X-Digest: Volume 9 : Issue 4
>
>I have a Smile virus on my machine that make nothing bad for now
>except laughing in the speaker some time.
>Do you have any ideas to kill him ?

There is a virus known as Smile, or Yesmile.5404, which infects EXE and
COM files (including Command.com) and also infects the Master Boot Record
(MBR) of hard disks.  It is also stealth, thus able to conceal its
changes to files and the MBR while in memory.  It can produce a shrill
laughing sound at boot-up.  If this is the virus, to get rid of it,
you'll need to power down and re-boot from an UNinfected system boot
diskette, then use an anti-virus program to remove the virus from the
hard disk and after verifying it's gone, check for the virus on
diskettes, backups, in compressed files, etc.

Henri Delger
henri_delger@prodigy.com

------------------------------

Date: Sat, 20 Jan 1996 12:42:46 -0500 (EST)
From: George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Subject: Re: Invircible (PC)
X-Digest: Volume 9 : Issue 6

Jean-Francois Fortin <jfortin@ulix.net> wrote:
>Does anyone know where Invircible is available?  It is a small
>antivirus program from Israel that uses a new concept in virus
>detection.  Apparently it ranks among the best in detecting viruses. 
>I read somewhere that it detected all the viruses that were submitted
>to it.  It works by setting up the computer in a state in which the
>virus is likely to come into action or become active and if it
>manifests itself it stops the virus.

Invircible is essentially a generic detector, but this has many problems
with it.  Think about the way that you say it detects viruses - it
'[sets] up the computer in a state in which the virus is likely to...' -
would you really want a virus to infect your system before IV does its
work?  I'd suggest relying on a well-respected scanner (F-Prot, Dr.
Solomon's, AVP, others) to detect viruses in incoming files.  These
programs detect an infected file (or boot sector) before you actually
have to run it.  This allows for much easier removal (you delete the
infected file, or you use the program to clean it).

Regards, 

George Wenzel

------------------------------

Date: Sat, 20 Jan 1996 13:15:42 -0500 (EST)
From: al proulx <aproulx@julian.uwo.ca>
Subject: Re: Invircible (PC)
X-Digest: Volume 9 : Issue 6

Someone (ie. Jean-Francois Fortin) was asking where you can get
'Invircible' for the PC from.  There is a very good download site at
http://ciac.llnl.gov/ciac/ToolsDOSVirus.html (use Netscape) with
Invircible & many other good AV programs & utilities.  You can download a
copy of Invircible from that site.   See ya.
				

Thank you

Al Proulx
UWO - Dept. of Anatomy
519-679-2111  X6836
e-mail: aproulx@julian.uwo.ca

------------------------------

Date: Sat, 20 Jan 1996 17:41:21 -0500 (EST)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: Sampo (PC)
X-Digest: Volume 9 : Issue 6

In article <0021.01I03RRV4IZ6OK843A@csc.canterbury.ac.nz>
	   ploon@pc.jaring.my "Leong Pe Loon" writes:

> Greetings, one and all.  Has anybody encountered the Sampo virus?

Sampo is a computer equipment manufacturer.  Maybe the name of 
this virus ought to be changed to avoid upsetting them by a 
noxious association?

- -
HEADLINE NEWS                  NOW IMPROVED
	      FOR FACE                      WITH LANOLIN
		       AND CHIN                          Burma-Shave

------------------------------

Date: Sat, 20 Jan 1996 18:34:49 -0500 (EST)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: F-PROT: Request for Help (PC)
X-Digest: Volume 9 : Issue 6

In article <0021.01I094E1DXW0OK8IBB@csc.canterbury.ac.nz>
	   dbs1@PO4.RV.unisys.com "Shankland, David B RV" writes:

> Is there any way to ensure that PC users have, first of all, installed
> F-PROT for Windows, and secondly, that  they are using/running Dynamic
> Virus Protection (DVP)?  We have been unable to determine how the
> utilization can be required and enforced.
>
> What have other large companies done with F-PROT for Windows and DVP?
> Is there any logging that monitors this situation?

Dunno about F-Prot, but Dr. Solomon's Anti-Virus Toolkit for 
Netware can monitor for and enforce the use of the equivalent 
resident anti-virus program on the workstations. 

- -
HEADLINE NEWS                  NOW IMPROVED
	      FOR FACE                      WITH LANOLIN
		       AND CHIN                          Burma-Shave

------------------------------

Date: Sun, 21 Jan 1996 00:13:27 -0500 (EST)
From: news@dorsai.dorsai.org
Subject: COMit or virus? .DR1 explodes on field overflow (PC)
X-Digest: Volume 9 : Issue 6

	My ZOOM 14.4KBaud modem came with COMit software.  I finally
got all my scripts to work (moving from NightOwl MEx) and started
getting fancy, extending the titles. Well, when it saved one title
from the script into the directory, it lost all the other data, and at
that point it went nuts, making the directory gibberish.  Like a fool,
I deleted the sloppily-typed original title, hoping to keep the one
from the script file in the directory.  It seemed like I first typed
the number into the title field. The DR1 file was humongous and full
of stuff that you find in unexpunged deleted disk space (like after
quickunerase). I ran the MS/CPS Anti-Virus that came with my Gateway
Pentium and it said nothing (other than a few complaints about stuff I
had to reinstall until I got right - it thought a virus did that!). Is
it likely a virus? Has anyone else had that with COMit? Do they have
eMail?  I randomly looked thru some text files in other directories
and they look uncorrupted. So far, only the DR1 file was corrupted.

- -
Vasos-Peter John Panagiotopoulos II, Columbia'81+, Bioengineer-Financier, NYC
Bach-Mozart ReaganQuayleGramm  Evrytano-Kastorian  Cit:MarquisWhWFinanc&Indus
    [0003536867@mcimail.com , 76530.1430@CompuServe.Com, vjp2@dorsai.org]
   ---{Nothing herein constitutes advice. Everything fully disclaimed.}---

------------------------------

Date: Sun, 21 Jan 1996 00:26:57 -0500 (EST)
From: Mark West <mwest@earthlink.net>
Subject: Re: Free (or cheap) protection programs for DOS or WINDOWS? (PC)
X-Digest: Volume 9 : Issue 6

Mikal Ziane <ziane@noemie.inria.fr> wrote:

>I have checked the FAQ but I saw no mention of which programs are
>free, or at least cheap.

	For personal use you might want to examine ARF A-V Utilities
and F-Prot.  Both are top notch packages.

>I would also need to know where to download them.

	You can find links to both at
<URL:http://www.primenet.com/~mwest/av.htm>.  Select "Software".

===
Mark West <mwest@primenet.com>  <mwest@earthlink.net>
PGP FngPnt: 42 98 08 7D F5 AC B0 F7 89 A1 81 1A 97 FC F4 EC

AntiVirus Resources:
http://www.primenet.com/~mwest/av.htm
Report a virus attack:
http://www.primenet.com/~mwest/vir-vrf.htm

------------------------------

Date: Sun, 21 Jan 1996 06:43:08 -0500 (EST)
From: Takashi Hirano <hirano@ti.com>
Subject: How to remove "Ekaterin" virus ? (PC)
X-Digest: Volume 9 : Issue 6

A virus, "Ekaterin", was detected on the two PCs of our section by IBMAV 
software.

We tried to remove the virus but failed.

Does anyone know how to remove the virus, "Ekaterin".?
Any information would be appreciated.

Takashi Hirano
hirano@ti.com

------------------------------

Date: Sun, 21 Jan 1996 07:40:22 -0500 (EST)
From: Neeraj Murarka <murarka@sfu.ca>
Subject: Monkey B / Monkey 2 (PC)
X-Digest: Volume 9 : Issue 6

Hi. I have the Monkey B / Monkey 2 Virus on my Hard Drive. How can I
clean it off? The scanners all quit when I run them, saying that I should
boot off a clean system disk, and then rerun the virus scanner to clean
off the virus. But the problem is, this virus, when on a Hard Drive, will
not allow the Hard Drive to be accessed when you use a clean boot disk.
So how do you get rid of the virus? The McAfee documentation says that
the virus is removable. This is a boot sector virus. How do I get rid of
it!?!?! Help!

Thanks in advance!

------------------------------

Date: Sun, 21 Jan 1996 09:49:38 -0500 (EST)
From: "A. Padgett Peterson, P.E. Information Security" <PADGETT@hobbes.orl.mmc.com>
Subject: I LOVE (PC)
X-Digest: Volume 9 : Issue 6

There used to be a boot sector infector like this (EMPIRE.C I think - 
was an early variation of the EMPIRE series).
						Warmly,
							Padgett

------------------------------

Date: Sun, 21 Jan 1996 10:43:14 -0500 (EST)
From: Peterjon <Peterjon@express.co.nz>
Subject: KEEPER-LEMMING (PC)
X-Digest: Volume 9 : Issue 6

Please can someone provide me with info on this 
beast. Origin, mode of action etc.

Is there an antidote ???

Ta

------------------------------

Date: Sun, 21 Jan 1996 11:04:28 -0500 (EST)
From: MR HENRI J DELGER <henri_delger@prodigy.com>
Subject: Re: Need info on MONKEY_A virus (PC)
X-Digest: Volume 9 : Issue 6

From: "William R. Mangan, Jr." <MANGAN@chplab.chp.edu>
X-Digest: Volume 9 : Issue 5

> I recently ran across the virus MONKEY_A on several diskettes from
> another department. I was able to clean the virus (using McAfee
> VirusScan 2.2.9), but I can not find any information from VSUM 507 on
> this particular virus.

Monkey virus was first discovered in Canada in 1991, and is now a
commonly-reported boot sector virus.  Monkey virus is related to the Stoned
virus, and also infects the hard disk Master Boot Record and diskette boot
sectors.  It infects the PC when a diskette, infected in another PC, is in
the A> drive at boot-up, and writes its code to the first sector of the
hard disk, where the Partition/MBR data are stored.
     Monkey will be in memory after that whenever the PC is on, and infects
floppy diskettes as you use them.  It moves the diskette's original boot
record code to the end of the Directory area, and if the disk has many
files listed in the root (192 or more for a 3.5" HD diskette), this will
cause the loss of perhaps 16 entries of files, deleted files, and
subdirectories in the root.  The data would still be located in the file
storage area of the diskette, recoverable with the use of CHKDSK /F, or a
similar utility program.
      While Stoned leaves the partition/MBR data intact when it moves it to
(cylinder&head 0, sector 7) of the hard disk, Monkey does not.  Monkey
copies the data to the third sector to make room for its own code, and does
something sinister: it encrypts the Partition/MBR data. This makes the hard
disk inaccessible when the PC is booted from a diskette, since DOS can't
locate the Partition data.  Attempting to use the hard disk produces only
"Invalid drive specification."
      Monkey is not obvious; it does not activate in any way. CHKDSK or MEM
will show a 1kb reduction in DOS memory, but that is the only sign of its
presence, and that is not even conclusive, since some PC BIOSes allocate a
kilobyte of DOS memory for its own use.  When the computer is booted from
the hard disk, it can be used normally because the virus is executed first.
The hard disk seems to be operating normally, and the virus thus can escape
notice, unless the PC is booted from a diskette to get the virus out of
memory to remove it.

Regards, Henri Delger
email: henri_delger@prodigy.com
http://pages.prodigy.com/X/W/A/XWWC29A
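
[Added example, not part of the original post and not any vendor's code: a Python sketch of the check DOS effectively makes after a clean floppy boot, plus a look at the relocation sectors the post names (3 and 7) for an unmodified copy of the partition sector. All function names, the 17-sector track and the XOR key are constructed for illustration; the key is an arbitrary stand-in for "encrypted", not the virus's real transform.]

```python
import struct

SECTOR = 512
TABLE_OFFSET = 0x1BE           # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid partition sector
CANDIDATE_SECTORS = (3, 7)     # relocation sectors named in the post


def read_partition_table(sector):
    """Return the used partition entries, or None if no valid table is present."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIGNATURE:
        return None
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        boot_flag, ptype = raw[0], raw[4]
        start_lba, count = struct.unpack_from("<II", raw, 8)
        if boot_flag not in (0x00, 0x80):
            return None            # these bytes are not a partition entry
        if ptype == 0x00:
            continue               # unused slot
        if count == 0:
            return None            # a typed entry with no sectors is bogus
        entries.append({"type": ptype, "start": start_lba, "sectors": count})
    return entries or None


def get_sector(track, number):
    """Sectors are numbered from 1, as in the post (cylinder 0, head 0)."""
    return track[(number - 1) * SECTOR:number * SECTOR]


def triage(track):
    """Report what a clean boot would see and where a plaintext copy survives."""
    table = read_partition_table(get_sector(track, 1))
    copies = [n for n in CANDIDATE_SECTORS
              if read_partition_table(get_sector(track, n)) is not None]
    return {
        "floppy_boot_view": "drive visible" if table else "Invalid drive specification",
        "plaintext_copy_in": copies,
    }


# --- Constructed sample data (not taken from any real disk or virus) ---
def make_entry():
    # boot flag, CHS start, type 0x06, CHS end, start LBA, sector count
    return struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                       b"\x0f\x3f\x63", 63, 102753)


def make_track(sectors):
    track = bytearray(17 * SECTOR)
    for number, data in sectors.items():
        track[(number - 1) * SECTOR:number * SECTOR] = data
    return bytes(track)


CLEAN_MBR = bytes(446) + make_entry() + bytes(48) + BOOT_SIGNATURE
NO_TABLE = b"\x90" * 510 + BOOT_SIGNATURE   # stand-in for a sector 1 without a table
ARBITRARY_KEY = 0x5A                         # illustrative only

CLEAN = make_track({1: CLEAN_MBR})
PLAIN_COPY_AT_7 = make_track({1: NO_TABLE, 7: CLEAN_MBR})
SCRAMBLED_COPY_AT_3 = make_track(
    {1: NO_TABLE, 3: bytes(b ^ ARBITRARY_KEY for b in CLEAN_MBR)})

if __name__ == "__main__":
    for name, track in (("clean", CLEAN),
                        ("plain copy in sector 7", PLAIN_COPY_AT_7),
                        ("scrambled copy in sector 3", SCRAMBLED_COPY_AT_3)):
        print(name, triage(track))
```

[An unmodified copy is found by inspection alone; a transformed copy is not, which is why the post's advice is to use an anti-virus program rather than generic disk tools.]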

------------------------------

Date: Sun, 21 Jan 1996 11:04:30 -0500 (EST)
From: MR HENRI J DELGER <henri_delger@prodigy.com>
Subject: Re: Need help: AntiEXE virus (PC)
X-Digest: Volume 9 : Issue 6

Networking <networking@aol.com>
X-Digest: Volume 9 : Issue 5

> If anyone has any info on how to get rid of this one, I'd appreciate
> it.  It affects the boot sector and the Norton Virual Protector
> crashes on me.

AntiExe virus is also known as NewBug, and is believed to have originated
in Russia.  It infects the partition/Master Boot sector (cylinder&head 0,
sector 1) of the hard disk, when a boot/re-boot occurs with an infected
floppy in the A> drive, by writing its code there, and moving the
partition/MBR data to (cylinder&head 0, sector 13), which DOS does not use.
 AntiExe is a stealth virus, blocking attempts to read the first sector of
disks if in memory.
      Ordinarily, data are not lost from the hard disk, because the sector
which the virus uses is not used by DOS. If that sector is used by
third-party software to store data, during formatting, or for password
access, or by drivers to access large partitions, problems can result.
AntiExe will be in memory after that whenever the PC is on, and infects
floppy diskettes by writing its code to the Boot sector (sector #0) of
them, moving the boot data there to the last sector in the Directory.
      If the diskette has many files listed in the root (192 or more for a
3.5" HD diskette), this will cause the loss of up to 16 entries of files,
deleted files, and subdirectories in the root.  The data would still be
located in the file storage area of the disk, recoverable with the use of a
disk utility program.
      Every time a disk "read" is performed, Anti-EXE searches for a
particular 8-byte hex code string 4D5A40008801370F, looking for a match for
a specific .EXE file "header," and if found, it will overwrite its first
sector in memory, thus preventing it from running.  These bytes would fit
an EXE file about 196kb in size, but no one knows which EXE it is.  This
peculiarity is how Anti-EXE got its name.
       To get rid of it, you'll need to power down and re-boot from an
UNinfected system boot diskette, then use an anti-virus program to remove
the virus from the hard disk and diskettes.

Regards, Henri Delger
email: henri_delger@prodigy.com
http://pages.prodigy.com/X/W/A/XWWC29A
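
[Added example, not part of the original post: a Python sketch that decodes the 8-byte string quoted above as the start of a DOS EXE header, derives the file size it declares, and lists the sectors of a disk image that begin with it. Function names and the sample image are constructed; matching only at the start of a 512-byte sector is an assumption based on the post's "first sector" wording.]

```python
import struct

ANTIEXE_PATTERN = bytes.fromhex("4D5A40008801370F")  # string quoted in the post
PAGE = 512     # DOS EXE headers count file length in 512-byte pages
SECTOR = 512


def decode_mz_prefix(data):
    """Decode the first four little-endian fields of a DOS EXE header."""
    if len(data) < 8:
        raise ValueError("need at least 8 bytes of header")
    magic, last_page_bytes, pages, relocations = struct.unpack_from("<2sHHH", data)
    if magic not in (b"MZ", b"ZM"):
        raise ValueError("not a DOS EXE header")
    return {
        "last_page_bytes": last_page_bytes,  # bytes used in the final page
        "pages": pages,                      # total pages, final one included
        "relocations": relocations,          # relocation table entries
    }


def image_size(fields):
    """File size in bytes as declared by the header fields."""
    pages, last = fields["pages"], fields["last_page_bytes"]
    if pages == 0:
        raise ValueError("header declares zero pages")
    # A last-page value of 0 means the final page is completely full.
    return pages * PAGE if last == 0 else (pages - 1) * PAGE + last


def sectors_matching(image, pattern=ANTIEXE_PATTERN):
    """Indexes (from 0) of sectors in `image` that start with the pattern."""
    return [offset // SECTOR
            for offset in range(0, len(image), SECTOR)
            if image.startswith(pattern, offset)]


# --- Constructed sample image: four sectors, not from a real disk ---
OTHER_EXE = b"MZ\x90\x00\x03\x00\x00\x00".ljust(SECTOR, b"\x00")       # different header
EMPTY = bytes(SECTOR)
TARGET = ANTIEXE_PATTERN.ljust(SECTOR, b"\x00")                         # header at sector start
MID_SECTOR = (bytes(100) + ANTIEXE_PATTERN).ljust(SECTOR, b"\x00")      # same bytes, wrong place
SAMPLE_IMAGE = OTHER_EXE + EMPTY + TARGET + MID_SECTOR

if __name__ == "__main__":
    fields = decode_mz_prefix(ANTIEXE_PATTERN)
    size = image_size(fields)
    print(fields)
    print("declared size: %d bytes (%.1f KB)" % (size, size / 1024))
    print("matching sectors:", sectors_matching(SAMPLE_IMAGE))
```

[The declared size works out to 391 full pages plus 64 bytes, which is where the post's "about 196kb" comes from.]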

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 6]
****************************************


