From lehigh.edu!virus-l  Sun Feb  4 13:12:28 1996 remote from vhc
Received: by vhc.se (1.65/waf)
	via UUCP; Sun, 04 Feb 96 13:48:38 GMT
	for mikael
Received: from fidoii.CC.Lehigh.EDU by mn3.swip.net (8.6.8/2.01)
	id NAA14839; Sun, 4 Feb 1996 13:12:28 +0100
Received: from fidoii.cc.lehigh.edu ([127.0.0.1]) by fidoii.cc.lehigh.edu with SMTP id <39977-16700>; Sun, 4 Feb 1996 07:09:18 EST
Message-Id: <01I0U3NT89X2PVGQEE@csc.canterbury.ac.nz>
Reply-To: virus-l@lehigh.edu
Originator: virus-l@lehigh.edu
Sender: virus-l@lehigh.edu
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V9 #11
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
X-Comment: Virus Discussion List
Date: 	Sun, 4 Feb 1996 07:09:15 EST

VIRUS-L Digest    Monday, 5 Feb 1996    Volume 9 : Issue 11

Today's Topics:

Re: will formatting a floppy kill viruses on it?
Re: will formatting a floppy kill viruses on it?
Re: will formatting a floppy kill viruses on it?
Re: will formatting a floppy kill viruses on it?
Re: Harddrive firmware virus possible?
Re: Lucky?
Re: Usefulness of AV people
Re: --> Could you help me write my senior integration paper? <--
Re: Virus Database
Microsoft is shipping Viruses!
Re: were wolf 1996
Re: Virus concerns while using Netscape/www
Re: Does OS/2 need special treatment? (OS/2)
Re: Virus Checker for Macintosh (MAC)
Re: McAfee for protection (MAC)
Re: McAfee for protection (MAC)
Re: Virus Checker for Macintosh (MAC)
Re: Word Macro Viruses, defences (MAC,WIN)
Re: Word Macro Prank Virus (Concept) (MAC,WIN)
Re: Windows95 Virus Scanner (WIN95)
Chicago/Win95 : the Al Capone effect again? (WIN95)
McAfee Virusscan Windows95 (WIN95)
Re: F-Prot Professional and McAfee ViruScan for Win95 (WIN95)
Is this a virus? (WIN)
Re: How to detect quicksilver derivate ?? (PC)
Re: Info about Form-A (PC)
Re: Info about Form-A (PC)
Re: McAfee says: F-prot contains VCL-virus ? (PC)
Re: TB virus (PC)
Re: McAfee says: F-prot contains VCL-virus ? (PC)
Re: Virus:MONKEY_B + FORM_A (PC)
Re: HELP !!! OneHalf virus (PC)
unashamed virus (PC)
HD Corruption with Dr. Solomon's VirusGuard (PC)
F-prot + Parity_Boot-virus (PC)
Re: Free (or cheap) protection programs for DOS or WINDOWS? (PC)
Re: How to remove "Ekaterin" virus ? (PC)
Re: Anti-CMOS Virus? (PC)
Re: McAfee upgrades? (PC)
B1 virus with a twist (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available by anonymous FTP on CS.UCR.EDU.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Thu, 01 Feb 1996 00:43:19 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: will formatting a floppy kill viruses on it?
X-Digest: Volume 9 : Issue 11

James Owens <ad354@freenet.carleton.ca> writes:

>Will reformatting a floppy kill all viruses on it?
>
>Sorry if this seems like a silly question. I'm almost positive the
>answer's yes. I just need to be completely sure.

Depends on your definition of "kill."

FORMAT A: /U

will.  Just regular format will leave images, or unformat capability.

Jimmy
cjkuo@mcafee.com

[Moderator's note:  It helps if you are running the formatting
program from a clean system too...]

------------------------------

Date: Thu, 01 Feb 1996 04:22:11 -0500 (EST)
From: John Clark <jccomp@srvr.third-wave.com>
Subject: Re: will formatting a floppy kill viruses on it?
X-Digest: Volume 9 : Issue 11

Hint: Be sure to use the following switches:

/u /sys

then, you can reformat using just /u if you don't want it to be a system 
disk.

i.e

format a: /u /sys
format a: /u

the /u doesn't save unformat (VIRUS INFECTED) information, or read any 
file tables, and /sys makes sure the boot sector is rewritten.  The 
second /u just reformats without the boot sector.

Regards,
DiskDoctr
(John Clark)

------------------------------

Date: Thu, 01 Feb 1996 05:16:02 -0500 (EST)
From: Fridrik Skulason <frisk@complex.is>
Subject: Re: will formatting a floppy kill viruses on it?
X-Digest: Volume 9 : Issue 11

In <0002.01I0OMT1IGNYPVG5DD@csc.canterbury.ac.nz> James Owens
<ad354@freenet.carleton.ca> writes:

>Will reformatting a floppy kill all viruses on it?

yes.  However, if the reformatting is done on a machine where a boot
sector virus is currently active, it may be re-infected immediately.

-frisk

- - 
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

[Moderator's note:  Or if you reformat with the "transfer system
files" option while a file-infecting virus is active it may be
re-infected immediately.]

------------------------------

Date: Thu, 01 Feb 1996 05:55:44 -0500 (EST)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: will formatting a floppy kill viruses on it?
X-Digest: Volume 9 : Issue 11

James Owens (ad354@freenet.carleton.ca) wrote:
: Will reformatting a floppy kill all viruses on it?
: 
: Sorry if this seems like a silly question. I'm almost positive the
: answer's yes. I just need to be completely sure.

Not at all a silly question.

1) You have to be sure you re-format from a clean-booted, uninfected
system, obviously.

2) Use FORMAT with the /U switch (for Unconditional) that comes with DOS
5 and above: otherwise, FORMAT will attempt to save information which
will allow UNFORMAT to restore the previous formatting, which in this
case would not be desirable. For the same reason, you'd want to avoid
safe-formatting utilities like Norton's for a job like this, and I'd
personally avoid using Windows File Manager (if you *do* use it, make
sure the quick format box is unchecked). If you use a third-party
utility such as DiskFactory, make sure you can and do configure it to
do an unconditional format.

3) If you were really in paranoid mode and dealing with a disk
containing infected files (I've been assuming you're thinking about
boot-sector viruses, primarily), you might consider using a utility
such as Norton's WIPEINFO to make sure such files aren't undeleted by
some means.

David Harley

------------------------------

Date: Mon, 29 Jan 1996 12:09:09 -0500 (EST)
From: bit-man@TASA.com.ar
Subject: Re: Harddrive firmware virus possible?
X-Digest: Volume 9 : Issue 11

>Just yesterday I read that the most recent generation of harddrives no
>longer contain the firmware in ROM, but on a reserved track on the disk,
>which is booted on power up. The reason for this, should be, that the
>firmware is easily upgradeable.
>
>This is where I got some rather frightening ideas: if this code is
>accessible on a regular harddrive already in use, what precautions are
>there to prevent access?

When I began to work with COMPAQ computers and noted the capability to
download new firmware into motherboards, disks, controllers and so on (I
don't remember this capability being available in other machines), this
sounded great to me, because you can maintain your firmware up-to-date and
correct major problems due to errors in programming, add new functionalities
and so on. On the other side a virus could alter this firmware in the same
way, and ... well, you know, all will be problems.

>Please tell me that I am just being paranoid.
Well, almost there are two with paranoia in VIRUS-L   ;-)

Regards
     Victor A. Rodriguez
     El bit Fantasma
     Bit-Man@Tasa.Com.AR

------------------------------

Date: Mon, 29 Jan 1996 12:09:46 -0500 (EST)
From: William Hugh Murray <0003158580@mcimail.com>
Subject: Re: Lucky?
X-Digest: Volume 9 : Issue 11

>>>I have been using the net and BBS's for 5 years.  I have never
encountered a virus.  I consider myself very fortunate.  I watch with
interest some of the posts here but I have a question.  Where are most
people contracting these nasty programs?  I a

Count your blessings.  

The vector for the most successful viruses is the boot sector of
diskettes.  While the potential for the net and BBS to act as vectors is
high, in practice they have not been the problem.  

William Hugh Murray, CISSP

------------------------------

Date: Mon, 29 Jan 1996 10:40:26 -0500 (EST)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: Usefulness of AV people
X-Digest: Volume 9 : Issue 11

Nacho Man (ht_bui@ece.concordia.ca) wrote:
: I don't mean to sound like an asshole or anything but I'm just wondering
: how an anti-virus consultant could be useful. Since I started reading
: this newsgroup, I have seen a lot of OBVIOUS advice given by these
: so-called virus specialists: "You must reboot from a clean floppy and
: then run an anti-virus software" 

This sounds like a troll, but OK, I'll bite.... ;-) 

As Nick implies, those of us who've worked in support have 
encountered many people to whom that advice is far from
obvious.

: or "Boot from an uninfected floppy
: and format disk". 

I wouldn't have thought this was a common answer at all: not from a
virus-specialist, so-called or otherwise. It's hardly ever necessary
to format a hard disk to eradicate a virus, and frequently doesn't
achieve that aim anyway. It *is* sometimes a quick way to clean a
floppy, in which case all you need is a clean system to do it from,
not a clean floppy boot.

:I assume that people who ask these questions expect    
: more in-depth answers but I guess, giving it to them would be divulging
: sensitive information, right?

People who want in-depth answers tend to ask for them. If they don't 
give enough indication of what they want to know or what their problem
is, maybe they get a sketchier answer. Seems fair enough to me. 

Presumably you don't expect people to post trade secrets to a public
forum? What use would that be to you? And people with virus problems
don't want a crash-course in writing a polymorphic virus toolkit.

: This brings me to my questions: why do we need so many virus specialists
: if they all repeat the same thing? 

With respect, I don't think they do (except when people keep asking the
same questions), and I don't think you've followed this group very 
carefully. May I also point out that most of us are not actually paid
to do this?

: [Moderator's note:  Maybe you don't need such "expert" help -because-
: such things as "boot clean" are obvious to you, but from your tone you've
: obviously never worked on a Help Desk for more than ten minutes of your
: life...  8-)]

I hope he appreciates how lucky he is... B-)

David Harley
Virus Generalist....

------------------------------

Date: Mon, 29 Jan 1996 12:42:10 -0500 (EST)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: --> Could you help me write my senior integration paper? <--
X-Digest: Volume 9 : Issue 11

: For my ethical paper, I've chosen to write about the morality of software 
: piracy and copyright violation on the internet, and for the technical 
: paper, I'll be researching viruses - their creation, their authors, and 
: ways to counter them.  

: Could anyone suggest any books and/or journals that would deal with 
: these subjects?  I'm in need of good references and would greatly 
: appreciate any help anyone can offer!  Thanks very much.

The alt.comp.virus FAQ (yawn...) is intensely ethical, moral, and legal,
but doesn't deal with piracy and copyright violation. You might try

Computer Crime (Icove, Seger, Von Storch) - O'Reilly
Computer Law & Security Report (periodical) - Elsevier Advanced Technology

Also, try David J. Lundy's E-law paper:

	 http://www.leepfrog.com/E-Law/E-Law/

David Harley
Beginning to feel like an FAQ salesman....

------------------------------

Date: Mon, 29 Jan 1996 13:59:22 -0500 (EST)
From: Michael <mpemberton@boeing.hq.nasa.gov>
Subject: Re: Virus Database
X-Digest: Volume 9 : Issue 11

There is an extensive viral db at the ftp sites for third party
software on www.mcafee.com. The program is called VSUMX and has been
available and continually updated since about 1992 to the best of my
knowledge. It's a DOS based application with an amazing
cross-reference.

Hope this will help.

Mike.

mpembert@hq.nasa.gov

[Moderator's note:  According to expert opinion ensconced in the FAQ for
this list/group VSUM may not be the most accurate of references...]

------------------------------

Date: Mon, 29 Jan 1996 14:13:30 -0500 (EST)
From: chi@bluefin.net
Subject: Microsoft is shipping Viruses!
X-Digest: Volume 9 : Issue 11

About a month ago, I purchased a copy of MS Office '95 Standard, the
disk package.

Went to install it and on the 2nd disk, it crapped out. When I looked on
the disk, there was one file eo@349fj3(or something like that) with a date
of 00/00/21 with 0 bytes.

I have seen this before (long time ago) so I called Microsoft for a
replacement. I tried to install the replacement, however, now disk 4
crapped out. I got another replacement and same thing but different disk.
I got still ANOTHER replacement and disk 2 crapped out. Called them to
send me the CD-ROM version free of charge (which they did).

The vendor whom I purchased the original package from called me and told
me anyone who has purchased software or computers w/ software pre-
installed within the last 30 days could be infected with the virus NEWBUG.
I have a hard time believing that Microsoft wasn't aware of this problem
before I called.

This virus deletes and corrupts the files on floppies.... so far.....  :|

Hopefully the CD-ROM version will be free from this annoyance..

Hope this helps someone!

[Moderator's note:  Serious allegation.  Did you take all the right
antivirus precautions spelled out in the FAQ?  Are you sure you didn't
have an undetected infection before trying to install Office?  Did the
vendor mean -they- had been shipping infected machines/software?  How did
a BSI/MBR infect your PC from installing application software?

No offense intended here, but your whole story sounds slightly hysterical
and as if you do not understand some fairly basic antivirus issues. 
Please read the v2.00 FAQ--ftp://cs.ucr.edu/pub/virus-l/vlfaq200.txt.]


------------------------------

Date: Mon, 29 Jan 1996 16:25:24 -0500 (EST)
From: "Mikko H. Hypponen" <Mikko.Hypponen@datafellows.com>
Subject: Re: were wolf 1996
X-Digest: Volume 9 : Issue 11

Super D <perderea@worldnet.net> wrote:
> Does anyone know the new virus WEREWOLF 1996 ?

It's a pretty new virus which is apparently written
in France. The variant I've analysed was a resident
infector of COM and EXE files with directory-stealth.

There's a full description in the Virus Description
Database at www.DataFellows.com.

- - 
        Mikko Hermanni Hypponen - Mikko.Hypponen@DataFellows.com  
  Data Fellows Ltd's F-PROT Pro Support: F-PROT-Support@DataFellows.com
Computer virus information available via web: http://www.DataFellows.com/

------------------------------

Date: Mon, 29 Jan 1996 17:59:19 -0500 (EST)
From: Tom Boldway <jboldway@student.umass.edu>
Subject: Re: Virus concerns while using Netscape/www
X-Digest: Volume 9 : Issue 11

It is possible to get infested without downloading any files. I was 
goofing around on the net using an older version of netscape, went to 
mail and post a reply on a newsgroup, and got the message "no spool 
space," or something like that. On reboot the next day, the computer 
would not boot properly. I found my missing mail message in config.sys, 
and other files in the root directory contained other bits of netscape 
stuff or four squares starting the file. 

Just to let you know. . . .

[Moderator's note:  Thanks Tom, but the original poster asked if you could
get viruses from browsing the net--your story is about software blowing up
and trashing your machine.  If you don't understand the difference, please
desist from posting "helpful" replies (that will rile the real experts
that read and possibly mislead less technically competent readers) until
you understand the full contents of the FAQ for this list/group.]

------------------------------

Date: Thu, 01 Feb 1996 05:13:25 -0500 (EST)
From: Fridrik Skulason <frisk@complex.is>
Subject: Re: Does OS/2 need special treatment? (OS/2)
X-Digest: Volume 9 : Issue 11

In <0006.01I0OMT1IGNYPVG5DD@csc.canterbury.ac.nz> James Owens
<ad354@freenet.carleton.ca> writes:

>I have an OS/2 system (DOS and OS/2 on one hard drive). If I boot
>from a DOS installation diskette and scan (from a scanner on the hard
>drive), does this do everything I need?

With respect to DOS viruses, yes.   As for OS/2 viruses, there is one problem:
a DOS scanner might not be able to find them, if they infect a file with a
"long" filename.  OS/2 scanners will of course not have that problem.

-frisk

- - 
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Mon, 29 Jan 1996 09:56:39 -0500 (EST)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: Virus Checker for Macintosh (MAC)
X-Digest: Volume 9 : Issue 11

Greg Keogh (greg@werple.mira.net.au) wrote:
: I have a colleague who wants a professional high-quality virus checker 
: for his Macintosh. I'm a PC specialist, and know almost nothing about 
: Macs, but I promised to help him by posting a news message on his behalf.

For a start, try Disinfectant, available from the following sources (and
don't let the fact that it's freeware lead you into underestimating its
quality). Gatekeeper is also highly regarded.

        ftp://ftp.acns.nwu.edu/pub/disinfectant
        CompuServe
        GEnie
        America Online
        Calvacom
        Delphi
        BIX
        sumex-aim.stanford.edu
        rascal.ics.utexas.edu
        comp.binaries.mac

From the alt.comp.virus FAQ:

"Disinfectant is an excellent anti-virus package: however, it doesn't
catch much in the way of hypercard infectors or trojans, nor does it
detect Word 6 macro viruses.

For other mac packages, try Info-Mac mirrors like:

        ftp://ftp.ucs.ubc.ca/pub/mac/info-mac/vir/

The University of Texas holds the latest versions of Disinfectant and
Gatekeeper, and some documentation on Mac viruses.

        http://wwwhost.ots.utexas.edu/mac/pub-mac-virus.html

Commercial packages include SAM (Symantec) and Virex. Dr. Solomon's
AntiVirus ToolKit for Macintosh is about to be released."

: I couldn't find a newsgroup devoted to macs, but I'm sure there must be 
: one. Please feel free to cross-post this message into the appropriate 
: newsgroups if you know where they are.

There are lots hiding as 

	comp.sys.mac.*

------------------------------

Date: Mon, 29 Jan 1996 10:02:44 -0500 (EST)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: McAfee for protection (MAC)
X-Digest: Volume 9 : Issue 11

Edward M. Sikorski (sikorski@tucson.Princeton.EDU) wrote:
: I read somewhere that McAfee had commercialized Disinfectant. Is this
: correct? 

There is, apparently, a McAfee-ized version. I have an idea it's supposed
to be optimized for the PowerMac, but initial reports have been 
unenthusiastic. I'm checking this out.

: Will Disinfectant no longer be available/upgraded?

Version 3.6 is still available at North-Western. I don't know the upgrade
situation.

: What solutions are available for the Mac (other than SAM, Virex)???

Once more, from the alt.comp.virus FAQ:

"For other mac packages, try Info-Mac mirrors like:

        ftp://ftp.ucs.ubc.ca/pub/mac/info-mac/vir/

The University of Texas holds the latest versions of Disinfectant and
Gatekeeper, and some documentation on Mac viruses.

        http://wwwhost.ots.utexas.edu/mac/pub-mac-virus.html

Commercial packages include SAM (Symantec) and Virex. Dr. Solomon's
AntiVirus ToolKit for Macintosh is about to be released." (RSN...)

For further info on SAM/CPAV for Mac, try 

	www.symantec.com

For further info on Dr S's, try

	www.drsolomon.com

David Harley
- -----------

------------------------------

Date: Mon, 29 Jan 1996 12:47:49 -0500 (EST)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: McAfee for protection (MAC)
X-Digest: Volume 9 : Issue 11

Edward M. Sikorski (sikorski@tucson.Princeton.EDU) wrote:
: I read somewhere that McAfee had commercialized Disinfectant. Is this
: correct? Will Disinfectant no longer be available/upgraded?
: What solutions are available for the Mac (other than SAM, Virex)???

In a press release dated December 5th, McAfee say

"Although VirusScan version 1.0 is based upon source code licensed from 
Northwestern University's Disinfectant product, McAfee will support and 
evolve VirusScan independently."

They don't say that NWU will go on developing it, but I guess they 
wouldn't, would they?

DH

------------------------------

Date: Mon, 29 Jan 1996 14:29:59 -0500 (EST)
From: Joerg Erdei <a8101gbb@helios.edvz.univie.ac.at>
Subject: Re: Virus Checker for Macintosh (MAC)
X-Digest: Volume 9 : Issue 11

Greg Keogh <greg@werple.mira.net.au> wrote:
>I have a colleague who wants a professional high-quality virus checker 
>for his Macintosh. I'm a PC specialist, and know almost nothing about 
>Macs, but I promised to help him by posting a news message on his behalf.
>
>I couldn't find a newsgroup devoted to macs, but I'm sure there must be 
>one. Please feel free to cross-post this message into the appropriate 
>newsgroups if you know where they are.

Most popular commercial virus checkers are Virex and Symantec Antivirus for
Macintosh (SAM). Both programs can scan and disinfect, have functions to
look inside compressed files and are more or less able to watch network
incomes. Both have some sort of unknown-virus-detection by monitoring
the Mac's activity and alerting the user if they find something suspicious.
That however needs some knowledge, for you will get alerts with certain
programs and in certain situations about things that are perfectly normal.

If it is a stand-alone Mac, the best virus checker is the free Disinfectant
(although it won't detect trojans or specialities like WordMacro or
HyperCard scripts a la MerryChristmas). The Disinfectant manual however is
worth a look, for it contains lots of info about the different viruses on
Macs.  The best shareware protection against unknown viruses has been
GateKeeper, but that program is discontinued. Rumor some months ago was
that a new version would be available soon, but nothing till now.

Most newsgroups devoted to the Mac can be found in the comp.sys.mac* hierarchy.
As there is no Mac virus group, this should go into the less specialist
groups like comp.sys.mac, comp.sys.mac.misc, alt.sys.mac.newuser-help and
alt.sources.mac.

You may also find aus.computers.mac useful.

Joerg Erdei

------------------------------

Date: Thu, 01 Feb 1996 05:18:15 -0500 (EST)
From: David Harley <harley@europa.lif.icnet.uk>
To: virus-l@csc.canterbury.ac.nz
Subject: Re: Suspected PowerMac virus (maybe PC too) (MAC,PC?)

william pipher (william@vax.library.utoronto.ca) wrote:
: David Harley wrote:

: > I can't help wondering why you tolerate, let
: > alone trade disks with a PC known to be completely infested
: > with viruses. 

: David, student PC labs are a lot like public washrooms in the
: subway metro.  For political reasons they must be provided, but
: there is nothing that staff can do but hold their nose and
: hose 'em down from time to time.  They cannot be secured, they
: cannot be kept very clean, and people cannot be barred from 
: using the facilities on the basis of competence or good manners.

A while ago, there was a thread in alt.comp.virus about whether 
PC support staff felt there were viable analogies between themselves
and medical staff. My main contribution at the time was to suggest
that plumbing was more like it, but perhaps washroom attendant is a
bit nearer.... 

Sorry if I sounded a bit high-minded and censorious: I didn't mean to
be. Reading your note makes me count my blessings: we do have
postgrads on this site, and common-access machines, but nothing like
the problems you evidently have - something to do with older students
who actually have to work for their daily bread, perhaps. Do you
attempt to enforce any access-control procedures - sheepdip PCs,
diskette-authorisation?

Might be interesting to know what other people do in these circumstances.

David Harley

------------------------------

Date: Mon, 29 Jan 1996 12:10:07 -0500 (EST)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: Word Macro Viruses, defences (MAC,WIN)
X-Digest: Volume 9 : Issue 11

A. Padgett Peterson, P.E. Information Security (PADGETT@hobbes.orl.mmc.com) 
wrote:

: The easy answer would be to disable the automatic execution of macros
: found in documents (they are supposed to be only in templates but WORD
: does not seem to care so long as the format of the file is correct).

Easy, but not altogether effective. The infective mechanism used by Colors
is not dependent on automacros being enabled, but on the infected document
being the default template (as it becomes when it's opened). Nice touch.
Also the fact that it proceeds to re-enable automacros...

I think that technically a document with macros *is* a template: one of
the side effects of macro viruses is that they block attempts to save
a document *as* a document rather than a template. This can generate an
error message in Concept, as I remember.

: Why do we suddenly have WORD viruses (and Excel for that matter) ? Because
: M$ decided to add file manipulation and execution capability to the macro
: language (Word 2.0 had macros but they were not so powerful).

Indeed they weren't, but it wouldn't be impossible to write an infective
macro using Word 2 only. I don't know why 1995 became *the* year of the
macro virus, rather than 1992.

: 2) Open WORD. Pull down TOOLS/OPTIONS, select SAVE, select "Prompt to
:    save Normal(.DOT). 

: 3) Open WORD. Pull down TOOLS/MACRO. Type in "AUTOEXEC" and select "CREATE"
:    (if you get "EDIT" instead you already have an autoexec macro. Do you 
:    know what it does ?).
:    between "SUB MAIN" and "END SUB" which will appear, enter the two lines:
: 	DisableAutoMacros
: 	MsgBox "Automatic Macro Execution Disabled",-1
:    Then select FILE/SAVE TEMPLATE
:    (the "-1" will cause the message to appear briefly on the status line 
:    instead of opening a dialog box the user will have to clear on every 
:    opening)

Yes, but Colors subverts ToolsMacro: this is the problem with a macro 
language that allows you to redefine practically every command available.

'Paranoia strikes deep.....'

: 5) Use some other browser to read your E-Mail (I use FTP's KEYVIEW which
:    comes with ONNET 2.0 (plug) - MSVIEWER is available for free download
:    from MS but takes as long as WORD to load - talk about code bloat...

From recent experience of www.microsoft.com, it probably takes as long as
Word to *down*load, too B-(

: 6) Know what is supposed to be in your TOOLS/MACROS listing. Notice if
:    something new appears (see 5). Note: while you have a DELETE option
:    available, if WORD is infected, can you trust it. See item (4).

Exactly. You can't trust a subverted command.

: Of course if you, like me, use WordStar 7.0 mostly, you have no problem 8*).

I still have a laptop running WordStar 4: runs off a floppy, if necessary.
That's *my* kind of WP... B-)

David Harley
Professional Paranoid

------------------------------

Date: Mon, 29 Jan 1996 16:54:06 -0500 (EST)
From: Padgett 0sirius <padgett@goat.orl.mmc.com>
Subject: Re: Word Macro Prank Virus (Concept) (MAC,WIN)
X-Digest: Volume 9 : Issue 11

In article <0024.01I0LP4Q7OWKPCQYD3@csc.canterbury.ac.nz> David Harley
<harley@europa.lif.icnet.uk> writes:

>: You might wish to use one of Word's auto-execute macros to your
>: advantage. Under Tools/Macro, create a macro called AutoExec that
>: looks like this:
>:
>:    Sub MAIN
>:       DisableAutoMacros
>:       MsgBox "AutoMacros off!", "Safety First!", 64
>:    End Sub

Is an excellent solution except would suggest substituting "-1" for the 
"64" - that way the message appears on the status line and the user does
not have to clear a dialogue box.

BTW the "SCANPROT.DOT" Micro$oft includes with WD1215 has two major flaws 
IMNSHO:
1) It allows the user to turn automacros back on
2) Does not check on files opened by a doubleclick on a ccMail attachment
   (think it uses same mechanism as "drag & drop" - see the fine print
   inside the README)

If anyone knows how to write a macro that *will* intercept this kind of
(mail launched) file opening, I would appreciate the information.

			A. Padgett Peterson, P.E.
                        Cybernetic Psychophysicist
		   Totally Obsessed with TransOceanics
		      My other car is a Pontiac too
			   We also walk dogs
	 	       PGP 2.7 Public Key Available

------------------------------

Date: Thu, 01 Feb 1996 04:22:42 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Windows95 Virus Scanner (WIN95)
X-Digest: Volume 9 : Issue 11

Vesselin Bontchev <bontchev@complex.is> writes:
>Jeff Weyenberg <weyenber@foxvalley.tec.wi.us> writes:

>> Has anyone found a good Virus Scanner for Windows95?
>
>Most DOS virus scanners should work pretty well in a DOS box under
>Windows95. Nevertheless, most major anti-virus producers (us included)
>do offer Windows95 versions of their products.

Not necessarily if you are using it in combination with a VxD.
The VxD should catch and prevent the DOS scanner from seeing any
infected files.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Thu, 01 Feb 1996 04:22:34 -0500 (EST)
From: "A.Appleyard" <A.APPLEYARD@fs2.mt.umist.ac.uk>
Subject: Chicago/Win95 : the Al Capone effect again? (WIN95)
X-Digest: Volume 9 : Issue 11

Dave.Gymer@lambada.oit.unc.edu wrote to the email circular
djgpp@sun.soe.clarkson.edu (which is about Gnu C/C++ & related
programs):-

> Win95 seems to suffer from the same thing NT does - it can't cope with
> nested DPMI tasks ... you can't run [the Gnu C compiler] from within the
> DJGPPv2 make ... [it] consistently crashes Win95 out cold. If you've got a
> real-mode or Win32 make then you'll probably be okay.

  Re long filenames: "Undocumented DOS, 2nd edition" (ISBN 0-201-63287-X) p423
gives this example of a Chicago (= DOS7/Win95 system) directory that contains
a file THISIS~1.TES (short name) alias `this.is.a.test.of.foo.barsky.tester'
(long name) (and also the usual `.' and `..') :-
  (usual dir format is (N=name, X=extension, A=attrib, R=reserved, T=time,
D=date, C=1st cluster addr, S=size in bytes):-
        n  n  n  n  n  n  n  n  x  x  x  a  r  r  r  r   NNNNNNNNXXXARRRR
        r  r  r  r  r  r  t  t  d  d  c  c  s  s  s  s   RRRRRRTTDDCCSSSS )
  0000  2E 20 20 20 20 20 20 20 20 20 20 10 00 00 00 00  .          _____
  0010  00 00 00 00 00 00 F1 76 2D 1B 02 00 00 00 00 00  _______v-_______
  0020  2E 2E 20 20 20 20 20 20 20 20 20 10 00 00 00 00  ..         _____
  0030  00 00 00 00 00 00 F1 76 2D 1B 00 00 00 00 00 00  _______v-_______
  0040  12 6B 79 2E 74 65 73 74 65 72 00 0F 00 B9 FF FF  _ky.tester______
  0050  FF FF FF FF FF FF FF FF FF FF 00 00 FF FF FF FF  ________________
  0060  01 74 68 69 73 2E 69 73 2E 61 2E 0F 00 B9 74 65  _this.is.a.___te
  0070  73 74 2E 6F 66 2E 66 6F 6F 2E 00 00 62 61 72 73  st.of.foo.__bars
  0080  54 48 49 53 49 53 7E 31 54 45 53 20 00 00 00 00  THISIS~1TES ____
  0090  00 00 2D 1B 00 00 F8 76 2D 1B 03 00 07 00 00 00  __-____v-_______

The long filename can be <=254 chars long. The directory entries that contain
it are attrib'ed as readonly hidden system volumenames, avoiding the first
name byte and the cluster address and the attribute and the first two reserved
bytes. Thus a long filename can occupy up to 10 entry spaces. Several new DOS
interrupts `AH=71h, AL=xx, int21' will do the same as `AH=xx, int21' but using
the longname instead of the short name. This system differs from OS/2's long
name system. It is designed to avoid trouble when Chicago'ed floppies are
operated on by older versions of DOS. (Or if someone doesn't want Win95 after
all and goes back to an older DOS and Windows.) But I can foresee these
troubles, which people may blame on viruses:-
  Anything such as Norton DS (directory sorter) which rearranges directory
entries and/or packs directory entries up eliminating gaps where entries have
been deleted, will make a pig's ear out of the longname system.
  The bulk of the longnames will make directories much longer and will make
directory handling slow.
  Erasing a file under an older DOS or Windows won't erase its longname, but
the longnames will remain as tramp extra volume names, or some other later new
file entry will pick it up.
  The text editors Micro-Emacs and Freemacs (and thus likely many other
programs) do not overwrite the new file onto the old file, but write the new
version onto a workfile, then delete the old file, then rename the workfile to
have the name of the old file. This moves the file's directory entry away from
its longname. (And shuffles the directory entries. @#%$ nuisance trick, if I
edit several files in the same directory.)
  As file entries including their longnames are various lengths, directories
are likely to get long and gappy like a disk which has gone too long without
being DEFRAG'ed. Until someone writes a directory-tidier specially for
Chicago.
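As an added example (not part of Appleyard's post or of the book he quotes), here is a Python parser for the directory image above that reassembles the long name from its fragments, verifies the short-name checksum, and reports fragments left without an owner, which is exactly what the directory-sorter, delete and rename scenarios produce. It decodes the layout visible in the dump: the sequence-number mask and the 0x10 last-fragment flag are inferred from the two fragment entries shown (an assumption), and released Win95 VFAT differs (UCS-2 text, 13 characters per entry, 0x40 as the last flag), while the checksum algorithm is the same.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Directory image quoted in the post (Undocumented DOS, 2nd ed., p423):
# offset column followed by 16 bytes per line; the ASCII column is dropped.
CHICAGO_DUMP = """
0000  2E 20 20 20 20 20 20 20 20 20 20 10 00 00 00 00
0010  00 00 00 00 00 00 F1 76 2D 1B 02 00 00 00 00 00
0020  2E 2E 20 20 20 20 20 20 20 20 20 10 00 00 00 00
0030  00 00 00 00 00 00 F1 76 2D 1B 00 00 00 00 00 00
0040  12 6B 79 2E 74 65 73 74 65 72 00 0F 00 B9 FF FF
0050  FF FF FF FF FF FF FF FF FF FF 00 00 FF FF FF FF
0060  01 74 68 69 73 2E 69 73 2E 61 2E 0F 00 B9 74 65
0070  73 74 2E 6F 66 2E 66 6F 6F 2E 00 00 62 61 72 73
0080  54 48 49 53 49 53 7E 31 54 45 53 20 00 00 00 00
0090  00 00 2D 1B 00 00 F8 76 2D 1B 03 00 07 00 00 00
"""

ENTRY_SIZE = 32
ATTR_LFN = 0x0F       # read-only + hidden + system + volume label: an LFN fragment
LFN_LAST = 0x10       # flags the final fragment in this dump (released VFAT uses 0x40)
LFN_SEQ_MASK = 0x0F   # sequence bits; inferred from the 0x12 and 0x01 entries (assumption)

def hexdump_to_bytes(dump: str) -> bytes:
    out = bytearray()
    for line in dump.strip().splitlines():
        out += bytes(int(h, 16) for h in line.split()[1:17])  # skip the offset column
    return bytes(out)

def short_name_checksum(name11: bytes) -> int:
    """Rotate-right-and-add over the 11-byte 8.3 name; stored in byte 13 of each fragment."""
    s = 0
    for c in name11:
        s = (((s & 1) << 7) + (s >> 1) + c) & 0xFF
    return s

def lfn_fragment(entry: bytes) -> str:
    """Text of one fragment: bytes 1-10, 14-25 and 28-31, 0x00-terminated, 0xFF-padded.
    Bytes 11-13 (attribute, reserved, checksum) and 26-27 (cluster, kept 0) are skipped."""
    raw = entry[1:11] + entry[14:26] + entry[28:32]
    end = raw.find(b"\x00")
    if end >= 0:
        raw = raw[:end]
    return raw.replace(b"\xff", b"").decode("latin-1")

@dataclass
class DirEntry:
    short_name: str
    long_name: Optional[str]
    attr: int
    cluster: int
    size: int

def parse_directory(image: bytes):
    """Return (entries, orphans).  A long name is attached to an 8.3 entry only when its
    fragments sit immediately before that entry and carry its checksum; fragments left
    without such an owner (the sorter/delete/rename cases) are returned as orphans."""
    entries, orphans = [], []
    pending, pending_sum = {}, None

    def flush_orphans():
        if pending:
            orphans.append("".join(pending[k] for k in sorted(pending)))
        pending.clear()

    for off in range(0, len(image) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = image[off:off + ENTRY_SIZE]
        if e[0] == 0x00:                 # never-used slot: end of directory
            break
        if e[0] == 0xE5:                 # deleted slot
            continue
        if e[11] == ATTR_LFN:
            if pending and e[13] != pending_sum:   # fragments of some other name
                flush_orphans()
            pending[e[0] & LFN_SEQ_MASK] = lfn_fragment(e)
            pending_sum = e[13]
            continue
        name11 = e[:11]
        base = name11[:8].rstrip(b" ").decode("latin-1")
        ext = name11[8:].rstrip(b" ").decode("latin-1")
        long_name = None
        if pending and pending_sum == short_name_checksum(name11):
            long_name = "".join(pending[k] for k in sorted(pending))
            pending.clear()
        else:
            flush_orphans()
        cluster, size = struct.unpack_from("<HI", e, 26)
        entries.append(DirEntry(base + ("." + ext if ext else ""), long_name, e[11], cluster, size))
    flush_orphans()
    return entries, orphans

def reorder_entries(image: bytes, order) -> bytes:
    """Rebuild the directory with its 32-byte slots in the given order, the way a
    sorter that knows nothing about LFN fragments would rearrange them."""
    slots = [image[i:i + ENTRY_SIZE] for i in range(0, len(image), ENTRY_SIZE)]
    return b"".join(slots[i] for i in order)
```

Running `parse_directory` on the dump yields `THISIS~1.TES` with its full long name; running it on `reorder_entries(image, [0, 1, 4, 2, 3])` (the short entry sorted ahead of its fragments) yields the same short name with no long name and the 35-character name reported as an orphan.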

------------------------------

Date: Mon, 29 Jan 1996 10:31:41 -0500 (EST)
From: Fredrik B <Fredrik.Bostroem@hugin.stud.hks.se>
Subject: McAfee Virusscan Windows95 (WIN95)
X-Digest: Volume 9 : Issue 11

Hi, I am using McAfee for Windows95 ver.1.20 something and when I run
it, it locks up (like totally crashes, dude :) my system after a while,
usually after it has scanned my msoffice folder and the files in it.
My question is: 1. What is wrong? 2. What do I do to fix it? 3. Is
there anyone out there with the same problem? 4. How am I going to
pass my next exam if I keep reading all these letters:-) ?

Thanks in advance.

/Fredrik

------------------------------

Date: Mon, 29 Jan 1996 08:07:52 -0500 (EST)
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: F-Prot Professional and McAfee ViruScan for Win95 (WIN95)
X-Digest: Volume 9 : Issue 11

In-Reply-To: <01I0LP4Q7OWKPCQYD3@csc.canterbury.ac.nz>
George Wenzel <gwenzel@gpu.srv.ualberta.ca> writes:

> I will be evaluating most of the Win95 software in my review.  Of
> course, it will be a little while before the review is done, as it
> is just in the preliminary stages.  It will probably be out by the
> end of February.  Due to resource limitations, however, I won't be
> able to test the VxD portions of the programs.

That's a shame George, as VxDs will be the primary defence against 
viruses for most users.  It would also have been interesting to see which 
products had successfully implemented their full virus-finding engine in 
their VxD on-access scanner (for example, interception of Word macro 
viruses).

Anyway, there's an easy way for you to test the VxDs:

Simply copy the virus-infected files from one directory to another.  A 
working VxD will intercept the file access and prevent any virus it knows 
about.  In the destination directory you end up with all the viruses it 
missed.  Simple!

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Thu, 01 Feb 1996 05:09:07 -0500 (EST)
From: "R.Manuel" <cm6065@ccub.wlv.ac.uk>
Subject: Is this a virus? (WIN)
X-Digest: Volume 9 : Issue 11

Recently we have had virus problems on our academic network of
about 70 machines. 3 viruses turned up, stoned.angelina, from_e,
& antiexe. However on some machines, whilst running windows 3.11,
letters are being removed from buttons within applications, both
in programs like Power Point & in student programs, using
Toolbook.

I've looked up the results of these viruses, under the web site
http://www.symantec.com/ , & none seem to be able to produce
these effects. My employer & the students believe this to
be a virus problem, but I am unsure whether it might be,
or if it is how to fix it.

I am using McAfee VirusScan for DOS (Jan 95 release).

Thank you, rob.

------------------------------

Date: Thu, 01 Feb 1996 00:46:01 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: How to detect quicksilver derivate ?? (PC)
X-Digest: Volume 9 : Issue 11

Erik Lenha <eriklenha@aol.com> writes:

>My PC is infected by a quicksilver or one of its derivatives (at least it
>shows the typical effect of scrolling the DOS-Screen)

Scrolling the screen?  Who/What told you that it was a "typical effect?"
Quicksilver is named so because it has no effects.  It was a word
picked from the dictionary under "Q".

>It is said that McAfee is able to recognize it, but booting from a
>clean Systemdisk neither McAfee 2.2.9 nor F-Prot nor TBAV are able
>to identify or remove it.

Yes, these products should detect it.  It's at least half a year old.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Thu, 01 Feb 1996 04:22:21 -0500 (EST)
From: Bruce Burrell <bpb@stimpy.us.itd.umich.edu>
Subject: Re: Info about Form-A (PC)
X-Digest: Volume 9 : Issue 11

Koen Van de Velde (proviron@glo.be) wrote:
> This week I found the Form-A virus on one of my boot-floppies.
> I immediately disinfected it with McAfee Scan 2.2.9 (01/96) and it
> seems to be clean now.
> 
> It is a floppy that I use to boot new pc's and install the network
> software with. So I would expect that some of the PC's would be 
> infected too, but till now I didn't find a thing.

   You must live correctly, then!  Somebody up there likes you... I 
suggest that you keep those boot floppies locked from now on, just in  
case your Guardian Angel falls asleep some time.
 
> What I was wondering: is it possible for the Form-A virus to get on 
> our network (Novell Netware 4.1, VLM-client software) and if so,
> how can I check/clean it ?

   Only if you boot the server from an infected floppy; that's the only 
way FORM spreads.  If a server is infected this way, boot from an 
uninfected locked DOS floppy and run your AV software from the floppy to 
disinfect it.  If you usually use the Windows version of McAfee, you'll 
want to use the DOS version here, of course.

   -BPB

------------------------------

Date: Thu, 01 Feb 1996 04:22:57 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Info about Form-A (PC)
X-Digest: Volume 9 : Issue 11

Koen Van de Velde <proviron@glo.be> writes:

>This week I found the Form-A virus on one of my boot-floppies.
>I immediately disinfected it with McAfee Scan 2.2.9 (01/96) and it
>seems to be clean now.
>
>It is a floppy that I use to boot new pc's and install the network
>software with. So I would expect that some of the PC's would be 
>infected too, but till now I didn't find a thing.
>
>What I was wondering: is it possible for the Form-A virus to get on 
>our network (Novell Netware 4.1, VLM-client software) and if so,
>how can I check/clean it ?

It is not possible to get it on the network.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Thu, 01 Feb 1996 04:23:22 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: McAfee says: F-prot contains VCL-virus ? (PC)
X-Digest: Volume 9 : Issue 11

bontchev@complex.is (Vesselin Bontchev) writes:

>Anyway, in version 2.21 we changed the implementation of the decryption
>algorithm slightly, so that it is not matched by that tiny scan string
>that SCAN uses. I was left with the impression that the developers of
>SCAN intended to change their scan string too - obviously they haven't.

Because you were going to address it so easily, and my next opportunity
to address this in code wouldn't be until March, I hadn't done it yet.

If it wouldn't have been as easy for you, I would have done it earlier.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Thu, 01 Feb 1996 04:23:15 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: TB virus (PC)
X-Digest: Volume 9 : Issue 11

Ron Bombard <bh081@freenet.Buffalo.EDU> writes:

>Anyone know anything about a new virus, TB1?  Just detected it on a PC 
>using  Nortons AntiVirus 3.0  It found it, named it, and killed it.  
>There was no information about it though.

It's a known false id from a NAV DAT set from summer of 95.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Thu, 01 Feb 1996 05:19:10 -0500 (EST)
From: Fridrik Skulason <frisk@complex.is>
Subject: Re: McAfee says: F-prot contains VCL-virus ? (PC)
X-Digest: Volume 9 : Issue 11

In <0015.01I0OMT1IGNYPVG5DD@csc.canterbury.ac.nz> bontchev@complex.is
(Vesselin Bontchev) writes:

>"detects", is the part of F-PROT's code (not a scan string) which does
>the generic decryption of the VCL viruses - using the same decryption
>algorithm as them. :-)

Uh, no...not VCL... it was a part of the CLME detection, I think...an entirely
unrelated virus, at least.

-frisk

- - 
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Thu, 01 Feb 1996 06:38:15 -0500 (EST)
From: Arlene Schiffman <arlenes@holly.colostate.edu>
Subject: Re: Virus:MONKEY_B + FORM_A (PC)
X-Digest: Volume 9 : Issue 11

>Try the following:
>
>On a bootable floppy copy fdisk.exe.  Boot from the floppy and 
>enter the command "a:\fdisk /mbr"  this undocumented option 
>(/mbr) will rebuild the master boot record and hopefully get 
>that monkey off your back.  This has worked on other pcs but I 
>have never tried this fix on a thinkpad.  Note: /mbr will not 
>wipe your harddisk.
>
>If this doesn't work try norton disk doctor from a bootable 
>floppy. NDD will also rebuild a corrupted Master boot record.

We have a few computers that were infected by the Monkey Virus.  I
took a suggestion to try making a boot disk and putting fdisk.exe on
it then after booting up with the new disk using the command fdisk
/mbr.  Well, it worked on most of the computers but on three they are
now saying invalid partition table.  HELP please!  These cannot boot
up and even if you use the boot disk (which is clean) I still cannot
find the C: drive due to the virus.

Arlene

[Moderator's note:  The old "hammer" problem...  You need good disk
doctor/recovery software, though, depending on the virus(es) that
were active on the afflicted machines very good professional
assistance may be more important.

Before anyone who reads this list/group -EVER- again uses FDISK /MBR,
-PLEASE- read the warnings about the correct use of it in Q&A C3 in
the V2.0 FAQ]

------------------------------

Date: Thu, 01 Feb 1996 06:51:48 -0500 (EST)
From: NAGY FERENC LaSZLo <NFL@labor.obuda.kando.hu>
Subject: Re: HELP !!! OneHalf virus (PC)
X-Digest: Volume 9 : Issue 11

> From: Noam Graetz <graetz@actcom.co.il>
> Subject: HELP !!! OneHalf virus (PC)

> I have been infected !!!
> by one-half virus which destroyed my MBR.
> can anyone out there help me
> reconstruct my MBR ? ? ?

     I know this virus very well. It's a common virus in Hungary.
(3544 byte version)
     One Half doesn't destroy the MBR, but infects it. It also infects EXE
and COM files on floppy or network. When active in the MBR it encrypts two
tracks each time the system boots. If you overwrite the virus with
FDISK /MBR, you will lose the encrypted part of the HD, because the
key is in the MBR. Don't do it! And don't use F-PROT! (F-PROT is the best
against any other viruses.) There are programs which both decrypt the
hard disk and kill the virus.
     I propose ONEHALF.EXE instead of my own AV program. ONEHALF.EXE is
available at the Slovak Antivirus Center (ftp.elf.stuba.sk)
==================================
     My question: Several months ago I got 77-byte hidden files from 2
different sources. These appear with each program file, with the name
*._co and *._ex (or something). No recognizable text or code in it. Is
there a virus or AV program that does this?

     Next time I consult my English teacher before I send a letter.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Nagy Ferenc Laszlo                   E-mail: nfl@labor.obuda.kando.hu
PGP key fingerprint= 71 01 22 23 D4 CD 30 04  07 47 EC 81 EF AD 52 65

------------------------------

Date: Wed, 31 Jan 1996 12:05:01 +0000
From: Haymee_Perez_Cogle@angonet.gn.apc.org
Subject: unashamed virus (PC)
X-Digest: Volume 9 : Issue 11

We got the unashamed virus, all disks and the majority of the HD are
damaged. I tried Toolkit, NAV and nothing, they recognize the virus
but don't clean it.
Any help is welcomed. Thanks,

haymee

------------------------------

Date: Thu, 01 Feb 1996 07:38:56 -0500 (EST)
From: gbv55375@ibmmail.com
Subject: HD Corruption with Dr. Solomon's VirusGuard (PC)
X-Digest: Volume 9 : Issue 11

Can anyone help with the following problem we are experiencing when
using VirusGuard (Dr. Solomon's AVTK) from version 7.x onwards.

Each PC on the LAN logs into a SCAN id which is set to run VirusGuard
followed by FindVirus.  Everything was fine until we upgraded to
version 7 of AVTK.  PCs from all over the business began experiencing
hard disk corruptions: lost clusters; cross-linked files; etc.

By returning to version 4.57 of VirusGuard the problem disappeared. 
When version 7.5 was received we tried again and once again the
problem returned.  The corruption seems to affect all PCs - 486s,
Pentiums, various models of PCs, various versions of DOS, etc.  No
consistency could be found.

We contacted Dr. Solomon's - but they could not explain the problem. 
They suggested we add the /NOMEM option but it made no difference.  I
believe the problem is related to Windows 3.1/3.11, however I have no
evidence.

Has anyone experienced this situation?

Cheers, Andrew Doble      E-mail: gbv55375@ibmmail.com

------------------------------

Date: Thu, 01 Feb 1996 07:42:22 -0500 (EST)
From: Robert Pietschmann <pietsch@rummelplatz.uni-mannheim.de>
Subject: F-prot + Parity_Boot-virus (PC)
X-Digest: Volume 9 : Issue 11

I used F-prot 2.21 for the first time ever to make a virus-scan.
What happened?

I received the message: Parity_Boot virus in memory.
What am I supposed to do - for F-Prot doesn't make any efforts to
remove it?

What kind of virus is this anyway?

Thanks.

------------------------------

Date: Mon, 29 Jan 1996 09:57:21 -0500 (EST)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: Free (or cheap) protection programs for DOS or WINDOWS? (PC)
X-Digest: Volume 9 : Issue 11

Mark West (mwest@earthlink.net) wrote:
: Mikal Ziane <ziane@noemie.inria.fr> wrote:

: >I have checked the FAQ but I saw no mention of which programs are
: >free, or at least cheap.

The alt.comp.virus FAQ includes quite a few useful sources and resources. 
It's also very effective in cases of athletes foot.

To ease the strain on Nick's monitor, I've mailed a copy to Mikal
rather than include the relevant sections.

If anyone else wants it, they can get it from

	FTP://ftp.gate.net/pub/users/ris1/acvfaq.zip

or mail me with the subject line

	request a.c.v. FAQ

David Harley
- -----------

[Moderator's note:  Yes--but will it help my recent accelerated hair-
loss?  8-) ]

------------------------------

Date: Mon, 29 Jan 1996 08:08:02 -0500 (EST)
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: How to remove "Ekaterin" virus ? (PC)
X-Digest: Volume 9 : Issue 11

In-Reply-To: <01I0LP4Q7OWKPCQYD3@csc.canterbury.ac.nz>

Takashi Hirano <hirano@ti.com> writes:

> A virus, "Ekaterin", was detected on two PCs of our section by IBMAV
> software.  We tried to remove the virus but failed.
>
> Does anyone know how to remove the virus, "Ekaterin"?
> Any information would be appreciated.

Ekaterin is more familiarly known as "Russian Flag" or "AntiEXE".  Here 
is some information from Dr Solomon's:

AntiEXE

Aliases: NewBug, D3, CMOS4, Russian Hook, Russian Flag, Ekaterin, Slydell.

Type:  Memory-resident boot and partition sector virus.

Affects:  Write-enabled hard and floppy disks if the computer is booted 
from an infected (not necessarily bootable) floppy.  Some EXE files.

File Growth:  N/A

Description
This boot and partition sector virus infects the hard disk when booted 
from an infected floppy.  Diskettes are infected on read access (eg. DIR 
command).

When a certain (unknown as yet) EXE file is being executed or read from a 
disk (eg. using the COPY command) the virus patches the first byte of the 
in-memory file image, thus causing unpredictable errors.  In most cases 
the computer hangs.

You'll find more information along these lines on our website.  Most good 
anti-virus products should be able to clean up this virus without too 
much trouble.  An evaluation version of Dr Solomon's FindVirus is 
available from our website.  You should also remember to check your 
floppies.  Once you have removed the infection you may care to install a 
TSR/VxD defence which will help prevent reinfection occurring.

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Mon, 29 Jan 1996 08:07:54 -0500 (EST)
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Anti-CMOS Virus? (PC)
X-Digest: Volume 9 : Issue 11

In-Reply-To: <01I0LP4Q7OWKPCQYD3@csc.canterbury.ac.nz>

Simon Grant <ay771@freenet.carleton.ca> writes:

>       My hard drive has just been diagnosed as being infected with an
> "Anti-CMOS" virus on it.  I hadn't heard of this type of virus before,
> and McAfee couldn't even detect it.
>
> Can anyone tell me something about these things?
> Is it possible to recover the non-corrupted sections of my hd?

I would be surprised if McAfee was unable to detect this very common 
virus.  Unfortunately you don't tell us which product did tell you you 
were infected with AntiCMOS, so it's hard to tell if you have a false 
alarm or not.

AntiCMOS infects boot sectors of floppy disks and the partition sector 
(MBR) of hard disks.  You catch it by leaving an infected floppy disk in 
the drive and attempting to boot off it.  Every subsequent floppy disk 
you access will be infected.

Any good anti-virus products should be able to clean up your AntiCMOS 
infection with ease.  Certainly Dr Solomon's can (there's an evaluation 
version of FindVirus available from our website), simply FINDVIRU C: 
/REPAIR.  Remember to check your floppy disks as well.

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Mon, 29 Jan 1996 14:05:31 -0500 (EST)
From: Michael <mpemberton@boeing.hq.nasa.gov>
Subject: Re: McAfee upgrades? (PC)
X-Digest: Volume 9 : Issue 11

Seems like their products' functionality has changed in the versions
that much, with the exception of the VS for Windows and the 95 versions.
I've usually downloaded the datafile updates, and then used VSUMX
(latest issue) to determine if any additional strains have been added.

Mike.
mpembert@hq.nasa.gov

------------------------------

Date: Mon, 29 Jan 1996 14:46:07 -0500 (EST)
From: Jason Oliver <joliver@execpc.com>
Subject: B1 virus with a twist (PC)
X-Digest: Volume 9 : Issue 11

I have a strange breed of the B1 and was hoping that someone might shed 
some light on this for me before I pull all of my hair out.  I have scanned 
a machine that I had connected to a network and F-PROT has said that it 
is the B1 virus.  I have tried everything to get rid of it.  I know that 
some of you will probably say that it probably is just a false alarm but 
I know that it is not because I have infected diskettes with this 
machine.  Now here is the real twist, I have FDISKed the whole hard drive 
and still have this virus on this particular machine.  I have no idea of 
how to get rid of this virus.  I never knew that this virus was that 
dynamic.

HEEEELLLLPPPPP!!!!!

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 11]
*****************************************



David Harley
Beginning to feel like an FAQ salesman....

------------------------------

Date: Mon, 29 Jan 1996 13:59:22 -0500 (EST)
From: Michael <mpemberton@boeing.hq.nasa.gov>
Subject: Re: Virus Database
X-Digest: Volume 9 : Issue 11

There is an extensive viral db at the ftp sites for third party
software on www.mcafee.com. The program is called VSUMX and has been
available and continually updated since about 1992 to the best of my
knowledge. It's a DOS based application with an amazing
cross-reference.

Hope this will help.

Mike.

mpembert@hq.nasa.gov

[Moderator's note:  According to expert opinion ensconced in the FAQ for
this list/group VSUM may not be the most accurate of references...]

------------------------------

Date: Mon, 29 Jan 1996 14:13:30 -0500 (EST)
From: chi@bluefin.net
Subject: Microsoft is shipping Viruses!
X-Digest: Volume 9 : Issue 11

About a month ago, I purchased a copy of MS Office '95 Standard, the
disk package.

Went to install it and on the 2nd disk, it crapped out. When I looked on
the disk, there was one file eo@349fj3(or something like that) with a date
of 00/00/21 with 0 bytes.

I have seen this before (long time ago) so I called Microsoft for a
replacement. I tried to install the replacement, however, now disk 4
crapped out. I got another replacement and same thing but different disk.
I got still ANOTHER replacement and disk 2 crapped out. Called them to
send me the CD-ROM version free of charge (which they did).

The vendor whom I purchased the original package from called me and told
me anyone who has purchased software or computers w/ software pre-
installed within the last 30 days could be infected with the virus NEWBUG.
I have a hard time believing that Microsoft wasn't aware of this problem
before I called.

This virus deletes and corrupts the files on floppies.... so far.....  :|

Hopefully the CD-ROM version will be free from this annoyance..

Hope this helps someone!

[Moderator's note:  Serious allegation.  Did you take all the right
antivirus precautions spelled out in the FAQ?  Are you sure you didn't
have an undetected infection before trying to install Office?  Did the
vendor mean -they- had been shipping infected machines/software?  How did
a BSI/MBR infect your PC from installing application software?

No offense intended here, but your whole story sounds slightly hysterical
and as if you do not understand some fairly basic antivirus issues. 
Please read the v2.00 FAQ--ftp://cs.ucr.edu/pub/virus-l/vlfaq200.txt.]


------------------------------

Date: Mon, 29 Jan 1996 16:25:24 -0500 (EST)
From: "Mikko H. Hypponen" <Mikko.Hypponen@datafellows.com>
Subject: Re: were wolf 1996
X-Digest: Volume 9 : Issue 11

Super D <perderea@worldnet.net> wrote:
> Does anyone know the new virus WEREWOLF 1996 ?

It's a pretty new virus which is apparently written
in France. The variant I've analysed was a resident
infector of COM and EXE files with directory-stealth.

There's a full description in the Virus Description
Database at www.DataFellows.com.

- - 
        Mikko Hermanni Hypponen - Mikko.Hypponen@DataFellows.com  
  Data Fellows Ltd's F-PROT Pro Support: F-PROT-Support@DataFellows.com
Computer virus information available via web: http://www.DataFellows.com/

------------------------------

Date: Mon, 29 Jan 1996 17:59:19 -0500 (EST)
From: Tom Boldway <jboldway@student.umass.edu>
Subject: Re: Virus concerns while using Netscape/www
X-Digest: Volume 9 : Issue 11

It is possible to get infested without downloading any files. I was 
goofing around on the net using an older version of netscape, went to 
mail and post a reply on a newsgroup, and got the message "no spool 
space," or something like that. On reboot the next day, the computer 
would not boot properly. I found my missing mail message in config.sys, 
and other files in the root directory contained other bits of netscape 
stuff or four squares starting the file. 

Just to let you know. . . .

[Moderator's note:  Thanks Tom, but the original poster asked if you could
get viruses from browsing the net--your story is about software blowing up
and trashing your machine.  If you don't understand the difference, please
desist from posting "helpful" replies (that will rile the real experts
that read and possibly mislead less technically competent readers) until
you understand the full contents of the FAQ for this list/group.]

------------------------------

Date: Thu, 01 Feb 1996 05:13:25 -0500 (EST)
From: Fridrik Skulason <frisk@complex.is>
Subject: Re: Does OS/2 need special treatment? (OS/2)
X-Digest: Volume 9 : Issue 11

In <0006.01I0OMT1IGNYPVG5DD@csc.canterbury.ac.nz> James Owens
<ad354@freenet.carleton.ca> writes:

>I have an OS/2 system (DOS and OS/2 on one hard drive). If I boot
>from a DOS installation diskette and scan (from a scanner on the hard
>drive), does this do everything I need?

With respect to DOS viruses, yes.  As for OS/2 viruses, there is one problem:
a DOS scanner might not be able to find them, if they infect a file with a
"long" filename.  OS/2 scanners will of course not have that problem.

-frisk

- - 
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Mon, 29 Jan 1996 09:56:39 -0500 (EST)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: Virus Checker for Macintosh (MAC)
X-Digest: Volume 9 : Issue 11

Greg Keogh (greg@werple.mira.net.au) wrote:
: I have a colleague who wants a professional high-quality virus checker 
: for his Macintosh. I'm a PC specialist, and know almost nothing about 
: Macs, but I promised to help him by posting a news message on his behalf.

For a start, try Disinfectant, available from the following sources (and
don't let the fact that it's freeware lead you into underestimating its
quality). Gatekeeper is also highly regarded.

        ftp://ftp.acns.nwu.edu/pub/disinfectant
        CompuServe
        GEnie
        America Online
        Calvacom
        Delphi
        BIX
        sumex-aim.stanford.edu
        rascal.ics.utexas.edu
        comp.binaries.mac

From the alt.comp.virus FAQ:

"Disinfectant is an excellent anti-virus package: however, it doesn't
catch much in the way of hypercard infectors or trojans, nor does it
detect Word 6 macro viruses.

For other mac packages, try Info-Mac mirrors like:

        ftp://ftp.ucs.ubc.ca/pub/mac/info-mac/vir/

The University of Texas holds the latest versions of Disinfectant and
Gatekeeper, and some documentation on Mac viruses.

        http://wwwhost.ots.utexas.edu/mac/pub-mac-virus.html

Commercial packages include SAM (Symantec) and Virex. Dr. Solomon's
AntiVirus ToolKit for Macintosh is about to be released."

: I couldn't find a newsgroup devoted to macs, but I'm sure there must be 
: one. Please feel free to cross-post this message into the appropriate 
: newsgroups if you know where they are.

There are lots hiding as 

	comp.sys.mac.*

------------------------------

Date: Mon, 29 Jan 1996 10:02:44 -0500 (EST)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: McAfee for protection (MAC)
X-Digest: Volume 9 : Issue 11

Edward M. Sikorski (sikorski@tucson.Princeton.EDU) wrote:
: I read somewhere that McAfee had commercialized Disinfectant. Is this
: correct? 

There is, apparently, a McAfee-ized version. I have an idea it's supposed
to be optimized for the PowerMac, but initial reports have been 
unenthusiastic. I'm checking this out.

: Will Disinfectant no longer be available/upgraded?

Version 3.6 is still available at Northwestern. I don't know the upgrade
situation.

: What solutions are available for the Mac (other than SAM, Virex)???

Once more, from the alt.comp.virus FAQ:

"For other mac packages, try Info-Mac mirrors like:

        ftp://ftp.ucs.ubc.ca/pub/mac/info-mac/vir/

The University of Texas holds the latest versions of Disinfectant and
Gatekeeper, and some documentation on Mac viruses.

        http://wwwhost.ots.utexas.edu/mac/pub-mac-virus.html

Commercial packages include SAM (Symantec) and Virex. Dr. Solomon's
AntiVirus ToolKit for Macintosh is about to be released." (RSN...)

For further info on SAM/CPAV for Mac, try 

	www.symantec.com

For further info on Dr S's, try

	www.drsolomon.com

David Harley
- -----------

------------------------------

Date: Mon, 29 Jan 1996 12:47:49 -0500 (EST)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: McAfee for protection (MAC)
X-Digest: Volume 9 : Issue 11

Edward M. Sikorski (sikorski@tucson.Princeton.EDU) wrote:
: I read somewhere that McAfee had commercialized Disinfectant. Is this
: correct? Will Disinfectant no longer be available/upgraded?
: What solutions are available for the Mac (other than SAM, Virex)???

In a press release dated December 5th, McAfee say

"Although VirusScan version 1.0 is based upon source code licensed from 
Northwestern University's Disinfectant product, McAfee will support and 
evolve VirusScan independently."

They don't say that NWU will go on developing it, but I guess they 
wouldn't, would they?

DH

------------------------------

Date: Mon, 29 Jan 1996 14:29:59 -0500 (EST)
From: Joerg Erdei <a8101gbb@helios.edvz.univie.ac.at>
Subject: Re: Virus Checker for Macintosh (MAC)
X-Digest: Volume 9 : Issue 11

Greg Keogh <greg@werple.mira.net.au> wrote:
>I have a colleague who wants a professional high-quality virus checker 
>for his Macintosh. I'm a PC specialist, and know almost nothing about 
>Macs, but I promised to help him by posting a news message on his behalf.
>
>I couldn't find a newsgroup devoted to macs, but I'm sure there must be 
>one. Please feel free to cross-post this message into the appropriate 
>newsgroups if you know where they are.

The most popular commercial virus checkers are Virex and Symantec Antivirus for
Macintosh (SAM). Both programs can scan and disinfect, have functions to
look inside compressed files and are more or less able to watch incoming
network traffic. Both have some sort of unknown-virus detection by monitoring
the Mac's activity and alerting the user if they find something suspicious.
That, however, needs some knowledge, for you will get alerts with certain
programs and in certain situations about things that are perfectly normal.

If it is a stand-alone Mac, the best virus checker is the free Disinfectant
(although it won't detect trojans or specialities like WordMacro or
HyperCard scripts a la MerryChristmas). The Disinfectant manual, however, is
worth a look, for it contains lots of info about the different viruses on
Macs.  The best shareware protection against unknown viruses has been
GateKeeper, but that program is discontinued. Rumor some months ago was
that a new version would be available soon, but nothing till now.

Most newsgroups devoted to the Mac can be found in the comp.sys.mac.* hierarchy.
As there is no Mac virus group, this should go into the less specialist
groups like comp.sys.mac, comp.sys.mac.misc, alt.sys.mac.newuser-help and
alt.sources.mac.

You may also find aus.computers.mac useful.

Joerg Erdei

------------------------------

Date: Thu, 01 Feb 1996 05:18:15 -0500 (EST)
From: David Harley <harley@europa.lif.icnet.uk>
To: virus-l@csc.canterbury.ac.nz
Subject: Re: Suspected PowerMac virus (maybe PC too) (MAC,PC?)

william pipher (william@vax.library.utoronto.ca) wrote:
: David Harley wrote:

: > I can't help wondering why you tolerate, let
: > alone trade disks with a PC known to be completely infested
: > with viruses. 

: David, student PC labs are a lot like public washrooms in the
: subway metro.  For political reasons they must be provided, but
: there is nothing that staff can do but hold their nose and
: hose 'em down from time to time.  They cannot be secured, they
: cannot be kept very clean, and people cannot be barred from 
: using the facilities on the basis of competence or good manners.

A while ago, there was a thread in alt.comp.virus about whether 
PC support staff felt there were viable analogies between themselves
and medical staff. My main contribution at the time was to suggest
that plumbing was more like it, but perhaps washroom attendant is a
bit nearer.... 

Sorry if I sounded a bit high-minded and censorious: I didn't mean to
be. Reading your note makes me count my blessings: we do have
postgrads on this site, and common-access machines, but nothing like
the problems you evidently have - something to do with older students
who actually have to work for their daily bread, perhaps. Do you
attempt to enforce any access-control procedures - sheepdip PCs,
diskette-authorisation?

Might be interesting to know what other people do in these circumstances.

David Harley

------------------------------

Date: Mon, 29 Jan 1996 12:10:07 -0500 (EST)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: Word Macro Viruses, defences (MAC,WIN)
X-Digest: Volume 9 : Issue 11

A. Padgett Peterson, P.E. Information Security (PADGETT@hobbes.orl.mmc.com) 
wrote:

: The easy answer would be to disable the automatic execution of macros
: found in documents (they are supposed to be only in templates but WORD
: does not seem to care so long as the format of the file is correct).

Easy, but not altogether effective. The infective mechanism used by Colors
is not dependent on automacros being enabled, but on the infected document
being the default template (as it becomes when it's opened). Nice touch.
Also the fact that it proceeds to re-enable automacros...

I think that technically a document with macros *is* a template: one of
the side effects of macro viruses is that they block attempts to save
a document *as* a document rather than a template. This can generate an
error message in Concept, as I remember.

: Why do we suddenly have WORD viruses (and Excel for that matter) ? Because
: M$ decided to add file manipulation and execution capability to the macro
: language (Word 2.0 had macros but they were not so powerful).

Indeed they weren't, but it wouldn't be impossible to write an infective
macro using Word 2 only. I don't know why 1995 became *the* year of the
macro virus, rather than 1992.

: 2) Open WORD. Pull down TOOLS/OPTIONS, select SAVE, select "Prompt to
:    save Normal(.DOT). 

: 3) Open WORD. Pull down TOOLS/MACRO. Type in "AUTOEXEC" and select "CREATE"
:    (if you get "EDIT" instead you already have an autoexec macro. Do you 
:    know what it does ?).
:    Between "SUB MAIN" and "END SUB", which will appear, enter the two lines:
: 	DisableAutoMacros
: 	MsgBox "Automatic Macro Execution Disabled",-1
:    Then select FILE/SAVE TEMPLATE
:    (the "-1" will cause the message to appear briefly on the status line 
:    instead of opening a dialog box the user will have to clear on every
:    opening)

Yes, but Colors subverts ToolsMacro: this is the problem with a macro 
language that allows you to redefine practically every command available.

'Paranoia strikes deep.....'

: 5) Use some other browser to read your E-Mail (I use FTP's KEYVIEW which
:    comes with ONNET 2.0 (plug) - MSVIEWER is available for free download
:    from MS but takes as long as WORD to load - talk about code bloat...

From recent experience of www.microsoft.com, it probably takes as long as
Word to *down*load, too B-(

: 6) Know what is supposed to be in your TOOLS/MACROS listing. Notice if
:    something new appears (see 5). Note: while you have a DELETE option
:    available, if WORD is infected, can you trust it? See item (4).

Exactly. You can't trust a subverted command.

: Of course if you, like me, use WordStar 7.0 mostly, you have no problem 8*).

I still have a laptop running WordStar 4: runs off a floppy, if necessary.
That's *my* kind of WP... B-)

David Harley
Professional Paranoid

------------------------------

Date: Mon, 29 Jan 1996 16:54:06 -0500 (EST)
From: Padgett 0sirius <padgett@goat.orl.mmc.com>
Subject: Re: Word Macro Prank Virus (Concept) (MAC,WIN)
X-Digest: Volume 9 : Issue 11

In article <0024.01I0LP4Q7OWKPCQYD3@csc.canterbury.ac.nz> David Harley
<harley@europa.lif.icnet.uk> writes:

>: You might wish to use one of Word's auto-execute macros to your
>: advantage. Under Tools/Macro, create a macro called AutoExec that
>: looks like this:
>:
>:    Sub MAIN
>:       DisableAutoMacros
>:       MsgBox "AutoMacros off!", "Safety First!", 64
>:    End Sub

Is an excellent solution except would suggest substituting "-1" for the 
"64" - that way the message appears on the status line and the user does
not have to clear a dialogue box.

BTW the "SCANPROT.DOT" Micro$oft includes with WD1215 has two major flaws 
IMNSHO:
1) It allows the user to turn automacros back on
2) Does not check on files opened by a doubleclick on a ccMail attachment
   (think it uses same mechanism as "drag & drop" - see the fine print
   inside the README)

If anyone knows how to write a macro that *will* intercept this kind of
(mail launched) file opening, I would appreciate the information.

			A. Padgett Peterson, P.E.
                        Cybernetic Psychophysicist
		   Totally Obsessed with TransOceanics
		      My other car is a Pontiac too
			   We also walk dogs
	 	       PGP 2.7 Public Key Available

------------------------------

Date: Thu, 01 Feb 1996 04:22:42 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Windows95 Virus Scanner (WIN95)
X-Digest: Volume 9 : Issue 11

Vesselin Bontchev <bontchev@complex.is> writes:
>Jeff Weyenberg <weyenber@foxvalley.tec.wi.us> writes:

>> Has anyone found a good Virus Scanner for Windows95?
>
>Most DOS virus scanners should work pretty well in a DOS box under
>Windows95. Nevertheless, most major anti-virus producers (us included)
>do offer Windows95 versions of their products.

Not necessarily, if you are using it in combination with a VxD.
The VxD should catch and prevent the DOS scanner from seeing any
infected files.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Thu, 01 Feb 1996 04:22:34 -0500 (EST)
From: "A.Appleyard" <A.APPLEYARD@fs2.mt.umist.ac.uk>
Subject: Chicago/Win95 : the Al Capone effect again? (WIN95)
X-Digest: Volume 9 : Issue 11

Dave.Gymer@lambada.oit.unc.edu wrote to the email circular
djgpp@sun.soe.clarkson.edu (which is about Gnu C/C++ & related
programs):-

> Win95 seems to suffer from the same thing NT does - it can't cope with
> nested DPMI tasks ... you can't run [the Gnu C compiler] from within the
> DJGPPv2 make ... [it] consistently crashes Win95 out cold. If you've got a
> real-mode or Win32 make then you'll probably be okay.

  Re long filenames: "Undocumented DOS, 2nd edition" (ISBN 0-201-63287-X) p423
gives this example of a Chicago (= DOS7/Win95 system) directory that contains
a file THISIS~1.TES (short name) alias `this.is.a.test.of.foo.barsky.tester'
(long name) (and also the usual `.' and `..') :-
  (usual dir format is (N=name, X=extension, A=attrib, R=reserved, T=time,
D=date, C=1st cluster addr, S=size in bytes):-
        n  n  n  n  n  n  n  n  x  x  x  a  r  r  r  r   NNNNNNNNXXXARRRR
        r  r  r  r  r  r  t  t  d  d  c  c  s  s  s  s   RRRRRRTTDDCCSSSS )
  0000  2E 20 20 20 20 20 20 20 20 20 20 10 00 00 00 00  .          _____
  0010  00 00 00 00 00 00 F1 76 2D 1B 02 00 00 00 00 00  _______v-_______
  0020  2E 2E 20 20 20 20 20 20 20 20 20 10 00 00 00 00  ..         _____
  0030  00 00 00 00 00 00 F1 76 2D 1B 00 00 00 00 00 00  _______v-_______
  0040  12 6B 79 2E 74 65 73 74 65 72 00 0F 00 B9 FF FF  _ky.tester______
  0050  FF FF FF FF FF FF FF FF FF FF 00 00 FF FF FF FF  ________________
  0060  01 74 68 69 73 2E 69 73 2E 61 2E 0F 00 B9 74 65  _this.is.a.___te
  0070  73 74 2E 6F 66 2E 66 6F 6F 2E 00 00 62 61 72 73  st.of.foo.__bars
  0080  54 48 49 53 49 53 7E 31 54 45 53 20 00 00 00 00  THISIS~1TES ____
  0090  00 00 2D 1B 00 00 F8 76 2D 1B 03 00 07 00 00 00  __-____v-_______

The long filename can be <=254 chars long. The directory entries that contain
it are attrib'ed as readonly hidden system volumenames, avoiding the first
name byte and the cluster address and the attribute and the first two reserved
bytes. Thus a long filename can occupy up to 10 entry spaces. Several new DOS
interrupts `AH=71h, AL=xx, int21' will do the same as `AH=xx, int21' but using
the longname instead of the short name. This system differs from OS/2's long
name system. It is designed to avoid trouble when Chicago'ed floppies are
operated on by older versions of DOS. (Or if someone doesn't want Win95 after
all and goes back to an older DOS and Windows.) But I can foresee these
troubles, which people may blame on viruses:-
  Anything such as Norton DS (directory sorter) which rearranges directory
entries and/or packs directory entries up eliminating gaps where entries have
been deleted, will make a pig's ear out of the longname system.
  The bulk of the longnames will make directories much longer and will make
directory handling slow.
  Erasing a file under an older DOS or Windows won't erase its longname, but
the longnames will remain as tramp extra volume names, or some other later new
file entry will pick it up.
  The text editors Micro-Emacs and Freemacs (and thus likely many other
programs) do not overwrite the new file onto the old file, but write the new
version onto a workfile, then delete the old file, then rename the workfile to
have the name of the old file. This moves the file's directory entry away from
its longname. (And shuffles the directory entries. @#%$ nuisance trick, if I
edit several files in the same directory.)
  As file entries including their longnames are various lengths, directories
are likely to get long and gappy like a disk which has gone too long without
being DEFRAG'ed. Until someone writes a directory-tidier specially for
Chicago.
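
As an added example, not part of the digest or of Appleyard's post, here is a
Python parser that reads the directory dump quoted above and rebuilds the long
filename from its attribute-0Fh entries, checking the short-name checksum that
each piece carries. It follows the byte layout exactly as dumped: one byte per
character in slots 1-10, 14-25 and 28-31 of each entry, with a last-piece flag
of 10h and the sequence number in the low nibble; those two values are my
assumption, inferred from the 12h and 01h first bytes in the dump. The shipped
Win95 VFAT format differs (16-bit Unicode characters, 13 per entry, last-piece
flag 40h), so the constants would need changing for a real Win95 disk. All
function names and the "sorter" reordering are mine.

```python
"""Added example (not from the digest): parse the Chicago directory dump quoted
above and rebuild the long filename, following the byte layout as dumped."""

# The ten rows of the post's dump, re-typed here as constructed input.
DUMP_HEX = """
2E 20 20 20 20 20 20 20 20 20 20 10 00 00 00 00
00 00 00 00 00 00 F1 76 2D 1B 02 00 00 00 00 00
2E 2E 20 20 20 20 20 20 20 20 20 10 00 00 00 00
00 00 00 00 00 00 F1 76 2D 1B 00 00 00 00 00 00
12 6B 79 2E 74 65 73 74 65 72 00 0F 00 B9 FF FF
FF FF FF FF FF FF FF FF FF FF 00 00 FF FF FF FF
01 74 68 69 73 2E 69 73 2E 61 2E 0F 00 B9 74 65
73 74 2E 6F 66 2E 66 6F 6F 2E 00 00 62 61 72 73
54 48 49 53 49 53 7E 31 54 45 53 20 00 00 00 00
00 00 2D 1B 00 00 F8 76 2D 1B 03 00 07 00 00 00
"""
DIRECTORY = bytes.fromhex(DUMP_HEX)   # five 32-byte entries

ENTRY_SIZE = 32
ATTR_LFN = 0x0F          # read-only|hidden|system|volume label = long-name piece
ATTR_DIRECTORY = 0x10
LAST_PIECE_FLAG = 0x10   # assumption inferred from the dump (12h last, 01h first);
SEQ_MASK = 0x0F          # shipped VFAT uses 40h / 3Fh and 16-bit characters

def short_name_checksum(name_field: bytes) -> int:
    """VFAT checksum of the 11-byte 8.3 name; byte 13 of every piece carries it."""
    s = 0
    for c in name_field:
        s = (((s & 1) << 7) + (s >> 1) + c) & 0xFF
    return s

def lfn_piece_text(entry: bytes) -> str:
    """Characters of one piece live in bytes 1-10, 14-25 and 28-31; a NUL ends
    the name and FFh bytes pad what follows it."""
    text = []
    for b in entry[1:11] + entry[14:26] + entry[28:32]:
        if b in (0x00, 0xFF):
            break
        text.append(chr(b))
    return "".join(text)

def short_name(name_field: bytes) -> str:
    base = name_field[:8].decode("ascii").rstrip()
    ext = name_field[8:11].decode("ascii").rstrip()
    return f"{base}.{ext}" if ext else base

def parse_directory(data: bytes) -> dict:
    """Walk 32-byte entries; long-name pieces attach to the short entry that
    follows them only if the sequence is complete and the checksum matches.
    Pieces that never attach are returned as orphans."""
    files, orphans = [], []
    pieces, expected_sum = {}, None

    def drop_pending():
        nonlocal pieces, expected_sum
        if pieces:
            orphans.append("".join(pieces[k] for k in sorted(pieces)))
        pieces, expected_sum = {}, None

    for off in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = data[off:off + ENTRY_SIZE]
        if e[0] == 0x00:                # never-used entry: end of directory
            break
        if e[0] == 0xE5:                # deleted entry
            continue
        if e[11] == ATTR_LFN:
            if e[0] & LAST_PIECE_FLAG:  # highest-numbered piece is stored first
                drop_pending()
                expected_sum = e[13]
            if e[13] != expected_sum:   # piece from some other long name
                drop_pending()
                continue
            pieces[e[0] & SEQ_MASK] = lfn_piece_text(e)
            continue
        long_name = None
        complete = sorted(pieces) == list(range(1, len(pieces) + 1))
        if pieces and complete and short_name_checksum(e[:11]) == expected_sum:
            long_name = "".join(pieces[i] for i in range(1, len(pieces) + 1))
            pieces, expected_sum = {}, None
        else:
            drop_pending()
        files.append({"short": short_name(e[:11]), "long": long_name,
                      "is_dir": bool(e[11] & ATTR_DIRECTORY),
                      "first_cluster": int.from_bytes(e[26:28], "little"),
                      "size": int.from_bytes(e[28:32], "little")})
    drop_pending()
    return {"files": files, "orphans": orphans}

def shuffled_like_a_sorter(data: bytes) -> bytes:
    """Constructed variant: the short entry moved in front of its long-name
    pieces, as a directory sorter unaware of long names might leave it."""
    entries = [data[i:i + ENTRY_SIZE] for i in range(0, len(data), ENTRY_SIZE)]
    return b"".join(entries[:2] + [entries[4], entries[2], entries[3]])

if __name__ == "__main__":
    for image in (DIRECTORY, shuffled_like_a_sorter(DIRECTORY)):
        print(parse_directory(image))
```

On the dump as given the parser returns `.`, `..` and `THISIS~1.TES` with the long
name `this.is.a.test.of.foo.barsky.tester`, and the B9h checksum in the two
pieces matches the one computed from `THISIS~1TES`. The second run reorders
the entries the way the post says a directory sorter or a delete-and-rename
editor would; the pieces then no longer precede the entry that owns them and are
reported as orphans rather than attached to the wrong file. That orphan report
is the kind of check a scanner or recovery tool can use to tell long-name
damage apart from virus activity.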

------------------------------

Date: Mon, 29 Jan 1996 10:31:41 -0500 (EST)
From: Fredrik B <Fredrik.Bostroem@hugin.stud.hks.se>
Subject: McAfee Virusscan Windows95 (WIN95)
X-Digest: Volume 9 : Issue 11

Hi, I am using McAfee for Windows95 ver.1.20 something and when I run
it it locks( Like totally crashes, dude:) up my system after a while
usually after it had scanned my msoffice folder with including files. 
My question is: 1. What is wrong? 2. What do I do to fix it? 3. Is
there anyone out there with the same problem? 4. How am I going to
pass my next exam if I keep reading all these letters:-) ?

Thanks in advance.

/Fredrik

------------------------------

Date: Mon, 29 Jan 1996 08:07:52 -0500 (EST)
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: F-Prot Professional and McAfee ViruScan for Win95 (WIN95)
X-Digest: Volume 9 : Issue 11

In-Reply-To: <01I0LP4Q7OWKPCQYD3@csc.canterbury.ac.nz>
George Wenzel <gwenzel@gpu.srv.ualberta.ca> writes:

> I will be evaluating most of the Win95 software in my review.  Of
> course, it will be a little while before the review is done, as it
> is just in the preliminary stages.  It will probably be out by the
> end of February.  Due to resource limitations, however, I won't be
> able to test the VxD portions of the programs.

That's a shame George, as VxDs will be the primary defence against 
viruses for most users.  It would also have been interesting to see which 
products had successfully implemented their full virus-finding engine in 
their VxD on-access scanner (for example, interception of Word macro 
viruses).

Anyway, there's an easy way for you to test the VxDs:

Simply copy the virus-infected files from one directory to another.  A 
working VxD will intercept the file access and prevent any virus it knows 
about.  In the destination directory you end up with all the viruses it 
missed.  Simple!

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Thu, 01 Feb 1996 05:09:07 -0500 (EST)
From: "R.Manuel" <cm6065@ccub.wlv.ac.uk>
Subject: Is this a virus? (WIN)
X-Digest: Volume 9 : Issue 11

Recently we have had virus problems on our academic network of
about 70 machines. 3 viruses turned up, stoned.angelina, from_e,
& antiexe. However on some machines, whilst running Windows 3.11,
letters are being removed from buttons within applications, both
in programs like PowerPoint & in student programs, using
Toolbook.

I've looked up the results of these viruses, under the web site
http://www.symantec.com/ , & none seem to be able to produce
these effects. My employer & the students believe this to
be a virus problem, but I am unsure whether it might be,
or if it is how to fix it.

I am using McAfee VirusScan for DOS (Jan 95 release).

Thank you, rob.

------------------------------

Date: Thu, 01 Feb 1996 00:46:01 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: How to detect quicksilver derivate ?? (PC)
X-Digest: Volume 9 : Issue 11

Erik Lenha <eriklenha@aol.com> writes:

>My PC is infected by a quicksilver or one of its derivates (at least it
>shows the typical effect of scrolling the DOS-Screen)

Scrolling the screen?  Who/What told you that it was a "typical effect?"
Quicksilver is named so because it has no effects.  It was a word
picked from the dictionary under "Q".

>It is said that McAfee is able to recognize it, but booting from a
>clean Systemdisk neither McAfee 2.2.9 nor F-Prot nor TBAV are able
>to identify or remove it.

Yes, these products should detect it.  It's at least half a year old.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Thu, 01 Feb 1996 04:22:21 -0500 (EST)
From: Bruce Burrell <bpb@stimpy.us.itd.umich.edu>
Subject: Re: Info about Form-A (PC)
X-Digest: Volume 9 : Issue 11

Koen Van de Velde (proviron@glo.be) wrote:
> This week I found the Form-A virus on one of my boot-floppies.
> I immediately disinfected it with McAfee Scan 2.2.9 (01/96) and it
> seems to be clean now.
> 
> It is a floppy that I use to boot new pc's and install the network
> software with. So I would expect that some of the PC's would be 
> infected too, but 'till now I didn't find a thing.

   You must live correctly, then!  Somebody up there likes you... I
suggest that you keep those boot floppies locked from now on, just in
case your Guardian Angel falls asleep some time.
 
> What I was wondering: is it possible for the Form-A virus to get on 
> our network (Novell Netware 4.1, VLM-client software) and if so,
> how can I check/clean it ?

   Only if you boot the server from an infected floppy; that's the only 
way FORM spreads.  If a server is infected this way, boot from an 
uninfected locked DOS floppy and run your AV software from the floppy to 
disinfect it.  If you usually use the Windows version of McAfee, you'll 
want to use the DOS version here, of course.

   -BPB

------------------------------

Date: Thu, 01 Feb 1996 04:22:57 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Info about Form-A (PC)
X-Digest: Volume 9 : Issue 11

Koen Van de Velde <proviron@glo.be> writes:

>This week I found the Form-A virus on one of my boot-floppies.
>I immediately disinfected it with McAfee Scan 2.2.9 (01/96) and it
>seems to be clean now.
>
>It is a floppy that I use to boot new pc's and install the network
>software with. So I would expect that some of the PC's would be 
>infected too, but 'till now I didn't find a thing.
>
>What I was wondering: is it possible for the Form-A virus to get on 
>our network (Novell Netware 4.1, VLM-client software) and if so,
>how can I check/clean it ?

It is not possible to get it on the network.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Thu, 01 Feb 1996 04:23:22 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: McAfee says: F-prot contains VCL-virus ? (PC)
X-Digest: Volume 9 : Issue 11

bontchev@complex.is (Vesselin Bontchev) writes:

>Anyway, in version 2.21 we changed the implementation of the decryption
>algorithm slightly, so that it is not matched by that tiny scan string
>that SCAN uses. I was left with the impression that the developers of
>SCAN intended to change their scan string too - obviously they haven't.

Because you were going to address it so easily, and my next opportunity
to address this in code wouldn't be until March, I hadn't done it yet.

If it wouldn't have been as easy for you, I would have done it earlier.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Thu, 01 Feb 1996 04:23:15 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: TB virus (PC)
X-Digest: Volume 9 : Issue 11

Ron Bombard <bh081@freenet.Buffalo.EDU> writes:

>Anyone know anything about a new virus, TB1?  Just detected it on a PC 
>using  Nortons AntiVirus 3.0  It found it, named it, and killed it.  
>There was no information about it though.

It's a known false id from a NAV DAT set from summer of 95.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Thu, 01 Feb 1996 05:19:10 -0500 (EST)
From: Fridrik Skulason <frisk@complex.is>
Subject: Re: McAfee says: F-prot contains VCL-virus ? (PC)
X-Digest: Volume 9 : Issue 11

In <0015.01I0OMT1IGNYPVG5DD@csc.canterbury.ac.nz> bontchev@complex.is
(Vesselin Bontchev) writes:

>"detects", is the part of F-PROT's code (not a scan string) which does
>the generic decryption of the VCL viruses - using the same decryption
>algorithm as them. :-)

Uh, no...not VCL... it was a part of the CLME detection, I think...an entirely
unrelated virus, at least.

-frisk

- - 
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Thu, 01 Feb 1996 06:38:15 -0500 (EST)
From: Arlene Schiffman <arlenes@holly.colostate.edu>
Subject: Re: Virus:MONKEY_B + FORM_A (PC)
X-Digest: Volume 9 : Issue 11

>Try the following:
>
>On a bootable floppy copy fdisk.exe.  Boot from the floppy and 
>enter the command "a:\fdisk /mbr"  this undocumented option 
>(/mbr) will rebuild the master boot record and hopefully get 
>that monkey off your back.  This has worked on other pcs but I 
>have never tried this fix on a thinkpad.  Note: /mbr will not 
>wipe your harddisk.
>
>If this doesn't work try norton disk doctor from a bootable 
>floppy. NDD will also rebuild a corrupted Master boot record.

We have a few computers that were infected by the Monkey virus.  I
took a suggestion to try making a boot disk and putting fdisk.exe on
it, then, after booting up with the new disk, using the command fdisk
/mbr.  Well, it worked on most of the computers, but three of them are
now saying "invalid partition table".  HELP please!  These cannot boot
up, and even if you use the boot disk (which is clean) I still cannot
find the C: drive due to the virus.

Arlene

[Moderator's note:  The old "hammer" problem...  You need good disk
doctor/recovery software, though, depending on the virus(es) that
were active on the afflicted machines very good professional
assistance may be more important.

Before anyone who reads this list/group -EVER- again uses FDISK /MBR,
-PLEASE- read the warnings about the correct use of it in Q&A C3 in
the V2.0 FAQ]

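An added illustration (not part of this digest or any poster's own code) of why FDISK /MBR can leave a disk reporting "invalid partition table": it rewrites the boot-code bytes of sector 0 and keeps the partition-table entries as it finds them, so if the infected sector's table bytes carry no usable entries (as the constructed "hollow" sample below assumes), the rewritten sector still has none. The images are constructed samples with placeholder code bytes, not real boot code or virus code, and table_looks_valid is a hypothetical pre-flight check, not part of FDISK.

```python
import struct

MBR_SIZE = 512
TABLE_OFFSET = 0x1BE      # four 16-byte partition entries start here
CODE_SIZE = TABLE_OFFSET  # bytes 0..445 hold boot code; FDISK /MBR rewrites only these
SIGNATURE = b"\x55\xAA"   # bytes 510..511

def make_mbr(code: bytes, entries) -> bytes:
    """Build a constructed 512-byte MBR image from boot code and
    up to four (boot_flag, type, lba_start, sector_count) tuples."""
    table = b"".join(struct.pack("<B3sB3sII", flag, b"\0\0\0", ptype, b"\0\0\0", lba, n)
                     for flag, ptype, lba, n in entries)
    return code[:CODE_SIZE].ljust(CODE_SIZE, b"\0") + table.ljust(64, b"\0") + SIGNATURE

def parse_mbr(mbr: bytes):
    """Return (signature_ok, [entry dicts]) for a 512-byte MBR image."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    entries = []
    for i in range(4):
        flag, _, ptype, _, lba, n = struct.unpack_from("<B3sB3sII", mbr, TABLE_OFFSET + 16 * i)
        entries.append({"boot": flag, "type": ptype, "lba_start": lba, "sectors": n})
    return mbr[510:] == SIGNATURE, entries

def table_looks_valid(mbr: bytes) -> bool:
    """Pre-flight check: does this sector carry a partition table worth keeping?"""
    sig_ok, entries = parse_mbr(mbr)
    used = [e for e in entries if e["type"] != 0]
    if not sig_ok or not used:
        return False                       # empty table: nothing for FDISK /MBR to preserve
    if any(e["boot"] not in (0x00, 0x80) for e in entries):
        return False                       # boot flag must be 0x00 or 0x80
    if sum(e["boot"] == 0x80 for e in entries) != 1:
        return False                       # exactly one active partition expected
    return all(e["sectors"] > 0 for e in used)

def simulate_fdisk_mbr(mbr: bytes, clean_code: bytes) -> bytes:
    """Model of FDISK /MBR: replace bytes 0..445, leave table and signature as found."""
    return clean_code[:CODE_SIZE].ljust(CODE_SIZE, b"\0") + mbr[CODE_SIZE:]

# Constructed sample images (placeholder code bytes, not real boot or virus code)
HEALTHY = make_mbr(b"\xEB\xFE", [(0x80, 0x06, 63, 204_737)])  # one active FAT16 partition
HOLLOW = make_mbr(b"\xEB\xFE", [])                            # table bytes all zero
CLEAN_CODE = b"\xEB\xFE"

if __name__ == "__main__":
    for name, img in (("healthy", HEALTHY), ("hollow", HOLLOW)):
        after = simulate_fdisk_mbr(img, CLEAN_CODE)
        print(name, "before:", table_looks_valid(img), "after FDISK /MBR:", table_looks_valid(after))
```

Running the block shows the healthy image staying valid and the hollow one staying invalid, which is the situation where a disk-recovery tool, not FDISK /MBR, is the right next step.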
------------------------------

Date: Thu, 01 Feb 1996 06:51:48 -0500 (EST)
From: NAGY FERENC LaSZLo <NFL@labor.obuda.kando.hu>
Subject: Re: HELP !!! OneHalf virus (PC)
X-Digest: Volume 9 : Issue 11

> From: Noam Graetz <graetz@actcom.co.il>
> Subject: HELP !!! OneHalf virus (PC)

> I have been infected !!!
> by one-half virus which destroyed my MBR.
> can anyone out there heklp me
> reconstract my MBR ? ? ?

     I know this virus very well. It's a common virus in Hungary.
(3544 byte version)
     One Half doesn't destroy the MBR, but infects it. It also infects EXE
and COM files on floppy or network. When active in the MBR it encrypts two
tracks each time the system boots. If you overwrite the virus with
FDISK /MBR, you will lose the encrypted part of the HD, because the
key is in the MBR. Don't do it! And don't use F-PROT! (F-PROT is the best
against any other viruses.) There are programs which both decrypt the
hard disk and kill the virus.
     I propose ONEHALF.EXE instead of my own AV program. ONEHALF.EXE is
available at the Slovak Antivirus Center (ftp.elf.stuba.sk)
==================================
     My question: Several months ago I got 77-byte hidden files from 2
different sources. These appear next to each program file, with the name
*._co and *._ex (or something). There is no recognizable text or code in
them. Is there a virus or AV program that does this?

     Next time I will consult my English teacher before I send a letter.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Nagy Ferenc Laszlo                   E-mail: nfl@labor.obuda.kando.hu
PGP key fingerprint= 71 01 22 23 D4 CD 30 04  07 47 EC 81 EF AD 52 65

------------------------------

Date: Wed, 31 Jan 1996 12:05:01 +0000
From: Haymee_Perez_Cogle@angonet.gn.apc.org
Subject: unashamed virus (PC)
X-Digest: Volume 9 : Issue 11

We got the unashamed virus; all disks and the majority of the HD are
damaged. I tried Toolkit and NAV and nothing: they recognize the virus
but don't clean it.
Any help is welcome. Thanks,

haymee

------------------------------

Date: Thu, 01 Feb 1996 07:38:56 -0500 (EST)
From: gbv55375@ibmmail.com
Subject: HD Corruption with Dr. Solomon's VirusGuard (PC)
X-Digest: Volume 9 : Issue 11

Can anyone help with the following problem we are experiencing when
using VirusGuard (Dr. Solomon's AVTK) from version 7.x onwards?

Each PC on the LAN logs into a SCAN id which is set to run VirusGuard
followed by FindVirus.  Everything was fine until we upgraded to
version 7 of AVTK.  PCs from all over the business began experiencing
hard disk corruptions: lost clusters; cross-linked files; etc.

By returning to version 4.57 of VirusGuard the problem disappeared. 
When version 7.5 was received we tried again and once again the
problem returned.  The corruption seems to affect all PCs - 486s,
Pentiums, various models of PCs, various versions of DOS, etc.  No
consistency could be found.

We contacted Dr. Solomon's - but they could not explain the problem. 
They suggested we add the /NOMEM option but it made no difference.  I
believe the problem is related to Windows 3.1/3.11, however I have no
evidence.

Has anyone experienced this situation?

Cheers, Andrew Doble      E-mail: gbv55375@ibmmail.com

------------------------------

Date: Thu, 01 Feb 1996 07:42:22 -0500 (EST)
From: Robert Pietschmann <pietsch@rummelplatz.uni-mannheim.de>
Subject: F-prot + Parity_Boot-virus (PC)
X-Digest: Volume 9 : Issue 11

I used F-prot 2.21 for the first time ever to make a virus-scan.
What happened?

I received the message: Parity_Boot virus in memory.
What am I supposed to do - for F-Prot doesn't make any efforts to
remove it?

What kind of virus is this anyway?

Thanks.

------------------------------

Date: Mon, 29 Jan 1996 09:57:21 -0500 (EST)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: Free (or cheap) protection programs for DOS or WINDOWS? (PC)
X-Digest: Volume 9 : Issue 11

Mark West (mwest@earthlink.net) wrote:
: Mikal Ziane <ziane@noemie.inria.fr> wrote:

: >I have checked the FAQ but I saw no mention of which programs are
: >free, or at least cheap.

The alt.comp.virus FAQ includes quite a few useful sources and resources. 
It's also very effective in cases of athletes foot.

To ease the strain on Nick's monitor, I've mailed a copy to Mikal
rather than include the relevant sections.

If anyone else wants it, they can get it from

	FTP://ftp.gate.net/pub/users/ris1/acvfaq.zip

or mail me with the subject line

	request a.c.v. FAQ

David Harley
- -----------

[Moderator's note:  Yes--but will it help my recent accelerated hair-
loss?  8-) ]

------------------------------

Date: Mon, 29 Jan 1996 08:08:02 -0500 (EST)
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: How to remove "Ekaterin" virus ? (PC)
X-Digest: Volume 9 : Issue 11

In-Reply-To: <01I0LP4Q7OWKPCQYD3@csc.canterbury.ac.nz>

Takashi Hirano <hirano@ti.com> writes:

> A virus, "Ekaterin", was detected on the two PC of our section by IBMAV
> software.  We tried to remove the virus but failed.
>
> Does anyone know how to remove the virus, "Ekaterin".?
> Any information would be appreciated.

Ekaterin is more familiarly known as "Russian Flag" or "AntiEXE".  Here 
is some information from Dr Solomon's:

AntiEXE

Aliases: NewBug, D3, CMOS4, Russian Hook, Russian Flag, Ekaterin, Slydell.

Type:  Memory-resident boot and partition sector virus.

Affects:  Write-enabled hard and floppy disks if the computer is booted 
from an infected (not necessarily bootable) floppy.  Some EXE files.

File Growth:  N/A

Description
This boot and partition sector virus infects the hard disk when booted 
from an infected floppy.  Diskettes are infected on read access (eg. DIR 
command).

When a certain (unknown as yet) EXE file is being executed or read from a 
disk (eg. using the COPY command) the virus patches the first byte of the 
in-memory file image, thus causing unpredictable errors.  In most cases 
the computer hangs.

You'll find more information along these lines on our website.  Most good 
anti-virus products should be able to clean up this virus without too 
much trouble.  An evaluation version of Dr Solomon's FindVirus is 
available from our website.  You should also remember to check your 
floppies.  Once you have removed the infection you may care to install a 
TSR/VxD defence which will help prevent reinfection occurring.

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Mon, 29 Jan 1996 08:07:54 -0500 (EST)
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Anti-CMOS Virus? (PC)
X-Digest: Volume 9 : Issue 11

In-Reply-To: <01I0LP4Q7OWKPCQYD3@csc.canterbury.ac.nz>

Simon Grant <ay771@freenet.carleton.ca> writes:

>       My hard drive has just been diagnosed as being infected with an
> "Anti-CMOS" virus on it.  I hadn't heard of this type of virus before,
> and McAfee couldn't even detect it.
>
> Can anyone tell me something about these things?
> Is it possible to recover the non-corrupted sections of my hd?

I would be surprised if McAfee was unable to detect this very common 
virus.  Unfortunately you don't tell us which product did tell you you 
were infected with AntiCMOS, so it's hard to tell if you have a false 
alarm or not.

AntiCMOS infects boot sectors of floppy disks and the partition sector 
(MBR) of hard disks.  You catch it by leaving an infected floppy disk in 
the drive and attempting to boot off it.  Every subsequent floppy disk 
you access will be infected.

Any good anti-virus products should be able to clean up your AntiCMOS 
infection with ease.  Certainly Dr Solomon's can (there's an evaluation 
version of FindVirus available from our website), simply FINDVIRU C: 
/REPAIR.  Remember to check your floppy disks as well.

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Mon, 29 Jan 1996 14:05:31 -0500 (EST)
From: Michael <mpemberton@boeing.hq.nasa.gov>
Subject: Re: McAfee upgrades? (PC)
X-Digest: Volume 9 : Issue 11

Seems like their products' functionality hasn't changed that much
between versions, with the exception of VS for Windows and the 95 versions.
I've usually downloaded the datafile updates, and then used VSUMX
(latest issue) to determine if any additional strains have been added.

Mike.
mpembert@hq.nasa.gov

------------------------------

Date: Mon, 29 Jan 1996 14:46:07 -0500 (EST)
From: Jason Oliver <joliver@execpc.com>
Subject: B1 virus with a twist (PC)
X-Digest: Volume 9 : Issue 11

I have a strange breed of the B1 and was hoping that someone might shed
some light on this for me before I pull all of my hair out.  I have scanned
a machine that I had connected to a network and F-PROT has said that it
is the B1 virus.  I have tried everything to get rid of it.  I know that
some of you will probably say that it probably is just a false alarm, but
I know that it is not because I have infected diskettes with this
machine.  Now here is the real twist: I have FDISKed the whole hard drive
and still have this virus on this particular machine.  I have no idea
how to get rid of this virus.  I never knew that this virus was that
dynamic.

HEEEELLLLPPPPP!!!!!

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 11]
*****************************************


