Reply-To: virus-l@lehigh.edu
Originator: virus-l@lehigh.edu
Sender: virus-l@lehigh.edu
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V9 #14
X-Comment: Virus Discussion List
Date: 	Mon, 5 Feb 1996 03:06:40 EST

VIRUS-L Digest    Monday, 5 Feb 1996    Volume 9 : Issue 14

Today's Topics:

A Virus found, can anyone identify? (PC)
Re: SMILING virus, help please. (PC?)
Re: Monkey B / Monkey 2 (PC)
B1 virus - what else can it do ? (PC)
Re: How to remove "Ekaterin" virus ? (PC)
Re: McAfee says: F-prot contains VCL-virus ? (PC)
Help with Natas virus (PC)
Re: McAfee says: F-prot contains VCL-virus ? (PC)
Re: TB1 Virus (PC)
MtE Virus (PC)
Re: SMILING virus, help please. (PC?)
Re: SMILING virus, help please. (PC?)
Re: KOH in Mainstream Press (PC)
Re: Anti-CMOS Virus? (PC)
Re: How to remove "Ekaterin" virus ? (PC)
Re: Free (or cheap) protection programs for DOS or WINDOWS? (PC)
Re: TB1 Virus (PC)
Re: Virus:MONKEY_B + FORM_A (PC)
Re: Mysterious hidden files. Virus? (PC)
Re: B1 virus? (PC)
Re: How to remove "Ekaterin" virus ? (PC)
Re: Info about Form-A (PC)
Re: McAfee says: F-prot contains VCL-virus ? (PC)
Re: Anti-CMOS Virus? (PC)
Re: Monkey B / Monkey 2 (PC)
Re: I LOVE (PC)
Re: KEEPER-LEMMING (PC)
Re: SMILING virus, help please. (PC?)
Re: KOH in Mainstream Press (PC)
Re: How to remove "Ekaterin" virus ? (PC)
Mutagen Stealth Boot Virus? (PC)
NAtas Virus (PC)
SUSPECTED VIRUS FOR WordPerfect? (PC)
Re: Need help: AntiEXE virus (PC)
Re: Info about Form-A (PC)
Ripper and NYB (PC)
Re: Need info on MONKEY_A virus (PC)
Help with Stoned.empire.monkey (PC)
MTE COFEESHOP Virus (PC)
Chinese Fish virus (PC)
Help...Is this a virus? (PC)
69 Virus (PC)
Re: Anti-CMOS Virus? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available by anonymous FTP on CS.UCR.EDU.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Mon, 29 Jan 1996 17:35:32 -0500 (EST)
From: Jurgen Schwietering <tweety@ALPcom.it>
Subject: A Virus found, can anyone identify? (PC)
X-Digest: Volume 9 : Issue 14

I've encountered a problem with a possible virus on a portable PC (of 
a friend). It was activated today (29 Jan 96) and already in the past 
on 29 Oct 95. (The computer wasn't used on 29.11; this is sure
because there is a programme which keeps track of use of the computer),
but on 29.12 there was no damage.

One floppy used by the person had the Bye virus on it (F-PROT from 1.96
found it), but it's not on the machine itself, because the virus
destroyed the boot sector and some directories. So I'm not sure if it was
the Bye virus or an unknown species.

Destroying data is done by changing some bytes in the disk-pages:

Space --> $
  
  S --> T 
  H --> L
  A --> E
  R --> V
  K --> O
  
  C --> G
  B --> F
  I --> M
  P --> T
  S --> W
  P --> T

Maybe it's a coincidence, but recombining some letters gives SHARK, ...

Someone knows a programme which identifies this virus?

Please inform me by email: tweety@torino.alpcom.it

Thanks a lot

Jurgen

------------------------------

Date: Mon, 29 Jan 1996 20:54:25 -0500 (EST)
From: MR HENRI J DELGER <henri_delger@prodigy.com>
Subject: Re: SMILING virus, help please. (PC?)
X-Digest: Volume 9 : Issue 14

> I ran a file "laugh.exe" that I downloaded as "piss.zip" from a
> binaries newsgroup and it printed on my screen "Your partition table
> is now infected with the smiling virus".  I ran the file from a floppy
> disk, so is that virus on the hard drive?  Is it real?  How do I get
> rid of it?

I'm updating my previous reply, for two reasons.  First, I believe 
we're going to see more posts relating to this particular virus, because 
the person above is correct.  A "LAUGH.EXE" file (a Trojan horse 
"dropper" program), which contains the virus known as Smile, or
Yesmile.5504, was evidently posted to at least one alt.binaries.*
Newsgroup.  

    Secondly, some current anti-virus software is unable to detect 
this virus correctly and/or to remove it.  The virus infects EXE and COM 
files (including Command.com) and also infects the Master Boot Record
(MBR) of hard disks.  It is also stealth, thus able to conceal its changes
to files and the MBR while in memory, and can produce a shrill laughing
sound. 

    One way to get rid of it is (of course) to power down and re-boot 
from an UNinfected system boot diskette.  F-Prot 2.21 can be used to 
remove the virus from files; it does a perfect job, as far as I can tell.  
However, F-Prot 2.21 cannot remove this virus from the MBR, so one
alternative is to use FDISK /MBR for that.  

    The usual caveat applies: FDISK /MBR is an undocumented DOS 
command, available in DOS5 and up.  It rewrites the Master Boot Record
code in the first sector of the hard disk, without affecting the hard
disk's partition table data, also contained there.  This command will not
do any harm ordinarily (=if= you are able to access the hard disk
normally, after booting from a bootable disk).  =HOWEVER= IF you canNOT
access the hard disk after so doing, do NOT use FDISK /MBR.

    Once the virus is confirmed by a further scan as no longer being 
on the hard disk, check for the virus on diskettes, in backups, and in 
compressed files, etc., and don't forget to delete the downloaded 
file mentioned above, which started it all.

Regards, Henri Delger
http://pages.prodigy.com/X/W/A/XWWC29A
email: henri_delger@prodigy.com

------------------------------

Date: Mon, 29 Jan 1996 21:24:53 -0500 (EST)
From: "Paul E. Sullivan" <sullivan@peterfield.mv.com>
Subject: Re: Monkey B / Monkey 2 (PC)
X-Digest: Volume 9 : Issue 14

Neeraj Murarka wrote:
> 
> Hi. I have the Monkey B / Monkey 2 Virus on my Hard Drive. How can I
> clean it off? The scanners all quit when I run them, saying that I should
> boot off a clean system disk, and then rerun the virus scanner to clean
> off the virus. But the problem is, this virus, when on a Hard Drive, will
> not allow the Hard Drive to be accessed when you use a clean boot disk.
> So how do you get rid of the virus? The McAfee documentation says that
> the virus is removeable. This is a boot sector virus. How do I get rid of
> it!?!?! Help!

You should put your McAfee s/w on a floppy disk as well, preferably on 
the clean system disk you have if there's room enough.  I had a similar 
virus (boot sector) and McAfee would not allow the anti-virus s/w on the 
hard drive to be accessed.  When I ran it off a floppy after booting with 
a clean system disk, the virus was successfully removed.  Good Luck.

------------------------------

Date: Mon, 29 Jan 1996 22:37:39 -0500 (EST)
From: netnews@ix.netcom.com
Subject: B1 virus - what else can it do ? (PC)
X-Digest: Volume 9 : Issue 14

My computer had the B1 virus. I read on a website that one of the 
symptoms was the read/write head on the floppy drive being sent back and 
forth very fast, causing a loud 'banging' noise. Well, I had this problem, 
but it was on my hard drive. At midnight, if the hard drive was being 
written to, my computer would lock up and the hard drive would start 
'banging'. I had several diskettes infected also, one of which was left 
in the floppy drive on a reboot, therefore infecting the hard drive.

I'm just wondering how common or rare is it to infect the hard drive 
boot sector and has anyone ever heard their hard drive "knock" ?
It's not fun !

YYZ.@ix.netcom.com
R.K. McSwain

------------------------------

Date: Tue, 30 Jan 1996 03:56:34 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: How to remove "Ekaterin" virus ? (PC)
X-Digest: Volume 9 : Issue 14

Takashi Hirano <hirano@ti.com> writes:

>A virus, "Ekaterin", was detected on the two PC of our section by IBMAV 
>software.
>
>We tried to remove the virus but failed.
>
>Does anyone know how to remove the virus, "Ekaterin".?
>Any information would be appreciated.

This goes by the CARO name of Russian_Flag (and I think it's .A).
Just get an update to any of the AV programs.  It's at least
half a year old and, as far as I know, all the big names remove it
just fine.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Tue, 30 Jan 1996 04:00:54 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: McAfee says: F-prot contains VCL-virus ? (PC)
X-Digest: Volume 9 : Issue 14

Koen Van de Velde <proviron@glo.be> writes:

>I'm just wondering if this is al normal.
>
>This week I found the Form-A virus on one of my floppies,
>as you can read in my previous posting.
>I wanted to be sure that none of the computers are infected, 
>I started checking them with two different virus-scanners:
>    - McAfee Scan 2.2.9 (01-96)
>    - F-Prot v 2.20
>
>Here's what happens: First I load f-prot and scan my hard-disk,
>then I close it again and run the mcAfee-scan.  This one stops
>with the following message : 

[snip: Scan's message indicating traces of VCL found in memory]

>So I did reboot my computer and re-run the McAfee Scan ...
>It didn't find anything. I run the f-prot again, without scanning 
>anything, just start the menu and close it again.
>When I now run the McAfee scan, it displays the above message again,
>telling me there is a VCL-virus in my computer.

A string which catches a lot of VCL viruses is being used by SCAN.  
For some reason FProt 2.20 was leaving this sequence of code in 
memory after it exited.  Frisk and I sat together, looked it over
and FProt 2.21 doesn't have that problem any more.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Tue, 30 Jan 1996 06:54:37 -0500 (EST)
From: CHAN KWANG MIEN <eng30053@leonis.nus.sg>
Subject: Help with Natas virus (PC)
X-Digest: Volume 9 : Issue 14

	Recently my hard disk was infected by the Natas virus. Does anyone
out there know the method to get rid of this virus? Please help.

	Thank you.

Kwang Mien

- -
			  Fri, 04 Aug'95, 01:47:27AM

------------------------------

Date: Tue, 30 Jan 1996 07:00:52 -0500 (EST)
From: Fridrik Skulason <frisk@complex.is>
Subject: Re: McAfee says: F-prot contains VCL-virus ? (PC)
X-Digest: Volume 9 : Issue 14

In <0031.01I0LP4Q7OWKPCQYD3@csc.canterbury.ac.nz> Koen Van de Velde <proviron@glo.be> writes:

>I'm just wondering if this is al normal.

Well, it is a false alarm, reported by Scan....I guess some people would
call that normal :-)

What happened was that SCAN picked up a piece of code in F-PROT which has
nothing to do with VCL...and incorrectly "identified" it.

Although this was not really our problem, we fixed it in 2.21, simply by
swapping two lines in the program code.

-frisk

- - 
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Tue, 30 Jan 1996 07:03:02 -0500 (EST)
From: Fridrik Skulason <frisk@complex.is>
Subject: Re: TB1 Virus (PC)
X-Digest: Volume 9 : Issue 14

In <0032.01I0LP4Q7OWKPCQYD3@csc.canterbury.ac.nz> Ron Bombard
<bh081@freenet.Buffalo.EDU> writes:

>Anyone have any info about the TB1 virus?

TB1 is not the standard name of any virus....if this was found in just a
single file, it was probably a false alarm.

-frisk

- - 
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Tue, 30 Jan 1996 09:13:54 -0500 (EST)
From: Robert Selby <rselby@ix.netcom.com>
Subject: MtE Virus (PC)
X-Digest: Volume 9 : Issue 14

Using F-Prot 221, I have found the MtE virus on a computer
disk I was preparing to send to over 100 other users.  What
is the MtE virus and what does it do?  How do I get rid of
it?  

[Moderator's note:  MtE is not a virus, per se, but a polymorphic
encryption engine that can be linked into a virus.  If a scanner only
reports detecting MtE it most likely means that you have found a new MtE-
based virus.  As MtE is only the encryption engine, the effects of the
virus are unknown to the scanner/disinfector so it most likely cannot be
disinfected.  Contact your local agent or F-PROT's authors and discuss
this further with them.]

------------------------------

Date: Tue, 30 Jan 1996 10:56:54 -0500 (EST)
From: "M.Torr" <dm7mt@hull.ac.uk>
Subject: Re: SMILING virus, help please. (PC?)
X-Digest: Volume 9 : Issue 14

I would think that running this file from floppy disk would have had no
real effect on your hard drive (unless the virus specifically searches for
the FAT table on the hard drive, which I do not believe it does). Running it
from floppy was the best thing you could have done.

[Moderator's note:  This contradicts the usually very reliable Henri
Delger's information, posted earlier.  I'm not sure I share Mark's
confidence in this...]

A note in the future is to be very careful what you download from outside
sources since many viruses are released by placing them in areas as
shareware or small utilities. 

[I agree with the caution, but question "many"--do you mean "10 ever", "10
per year", "10 a month"? -- Moderator.]

Mark.

------------------------------

Date: Tue, 30 Jan 1996 14:51:32 -0500 (EST)
From: Lee Brown <lee.brown@ukonline.co.uk>
Subject: Re: SMILING virus, help please. (PC?)
X-Digest: Volume 9 : Issue 14

On 29 Jan 1996 12:25:47 -0000 , bsw@cris.com wrote:

>I ran a file "laugh.exe" that I downloaded as "piss.zip" from a binaries 
>newsgroup and it printed on my screen "Your partition table is now 
>infected with the smiling virus".  I ran the file from a floppy disk, so 
>is that virus on the hard drive?  Is it real?  How do I get rid of it?  

Ouch!!!
Firstly, you should never execute anything without checking it with a
virus scanner.  You don't need to pay for a top of the range virus
scanner; you can get freeware ones from the net.

Okay, now I did a bit of a search on the Smiley virus and this is what
I came up with:-

SMILEY.1983 is not in the field, but it could be in the future. 
It is somewhat infectious, and results in moderate damage (disk
trashing). COM and EXE files are infected.
The virus has a memory-resident payload. It has minimum stealth
capability. This virus is not encrypted. The virus plays tricks with
the screen.

So what this is saying is that the virus has not been sighted for a
long time - so it looks like you are one of the first to reintroduce
it back into the computer world.  You must now check any disks you
used during the infection, make sure they are not infected then if
they are, get rid of them!!  If you do not, then you will be passing
this virus to your friends and other people who use your disks :(

As I said, don't panic!! Most of the damage done these days is not by
the virus itself but by the user panicking!! Be calm and download a virus
scanner, trial version or freeware, then follow the instructions
carefully.  Or check out my other thread that I responded to and
follow the same procedures!!

Regards.
*********************************
lee.brown@ukonline.co.uk
*********************************

------------------------------

Date: Tue, 30 Jan 1996 16:30:57 -0500 (EST)
From: Doug Muth <dmuth@oasis.ot.com>
Subject: Re: KOH in Mainstream Press (PC)
X-Digest: Volume 9 : Issue 14

In article <0008.01I0LP9POC0OPCQYD3@csc.canterbury.ac.nz>, Tom Simondi writes:
: Boardwatch Magazine, January 1996 issue, pg 78 published a very
: favorable article about the KOH virus ("The Other Side of Computer
: Viruses" by Wallace Wang). A few random short quotes:
: Wang goes on to then describe the KOH virus in glowing terms as
: the savior of data from prying eyes the world over: "The KOH
: virus insures that all of your data is protected, not just the files
: you remember to encrypt." And, then goes on to describe how
: harmless it is ("...buy the actual assembler source code and make
: sure...") and where to get it.

	Oh man, just what we need, another moron who thinks that a virus 
has to be used instead of a non-replicating program.  Hasn't he ever 
heard of PGP at all?

: The fun part comes when Wang says all sysops should use KOH to
: protect their computers because the United Nations "...might break
: down your door one day and haul your computer away...."

	Again, that's what most of us tend to use PGP for. :-)

: If you run a help desk and your users read this article and actually
: install KOH, expect your calls to go way high. While KOH has
: interesting properties, if someone forgets their password you have
: real problems; and if the virus is allowed to move from machine to
: machine, you can have worse problems. Despite what the article says,
: KOH is dangerous, if for no other reason than people simply won't
: read the documentation that comes with it. Your corporate data is
: at risk if you let this beast loose. Take it from one who actually
: ran it for several months just to see. It was not as benign and
: "user friendly" as this article would have you believe.

	This is just as bad as the case of that company that allowed 
Yankee Doodle to have free run of their systems so that "the song reminds 
employees of quitting time".  It seems to me that the only people who 
want to RELY on replicating based applications are those who are too lazy 
or too stupid to install software on their own.

	Regards,

- -
- -<Doug Muth>---<dmuth@ot.com>--| Finger dmuth@oasis.ot.com for
- --<http://www.ot.com/~dmuth>---| PGP public key and geek code
Anti-virus software and utils:  | The Transformers fanfiction:
~dmuth/virus/virus.html         | ~dmuth/tf/tf.html

------------------------------

Date: Tue, 30 Jan 1996 17:34:32 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Anti-CMOS Virus? (PC)
X-Digest: Volume 9 : Issue 14

Simon Grant <ay771@freenet.carleton.ca> writes:

>My hard drive has just been diagnosed as being infected with an 
>"Anti-CMOS" virus on it.  I hadn't heard of this type of virus before, 
>and McAffee couldn't even detect it.  

The only issue with AntiCMOS I know about is where a couple other
products detect its presence on a floppy disk and we don't.  It
happens that we detect it just fine and that's a known false id
scenario.

What product did you use that said you had AntiCMOS?

>Can anyone tell me something about these things?  

It spreads.  It has code to mess with CMOS that never executes.

>Is it possible to recover the non-corrupted sections of my hd?

What corrupted sections?  Please describe in more detail.  Somehow
I don't think it's related to AntiCMOS since AntiCMOS generally
doesn't do that (other than the MBR).  If it's just the MBR, you can
FDISK /MBR.  But as I was saying, I don't think this is your problem.

Jimmy
cjkuo@mcafee.com

[Moderator's note:  Simon--don't be tempted to try FDISK /MBR -unless- you
have read and understood the warnings about its use in the FAQ!!]

------------------------------

Date: Tue, 30 Jan 1996 14:47:05 -0500 (EST)
From: Lee Brown <lee.brown@ukonline.co.uk>
Subject: Re: How to remove "Ekaterin" virus ? (PC)
X-Digest: Volume 9 : Issue 14

On 29 Jan 1996 12:11:56 -0000 , Takashi Hirano <hirano@ti.com> wrote:

>A virus, "Ekaterin", was detected on the two PC of our section by IBMAV 
>software.
>
>We tried to remove the virus but failed.

I'm probably teaching you to suck eggs here, but a good method I have
found in the past is this:-

1. Find a clean (non-infected) boot disk.
2. Switch off the computer.
3. Place the disk into the drive.
4. Switch the computer back on.
5. Run a DOS-based virus scanner to check memory!!

What this does is stop the computer from booting from the C drive's
boot sector, which is where the virus usually jumps back to when the
computer is switched off; that's why it is important to put the boot
disk into drive A after you've switched off and not before, or what
will happen is that the virus will infect the boot sector of the A
drive, and this will put you back to square one.

[Moderator's note:  What Lee is describing is impossible, and shows an
unfortunate lack of expertise -or- an overly strong desire to simplify
things.  Lee--how can a virus "jump back" to your boot sector (presumably
"from memory") when your PC is switched off?  By definition, if the PC is
off, there is no power so, the virus can't be active or do anything.  If
you think it can detect that the power is going down, bad news--very few
PCs have the necessary detection hardware for this, and the few that do
are safe, because no viruses are known that target generally common UPS
systems.  What Lee is simplifying beyond recognition here is boot sector
and/or MBR stealthing.  Most of the rest of what Lee had to say needed
to be taken with even more sodium chloride than this, so I've deleted it.

The moral of this??  People, there are "real experts" who read this
list/group and there is a real possibility that misinformation posted here
will seriously damage something.  If you think you know an answer, think
again before responding--this isn't kindergarten anymore and there are
people with dozens, hundreds, and more, computers hanging on your possibly
authoritative-sounding replies.  Lee happens to have picked my particular
area of expertise to get wrong--I don't know all about computer viruses
though, so will sometimes post incorrect info that will hopefully be
picked up by others, but if this is acted on in the meantime...]

------------------------------
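
Henri Delger's Smile post above describes a stealth virus that conceals
its changes to the MBR while resident, Paul Sullivan reports scanners
refusing to run until the machine is clean-booted, and the moderator's
note under Lee Brown's post names boot sector and MBR stealthing as the
mechanism that the "put the disk in after power-off" advice garbles.
The following Python is an added model of that mechanism, written for
this edition; it is not code from Smile, Monkey or any other virus. It
models a resident disk-service hook that redirects every access to
sector 0 to the stashed original. STASH_LBA, the placeholder sector
contents and the scanner's marker string are constructed for the example.

```python
SECTOR = 512
STASH_LBA = 8                                    # assumed: where the model virus keeps the original sector 0
CLEAN_MBR = b"CLEAN-MBR".ljust(SECTOR, b"\x00")  # constructed placeholder for a clean master boot record
VIRUS_MBR = b"VIRUS-MBR".ljust(SECTOR, b"\x00")  # constructed placeholder for the infected one


class Disk:
    """The raw sectors as the controller holds them; nothing at this layer lies."""

    def __init__(self):
        self.sectors = {}

    def read(self, lba):
        return self.sectors.get(lba, bytes(SECTOR))

    def write(self, lba, data):
        self.sectors[lba] = bytes(data)


class DiskService:
    """Model of the BIOS disk service (INT 13h) with an optional resident stealth hook.
    While the hook is active, every access to sector 0 is redirected to the stashed
    original, so callers see, and 'repair', a clean-looking MBR."""

    def __init__(self, disk, hook_active):
        self.disk = disk
        self.hook_active = hook_active

    def _target(self, lba):
        return STASH_LBA if (self.hook_active and lba == 0) else lba

    def read(self, lba):
        return self.disk.read(self._target(lba))

    def write(self, lba, data):
        self.disk.write(self._target(lba), data)


def infect(disk):
    """Model infection: stash the original MBR, then overwrite sector 0 with the virus."""
    disk.write(STASH_LBA, disk.read(0))
    disk.write(0, VIRUS_MBR)


def scan_mbr(service, marker=b"VIRUS-MBR"):
    """A signature scanner that reads sector 0 through whatever disk service it is given."""
    return service.read(0).startswith(marker)


def run_scenario(clean_boot):
    """Infect a fresh disk, then scan and 'repair' it either from the infected system
    (hook resident) or after a clean boot (no hook). Returns (detected, still_infected)."""
    disk = Disk()
    disk.write(0, CLEAN_MBR)
    infect(disk)
    service = DiskService(disk, hook_active=not clean_boot)
    detected = scan_mbr(service)
    service.write(0, CLEAN_MBR)                  # the repair attempt, issued through the same service
    still_infected = disk.read(0) == VIRUS_MBR   # ground truth from the raw sectors
    return detected, still_infected
```

Read through the hook, the scanner sees a clean MBR, and a repair written
through the hook lands in the stash rather than in sector 0; with the hook
gone (the clean boot), the same scanner detects the virus and the same
write actually repairs the sector. That asymmetry is the whole reason the
posts insist on booting from a write-protected, known-clean diskette
before scanning or repairing.

------------------------------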

Date: Tue, 30 Jan 1996 17:46:33 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Free (or cheap) protection programs for DOS or WINDOWS? (PC)
X-Digest: Volume 9 : Issue 14

> Well, ours (F-PROT) is free for individual use and costs one dollar
> per machine per year for corporate use ($0.75 for educational
> institutions). I guess that's cheap enough? :-)

It has been pointed out to me that the "one-dollar" registration
policy is available only for the USA, Canada, Australia, South
America, and the German-speaking countries of Europe. In the other
countries the corporate users of our product must buy the Professional
version. Individual users are still allowed to use the shareware
version for free - all over the world.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Tue, 30 Jan 1996 17:50:28 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: TB1 Virus (PC)
X-Digest: Volume 9 : Issue 14

Ron Bombard <bh081@freenet.Buffalo.EDU> writes:

>Anyone have any info about the TB1 virus?  We located it on one of our 
>pc's during a virus scan when we first loaded the new Norton Antivirus 
>program.  It didn't have any info about it though.  Just named and removed.

The "TB1 virus" is a corrupted file in a "reviewer's" test set
(who shall remain nameless).

It's a false id from NAV from one of their "summer '95" DAT sets.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Tue, 30 Jan 1996 19:04:55 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Virus:MONKEY_B + FORM_A (PC)
X-Digest: Volume 9 : Issue 14

Steve Glick <steveg@gti.net> writes:

> On a bootable floppy copy fdisk.exe.  Boot from the floppy and 
> enter the command "a:\fdisk /mbr"  this undocumented option 
> (/mbr) will rebuild the master boot record and hopefully get 
> that monkey off your back.  This has worked on other pcs but I 
> have never tried this fix on a thinkpad.  Note: /mbr will not 
> wipe your harddisk.

> If this doesn't work try norton disk doctor from a bootable 
> floppy. NDD will also rebuild a corrupted Master boot record.

First, as the moderator noted, using FDISK/MBR blindly is dangerous,
as it can make your hard disk inaccessible and non-bootable. Second,
in the particular case of Monkey, it *will* make your disk
inaccessible and non-bootable. Fortunately, KillMonk3 will fix that.
Third, the FDISK/MBR trick is COMPLETELY USELESS for removing a DOS
Boot Sector infector like Form.

Fourth, if Monkey + FDISK + user incompetence results in a trashed and
inaccessible hard disk, NDD indeed will fix the problem - provided
that the rest of the disk is a standard DOS partition. NDD happens to
recognize DOS partitions by their DOS Boot Sectors. Unfortunately,
when the Form virus infects the DBS, the latter stops looking like a DBS
from the point of view of NDD, so the disaster is complete. At this
point, the poor (l)user has to ask a virus-competent expert for help.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Tue, 30 Jan 1996 19:10:48 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Mysterious hidden files. Virus? (PC)
X-Digest: Volume 9 : Issue 14

Doug Muth <dmuth@oasis.ot.com> writes:

> : 1. There are 5 hidden files on the hard disk instead of the 2 one
> : would expect.
> 
>       Any file can be hidden with the ATTRIB command.  Heck, even 
> ThunderByte Anti-Virus creates hidden files with its integrity data in 
> them.

However, then he would have had dozens of hidden files, not just five
of them.

>       Hmm...it sounds like system started formatting, and stopped 
> shortly thereafter with a "track 0 bad" error, (am I correct here?), at 
> that point, the disk should be unusable since it was not finished being 
> formatted.

Actually, the formatting *is* finished - it is just the write
operation of the boot sector, the FATs, and the root directory that
has failed (any of them).

> : 4. When a floppy disk is used in the disk drive, a hidden file 
> : subsequently is reported on the floppy by the chkdsk command.

>       Hmmm...this could be a possible companion infector; a virus that 
> creates hidden *.COM files with the same name as *.EXE files, the COMs 
> will be executed first, thus activating the virus.

Nope, a companion virus wouldn't create a companion body on an empty
disk with no EXEs on it.

>       Might want to get a copy of F-Prot, a very easy to use scanner.  

This is always good advice. :-) Besides, if he indeed has the virus
I suspect (Byway), F-PROT will detect it.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Tue, 30 Jan 1996 19:15:05 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: B1 virus? (PC)
X-Digest: Volume 9 : Issue 14

MR HENRI J DELGER <henri_delger@prodigy.com> writes:

>     "General Failure" messages may occur, and disk utility programs can be
> deceived, reporting (erroneously) that the Boot Record is "invalid," that
> the Media Descriptor Byte is "incorrect," and that File Allocation Tables
> are corrupt. Unfortunately, correcting these non-existent errors will cause
> data loss.

Also, the virus will crash the system if a disk write is attempted
around midnight.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Tue, 30 Jan 1996 19:21:58 -0500 (EST)
From: Shane Coursen <scoursen@symantec.com>
Subject: Re: How to remove "Ekaterin" virus ? (PC)
X-Digest: Volume 9 : Issue 14

In article <0048.01I0LP4Q7OWKPCQYD3@csc.canterbury.ac.nz>, hirano@ti.com says...
>
>A virus, "Ekaterin", was detected on the two PC of our section by IBMAV 
>software.
>
>We tried to remove the virus but failed.

Ekaterin, also known as Slydell, Russian Flag, or Ekaterinburg, is a boot
sector and master boot record virus.  Its only known payload is to
display a Russian flag on August 19th.

I am not sure if the IBMAV product can clean this virus, but according to
Joe Wells (an IBMer), it should.

Being that I am from Symantec, producer of Norton AntiVirus, I can say
that NAV can both detect and clean.  I suspect most other AV products will 
be able to as well.  Russian Flag (what Norton calls it) has been 
reported in the wild for many months now.

If worst comes to worst, a manual repair may also be attempted (although
it is not recommended).  According to the information I have, the original 
MBR is saved at physical location 0,0,9.  

- - 
Shane Coursen                                         Symantec Corporation
Computer Virus Researcher   http://www.symantec.com/avcenter/avcenter.html
AntiVirus Research Center                                  CIS:  GO SYMWIN
scoursen@symantec.com                                            GO SYMNEW

------------------------------
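
Three posts above turn on the same 512-byte layout: Henri Delger's, on
what FDISK /MBR rewrites and what it leaves alone; Vesselin Bontchev's,
on when FDISK /MBR is useless (a DOS boot sector infector like Form) or
harmful (Monkey), and on NDD recognising partitions by their DOS boot
sectors; and Shane Coursen's, on the saved copy of the original MBR at
physical 0,0,9. The following Python is an added example, written for
this edition and not taken from any post, product or virus. It parses
an MBR, applies the kind of structural check a disk utility applies to
a DOS boot sector, and models both repairs on a constructed disk image.
The geometry (16 heads, 63 sectors per track), the partition layout, the
placeholder loader bytes and the infection model are assumptions; in
particular, the keep_table=False case only models a virus that leaves no
usable partition table in sector 0, which is a way of producing the
"inaccessible disk" outcome Vesselin warns of for Monkey, without
claiming that this is Monkey's actual mechanism.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
CODE_LEN = 0x1BE                         # loader code is bytes 0..445; the partition table starts at 0x1BE
PT_ENTRY = struct.Struct("<BBBBBBBBII")  # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, LBA count
HEADS, SPT = 16, 63                      # assumed legacy geometry for CHS -> LBA; a real disk's comes from the BIOS


def chs_to_lba(cyl, head, sec):
    """Translate a physical cylinder/head/sector address (sectors count from 1) to a sector index."""
    return (cyl * HEADS + head) * SPT + (sec - 1)


def parse_partition_table(mbr):
    """Return the four partition slots of an MBR as dicts; type 0 marks an unused slot."""
    slots = []
    for i in range(4):
        f = PT_ENTRY.unpack_from(mbr, CODE_LEN + 16 * i)
        slots.append({"status": f[0], "type": f[4], "lba_start": f[8], "lba_count": f[9]})
    return slots


def mbr_looks_valid(sector):
    """Structural check only (not virus detection): signature, legal status bytes, at least one used slot."""
    if len(sector) != SECTOR or sector[510:] != BOOT_SIG:
        return False
    slots = parse_partition_table(sector)
    if any(s["status"] not in (0x00, 0x80) for s in slots):
        return False
    return any(s["type"] != 0 and s["lba_count"] > 0 for s in slots)


def dbs_looks_like_dos(sector):
    """Does a sector look like a DOS boot sector: x86 jump, BPB with sane values, boot signature?
    This is the kind of test a disk utility applies before it treats a partition as DOS."""
    if len(sector) != SECTOR or sector[510:] != BOOT_SIG or sector[0] not in (0xEB, 0xE9):
        return False
    bytes_per_sec, sec_per_cluster = struct.unpack_from("<HB", sector, 11)
    media = sector[21]                                        # media descriptor byte
    return (bytes_per_sec in (512, 1024, 2048, 4096)
            and sec_per_cluster in (1, 2, 4, 8, 16, 32, 64, 128)
            and 0xF0 <= media <= 0xFF)


def fdisk_mbr(disk, clean_loader):
    """Model of what FDISK /MBR does: rewrite the loader code, keep the partition table and signature.
    It refuses when sector 0 holds no usable table, which is the case where the real command does harm."""
    old = disk[0]
    if not mbr_looks_valid(old):
        raise ValueError("sector 0 has no valid partition table; FDISK /MBR would not make the disk accessible")
    disk[0] = clean_loader.ljust(CODE_LEN, b"\x00")[:CODE_LEN] + old[CODE_LEN:]
    return disk[0]


def restore_saved_mbr(disk, cyl, head, sec):
    """Manual repair for viruses that stash the original MBR elsewhere: copy it back only if it checks out."""
    saved = disk[chs_to_lba(cyl, head, sec)]
    if not mbr_looks_valid(saved):
        raise ValueError("saved sector does not look like an MBR; refusing to overwrite sector 0")
    disk[0] = bytes(saved)
    return disk[0]


def build_sample_disk(n_sectors=4096):
    """Constructed disk image (a list of sectors): placeholder loader, one bootable FAT16 partition
    starting at LBA 63, and a DOS boot sector with a BPB at the start of that partition."""
    loader = b"\xfa\x33\xc0\x8e\xd0"                           # placeholder bytes, not a real loader
    slot = PT_ENTRY.pack(0x80, 1, 1, 0, 0x06, HEADS - 1, SPT, 63, 63, n_sectors - 63)
    disk = [bytes(SECTOR)] * n_sectors
    disk[0] = loader.ljust(CODE_LEN, b"\x90") + slot + bytes(48) + BOOT_SIG
    # BPB: 512 B/sector, 4 sectors/cluster, 1 reserved, 2 FATs, 512 root entries, media 0xF8, 64 sectors/FAT
    bpb = struct.pack("<HBHBHHBHHHII", 512, 4, 1, 2, 512, 0, 0xF8, 64, SPT, HEADS, 63, n_sectors - 63)
    disk[63] = (b"\xeb\x3c\x90" + b"MSDOS5.0" + bpb).ljust(510, b"\x00") + BOOT_SIG
    return disk


def infect_model(disk, keep_table):
    """Constructed model of an MBR infector: stash the original at physical 0,0,9 (as the Ekaterin post
    describes) and put virus code in sector 0. keep_table=False models a virus that leaves no readable
    partition table in sector 0, so that FDISK /MBR would leave the disk inaccessible."""
    disk[chs_to_lba(0, 0, 9)] = disk[0]
    body = b"\xeb\xfe".ljust(CODE_LEN, b"\xcc")               # "jmp $" plus filler stands in for the virus
    tail = disk[0][CODE_LEN:] if keep_table else bytes(64) + BOOT_SIG
    disk[0] = body + tail
```

The point to take from it: FDISK /MBR touches only the first 446 bytes,
so it can only help when the table at offset 0x1BE is still intact, and
it does nothing for a DOS boot sector infector because that sector lives
inside the partition, not in sector 0. Restoring a stashed copy should be
gated on the copy passing the same structural check, and on a real disk
both operations belong after a clean boot and a backup of sector 0.

------------------------------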

Date: Tue, 30 Jan 1996 20:16:47 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Info about Form-A (PC)
X-Digest: Volume 9 : Issue 14

Koen Van de Velde <proviron@glo.be> writes:

> It is a floppy that I use to boot new pc's and install the network
> software with. So I would expect that some of the PC's would be 
> infected too, but 'till now I didn't find a thing.

Probably the disk got infected after the last time you booted
from it. Such disks are very sensitive; you should keep it permanently
write-protected.

> What I was wondering: is it possible for the Form-A virus to get on 
> our network (Novell Netware 4.1, VLM-client software) and if so,
> how can I check/clean it ?

Form is a boot sector virus and, as such, is unable to spread across
a network. However, if you attempt to boot the server from an infected
floppy, the virus will infect its hard disk.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Tue, 30 Jan 1996 20:21:40 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: McAfee says: F-prot contains VCL-virus ? (PC)
X-Digest: Volume 9 : Issue 14

Koen Van de Velde <proviron@glo.be> writes:

> I'm just wondering if this is all normal.

It is not.

> This week I found the Form-A virus on one of my floppies,
> as you can read in my previous posting.

This is irrelevant to your problem.

> I wanted to be sure that none of the computers are infected, 
> I started checking them with two different virus-scanners:
>     - McAfee Scan 2.2.9 (01-96)
>     - F-Prot v 2.20

> Here's what happens: First I load f-prot and scan my hard-disk,
> then I close it again and run the mcAfee-scan.  This one stops
> with the following message : 

> <<<<<<
> Virus data file  V9601 created 01/04/96  13:06:49
> Scanning memory for viruses 288KB

> Traces of VCL virus found in memory!

Yep. It was a known problem between F-PROT 2.20 and SCAN 2.2.7. I had
the impression that McAfee had fixed it from their side. Guess not.
Oh, well, we have fixed it from our side. Get version 2.21 of F-PROT
and the problem will go away. It is not a virus; it is two programs
confusing each other.

> Do I have an infected copy of f-prot

Nope.

> or is it just a conflict between
> those two products that confuses me (or at least my computer).

Yep.

> Anyway,
> it means that some part of f-prot stays in memory after running ...
> I'm wondering what that can be.

One of the scan strings that SCAN uses to detect VCL is very short and
happens to detect the part of our program which does the decryption of
the VCL-encrypted viruses. It is not a scan string that is detected
(F-PROT never leaves scan strings in memory unencrypted); it is part
of F-PROT's code. We changed it in version 2.21.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E
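Why a too-short scan string hits a scanner's own decryption routine, shown as an added example that is not from F-PROT, SCAN or the original post: a minimal memory scanner with wildcard signatures is run over a constructed memory image holding a benign XOR-decryption loop (the kind of code any program that decrypts encrypted virus bodies contains) and a "virus" built around the same loop. All byte patterns here are made up for the illustration; they are not the real VCL string or F-PROT's code.

```python
"""
Signature specificity and false positives.  A 4-byte scan string covering only
a generic XOR decrypt loop matches benign code; anchoring the string on the
virus's own prologue does not.  All bytes below are constructed for this
example and are not any real product's signatures or code.
"""
import re


def compile_sig(hexpat):
    """'30 04 46 E2 ?? C3' -> compiled regex; '??' matches any one byte."""
    parts = []
    for tok in hexpat.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(memory, signatures):
    """Return {name: [offsets]} for every signature that matches in memory."""
    hits = {}
    for name, pat in signatures.items():
        offs = [m.start() for m in compile_sig(pat).finditer(memory)]
        if offs:
            hits[name] = offs
    return hits


# xor [si],al / inc si / loop back -- the loop any simple decryptor contains
DECRYPT_LOOP = bytes.fromhex("3004 46 E2FB")


def build_memory():
    """Constructed 4 KiB image: benign decryptor at 0x100, 'virus' at 0x800."""
    mem = bytearray(0x1000)
    # mov cx,0100h / mov si,0200h / mov al,4Ah / <loop> / ret
    benign = bytes.fromhex("B90001 BE0002 B04A") + DECRYPT_LOOP + b"\xC3"
    # call $+3 / pop si / sub si,3 / mov cx,0200h / mov al,55h / <loop> / jmp $+2
    virus = bytes.fromhex("E80000 5E 83EE03 B90002 B055") + DECRYPT_LOOP + bytes.fromhex("EB00")
    mem[0x100:0x100 + len(benign)] = benign
    mem[0x800:0x800 + len(virus)] = virus
    return bytes(mem)


# Only the generic loop: will match any XOR decryptor, including the scanner's own.
SHORT_SIG = "30 04 46 E2"
# Anchored on the call/pop self-locating prologue with wildcards for the variable immediates.
LONG_SIG = "E8 00 00 5E 83 EE 03 B9 ?? ?? B0 ?? 30 04 46 E2"


def demo():
    return scan(build_memory(), {"short": SHORT_SIG, "long": LONG_SIG})


if __name__ == "__main__":
    for name, offs in demo().items():
        print(name, [hex(o) for o in offs])
```

The short string reports two hits, one of them at the benign routine, which is the "traces of VCL virus found in memory" effect described above; the longer string reports only the virus. Either vendor can fix this: the signature side by lengthening the string, the scanned side by changing its bytes, which is what the post says F-PROT 2.21 did.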

------------------------------

Date: Tue, 30 Jan 1996 20:24:38 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Anti-CMOS Virus? (PC)
X-Digest: Volume 9 : Issue 14

Simon Grant <ay771@freenet.carleton.ca> writes:

>       My hard drive has just been diagnosed as being infected with an 
> "Anti-CMOS" virus on it.  I hadn't heard of this type of virus before, 
> and McAfee couldn't even detect it.  

McAfee's scanner does detect the AntiCMOS virus. If it didn't detect
it on your machine - how do you know that you have this virus?

> Can anyone tell me something about these things?

Read the FAQ before asking such questions. Then find the description
of the virus in one of the sources listed there. For instance, browse

	http://www.datafellows.com

> Is it possible to recover the non-corrupted sections of my hd?

Yes.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Tue, 30 Jan 1996 20:34:08 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Monkey B / Monkey 2 (PC)
X-Digest: Volume 9 : Issue 14

Neeraj Murarka <murarka@sfu.ca> writes:

> Hi. I have the Monkey B / Monkey 2 Virus on my Hard Drive. How can I
> clean it off? The scanners all quit when I run them, saying that I should
> boot off a clean system disk, and then rerun the virus scanner to clean
> off the virus.

The scanners are right. This is precisely what you should do.

> But the problem is, this virus, when on a Hard Drive, will
> not allow the Hard Drive to be accessed when you use a clean boot disk.

This doesn't matter.

> So how do you get rid of the virus?

That depends on which particular scanner you use. If you use ours
(F-PROT), then the proper command is

	f-prot /hard /disinf /auto

> The McAfee documentation says that
> the virus is removable.

It is.

> This is a boot sector virus.

Correct. It infects Master Boot Sectors on hard disks and DOS Boot
Sectors on floppy disks.

> How do I get rid of
> it!?!?! Help!

See above.

> Thanks in advance!

You're welcome.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Tue, 30 Jan 1996 20:35:05 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: I LOVE (PC)
X-Digest: Volume 9 : Issue 14

"A. Padgett Peterson, P.E. Information Security"
<PADGETT@hobbes.orl.mmc.com> writes:

> There used to be a boot sector infector like this (EMPIRE.C I think - 
> was an early variation of the EMPIRE series).

No, Padgett, ILove is what F-PROT calls the Satria viruses. They have
nothing to do with the Empire.In_Love variants. :-) Ain't virus naming
fun? :-))

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Tue, 30 Jan 1996 20:39:25 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: KEEPER-LEMMING (PC)
X-Digest: Volume 9 : Issue 14

Peterjon <Peterjon@express.co.nz> writes:

> Please can someone provide me with info on this 
> beast. Origin, mode of action etc.

For instance, see

	http://www.datafellows.com/v-descs/keeper.htm

(See also the FAQ for other sources of virus information.)

> Is there an antidote ???

For instance, our scanner, F-PROT, can remove it. Most of the other
good scanners - e.g., FindVirus, AVP, etc. - probably can remove it too,
although I haven't tested this.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Tue, 30 Jan 1996 20:42:27 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: SMILING virus, help please. (PC?)
X-Digest: Volume 9 : Issue 14

bsw@cris.com writes:

> I ran a file "laugh.exe" that I downloaded as "piss.zip" from a binaries 
> newsgroup and it printed on my screen "Your partition table is now 
> infected with the smiling virus".  I ran the file from a floppy disk, so 
> is that virus on the hard drive? 

Yes, it is.

> Is it real? 

Yes, it is.

> How do I get rid of it?

For instance, with an anti-virus program that can remove it. Obvious,
huh?

> [Moderator's note:  Related to the Smile or Yesmile virus mentioned in a
> few other recent posts??  Look for Henri Delger's explanatory post with
> "Subject: Re: Smile (PC)".]

It is *precisely* the virus which Henri Delger described.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Tue, 30 Jan 1996 20:49:38 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: KOH in Mainstream Press (PC)
X-Digest: Volume 9 : Issue 14

Tom Simondi <tsimondi@slonet.org> writes:

> Wang goes on to then describe the KOH virus in glowing terms as
> the savior of data from prying eyes the world over: "The KOH
> virus insures that all of your data is protected, not just the files
> you remember to encrypt."

How very useful, isn't it? Kinda what the One_Half virus does. And
when you remove the virus - PUFF! - your data is not accessible any
more. At least the One_Half encryption is weak and can sometimes be
easily broken (finding the key is not a problem; the problem is
finding the size of the encrypted area) - KOH uses IDEA, so you can
forget any hopes of breaking the cipher.

> The fun part comes when Wang says all sysops should use KOH to
> protect their computers because the United Nations "...might break
> down your door one day and haul your computer away...."

Obviously, Mr. Wang is from the same journalistic school as the bozo
who recently wrote in an English newspaper that PGP was written by a
neo-Nazi sympathiser.

> If you run a help desk and your users read this article and actually
> install KOH, expect your calls to go way high. While KOH has
> interesting properties, if someone forgets their password you have
> real problems; and if the virus is allowed to move from machine to
> machine, you can have worse problems. Despite what the article says,
> KOH is dangerous, if for no other reason than people simply won't
> read the documentation that comes with it. Your corporate data is

Furthermore, it is damn slow, particularly if you leave the
replication turned on. And, if you turn it off, you have just
demonstrated that you don't need a virus to perform the functions that
you need. People who are interested in bulk disk encryption should get
one of the free and secure packages on the net - SFS, SecureDevice, or
SecureDrive.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Tue, 30 Jan 1996 21:29:38 -0500 (EST)
From: sysop@command-bbs.com
Subject: Re: How to remove "Ekaterin" virus ? (PC)
X-Digest: Volume 9 : Issue 14

>A virus, "Ekaterin", was detected on the two PC of our section by IBMAV
>software.

Hmmm.... I think IBMAV means Ekaterinburg.

Ekaterinburg

It's not a dangerous memory resident boot virus. On loading from an infected
disk it copies itself into the Interrupt Vector Table and hooks INT 13h. Then
it writes itself into the boot sectors of floppy disks. The MBR (Partition
Sector) of the hard drive is infected when loading from an infected floppy.
Depending on the system timer value the virus erases the screen and waits
for a keystroke. It contains the encrypted text string "Ekaterinburg."

Keith

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Central Command Inc.                 USA  Distributor  for
P.O. Box 856                         AntiViral Toolkit Pro
Brunswick, Ohio 44212                216-273-2820
Internet: info@command-hq.com        Compuserve:102404,3654
FTP: ftp.command-hq.com /pub/command/avp       :GO AVPRO
WWW: http://www.command-hq.com/command
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: Tue, 30 Jan 1996 23:53:58 -0500 (EST)
From: "Raymond K. Johnson" <rayj@phoenix.net>
Subject: Mutagen Stealth Boot Virus? (PC)
X-Digest: Volume 9 : Issue 14

I have a question.  Please forgive the "newbie" for asking stupid
questions. I have unfortunately had no time to read the FAQ for this
newsgroup and need some help. My ISP was dead in the water for a
protracted period of time tonight. I encountered a copy of stealth boot
virus at a customer site. It seems to have a mutagen engine and I was
wondering if this was possible? The virus encountered seems to be
processor dependent. On a 486 INTEL processor it causes Windows load
problems. On a Pentium processor it seems to be innocuous. On a 386
processor it seems to cause protected memory allocation errors.  Have I
found a new strain or am I chasing ghosts in the dark?  I am afraid the
customer in question has transmitted this virus throughout their world
wide offices. Thanks for the help in advance.  Either post to this thread
or email me at rayj@phoenix.net.  

Raymond

------------------------------

Date: Wed, 31 Jan 1996 05:33:24 -0500 (EST)
From: CHAN KWANG MIEN <eng30053@leonis.nus.sg>
Subject: NAtas Virus (PC)
X-Digest: Volume 9 : Issue 14

Does anyone know how to kill Natas Virus?

Kwang Mien

- -
			  Fri, 04 Aug'95, 01:47:27AM

------------------------------

Date: Thu, 01 Feb 1996 10:07:17 -0500 (EST)
From: David Crockett <crockett@UMDNJ.EDU>
Subject: SUSPECTED VIRUS FOR WordPerfect? (PC)
X-Digest: Volume 9 : Issue 14

I need help.   Any suggestions would be appreciated.

My computer in the lab and at home developed identical problems, which has
led me to believe that I have been infected.  My wife brought home from
her office a copy of F-Prot.  Unfortunately (or fortunately?) we did not
detect a virus but I am still suspicious.  Let me outline the problem. 
The exact same things happened on the two computers!  What are the odds?

First, when attempting to launch WordPerfect, Quattro Pro and several 
other programs (Micrografx's Designer or Photomagic, SigmaPlot), the
computer would report that it could not read drive C.  DOS programs worked
fine as well as some Windows based programs.   So I ran scandisk from DOS. 
Scandisk reported a problem with the FAT; it "fixed" it by truncating it.

Second, after running scandisk, Quattro Pro miraculously works as well as
most of the other programs.  However, WordPerfect will not launch,
reporting that it can not find shwin20.dll.  This is on both computers! 
Also, Micrografx's Photomagic does not launch on both computers and the
same is true for SigmaPlot (from Jandel). The coincidence is just too
unbelievable that two computers would develop a problem with the same
portion of the FAT.  The computers are two different brands and have
different configurations.

Have you heard anything like this before?   I do not know where the 
infection could have come from, but most likely through the WWW at work.

If you have any suggestions, I would be forever in your debt.


**********************************************************
David Crockett, M.A., Ph.D.
Department of Neuroscience and Cell Biology
University of Medicine and Dentistry of New Jersey
Robert Wood Johnson Medical School
675 Hoes Lane
Piscataway, NJ 08854-5635

e-mail:  crockett@umdnj.edu
Fax:  908-235-4029
Voice: 908-235-4522
***********************************************************

------------------------------

Date: Thu, 01 Feb 1996 11:47:46 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Need help: AntiEXE virus (PC)
X-Digest: Volume 9 : Issue 14

Michael Messuri <MMESSURI@SYMANTEC.COM> writes:
>In article <0028.01I0AAP9YODQOK8IBB@csc.canterbury.ac.nz>,
networking@aol.com says...

>>If anyone has any info on how to get rid of this one, I'd appreciate
>>it.  It affects the boot sector and the Norton Virual Protector
>>crashes on me. 

>  To remove this virus from your system with NAV you will need to
>boot your system from a clean (virus free) system floppy disk {you
>will want to check your CMOS settings to verify the setting of your
>disk drives as this virus will make modifications to this area} and

AntiEXE is not AntiCMOS.  And furthermore, AntiCMOS doesn't touch the
CMOS either.

>then run NAV (this will prevent the virus from becomming memory
>resident). Once NAV is up and running, just perform a scan now of
>your hard drive and select the repair option when prompted.

Boot clean, run NAV, choose Repair.  The extra words above are
superfluous and sometimes in error.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Thu, 01 Feb 1996 21:04:59 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Info about Form-A (PC)
X-Digest: Volume 9 : Issue 14

Koen Van de Velde <proviron@glo.be> writes:

> This week I found the Form-A virus on one of my boot-floppies.
> I immediatly des-infected it with McAfee Scan 2.2.9 (01/96) and it
> seems to be clean now.

> It is a floppy that I use to boot new pc's and install the network
> software with. So I would expect that some of the PC's would be 
> infected too, but 'till now I didn't find a thing.

Probably because the infection has occurred *after* the last time you
used that floppy to boot from it. Such floppies are very sensitive and
you should keep them write-protected anyway.

> What I was wondering: is it possible for the Form-A virus to get on 
> our network (Novell Netware 4.1, VLM-client software) and if so,
> how can I check/clean it ?

It is a boot sector virus and cannot spread across a network.
However, if you attempt to boot the server from an infected floppy,
the virus will infect the server's hard disk.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Fri, 02 Feb 1996 01:45:02 -0500 (EST)
From: "Robert E. Hunter" <rxh16504@bayou.uh.edu>
Subject: Ripper and NYB (PC)
X-Digest: Volume 9 : Issue 14

I have the Ripper and NYB on some diskettes and have yet to find a 
antivirus program that will clean it up.  I have Win95 and am currently 
using McAfee for Win95 but it will not clean either one. Help?

------------------------------

Date: Fri, 02 Feb 1996 02:08:31 -0500 (EST)
From: Steven Hoke <shoke@NorthNet.org>
Subject: Re: Need info on MONKEY_A virus (PC)
X-Digest: Volume 9 : Issue 14

Vesselin Bontchev wrote:

> > I recently ran across the virus MONKEY_A on several diskettes from
> > another department. I was able to clean the virus (using McAfee
> > VirusScan 2.2.9), but I can not find any information from VSUM 507 on
> > this particular virus.
> 
> That's kinda strange, but maybe the reason is because your version of
> VSUM is outdated. It is right there in version 9510. And full of
> inaccuracies, as usual. 

Even more outdated than you thought. I've seen version 9512, although I
don't recall what site it was on.
- - 
- -==Steve==--
shoke@northnet.org
steven_hoke@msn.com

------------------------------

Date: Fri, 02 Feb 1996 03:07:16 -0500 (EST)
From: Peter <pmaria@direct.ca>
Subject: Help with Stoned.empire.monkey (PC)
X-Digest: Volume 9 : Issue 14

Help if you can...  I have an older 386SX25 AST Executive laptop.   I
had a Monkey_A and Monkey_B infection, after I cleaned them I had a
Stoned.empire.monkey virus.  I could not remove it leaving my files
intact, so I ended up FDISKing my HD.  I discovered 10 non-DOS
partitions, which I removed.  The HD works fine now, except I can't
boot from it. I have to boot from a floppy. Is it possible that the
boot sector of the HD was permanently damaged by a virus? Even after
several FDISKs?  Did I do something wrong?  Maybe my HD just chose a
bad time to die.  In my past experience though, if a HD dies, it is
dead. Plain and simple.  Mine works fine, with no probs, as long as I
boot off a floppy. That is a real pain in the ass....  Thanks in
advance for any help.  

Could responses be e-mailed to me?  I don't get the chance to check on
USENET a lot. E-mail:   pmaria@direct.ca 

------------------------------

Date: Fri, 02 Feb 1996 07:20:49 -0500 (EST)
From: Sanjeev Bhutt <bhutt@odie.ee.wits.ac.za>
Subject: MTE COFEESHOP Virus (PC)
X-Digest: Volume 9 : Issue 14

I am in need of a virus remover for the MTE COFEESHOP virus.
Is anyone out there able to help ?

Thanks.

------------------------------

Date: Fri, 02 Feb 1996 07:52:11 -0500 (EST)
From: Long Live PBS <t.voo@ic.ac.uk>
Subject: Chinese Fish virus (PC)
X-Digest: Volume 9 : Issue 14

Anyone know about the "Chinese Fish virus"
which attacked our PC this morning?

Anything to scan this virus.

Thanks in advance.

------------------------------

Date: Fri, 02 Feb 1996 11:01:25 -0500 (EST)
From: chi@bluefin.net
Subject: Help...Is this a virus? (PC)
X-Digest: Volume 9 : Issue 14

Today I turned on my computer and I received this message,

CMOS Checksum Invalid
Press Enter to Boot, Esc to run setup

I pressed Esc and the system continued to boot in the same way it has 
everyday.  Nothing has changed on my system, between yesterday and today. 
Except I have been on the Internet.....
I ran McAfee Virus Scan 2.6 but nothing was found. 
Could this be a virus that McAfee isn't picking up?
McAfee's home page isn't working apparently to get an upgrade.

If so, what other Anti-Virus program would you suggest?
Thanks for your help.

[Moderator's note:  It is most unlikely this is virus-related.  I see
dozens of machines a year with this "problem" and they are always either
"just one of those things" or an early warning that the machine's CMOS
battery is approaching the end of its life.  There are viruses that tangle
with your CMOS settings however, and you just may have contracted a new
virus your scanner doesn't know about.  If paranoid enough, find another
scanner to check your system with.]

------------------------------

Date: Fri, 02 Feb 1996 12:41:40 -0500 (EST)
From: Christopher Hill <chris@minkus.compulink.co.uk>
Subject: 69 Virus (PC)
X-Digest: Volume 9 : Issue 14

Recently I caught the 69 virus and wiped my hard-drive to get rid of it.
What does it do?
What programmes get rid of it?

Chris

Tel:01206 868634

[Moderator's note:  Assuming this is the PC virus known as 69, it is
probably better known as Sampo.  I'll leave the experts to answer the
other questions...]

------------------------------

Date: Fri, 02 Feb 1996 12:49:32 -0500 (EST)
From: Ken Stieers <kens@ontrack.com>
Subject: Re: Anti-CMOS Virus? (PC)
X-Digest: Volume 9 : Issue 14

Anti-CMOS is a master boot record virus that versions 2.2 and above of
McAfee should be able to detect and remove.  Note, if you are using the
Windows version this won't be able to find it.  Since WSCAN doesn't
scan memory, and ANTI-CMOS has stealth capabilities, it won't find it.  Get
the DOS version, cold boot the machine from a known clean bootable floppy
and run SCAN C: /CLEAN. 

Ken 

- - 
Views expressed herein are not necessarily the views 
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               |  Minneapolis - 1.800.872.2599       * 
* AV Research/Apps. Eng.    |  Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  |  Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     |  London - 0800 24 39 96             *
* Eden Prairie, MN          |  Japan - 81.429.32-6365             *
*******************************************************************

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 14]
*****************************************


