From lehigh.edu!virus-l  Mon Feb  5 12:51:23 1996 remote from vhc
Received: by vhc.se (1.65/waf)
	via UUCP; Mon, 05 Feb 96 13:51:52 GMT
	for mikael
Received: from fidoii.CC.Lehigh.EDU by mn3.swip.net (8.6.8/2.01)
	id MAA00816; Mon, 5 Feb 1996 12:51:23 +0100
Received: from fidoii.cc.lehigh.edu ([127.0.0.1]) by fidoii.cc.lehigh.edu with SMTP id <29463-63852>; Mon, 5 Feb 1996 05:14:05 EST
Message-Id: <01I0VDLJNR1UPVHY7M@csc.canterbury.ac.nz>
Reply-To: virus-l@lehigh.edu
Originator: virus-l@lehigh.edu
Sender: virus-l@lehigh.edu
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V9 #15
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
X-Comment: Virus Discussion List
Date: 	Mon, 5 Feb 1996 05:14:03 EST

VIRUS-L Digest    Monday, 5 Feb 1996    Volume 9 : Issue 15

Today's Topics:

Re: HELP (PC)
F-PROT: Request for Help (PC)
F-PROT: Request for Help (PC)
Re: Is this a virus? (PC)
Re: Prity Boot (PC)
Re: HELP !!! OneHalf virus (PC)
Re: Virus that damages hardware (PC)
Help. Fdisk doesn't remove... (PC)
ARFAV24A antivirus software? (PC)
Re: Monkey B / Monkey 2 (PC)
Re: B1 virus? (PC)
Re: NATAS Virus (PC)
Re: NATAS Virus (PC)
Re: Sampo (PC)
Re: F-PROT: Request for Help (PC)
Re: Quality Anti-Virus Programs (PC)
Infected Network, HELP! (PC)
Re: Virus that damages hardware (PC)
Re: Help: Goldbug (PC)
Re: DH2 Virus (PC)
Re: ONE HALF.3544 Virus Detected (PC)
Re: ANTICMOS A / Boot Sector question (PC)
Re: What does SHZ do? (PC)
Re: TBWEEDER - A duplicate file checker (PC)
Re: parity boot b? (PC)
Re: Viruses on floppy diskettes (PC)
Re: telecom 2 virus (PC)
Re: Free or Cheap Virus Scanners (PC)
Re: Is this a virus? (PC)
Re: EXE_BUGD -bad news- (PC)
Re: F-PROT: Request for Help (PC)
Is this a virus? (PC)
Re: Invircible (PC)
Re: Virus that damages hardware (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available by anonymous FTP on CS.UCR.EDU.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Fri, 02 Feb 1996 13:01:47 -0500 (EST)
From: Michael Messuri <MMESSURI@SYMANTEC.COM>
Subject: Re: HELP (PC)
X-Digest: Volume 9 : Issue 15

>While doing an install to my hard drive NAV alerted me that something was
>attempting to write to the diskette.  This was at a point in the installation
>that nothing should have been writing to the diskette.

Ginger:

  Please try booting from a clean (virus free) system floppy disk and then
run NAV from the original install disk with the command line:

	NAV A: /B+ /M+ /REPAIR

  The running of NAV in this manner will allow NAV to scan both your
systems memory, Master Boot Record (a.k.a. partition sector) and the
bootsector.  If this virus is known to NAV, the product will detect it at
this time and attempt a repair.

  Should the scan result in no virus detected or any other unexpected
problem please let me know.

  Thanks.

- - 
==========================================================================
Michael Messuri                                       Symantec Corporation
Virus Specialist            http://www.symantec.com/avcenter/avcenter.html
AntiVirus Research Center                                  CIS:  GO SYMWIN
mmessuri@symantec.com                                            GO SYMNEW
US Support:  541-465-8420                                   AOL:  SYMANTEC
European Support:  31-71-353-111        Australian Support:  61-2-879-6577
==========================================================================

------------------------------

Date: Fri, 02 Feb 1996 17:17:09 -0500 (EST)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: F-PROT: Request for Help (PC)
X-Digest: Volume 9 : Issue 15

In article <0031.01I0R33FGIF6PVGQEE@csc.canterbury.ac.nz>
	   msa@us.dynix.com "Mike Ashcraft" writes:

 > Someone (from UNISYS I think) asked how to force everyone to run some
 > type of active tsr type virus protection on DOS machines.  In a
 > Novell environment you can put it in the System login script.

Do NOT run any TSR in the Netware login script.  It fragments 
your conventional memory into two parts. 

 > All PC's were configured to automatically connect to the
 > server, run scan, load vshield and then login.

That is the best sequence.

 > If users have physical access to their machine
 > they can do just about anything.

Dr. Solomon's can be configured to dump people off the network if 
they are not running the VirusGuard TSR when they try to login.  
Doesn't much matter what they do to their own machine then.

- -
NO LADY LIKES               ACCOMPANIED BY
	     TO DANCE                     A PORCUPINE
		     OR DINE                         Burma-Shave

[Moderator's note:  If you -must- load a TSR at NetWare login time, use
the "exit" command with a parameter to spawn a batch and get the latter to
load the TSR--this avoids the memory problems Iolo referred to.]

------------------------------

Date: Fri, 02 Feb 1996 18:38:37 -0500 (EST)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: F-PROT: Request for Help (PC)
X-Digest: Volume 9 : Issue 15

In article <0039.01I0R33FGIF6PVGQEE@csc.canterbury.ac.nz>
	   Richard_Bodor@msn.com "Richard Bodor" writes:

 > All
 > employees are to scan diskettes brought in or carried out of the
 > building. All alarms are recorded in a log and documentation
 > provided. We have not had an infection from our engineering
 > department since - and the auditors were satisfied. This should
 > only be a problem if your engineers are bringing executables into
 > the building - a questionable practice.

Not quite right.  "Data-only" diskettes can carry boot sector 
viruses.  Scan them all, no excuses.

- -
NO LADY LIKES               ACCOMPANIED BY
	     TO DANCE                     A PORCUPINE
		     OR DINE                         Burma-Shave

------------------------------

Date: Sat, 03 Feb 1996 02:12:40 -0500 (EST)
From: Kenneth Albanowski <kjahds@kjahds.com>
Subject: Re: Is this a virus? (PC)
X-Digest: Volume 9 : Issue 15

On Tue, 23 Jan 1996, Bruce Peck wrote:

> An administrator at a remote site in my company reported these 
> conditions on some of her PCs and cannot find evidence of a virus by 
> using the latest versions of Norton, McAfee, F-Prot, and Thunderbyte.
> In a population of about 50 PCs on a Novell network, 5 or 6 of them 
> will on occasion have trouble booting with the result being a screen 
> full of random ascii characters and the PC locks.  A hard boot is 
> required and may take 2 or 3 tries to successfully boot.  The problem 
> may not surface on this PC again for several weeks or even a month or 
> two.  The PCs are all Compaq but are different models and were 
> purchased at different times.  These symptoms did not appear all at 
> once.  First it was only one PC and then others began showing this 
> problem over about a years time.  Could this be some sort of virus?  
> Is there another technique we should use to help determine what this 
> is?

I am not familiar with various virus symptoms, so I cannot comment on whether
this is a particular virus. 

I can offer some general advice, however: most "weird" problems with PC's
are not viruses. If this happens immediately on turning on the computer,
it is likely not a virus, but a hardware problem. I'd first try swapping
around any hardware that is shared by all the affected PC's to see if the
problem moves with the hardware -- given your networked environment, the
network cards seem to be an excellent first guess. The next steps would
probably be the CMOS battery (although I doubt it would cause such visual
and decisive symptoms), miscellaneous boards (disk controller, etc.) and
finally the motherboard itself.  Cleaning the contacts on the various
boards (rub gently with a clean eraser) and reseating the various socketed
ICs (push down gently on them) couldn't hurt either. 

However, if it is a virus, none of this would help matters. Obtaining and
using a shareware virus-checker, like F-PROT, might be a good place to
start on checking that side of matters. 

- -
Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)

------------------------------

Date: Sat, 03 Feb 1996 09:24:37 -0500 (EST)
From: MR HENRI J DELGER <henri_delger@prodigy.com>
Subject: Re: Prity Boot (PC)
X-Digest: Volume 9 : Issue 15

>Does anyone have any experience with the Parity .Boot
>Virus? I have a couple of disks infected, and I would
>like to know exactly what it does.

(X-Digest: Volume 9 : Issue 10)
- -----------------------------
Parity Boot infects both 1.44M and 720K diskettes, and is a 
memory-resident stealth virus, which uses 2048 bytes of DOS 
memory.  If an infected diskette is in A> drive at boot/re-boot,
the virus will infect the hard disk.  It will be memory resident
after that and any read access to the boot sector of a diskette
will result in the virus infecting the floppy diskette.  
     Also, if a non-write-protected diskette is in A> drive 
when the system is warm booted by using the Ctrl-Alt-Del 
combination, the diskette will be infected, because this 
virus is one (of only a few) which is programmed to 
intercept such a warm boot command.
     For 720K diskettes, the original boot data are copied 
to the last sector of the root directory.  For 1.44M disks, 
the boot data are copied to the fourth sector of the root 
directory.  Thus the virus will overwrite file entries on 
diskettes with many files listed in the root.  On the hard 
disk, the MBR data are relocated to cyl&head 0, sector 14.
     Ordinarily, data are not lost from the hard disk, 
because the sector which the virus uses is not used by DOS.
If that sector is used by third-party software to store 
data, during formatting, or for password access, or by 
drivers to access large partitions, obvious problems can 
result, however.
     Since Parity Boot is a "stealth" virus, it is able, 
when resident, to redirect attempts to view the first 
sector of the hard disk, where it copies its code, to the 
sector to which the MBR data were moved.  It gets its name 
from its ability to output a simulated parity error message 
to the monitor screen after an hour of operation plus an 
additional hour for each infection.  The more infections, 
the longer the interval between displays of the parity 
check message.
     Since Parity Boot can intercept a warm boot (Ctrl-Alt-
Del) command (see above), the only way to be sure that the 
virus is not resident is to power down, by turning the PC
off at the switch, then place a write-protected DOS system 
boot diskette in A> drive and turn power back on, before 
attempting to remove the virus.  Once it is gone from the 
hard disk, diskettes should be checked.

Regards, Henri Delger
http://pages.prodigy.com/XWWC29A
email: henri_delger@prodigy.com

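The post says Parity Boot parks the original diskette boot sector in the fourth root-directory sector of a 1.44M disk and in the last root-directory sector of a 720K disk, and that this is why file entries get overwritten. The block below is an added example, not code from the post or from any anti-virus product: it builds a FAT12 boot sector with the standard DOS BIOS Parameter Block (BPB) for each format (constructed values), computes where the root directory lives, and reports which 32-byte directory entries the sector the post names would clobber. The `overwritten_by_parity_boot` mapping (index 3 for 1.44M, last sector for 720K) is my reading of the post, not a disassembly of the virus. As a side result, the two locations the post names resolve to the same CHS address, cylinder 0, head 1, sector 5, which the block reports.

```python
"""Root-directory geometry of FAT12 floppies, derived from the BPB.

Added example (not from the VIRUS-L post): shows why a boot-sector virus that
stashes the original boot sector in a root-directory sector overwrites file
entries, and which entries those are for 720K and 1.44M diskettes.
"""
import struct
from dataclasses import astuple, dataclass

BYTES_PER_SECTOR = 512
DIR_ENTRY_SIZE = 32
# BPB fields at offset 11 of a DOS boot sector, in order: bytes/sector,
# sectors/cluster, reserved sectors, FAT count, root entries, total sectors,
# media descriptor, sectors/FAT, sectors/track, heads.
BPB_FORMAT = "<HBHBHHBHHH"
BPB_OFFSET = 11


@dataclass(frozen=True)
class Bpb:
    bytes_per_sector: int
    sectors_per_cluster: int
    reserved_sectors: int
    fat_count: int
    root_entries: int
    total_sectors: int
    media: int
    sectors_per_fat: int
    sectors_per_track: int
    heads: int


# Standard DOS parameters for the two formats the post names (constructed here).
FLOPPY_1440K = Bpb(512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
FLOPPY_720K = Bpb(512, 2, 1, 2, 112, 1440, 0xF9, 3, 9, 2)


def make_boot_sector(bpb: Bpb) -> bytes:
    """Constructed FAT12 boot sector: jump stub, OEM name, BPB, zeroed code, 55AA."""
    sec = bytearray(BYTES_PER_SECTOR)
    sec[0:3] = b"\xEB\x3C\x90"
    sec[3:11] = b"EXAMPLE "
    struct.pack_into(BPB_FORMAT, sec, BPB_OFFSET, *astuple(bpb))
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def parse_bpb(sector: bytes) -> Bpb:
    """Read the BPB back out of a boot sector; refuse anything without the 55AA signature."""
    if len(sector) != BYTES_PER_SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a boot sector")
    return Bpb(*struct.unpack_from(BPB_FORMAT, sector, BPB_OFFSET))


def root_directory_geometry(bpb: Bpb) -> tuple[int, int]:
    """(first logical sector, sector count) of the root directory."""
    start = bpb.reserved_sectors + bpb.fat_count * bpb.sectors_per_fat
    count = bpb.root_entries * DIR_ENTRY_SIZE // bpb.bytes_per_sector
    return start, count


def entries_in_root_sector(bpb: Bpb, index: int) -> tuple[int, int, int]:
    """Logical sector and (first, last) entry numbers held by root-dir sector `index` (0-based)."""
    start, count = root_directory_geometry(bpb)
    if not 0 <= index < count:
        raise ValueError("index outside the root directory")
    per_sector = bpb.bytes_per_sector // DIR_ENTRY_SIZE
    return start + index, index * per_sector, (index + 1) * per_sector - 1


def lba_to_chs(lba: int, sectors_per_track: int, heads: int) -> tuple[int, int, int]:
    """Logical sector number -> (cylinder, head, 1-based sector), as INT 13h addresses it."""
    sector = lba % sectors_per_track + 1
    head = (lba // sectors_per_track) % heads
    cylinder = lba // (sectors_per_track * heads)
    return cylinder, head, sector


def overwritten_by_parity_boot(bpb: Bpb) -> dict:
    """Where the post says the original boot sector goes: 4th root-dir sector on
    1.44M, last root-dir sector on 720K (my mapping of the post's wording)."""
    _, count = root_directory_geometry(bpb)
    index = 3 if bpb.total_sectors == 2880 else count - 1
    lba, first, last = entries_in_root_sector(bpb, index)
    return {"lba": lba, "chs": lba_to_chs(lba, bpb.sectors_per_track, bpb.heads),
            "entries": (first, last)}


if __name__ == "__main__":
    for name, fmt in (("1.44M", FLOPPY_1440K), ("720K", FLOPPY_720K)):
        bpb = parse_bpb(make_boot_sector(fmt))
        print(name, root_directory_geometry(bpb), overwritten_by_parity_boot(bpb))
```

On a 1.44M disk the root directory occupies logical sectors 19 to 32, so its fourth sector (22) holds entries 48 to 63; on a 720K disk it occupies sectors 7 to 13, and the last one holds entries 96 to 111. That is why the post's warning only bites on diskettes with many files in the root.
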
------------------------------

Date: Sat, 03 Feb 1996 09:24:40 -0500 (EST)
From: MR HENRI J DELGER <henri_delger@prodigy.com>
Subject: Re: HELP !!! OneHalf virus (PC)
X-Digest: Volume 9 : Issue 15

 (X-Digest: Volume 9 : Issue 8)
>I have been infected !!!  by one-half virus which destroyed
>my MBR. can anyone out there help me reconstruct my MBR ? ? ?

- ----------------------------- and in
Subject: ONE HALF.3544 Virus Detected (PC)
Lee Cooper <leec@kuwait.net> wrote:

(X-Digest: Volume 9 : Issue 10)
>Please can somebody advise me how I can remove the ONEHALF.3544
>virus from PCs without deleting .COM or .EXE files.
>McAfee has detected it, but will not remove it.

- ----------------------------- and in
Subject: Onehalf Virus Problem (PC)
Stelios Tziras <zoid@matrix.kapatel.gr> wrote:

(X-Digest: Volume 9 : Issue 10)
>I'm using v.227 of scan for Dos.
>When I run it I get a message that there are traces of onehalf.mbr
>virus in the memory. When I boot from a floppy boot disk there isn't a
>virus in the memory but, as reported by scan, the master boot record
>of my two hard disks is infected (all the files in the disks are clean).
>How can I fix the error in the master boot record of the hard disks?
>
>Is format the only solution or even this will not help me?

- -----------------------------
One Half virus is believed to be from Europe, and was 
first noticed in 1994.  It gets its name from "Dis is one 
half" text which appears in it.  It is a "multipartite" 
virus, which overwrites code in the Master Boot Record as 
well as infecting COM and EXE files.
    To get rid of it, you'll need to power down and re-boot 
from an UNinfected system boot diskette to get the virus out
of memory, then use your anti-virus program to remove the
virus from the hard disk and then check for infected files
on diskettes, backups, and in compressed file archives.
     An infected MBR (cylinder&head 0, sector 1) will 
contain the letters "BK," believed by some to be the 
initials of the virus writer.  Its code, as well as 
various text messages, will be located in (cyl.&head 0, 
sectors 11-17).
     Ordinarily, data are not lost from the hard disk, 
because the sectors which the virus uses are not used by 
DOS.  If those sectors are used by third-party software 
to store data, during formatting, or for password access, 
or by drivers to access large partitions, obvious problems 
can result, however.
     One Half spreads by infecting COM and EXE files as 
they are copied to floppy disks, but leaves the originals 
on the hard disk untouched.  When infecting COM files, the 
virus replaces the first three bytes with a jump to itself,
then adds its code to the end.  When infecting EXEs, the 
virus places itself at the beginning.  The virus code in 
infected files is encrypted, including various text messages
otherwise visible in (cylinder&head 0, sectors 11-17).
     When the disk with the copied/infected files is placed
in another PC's drive, and the files are run, One Half first
checks memory, to see if certain anti-virus software is 
resident, then writes its code to the hard disk, and goes 
memory resident, taking control of Interrupt 13h.
     One Half uses a crude "stealth" technique to hide 
increases in file sizes while it's in memory, by interfering
with the CHKDSK command.  Renaming CHKDSK to another
name (anything else will do) defeats this, producing a report
of "Allocation error, size adjusted" for all infected files; 
however CHKDSK (run as "CHKDSK") reports no errors.
     The virus is potentially destructive, since it encrypts
data on the hard disk, two tracks at a time, starting at the
end, each time the PC is powered up (the encryption routine 
does not activate on a "warm boot").  If the virus is just
"removed" (incorrectly, with FDISK /MBR, for example) the 
encrypted data will remain encrypted, and be unusable.  
Anti-virus software capable of recognizing and removing this
virus should be able to de-crypt any files encrypted by it.
     If you have a problem, try another program, such as
F-Prot 2.21, but a clean boot from an UNinfected system
boot disk is a prerequisite, and formatting is not only a
last resort, but will not remove many viruses, including
this one.

Regards, Henri Delger
http://pages.prodigy.com/XWWC29A
email: henri_delger@prodigy.com

------------------------------

Date: Sat, 03 Feb 1996 09:26:50 -0500 (EST)
From: Jean-Francois Fortin <jfortin@ulix.net>
Subject: Re: Virus that damages hardware (PC)
X-Digest: Volume 9 : Issue 15

X-Digest: Volume 9 : Issue 10
>Excuse me for asking this question, but I'm asking for a friend.
>Are there any PC viruses out there that can damage your BIOS and also
>damage PC peripherals (disk drive, chips, tape drive, etc...)  which
>would require replacement hardware to fix?  
>
>[Moderator's note:  These viruses exist mainly in the land of Nod... 
>The best response to this question will be used as the basis of a new
>Q&A in the FAQ!]

I don't know what the land of Nod means, if anything other than an
acknowledgement but I know my Godmother has had (1) her modem fried on
one occasion and just yesterday (2) her HDD fragmented into pieces (not
physically of course) by the URKEL virus.  The answer, to my knowledge,
is YES.

[Moderator's notes:  The land of Nod is "never-never land", a dream world
or fantasy place.  Jean-Francois--hard facts please.  What physical damage
did Urkel do to your godmother's hard-drive?  Degauss it?  Break the head
off the arm?  ???  And what virus "fried" her modem?  Or was she using it
during an electrical storm and after the modem died she found she had a
virus?]

------------------------------

Date: Sat, 03 Feb 1996 06:40:54 -0500 (EST)
From: RALSTRA@sara.cc.utu.fi
Subject: Help. Fdisk doesn't remove... (PC)
X-Digest: Volume 9 : Issue 15

Help. A device driver (think of it as a virus) seems to be
impossible to delete by any means.

I tried deleting all the partitions using *FDISK*, creating
new partitions and formatting, but that device driver
did not disappear from the hdd. I do not have a hard disk
low level formatting utility in cmos setup or on a disk...

(The driver must be installed in order to get there, so the
reason is not an infected bootdisk. Of course there are no
manuals for the #@&5*^!=BD (disk?) driver...)

Now I would need some help to delete it, because it is
causing me some problems...

Thanx

------------------------------

Date: Sat, 03 Feb 1996 10:08:11 -0500 (EST)
From: ROBERT APPLETON <robert.appleton@sol.kiss.de>
Subject: ARFAV24A antivirus software? (PC)
X-Digest: Volume 9 : Issue 15

Just downloaded this anti-virus program.  Has anybody seen any
comments about it?  I don't want to add it yet since it changes files
by 'injecting' codes into them.  I use F-PROT and INVIRCIBLE now
but was thinking of adding this Freeware product to my anti-virus
arsenal.  Would appreciate pointers to some reviews of this product.

TIA             Bob A.
- ----------------------------------------------
	 robert.appleton@sol.kiss.de

[Moderator's note:  I have no experience of that s/w, but you may like to
read Q&A F8 in the FAQ on the general inadvisability of adding self
checking code to existing executables and part of C6 on why modifying
existing programs in other ways mayn't be very clever either...]

------------------------------

Date: Sat, 03 Feb 1996 10:21:09 -0500 (EST)
From: Robby Havasy <rhavasy@vt.edu>
Subject: Re: Monkey B / Monkey 2 (PC)
X-Digest: Volume 9 : Issue 15

In article <0049.01I0LP4Q7OWKPCQYD3@csc.canterbury.ac.nz>, murarka@sfu.ca 
says...

>Hi. I have the Monkey B / Monkey 2 Virus on my Hard Drive. How can I
>clean it off? The scanners all quit when I run them, saying that I should
>boot off a clean system disk, and then rerun the virus scanner to clean
>off the virus. But the problem is, this virus, when on a Hard Drive, will
>not allow the Hard Drive to be accessed when you use a clean boot disk.
>So how do you get rid of the virus? The McAfee documentation says that
>the virus is removable. This is a boot sector virus. How do I get rid of
>it!?!?! Help!

I had an infection of Monkey-B a few months ago, luckily it was only on one 
system, not both of them.  Norton Disk Doctor has a command switch 
"/REBUILD" which should clean up your problem.  Boot from a clean floppy 
that has a copy of NDD and run NDD /REBUILD.  It  will then search your 
drive for active partitions.  When it finds partitions that are the correct 
size as your old ones, have it restore them.  Once it is complete, reboot 
from the hard drive, run your scanner again to make sure things are cleaned 
up, and run NDD to make sure that there's no reciprocal damage.

I have heard since that there are also special cleaners specifically for 
Monkey-B, but I have never tried them.  The above instructions worked for 
me.

[Moderator's note:  Probably better to let real AV s/w do the fixing. 
Tools like NDD can be like an unguided missile if let loose in "suspect"
circumstances!]

------------------------------

Date: Sat, 03 Feb 1996 10:45:07 -0500 (EST)
From: MR HENRI J DELGER <henri_delger@prodigy.com>
Subject: Re: B1 virus? (PC)
X-Digest: Volume 9 : Issue 15

(X-Digest: Volume 9 : Issue 10)
Gateway Japan Project <gwjapan@umd5.umd.edu> wrote:

>On 29 Jan 1996, MR HENRI J DELGER wrote:
>> B1 is also known as NYB, and is a Boot Sector Virus, which starts

>One of our PCs apparently has this and I can't seem to get a clean boot,
>even with a DOS distribution disk (write-protected).  (Of course I'm
>cycling the power to boot and not using ctl-alt-del.)  I'm using F-PROT
>shareware version 2.21 on a write-protected disk in drive B: and write-
>protected boot disk in A: (unfortunately, the A: disk is the old 5" type
>-- too small for F-PROT).  Despite this, it still keeps telling me to
>reboot with a clean disk before running F-PROT.  How could the virus get
>into memory from a cold boot off a clean, write-protected boot disk?


It cannot.  If this virus is in memory, it got there because the disk
or diskette from which the boot occurred is infected.  Check your
CMOS setup to see if the PC is configured to boot from C> first,
then A> (in case that change was made subsequent to the virus
infection).  If not, check the bootable floppy in an UNinfected PC.
A third possibility is that it isn't in memory, and F-Prot is in 
error, but I doubt that.

>Or is it getting in when I access drive B: (not from the B: disk,
>though, since it's also clean and write-protected)?

That's =not= a possibility.

>A while back, another of our PCs had the virus such that it wouldn't
>boot from C: anymore.  I ran F-PROT 2.17 and it said it couldn't
>disinfect the master boot record (MBR) but did offer to rewrite a new
>MBR, which I confirmed.  That machine is AOK now.  I noticed that it
>rewrote the MBR with "generic code" that involved FDISK /MBR.  I'm not
>sure what else was in that command, so I'm uneasy about just entering
>this, lest I completely lose the data on the drive.  Does anyone know
>what the line is to rewrite the MBR without affecting the rest of the
>disk contents?

FDISK /MBR is an undocumented DOS command, available in
DOS5 and up.  It will re-write the Master Boot Record code in the
first sector of the hard disk, without affecting the hard
disk's partition table data, also contained there.  It has  
been widely suggested as a method to remove those viruses
which infect the hard disk's Master Boot sector, located 
in cylinder&head 0, Sector 1.
     There is a catch, however.  While one can reasonably 
be sure that FDISK /MBR will not do any harm =if= you are 
able to access the hard disk normally after booting from an 
UNinfected bootable diskette, IF you canNOT access the hard 
disk, do =not= try FDISK /MBR.

Regards, Henri Delger
http://pages.prodigy.com/XWWC29A
email: henri_delger@prodigy.com 

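Henri's answer explains that FDISK /MBR rewrites only the boot code in the first sector and leaves the partition table, stored in the same sector, alone, and that the safe precondition is being able to reach the hard disk normally after a clean boot. The block below is an added example, not FDISK's code and not from the post: it parses the 64-byte partition table at offset 446 of a constructed 512-byte MBR, performs a code-region rewrite that keeps bytes 446 to 511 byte-for-byte, and runs a plausibility check on the table (one active entry, no zero-length or overlapping entries). The check is my own heuristic for deciding whether a table read from a sector looks like a real one; the partition values and boot-code bytes are constructed.

```python
"""MBR partition-table parser plus a code-region rewrite that preserves the table.

Added example (not FDISK's code): models what the post says FDISK /MBR does,
replacing bytes 0..445 while leaving the partition table and 55AA signature
untouched, and adds a sanity check of the table before anything trusts it.
"""
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
TABLE_OFFSET = 446           # four 16-byte entries, then the 55AA signature
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xAA"
ENTRY_FORMAT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


@dataclass(frozen=True)
class Partition:
    status: int
    type_: int
    lba_start: int
    sectors: int

    @property
    def empty(self) -> bool:
        return self.type_ == 0 and self.sectors == 0

    @property
    def lba_end(self) -> int:   # exclusive upper bound
        return self.lba_start + self.sectors


def make_mbr(boot_code: bytes, parts: List[Partition]) -> bytes:
    """Constructed MBR: given boot code, up to four entries (CHS fields zeroed), signature."""
    if len(boot_code) > TABLE_OFFSET or len(parts) > 4:
        raise ValueError("boot code or table too large")
    mbr = bytearray(SECTOR_SIZE)
    mbr[:len(boot_code)] = boot_code
    for i, p in enumerate(parts):
        struct.pack_into(ENTRY_FORMAT, mbr, TABLE_OFFSET + i * ENTRY_SIZE,
                         p.status, b"\0\0\0", p.type_, b"\0\0\0", p.lba_start, p.sectors)
    mbr[510:] = SIGNATURE
    return bytes(mbr)


def parse_partitions(mbr: bytes) -> List[Partition]:
    """All four table entries; refuses a sector without the 55AA signature."""
    if len(mbr) != SECTOR_SIZE or mbr[510:] != SIGNATURE:
        raise ValueError("missing 55AA signature: not a usable MBR")
    parts = []
    for i in range(4):
        status, _, type_, _, lba, n = struct.unpack_from(
            ENTRY_FORMAT, mbr, TABLE_OFFSET + i * ENTRY_SIZE)
        parts.append(Partition(status, type_, lba, n))
    return parts


def rewrite_boot_code(mbr: bytes, new_code: bytes) -> bytes:
    """Replace bytes 0..445 (code) and keep 446..511 (table + signature) exactly,
    which is the behaviour the post attributes to FDISK /MBR."""
    if len(new_code) > TABLE_OFFSET:
        raise ValueError("replacement code does not fit in front of the table")
    parse_partitions(mbr)   # refuse to touch a sector that is not an MBR at all
    return new_code.ljust(TABLE_OFFSET, b"\0") + mbr[TABLE_OFFSET:]


def check_partition_table(parts: List[Partition]) -> List[str]:
    """Problems suggesting the table is damaged or not a real table; empty list = plausible."""
    problems = []
    used = [p for p in parts if not p.empty]
    if sum(1 for p in used if p.status == 0x80) > 1:
        problems.append("more than one active partition")
    for p in used:
        if p.status not in (0x00, 0x80):
            problems.append(f"invalid status byte 0x{p.status:02x}")
        if p.sectors == 0 or p.type_ == 0:
            problems.append(f"entry with type 0x{p.type_:02x} and {p.sectors} sectors")
    for i, a in enumerate(used):
        for b in used[i + 1:]:
            if a.lba_start < b.lba_end and b.lba_start < a.lba_end:
                problems.append(f"partitions at LBA {a.lba_start} and {b.lba_start} overlap")
    return problems


if __name__ == "__main__":
    # Constructed table: a primary FAT16 partition and an extended partition after it.
    table = [Partition(0x80, 0x06, 63, 2_000_000), Partition(0x00, 0x05, 2_000_063, 1_000_000)]
    original = make_mbr(b"\xFA\x33\xC0\x8E\xD0", table)
    fresh = rewrite_boot_code(original, b"\xEB\xFE")
    print(parse_partitions(fresh) == parse_partitions(original), check_partition_table(table))
```

The `parse_partitions` call inside `rewrite_boot_code` is the programmatic form of Henri's caveat: if the sector does not even carry the MBR signature, or the table it holds fails `check_partition_table`, rewriting the code region in front of it is not going to help and may make recovery harder.
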
------------------------------

Date: Sat, 03 Feb 1996 10:56:23 -0500 (EST)
From: MR HENRI J DELGER <henri_delger@prodigy.com>
Subject: Re: NATAS Virus (PC)
X-Digest: Volume 9 : Issue 15

(X-Digest: Volume 9 : Issue 10)
Robert Dizon <dizon@ix.netcom.com> wrote:

>My friend's company system is infected by NATAS virus and warned that
>if a debugger is launched it will do some damage to the system. Can
>anyone help us out on this virus; description and removal program.

Natas ("Satan" spelled backwards), is classified as "Multi-
partite," since it can infect the hard disk Master Boot 
Record, diskette boot sectors, and *.EXE and *.COM files, 
including Command.com.  It can spread to an uninfected PC 
when a diskette, infected in another PC, is in the A> drive 
at boot-up, or when a *.COM or *.EXE file which was infected
in another PC, is run.  
     Natas writes the first part of its code to the first 
sector of the hard disk, where the Master Boot/Partition 
data are stored.  It also writes the rest of its code to 
(cyl.&head 0, sectors 8 through 16; 7-16 for one variant).
     Ordinarily, data are not lost from the hard disk, 
because the sectors which the virus uses are not used by 
DOS.  If those sectors are used by third-party software 
to store data, during formatting, or for password access, 
or by drivers to access large partitions, obvious problems 
can result, however.
     Natas will be in memory after that whenever the PC
is on, and infects floppy diskettes by writing its code to 
the Boot sector (sector #0) of them.  It also writes its 
code to the last 9 sectors of infected diskettes, and to 
protect its code, alters the boot sector data to show those 
sectors as not existing.
     Natas can spread quickly, because it will infect disks 
on any access, even when just read, such as if the DIR 
command is used.  In addition, it infects *.COM and *.EXE 
files as they are run or even if they're copied or closed, 
such as during an anti-virus scanning process.  It's a large
virus, adding 4744 - 4988 bytes to infected .COM/.EXE files.
     It's also a "stealth" virus, and if in memory, is able 
to re-direct reads away from its MBR/Boot code, and to 
produce an incorrect DIRectory listing, showing file sizes 
as if they were not increased.  It also marks files by
changing their date 100 years in the future, ordinarily not 
seen by users, but if a special utility is used, its stealth
feature can hide that also.  It's also a destructive virus, 
with a 1 in 512 chance of overwriting data on the hard disk.
    To get rid of it, you'll need to power down and re-boot 
from an UNinfected system boot diskette, then use an anti-  
virus program to remove the virus from the hard disk and    
diskettes.  

Regards, Henri Delger
http://pages.prodigy.com/XWWC29A
email: henri_delger@prodigy.com 

------------------------------

Date: Sat, 03 Feb 1996 13:13:14 -0500 (EST)
From: Andrew Scadding <andrew@scadding.demon.co.uk>
Subject: Re: NATAS Virus (PC)
X-Digest: Volume 9 : Issue 15

In article <0024.01I0SMTI9C6YPVGQEE@csc.canterbury.ac.nz>, Robert Dizon
<dizon@ix.netcom.com> writes
>My friend's company system is infected by NATAS virus and warned that
>if a debugger is launched it will do some damage to the system. Can
>anyone help us out on this virus; description and removal program.

I have used f-prot to remove NATAS without triggering the defence
mechanism.  

Be sure to use V2.21 - it seems to be more effective on NATAS than
earlier versions.  (This advice courtesy of V Bontchev, who kindly
pointed me in that direction only this morning).

Andrew Scadding
andrew@scadding.demon.co.uk

------------------------------

Date: Fri, 02 Feb 1996 08:58:12 +0000
From: Haymee@angonet.gn.apc.org
Subject: Re: Sampo (PC)
X-Digest: Volume 9 : Issue 15

>> Leong Pe Loon wrote:
>> > 
>> > Greetings, one and all.  Has anybody encountered the Sampo 
>> > virus?  I saw it on a friend's machine.  Nothing could 
>> > remove it.  It apparently affects the boot sector, is 
>> > identified most of the time but f-prot, like the rest, says 
>> > it wouldn't try to remove it.  Help?

>> I've removed it successfully with McAfee 2.17

 > To the original poster (I seem to have missed the original 
 > message): which version of F-PROT did you try? I'm pretty sure 
 > that 2.21 should be able to remove it without problems from 
 > the hard disks. On floppies it should offer you to do generic 
 > disinfection.

I've removed it successfully with Dr Solomon's Toolkit 1.53, which also
removes Unashamed

Regards,

haymee

------------------------------

Date: Sat, 03 Feb 1996 15:09:02 -0500 (EST)
From: PJN.-.TSA@news.flinet.com
Subject: Re: F-PROT: Request for Help (PC)
X-Digest: Volume 9 : Issue 15

In article <0025.01I0R33FGIF6PVGQEE@csc.canterbury.ac.nz>,
s.widlake@rl.ac.uk says...

>In article <0021.01I094E1DXW0OK8IBB@csc.canterbury.ac.nz> 
>"Shankland, David B RV" <dbs1@PO4.RV.unisys.com> writes:
>
>>We have an installation of over 1500 PCs on Novell file servers, and
>>are having difficulty installing F-PROT for Windows (V 2.19a.1) and
>>Dynamic Virus Protection (DVP--runs in background under Windows) with
>>a pilot group of engineers.  Each PC is configured somewhat
>>differently, and the PC users have said that they cannot install these
>>products  without memory contention, system hangs, and random reboots.
>
>We have got lots of PC's (and other computers too) and required an 
>anti-virus product that could be made available to all of the PC 
>users.
>
>We decided to go for F-Prot and tried to register the _shareware_
>version for all of our PC's. Nope - Frisk Software in Iceland said
>that registration wasn't available in the .UK and we must purchase
>the "pro" version from a local distributor. All of a sudden, the 
>price shoots up - ten fold - but we get "more" for our money... 

With Pro version, you get 24hour product support, support lines via BBS, 
email, toll-free number for U.S./canada residents, upgrades sent, access
to ftp/bbs, availability of interface for Windows 95, Windows NT and
OS/2 platforms, MBR utility, integrity checking utility, updated product 
information on www.commandcom.com, volume discounts available for 
corporations.

>                  ^^^^^^^^
>[ Another post tomorrow, perhaps ]
>
>F-Prot for DOS and VIRSTOP - PLUS a toolkit for windoze with Dynamic
>Virus Protection and something called Gatekeeper. The point is that:

see above

>1) We didn't want all of this additional stuff.
>
>2) It made windoze much more unstable (and slower). [ You might
>   have guessed that I'm not a great fan of windoze but everyone 
>   and his dog uses it. ] Removing all of this extra stuff made
>   most of these problems just go away.

There will be a better way of doing the real-time detection/protection in
the near future. Currently using .DLL's but the push is for virtual device
drivers not so DOS dependent.

>3) When I tested it with a REAL infectious nasty it just didn't
>   work ! It was supposed to provide active protection against
>   all(?) known viruses including polymorphic ones - although we
>   have never even seen one of those - but it failed a much more
>   simple test and let a known virus straight through.

Any problems of this type should be reported to the developer to maintain 
high product quality.

>[ Snip ]
>
>>Is there any way to ensure that PC users have, first of all, installed 
>>F-PROT for Windows, and secondly, that they are using/running Dynamic
>>Virus Protection (DVP)?  We have been unable to determine how the
>>utilization can be required and enforced. 

Yes.

>>What have other large companies done with F-PROT for Windows and DVP? 

Many corporations use it.

>>Is there any logging that monitors this situation?

Yes.

>Pass - But for my 37p worth I'd just say that you probably don't
>really need these extras. The windoze interface looks quite nice,
>though a bit over complicated for the average user, but viruses
>are in general a BIOS/DOS problem and the first thing that gets
>affected is often windoze - it simply won't start ;-) 
>
>The only thing that's missing is perhaps a windoze routine that
>"intercepts" VIRSTOP's "let's-scramble-the-screen-whenever-it
>encounters-a-BIOS/DOS-virus" function and instead pop up a real
>windoze alert box.      

This feature is now available with v2.21.

>Anyway, F-PROT [ without the "pro" stuff ] gets my vote as the
>second best (and still the cheapest) single anti-virus package.  

It is the only product that is recognized by the NCSA as detecting 100% of 
viruses in the wild.

>Glad to see that this group is at long last back on-line - many
>thanks to the moderators old and new - though am already rather
>disappointed with the amount of junk being posted...
>
>[Moderator's note:  I'm working on it...  Right now I'm still battling
>some very odd, persistent bounces.  Hopefully by the end of this week
>I'll have all my mechanisms in place for dealing with submissions that
>are FAQs...]
>
>Say, how's about splitting the group into comp.virus - moderated
>just to discard "harmful" posts - and "comp.virus.tech" for just
>the more technical discussions for Vess. et al. 

I like the idea also.

------------------------------

Date: Sat, 03 Feb 1996 15:25:44 -0500 (EST)
From: rwhutch@nr.infi.net
Subject: Re: Quality Anti-Virus Programs (PC)
X-Digest: Volume 9 : Issue 15

I should like to see something along the lines of the following, based on
a distinction between "viruses ever encountered", and viruses "actively
propagating."

1) Proportion of "viruses ever encountered" DETECTED.
2) Proportion of "actively propagating in the wild" REMOVED. The
   proportion of "viruses actively propagating in the wild" DETECTED should
   be 100%.

R.W. Hutchinson. | rwhutch@nr.infi.net

------------------------------

Date: Sat, 03 Feb 1996 17:06:06 -0500 (EST)
From: Stephen McVey <smcvey@pipeline.com>
Subject: Infected Network, HELP! (PC)
X-Digest: Volume 9 : Issue 15

I have a Netware 3.12 system and a virus that is undetected by Innoculan
network software.  The symptoms are:

1.  Partitions the first 2 to 3 MB of the hard drive on the client PCs and
moves everything outward.  The partition is non-DOS.

2.  Attacks *.EXE files, and causes Windows 3.1 driver files to get "lost"
by the system.ini file. 

3.  Infected non-DOS partition cannot be removed using FDISK and format,
and sys.com unless you first partition the hard drive, then re-FDISK it
with no partitions.  The first time to FDISK and format it re-booted with
the entire "original" contents of the HD intact, including the non-DOS
partition!!!! 

4.  It has attacked MSAV.EXE when being executed on an infected unit.  It
locks the PC up. 

5.  Can be spotted by DOS 6.2 MSAV in RAM, and not on the HD. 

6.  Cannot be found by Innoculan. 

Thank you GREATLY for ANY help ahead of time. 
- - 
Stephen McVey 

------------------------------

Date: Sat, 03 Feb 1996 17:07:48 -0500 (EST)
From: Doug Muth <dmuth@oasis.ot.com>
Subject: Re: Virus that damages hardware (PC)
X-Digest: Volume 9 : Issue 15

In article <0028.01I0SMTI9C6YPVGQEE@csc.canterbury.ac.nz>, Andrew Lee writes:
: Excuse me for asking this question, but I'm asking for a friend.
: Are there any PC viruses out there that can damage your BIOS and also
: damage PC peripherals (disk drive, chips, tape drive, etc...)  which
: would require replacement hardware to fix?  

	Well, most of the stuff about viruses damaging hardware is myth.  
The reason why many people get scared about this is that software can be 
restored relatively easily while hardware cannot.

	With modern hardware created by someone who knows what they are 
doing, hardware damage is unlikely to happen.  Two possible cases of 
damage applied to older hardware out there: hard drives and monitors.  
With older hard drives, if you would try to move the read/write head to a 
track that did not exist, you would ruin the calibration and the disk 
would have to be sent back to the factory to be recalibrated.  With older 
video hardware, it was possible to set the refresh rate to 0 Hz.  What 
would then happen is that the beam of electrons would be hitting the same 
row of phosphors repeatedly and burning them out.  From then on, the 
monitor would have a black line of inoperative phosphors. :)

	Regards,

- -
- -<Doug Muth>---<dmuth@ot.com>--| Finger dmuth@oasis.ot.com for
- --<http://www.ot.com/~dmuth>---| PGP public key and geek code
Anti-virus software and utils:  | The Transformers fanfiction:
~dmuth/virus/virus.html         | ~dmuth/tf/tf.html
"Piss off a government, practice civil disobedience TODAY!"

------------------------------

Date: Sat, 03 Feb 1996 17:13:17 -0500 (EST)
From: Doug Muth <dmuth@oasis.ot.com>
Subject: Re: Help: Goldbug (PC)
X-Digest: Volume 9 : Issue 15

In article <0031.01I0SMTI9C6YPVGQEE@csc.canterbury.ac.nz>, Victoria M.
Brasseur writes:

: My computer was acting a bit oddly, so I got my hands on an updated copy 
: of F-Prot.  It found the Goldbug virus resident in my memory and in 11 
: (so far) executable files.  The filenames were changed to prevent 
: execution, but I'd still like to get rid of the bloody thing.  F-Prot is 
: unable to disinfect my files.

	Were you sure to boot from a floppy?  If I remember correctly, 
Goldbug is multi-partite so it will most definitely be in memory when you 
boot from an infected HD.

	Regards,        

- -
- -<Doug Muth>---<dmuth@ot.com>--| Finger dmuth@oasis.ot.com for
- --<http://www.ot.com/~dmuth>---| PGP public key and geek code
Anti-virus software and utils:  | The Transformers fanfiction:
~dmuth/virus/virus.html         | ~dmuth/tf/tf.html
"Piss off a government, practice civil disobedience TODAY!"

------------------------------

Date: Sat, 03 Feb 1996 17:15:56 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: DH2 Virus (PC)
X-Digest: Volume 9 : Issue 15

Keh Ngen Fatt Raymond <cwckehr@leonis.nus.sg> writes:

> Pkzip all the infected files using recursive subdirectory option
> booting up from a clean hard disk and Unzip it again. I think

While based on a correct idea, your instructions are a bit terse and
might misinform the user. It should be explicitly emphasized that the
virus *must* be active in memory when you are archiving the files and
must *not* be when you are unarchiving them. In order to achieve the
former, the user has to run an infected program, while in order to
achieve the latter, they must boot clean. This method works against
almost all file infectors which are at least read-stealth.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Sat, 03 Feb 1996 17:16:55 -0500 (EST)
From: Doug Muth <dmuth@oasis.ot.com>
Subject: Re: ONE HALF.3544 Virus Detected (PC)
X-Digest: Volume 9 : Issue 15

In article <0033.01I0SMTI9C6YPVGQEE@csc.canterbury.ac.nz>, Lee Cooper writes:
: Pleaes can somebody advise me how I can remove the ONEHALF.3544 virus
: from PCs without deleting .COM or .EXE files.
: McAfee has detected it, but will not remove it.

	One_half is multi-partite, so it will be in memory if you boot 
from the (infected) hard disk.  Since it uses a transparent type of 
encryption on the hard drive, thus making some files appear garbled when 
booting from a floppy, you may have to backup your encrypted files or 
copy them to floppy before disinfecting.

	You can also get a special utility designed to deal with one_half 
and to decrypt the files; it is available on my virus homepage and is 
called onehalf.zip or something similar.

	Regards,

- -
- -<Doug Muth>---<dmuth@ot.com>--| Finger dmuth@oasis.ot.com for
- --<http://www.ot.com/~dmuth>---| PGP public key and geek code
Anti-virus software and utils:  | The Transformers fanfiction:
~dmuth/virus/virus.html         | ~dmuth/tf/tf.html
"Piss off a government, practice civil disobedience TODAY!"

------------------------------

Date: Sat, 03 Feb 1996 17:20:18 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: ANTICMOS A / Boot Sector question (PC)
X-Digest: Volume 9 : Issue 15

"David A. Laatz" <dlaatz@iscgi.com> writes:

> portable. Now the floppies I used to move McAfee to the portable are
> infected with the ANTICMOS A virus in the boot sector.  McAfee cannot
> seem to remove the virus.  All it does is report the virus with no
> actions taken.  Are these disks permanently infected and of no use or
> am I missing something?  Any explanation would be of great help.  

SCAN should be able to remove this particular virus. If it doesn't,
there might be several reasons for this. It might be a new variant of
the virus, or the virus might be active in memory, or you might be
using an obsolete version of the scanner. Make sure you get the latest
version of the anti-virus product. A few other scanners which are able
to do exact virus identification - like ours (F-PROT, plug) or
FindVirus will be very helpful too - they will tell you whether you
indeed have this particular variant. Finally, don't forget to boot
from a clean floppy before trying to remove the virus.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E
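
As an added illustration of the "exact identification" Vesselin mentions
above (example code written for this digest, not F-PROT, SCAN or FindVirus,
and not from any poster), the check below parses a FAT boot sector's BPB,
flags structural oddities, and hashes the loader code area so a known body
can be matched exactly rather than by a loose signature. Both sectors it
builds are constructed stand-ins: the "infected" code bytes are arbitrary
and belong to no real virus, and the clean sector uses a NOP sled where the
real DOS loader would be.

```python
"""Boot-sector sanity check plus exact identification of the code area.
Added example for the ANTICMOS thread; not code from any scanner or poster.
Both sectors built here are constructed stand-ins, not real captures."""
import hashlib
import struct

SECTOR_SIZE = 512
BPB_FORMAT = "<HBHBHHBHHH"   # bytes/sector .. heads, sector offsets 11-27
CODE_START = 0x3E             # loader code follows the extended BPB
VALID_MEDIA = {0xF0, 0xF8, 0xF9, 0xFA, 0xFB, 0xFC, 0xFD, 0xFE, 0xFF}


def parse_bpb(sector: bytes) -> dict:
    """Pull out the fields every DOS boot sector must carry."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    (bps, spc, reserved, fats, root_entries, total, media,
     spf, spt, heads) = struct.unpack_from(BPB_FORMAT, sector, 11)
    return {
        "jump": sector[0:3], "oem": sector[3:11],
        "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "reserved": reserved, "fats": fats, "root_entries": root_entries,
        "total_sectors": total, "media": media, "sectors_per_fat": spf,
        "sectors_per_track": spt, "heads": heads,
        "signature": sector[510:512],
    }


def sanity_problems(bpb: dict) -> list:
    """Cheap structural checks.  A boot infector normally leaves the BPB
    alone so the disk still mounts, so an empty list proves nothing."""
    problems = []
    jmp = bpb["jump"]
    short_jump = jmp[0] == 0xEB and jmp[2] == 0x90
    near_jump = jmp[0] == 0xE9
    if not (short_jump or near_jump):
        problems.append("first instruction is not a jump over the BPB")
    if bpb["signature"] != b"\x55\xAA":
        problems.append("55 AA boot signature missing")
    if bpb["bytes_per_sector"] != 512:
        problems.append("bytes per sector is not 512")
    if bpb["sectors_per_cluster"] not in (1, 2, 4, 8, 16, 32, 64, 128):
        problems.append("sectors per cluster is not a power of two")
    if bpb["fats"] not in (1, 2):
        problems.append("FAT count is not 1 or 2")
    if bpb["media"] not in VALID_MEDIA:
        problems.append("unknown media descriptor")
    return problems


def code_digest(sector: bytes) -> str:
    """Hash the loader code only, so the same body on disks with different
    BPBs still gives one digest."""
    return hashlib.sha256(sector[CODE_START:510]).hexdigest()


def classify(sector: bytes, known: dict) -> str:
    """Exact identification: look the code digest up in a table of known
    clean loaders and known virus bodies."""
    problems = sanity_problems(parse_bpb(sector))
    if problems:
        return "malformed: " + "; ".join(problems)
    return known.get(code_digest(sector),
                     "unknown code (modified loader or unrecognised variant)")


def build_clean_sector() -> bytes:
    """Constructed 1.44 MB floppy sector: real BPB values, NOP sled as the
    stand-in for the DOS loader."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xEB\x3C\x90"
    sec[3:11] = b"MSDOS5.0"
    struct.pack_into(BPB_FORMAT, sec, 11,
                     512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    sec[CODE_START:CODE_START + 32] = b"\x90" * 32
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def build_infected_sector(clean: bytes) -> bytes:
    """Constructed stand-in for a boot infector: BPB untouched, code
    replaced.  These bytes are arbitrary, not a real virus body."""
    sec = bytearray(clean)
    sec[CODE_START:CODE_START + 32] = b"\xFA\x33\xC0\x8E\xD0" + b"\xCC" * 27
    return bytes(sec)


CLEAN = build_clean_sector()
INFECTED = build_infected_sector(CLEAN)
KNOWN = {  # constructed identification table
    code_digest(CLEAN): "clean MS-DOS 5.0 loader (constructed)",
    code_digest(INFECTED): "Constructed.Boot.Sample (stand-in)",
}
```

Note that `sanity_problems` passes the "infected" sector too: the BPB is
intact, which is exactly why a structural check alone does not find a boot
virus and the code area has to be compared against known digests. A digest
that matches nothing in the table is the "new variant" case Vesselin
describes, and the sector must be read after a clean boot, since a resident
stealth boot virus will hand back the original sector to anything that asks.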

------------------------------

Date: Sat, 03 Feb 1996 17:21:13 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: What does SHZ do? (PC)
X-Digest: Volume 9 : Issue 15

"Jeoffrey D. Regino" <jregino@enterprise.engg.upd.edu.ph> writes:

> My computer (PC) is infected by this SHZ virus.

No, it is not. You are getting a false positive from an obsolete
version of McAfee's SCAN. Get the latest version of their product and
the problem will go away.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Sat, 03 Feb 1996 17:24:02 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: TBWEEDER - A duplicate file checker (PC)
X-Digest: Volume 9 : Issue 15

Bill Moblin <bmoblin@moblin.iexpress.com> writes:

> I'm looking for a program called TBWEEDER, a duplicate file checking
> utility - it's written by the same people who produce ThunderByte
> Anti-Virus, so I figured this would be a good place to ask about it.

This program was designed for internal use only; I was not aware
that it was publicly available.

> If you have any information on where I might find a copy of this
> program let me know...

Why don't you just contact the company that produces TBAV and ask
them?

> Please cc: bmoblin@moblin.iexpress.com when responding to this
> message because I don't follow this newsgroup regularly...

Done, but you're advised to follow it if you are interested in
computer viruses.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Sat, 03 Feb 1996 17:26:09 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: parity boot b? (PC)
X-Digest: Volume 9 : Issue 15

Roland Geier <geier@forwiss.uni-passau.de> writes:

> A friend of mine discovered a virus named "parity boot b" on his
> system.

Indeed, this is the most widespread virus in your country.

> Does anybody know the effects of this species?

It is a boot sector infector that is not intentionally destructive; it
attempts to survive a warm reboot. When it activates, it displays a
"parity error" message and hangs the system. For more information,
check Data Fellows' web page - http://www.datafellows.com.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Sat, 03 Feb 1996 17:27:19 -0500 (EST)
From: Doug Muth <dmuth@oasis.ot.com>
Subject: Re: Viruses on floppy diskettes (PC)
X-Digest: Volume 9 : Issue 15

In article <0049.01I0SMTI9C6YPVGQEE@csc.canterbury.ac.nz>, Bill lambdin
writes:

: Yes, formatting a floppy diskette will kill all viruses; but if this is a
: boot sector, and the virus is resident (ie active in RAM) the diskette has
: a great possibility of being re-infected after the format process.

	Also, it is helpful to keep in mind that if you are dealing with 
kernel infectors (MSDOS.SYS, IO.SYS) or *.com infectors that infect 
COMMAND.COM which are in memory when you format a disk with the /s switch, 
you will only spread the infection there as well.

	Regards,

- -
- -<Doug Muth>---<dmuth@ot.com>--| Finger dmuth@oasis.ot.com for
- --<http://www.ot.com/~dmuth>---| PGP public key and geek code
Anti-virus software and utils:  | The Transformers fanfiction:
~dmuth/virus/virus.html         | ~dmuth/tf/tf.html
"Piss off a government, practice civil disobedience TODAY!"

------------------------------

Date: Sat, 03 Feb 1996 17:28:18 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: telecom 2 virus (PC)
X-Digest: Volume 9 : Issue 15

Had 25 <had25@aol.com> writes:

> While using the virus scan feature in Winzip, I came across an
> infection of the telecom 2 virus.  I tried to eliminate it with
> McAfee windows program but the virus didn't show up and isn't on the
> list included with it.  How serious is it and what the heck should I
> do about it?

I advise you to try to confirm the infection with a few other scanners
as well - there is a chance that you are victim of a false positive.
There is a file infecting virus with a similar name, but it is not
widespread. What is widespread is the boot sector virus it drops - but
you can't get this from a ZIP file.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Sat, 03 Feb 1996 17:30:09 -0500 (EST)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: Free or Cheap Virus Scanners (PC)
X-Digest: Volume 9 : Issue 15

Stephen M Baines (stephen@vollans.demon.co.uk) wrote:
: I'm thoroughly confused now. In the last digest we had Vesselin 
: Bontchev confirming that F-Prot costs $1 per computer, and by mail I 
: had a message from Mikko Hypponen saying that this doesn't apply in 
: the UK. Which is true? 

Both, I'm afraid. I seem to have missed this one, but Vesselin was
presumably talking about the licence price-structure for the shareware
version, which is free to private non-commercial users. Site licences
are available very cheaply, including an academic discount, but only in
countries where there isn't an agent for F-Prot Professional, which is
not shareware. In the UK, you can get F-Prot Pro from Portcullis 
representing DataFellows, or from Command Software UK, so you have to
buy it from one of them. 

While DataFellows and Command have been doing joint development, the two
products are not identical, particularly in their approach to protecting
networks, so you may want to talk to Portcullis *and* Command Software.
Contact info is, AFAIR, in the documentation for the shareware version.

: If I am to get the school I work for to 
: purchase the software it is important that I know how much it costs. 
: If it isn't the $1 per computer I may have big problems getting them 
: to stump up.

$1 per PC is pushing your luck.... However, both vendors offer a very
advantageous pricing structure for academic institutions: if you buy
enough licences, you can find yourself paying £2.50 or less per PC.
The problem is, there's no way that virus-management can ever be
made to look like a profit-centre. However well-managed it is,
it's an expensive trade-off between the hidden costs of prophylactics
and the not-necessarily quantifiable costs of post-infection cleanups.

I have a certain amount of (mostly bitter) experience in virus management
in academic environments in the UK: mail me if you want to discuss the
issues.

David Harley
Not representing Frisk, Command Software, Datafellows or Portcullis.
There again, none of them represent me, either.....

------------------------------

Date: Sat, 03 Feb 1996 17:31:07 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Is this a virus? (PC)
X-Digest: Volume 9 : Issue 15

Bruce Peck <bruce_peck@aici.com> writes:

> An administrator at a remote site in my company reported these 
> conditions on some of her PCs and cannot find evidence of a virus by 
> using the latest versions of Norton, McAfee, F-Prot, and Thunderbyte.

Chances are that there are no viruses on the machines, then. :-)

> In a population of about 50 PCs on a Novell network, 5 or 6 of them 
> will on occasion have trouble booting with the result being a screen 
> full of random ascii characters and the PC locks.  A hard boot is 
> required and may take 2 or 3 tries to successfully boot.  The problem 
> may not surface on this PC again for several weeks or even a month or 
> two.  The PCs are all Compaq but are different models and were 
> purchased at different times.  These symptoms did not appear all at 
> once.  First it was only one PC and then others began showing this 
> problem over about a year's time.  Could this be some sort of virus?

Unlikely. Very unlikely. Looks like a hardware problem to me -
possibly faulty memory chips or video controllers.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Sat, 03 Feb 1996 17:33:41 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: EXE_BUGD -bad news- (PC)
X-Digest: Volume 9 : Issue 15

David Savill <david@healey.com.au> writes:

> I'm writing to warn about a variation of EXE_BUG D or W-BOOT virus (I'm
> not sure which). It infects the boot sector if you boot with the
> infected disk in the drive (otherwise dormant). At the time I was
> using F-PROT 2.19a and it did not pick it up at all!!! After
> infecting the boot sector I found it screwing up the disk drives (if
> it was detected). And it seemed to stop F-PROT from fixing it.

All this probably happens because the virus is active in the memory of
the machine at the time you are trying to disinfect it. You need to
boot from a clean environment, in order to do it properly.
Unfortunately, with EXE_Bug, "booting clean" is far from a trivial
task. I suggest that you read the new FAQ of this newsgroup; it
addresses this question.

> Those using drive overlays watch out, this little bugger seems to only be
> gone if you format the boot sector (sometimes it still survives that.)

It will survive it if the virus is active in memory - and that's kinda
difficult to prevent, since this virus "survives" even a cold
reboot...

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Sat, 03 Feb 1996 17:49:54 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: F-PROT: Request for Help (PC)
X-Digest: Volume 9 : Issue 15

"S. Widlake" <s.widlake@rl.ac.uk> writes:

> We decided to go for F-Prot and tried to register the _shareware_
> version for all of our PC's. Nope - Frisk Software in Iceland said
> that registration wasn't available in the .UK and we must purchase
> the "pro" version from a local distributor. All of a sudden, the 
> price shoots up - ten fold - but we get "more" for our money... 

That's true, for corporate users the shareware registration is
available only in some companies. I posted a list of them but it
hasn't appeared yet. I'll try to get this information into the
documentation of the shareware version.

> 2) It made windoze much more unstable (and slower). [ You might
>    have guessed that I'm not a great fan of windoze but everyone 
>    and his dog uses it. ] Removing all of this extra stuff made
>    most of these problems just go away.

That's strange... Have you tried to contact the local technical
support? Also, which was the stuff that caused problems?

> 3) When I tested it with a REAL infectious nasty it just didn't
>    work !

Wow! That's bad. :-( How exactly did you test it?

>  It was supposed to provide active protection against
>    all(?) known viruses including polymorphic ones - although we

No, it is not. No anti-virus program can provide protection against
all known viruses. If you hear anybody claiming the opposite - even if
they are our marketoids - don't believe them. New viruses appear at an
average rate of about five per day.

>    have never even seen one of those - but it failed a much more
>    simple test and let a known virus straight through.

You still haven't told us what exactly the test consisted in.

> Pass - But for my 37p worth I'd just say that you probably don't
> really need these extras. The windoze interface looks quite nice,
> though a bit over complicated for the average user, but viruses

Complicated?! That is, of course, a matter of taste but, AFAIK, it is
the version of the Windows interface developed by Command Software
that is sold in the UK - and it is extremely easy to operate.

> are in general a BIOS/DOS problem and the first thing that gets
> affected is often windoze - it simply won't start ;-)

That's right - this is why you have to have a write-protected system
diskette. However, with the professional version you also get a
DOS-based version of F-PROT.

> The only thing that's missing is perhaps a windoze routine that
> "intercepts" VIRSTOP's "let's-scramble-the-screen-whenever-it
> encounters-a-BIOS/DOS-virus" function and instead pop up a real
> windoze alert box.

HUH?! This is precisely one of the ways in which the Professional
version differs from the shareware one - in the Professional version
VirStop is Windoze-aware, while in the shareware version it is not and
causes exactly the video effect you describe. Could it be that you
have mixed up parts of the Professional and the shareware version of the
product?

> Say, how's about splitting the group into comp.virus - moderated
> just to discard "harmful" posts - and "comp.virus.tech" for just
> the more technical discussions for Vess. et al. 

I fail to see what is wrong with posting the technical discussions in
the current (moderated) newsgroup.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Sat, 03 Feb 1996 19:19:14 -0500 (EST)
From: Glenn Wilkewitz <hawkey29@hawkey29.rabbit.net>
Subject: Is this a virus? (PC)
X-Digest: Volume 9 : Issue 15

I have tried mcafee program looking for this virus.  My floppy will only
read a disk and copy from it if the write protect is on.  The moment I
make the disk writable I get General fail on the floppy. Does anyone
else have this problem???

E-mail me please with the solution.

------------------------------

Date: Sat, 03 Feb 1996 20:56:29 -0500 (EST)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: Re: Invircible (PC)
X-Digest: Volume 9 : Issue 15

In article <0041.01I0SMTI9C6YPVGQEE@csc.canterbury.ac.nz> nns@ndl.co.uk
writes:

 > Vesselin Bontchev <bontchev@complex.is> wrote about InVircible:
 >
 > >More precisely, it waits for the virus to infect your computer and
 > >then attempts to detect that it has been infected. Sometimes it even
 > >succeeds. The problem is, most people seem to prefer programs that
 > >would prevent the viruses from infecting their machine in the first
 > >place.
 >
 > I'm surprised to find Bontchev has problems with such a simple concept.
 > Payload versus propagation. Any virus which damages your system
 > immediately upon infection is doomed to an early death.

Propagation is payload.  Lots of viruses don't do any deliberate 
damage, but that does not mean that they are acceptable on one's 
computer.

 > And if that's
 > the best argument to rely on scanning then I'm unconvinced.

Vesselin's point was that "most people seem to prefer" not that 
this was technically the best argument.  Scanners may not be the 
best solution, but they are far and away the most popular.  That 
Invircible does something most customers won't prefer is not 
going to get it widely used.  You can argue yourself blue in the 
face about it and stay poor, or you can pay attention to the 
customer's preferences and sell software.

 > Of course, scanners haven't stopped viruses from 'infecting my
 > machine in the first place,' because the virus has x number of
 > months' free rein before it gets incorporated into the database.

That doesn't bother customers as much as you think, and is 
countered by regular update programs by all the scanner 
producers.

 > If I've got to wait until the next time I boot my computer to detect
 > a virus or wait until the AV industry catches up with it, I know
 > which alternative I prefer.

Then you are a very unusual customer.

 > If scanners do such a good job of stopping a virus before it gets
 > onto a system, why is there still a virus problem? 

If Invircible does such a good job, why is there still a virus 
problem?

 > Without the means
 > to propagate itself no virus would spread at all. I'd rather cut
 > their propagation window down to the next time a I boot up, than wait
 > till the scanner database's catch up.

But Invircible also had to be updated recently, did it not?  Are 
you saying that it coped with the Word macro viruses without any 
changes?  Scanner users expect to upgrade regularly, so took this 
in their stride, as part of their normal practice.

- -
NO LADY LIKES               ACCOMPANIED BY
	     TO DANCE                     A PORCUPINE
		     OR DINE                         Burma-Shave
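
The InVircible exchange above turns on the difference between a scanner,
which knows the virus, and an integrity checker, which only knows the
machine and notices afterwards that something changed. As an added example
written for this digest (not InVircible's code, nor any scanner's), here is
the minimal form of such a checker: baseline the digests of executables,
then report what changed, appeared or vanished. The file tree, the
"infection" and the dropped file are all constructed in a temporary
directory; the watched extensions are an assumption.

```python
"""Integrity checker of the kind the InVircible thread argues about: it
does not stop an infection, it notices afterwards that executables
changed.  Added example, not InVircible's or any scanner's code.  The
file tree and the 'infection' are constructed in a temp directory."""
import hashlib
import json
import os
import tempfile

WATCHED = {".exe", ".com", ".sys", ".ovl", ".drv"}   # assumed host types


def file_digest(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Digest and size of every watched file under root, keyed by a
    slash-separated relative path."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in WATCHED:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": file_digest(path),
                             "size": os.path.getsize(path)}
    return baseline


def compare(baseline: dict, root: str) -> dict:
    """Changed, new and missing watched files relative to the baseline."""
    current = build_baseline(root)
    return {
        "changed": sorted(r for r in baseline
                          if r in current and current[r] != baseline[r]),
        "new": sorted(r for r in current if r not in baseline),
        "missing": sorted(r for r in baseline if r not in current),
    }


def save_baseline(baseline: dict, path: str) -> None:
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def demo() -> dict:
    """Baseline a constructed tree, then mimic an appending file infector
    (entry point patched, body appended) and a dropped new file."""
    with tempfile.TemporaryDirectory() as root:
        files = {  # constructed sample hosts, not real programs
            "DOS/COMMAND.COM": b"\xB8\x00\x4C\xCD\x21" + b"\x00" * 100,
            "UTIL/SCAN.EXE": b"MZ" + b"\x90" * 200,
            "README.TXT": b"not an executable, not watched",
        }
        for rel, data in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        baseline_path = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        victim = os.path.join(root, "UTIL", "SCAN.EXE")
        with open(victim, "r+b") as f:
            host = f.read()
            f.seek(0)
            f.write(host[:2] + b"\xE9\x00\x00" + host[5:] + b"\xCC" * 64)
        with open(os.path.join(root, "DOS", "DROPPER.COM"), "wb") as f:
            f.write(b"\xCC" * 16)
        return compare(load_baseline(baseline_path), root)
```

Two caveats follow directly from the other posts in this issue. The
baseline and every later comparison have to be taken after a clean boot
and the baseline kept write-protected: a resident read-stealth virus, the
kind Vesselin's PKZIP note relies on, hands the checker the original bytes
and the comparison comes back clean. And the checker only watches the host
types it was told about, which is Iolo's point about the Word macro
viruses: a new kind of host needs an update here just as it does in a
scanner.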

------------------------------

Date: Sat, 03 Feb 1996 21:01:35 -0500 (EST)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: Re: Virus that damages hardware (PC)
X-Digest: Volume 9 : Issue 15

In article <0028.01I0SMTI9C6YPVGQEE@csc.canterbury.ac.nz>
	   asl00@eng.amdahl.com "Andrew Lee" writes:

 > Excuse me for asking this question, but I'm asking for a friend.
 >
 > Are there any PC viruses out there that can damage your BIOS and also
 > damage PC peripherals (disk drive, chips, tape drive, etc...)  which
 > would require replacement hardware to fix?

Well, I don't know the answer myself, but a friend of mine says 
it's impossible.

(That ought to do it.)

- -
NO LADY LIKES               ACCOMPANIED BY
	     TO DANCE                     A PORCUPINE
		     OR DINE                         Burma-Shave

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 15]
*****************************************


