From lehigh.edu!virus-l  Wed Feb  7 11:18:18 1996 remote from vhc
Received: by vhc.se (1.65/waf)
	via UUCP; Wed, 07 Feb 96 12:50:51 GMT
	for mikael
Received: from fidoii.CC.Lehigh.EDU by mn3.swip.net (8.6.8/2.01)
	id LAA05619; Wed, 7 Feb 1996 11:18:18 +0100
Received: from fidoii.cc.lehigh.edu ([127.0.0.1]) by fidoii.cc.lehigh.edu with SMTP id <39059-35081>; Wed, 7 Feb 1996 05:12:54 EST
Message-Id: <01I0Y6DLM17GPVHY7M@csc.canterbury.ac.nz>
Reply-To: virus-l@lehigh.edu
Originator: virus-l@lehigh.edu
Sender: virus-l@lehigh.edu
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V9 #17
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
X-Comment: Virus Discussion List
Date: 	Wed, 7 Feb 1996 05:09:54 EST

VIRUS-L Digest Wednesday, 7 Feb 1996    Volume 9 : Issue 17

Today's Topics:

Screwed up messages (ADMIN)
First (?) Win95 virus -- Boza (ADMIN)
Re: Viruses from the internet
Re: Scaning Zip files
i_m261a.zip Integrity Master anti-virus + data integrity
Flash BIOS Virus...
Re: Harddrive firmware virus possible?
Re: Shareware beasties
Re: Harddrive firmware virus possible?
Virus in commercial software ? Not my experience!
Re: Virus Protection Policy
Re: Will one virus detector "detect" another one?
Re: Shareware beasties
Re: Help with Word macro virus on network (MAC,WIN)
Re: Word Macro Prank Virus (Concept) (MAC,WIN)
Re: Word Macro Viruses, defences (MAC,WIN)
Win95.Boza (WIN95)
Microsoft's Macro Virus Protection Tool? (WIN95)
Re: Word 6 macro virus in WordPerfect (WIN)
Dr.Solomon's latest (PC)
EPBR Virus ? (PC)
WelcomB Virus (PC)
TBAV and v-sum (PC)
Re: ANTICMOS A / Boot Sector question (PC)
Re: Help: Goldbug (PC)
Re: F-prot 2.21 NUL virus (PC)
HELP - Still having problems with ANTIEXE virus (PC)
Re: ONE HALF.3544 Virus Detected (PC)
An aftereffect of Natas (PC)
Azuza Virus, How do I get rid of it? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available by anonymous FTP on CS.UCR.EDU.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Wed, 07 Feb 1996 21:21:37 +1300 (NZD)
From: Nick FitzGerald <n.fitzgerald@csc.canterbury.ac.nz>
Subject: Screwed up messages (ADMIN)
X-Digest: Volume 9 : Issue 17

My deepest apologies to both Fred Cohen and Ruben Arias.  I am still
unsure how it happened, but Fred's Email address was included at the top
of Ruben's item with the Subject: line "Re: What are the best Integrity
Checkers?".  It seems my digestifier ran amok and decided to associate
Fred's address with Ruben's item as well as with Fred's item on Java
viruses, but I haven't had time to closely test this yet.

I also owe Timo Salmi an apology for unintentionally replacing the
Subject: line of an upload announcement of his with a Subject: from a
completely unrelated thread a few digests back.

Regards,

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
 n.fitzgerald@csc.canterbury.ac.nz  TEL:+64 3 364 2337, FAX:+64 3 364 2332
	      Virus-L/comp.virus moderator and FAQ maintainer
   PGP fingerprint =  2E 7D E9 0C DE 26 24 4F  1F 43 91 B9 C4 05 C9 83

------------------------------

Date: Wed, 07 Feb 1996 21:25:03 +1300 (NZD)
From: Nick FitzGerald <n.fitzgerald@csc.canterbury.ac.nz>
Subject: First (?) Win95 virus -- Boza (ADMIN)
X-Digest: Volume 9 : Issue 17

Please, please, please, please, please...

No more requests for a description of the new Win95-specific virus, Boza. 
I will post NO such requests, so save your time and mine and don't
Email/post them.  If you have significant information to post about this
virus, please do (although it would seem to be quite ordinary aside from
being the first Windows 95 only virus).  I am posting the first reasonably
comprehensive description that has been submitted.

I haven't sent "rejection" notes to those who have posted and asked--
please take this as it!  8-)

Regards,

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
 n.fitzgerald@csc.canterbury.ac.nz  TEL:+64 3 364 2337, FAX:+64 3 364 2332
	      Virus-L/comp.virus moderator and FAQ maintainer
   PGP fingerprint =  2E 7D E9 0C DE 26 24 4F  1F 43 91 B9 C4 05 C9 83

------------------------------

Date: Sun, 04 Feb 1996 16:04:19 -0500 (EST)
From: Thomas O'Donohoe <mayo@dircon.co.uk>
Subject: Re: Viruses from the internet
X-Digest: Volume 9 : Issue 17

On 4 Feb 1996 14:30:50 -0000, Lee Brown <lee.brown@ukonline.co.uk>
wrote:

>[Moderator's note:  Following the thread so far, there is a question as to
>whether PC-Cillin will in fact stop you downloading anything infected--
>what about UU- or MIME Base64- encoded Email?  Presumably it will pull up
>when you decode these, but that hasn't stopped a form of them getting onto
>your machine, which is the strong claim Lee is making here.]

I seem to remember that PC-cillin95 does scan UUencoded files. I'm not
sure about MIME though.

- - 
Thomas O'Donohoe <mayo@dircon.co.uk>
http://www.users.dircon.co.uk/~mayo/

------------------------------

Date: Sun, 04 Feb 1996 18:01:22 -0500 (EST)
From: Doug Muth <dmuth@oasis.ot.com>
Subject: Re: Scaning Zip files
X-Digest: Volume 9 : Issue 17

In article <0002.01I0SMTI9C6YPVGQEE@csc.canterbury.ac.nz>, Sean Burgess writes:
: Are there any products that will scan .ZIP files for viruses?

	AVP will, and so will Dr. Soloman's AVTK, I believe.  You could 
also use THD Proscan, which is a shell program designed for doing "batch 
scanning".

	Regards,

- -
- -<Doug Muth>---<dmuth@ot.com>--| Finger dmuth@oasis.ot.com for
- --<http://www.ot.com/~dmuth>---| PGP public key and geek code
Anti-virus software and utils:  | The Transformers fanfiction:
~dmuth/virus/virus.html         | ~dmuth/tf/tf.html
"Piss off a government, practice civil disobedience TODAY!"

------------------------------

Date: Fri, 02 Feb 1996 15:31:28 +0200 (EET)
From: Timo Salmi <ts@UWasa.Fi>
Subject: i_m261a.zip Integrity Master anti-virus + data integrity
X-Digest: Volume 9 : Issue 17

Thank you for your contribution.  This upload is now available as
 391598 Jan 31 02:59 ftp://garbo.uwasa.fi/pc/virus/i_m261a.zip

: Date: 02 Feb 96 06:29:52 EST
: From: Stiller Research <74777.3004@compuserve.com>
: To: <pc-up@uwasa.fi>
: Subject: i_m261a.ZIP: Integrity Master 2.61a uplo
:
: I have just uploaded i_m261a.zip to the garbo /PC archives
:
:  File name: i_m261a.zip
:  One line description: Integrity Master antivirus + data integrity system
:  Replaces: i_m260b.zip
:  Suggested Garbo directory: pc/virus
:  Uploader name & email: Wolfgang Stiller <74777.3004@CompuServe.COM>
:  Author or company: Wolfgang Stiller, Stiller Research
:  Email address: 74777.3004@compuserve.com  (***NEW EMAIL ADDRESS ***)
:  Surface address: 2625 Ridgeway Street, Tallahasse, Florida 23310 USA
:  Special requirements: none (DOS 2.0 or later, 250kb RAM)
:  Shareware payment required from private users: yes
:  Shareware payment required from corporates: yes
:  Demo: no
:  Nagware: no
:  Self-documenting: yes (run setupim)
:  External documentation included: yes (i-m.doc)
:  Source included: no
:  Size: 391697  (before Garbo replace the Zip comment with their own)
:  10 lines description:
:    Integrity Master scans for viruses but also provides complete protection for
:    the PC.  It is a high performance (100% assembler) program offering virus
:    protection, data integrity, security, CMOS protection, and change management
:    all in one easy to use package.  It detects hardware glitches, software
:    bugs, and even deliberate sabotage to your data.  If a virus strikes, IM
:    identifies it by name and (unlike other programs) also identifies any damage
:    caused by the virus.  Although it scans for known viruses, it will reliably
:    detect new, unknown viruses. IM is certified by National Computer Security
:    Association (NCSA) as a virus scanner.  Integrity Master provides both a
:    command line interface as well as menus with extensive on-line help.

   All the best, Timo

...................................................................
Prof. Timo Salmi   Co-moderator of news:comp.archives.msdos.announce
Moderating at ftp:// & http://garbo.uwasa.fi archives  193.166.120.5
Department of Accounting and Business Finance  ; University of Vaasa
ts@uwasa.fi http://uwasa.fi/~ts BBS 961-3170972; FIN-65101,  Finland

------------------------------

Date: Sun, 04 Feb 1996 19:49:09 -0500 (EST)
From: support@vse.ac-copy.com
Subject: Flash BIOS Virus...
X-Digest: Volume 9 : Issue 17

From my last post (harddrive firmware virus), I have learned something:
there seems to be a consensus that flash BIOSes ARE vulnerable to virus
attacks if the corresponding flash-enable jumper is not correctly set...

My questions are now:
	how often is this jumper set incorrectly without the end-user
knowing ?

your guess is as good as mine, I presume.
	how do you think, the standard end-user, you know which one: the
one who forgets a floppy in drive A: and doesn't consider this as
booting...How will she verify that this jumper IS set correctly,
presuming that she has actually received a mainboard-manual with her
desktop box...
	so, the real question:
Has this happened yet? And what will we do, when the first unemployed
Bulgarian programmer or spoilt jr-high student gets the same idea I have
now and actually turns it into code?

Ciao, Guido

------------------------------

Date: Sun, 04 Feb 1996 18:47:38 -0500 (EST)
From: Alan Shutko <ats@hurd193.wustl.edu>
Subject: Re: Harddrive firmware virus possible?
X-Digest: Volume 9 : Issue 17

>>>>> "DM" == Doug Muth <dmuth@oasis.ot.com> writes:

DM>     I think what you are referring to are the drivers stored on
DM> IDE disks greater than 540 MB because an IDE controller can
DM> normally access only 540 MB.  Anything past that requires a
DM> special driver loaded at bootup.

I think this is only necessary if you have an old IDE-only BIOS.  With
an EIDE BIOS, there are no drivers which need to be loaded to run.

I also think this is DOS-specific: using another OS such as Linux may
not need it.  Could someone confirm?

- -
Alan Shutko <ats@hubert.wustl.edu> - The Few, the Proud, the Remaining.
Oxymoron: Baby Grand.

------------------------------

Date: Sun, 04 Feb 1996 20:54:34 -0500 (EST)
From: John Elsbury <jelsbur@clear.co.nz>
Subject: Re: Shareware beasties
X-Digest: Volume 9 : Issue 17

"Thomas F. Hosmer Sr." <thosmer@epix.net> wrote:

>     I have been lurking and learning for some time now and thanks to 
>some of the posts I have read have been able to detect and remove one 
>virus from my system and am still learning from you guys.
>
>     I have one question thats been bothering me.  Like many others
>who have an affinity for the web I like trying shareware.  Usually
>only keeping one out of a couple of dozen, deleting the rest.  The
>other day some one told me many of the shareware programs I deleted
>left small programs hidden on my hard drives...
<snip>

I am not a shareware writer - maybe one will respond to your post -
but I think this is mostly wrong, with a grain of truth.  I suspect
that many shareware programs create hidden DATA files which are used
to hold information about date installed etc, which the program will
check when it runs.  I don't believe installed shareware is going to
leave small programs lying around...there would be no easy way to
cause them to be executed anyway.

There may be a system performance implication if you add and delete
large numbers of small  programs and files - this arises from what is
called fragmentation and is inherent in the way file space is
allocated by DOS.  Tools exist to defragment hard drive partitions. 

There may also be bits and pieces left over when you install and
remove shareware - this can also leave your hard disk with lots of
odds and ends which you can never get rid of safely as they are not
documented, and you don't know what they do.  Commercial software is
not a lot better.  I believe there are uninstall-type programs around
which can help with this, but I have so far managed by buying bigger
hard disks.

There is, of course, a risk that any program you run may contain a
virus which will infect your PC - but this is not something that
shareware writers are going to encourage.

John (I am still trying to persuade my employer to adopt my opinions)
Elsbury

------------------------------

Date: Sun, 04 Feb 1996 19:29:16 -0500 (EST)
From: support@vse.ac-copy.com
Subject: Re: Harddrive firmware virus possible?
X-Digest: Volume 9 : Issue 17

>Date: Tue, 30 Jan 1996 19:40:18 -0500 (EST)
>From: Vesselin Bontchev <bontchev@complex.is>

>If you are referring to the special drivers used to access hard disks
>larger than 528 Mb on computers without built-in LBA translation in
>the BIOS, then this concept is rather obsolete; not "the most recent
>generation".

No Vesselin, I am referring to things like the Quantum Fireball series of
harddisk drives. Rumour has it, that these things no longer use a real
firmware EPROM or EEPROM, but use a bootstrap code in their
microcontroller to boot to load their "operating system" from a reserved
track of the disk itself.  However, I have no confirmation from Quantum
about this. But the reason for doing this, saving the cost for the EEPROM
and to be able to upgrade the firmware code long after manufacturing, with
this being able to "renew" stock items, seems quite convincing to me.

This brings me to the question: how well guarded is the access mechanism
to this code?

Now what..    :-)

>You are right to be frightened. People with such disks who get
>infected with a boot sector virus are usually in serious trouble. What
>can be done? First, avoid such environments. Second, boot the machine
>from a floppy and make a backup copy of the contents of track zero -
>or at least of that part of it that you can read after booting from a
>floppy. Third, contact the company that produces the driver and ask
>their technical support how to restore the driver if it becomes
>damaged. (Do not mention the word "virus" when talking to them.)

Yes, I know! Exactly this has happened to one of my clients. He had to use
this software (you know the manufacturer), and he experienced a Tequila 
infection. The manufacturer was of NO help: "Easy, just reinstall the
software, bla, bla ..." which it just did not!! "Error xxyyz: please
contact manufacturer"

After four hours, we decided to repartition with clean DOS, reinstall the
software, and roll in the backups (another 3 hours...)

Ciao, Guido

------------------------------

Date: Sun, 04 Feb 1996 19:09:26 -0500 (EST)
From: support@vse.ac-copy.com
Subject: Virus in commercial software ? Not my experience!
X-Digest: Volume 9 : Issue 17

>Date: Tue, 30 Jan 1996 15:56:44 -0500 (EST)
>From: Doug Muth <dmuth@oasis.ot.com>
>
>       Well, I don't have the numbers to back this up, but I believe 
>that the most infections come through commercial packages.  Probally 
>because people who buy them think that becuase they come from some big 
>company that they are virus free.

WHAT?

Excuse my shouting, but this seems like genuine bovine excrements  to me.
Although I cannot come up with any statistically relevant numbers, I can
tell from

my local (Western Europe) experience:
Nine out of ten contaminations are of the boot sector variety, either
booting accidentally a "data diskette" or some (pirated) games...
Over 75% of all infections I have seen are Tequila and ParityBoot.B
viruses. Most of the rest are (for this hood) less common boot sector
infectors, and very occasionally a leftover Cascade variant. In fact this
is the only file infector I have ever encountered ITW.

And, yes, I have encountered viruses on manufacturers' diskettes, but all
of them were on some obscure drivers of even more obscure far east cheap
hardware add-ons. Except for a well known macro virus, which was in
Germany distributed (accidentally) by the manufacturer of the corresponding
macro-able product...

Ciao, Guido

------------------------------

Date: Mon, 05 Feb 1996 02:36:51 -0500 (EST)
From: Samson Luk <gu_jc3@uxmail.ust.hk>
Subject: Re: Virus Protection Policy
X-Digest: Volume 9 : Issue 17

MR HENRI J DELGER (henri_delger@prodigy.com) wrote:

: breached.  Anti-virus security means minimal "privileges" 
: for each user, to avoid a virus "epidemic."   One infected
: computer is bad enough, a thousand can spell disaster.
:      Only those who need full write access privilege, such 
: as the Administrator, should be able to access the server 
: with write intent.

Anyone tried Sophos' Sweep for Windows NT with InterCheck?  This 
product actually required the Windows NT Server that is running the 
anti-virus scanner/monitor to create a directory with public write 
access.  Based on the above reason I have great doubt in the 
implementation of such a loophole.

Regards
Samson

------------------------------

Date: Mon, 05 Feb 1996 05:12:59 -0500 (EST)
From: Trent Waddington <s337240@student.uq.edu.au>
Subject: Re: Will one virus detector "detect" another one?
X-Digest: Volume 9 : Issue 17

Steve640 (steve640@aol.com) wrote:
: When I run a virus checker against my hard disk, are they 
: typically just looking for bit patterns in executable files?
: If they only check for matching patterns in exe files, will
: one virus detector see another virus detectors signatures files
: as a virus?

: [Moderator's note:  There are -several- Q&A's in the FAQ sheet covering
: all the possibilities here.  People, please read the FAQ before
: posting...]

Moderator doesn't like answering the question, does he/she? 

Most AV packages keep the strings (if they use them.. which most do) in 
an encrypted file.. that way they don't detect the file as a virus and 
no-one can change the strings..

L8r
Trent
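Trent's point, that a scanner stores its own patterns in a form that a plain substring match will not trip over, is easy to see in code. The following Python is an added example, not from Trent's post or from any AV product: the two signatures, the single-byte XOR key and the SHA-256 trailer are all constructed for the demonstration. It shows both halves of his claim: a scanner loaded with the decoded patterns matches the plaintext store but not the encoded one, and the trailing digest makes an edited store fail to load (a fixed XOR plus an unkeyed digest only deters casual tampering; a real product would want something stronger).

```python
import hashlib

# Constructed demo signatures: byte patterns standing in for the strings a
# scanner looks for. Not real virus signatures.
SIGNATURES = {
    "Demo.A": bytes.fromhex("deadbeef01020304"),
    "Demo.B": bytes.fromhex("cafebabe42424242"),
}
XOR_KEY = 0x5A  # assumed: one XOR byte is enough to hide patterns from a substring match


def _xor(data: bytes, key: int = XOR_KEY) -> bytes:
    """Apply a single-byte XOR (its own inverse) to every byte."""
    return bytes(b ^ key for b in data)


def encode_signature_db(sigs: dict) -> bytes:
    """Serialize name/pattern records, append SHA-256 over the plaintext records,
    then XOR the whole thing so the raw patterns never appear on disk."""
    records = bytearray()
    for name, pat in sorted(sigs.items()):
        # record layout: name, NUL, one-byte pattern length, pattern bytes
        records += name.encode() + b"\0" + bytes([len(pat)]) + pat
    digest = hashlib.sha256(records).digest()
    return _xor(bytes(records) + digest)


def decode_signature_db(blob: bytes) -> dict:
    """Reverse the XOR, verify the trailing digest, then parse the records.
    Raises ValueError if any byte of the store was changed."""
    raw = _xor(blob)
    records, digest = raw[:-32], raw[-32:]
    if hashlib.sha256(records).digest() != digest:
        raise ValueError("signature database failed integrity check")
    sigs, i = {}, 0
    while i < len(records):
        end = records.index(b"\0", i)
        name = records[i:end].decode()
        n = records[end + 1]
        sigs[name] = records[end + 2:end + 2 + n]
        i = end + 2 + n
    return sigs


def scan(data: bytes, sigs: dict) -> list:
    """Naive substring scanner: names of every pattern that occurs in data."""
    return sorted(name for name, pat in sigs.items() if pat in data)


if __name__ == "__main__":
    db = encode_signature_db(SIGNATURES)
    loaded = decode_signature_db(db)
    print("plaintext store hits:", scan(b"".join(SIGNATURES.values()), loaded))
    print("encoded store hits:  ", scan(db, loaded))
```

Run as a script it prints the two lists; the first names both signatures, the second is empty.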

------------------------------

Date: Mon, 05 Feb 1996 05:57:42 -0500 (EST)
From: Patrick.Nolan@news.flinet.com
Subject: Re: Shareware beasties
X-Digest: Volume 9 : Issue 17

In article <0009.01I0R33FGIF6PVGQEE@csc.canterbury.ac.nz>, thosmer@epix.net 
says...
>
>     I have been lurking and learning for some time now and thanks to 
>some of the posts I have read have been able to detect and remove one 
>virus from my system and am still learning from you guys.
>
>     I have one question thats been bothering me.  Like many others
>who have an affinity for the web I like trying shareware.  Usually
>only keeping one out of a couple of dozen, deleting the rest.  The
>other day some one told me many of the shareware programs I deleted
>left small programs hidden on my hard drives keeping track to make
>sure I never use them for more then the alloted shareware time.  My
>question is this: If there are little programs hidden, running
>always checking to see if the program is reinstalled could
>these have a negetive effect on ones system, like a virus?
>
>     I recently reformated my "C" drive because I seemed to be
>running a little slower and had a little less memory then I thought I
>should.  I scanned for viruses with 3 programs and they showed a
>clean system, memory, boot sector, files etc. Is it possable an
>accumulation of these small shareware leftovers could have caused the
>problem.
>
>     I hope this question is appropriate to this group and look
>forward to your responces.  Thanks for all the info I've already
>gleaned from this group.

The next time your system runs a bit slow, try running a hard disk utility 
program (like scandisk) to check for lost clusters. Also run a
defragmenter in case your drive has fragmented files on the drive.

------------------------------

Date: Sun, 04 Feb 1996 17:17:58 -0500 (EST)
From: George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Subject: Re: Help with Word macro virus on network (MAC,WIN)
X-Digest: Volume 9 : Issue 17

In article <0014.01I0R33FGIF6PVGQEE@csc.canterbury.ac.nz>, Zvi
Netiv <netz@actcom.co.il> wrote:
>Clean the NORMAL.DOT template(s) and change its attributes to
>read-only so that it won't get modified. For a shared NORMAL
>template (in a network), also remove the users' modify rights so
>that they cannot change it back.

This is really a poor way of going around the problem of macro
viruses.  There are legitimate reasons for changing the
normal.dot template, such as changing some of Word's
configuration options.  Installing a VxD that detects macro
viruses would be a more proactive approach.  I believe that Dr.
Solomon's Winguard detects macro virus infections and prevents
infected documents from being loaded.  Dr. Solomon's also has
the capability of cleaning the infected documents.

Regards, 

George Wenzel

------------------------------

Date: Sun, 04 Feb 1996 18:06:43 -0500 (EST)
From: Steven Hoke <shoke@NorthNet.org>
Subject: Re: Word Macro Prank Virus (Concept) (MAC,WIN)
X-Digest: Volume 9 : Issue 17

Padgett 0sirius <padgett@goat.orl.mmc.com> was heard to say:

>>:    Sub MAIN
>>:       DisableAutoMacros
>>:       MsgBox "AutoMacros off!", "Safety First!", 64
>>:    End Sub

>Is an excellent solution except would suggest substituting "-1" for the
>"64" - that way the message appears on the status line and the user does
>not have to clear a dialogue box.

Thanks. That button has been annoying to have to get rid of it before it 
opens the document. You sure do have to look quickly for that message to 
appear on the status line though. Blink, and it's gone.

>BTW the "SCANPROT.DOT" Micro$oft includes with WD1215 has two major flaws
>IMNSHO:
>1) It allows the user to turn automacros back on
>2) Does not check on files opened by a doubleclick on a ccMail attachment
>   (think it uses same mechanism as "drag & drop" - see the fine print
>   inside the README)

I read the documentation with scanprot.dot that it won't work on a
document that you open by double clicking, but are you also implying that
the above macro to turn off autoexec macros will check files opened that
way (I know very little about Word macros)?

- -==Steve==--

shoke@northnet.org
steven_hoke@msn.com

------------------------------

Date: Sun, 04 Feb 1996 20:26:45 -0500 (EST)
From: ak8188@CNSVAX.ALBANY.EDU
Subject: Re: Word Macro Viruses, defences (MAC,WIN)
X-Digest: Volume 9 : Issue 17

In article <0018.01I0U3NT89X2PVGQEE@csc.canterbury.ac.nz>, David Harley
<harley
>A. Padgett Peterson, P.E. Information Security wrote:
>    [in a list of steps that users ought to take to protect themselves
against some of the macro viruses]

>: 6) Know what is supposed to be in your TOOLS/MACROS listing. Notice if
>:    something new appears (see 5). Note: while you have a DELETE option
>:    available, if WORD is infected, can you trust it. See item (4).
>
>Exactly. You can't trust a subverted command.

I agree with this warning in principle; but I was just wondering whether
a user familiar with the WordBasic macro language might be able to read
all of the macro viruses and verify the integrity of his "delete" command
before deleting; I suspect that this is a feasible step with the existing
versions of the virus.

One day, somebody will write a version of the virus that subverts the
"edit" command, of course; so this option will no longer be available.

So how about it?  Can we disinfect this sucker using the "delete" command?

alfredo b goyburu

------------------------------

Date: Tue, 06 Feb 1996 22:29:42 -0500 (EST)
From: sysop@command-bbs.com
Subject: Win95.Boza (WIN95)
X-Digest: Volume 9 : Issue 17

Win95.Boza
	   
It's not a dangerous parasitic NewEXE(PE)-virus. It searches for
EXE files, checks the files for the PE signature, then creates in the
EXE file a new section named ".vlad", and writes its code into
that section.

When infection occurs the virus uses calls to functions GetDir, SetDir,
FindFirst, FindNext, OpenFile, LSeek, Read, Write, and CloseFile. First,
it gets the current directory, and checks the Windows95 kernel for some
specific code. Then the virus searches for .EXE files, and checks them for
the PE signature. Then the virus increases NumberOfSections field in
PE header, writes into the file new Section Header that describes
the new Sections in the file, and writes itself to the end of the file.

When execution occurs the virus infects up to 3 files, and looks for
EXE files in parent directories, if there are no more .EXE files in the
current one. Before returning to the host program the virus restores the
current directory.

The virus checks some data (the system date?) and in some cases displays 
the messages:

 Bizatch by Quantum / VLAD
 The taste of fame just got tastier!
 VLAD Australia does it again with the world's first Win95 Virus
 From the old school to the new..
 Metabolis
 Qark
 Darkman
 Automag
 Antigen
 RhinceWind
 Quantum
 Absolute Overlord
 CoKe


The virus also contains the internal text strings:

 .vlad
 Please note: the name of this virus is [Bizatch] written by Quantum of VLAD

The virus is not bug free, and in some cases Windows95 displays an error 
message while executing infected EXE files.

Keith
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Central Command Inc.                 USA  Distributor  for
P.O. Box 856                         AntiViral Toolkit Pro
Brunswick, Ohio 44212                216-273-2820
Internet: info@command-hq.com        Compuserve:102404,3654
FTP: ftp.command-hq.com /pub/command/avp       :GO AVPRO
WWW: http://www.command-hq.com/command
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
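The description above gives a defender two concrete things to look for in a PE file: a section header named ".vlad" added by bumping NumberOfSections, and the "[Bizatch]" marker string. The Python below is an added example, not part of Keith's post or of AntiViral Toolkit Pro: it parses the PE section table from the COFF header, reports those two indicators, and also flags a section whose raw data runs past the end of the file (a corrupted or truncated infection). The sample executables it builds are constructed skeletons (MZ stub, PE signature, COFF header with no optional header, then section headers and tiny bodies), not real binaries.

```python
import struct

SECTION_HEADER_SIZE = 40
SECTION_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER layout
IMAGE_SCN_CODE_EXEC_READ = 0x60000020  # code | execute | read
BIZATCH_MARKER = b"Please note: the name of this virus is [Bizatch]"


def parse_sections(data: bytes) -> list:
    """Walk the PE section table and return one dict per section header.
    Raises ValueError if the MZ/PE signatures are missing or the table is cut off."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    if table + num_sections * SECTION_HEADER_SIZE > len(data):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_FMT, data, table + i * SECTION_HEADER_SIZE)
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = fields
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_size": vsize, "virtual_addr": vaddr,
            "raw_size": rsize, "raw_ptr": rptr, "characteristics": chars,
        })
    return sections


def boza_indicators(data: bytes) -> list:
    """Return human-readable findings for the indicators the description names,
    plus a sanity check that every section's raw data fits inside the file."""
    findings = []
    for s in parse_sections(data):
        if s["name"] == ".vlad":
            findings.append(f"section named .vlad at raw offset {s['raw_ptr']:#x}")
        if s["raw_ptr"] + s["raw_size"] > len(data):
            findings.append(f"section {s['name']} raw data extends past end of file")
    if BIZATCH_MARKER in data:
        findings.append("Bizatch marker string present")
    return findings


def build_sample_pe(section_names: list) -> bytes:
    """Constructed minimal PE skeleton for testing the parser (not a real program)."""
    n = len(section_names)
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, stamp, symtab, nsyms, SizeOfOptionalHeader=0, flags
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x0102)
    raw_off = e_lfanew + 4 + 20 + n * SECTION_HEADER_SIZE
    headers, bodies = b"", b""
    for i, name in enumerate(section_names):
        body = name.encode().ljust(16, b"\x90")          # 16 bytes of filler per section
        headers += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"),
                               len(body), 0x1000 * (i + 1), len(body),
                               raw_off + len(bodies), 0, 0, 0, 0, IMAGE_SCN_CODE_EXEC_READ)
        bodies += body
    return dos + b"PE\0\0" + coff + headers + bodies


if __name__ == "__main__":
    for label, names in (("clean", [".text", ".data"]), ("infected", [".text", ".data", ".vlad"])):
        sample = build_sample_pe(names)
        print(label, [s["name"] for s in parse_sections(sample)], boza_indicators(sample))
```

Against a real infected file the parser would show the original sections followed by the appended ".vlad" entry, which is exactly the change the description attributes to the virus; the end-of-file check is what catches the "not bug free" cases where an infection left the file inconsistent.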

------------------------------

Date: Mon, 05 Feb 1996 01:55:27 -0500 (EST)
From: CHIU Chong Kan <ckchiu@cs.cuhk.hk>
Subject: Microsoft's Macro Virus Protection Tool? (WIN95)
X-Digest: Volume 9 : Issue 17

    I've installed ``mvtool10.exe'' in Word 7.0.  The tool works fine
in most cases.  But when I click the Office shortcut bar to `Start a 
New Document' or `Open a Document',  Win95 prompts an error message 
like `MSOW Error'.  I followed the document to uninstall the protection 
tool, but the problem still remains.  Is this a bug in the protection
tool ?  Or am I doing something wrong ?
    Please reply via email.  Thanx.

C.K.
- -
Chong-kan Chiu                          Dept. of Computer Science & Engineering
E-mail : ckchiu@cs.cuhk.hk              The Chinese University of Hong Kong
Phone  : (852) 2609-8394                Shatin, Hong Kong

------------------------------

Date: Mon, 05 Feb 1996 05:58:49 -0500 (EST)
From: Fridrik Skulason <frisk@complex.is>
Subject: Re: Word 6 macro virus in WordPerfect (WIN)
X-Digest: Volume 9 : Issue 17

In <0016.01I0SMTI9C6YPVGQEE@csc.canterbury.ac.nz> Gerard Petersen
<gerard.petersen@pi.net> writes:

>If i get an infected Word document and i normally use WP 6.1 for 
>windows. Do i still have a virus if i convert the document to a 
>wp6-format and delete the word document.

No.  Word Perfect does not support the macros that make virus writing
under Word possible.

on the subject of Word Perfect and viruses, there is one interesting
observation I have made.  It seems that a master diskette for WP 6.1 for
Windows was infected with AntiCMOS, and then incorrectly cleaned (using
SCAN), which left a part of the virus on the diskette - not enough for
other scanners to identify the virus, but enough to trigger "suspicious
code in the boot sector" type detection.

Needless to say, the Word Perfect folks want to ignore the problem, and
even refuse to admit that there ever was a virus on the disk.

-frisk

- - 
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Sun, 04 Feb 1996 13:32:47 -0500 (EST)
From: mporadzi@maildrop.srv.ualberta.ca (Monkey is Cindy)
Subject: Dr.Solomon's latest (PC)
X-Digest: Volume 9 : Issue 17

What's with Dr. Solomon's?  First I have a hard time scanning its files,
then it reports funny warnings with all my other virus scanning programs.
I have removed the program for now, but is anyone else having the same
problem?

mporadzi@pop.srv.ualberta.ca

------------------------------

Date: Sun, 04 Feb 1996 16:36:35 -0500 (EST)
From: Glen Robinson <gtr@qld.mim.com.au>
Subject: EPBR Virus ? (PC)
X-Digest: Volume 9 : Issue 17

Can anyone tell me what the EPBR virus does ?  I found it with FProt 
2.21 which identified and removed it.  I couldn't find any description 
of it in any virus database.  (FPROT or VSUM).

Thanks
Glen

------------------------------

Date: Sun, 04 Feb 1996 17:06:02 -0500 (EST)
From: Mark Player <playerm@helix.nih.gov>
Subject: WelcomB Virus (PC)
X-Digest: Volume 9 : Issue 17

Has anyone ever had any problems with the WelcomB Virus.  McAfee for Win 
95 detected it but couldn't clean it , I had better luck with NAV which 
did clean it.  Has this virus been around for a long time?  What does it 
typically do?

------------------------------

Date: Sun, 04 Feb 1996 17:15:31 -0500 (EST)
From: Adam Vissing <Adam.Vissing@bonn.netsurf.de>
Subject: TBAV and v-sum (PC)
X-Digest: Volume 9 : Issue 17

Why isn't TBAV taken into account in
v-sum? I heard it's because the creator of
v-sum thinks it's unfair to use heuristic scan methods
to detect viruses, but why unfair? F-prot does that
to, I think. I use tbav 6.51 and mcafee 2.2.9, and
i definitely think that those two are the best antivirus
programs ever.

Adam Vissing
www.geocities.com/siliconvalley/3321/

------------------------------

Date: Sun, 04 Feb 1996 21:04:58 -0500 (EST)
From: John Elsbury <jelsbur@clear.co.nz>
Subject: Re: ANTICMOS A / Boot Sector question (PC)
X-Digest: Volume 9 : Issue 17

"David A. Laatz" <dlaatz@iscgi.com> wrote:

>I found a virus on a Toshiba portable running Windows 3.11.  I
>downloaded McAfee from the Net and cleaned the problem on the
>portable. Now the floppies I used to move McAfee to the portable are
>infected with the ANTICMOS A virus in the boot sector. 

That's why we are supposed to use the write protect tab on our
diskettes.  As I am sure you now realise, when the virus was active on
the laptop it overwrote the boot sector on the diskettes you put in,
even though you meant only to read them.  If you had slid the little
slider, it wouldn't have been able to write the diskettes.  Any other
diskettes accessed on the Toshy are also probably infected.

> McAfee cannot seem to remove the virus.  All it does is report the virus with no
>actions taken.  Are these disks permanently infected and of no use or
>am I missing something.  Any explanation would be of great help.

Have you got the latest version, and are you using the /CLEAN option?
If all else fails copy the data files from the diskette onto another
medium (hard disk) then reformat them.  Data files are not infected by
viruses (but see other postings re Word 6 documents).  
DON'T use the File Manager format, use DOS format with the U option,
i.e. FORMAT A: /U.

This is a good time to look into the CMOS settings of your computer
and fix it, if possible, so that it doesn't try to boot from the A
drive.  THIS IS THE NUMBER ONE ZERO-COST PROTECTIVE MEASURE against
boot sector viruses. 


John Elsbury
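
The check behind the advice above, as an added example that is not part of
the digest and not McAfee's or anyone else's product code: a boot-sector
integrity checker for a DOS (FAT12) floppy image. It parses the BIOS
Parameter Block, verifies the 0x55AA signature, and compares a hash of the
loader code region against a baseline taken from a clean disk, which is
how a boot-sector change is caught even when the BPB is left intact and the
disk still reads normally. The 512-byte sector is constructed inline (an
assumed stand-in for a real 1.44 MB floppy, not a copy of one) so the script
runs offline; the "overwrite" function only swaps bytes in that constructed
buffer to show the detection firing.

```python
"""Boot-sector integrity check for a DOS (FAT12) floppy image.

Added example, not code from the digest. The sector bytes below are
constructed so the script runs offline; they stand in for a real
1.44 MB floppy boot sector and are not copied from one.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BPB_OFFSET = 0x0B              # BIOS Parameter Block follows jump + OEM name
BPB_FORMAT = "<HBHBHHBHHHII"   # 25 bytes, bytes/sector .. large total sectors
CODE_OFFSET = 0x3E             # first byte of the boot loader code
SIG_OFFSET = 0x1FE             # 0x55 0xAA boot signature

BPB_FIELDS = (
    "bytes_per_sector", "sectors_per_cluster", "reserved_sectors", "fat_count",
    "root_entries", "total_sectors", "media_descriptor", "sectors_per_fat",
    "sectors_per_track", "heads", "hidden_sectors", "total_sectors_large",
)


def build_clean_sector() -> bytes:
    """Constructed clean sector with the assumed geometry of a 1.44 MB disk."""
    bpb = struct.pack(BPB_FORMAT, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    ext = (b"\x00\x00\x29" + struct.pack("<I", 0x1A2B3C4D)
           + b"NO NAME    " + b"FAT12   ")
    header = b"\xEB\x3C\x90" + b"MSDOS5.0" + bpb + ext
    assert len(header) == CODE_OFFSET
    # Placeholder loader: a few plausible opcodes, then the usual DOS message.
    code = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"Non-System disk or disk error"
    code = code.ljust(SIG_OFFSET - CODE_OFFSET, b"\x00")
    return header + code + b"\x55\xAA"


def parse_bpb(sector: bytes) -> dict:
    """Unpack the BPB into a dict keyed by field name."""
    values = struct.unpack_from(BPB_FORMAT, sector, BPB_OFFSET)
    return dict(zip(BPB_FIELDS, values))


def code_digest(sector: bytes) -> str:
    """SHA-256 of the loader code region only (BPB excluded on purpose)."""
    return hashlib.sha256(sector[CODE_OFFSET:SIG_OFFSET]).hexdigest()


def check_sector(sector: bytes, baseline_digest: str) -> list:
    """Return findings; an empty list means the sector matches the baseline."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        findings.append("sector is not 512 bytes")
        return findings
    if sector[SIG_OFFSET:] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    bpb = parse_bpb(sector)
    if bpb["bytes_per_sector"] != 512 or bpb["fat_count"] not in (1, 2):
        findings.append("BPB values implausible for a DOS floppy")
    if code_digest(sector) != baseline_digest:
        findings.append("boot code differs from baseline")
    return findings


def simulate_boot_code_overwrite(sector: bytes) -> bytes:
    """Simulation only: replace the loader bytes while leaving the BPB intact,
    which is why an altered disk can still be read normally by DOS."""
    fake_loader = b"\xEA\x00\x7C\x00\x00" + b"\x90" * 100   # far jump + NOPs
    fake_loader = fake_loader.ljust(SIG_OFFSET - CODE_OFFSET, b"\x00")
    return sector[:CODE_OFFSET] + fake_loader + sector[SIG_OFFSET:]


if __name__ == "__main__":
    clean = build_clean_sector()
    baseline = code_digest(clean)
    print("clean  :", check_sector(clean, baseline) or "OK")
    print("altered:", check_sector(simulate_boot_code_overwrite(clean), baseline))
```

On a real disk the baseline digest would be recorded once from a known-clean,
write-protected diskette and kept off the machine being checked; the BPB is
deliberately left out of the hash so that a legitimate change of volume label
or serial number does not raise a false alarm.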

------------------------------

Date: Mon, 05 Feb 1996 00:53:57 -0500 (EST)
From: Patrick.Nolan@news.flinet.com
Subject: Re: Help: Goldbug (PC)
X-Digest: Volume 9 : Issue 17

In article <0031.01I0SMTI9C6YPVGQEE@csc.canterbury.ac.nz>, 
brasseur@acm.cps.msu.edu says...

>My computer was acting a bit oddly, so I got my hands on an updated copy 
>of F-Prot.  It found the Goldbug virus resident in my memory and in 11 
>(so far) executable files.  The filenames were changed to prevent 
>execution, but I'd still like to get rid of the bloody thing.  F-Prot is 
>unable to disinfect my files.

If the virus was found in memory, the best way for detecting/removing all 
viruses is to remove it from memory, or boot from a clean floppy disk
(like the setup disks for DOS) and scan from a floppy disk.

------------------------------

Date: Mon, 05 Feb 1996 01:12:56 -0500 (EST)
From: pjn-tsa@news.flinet.com
Subject: Re: F-prot 2.21 NUL virus (PC)
X-Digest: Volume 9 : Issue 17

In article <0042.01I0SMTI9C6YPVGQEE@csc.canterbury.ac.nz>, 
news@cdf.toronto.edu says...
>
>On 31 Jan 1996, Vesselin Bontchev wrote:
>
>> Usenet News <news@cdf.toronto.edu> writes:
>> 
>> > When I used F-prot 2.21 with Heuristics scan (no /PARANOID option) and
>> > scan NUL, it reports my computer is infected by an active Stealth virus.
>> 
>> Thou shalt not use undocumented options, unless instructed so by the
>> producer! :-) Otherwise you deserve everything that happens to you.
>
>/PARANOID option IS documented!  Besides I DID NOT use it. (Nor the 
>/INT_IO option for that matter.)
>

Also, if you scan a .zip file with heuristic scan, it shows an "active"
stealth virus found in memory; just a bug, that's all.

------------------------------

Date: Mon, 05 Feb 1996 03:58:42 -0500 (EST)
From: Espen Ottar <Espen.Ottar@si.sintef.no>
Subject: HELP - Still having problems with ANTIEXE virus (PC)
X-Digest: Volume 9 : Issue 17

I have a PC infected with what Scan reports as the AntiEXE virus.
The problem is that it is resident in memory even after booting
from a clean diskette (or so it seems).

I have tried to boot the system with a clean diskette containing
McAfee's Scan and then hoped to remove it by scan /clean.

But the scan program reports the virus to be active in memory!
Why??????
What can I do to get rid of it??????

All help is appreciated!!!

Espen Ottar
eot@si.sintef.no

------------------------------

Date: Mon, 05 Feb 1996 04:23:12 -0500 (EST)
From: pjn-tsa@news.flinet.com
Subject: Re: ONE HALF.3544 Virus Detected (PC)
X-Digest: Volume 9 : Issue 17

In article <0033.01I0SMTI9C6YPVGQEE@csc.canterbury.ac.nz>, leec@kuwait.net 
says...

>Please can somebody advise me how I can remove the ONEHALF.3544 virus
>from PCs without deleting .COM or .EXE files.
>
>McAfee has detected it, but will not remove it.

that virus overwrites part of the code of the file; not sure if any
product can disinfect that one

------------------------------

Date: Mon, 05 Feb 1996 06:34:13 -0500 (EST)
From: "A.Appleyard" <A.APPLEYARD@fs2.mt.umist.ac.uk>
Subject: An aftereffect of Natas (PC)
X-Digest: Volume 9 : Issue 17

I have had attacks of NATAS in some PC's that students use. It seems that
when NATAS has infected a file and McAfee SCAN has cleaned it out, there
remains an odd effect:

  `DIR' (at least DOS 5.00, and probably DOS 6.**) prints its date as
correct.  The DOS interrupts `AX=4E00, int21' & `AX=4F00, int21' read its
date as 128 years in the future from correct.  `DIR /OD' sorts affected
filenames by date as if the date was 128 years in the future from correct,
but yet prints their dates as correct. Why is this?

Is there a bug in DIR's date-printing routine? Or what? Why can't DOS's
DIR print the date properly??? Why DIR's silly antic of ignoring the 128-
years bit?!? If a file's date is wildly wrong, I want to know about it!!!
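
The mechanism the question turns on, as an added example that is not part
of the digest and does not claim to reproduce what Natas itself writes into
a directory entry: the 16-bit date word that INT 21h AX=4Eh/4Fh hand back in
the DTA carries the year as a 7-bit offset from 1980, so a stamp can be up
to 127 years ahead, and a listing that prints only the last two digits of
the year shows a 100-year shift as the correct date while a sort on the raw
word puts the file in the next century. The DD-MM-YY order and the
plausibility thresholds are assumptions for illustration.

```python
"""Decode the packed DOS date/time words returned by INT 21h FindFirst/FindNext
and show how a two-digit-year listing can hide a shifted year.

Added example, not code from the digest. The listing format and the
plausibility thresholds are assumptions; what any particular virus puts in
these fields is not asserted here.
"""


def decode_date(word: int) -> tuple:
    """FAT date word: bits 15-9 year since 1980 (0..127), 8-5 month, 4-0 day."""
    return 1980 + ((word >> 9) & 0x7F), (word >> 5) & 0x0F, word & 0x1F


def decode_time(word: int) -> tuple:
    """FAT time word: bits 15-11 hours, 10-5 minutes, 4-0 seconds/2."""
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2


def encode_date(year: int, month: int, day: int) -> int:
    """Pack a date; the field simply cannot hold a year past 2107."""
    if not 1980 <= year <= 2107:
        raise ValueError("year does not fit the 7-bit FAT year field")
    return ((year - 1980) << 9) | (month << 5) | day


def encode_time(hour: int, minute: int, second: int) -> int:
    """Pack a time; seconds are stored halved, so 62 fits even though it is
    not a real clock value."""
    return (hour << 11) | (minute << 5) | (second // 2)


def dir_style(date_word: int) -> str:
    """Two-digit-year listing in DD-MM-YY order (assumed country setting;
    the point is only that the century is dropped)."""
    y, m, d = decode_date(date_word)
    return f"{d:02d}-{m:02d}-{y % 100:02d}"


def suspicious(date_word: int, time_word: int, today_year: int = 1996) -> list:
    """Plausibility checks on a raw stamp; thresholds are assumptions.
    A stamp a listing prints as normal can still fail these."""
    y, m, d = decode_date(date_word)
    h, mi, s = decode_time(time_word)
    reasons = []
    if y > today_year + 1:
        reasons.append(f"year {y} is in the future")
    if not (1 <= m <= 12 and 1 <= d <= 31):
        reasons.append("month/day out of range")
    if h > 23 or mi > 59 or s > 59:      # e.g. the classic 62-second marker
        reasons.append("time field out of range")
    return reasons


if __name__ == "__main__":
    normal = encode_date(1996, 2, 5)      # constructed sample stamps
    shifted = encode_date(2096, 2, 5)
    stamp = encode_time(12, 30, 20)
    print("listing shows:", dir_style(normal), dir_style(shifted))
    print("raw words    :", normal, shifted, "(DIR /OD sorts by these)")
    print("decoded      :", decode_date(normal), decode_date(shifted))
    print("flags        :", suspicious(shifted, stamp))
```

Running it prints the same listing string for both stamps while the raw
words differ by 100 years, which is exactly the pattern of a date that
prints right but sorts wrong; checking the decoded year against the current
year, rather than trusting what the listing shows, is the check to run.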

------------------------------

Date: Mon, 05 Feb 1996 07:21:52 -0500 (EST)
From: Harland Roades <EZYU67A@prodigy.com>
Subject: Azuza Virus, How do I get rid of it? (PC)
X-Digest: Volume 9 : Issue 17

The Azuza virus on an old 68 meg IDE hard disk is not easy to get rid of. 
 I have tried Norton Anti-Virus 3.0 and it locks up when it tries to 
clean up the virus.  McAfee Anti-Virus did not find it at all. I find the 
virus when I boot from a clean floppy and then try to load NAV. 
Formatting does not get rid of it. I am using DOS 5.0.  Any hints?

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 17]
*****************************************


