Message-Id: <01I0ZP1M7BUSPVIUA3@csc.canterbury.ac.nz>
Reply-To: virus-l@lehigh.edu
Originator: virus-l@lehigh.edu
Sender: virus-l@lehigh.edu
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V9 #18
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
X-Comment: Virus Discussion List
Date: 	Thu, 8 Feb 1996 07:14:56 EST

VIRUS-L Digest    Friday, 9 Feb 1996    Volume 9 : Issue 18

Today's Topics:

Re: Viruses from the internet
Re: 100 year stealth virus?
Re: Microsoft is shipping Viruses!
Re: Virus Database
Re: Scanning Zip files
Re: will formatting a floppy kill viruses on it?
Scanning .zip files
Re: What are the best Integrity Checkers?
Re: Harddrive firmware virus possible?
Re: Quality Anti-Virus Programs
Re: Virus concerns while using Netscape/www
Re: Viruses from the internet
Re: will formatting a floppy kill viruses on it?
Re: What are the best Integrity Checkers?
Re: Harddrive firmware virus possible?
Re: Will one virus detector "detect" another one?
Re: Does OS/2 need special treatment? (OS/2)
Re: Question: Linux viruses? (UNIX)
MBDF B Virus on CD-ROM (MAC)
Re: Word macro "viruses" - clarification? (MAC,WIN)
WORD Macro Viruses - Why them is. (MAC,WIN)
Word Macro Colors Virus (MAC?,WIN)
Does Concept always infect? (MAC,WIN)
Re: Word Macro Viruses, defences (MAC,WIN)
Possible Win95 Virus (WIN95)
Re: Windows95 Virus Scanner (WIN95)
Re: Word 6 macro virus in WordPerfect (WIN)
Should I NOT have programs open except for the one(s) curr. used? (WIN)
Re: Free or Cheap Virus Scanners (PC)
Re: How to remove "Ekaterin" virus ? (PC)
Re: ONE HALF.3544 Virus Detected (PC)
Re: How can I eliminate HAVOC 2? (PC)
Re: Is this a virus? (PC)
Need info about Sentry virus (PC)
Da'Boys (PC)
Suspicious Unidentified Activity? (PC)
Re: SUSPECTED VIRUS FOR WordPerfect? (PC)
Re: F-Prot shareware version status? (PC)
Re: Virus that damages hardware (PC)
What do i have? how do i get rid of it? (PC)
Re: B1 virus with a twist (PC)
Re: B1 virus with a twist (PC)
Re: How to remove "Ekaterin" virus ? (PC)
Re: F-prot + Parity_Boot-virus (PC)
Re: B1 virus with a twist (PC)
Re: HELP !!! OneHalf virus (PC)
Re: Virus:MONKEY_B + FORM_A (PC)
Re: B1 virus with a twist (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available by anonymous FTP on CS.UCR.EDU.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Mon, 05 Feb 1996 08:57:03 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Viruses from the internet
X-Digest: Volume 9 : Issue 18

> As Virus begins for Winword and Excel via Macro languages, I believe 
> surfing around WWW pages will also generate virus onto ones own PC as 
> newer features are added to Web browser like the Java applets which is 
> actually a small program build-in the page and execute at your PC when 
> you are viewing that page.
>
> Am I correct?

Not quite. It depends on how your web browser is configured. If it is
configured to launch WinWord or Excel or whatever when you click on a
link containing a .DOC or a .XLS file - then yes, you can get infected
this way. That's why browsers MUST NOT be configured to launch
applications with macro languages.

As to Java, IMO it is virus-proof. I might be wrong, but I have yet to
be convinced that it is possible to write a virus in it.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Mon, 05 Feb 1996 09:13:47 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: 100 year stealth virus?
X-Digest: Volume 9 : Issue 18

Dan Kirkwood <dpkirkwo@dangogh.edaco.ingr.com> writes:

> Has anyone heard of a "100 year stealth virus"?

This is probably the Frodo virus.

> I can get more details,  just want to know first off if it's a known
> virus, and if there's a cure...

Yes, it is a well-known virus and most good scanners can remove it.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Mon, 05 Feb 1996 09:32:06 -0500 (EST)
From: Fridrik Skulason <frisk@complex.is>
Subject: Re: Microsoft is shipping Viruses!
X-Digest: Volume 9 : Issue 18

In <0010.01I0U3NT89X2PVGQEE@csc.canterbury.ac.nz> chi@bluefin.net writes:

>The vendor whom I purchased the original package from called me and told
>me anyone who has purchased software or computers w/ software pre-
>installed within the last 30 days could be infected with the virus NEWBUG.

As far as I know, Microsoft did NOT ship any virus-infected diskettes.
Every single report of disk #2 being virus-infected has been traced to
a pre-existing active virus infection on the machine, which corrupts
the (non-standard format) disk #2.

>I have a hard time believing that Microsoft wasn't aware of this problem
>before I called.

Well - basically, this is almost 100% certainly your problem, not
Microsoft's.

-frisk
- - 
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Mon, 05 Feb 1996 09:35:11 -0500 (EST)
From: Fridrik Skulason <frisk@complex.is>
Subject: Re: Virus Database
X-Digest: Volume 9 : Issue 18

In <0009.01I0U3NT89X2PVGQEE@csc.canterbury.ac.nz> Michael
<mpemberton@boeing.hq.nasa.gov> writes:

>knowledge. It's a DOS based application with an amazing
>cross-reference.

Amazing indeed :-) .....unfortunately neither accurate nor complete.

-frisk

- - 
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Mon, 05 Feb 1996 09:55:17 -0500 (EST)
From: sysop@command-bbs.com
Subject: Re: Scanning Zip files
X-Digest: Volume 9 : Issue 18

>Are there any products that will scan .ZIP files for viruses?

AntiViral Toolkit Pro (AVP) can virus scan recursively within ZIP, ARJ,
ICE, LHA and LZH archives.

Keith
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Central Command Inc.                 USA  Distributor  for
P.O. Box 856                         AntiViral Toolkit Pro
Brunswick, Ohio 44212                216-273-2820
Internet: info@command-hq.com        Compuserve:102404,3654
FTP: ftp.command-hq.com /pub/command/avp       :GO AVPRO
WWW: http://www.command-hq.com/command
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: Mon, 05 Feb 1996 12:58:31 -0500 (EST)
From: "Chris K. Skinner" <ve3ggw@igs.net>
Subject: Re: will formatting a floppy kill viruses on it?
X-Digest: Volume 9 : Issue 18

James Owens <ad354@freenet.carleton.ca> wrote:

>Will reformatting a floppy kill all viruses on it?

Yes, unless the PC you're using is infected and updates
the diskette quickly with a boot sector virus.

Regards, Chris K. Skinner, Nepean/Kanata, Ontario

------------------------------

Date: Mon, 05 Feb 1996 12:42:09 -0500 (EST)
From: kmahesh@CENTRALHOUSE.COM
Subject: Scanning .zip files
X-Digest: Volume 9 : Issue 18

>Date: Thu, 25 Jan 1996 12:10:55 -0500 (EST)
>From: Sean Burgess <mickey@zoom.com>

>Are there any products that will scan .ZIP files for viruses?

MIMEsweeper is a 100% software solution designed to facilitate network
protection from virus infection via e-mail.

MIMEsweeper uses a set of container recognition methods to identify
e-mail contents. Each one is supplied in the form of a DLL, and the
specific configuration information allows certain handlers as
catch-alls (e.g. unknown binary). The list of container types
supported includes:

* Plain text
* Unknown binary
* PKZIP (including nested and self-exploding PKZIPed files)
* UUEncoded (including nested files)
* MIME encapsulated

For more information, please contact us at Central House Technologies.
We handle marketing, sales and support for MIMEsweeper which is
developed by Integralis, Ltd. (UK).

Kolar Mahesh
Technical Support
Central House Technologies

Phone : (209)-245-5900
Fax   : (209)-245-5919
Email : kmahesh@centralhouse.com
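
The two replies above (AVP scanning inside ZIP/ARJ/LHA archives, MIMEsweeper
handling nested PKZIP files) both come down to treating an archive as a
container and scanning each member, recursing when a member is itself an
archive. The script below is an added example written for this digest, not
code from AVP, MIMEsweeper or any other product. It handles only ZIP, and the
scan string and the nested sample archive are constructed for the demo. Two
defensive details it shows that the replies do not spell out: a nesting
limit, so an archive-in-archive chain cannot recurse without end, and a
member-size ceiling plus a refusal to expand encrypted members, both reported
as findings rather than silently skipped.

```python
# Recursive archive scanning: added example, not AVP or MIMEsweeper code.
# The signature table and the nested archives are constructed for the demo.
import io
import zipfile

# Constructed scan string standing in for a real signature (it is not one).
SIGNATURES = {b"DEMO-TEST-MARKER-NOT-A-VIRUS": "Demo.Test"}

MAX_DEPTH = 8                         # bound on archive-in-archive nesting
MAX_MEMBER_SIZE = 50 * 1024 * 1024    # refuse to expand oversized members


def match_signatures(data: bytes):
    """Return the detection name of the first scan string found, else None."""
    for sig, name in SIGNATURES.items():
        if sig in data:
            return name
    return None


def scan_bytes(data: bytes, path: str, depth: int = 0) -> list:
    """Scan one blob. Archives are treated as containers: every member is
    scanned (recursively); non-archives are matched against the scan strings.
    Returns a list of (path, detection_or_error) tuples."""
    if depth > MAX_DEPTH:
        return [(path, "Error: nesting too deep")]
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        hit = match_signatures(data)
        return [(path, hit)] if hit else []
    buf.seek(0)
    findings = []
    with zipfile.ZipFile(buf) as zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}"
            if info.file_size > MAX_MEMBER_SIZE:
                findings.append((member, "Error: member too large"))
            elif info.flag_bits & 0x1:              # encrypted: cannot inspect
                findings.append((member, "Error: encrypted member"))
            else:
                findings.extend(scan_bytes(zf.read(info), member, depth + 1))
    return findings


def build_nested_sample() -> bytes:
    """Constructed input: outer.zip holds readme.txt and inner.zip; inner.zip
    holds payload.txt carrying the demo marker."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.txt", b"hello " + b"DEMO-TEST-MARKER-NOT-A-VIRUS")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"clean text")
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


def build_chain(levels: int) -> bytes:
    """Constructed input: the demo marker wrapped in `levels` nested ZIPs."""
    blob = b"DEMO-TEST-MARKER-NOT-A-VIRUS"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"level{i}", blob)
        blob = buf.getvalue()
    return blob


def scan_sample() -> list:
    return scan_bytes(build_nested_sample(), "outer.zip")


if __name__ == "__main__":
    for member, verdict in scan_sample():
        print(f"{member}: {verdict}")
    for member, verdict in scan_bytes(build_chain(12), "chain.zip"):
        print(f"{member}: {verdict}")
```

The container bytes themselves are deliberately not matched against the scan
strings: a stored (uncompressed) member would otherwise be reported twice, once
inside the container and once as the member, which is the kind of duplicate
report that confuses users about how many infected files they have.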

------------------------------

Date: Mon, 05 Feb 1996 13:59:17 -0500 (EST)
From: Tom Simondi <tsimondi@slonet.org>
Subject: Re: What are the best Integrity Checkers?
X-Digest: Volume 9 : Issue 18

In article <0012.01I0U87ANNAYPVGQEE@csc.canterbury.ac.nz>,
Robert Michael Slade <rslade@freenet.vancouver.bc.ca> penned:
[edited]
> Some general guidelines.  Change detection is the one type of antiviral 
> software which will catch all viral programs--*if* it is sufficiently 
> broadly based, and run properly.  When assessing a program, make sure that 
> it checks for changes not only in files, but in system areas of the disk, 
> memory and interrupts (for MS-DOS machines).  The "image" of the clean 
> system (and you do have to start clean) should have an integrity check of 
> its own, preferably have an encryption option, and most preferably have 
> an option for offline storage (usually on a diskette).

Agreed with one caveat. Unless it has a good scanner component,
change detection will not detect slow infectors. These infect only
when files are changed in the normal course of computer operation
(when integrity programs would be expected to update their database)
and so will not be detected by integrity checking alone. Indeed, the
slow infector was invented specifically to circumvent integrity
checkers.

Integrity Master (which you recommended) does have a scanner. I find
it to be a very useful program.

- - 
=-=- Tom Simondi -=-= Visit the Computer Knowledge home page -=-=
=-=- http://ourworld.compuserve.com/homepages/ck -=-=-=-=-=-=-=-=
=-=- E-mail: 75655.210@compuserve.com -or- tsimondi@slonet.org -=

------------------------------

Date: Mon, 05 Feb 1996 11:58:33 -0500 (EST)
From: Maurice Hilarius <maurice@ellpspace.math.ualberta.ca>
Subject: Re: Harddrive firmware virus possible?
X-Digest: Volume 9 : Issue 18

Let's not forget that SCSI drives have had code on them for years,
available/writable with mode sense commands. Still, haven't seen any
virus take advantage of it (yet). It would be very device specific, tho'.

------------------------------

Date: Mon, 05 Feb 1996 11:46:56 -0500 (EST)
From: Maurice Hilarius <maurice@ellpspace.math.ualberta.ca>
Subject: Re: Quality Anti-Virus Programs
X-Digest: Volume 9 : Issue 18

Yes, it's called f-prot, and the author is from Iceland, not Britain.
Try the simtel archives at oak.oakland.edu under 
msdos/virus/f-prot221.zip for the shareware version...

- - 
+--------------------------------------------------------------------------+
| Maurice Hilarius                   | #include<campfire.h>                |
| Proprietor / Chief Consultant      |       for(beer=100;beer>1;beer++){  |
| Hard Data                          |           take_one_down();          |
|                                    |           pass_it_around();         |
| 403-456-1510 / FAX 403-457-1338    |       }                             |
| maurice@ellpspace.math.ualberta.ca |  back_to_work(); /*never reached */ |
+--------------------------------------------------------------------------+

------------------------------

Date: Mon, 05 Feb 1996 15:13:05 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Virus concerns while using Netscape/www
X-Digest: Volume 9 : Issue 18

Tom Boldway <jboldway@student.umass.edu> writes:

> It is possible to get infested without downloading any files.

No, it is *not*. In fact, it is not even possible to browse the Web
without downloading any files. All these nice pictures that you see
are downloaded as GIF files to your local machine.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Mon, 05 Feb 1996 16:26:46 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Viruses from the internet
X-Digest: Volume 9 : Issue 18

George Wenzel <gwenzel@gpu.srv.ualberta.ca> writes:

> Macro viruses CANNOT be distributed simply by surfing web
> pages.

Yes, they can be.

> You must download an infected document file and open it
> within its respective program to become infected.

If your browser is sloppily configured - like, if it is configured to
launch WinWord when you click on a link containing a .DOC file - then
a macro virus can infect your system if you just click on a web link.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Mon, 05 Feb 1996 16:31:10 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: will formatting a floppy kill viruses on it?
X-Digest: Volume 9 : Issue 18

> [Moderator's note:  As others have pointed out, you have to use the "/u"
> switch with MS-DOS 5 and later.]

I dispute that this is necessarily important. Even without this
switch, the FORMAT program will overwrite the boot sector of the
floppy (thus overwriting any boot sector virus on it). It will also
write empty FATs and root directory, thus removing any links from any
infected executable files. I maintain that making the virus code
inaccessible is sufficient to "kill" it. Indeed, it is possible to
undelete infected files if the /u switch is not used - but then, after
you do an undelete, the floppy is not formatted clean any more. :-)
After all, you can re-infect a freshly disinfected file too. It all
depends on how you define "kill".

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

[Moderator's note:  Using the "/u" switch ensures virus "fragments" which
could be scattered around the diskette will not cause ghost positives when
seen by a scanner in disk buffers in future...  I agree that, technically,
to "kill" a virus on a diskette doesn't -require- "/u", but it reduces the
number of possible future headaches.]
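
Both positions above (Vesselin's: the boot sector, FATs and root directory
are rewritten either way, so the virus is no longer reachable; the
moderator's: without "/u" the data clusters keep their old contents, which a
raw-sector scan may later report) can be made concrete on a model floppy.
The script below is an added example written for this digest, not code from
either poster. It uses a simplified 1.44 MB FAT12 layout (512-byte sectors,
one boot sector, two 9-sector FATs, a 14-sector root directory, data from
sector 33) and a harmless constant as the "scan string"; it does not model
FORMAT's actual boot code or the undelete case.

```python
# DOS FORMAT with and without /U on a model FAT12 floppy: added example, not
# from the digest. The image layout is simplified and the marker is harmless.
SECTOR = 512
BOOT, FAT1, FAT2, ROOT, DATA, TOTAL = 0, 1, 10, 19, 33, 2880   # sector numbers
FAT_SECTORS, ROOT_SECTORS = 9, 14
MARKER = b"CONSTRUCTED-BOOT-MARKER"      # stands in for a scan string


def blank_image() -> bytearray:
    return bytearray(TOTAL * SECTOR)


def write_sectors(img: bytearray, first: int, payload: bytes) -> None:
    img[first * SECTOR:first * SECTOR + len(payload)] = payload


def install_boot(img: bytearray, code: bytes) -> None:
    """Write a complete boot sector: jump, BPB area, code, 55AA signature."""
    sect = bytearray(SECTOR)
    sect[0:3] = b"\xEB\x3C\x90"
    sect[62:62 + len(code)] = code
    sect[510:512] = b"\x55\xAA"
    write_sectors(img, BOOT, bytes(sect))


def fresh_fats(img: bytearray) -> None:
    fat = bytearray(FAT_SECTORS * SECTOR)
    fat[0:3] = b"\xF0\xFF\xFF"           # media descriptor entry for 1.44 MB
    write_sectors(img, FAT1, bytes(fat))
    write_sectors(img, FAT2, bytes(fat))


def clear_root(img: bytearray) -> None:
    write_sectors(img, ROOT, bytes(ROOT_SECTORS * SECTOR))


def format_floppy(img: bytearray, unconditional: bool) -> None:
    """Plain FORMAT rewrites the boot sector, both FATs and the root
    directory; FORMAT /U additionally overwrites the whole data area."""
    install_boot(img, b"clean boot code")
    fresh_fats(img)
    clear_root(img)
    if unconditional:
        write_sectors(img, DATA, bytes((TOTAL - DATA) * SECTOR))


def raw_sector_sweep(img: bytearray) -> list:
    """Sectors in which a raw-sector scan would still see the marker."""
    return [s for s in range(TOTAL) if MARKER in img[s * SECTOR:(s + 1) * SECTOR]]


def root_entries(img: bytearray) -> int:
    """Count live root-directory entries (first byte neither free nor deleted)."""
    root = img[ROOT * SECTOR:(ROOT + ROOT_SECTORS) * SECTOR]
    return sum(1 for i in range(0, len(root), 32) if root[i] not in (0x00, 0xE5))


def infected_image() -> bytearray:
    """Constructed 'infected' floppy: marker in the boot sector, a file
    VIRUS.COM in cluster 2 holding the marker, and a stray copy of the marker
    at sector 40 (boot-sector viruses often park data in a data cluster)."""
    img = blank_image()
    install_boot(img, MARKER)
    fresh_fats(img)
    for fat in (FAT1, FAT2):             # FAT12 entry for cluster 2 = 0xFFF (end of chain)
        img[fat * SECTOR + 3:fat * SECTOR + 5] = b"\xFF\x0F"
    entry = (b"VIRUS   COM" + bytes(15)
             + (2).to_bytes(2, "little") + len(MARKER).to_bytes(4, "little"))
    write_sectors(img, ROOT, entry)
    write_sectors(img, DATA, MARKER)     # cluster 2 is the first data cluster
    write_sectors(img, 40, MARKER)
    return img


def demo() -> dict:
    quick, full = infected_image(), infected_image()
    before = raw_sector_sweep(quick)
    format_floppy(quick, unconditional=False)
    format_floppy(full, unconditional=True)
    return {"before": before,
            "quick": raw_sector_sweep(quick), "quick_entries": root_entries(quick),
            "full": raw_sector_sweep(full), "full_entries": root_entries(full)}


if __name__ == "__main__":
    print(demo())
```

After the plain format the directory is empty and the boot sector is clean,
so nothing boots or can be opened by name (Vesselin's point), yet the marker
is still present in two data sectors for a raw scan to find (the moderator's
point); after FORMAT /U it is gone everywhere.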

------------------------------

Date: Mon, 05 Feb 1996 16:33:30 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: What are the best Integrity Checkers?
X-Digest: Volume 9 : Issue 18

Robert Michael Slade <rslade@freenet.vancouver.bc.ca> writes:

> Change detection 
> will detect *all* viral programs

That depends on how well the change detection software is written. Few
integrity checkers are prepared to deal with the DOS file
fragmentation attack and will therefore miss a 3APA3A infection. For
more information about such caveats, the reader should refer to

ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/attacks.zip

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Mon, 05 Feb 1996 17:27:41 -0500 (EST)
From: Ken Stieers <kens@ontrack.com>
Subject: Re: Harddrive firmware virus possible?
X-Digest: Volume 9 : Issue 18

Just a note.  This data written to the hard drive isn't hard drive
firmware, it's equivalent to the CMOS settings.  We haven't seen anything
like this yet, and chances are, we will see it before most consumers. 

Ken Stieers

- - 
Views expressed herein are not necessarily the views 
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               |  Minneapolis - 1.800.872.2599       * 
* AV Research/Apps. Eng.    |  Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  |  Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     |  London - 0800 24 39 96             *
* Eden Prairie, MN          |  Japan - 81.429.32-6365             *
*******************************************************************

------------------------------

Date: Mon, 05 Feb 1996 17:30:15 -0500 (EST)
From: Ken Stieers <kens@ontrack.com>
Subject: Re: Will one virus detector "detect" another one?
X-Digest: Volume 9 : Issue 18

Not usually, but it does happen once in a great while.  Most recently 
McAfee called F-Prot infected with VCL.  The full description is posted
here somewhere by Vesselin.  All of the major AV companies encrypt their
scan string data so as not to cause false alarms. 

Ken

- - 
Views expressed herein are not necessarily the views 
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               |  Minneapolis - 1.800.872.2599       * 
* AV Research/Apps. Eng.    |  Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  |  Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     |  London - 0800 24 39 96             *
* Eden Prairie, MN          |  Japan - 81.429.32-6365             *
*******************************************************************
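
The last sentence of Ken's reply, that vendors encrypt their scan strings so
one product's pattern file does not look infected to another, is easy to
demonstrate. The script below is an added example written for this digest,
not any vendor's code; the two "signatures" and the XOR key are constructed
placeholders. It builds a pattern database twice, once with the patterns in
the clear and once XOR-encoded, then runs a matcher over both files: the
plain file matches every pattern it contains, the encoded file matches none,
while a real sample is still detected because the patterns are decoded only
in memory.

```python
# Encoded scan-string database: added example, not any vendor's code.
DB_KEY = b"constructed-obfuscation-key"   # not a secret; keeps patterns out of the clear

# Constructed pattern database: detection name -> raw scan string.
RAW_SIGNATURES = {
    "Demo.A": b"DEMO-PATTERN-A-NOT-A-VIRUS",
    "Demo.B": b"DEMO-PATTERN-B-NOT-A-VIRUS",
}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_database(raw: dict) -> bytes:
    """Serialize the database as name, NUL, 2-byte length, XOR-encoded pattern.
    The file that ships the patterns never contains them verbatim."""
    out = bytearray()
    for name, sig in raw.items():
        enc = xor_bytes(sig, DB_KEY)
        out += name.encode() + b"\x00" + len(enc).to_bytes(2, "big") + enc
    return bytes(out)


def load_database(blob: bytes) -> dict:
    """Parse the database, decoding each pattern only in memory."""
    sigs, pos = {}, 0
    while pos < len(blob):
        end = blob.index(b"\x00", pos)
        name = blob[pos:end].decode()
        length = int.from_bytes(blob[end + 1:end + 3], "big")
        enc = blob[end + 3:end + 3 + length]
        sigs[name] = xor_bytes(enc, DB_KEY)
        pos = end + 3 + length
    return sigs


def scan(data: bytes, sigs: dict) -> list:
    """Names of every pattern found in data, sorted for stable reporting."""
    return sorted(name for name, sig in sigs.items() if sig in data)


def demo() -> dict:
    encoded_db = build_database(RAW_SIGNATURES)
    plain_db = b"".join(RAW_SIGNATURES.values())    # what a naive product would ship
    sigs = load_database(encoded_db)
    return {
        "roundtrip": sigs == RAW_SIGNATURES,
        # Product X scanning product Y's files: the plain pattern file "is infected".
        "plain_db_hits": scan(plain_db, sigs),
        "encoded_db_hits": scan(encoded_db, sigs),
        # A real sample is still caught, since matching uses the decoded patterns.
        "sample_hit": scan(b"...DEMO-PATTERN-B-NOT-A-VIRUS...", sigs),
    }


if __name__ == "__main__":
    print(demo())
```

The same reasoning applies to a scanner's own executable: patterns embedded in
it as plain bytes would trigger any other scanner that knows the same strings,
which is the kind of cross-detection Ken describes.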

------------------------------

Date: Mon, 05 Feb 1996 09:19:13 -0500 (EST)
From: Fridrik Skulason <frisk@complex.is>
Subject: Re: Does OS/2 need special treatment? (OS/2)
X-Digest: Volume 9 : Issue 18

>>I have an OS/2 system (DOS and OS/2 on one hard drive). If I boot
>>from a DOS installation diskette and scan (from a scanner on the hard
>>drive), does this do everything I need?

I replied:

>With respect to DOS viruses, yes.   As for OS/2 viruses, there is one problem:
>a DOS scanner might not be able to find them, if they infect a file with a
>"long" filename.  OS/2 scanners will of course not have that problem.

I have to correct my reply...If you are using the HPFS file system, you
can only scan it if you boot OS/2 normally...in that case the "long
filename" problem holds.

If you are using the FAT file system, the long file name problem does not
matter.

-frisk

- - 
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Mon, 05 Feb 1996 09:01:16 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Question: Linux viruses? (UNIX)
X-Digest: Volume 9 : Issue 18

Pete Radatti <radatti@cyber.com> writes:

> > first is "Are there viruses that operate under Linux?"  If so, is
> 
> All of the boot sector viruses will work.

No, they will *not*. They will only infect the Linux machine and could
also cause damage, if their payload is activated at boot time, but
they will be unable to spread further.

> If a ms-dos program will run on your Linux system then
> so will a ms-dos based virus.

That depends on how exactly the program is run. If it is a MS-DOS
executable run under DOS-Emu, then the virus in it might or might not
work - depending on how "well-behaved" it is. Furthermore, the file
protections in Linux cannot be bypassed by the DOS programs run under
the emulator. Finally, you can't run a boot sector virus under the
emulator.

Of course, if you have a dual-boot partition and occasionally boot
MS-DOS, then the viruses will work - but then you will be running
MS-DOS; not Linux.

> I believe that both my product (VFind) and Dr Solomon's toolkit run on 
> Linux.  I don't know of any other anti-virus for Linux.

We are considering the possibility to make a Linux port of F-PROT. Do
you think that there will be a demand for it?

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Mon, 05 Feb 1996 13:18:09 -0500 (EST)
From: Richard.Prairie@UC.Edu
Subject: MBDF B Virus on CD-ROM (MAC)
X-Digest: Volume 9 : Issue 18

I recently received "Software of the Month 2/96" CD-ROM from the Software
of the Month Club.  A "Bonus" file was intercepted by Disinfectant 3.6 as
containing the "MBDF B Virus" when I tried to execute it.

Fortunately, the disk also contains Disinfectant 3.6 in the "Utilities"
folder, so running that program and choosing the "Protect" feature will
prevent infection by "Bonus" if the Macintosh has been rebooted prior to
executing "Bonus".  The other 1014 Mac files on the disk scanned clean.

Rick Prairie

------------------------------

Date: Mon, 05 Feb 1996 09:13:51 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Word macro "viruses" - clarification? (MAC,WIN)
X-Digest: Volume 9 : Issue 18

Alexis Manning <Alexis.Manning@durham.ac.uk> writes:

> I have heard of WinWord.Concept and WinWord.Nuclear. I take it that
> these are not one and the same,

Right, they are not.

> so what are WinWord.Nuclear's
> effects?

See http://www.datafellows.com/macrovir.htm.

> Are any other prank macros like these known to exist?

Yes; there are also Colors, DMV, and Hot (all for WinWord) and
Green_Stripes (for AmiPro).

> There
> is no reason why this form of virus couldn't be written under, say,
> Access, or any other language which supports scripting to such an
> extent.

Correct.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Mon, 05 Feb 1996 10:19:34 -0500 (EST)
From: "A. Padgett Peterson, P.E. Information Security" <PADGETT@hobbes.orl.mmc.com>
Subject: WORD Macro Viruses - Why them is. (MAC,WIN)
X-Digest: Volume 9 : Issue 18

In understanding how to stop WOID macro viruses and other such infections
as well as why WD1215 is a poor answer it is necessary to understand how
such a virus propagates.

The process looks like this:

1) A document is sent through E-mail
2) With a binary attachment
3) That is associated with WOID (or Excel or Access, or AmiPro -
whatever).
4) On doubleclick, the mailer is configured to
5) Create a Windows ~<name>.TMP file
6) Launch the application (e.g. WOID)
7) Which runs the macros in the attachment.
8) You is been had.

Now why cannot the problem be handled inside WOID specifically ? Reason
is because WOID will run two macros automatically in this instance:
1) AutoExec (if present) when the application starts
2) AutoOpen (when the .TMP file is opened).

The problem with AutoExec is that even though it runs before the file
opens and you can do *anything* with it, it also runs before WORD knows
what the ~<name>.TMP is - FileOpen$() returns a null string and
FileOpen$(1) returns the *last* file to be open, not the current one.

AutoOpen on the other hand does have the correct value available in 
FileOpen$() however it too has a fatal flaw which is found on page 33
of the Microsoft (R) WORD Developer's Kit, Document number WB51159-1093
(which I found for $3.98 on the clearance bin in an outlet mall 8*).
However the copyright notice is so draconian that I will not quote.
- The bottom line is that WOID looks in the document *first* and if it
finds an AutoOpen macro there, it will run that instead of the one
you put inside the global template.

Thus at the first chance to stop a virus, you cannot find what file to
check, and at the second chance, the document already has control.
Lose-Lose.

This does not mean that such viruses cannot be controlled, just not from
inside WOID.

Now if you look back at my chart, there is such an opportunity for
control - between items 5 & 6, when the mailer first writes the attachment to
disk and before the launch of WOID. A resident program could intercept the
disk write, check the document for the presence of macros, pop a dialogue
box if any are found, and turn them off if the user wants (one bit in the 
document) before writing so that WOID does not think it has any Macros.

Options possible would be to:
1) List the macros by name
2) Examine for known viruses
3) Remove Known viruses
4) Check macros heuristically for "nasties".

However after some deep study, testing, and burning out a co-worker, I
have come to the conclusion that this is the best way to address the
problem. So who is going to add this feature ? Have yet to see it
anywhere.

					Warmly,
						Padgett

------------------------------

Date: Mon, 05 Feb 1996 11:12:04 -0500 (EST)
From: Ralf Grisard <ralf@lexis-nexis.com>
Subject: Word Macro Colors Virus (MAC?,WIN)
X-Digest: Volume 9 : Issue 18

All the references in this group to the Word macro Colors virus
have made me nervous, especially since none that I've seen say
anything about how to protect against or clean it. If there are
any known defenses against it, I'd appreciate hearing about them,
as well as a brief description of this virus' effects. Thank you.
- - 
Ralf Grisard
ralf@lexis-nexis.com
LEXIS-NEXIS, Technical Communications, P.O. Box 933, Dayton, OH 45401
voice: 513-865-7314  fax: 513-865-1655

------------------------------

Date: Mon, 05 Feb 1996 13:31:16 -0500 (EST)
From: Bill Bracco <wmbracco@smtpgate.read.tasc.com>
Subject: Does Concept always infect? (MAC,WIN)
X-Digest: Volume 9 : Issue 18

The Win Word Macro virus (Prank) is alleged to infect unprotected
word apps from any infected docs.  We have seen this to be the
case.  We have also seen that creation of new or the opening of
uninfected docs in an infected word app will also infect that
document.  However this observation is not 100%.  We have seen that a
computer (confirmed infected) has sent docs to other computers and
they have not been infected.  What's more, the document is infected on
the "creator's" computer but not on the receiver's computer.  This
seems to suggest that we don't know all the information about this
virus.  The docs have all been transferred via Novell's GroupWise
e-mail system.  It seems that sometimes it will pass the infection,
sometimes it will not.  

Could someone please explain this?

Bill Bracco
WMBracco@tasc.com

------------------------------

Date: Mon, 05 Feb 1996 15:20:36 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Word Macro Viruses, defences (MAC,WIN)
X-Digest: Volume 9 : Issue 18

David Harley <harley@europa.lif.icnet.uk> writes:

> : The easy answer would be to disable the automatic execution of macros
> : found in documents (they are supposed to be only in templates but WORD
> : does not seem to care so long as the format of the file is correct).
> 
> Easy, but not altogether effective. The infective mechanism used by Colors
> is not dependent on automacros being enabled, but on the infected document
> being the default template (as it becomes when it's opened). Nice touch.

I think you have misunderstood Padgett. He didn't mean "to disable the
execution of the auto macros"; he meant "to disable the (automatic)
execution of *any* macros found in the document".

The reason why the trick that Colors uses works is because if a system
macro (say, FileSaveAs) exists in the loaded document, when you try to
execute the respective command (say, File/SaveAs) it will be the macro
in the document that will be executed - it will take precedence over the
system command, simply because it uses the same name.

As Padgett wrote, it would be nice to be possible to turn this default
behaviour off.

> I think that technically a document with macros *is* a template: one of

Correct; non-templates can, technically speaking, contain macros but
the macros in them are inaccessible.

> the side effects of macro viruses is that they block attempts to save
> a document *as* a document rather than a template. This can generate an

That's not quite precise. If you are infected with a macro virus,
create a new document, and try to save it - you can save it anywhere
you want. It will seem to you that you are saving it as a document
(because the virus will display the appropriate dialog box). However,
before the document is saved (in the place specified by you), the
virus will change its type to template.

Now, if you are *already* infected, then load yet another infected
document that _already exists_ (as opposed to creating a new one), and
try to save that - WinWord will try to force you to save it in the
template directory (all other choices will be dimmed) - because the
document is already a template. You still can save it wherever you
want (if you enter the full path in the file name field) but it's a
dead giveaway that you are infected. Currently all known macro viruses
have this problem. It is possible to solve it, however, so do not rely
on this as a sure-fire way to tell whether you are infected or not -
future macro viruses might be more intelligent.

> Indeed they weren't, but it wouldn't be impossible to write an infective
> macro using Word 2 only. I don't know why 1995 became *the* year of the
> macro virus, rather than 1992.

Or 1989, when Prof. Highland's paper demonstrating that macro viruses
are possible, was published.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E
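The "dead giveaway" above (a file the user saved as a document that is now, internally, a template) leaves a trace in the file header that a scanner or an administrator's script can check. The following is an added example, not code from the digest or from F-PROT: it decodes the FibBase at the start of a Word binary file's WordDocument stream, using the field layout published in Microsoft's [MS-DOC] specification, and flags a .doc file whose fDot (template) bit is set. It assumes the WordDocument stream has already been pulled out of the OLE2 container (with any OLE reader); the sample FibBase bytes are constructed, not taken from a real file, and nFib 0x0065 is used only as an arbitrary version number.

```python
import struct

# Layout of the 32-byte FibBase at the start of the "WordDocument" stream,
# per Microsoft's published [MS-DOC] specification:
#   offset 0  wIdent  magic 0xA5EC
#   offset 2  nFib    file format version number
#   offset 4  unused
#   offset 6  lid     language identifier
#   offset 8  pnNext
#   offset 10 flag word; bit 0 = fDot, "this file is a template"
# Assumption for this example: the caller has already extracted the
# WordDocument stream from the OLE2 container.
WORD_IDENT = 0xA5EC
FIB_BASE_LEN = 32


def parse_fib_base(stream: bytes) -> dict:
    """Decode the FibBase fields that matter for a template check."""
    if len(stream) < FIB_BASE_LEN:
        raise ValueError("WordDocument stream too short to hold a FibBase")
    w_ident, n_fib, _unused, lid, _pn_next, flags = struct.unpack_from(
        "<HHHHHH", stream, 0)
    if w_ident != WORD_IDENT:
        raise ValueError(f"not a Word binary document (wIdent=0x{w_ident:04X})")
    return {
        "nFib": n_fib,
        "lid": lid,
        "fDot": bool(flags & 0x0001),          # template (.DOT) rather than document
        "fGlsy": bool(flags & 0x0002),         # glossary
        "fComplex": bool(flags & 0x0004),      # last save was an incremental (fast) save
        "fHasPic": bool(flags & 0x0008),
        "cQuickSaves": (flags >> 4) & 0x0F,    # fast saves since the last full save
        "fEncrypted": bool(flags & 0x0100),
        "fWhichTblStm": bool(flags & 0x0200),  # table stream is 1Table, not 0Table
    }


def template_mismatch(filename: str, stream: bytes) -> bool:
    """True for a file named like a plain document whose header says 'template'.

    This is the on-disk trace of the behaviour described above: the macro
    virus lets the user "save as document" and quietly flips the type.
    """
    return filename.lower().endswith(".doc") and parse_fib_base(stream)["fDot"]


def make_sample(flags: int, n_fib: int = 0x0065) -> bytes:
    """Constructed FibBase for demonstration (not captured from a real file)."""
    head = struct.pack("<HHHHHH", WORD_IDENT, n_fib, 0, 0x0409, 0, flags)
    return head + bytes(FIB_BASE_LEN - len(head))


# Constructed samples: an ordinary document and one whose template bit is set.
PLAIN_DOC = make_sample(0x0000)
DOC_TURNED_TEMPLATE = make_sample(0x0001)


if __name__ == "__main__":
    for name, data in (("letter.doc", PLAIN_DOC), ("letter.doc", DOC_TURNED_TEMPLATE)):
        info = parse_fib_base(data)
        verdict = "SUSPICIOUS: template flag set" if template_mismatch(name, data) else "ok"
        print(f"{name}: nFib=0x{info['nFib']:04X} fDot={info['fDot']} -> {verdict}")
```

The check is deliberately narrow: a .doc with fDot set is not proof of infection (a user can rename a template), but, as the post explains, every macro virus known at the time left exactly this mark, so it is a cheap triage signal to run across a file server before a full scan.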

------------------------------

Date: Mon, 05 Feb 1996 12:13:02 -0500 (EST)
From: John Tabor <jtabor@ids2.idsonline.com>
Subject: Possible Win95 Virus (WIN95)
X-Digest: Volume 9 : Issue 18

Symptoms:

File name misallocation and crosslinked clusters - ONLY in the Win95
directory.

This first happened to me about two weeks ago even though I was
running MS AntiVirus.  I did not catch it until it had already
destroyed my Windows directory leaving four files - two of which had a
smiley-face extension.

I downloaded McAfee VirusScan 95 and installed it.  It, too, said my
system was clean.  I reinstalled Win95 and carried on with my life.  

Then it struck again last night.  Luckily, I was able to catch it and
shut down before too much damage was done.  I caught it by noticing
error messages saying something to the effect of "DLL initialization
failure."  One of those DLL's was the DoubleSpace driver for
DriveSpace 3.  Seeing how one of my two hard drives is compressed with
DriveSpace 3, this was of paramount concern to me.  

In the attempt to reinstall the DS3 drivers from MS Plus!, I found
that other DLL's had been affected.  I ran ScanDisk which promptly
found a plethora of misallocated filenames and crosslinked clusters.
ALL of the affected files were once again in the Windows directory.

The latest McAfee and Microsoft virus scanners seem unable to detect
a virus, but I've never heard of a file system corrupting so many
files so quickly and never have all the affected files been limited to
a single directory.

Any help would be VERY much appreciated.

Thanks!

John Tabor
jtabor@ids2.idsonline.com
http://www.idsonline.com/userweb/jtabor

------------------------------

Date: Mon, 05 Feb 1996 15:58:01 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Windows95 Virus Scanner (WIN95)
X-Digest: Volume 9 : Issue 18

"Chengi J. Kuo" <cjkuo@alumnae.caltech.edu> writes:

> >Most DOS virus scanners should work pretty well in a DOS box under
> >Windows95. Nevertheless, most major anti-virus producers (us included)
> >do offer Windows95 versions of their products.

> Not necessarily if you are using in combination with a VxD.
> The VxD should catch and prevent the DOS scanner from seeing any
> infected files.

I'm not sure what you mean exactly. If the on-demand scanner is by the
same producer as the VxD, then they have a way to communicate between
themselves and not cause double alerts. If they are from different
companies, a problem will arise only if there *is* a virus and the VxD
*does* detect it - then it will raise an alert before the scanner has
the chance to scan the file. However, the virus will be detected
anyway - so it's not a problem, right? Finally, do you mean that a VxD
which is from a different producer and does *not* detect the virus
might make the DOS scanner not see the file? I don't think so, unless
the VxD is sloppily written.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Mon, 05 Feb 1996 09:01:22 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Word 6 macro virus in WordPerfect (WIN)
X-Digest: Volume 9 : Issue 18

> If I get an infected Word document and I normally use WP 6.1 for 
> Windows, do I still have a virus if I convert the document to 
> WP6 format and delete the Word document?

No, you do not.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Mon, 05 Feb 1996 09:45:33 -0500 (EST)
From: myran <era.eraat@memo.ericsson.se>
Subject: Should I NOT have programs open except for the one(s) curr. used? (WIN)
X-Digest: Volume 9 : Issue 18

Will that at all prevent any "intruder" from doing damage or at least 
limit damage?

Provided of course that any AV-program detects the virus instantly and
actions are taken accordingly...

My guess is that "it depends"... Is anyone willing to comment on this?

(couldn't really find this in any FAQ - maybe it's too obvious...?)
regs /// myran

------------------------------

Date: Mon, 05 Feb 1996 08:11:28 -0500 (EST)
From: "Bob Witham Jr." <Robert.L.Witham.Jr@STATE.ME.US>
Subject: Re: Free or Cheap Virus Scanners (PC)
X-Digest: Volume 9 : Issue 18

This would better be titled "low cost virus scanners" or "$1 or less virus 
scanners".  I must admit, I was one of the skeptics that quality AV 
software cannot be obtained for a dollar.  I may be wrong.  I am currently 
evaluating AVP anti-virus toolkit from Command Software.  So far, the 
software looks good, and Virus Bulletin found it was the tops in their 
January issue.  The company has a VERY aggressive pricing structure.  While 
I don't believe I should discuss pricing (I will leave that to them), I 
must say I now believe that a $1 (or less) software does exist.  Oh, I am 
looking at a 6,000 unit license with them.  Also, another attractive 
feature is that their license covers their products regardless of the 
platform.  DOS (they have), WIN 3.1, WIN95, NT (soon to be out), OS/2 (in 
the works), or Macintosh (on hold for awhile).  I was impressed.  You can 
contact Keith Peer at keith@command-hq.com  He should have a pretty good 
handle on what's going on there, he's the head & horns of the outfit.  
Very nice fellow too, and he seems to know what he is talking about. :)

Bob W.

------------------------------

Date: Mon, 05 Feb 1996 09:32:09 -0500 (EST)
From: Kenneth Albanowski <kjahds@kjahds.com>
Subject: Re: How to remove "Ekaterin" virus ? (PC)
X-Digest: Volume 9 : Issue 18

On Tue, 30 Jan 1996, Lee Brown wrote on how to prevent a virus from 
loading when you switch on a machine:

> 1.  Find a clean (non-infected) boot disk.
> 2. Switch off the Computer.
> 3. Place the disk into the drive.
> 4. Switch computer back on.
> 5. Run Dos based virus scanner to check memory!!

This isn't too far off the mark, as such things go, but one step is
missing from the above list: 

 1.5. Bring up the computer's BIOS setup screen (usually ESC or DEL while
it's booting) and make sure that it is set to boot drives "A: before C:". 
(This is usually in the "extended setup" screen. Older machines don't have
this, and don't have to worry about this issue.)

Without this, some viruses _will_ manage to load into memory when you
apparently boot off of the clean floppy. The virus doesn't "jump back" to
the hard drive when you shut off the computer (no software on a PC is
capable of that, and the virus is already on the hard drive) but it can
arrange so that the hard drive is booted even when a floppy disk is in the
drive. 

I have no idea what percentage of viruses "in the wild" can use this
trick, but another ounce of prevention can't hurt.

- -
Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)

------------------------------

Date: Mon, 05 Feb 1996 09:55:06 -0500 (EST)
From: sysop@command-bbs.com
Subject: Re: ONE HALF.3544 Virus Detected (PC)
X-Digest: Volume 9 : Issue 18

>Pleaes can somebody advise me how I can remove the ONEHALF.3544 virus
>from PCs without deleting .COM or .EXE files.

AntiViral Toolkit Pro can remove the virus for you and also, I think there
is a FREEWARE specific Onehalf virus removal tool.

Keith

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Central Command Inc.                 USA  Distributor  for
P.O. Box 856                         AntiViral Toolkit Pro
Brunswick, Ohio 44212                216-273-2820
Internet: info@command-hq.com        Compuserve:102404,3654
FTP: ftp.command-hq.com /pub/command/avp       :GO AVPRO
WWW: http://www.command-hq.com/command
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: Mon, 05 Feb 1996 09:55:14 -0500 (EST)
From: sysop@command-bbs.com
Subject: Re: How can I eliminate HAVOC 2? (PC)
X-Digest: Volume 9 : Issue 18

>A friend a mine was recently infected with the HAVOC 2 virus.  He has
>tried using Norton Anti-Virus (I don't know what version) and it
>detects the virus but cannot eliminate it.  Has anyone been able to
>eliminate this virus?  Norton says that it infects the boot sectors.
>I have, in the past, over-written the boot sectors on infected disks
>(hard and floppy drives) with good boot sectors from bootable
>floppies.  This is extreme of course but so is having to recreate
>everything.  Is this an option here?  Any help would be greatly
>appreciated.

We recently helped a large university clean up the Havoc II virus and
prevent the reinfection process so common with Boot Sector viruses. Please
contact us for more information. AntiViral Toolkit Pro can detect and
remove this virus for you. 216-273-2820 x2000

Keith
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Central Command Inc.                 USA  Distributor  for
P.O. Box 856                         AntiViral Toolkit Pro
Brunswick, Ohio 44212                216-273-2820
Internet: info@command-hq.com        Compuserve:102404,3654
FTP: ftp.command-hq.com /pub/command/avp       :GO AVPRO
WWW: http://www.command-hq.com/command
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: Mon, 05 Feb 1996 09:59:22 -0500 (EST)
From: Lars Renman <lars@amc.chalmers.se>
Subject: Re: Is this a virus? (PC)
X-Digest: Volume 9 : Issue 18

In article <0024.01I0R33FGIF6PVGQEE@csc.canterbury.ac.nz> Bruce Peck 
<bruce_peck@aici.com> writes:
>An administrator at a remote site in my company reported these 
>conditions on some of her PCs and cannot find evidence of a virus by 
>[snip]
>In a population of about 50 PCs on a Novell network, 5 or 6 of them 
>will on occasion have trouble booting with the result being a screen 
>full of random ascii characters and the PC locks.  A hard boot is 
>required and may take 2 or 3 tries to successfully boot.  The problem 
>may not surface on this PC again for several weeks or even a month or 
>two.  The PCs are all Compaq but are different models and were 
>purchased at different times.  These symptoms did not appear all at once.  
>[snip]

Maybe not a virus problem; we have had problems like this with newer PCs 
(Pentiums) when we have used old network adapters (16-bit AT bus) and old 
drivers. In some cases it has helped to update the drivers, and in some
cases we have had to buy new adapters (for the PCI bus). This has helped
in most cases. Some of the new Plug-And-Play BIOSes may also be buggy, which
we have seen on at least one Compaq Pentium.

/Lars Renman

------------------------------

Date: Mon, 05 Feb 1996 10:14:15 -0500 (EST)
From: ASCOLI Martino <s850427@student.ulg.ac.be>
Subject: Need info about Sentry virus (PC)
X-Digest: Volume 9 : Issue 18

I would like to know if there is an antivirus for the Sentry virus?

ASCOLI Martino
s850427@student.ulg.ac.be

------------------------------

Date: Mon, 05 Feb 1996 10:40:15 -0500 (EST)
From: "Charles A. Plater" <cplater@rattlehead.pass.wayne.edu>
Subject: Da'Boys (PC)
X-Digest: Volume 9 : Issue 18

HELP!  We are having a major problem with the Da'Boys virus.  I have
tried several scans with fprot, but it is unable to remove the virus.
Any help would be appreciated.  Please reply by e-mail, as I rarely get
a chance to check the newsgroups.

	Charles A. Plater, Lab Supervisor, Wayne State University

------------------------------

Date: Mon, 05 Feb 1996 11:12:07 -0500 (EST)
From: Jonathan Baker-Bates <jonathan@theframe.com>
Subject: Suspicious Unidentified Activity? (PC)
X-Digest: Volume 9 : Issue 18

We have been using a 486DX-66 8/540 dual booting with WWG 3.11 and 95 for
testing purposes here in London, UK, that has recently exhibited the
following behaviour:

Win 3.11 suddenly started to consistently hang shortly after the Windows
splash screen disappeared and before Program Manager came up. The hang was
accompanied by a brief error "bleep" similar to that of MSAV's warning
signal. Once the MSAV line was rem'd out in autoexec.bat, Windows booted
happily.

Subsequent virus scans with MSAV, F-PROT and McAfee's VirusScan for 95
revealed no named virus, but reported a large number of files had changed.
These were both .EXE files (mostly in the Windows directory, including
EMM386.EXE, but also NOTEPAD.EXE and other non-system related files), as
well as data files including various .DLL and .FON files.

The entire system then seemed gradually to slow down (both in Win 3.11 but
particularly in 95), with a great deal of HD activity and long (up to 3 or
4 second) periods during procedures such as program launching or window
opening, where nothing happened at all. At present the machine is
operating at about half the speed it was previously.

The only significant event that occurred before the trouble started was
that we downloaded and installed Sun's Hot Java browser.

If anybody has any suggestions, I would be grateful.

JJ

------------------------------

Date: Mon, 05 Feb 1996 13:59:14 -0500 (EST)
From: Tom Simondi <tsimondi@slonet.org>
Subject: Re: SUSPECTED VIRUS FOR WordPerfect? (PC)
X-Digest: Volume 9 : Issue 18

In article <0033.01I0V91M1894PVHY7M@csc.canterbury.ac.nz>,
David Crockett <crockett@UMDNJ.EDU> penned:
[edited]
> First, when attempting to launch WordPerfect, Quattro Pro and several 
> other programs (Micrografx's Designer or Photomagic, SigmaPlot), the
> computer would report that it could not read drive C.  DOS programs worked
> fine as well as some Windows based programs.   So I ran scandisk from DOS. 
> Scandisk reported a problem with the FAT; it "fixed" it by truncating it.
> 
> Second, after running scandisk, Quattro Pro miraculously works as well as
> most of the programs.  However, WordPerfect will not launch,
> reporting that it can not find shwin20.dll.  This is on both computers! 
> Also, Micrografx's Photomagic does not launch on both computers and the
> same is true for SigmaPlot (from Jandell). The coincidence is just too
> unbelievable that two computers would develop a problem with the same
> portion of the FAT.  The computers are two different brands and have
> different configurations.

I doubt you have a virus and actually, the probability of the problems
you encountered happening on two different computers appears rather
high. You seem to be one of the few people who have almost exact
software configurations on two different computers. So, if the software
has a bug and you try to do the same thing on both computers, the
same bug is fairly likely to appear and do the same thing.

In this case, since SCANDISK fixed some files by truncating them it
would seem that you did get hit with the same bug and that it
crosslinked the same file(s) on both machines. SCANDISK then fixed
both machines the same way: by effectively making one or more of the
crosslinked files unusable on both machines.

This is a classic case where an integrity checker would be of great
help to you. With it you would have a complete database on the
structure of your disk and the files on it. You could find out
instantly exactly what files SCANDISK changed and therefore know
which files you are likely going to have to replace from backups.

- - 
=-=- Tom Simondi -=-= Visit the Computer Knowledge home page -=-=
=-=- http://ourworld.compuserve.com/homepages/ck -=-=-=-=-=-=-=-=
=-=- E-mail: 75655.210@compuserve.com -or- tsimondi@slonet.org -=
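The integrity checker Tom describes, in the smallest form that still does the job: record the size and a hash of every file, keep that record somewhere the machine cannot rewrite it, and diff it after an incident. This is an added example, not code from the digest or from any product mentioned in it; the directory tree and the "after SCANDISK" changes it replays (one DLL truncated, one executable gone, one .CHK file appearing) are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large executables are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Snapshot size and SHA-256 of every file below root, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"size": os.path.getsize(full), "sha256": hash_file(full)}
    return baseline


def save_baseline(baseline: dict, path: str) -> None:
    # Keep this file where the checked system cannot silently rewrite it
    # (write-protected diskette, read-only share); a virus that is active
    # on the machine could otherwise update the baseline along with the files.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def compare(baseline: dict, current: dict) -> dict:
    """Report which files changed, disappeared, or appeared since the baseline."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario: baseline a fake Windows tree, then replay what a
    disk repair leaves behind (one file truncated, one lost, one .CHK created)."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "AUTOEXEC.BAT", b"@ECHO OFF\r\nC:\\DOS\\MSAV.EXE\r\n")
        _write(root, "WINDOWS/NOTEPAD.EXE", b"MZ" + bytes(2048))
        _write(root, "WINDOWS/SYSTEM/SHWIN20.DLL", b"MZ" + bytes(4096))
        baseline = build_baseline(root)
        baseline_path = os.path.join(root, "BASELINE.JSN")
        save_baseline(baseline, baseline_path)

        _write(root, "WINDOWS/SYSTEM/SHWIN20.DLL", b"MZ")        # truncated by the "fix"
        os.remove(os.path.join(root, "WINDOWS", "NOTEPAD.EXE"))  # lost cluster chain
        _write(root, "FILE0000.CHK", bytes(4094))                # recovered fragments

        current = build_baseline(root)
        current.pop("BASELINE.JSN", None)  # the baseline file itself is not inventoried
        return compare(load_baseline(baseline_path), current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The report answers exactly the question in the post: which files SCANDISK's "fix" touched, and therefore which ones have to come back from backup. Hashing rather than comparing sizes alone matters because a crosslink repair can leave a file the same length but with another file's clusters inside it.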

------------------------------

Date: Mon, 05 Feb 1996 11:47:07 -0500 (EST)
From: Maurice Hilarius <maurice@ellpspace.math.ualberta.ca>
Subject: Re: F-Prot shareware version status? (PC)
X-Digest: Volume 9 : Issue 18

Look in the simtel archives (oak.oakland.edu) under msdos/virus/.
This is now the official distribution site.

------------------------------

Date: Mon, 05 Feb 1996 14:05:27 -0500 (EST)
From: The Radio Gnome <V2002A@VM.TEMPLE.EDU>
Subject: Re: Virus that damages hardware (PC)
X-Digest: Volume 9 : Issue 18

>From: Doug Muth <dmuth@oasis.ot.com>
>       With modern hardware created by someone who knows what they are
>doing, hardware damage is unlikely to happen.  Two possible cases of
>damage applied to older hardware out there: hard drives and monitors.
[snip]
>...With older
>video hardware, it was possible to set the refresh rate to 0 Hz.  What
>would then happen is that the beam of electrons would be hitting the same
>row of phosphors repeatedly and burning them out.  From then on, the
>monitor would have a black line of inoperative phosphors. :)

     I see warnings in the setup programs for video cards not to set the
refresh rate too *high* for VGA monitors.  Conceivably, a virus could take
just such an action, but it would have to be aware of all the major
monitor brands out there and the specific commands for altering resolution
and refresh rates...  not exactly the smallest/easiest thing to code.

------------------------------

Date: Mon, 05 Feb 1996 13:59:12 -0500 (EST)
From: Dexter Reid <dexter@best.com>
Subject: What do i have? how do i get rid of it? (PC)
X-Digest: Volume 9 : Issue 18

<sigh> My computer used to start... it won't start now. It won't
boot from the floppy and the screen is absolutely blank.

If I had not seen it happen to another computer I would guess that the
video card died--but the sequence of events is way too similar.

It seems as though the CMOS tables are completely wiped. I don't care
at all about the data on the machine--I just want to get it running 
again. 

Please help. dexter@best.com

How can I reset the factory defaults?

------------------------------

Date: Mon, 05 Feb 1996 15:00:38 -0500 (EST)
From: Shane Coursen <scoursen@symantec.com>
Subject: Re: B1 virus with a twist (PC)
X-Digest: Volume 9 : Issue 18

>I have a strange breed of the B1 and was hoping that someone might shed 
>some light on this for me before I pull all of my hair out.  I have scanned 
>a machine that I had connected to a network and F-PROT has said that it 
>is the B1 virus.  I have tried everything to get rid of it.  I know that 
>some of you will probably say that it probably is just a false alarm but 
>I know that it is not because I have infected diskettes with this 
>machine. Now here is the real twist, I have FDISKed the whole hard drive 
>and still have this virus on this particular machine.  I have no idea of 
>how to get rid of this virus.  I never knew that this virus was that 
>dynamic.

The latest shareware version, 2.21, does have the ability to detect 
and generically repair B1 (also commonly known as NYB).

HOWEVER...

Attempts to repair while the virus is in memory will fail. This 
includes attempting to repair via the "FDISK /MBR" command.

Are you sure you are booting from a known clean boot disk?

- - 
Shane Coursen                                         Symantec Corporation
Computer Virus Researcher   http://www.symantec.com/avcenter/avcenter.html
AntiVirus Research Center                                  CIS:  GO SYMWIN
scoursen@symantec.com                                            GO SYMNEW
      US Support:  541-465-8420                             AOL:  SYMANTEC
European Support:  31-71-353-111        Australian Support:  61-2-879-6577

------------------------------

Date: Mon, 05 Feb 1996 11:52:12 -0500 (EST)
From: Maurice Hilarius <maurice@ellpspace.math.ualberta.ca>
Subject: Re: B1 virus with a twist (PC)
X-Digest: Volume 9 : Issue 18

Use f-prot. It will work, but you might lose the infected directory..

- - 
+--------------------------------------------------------------------------+
| Maurice Hilarius                   | #include<campfire.h>                |
| Proprietor / Chief Consultant      |       for(beer=100;beer>1;beer++){  |
| Hard Data                          |           take_one_down();          |
|                                    |           pass_it_around();         |
| 403-456-1510 / FAX 403-457-1338    |       }                             |
| maurice@ellpspace.math.ualberta.ca |  back_to_work(); /*never reached */ |
+--------------------------------------------------------------------------+

------------------------------

Date: Mon, 05 Feb 1996 15:22:48 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: How to remove "Ekaterin" virus ? (PC)
X-Digest: Volume 9 : Issue 18

Graham Cluley <sandspm@cix.compulink.co.uk> writes:

> Ekaterin is more familiarly known as "Russian Flag" or "AntiEXE".  Here 

No! Russian_Flag (a.k.a. Ekaterinburg) and AntiEXE are two
*completely* different viruses. Descriptions of both of them can be
found at http://www.datafellows.com.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Mon, 05 Feb 1996 15:25:09 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: F-prot + Parity_Boot-virus (PC)
X-Digest: Volume 9 : Issue 18

Robert Pietschmann <pietsch@rummelplatz.uni-mannheim.de> writes:

> I received the message: Parity_Boot virus in memory.
> What am I supposed to do - for F-Prot doesn't make any efforts to
> remove it?

F-PROT will remove it - however, it will refuse to do so as long as
the virus is active in memory. Cold boot (this is important;
Alt-Ctrl-Del won't do) from a virus-free, write-protected, system
diskette and run F-PROT again.

> What kind of virus is this anyway?

The most widespread virus in Germany. MBR, stealth infector. Attempts
to survive a warm reboot. Occasionally displays the message "parity
error" and halts the computer.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Mon, 05 Feb 1996 15:27:41 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: B1 virus with a twist (PC)
X-Digest: Volume 9 : Issue 18

Jason Oliver <joliver@execpc.com> writes:

> machine.  Now here is the real twist, I have FDISKed the whole hard drive 
> and still have this virus on this particular machine.  I have no idea of 

Make sure that the virus is not active in memory at the time when you
try to remove it. The only foolproof way to do so is to cold-boot from
a write-protected system diskette. Read the FAQ of this newsgroup (the
new one) if you don't know how to do this.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E


------------------------------

Date: Mon, 05 Feb 1996 15:35:27 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: HELP !!! OneHalf virus (PC)
X-Digest: Volume 9 : Issue 18

NAGY FERENC LaSZLo <NFL@labor.obuda.kando.hu> writes:

>      My question: Several months ago I got 77-byte hidden files from 2
> different  sources.  These appear next to each program file, with the name
> *._co and *._ex (or something). No recognizable text or code in them. Is
> there a virus or AV program that does this?

If by "or something" you actually mean *.CO_ and *.EX_ extensions,
then yes, there is such an anti-virus program. It was an archaic
version (1.0) of Norton Anti-Virus which did this incredibly stupid
thing. The 77-byte files are supposed to contain integrity checking
information for the respective executable files.

>      Next time I consult my English teacher before I send a letter.

Your English is very understandable.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Mon, 05 Feb 1996 15:35:33 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Virus:MONKEY_B + FORM_A (PC)
X-Digest: Volume 9 : Issue 18

Arlene Schiffman <arlenes@holly.colostate.edu> writes:

> We have a few computers that were infected by the Monkey Virus.  I
> took a suggestion to try making a boot disk and putting fdisk.exe on
> it then after booting up with the new disk using the command fdisk
> /mbr.  Well it worked on most of the computers but on three they are
> now saying invalid partition table.  HELP please!  These can not boot

Arlene already posted this request of hers in alt.comp.virus and got
the explanation why she shouldn't listen to such advice. Here I am
going only to repeat (for the benefit of the rest) that the program

	ftp://ftp.coast.net/SimTel/msdos/virus/killmnk3.zip

can handle the situation nicely - it will repair the damage caused by
running FDISK/MBR on a Monkey-infected hard disk.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E
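Three posts in this issue (Shane Coursen's and Vesselin's replies on B1/NYB, and the Monkey thread just above) turn on the same point: rewriting the MBR's code area does not repair a partition table that a boot-sector virus has left invalid. The following is an added example, not code from the digest, F-PROT or killmnk3: a parser for the 512-byte master boot record that applies the sanity rules behind the "Invalid partition table" message (status bytes, exactly one active entry, no overlaps) so an administrator can see from a sector dump why a disk refuses to boot. The sample sectors are constructed, not captured from a real disk or from any virus, and rewrite_boot_code models a code-only MBR rewrite on the assumption that FDISK /MBR replaces the 446-byte code area and leaves the table alone, which is my reading of that command and not something the posts state.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE   # four 16-byte partition entries start here
SIGNATURE_OFFSET = 0x1FE    # 0x55 0xAA boot signature
BOOT_SIGNATURE = 0xAA55     # the two signature bytes read little-endian
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def parse_entry(raw: bytes) -> dict:
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(ENTRY_FMT, raw)
    return {"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    table = sector[PART_TABLE_OFFSET:SIGNATURE_OFFSET]
    entries = [parse_entry(table[i * 16:(i + 1) * 16]) for i in range(4)]
    signature = struct.unpack_from("<H", sector, SIGNATURE_OFFSET)[0]
    return {
        "boot_code": sector[:PART_TABLE_OFFSET],
        "partitions": entries,
        "signature_ok": signature == BOOT_SIGNATURE,
    }


def partition_table_problems(mbr: dict) -> list:
    """Sanity rules of the kind the DOS boot code applies before it prints
    'Invalid partition table', plus an overlap check the boot code skips."""
    problems = []
    if not mbr["signature_ok"]:
        problems.append("boot signature 55AA missing")
    used = [p for p in mbr["partitions"] if p["type"] != 0]
    for i, p in enumerate(mbr["partitions"]):
        if p["status"] not in (0x00, 0x80):
            problems.append(f"entry {i}: status byte 0x{p['status']:02X} is neither 00 nor 80")
        if p["type"] != 0 and p["sectors"] == 0:
            problems.append(f"entry {i}: type 0x{p['type']:02X} but zero length")
        if p["type"] == 0 and (p["lba_start"] or p["sectors"]):
            problems.append(f"entry {i}: unused type but non-zero extent")
    active = [p for p in used if p["status"] == 0x80]
    if used and len(active) != 1:
        problems.append(f"{len(active)} active partitions, expected exactly 1")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in used)
    for (_a_start, a_end), (b_start, _b_end) in zip(spans, spans[1:]):
        if b_start < a_end:
            problems.append(f"partitions overlap at LBA {b_start}")
    return problems


def rewrite_boot_code(sector: bytes, new_code: bytes) -> bytes:
    """Model of a code-only MBR rewrite (assumed behaviour of FDISK /MBR):
    replace the first 446 bytes and the signature, keep the table as it is."""
    code = new_code.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    return code + sector[PART_TABLE_OFFSET:SIGNATURE_OFFSET] + struct.pack("<H", BOOT_SIGNATURE)


# --- constructed samples (not captured from any real disk or virus) ---
def make_entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def make_mbr(entries, boot_code: bytes = b"", signature: int = BOOT_SIGNATURE) -> bytes:
    code = boot_code.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    table = b"".join(entries).ljust(64, b"\x00")
    return code + table + struct.pack("<H", signature)


HEALTHY_MBR = make_mbr([make_entry(0x80, 0x06, 63, 1048513)])   # one active FAT16 volume
GARBLED_MBR = make_mbr([make_entry(0x33, 0x5A, 0x1234, 7),       # table overwritten with junk
                        make_entry(0x80, 0x06, 0x1234, 100)])


if __name__ == "__main__":
    for label, sector in (("healthy", HEALTHY_MBR), ("garbled", GARBLED_MBR),
                          ("garbled after code rewrite", rewrite_boot_code(GARBLED_MBR, b"\xEB\xFE"))):
        print(f"{label}: {partition_table_problems(parse_mbr(sector)) or 'table looks sane'}")
```

Run against a sector dump taken after booting from a clean, write-protected diskette, the third case is the one the posts describe: the code area is pristine again, the findings are unchanged, and what is needed is a tool that restores the original table (as killmnk3 does for Monkey), not another rewrite of the code.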

------------------------------

Date: Mon, 05 Feb 1996 17:22:02 -0500 (EST)
From: Bryan Lewis <bryan@world.std.com>
Subject: Re: B1 virus with a twist (PC)
X-Digest: Volume 9 : Issue 18

Jason Oliver <joliver@execpc.com> writes:

>I have a strange breed of the B1 and was hoping that someone might shed 
>some light on this for me before I pull all of my hair out.  I have scanned 
>a machine that I had connected to a network and F-PROT has said that it 
>is the B1 virus.  I have tried everything to get rid of it.  I know that 
>some of you will probably say that it probably is just a false alarm but 
>I know that it is not because I have infected diskettes with this 
>machine.  Now here is the real twist, I have FDISKed the whole hard drive 
>and still have this virus on this particular machine.  I have no idea of 
>how to get rid of this virus.  I never knew that this virus was that 
>dynamic.

Sounds like what happened to me.  I tried FDISK /MBR.  Norton AV reported it
but couldn't fix it.  Win95 installation detected that there was a virus 
(so it couldn't install its 32-bit file system boot-record driver), but 
didn't know which.  MS AntiVirus was clueless.  Finally I bought(!) 
McAfee VirusScan, after seeing good things said about it in this newsgroup
(is it providence that this newsgroup revived itself the very day I needed 
it? :-).  It detected the NYB (aka B1) virus and removed it, no problem.

Bryan Lewis

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 18]
*****************************************


