Message-Id: <01I12C7JTDDGPVIUA3@csc.canterbury.ac.nz>
Reply-To: virus-l@lehigh.edu
Originator: virus-l@lehigh.edu
Sender: virus-l@lehigh.edu
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V9 #21
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
X-Comment: Virus Discussion List
Date: 	Sat, 10 Feb 1996 04:40:15 EST

VIRUS-L Digest  Saturday, 10 Feb 1996    Volume 9 : Issue 21

Today's Topics:

Questions about the FAQ (ADMIN)
Virus Calendar
Re: Microsoft is shipping Viruses!
Re: Usefulness of AV people
Firewall scanners
Re: Flash BIOS viruses?
A-V Software Trade show
Re: Not providing examples of Java viruses
Re: Flash BIOS viruses?
Re: Scanning Zip files
Re: Status of AV-Scanner for NOVELL Netware 4.1? (NW)
Re: Question: Linux viruses? (UNIX)
Re: Macintosh - MBDF B & MBDF A/B (MAC)
Re: Virus Checker for Macintosh (MAC)
Re: Reg.dat corruption (WIN)
Scrambled MS App Files (WIN)
Re: Microsoft Registration Virus (WIN)
re: Microsoft Registration Virus (WIN)
Re: Ack! Newest NAV update causes serious lockups! (WIN)
spartan? (PC)
Need help with diskette / Tai-Pan (PC)
Re: Microsoft is shipping Viruses! (PC)
DIEHARD (PC)
Re: V-SIGN (PC)
Re: Was this a virus? (PC)
HELP: Problem with January NAV update (PC)
Unknown Virus (PC)
Re: Help. Fdisk doesn't remove... (PC)
McAfee Software how do I obtain? (PC)
Sampo Virus - Help! (Disinfect??) (PC)
PS/2 boot sector problems-Virus? (PC)
Re: A Virus found, can anyone identify? (PC)
Re: 69 Virus (PC)
FREE virus protection (PC)
Re: Ripper and NYB (PC)
Re: Is this a virus? (PC)
Three questions (PC)
Re: TB1 Virus (PC)
Re: Viruses on floppy diskettes (PC)
Vshield vs Netshield (PC)
Re: Microsoft is shipping Viruses! (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available by anonymous FTP on CS.UCR.EDU.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Sat, 10 Feb 1996 14:43:12 +1300 (NZD)
From: Nick FitzGerald <n.fitzgerald@csc.canterbury.ac.nz>
Subject: Questions about the FAQ (ADMIN)
X-Digest: Volume 9 : Issue 21

Quite a few people have written asking where the "new FAQ" that keeps
being mentioned is.  Especially if you read along in News you will know
where the "old" FAQ is--the RTFM autoposter keeps posting it into the
group every month.

We are trying to persuade the powers that be at RTFM that I am now the
virus FAQ "owner", but until we succeed in that, if you want to look at
the "new" FAQ, use Archie (or some other search engine) to search for the
file "vlfaq200.txt".  The official Virus-L archive is guaranteed to hold
a copy, so try

   ftp://cs.ucr.edu/pub/virus-l/vlfaq200.txt

but you may get faster transfers if you find a site closer to you.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
 n.fitzgerald@csc.canterbury.ac.nz  TEL:+64 3 364 2337, FAX:+64 3 364 2332
	      Virus-L/comp.virus moderator and FAQ maintainer
   PGP fingerprint =  2E 7D E9 0C DE 26 24 4F  1F 43 91 B9 C4 05 C9 83

------------------------------

Date: Tue, 06 Feb 1996 09:39:35 -0500 (EST)
From: News Group <news@zippo.com>
Subject: Virus Calendar
X-Digest: Volume 9 : Issue 21

Does anyone know of a list that contains dates of when known viruses will
be executed?

Thank You.

------------------------------

Date: Tue, 06 Feb 1996 10:23:24 -0500 (EST)
From: Ken Stieers <kens@ontrack.com>
Subject: Re: Microsoft is shipping Viruses!
X-Digest: Volume 9 : Issue 21

Here's what really happened:

You got a machine that was infected at the store (as your store told you).
Since Office '95 is shipped on MFT formatted diskettes, Newbug (better
known as ANTIEXE), hammered them.  Clean your system using the info in the
FAQ.

Ken

- - 
Views expressed herein are not necessarily the views 
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               |  Minneapolis - 1.800.872.2599       * 
* AV Research/Apps. Eng.    |  Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  |  Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     |  London - 0800 24 39 96             *
* Eden Prairie, MN          |  Japan - 81.429.32-6365             *
*******************************************************************

------------------------------

Date: Tue, 06 Feb 1996 11:19:40 -0500 (EST)
From: Nacho Man <ht_bui@ece.concordia.ca>
Subject: Re: Usefulness of AV people
X-Digest: Volume 9 : Issue 21

Since I have received quite a few replies on this subject, I will have
this one message cover whatever I have to say.

The reason for my first posting was perhaps because I expected a technical
discussion when I joined this newsgroup. I understand completely your
point of view, saying that people were uninformed and don't bother reading
the manual.. the thing is, by answering their questions and not simply
pointing to the FAQ, you are not helping them. The next time they have a
question, they will simply come running to you and expect another quick
answer. 

Someone pointed out that there are many anti-virus specialists because
there were a lot of virus writers. This is only partially true. Most of
the viruses coming out nowadays are badly written gunk of code that
couldn't spread through a directory even if their lives depended on it.
The good virus authors usually don't infect other people and so, they
aren't much of a threat.

As for working on a help line, I must admit that I never had the
opportunity to do that. 

Another person said something about not wanting to give out 'tricks of the
trade'. To tell you the truth (this MIGHT sound offensive but that isn't
its purpose, I assure you), I don't think that an anti-virus expert
needs to know that much. Anyone with limited knowledge in viruses and a
little programming experience would be able to look through a file, tell
if it's infected and even remove it (whenever possible). Looking at the
interrupts to see if it has been hooked, looking at the boot sector via
the ports to check for infection (avoid int13h hookup) and the all-mighty
'boot-from-an-uninfected-floppy', etc. This is basically what an
anti-virus specialist needs to know and there isn't that much to it. There
is one real difficulty to being an AV researcher.. polymorphism. Then
again, from what I've gathered, there hasn't been a SURE way to detect it
so there are no tricks of the trade to be given here (without false
positives, that is).

Well, anyhow, I just had a few questions that I needed cleared and most of
you have been quite helpful. Hopefully, we will be able to engage in
more technical discussions some time in the near future.

[Moderator's note:  Technical discussions are most welcome--in fact,
encouraged--in this forum.  Witness the recent (and ongoing) exploration
of measures to take against Word macro viruses.  It seems, however, that we
are seeing more and more of the "How do you get rid of the XYZ virus?"
type questions.]

------------------------------

Date: Tue, 06 Feb 1996 12:04:51 -0500 (EST)
From: A Bruce Peck <bruce_peck@aici.com>
Subject: Firewall scanners
X-Digest: Volume 9 : Issue 21

Forgive me if I have just missed this subject on the list.  Is it 
feasible to think that we could have a virus scanning product that 
would look at packets as they were coming in to, say, a corporate 
network via a firewall and SMTP gateway and act upon the files at that 
one point of entry?  Are there such products?

I understand the obvious counters such as simply make sure everyone 
has a good scanner/TSR package on the workstation, however, in a large 
distributed corporate environment like ours, this is very hit-or-miss 
to maintain.  I also understand that most of our viruses are going to 
be boot viruses that will come in only on diskette, however, it would 
be nice to think that I could be efficient by monitoring that one 
point of entry for file infectors and other obvious trojans or 
droppers that are recognizable (perhaps also the WORD macro viruses).

Bruce_Peck@aici.com

------------------------------

Date: Tue, 06 Feb 1996 14:56:38 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Flash BIOS viruses?
X-Digest: Volume 9 : Issue 21

Mark Olson <molson@apollo.tricord.com> writes:

>   A quick check on PC's in use here shows me that most
> people leave the jumper in flash-bios motherboards in
> the "allow programming" position.

This is a very bad practice. Not just because of viruses - even a
buggy application would cause trouble if it manages to corrupt the
BIOS.

>   This brought up the question: Is a virus possible that
> could alter the contents of flash memory on popular 
> motherboards (such as the Intel series) to infect the
> machine?

Yes - provided that the writing to the Flash EPROM is enabled.

> Do such viruses already exist?

No. There is one which tries to do that for AMI Flash BIOS, but it
does not succeed.

>   Perhaps it is prudent to make sure the jumpers
> on these motherboards are always set to "off".

Of course.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Tue, 06 Feb 1996 15:10:44 -0500 (EST)
From: Doug Geiste <geiste@hsi.com>
Subject: A-V Software Trade show
X-Digest: Volume 9 : Issue 21

While surfing looking at AV software pages one day, I came across
a site that had advertised some sort of AV software tradeshow in the
Washington DC area. Since then, I can't find the page or any information
about it. I remember it was being held April 1st and 2nd.

Can someone please point me in the right direction for information?

Thanks!
doug

- - 
Doug Geiste                             3M Health Information Systems
E-mail: geiste@hsi.com                  Wallingford, CT  USA  
	dgeiste@aol.com
			Bill Gates: The Lemming King

------------------------------

Date: Tue, 06 Feb 1996 16:18:11 -0500 (EST)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: Re: Not providing examples of Java viruses
X-Digest: Volume 9 : Issue 21

In article <0001.01I0WU2LIE4YPVHY7M@csc.canterbury.ac.nz>
	   fc@all.net "Fred Cohen" writes:

> The reason I don't provide examples of Java viruses is that it is pretty
> dangerous to do so.  I am especially astonished to see Vess seemingly
> ask me to give source to viruses out since he has long stood against the
> open disclosure of viruses.

There is a difference between "open disclosure" and supplying 
research material to selected, trusted, anti-virus researchers.  
One must decide for oneself who is trustworthy, of course.

- -
NO LADY LIKES               ACCOMPANIED BY
	     TO DANCE                     A PORCUPINE
		     OR DINE                         Burma-Shave

------------------------------

Date: Tue, 06 Feb 1996 17:36:52 -0500 (EST)
From: "Denis Parslow (Almo Distributing)" <dgp@world.std.com>
Subject: Re: Flash BIOS viruses?
X-Digest: Volume 9 : Issue 21

Mark Olson <molson@apollo.tricord.com> wrote in Digest: Volume 9 :
Issue 10:

>  A quick check on PC's in use here shows me that most
>people leave the jumper in flash-bios motherboards in
>the "allow programming" position.
>
>  This brought up the question: Is a virus possible that
>could alter the contents of flash memory on popular 
>motherboards (such as the Intel series) to infect the
>machine?  Do such viruses already exist?
>
>  Perhaps it is prudent to make sure the jumpers
>on these motherboards are always set to "off".

Yes, it is possible to create a virus that infects a particular type 
of FLASH CMOS.  However, Plug n Play requires updating that 
FLASH BIOS (assuming the BIOS is a PnP BIOS), so it is usually
not possible to merely write protect the BIOS.

Denis Parslow
Engineering Mgr
Almo Distributing, Trademark Computers
dgp@world.std.com
http://www.almo.com
http://world.std.com/~dgp/

------------------------------

Date: Tue, 06 Feb 1996 20:35:59 -0500 (EST)
From: JMD139 <jmd139@aol.com>
Subject: Re: Scanning Zip files
X-Digest: Volume 9 : Issue 21

>Are there any products that will scan .ZIP files for viruses?

Try THD Pro... it comes with a program in that package which will enable
you to scan ZIP files (other archives too).

JMD

------------------------------

Date: Tue, 06 Feb 1996 10:28:49 -0500 (EST)
From: Ken Stieers <kens@ontrack.com>
Subject: Re: Status of AV-Scanner for NOVELL Netware 4.1? (NW)
X-Digest: Volume 9 : Issue 21

Novell doesn't write a scanner for Netware, but most of the major AV 
companies do.  These include:

Netshield by McAfee
Norton AV for Netware by Symantec
Dr. Solomon's AV ToolKit for Netware by S&S Intl. 
Sweep for Netware by Sophos
NetProt by Frisk Software
Inoculan by Cheyenne

I'm sure there are others that I'm missing, but these are the ones that
come to mind right now. 

The only one that may be close to free is NetProt, but then again that
policy only applies to single users, which you obviously aren't.  All of
the others are commercial packages. 

Ken 

- - 
Views expressed herein are not necessarily the views 
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               |  Minneapolis - 1.800.872.2599       * 
* AV Research/Apps. Eng.    |  Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  |  Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     |  London - 0800 24 39 96             *
* Eden Prairie, MN          |  Japan - 81.429.32-6365             *
*******************************************************************

------------------------------

Date: Tue, 06 Feb 1996 10:04:14 -0500 (EST)
From: Alan Shutko <ats@hurd193.wustl.edu>
Subject: Re: Question: Linux viruses? (UNIX)
X-Digest: Volume 9 : Issue 21

>>>>> "DM" == Doug Muth <dmuth@oasis.ot.com> writes:

DM> [Moderator's note: Most likely yes, but so what?  File infectors
DM> will have gone out to disk and infected as many targets as they
DM> can find (which may be limited by Linux' security features...).]

Most of the typical virus tricks won't work in a UNIX environment.
Normal users don't have direct access to disk.  A process can only see
its own memory space, so it can't watch over the user to see what
files they access.  It could, presumably, scan your home directory and
infect any binary files it sees... but most users have few binaries.
And there's no real way

However, I would say that there is a vast potential for viruses for
Linux, because so many people run untrusted binaries as root.  Many
people run solely as root (bad practice anyway), and don't have a
problem running any new program they pulled off of sunsite as root.
But they may be more trojans than viruses, because the people who
download and run binaries as root aren't generally the people who
upload them, and most people don't go swapping binaries.

- -
Alan Shutko <ats@hubert.wustl.edu> - The Few, the Proud, the Remaining.
IBM stands for "Inferior But Marketable"

[Moderator's note:  I agree with what Alan says here, but my comment was
directed specifically at Doug's comments that implied DOS viruses running
in a DOS emulator under Linux were less worrisome because they were in a
separate, virtual machine.]

------------------------------

Date: Tue, 06 Feb 1996 12:49:59 -0500 (EST)
From: Joerg Erdei <a8101gbb@helios.edvz.univie.ac.at>
Subject: Re: Macintosh - MBDF B & MBDF A/B (MAC)
X-Digest: Volume 9 : Issue 21

John Barrymore <jb@barrymore.com> wrote:
>I have come across 2 strains of the MBDF virus on Macintosh more than once
>each lately. One is MBDF B and the other is MBDF A/B. They both seem to
>infect the system, and other applications.
>
>Does anyone have any information on these viruses?
>
>[Moderator's note:  The Macophiles I know seem to like Disinfectant's
>virus database...]

Yes, we do. And we like Kevin Harris's Virus Reference (a HyperCard stack).
Here is what Disinfectant says:

- ----------------------------------------------------------------------
The MBDF Virus

The MBDF virus was first discovered in Wales in February, 1992. Several
popular Internet archive sites contained some infected games for a short
period of time, so a number of people around the world were affected. The
games were named "10 Tile Puzzle" and "Obnoxious Tetris."

In addition to these two games, a third game named "Tetricycle" or
"tetris-rotating" was a Trojan horse which installed the virus.

Two undergraduate students at Cornell University were quickly
apprehended shortly after the virus was discovered. They pleaded guilty
to charges of second-degree computer tampering for writing and
spreading the MBDF virus. They were sentenced to community service and
restitution of damages. A third student at Cornell also pleaded guilty to
a charge for helping to spread the virus, and was sentenced to community
service.

Disinfectant identifies both infected files and the Trojan horse as being
infected by the MBDF virus. Repairing an infected file removes the virus
and returns the file to the state it was in before being infected. Repairing
the Trojan horse renders it ineffective and inoperable.

The MBDF virus infects both applications and the System file. It also
usually infects the Finder and several other system files. The System file
is infected as soon as an infected application is run. Other applications
become infected as soon as they are run on an infected system.

The MBDF virus is non-malicious, but it can cause damage. In particular,
the virus takes quite a long time to infect the System file when it first
attacks a system. The delay is so long that people often think that their
Mac is hung, so they do a restart. Restarting the Mac while the virus is in
the process of writing the System file very often results in a damaged
System file which cannot be repaired. The only solution in this situation is
to reinstall a new System file from scratch.

We also have reports that the MBDF virus causes problems with the
"BeHierarchic" shareware program, and reports of other menu-related
problems on infected systems.

The MBDF virus is named after the type of resource it uses to infect files.
MBDF resources are a normal part of the Macintosh system, so you should
not become alarmed if you see them with ResEdit or some other tool.

Special thanks to the people at Claris who included self-check code in their
Macintosh software products.  Their foresight resulted in an early
detection of the virus, and has thus helped the entire Mac community.  We
strongly encourage other vendors to consider doing the same with their
products.

There are two known strains of the MBDF virus, MBDF A and MBDF B.
There are no significant differences between the two strains.
- ----------------------------------------------------------------------

And now to the Virus Reference Stack:

- ----------------------------------------------------------------------
MBDF A:
-Infects both applications and System files.
-System file is infected as soon as infected application is run.

! The virus takes a long time to infect System file and
  as it is writing, can make the Mac appear to have hung
  up. Restarting the Mac at this point could damage the
  System file, and any data files that may be open at the
  time.


MBDF B:
-A variant of the MBDF A virus
-Spreads on all Mac types except MacPlus and possibly MacSE systems.
-Does not intentionally cause damage, but spreads widely.
-May cause application crashes.
-Claris applications will notify you they have been altered.
-BeHierarchic will stop functioning

- ----------------------------------------------------------------------

Hope that helps you

Joerg Erdei

------------------------------

Date: Tue, 06 Feb 1996 13:09:53 -0500 (EST)
From: Joerg Erdei <a8101gbb@helios.edvz.univie.ac.at>
Subject: Re: Virus Checker for Macintosh (MAC)
X-Digest: Volume 9 : Issue 21

Phillip Steck <NUHS@oro.net> wrote:
>He can buy a program from MAC WAREHOUSE called SAM that is made for the
>Mac.    The same company that makes Norton Utilities for the Mac makes it.
>I think version 3.5 is the latest Mac version.   There are also a lot of
>freeware and shareware virus protection programs for the Mac.  Have him
>look at some of the Mac BBS's and FTP sites.   TTYL  Phil

Latest version of SAM (Symantec Antivirus for Macintosh) is 4.0.7.

Joerg Erdei

------------------------------

Date: Tue, 06 Feb 1996 14:56:42 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Reg.dat corruption (WIN)
X-Digest: Volume 9 : Issue 21

"Flores,C Cont MSIC" <FloresCa@fordpo.mpc.af.mil> writes:

>  IBMAV v2.4 is run at boot every Monday morning and a couple of the   
> affected PCs have had F-Prot 2.21.1 run on them as well (using a bootable   
> diskette), but neither reports a virus.

Then you almost certainly do not have a virus. A buggy application can
corrupt files too; you don't necessarily need a virus to do that.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Tue, 06 Feb 1996 15:02:18 -0500 (EST)
From: Richard Haley <writch@nmia.com>
Subject: Scrambled MS App Files (WIN)
X-Digest: Volume 9 : Issue 21

We have been getting a rash of MS Application (word & powerpoint) files
corrupted.  This seems to be the case whether they are marked as such or
not (in some cases they are *.pro files).

The files no longer contain valid data, but they all seem to have the same
signature 12 bytes at the start of the file.  They are (in hex):
       4C 53 47 53 69 67 E6 E0 E9 01 01 00
text:  L  S  G  S  i  g  _  _  _  _  _  _   (_ is unprintable)

Any ideas?

Richard Haley
writch@nmia.com
HaleyR@phs.org
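
A defender-side triage script for the question above, added here as an
example; it is not from the post, nor from any product. It takes the
12-byte prefix Richard quotes, renders it the way his "text:" line does,
and walks a directory reporting every file that begins with those bytes,
so all affected files can be located in one pass rather than by opening
them one at a time. The OLE2 compound-document magic used to tell intact
Word/PowerPoint files apart is a known file-format constant, not something
on the page; the sample files it scans are constructed for the demo.

```python
"""Find files that begin with a given byte signature (added triage example)."""
import os
import tempfile
from pathlib import Path

# The 12-byte prefix quoted in the post (hex: 4C 53 47 53 69 67 E6 E0 E9 01 01 00).
SIGNATURE = bytes.fromhex("4C 53 47 53 69 67 E6 E0 E9 01 01 00")

# OLE2 compound-document magic (Word 6/95, PowerPoint 95 files start with it).
# Known file-format constant, not taken from the post.
OLE2_MAGIC = bytes.fromhex("D0 CF 11 E0 A1 B1 1A E1")


def render_bytes(data: bytes) -> str:
    """Render bytes the way the post does: printable ASCII as-is, '_' otherwise."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "_" for b in data)


def matches_signature(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """True if data starts with the full signature (shorter data never matches)."""
    return len(data) >= len(signature) and data[: len(signature)] == signature


def classify_header(head: bytes) -> str:
    """Classify a file by its first bytes."""
    if matches_signature(head):
        return "scrambled-signature"
    if head.startswith(OLE2_MAGIC):
        return "ole2-document"
    return "unknown"


def scan_tree(root) -> dict:
    """Walk root, read the first 16 bytes of every file, return {relpath: class}."""
    results = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                with open(path, "rb") as fh:
                    head = fh.read(16)
            except OSError:
                continue  # unreadable file: skip, do not abort the whole scan
            results[str(path.relative_to(root))] = classify_header(head)
    return results


def build_demo_tree() -> str:
    """Constructed sample files for the demo (not real documents)."""
    root = tempfile.mkdtemp(prefix="sigscan_")
    (Path(root) / "report.doc").write_bytes(SIGNATURE + b"\x00" * 100)
    (Path(root) / "slides.pro").write_bytes(SIGNATURE + b"junk" * 10)
    (Path(root) / "good.doc").write_bytes(OLE2_MAGIC + b"\x00" * 100)
    (Path(root) / "notes.txt").write_bytes(b"plain text\n")
    return root


if __name__ == "__main__":
    print("signature as text:", render_bytes(SIGNATURE))  # LSGSig______
    demo_root = build_demo_tree()
    for rel, kind in sorted(scan_tree(demo_root).items()):
        print(f"{kind:20s} {rel}")
```

Point scan_tree() at a share instead of the demo tree to get the list of
hit files; the classification is deliberately limited to the prefix the
post supplies, so it finds the damage pattern without guessing at its cause.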

------------------------------

Date: Tue, 06 Feb 1996 17:13:55 -0500 (EST)
From: Robert Michael Slade <rslade@freenet.vancouver.bc.ca>
Subject: Re: Microsoft Registration Virus (WIN)
X-Digest: Volume 9 : Issue 21

Eduardo Haddad Filho (ehaddadf@home.iis.com.br) wrote:
: I don't know if this is already in a FAQ.

Speaking as one of the FAQsters (sigh) I do not look forward to it, but 
maybe it should be.

: Since Microsoft has the ability and does snoop around your disk for
: hardware and software information, I suppose it could also put a
: virus in your disk.

I assume that ... well, maybe I'd better not assume anything.  There have 
been numerous, and generally spurious, reports about "snooping" going on 
with the registration program/function on Microsoft's Windows 95 
package.  Some have gone so far as to say that there *is* a virus in the 
registration program.  While I hate to say anything in defence of MS, 
there is no evidence of a virus in the registration program.  During the 
setup of Windows 95, certain information about the hardware and software 
on the computer is collected.  There is no confirmed evidence that any 
information is collected that is not necessary to the operation or 
support of the operating system.  At the user's choice and discretion, 
all, part or none of this information can be registered with Microsoft 
via modem.

Microsoft cannot snoop on your system any more than anybody else can.  As 
Nick pointed out, if you run a program on your system and don't know what 
it is supposed to do, it will do whatever it is programmed to do, whether 
you want that particular function or not.

: As it is, I believe any Internet site could do it, if you have a 
: PPP or SLIP connection.
: Am I right?

You are wrong.  If you have a dial-up IP (SLIP or PPP) connection then 
you are temporarily part of the Internet while you are so connected.  If 
you run server software on your machine, people can get certain access to 
your computer.  (That's what server software is for.)  If you don't run 
server software, nobody can get at your machine.  (The Internet being an 
open network, some people *can* get at what you send, but they can't 
"snoop" on your computer.)

: Is there any kind of protection?

Education is a good defence.  Do some more study in these fields.

======================
roberts@decus.ca   rslade@vanisl.decus.ca  Rob.Slade@f733.n153.z1.fidonet.org
		    Frequent advice to Internet newcomers:
 State your business, avoid eye contact, leave quietly, and no one gets hurt.
Author "Robert Slade's Guide to Computer Viruses" 0-387-94663-2 (800-SPRINGER)

------------------------------

Date: Tue, 06 Feb 1996 20:38:46 -0500 (EST)
From: Grahame Grieve <g.grieve@pgrad.unimelb.edu.au>
Subject: re: Microsoft Registration Virus (WIN)
X-Digest: Volume 9 : Issue 21

Eduardo Haddad Filho <ehaddadf@home.iis.com.br> wrote 

>Since Microsoft has the ability and does snoop around your disk for
>hardware and software information, I suppose it could also put a
>virus in your disk.

ftp://ftp.ora.com/pub/examples/windows/win95.update/regwiz.html has a very
interesting and thorough evaluation of this part of win95. Read it.

>Is there any kind of protection?

Send additional data. Mix bytes around. Whoever maintains the M$ database
will love you forever!

Grahame.

------------------------------

Date: Tue, 06 Feb 1996 20:41:59 -0500 (EST)
From: Lynn <ggaziano@capecod.net>
Subject: Re: Ack! Newest NAV update causes serious lockups! (WIN)
X-Digest: Volume 9 : Issue 21

I have installed the Dec & Jan update for NAV95 and have had no
problems???   

------------------------------

Date: Tue, 06 Feb 1996 06:00:58 -0500 (EST)
From: DDenoncour <ddenoncour@aol.com>
Subject: spartan? (PC)
X-Digest: Volume 9 : Issue 21

All of a sudden I had no disk space. There is a file in my root directory
called 386spart.par occupying 28,311,552 bytes of my hard drive. I called
Compusa tech support and he thought it was some kind of partition file. (I
never saw it before. It is a hidden or system file; use "dir /a" to find
it.) Then, I called my tech support (DEC for Starion 500) and after
waiting 40 minutes on hold, the tech guy told me he thought I had the
spartan virus. The file date was today and time was 8:39 this
morning...just after I had exited the WWW via AOL.

The techie suggested I get McAfee and run it.

I ran out and got it; installed it. Didn't show any virus.

Any ideas? Is this how 'Spartan' works?

Does 386spart.par sound like a virus? 

Could it be some kind of partition thing? A swap file? I would like to
just delete it, but, I don't know what it is.

Thanks for your help
Fran in Reno

------------------------------

Date: Tue, 06 Feb 1996 06:17:12 -0500 (EST)
From: Mike Dunn <Mike_Dunn@mindlink.bc.ca>
Subject: Need help with diskette / Tai-Pan (PC)
X-Digest: Volume 9 : Issue 21

A few years ago I bought the game "Might and Magic: Clouds of Xeen", I
played it, finished it, and deleted it, keeping the original disks, etc.  A
few months ago I decided I wish to reinstall and replay the game.  Upon
running the INSTALL.EXE file it came up with the "Error in EXE file" and
refused to run.  I was upset - my disks had gone bad.  Norton Disk Doctor
could not find or solve (I don't remember which) the problem.  There are no
free bytes on the disk.

I do not regularly check my HD for viruses, just every month or so, when I
remember.  Approximately a month after that incident I used F-Prot.  I
found I had the Tai-Pan virus on my system (Tai-Pan.438.A and Tai
Pan.666), and using F-Prot, I cleaned my system.  I do not regularly use
diskettes, but I did check all of the ones I had lying around.  A week
later Tai-Pan had not reappeared, and it was gone and forgotten.

Now I've picked up my Clouds of Xeen disks again.  I still have the "Error
in EXE file" problem.  Taking a look at the EXE file I found it ended
with:

> Your version of DOOM2.EXE matches the illegal RAZOR release of DOOM2
> Say bye-bye HD
> The programmer of DOOM II DEATH is in no way affiliated with ID
> software. ID software is in no way affiliated with DOOM II DEATH.

Which F-Prot says is something that the 666 variant has.  Obviously, the
file got infected.  I copied the INSTALL.EXE file to the HD, played around
with it a bit.  Then I ran F-Prot, which claimed I had Tai-Pan in memory.
I rebooted using a normal boot (not a clean boot), and ran F-Prot again.
This time it did not complain of a virus in memory.  I checked my HD (and
the disk with INSTALL.EXE).  F-Prot found:

> C:\TEMP\INSTALL.EXE  Infection: New or modified variant of Tai-Pan
> No attempt made to disinfect the variant.

Anyway, my problem is this.  I need a working copy of the EXE file in
order to install my game.  For some reason F-Prot is refusing to
"disinfect the variant".  Could it be that there was not enough room on
the disk to copy the whole virus to the EXE file, and I only have half a
virus, which F-Prot doesn't like?  How can I clean up INSTALL.EXE?

All replies would be appreciated.  Replies via email would be nice, but
replies in this forum will also reach me.

- -
- -------------------------------------------------------------------------
"They hung in the air just like brick don't" - HHGTTG

- -------------------     mike_dunn@mindlink.bc.ca     --------------------

------------------------------

Date: Tue, 06 Feb 1996 07:43:30 -0500 (EST)
From: "Bob Witham Jr." <none@web.ddp.state.me.us>
Subject: Re: Microsoft is shipping Viruses! (PC)
X-Digest: Volume 9 : Issue 21

chi@bluefin.net wrote:
>About a month ago, I purchased a copy of MS Office '95 Standard, the
>disk package.
>
>Went to install it and on the 2nd disk, it crapped out. When I looked on
>the disk, there was one file eo@349fj3(or something like that) with a date
>of 00/00/21 with 0 bytes.
>
>I have seen this before (long time ago) so I called Microsoft for a
>replacement. I tried to install the replacement, however, now disk 4
>crapped out. I got another replacement and same thing but different disk.
>I got still ANOTHER replacement and disk 2 crapped out. Called them to
>send me the CD-ROM version free of charge (which they did).
>
>The vendor whom I purchased the original package from called me and told
>me anyone who has purchased software or computers w/ software pre-
>installed within the last 30 days could be infected with the virus NEWBUG.
>I have a hard time believing that Microsoft wasn't aware of this problem
>before I called.
>
>This virus deletes and corrupts the files on floppies.... so far.....  :|

You'd better scan your hard drive, you have a boot sector virus.  Another 
way to prevent this from happening is to write protect your install 
diskettes.

The MS install diskettes (at least WIN95 diskettes), are in a special 
"extra-density" format, and contain about 1.68 Meg each.  While they are 
DOS readable, they apparently do not use the same sector layout as DOS 
disks.  I know that ANTIEXE will corrupt WIN95 disks EXACTLY as you 
describe above.  The problem is likely NOT the diskettes, but your PC.  It 
is infected with a boot sector virus.

Bob Witham

------------------------------

Date: Tue, 06 Feb 1996 09:45:35 -0500 (EST)
From: Piet Taal <ptaal@ibm.net>
Subject: DIEHARD (PC)
X-Digest: Volume 9 : Issue 21

How do I remove DIEHARD from W95?

McAFEE 95 sees the virus but cannot kill it.

------------------------------

Date: Tue, 06 Feb 1996 11:11:05 -0500 (EST)
From: MR HENRI J DELGER <henri_delger@prodigy.com>
Subject: Re: V-SIGN (PC)
X-Digest: Volume 9 : Issue 21

Mic Chow <zen@ubd1.vdospk.com> wrote:
(in X-Digest: Volume 9 : Issue 16)

> I have run across a virus which McAfee 2.2.6 had named
> V-SIGN.  I have checked with VSUM 9512.  It has nothing on
> this virus.  What the heck does this thing do?  How does it
> infect things?  What's the scoop on it?

The V-Sign virus (also called "Cansu") is believed to have
originated in Turkey, in 1992, and can spread to a hard disk
when an infected diskette (bootable or not) is in the A> 
drive, and the PC is booted/re-booted.  
     The name V-Sign refers to the fact that after the virus
has been on a hard disk long enough to infect 64 diskettes,
the virus will hang the PC while displaying a large white 
graphic letter "V."
     If an infected diskette is in A> drive at boot-up, its 
Boot Sector (Sector 0) which contains part of the virus 
"program" will be read into memory.  The virus then takes 
control of memory, and will infect any disk, including the 
hard disk, upon next access.  
     This makes V-Sign different from most such viruses, 
which infect the hard disk immediately.  V-Sign copies part
of its code to (cylinder&head 0, sector 1), and the rest to 
(cylinder&head 0, sectors 4&5).  
     It does not copy the actual Partition/MBR data from the
first sector elsewhere, unlike most such viruses, but leaves
it intact.  It's encrypted, and can produce altered copies 
of itself, though it's not considered polymorphic.
     Ordinarily, data are not lost from the hard disk, 
because the sectors which the virus uses are not used by 
DOS.  If those sectors are used by third-party software 
to store data, during formatting, or for password access, 
or by drivers to access large partitions, obvious problems 
can result, however.
     At every boot-up thereafter, V-Sign becomes resident, 
using 2Kb of RAM, just as many such viruses do.  V-Sign 
infects diskettes in both A> and B> drives.  Unlike most 
such viruses, while infecting diskettes not already 
infected, or write-protected, it doesn't move the diskette's
original Boot record code elsewhere.  Also, because of a 
programming error, diskettes which were infected in the B>
drive cannot infect a PC, because with the disk in A>, the
virus tries to load the rest of its code from the B> drive.
     However, it does store the rest of its code to the last
two sectors in the area used by the Directory, and this 
can cause loss of entries of files, deleted files, and sub-
directories in the Root, which were listed in those 
Directory sectors.                  
     The files can still be located in the file storage area
of the disk, and could be recovered with a disk editing 
utility, but since they are no longer listed in the Root
Directory, they may be overwritten, as other files are later
stored on the diskette.

Regards, Henri Delger
http://pages.prodigy.com/XWWC29A
email: henri_delger@prodigy.com 

------------------------------

Date: Tue, 06 Feb 1996 12:26:53 -0500 (EST)
From: "Chris K. Skinner" <ve3ggw@igs.net>
Subject: Re: Was this a virus? (PC)
X-Digest: Volume 9 : Issue 21

Gary Navitsky <gary.navitsky@telops.gte.com> wrote:

>I would like to see if anyone can help me out here.  My home PC
>seemed to have been infected while using my AOL Web Browser.
>
>Here is a description of the problem:
>
>Everything looks OK until the PC tries to load windows, I get a
>PROGRAM TOO BIG FOR MEMORY error.  The only thing unusual from what I
>can tell is that my WIN.COM file was changed the very last time I
>used the PC.  The thing is that I know I did not change any windows
>settings.  Another unusual thing is that I just remembered that when
>I shut down the last time before all this happened, it said it is now
>ok to turn off your PC (like Win95 always does); only this time the
>message was in just plain dos text, not in big letters and color like
[snip]

Hi, I had a problem similar to yours in WFW 3.11.  I had a Gravis
Ultrasound Max sound card whose drivers would only load up 
properly in one hardware configuration.

If I changed the hardware configuration and ran the system in a different
way, the message "Not enough room for environment" (or something
equally as cryptic) would be displayed and windows would immediately
quit out to MS-Dos.  The installation of that driver screwed up my
Win3.11 operation completely.  While still running in that HW
configuration, I commented out the SYSTEM.INI references to 
driver="that sound card stuff" and any other references to that 
sound card's driver files, and voila!--the same hardware 
configuration worked again--loading windows and running as before.

Is it possible that the virus adjusted some parameters in your
windows95 configuration that would screw up your memory usage?

Hope you have a tape backup or something!

Best of luck!  Regards, Chris K. Skinner, Bytown Marine Ltd.
Nepean/Kanata, Ontario, Canada.

------------------------------

Date: Tue, 06 Feb 1996 13:46:37 -0500 (EST)
From: Jon Martin <cs95469@wolfcreek.cs.ualberta.ca>
Subject: HELP: Problem with January NAV update (PC)
X-Digest: Volume 9 : Issue 21

I just installed the latest NAV3.0 update (updateme.exe for dos/win3.1), 
and I found I have a serious problem.  When I try to scan more than one 
'thing' per session it locks and crashes.  For example:

- I start up NAV (in DOS).

- I select the directory c:\sopwith (for example) for scanning.

- NAV scans(mem, boot records, then the dir itself), and finds no viruses.

- I then select c:\waaplay (for example) for scanning.

- NAV scans the memory and boot records, dies (apparently just as it
  begins to scan the directory), and exits to DOS with this message:

    Fatal Error eca0001: .RTLink CACHE - Save File Handling
    DOS Function code 0042, Error code 4204

- DOS is now quite unstable, and if I start up other things (including
  NAV) it totally locks.

This will happen no matter what two 'things' I try to scan.  Two
directories, a dir and a disk, or two disks (one at a time).

Ugly eh?  Just so you know, I have things set up as NAV wants them (in
fact the latest update made only one change to my autoexec.bat).  I
noticed that this always happens if files=40 (as it used to be), but
files=15 (the new setup, but not enough to run a lot of other things
I have) and scanning only program files appears to be a bit more random
(sometimes I can do _three_ scans per session).

Either I have serious problems with my system (which is doubtful, as I
have never had a single problem with NAV before) or there is a serious
problem with NAV (I hope not, I need it), or a small, easy change needs to
be made that I am not aware of.  If anybody can help, let me know.  I
would hate to have to call tech support.
- - 
Serve Gonk.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jon Martin  cs95469@wolfcreek.cs.ualberta.ca  http://www.ualberta.ca/~jomartin/
Entering Department of Computing Science at University of Alberta.

------------------------------

Date: Tue, 06 Feb 1996 14:12:10 -0500 (EST)
From: zaford@airnet.net
Subject: Unknown Virus (PC)
X-Digest: Volume 9 : Issue 21

I have contracted an unknown virus and I was hoping someone out there
might know something about it.  I have run the latest version of
Norton Anti Virus with the new virus definition files, as well as the
latest version of McAfee Scan and Vsafe.  None of these programs can
find anything on my system.  However, Vsafe will pop up and give
the "program trying to write to hd boot sector" warning.  And if I let
the write go through I lose my boot sector info and have to reformat
my hard drive.  It seems only Vsafe can detect the attempt to write to
the boot sector, as NAV and McAfee do nothing.  Any suggestions?
If so please e-mail me!!!

Thanks.

------------------------------

Date: Tue, 06 Feb 1996 14:56:33 -0500 (EST)
From: zaford@airnet.net
Subject: Re: Help. Fdisk doesn't remove... (PC)
X-Digest: Volume 9 : Issue 21

RALSTRA@sara.cc.utu.fi wrote:

>Help. A device driver (think it as a virus) seems to be
>impossible to delete by any means.
>
>Now I would need some help to delete it, because it is
>causing me some problems...

Do you have a disk editor, like the one that comes with Norton Utilities?
If so, maybe you could access the location directly and write it to
zeros.

Just a thought.

[Moderator's note:  Potentially very dangerous!]

------------------------------

Date: Tue, 06 Feb 1996 15:21:45 -0500 (EST)
From: WXMBX@CUNYVM.CUNY.EDU
Subject: McAfee Software how do I obtain? (PC)
X-Digest: Volume 9 : Issue 21

I need a virus scanning software for my PC. A coworker told me about a
vendor called McAfee. He said it was free with free downloads. I find this
hard to believe but I am here to ask.

Can someone in this group please inform me about this.

Thanks,
Bill

------------------------------

Date: Tue, 06 Feb 1996 15:31:18 -0500 (EST)
From: News Group <news@zippo.com>
Subject: Sampo Virus - Help! (Disinfect??) (PC)
X-Digest: Volume 9 : Issue 21

  It looks like the Sampo virus is running rampant on three of my
machines. One of my systems is crashing constantly and it seems files
are being created continuously. (This may be another Virus??) On the
system I'm on currently I haven't noticed any effects other than the
system slowing down.

  How do I disinfect this machine? Scan won't clean it unless you run
it off a clean floppy, but I don't HAVE any clean boot floppies
anymore and this machine doesn't have a floppy drive.

  Are there any utilities I can use to eradicate Sampo without booting
off a clean floppy??
 
Thanks for the help/info!!

spencer@boron.wsc.mass.edu

------------------------------

Date: Tue, 06 Feb 1996 16:09:50 -0500 (EST)
From: pdbarcl@usa1.com
Subject: PS/2 boot sector problems-Virus? (PC)
X-Digest: Volume 9 : Issue 21

Recently I started having problems starting my 
computer (IBM PS/2 Model). At first I thought it was 
my controller card, floppy or my harddrive.  Yesterday 
I used an old copy of my IBM antivirus program which 
found and removed the Joshi virus.  However I am still 
having problems starting my computer.  Is it possible 
for a virus to prevent my computer from starting?  
When I used my Reference Diskette (PS/2s use this to 
record changes such as card additions), it returned an 
error that my boot sector could not be read.

Any help or suggestions would be greatly appreciated.

------------------------------

Date: Tue, 06 Feb 1996 16:09:58 -0500 (EST)
From: Steven Hoke <shoke@NorthNet.org>
Subject: Re: A Virus found, can anyone identify? (PC)
X-Digest: Volume 9 : Issue 21

Jurgen Schwietering <tweety@ALPcom.it> was heard to ponder:

> One floppy used by the person had the Bye-Virus on it (F-PROT from 1.96
								     ^^^^
> has found it), but it's not on the machine itself, because the Virus
> destroyed the bootsector and some directories. So I'm not sure if it has
> been the BYE-Virus or an unknown species.

Since there are new viruses being written every day, I think that one of
my first thoughts if I thought I had a virus that my scanner couldn't
identify, would be "how current is my virus scanning software?". The
scanner you're using, F-Prot 1.96, is several versions old. The current
version is 2.21, and it's available at 

ftp://ftp.coast.net/simtel/msdos/virus/ and at 
ftp://garbo.uwasa.fi/pc/virus/

- - 
- -==Steve==--

shoke@northnet.org
steven_hoke@msn.com

------------------------------

Date: Tue, 06 Feb 1996 16:26:35 -0500 (EST)
From: Ken Stieers <kens@ontrack.com>
Subject: Re: 69 Virus (PC)
X-Digest: Volume 9 : Issue 21

I'm curious, what AV software are you using??  I'm guessing it's an old
version of VirusScan by McAfee.  This virus is also known as SAMPO and
most of the major AV players can kill it, including current versions of
VirusScan. 

Ken 

- - 
Views expressed herein are not necessarily the views 
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               |  Minneapolis - 1.800.872.2599       * 
* AV Research/Apps. Eng.    |  Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  |  Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     |  London - 0800 24 39 96             *
* Eden Prairie, MN          |  Japan - 81.429.32-6365             *
*******************************************************************

------------------------------

Date: Tue, 06 Feb 1996 17:14:00 -0500 (EST)
From: John Elsbury <jelsbur@clear.co.nz>
Subject: FREE virus protection (PC)
X-Digest: Volume 9 : Issue 21

There is a common thread running through postings to this group - 
sort of "help, I have been infected by the xxxx virus".

I have had to sort out a LOT of virus infections over the last couple
of years.  Most of these have been caused by Boot Sector Viruses.

FREE protection:

(1)  Fix your CMOS settings so the PC does NOT try to boot from the 
"A" drive.  (obviously, if you have to boot from diskettes regularly,
this can be a pain).  This will stop all Boot Sector Infectors DEAD.

(2) Use the write-protect tab on your 3.5" diskettes.  It is
IMPOSSIBLE for ANY program or virus to force data onto a diskette
if it is physically write-protected.

John Elsbury

------------------------------

Date: Tue, 06 Feb 1996 17:42:04 -0500 (EST)
From: Shane Coursen <scoursen@symantec.com>
Subject: Re: Ripper and NYB (PC)
X-Digest: Volume 9 : Issue 21

In article <0036.01I0V99DGEBQPVHY7M@csc.canterbury.ac.nz>,
rxh16504@bayou.uh.edu says...

>I have the Ripper and NYB on some diskettes and have yet to find a 
>antivirus program that will clean it up.  I have Win95 and am currently 
>using McAfee for Win95 but it will not clean either one. Help?

I cannot speak for the McAfee Win95 product, but since both Ripper and 
NYB (aka: B1) have both been found in the wild for quite some time now, 
I would be very surprised to find that it does not repair.  You might 
want to contact their TS for more information.

I can tell you that Norton AntiVirus for DOS, Windows, and Win95 (a
commercial product) will detect and repair both viruses without any
problems.

- -- 
Shane Coursen                                         Symantec Corporation
Computer Virus Researcher   http://www.symantec.com/avcenter/avcenter.html
AntiVirus Research Center                                  CIS:  GO SYMWIN
scoursen@symantec.com                                            GO SYMNEW
      US Support:  541-465-8420                             AOL:  SYMANTEC
European Support:  31-71-353-111        Australian Support:  61-2-879-6577

------------------------------

Date: Tue, 06 Feb 1996 18:23:02 -0500 (EST)
From: Shane Coursen <scoursen@symantec.com>
Subject: Re: Is this a virus? (PC)
X-Digest: Volume 9 : Issue 21

In article <0032.01I0V92BM730PVHY7M@csc.canterbury.ac.nz>, 
hawkey29@hawkey29.rabbit.net says...

>I have tried the McAfee program looking for this virus.  My floppy will only
>read a disk and copy from it if the write protect is on.  The moment I
>make the disk writable I get General fail on the floppy. Does anyone
>else have this problem???

There are boot sector viruses that can cause a diskette to become 
corrupted, or no longer readable.

The most common reason is because the virus overwrites a small section
of the disk's boot sector called the BIOS parameter block (the BPB).

The BPB no longer contains the information which defines bytes per 
sector, sectors per alloc. unit, etc., and so subsequent read attempts 
to the disk are usually met with the General fail... error.  

Of course, a faulty diskette drive can also have the same effect.  

With the information you've given us, it is difficult to say what 
virus you have, or even if you really do have a virus.

- - 
==========================================================================
Shane Coursen                                         Symantec Corporation
Computer Virus Researcher   http://www.symantec.com/avcenter/avcenter.html
AntiVirus Research Center                                  CIS:  GO SYMWIN
scoursen@symantec.com                                            GO SYMNEW
      US Support:  541-465-8420                             AOL:  SYMANTEC
European Support:  31-71-353-111        Australian Support:  61-2-879-6577
==========================================================================
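
Shane's explanation above (a boot sector infector overwriting the BIOS Parameter Block so DOS can no longer read the diskette) and Henri Delger's V-Sign description earlier in this digest both turn on what lives in Sector 0 of a diskette.  The following is an added illustration, not code from any poster or product: it decodes the DOS 3.x BPB from a 512-byte boot sector, lists the fields that no longer make sense after the kind of clobbering Shane describes, and names the diskette geometry it finds, including the 21-sector-per-track "extra-density" DMF layout Bob Witham mentions above.  The three sample sectors are constructed for the example; offsets follow the standard DOS boot sector layout.  One caveat a practitioner would want: a sane BPB does not mean a clean boot sector.  V-Sign and most of its relatives leave the BPB intact (that is precisely why the diskette stays readable) and replace only the code, so this check finds damaged diskettes, not infections; a scanner is still needed for that.

```python
"""Sanity-check the BIOS Parameter Block (BPB) of a DOS floppy boot sector.

Added illustration for the VIRUS-L discussion; not code from any poster or
product.  The sample sectors at the bottom are constructed, not captured.
"""
import struct

SECTOR_SIZE = 512
BPB_OFFSET = 0x0B
# DOS 3.x BPB layout starting at offset 0x0B, all little-endian (17 bytes):
# bytes/sector, sectors/cluster, reserved sectors, FAT count, root entries,
# total sectors, media descriptor, sectors/FAT, sectors/track, heads.
BPB_FORMAT = "<HBHBHHBHHH"
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "fat_count", "root_entries", "total_sectors", "media_descriptor",
              "sectors_per_fat", "sectors_per_track", "heads")


def parse_bpb(sector: bytes) -> dict:
    """Decode the BPB fields plus the 0x55AA boot signature from a 512-byte sector."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("boot sector must be at least 512 bytes")
    fields = dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sector, BPB_OFFSET)))
    fields["oem_name"] = sector[3:11].decode("ascii", "replace").rstrip()
    fields["signature_ok"] = sector[0x1FE:0x200] == b"\x55\xAA"
    return fields


def validate_bpb(sector: bytes) -> list:
    """Return a list of problems; an empty list means DOS could interpret this BPB."""
    b = parse_bpb(sector)
    problems = []
    if not b["signature_ok"]:
        problems.append("missing 0x55AA boot signature")
    if b["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        problems.append("bytes per sector is %d" % b["bytes_per_sector"])
    spc = b["sectors_per_cluster"]
    if spc == 0 or spc > 128 or spc & (spc - 1):
        problems.append("sectors per cluster %d is not a power of two in 1..128" % spc)
    if b["reserved_sectors"] == 0:
        problems.append("reserved sectors is zero (the boot sector itself is reserved)")
    if b["fat_count"] not in (1, 2):
        problems.append("FAT count is %d" % b["fat_count"])
    if b["root_entries"] == 0:
        problems.append("root directory has zero entries")
    if b["total_sectors"] == 0:
        problems.append("total sectors is zero")
    # Diskettes carry media descriptor 0xF0; fixed disks use 0xF8 and up.
    if not (b["media_descriptor"] == 0xF0 or b["media_descriptor"] >= 0xF8):
        problems.append("media descriptor 0x%02X is not a DOS value" % b["media_descriptor"])
    sectors_per_cylinder = b["sectors_per_track"] * b["heads"]
    if sectors_per_cylinder == 0:
        problems.append("geometry has zero sectors per track or zero heads")
    elif b["total_sectors"] % sectors_per_cylinder:
        problems.append("total sectors is not a whole number of tracks")
    return problems


def classify_layout(sector: bytes) -> str:
    """Name the diskette layout, or report that the BPB cannot be trusted."""
    if validate_bpb(sector):
        return "unreadable BPB"
    b = parse_bpb(sector)
    capacity = b["total_sectors"] * b["bytes_per_sector"]
    tracks = b["total_sectors"] // (b["sectors_per_track"] * b["heads"])
    if b["sectors_per_track"] == 18 and capacity == 1_474_560:
        return "standard 1.44 MB (18 sectors/track, %d tracks)" % tracks
    if b["sectors_per_track"] == 21 and capacity == 1_720_320:
        return "DMF 1.68 MB (21 sectors/track, %d tracks)" % tracks
    return "other layout (%d bytes)" % capacity


def build_boot_sector(bytes_per_sector=512, sectors_per_cluster=1, reserved_sectors=1,
                      fat_count=2, root_entries=224, total_sectors=2880,
                      media_descriptor=0xF0, sectors_per_fat=9, sectors_per_track=18,
                      heads=2, oem_name=b"MSDOS5.0", signature=True) -> bytes:
    """Construct a boot sector with the given BPB (test data only; defaults are a 1.44 MB disk)."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xEB\x3C\x90"          # short jump over the BPB, as real boot code has
    sec[3:11] = oem_name.ljust(8)
    struct.pack_into(BPB_FORMAT, sec, BPB_OFFSET, bytes_per_sector, sectors_per_cluster,
                     reserved_sectors, fat_count, root_entries, total_sectors,
                     media_descriptor, sectors_per_fat, sectors_per_track, heads)
    if signature:
        sec[0x1FE:0x200] = b"\x55\xAA"
    return bytes(sec)


# Constructed samples (not captured from any real diskette).
STANDARD_1440K = build_boot_sector()
DMF_1680K = build_boot_sector(sectors_per_cluster=4, root_entries=16, total_sectors=3360,
                              sectors_per_fat=3, sectors_per_track=21)
# Boot sector whose BPB area was overwritten with zeros while the signature survived,
# modelling the damage described above.
CLOBBERED = bytes(STANDARD_1440K[:BPB_OFFSET]) + bytes(17) + STANDARD_1440K[BPB_OFFSET + 17:]

if __name__ == "__main__":
    for name, sec in (("1.44 MB", STANDARD_1440K), ("DMF", DMF_1680K), ("clobbered", CLOBBERED)):
        print(name, "->", classify_layout(sec), validate_bpb(sec))
```

Run against a raw sector read from a diskette image (for example the first 512 bytes of a `dd` image), `validate_bpb` returning an empty list says only that DOS will accept the geometry; pairing it with a current scanner is what tells a damaged diskette from an infected one.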

------------------------------

Date: Tue, 06 Feb 1996 18:34:23 -0500 (EST)
From: Tim H <timh@carroll.com>
Subject: Three questions (PC)
X-Digest: Volume 9 : Issue 21

Hello.  I have three questions:

1) I know that if a diskette is infected with a boot sector virus, trying
to boot from that diskette (even without system files) will cause the hard
drive to be infected.  Can a boot sector virus be transferred simply by
accessing a diskette, ie if I do a DIR on the diskette?

2) How effective is McAfee's Vshield in preventing infection?  I know it 
doesn't have a chance to work if you boot up from an infected diskette. 
But what if you run a program that has a virus?  Will Vshield prevent
infection or just notify you after-the-fact?

3) What is the low-down on detecting viruses on a 32-bit system like
Win95?  I know for a fact that Vshield will recognize viruses on
diskettes, even when you are running Win95.  Will McAfee's scan not
recognize an infected boot sector?  Will SCAN recognize infected 32-bit
programs?

Thanks in advance!

Tim

[Moderator's note:  The answer to your first question is in the FAQ, Q&A
E10--"Can I contract a virus on my PC by performing a "DIR" of an infected
floppy disk?"]

------------------------------

Date: Tue, 06 Feb 1996 18:49:22 -0500 (EST)
From: Shane Coursen <scoursen@symantec.com>
Subject: Re: TB1 Virus (PC)
X-Digest: Volume 9 : Issue 21

>Ron Bombard <bh081@freenet.Buffalo.EDU> writes:

>Anyone have any info about the TB1 virus?  We located it on one of our 
>pc's during a virus scan when we first loaded the new Norton Antivirus 
>program.  It didn't have any info about it though.  Just named and removed

In article <0017.01I0V99DGEBQPVHY7M@csc.canterbury.ac.nz>, 
cjkuo@alumnae.caltech.edu says...
>>The "TB1 virus" is a corrupted file in a "reviewer's" test set
>>(who shall remain nameless).
>>
>>It's a false id from NAV from one of their "summer '95" DAT sets.
>>
>>Jimmy

Ron,

The limited information I have on TB1 is that it is a very small 
non-resident EXE infector, and there is no known payload.  As 
Jimmy has stated, what you are seeing is probably a false id.  

The faulty detection string was removed as of 08/95, but somehow 
found its way back in.  It will be repaired for the March 96
NAV definition update.

Thank you for the report, and apologies for any inconvenience.

- - 
Shane Coursen                                         Symantec Corporation
Computer Virus Researcher   http://www.symantec.com/avcenter/avcenter.html
AntiVirus Research Center                                  CIS:  GO SYMWIN
scoursen@symantec.com                                            GO SYMNEW
      US Support:  541-465-8420                             AOL:  SYMANTEC
European Support:  31-71-353-111        Australian Support:  61-2-879-6577

------------------------------

Date: Tue, 06 Feb 1996 18:50:33 -0500 (EST)
From: Shane Coursen <scoursen@symantec.com>
Subject: Re: Viruses on floppy diskettes (PC)
X-Digest: Volume 9 : Issue 21

In article <0026.01I0V92BM730PVHY7M@csc.canterbury.ac.nz>,
dmuth@oasis.ot.com says...

>In article <0049.01I0SMTI9C6YPVGQEE@csc.canterbury.ac.nz>, Bill lambdin 
>writes:
> Yes, formatting a floppy diskette will kill all viruses; but if this is a
> boot sector, and the virus is resident (ie active in RAM) the diskette 
> has a great possibility of being re-infected after the format process.
>
>>        Also, it is helpful to keep in mind that if you are dealing with 
>>kernel infectors (MSDOS.SYS, IO.SYS) or *.com infectors that infect 
>>COMMAND.COM which are in memory when you format a disk with the /s switch, you
>>will only spread the infection to there as well.

The virus does not have to be in memory in order to transfer it 
to a disk.

For example, a multipartite virus that is unable to propagate 
from its resident portion (most common with Windows 95) can still 
be transferred to a diskette via the FORMAT command.  

How?  

Assume the initial infection of the computer's hard drive caused: 

	1) The MBR to become infected.
	2) COMMAND.COM to become infected

Now we restart the computer.  The MBR loads, thus the virus loads 
into memory.  Then Win95 loads.  Win95 effectively "disables" the 
resident portion of the virus.

At this point, accessing a diskette from Win95 or a DOS box will not 
produce an infected diskette.  BUT formatting a diskette will cause 
the infected COMMAND.COM to be transferred to that diskette.

This situation can be played out on computers with an OS other than 
Win95.  I used Win95 as an example, that's all.

- - 
Shane Coursen                                         Symantec Corporation
Computer Virus Researcher   http://www.symantec.com/avcenter/avcenter.html
AntiVirus Research Center                                  CIS:  GO SYMWIN
scoursen@symantec.com                                            GO SYMNEW
      US Support:  541-465-8420                             AOL:  SYMANTEC
European Support:  31-71-353-111        Australian Support:  61-2-879-6577

------------------------------

Date: Tue, 06 Feb 1996 20:13:26 -0500 (EST)
From: Kent Cheatham <cheatham@ionet.net>
Subject: Vshield vs Netshield (PC)
X-Digest: Volume 9 : Issue 21

Is McAfee's Vshield adequate protection for onliners? Or do I need a
net shield such as Norton's?

I run Win95 on a P-100.

Thanks,
Kent
Kent Cheatham

Please respond via email to
cheatham@ionet.net

------------------------------

Date: Tue, 06 Feb 1996 20:14:20 -0500 (EST)
From: Todd Purifoy <tpurifoy@airmail.net>
Subject: Re: Microsoft is shipping Viruses! (PC)
X-Digest: Volume 9 : Issue 21

In article <0010.01I0U3NT89X2PVGQEE@csc.canterbury.ac.nz>,
   chi@bluefin.net wrote:

>The vendor whom I purchased the original package from called me and told
>me anyone who has purchased software or computers w/ software pre-
>installed within the last 30 days could be infected with the virus NEWBUG.
>I have a hard time believing that Microsoft wasn't aware of this problem
>before I called.
>
>This virus deletes and corrupts the files on floppies.... so far.....  :|
>
>Hopefully the CD-ROM version will be free from this annoyance..

Completely untrue...MS is not shipping virii.  The second disk of Office
and of Win95 is the first disk of DMF format.  Some people cannot read
these and claim to have a virus.  

More than likely the problem here is that you already had a virus.  The
second disk is also the only disk your computer writes to.  It writes out
your name and company info to the disk for future installs.  So, if you
are infected, you are going to infect the second disk of the Office
copyset.  Then you hose it, and find a virus on it.  

You need to clean your own system before trying to install any more.  
Microsoft is NOT shipping a virus.  I have seen this hundreds of times. 
In EVERY case, we cleaned the machine, then tried a new disk (Since we
infected the 2nd disk before) and we were cool.

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 21]
*****************************************


