Message-Id: <01I13T9JMX4OPVIUA3@csc.canterbury.ac.nz>
Reply-To: virus-l@lehigh.edu
Originator: virus-l@lehigh.edu
Sender: virus-l@lehigh.edu
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V9 #22
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
X-Comment: Virus Discussion List
Date: 	Sun, 11 Feb 1996 05:59:43 EST

VIRUS-L Digest    Sunday, 11 Feb 1996    Volume 9 : Issue 22

Today's Topics:

Re: Testing AntiVirus software
Group idea
Re: Virus in commercial software ? Not my experience!
Re: Flash BIOS viruses?
Re: Virus Protection Policy
Software evaluation doc needed
Re: were wolf 1996
NetWare/Boot Sector Question (NW)
Virus On a Unix Computer (UNIX)
Re: Word Macro Prank Virus (Concept) (MAC,WIN)
Re: Word Macro Virus -- Help??? (MAC,WIN)
Re: Re: Word Macro Prank Virus (Concept) (MAC,WIN)
McAfee antivirus for Win95... (WIN95)
Re: Win95.Boza (WIN95)
Re: Win95.Boza (WIN95)
Re: Re: Windows95 Virus Scanner (WIN95)
Re: Word 6 macro virus in WordPerfect (WIN)
DOS Antivirus software under Windows? (WIN)
Re: virus scanner recommendations for wfw3.11 (WIN)
win.com nulled - swaprand bug ? (WIN)
Re: How to remove "Ekaterin" virus ? (PC)
Re: Help...Is this a virus? (PC)
Need help with BUPT virus recovery (PC)
Re: TBWEEDER - A duplicate file checker (PC)
Re: Quality Anti-Virus Programs (PC)
Re: Virus detection with NFS?? (PC)
Re: Dr.Solomon's latest (PC)
Re: V-SIGN (PC)
Re: Chinese Fish virus (PC)
Re: Virus that damages hardware (PC)
Re: ONE HALF.3544 Virus Detected (PC)
Taking Virus off ZIP Drive problem (PC)
nokernel virus (PC)
Re: Help with Natas virus (PC)
EPBR Virus ? (PC)
Re: Virus:MONKEY_B + FORM_A (PC)
Re: HELP - Still having problems with ANTIEXE virus (PC)
Re: 100 year stealth virus? (PC)
Re: KOH in Mainstream Press (PC)
Re: Ripper and NYB (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Tue, 06 Feb 1996 22:19:04 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Testing AntiVirus software
X-Digest: Volume 9 : Issue 22

MLookabaug <mlookabaug@aol.com> writes:

>In article <0005.01I06C4XA6HQOK8IBB@csc.canterbury.ac.nz>, Iolo Davidson
><iolo@mist.demon.co.uk> writes:

>>The only valid way to test the detection ability of anti-virus is 
>>with real viruses.  Obtaining a comprehensive collection of real 
>>viruses for testing is beyond the resources of most people.  
>>
>>Put those two statements together, and you have: It is not 
>>possible for most people to conduct a valid test of the detection 
>>capabilities of anti-virus software.
>
>  It seems to me that a *valid* test of AV software is one that uses
>viruses that have been found ITW, or are reasonably likely to be found
>there.  Therefore,  I dispute your stand that it is not possible for those
>outside of  the AV industry to conduct a valid test.

A valid test is defined to always be correct for the first person
but never valid for the third person.  That is, "my test" is always
valid *for me*!  But nothing you do in your test can be claimed to
be valid for me.

>  It is far too easy to obtain common viruses.  As you pointed out,
>obtaining a *comprehensive* collection of viruses is a different matter
>entirely.  I would argue that your comprehensive collection includes
>viruses that could not recreate themselves in any significant numbers ITW.
> I wonder how much programming time has been spent to classify and remedy
>strains that will only exist in the AV archives, or the HD of the
>creator...

Too much time is spent on detection of "research viruses."  We just spent
days on Boza.  Lucky that we did because it hit the news.  But it didn't
really serve any of our customers.

Jimmy
cjkuo@mcafee.com

PS.  You talked about viruses that could "likely" get in the wild.  There
is a term coined by Dave Chess of IBM, which is, "getting lucky."  (I
know, some of you have used the phrase when you were younger.)  This is
the concept that a virus just happens to be at the right place at the
right time and gets on some kind of distribution, and thus becomes ITW. 
There is no virus attribute that makes this "likely."  There are some
attributes that might make some viruses *so unlikely* to get in the wild,
that it most likely won't.  But it's also been proven that given certain
conditions, even such viruses could get in the wild.

------------------------------

Date: Wed, 07 Feb 1996 08:05:37 -0500 (EST)
From: "S. Widlake" <s.widlake@rl.ac.uk>
Subject: Group idea
X-Digest: Volume 9 : Issue 22

>>[Moderator's note:  I'm working on it...  Right now I'm still battling
>>some very odd, persistent bounces.  Hopefully by the end of this week
>>I'll have all my mechanisms in place for dealing with submissions that
>>are FAQs...]

I don't know how much you want to moderate this group though I did
notice that you bounced at least one stupid answer but I don't see
how you can justify bouncing even the most stupid question because
they need the help ;-( unless you answer them all yourself. ;-) And
that is why a, maybe crossposted, ".tech" group of discussions may
be helpful - lusers and sellers, sorry helpers, in one and experts
and lurkers in the other :-)  Whadaya think ?

>>Say, how's about splitting the group into comp.virus - moderated
>>just to discard "harmful" posts - and "comp.virus.tech" for just
>>the more technical discussions for Vess. et. al.
>
>I like the idea also

How much support do we need ?

S.

[Moderator's note:  I don't post roughly duplicate questions if asked
within a week or two, if a reasonable response to the earlier question has
been posted.  In the last week I could have posted more than one digest of
"Is Good Times real?", "Email virus warning", "What's Parity Boot?", "What
is AntiEXE?", "How does Concept work?", "What's Monkey?", "What's this new
Win95 virus?" and "What's Form?" messages.  I send the submitters of these
duplicates a brief note explaining their question has recently been asked
and answered and suggest they look for followups in similar threads.]

------------------------------

Date: Wed, 07 Feb 1996 09:45:21 -0500 (EST)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: Virus in commercial software ? Not my experience!
X-Digest: Volume 9 : Issue 22

support@vse.ac-copy.com wrote:
: >Date: Tue, 30 Jan 1996 15:56:44 -0500 (EST)
: >From: Doug Muth <dmuth@oasis.ot.com>
: >
: >       Well, I don't have the numbers to back this up, but I believe
: >that the most infections come through commercial packages.  Probably

Don't know about most: some certainly do.

: >because people who buy them think that because they come from some big
: >company that they are virus free.

Certainly a factor.

: WHAT?

: Excuse my shouting, but this seems like genuine bovine excrement to me.
: Although I cannot come up with any statistically relevant numbers, I can
: tell from

But I'm afraid there's more than a grain of truth in it.

: my local (Western Europe) experience:
: Nine out of ten contaminations are of the boot sector variety, either

Yes, many infections are boot-sector, though the spread of macro viruses
may have altered the proportions of file virus to BSI significantly.

: booting accidentally a "data diskette" or some (pirated) games...

The type of diskette (whether it's bootable and what type of files it
contains) is not really germane to this issue. Informed opinion seems to
be that the implication of pirated software is overstated. Apart from
anything else, I'm sure antivirus software gets pirated, too....

I have personal experience of three incidents involving disks containing
games. One was second-hand: one was a brand-new commercial package: one
was probably pirated, but the fact that it happened to be a game isn't
really relevant. It could just as easily have been QEMM, or WordStar, or..

: Over 75% of all infections I have seen are Tequila and ParityBoot.B
: viruses. Most of the rest are (for this hood) less common boot sector
: infectors, and very occasionally a leftover Cascade variant. In fact this
: is the only file infector I have ever encountered ITW.

: And, yes, I have encountered viruses on manufacturers' diskettes, but all
: of them were on some obscure drivers for even more obscure far east cheap
: hardware add-ons. Except for a well known macro virus, which was in
: Germany distributed (accidentally) by the manufacturer of the corresponding
: macro-able product...

I can't comment about the virus incidents you've encountered personally,
of course. However, major manufacturers *have* distributed viruses.
Microsoft are known to have distributed FORM and Concept (and I've heard
reports of them distributing other viruses). Aldus and Novell are other
names which have been quoted in this context. Bear in mind that major
manufacturers don't necessarily duplicate their own diskettes/CDs. A disk
image may be contaminated between leaving the maker and undergoing the
duplication process. A number of magazines, at least one of them still in
business, have inadvertently distributed viruses.

There are also instances of preformatted disks being infected. Again,
this relates to a contaminated disk image.

I have a packet of pre-formatted disks at home from a major high-street 
dealer with a high European profile. Each disk emerged from the packet
with 3 (harmless) files on it.

I've seen not only infected disks from major manufacturers, but brand-new
PCs from reputable dealers arriving already infected (one of them was
mine, and the virus was Michelangelo). In the US, I believe returned 
software is frequently re-shrinkwrapped and sold on by computer stores.

Most of the infections round here come from reputable third-parties:
engineers, trainers etc. 

Paranoid, me? Yep....

David Harley

------------------------------

Date: Wed, 07 Feb 1996 10:34:09 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Flash BIOS viruses?
X-Digest: Volume 9 : Issue 22

Mark Olson <molson@apollo.tricord.com> writes:

>  A quick check on PC's in use here shows me that most
>people leave the jumper in flash-bios motherboards in
>the "allow programming" position.

"Ease of use" and "Security exposure" usually go hand in hand.

>  This brought up the question: Is a virus possible that
>could alter the contents of flash memory on popular 
>motherboards (such as the Intel series) to infect the
>machine?  Do such viruses already exist?

Some code was published in a virus writers' magazine to do this.
This code did not work.  It required too much free space to insert
itself.

There is a problem with flash bios viruses.  Primarily, one would
need to be a directed virus.  The bios is so full of required things,
it would be near impossible for a virus to "add" itself to the bios,
as was shown with the previous attempt.

>  Perhaps it is prudent to make sure the jumpers
>on these motherboards are always set to "off".

"Ease of use" and "Security exposure" usually go hand in hand.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Wed, 07 Feb 1996 10:43:03 -0500 (EST)
From: Jonathan Burt <jonathan@jaburt.demon.co.uk>
Subject: Re: Virus Protection Policy
X-Digest: Volume 9 : Issue 22

In article <0003.01I0SMTI9C6YPVGQEE@csc.canterbury.ac.nz>,
netwise@hevanet.com writes
>I am in search of a sound policy which deals specifically with the
>protection of an organization information resources through the
>introduction of both internal and external Viruses.  The policy will 
>include: procedures for users to follow, administrators actions
>required, Internet usage, workstation and network based software
>solution, and any other relevant issues that need to be addressed.

Well, the policy I have is that all PCs connected to the network have
their floppy drives removed.  There is a dunk tank PC in my office;
if someone needs software/files on the network, it comes through me
via the dunk tank, and I place the files onto the server.

This makes sure no one except me has access to floppies, and everyone
knows that.  It's not a bind, as most transfer of files normally happens
in house, so that's what the network's for.

This has worked fine for just about a year now, and I have caught 3
viruses coming into the building from external sources (even though one of
them denied having a virus problem).

Hope this helps,
  Jonathan
- - 
Jonathan Burt
IT Manager
Medina Housing Association Limited

------------------------------

Date: Wed, 07 Feb 1996 11:56:39 -0500 (EST)
From: "Dr. Gerry Santoro" <gms@psu.edu>
Subject: Software evaluation doc needed
X-Digest: Volume 9 : Issue 22

Sorry if this is an obvious question, I just read and reread the FAQ
without finding the answer.  (I've also searched dozens of WWW
virus sites to no avail.)

I am looking for a document, article or whatever that lists,
compares and evaluates (if possible) the current best antivirus
packages for different platforms.

With such a document (if it exists) we can provide our users with
a set of recommendations for antivirus software.

If any such item exists, could someone please send me email
with a reference?

Many Thanks

gerry santoro
academic computing/speech communication
penn state university

[Moderator's note:  Hopefully the recent posting of Rob Slade's ongoing
reviews of popular AV s/w has helped.  Also, there is quite a discussion
of using a layered approach to solving "the virus problem" in the FAQ,
which takes the view that no single product or form of AV s/w is likely to
be close to adequate (but -you- have to decide what level of residual risk
you are prepared to stand -before- you can make a final decision on what
combination of methods and products suits your situation).

Also, see Graham Cluley's comments in "Re: virus scanner recommendations
for wfw3.11 (WIN)", elsewhere in this digest.]

------------------------------

Date: Wed, 07 Feb 1996 12:25:36 -0500 (EST)
From: Francois PAGET <le10@calvanet.calvacom.fr>
Subject: Re: were wolf 1996
X-Digest: Volume 9 : Issue 22

Super D <perderea@worldet.net> writes:
> Does anyone know the new virus WEREWOLF 1996 ?

I know 7 viruses written by a (french ?) guy nicknamed WEREWOLF.

Virus Name: SWEAP HOME.658 
Discovered:  November, 1995
Origin:      France
Eff Length:  658 - 674 Bytes
Type Code:   Parasitic Resident .EXE infector 

Virus Name: CLAWS 
Discovered:  December, 1995
Origin:      France
Eff Length:  684 - 700 Bytes
Type Code:   Crypted Parasitic Resident .EXE infector 

Virus Name: CLAWS.FANGS 
Discovered:  December, 1995
Origin:      France
Eff Length:  685 - 701 Bytes
Type Code:   Crypted Parasitic Resident .EXE infector 

Virus Name: SWEAP HOME.678 
Discovered:  January, 1996
Origin:      France
Eff Length:  678 - 694 Bytes
Type Code:   Crypted Parasitic Resident .EXE infector

Virus Name: BEAST.1208
Discovered:  January, 1996
Origin:      France
Eff Length:  1208 Bytes
Type Code:   Parasitic Resident .COM and .EXE infector 

Virus Name: SCREAM.1152
Discovered:  January, 1996
Origin:      France
Eff Length:  1152 Bytes
Type Code:   Parasitic Resident .COM and .EXE infector

Virus Name: FULLMOON.1367
Discovered:  January, 1996
Origin:      France
Eff Length:  1367 Bytes
Type Code:   Crypted and Polymorphic Parasitic Resident 
COM and .EXE infector 

Perhaps your virus is the SCREAM.1152 virus, because it contains the
string WEREWOLF 1996; the others contain 1994 and/or 1995.

Francois
le10@calvanet.calvacom.fr
Francois PAGET
McAfee France
Tel : +33 1 44 90 87 46
Fax : +33 1 45 22 75 54

------------------------------

Date: Wed, 07 Feb 1996 14:08:30 -0500 (EST)
From: A Bruce Peck <bruce_peck@aici.com>
Subject: NetWare/Boot Sector Question (NW)
X-Digest: Volume 9 : Issue 22

A subsidiary company in our organization ran across an interesting 
situation on a NetWare (I believe 3.12) server recently and I am 
curious as to why this occurred and should we have been concerned.
The server was taken down for maintenance and when brought back up 
Norton AV NLM scanned the DOS memory and boot sectors and warned that 
Michelangelo was present.  I instructed the administrator to take the 
server down and cold boot from a clean, write-protected diskette and 
scan the server drives, treating it basically like a normal PC 
infection.  NAV found nothing in this scan. Neither did McAfee nor
Thunderbyte.  Brought the server back up and NAV NLM still said
Michelangelo was there.  Cold booted again and used a copy of F-Prot 
which found and cleaned the virus.

Since then someone told me that it is common on NetWare servers for 
the DOS boot sector NOT to be at track zero on the server drive(s) but 
can be moved elsewhere.  Since the NAV NLM is loaded in NetWare it 
knows where this boot sector is and saw Michelangelo.  This person 
also said that I should not be concerned about this infection since 
Michelangelo could never activate since it was not on the track zero 
boot sector.  

Questions:
1) Why did NAV for DOS, McAfee, and TBAV *not* find Michelangelo when 
scanning from a cold boot?  Do they only look for boot info at track 
zero?  How did F-Prot find it?
2) How does the DOS boot sector get moved?  Does NetWare installation 
do this?
3) Should I be concerned about the infection if not in a track zero
boot sector?
4) How the heck did Michelangelo get to the boot sector if it was not 
at track zero?

Bruce_Peck@aici.com

------------------------------

Date: Wed, 07 Feb 1996 02:38:15 -0500 (EST)
From: John w Pruitt <pruittj@world.std.com>
Subject: Virus On a Unix Computer (UNIX)
X-Digest: Volume 9 : Issue 22

Last night, I went to my project management class.
I was told by a computer security expert who works
for the Army that Unix computers cannot be attacked by
viruses.  So I mentioned, what about the worm
that attacked the Internet?  He said that a virus
is a virus and a worm is a worm.  They're like
apples and oranges, he said.

I was wondering if there are any Unix viruses out there?
Do host managers use a virus checker when they boot
their hosts?

And what computer language is Unix written in?  I
have always assumed it was written in C.

Thanks for your help

John W. Pruitt
 
(Forever Learning is a great way to be) 

[Moderator's note:  You may have learnt quicker had you looked in the FAQ
first!  8-)  Q&A C7 deals with UNIX viruses and comments on "mainframe"
viruses in E7 are also relevant to your question.]

------------------------------

Date: Wed, 07 Feb 1996 09:37:52 -0500 (EST)
From: A Bruce Peck <bruce_peck@aici.com>
Subject: Re: Word Macro Prank Virus (Concept) (MAC,WIN)
X-Digest: Volume 9 : Issue 22

Based on this discussion, FWIW I add the following comments below:

>>:    Sub MAIN
>>:       DisableAutoMacros
>>:       MsgBox "AutoMacros off!", "Safety First!", 64
>>:    End Sub
>>
>Is an excellent solution except would suggest substituting "-1" for 
>the "64" - that way the message appears on the status line and the 
>user does not have to clear a dialogue box.
>>
>>Thanks. That button has been annoying to have to get rid of it
>>before it opens the document. You sure do have to look quickly for
>>that message to appear on the status line though. Blink, and it's
>>gone.

Prior to protection macros being distributed by Microsoft (i.e., 
scanprot.dot), we wrote our own for internal company use.  It uses the 
"DisableAutoMacros" as the basic device (although we know that this 
will not stop everything) but did not display a message box nor 
display a message on the status line.  We instead installed a 
two-button toolbar at the bottom of the WORD window which lets the 
user know that the protection is active upon loading WORD.  The 
buttons, when clicked, allow the user to deactivate and then 
reactivate the macro protection.  This is necessary as WORD "Wizards" 
are considered auto-macros and are not available when automacros are 
turned off.  Many people in our company use the Wizards.  We also have 
a Legal Document database system that uses WORD as its text processor 
and uses automacros extensively to automate tasks in that system.  The 
protection must be turned off when using that system.

>BTW the "SCANPROT.DOT" Micro$oft includes with WD1215 has two major 
>flaws IMNSHO:
>1) It allows the user to turn automacros back on
>2) Does not check on files opened by a doubleclick on a ccMail 
>attachment (think it uses same mechanism as "drag & drop" - see the 
>fine print inside the README)

1) IMHO in a corporate environment, there are legitimate reasons that 
a user may need to turn automacros back on (see above).
2) Don't know about other mail systems, but when using cc:Mail anyway, 
double clicking on a WORD document attachment and "running" WORD 
causes cc:Mail to make a temporary copy of the attachment on the local 
drive.  WORD is then launched using the temp file name as an input.  
This bypasses the normal File/Open sequence so protection items like 
scanprot do not work there.  For macro viruses like Concept you are 
still OK however, because upon closing WORD (after looking at the 
infected attachment document) scanprot sees that the normal template 
contains the concept macros and gives you an opportunity to close WORD 
and save normal.dot without the Concept macros.  This will only work 
for Concept however as the scanprot macros are looking specifically 
for the Concept macro names.

This is all from my own modest testing in our corporate environment.
Take it FWIW.

Bruce_Peck@aici.com

------------------------------

Date: Wed, 07 Feb 1996 11:59:46 -0500 (EST)
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Word Macro Virus -- Help??? (MAC,WIN)
X-Digest: Volume 9 : Issue 22

In-Reply-To: <01I0WU2LIE4YPVHY7M@csc.canterbury.ac.nz>

Al Proulx <aproulx@julian.uwo.ca> writes:

> I know this will sound like a very simple question, but maybe if
> someone has answers for me they can reply by e-mail instead of
> cluttering up the newsgroup.  I've been hearing so much about
> this MS Word Macro virus

Which one?  There are several - eg. Concept, Nuclear, Hot, Colors, DMV.  
I suspect you mean Concept which is the most common macro virus by a long 
way.

> -- I've read all the recent articles on comp.virus.  But I really
> don't know WHAT IT IS EXACTLY??  Does it only activate if you read mail
> with MS Word; Can it be activated by running other macros; etc...???
> I don't mean to bother everyone with what might seem like a rhetorical
> question, but every posting I've read only deals with how to avoid the
> virus, & doesn't really tell me what it is!  Thanks!

Basically you catch Concept by reading an infected document.  When the 
document loads into MS Word the word-processor sees that it has an 
auto-executing macro and runs that.  This is how the infection activates. 
You'll find a full and detailed description of the various Word macro 
viruses and trojans (and the new AmiPro macro virus, GreenStripe) on our 
webpage:

   http://www.drsolomon.com
   
Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Wed, 07 Feb 1996 11:59:43 -0500 (EST)
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Re: Word Macro Prank Virus (Concept) (MAC,WIN)
X-Digest: Volume 9 : Issue 22

In-Reply-To: <01I0WU2LIE4YPVHY7M@csc.canterbury.ac.nz>
Robert Michael Slade <rslade@freenet.vancouver.bc.ca> writes:

> Feng Chen (phys91@menudo.uh.edu) wrote:
> : virus.  It was found by McAfee 2.0e (1/4/96 version) and can only
> : be deleted.  Using f-prot 211 only tells me it "contains WordMacro
> : search string Concept".
>
> This is to be expected.  Because of the data structures of OLE files (as
> Vesselin has found out at some cost), disinfection of Word data files
> infected with Word Macro viruses is a significant problem.  It isn't a
> simple task, and the best solution *is* to delete the infected data
> file.  (You can save the data, although not the formatting, by saving as
> a "text only" file.  Unless someone has now written a macro virus that
> takes over that too?)

Dr Solomon's FindVirus (an evaluation version is available from our 
website) can identify and clean-up Concept and other macro viruses 
properly.

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Wed, 07 Feb 1996 07:47:09 -0500 (EST)
From: CHIU Chong Kan <ckchiu@cs.cuhk.hk>
Subject: McAfee antivirus for Win95... (WIN95)
X-Digest: Volume 9 : Issue 22

I've just noticed that McAfee has released ViruScan 2.3.0 beta.  Anyone
knows if there exists a version for Win95 ?  Seems that the removal of
MS-Word Macro virus is supported only in this new engine with new virus
datafile v96-02.  Thanx.

C.K.

------------------------------

Date: Wed, 07 Feb 1996 10:59:33 -0500 (EST)
From: Dmitry Gryaznov <er86@dial.pipex.com>
Subject: Re: Win95.Boza (WIN95)
X-Digest: Volume 9 : Issue 22

sysop@command-bbs.com wrote:
> 
> Win95.Boza
> 
> The virus checks some data (the system date?) and in some cases 

Yes, it's the system date. And the virus triggers on the 31st of any month.

> displays the messages:

The message is displayed in a dialogue box.

- - 
Sincerely,                    | VirusLab, S & S International PLC.
     Dmitry O. Gryaznov       | Alton House, Office Park, Gatehouse Way,
Senior Virus Research Analyst | Aylesbury, Bucks HP19 3XU, United Kingdom
E-mail: grdo@ibmpcug.co.uk    | Tel: +44 (0)1296 318700 Fax: +44 (0)1296 318734

------------------------------

Date: Wed, 07 Feb 1996 11:59:44 -0500 (EST)
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Win95.Boza (WIN95)
X-Digest: Volume 9 : Issue 22

In-Reply-To: <01I0Y6DLM17GPVHY7M@csc.canterbury.ac.nz>
sysop@command-bbs.com (Keith Peer) writes:

> The virus checks some data (the system date?) and in some cases displays
> the messages:

The date you are looking for is the 31st of any month.  You will find 
further information about this virus at our website:

   http://www.drsolomon.com/vircen/boza.html

We also have a screenshot of what the dialog looks like there, AND a 
detection driver which allows users of Dr Solomon's to detect this virus 
(not that there is any reason to believe this virus is in the wild of 
course)

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Wed, 07 Feb 1996 11:59:47 -0500 (EST)
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Re: Windows95 Virus Scanner (WIN95)
X-Digest: Volume 9 : Issue 22

In-Reply-To: <01I0WU2LIE4YPVHY7M@csc.canterbury.ac.nz>
wna <wna@wna.net> writes:

> I have used McAfee's and Dr. Solomon. I am more impressed with Dr.
> Solomon. It found the ANTIEXE.A strain on some floppies that McAfee
> did not find. The interface was good and the manuals excellent. )

Dr Solomon's uses the same virus-finding engine in its Win95 (and NT, 
OS/2, Win 3.x, NetWare, etc etc) versions as the DOS version.  So all 
platforms find precisely the same number of viruses.  Obviously this is 
pretty handy when new threats like the macro viruses come along.

> Except the Anti-Exe is not on page 80 as the index says.

Ooops - we're working on a new version of our paperback Encyclopedia.  
We'll obviously have to fix the index. :-)

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Tue, 06 Feb 1996 22:32:28 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Word 6 macro virus in WordPerfect (WIN)
X-Digest: Volume 9 : Issue 22

Gerard Petersen <gerard.petersen@pi.net> writes:

>If I get an infected Word document and I normally use WP 6.1 for
>Windows, do I still have a virus if I convert the document to
>WP6 format and delete the Word document?

No.  The macro languages of the two are different.  And the
macro concept is different too.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Tue, 06 Feb 1996 23:14:41 -0500 (EST)
From: ggreco@netcom.com
Subject: DOS Antivirus software under Windows? (WIN)
X-Digest: Volume 9 : Issue 22

I have a PC with Windows 3.1, and I use F-Prot antivirus software
for DOS. I know that F-Prot is set up OK for DOS. I have "Virstop"
set up as a TSR in memory, and Virstop will halt the system if it
detects a virus while loading a DOS file (.exe, .cmd, etc).

Does an antivirus like F-Prot for DOS also protect against a virus
while I am operating Windows 3.1....will F-Prot halt the system
if it finds a virus while running a Windows 3.1 file?

Does McAfee antivirus also need to have the "Windows antivirus files"
active in order to protect while in Windows 3.1, or is that only so that
a "possible virus message" will appear while in Windows 3.1?

I have run F-Prot "Scan" on my Hard Drive and the Hard Drive is clean.
I am NOT having any virus problems....but I am curious to know if I need
Windows 3.1 antivirus software in addition to my DOS antivirus software.

Any knowledgeable comments would be greatly appreciated.

Why was Windows 95 released without antivirus software...just wondering.

Thanks for your comments.

Regards....................Gerald Greco
					ggreco@netcom.com

------------------------------

Date: Wed, 07 Feb 1996 12:25:33 -0500 (EST)
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: virus scanner recommendations for wfw3.11 (WIN)
X-Digest: Volume 9 : Issue 22

In-Reply-To: <01I0VDLJNR1UPVHY7M@csc.canterbury.ac.nz>
Scott Eggleston <scotte@ix.netcom.com> writes:

> i wish to know what the consensus is (if there is one) of what the
> best virus scanning software is for wfw3.11.

This is a really difficult question to answer.  The problem being, what 
do you mean by best?  

Best at virus detection?  Best at virus identification (different from 
detection)?  Best at not giving false alarms?  Best at scanning inside 
compressed and archived files?  Best at finding new and unknown viruses?  
Best in terms of memory requirement?  Best in terms of on-access virus 
interception?  Best at repairing virus infections?  Best technical 
support?  Best at administration in a corporate environment?  Best user 
interface? etc etc

You can see that it's not that simple.  But most people tend to mean 
"best at detecting viruses".  There are a number of independent 
comparative reviews done by the likes of Virus Bulletin, University of 
Tampere etc on the web.  Some of these can be found at our website, and 
we also have links (gasp!) to other anti-virus vendors who are no doubt 
providing similar information.

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Wed, 07 Feb 1996 12:56:21 -0500 (EST)
From: Ben of Bens <b.halstead@ic.ac.uk>
Subject: win.com nulled - swaprand bug ? (WIN)
X-Digest: Volume 9 : Issue 22

I'm running W4W 3.11 on my home machine and one at work (both 486s).
Last night windows gave an error message on loading
	32 bit disk access driver failed to load
	the address for hard drive addressing has changed

McAfee found the virus V-Sign but apparently that doesn't act this way.
(And it has been removed.)

However win.com was altered to a 0 byte file.

On starting up at work this morning I had the same problem.

Dr Solomon's finds no viruses on this machine.

Both machines have been running Swaprand - a shareware program that
alters the windows start-up display.  This program does alter the size
of win.com.

I have removed Swaprand from the work hard drive and Windows does now
appear to be running normally, so hopefully it was just a bug in Swaprand;
however, I would appreciate reassurance/any useful information.

Thanks

Ben

[Moderator's note:  V-Sign, being a BSI/MBR infector, -is- likely to upset
Windows' 32-bit disk driver.  You should be able to fix the "broken"
WIN.COM by running the Windows Setup program (SETUP.EXE) from the Windows
dir in DOS.]

------------------------------

Date: Tue, 06 Feb 1996 22:47:49 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: How to remove "Ekaterin" virus ? (PC)
X-Digest: Volume 9 : Issue 22

Graham Cluley <sandspm@cix.compulink.co.uk> writes:
>In-Reply-To: <01I0LP4Q7OWKPCQYD3@csc.canterbury.ac.nz>
>Takashi Hirano <hirano@ti.com> writes:
>
>> A virus, "Ekaterin", was detected on the two PC of our section by IBMAV
>> software.  We tried to remove the virus but failed.
>>
>> Does anyone know how to remove the virus, "Ekaterin".?
>> Any information would be appreciated.
>
>Ekaterin is more familiarly known as "Russian Flag" or "AntiEXE".  Here 
>is some information from Dr Solomon's:
>
>AntiEXE
>
>Aliases: NewBug, D3, CMOS4, Russian Hook, Russian Flag, Ekaterin, Slydell.

Whoa!

AntiEXE has a code check against a certain EXEHDR.

Russian Flag shows a Russian flag on the screen.

I hope my memory isn't leaving me.  But I recall the naming issues
when the latter came up for naming (Ekaterin:IBMAV, Slydell:old McAfee,
Russian Flag:most).  And AntiEXE was already a virus for a year by that
time.

It may be that you or another product detects them as the same.  But
it's not the same virus.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Tue, 06 Feb 1996 23:33:09 -0500 (EST)
From: DGoth39899 <dgoth39899@aol.com>
Subject: Re: Help...Is this a virus? (PC)
X-Digest: Volume 9 : Issue 22

We are using the PC-cillin anti-virus protecting software and it seems to
be doing just fine.  It is pretty economical and you get one year of free
virus updates.

------------------------------

Date: Wed, 07 Feb 1996 01:03:57 -0500 (EST)
From: Louis Benton Sr <tinker@waynesworld.ucsd.edu>
Subject: Need help with BUPT virus recovery (PC)
X-Digest: Volume 9 : Issue 22

Trying to recover from "BUPT 9146, Beijing!" virus.  Rebuilt MBR including
constructing a Partition Table to create a single partition using 16 heads,
38 sectors, and 684 tracks.  Although FDISK from a floppy-booted disk
shows the correct partition, it also says total disk size is 12 MB.

Using Norton, the first 32 sectors are ok, the next three show disk
errors, and sector 36 becomes the first sector of the next "head".  The
disk is a Toshiba MK2224FC Rev 1.0513 and the computer is a Toshiba T4600
laptop.  The physical parameters from the disk are as expected with 3251
cylinders, 32 sectors, and 4 heads.  According to Toshiba, the logical
setting should be 16 heads, 38 sectors, and 684 tracks.

The parameters for the HDD are set up automatically in this system. 
Toshiba reps seem to think the problem is a hardware problem, but since it
occurred at the same time as the virus, I think that is unlikely.  The
appearance is as if the physical parameters are being used by DOS instead
of the logical parameters.

I would like to save the contents of the drive, but even abandoning them,
it appears that there is no way to circumvent this new 12 MB limit.  Does
anyone have any ideas?

Louis Benton

------------------------------

Date: Wed, 07 Feb 1996 01:54:23 -0500 (EST)
From: James Milne <milnejr@dpi-gw.ind.dpi.qld.gov.au>
Subject: Re: TBWEEDER - A duplicate file checker (PC)
X-Digest: Volume 9 : Issue 22

Bill Moblin <bmoblin@moblin.iexpress.com> writes:

> I'm looking for a program called TBWEEDER, a duplicate file checking
> utility - it's written by the same people who produce ThunderByte
> Anti-Virus, so I figured this would be a good place to ask about it.

Norton's (V9.0) Space Wizard (SpaceWzd.exe) will do this.  It detects
duplicate files on your hard disk and a few other things.

Regards,
James.

------------------------------

Date: Wed, 07 Feb 1996 04:04:20 -0500 (EST)
From: Henrik Stroem <hstroem@hood.ed.unit.no>
Subject: Re: Quality Anti-Virus Programs (PC)
X-Digest: Volume 9 : Issue 22

In article <0027.01I0OMT1IGNYPVG5DD@csc.canterbury.ac.nz>,
Vesselin Bontchev  <bontchev@complex.is> wrote:

>> I don't want to incite a flame war here, but when did F-Prot become 
>> freeware or even $1 ware? 
> 
> Quite a long time ago - in version 2.00, if not even earlier.

But then it stopped somewhere around 2.1x?

>> I just recently got quotes from several AV 
>> manufacturers, and the makers of F-Prot were willing to sell me a 2,000 PC
>> license for around $17,000 which is a long way from $1 per computer.  I 
> 
> You have got the *commercial* version of our product - which is more
> expensive, but also contains more. The freeware version (which is
> freeware only for individual use and costs one dollar per machine per
> year for corporate use - $0.75 for educational institutions) contains
> only an on-demand scanner (F-PROT) and a memory-resident scanner
> (VirStop). The professional version contains also an integrity checker
> (F-CHECK), an integrity shell (CheckStop), a Windows version of the
> on-demand scanner, a scheduler, a VxD implementation for Windows, etc.

Well, actually Vesselin, I've been trying to purchase the English
shareware version of F-Prot for years now, without succeeding. Frisk
does not reply, and sales@complex.is says I cannot PAY for the
"shareware" version. They say I ***MUST*** buy the Commercial,
Norwegian, F-Prot Professional (some other product, as you say
yourself). In fact it seems like the "Shareware" version of F-Prot is
not actually Shareware at all. At least not if you are accessing the
Internet from e.g., Norway, or most other countries in the world which
happen to have some agreement with Frisk Software International.

A couple of years ago (if not more), I advised the University of
Trondheim to purchase a site license for the Shareware version of
F-Prot. It being on the Internet makes it very easy to get upgrades in
a timely manner. It contains a scanner and a resident scanner. Nothing
more. Which is exactly what we want. The scanner.

They followed the instructions that come with the "shareware" version
of F-Prot, and sent their order, and their money, directly to Iceland.
  (Even the current order.doc file contains instructions on how to
  send the money if you are located in e.g., Europe... )
After a while, Frisk Software International returned the money, or
rather transferred it to the Norwegian distributor of F-Prot
Professional. The Norwegian distributor called the University and
asked for the "rest of the money"! They, of course, wanted an amount
ten times more than the cost of the "Shareware" version. In the end
the University just asked to get their money back, and they purchased
another anti-virus program, from another company.

Still today I am trying to get the University to buy the "Shareware"
version of F-Prot, which is still a good scanner. And, I think they
would still be interested. Now I don't have to send E-Mail to Frisk 
(He doesn't reply anyway ;-0), I can just send mail to sales@complex.is!

And they actually replied (to my first E-Mail anyway ;-0). They apologized 
for any inconvenience it may cause me, but they do NOT _sell_ the 
"shareware" version of F-Prot!

They refused to take my order (for 2500 machines), and told me to go buy
this other product (F-Prot Professional), from some other company (PDI
Gruppen AS), in some other country (Norway).

I was not too pleased with this, so I sent them another mail, wanting
them to confirm that what they label and distribute on the Internet
and on lots of BBSes, and other places, as a "Shareware" version, can
not actually be bought! Of course, they never replied...

So, remember next time you post to comp.virus, that F-Prot might not
actually be bought for $ 1.00 or less. Actually it cannot be bought at
all, according to Frisk Software International. This is valid for most
people in the world today. I think only a couple of well known
countries are excluded from this "inconvenience". The documentation
claims that people in the USA can buy the "Shareware" version, but the
same documentation also includes instructions on how to send your
money to Iceland if you are located in Europe... 

Fed up,

Henrik Stroem

- --
Not speaking for anybody but himself

------------------------------

Date: Wed, 07 Feb 1996 05:58:41 -0500 (EST)
From: Fridrik Skulason <frisk@complex.is>
Subject: Re: Virus detection with NFS?? (PC)
X-Digest: Volume 9 : Issue 22

In <0018.01I0SMTI9C6YPVGQEE@csc.canterbury.ac.nz> Duncan Phillips
<cmtdmp@mail.soc.staffs.ac.uk> writes:

>number of files infected with the KBUG1720 virus.

sounds like a standard SCAN false alarm to me....

-frisk

- - 
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Wed, 07 Feb 1996 11:59:42 -0500 (EST)
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Dr.Solomon's latest (PC)
X-Digest: Volume 9 : Issue 22

In-Reply-To: <01I0Y6DLM17GPVHY7M@csc.canterbury.ac.nz>
mporadzi@maildrop.srv.ualberta.ca (Monkey is Cindy) writes:

> What's with Dr.solomon's. First I have a hard time scanning its files,
> then it reports funny warnings with all my other virus scanning
> programs. I have removed the program for now, but is anyone else
> having the same problem?

Err.. you're not very clear as to what the problem is.  Could you tell us
which version of Dr Solomon's FindVirus you are using, which command-line
options you are using, and the precise message displayed on the screen?

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Wed, 07 Feb 1996 12:05:38 -0500 (EST)
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: V-SIGN (PC)
X-Digest: Volume 9 : Issue 22

In-Reply-To: <01I0WU2LIE4YPVHY7M@csc.canterbury.ac.nz>

Mic Chow <zen@ubd1.vdospk.com> writes:

> I have run across a virus which McAfee 2.2.6 named V-SIGN.
> I have checked with VSUM 9512.  It has nothing on this virus.
>
> What the heck does this thing do?  How does it infect things?  What's
> the scoop on it?

Here's some information from Dr Solomon's:

V-Sign

Aliases: Cansu, Sigalit

Type:  Memory-resident boot and partition sector virus.

Affects:  Floppy and hard disks.

File Growth:  N/A

Description:    
This boot and partition sector virus infects hard disks and diskettes on
read and write access (e.g. DIR command).  V-Sign is slightly
polymorphic: it changes the order of some instructions on every infection,
resulting in six slightly different "incarnations".  The virus is able to
detect disks infected with the Stoned virus. In this case V-Sign removes
Stoned from the disk to reinfect it with itself.  If the virus succeeds
in infecting 64 disks since the last system boot, it triggers: a big
V-sign is displayed on the screen and the computer hangs.

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Wed, 07 Feb 1996 12:38:23 -0500 (EST)
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Chinese Fish virus (PC)
X-Digest: Volume 9 : Issue 22

In-Reply-To: <01I0V91M1894PVHY7M@csc.canterbury.ac.nz>

Long Live PBS <t.voo@ic.ac.uk> writes:

> Anyone know about the "Chinese Fish virus" which attacked our PC
> this morning?

Here is some information from Dr Solomon's:

Chinese Fish

Alias: Fish Boot

Type:  Memory-resident boot and partition sector virus.

Affects:  Floppy and hard disks.

File Growth: N/A

Description:
This boot and partition sector virus infects the hard disk when the PC is
booted from an infected floppy. Then it infects diskettes on read or write
access (e.g. DIR command).

When active in memory, the virus stealthes both infected partition sector 
and infected boot sectors on floppies.

If a disk infected with Chinese Fish is then infected with Stoned virus, 
Chinese Fish removes Stoned from the disk, leaving it infected with just 
itself.

Starting from 1992, on 1st, 11th, 21st and 31st of every month when a PC 
is booted from an infected disk, Chinese Fish displays the following 
message:

Hello! I am FISH, please don't kill me. Congratulate 80th year of the 
Republic Of China Building,Fish will help to kill stone Written by 
Fish in NTIT. TAIWAIN  80.10.18

> Anything to scan this virus.

Dr Solomon's can identify reliably, clean-up and intercept this virus.  
You can download an evaluation version of Dr Solomon's FindVirus from our 
website.

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Wed, 07 Feb 1996 13:02:53 -0500 (EST)
From: Claus Leth Gregersen <leth@daimi.aau.dk>
Subject: Re: Virus that damages hardware (PC)
X-Digest: Volume 9 : Issue 22

>[Moderator's notes:  The land of Nod is "never-never land", a dream world
>or fantasy place.  Jean-Francois--hard facts please.  What physical damage
>did Urkel do to your godmother's hard-drive?  Degauss it?  Break the head
>off the arm?  ???  And what virus "fried" her modem?  Or was she using it
>during an electrical storm and after the modem died she found she had a
>virus?]

Well, I don't know if any existing virus actually does this, but it is
possible to blow up some monitors with wrong settings of VGA registers.
Just look at the warnings about setting up X for Linux :)
A friend of mine blew up his monitor while trying to set up mode X
himself. So physical damage on some monitors should be possible.

/Claus Leth Gregersen.

[Moderator's note:  Another poster has also suggested that the XFree86
documentation mentions the possibility of doing such damage.  Is there
someone who is truly a monitor expert who would like to comment on these
suggestions?]

------------------------------

Date: Wed, 07 Feb 1996 15:10:55 -0500 (EST)
From: Dmitry Gryaznov <er86@dial.pipex.com>
Subject: Re: ONE HALF.3544 Virus Detected (PC)
X-Digest: Volume 9 : Issue 22

Lee Cooper wrote:
> 
> Please can somebody advise me how I can remove the ONEHALF.3544 virus
> from PCs without deleting .COM or .EXE files.
> 
> McAfee has detected it, but will not remove it.

With One_Half it is very important to decrypt the part of the hard disk 
the virus encrypted. FindVirus of Dr.Solomon's AVTK can do the job - it 
should remove the virus from infected files, MBR and decrypt the hard 
disk. You can download an evaluation copy of FindVirus ver. 7.56 from
http://www.drsolomon.com or ftp://ftp.drsolomon.com .

And yes - don't forget to boot clean (oh well, FindVirus would have 
reminded you anyway...)

- - 
Sincerely,                    | VirusLab, S & S International PLC.
     Dmitry O. Gryaznov       | Alton House, Office Park, Gatehouse Way,
Senior Virus Research Analyst | Aylesbury, Bucks HP19 3XU, United Kingdom
E-mail: grdo@ibmpcug.co.uk    | Tel: +44 (0)1296 318700 Fax: +44 (0)1296 318734

------------------------------

Date: Wed, 07 Feb 1996 16:57:19 -0500 (EST)
From: Ron Jackson <rentech@infohwy.com>
Subject: Taking Virus off ZIP Drive problem (PC)
X-Digest: Volume 9 : Issue 22

I have tried to remove the NYB virus off my ZIP disks with
no luck.  McAfee cannot access the ZIP drive.  I have had 
success with floppies and the hard drive, but not the ZIP.

Any solutions?  Thanks in advance...

Ron

virushelp@rentech.com

------------------------------

Date: Wed, 07 Feb 1996 17:00:52 -0500 (EST)
From: Elaine Ashton <elaine@wueconb.wustl.edu>
Subject: nokernel virus (PC)
X-Digest: Volume 9 : Issue 22

Anyone heard of the nokernel virus?

It showed up in some OEM disks I have and none of the usual boot virus
cleaners will work...it also came up as the xenix.chaos virus.

Ideas anyone?

------------------------------

Date: Wed, 07 Feb 1996 19:22:38 -0500 (EST)
From: Gerry Ross <gwross@gsfi.on.ca>
Subject: Re: Help with Natas virus (PC)
X-Digest: Volume 9 : Issue 22

F-PROT or the latest version of Cheyenne Inoculan will detect and
remove it.

------------------------------

Date: Wed, 07 Feb 1996 19:27:11 -0500 (EST)
From: Glen Robinson <gtr@qld.mim.com.au>
Subject: EPBR Virus ? (PC)
X-Digest: Volume 9 : Issue 22

I have been unable to find a description of this virus that we received
on some floppy disks.  All F-PROT said is that it was "EPBR ?", a boot
block virus.  Can anyone tell me what it does?

Thanks
Glen

------------------------------

Date: Wed, 07 Feb 1996 20:42:59 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Virus:MONKEY_B + FORM_A (PC)
X-Digest: Volume 9 : Issue 22

Arlene Schiffman <arlenes@holly.colostate.edu> writes:

>>Try the following:
>>
>>On a bootable floppy copy fdisk.exe.  Boot from the floppy and 
>>enter the command "a:\fdisk /mbr"  this undocumented option 
>>(/mbr) will rebuild the master boot record and hopefully get 
>>that monkey off your back.  This has worked on other pcs but I 
>>have never tried this fix on a thinkpad.  Note: /mbr will not 
>>wipe your harddisk.
>>
>>If this doesn't work try norton disk doctor from a bootable 
>>floppy. NDD will also rebuild a corrupted Master boot record.
>
>We have a few computers that were infected by the Monkey Virus.  I
>took a suggestion to try making a boot disk and putting fdisk.exe on
>it then after booting up with the new disk using the command fdisk
>/mbr.  Well it worked on most of the computers but on three they are
>now saying invalid partition table.  HELP please!  These can not boot
>up and even if you use the boot disk (which is clean) I still can not
>find the C: drive due to the virus.
>
>[Moderator's note:  The old "hammer" problem...  You need good disk
>doctor/recovery software, though, depending on the virus(es) that
>were active on the afflicted machines very good professional
>assistance may be more important.
>
>Before anyone who reads this list/group -EVER- again uses FDISK /MBR,
>-PLEASE- read the warnings about the correct use of it in Q&A C3 in
>the V2.0 FAQ]

Sorry to quote so much of the above.  But if you get to this point of
not being able to recover your hard disk after a Monkey infection, you
need something like Norton Disk Doctor.  You would first zero out the
partition table and then use ndd /rebuild.

Jimmy
cjkuo@mcafee.com
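Both the BUPT recovery post earlier in this digest and this Monkey thread turn on the same question: does the partition table in sector 0 still describe the disk, and does it agree with the geometry the BIOS is using? The following Python is an added example, not code from any poster or from any product named here. It decodes the four 16-byte MBR entries, cross-checks each packed CHS field against the LBA field for a given geometry, and computes how much disk a CHS geometry addresses. The MBR it audits is constructed inside the file from the 684-track, 16-head, 38-sector logical geometry quoted in the BUPT post; nothing in it reads or writes a real disk.

```python
"""Parse and sanity-check a DOS master boot record (MBR) partition table.

Added example for the VIRUS-L threads above; not code from any poster or
anti-virus product in the digest.  The MBR below is constructed here (not
captured from a real disk) from the logical geometry the BUPT poster quotes.
"""
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # four 16-byte partition entries at bytes 446..509
SIGNATURE_OFFSET = 510      # bytes 55 AA (little-endian 0xAA55) end the sector
BOOT_SIGNATURE = 0xAA55

LOGICAL_GEOMETRY = (684, 16, 38)    # (cylinders, heads, sectors) from the post
PHYSICAL_GEOMETRY = (3251, 4, 32)   # what the drive itself reports, per the post


def chs_capacity(geometry, bytes_per_sector=SECTOR_SIZE):
    """Bytes addressable by a CHS geometry (cylinders, heads, sectors)."""
    cylinders, heads, sectors = geometry
    return cylinders * heads * sectors * bytes_per_sector


def chs_to_lba(chs, geometry):
    """Linear sector number of a CHS address (sectors are numbered from 1)."""
    cylinder, head, sector = chs
    _, heads, sectors = geometry
    return (cylinder * heads + head) * sectors + (sector - 1)


def encode_chs(chs):
    """Pack (cylinder, head, sector) into the 3-byte MBR field."""
    cylinder, head, sector = chs
    return bytes([head, ((cylinder >> 2) & 0xC0) | (sector & 0x3F), cylinder & 0xFF])


def decode_chs(field):
    """Unpack the 3-byte MBR field (cylinder high bits ride in byte 1)."""
    head, byte1, byte2 = field
    return (((byte1 & 0xC0) << 2) | byte2, head, byte1 & 0x3F)


def parse_partition_table(mbr):
    """Return the four raw partition entries as dicts, without judging them."""
    entries = []
    for i in range(4):
        status, start, ptype, end, lba_start, lba_count = struct.unpack_from(
            "<B3sB3sII", mbr, TABLE_OFFSET + 16 * i)
        entries.append({"status": status, "type": ptype,
                        "chs_start": decode_chs(start), "chs_end": decode_chs(end),
                        "lba_start": lba_start, "lba_count": lba_count})
    return entries


def audit_mbr(mbr, geometry):
    """List what looks wrong with an MBR when read against a CHS geometry.

    An empty list means the table is self-consistent.  Anything else is worth
    understanding before a tool is asked to 'rebuild' the sector.
    """
    if len(mbr) != SECTOR_SIZE:
        return ["MBR must be exactly %d bytes" % SECTOR_SIZE]
    problems = []
    if struct.unpack_from("<H", mbr, SIGNATURE_OFFSET)[0] != BOOT_SIGNATURE:
        problems.append("missing 55 AA boot signature")
    total_sectors = chs_capacity(geometry) // SECTOR_SIZE
    active = 0
    for n, e in enumerate(parse_partition_table(mbr)):
        if e["type"] == 0:                      # unused slot: must be all zeros
            if e["status"] or e["lba_start"] or e["lba_count"]:
                problems.append("entry %d: type 0 but not empty" % n)
            continue
        if e["status"] not in (0x00, 0x80):
            problems.append("entry %d: bad status byte 0x%02X" % (n, e["status"]))
        active += e["status"] == 0x80
        if e["lba_count"] == 0:
            problems.append("entry %d: zero-length partition" % n)
        if chs_to_lba(e["chs_start"], geometry) != e["lba_start"]:
            problems.append("entry %d: CHS start disagrees with LBA start" % n)
        last = e["lba_start"] + e["lba_count"] - 1
        if chs_to_lba(e["chs_end"], geometry) != last:
            problems.append("entry %d: CHS end disagrees with LBA start+count" % n)
        if last >= total_sectors:
            problems.append("entry %d: extends past the end of the geometry" % n)
    if active > 1:
        problems.append("more than one active partition")
    return problems


def build_mbr(entries, geometry, signature=BOOT_SIGNATURE):
    """Assemble a 512-byte MBR from (status, type, chs_start, chs_end) tuples;
    the LBA fields are derived from the CHS fields.  Boot code is left zero."""
    sector = bytearray(SECTOR_SIZE)
    for i, (status, ptype, chs_start, chs_end) in enumerate(entries):
        lba_start = chs_to_lba(chs_start, geometry)
        lba_count = chs_to_lba(chs_end, geometry) - lba_start + 1
        struct.pack_into("<B3sB3sII", sector, TABLE_OFFSET + 16 * i, status,
                         encode_chs(chs_start), ptype, encode_chs(chs_end),
                         lba_start, lba_count)
    struct.pack_into("<H", sector, SIGNATURE_OFFSET, signature)
    return bytes(sector)


# Constructed sample: one bootable FAT16 partition (type 0x06) spanning the
# whole 684x16x38 logical disk, starting on head 1 as DOS normally lays it out.
SAMPLE_MBR = build_mbr([(0x80, 0x06, (0, 1, 1), (683, 15, 38))], LOGICAL_GEOMETRY)

# The same table with the status byte of entry 0 stomped: a corrupted sample.
CORRUPT_MBR = bytes(SAMPLE_MBR[:TABLE_OFFSET] + b"\x7f" + SAMPLE_MBR[TABLE_OFFSET + 1:])

if __name__ == "__main__":
    for name, geom in (("logical", LOGICAL_GEOMETRY), ("physical", PHYSICAL_GEOMETRY)):
        print("%s %r addresses %.1f MiB" % (name, geom, chs_capacity(geom) / 2 ** 20))
    print("sample:", audit_mbr(SAMPLE_MBR, LOGICAL_GEOMETRY) or "table is consistent")
    print("corrupt:", audit_mbr(CORRUPT_MBR, LOGICAL_GEOMETRY))
    # The same valid table read against the drive's physical geometry fails
    # both CHS-versus-LBA checks: a geometry mismatch alone looks like damage.
    print("sample vs physical geometry:", audit_mbr(SAMPLE_MBR, PHYSICAL_GEOMETRY))
```

Run against the physical geometry the drive reports (3251/4/32), the same table fails both CHS-versus-LBA checks, which is the shape of the mismatch the BUPT poster describes between what the drive says and what DOS appears to be using. For what it is worth, 684 tracks by 38 sectors by 512 bytes with a single head comes to about 12.7 MiB; whether that is where FDISK's 12 MB figure comes from is a guess, not something the post establishes.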

------------------------------

Date: Wed, 07 Feb 1996 20:49:50 -0500 (EST)
From: Mike McCarty <jmccarty@spdmail.spd.dsccc.com>
Subject: Re: HELP - Still having problems with ANTIEXE virus (PC)
X-Digest: Volume 9 : Issue 22

In article <0027.01I0Y6DLM17GPVHY7M@csc.canterbury.ac.nz>,
Espen Ottar  <Espen.Ottar@si.sintef.no> wrote:
)I have a PC infected with what Scan reports as the AntiEXE virus.
)The problem is that it is resident in memory even after booting
)from a clean diskette (or so it seems)
)
)I have tried to boot the system with a clean diskette containing
)McAfee's Scan and then hoped to remove it by scan /clean
)
)But the scan program reports the virus to be active in memory!
)Why??????
)What can I do to get rid of it??????

I have two observations to make. First, are you really, really, REALLY
sure the diskette is clean, and how do you know? Second, did you power
down the machine rather than use CTRL-ALT-DEL to reboot?

If the answer to either of these questions is "no" or "I don't know"
then you may not have actually booted "clean".

Mike

- ---
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

I don't speak for DSC.         <- They make me say that.

------------------------------

Date: Wed, 07 Feb 1996 20:51:33 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: 100 year stealth virus? (PC)
X-Digest: Volume 9 : Issue 22

Dan Kirkwood <dpkirkwo@dangogh.edaco.ingr.com> writes:

>Has anyone heard of a "100 year stealth virus"?  I don't have a full
>description of how it was detected, but I know Norton AntiVirus is
>used regularly on this system (actually, a small network).  There is
>some suspicion that a virus is the cause of many problems recently
>encountered on this network.

There is a virus which someone calls "100 years" which also goes by
"4096", whose CARO name is likely to be "Frodo.Frodo.A".

However, there are also a number of viruses which change the file
timestamps to be one hundred years into the future.  So, if you have
a product identifying this as "100 years," it's likely to be the
former.  If you don't, get one and tell us what it says.

Jimmy
cjkuo@mcafee.com
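The second virus family the reply mentions leaves a symptom a defender can look for without any scanner at all: file timestamps pushed a hundred years ahead. The script below is an added example, not code from any poster or product in this digest; it walks a directory tree and lists files whose modification time lies implausibly far after a reference "now", most suspicious first. It identifies no virus, only timestamps that cannot be right, so a hit is a reason to scan and investigate, not a diagnosis. The sample tree it scans is constructed in a temporary directory by the script itself.

```python
"""Flag files whose modification time lies implausibly far in the future.

Added example for the '100 year stealth virus' reply above; not code from
any poster or anti-virus product.  The reply notes that some file infectors
move timestamps one hundred years ahead; this is the defender-side check for
that symptom and nothing more.
"""
import os
import shutil
import tempfile
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def years_ahead(mtime, now):
    """Years by which a timestamp lies after 'now' (negative if in the past)."""
    return (mtime - now) / SECONDS_PER_YEAR


def find_future_dated(root, now=None, threshold_years=1.0):
    """Walk 'root' and return [(relative_path, years_ahead)] for every file
    dated more than 'threshold_years' after 'now', most suspicious first.

    A one-year threshold ignores ordinary clock skew (a PC clock set a few
    days wrong) while still catching a century-long jump."""
    now = time.time() if now is None else now
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:            # vanished or unreadable: skip, don't abort
                continue
            ahead = years_ahead(mtime, now)
            if ahead > threshold_years:
                hits.append((os.path.relpath(path, root), ahead))
    hits.sort(key=lambda hit: -hit[1])
    return hits


def build_sample_tree():
    """Create a constructed sample tree: one file dated an hour ago, one
    dated exactly 100 years ahead, and one three days ahead (clock skew).
    Returns (root, reference_now); the caller removes the tree."""
    root = tempfile.mkdtemp(prefix="future_ts_demo_")
    now = time.time()
    stamps = {"readme.txt": now - 3600,
              "sample.exe": now + 100 * SECONDS_PER_YEAR,
              "clock_skew.dat": now + 3 * 86400}
    for name, stamp in stamps.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample file\n")
        os.utime(path, (stamp, stamp))     # set both atime and mtime
    return root, now


if __name__ == "__main__":
    root, now = build_sample_tree()
    try:
        for rel, ahead in find_future_dated(root, now=now):
            print("%-16s dated %.1f years in the future" % (rel, ahead))
    finally:
        shutil.rmtree(root)
```

On a real system the call would be `find_future_dated("C:\\")` or whatever root the machine keeps its executables under, with `now` left at the default so the host clock is used. Pass a lower threshold only when the host clock is trusted, since every file written after a clock reset will otherwise show up.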

------------------------------

Date: Wed, 07 Feb 1996 20:57:41 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: KOH in Mainstream Press (PC)
X-Digest: Volume 9 : Issue 22

Doug Muth <dmuth@oasis.ot.com> writes:
>In article <0008.01I0LP9POC0OPCQYD3@csc.canterbury.ac.nz>, Tom Simondi
>writes:
>: Boardwatch Magazine, January 1996 issue, pg 78 published a very
>: favorable article about the KOH virus ("The Other Side of Computer
>: Viruses" by Wallace Wang). A few random short quotes:
>: Wang goes on to then describe the KOH virus in glowing terms as
>: the savior of data from prying eyes the world over: "The KOH
>: virus insures that all of your data is protected, not just the files
>: you remember to encrypt." And, then goes on to describe how
>: harmless it is ("...buy the actual assembler source code and make
>: sure...") and where to get it.
>
>       Oh man, just what we need, another moron who thinks that a virus 
>has to be used instead of a non-replicating program.  Hasn't he ever 
>heard of PGP at all?
>
>: The fun part comes when Wang says all sysops should use KOH to
>: protect their computers because the United Nations "...might break
>: down your door one day and haul your computer away...."

>       Again, that's what most of us tend to use PGP for. :-)

Having talked directly with the author of this article, he said that
he wrote that article as a farce.  Looks like you only found one area
that you thought was funny, though.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Wed, 07 Feb 1996 21:02:19 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Ripper and NYB (PC)
X-Digest: Volume 9 : Issue 22

"Robert E. Hunter" <rxh16504@bayou.uh.edu> writes:
>I have the Ripper and NYB on some diskettes and have yet to find an
>antivirus program that will clean it up.  I have Win95 and am currently
>using McAfee for Win95 but it will not clean either one. Help?

If it's a floppy, you can use the DOS version and apply the command
SCAN A: /CLEAN /FORCE

That will clean any floppy boot sector.

Jimmy
cjkuo@mcafee.com

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 22]
*****************************************