From Lehigh.EDU!virus-l  Sun Feb 11 13:37:45 1996 remote from vhc
Received: by vhc.se (1.65/waf)
	via UUCP; Sun, 11 Feb 96 17:00:53 GMT
	for mikael
Received: from fidoii.CC.Lehigh.EDU by mn3.swip.net (8.6.8/2.01)
	id NAA25245; Sun, 11 Feb 1996 13:37:45 +0100
Received: from fidoii.cc.lehigh.edu ([127.0.0.1]) by fidoii.cc.lehigh.edu with SMTP id <39552-14236>; Sun, 11 Feb 1996 06:40:22 EST
Message-Id: <01I13TTVRFYQPVIUA3@csc.canterbury.ac.nz>
Reply-To: virus-l@lehigh.edu
Originator: virus-l@lehigh.edu
Sender: virus-l@lehigh.edu
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V9 #23
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
X-Comment: Virus Discussion List
Date: 	Sun, 11 Feb 1996 06:17:31 EST

VIRUS-L Digest    Monday, 12 Feb 1996    Volume 9 : Issue 23

Today's Topics:

WWW Virus Scanners
Student use of PCs
Info on Manzon
NYB Virus MAC to PC (MAC,PC)
Re: Word Macro Colors Virus (MAC?,WIN)
Re: Word Macro Colors Virus (MAC?,WIN)
Re: Win95 23.3 of 24MB memory allocated at startup?? (WIN95)
Re: Win95.Boza (WIN95)
NAV says MBR has been changed following reinstall (WIN95)
Virus affecting memory? (WIN)
Re: McAfee VirusScan 2.2 Upgrade (WIN)
SaveAs write-protect error after cleaning Concept (WIN)
Re: TBAV and v-sum (PC)
Simultaneous ANTIEXE and _512 infection (PC)
Re: Virus that damages hardware (PC)
Re: VET as an anti-bugger (PC)
Clock losing time--new virus? (PC)
Re: WelcomB Virus (PC)
Re: HELP - Still having problems with ANTIEXE virus (PC)
Re: Azuza Virus, How do I get rid of it? (PC)
Re: F-PROT: Request for Help (PC)
Removing multiple boot sector viruses? (PC)
Unknown bootsector virus (PC)
EXE files growing (PC)
WIN.COM being trashed--New virus? (PC)
How to eradicate Concept from Word docs and templates (WIN)
LAN-wide antivirus s/w solution? (PC)
Help on "A" virus (PC)
kbug1720 remover or disinfection? (PC)
Re: TBAV and v-sum (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Thu, 08 Feb 1996 09:03:02 -0500 (EST)
From: Rik V Flor/ADD_LAKE_HUB/ADD_HUB/ADD/US <Rik_V_Flor/ADD__LAKE__HUB/ADD__HUB/ADD/US.ADD@NOTES.ABBOTT.COM>
Subject: WWW Virus Scanners
X-Digest: Volume 9 : Issue 23

It looks like McAfee has released a product called "WebScan" which
apparently automatically scans downloaded files for viruses.  Any
prevailing opinions on this product or any others of its type that will
most likely be released?  How useful are they if used in addition to a
regular scanning regimen?

Rik Flor

------------------------------

Date: Thu, 08 Feb 1996 09:25:20 -0500 (EST)
From: Pat Gannon-Leary <PMGANNON@MSUMUSIK.MURSUKY.EDU>
Subject: Student use of PCs
X-Digest: Volume 9 : Issue 23

Hope this request is not too basic: I'm (obviously) a novice on this
list:-

We're just introducing PCs as public access catalogs in our small
University library. There is a facility on the PAC which allows the
down-loading of booklists etc. to a floppy. Bearing in mind our limited
funds, how do we best protect our PCs from the introduction of viruses -
virus protection software, virus scanner, or what?

TIA
Pat

Dr. Pat Gannon-Leary,
Head of Circulation Dept.,
Murray State University Libraries,
Murray,
KY42071
U.S.A.

------------------------------

Date: Thu, 08 Feb 1996 14:45:23 -0500 (EST)
From: George Weah <dao@unixg.ubc.ca>
Subject: Info on Manzon
X-Digest: Volume 9 : Issue 23

Need your help here....I got a virus called Manzon, can someone tell me 
what will it do to my computer and can I remove this from my computer?...

	Thanks for any help

Eric

------------------------------

Date: Wed, 07 Feb 1996 23:04:35 -0500 (EST)
From: ZSO <zso1@voicenet.com>
Subject: NYB Virus MAC to PC (MAC,PC)
X-Digest: Volume 9 : Issue 23

I tried to format a floppy the other day on my PC and could not format the
disk. I did a virus scan with McAfee and found the NYB virus. Cleaned it out
okay. However, this really bothered me how the pc got infected. I knew
that I had left a disk in twice last week while booting up the pc. So
it had to be one of two disks. After checking, they both were infected
with the virus. I traced one to another pc at work, but the pc was
clean, although I heard that it once had the NYB virus and since had been
cleaned. The other disk came from a Mac, which was formatted using Apple
File Exchange. I had the person who gave me the disk format another new
floppy. And sure enough, he gave me two formatted disks and both were
infected. I have heard that there is no such thing as a cross platform
virus? Is this true? My Mac knowledge is limited. Could the Mac be
infected? Or is it just the Apple File Exchange program that is spreading
this?

Any help would be appreciated   

--
ZSO
-------------------------------------------
http://www.voicenet.com/~zso1/
zso1@voicenet.com

[Moderator's note:  Are you sure the Mac owner was not using the FORMAT
command of DOS in a DOS emulator like Soft Windows, -or- otherwise
accessing the diskettes from a DOS emulator after formatting them with
AFE?

I have seen this before--the "emulated" PC hard drive (which is just a big
file to MacOS) can be "infected" with BSI/MBR viruses by leaving an
infected diskette in the Mac's floppy drive when starting up the emulator
environment.  This happens because the emulator, "just like a standard
PC", will try to boot from a floppy in preference to the HD and DOS is
emulated sufficiently well that its hard drive can be infected by most MBR
viruses.]

------------------------------

Date: Thu, 08 Feb 1996 10:00:38 -0500 (EST)
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Word Macro Colors Virus (MAC?,WIN)
X-Digest: Volume 9 : Issue 23

In-Reply-To: <01I0Y6DLM17GPVHY7M@csc.canterbury.ac.nz>

Ralf Grisard <ralf@lexis-nexis.com> writes:

> All the references in this group to the Word macro Colors virus
> have made me nervous, especially since none that I've seen say
> anything about how to protect against or clean it. If there are
> any known defenses against it, I'd appreciate hearing about them,
> as well as a brief description of this virus' effects. Thank you.

Dr Solomon's FindVirus can detect and clean-up Colors infections.  You 
can download an evaluation version of FindVirus from our website.

Dr Solomon's WinGuard, our 32-bit VxD, can intercept a Colors-infected 
document and thus stop an outbreak dead in its tracks.  If you install 
WinGuard on your PC you cannot be infected by Colors (or indeed Concept, 
Nuclear, etc) and furthermore you cannot infect anybody else!

Here's a description of Colors from Dr Solomon's (you'll find more 
information at http://www.drsolomon.com):

Colors

Alias: WordMacro.Colors

Type: Word macro virus.

Description:
When an infected document is opened under Microsoft Word (Word for Win95, 
Word for NT, Word for Windows 3.x, MacWord, ...), the virus infects the  
global template (usually NORMAL.DOT). Then every document being created  
via File/New or saved via Save or File/SaveAs is infected by the virus.   
The virus contains the following ten macros:

AutoOpen, AutoClose, AutoExec, FileNew, FileExit, FileSave, FileSaveAs,  
ToolsMacro and other macros.

If macros with such names existed prior to infection, they are 
overwritten by the virus.

Surprisingly enough, AutoExec macro in the virus is an empty one - it 
does nothing. The possible aim of it could be overwriting existing 
AutoExec  macro which could contain anti-virus routines.

The virus can propagate even with AutoMacros being disabled (e.g. by  
invoking Word as WINWORD.EXE /mDisableAutoMacros). As soon as a user  
chooses File/New, File/Save, File/SaveAs, File/Exit or Tools/Macro, the  
virus gets control and infects NORMAL.DOT.  Moreover, unlike other known  
Word viruses (such as Concept, Nuclear, DMV), Colors virus cannot be 
spotted by using Tools/Macro to list active macros. The virus intercepts 
Tools/Macro and effectively disables it, while still using it for 
infection. This way Colors can be called the first macro virus with 
some stealth capabilities. Nevertheless, one can use 
File/Templates/Organizer/Macros to view the names of virus' macros and  
even to delete them. 

As in the case of Nuclear (the first encrypted macro virus), all macros  
in Colors are Execute-Only and thus cannot be viewed/edited by means of  
Microsoft Word.

The virus also enables AutoMacros (just in case the user had disabled it) 
and disables Word's prompt to save changes to NORMAL.DOT.

The virus maintains a counter named 'countersu' in [windows] section of  
WIN.INI file. Every time a virus macro is called (with the exception of  
AutoExec) the counter is incremented by one. That is, every time a user  
opens, creates, saves, closes a document, attempts to use Tools/Macro or  
exits Word, the counter is incremented. When the counter reaches 299 and  
each 300th time thereafter (i.e. 299, 599, 899 and so on) the virus  
triggers. It then changes Windows colours settings (text, background,  
buttons, borders, etc.) to randomly selected colours. So that the next  
time Windows are started the user is puzzled by a most unusual colour 
palette.

Regards
Graham
--
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400
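
[Added example, not part of the original post or of any Dr Solomon's
product: a check for the WIN.INI counter the Colors description above
mentions.  It assumes only what the description states (key 'countersu' in
the [windows] section, trigger at 299 and every 300th call after that); the
function name and the sample WIN.INI contents are constructed here.]

```python
# Look for the Colors counter in WIN.INI text and work out, from the
# description's trigger rule, how many macro calls remain before the
# next colour change.

COUNTER_SECTION = "windows"   # section named in the description
COUNTER_KEY = "countersu"     # key named in the description
FIRST_TRIGGER = 299           # description: fires at 299, 599, 899, ...
TRIGGER_PERIOD = 300


def check_win_ini(text):
    """Return a report dict for the given WIN.INI text.

    present             -- True if [windows] holds a 'countersu' key
    value               -- the counter as an int (None if absent or not a number)
    calls_until_trigger -- virus macro calls left before the next trigger
    """
    report = {"present": False, "value": None, "calls_until_trigger": None}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()    # section names ignore case
            continue
        if section != COUNTER_SECTION or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() != COUNTER_KEY:
            continue
        report["present"] = True                    # the key alone is an indicator
        try:
            count = int(value.strip())
        except ValueError:
            break                                   # key present, value unreadable
        report["value"] = count
        remaining = (FIRST_TRIGGER - count) % TRIGGER_PERIOD
        # A counter sitting exactly on a trigger value has already fired,
        # so the next trigger is a full period away.
        report["calls_until_trigger"] = remaining or TRIGGER_PERIOD
        break
    return report


# Constructed sample: a WIN.INI from a machine where Colors macros have run.
INFECTED_SAMPLE = """\
[windows]
load=
run=
Beep=yes
countersu=597

[Desktop]
Wallpaper=(None)
"""

# Constructed sample: the same key name outside [windows] is not a match.
CLEAN_SAMPLE = """\
[windows]
load=
Beep=yes

[Other]
countersu=12
"""

if __name__ == "__main__":
    for name, sample in (("infected", INFECTED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, check_win_ini(sample))
```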

------------------------------

Date: Thu, 08 Feb 1996 12:12:48 -0500 (EST)
From: Dmitry Gryaznov <er86@dial.pipex.com>
Subject: Re: Word Macro Colors Virus (MAC?,WIN)
X-Digest: Volume 9 : Issue 23

Ralf Grisard wrote:

> All the references in this group to the Word macro Colors virus
> have made me nervous, especially since none that I've seen say
> anything about how to protect against or clean it. If there are
> any known defenses against it, I'd appreciate hearing about them,
> as well as a brief description of this virus' effects. Thank you.

Check out http://www.drsolomon.com for both cure and descriptions.
--
Sincerely,                    | VirusLab, S & S International PLC.
     Dmitry O. Gryaznov       | Alton House, Office Park, Gatehouse Way,
Senior Virus Research Analyst | Aylesbury, Bucks HP19 3XU, United Kingdom
E-mail: grdo@ibmpcug.co.uk    | Tel: +44 (0)1296 318700 Fax: +44 (0)1296 318734

------------------------------

Date: Thu, 08 Feb 1996 03:36:56 -0500 (EST)
From: Stefan Kurtzhals <kurtzhal@wrcs3.urz.uni-wuppertal.de>
Subject: Re: Win95 23.3 of 24MB memory allocated at startup?? (WIN95)
X-Digest: Volume 9 : Issue 23

Mark Andrew <markda@phoenix.net> wrote:

>RAM and the other w/16MB.  We recently noticed that both computers 
>started doing a lot of disk chatter, so checked the System Monitor to 
>see how much swap file was being used.  On the smaller machine we were 
>well into virtual memory, which is understandable given everything 
>running at the time.  On the bigger machine we were using a bit less 
>swap file.  

Try using the Win95 HDD defrag tool.
If the swap file clusters are spread over the whole HDD
it will surely slow down Windows95.

>I started checking the System Monitor more regularly and found today 
>that, immediately after startup, with no applications running except 
>System Monitor and Resource Monitor (no background apps, TSRs or 
>anything) that 23+MB out of 24 were allocated.  If I am remembering 
>correctly, the System Monitor also showed 3+MB free and 0 swap file in 
>use.  Doesn't add up, does it?

This is normal for Windows95!

The new virtual memory management (VMM) allocates almost ALL the memory
it can get and dynamically frees space when you start a new application.

bye, Stefan

------------------------------

Date: Thu, 08 Feb 1996 04:56:38 -0500 (EST)
From: Steve Loughran <slo@hplb.hpl.hp.com>
Subject: Re: Win95.Boza (WIN95)
X-Digest: Volume 9 : Issue 23

sysop@command-bbs.com wrote:
> 
> Win95.Boza
> 
> It's not a dangerous parasitic NewEXE(PE)-virus. It searches for
> EXE files, checks the files for the PE signature, then creates in the
> EXE file a new section named ".vlad", and writes its code into
> that section.
> 
> When infection occurs the virus uses calls to functions GetDir, SetDir,
> FindFirst, FindNext, OpenFile, LSeek, Read, Write, and CloseFile. First,
> it gets the current directory, and checks the Windows95 kernel for some
> specific code. Then the virus searches for .EXE files, and checks them for
> the PE signature. Then the virus increases NumberOfSections field in
> PE header, writes into the file new Section Header that describes
> the new Sections in the file, and writes itself to the end of the file.

I have two questions:

1. Does it also patch the P-Exe's linker fixup table so that these
functions are all added to it, or does it rely on LoadLibrary/
GetProcAddress already existing in the linker table? It may have hard
coded in the virtual addresses of these KERNEL32 functions, which means it
is effectively "bound" to the current build of win95.

2. What happens when you run an infected app under NT? 

	-Steve

(It doesn't seem to have enough functions to qualify for win95 logo: no
OLE/PnP or network/email awareness :-)

[Moderator's note:  It also fails for logo-ing because it doesn't fail-
over gracefully under NT!  8-) ]
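
[Added example, not part of the original posts: a scanner-side check for the
one concrete marker the quoted description gives, a PE section named
".vlad".  The function names and the sample images are constructed here; the
samples carry only headers and are not runnable programs.  A section name is
an indicator, not proof of infection.]

```python
import struct

COFF_HEADER_SIZE = 20      # Machine .. Characteristics
SECTION_HEADER_SIZE = 40   # one entry in the section table
MARKER_SECTION = ".vlad"   # section name given in the Boza description


def pe_section_names(data):
    """Return the section names of a PE image, in section-table order.

    Raises ValueError if the data is not a PE file or the table is truncated.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
    if e_lfanew + 4 + COFF_HEADER_SIZE > len(data):
        raise ValueError("PE header offset outside file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # COFF file header: NumberOfSections is the field the description says
    # the virus increases when it adds its own section.
    _machine, n_sections, _ts, _symtab, _nsyms, opt_size, _chars = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + COFF_HEADER_SIZE + opt_size
    names = []
    for i in range(n_sections):
        off = table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError("section table truncated")
        raw = data[off:off + 8]                          # 8-byte, NUL-padded name
        names.append(raw.split(b"\0", 1)[0].decode("latin-1"))
    return names


def has_boza_marker(data):
    """True if the image has a section called '.vlad'."""
    return MARKER_SECTION in pe_section_names(data)


def build_sample(section_names):
    """Constructed test image: DOS stub, PE signature, COFF header, section table."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # PE header right after stub
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    table = b"".join(
        name.encode("ascii").ljust(8, b"\0") + bytes(SECTION_HEADER_SIZE - 8)
        for name in section_names
    )
    return bytes(dos) + b"PE\0\0" + coff + table


CLEAN_IMAGE = build_sample([".text", ".data", ".rsrc"])
FLAGGED_IMAGE = build_sample([".text", ".data", ".rsrc", ".vlad"])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("flagged", FLAGGED_IMAGE)):
        print(label, pe_section_names(image), has_boza_marker(image))
```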

------------------------------

Date: Thu, 08 Feb 1996 05:06:38 -0500 (EST)
From: myran <era.eraat@memo.ericsson.se>
Subject: NAV says MBR has been changed following reinstall (WIN95)
X-Digest: Volume 9 : Issue 23

I had to uninstall and then reinstall WIN95 due to a crash, probably 
because of a bad driver for a NEC 610plus printer. I say probably...

BEFORE uninstallation (in SAFE mode) AND after reinstallation I ran NAV.
NAV found no virus either before or afterwards. I have updated to the 
February NAV files.

However, when I ran NAV afterwards it alerted that the MBR had changed.

I looked in the documentation I've gathered in this group and on the web 
and of course in NAV's manual. But I couldn't find any guidance on this
particular "problem". But I tried to reason a little and finally decided
that the change was due to the reinstall and NOT any virus. So I told
NAV to re-protect MBR. 

Maybe this is obvious for many people with a lot of experience.

My question is of course: Did I make the right assumption or could it in 
fact be a virus? I'd be grateful for comments, thanks in advance 

regs myran 

------------------------------

Date: Thu, 08 Feb 1996 00:19:39 -0500 (EST)
From: Octavio Warnock-Graham <octaboy@pipeline.com>
Subject: Virus affecting memory? (WIN)
X-Digest: Volume 9 : Issue 23

About two days ago I downloaded Win32 from NCSA's website so as to install
Mosaic.  Less than 12 hours later I tried to open Word 6.0 and got an error
message saying, "unable to start this application. Insufficient memory." 
I have 300 megs on HD and 12 megs of ram.  No other programs were running. 
I ran McAfee's scan and no viruses were reported.   I can't run scanprot as
it requires Word 6.0.  Any ideas?

TIA 
Octavio

------------------------------

Date: Thu, 08 Feb 1996 00:56:56 -0500 (EST)
From: "Bruce P. Burrell" <bpb@umich.edu>
Subject: Re: McAfee VirusScan 2.2 Upgrade (WIN)
X-Digest: Volume 9 : Issue 23

scallon.fam@midplains.net wrote: 
> Hi I recently purchased McAfee VirusScan 2.2 for Windows 3.1.  The 

   The most recent version is 2.2.9e, so you certainly should upgrade.

> problem I am having is that after I loaded the scan it tells me that my 
> data files are out of date.

   As it should -- keeping AV software current is very important.

> I went to the internet bulletin board for McAfee and downloaded the
> software there - this changed my licensed version to an evaluation copy. 

   The site I provide below has an area for registered users, but I 
haven't examined it.  Perhaps you can find registered versions of the 
software there; I didn't look.

> It also told me that "VShield was corrupt" and did not perform the scan
> when I first booted up the computer.  First I'm not sure I'm downloading
> the correct files and

   I believe you want to point your web browser to McAfee's site:
ftp://mcafee.com/pub/antivirus/ and get the files wsc-229e.zip (the 
Windows version of SCAN), scn-229e.zip (DOS version of same), and 
vsh-229e.zip, the TSR VSHIELD.  If you have to use anonymous ftp instead, 
make sure to use binary mode.  In either event, you'll want to use 
PKUNZIP version 2.04g to expand the files.  Before you do this, however, 
be sure to read section (4) below.

> second I don't know which directory under McAfee to unzip them to.

   That's hard to say; it's a function of where you set them up in the 
first place.  I suggest that you look in your AUTOEXEC.BAT file to see 
where the originals reside.  Might well be called C:\MCAFEE or C:\VIRUS; 
who knows?

> Can you help?  So far I have found McAfee Support less than adequate.  
> The manual tells me that they have online help (all mail returned).  I 
> have sent them a fax (not answered).  I called their support desk (long 
> hold time) then connected to sales rep (who didn't help) put back on hold 
> to talk to technical assistance (took too long and I gave up).

   I can't comment about their tech support.  Did you try email?  Their 
address is support@mcafee.com

> Please help if you can.  This month my husband's hard drive went down - 
> after scanning his disk we found Monkey B, Antiexe, and 
> stoned.michaelangelo. 

   All at once?!?  While this is possible, it seems pretty unlikely.  All 
three are Master Boot Record infectors, and they could coexist -- each 
moves the current MBR to a different place.  If this report is accurate, 
though:
  1. It may require expert help to disinfect your drive -- a "by hand"
     job.  Software would have to be pretty clever to remove a triple
     infection, though in this particular case it could be done. 
     [If you need such help, try McAfee first.  It could be a lengthy
     phone call, so I suggest that you try email.  If they are unable to
     help you, you have several options, including trying other AV
     products or paying an AV guru to fix your drive.  The guru approach
     can be pricey or, depending on the altruism of the responder, free. 
     Hard to say in advance, but definitely go to the tech support you've
     paid for first.]
  2. You've probably had at least one virus on your machine for a long
     time.  Therefore almost all of your floppies will be infected.  You
     *must* disinfect each and every one, once your machine is back to
     normal.  If you don't, you'll get to repeat this little exercise in 
     the future.
  3. To remove at least some of these viruses, you'll need to use the DOS
     version of McAfee, instead of the Windows one.  While it might not
     be strictly necessary, you'll be well advised to do this after the
     canonical "clean floppy boot".  Run the software from floppy as well. 
  4. But since all your floppies may well be infected, you should create
     the clean boot floppy _and_ download and install McAfee on another,
     uninfected computer. 

   Of course, you may have meant that you had had three infections at 
separate times over the past month.  No matter; I still suggest that you 
follow the above procedure.

> I don't want this to happen again!

   Neither do we.  To help prevent this from happening in the future, do 
the following as well:

  5. If your computer allows it, set the CMOS so that it boots directly 
     from the hard drive without trying to boot from A:  That's how all
     of the viruses you mention above spread -- by being on a diskette in
     the A:  drive when the machine reboots.  If you get the "Non system
     disk or disk error" message, it's already infected. 

   Unfortunately, there is no standard way to set up CMOS; often there is
a message on screen at bootup that says something like "Press <Del> to
enter Setup".  If so, great; if not, you might need some other key
combination or have to run a program on a diskette.  Even when you can
modify the CMOS, sometimes the boot option isn't included.  Nonetheless,
this is a very wise thing to do, if your computer allows it.  It's free,
reversible, and very powerful to help prevent Boot Sector Infectors. 

   In any event, good luck!

This message also sent as private email.

   -BPB

[Moderator's note:  And I've posted it because it contains a lot of good
advice.]

------------------------------

Date: Thu, 08 Feb 1996 14:31:00 -0500 (EST)
From: JCarroll <csc_jhc@pip.shsu.edu>
Subject: SaveAs write-protect error after cleaning Concept (WIN)
X-Digest: Volume 9 : Issue 23

I am running Word60 off a network.  My system became infected with the
Concept virus.  I cleaned it with IBM's AntiVirus.  Now every time that I
do a SAVEAS in Word, I get an error message that my disk is write
protected.  However, the path in the dialogue box is the normal.dot
on the network drive.  It is indeed write protected.  However, the error
tells me that my a: drive is write protected.  If I change to the c:
drive, again it tells me that my c: drive is write protected.

I have deleted my installation of Word and reinstalled it -- same problem. 
I deleted Windows and reinstalled it -- same problem.  I have scanned ALL
my files with the latest of IBM's AntiVirus, F-Prot, McAfee & Assoc;  they
all tell me my system is clean.

My colleagues that are running Word from the same network are not having
these problems. Therefore, I conclude that the problem is strictly with my
system.

Anybody got any suggestions?  Is this a new version of the Concept Virus?

Thanks,
JCarroll

------------------------------

Date: Thu, 08 Feb 1996 00:00:48 -0500 (EST)
From: George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Subject: Re: TBAV and v-sum (PC)
X-Digest: Volume 9 : Issue 23

In article <0023.01I0Y6DLM17GPVHY7M@csc.canterbury.ac.nz>, Adam Vissing <Adam.Vissing@bonn.netsurf.de> wrote:
>Why isn't TBAV taken into account in
>v-sum? I heard it's because the creator of
>v-sum thinks it's unfair to use heuristic scan methods
>to detect viruses, but why unfair? F-prot does that
>too, I think. I use tbav 6.51 and mcafee 2.2.9, and
>I definitely think that those two are the best antivirus
>programs ever.

I won't comment on the quality of VSUM (that's a totally different thread)
but I'm not sure what you mean that it's 'unfair' to use heuristics to
detect viruses.  Are the viruses complaining that the scanners aren't
using fair play?

As far as TBAV and McAfee being the best anti-virus programs ever, that's 
certainly a matter of personal preference.  There are numerous impartial 
reviews of AV programs on the web.  Several of the better ones are
available at www.drsolomon.com (yes, they're impartial, even though they're
on the Dr. Solomon's website).

Regards, 

George Wenzel

George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Student of Criminology & Wado Kai Karate
U of A Karate Club Home Page: http://www.ualberta.ca/~gwenzel/
"Who's General Failure & why is he reading my disk?"

------------------------------

Date: Thu, 08 Feb 1996 00:08:18 -0500 (EST)
From: David Perrault <perrault@interlog.com>
Subject: Simultaneous ANTIEXE and _512 infection (PC)
X-Digest: Volume 9 : Issue 23

I need help getting rid of a dual infection of 
ANTIEXE and _512.

Scan 2.28 is finding them and claiming to clean
them (clean boot disk, etc.) but they still re-
appear.

What am I doing wrong?

Thanks,

DP

------------------------------

Date: Thu, 08 Feb 1996 01:41:05 -0500 (EST)
From: Stuart Lamble <sjlam1@MFS01.cc.monash.edu.au>
Subject: Re: Virus that damages hardware (PC)
X-Digest: Volume 9 : Issue 23

Doug Muth <dmuth@oasis.ot.com> writes:

[snip]
>would have to be sent back to the factory to be recalibrated.  With older 
>video hardware, it was possible to set the refresh rate to 0 hz.  What 
>would then happen is that the beam of electrons would be hitting the same 
>row of phosphors repeatedly and burning them out.  From then on, the 
>monitor would have a black line of inoperative phosphors. :)

To quote from the XFree86 Howto (Linux):

. Attempting to use a configuration file which doesn't correspond to your 
hardware could drive the monitor at a frequency which is too high for it; 
there have been reports of monitors (especially fixed-frequency monitors) 
being damaged or destroyed by using an incorrectly configured XF86Config 
file. ...

In other words: there may or may not be viruses (virii?) that damage 
hardware; however, it is _plausible_ that somebody could create one that 
does damage monitors. Depending on how it was written, it may damage one 
person's monitor, but not another. You would have to have some sort of 
VGA card (possibly SVGA?) or higher for this to be a problem, however - 
EGA and earlier cards had (AFAIK) specific frequencies which could not be 
overridden in software.

Other hardware? I simply do not know enough about it to be able to answer 
for certain.

+---------------------------------+   _--_|\   +-----------------------------+
| Stuart Lamble: 2nd yr Sci/Eng   |  /      \  | Monash University, Clayton, |
|  lamble@yoyo.cc.monash.edu.au   |  \_,--.*/  | Melbourne, Australia        |
+---------------------------------+        v   +-----------------------------+

------------------------------

Date: Thu, 08 Feb 1996 01:45:06 -0500 (EST)
From: Bruce Burrell <bpb@stimpy.us.itd.umich.edu>
Subject: Re: VET as an anti-bugger (PC)
X-Digest: Volume 9 : Issue 23

Siew y. Lim (limsy@lion.cs.latrobe.edu.au) wrote:
[snip]
> PS2:  A question.  If i was able to SAVE my MBR into a file ... and
> upon detecting a MBR virus ... if i BOOT from clean disk ... then
> load back MBR info from file ... will that do the job ?

   That depends on which MBR infector you have. For some, it will work
fine (e.g., Stoned; AntiEXE).  For others, it will fail (One_Half; Ripper)
-- the virus is removed from the MBR, but the damage to the rest of the
hard drive is not.  ExeBug can fake a cold floppy boot, if you're not
careful.  Still others (e.g., Monkey) may make it difficult to access the
hard drive if you or your utility for writing the MBR isn't sufficiently 
clever.  There's even a virus (whose name escapes me at the moment) that 
prevents floppy boots for sufficiently high versions of DOS.

   So in general, the answer is "No, it does not suffice."

> OR do i
> still have to use an antivirus to clean virus from HD ?  I was
> assuming since virus (MBR) writes itself unto original place of MBR
>  won't be writing back the original MBR erases the virus ?

   Except for the experts, it's always a better idea to use a high 
quality, current AV product to remove infections.  They are almost always 
more cautious than humans, and therefore less likely to make matters worse.

>       If the above doesn't work ... does it mean that IF one don't
> have a antivirus that can handle a particular MBR virus ... THEY can
> never remove the virus ?

   If I understand you correctly here, the answer is still no.  It merely
means that the version of the product you're using can't remove it.  Get a
more recent version, notify the vendor if you *are* using the current
version, or try another product.  A MBR virus can *always* be removed; 
the damage it has caused, however, may be a different matter. 

>       Oh ya! i remember in the FAQ i came across using FDISK
> /(something) that can help in this situation.  Is this a foolproof
> plan ?  If i use this option, will everything in my HD stay the same
> (no data loss)
> 
> [Moderator's note:  Re-read the FAQ and read it -carefully-.  The
> FDISK "trick" is -far- from foolproof.]

   Let me reiterate that.  In fact, I'll go further and suggest that you
never use that trick unless an acknowledged expert, after having exhausted
all other options, suggests it to you via private email. 

   -BPB

------------------------------

Date: Thu, 08 Feb 1996 02:10:06 -0500 (EST)
From: "R. Andres Gorigoitia" <rgorigoi@lonestar.jpl.utsa.edu>
Subject: Clock losing time--new virus? (PC)
X-Digest: Volume 9 : Issue 23

The clock on my pc has been running fast for the past 2 months.  The time 
and date are incorrect and keep getting further off until I reset them.  
To the best of my recollection, this started around the time I defragged 
my hard drive.  Every time I restart my pc, the time/date seem to get more 
advanced.  I have run Norton AV and McAfee but they don't find anything.  

Any help is appreciated.  TIA.

------------------------------

Date: Thu, 08 Feb 1996 02:37:18 -0500 (EST)
From: MR HENRI J DELGER <henri_delger@prodigy.com>
Subject: Re: WelcomB Virus (PC)
X-Digest: Volume 9 : Issue 23

Mark Player <playerm@helix.nih.gov> writes:
in (X-Digest: Volume 9 : Issue 17)

>Has anyone ever had any problems with the WelcomB Virus.
>McAfee for Win 95 detected it but couldn't clean it, I had
>better luck with NAV which did clean it.  Has this virus been
>around for a long time?  What does it typically do?

Beijing (also known as BUPT9146 and WelcomB) is believed to 
be from China, and gets its name from the text it contains, 
which reads:  Welcome to BUPT9146,Beijing!
(this is a reference to the student-Red Army confrontation
 in China, June 4, 1991).  
     The virus infects the partition/Master Boot sector 
(cylinder&head 0, sector 1) of the hard disk, when a 
boot/re-boot occurs with an infected floppy in A> drive, 
writing its code there, and moving the partition/MBR data 
to the (cylinder&head 0, sector 4).
     Ordinarily, data are not lost from the hard disk, 
because the sector which the virus uses is not used by DOS.
If that sector is used by third-party software to store 
data, during formatting, or for password access, or by 
drivers to access large partitions, obvious problems can 
result, however.
     The virus is then resident in memory, infecting disks 
by writing its code to the Boot sector (sector #0) of them, 
moving the diskette's original Boot record code to the
area used by the Directory, and if the disk has files listed
in the overwritten sector, this will cause loss of entries
of files, deleted files, and sub-directories in the root.  
     The files could still be located in the file storage 
area of the disk, and could be recovered using a utility 
program, but since they are no longer listed in the 
Directory, they may be overwritten, as other files are 
later stored on the diskette.

Regards, Henri Delger
henri_delger@prodigy.com
http://pages.prodigy.com/XWWC29A

------------------------------

Date: Thu, 08 Feb 1996 02:37:18 -0500 (EST)
From: MR HENRI J DELGER <henri_delger@prodigy.com>
Subject: Re: HELP - Still having problems with ANTIEXE virus (PC)
X-Digest: Volume 9 : Issue 23

Espen Ottar <Espen.Ottar@si.sintef.no> writes:
in (X-Digest: Volume 9 : Issue 17)

>I have a PC infected with what Scan reports as the AntiEXE
>virus. The problem is that it is resident in memory even after
>booting from a clean diskette (or so it seems)

Are you sure it is?  Check if the PC's CMOS is configured to
boot from C, then A> - if so, reverse that temporarily.
AntiExe virus is also known as NewBug, and is believed to 
have originated in Russia.  It infects the partition/Master 
Boot sector (cylinder&head 0, sector 1) of the hard disk,
when a boot/re-boot occurs with an infected floppy in the 
A> drive, by writing its code there, and moving the 
partition/MBR data to (cylinder&head 0, sector 13), which
DOS does not use.  AntiExe is a stealth virus, blocking 
attempts to read the first sector of disks if in memory.
     Ordinarily, data are not lost from the hard disk, 
because the sector which the virus uses is not used by DOS.
If that sector is used by third-party software to store 
data, during formatting, or for password access, or by 
drivers to access large partitions, problems can result.
     AntiExe will be in memory after that whenever the
PC is on, and infects floppy diskettes by writing its code
to the Boot sector (sector #0) of them, moving the boot data
there to the last sector in the Directory.                
     If the diskette has many files listed in the root (192 
or more for a 3.5" HD diskette), this will cause the loss of
up to 16 entries of files, deleted files, and subdirectories
in the root.  The data would still be located in the file 
storage area of the disk, recoverable with the use of a disk
utility program.
    Every time a disk "read" is performed, Anti-EXE searches
for a particular 8-byte hex code string 4D5A40008801370F, 
looking for a match for a specific .EXE file "header," and 
if found, it will overwrite its first sector in memory, 
thus preventing it from running.  These bytes would fit an 
EXE file about 196kb in size, but no one knows which EXE it 
is.  This peculiarity is how Anti-EXE got its name.

Regards, Henri Delger
henri_delger@prodigy.com
http://pages.prodigy.com/XWWC29A
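
An added example, not part of the post above: it decodes the quoted 8-byte string as the first fields of a DOS MZ header to show where the "about 196kb" figure comes from, and checks a raw image or a file for that header. Matching only at the start of a sector is an assumption (a file's header sits at the start of its first sector); the function names and the sample image are constructed for illustration.

```python
import struct

# The 8 bytes quoted in the post as the EXE header AntiExe looks for.
ANTIEXE_TARGET = bytes.fromhex("4D5A40008801370F")
SECTOR_SIZE = 512
PAGE_SIZE = 512  # DOS EXE headers express the file length in 512-byte pages


def decode_mz_prefix(prefix):
    """Decode the first four fields of a DOS MZ header (8 bytes, little-endian)."""
    if len(prefix) < 8:
        raise ValueError("need at least 8 header bytes")
    magic, last_page_bytes, pages, relocations = struct.unpack_from("<2sHHH", prefix)
    if magic != b"MZ":
        raise ValueError("not an MZ header")
    # A non-zero last_page_bytes means the final page is only partly used.
    if last_page_bytes:
        image_size = (pages - 1) * PAGE_SIZE + last_page_bytes
    else:
        image_size = pages * PAGE_SIZE
    return {
        "last_page_bytes": last_page_bytes,
        "pages": pages,
        "relocations": relocations,
        "image_size": image_size,
    }


def sectors_matching_target(image):
    """Return the numbers of the sectors in a raw image that begin with the target."""
    hits = []
    for offset in range(0, len(image), SECTOR_SIZE):
        if image[offset:offset + len(ANTIEXE_TARGET)] == ANTIEXE_TARGET:
            hits.append(offset // SECTOR_SIZE)
    return hits


def file_is_target(path):
    """True if the file at path starts with the header AntiExe searches for."""
    with open(path, "rb") as handle:
        return handle.read(len(ANTIEXE_TARGET)) == ANTIEXE_TARGET


def build_sample_image():
    """Constructed 4-sector image: target at the start of sector 2, and once
    in the middle of sector 1, where the sector-start check ignores it."""
    image = bytearray(4 * SECTOR_SIZE)
    image[2 * SECTOR_SIZE:2 * SECTOR_SIZE + 8] = ANTIEXE_TARGET
    image[SECTOR_SIZE + 100:SECTOR_SIZE + 108] = ANTIEXE_TARGET
    return bytes(image)


if __name__ == "__main__":
    info = decode_mz_prefix(ANTIEXE_TARGET)
    print("pages in file      :", info["pages"])
    print("bytes in last page :", info["last_page_bytes"])
    print("relocation entries :", info["relocations"])
    print("implied size       : %d bytes (%.1f KB)"
          % (info["image_size"], info["image_size"] / 1024))
    print("matching sectors   :", sectors_matching_target(build_sample_image()))
```

The size is the one implied by the header's page count; a file carrying extra data after its load image would be larger on disk.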

------------------------------

Date: Thu, 08 Feb 1996 02:37:18 -0500 (EST)
From: MR HENRI J DELGER <henri_delger@prodigy.com>
Subject: Re: Azuza Virus, How do I get rid of it? (PC)
X-Digest: Volume 9 : Issue 23

Harland Roades <EZYU67A@prodigy.com> writes:
in (X-Digest: Volume 9 : Issue 17)

>The Azuza virus on an old 68 meg IDE hard disk is not easy
>to get rid of.  I have tried Norton Anti-Virus 3.0 and it locks
>up when it tries to clean up the virus.  McAfee Anti-Virus did
>not find it at all. I find the virus when I boot from a clean
>floppy and then try to load NAV. Formatting does not get rid
>of it. I am using DOS 5.0.  Any hints?

To get rid of a memory-resident virus, turn power off, and
re-boot with an UNinfected system boot disk in A>, then
remove the virus from the hard disk, check to see it's
gone, and then check for infected diskettes.
Azusa is a Boot Sector virus which also infects the hard 
disk's Master Boot Record, and is one of many viruses 
related to the Stoned virus.  Some programs call "Azusa" 
the Hong Kong virus, since that's where it's believed to be 
from originally; it was first detected in the U.S. in 1991.
     Azusa infects the Boot Sector (first sector, number 0) 
of diskettes (like "Stoned" and other such viruses do), and 
if such an infected diskette is in the A> drive at boot-up, 
the virus goes resident at the top of Conventional Memory, 
and infects the hard disk.
    Like Stoned, Azusa copies itself to the Master Boot 
sector (cylinder&head 0, sector 1), incorporating Partition
data, but overwriting the Master Boot data.  Unlike Stoned, 
it does not "save" an intact copy of the Partition/MBR data 
elsewhere, and when first discovered, wasn't easily removed.
However, the DOS5/6 command FDISK /MBR will overwrite the 
virus, and leave the Partition data intact.
     Once it has infected the hard disk, Azusa will always 
be in memory, since the Partition/MBR sector is always the 
first disk sector read, at every boot-up.  The virus will 
monitor disk accesses via Interrupt 13, and then can infect 
diskettes accessed after that in either A> or B> drives, 
unless the diskettes are write-protected.
     Unlike Stoned and other similar viruses, Azusa will not
infect diskettes just because they're accessed.  The DIR 
command won't cause the diskette to become infected, for 
example.  However, if a file on the disk is "opened," either
to be read (with the TYPE command, for example) or written 
to, the virus will infect the diskette.  Although it didn't 
save the hard disk's MBR data, it does save the diskette's 
boot sector data.
     Unfortunately, Azusa can cause data loss in doing so, 
because it was not skillfully written, which is true of many
viruses.  It was written to copy itself from RAM to sector 0
of a floppy, and move the boot data from there to Sector 718
which is at the very end of a 360K disk.
   Unless file data are stored there, no data are lost. This
may not be a problem very often with 360K diskettes, but on 
diskettes of other sizes, the relocated boot data will be 
placed in a 512-byte sector in the middle of the disk, thus
making it likely that a file will be partially overwritten.
     One effect Azusa has is to disable temporarily COM1 and
LPT1 ports, after 32 re-boots, interfering with printing.  
In addition, the virus interferes with the disk change line 
signal, and the directory of a previously read diskette will
be shown on the screen when the next diskette is used.

Regards, Henri Delger
henri_delger@prodigy.com
http://pages.prodigy.com/XWWC29A

------------------------------

Date: Thu, 08 Feb 1996 07:55:55 -0500 (EST)
From: "S. Widlake" <s.widlake@rl.ac.uk>
Subject: Re: F-PROT: Request for Help (PC)
X-Digest: Volume 9 : Issue 23

Vesselin Bontchev <bontchev@complex.is> writes:
>"S. Widlake" <s.widlake@rl.ac.uk> writes:

>That's true, for corporate users the shareware registration is
>available only in some companies. I posted a list of them but it
>hasn't appeared yet. I'll try to get this information go in the
>documentation of the shareware version.

While I think it's great to have the shareware free for everyone
at home I don't think not being able to register this version for
use at work in some countries and having to pay considerably more
money (even though you get more) for the "pro" version is so good.
I believe you are losing sales here, but the way you market F-Prot
is up to you [ With "you" here being FSI and not you ;-) ]   

>> 2) It made windoze much more unstable (and slower). [ You might
>>    have guessed that I'm not a great fan of windoze but everyone 
>>    and his dog uses it. ] Removing all of this extra stuff made
>>    most of these problems just go away.

>That's strange... Have you tried to contact the local technical
>support? Also, which was the stuff that caused problems?

Sad to report that the local support people are not "up to speed"
as it were... In fact, "they" just plain lied to me when I first
contacted them :-( I've been reading this list for some years and
these marketing droids obviously have not. I don't know how much
of the $$$$ we paid them went to FSI but I'd rather have sent a
(euro?)cheque direct - let me know for next year if you want all
of this couple of grand or just "some" ;-) 

>> 3) When I tested it with a REAL infectious nasty it just didn't
>>    work !

>Wow! That's bad. :-( How exactly did you test it?

I won't give any details here as it points to a hole (maybe only
a small hole, but a hole never-the-less) in the product's defence
against already existing viruses and I'm not going to help any of
the "bad guys". This may have already been corrected but I can't
repeat the test right now since I don't have any viruses at the
moment :-) Feel free to contact me direct if you want details...

[ Note that if I don't recognise who "you" are... No reply ]  

>>  It was supposed to provide active protection against
>>    all(?) known viruses including polymorphic ones - although we

>No, it is not. No anti-virus program can provide protection against
>all known viruses. If you hear anybody claiming the opposite - even if
>they are our marketoids - don't believe them. New viruses appear with
>the rate of averagely five per day.

It's too bad that we will continue to see such claims everywhere
we go - though not often around here ;-)

>>    have never even seen one of those - but it failed a much more
>>    simple test and let a known virus straight through.

>You still haven't told us what exactly the test consisted in.

Sorry, not here. 

>> Pass - But for my 37p worth I'd just say that you probably don't
>> really need these extras. The windoze interface looks quite nice,
>> though a bit over complicated for the average user, but viruses

>Complicated?! That is, of course, a matter of taste but, AFAIK, it is
>the version of the Windows interface developed by Command Software
>that is sold in the UK - and it is extremely easy to operate.

Viruses are not a big problem around here and when we do get the
occasional one it's easily sorted. You see, general lusers just
don't want (or really need?) to be bothered by this issue. They
just want something to monitor their systems and alert them if
they get a problem so they can call "someone" over. That's just 
the way it is - They believe a simple TSR is enough (for them). 

>> are in general a BIOS/DOS problem and the first thing that gets
>> affected is often windoze - it simply won't start ;-)

>That's right - this is why you have to have a write-protected system
>diskette. However, with the professional version you also get a
>DOS-based version of F-PROT.

Wow ;-)

>> The only thing that's missing is perhaps a windoze routine that
>> "intercepts" VIRSTOP's "let's-scramble-the-screen-whenever-it
>> encounters-a-BIOS/DOS-virus" function and instead pop up a real
>> windoze alert box.

>HUH?! This is precisely one of the ways in which the Professional
>version differs from the shareware one - in the Professional version
>VirStop is Windoze-aware, while in the shareware version it is not and
>causes exactly the video effect you describe. Could it be that you
>have messed parts of the Professional and the shareware version of the
>product?

That's just what I'm looking for - a tiny windoze-aware add on for
the *registered* shareware version so that this video effect (can
you say "bug" ;-) can be correctly interpreted. Someone's got our
$$$$, so how's about it ? 

>> Say, how's about splitting the group into comp.virus - moderated
>> just to discard "harmful" posts - and "comp.virus.tech" for just
>> the more technical discussions for Vess. et. al. 

>I fail to see what is wrong with posting the technical discussions in
>the current (moderated) newsgroup.

There is nothing wrong in this but it might be better if there was
some method of obtaining all of the really useful stuff without any
of the "junk"... you know, the stuff from the people that have got 
the problems <G> ;-)

Cheers,

S.till lurking :-)

- --
sig II Found and Restored ...

------------------------------

Date: Thu, 08 Feb 1996 08:03:13 -0500 (EST)
From: Jeff Kerr <jkerr@harley.fcmr.forestry.ca>
Subject: Removing multiple boot sector viruses? (PC)
X-Digest: Volume 9 : Issue 23

How do you disinfect a diskette with multiple boot sector viruses? 
F-Prot finds one virus, prompts to remove it, then doesn't because it
finds other virus code where it expects the original boot sector code to
be.  I've seen F-Prot replace the boot sector with generic code before,
and I was wondering how to do this or force F-Prot to do it... or any
other way to clean such disks...

thanks,

Jeff
jkerr@harley.fcmr.forestry.ca
http://www.lookup.com/Homepages/74371/home.html

------------------------------

Date: Thu, 08 Feb 1996 09:53:01 -0500 (EST)
From: zaford@airnet.net
Subject: Unknown bootsector virus (PC)
X-Digest: Volume 9 : Issue 23

I'm having trouble with an unknown virus.  I have run the latest
versions of McAfee, as well as Norton Anti-Virus (with the latest
virus definition tables), and neither of them will detect it.  However
I know it exists because Vsafe keeps giving me a message that says:
"Program trying to write to HD boot sector"  and if I let the write go
through, I lose my bootsector and have to reformat the drive!  NAV
and McAfee can't even detect the attempts to write to the HD and I had
those options turned on for NAV.  Anyone have any ideas as to what it
could be?  If so please post  your suggestions or email me at
zaford@airnet.net

Thanks.

------------------------------

Date: Thu, 08 Feb 1996 10:04:51 -0500 (EST)
From: Alon Hazay <alon@gate.radnet.co.il>
Subject: EXE files growing (PC)
X-Digest: Volume 9 : Issue 23

A few computers in our company had a problem of EXE files getting larger.
Has anyone encountered this problem, and does anyone know the reason?
The latest update of NAV (Norton AntiVirus) didn't find any virus.

Alon

------------------------------

Date: Thu, 08 Feb 1996 11:21:51 -0500 (EST)
From: Phil Showalter <showalter@Harding.edu>
Subject: WIN.COM being trashed--New virus? (PC)
X-Digest: Volume 9 : Issue 23

We're having an apparent virus problem in one of our labs here at Harding
University. The following message appears "c:\windows\win.com has been
infected with the (this is followed by 3 or 4 lines of trash characters)
virus". Once in a while it seems to infect command.com rather than
win.com. Strangely, it's local to this lab. The viruses we've had in the
past usually infect the entire campus. I've tried every virus detection
program that I can find, f-prot, McAfee, Dr.Solomon, Thunderbyte, Norton,
etc., (the most up to date version of each, BTW) and they find nothing.
Win.com is reported as being the correct size after the infection, and
moving the file to an uninfected machine and executing works just fine.
Could it be a boot sector virus that is infecting the program in memory
rather than on the disk? We're at wits' end and could sure use some help.

Thanx for your time and trouble

Phil Showalter
showalter@harding.edu

------------------------------

Date: Thu, 08 Feb 1996 14:10:21 -0500 (EST)
From: m <markda@phoenix.net>
Subject: How to eradicate Concept from Word docs and templates (WIN)
X-Digest: Volume 9 : Issue 23

Eradicate the WordMacro.Concept "virus" from your Word documents and
templates.  Here are a couple of macros to help you do the job.

The Concept "virus" is an annoying set of WordBasic macros written by some 
buttwipe with perhaps a few more brains but no more sense or sanity than 
Beavis.  The macros have the effect of changing your Word documents into 
templates when you execute a  "Save As".  Once you have done this, you
cannot change the file type back to a Word Document and the FileSaveAs
dialog directory is locked on the winword/template directory.  

By installing themselves into the global (normal.dot) template, the macros
are able to infect all documents opened by Word.  If you remove the macros
from your normal.dot template and then open an infected file, the
normal.dot is reinfected.  Even if you set the read-only attribute on
normal.dot (which is a very good idea), Word maintains the macros in
memory as global template macros until the application is closed.  

To fix a document, you must first remove the macros from both the global
and active templates.  The Concept macros are AAAZAO, AAAZFS, AutoOpen,
FileSaveAs, and PayLoad.  Then copy the entire contents of the document
into the clipboard and close the file without saving. Then create a new
file using the now clean Normal template, paste the file contents into the
new file, and save it over the old file as a Word Document.  

If you have a bunch of infected files, this can get tedious.  Here are a
couple of macros to help you do the job a little faster.  You can identify
infected files easily by doing a search on your disk for files containing
the string "PayLoad".  You only need to search for Word documents and
templates, i.e. *.doc, *.dot. 

The first thing you need to do is create a clean global template file. 
Open the template file normal.dot (in winword/template).  Remove the
offending macros; AAAZAO, AAAZFS, AutoOpen, FileSaveAs, and PayLoad.  Then
install these macros by creating new macros and pasting the code into
them.  You access macros via the Tools|Macro... menu.  Then save the
template as norm1.dot and exit Word.  Using your FileManager or Explorer,
delete the old normal.dot and rename norm1.dot to normal.dot.  Then set
the read-only attribute to true via the file properties dialog.  This will
prevent your new normal.dot file from becoming reinfected.

Once you have the clean normal.dot, open Word and clean infected files one
at a time by opening the file, running the appropriate macro, and then
closing the file.

Good luck.

Mark Andrew
Dixon Software Services


Sub MAIN
REM Macro: RemoveConceptFromDocument

REM Removes Concept macros from active and global template.
REM Creates a new document containing the contents of the current document
REM and saves it as a Word Document, rather than as a template.

Dim FileSaveAsDialog As FileSaveAs
Dim FileSummaryInfoDialog As FileSummaryInfo

REM Delete concept macros from active document
	iMacroCount = CountMacros(1)
	If iMacroCount > 0 Then
		For i = iMacroCount To 1 Step - 1
			szMacroName$ = MacroName$(i, 1)
			Select Case szMacroName$
			Case "AAAZAO", "AAAZFS", "AutoOpen", "FileSaveAs", "PayLoad"
				ToolsMacro .Name = szMacroName$, .Show = 0, .Delete
			Case Else
				REM do nothing
			End Select
		Next
	End If

REM Delete concept macros from global template
	iMacroCount = CountMacros(0)
	If iMacroCount > 0 Then
		For i = iMacroCount To 1 Step - 1
			szMacroName$ = MacroName$(i, 0)
			Select Case szMacroName$
			Case "AAAZAO", "AAAZFS", "AutoOpen", "FileSaveAs", "PayLoad"
				ToolsMacro .Name = szMacroName$, .Show = 0, .Delete
			Case Else
				REM do nothing
			End Select
		Next
	End If

REM Get needed file data
	GetCurValues FileSaveAsDialog
	GetCurValues FileSummaryInfoDialog
	szFileName$ = FileName$()

REM Copy entire file to clipboard
	EditSelectAll
	EditCopy

REM Close and delete file
	FileClose 2
	Kill szFileName$

REM Create new file with Normal template
	FileNew .Template = "Normal", .NewTemplate = 0

REM Paste contents of clipboard
	EditPaste

REM Set summary info, set file format to document (0), and save
	FileSummaryInfo FileSummaryInfoDialog
	FileSaveAsDialog.Format = 0
	FileSaveAs FileSaveAsDialog

End Sub


Sub MAIN
REM Macro: RemoveConceptFromTemplate

REM Removes Concept macros from active and global template.
REM Saves the current file.

REM Delete concept macros from active document
	iMacroCount = CountMacros(1)
	If iMacroCount > 0 Then
		For i = iMacroCount To 1 Step - 1
			szMacroName$ = MacroName$(i, 1)
			Select Case szMacroName$
			Case "AAAZAO", "AAAZFS", "AutoOpen", "FileSaveAs", "PayLoad"
				ToolsMacro .Name = szMacroName$, .Show = 0, .Delete
			Case Else
				REM do nothing
			End Select
		Next
	End If

REM Delete concept macros from global template
	iMacroCount = CountMacros(0)
	If iMacroCount > 0 Then
		For i = iMacroCount To 1 Step - 1
			szMacroName$ = MacroName$(i, 0)
			Select Case szMacroName$
			Case "AAAZAO", "AAAZFS", "AutoOpen", "FileSaveAs", "PayLoad"
				ToolsMacro .Name = szMacroName$, .Show = 0, .Delete
			Case Else
				REM do nothing
			End Select
		Next
	End If

REM Save File
	FileSave

End Sub
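
An added example, not part of Mark Andrew's post: one way to do the disk search the post describes, walking a directory tree for *.doc and *.dot files that contain the string "PayLoad" and noting which of the five listed macro names also appear. The "possible"/"likely" grading and all function names are assumptions made for this sketch.

```python
import os

# Macro names listed in the post; "PayLoad" is the string it says to search for.
TRIGGER = b"PayLoad"
CONCEPT_MACROS = (b"AAAZAO", b"AAAZFS", b"AutoOpen", b"FileSaveAs", b"PayLoad")
WORD_EXTENSIONS = (".doc", ".dot")


def concept_names_in(data):
    """Return the listed macro names (as str) that occur in a byte buffer."""
    return [name.decode("ascii") for name in CONCEPT_MACROS if name in data]


def classify(data):
    """Grade a buffer (grading is an assumption of this example):
    None       - trigger string absent
    'possible' - trigger string present
    'likely'   - trigger plus both AAAZ* names, which a clean file
                 is unlikely to contain by chance
    """
    if TRIGGER not in data:
        return None
    names = concept_names_in(data)
    if "AAAZAO" in names and "AAAZFS" in names:
        return "likely"
    return "possible"


def scan_tree(root):
    """Walk root and return {path: (verdict, names)} for suspect Word files."""
    suspects = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            # Match the extension case-insensitively (REPORT.DOC, memo.dot).
            if not filename.lower().endswith(WORD_EXTENSIONS):
                continue
            path = os.path.join(dirpath, filename)
            try:
                with open(path, "rb") as handle:
                    data = handle.read()
            except OSError:
                continue  # unreadable or locked file: skip it
            verdict = classify(data)
            if verdict:
                suspects[path] = (verdict, concept_names_in(data))
    return suspects


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, (verdict, names) in sorted(scan_tree(root).items()):
        print(f"{verdict:8} {path}  [{', '.join(names)}]")
```

AutoOpen and FileSaveAs on their own are not reported, since ordinary templates can legitimately define macros with those names.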

------------------------------

Date: Thu, 08 Feb 1996 14:31:04 -0500 (EST)
From: Clark Dowding <cdowding@dfcu.com>
Subject: LAN-wide antivirus s/w solution? (PC)
X-Digest: Volume 9 : Issue 23

I've got a Netware 4.1 network with Windows 3.1, Windows 95, and DOS
work stations.  I want to run some network wide anti-virus software.

Any suggestions?

- -------------------------------------------------------------
 Clark Dowding, DP Manager         Snail mail:
 Phone: 801.535.0514               Deseret First Credit Union
 Fax:   801.535.0568               147 North 200 West
 Email: cdowding@dfcu.com          Salt Lake City, Utah 84103
- -------------------------------------------------------------

------------------------------

Date: Thu, 08 Feb 1996 15:47:10 -0500 (EST)
From: Betty Ann Feeley <75330.2407@CompuServe.COM>
Subject: Help on "A" virus (PC)
X-Digest: Volume 9 : Issue 23

I work in PC Services at Avon Products in Rye, NY and recently 3 
users unearthed the "A" virus on their PCs.  We use a Novell 
product called LANDesk Virus Protect 2.13 that notifies the user 
of the virus name, and location of the corrupted file.  All 3 
users attempted to delete the virus with VProtect; upon doing so, 
the C drive can no longer be recognized.  

We've called Novell for support; they informed us that they've 
never encountered a virus with this name, but that most likely it's 
a boot sector virus.  We've used Norton Disk Doctor on one of the 
infected PCs and although it recovers the boot partition, none of 
the files previously saved to the C drive are listed using DIR.  
Using the FDISK utility shows one DOS partition on the C drive, 
but at only 1% usage, not the normal 100%.  The DIR command only 
shows 3mgs of total space on the hard drive.

If anyone has heard of this virus or has any suggestions, please 
reply.   

Thanks very much,
Betty Ann Feeley
PC Services - Avon/Rye

------------------------------

Date: Thu, 08 Feb 1996 17:01:05 -0500 (EST)
From: mail04797@pop.net
Subject: kbug1720 remover or disinfection? (PC)
X-Digest: Volume 9 : Issue 23

I am running into a number of infections with the kbug1720 virus on a
Windows NT (3.1) Advanced Server machine and, though being identified by
McAfee VirusScan, the report indicates that no remover is available for the
thing.

Is anyone aware of software out there that will remove the KBUG1720 from an
NT v 3.1 advanced server?  Please post or email to my address.   Thanks

Paul Thomas

------------------------------

Date: Thu, 08 Feb 1996 18:38:33 -0500 (EST)
From: Wayne Riddle <riddler@agate.net>
Subject: Re: TBAV and v-sum (PC)
X-Digest: Volume 9 : Issue 23

Adam Vissing <Adam.Vissing@bonn.netsurf.de> wrote:

>Why isn't TBAV taken into account in
>v-sum? I heard it's because the creator of
>v-sum thinks it's unfair to use heuristic scan methods
>to detect viruses, but why unfair? F-prot does that
>too, I think. I use tbav 6.51 and mcafee 2.2.9, and
>I definitely think that those two are the best antivirus
>programs ever.

Here is the official answer from ThunderByte:
+++++++++++++++++++++++++++++++++++++++++

Many people have asked us why TBAV isn't listed in Patricia Hoffman's
VSUM. The reason is that we don't agree about the way the scanner
should be tested.

Patricia Hoffman states that we have to implement an option to disable
heuristic analysis completely. Otherwise she will refuse to test TbScan.
She thinks it isn't fair that TbScan detects viruses using heuristic
analysis while other products have to do it without heuristics. She also
told us that she only wants to count results which have been achieved by
using signatures.

We view things differently. In our opinion, it is solely up to the
developer of the scanner which method he uses to detect viruses. Whether
he uses signatures, detecting algorithms, or code analyzers simply isn't
your or her business. But Patricia Hoffman requires us to handicap our
product, by implementing a switch to disable heuristics. For you, the
end-user, such an option to suppress the detection of something that is
obviously a virus wouldn't make sense at all.

TbScan uses four methods to detect viruses (if we do not count CRC
checking). The four methods are:

-   Signature searching (for 'standard' viruses)
-   Specific algorithmic detection (for complex polymorphic viruses)
-   Generic algorithmic detection (for the 'Trivial' family of viruses).
-   Heuristic analysis. (to detect trivial and unknown viruses).

Another method, NOT used by TbScan, is the detection of new viruses by
searching for some very generic signatures, also a type of heuristics.
According to Patricia Hoffman, this is allowed, since it makes use of
signatures. We can of course explain to Patricia Hoffman that our
heuristics actually consist of the detection of many one-byte
signatures, but it simply isn't her business, and we don't want to have
to discuss and defend our product just to get it tested anyway.

It isn't clear to us why methods 1,2, and 3 are allowed, while we have to
disable method 4. Is it because we have the only product which uses
some degree of heuristics by default? Who was the first one who used
specific algorithmic detection to detect the 'Washburn' related viruses?
Did he also have to disable this because it wasn't fair that the other
ones were not yet able to implement algorithmic detection?

Anyway, we have not been able to convince Patricia Hoffman that she
should test a product 'as is'. If you want to see our product tested
in VSUM, feel free to send a complaint to Patricia Hoffman.


Wayne Riddle
riddler@agate.net

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 23]
*****************************************


