From lehigh.edu!virus-l  Tue Feb 13 09:48:05 1996 remote from vhc
Received: by vhc.se (1.65/waf)
	via UUCP; Tue, 13 Feb 96 10:48:19 GMT
	for mikael
Received: from fidoii.CC.Lehigh.EDU by mn3.swip.net (8.6.8/2.01)
	id JAA11022; Tue, 13 Feb 1996 09:48:05 +0100
Received: from fidoii.cc.lehigh.edu ([127.0.0.1]) by fidoii.cc.lehigh.edu with SMTP id <39234-20325>; Tue, 13 Feb 1996 03:44:09 EST
Message-Id: <01I16GXHX8REPVJF8M@csc.canterbury.ac.nz>
Reply-To: virus-l@lehigh.edu
Originator: virus-l@lehigh.edu
Sender: virus-l@lehigh.edu
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V9 #24
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
X-Comment: Virus Discussion List
Date: 	Tue, 13 Feb 1996 03:39:42 EST

VIRUS-L Digest   Tuesday, 13 Feb 1996    Volume 9 : Issue 24

Today's Topics:

All those Good Times questions... (ADMIN)
Good Times Virus Hoax Mini FAQ
AWARD BIOS security risk
Re: Scanning Zip files
Look here first!!
Re: Dr. Solomon's Anti-Virus Toolkit (DOS/Windows)
Re: Microsoft is shipping Viruses?
Re: When Harry met Sally Orgasm Scene Virus (MAC)
Re: a good Anti-Virus for Win95? (WIN95)
McAfee Virus Checker Screwed up my Office installation! (WIN95)
Re: Possible Win95 Virus (WIN95)
Re: 69 Virus (PC)
F-Prot Pro? (PC)
AntiCMOS.A Virus Scan/Clean Software Reqd (PC)
Re: WelcomB Virus (PC)
Conventional memory loss--virus?? (PC)
NAV Scheduler problems (PC)
RE: VET as an anti-bugger (PC)
Re: B1 virus with a twist (PC)
Integrity Checking (PC)
A-V software on system diskette (PC)
Boot Sector viruses (PC)
testing scanners (PC)
GOLDBUG (PC)
Azusa (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Tue, 13 Feb 1996 20:11:24 +1300 (NZD)
From: Nick FitzGerald <n.fitzgerald@csc.canterbury.ac.nz>
Subject: All those Good Times questions... (ADMIN)
X-Digest: Volume 9 : Issue 24

If you've posted and asked -anything- about the "Good Times Email virus"
in the last week or so, PLEASE read the next item (in the digest form) by
Les Jones.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
 n.fitzgerald@csc.canterbury.ac.nz  TEL:+64 3 364 2337, FAX:+64 3 364 2332
	      Virus-L/comp.virus moderator and FAQ maintainer
   PGP fingerprint =  2E 7D E9 0C DE 26 24 4F  1F 43 91 B9 C4 05 C9 83

------------------------------

Date: Wed, 07 Feb 1996 23:01:07 -0500 (EST)
From: Les Jones <lesjones@usit.net>
Subject: Good Times Virus Hoax Mini FAQ
X-Digest: Volume 9 : Issue 24

	       The Good Times email virus is a hoax!
	If anyone repeats the hoax, please show them the FAQ.



	     G o o d  T i m e s  V i r u s  H o a x 
			   --------
			 M i n i  F A Q 


			  by Les Jones 
			 macfaq@aol.com
		       lesjones@usit.net

			February 6, 1996



      This information can be freely reproduced in any medium,
	    as long as the information is unmodified.

A FAQ, if you're new to the Internet, is a document that answers
Frequently Asked Questions. This Mini FAQ is a summary of, and a
reference to, the full FAQ, which has much more information about this
and other hoaxes. Instructions for retrieving the full FAQ are at the
end of this message. The Mini FAQ is short enough for faxes, message
boards, company memos, and people with short attention spans. 

Is the Good Times email virus a hoax?
------------------------------------

Yes. It's a hoax.

America Online, government computer security agencies, and makers of
anti-virus software have declared Good Times a hoax. See Online
References at the end of the FAQ.

The hoax has been around since at least November of 1994. Since that
time, no copy of the alleged virus has ever been found, nor has there
been a single verified case of a viral attack.

I'm new to the Internet. What is the Good Times virus hoax?
----------------------------------------------------------

The story is that a virus called Good Times is being carried by email.
Just reading a message with "Good Times" in the subject line will
erase your hard drive, or even destroy your computer's processor.
Needless to say, it's a hoax, but a lot of people believed it.

Some of the companies that have reportedly fallen for the hoax include
AT&T, CitiBank, NBC, Hughes Aircraft, Microsoft, Texas Instruments,
and dozens or hundreds of others. There have been outbreaks at
numerous colleges.

The U.S. government has not been immune. Some of the government
agencies that have reportedly fallen victim to the hoax include the
Department of Defense, the FCC, and NASA. 

The full Good Times Virus Hoax FAQ has more information about the
origins of the hoax, and variations on the text of the hoax.

What was the CIAC bulletin? 
--------------------------

On December 6, 1994, the U.S. Department of Energy's CIAC (Computer
Incident Advisory Capability) issued a bulletin declaring the Good
Times virus a hoax and an urban legend. The bulletin was widely quoted
as an antidote to the hoax. The original document can be found at the
address in Online References at the end of the mini FAQ, and is
included verbatim in the full FAQ. CIAC issued another bulletin on
April 24, 1995 to reiterate that Good Times is a hoax.

Online References
----------------

**CIAC Notes 94-05, 95-09, and especially 94-04**

http://ciac.llnl.gov/ciac/notes/Notes04c.shtml
http://ciac.llnl.gov/ciac/notes/Notes05d.shtml
http://ciac.llnl.gov/ciac/notes/Notes09.shtml

Data Fellows' description of Good Times
http://www.datafellows.fi/v-descs/goodtime.htm

Australian Cert Note
ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-95.02.virus.hoax.returns

Where can I find this FAQ and the complete FAQ?
----------------------------------------------

**The Good Times Virus Hoax FAQ and Mini FAQ**

The mini FAQ is a greatly simplified version of this FAQ. At two
pages, it's short enough for message boards, faxes, mailing lists, and
people with short attention spans.

http://www.usit.net/public/lesjones/goodtimes.html 
http://www.usit.net/public/lesjones/gtminifaq.html 
http://users.aol.com/macfaq/goodtimes.html
http://users.aol.com/macfaq/gtminifaq.html

Via FTP:

ftp://usit.net/pub/lesjones/good-times-virus-hoax-faq.txt
ftp://usit.net/pub/lesjones/good-times-virus-hoax-mini-faq.txt
ftp://users.aol.com/macfaq/good-times-virus-hoax-faq.txt
ftp://users.aol.com/macfaq/good-times-virus-hoax-mini-faq.txt

On America Online:

In the file libraries at keyword VIRUS.

------------------------------

Date: Fri, 09 Feb 1996 02:01:18 -0500 (EST)
From: Clyde Meli <cmeli@jaguar.is.unimt.mt>
Subject: AWARD BIOS security risk
X-Digest: Volume 9 : Issue 24

We have stumbled on two passwords which work on all recent AWARD
BIOSes we have tried.

I believe this is quite a security risk since it makes the CMOS
password protection and bios virus protection useless if the
AWARD backdoor passwords are known. Some PC's are protected
at CMOS level so no unauthorised users may use them, so this
makes such protection useless if the passwords are known.

I hope that AWARD will change present BIOSes which are at risk,
to avoid any potential security problems.

Regards,

Clyde Meli

--
Assistant Lecturer, Computer Information Systems Dept, Univ. of Malta, Malta.
I.C.A.R.O. Support - Malta, AntiVirus Conference Host on AccessNet
http://www.is.unimt.mt/Staff/cmeli/cmeli.html

------------------------------

Date: Fri, 09 Feb 1996 05:22:06 -0500 (EST)
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Scanning Zip files
X-Digest: Volume 9 : Issue 24

In-Reply-To: <01I0ZQJ93R4YPVIUA3@csc.canterbury.ac.nz>
Massimo Villa <max_vil@iol.it> writes:

> How does a virus in a .zip file act ?
>
> I mean, is it possible that, just unzipping the .zip file (without
> executing any of the now unzipped file )  the virus has already
> infected your PC ?

The virus can not infect you until the virus code has been executed.  
Unzipping the virus does not execute the code.  To execute the code you 
need to run the program (or in the case of macro viruses, load the 
document).

It is, however, useful to have a scanner which can scan inside compressed 
and archived files.  Imagine for instance that you had a CD full of 
compressed files.  It would be extremely time-consuming to unpack each 
file manually and then scan it.  A scanner which can search inside 
compressed files can avoid this large amount of tedium.

On a side note, it's also attractive if a scanner can scan *recursively* 
inside compressed and archived files.  We have come across instances 
where viruses have been distributed in nested archives (eg. ZIPs within 
ZIPs within ARJs).

Regards
Graham
--
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400
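The nested-archive case above is easy to get wrong in a scanner, so here is an added example of recursive archive scanning in Python (example code written for this digest, not code from the original post or from Dr Solomon's). It descends into ZIPs within ZIPs, matches leaf members against a constructed marker that stands in for a real signature, and bounds both nesting depth and total inflated bytes so a hostile archive cannot exhaust the scanner. Only ZIP is handled, because that is what the standard library offers; ARJ and other formats would need their own reader. All archive contents below are constructed test data.

```python
import io
import zipfile

# Constructed marker standing in for a scanner signature; it is not a real
# virus pattern. A real scanner would hold many such patterns (or hashes).
SIGNATURES = {
    b"CONSTRUCTED-TEST-SIGNATURE-ALPHA": "Test.Alpha (constructed)",
}

ZIP_CHUNK = 64 * 1024


class ScanLimitExceeded(Exception):
    """Raised when nesting depth or the uncompressed-byte budget is exhausted."""


def scan_blob(data, path, findings, depth=0, max_depth=8,
              budget=None, max_bytes=64 * 1024 * 1024):
    """Scan one blob. Archives are descended into recursively; only leaf
    (non-archive) blobs are matched against SIGNATURES, mirroring a scanner
    that inspects the members rather than the compressed container."""
    if budget is None:
        budget = [max_bytes]          # shared, mutable byte budget
    if not zipfile.is_zipfile(io.BytesIO(data)):
        for sig, name in SIGNATURES.items():
            if sig in data:
                findings.append((path, name))
        return findings
    if depth >= max_depth:
        raise ScanLimitExceeded(f"{path}: archive nesting deeper than {max_depth}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Charge the budget as bytes are actually inflated, not from the
            # declared file_size, so a header that lies cannot evade it.
            chunks = []
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(ZIP_CHUNK)
                    if not chunk:
                        break
                    budget[0] -= len(chunk)
                    if budget[0] < 0:
                        raise ScanLimitExceeded(
                            f"{path}: inflated-size budget of {max_bytes} bytes exceeded")
                    chunks.append(chunk)
            scan_blob(b"".join(chunks), f"{path}/{info.filename}", findings,
                      depth + 1, max_depth, budget, max_bytes)
    return findings


def exceeds_limits(data, path="archive.zip", **limits):
    """True if scanning the blob trips a depth or size limit."""
    try:
        scan_blob(data, path, [], **limits)
    except ScanLimitExceeded:
        return True
    return False


def build_zip(members, compression=zipfile.ZIP_DEFLATED):
    """Helper for constructing in-memory ZIP archives (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def sample_nested_archive():
    """Constructed ZIP-in-ZIP-in-ZIP with one marked member three levels down."""
    payload = b"MZ" + b"\x00" * 32 + b"CONSTRUCTED-TEST-SIGNATURE-ALPHA" + b"\x00" * 32
    inner = build_zip({"payload.exe": payload})
    middle = build_zip({"inner.zip": inner, "readme.txt": b"nothing to see here"})
    return build_zip({"middle.zip": middle})


def nest(data, levels):
    """Wrap data in `levels` ZIP layers (constructed, for the depth test)."""
    for i in range(levels):
        data = build_zip({f"level{i}.zip": data})
    return data


if __name__ == "__main__":
    for found_path, found_name in scan_blob(sample_nested_archive(), "outer.zip", []):
        print(f"{found_path}: {found_name}")
    print("deep nesting refused:", exceeds_limits(nest(b"x", 5), max_depth=3))
```

The reported path (outer.zip/middle.zip/inner.zip/payload.exe) is what an operator needs in order to find the member again; a scanner that only names the outer archive leaves them unpacking by hand, which is the tedium Graham describes.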

------------------------------

Date: Fri, 09 Feb 1996 05:41:44 -0500 (EST)
From: Lee Brown <lee.brown@ukonline.co.uk>
Subject: Look here first!!
X-Digest: Volume 9 : Issue 24

Below is a nice site for anyone interested in looking up or learning
about certain viruses.  It has a huge database of viruses and has
lists of practical ways to get rid of most (not all) known viruses.
It's a good starting point for any questions you may have.
I've found lots of answers at this site and avoided having to post in
this newsgroup.

http://www.antivirus.com

It also contains information on the PC-Cillin Anti Virus software,
which in an earlier thread I mentioned checked for Viruses on the
internet.

Hope this helps most people out.

	     lee.brown@ukonline.co.uk
View My Home-Page Using Microsoft's Internet Explorer
       http://www.tripod.com/~brownl/index.htm

------------------------------

Date: Fri, 09 Feb 1996 05:45:07 -0500 (EST)
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Dr. Solomon's Anti-Virus Toolkit (DOS/Windows)
X-Digest: Volume 9 : Issue 24

In-Reply-To: <01I0ZQJ93R4YPVIUA3@csc.canterbury.ac.nz>
"Rob Slade, the doting grandpa of Ryan Hoff" <roberts@mukluk.hq.decus.ca> 
writes:

> PCDSAVT.RVW  950604 Comparison Review

Thanks to Rob for reposting his review of Dr Solomon's Anti-Virus 
Toolkit. A few things have changed since he conducted this review a year 
ago, so I thought I'd just make some comments.

> Company and product:
>
> S&S International plc.
> Alton House, Gatehouse Way
> Aylesbury, Bucks   HP19 3XU
> England
> support@sands.co.uk

That should be:

  Support:  support@uk.drsolomon.com
  Info:     info@uk.drsolomon.com

> S&S Software International, Inc.
> 17 New England Executive Park
> Burlington, MA   01803
> USA
> Tel: +1-617-273-7412
> Fax: +1-617-273-7474
> Toll-free: +1-800-595-9175
> support@sands.com

We've expanded to larger offices.  Our new address is the same except that 
it is now

  S&S Software International, Inc.
  1 New England Executive Park
  Burlington, MA   01803
  USA
  Tel: +1-617-273-7400
  Fax: +1-617-273-7474
  Toll-free: +1-800-595-9175
  Support: support@us.drsolomon.com
  Info:    info@us.drsolomon.com
  
> A handy feature is the inclusion of a card of installation instructions
> actually packed with the disks, but these are not quite enough for the
> novice.  The instruction call for using the FINDVIRU program to check
> for infections before doing the installation (which is good) but don't
> say which disk it is on.  (The file actually resides on the Toolkit DOS
> disk #2, so it is not intuitively obvious.)

The disk's label now makes clear that it contains FindVirus.  So we're 
happy to say this has been fixed.

> Note that online help is currently the only source of information about
> the American offices.

We have had a full American version with American packaging, manuals etc 
etc for a while now.  So we're happy to say this has been fixed.

> NetWare and OS/2 versions are also available.  Mac, NT and Windows 95
> versions are in development.

Since Rob's review was conducted we have finished developing some of 
these.  We currently have shipping versions for DOS, Windows 3.x, Windows 
95, Windows NT, OS/2, Novell NetWare, Unix.  A version of FindVirus for 
the Macintosh is also now available.

> The TKUTIL program can remove references to CPAV, MSAV and NAV in
> startup files.  Normally I would deplore a hostile action against a
> competing antiviral product, but I'm not sure that principle applies
> here.  The action is not taken by default, and the user must find the
> reference in the manual and specifically request the action.  Also,
> these products have given such a high rate of false alerts that
> many antiviral researchers recommend against their use.

The actual purpose of this utility is to aid corporates who are upgrading 
from other anti-virus products to Dr Solomon's.  This tool helps them 
de-install the previous anti-virus package with the minimum of fuss.  
It's actually there because users have requested it.  We've since added 
an option to deinstall McAfee as well by popular demand from US customers 
:-) [wink!]

> The company seems to have become more responsive on the Internet, and
> from a call on VIRUS-L for review programs was the first to arrive.  In
> addition, the East Coast office in the US provides both a World Wide Web 
> site (http://www.sands.com) and ftp (ftp://ftp.sands.com).

Actually that website is based in the UK.  The correct URL is

  http://www.drsolomon.com   and ftp://ftp.drsolomon.com

A USA mirror should be up and running in the next few days which will be 
based in our East Coast office.

Regards
Graham
--
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Fri, 09 Feb 1996 05:58:36 -0500 (EST)
From: Zvi Netiv <netz@actcom.co.il>
Subject: Re: Microsoft is shipping Viruses?
X-Digest: Volume 9 : Issue 24

chi@bluefin.net wrote:

> About a month ago, I purchased a copy of MS Office '95 Standard, the
> disk package.
>
> Went to install it and on the 2nd disk, it crapped out. When I looked on
> the disk, there was one file eo@349fj3(or something like that) with a date
> of 00/00/21 with 0 bytes.
>
> I have seen this before (long time ago) so I called Microsoft for a
> replacement. I tried to install the replacement, however, now disk 4
> crapped out. I got another replacement and same thing but different disk.
> I got still ANOTHER replacement and disk 2 crapped out. Called them to
> send me the CD-ROM version free of charge (which they did).
>
> The vendor whom I purchased the original package from called me and told
> me anyone who has purchased software or computers w/ software pre-
> installed within the last 30 days could be infected with the virus NEWBUG.
> I have a hard time believing that Microsoft wasn't aware of this problem
> before I called.
>
> This virus deletes and corrupts the files on floppies.... so far.....  :|

Your hard drive was most probably infected with AntiEXE (aka Newbug)
before you started the installation.

Microsoft recently introduced a new high-density format of 1.68
megabytes on 3.5" floppies. Unfortunately, it seems that they have never
heard of boot viruses at Redmond. Unlike other floppy formats, DMF has
just a single sector for the root directory, allowing at most 16 entries
in the root of a DMF floppy. 

Many boot infectors, and Newbug-AntiEXE among them, relocate the
uninfected boot sector to the last sector of the root directory. With the
DMF format, the last sector is also the only sector allocated for the
root. Therefore, an infection overwrites all entries and you are left with
garbage on the floppy. FYI, floppy #1 in these sets is a standard 1.44 meg
one, containing the driver that lets you read the special DMF format. This is
why floppy #2 "crapped out", as you say: you simply ruined them, one after
the other, by unprotecting them, as they require personalization in the
installation process. 

NetZ developed a special toolkit for repairing Win95 setup floppies after
such occurrences (Win95 setup floppies were the first to use the DMF format
and had that problem). The same kit can be used (and has actually been used)
to repair Microsoft's Office setup kit that comes on 1.68 meg DMF floppies. The
kit also contains a utility to clean your hard drive from the boot
infector that is already there. 

In addition, the kit has a driver and a utility that will let you prepare
backups of your DMF floppies. 

The filename is IV4WIN95.ZIP and it is available from any of our sites,
below.

Regards, Zvi
--------------------------------------------------------------------
NetZ Computing Ltd, Israel          Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)   Fax +972 3 532 5325
Web sites:  http://invircible.com/     http://www.NewCastlteIntl.com/
E-mail: netz@actcom.co.il netz@invircible.com  Compuserve: 76702,3423
Ftp:  ftp.datasrv.co.il/pub/usr/netz/  ftp.invircible.com/invircible/
--------------------------------------------------------------------
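To make the geometry in Zvi's explanation concrete, here is an added example (written for this digest; not code from the original post or from NetZ's IV4WIN95 kit). It builds two minimal FAT12 floppy images from their BPB values, a standard 1.44 MB layout with 224 root entries and a DMF-style layout with 16 root entries, then simulates the relocation he describes: the original boot sector is copied into the last root-directory sector and sector 0 is replaced by a stub. On the 1.44 MB disk the stash lands in root sector 14 of 14, well past the entries in use; on the DMF disk the last root sector is the only one, so every directory entry is clobbered while the BPB still looks fine. The DMF sectors-per-FAT and cluster size used here are assumptions for the illustration, and the directory entries and the stub are constructed.

```python
import struct

SECTOR = 512
DIR_ENTRY = 32


def make_boot_sector(root_entries, total_sectors, sectors_per_fat, sectors_per_cluster):
    """Minimal FAT12 boot sector: jump, OEM name, BPB, boot signature."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x3C\x90"
    bs[3:11] = b"MSWIN4.1"
    # BPB at offset 11: bytes/sector, sectors/cluster, reserved sectors,
    # number of FATs, root entries, total sectors (16-bit), media byte,
    # sectors/FAT, sectors/track, heads, hidden sectors, total sectors (32-bit)
    struct.pack_into("<HBHBHHBHHHII", bs, 11,
                     SECTOR, sectors_per_cluster, 1, 2, root_entries,
                     total_sectors, 0xF0, sectors_per_fat, 18, 2, 0, 0)
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


def root_dir_geometry(boot):
    """(first root-directory sector, number of root-directory sectors) from the BPB."""
    bps, _, reserved, nfats, root_entries, _, _, spf = struct.unpack_from("<HBHBHHBH", boot, 11)
    root_start = reserved + nfats * spf
    root_sectors = (root_entries * DIR_ENTRY + bps - 1) // bps
    return root_start, root_sectors


def entry_name(i):
    return f"FILE{i:04d}TXT".encode()   # 8.3 name packed as 11 bytes


def make_floppy(root_entries, total_sectors, sectors_per_fat, sectors_per_cluster, n_files):
    """Blank image with n_files constructed entries at the start of the root directory."""
    img = bytearray(total_sectors * SECTOR)
    img[0:SECTOR] = make_boot_sector(root_entries, total_sectors, sectors_per_fat, sectors_per_cluster)
    root_start, _ = root_dir_geometry(img[0:SECTOR])
    for i in range(n_files):
        off = root_start * SECTOR + i * DIR_ENTRY
        img[off:off + 11] = entry_name(i)
        img[off + 11] = 0x20      # archive attribute
    return img


def infect_like_boot_virus(img):
    """Simulate the relocation the post describes: stash the original boot
    sector in the LAST root-directory sector and replace sector 0 with a stub
    that keeps the BPB (so DOS still mounts the disk). Returns the sector
    number that was overwritten. The stub is a constructed placeholder."""
    boot = bytes(img[0:SECTOR])
    root_start, root_sectors = root_dir_geometry(boot)
    last_root = root_start + root_sectors - 1
    img[last_root * SECTOR:(last_root + 1) * SECTOR] = boot
    stub = bytearray(SECTOR)
    stub[0:3] = b"\xEB\x3C\x90"
    stub[11:36] = boot[11:36]            # keep the BPB intact
    marker = b"CONSTRUCTED BOOT VIRUS STUB"
    stub[62:62 + len(marker)] = marker
    stub[510:512] = b"\x55\xAA"
    img[0:SECTOR] = stub
    return last_root


def directory_entries_lost(img, n_files):
    """Count constructed entries whose record no longer matches what was written."""
    root_start, _ = root_dir_geometry(bytes(img[0:SECTOR]))
    lost = 0
    for i in range(n_files):
        off = root_start * SECTOR + i * DIR_ENTRY
        if img[off:off + 11] != entry_name(i):
            lost += 1
    return lost


def compare_formats(n_files=8):
    """Run the simulation on a 1.44 MB layout and on a DMF-style layout.
    Returns {label: (sector overwritten, entries lost)}."""
    results = {}
    # 1.44 MB: 2880 sectors, 224 root entries (14 sectors), 9 sectors per FAT
    std = make_floppy(224, 2880, 9, 1, n_files)
    results["1.44M"] = (infect_like_boot_virus(std), directory_entries_lost(std, n_files))
    # DMF 1.68 MB: 3360 sectors, 16 root entries (1 sector); 3 sectors per FAT
    # and 4-sector clusters are assumed values for this illustration
    dmf = make_floppy(16, 3360, 3, 4, n_files)
    results["DMF"] = (infect_like_boot_virus(dmf), directory_entries_lost(dmf, n_files))
    return results


if __name__ == "__main__":
    for label, (sector, lost) in compare_formats().items():
        print(f"{label}: original boot sector stashed in sector {sector}, {lost} root entries destroyed")
```

The same root_dir_geometry calculation is what a repair tool needs in order to find the stashed original boot sector on a 1.44 MB disk (sector 32 here); on a DMF disk that sector is the directory itself, which is why the directory has to be rebuilt rather than simply restored.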

------------------------------

Date: Fri, 09 Feb 1996 00:05:12 -0500 (EST)
From: DavidPwrMc <davidpwrmc@aol.com>
Subject: Re: When Harry met Sally Orgasm Scene Virus (MAC)
X-Digest: Volume 9 : Issue 24

	In article <0013.01I0WU2LIE4YPVHY7M@csc.canterbury.ac.nz>, Trenton
Cladouhos <clad@u.washington.edu> wrote:

>My Powerbook 540 seems to be infected with Meg Ryan's fake
>orgasm from the movie "When Harry Met Sally."  Whenever the 
>computer wakes from sleep, the audio portion of the scene 
>starts as well.  It may be causing some damage also as I am 
>having some unexplained crashes and the Volume Info File (as 
>noticed by Norton Utilities) is often incorrect.

>Has anyone else heard of this virus?  Disinfectant does not 
>identify it.

	      The reason that Disinfectant doesn't identify it is because
that's not a virus.  You've got some kind of extension loaded that plays
sound on startup/wake.  To verify this, *restart* the PowerBook with the
SHIFT key held down (to keep extensions from loading).  If you don't hear
the sound play, then you should be able to do a simple troubleshooting
session to discern which extension is causing the sound to play.

	      The disk problems you're experiencing may or may not be
related to the sound playing.  If the extension that's playing that sound
is not entirely compatible with the setup you have on your PowerBook, then
this could, indeed, cause some freezes or crashes.  I would suggest that
you discover the software responsible for the "Harry Met Sally" sound
playing, and once you neutralize that, see if the crashes and VIF problems
continue.  

	   If the crashes *do* continue after you manage to turn off the
sound, then that will obviously warrant further investigation since the
crashing problem would not appear to be connected to the sound playing
problem.

		     -David Miller
		       Orlando, Florida   USA

------------------------------

Date: Thu, 08 Feb 1996 19:04:32 -0500 (EST)
From: "Mikko H. Hypponen" <Mikko.Hypponen@datafellows.com>
Subject: Re: a good Anti-Virus for Win95? (WIN95)
X-Digest: Volume 9 : Issue 24

Vesselin Bontchev <bontchev@complex.is> wrote:
> I am not familiar with F-PROT for Win95 (it is not
> produced here and I do not use Win95) 

I am (it is, and I don't).

> however, didn't Win95 have a setting (the default, maybe?) that
> prevented the programs run under i to do sector-level disk access?

Yeah, but I don't think this is relevant in this case. If the user wants
to disinfect Form from his hard drive from Windows 95, it's highly
likely that he has not booted clean. In this case F-PROT's 95 version
will behave just like the DOS and Win 3.x versions: complain about the
virus in memory and ask the user to boot clean.

When disinfecting boot sector viruses from Win95 machines, I prefer
booting from a DOS floppy, not Win95 floppy. Win95 complains about
low-level access, which is something you just have to do in a case like
this.

-- 
	Mikko Hermanni Hypponen - Mikko.Hypponen@DataFellows.com  
  Data Fellows Ltd's F-PROT Pro Support: F-PROT-Support@DataFellows.com
Computer virus information available via web: http://www.DataFellows.com/

------------------------------

Date: Thu, 08 Feb 1996 21:03:17 -0500 (EST)
From: "R. S. Ratner" <rsr@aimnet.aimnet.com>
Subject: McAfee Virus Checker Screwed up my Office installation! (WIN95)
X-Digest: Volume 9 : Issue 24

Win 95 on a fast Pentium.  Installed Microsoft Office OK.  Installed 
McAfee's 32bit virus scan stuff.  During the installation it asked me "do 
you want to install protection into Word for the Concept virus and any 
similar ones?"   (Or something like this quote)  I said, sure, go ahead. 
 It installed and scanned and did its thing, and all of a sudden an 
"illegal instruction" message appeared, and the whole thing died and 
disappeared.  

From that time on, whenever I click on the "blank document" in the 
Microsoft Office window, I get an illegal instruction message and word 
doesn't load.  Word loads fine any other way, start menu, clicking on 
normal.dot, etc.  I don't know what's wrong or how to fix it.  The blank 
doc icon in Office is just a shortcut to normal.dot, and clicking on 
normal.dot works fine.  Also switched to a pre-mcafee normal.dot but it 
didn't help.

Anyone got a clue what's going on here?

Appreciate any help I can get.

Bob

ratner.r@svpal.org

------------------------------

Date: Fri, 09 Feb 1996 05:56:51 -0500 (EST)
From: riley@acsu.buffalo.edu
Subject: Re: Possible Win95 Virus (WIN95)
X-Digest: Volume 9 : Issue 24

John Tabor wrote:

> File name misallocation and crosslinked clusters - ONLY in the Win95
> directory.
> 
> ...  I ran ScanDisk which promptly
> found a plethora of misallocated filenames and crosslinked clusters.
> ALL of the affected files were once again in the Windows directory.
> 
> The latest McAffee and Microsoft virus scanners seem unable to detect
> a virus, but I've never heard of a file system corrupting so many
> files so quickly and never have all the affected files been limited to
> a single directory.

This might not be a virus.

Are you using any old (pre win95) drive utilities?  Versions of PcTools,
Norton Utilities, and other similar packages that are not written
specifically for Win95 or NT can seriously trash a file system that is
using long file names.

In particular, utilities that sort the files in a directory and
utilities that re-organize file locations will both cause the long file
names to be corrupted, if the program is not designed to handle the long
file names.

Lirey

-- 
=========================== Michael A. Riley ============================
WWW: http://shalom.eng.buffalo.edu/~riley/   Email: riley@eng.buffalo.edu
Telephone: (716) 645-2114 ext 2416                    Fax: (716) 645-3733
========= ... a hurricane triggered by a butterfly's wings ... ==========

------------------------------

Date: Thu, 08 Feb 1996 18:51:26 -0500 (EST)
From: "Mikko H. Hypponen" <Mikko.Hypponen@datafellows.com>
Subject: Re: 69 Virus (PC)
X-Digest: Volume 9 : Issue 24

Christopher Hill <chris@minkus.compulink.co.uk> wrote:
> Recently I caught the 69 virus and wiped my hard-drive to get rid of it.
> What does it do?

Here's the description available in the virus description database at
www.DataFellows.com:


		     COMPUTER VIRUS INFORMATION PAGES
				       
Virus description

NAME:      Sampo
ALIAS:     69, Wllop, Sanpo
ORIGIN:    Philippines ?
TYPE:      Resident MBR Boot OS Boot

The Sampo virus, also known as '69', seems to come originally
from the Philippines. This boot sector virus was discovered
in England and Norway in November 1994. After that, it has
been reported in Hong Kong, Singapore, Australia, Finland,
Belgium, USA...generally world-wide.

Sampo can infect a computer's hard disk only if the computer
is booted from an infected diskette, in which case the virus
infects the hard disk's Main Boot Record. Virus stays
resident after the floppy boot. The virus also goes
resident in memory the next time the computer is booted from
the hard disk. Once in memory, Sampo infects all non-write
protected diskettes used in the computer.

Sampo takes hold of the interrupts 08h, 09h and 13h (clock,
keyboard and disk operations). When Ctrl-Alt-Del is pressed,
the virus will attempt to fake a warm boot, keeping itself
resident.

Sampo activates on the 30th of November, after the machine has
been used for a couple of hours. Then it displays a blue box on
the screen's upper corner. In the box, Sampo prints in cyan
the following text :

		 S A M P O
		"Project X"
	  Copyright (c)1991 by the
	  SAMPO X-Team. All rights
	  reserved.
	   University Of The East
		   Manila

Sampo incorporates also one peculiarity; it carries the old
Kampana virus with it, and it will make clean write-protected
diskettes appear to be infected with it, if they are examined
while Sampo is resident. It probably does this to fool users
to remove write-protection from floppies and to try to disinfect
Kampana, so Sampo can infect the floppies.

Sampo virus can also be disinfected manually by cold-booting the infected
machine from a boot diskette with MS-DOS 5 or 6. The FDISK utility
should be copied to the boot diskette beforehand. After booting the
machine, test that all hard disk partitions are visible with the DIR
command. If you receive an error message like "Invalid drive
specification", do not try to use FDISK to remove the virus. If all
partitions can be seen then the command FDISK /MBR will overwrite the
virus in the master boot record. After a successful disinfection the
machine can be booted normally again. Floppy disks can be disinfected
manually by SYSing them on a clean machine.

F-PROT is able to detect, identify and disinfect Sampo.

[Analysis by Jeremy Gumbley/Command Software & Mikko Hypponen/Data 
Fellows Ltd]

<F-PROT-Support@DataFellows.com>

Hope this helps,
MHH

-- 
	Mikko Hermanni Hypponen - Mikko.Hypponen@DataFellows.com  
  Data Fellows Ltd's F-PROT Pro Support: F-PROT-Support@DataFellows.com
Computer virus information available via web: http://www.DataFellows.com/
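The manual FDISK /MBR procedure in the description above rewrites the boot code in sector 0 and leaves a valid 64-byte partition table at offset 446 in place, which is why it tells you to confirm the partitions are visible first: if the virus has moved or scrambled the table, overwriting the code does nothing to bring the partitions back. The following added example (written for this digest; not code from the original post, from Data Fellows or from F-PROT) performs that sanity check on a raw 512-byte MBR and refuses to rewrite the boot code when the table is not sane. The partition layout, the disk size and both code stubs are constructed.

```python
import struct

SECTOR = 512
PT_OFFSET = 446           # partition table: 4 entries x 16 bytes
BOOT_SIG = b"\x55\xAA"

# Constructed stand-ins; neither is real boot code.
CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0" + b"CONSTRUCTED CLEAN MBR CODE"
VIRUS_STUB = b"\xEB\x1E" + b"CONSTRUCTED VIRUS STUB"


def make_mbr(boot_code, partitions):
    """partitions: list of (active, type_id, lba_start, sector_count).
    CHS fields are set to 0xFFFFFF (LBA-only convention)."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (active, type_id, lba_start, count) in enumerate(partitions):
        struct.pack_into("<B3sB3sII", mbr, PT_OFFSET + 16 * i,
                         0x80 if active else 0x00, b"\xFF\xFF\xFF",
                         type_id, b"\xFF\xFF\xFF", lba_start, count)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def parse_partitions(mbr):
    entries = []
    for i in range(4):
        status, _, type_id, _, start, count = struct.unpack_from(
            "<B3sB3sII", mbr, PT_OFFSET + 16 * i)
        entries.append({"status": status, "type": type_id, "start": start, "count": count})
    return entries


def partition_table_problems(mbr, disk_sectors):
    """Return a list of reasons the table should not be trusted (empty = sane)."""
    problems = []
    if len(mbr) != SECTOR or mbr[510:512] != BOOT_SIG:
        problems.append("missing 55AA boot signature")
    used = [e for e in parse_partitions(mbr) if e["type"] != 0]
    if not used:
        problems.append("no partitions defined (the 'Invalid drive specification' case)")
    if sum(1 for e in used if e["status"] == 0x80) > 1:
        problems.append("more than one active partition")
    for e in used:
        if e["status"] not in (0x00, 0x80):
            problems.append(f"bad status byte 0x{e['status']:02X}")
        if e["start"] == 0 or e["count"] == 0:
            problems.append(f"type 0x{e['type']:02X} entry has zero start or length")
        elif e["start"] + e["count"] > disk_sectors:
            problems.append(f"type 0x{e['type']:02X} entry runs past end of disk")
    used.sort(key=lambda e: e["start"])
    for a, b in zip(used, used[1:]):
        if a["start"] + a["count"] > b["start"]:
            problems.append("partition entries overlap")
    return problems


def safe_to_rewrite(mbr, disk_sectors):
    return not partition_table_problems(mbr, disk_sectors)


def rewrite_boot_code(mbr, clean_code, disk_sectors):
    """What FDISK /MBR does when the table is sane: replace bytes 0..445 and
    keep the partition table and signature. Refuses if the table is suspect."""
    problems = partition_table_problems(mbr, disk_sectors)
    if problems:
        raise ValueError("refusing to rewrite MBR code: " + "; ".join(problems))
    return clean_code.ljust(PT_OFFSET, b"\x00") + bytes(mbr[PT_OFFSET:])


def demo(disk_sectors=1048576):
    """Constructed 512 MB disk with one active FAT16 partition starting at sector 63."""
    clean = make_mbr(CLEAN_CODE, [(True, 0x06, 63, disk_sectors - 63)])
    # Case 1: virus replaced the code but left the table alone -> safe to repair
    infected = VIRUS_STUB.ljust(PT_OFFSET, b"\x00") + clean[PT_OFFSET:]
    # Case 2: virus also wiped the table -> partitions not visible, do not FDISK /MBR
    hijacked = infected[:PT_OFFSET] + bytes(64) + BOOT_SIG
    return {
        "infected_safe": safe_to_rewrite(infected, disk_sectors),
        "hijacked_safe": safe_to_rewrite(hijacked, disk_sectors),
        "repaired_table_intact":
            rewrite_boot_code(infected, CLEAN_CODE, disk_sectors)[PT_OFFSET:] == clean[PT_OFFSET:],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The DIR test in the description is the operator's version of the same check: if DOS can enumerate the partitions, the table is where it should be and only the code needs replacing; if it cannot, the table is what the virus took, and a scanner that knows the variant (or a backup of sector 0) is the only safe route.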

------------------------------

Date: Thu, 08 Feb 1996 22:26:32 -0500 (EST)
From: "Timothy W. Boynton" <tboynton@acpub.duke.edu>
Subject: F-Prot Pro? (PC)
X-Digest: Volume 9 : Issue 24

I currently have a site-license for f-prot, the shareware version, to 
protect the roughly seventy computers that I am responsible for. It has 
served us very well, and is a real bargain at the educational rate of 
less than $1 per computer. Are there compelling reasons to go to the 
"Pro" version? 

------------------------------

Date: Thu, 08 Feb 1996 22:40:17 -0500 (EST)
From: "MICHAEL G. EASTON" <a27322@mindlink.bc.ca>
Subject: AntiCMOS.A Virus Scan/Clean Software Reqd (PC)
X-Digest: Volume 9 : Issue 24

Which Scan/Clean/Detect Software will work on AntiCMOS.A (I believe that's
the correct way to refer to it)?

Please reply by email (soon if possible)

------------------------------

Date: Thu, 08 Feb 1996 23:04:47 -0500 (EST)
From: Bryan Lewis <bryan@world.std.com>
Subject: Re: WelcomB Virus (PC)
X-Digest: Volume 9 : Issue 24

Mark Player <playerm@helix.nih.gov> writes:

>Has anyone ever had any problems with the WelcomB Virus.  McAfee for Win 
>95 detected it but couldn't clean it , I had better luck with NAV which 
>did clean it.  Has this virus been around for a long time?  What does it 
>typically do?

Same thing happened to us.  McAfee was able to clean it, after I upgraded
to their latest (2.2.9?) version and was kindly told the secret word
(scan c: /clean /FORCE) by Chengi Jimmy Kuo.

Still, we never did see any symptoms from it that we know of.  I was
asking the same thing, "What does it do?"  Then again, that machine did
seem to crash and hang mysteriously, occasionally. 

------------------------------

Date: Thu, 08 Feb 1996 23:41:31 -0500 (EST)
From: Reggie Knowles <rktk@ix.netcom.com>
Subject: Conventional memory loss--virus?? (PC)
X-Digest: Volume 9 : Issue 24

I share files with my son. He detected conv. memory loss, ran fprot, 
detected and cleaned antiexe virus. He is running P5 under win3.1. 
I am having similar conv. memory loss. I ran fprot-"no virus". Clean 
boot from DOS 6.2 disk #1, clean unzipped fprot, "no virus." I am 
running under win95, 486DX2-66mhz, 8meg RAM, C: is master 850 meg HD, 
D: is slave 250 meg HD, (neither compressed), when I load from DOS #1 
diskette, it recognizes my slave HD as my C: and will not access master HD. 

Therefore, I have not been able to fprot check from clean boot my 
master HD. Why do I think I have a virus?  I have attached a copy of my
"mem /c" for your review. Missing about 80k. Also I ran a download of
Astealth, a stealth virus detection program, which indicated a boot sector
virus. 

It only detects, does not clean (that I am aware of). Developed by 
machek@k332.feld.cuut.cz, I'm not completely sure of my running the 
program correctly, but it worked fine under my win 3.1. 

On my win95 system it indicated, "virus at bios level (difference 
between read by IDE and bios)." Next line was C:/76654 ! "stupid 
stealth virus detected"!

I've been trying to rid myself of this pest for 2 weeks now. Have any 
tips??? Appreciate any help you can spare...

	      TOTAL            CONV.            UPPER
MSDOS      78,512 (77K)     78,512 (77K)         0
COMMAND    10,064 (10K)     10,064 (10K)         0
FREE      557,360 (544K)   557,360 (544K)        0

SUMMARY       TOTAL           USED           FREE
CONV.        646,144         88,784         557,360
UPPER              0              0               0
RESERV.      140,288         140,288              0
EXT.(XMS)  7,602,176       7,602,176              0
TOTAL      8,388,608       7,831,248        557,360
TOTAL 
UNDER 1MB    646,144          88,784        557,360
LGST EXEC:  557,280 (544K)

I'm sending you the information because I was unsure if the lgst 
executable amount should be the same as the free memory. You can see a 
difference of 80. I have booted from a clean dos 6.2 #1 disk, ran 
f-prot and had no virus protection. A cloud rained on my no virus 
report by saying it is possible that if f-prot was expanded on an 
infected computer it may not detect a boot sector virus. I know 
anything is possible, but at a clean boot, would this be feasible???  
Any thoughts??  I greatly appreciate your previous response and any 
advice you may have here. One Q-should I have 655K total? A friend with 
win95 says he does. My work system does also??

RK

tkrk@ix.netcom.com

------------------------------

Date: Fri, 09 Feb 1996 05:11:59 -0500 (EST)
From: John Kellner <jkellner@freenet.calgary.ab.ca>
Subject: NAV Scheduler problems (PC)
X-Digest: Volume 9 : Issue 24

I have NAV 95 and just recently upgraded to version 2.0a from Symantec's 
website.  I cannot seem to get the Scheduler to run an unattended virus 
scan as there is not the "virus scan" option in the pull-down box.

I did not try the Scheduler before I upgraded so I don't really know if 
that is the cause.

Perhaps other people who have this problem (upgrade or not) would respond.

Thanks.
			     John Kellner  
		    jkellner@freenet.calgary.ab.ca
		     bt777@freenet.toronto.on.ca
			      CARPE DIEM

------------------------------

Date: Fri, 09 Feb 1996 05:12:51 -0500 (EST)
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: RE: VET as an anti-bugger (PC)
X-Digest: Volume 9 : Issue 24

limsy@lion.cs.latrobe.edu.au writes:

> I do however have some stats on Vet ... they are :-
>
>                   In Wild    Boot Sector  Standard   Polymorphic
>    VET V7.825     95.2%      100%         98.3%       98.6%
>
> The stats are quoted from Jan 1995 issue of a UK Virus Bulletin Mag
>
> It was the top rater of the list BUT both F-prot and Dr. Solomon
> Antivirus TK weren't IN the list I had ... so I dunno which fared
> better.
>
> [ Note:  I don't know how accurate the stats are and they are
> released by Cybec ... so ... ]

The full review can be found on our website (http://www.drsolomon.com).  
Dr Solomon's and F-Prot were included in the Jan 95 review you quote, but 
they don't seem to have made it into the statistics Cybec are 
distributing :-)

So, here's how F-Prot and Dr Solomon's fared in the same test:

                             In Wild    Boot Sector  Standard   Polymorphic
    Dr Solomon's AVTK v7.03  100.0%     100.0%       100.0%     99.5%
    F-Prot v2.14a            96.8%      100.0%       99.6%      94.6%

Dr Solomon's found the most viruses in this test.  You can find the full 
report on our website.
    
Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Fri, 09 Feb 1996 05:58:35 -0500 (EST)
From: Zvi Netiv <netz@actcom.co.il>
Subject: Re: B1 virus with a twist (PC)
X-Digest: Volume 9 : Issue 24

Jason Oliver <joliver@execpc.com> wrote:

> I have a strange breed of the B1 and was hoping that someone might shed 
> some light on this for me before I pull all of my hair out.  I have scan 
> a machine that I had connected to a network and F-PROT has said that it 
> is the B1 virus.  I have tried everything to get rid of it.  I know that 
> some of you will probably say that it probably is just a false alarm but 
> I know that it is not because I have infected diskettes with this 
> machine.  Now here is the real twist, I have FDISKed the whole hard drive 
> and still have this virus on this particular machine.  I have no idea of 
> how to get rid of this virus.  I never knew that this virus was that 
> dynamic.

There is a way to remove stealth boot infectors, and B1 is in this
category, from an infected hard drive without needing to boot clean. This
is on condition that your hard drive is an IDE / EIDE. 

InVircible implements a unique anti boot stealth that takes advantage of
these viruses' behavior for both detecting them and removing them. 

As boot infectors are the most prevalent ones (80% by some estimates) then
it could be worth installing IV's probe and disinfector in your autoexec.
It takes just a couple of seconds to run, it isn't memory resident (and
won't interfere with other applications) and will alert on boot
infections and offer to remove them right at start up.

IV can be downloaded from any of the sites in my sig.

Regards, Zvi
- --------------------------------------------------------------------
NetZ Computing Ltd, Israel          Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)   Fax +972 3 532 5325
Web sites:  http://invircible.com/     http://www.NewCastlteIntl.com/
E-mail: netz@actcom.co.il netz@invircible.com  Compuserve: 76702,3423
Ftp:  ftp.datasrv.co.il/pub/usr/netz/  ftp.invircible.com/invircible/
- --------------------------------------------------------------------

------------------------------

Date: Fri, 09 Feb 1996 06:32:18 -0500 (EST)
From: Bill lambdin <vfreak@skn.net>
Subject: Integrity Checking (PC)
X-Digest: Volume 9 : Issue 24

PJN.-.TSA@news.flinet.com writes

>Command Software has an integrity checker simply named CHECK.EXE and comes 
>with a DOS tsr, CS-TSR.COM. It notifies when file has changed or is not in 
>the database of allowable programs. There is the option to ignore the
>warning or to stop the program from executing. The use of such a product
>will depend on the user's knowledge of his or her own software; there are

Your comments here are about the integrity checker in F-Prot Professional.
 
I recommend the following generic A-V programs. The asterisks below
indicate A-V software that use integrity checking.
 
 ARF A-V utilities
*F-Prot Professional
*Integrity Master
 PC-cillin
 PC-Rx
*TBAV
*Untouchable (No longer supported in the U.S.)
*Victor Charlie

	Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net                     PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                          C7 7D 69 8B 26 0C F8 08
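An added example, not Command Software's CHECK.EXE or any of the products listed above: a minimal integrity checker with the behaviour the post describes. It records a digest of every program under a directory as the "database of allowable programs", then reports files whose contents changed, files not in the database, and files that have gone missing. The `demo` function and its sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

PROGRAM_SUFFIXES = (".exe", ".com")   # assumption: DOS-style program files


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Database of allowable programs: relative path -> digest."""
    root = Path(root)
    db = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in PROGRAM_SUFFIXES:
            db[str(p.relative_to(root))] = file_digest(p)
    return db


def check_programs(root, db):
    """Compare current program files against the baseline.

    Returns (changed, unknown, missing): programs whose digest differs
    from the database, programs not in the database at all, and
    database entries with no file on disk."""
    current = build_baseline(root)
    changed = sorted(k for k in current if k in db and current[k] != db[k])
    unknown = sorted(k for k in current if k not in db)
    missing = sorted(k for k in db if k not in current)
    return changed, unknown, missing


def demo():
    """Constructed scenario: take a baseline, then one program grows by a
    few bytes and a program that was never approved appears."""
    root = Path(tempfile.mkdtemp())
    (root / "GAME.EXE").write_bytes(b"MZ" + b"\x90" * 100)
    (root / "EDIT.COM").write_bytes(b"\xb8\x00\x4c\xcd\x21")
    db = build_baseline(root)
    with open(root / "GAME.EXE", "ab") as f:      # contents changed
        f.write(b"\x00\x00\x00")
    (root / "NEW.COM").write_bytes(b"\xcd\x20")    # not in the database
    return check_programs(root, db)
```

Running `demo()` returns `(["GAME.EXE"], ["NEW.COM"], [])`; a real checker would keep the database on a write-protected diskette so the baseline itself cannot be altered.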

------------------------------

Date: Fri, 09 Feb 1996 06:32:25 -0500 (EST)
From: Bill lambdin <vfreak@skn.net>
Subject: A-V software on system diskette (PC)
X-Digest: Volume 9 : Issue 24

"Paul E. Sullivan" <sullivan@peterfield.mv.com> writes

>You should put your McAfee s/w on a floppy disk as well, preferably on 
>the clean system disk you have if there's room enough.  I had a similar 
>virus (boot sector) and McAfee would not allow the anti-virus s/w on the 
>hard drive to be accessed.  When I ran it off a floppy after booting with 
>a clean system disk, the virus was successfully removed.  Good Luck.

This is bad advice!

1. If the Hard drive is infected with a boot sector or MBR virus, this
clean system diskette will be infected.

2. If there is a fast infector like Frodo, Jerusalem, Green Caterpillar,
etc, the files will be infected as the files are copied to the diskette.

The system diskette that comes with DOS should be left write protected at
all times to prevent such problems.

The users can always prepare another bootable diskette for A-V software.

	Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net                     PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                          C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Fri, 09 Feb 1996 06:32:24 -0500 (EST)
From: Bill lambdin <vfreak@skn.net>
Subject: Boot Sector viruses (PC)
X-Digest: Volume 9 : Issue 24

Iolo Davidson <iolo@mist.demon.co.uk> writes

>Not quite right.  "Data-only" diskettes can carry boot sector 
>viruses.  Scan them all, no excuses.

Correct, but allow me to add two cents.

Diskettes (even preformatted diskettes) can carry boot sector viruses.
These infectious diskettes do NOT need to be bootable, or have any
executable files.

	Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net                     PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                          C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Fri, 09 Feb 1996 06:32:20 -0500 (EST)
From: Bill lambdin <vfreak@skn.net>
Subject: testing scanners (PC)
X-Digest: Volume 9 : Issue 24

rslade@freenet.vancouver.bc.ca writes

>It is relatively easy to evaluate scanners: just get a good "zoo" and see 
>how many viruses are identified by the respective products.  (Maintaining
>a good "zoo", on the other hand, is the problem.)  This is also easy for 
>users to judge, since it gives a numerical rating.  The numerical rating 

You are right. It is relatively easy to perform a good ZOO test. All the
users need are two things.
 
1. a good ZOO of viruses. 
2. a few hours of time.
 
However; ZOO tests do not tell the whole story. A scanner that detects
more of the ZOO, but detects less of the ITW (In The Wild) viruses will
appear better than another scanner that detects all of the ITW viruses,
and less of the ZOO viruses.

Scanner tests should be broken up into a minimum of two sections, and even
better three or four.

ITW (This section is of most importance because users are more likely to
encounter these viruses than viruses in the ZOO.)

ZOO. (This should contain viruses from as many families, and variants as
possible.)

Polymorph (The Polymorphic viruses can mutate into billions of patterns,
and not all scanners detect all or even most of the possible permutations)
There are several polymorphic viruses in the wild.

Generic (There are several different ways to detect new viruses and
variants generically, and unfortunately not all of them work well enough to
be recommended.)

	Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net                     PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                          C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Fri, 09 Feb 1996 06:32:22 -0500 (EST)
From: Bill lambdin <vfreak@skn.net>
Subject: GOLDBUG (PC)
X-Digest: Volume 9 : Issue 24

It has been a long time since I have looked at GOLDBUG. I believe it is
only a  companion infector. 

I believe the virus copies the .EXE files to no extension, then Goldbug
generates a file of the same name with the .EXE extension.

There is text inside Goldbug "Da'Boys", and the Da'Boys virus is a boot
sector virus. This may be why some think Goldbug is a multipartite.

IMHO. Goldbug needs too much, and I doubt that it can survive in the wild.
It needs Upper memory blocks available to work, which means that it needs
the following in place.

1. a 286 or higher
2. DOS 5.0 or higher
3. DOS stored in upper memory blocks
4. HIMEM.SYS loaded in the CONFIG.SYS
5. EMM386.EXE loaded in CONFIG.SYS.

This is from memory about a virus I have not examined in about a year, and
may not be completely correct.

	Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net                     PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                          C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Fri, 09 Feb 1996 06:33:17 -0500 (EST)
From: Bill lambdin <vfreak@skn.net>
Subject: Azusa (PC)
X-Digest: Volume 9 : Issue 24

Harland Roades <EZYU67A@prodigy.com> writes

>The Azusa virus on an old 68 meg IDE hard disk is not easy to get rid of. 
> I have tried Norton Anti-Virus 3.0 and it locks up when it tries to 
>clean up the virus.  McAfee Anti-Virus did not find it at all. I find the 
>virus when I boot from a clean floppy and then try to load NAV. 
>Formatting does not get rid of it. I am using DOS 5.0.  Any hints?

Azusa is a boot sector / MBR virus.

Azusa does not save a copy of the uninfected MBR, so many computers crash
after an Azusa infection.

If possible, write the MBR image over the virus if you have one. If not,
run F-Disk and re-partition the hard drive.

	Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net                     PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                          C7 7D 69 8B 26 0C F8 08

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 24]
*****************************************


