Message-Id: <01I1BRQ6MJ8SQKFBM4@csc.canterbury.ac.nz>
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V9 #25
Date: 	Fri, 16 Feb 1996 22:41:24 EST

VIRUS-L Digest  Saturday, 17 Feb 1996    Volume 9 : Issue 25

Today's Topics:

Network av
John Lenon Virus
Re: Shareware beasties
Re: Scanning Zip files
Re: Virus Database
Re: Virus Database
Re: Microsoft is shipping Viruses!
Re: Not providing examples of Java viruses
Re: Firewall scanners
Re: Virus Calendar
Anti-virus information and the great unwashed
Re: Flash BIOS viruses?
Re: Virus Calendar
Re: Virus Calendar
antivirus software for Windows NT? (NT)
Re: Status of AV-Scanner for NOVELL Netware 4.1? (NW)
Re: Word Macro Virus (MAC,WIN)
Re: Word Macro Virus (MAC,WIN)
Re: Word Macro Colors Virus (MAC?,WIN)
Excel Virus (MAC,WIN)
Re: Microsoft Registration Virus (WIN)
Vet said it can't remove Jumper_B (PC)
Hooking the `different floppy in drive' condition (PC)
Re: Infected Network, HELP! (PC)
Re: WelcomB Virus (PC)
checking write-protection on floppys (PC)
Re: Nomenklature Virus (PC)
Re: V-SIGN (PC)
Re: unashamed virus (PC)
Re: Quality Anti-Virus Programs (PC)
Re: Da'Boys (PC)
Stealth Boot virus - Help!! (PC)
Windows with dos=umb will not load (PC)
RE: spartan? (PC)
Integrity checking (PC)
Viruses in .ZIP files (PC)
Re: McAfee Software how do I obtain? (PC)
Re: spartan? (PC)
Re: Sampo Virus - Help! (Disinfect??) (PC)
Re: Three questions (PC)
Re: spartan? (PC)
Re: spartan? (PC)
Re: What do i have? how do i get rid of it? (PC)
Re: HELP: Problem with January NAV update (PC)
Re: EXE files growing (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Fri, 09 Feb 1996 11:46:15 -0500 (EST)
From: "Janet M. Simons" <70570.510@CompuServe.COM>
Subject: Network av
X-Digest: Volume 9 : Issue 25

My employer is looking at three different av packages for our 
network:

	Thompson's The Doctor
	F-PROT Professional
	Dr. Solomon's AVTK

We would like to hear from _users_ of these packages.  What are 
your experiences?  Problems?  Recommendation(s)?

TIA for your responses.

Janet Simons

------------------------------

Date: Sat, 10 Feb 1996 00:11:16 -0500 (EST)
From: netonnow@freenet.edmonton.ab.ca
Subject: John Lenon Virus
X-Digest: Volume 9 : Issue 25

If anyone has information regarding the John Lenon Virus (possibly called 
the John Lenon Logic Bomb), then please inform me by mail.

- -
http://www.tic.ab.ca/~gracewas/home.html
Karl Waskiewicz
Edmonton, Alberta, Canada

------------------------------

Date: Sat, 10 Feb 1996 01:46:06 -0500 (EST)
From: Aryeh Goretsky <goretsky@netcom.com>
Subject: Re: Shareware beasties
X-Digest: Volume 9 : Issue 25

A few shareware programs do create "metering" files for tracking
evaluation time.  In all instances I have heard of this "key" is
a data file and contains no executable code.  

If the "key" file is kept in the same directory as the rest of 
the program removing that directory should get rid of the file.

A more likely reason for your slow-down is the fragmentation of
space on your hard disk caused by the repeated installation and
removal of programs.  This is perfectly normal and can be fixed
by running a disk defragmentation program.  Backing up the hard
disk, reformatting, and reloading the backup works, too.  

Regards,

Aryeh Goretsky

P.S.  It probably wouldn't be a bad idea to make a back up
      anyways.  You do perform regular backups, don't you? :-)

______________________________________________________________________________
Aryeh Goretsky					EMAIL goretsky@netcom.com
627 W Midland Ave				CompuServe     76702,1714
Woodland Park, CO				TEL     +1 (719) 687-0480
USA    80863-1100				FAX     +1 (719) 687-0716

------------------------------

Date: Sat, 10 Feb 1996 02:00:13 -0500 (EST)
From: sysop@command-bbs.com
Subject: Re: Scanning Zip files
X-Digest: Volume 9 : Issue 25

>How does a virus in a .zip file act ?
>
>I mean, is it possible that, just unzipping the .zip file (without
>executing any of the now unzipped file )  the virus has already
>infected your PC ?

The only way you can get a problem with unzipping a ZIP file is if the
comment was written with ANSI escape sequences to remap the keyboard.
Other than that you won't have a problem. Get PKSFANSI from PKWARE and it
will disable the ANSI remapping functions of the driver and prevent even
that from occurring. The likelihood of you actually getting a ZIP Trojan
like the one described above is VERY, VERY slim though. Also, there are
antivirus products that can virus scan within ZIP files for you.

Our product AVPLITE can virus scan within ZIP, RAR, ARJ, ICE, LHA and LZH
archives. Get a copy from the ftp below.

Keith
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Central Command Inc.                 USA  Distributor  for
P.O. Box 856                         AntiViral Toolkit Pro
Brunswick, Ohio 44212                216-273-2820
Internet: info@command-hq.com        Compuserve:102404,3654
FTP: ftp.command-hq.com /pub/command/avp       :GO AVPRO
WWW: http://www.command-hq.com/command
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
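As an added example (my own code, not Keith's or Central Command's), here is a check for the one hazard described above: ANSI.SYS keyboard-redefinition escape sequences in a ZIP archive's comment or in any member's comment. The sample archive is constructed inline; key code 65 and the quoted string are arbitrary test values.

```python
import io
import re
import zipfile

# ANSI.SYS keyboard redefinition: ESC [ code ; "string" p  (parameters are
# numbers or quoted strings separated by ';' and the sequence ends in 'p').
# Colour and cursor sequences end in other letters (m, H, J ...) and cannot
# remap keys, so they are reported separately as merely "ansi-escape".
KEY_REMAP = re.compile(rb'\x1b\[(?:[0-9]+|"[^"]*")(?:;(?:[0-9]+|"[^"]*"))*p')
ANY_CSI = re.compile(rb"\x1b\[")


def classify_comment(comment: bytes) -> str:
    """Return 'keyboard-remap', 'ansi-escape' or 'clean' for one comment."""
    if KEY_REMAP.search(comment):
        return "keyboard-remap"
    if ANY_CSI.search(comment):
        return "ansi-escape"
    return "clean"


def audit_zip_comments(data: bytes) -> dict:
    """Classify the archive comment and every member comment of a ZIP file.

    Keys are member names; the archive-level comment is stored under
    '<archive>'. Only the central directory is read, nothing is extracted,
    so the check is safe to run before unzipping.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        findings["<archive>"] = classify_comment(zf.comment)
        for info in zf.infolist():
            findings[info.filename] = classify_comment(info.comment)
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive (not a real-world sample).

    The archive comment carries a key redefinition that would make the 'A'
    key (code 65) type 'dir' under ANSI.SYS; one member comment carries a
    harmless colour sequence; one member has no comment at all.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.TXT", "Plain text, no comment.")
        info = zipfile.ZipInfo("NOTES.TXT")
        info.comment = b"\x1b[1;31mRed text\x1b[0m"
        zf.writestr(info, "Member with a colour-only comment.")
        zf.comment = b'Thanks for downloading!\x1b[65;"dir"p'
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in audit_zip_comments(build_sample_zip()).items():
        print(f"{name:12} {verdict}")
```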

------------------------------

Date: Sat, 10 Feb 1996 02:00:25 -0500 (EST)
From: sysop@command-bbs.com
Subject: Re: Virus Database
X-Digest: Volume 9 : Issue 25

>> Can anyone point my to a good database of all known virus, with
>> descriptions and such.
>
>Try VSUM that's available on most of the on-line services and also
>from most AV makers.

Most AV makers? Naaa.... most have their own virus databases. There are 3
I recommend: AntiViral Toolkit Pro Virus Encyclopedia (AVPVE), F-Prot's
internal database and Dr. Solomon's virus book...

Keith
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Central Command Inc.                 USA  Distributor  for
P.O. Box 856                         AntiViral Toolkit Pro
Brunswick, Ohio 44212                216-273-2820
Internet: info@command-hq.com        Compuserve:102404,3654
FTP: ftp.command-hq.com /pub/command/avp       :GO AVPRO
WWW: http://www.command-hq.com/command
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: Sat, 10 Feb 1996 08:24:42 -0500 (EST)
From: Fridrik Skulason <frisk@complex.is>
Subject: Re: Virus Database
X-Digest: Volume 9 : Issue 25

In <0003.01I0ZQJ93R4YPVIUA3@csc.canterbury.ac.nz> costigan
<costigan@enter.net> writes:

>Try VSUM that's available on most of the on-line services and also
>from most AV makers.

Sorry.  Wrong answer.  The question was about a *good* database of *all*
viruses .... VSUM is neither.

-frisk

- - 
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Sat, 10 Feb 1996 09:41:21 -0500 (EST)
From: ruben@ralp.satlink.net
Subject: Re: Microsoft is shipping Viruses!
X-Digest: Volume 9 : Issue 25

Ken Stieers <kens@ontrack.com> wrote:

>Here's what really happend:
>
>You got a machine that was infected at the store (as your store told you).  
>Since Office '95 is shipped on MFT formated diskettes, Newbug (better
>known as ANTIEXE), hammered them.  Clean your system using the info in the
>FAQ. 

Yes Ken. That really happens so often.
Last month I bought a modem card and the diskettes turned out to be infected
with the Antiexe virus.

I always take care to write-protect any disk that will be read in my
computer.

I advised the people of the store who sold me the modem card and they said
that they "need" to open all the packages to control them (here in my
country it is necessary to check import stamps and things like this) and
verify that the software works fine.

The moral of the story is:

Software companies take all the necessary cautions when they distribute
diskettes.

Does any person believe that IMPORTANT companies will release viruses on
diskettes???
(Again, -Sorry moderator, I insist on this!- We must check other points of
distribution as well as the very well-known CD problems)

Regards

Ruben Arias

- ------------------------------------------------------------------------------
 Ruben M. Arias                                _   _      _                   
                                              | ) |_| |  |_)                   
                                              | \ | | |_ |                     
 E-Mail: Ruben@RALP.Satlink.net                                                
 Buenos Aires - ARGENTINA            RALP - Computer Security - Virus          
- ------------------------------------------------------------------------------

------------------------------

Date: Sat, 10 Feb 1996 09:41:24 -0500 (EST)
From: ruben@ralp.satlink.net
Subject: Re: Not providing examples of Java viruses
X-Digest: Volume 9 : Issue 25

Iolo Davidson <iolo@mist.demon.co.uk> wrote:

>In article <0001.01I0WU2LIE4YPVHY7M@csc.canterbury.ac.nz>
>       fc@all.net "Fred Cohen" writes:
>
>> The reason I don't provide examples of Java viruses is that it is pretty
>> dangerous to do so.  I am especially astonished to see Vess seemingly
>> ask me to give source to viruses out since he has long stood against the
>> open disclosure of viruses.
>
>There is a difference between "open disclosure" and supplying 
>research material to selected, trusted, anti-virus researchers.  
>One must decide for oneself who is trustworthy, of course.

Yes Iolo, but this is an OLD question. Who is who??
What may a person do to be considered a "professional" or virus
researcher??? Take part in a group, write a lot about viruses, help
people, what???

Then, it all depends on the person who has the "infected files" and what
he/she wants to do with them.

My own policy about this is NOT to request infected files from any "famous"
person.

I always talk directly with the person who has the problem (common users)
and if any researcher asks me for something -You miss the point here Fred
:-) - I reply to him/her in private, not in public.

Kind regards

Ruben Arias

- ------------------------------------------------------------------------------
 Ruben M. Arias                                _   _      _                   
                                              | ) |_| |  |_)                   
                                              | \ | | |_ |                     
 E-Mail: Ruben@RALP.Satlink.net                                                
 Buenos Aires - ARGENTINA            RALP - Computer Security - Virus          
- ------------------------------------------------------------------------------

------------------------------

Date: Sat, 10 Feb 1996 11:27:40 -0500 (EST)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: Firewall scanners
X-Digest: Volume 9 : Issue 25

A Bruce Peck (bruce_peck@aici.com) wrote:
: Forgive me if I have just missed this subject on the list.  Is it 
: feasible to think that we could have a virus scanning product that 
: would look at packets as they were coming in to, say, a corporate 
: network via a firewall and SMTP gateway and act upon the files at that 
: one point of entry?  Are there such products?

It's not technically impossible, by any means. But I'm not convinced
it can be done so efficiently as to be worth the overhead. Examining
individual packets is one thing: checking a reassembled packet 
stream for search strings or suspect code is another. Consider the
diversity of packet streams that might get passed through a corporate
firewall. Even looking at mail only, you have to capture the packet
stream, decode attachments in MIME, uuencode etc. formats, then scan.

: I understand the obvious counters such as simply make sure everyone 
: has a good scanner/TSR package on the workstation, however, in a large 
: distributed corporate environment like ours, this is very hit-or-miss 
: to maintain.  

Nonetheless, you might find it less hassle than overloading the firewall,
even if you had suitable software.

: I also understand that most of our viruses are going to 
: be boot viruses that will come in only on diskette, however, it would 
: be nice to think that I could be efficient by monitoring that one 
: point of entry for file infectors and other obvious trojans or 
: droppers that are recognizable (perhaps also the WORD macro viruses).

Unfortunately, that 'one point of entry' is only a single point of entry
in a routing diagram. What you're actually looking at is innumerable
points of entry, potentially, all of which fan in and out of a single
gateway: FTP, HTTP, SMTP.... If you don't want to turn your point of
entry into a bottleneck, you have to either trust/educate your users,
or concentrate on armouring your PCs (and remember that scanners are 
not the only way of doing this). A further possibility which isn't
discussed much is to move filtering for viruses/trojans etc. off-line,
so that dubious incoming packet streams can be examined at leisure
without overloading the gateway. I believe MIMEsweeper does something
of the sort with mail: it does something like undecode mail then
hand it over to a suitable scanner for checking. I don't know of a
vendor application which does the same thing for FTP, for example,
though you could certainly roll your own on (say) a Unix system. 
There are one or two Unix-hosted scanners which might be used to 
examine quarantined files, for instance, cooperating with a stricter
than usual FTP daemon. Does anyone know of commercial products which
take this approach? (I know about DSAVTK for SCO Unix/Linux: I was
wondering about products with a broader Unix base. Also, Unix
integrity checkers, useful though they are, don't seem to me to have
an obvious relevance to PC files on a Unix server, unless, maybe you're
running some sort of emulation....)

David Harley
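The off-line mail filtering step described above (decode the MIME attachments, then hand the decoded files to a scanner) as an added Python example; this is my own code, not MIMEsweeper's or any vendor's. The message is constructed inline, and the suspect extension list is an assumed policy choice.

```python
import email
import hashlib
import os
from email import policy
from email.message import EmailMessage

# File types the off-line check hands on to a scanner rather than forwarding
# untouched (assumed policy). Boot-sector viruses never arrive this way;
# file infectors, droppers and Word templates carrying macros do.
SUSPECT_EXTENSIONS = {".exe", ".com", ".sys", ".bat", ".doc", ".dot"}


def extract_attachments(raw_message: bytes) -> list:
    """Decode every attachment of an RFC 822 message into a quarantine manifest.

    Each entry carries the decoded size, a SHA-256 of the decoded bytes (so a
    scanner or an allow/deny list works on content, not on the base64 or
    uuencoded wire form) and whether the name says it must be scanned.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    manifest = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:          # inline body text, not an attachment
            continue
        payload = part.get_payload(decode=True)   # undoes base64/QP/uuencode
        extension = os.path.splitext(filename)[1].lower()
        manifest.append({
            "name": filename,
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
            "encoding": part.get("Content-Transfer-Encoding", "7bit"),
            "needs_scan": extension in SUSPECT_EXTENSIONS,
        })
    return manifest


def build_sample_message() -> bytes:
    """Constructed message (not real mail): one executable, one text note."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "files as promised"
    msg.set_content("See the attached files.")
    # 32 constructed bytes with an EXE header; not a real program.
    msg.add_attachment(b"MZ" + b"\x90" * 30, maintype="application",
                       subtype="octet-stream", filename="SETUP.EXE")
    msg.add_attachment("Just some notes.", filename="NOTES.TXT")
    return msg.as_bytes()


if __name__ == "__main__":
    for entry in extract_attachments(build_sample_message()):
        print(entry)
```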

------------------------------

Date: Sat, 10 Feb 1996 11:36:58 -0500 (EST)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: Virus Calendar
X-Digest: Volume 9 : Issue 25

News Group (news@zippo.com) wrote:
: Does anyone know of a list that contains dates of when known viruses will
: be executed?

There was a thread about this on a.c.v. a while ago. I believe S&S got
to a point where there were only about 18/365 days that weren't 
associated with a virus payload, and they gave up. When you think about
it, there isn't much practical you can do with this information. If you
know that you have a given virus on your system, it's better to remove
it than to keep the PC switched off that day, and it's not a good idea
to turn off virus-protection on a day when no known viruses trigger!
Of course, if you discover Michelangelo in memory at 23.55 on
March 6th, this might have some influence on your subsequent actions...

David Harley

------------------------------

Date: Sat, 10 Feb 1996 17:44:02 -0500 (EST)
From: Gamin <gamin@gol1.gol.com>
Subject: Anti-virus information and the great unwashed
X-Digest: Volume 9 : Issue 25

This is in response to the "Who needs AV experts?" thread, and especially 
to those posters who feel that having to support the panicked ordinary 
user is a serious pain, and life was better when only the cognoscenti 
could access, understand and use AV materials.

I work at an ISP, and, although I do not work in support right now, I end 
up doing a lot of basic support when all the lines are busy.  And, due to 
the fact I have spent a lot of time lurking in alt.comp.virus and 
comp.virus, I am considered the resident "AV expert".  (Thank you, Storm 
Bringer, Yves, Henri, Frisk, Vess, and all.)

Yes, it is true, the ordinary user doesn't understand, panics, and calls 
with the *same* question the last panicked ordinary user called with.  It 
can definitely drive you crazy.

*But*, that same ordinary user is the one paying our salaries, one way or 
the other, or buying our products, once they wise up and realize that 
they need to learn some things to protect themselves.  Most of them are 
incredibly grateful for a calm, semi-knowledgeable response, and, once 
their problem is solved, they will sing your praises to everyone they 
meet.  We do not have a big advertising budget, but we are the fastest 
growing ISP in our area, purely on word of mouth.  And that word of mouth 
says we *helped* when they needed it, and went the extra mile.

Sure, as Ken suggests, they could read the manual.  Some of them even 
do.  But, most manuals are, I fear, seriously daunting books, that most 
people do not understand.  I read the manual all the time, and after all 
these years, I wonder who writes some of them, or whether they were 
translated from some obscure Altaic tongue.  And, most manuals do not 
include information on viruses.  So, RTFM is not always a useful response.

What I wish would occur, is that a couple of really good AV companies 
would get into bundling arrangements with hardware manufacturers, so that 
AV programs and AV knowledge, would come with a system.  If not with the 
hardware manufacturers, then with a few other non-AV software firms.

Eventually, the "ordinary user" can and does learn.  At least, I did.  
But I learned because people took the time to help, and point me in the 
direction of what I needed.  And, I still learn, every day, by reading 
these groups, and checking out the references that people like Dr. 
Solomon and George (the Cat) Wenzel supply.

Like it or not, the ordinary user is here to stay.  We can sneer at 
him/her all we want in private, but he/she is our audience, our customer 
and might someday be our colleague.  So, I *still* appreciate the fact 
that the DSAVTK people and the Datafellows people and whoever else is 
posting basic responses to basic questions.

Speaking of which, I have one.  I have never seen the address for 
subscribing to the virus-l list actually posted (not all of the messages 
get to our feed, I suspect, as we are far abroad from their origins).  
So, if the moderator has time, could he post it again.

And, if he decides to use this, he may edit to his heart's content, as 
long as he keeps the tone friendly:-)

------------------------------

Date: Sun, 11 Feb 1996 02:30:50 -0500 (EST)
From: Steven Hoke <shoke@NorthNet.org>
Subject: Re: Flash BIOS viruses?
X-Digest: Volume 9 : Issue 25

Vesselin Bontchev <bontchev@complex.is> wrote:

> Mark Olson <molson@apollo.tricord.com> writes:
>
> >   A quick check on PC's in use here shows me that most
> > people leave the jumper in flash-bios motherboards in
> > the "allow programming" position.
>
> This is a very bad practice. Not just because of viruses - even a
> buggy application would cause trouble it if manages to corrupt the
> BIOS.

You may not always have a choice though, depending on your system, and OS.
My system uses a Micronics motherboard, and according to Micronics, the
Intel PnP specification specifies that the system must have access to
write to the flash BIOS for full PnP compliance, and that if you have
Win95 installed, the BIOS should be jumpered to allow writes. I had called
their tech support because of error messages I was getting (I don't
remember what they were, it was a while ago now) after installing Win95.
Sure enough, after jumpering the BIOS to allow writes, the errors stopped.
I don't really like the situation though. As you said, even a buggy
application can corrupt the BIOS if it's jumpered for writes, and mine is
one of the systems (Micron) that is specifically mentioned in Win95's
documentation that the install can corrupt the flash BIOS on.
- -
- -==Steve==--

shoke@northnet.org
steven_hoke@msn.com

------------------------------

Date: Sun, 11 Feb 1996 02:30:48 -0500 (EST)
From: Steven Hoke <shoke@NorthNet.org>
Subject: Re: Virus Calendar
X-Digest: Volume 9 : Issue 25

An unidentified Person (News Group) wrote:

> Does anyone know of a list that contains dates of when known viruses will
> be executed?

The hypertext database VSUM, By Patricia Hoffman, has one in the appendix.
While I've often seen the program taken to task for numerous errors, I
don't recall any other list by date. There is also a virus encyclopedia
(AVPVE) by Eugene Kaspersky, the author of AVP, but I don't think it has a
listing or sorting by activation date (at least I didn't find one in a
quick look through the menus).
- - 
- -==Steve==--

shoke@northnet.org
steven_hoke@msn.com

------------------------------

Date: Sun, 11 Feb 1996 06:48:39 -0500 (EST)
From: Bill lambdin <vfreak@skn.net>
Subject: Re: Virus Calendar
X-Digest: Volume 9 : Issue 25

News Group <news@zippo.com> writes

>Does anyone know of a list that contains dates of when known viruses will
>be executed?

Don't waste your time with a virus calendar. Many viruses do not have a
set date to activate.

Azusa activates on the 32nd boot up
One Half activates when half of the hard drive is encrypted.
Lehigh activates on the 4th boot up.
Lovechild activates when the counter reaches 0. There was a book called
"approaching 0" about this virus, and quite a bit of other info.

	Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net                     PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                          C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Fri, 09 Feb 1996 15:37:43 -0500 (EST)
From: Gerry Santoro <gms@psu.edu>
Subject: antivirus software for Windows NT? (NT)
X-Digest: Volume 9 : Issue 25

I am looking for recommendations on antivirus software for Windows
NT systems (servers and workstations).    It appears (at least with
the version we have) that F-Prot does not work with NTFS formatted
drives.

Please email me with any information and my apologies if this
is an extremely simple question.

gerry

------------------------------

Date: Sat, 10 Feb 1996 09:58:57 -0500 (EST)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: Status of AV-Scanner for NOVELL Netware 4.1? (NW)
X-Digest: Volume 9 : Issue 25

Ken Stieers (kens@ontrack.com) wrote:

: Netshield by McAfee
[snipped]
: NetProt by Frisk Software
[snipped]

: The only one that may be close to free is NetProt, but then again that
: policy only applies to single users, which you obviously aren't.  All of
: the others are commercial packages. 

Isn't Netshield shareware? Anyway, Net-Prot is definitely not freeware or
shareware, and it's marketed by Command Software as a companion package
to their version of F-Prot Pro.

DH

------------------------------

Date: Fri, 09 Feb 1996 13:05:25 -0500 (EST)
From: Joerg Erdei <a8101gbb@helios.edvz.univie.ac.at>
Subject: Re: Word Macro Virus (MAC,WIN)
X-Digest: Volume 9 : Issue 25

Grahame Grieve <g.grieve@pgrad.unimelb.edu.au> wrote:

>All the queries I have seen about Word viruses relate to windows.
>Is the Macintosh affected... WordBasic is a cross-platform language,
>after all.

The best discussion of the Word macro viruses, with some hints about the
Macintosh, that I have found is at:

   http://ciac.llnl.gov/ciac/bulletins/g-10a.shtml

That part may interest you most:

Joerg Erdei

------------------------------

Date: Fri, 09 Feb 1996 14:17:45 -0500 (EST)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: Word Macro Virus (MAC,WIN)
X-Digest: Volume 9 : Issue 25

Grahame Grieve (g.grieve@pgrad.unimelb.edu.au) wrote:
: Just a few queries about word macro viruses in general.

: All the queries I have seen about Word viruses relate to windows.
: Is the Macintosh affected... WordBasic is a cross-platform language,
: after all.

: Several generic solutions have been proposed.
: 1. Use scanners i.e. F-Prot. With Word virus scanners, do they use
:    generic detection, or specific detection of known viruses?
:    Are there Mac scanners?

What do you mean by Word virus scanners? There are Word 6 templates 
which are essentially antivirus measures specific to Word viruses,
but describing them as scanners is at best confusing. I'd have said 
that the nearest such a document is likely to come to generic detection
is to alert the user to the fact that a .DOC file is actually a template
containing macros. Applying heuristic detection techniques to distinguish
between legitimate and possibly illegitimate macros would probably
be best done with a general scanner (like F-Prot) using a more appropriate
programming language than WordBasic.

: 2. Write-protect your Normal.dot. Vesselin pointed out that it is
:    easy to change this... but not from a macro in word (try it!
:    it is locked (vshare.386), and you can't change it. Is this right?)

If this is the case, a Word macro would not necessarily have to use
WordBasic functions to change the file attribute. 

:    What about Mac's?

No word macro virus I've seen is specifically aimed at Macs, as far as 
the payload is concerned (and I can think of several reasons why not).
However, most of the infective routines will work on Word 6 on the Mac
(earlier versions of Word Mac don't have WordBasic).

: 3. Set tools -- options -- save --- Prompt to save normal.dot...
:    I can't find a word statement to test for this, as opposed to set it.
:    (I have the word developers kit in front of me...) A test would be nice.
:    Same for the status of disableautomacros.

I don't have the info to hand. It wouldn't surprise me, on the strength
of past experiments, to find that it was easier to set than to test for.

: 4. Does the M$ word virus detector provide generic detection or just 
:    against Concept?

M$ have tried to provide generic detection and/or prevention, but not, I
would have said, altogether successfully.

: 5. Is M$ (and similar developers - whoever gets WP, for instance) able
:    to build real protection into further versions? And are they going to?

I don't know if they intend to. It would be very difficult to do *and*
retain backwards macro compatibility. In essence, just about any command
in WordBasic can, in principle, be replaced by a macro. Blocking this
loophole and automacros would be quite a change of direction.

David Harley

------------------------------

Date: Sat, 10 Feb 1996 02:00:22 -0500 (EST)
From: sysop@command-bbs.com
Subject: Re: Word Macro Colors Virus (MAC?,WIN)
X-Digest: Volume 9 : Issue 25

>All the references in this group to the Word macro Colors virus
>have made me nervous, especially since none that I've seen say
>anything about how to protect against or clean it. If there are
>any known defenses against it, I'd appreciate hearing about them,
>as well as a brief description of this virus' effects. Thank you.

There are a number of removal tools available from Microsoft, Command
Software (F-Prot Pro) and AntiViral Toolkit Pro (AVPWW103.ZIP). I can
speak for ours since we don't support the others. AVPWW103 can detect and
disinfect the Word macro viruses for you and, best of all, it's totally
FREE. You can download a copy from the ftp below.

Keith
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Central Command Inc.                 USA  Distributor  for
P.O. Box 856                         AntiViral Toolkit Pro
Brunswick, Ohio 44212                216-273-2820
Internet: info@command-hq.com        Compuserve:102404,3654
FTP: ftp.command-hq.com /pub/command/avp       :GO AVPRO
WWW: http://www.command-hq.com/command
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: Sat, 10 Feb 1996 08:23:49 -0500 (EST)
From: Massimo Villa <max_vil@iol.it>
Subject: Excel Virus (MAC,WIN)
X-Digest: Volume 9 : Issue 25

I read about possible viruses in Excel files.
Can somebody tell me how they work?
How can they be detected?
What are the known Excel viruses?

Thanx.

Max

------------------------------

Date: Sat, 10 Feb 1996 18:17:55 -0500 (EST)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: Re: Microsoft Registration Virus (WIN)
X-Digest: Volume 9 : Issue 25

In article <0017.01I12C7JTDDGPVIUA3@csc.canterbury.ac.nz>
           rslade@freenet.vancouver.bc.ca "Robert Michael Slade" writes:

 > Microsoft cannot snoop on your system any more than anybody else can.

Well, registration wizard aside, according to Guy Kewney, writing 
in the UK edition of PC Direct, the Microsoft Network access 
software uses a version of remote access server with all the 
client end security options removed.  Connecting to the MSN 
therefore gives Bill's end complete access to your machine.

- -
FIRST MEN BUY IT                      THEIR FRIENDS
                THEN APPLY IT                      TO TRY IT
                             THEN ADVISE                    Burma-Shave

------------------------------

Date: Fri, 09 Feb 1996 07:25:38 -0500 (EST)
From: "A.Appleyard" <A.APPLEYARD@fs2.mt.umist.ac.uk>
Subject: Vet said it can't remove Jumper_B (PC)
X-Digest: Volume 9 : Issue 25

  I am in charge of 22 public use PC's on a Novell net. Its current VET is
thus:-
    2048 1995 Sep 28 16.47.40 M:\VET\VET.CFG
   68656 1995 Sep 28 16.47.56 M:\VET\VET.DAT
  103232 1995 Sep 28 16.47.50 M:\VET\VET.EXE
     766 1995 Sep 28 16.48.08 M:\VET\VET.ICO
      42 1995 Oct  4 13.14.10 M:\VET\VET.INI
     545 1995 Sep 28 16.48.08 M:\VET\VET.PIF

Today when I called VET from the net (i.e. clean), it said that a PC had
Jumper.B and said it couldn't remove it. But McAfee Scan removed the
Jumper.B (from the MBR) OK. That has happened twice so far today here. VET
has so far removed Jumper OK. What is the difference between Jumper and
Jumper.B?

------------------------------

Date: Fri, 09 Feb 1996 07:54:21 -0500 (EST)
From: "A.Appleyard" <A.APPLEYARD@fs2.mt.umist.ac.uk>
Subject: Hooking the `different floppy in drive' condition (PC)
X-Digest: Volume 9 : Issue 25

The interrupt INT13h (low-level disk access) returns error 6 if called on
a floppy drive where the floppy has been changed since last time. Is it
possible to hook INT13h so that (whether the INT13h was called directly or
by a higher level disk access interrupt) if it finds a different floppy in
a drive, it automatically calls the user's desired antiviral on that
floppy and then goes on to whatever it was going to do before?

------------------------------

Date: Fri, 09 Feb 1996 11:21:58 -0500 (EST)
From: Ken Stieers <kens@ontrack.com>
Subject: Re: Infected Network, HELP! (PC)
X-Digest: Volume 9 : Issue 25

In article <0017.01I0V92BM730PVHY7M@csc.canterbury.ac.nz>,
smcvey@pipeline.com says...

>I have a Netware 3.12 system and a virus that is undetected by Innoculan
>network software.  The symptoms are:
>
>1.  Partitions first 2 to 3 MB of the hard drive on the client PC's and
>moves everything outward.  Partition is non-DOS 

Sounds like the non-DOS partition that Compaq puts on all of their
machines.  It's not viral.  They put CMOS type stuff in there.

>2.  Attacks *.EXE files, and causes Windows 3.1 driver files to get "lost"
>by the system.ini file. 
>
>3.  Infected non-DOS partition cannot be removed using FDISK and format,
>and sys.com unless you first partition the harddrive, then re-FDISK it
>with no partitions.  The first time to FDISK and format it re-booted with
>the entire "original" contents of the HD intact, including the non-DOS
>partition!!!! 
>
>4.  It has attacked MSAV.EXE when being executed on an infected unit.  It
>locks the PC up. 
>
>5.  Can be spotted by DOS 6.2 MSAV in RAM, and not on the HD. 

What does it say you have??  It really doesn't matter because MSAV from
DOS 6.2 can't be trusted.

>6.  Cannot be found by Innoculan. 

Maybe you don't have anything??

You don't say what the virus is, but I'll give you some instructions to
follow EXACTLY!!!!: 

1.  Get a real AV product, be it Dr Solomon, F-Prot, McAfee, TBAV,
anything except MSAV.
2.  Disable login on the server.
3.  Find a known clean machine and create a boot disk.  Put the AV on it. 
4.  Go to a workstation attached to the network and copy MAP.EXE and 
ATTACH.EXE from the server.  They're in SYS:\PUBLIC.  
5.  Cold boot this workstation from your clean floppy and run the AV. 
6.  Clean up anything you find. 
7.  Run the net drivers, ATTACH to the server as supervisor, MAP to the
root of each volume.
8.  Scan each of your mapped drives, and clean anything up. 
9.  Go to each workstation and do number 5 and 6. 
10. Re-enable login.

- -
Views expressed herein are not necessarily the views 
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               |  Minneapolis - 1.800.872.2599       * 
* AV Research/Apps. Eng.    |  Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  |  Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     |  London - 0800 24 39 96             *
* Eden Prairie, MN          |  Japan - 81.429.32-6365             *
*******************************************************************

------------------------------

Date: Fri, 09 Feb 1996 11:24:51 -0500 (EST)
From: Ken Stieers <kens@ontrack.com>
Subject: Re: WelcomB Virus (PC)
X-Digest: Volume 9 : Issue 25

With McAfee for Win95 you have to cold boot from a known clean floppy and
run the DOS scanner with the following command line to clean it:

SCAN C: /CLEAN 

The docs explain all this. 

Ken

------------------------------

Date: Fri, 09 Feb 1996 12:32:51 -0500 (EST)
From: Denis McKeon <galway@chtm.eece.unm.edu>
Subject: checking write-protection on floppys (PC)
X-Digest: Volume 9 : Issue 25

In <4e1bu5$bk1@banani.complex.is>, in alt.comp.virus,
Vesselin Bontchev <bontchev@complex.is> wrote:
>jk93@mail.erols.com (jk93@mail.erols.com) writes:
>
>>Is there any reason for the average user to keep an AV program on their clean 
>>bootable floppy (most AV programs wouldn't fit on one, anyway).  To clean a 
>
>Yes, there is. Then you can write-protect the floppy and be sure that
>you have at least one virus-free anti-virus program. And most of them
>*can* fit on a single 1.44 Mb floppy.

This thread reminds me of a question about AV programs on floppies:

Is there a way in software to check if a floppy is write-protected
that would return an errorlevel for use in a DOS batch file, 
and that does not offer the user an opportunity to switch floppies?

(Yes, one could try to write a file to the disk, but if the disk is
write-protected then the user has a chance to switch floppies.)

I've looked in the SimTel archives, at Ralf Brown's interrupt list, in
the FAQ for comp.os.msdos.programmer, and on the DejaNews search site,
all to no avail.  Maybe I've been searching for the wrong strings.

It looks like one could call INT13 AH=01h (get status), but I think I
would have to do some fancy hooking to prevent the user seeing:

    Not ready reading drive A
    Abort, Retry, Fail?

and having a chance to change disks, reboot, etc. (Discussion below).

I'd rather not re-invent the wheel at the assembly level.
Any suggestions or pointers are welcome.
I will post a summary of e-mail and posted responses.
Thanks in advance, etc.

- ------

Why do I want to check for write-protection on the floppy?

I am trying to build a stand-alone boot disk
that runs a virus scan on all hard drive partitions.

So far I have a solid config.sys and autoexec.bat and a batch file front
end for the F-Prot virus scanner, which makes it easy for me to cold
boot most systems from the floppy disk and scan the hard drives.

But, to be more sure that the floppy itself is clean, I either need to
scan it every time I use it, or write protect it and confirm that it is
still write-protected every time I boot from it (or have it scan itself).  
(Yes, there is still a possible infection path - make writable, infect,
write-protect - I am willing to accept that risk.)

I could remove the sliding tab on a 3.5" floppy to make it "permanently"
write protected, but that makes it hard to update the scanner version
(except by taping over the corner).

Since the F-Prot.exe does an internal consistency check on itself, I
believe I can trust F-Prot to not infect anything else when it runs,
so one approach is to have the copy of F-Prot on the floppy disk scan
the floppy before it scans the hard drives.  But that is somewhat slow.

In all cases, I want to minimize the chance that the user will interrupt
the process, and risk having a writable/infectable floppy.

Again, thanks in advance for any suggestions or pointers,

- -
Denis McKeon 
dmckeon@swcp.com

------------------------------

Date: Fri, 09 Feb 1996 13:46:58 -0500 (EST)
From: "Mr. Access" <beheim@telepost.no>
Subject: Re: Nomenklature Virus (PC)
X-Digest: Volume 9 : Issue 25

bruce9@delphi.com wrote:

> we have this virus on 4 of our PC's which seems to originate
> from a disk brought on to site in 1992.
> 
> Could anyone give me information on the background of this
> virus and how serious it is?

Nomenklatura

Alias:          -
From:           Bulgaria
First reg:      1990
Isolated:       1991
Infects:        COM & EXE files.
File length:    1024 bytes
Resident:       Yes
Stealth:        No / minimum.

This is a file virus that infects all EXE and COM files that are
executed after the virus is resident.

The virus becomes resident when an infected COM or EXE file runs.

It is quite infectious, and results in severe damage (undetectable
data corruption).  It has minimum stealth capability.

The virus has an unencrypted message: Nomenklatura.
Only files bigger than 1024 bytes will be infected.
COM files must be smaller than 64,000 bytes to be infected.

It can be repaired by Dr. Solomon

Happy Hunting.

------------------------------

Date: Fri, 09 Feb 1996 13:47:08 -0500 (EST)
From: "Mr. Access" <beheim@telepost.no>
Subject: Re: V-SIGN (PC)
X-Digest: Volume 9 : Issue 25

Mic Chow wrote:

> I have run across a virus in which McAfee 2.2.6 had named V-SIGN.  I have
> checked with VSUM 9512.  It has nothing on this virus.
> 
> What the heck does this thing do?  How does it infect things?  What's the
> scoop on it?

It may not be the answer you wanted, but this is all I've got!!

V-SIGN
It is quite infectious, and results in trivial damage.
Boot and/or partition sectors can be infected.
It has minimum stealth capability. The whole virus is encrypted,
and it has a variable loader. The virus plays tricks with the screen.
The virus has a memory-resident payload and infection system.

There are 2 aliases for this virus:
Cansu and Sigalit.

Lars.

------------------------------

Date: Fri, 09 Feb 1996 13:47:12 -0500 (EST)
From: "Mr. Access" <beheim@telepost.no>
Subject: Re: unashamed virus (PC)
X-Digest: Volume 9 : Issue 25

Haymee_Perez_Cogle@angonet.gn.apc.org wrote:

> We got the unashamed virus, all disks and the majority of HD are
> damaged, I tried Toolkit, NAV and nothing, they recognize the virus
> but don't clean it
> Any help is welcomed. thanks,

You have to use an uninfected boot disk, run any AV or NAV from the
floppy. 

Remember to write protect all the disks.

Good Luck !

Lars.

------------------------------

Date: Sat, 10 Feb 1996 02:00:07 -0500 (EST)
From: sysop@command-bbs.com
Subject: Re: Quality Anti-Virus Programs (PC)
X-Digest: Volume 9 : Issue 25

>Take a look at Patricia Hoffman's VSUM listing that's available as a
>trial package in the public domain.  It shows whose system found and
>cleaned what viruses.  While this is a lab benchmark, it's a good
>rule of thumb.
>
>I agree with the guy from SYMANTEC, the good packages are all good.  In
>my opinion, what separates them is ease of use.  They're all quite
>inexpensive to try so just look at the top sellers and top performers
>in VSUM and pick the one you like best.

There are other quality tests done by highly respected people and
organizations. The Virus Bulletin is regarded as being one of the best
antivirus publications available anywhere in the world. They do
comparative tests roughly every 6 months and test far more products than
Patricia Hoffman does. Also, Vesselin Bontchev produced a good comparison
back in 1994.

Keith
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Central Command Inc.                 USA  Distributor  for
P.O. Box 856                         AntiViral Toolkit Pro
Brunswick, Ohio 44212                216-273-2820
Internet: info@command-hq.com        Compuserve:102404,3654
FTP: ftp.command-hq.com /pub/command/avp       :GO AVPRO
WWW: http://www.command-hq.com/command
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: Sat, 10 Feb 1996 02:00:15 -0500 (EST)
From: sysop@command-bbs.com
Subject: Re: Da'Boys (PC)
X-Digest: Volume 9 : Issue 25

>HELP!  We are having a major problem with the Da'Boys virus.  I have
>tried several scans with fprot, but it is unable to remove the virus.
>Any help would be appreciated.  Please reply by e-mail, as I rarely get
>a chance to check the newsgroups.

DaBoys

It's not a dangerous memory resident boot virus. On loading from an
infected disk it copies itself into the interrupt vector table and hooks
INT 13h. Then it overwrites the boot sectors of disks that are accessed.
It contains the internal text string: "DA'BOYS".

Most good virus scanners can remove this virus for you, ours just being
one. You may also be able to remove this virus using the SYS C: command
using the correct boot disk for the machine and booting clean.

Keith

------------------------------

Date: Sat, 10 Feb 1996 04:34:51 -0500 (EST)
From: Jon Detroy <jdetroy@newstand.syr.edu>
Subject: Stealth Boot virus - Help!! (PC)
X-Digest: Volume 9 : Issue 25

    I recently got the Stelboo or Stealth Boot virus, and it really 
messed my computer up! I have since gotten rid of the virus, or so I 
thought. The sectors it infected now pass virus detection, but my 
computer is still messed up... My CD-ROM drive is not recognized by my 
start up files, my computer is sluggish, and while in Windows my computer 
pauses every minute for about 10 seconds!!! Does anyone have any advice 
for this? Will deleting my hard drive fix this? Is there a way to repair 
boot sectors??? Please give me a hand. Later....

------------------------------

Date: Sat, 10 Feb 1996 09:11:48 -0500 (EST)
From: rcl@onramp.net
Subject: Windows with dos=umb will not load (PC)
X-Digest: Volume 9 : Issue 25

When Dos=umb is loaded in the Config.sys and I am running WFW 3.11
Windows loads the startup screen then goes blank and locks up
everything at the time of switchover to GUI.  

I got DOS to load by eliminating dos=umb but this leaves me short on
memory handles.

This problem has been ongoing.  I had this and fixed it with a dos
vscan or another program about 2 months ago but can not find the
program again.   The program found a virus in the FAT or somewhere in
that area.  

I was playing with and loading an old version of NETSCAPE 1.0 and
experimenting with the load process and got the problem back.  I had
been working with several other programs at the time and am not sure
which one caused the problem.  I am wondering if it is in a wild bad
DLL program that loads with Windows?

Any Ideas?

Thanks
Roy Lewis
rcl@onramp.net

------------------------------

Date: Sat, 10 Feb 1996 09:39:39 -0500 (EST)
From: BIRKETT <BIRKETT@calgary.geoquest.slb.com>
Subject: RE: spartan? (PC)
X-Digest: Volume 9 : Issue 25

> Does 386spart.par sound like a virus?

It's a permanent swap file for MS Windows.  Go into Windows, change your 
swap file to something else... or just delete the file (386spart.par) and
have Windows scream and complain... if you are still having problems, i.e.
it's out of control in its growth etc., turn OFF 32-bit disk access.

And if you don't have MS Windows.... someone has been screwing with your 
machine... delete the file.

Let me know..

TTYL

------------------------------

Date: Sat, 10 Feb 1996 09:53:32 -0500 (EST)
From: Bill lambdin <vfreak@skn.net>
Subject: Integrity checking (PC)
X-Digest: Volume 9 : Issue 25

Tom Simondi <tsimondi@slonet.org> writes

>Agreed with one caveat. Unless it has a good scanner component,
>change detection will not detect slow infectors. These infect only
>when files are changed in the normal course of computer operation
>(when integrity programs would be expected to update their database)
>and so will not be detected by integrity checking alone. Indeed, the
>slow infector was invented specifically to circumvent integrity
>checkers.

What is wrong with using a quality integrity checker, then using another
scanner like F-Prot, AVP, or TBAV?
	Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net                     PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                          C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Sat, 10 Feb 1996 09:54:26 -0500 (EST)
From: Bill lambdin <vfreak@skn.net>
Subject: Viruses in .ZIP files (PC)
X-Digest: Volume 9 : Issue 25

Massimo Villa <max_vil@iol.it> writes

>I mean, is it possible that, just unzipping the .zip file (without
>executing any of the now unzipped file )  the virus has already
>infected your PC ?

Viruses in .ZIP files are no concern until you unzip and run the infected
files.

Scanners that scan archives have to expand the archives for scanning.

	Bill Lambdin
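Bill's two points above, an integrity checker backed by a scanner (the reply to Tom Simondi) and a scanner having to expand archives to look inside them, as one added Python example that is not code from either post. The signature marker, file names and directory contents are constructed for the demonstration, and the ZIP and hashing code uses only the standard library.

```python
import hashlib
import io
import os
import tempfile
import zipfile

# Constructed marker standing in for a scanner signature (it matches nothing real).
SIGNATURES = {"Demo.Marker": b"NOT-A-REAL-VIRUS-JUST-A-DEMO-MARKER"}
MAX_DEPTH = 3                 # how many nested archives to expand
MAX_MEMBER = 8 * 1024 * 1024  # refuse to expand members larger than this


def scan_bytes(data: bytes, name: str, depth: int = 0) -> list[tuple[str, str]]:
    """Match signatures against a buffer; if it is a ZIP, expand it in memory and
    scan every member too (a scanner must expand an archive to see inside it).
    The depth and size limits stop a hostile archive from exhausting memory."""
    hits = [(name, sig) for sig, pat in SIGNATURES.items() if pat in data]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    if depth >= MAX_DEPTH:
        return hits + [(name, "nesting too deep, not expanded")]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = name + "/" + info.filename
            if info.file_size > MAX_MEMBER:
                hits.append((member, "member too large, not expanded"))
            else:
                hits += scan_bytes(zf.read(info), member, depth + 1)
    return hits


def build_baseline(root: str) -> dict[str, str]:
    # Relative path -> SHA-256 hex digest for every file under root.
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            with open(full, "rb") as fh:
                baseline[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return baseline


def check(root: str, baseline: dict[str, str]) -> dict:
    """Compare root against baseline. Every changed or new file is scanned before
    it is accepted into the updated baseline, so a slow infector that rides a
    legitimate file change is reported instead of being silently re-baselined."""
    current = build_baseline(root)
    report = {"changed": [], "new": [], "infected": {},
              "missing": sorted(set(baseline) - set(current)),
              "baseline": {k: v for k, v in baseline.items() if k in current}}
    for rel, digest in sorted(current.items()):
        if baseline.get(rel) == digest:
            continue                         # unchanged: no rescan needed
        report["changed" if rel in baseline else "new"].append(rel)
        with open(os.path.join(root, rel), "rb") as fh:
            hits = scan_bytes(fh.read(), rel)
        if hits:
            report["infected"][rel] = hits   # kept out of the new baseline
        else:
            report["baseline"][rel] = digest
    return report


def demo() -> dict:
    """Constructed scenario: take a baseline, then 'update' one file so it carries
    the marker, add a clean new file, and add a ZIP whose nested ZIP carries it."""
    root = tempfile.mkdtemp()

    def write(rel: str, data: bytes) -> None:
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)

    write("tool.exe", b"MZ clean program image")
    write("readme.txt", b"nothing to see here")
    baseline = build_baseline(root)
    write("tool.exe", b"MZ clean program image" + SIGNATURES["Demo.Marker"])
    write("new.txt", b"a new, clean file")
    os.remove(os.path.join(root, "readme.txt"))
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.com", b"x" + SIGNATURES["Demo.Marker"])
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("note.txt", b"harmless")
        zf.writestr("inner.zip", inner.getvalue())
    write("archive.zip", outer.getvalue())
    return check(root, baseline)
```

The infected update to tool.exe and the marker buried two archives deep are both reported, and neither replaces the baseline entry; only the clean new file is accepted.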

------------------------------

Date: Sat, 10 Feb 1996 10:16:18 -0500 (EST)
From: Wayne Riddle <riddler@agate.net>
Subject: Re: McAfee Software how do I obtain? (PC)
X-Digest: Volume 9 : Issue 25

WXMBX@CUNYVM.CUNY.EDU wrote:

>I need virus scanning software for my PC. A coworker told me about a
>vendor called McAfee. He said it was free with free downloads. I find this
>hard to believe but I am here to ask.
>
>Can someone in this group please inform me about this.

If I recall correctly, McAfee is not freeware. You do have to pay a
registration fee if you choose to use it. For a link to various
anti-virus vendors check out this site:

http://www.nha.com

Wayne Riddle
riddler@agate.net

------------------------------

Date: Sat, 10 Feb 1996 15:26:30 -0500 (EST)
From: Bruce Burrell <bpb@stimpy.us.itd.umich.edu>
Subject: Re: spartan? (PC)
X-Digest: Volume 9 : Issue 25

DDenoncour (ddenoncour@aol.com) wrote:
> All of sudden I had no disk space. There is a file in my root directory
> called 386spart.par occupying 28,311,552 bytes of my hard drive. I called
> Compusa tech support and he thought it was some kind of partition file. (I
> never saw it before. It is a hidden or system file - dir /a - to
> find it. Then, I called my tech support (DEC for Starion 500) and after
> waiting 40 minutes on hold, the tech guy told me he thought I had the
> spartan virus. The file date was today and time was 8:39 this
> morning...just after I had exited the WWW via AOL. 

   It's the Windows swapfile.  If you want to remove or resize it, go to 
the Control Panel, choose 386 Enhanced, then Virtual memory, then 
Change.  Probably about 8MB is the size you want.

> The techie suggested I get McAfee and run it.

   And this fellow is a techie in what? Stage lighting?

> I ran out and got it; installed it. Didn't show any virus.

   Not to belabor the point, but that's because there was none.

> Any ideas? Is this how 'Spartan' works?

   I hope you'll agree that the point is moot.

> Does 386spart.par sound like a virus? 

   No.

> Could it be some kind of partition thing? A swap file? 

   Good for you. :-)  Perhaps *you* should be the techie.

> I would like to just delete it, but, I don't know what it is.

   You could, but then Windows would complain.  Better to do it through 
the Control Panel.

Moderator, I propose that this topic be a candidate for the comp.virus 
FAQ.  I offer my response as an interim answer until something [much] 
better can be written.

   -BPB

[BTW, there's nothing "wrong" with being a stage lighting technician...
- -Moderator.]

------------------------------

Date: Sat, 10 Feb 1996 16:52:25 -0500 (EST)
From: richardb@mistral.co.uk
Subject: Re: Sampo Virus - Help! (Disinfect??) (PC)
X-Digest: Volume 9 : Issue 25

On 10 Feb 1996 10:25:00 -0000, News Group <news@zippo.com> wrote:

>  It looks like the Sampo virus is running rampant on three of my
>machines. One of my systems is crashing constantly and it seems files
>are being created continously. (This may be another Virus??) On the
>system I'm on currently I haven't noticed any effects other than the
>system slowing down.
>
>  How do I disinfect this machine? Scan won't clean it unless you run
>it off a clean floppy, but I don't HAVE any clean boot floppies
>anymore and this machine doesn't have a floppy drive.
>
>  Are there any utilities I can use to eradicate Sampo without booting
>off a clean floppy??

You need to clean your boot sector (MBR) on your HDD(s); don't forget
to do a clean DOS boot up (I use my MS-DOS 6.22 setup disk). Then use
cleanboo.exe or cleanpar.exe from Dr Solomon's Toolkit; you can use any
version of Dr Solomon's, they all have these programs.

good luck, akira 

------------------------------

Date: Sat, 10 Feb 1996 17:03:16 -0500 (EST)
From: richardb@mistral.co.uk
Subject: Re: Three questions (PC)
X-Digest: Volume 9 : Issue 25

On 10 Feb 1996 10:25:47 -0000, Tim H <timh@carroll.com> wrote:

[snip]
>3) What is the low-down on detecting viruses on a 32-bit system like
>Win95?  I know for a fact that Vshield will recognize viruses on
>diskettes, even when you are running Win95.  Will McAfee's scan not
>recognize an infect boot sector?  Will SCAN recognize infected 32-bit
>programs?

Re q3: Win95 will tell you if a program has changed your boot sector
on boot up (unless a new virus is written to stealth this). McAfee is
still effective at finding BSVs on floppies in DOS mode.
You really need a Win95-specific AV program for all those Win32
programs though.

------------------------------

Date: Sat, 10 Feb 1996 17:21:09 -0500 (EST)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: Re: spartan? (PC)
X-Digest: Volume 9 : Issue 25

In article <0020.01I12C7JTDDGPVIUA3@csc.canterbury.ac.nz>
           ddenoncour@aol.com "DDenoncour" writes:

 > Does 386spart.par sound like a virus?

No.  It's the name of the Windows 3.x swap file.  I am surprised 
that *two* technical help lines failed to twig.  Or am I?

------------------------------

Date: Sat, 10 Feb 1996 18:22:05 -0500 (EST)
From: Kenneth Albanowski <kjahds@kjahds.com>
Subject: Re: spartan? (PC)
X-Digest: Volume 9 : Issue 25

On Tue, 6 Feb 1996, DDenoncour wrote:

> All of sudden I had no disk space. There is a file in my root directory
> called 386spart.par occupying 28,311,552 bytes of my hard drive. I called
> Compusa tech support and he thought it was some kind of partition file. (I
> never saw it before. It is a hidden or system file - dir /a - to
> find it. Then, [...]
> The techie suggested I get McAfee and run it.
> 
> I ran out and got it; installed it. Didn't show any virus.
> 
> Any ideas? Is this how 'Spartan' works?
> 
> Does 386spart.par sound like a virus? 

No.

> Could it be some kind of partition thing? A swap file? I would like to
> just delete it, but, I don't know what it is.

Bingo in two. It's Windows' swap file. To free up the disk space, just
delete the file (outside of Windows!), first using "attrib -h -s
386spart.par" to make it accessible. Then delete it. Windows will complain
when you start it up next time, but this won't be fatal. 

You can reconfigure your Windows swap file by going into Control Panel, 
choosing the "386" icon, and then clicking on the Virtual Memory button. 
Since virtual memory is added to your physical RAM, but consumes disk 
space, only allocate as much as you need.

> Thanks for your help
> Fran in Reno

- -
Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)

------------------------------

Date: Sat, 10 Feb 1996 22:15:58 -0500 (EST)
From: George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Subject: Re: What do i have? how do i get rid of it? (PC)
X-Digest: Volume 9 : Issue 25

In article <0040.01I0ZP1M7BUSPVIUA3@csc.canterbury.ac.nz>, Dexter Reid
<dexter@best.com> wrote:
><sigh> My computer used to start... it won't start now. it won't
>boot from the floppy and the screen is absolutely blank.

If there is absolutely nothing on the screen, I'd say your video card died
or your monitor is turned off. 

>if i had not seen it happen to another computer i would guess that the
>video card died--but the sequence of events is way too similar.

I wouldn't rule it out -- you may wish to take your system into a repair
shop and get them to swap out the video card with one of theirs; this
should tell you for sure if it's a problem with the video card or the
CMOS.

>It seems as though the CMOS tables are completely wiped. I don't care
>at all about the data on the machine--i just want to get it running 
>again. 

Check your motherboard manual.  If you _really_ want to reset your CMOS 
settings (this could easily make your HD inaccessible) there should be a 
hardware switch to do it.  It'd also be a good idea to check if the CMOS 
battery still has some life in it.

Regards, 

George Wenzel

------------------------------

Date: Sat, 10 Feb 1996 23:16:40 -0500 (EST)
From: A Bruce Peck <bruce_peck@aici.com>
Subject: Re: HELP: Problem with January NAV update (PC)
X-Digest: Volume 9 : Issue 25

On 06 Feb, Jon Martin wrote:

>I just installed the latest NAV3.0 update (updateme.exe for 
>dos/win3.1), and I found I have a serious problem.  When I try to 
>scan more than one 'thing' per session it locks and crashes.  

We use NAV in a corporate environment and have corporate support, so we 
can get questions answered quickly.  This is a known problem with the 
"updateme.exe" patch file (along with others).  This update was put 
out rather quickly to get repair features for WORD Macro viruses in 
the product and it appears they didn't get everything tested.  A new 
patch is supposed to be available in the next couple of weeks.

One note: the lockup problem (in my tests) only occurs in the DOS 
scan. The Windows scan seems to be OK as does the Win95 version.

The other problems with this patch:
1) The WORD macro virus repair does not remove all of the Concept 
macros from the normal.dot template if infected.
2) Auto-Protect in Windows (in "Scan upon Open" mode) causes a 
"sharing violation" error when opening any message in cc:Mail.  

Again, these are all known problems and are being worked currently.

Bruce_Peck@aici.com
Indianapolis

------------------------------

Date: Sun, 11 Feb 1996 12:25:46 -0500 (EST)
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: EXE files growing (PC)
X-Digest: Volume 9 : Issue 25

In-Reply-To: <01I13T9JMX4OPVIUA3@csc.canterbury.ac.nz>
Alon Hazay <alon@gate.radnet.co.il> writes:

> A few computers in our company had a problem of EXE files getting
> larger. Has anyone encountered this problem and knows the reason?
> The latest update of NAV (Norton AntiVirus) didn't find any virus.

This isn't really enough information to work out what is happening.  Can 
you tell us how many bytes files are increasing by?  You may also like to 
try some of the better anti-virus products (e.g. Dr Solomon's, F-Prot, and 
AVP) and see what they report.

You can download an evaluation version of Dr Solomon's FindVirus from our 
website.

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 25]
*****************************************