From Lehigh.EDU!virus-l  Fri Mar  1 18:49:10 1996 remote from vhc
Received: by vhc.se (1.65/waf)
	via UUCP; Fri, 01 Mar 96 22:52:56 GMT
	for mikael
Received: from fidoii.CC.Lehigh.EDU by mn3.swip.net (8.6.8/2.01)
	id SAA17796; Fri, 1 Mar 1996 18:49:10 +0100
Received: from fidoii.cc.lehigh.edu ([127.0.0.1]) by fidoii.cc.lehigh.edu with SMTP id <40017-37161>; Fri, 1 Mar 1996 06:42:31 EST
Message-Id: <01I1UEAXR4OMQKI9KO@csc.canterbury.ac.nz>
Reply-To: virus-l@lehigh.edu
Originator: virus-l@lehigh.edu
Sender: virus-l@lehigh.edu
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V9 #33
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
X-Comment: Virus Discussion List
Date: 	Fri, 1 Mar 1996 06:41:31 EST

VIRUS-L Digest    Friday, 1 Mar 1996    Volume 9 : Issue 33

Today's Topics:

Re: Computer Viruses - A Dying Art???
New Anti-Virus WWW Page
Re: weapons of war
Re: Computer Viruses - A Dying Art???
Re: word perfect virus???
Re: weapons of war
dos/linux virus? (UNIX)
Re: Network av
Re: Who writes viruses?
Virus Information Project
Re: weapons of war
Re: weapons of war
New WWW Address for Tom Simondi
Re: OS2 HPFS corrupted by Monkey-A Virus (OS/2)
Re: OS2 HPFS corrupted by Monkey-A Virus (OS/2)
Re: OS2 HPFS corrupted by Monkey-A Virus (OS/2)
Re: Q: state of viruses on Windows NT Alpha (NT)
Re: antivirus software for Windows NT? (NT)
Re: Virus on Novell Netware 3.11 (NW)
Re: Virus on Novell Netware 3.11 (NW)
MS Excel Virus ?? (MAC,WIN)
Re:Word Macro Virus
Re: a good Anti-Virus for Win95? (WIN95)
Re: a good Anti-Virus for Win95? (WIN95)
What detects BOZA virus? (WIN95)
MY DOCUMENTS folder virus? (WIN95)
Re: Help...weird keyboard problems possible virus? (PC)
McAffee Word Virus Utility (PC)
Re: AntiExe- What are the symptoms? (PC)
Re: How Do I Get Rid of Form_A? (PC)
Re: PMBS virus from F-Prot (PC)
Re: MSAV false alarm on 10B7?? (PC)
Re: Stealth_Boot.C (PC)
How to reenable GUARD? (PC)
Re: DOOM2 DEATH (PC)
NYB Virus (PC)
Help: Joshi Virus (PC)
EPBR Virus ? (PC)
Re: MSAV false alarm on 10B7?? (PC)
Stealth_B (PC)
Re: Help with Monkey Virus problem (PC)
Re: AntiExe/Form_A combo - Can't clean/floppy boot (PC)
Re: Jackal virus problems (PC)
Re: Junkie Virus (PC)
Re: Volume Name "AP" (PC)
Re: Help me rid the Stoned Empire Monkey virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Sat, 24 Feb 1996 23:27:23 -0500 (EST)
From: Debbie Peabody <bradinca@ix.netcom.com>
Subject: Re: Computer Viruses - A Dying Art???
X-Digest: Volume 9 : Issue 33

Computer Viruses are NOT a dying art - here's why:

First off, (as stated in other articles) viruses can be written in just
about any language under the sun, although assembler is the most
powerful.  Also, assembler can be used on all platforms, though it may
be a difficult undertaking.

The bit about Win95 and OS/2 being virus proof does have some truth to
it, but it's still way off.  Win95, OS/2, etc., are protected mode
operating systems. And in protected mode, certain parts of memory have
attributes, and can only be modified by certain programs.  This makes
it hard, but not impossible, to make a virus in protected mode.

My guess is this.  Since computers are starting to get easier to
program with, (e.g., QBasic, WordBasic, Macros, Batch Languages, etc.)
I think there will be a new generation of viruses.  They will work on a
different level, they will work way above the OS, not with or below it
like those made in assembler.  There will also be a lot more of them,
seeing as they are easier to program.  Also, the impossible
multi-platform virus will probably appear.  I think it is a rather lame
way to make a virus - one that spreads as source code - however, it's a
lot easier.

This is just my prediction, and doesn't mean anything, but, it's rather
inevitable, I think.

The first of these viruses has already appeared - Concept.  It is a
WordBasic virus, I'm not too swift on the specs of this virus, but it's
supposed to infect documents, and stays resident in your "normal"
template.

I think many more of these will show up just because it's written in
BASIC.

How many of you agree?

Brad

PS: I don't know if MAC-PC viruses will be too big - I heard that Apple
is getting bought out, is it true?

------------------------------

Date: Sun, 25 Feb 1996 00:18:55 -0500 (EST)
From: Computer Virus Help Desk <vhd@indy.net>
Subject: New Anti-Virus WWW Page
X-Digest: Volume 9 : Issue 33

I'm pleased to announce the opening of a new Anti-Virus oriented Web Page.

			  http://www.a1.com/cvhd

This page allows the download of the latest versions of ALL the popular
DOS, WINDOWS and WIN95 Anti-Virus Software as well as links to EVERY major
Anti-Virus software developer or distributor in the world. On Line Virus
Encyclopedia, Anti-Virus Tutorials and other utilities are available as
well.

The page also contains VERY extensive links to Encryption, Privacy,
Military, Intelligence, Government and Law Enforcement Web Pages.

Look for the addition of a new "On Line" real-time Anonymous Pre-mailer
with remailer chaining capabilities to be added in the very near future.

		   Allen Taylor, Moderator, VIRUS_INFO
       SysOp, CVRC BBS, (317) 887-9568, Indianapolis, Indiana, USA
			  http://www.a1.com/cvhd

------------------------------

Date: Sun, 25 Feb 1996 20:12:35 -0500 (EST)
From: "Nathan R. Yergler" <nayerg@gibson.cioe.com>
Subject: Re: weapons of war
X-Digest: Volume 9 : Issue 33

> Although I have never read anything about it, the government probably
> writes at least some of them and tests them on the unwitting public, much
> like the atomic tests of the 1970's.

I am yet to fully understand some people's seemingly endless paranoia
about government conspiracy and evils.  The idea that the government tests
viruses on the public is preposterous; for one thing, if they had a virus
destined for the "enemy," how would they make it identify their machines? 
Do they have the IP addresses of "enemy" government machines?  Maybe we
should just have faith that those we elect really have our best interests
in mind until we have evidence to the contrary. 

'nuff said.

NaYerg

------------------------------

Date: Sun, 25 Feb 1996 23:12:19 -0500 (EST)
From: David L Evens <devens@uoguelph.ca>
Subject: Re: Computer Viruses - A Dying Art???
X-Digest: Volume 9 : Issue 33

R Ribeiro (rff-ribe@csm.uwe.ac.uk) wrote:
:       A virus is a program that can replicate itself and append to zones of
: disk or files... (if it replicates only on memory it's called a worm).

Wait a moment, I think that if it's a worm then it propagates 
independently of infecting disks/programs, instead travelling 
independently over networks.  (For instance, the infamous Internet Worm 
travelled from system to system on the 'net, by gaining remote access, 
sending its own source code, compiling it, and executing it.  This was 
NOT a virus because it never attached itself to another piece of software.)

------------------------------

Date: Mon, 26 Feb 1996 01:54:23 -0500 (EST)
From: Tom Simondi <tsimondi@slonet.org>
Subject: Re: word perfect virus???
X-Digest: Volume 9 : Issue 33

In article <0014.01I1JAW8C1VOQKFBM4@csc.canterbury.ac.nz>,
Frank Seljee <franks@hol.chem.uva.nl> penned:
> Anybody heard about Word Perfect Virusses???

No, at least not in WP documents. It is, of course, possible to
infect the WP executable program(s). WP macros are files unto
themselves and so don't get sent with documents so the type of
virus infecting Word documents won't work with WP. (In fact, in
order to make certain I don't pick up any new Word viruses I
routinely port all new Word documents I get into WP first in order
to read them and see if I even want to deal with the document
at all.)

> A Word Perfect document has changed in a
> "Single Character Per Page"  document.
> 
> Bug   or   virus   ???????????????????????????

Bug. Happens to me now and again. Have never been able to
completely isolate the conditions.

- - 
=-=- Tom Simondi -=-= Visit the Computer Knowledge home page -=-=
=-=- http://ourworld.compuserve.com/homepages/ck -=-=-=-=-=-=-=-=
=-=- E-mail: 75655.210@compuserve.com -or- tsimondi@slonet.org -=

------------------------------

Date: Mon, 26 Feb 1996 02:16:36 -0500 (EST)
From: Bruce Burrell <bpb@stimpy.us.itd.umich.edu>
Subject: Re: weapons of war
X-Digest: Volume 9 : Issue 33

Steve Thomas (sthoma10@ford.com) wrote:
[snip]
> Although I have never read anything about it, the government probably
> writes at least some of them and tests them on the unwitting public, much
> like the atomic tests of the 1970's.

  A virus written in ADA?  Now _that's_ scary.
 
> If anybody has read anything about this please forward the citation.

   Well, there was the so-called "printer virus", but that was a hoax.  I 
certainly won't claim that no government (US or otherwise) has had 
someone write a virus, but I suspect that a directed attack would be a 
much more fruitful.  After all, how would you make the virus trigger 
against your enemy (and perhaps others) at an appropriate time?  And if 
such a virus had actually been written, wouldn't it be likely that it 
would have been detected and that the AV companies would have discovered 
its behavior?  Since those companies are multinational, it would be 
difficult to keep such a discovery quiet.

   Now if you're talking about a government agency running a ftp site
intentionally containing viruses, that's been documented, sadly.  But I
don't think there were any new viruses there; just a collection of the
same old same old.  [Aside to the Moderator -- I believe this was
documented in VIRUS-L a few years ago.]

   -BPB

------------------------------

Date: Mon, 26 Feb 1996 00:24:27 -0500 (EST)
From: Chris Gibbs <chrisg@annie.campbellsvil.edu>
Subject: dos/linux virus? (UNIX)
X-Digest: Volume 9 : Issue 33

Has anyone had any experience with a DOS virus infecting Linux?  Recently 
I had an old 5 1/4 inch diskette infected with Monkey_B mounted on my 
linux system.  (At least McAfee Scan said it was Monkey_B.  Monkey_B is 
fairly common on my campus.)  When the disk was mounted, the characters 
on the screen became garbled into characters you normally cannot type 
(still part of the ASCII character set, but ASCII graphics, not the 
normal typing symbols.)  Has anyone else had this happen?  I'm going to 
try to repeat the effect again.

------------------------------

Date: Mon, 26 Feb 1996 22:03:43 -0500 (EST)
From: Edward Fenton <ris1@gate.net>
Subject: Re: Network av
X-Digest: Volume 9 : Issue 33

Janet M. Simons (70570.510@CompuServe.COM) wrote:
: My employer is looking at three different av packages for our 
: network:
: 
:       Thompson's The Doctor
:       F-PROT Professional
:       Dr. Solomon's AVTK
: 
: We would like to hear from _users_ of these packages.  What are 
: your experiences?  Problems?  Recommendation(s)?

Janet, a scanner (even as excellent as those you're considering) is not
the 'whole' of a complete anti-virus defense strategy. Complementary to a
scanner is a Targeted Integrity Checker like ChekMate.  It is worth
evaluating.  For source, please see my signature.  Ed Fenton

 +---------------------+------------------------+----------------------+
 | Ed Fenton | U.S./Canadian agent for ChekMate | ris@transit.nyser.net|
 +---------------------+------------------------+----------------------+
 | ChekMate - a Generic Anti-Virus Utility that works under DOS, OS/2  |
 | and Windows (3.x, 95 and NT).  Detects Known and UNKNOWN Viruses.   |
 | Support (UK) chekmate@salig.demon.co.uk  (US) ris@transit.nyser.net |
 +---------------------------------------------------------------------+
  Download it from our FTP site: ftp.gate.net/pub/users/ris1/cm200.zip

------------------------------

Date: Tue, 27 Feb 1996 00:40:58 -0500 (EST)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: Re: Who writes viruses?
X-Digest: Volume 9 : Issue 33

In article <0016.01I1NWAI06W6QKGRP8@csc.canterbury.ac.nz>
	   a000@gate.net "a000" writes:

> because some professor encouraged it,

Speaking of ethics...

- -
MAN PASSES                      DOG GETS OUT
	  DOG HOUSE                         MAN GETS IN
		   DOG SEES CHIN                       Burma-Shave

------------------------------

Date: Tue, 27 Feb 1996 01:23:42 -0500 (EST)
From: "Viruses and the WPI campus computer communit - IQP." <virus@tardis.res.wpi.edu>
Subject: Virus Information Project
X-Digest: Volume 9 : Issue 33

To whom it may concern,

    We are a group of students at Worcester Polytechnic Institute who are
working on our  Interactive Qualifying  Project.  Our  project  includes
a study into how viruses affect the computer community as a whole.

Along these lines, we are looking for how viruses affect the quality and
productivity of any person or business that uses a computer as a tool.

    Also, as part  of this  project, we are compiling a history of viruses
(going as far back as anyone can remember and on ANY computer system and
operating system).

    If you have ANY information, amusing stories, or the like pertaining
to computer viruses, trojan horses, worms, etc - we would appreciate if you
either e-mailed us a WWW link to the information or the information itself
to: virus@tardis.res.wpi.edu

    For all information submitted, we plan on quoting the source directly.
If you would like to remain anonymous in the report - but still will allow
us to use the information, please state that in the email.

  Thank you very much for your time and your cooperation.

- -
IQP: Viruses @ WPI      | Interactive Qualifying Project on the study of how
100 Institute Road      | viruses affect the computer community.
Worcester, MA  01609    | Email:     virus@tardis.res.wpi.edu
                        | WebSite:   http://tardis.res.wpi.edu/~virus

                        The Viruses@Wpi team:
Benjamin Higgins (rogue@wpi.edu)              Joe Krzeszewski (jski@wpi.edu)
John West        (jwest@wpi.edu)              Jonathan Tanner (jtanner@wpi.edu)

**************************** DISCLAIMER ***************************************
All submitted material is subject to direct quotation in the final report
unless otherwise stated by the author of the material.  If requested, the
source's author will remain anonymous while the information will be used in
the report.
*******************************************************************************

------------------------------

Date: Tue, 27 Feb 1996 01:39:17 -0500 (EST)
From: Bruce Ediger <bediger@csn.net>
Subject: Re: weapons of war
X-Digest: Volume 9 : Issue 33

In article <0011.01I1NWAI06W6QKGRP8@csc.canterbury.ac.nz> Steve Thomas
<sthoma10@ford.com> writes:

:Although I have never read anything about it, the government probably
:writes at least some of them and tests them on the unwitting public, much
:like the atomic tests of the 1970's.
:
:If anybody has read anything about this please forward the citation.

"Computer Virus Countermeasures - A New Type of EW", by Dr Myron L.
Cramer and Stephen R. Pratt appeared in the October, 1989 issue of
"Defense Electronics" magazine.  This also appeared in "Rogue Programs:
Viruses, Worms and Trojan Horses", ISBN 0-442-00454-0, Van Nostrand
Reinhold 1990, edited by Lance J. Hoffman.

"Aviation Week" of May 14, 1990 carried a small article titled "Army to
Award Contract for Studying Potential of Computer Viruses as Electronic
Countermeasure".  I've never heard what became of this contract, or the
resulting study.

"Stealth Viruses... Weapon System of Tomorrow" by Raymond M. Glath, Sr.
appeared in the May-June 1990 issue of "Defense Computing"

"Computer Warfare Weapons are Target of Researchers" by Robert H. Williams
appeared in the February, 1991 issue of "Signal".  There are several
magazines and journals that go by the name of "Signal".  The one I refer
to is the "Official Publication of AFCEA", and billed itself as the
magazine of "C3-I".

Hope this helps,
Bruce Ediger

------------------------------

Date: Tue, 27 Feb 1996 06:30:44 -0500 (EST)
From: "Bob Witham Jr." <robert.l.witham.jr@state.me.us>
Subject: Re: weapons of war
X-Digest: Volume 9 : Issue 33

Steve Thomas <sthoma10@ford.com> wrote:

>Although I have never read anything about it, the government probably
>writes at least some of them and tests them on the unwitting public, much
>like the atomic tests of the 1970's.
>
>If anybody has read anything about this please forward the citation.

Here are some basic truths of life.

1.  The "government" does not write viruses to test on the public.
2.  There are no UFOs.
3.  Elvis is dead.

I work for Maine State Government, and I face skepticism similar to
Steve's every day.  We are not accused of writing computer viruses, of
releasing HIV as a test, or of hiding proof that UFOs exist, but we are
often accused of hiding SOMETHING.  Despite all efforts to convince the
public otherwise, they are convinced that we must be "up to something".

If you stop and think about it, the government is composed of all of us.
One of the few in the world that when we say "the government" we mean
"us".

Give yourself a break, and don't spread such nonsense.  There are enough 
paranoid types out there, we don't need more.

------------------------------

Date: Tue, 27 Feb 1996 17:49:12 -0500 (EST)
From: Tom Simondi <tsimondi@slonet.org>
Subject: New WWW Address for Tom Simondi
X-Digest: Volume 9 : Issue 33

Just a note for anyone contemplating downloading the freeware
Windows Help-format virus tutorial I've published. Due to both
a busy server and now a complete downing of the upload capabilities
of the CompuServe web server I've moved my web pages to a local
provider.

Please use the address:  http://slonet.org/~tsimondi/ck.htm

Look on the product page.

Also, version 1.1 is now available. I took the main tutorial
material and condensed it for presentation in briefing chart
format. Added a couple of "guides" to make it more visual as well.

Enjoy...

- - 
=-=- Tom Simondi -=-= Visit the Computer Knowledge home page -=-=
=-=- http://slonet.org/~tsimondi/ck.htm          -=-=-=-=-=-=-=-=
=-=- E-mail: 75655.210@compuserve.com -or- tsimondi@slonet.org -=

------------------------------

Date: Mon, 26 Feb 1996 02:27:51 -0500 (EST)
From: Bruce Burrell <bpb@stimpy.us.itd.umich.edu>
Subject: Re: OS2 HPFS corrupted by Monkey-A Virus (OS/2)
X-Digest: Volume 9 : Issue 33

Yok pang Ngo - INEN/W94 (dn@acs.ryerson.ca) wrote:
[details of Monkey on HD containing DOS, OS/2, and Boot Manager snipped]

> My questions are:
> 
> 1. Is there any utilities or virus scanner that can fix the HPFS partition 
>    table so that I can retrieve some important files stored there? 

   Since you've already "corrected" things with Norton, you'll probably 
have to decrypt the original boot sector.
    
> 2. Is there any way to make a HPFS partition without reformat, since I
>    don't want lose all information already on the drive, by re-installing
>    OS2 or booting to OS2 from floppies and apply certain procedures to
>    revitalize the partition? 

   Almost surely, since Cylinder 0, Head 0, Sector 3 shouldn't be used by 
DOS, OS/2, OR Boot Manager.
 
> 3. If all above fail, since I have Norton Disk Editor, How do I re-
>    construct the partition table values of HPFS and what kind of Hard Disk
>    information is needed? Or need to know how the Monkey-A virus encrypts
>    to MBR.

   If you send me copies of (0, 0, 1) and (0, 0, 3) as captured with
Norton Disk Editor either as binary attachments or uuencoded, I'd be happy
to see whether it contains the necessary info and return a patched up MBR
that you could reinstall (no charge).  Of course, if you feel more
comfortable doing this with an AV vendor, please do so. 

> Any suggestions are greatly appreciated as I am a new OS2 user who have
> not enough knowledge to solve this tricky problem.

   I suspect most users of OS/2 and DOS don't have that knowledge, so no 
need to feel inferior. :-)

   -BPB

------------------------------

Date: Mon, 26 Feb 1996 09:12:26 -0500 (EST)
From: "Jay H. Miller" <jhmiller@helix.nih.gov>
Subject: Re: OS2 HPFS corrupted by Monkey-A Virus (OS/2)
X-Digest: Volume 9 : Issue 33

In reference to the Monkey-A virus on OS/2.  I have two comments.  IBM 
has anti-virus software that works on FAT and HPFS partitions.  Also, 
there is a program called Partition Magic which can change partitions 
between FAT and HPFS on the fly without destroying data.  This might be 
able to help you recover your HPFS partition.  Indelible Blue sells the 
anti-virus and probably the Partition Magic.  They have a web site that I 
think is www.indelible-blue.com.                

------------------------------

Date: Mon, 26 Feb 1996 11:50:12 -0500 (EST)
From: Zvi Netiv <netz@actcom.co.il>
Subject: Re: OS2 HPFS corrupted by Monkey-A Virus (OS/2)
X-Digest: Volume 9 : Issue 33

Yok pang Ngo - INEN/W94 <dn@acs.ryerson.ca> wrote:

> My hard drive (1002 cylinders,16 heads, 52 sectors) is partitioned as
> follows:
> 
> 255 MB (1024x1024) for DOS
> 146 MB for HPFS
> 1 MB BOOT MANAGER at end of disk 
> 
> When the hard drive was infected by the Monkey-A virus, I was not aware of
> it and use a DOS TSR to access the HPFS, it is "dos_eng.exe" which allow
> "write" to the HPFS, and when I boot to OS2 later, it did not boot. I
> tried to use F-prot from a non-infected boot disk to clean it, but it did
> not work on my hard drive, but was able to clean the 2nd attached hard
> drive which I borrowed from a friend and other infected floppies as well.
> When the hard drive was infected, FDISK show corrupted non-ascii values
> under " 4. Display Partition Information ". and reported with more than 3
> entries (ie. DOS, HPFS and Boot Manager). Since the latest F-prot and
> Mcafee Scan didn't work. I tried Norton Disk Doctor, it worked and
> completely revitalize the DOS partition only after I deleted the first two
> entries in FDISK. After the fix, when I Fdisk, only 1 entry was shown for
> the DOS partition. HPFS partition and Boot Manager were gone. and loading
> "dos_eng.exe" or booting OS2 from floppy can not find and HPFS either. 

>         Readings from F-Prot virus informations indicated that the Monkey-A
> virus moves the Master Boot Record to the " Third " sector and encrypts it.
> But all other information on disk are not damaged. I am quite sure that
> when I use HPFS access utility, Monkey-A also moved and encrypted the HPFS
> partition table, maybe corrupting the Boot Manager as well which I am not
> sure of.

> My questions are:

> 1. Is there any utilities or virus scanner that can fix the HPFS partition 
>    table so that I can retrieve some important files stored there? 

I believe ResQdisk (standard or the professional version) can recover your
first drive, provided you didn't mess too much with disk editors.  
    
> 2. Is there any way to make a HPFS partition without reformat, since I
>    don't want lose all information already on the drive, by re-installing
>    OS2 or booting to OS2 from floppies and apply certain procedures to
>    revitalize the partition? 

As stated above, there is a fair chance to recover it all, so, don't hurry
formatting anything!

First, download InVircible from one of the sites in my signature. Boot from
a floppy and run RESQDISK. If you are lucky and didn't mess too much with
DiskEdit, then there is a fair chance that you will find the original MBR in
sector 0,0,3. There is a minor problem, as it was encrypted by Monkey before
being relocated. Yet, ResQdisk will fix this too.

While watching sector 0,0,3, press ^E (edit) and select "Decrypt". The
original MBR should emerge. Press ^A (analyze) and "As partition". You
should see the original MBR data. The HPFS partition should show type 7
and the Boot Manager one is type 10. 

Rewrite the MBR to sector 0,0,1 by pressing Home (go to sector 1), ^E and
then "Write", and Enter. 

Now reboot and the drive should return to life.

In case the data in sector 0,0,3 was corrupted, it is still possible to
recover all partitions with ResQdisk Professional. Read in the online
hypertext (Alt+G when in ResQdisk) from where to get assistance.

Next time, prepare an IV rescue diskette before getting hit by a
boot-partition infector. You can then afford boot infections as many times
as you wish. :-)

Regards, Zvi Netiv
- --------------------------------------------------------------------
NetZ Computing Ltd, Israel          Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)   Fax +972 3 532 5325
Web sites:  http://invircible.com/  Anonymous ftp: ftp.invircible.com
E-mail: netz@actcom.co.il netz@invircible.com  Compuserve: 76702,3423
- --------------------------------------------------------------------

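As an added example (my code, not part of Zvi Netiv's post and not ResQdisk's), here is a small Python partition-table parser and sanity check of the kind you would run over captured copies of sector (0,0,1) and the suspected relocated copy in (0,0,3) before rewriting anything. It uses the type codes named above (7 for HPFS and, assuming ResQdisk shows types in hex, 0x0A for Boot Manager) and the 1002/16/52 geometry quoted in the question; the sample MBR and the "scrambled" sector are constructed here, and every function name is mine. It deliberately does not implement Monkey's encryption, which the thread does not describe: a still-encrypted copy simply fails the checks, which tells you whether the sector-3 copy can be trusted yet.

```python
import struct

# Partition type codes named in the thread (HPFS = 7; Boot Manager = 10,
# read here as hex 0x0A, the usual OS/2 Boot Manager code) plus a few common
# DOS-era FAT types so the report reads naturally.
PARTITION_TYPES = {
    0x00: "empty",
    0x01: "FAT12",
    0x04: "FAT16 (<32 MB)",
    0x05: "extended",
    0x06: "FAT16 (BIGDOS)",
    0x07: "HPFS (also IFS/NTFS)",
    0x0A: "OS/2 Boot Manager",
}

PT_OFFSET = 0x1BE          # partition table starts at byte 446 of the MBR
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xAA"


def parse_partition_table(sector):
    """Decode the four 16-byte slots of a 512-byte MBR into dicts."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly one 512-byte sector")
    entries = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PT_OFFSET + 16 * i)
        entries.append({
            "slot": i,
            "bootable": status == 0x80,
            "type": ptype,
            "name": PARTITION_TYPES.get(ptype, "unknown 0x%02X" % ptype),
            "start_lba": lba,
            "sectors": count,
        })
    return entries


def check_mbr(sector, disk_sectors):
    """Return a list of problems; an empty list means the sector looks like
    an intact MBR.  An encrypted or zeroed copy fails several checks."""
    problems = []
    if sector[510:512] != BOOT_SIG:
        problems.append("missing 55AA boot signature")
    used = [e for e in parse_partition_table(sector) if e["type"] != 0]
    if not used:
        problems.append("no partitions defined")
    if sum(e["bootable"] for e in used) > 1:
        problems.append("more than one active partition")
    ranges = []
    for e in used:
        end = e["start_lba"] + e["sectors"]
        if e["start_lba"] == 0 or e["sectors"] == 0:
            problems.append("slot %d has a zero start or length" % e["slot"])
        elif end > disk_sectors:
            problems.append("slot %d runs past the end of the disk" % e["slot"])
        else:
            ranges.append((e["start_lba"], end))
    ranges.sort()
    for (_, a_end), (b_start, _) in zip(ranges, ranges[1:]):
        if b_start < a_end:
            problems.append("partitions overlap")
            break
    return problems


def build_sample_mbr(layout):
    """Constructed MBR for the demo; CHS bytes are left zero because the
    parser above works from the LBA fields."""
    sector = bytearray(512)
    for i, (bootable, ptype, lba, count) in enumerate(layout):
        struct.pack_into(ENTRY_FMT, sector, PT_OFFSET + 16 * i,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype,
                         b"\0\0\0", lba, count)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Geometry quoted in the thread: 1002 cylinders x 16 heads x 52 sectors.
DISK_SECTORS = 1002 * 16 * 52

# Constructed layout matching the described disk: DOS, HPFS, Boot Manager last.
SAMPLE_MBR = build_sample_mbr([
    (True,  0x06,      52, 522_240),   # DOS, about 255 MB
    (False, 0x07, 522_496, 299_520),   # HPFS, about 146 MB
    (False, 0x0A, 831_168,   2_496),   # Boot Manager, about 1 MB at the end
])

# Stand-in for the relocated copy in sector (0,0,3) while still encrypted:
# arbitrary bytes with no signature and no sane table (constructed).
SCRAMBLED_SECTOR = bytes(range(256)) * 2


def describe(sector, disk_sectors=DISK_SECTORS):
    """Human-readable report used when running the file directly."""
    lines = []
    for e in parse_partition_table(sector):
        if e["type"]:
            lines.append("slot %d: %s%s start=%d sectors=%d" % (
                e["slot"], "*" if e["bootable"] else " ", e["name"],
                e["start_lba"], e["sectors"]))
    problems = check_mbr(sector, disk_sectors)
    lines.append("verdict: " + ("looks like an intact MBR"
                                if not problems else "; ".join(problems)))
    return "\n".join(lines)


if __name__ == "__main__":
    print("sector (0,0,1):\n" + describe(SAMPLE_MBR))
    print("sector (0,0,3):\n" + describe(SCRAMBLED_SECTOR))
```

Feed it the two sectors captured with a disk editor (as files, one 512-byte sector each) and compare verdicts: only a copy that passes every check, with the expected type 7 and type 0x0A entries, is a candidate for writing back to sector 1.
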
------------------------------

Date: Sat, 24 Feb 1996 13:09:51 -0500 (EST)
From: Cliff and Diana Morrison <d_morrisons@earthlink.net>
Subject: Re: Q: state of viruses on Windows NT Alpha (NT)
X-Digest: Volume 9 : Issue 33

If you take a look at http://www.symantec.com, their anti-virus 
section has a fair amount of information about Windows NT and viruses.  
They are supposedly working on an anti-virus product for Windows NT at
this time.

<Cliff>
d_morrisons@earthlink.net

------------------------------

Date: Mon, 26 Feb 1996 08:04:40 -0500 (EST)
From: Lawrence Davies <Lawrence_Davies@sophos.com>
Subject: Re: antivirus software for Windows NT? (NT)
X-Digest: Volume 9 : Issue 33

>I am looking for recommendations on antivirus software for Windows
>NT systems (servers and workstations).

You could try Sweep for Windows NT.

It's available for free 30 day evaluation from our Web site:

      http://www.sophos.com

Regards,

Lawrence Davies
Technical Support
SOPHOS Plc.
Oxford, UK

------------------------------

Date: Sun, 25 Feb 1996 01:19:13 -0500 (EST)
From: Mike Leduc <mleduc@newforce.ca>
Subject: Re: Virus on Novell Netware 3.11 (NW)
X-Digest: Volume 9 : Issue 33

Ben Tseng wrote:

> We have a network set up with Novell Netware 3.11 and now we find that
> there is a virus identified as AntiExe.
> 
> Anyone have any ideas how to get rid of it without having to reformat the
> hard drive and reinstall all the software?
> 
> [Moderator's note:  Read it as you will, but I get the feeling Ben means
> the server is infected, hence me tagging it (NW).]

the latest version of Mcafee has done a good job of cleaning infected
systems on our network.  I have never had a virus on the file server
itself but if you remove DOS from memory this should keep this from
happening again. Down the server and boot from a clean floppy and run
mcafee's scan.exe with the /clean option. Hopefully you have a recent
backup.

good luck
mike
mleduc@newforce.ca

------------------------------

Date: Mon, 26 Feb 1996 11:04:53 -0500 (EST)
From: Ken Stieers <kens@ontrack.com>
Subject: Re: Virus on Novell Netware 3.11 (NW)
X-Digest: Volume 9 : Issue 33

You don't have to format the harddrive to get rid of this virus.  In fact, 
formatting it WON'T remove the virus at all.   

Get a decent scanner (McAfee, Solomon's, F-Prot, Nav.....) , cold boot the 
machines from a known clean bootable floppy and run the scanner against it.  

That's all it takes. 

Ken 

- - 
Views expressed herein are not necessarily the views 
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               |  Minneapolis - 1.800.872.2599       * 
* AV Research/Apps. Eng.    |  Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  |  Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     |  London - 0800 24 39 96             *
* Eden Prairie, MN          |  Japan - 81.429.32-6365             *
*******************************************************************

------------------------------

Date: Mon, 26 Feb 1996 17:12:37 -0500 (EST)
From: dford@ut801.homestar.net
Subject: MS Excel Virus ?? (MAC,WIN)
X-Digest: Volume 9 : Issue 33

Has anyone heard if there is a new virus like the winword macro
viruses that are attacking Microsoft Excel ?

Any information would be greatly appreciated

Dave Ford

------------------------------

Date: Tue, 27 Feb 1996 13:32:58 -0500 (EST)
From: szapi@ludens.elte.hu
Subject: Re:Word Macro Virus
X-Digest: Volume 9 : Issue 33

In article <0020.01I1F2UO359AQKFBM4@csc.canterbury.ac.nz>,
szapi@ludens.elte.hu writes:
> In article <0005.01I0ZQJ93R4YPVIUA3@csc.canterbury.ac.nz>, Grahame Grieve
> <g.grieve@pgrad.unimelb.edu.au> writes:
> 
>> 3. Set tools -- options -- save --- Prompt to save normal.dot...
>>    I can't find a word statement to test for this, as opposed to set it.
>>    (I have the word developers kit in front of me...) A test would be nice.
>>    Same for the status of disableautomacros.
> 
> The first problem can be solved by the following code:
> 
> Dim dlg As ToolsOptionsSave
> GetCurValues dlg
> promptsave=dlg.GlobalDotPrompt
> 
> The variable promptsave will be 1 if Prompt to save normal.dot is
> selected, 0 otherwise. I don't see any solutions for the second problem.

That is, there is no easy or elegant solution. You can still do the
following:

Create a document with any name (for example test.doc). Create an AutoOpen
macro in it containing

   Sub MAIN
      ' Runs only when auto macros are enabled, so record that fact in WIN.INI
      SetProfileString "your_name_here", "AutoMacroStatus", "ON"
   End Sub

Then from your macro do the following:

   ' Reset the flag, open test.doc (its AutoOpen fires only if auto macros
   ' are enabled), then read the flag back from WIN.INI
   SetProfileString "your_name_here", "AutoMacroStatus", "OFF"
   Dim dlg As FileOpen
   dlg.Name = "test.doc"
   Dialog dlg
   AutoMacroStatus$ = GetProfileString$("your_name_here", "AutoMacroStatus")

The variable AutoMacroStatus$ will be "ON" if auto macros are enabled,
"OFF" if disabled.

Szapi

------------------------------

Date: Mon, 26 Feb 1996 05:38:24 -0500 (EST)
From: "Mikko H. Hypponen" <Mikko.Hypponen@datafellows.com>
Subject: Re: a good Anti-Virus for Win95? (WIN95)
X-Digest: Volume 9 : Issue 33

David Stoner <dstoner@marlin.utmb.edu> wrote:
> > Try out F-Prot Professional for Windows 95. Go to 
> > http://www.datafellows.com for more information.
>
> Is there a freeware version for Windows 95 existing or planned?

No, the Windows 95 version of F-PROT is part of the commercial
suite only - just like the Windows, Windows NT, OS/2 and NetWare
versions.

The DOS version is free for private use everywhere, and you can
run it in a DOS box under Windows 95.
 
- - 
	Mikko Hermanni Hyppönen - Mikko.Hypponen@DataFellows.com  
  Data Fellows Ltd's F-PROT Pro Support: F-PROT-Support@DataFellows.com
Computer virus information available via web: http://www.DataFellows.com/

------------------------------

Date: Tue, 27 Feb 1996 01:27:30 -0500 (EST)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: Re: a good Anti-Virus for Win95? (WIN95)
X-Digest: Volume 9 : Issue 33

In article <0031.01I1NWAI06W6QKGRP8@csc.canterbury.ac.nz>
	   robertc@exo.com "Robert K. Chu" writes:

> Will putting a path statement in the autoexec.bat on a
> bootable floppy cause a virus to load into memory?

No.  There are some virus issues that are affected by the path,
such as companion viruses, but the PATH command itself does not
run any additional executable.

> Is it safe to use a Win95 bootable
> floppy as a clean boot disk for virus removal?

I would say yes.  It doesn't boot straight into Windows, but only
into DOS, pretty much as floppy boots always did.  There is some
question about the version of DOS that underlies Win95 doing
extra things we don't know all about at this time (it has some
extra configuration files like MSDOS.SYS), but it is still DOS,
despite the camouflage.

My Win95 computer boots into DOS and stays there, until I enter
Windows of my own free will.  I wouldn't be doing that if I
wasn't writing software for Win95.

- -
MAN PASSES                      DOG GETS OUT
	  DOG HOUSE                         MAN GETS IN
		   DOG SEES CHIN                       Burma-Shave

------------------------------

Date: Tue, 27 Feb 1996 10:05:26 -0500 (EST)
From: news@dub-news-svc-5.compuserve.com
Subject: What detects BOZA virus? (WIN95)
X-Digest: Volume 9 : Issue 33

Which virus scanner can find this virus and remove it?

------------------------------

Date: Wed, 28 Feb 1996 01:42:31 -0500 (EST)
From: Jerry Meyers <jerrym@winternet.com>
Subject: MY DOCUMENTS folder virus? (WIN95)
X-Digest: Volume 9 : Issue 33

Noticed that Word occasionally can't save to the MY DOCUMENTS folder but can
save as to anywhere else on the disk. This is a sometimes occurrence.
One minute Word can save to MY DOCUMENTS and the next it locks up trying
to do it. I have reinstalled Word to no avail. It works after the install
(saves to My Documents), then the next minute it will not, but the rest of
Win95 is OK. I have run various older anti-virus software to no avail.
Anyone else experience this? Is it a virus? It sure acts like one.
Alas, I can only delete MY DOCUMENTS from NT. That will be my last
resort. A virus or not?

Jerry
jerrym@winternet.com

------------------------------

Date: Sun, 25 Feb 1996 11:41:38 -0500 (EST)
From: Glen D Moffitt <glenm@seanet.com>
Subject: Re: Help...weird keyboard problems possible virus? (PC)
X-Digest: Volume 9 : Issue 33

Joel Elliot Slotkin wrote:

> Hi...I'm running a PC with win95 and I've been having a problem which
> Gateway 2000's tech support suggested might be a virus.
> 
> It started a few days ago. Basically, the keyboard just started
> generating lots of backslashes at the maximum repeat rate (changing t
> 
> The key appeared fine physically, and still was perfectly responsive.
> Unplugging the keyboard made it stop. Turning off the computer and
> turning it back on did NOT, however...on boot-up, the pc speaker started
> making noises as if the keyboard buffer were being overloaded, and this
> often prevented win95 from loading properly. This occurred *very* early
> in the boot process. Unfortunately, I can't remember if it was before or
> after the hard drive got initialized.
[snip]

If that's a Gateway 2000 486, and one of those damned programmable
keyboards: we bought a bunch of those some time ago and slowly but surely
the keyboards go bonkers. Sometimes the ctrl-alt-suspend macro works.  If
not, swap in a generic keyboard; that's what we usually do.

Glen Moffitt
glenm@seanet.com

------------------------------

Date: Sun, 25 Feb 1996 12:49:50 -0500 (EST)
From: Eric Choiniere <choua@graf.polymtl.ca>
Subject: McAfee Word Virus Utility (PC)
X-Digest: Volume 9 : Issue 33

	I installed the latest version of McAfee Anti-Virus and answered
yes when asked if I wanted to install the anti-"Word Macro Virus" utility.
Unfortunately, it does not work. Not only that, but whenever I double-
click a '.doc' file in Explorer to open a document in Word, Word says
something like: "Unrecognized macro or instruction 324". Does anybody
know how to disable this McAfee utility so that Word works fine again?
Does this work for any of you?

Thanks!

------------------------------

Date: Mon, 26 Feb 1996 06:36:50 -0500 (EST)
From: "Bob Witham Jr." <robert.l.witham.jr@state.me.us>
Subject: Re: AntiExe- What are the symptoms? (PC)
X-Digest: Volume 9 : Issue 33

"Michael J. Shepherd" <ux365@freenet.victoria.bc.ca> wrote:
>In a previous article, rhiscock@public.compusult.nf.ca (Robert Hiscock) says:
>
>>Has anyone had any experience with AntiEXE?  If so can you tell me what
>>the symptoms are.  My virus scanner picked it up on some of my floppies
>>but I didn't seem to be having any problems with my computer.
>>
>Hmm, I had to chase that virus from a system I worked on.  A couple 
>symptoms I saw were, Windows would not run, and if I booted from floppy, 
>the HDD was not visible and not accessible.  I hope your scanner got rid 
>of it before it infected your HDD.
>

Actually, my experience has been that 32-bit disk access under windows 
does not work.  I don't remember the exact error, but essentially windows 
complains about using 32-bit.

Also, booting from a clean floppy should be no problem.  If anything, 
booting from an infected floppy might cause the HDD to become 
inaccessible.  I have never seen this as a problem with ANTIEXE.

Bob Witham Jr.
State of Maine

------------------------------

Date: Mon, 26 Feb 1996 08:04:44 -0500 (EST)
From: Lawrence Davies <Lawrence_Davies@sophos.com>
Subject: Re: How Do I Get Rid of Form_A? (PC)
X-Digest: Volume 9 : Issue 33

>I have just installed Windows95, then two days later I installed McAfee 
>VirusScan95 (30-day evaluation copy) and discovered I picked up the 
>Form_A virus.  Now I need to get rid of it.  I can't figure out how to 
>do it using McAfee.  I did try booting from a system disk and running 
>fdisk /mbr as an earlier article recommended, but no effect.

Form-a infects the *DOS* boot sector of your hard disk, and "fdisk /mbr" 
will not touch this.

To remove Form-a you need to boot from a clean DOS system floppy, then 
use the command "sys c:" to copy a new DOS boot sector over the virus.

Make sure that the DOS version on the floppy matches that on the HD.

Regards,

Lawrence Davies
Technical Support
SOPHOS Plc.
Oxford, UK

------------------------------

Date: Mon, 26 Feb 1996 09:35:32 -0500 (EST)
From: "Mikko H. Hypponen" <Mikko.Hypponen@datafellows.com>
Subject: Re: PMBS virus from F-Prot (PC)
X-Digest: Volume 9 : Issue 33

Ric Smith <rsmithii@cris.com> wrote:
> Does anyone know where I can get more info on a virus "PMBS" as reported
> to me from F-Prot? 

You can find this alias from the virus description database at
http://www.DataFellows.com/.

> Is it a variaton of another virus or is there another
> name that I can search for? 

You probably have the Stealth_Boot.C virus or another variant from the
same family. F-PROT detects it in the boot sectors by its CARO name
'Stealth_boot.C', but if the virus is already in memory, F-PROT
detects it as 'PMBS'. This will change in the future.

> It appears to be resistant to removal thus far.

You need to boot from a clean floppy first. Consult the FAQ on
how to do this correctly.

- - 
	Mikko Hermanni Hypponen - Mikko.Hypponen@DataFellows.com  
  Data Fellows Ltd's F-PROT Pro Support: F-PROT-Support@DataFellows.com
Computer virus information available via web: http://www.DataFellows.com/

------------------------------

Date: Mon, 26 Feb 1996 10:18:42 -0500 (EST)
From: "Mikko H. Hypponen" <Mikko.Hypponen@datafellows.com>
Subject: Re: MSAV false alarm on 10B7?? (PC)
X-Digest: Volume 9 : Issue 33

"livewire@in.the.house"@cc.usu.edu wrote:
> Some punk at work is using the MSAV program to say that we have
> a virus called 10b7. F-prot says it is a fluke but microsoft is
> saying it is a real virus

We've seen this before several times: it's a false alarm from MSAV.
There is no '10b7' virus. Ignore it, get rid of MSAV, etc.

- - 
	Mikko Hermanni Hypponen - Mikko.Hypponen@DataFellows.com  
  Data Fellows Ltd's F-PROT Pro Support: F-PROT-Support@DataFellows.com
Computer virus information available via web: http://www.DataFellows.com/

------------------------------

Date: Mon, 26 Feb 1996 11:49:46 -0500 (EST)
From: Ken Stieers <kens@ontrack.com>
Subject: Re: Stealth_Boot.C (PC)
X-Digest: Volume 9 : Issue 33

In article <0026.01I1JAW8C1VOQKFBM4@csc.canterbury.ac.nz>,
tborck@netcom.com says...

>Try using the scan a: /clean [stealth_c] command.

You don't need the [stealth_c].  SCAN doesn't recognize it. 

>Don't use the scan a:\ /clean [stealth_c] command.

>Don't know why, but if I don't put in the backslash after the a:,
>stealth_c goes away from the boot record.

SCAN A:\  tells scan to just look at A:\.  Period.  It doesn't scan the 
boot sector or any sub-directories.  

Ken

- - 
Views expressed herein are not necessarily the views 
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               |  Minneapolis - 1.800.872.2599       * 
* AV Research/Apps. Eng.    |  Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  |  Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     |  London - 0800 24 39 96             *
* Eden Prairie, MN          |  Japan - 81.429.32-6365             *
*******************************************************************

------------------------------

Date: Mon, 26 Feb 1996 12:12:14 -0500 (EST)
From: Patrick Noyens <patrick.noyens@ping.be>
Subject: How to reenable GUARD? (PC)
X-Digest: Volume 9 : Issue 33

How can GUARD.COM (TSR scanner from Dr. Solomon AVTK) be 'reenabled'
after loading other TSR programs? (network drivers, SmartDrive,
CD-ROM drivers, ...)

I just forgot the command line switch to do so: I thought it was
GUARD /RECONNECT... but this doesn't work.

Please E-mail to : patrick.noyens@ping.be

Thanks,

Patrick

------------------------------

Date: Mon, 26 Feb 1996 12:25:34 -0500 (EST)
From: Steven Hoke <shoke@baldcom.net>
Subject: Re: DOOM2 DEATH (PC)
X-Digest: Volume 9 : Issue 33

Jimmy Kuo was overheard to say:

> Matthew Bradley <purple@swmonster.com> writes:
> 
> >Could some kind soul please tell me details of the DOOM2 DEATH virus.
> >It infected many EXE files on my hard drive and I can't seem to shake
> >it. 
> You obviously are running McAfee's Scan.  So you can just run the
> program with the /CLEAN switch.

If he has the virus, and it keeps showing up, without being able to track
its source, he may have a known dropper for the virus. There is a dropper
that received wide circulation after it was distributed on Night Owl 15
(Night Owl is a series of "BBS ready" CD-ROM's popular with BBS's, and I
believe it was also found on at least one of the Doom CD-ROM collections
that are widely available). I originally reported it back on 1 March 95 in
comp.virus. The dropper was infected with Taipan.666, packed with PKLite,
and the header was hacked to make it more difficult to detect by
preventing the scanner from determining the packing method and
successfully scanning the packed executable (so it was obviously an
intentional attempt by someone to cause damage). The dropper file is
NETCHEAT.EXE in the archive DMNCHEAT.ZIP (supposedly a Doom II cheat to
allow use of cheat codes during network play). 

To determine if that is the problem you have (there may be legitimate,
uninfected copies of the Doom cheat utility, so you couldn't positively
identify it just by the presence of that file), you need to scan with
F-Prot or AVP, because McAfee's SCAN does not identify the original
dropper (neither does NAV, DSAVTK, or TBAV). When I identified that
dropper some time ago, I sent McAfee a copy of it, but they never added
detection of it to SCAN (before Jimmy Kuo started there), while F-Prot did
add detection of the dropper after I sent a copy to Mikko Hypponen at Data
Fellows (AVP was the only program I ever tested against it which was able
to identify it without modification). If you have the dropper, and don't
identify it as such and delete it, you will continue to chase the virus,
cleaning up infections, but never removing the original source.

- - 
- -==Steve==--

shoke@baldcom.net
steven_hoke@msn.com

------------------------------

Date: Mon, 26 Feb 1996 15:34:53 -0500 (EST)
From: John Balliew <jballie@primenet.com>
Subject: NYB Virus (PC)
X-Digest: Volume 9 : Issue 33

I downloaded VirusScan from the C|net web page; when I installed and ran it,
it gave me a message that there are traces of the NYB virus. At this point
I reformatted my hard drive and reinstalled Windows95. I downloaded
VirusScan from PRODIGY thinking that this had less chance of being
infected. The message came up again. The only problem I have had is that
when I try to run a program on CD-ROM I will get the message that the D:
drive is not available. Do I really have the NYB virus, or is this a
Windows95 problem, or a VirusScan problem? VirusScan suggests that I
boot up from a clean disk and then run scan, but when I do that, I get the
message that Himem.sys didn't load, so therefore I can't run Windows 95. 

Help!!!

------------------------------

Date: Mon, 26 Feb 1996 16:51:45 -0500 (EST)
From: David Flanzenbaum <dflanz@pipeline.com>
Subject: Help: Joshi Virus (PC)
X-Digest: Volume 9 : Issue 33

I've got the JOSHI on my boot record.  Can't tell what 
damage it's causing/caused.  Anybody know the symptoms? 

McAfee recognizes it but has no cleaner (as of 01/04/96 at least).  Any
known cleaners out there? 

Thanks.

------------------------------

Date: Mon, 26 Feb 1996 17:41:14 -0500 (EST)
From: Glen Robinson <gtr@qld.mim.com.au>
Subject: EPBR Virus ? (PC)
X-Digest: Volume 9 : Issue 33

Can anyone tell me what it does ?  I found it with F-PROT which 
identified it with a '?' after the name.

[Moderator's note:  Vgrep tells me that what F-PROT calls Epbr in their
collection most of the other big-name scanners call Stoned.Kiev.]

------------------------------

Date: Mon, 26 Feb 1996 20:37:32 -0500 (EST)
From: ruben@ralp.satlink.net
Subject: Re: MSAV false alarm on 10B7?? (PC)
X-Digest: Volume 9 : Issue 33

Sat, 24 Feb 1996 11:46:58 -0500 (EST) "livewire@in.the.house"@cc.usu.edu
wrote:

>I am sure this problem has been addressed before but I have a pretty big 
>problem.  Some punk at work is using the MSAV program to say that we have 
>a virus called 10b7.  If this is truly a virus, which microsoft says it 
>is we are in deep dodoooo... this virus has been reported on every file 
>type known on our servers.  It crossed server lines, infects  our 
>groupwise...everything.  F-prot says it is a fluke but microsoft is 
>saying it is a real virus any help?

Well. I'm convinced to trust F-prot rather than MSAV.
                       ^^^^^

F-prot is a good product, and maybe this is another MSAV false alarm. 

To be sure of this, try to check your system with another reputable AV
package. (This is only to clear away all of your doubts.)


>I personally think it is just scummy programming on microsoft's part.  It 
>is just matching weird checksums and calling them 10b7... so far it has 
>been detected on every machine, home work and school that I have tested. 

Again, I think it's a false positive.
BTW, check for files growing, memory decreasing, etc.

I take for granted that you know how to check your system, but I will (again)
go over it all.

- Check your CMOS boot sequence (maybe A: C:).
- Boot your computer with a bootable, clean, write-protected diskette.
- Execute the AV program.
  
- (If you find an infection) check EVERY diskette.
- Advise your work, school, etc. (if you find something!)

Kind Regards

Ruben Arias
- ------------------------------------------------------------------------------
 Ruben M. Arias                                _   _      _                    
					      | ) |_| |  |_)                   
					      | \ | | |_ |                     
 E-Mail: Ruben@RALP.Satlink.net                                                
 Buenos Aires - ARGENTINA            RALP - Computer Security - Virus          
- ------------------------------------------------------------------------------

------------------------------

Date: Mon, 26 Feb 1996 20:47:42 -0500 (EST)
From: John P Mahoney <jmahoney@star.net>
Subject: Stealth_B (PC)
X-Digest: Volume 9 : Issue 33

My Dell laptop was infected with the Stealth_B virus this 
morning and managed to trash my HD.  FDISK finds no DOS 
partitions.  Apparently, this virus was more harmful than 
expected, as in my research I have yet to find any evidence of 
this virus trashing drive partitions.  Tried FDISK /MBR to no 
avail... any ideas, or do I have to rebuild my drive from 
scratch?

Please post and mail me and thanks in advance.

jmahoney@star.net

[Moderator's note:  How many times do we have to say "You do *NOT*
FDISK/MBR an HD that has -any- partitioning "problems", be they virus
induced or otherwise!" ??]

------------------------------

Date: Mon, 26 Feb 1996 21:05:42 -0500 (EST)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: Re: Help with Monkey Virus problem (PC)
X-Digest: Volume 9 : Issue 33

In article <0027.01I1OVIDD4Q4QKG2H9@csc.canterbury.ac.nz>
	   satoshi@hpp.stanford.edu "Satoshi Nishimura" writes:

> A friend of mine had the same problem. Ultimately, he sent his
> machine back to Dell, where they ended up giving him a new
> machine, because they wanted to play around with his.

Uh, oh.  The virus groupies will claim this as an example of a 
"beneficial" virus.

- -
MAN PASSES                      DOG GETS OUT
	  DOG HOUSE                         MAN GETS IN
		   DOG SEES CHIN                       Burma-Shave

------------------------------

Date: Mon, 26 Feb 1996 21:44:31 -0500 (EST)
From: ruben@ralp.satlink.net
Subject: Re: AntiExe/Form_A combo - Can't clean/floppy boot (PC)
X-Digest: Volume 9 : Issue 33

Wed, 21 Feb 1996 15:12:02 -0500 (EST) gandalf <gandalf@eden.com>
wrote:

>i have a machine that has a combination of the ANTIEXE and 
>FORM_A viruses. i know, because the latest version of mcafee 
>can clean the disk that gave it the infection. unfortunately, 
>the hard drive became infected.
>i was going to try cleaning it from a floppy boot, but the 
>machine won't boot off the floppy anymore (nor does it allow 
>copying of files, or executing of files from the floppy). 
>does either virus have the symptoms that i've described?

First of all, you may take a closer look at the diskette.
The diskette should be bootable, clean and write-protected.
You probably have an infection on your bootable diskette too.
Try to create a GOOD bootable disk on a CLEAN machine.
Also check the CMOS configuration in order to establish the boot sequence (A: C:).

The symptoms of Antiexe (known as D3 too) are malfunction of some .exe 
programs.

>if i do a low-level format and repartition of my hard drive 
>will i be able to boot again?

NEVER. Reformatting is not safe, and you'll probably have a lot of errors (lost 
chains) on your hard disk if you perform this.
Low-level format is not recommended by many HD manufacturers.

Then you won't have a real problem eradicating them from your machine.
Try to use:

- Integrity Master v 2.61 (Stiller Research)
- F-prot v 2.21           (Frisk)

Regards

Ruben Arias
- ------------------------------------------------------------------------------
 Ruben M. Arias                                _   _      _                    
					      | ) |_| |  |_)                   
					      | \ | | |_ |                     
 E-Mail: Ruben@RALP.Satlink.net                                                
 Buenos Aires - ARGENTINA            RALP - Computer Security - Virus          
- ------------------------------------------------------------------------------

------------------------------

Date: Mon, 26 Feb 1996 22:22:40 -0500 (EST)
From: Fucking Addict <dkewlest1@news-e2a.gnn.com>
Subject: Re: Jackal virus problems (PC)
X-Digest: Volume 9 : Issue 33

Dr. Solomon's v7.57 (newest ver. I think) successfully removed JACKAL from
my infected boot sectors and files.

------------------------------

Date: Mon, 26 Feb 1996 22:56:44 -0500 (EST)
From: Zvi Netiv <netz@actcom.co.il>
Subject: Re: Junkie Virus (PC)
X-Digest: Volume 9 : Issue 33

Trevor <trevorc@bconnex.net> wrote:

> I was just wondering if anyone had any information about removing the
> Junkie virus...I detected it with TBAV 7.00, and am having difficulty
> removing it from the boot sector of the hard disk (c:).I tried deleting
> the partition, formatting, and repartitioning, yet it still shows up and
> infects several .com files.  Any help would be welcome.

Disinfecting from Junkie can be tricky because of its multipartite nature.
It's easy getting caught in its little vicious circle as explained below.
Once you get the idea you'll see that it's quite easy to remove Junkie,
even without needing to boot clean.

BTW, there is no need to format a drive, certainly not to repartition, in
order to remove a virus. It was said a thousand times and will probably
need to be repeated as many times in the future. :-(

The key to success is in knowing that Junkie becomes memory resident ONLY
after booting from an infected MBR. You can run a COM file infected by
Junkie (usually command.com is the first one to get infected) and it won't
start infecting files, only the MBR, and wait for rebooting from the hard
drive.

Therefore, start by cleaning the MBR (with either an antivirus or with
fdisk/mbr - the latter only if you are running under DOS or Win95, not NT,
not Boot Manager and no MBR security program installed, and you are sure
that you have Junkie and nothing else). If in doubt then use InVircible's
ResQdisk for a visual inspection and analysis of the MBR. Then reboot,
without running anything else.

Junkie won't now be resident, although the MBR WAS RE-INFECTED because
command.com ran, and it most probably has Junkie. You can now clean all
the infected files with your scanner (IVscan will clean Junkie from files
too) without interference from a memory-resident Junkie.

Finally, repeat the cleaning of the MBR and reboot. That's it, Junkie will
be gone. IV can be downloaded from any of the sites in my sig.

Regards, Zvi
- --------------------------------------------------------------------
NetZ Computing Ltd, Israel          Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)   Fax +972 3 532 5325
Web sites:  http://invircible.com/  Anonymous ftp: ftp.invircible.com
E-mail: netz@actcom.co.il netz@invircible.com  Compuserve: 76702,3423
- --------------------------------------------------------------------

------------------------------

Date: Tue, 27 Feb 1996 06:12:21 -0500 (EST)
From: support@vse.ac-copy.com
Subject: Re: Volume Name "AP" (PC)
X-Digest: Volume 9 : Issue 33

From: "Keith L. Clement" <keithc@cyberlink.bc.ca>

> Recently, I've notice that my volume name on my C-drive has changed to 
> AP, I've been trying to change it and can't seem to.  Does anybody know 
> if this is a virus?  If theres a solution please let me know.

Keith, I think you forgot to tell us a few things:

1st: you are using Windows95
2nd: you did not have a volume label before installation of 95

How do I know that?

Windows 95 stores the long filenames (LFN) in additional directory entries
marked as volume labels. These will usually start with the characters "aP"
(notice the non-capital "a"!). Any utility designed to show "the" volume
label of a disk will now show the first LFN and capitalize this (since
volume labels are defined to be) to "AP". Fortunately most utilities will
not allow you to alter this, which would lead to filesystem corruption.

Just ignore it.

And again: no virus here.

Ciao, Guido

[Moderator's note:  Thanks to several other posters who also provided
similar responses.]
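Why a label utility shows "AP" on such a disk, as an added example that is not part of the original post: a small Python parser over constructed FAT directory entries. A tool keyed only on the volume-label attribute bit picks up the Windows 95 LFN entry for "Program Files" (first byte is the LFN sequence number 0x41, which prints as 'A', second byte the 'P'), while a parser that skips entries with all four LFN bits set finds the real label or none. The sample directory, the label "MYDISK" and the 8.3 name PROGRA~1 are constructed here.

```python
import struct

ENTRY_SIZE = 32
ATTR_VOLUME_LABEL = 0x08
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F            # read-only | hidden | system | volume label


def sfn_checksum(name11):
    """Checksum of the 11-byte short name, stored in every LFN entry."""
    s = 0
    for b in name11:
        s = (((s & 1) << 7) + (s >> 1) + b) & 0xFF
    return s


def make_sfn_entry(name8, ext3, attr):
    """A classic 8.3 directory entry; time, date, cluster and size zeroed."""
    name11 = (name8.ljust(8) + ext3.ljust(3)).encode("ascii")
    return name11 + bytes([attr]) + bytes(ENTRY_SIZE - 12)


def make_lfn_entry(seq, part13, checksum, last):
    """One Windows 95 LFN entry carrying up to 13 UTF-16LE characters."""
    units = [ord(c) for c in part13[:13]]
    if len(units) < 13:
        units.append(0x0000)                 # terminator
    units += [0xFFFF] * (13 - len(units))    # padding
    e = bytes([seq | (0x40 if last else 0)])  # sequence number, 0x40 = last
    e += struct.pack("<5H", *units[0:5])
    e += bytes([ATTR_LFN, 0x00, checksum])
    e += struct.pack("<6H", *units[5:11])
    e += struct.pack("<H", 0)                 # first cluster, always 0 here
    e += struct.pack("<2H", *units[11:13])
    return e


def entries(directory):
    """Yield live 32-byte entries, stopping at the end-of-directory marker."""
    for i in range(0, len(directory), ENTRY_SIZE):
        e = directory[i:i + ENTRY_SIZE]
        if e[0] == 0x00:
            return
        if e[0] != 0xE5:                      # 0xE5 = deleted entry
            yield e


def naive_volume_label(directory):
    """What an older label utility does: first entry with the volume-label
    bit set, name field printed up to the first NUL and upper-cased."""
    for e in entries(directory):
        if e[11] & ATTR_VOLUME_LABEL:
            name = e[0:11].split(b"\x00", 1)[0]
            return name.decode("latin-1").rstrip().upper()
    return None


def real_volume_label(directory):
    """Skip LFN entries (all four low attribute bits set), then accept the
    first entry that carries the volume-label bit."""
    for e in entries(directory):
        attr = e[11]
        if (attr & ATTR_LFN) == ATTR_LFN:
            continue
        if attr & ATTR_VOLUME_LABEL:
            return e[0:11].decode("ascii").rstrip()
    return None


def long_name_parts(directory):
    """Decode the text stored in each LFN entry, for inspection."""
    parts = []
    for e in entries(directory):
        if (e[11] & ATTR_LFN) != ATTR_LFN:
            continue
        units = (struct.unpack("<5H", e[1:11]) + struct.unpack("<6H", e[14:26])
                 + struct.unpack("<2H", e[28:32]))
        text = ""
        for u in units:
            if u in (0x0000, 0xFFFF):
                break
            text += chr(u)
        parts.append(text)
    return parts


# Constructed root directory of a fresh Windows 95 install: the LFN entry for
# "Program Files", its 8.3 entry PROGRA~1, and no real volume label at all.
PROGRA1 = make_sfn_entry("PROGRA~1", "", ATTR_DIRECTORY)
LFN_PROGRAM_FILES = make_lfn_entry(1, "Program Files", sfn_checksum(PROGRA1[:11]), last=True)
ROOT_NO_LABEL = LFN_PROGRAM_FILES + PROGRA1 + bytes(ENTRY_SIZE)
# Same disk, but with a genuine label entry (constructed) after the LFN pair.
ROOT_WITH_LABEL = (LFN_PROGRAM_FILES + PROGRA1
                   + make_sfn_entry("MYDISK", "", ATTR_VOLUME_LABEL) + bytes(ENTRY_SIZE))

if __name__ == "__main__":
    print("naive tool sees label:", naive_volume_label(ROOT_NO_LABEL))
    print("real label:", real_volume_label(ROOT_NO_LABEL))
    print("LFN text:", long_name_parts(ROOT_NO_LABEL))
```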

------------------------------

Date: Tue, 27 Feb 1996 10:10:59 -0500 (EST)
From: Ken Stieers <kens@ontrack.com>
Subject: Re: Help me rid the Stoned Empire Monkey virus (PC)
X-Digest: Volume 9 : Issue 33

Getting rid of this virus is just like getting rid of any other.  Do the 
following:

1. Cold boot from a known clean bootable floppy.  If you type C: at this
point you should get an "Invalid drive specification" error.  
2. Run the scanner of your choice (needs to be on a floppy).  Command
lines for some of the top ones are:
   McAfee:  SCAN C: /CLEAN
   S&S:  FINDVIRU C: /REPAIR
   F-PROT:  F-PROT C: /DISINF /HARD
3. Reboot
4. Copy AV software to the hard drive. 
5. Scan and clean all of your floppies.  
   McAfee:   SCAN A: /CLEAN /MANY
   I don't remember the ones for the other vendors, but they have similar 
functionality. 

After a successful cleaning the diskettes are fine.  If you are really 
paranoid about them, you can run SYS A: against them.  This will make them 
bootable, but it will also put on a new boot sector. 

- - 
Views expressed herein are not necessarily the views 
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               |  Minneapolis - 1.800.872.2599       * 
* AV Research/Apps. Eng.    |  Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  |  Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     |  London - 0800 24 39 96             *
* Eden Prairie, MN          |  Japan - 81.429.32-6365             *
*******************************************************************

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 33]
*****************************************


