From lehigh.edu!virus-l  Sun Mar  3 11:25:51 1996 remote from vhc
Received: by vhc.se (1.65/waf)
	via UUCP; Sun, 03 Mar 96 13:48:44 GMT
	for mikael
Received: from fidoii.CC.Lehigh.EDU by mn3.swip.net (8.6.8/2.01)
	id LAA13221; Sun, 3 Mar 1996 11:25:51 +0100
Received: from fidoii.cc.lehigh.edu ([127.0.0.1]) by fidoii.cc.lehigh.edu with SMTP id <39149-69346>; Sun, 3 Mar 1996 05:25:04 EST
Message-Id: <01I1X44CWLTKQKI9KO@csc.canterbury.ac.nz>
Reply-To: virus-l@lehigh.edu
Originator: virus-l@lehigh.edu
Sender: virus-l@lehigh.edu
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V9 #34
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
X-Comment: Virus Discussion List
Date: 	Sun, 3 Mar 1996 05:22:26 EST

VIRUS-L Digest    Sunday, 3 Mar 1996    Volume 9 : Issue 34

Today's Topics:

Hard drive hardware write protection
Virus Damage Statistics
What I need in an enterprise-wide scanner
Merry Xmas Strain, What are the Symptoms?
Re: Flash BIOS viruses?
Mac Virus "FNDR ERIK" ?? (MAC)
Aug, 27 1956 Virus? (MAC)
A Bunch of False-Positives? (WIN95)
Re: TBAV 6.51 (WIN95)
New Windows 95 virus or joke? (WIN95)
Re: What detects BOZA virus? (WIN95)
Re: What detects BOZA virus? (WIN95)
Re: MY DOCUMENTS folder virus? (WIN95)
Windows 3.1 goes blind to icons, dies (WIN)
Leap Year date bugs and Michelangelo--Check by Monday (PC)
Re: Viruses that damages hardware (PC)
Re: Ripper and NYB (PC)
Re: What to do with suspected virus? (PC)
FORM_D boot sector virus (PC)
Help me rid the Stoned Empire Monkey virus (PC)
How to boot clean (was: How to remove "Ekaterin" virus?) (PC)
"FOOP" sound familiar to anyone? (PC)
Re:PC-Cillin AV (PC)
PKZ300 Virus (PC)
Divide overflow on floppy access (PC)
MATURITA virus (PC)
Re: Possible Virus? Windows95 (PC)
Re: kbug1720 remover or disinfection? (PC)
Wordperfect 6.1 Virus? (PC)
Problems accessing floppy drive (PC)
How to get rid of Stoned Empire Monkey virus (PC)
FRENCH readers : read this NOW (PC)
Re: DOOM2 DEATH (PC)
Re: McAffee Word Virus Utility (PC)
Re: Possible Virus? Windows95 (PC)
Re: Norton AntiVirus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Wed, 28 Feb 1996 09:01:39 -0500 (EST)
From: Dave Pearce <dpearce@flash.net>
Subject: Hard drive hardware write protection
X-Digest: Volume 9 : Issue 34

I'm looking for information on the following:

1) Is it possible to take a stock IDE or SCSI controller and write-protect 
the hard disk, i.e., so that all writes fail?

2) Is it possible to take a stock IDE or SCSI hard drive and write protect 
it?  I know some SCSI hard drives have write protect jumpers but I haven't 
found any in the 200 - 500 meg range.

Why do I want to do this?  Our company has a "self-service" dedicated
virus scanning PC for floppies.  I have jumpered the write protect switch
for the floppies so I can't infect floppies.  I have also installed a TSR
that write-protects the hard drive through software, but would like
hardware protection.

Anybody done this or know how to do it?  Anybody have a SCSI drive (200 -
500 meg) with a write-protect jumper they want to sell?

------------------------------

Date: Wed, 28 Feb 1996 11:55:45 -0500 (EST)
From: Jeff Beaubien <AnarchyX@charger.newhaven.edu>
Subject: Virus Damage Statistics
X-Digest: Volume 9 : Issue 34

I am interested in obtaining statistical information regarding PC
virus damage.  Examples include: how many viruses are there?  what is the
estimated amount of financial cost incurred by computer viruses?  etc.
If someone could provide a reference to an article or book (relatively
recent), I would greatly appreciate it.

I am presenting a training session on how to avoid/determine if you have
a computer virus.  Such information would be essential to
"drive the point home" that viruses cause a great deal of financial
damage to corporations, universities, etc.  Therefore, this information
would give the training participants an incentive to apply the
knowledge/skills they learned in the actual workplace.

Thanks in advance for any help provided.

Jeff Beaubien
AnarchyX@charger.newhaven.edu

------------------------------

Date: Thu, 29 Feb 1996 18:58:59 -0500 (EST)
From: jim@numill.com (Jim Richardson)
Subject: What I need in an enterprise-wide scanner
X-Digest: Volume 9 : Issue 34

I have been trying for some time to find a viable enterprise virus
protection solution.  My network consists of Windows NT servers, with Mac
and Win 95 clients.  Important issues to me are:

1. Real-time scanning of files being read from or written to the NT server;
that would include copies, not only executions.
2. Scanning of Macintosh files on NT volumes; this seems to be a real
problem.  Intel did it for NetWare, why not for NT?
3. Virus alerts when either Mac or PC clients execute or copy viruses to
or from the server.
4. Selectable prescheduled scans of NT volumes, the Administrator should
be able to schedule scans easily and efficiently.
5. Single server management for the NT Server domain, the Inoculan product 
from Cheyenne seems to do this very well.
6. User friendly clients for Windows 95 and Macintosh.
7. In my opinion I am more concerned with the integrity of the NT File
Server first and foremost then the stability of the clients.

So far I've looked at Intel VirusProtect, Cheyenne Inoculan, McAfee
VirusScan, and Symantec's products.  I'm trying to get Dr. Solomon's and
F-Prot.

Has anyone found a solution that answers these issues?

[Moderator's note:  I'm sure you've thought of this too, but expert
opinion is that you shouldn't depend upon just one form of antivirus
software in putting your enterprise or corporate AV policy in place. 
Issues of "layering" different approaches to improve overall protection
are discussed in the FAQ and elsewhere.]

------------------------------

Date: Fri, 01 Mar 1996 12:12:56 -0500 (EST)
From: Michael D Warner <mwarner@embryriddle.k12.az.us>
Subject: Merry Xmas Strain, What are the Symptoms?
X-Digest: Volume 9 : Issue 34

Recently while running SAM Intercept, 4.0.1, the disc doctor detected 
a strain of merry xmas virus on Arena of Death v1.3.2 which I obtained 
from a CD Software of the Month Club. The report says not protected by 
SAM so I trashed the program. Can I expect any side effects, 
additional infestations or future problems as a result of this virus 
and what symptoms does it display? I haven't noticed anything unusual 
that I'm aware of. Any info would be greatly appreciated.

Michael Warner

mwarner@embryriddle.k12.az.us
Embry Riddle Aeronautical University

------------------------------

Date: Fri, 01 Mar 1996 15:32:34 -0500 (EST)
From: "Derek V. Giroulle" <Dirk.Giroulle@ping.be>
Subject: Re: Flash BIOS viruses?
X-Digest: Volume 9 : Issue 34

Steven Hoke <shoke@NorthNet.org> wrote:

>Rodney Korn was heard to say:

>> Also it should be noted that every flash BIOS has an area of
>> non-volatile memory which is used to reprogram the chip to a known
>> default state by jumpering and powering.  This would allow the user
>> to boot and apply the correct flash BIOS update.

>This isn't really true. I've had a flash BIOS fail an update, and had to
>have the chip replaced by the system vendor.

Some boards don't even provide the facility to switch off the flash-ROM
update.

A quick check on the boards in use here confirmed that there is no such
switch/jumper - flash ROMs and boards are wide open ... however, we're
at ease as long as there is no such virus - a prospect I really
dislike... (based on Murphy's law, you see...)

Anyway, that leads me to another question: is there some kind of
flash-ROM BIOS backup/restore utility, if it still helps after an
infection...?

This sure is a prospect I don't like...

Dirk.Giroulle@ping.be
http://www.ping.be/~ping0010
Life is like a peepshow, through a little window you never get to see what
you went in for (based on fvu's definition of panning)

------------------------------

Date: Fri, 01 Mar 1996 19:09:02 -0500 (EST)
From: Greg Robb <gmr@sirius.com>
Subject: Mac Virus "FNDR ERIK" ?? (MAC)
X-Digest: Volume 9 : Issue 34

I've been wondering about the file "Desktop FNDR ERIK" for some time.
It's been on my hard drive and for a while I thought it was a possible
virus when I was having a lot of screen freezes.  I've reformatted my hard
drives and now it is not on them.

Below are the results of a Disk Wizard scan of a few SyQuest cartridges
and a couple of floppies.  As you can see, "ERIK" is on only one of the
SyQuests and on both of the floppies - it's also on my brand new
preformatted floppies.

The "ERIK" on the "#4-44MB" has no modification date - and last year
when I was investigating "ERIK" as a possible virus, the size, and I
think the dates too, would change on successive FileBuddy scans for
invisible files on both my hard drive and on my floppies.

"ERIK" is on some but not all of the commercial floppies I've looked at.

Does anyone know about or have this file on their media or drives?



Name         Type   Creator  Size   Created   Modified   Volume
Desktop      FNDR   ERIK     60K    9/10/93   2/29/96    MISC
Desktop      FNDR   ERIK     286    1/19/95   ?          GREG #4- 44 MB
Desktop      FNDR   ERIK     286    2/20/96   2/20/96    Untitled

Desktop DB   BTFL   DMGR     44K    3/1/94    2/20/96    SyQuest 1- ROBB
Desktop DB   BTFL   DMGR     20K    3/1/94    2/21/96    SyQuest 2 - ROBB
Desktop DB   BTFL   DMGR     28K    2/7/95    3/24/95    SyQuest 3 - ROBB
Desktop DB   BTFL   DMGR     60K    1/19/95   2/20/96    GREG #4- 44 MB

Desktop DF   DTFL   DMGR     148K   2/7/95    3/24/95    SyQuest 3 - ROBB
Desktop DF   DTFL   DMGR     515K   1/19/95   2/20/96    GREG #4- 44 MB
Desktop DF   DTFL   DMGR     108K   3/1/94    2/21/96    SyQuest 2 - ROBB
Desktop DF   DTFL   DMGR     332K   3/1/94    2/20/96    SyQuest 1- ROBB

------------------------------

Date: Sat, 02 Mar 1996 19:01:30 -0500 (EST)
From: <uv923@freenet.victoria.bc.ca>
Subject: Aug, 27 1956 Virus? (MAC)
X-Digest: Volume 9 : Issue 34

Does anyone know of a virus that sets the Date & Time control panel back
to Aug 27 1956 whenever you boot up the computer?  We have had this
computer for many years and it never did that before, but now no matter
how many times we change the date it just goes back to Aug 27 1956 next
time we turn on the computer.

I have tried Disinfectant 3.6 and Gatekeeper 1.3 but they didn't find
anything.

Can anyone give me some ideas on what to do next?

Thanks, email me at uv923@freenet.victoria.bc.ca

Joe Abbott

------------------------------

Date: Wed, 28 Feb 1996 13:28:00 -0500 (EST)
From: Pete Turner <Pete_Turner@bakerbotts.com>
Subject: A Bunch of False-Positives? (WIN95)
X-Digest: Volume 9 : Issue 34

An acquaintance sent me the message below (on her behalf, I apologize for
the spelling and grammatical errors).  I checked the resources mentioned
in the FAQ, and several other AV web sites, but I haven't been able to
find anything helpful.  I'm also sorry for the dearth of specifics she was
able to provide; it seems she panicked and failed to write down all the 
information the various AV scanners gave her.

Based on my limited knowledge, I'm guessing she encountered a couple of
false-positives.  Is it possible the changes she found were caused by NAV
or some other product "inoculating" files?  She just installed Win95 over
Win3.1 - could previous AV products have modified her files so that they
now appear infected to TBAV (this was the first time she used TBAV)? 
Since the details are so lacking, I guess her question should have been: "is
it likely a virus caused this?"

FYI - I did confirm the three AV products she mentioned are Win95
compatible and her PC never exhibited any "odd behavior" (other than TBAV
flagging most of her executables as infected).

Any help or suggestions would be greatly appreciated.  TIA.

(PS. Sorry this turned out to be so long.)

----

I ran Thunderbyte AV and it found my .COMs and .EXEs infected. Some
contained encryption code. The "high sensitivity heuristic" option came
on for thunderbyte and it began flagging perfectly good .EXEs as infected.
I know for sure that some .COMs were infected because one program whose
CRC was different was written by me and I haven't recompiled the source
for four years. All this time McAfee vshield was oblivious to what was
going on.

I exited to DOS and ran Norton AV for DOS. It halted the computer after
finding "Avisp" in memory. I rebooted, went into DOS and it found another
virus in memory. A third reboot revealed nothing in memory or on disk. I 
momentarily took leave of my senses and began deleting folders (sans
recycle bin) whose main .EXEs Thunderbyte said were infected. I sent Sid
Meier's Civilization, MS Office and a few other apps to the great CPU in
the sky before sanity returned and I realised I should keep a copy of the
virus.

It is possible I have removed all traces of it (I hope) but I doubt it.
Have you ever heard of such a virus?

------------------------------

Date: Tue, 27 Feb 1996 19:32:43 -0500 (EST)
From: Wayne Riddle <riddler@agate.net>
Subject: Re: TBAV 6.51 (WIN95)
X-Digest: Volume 9 : Issue 34

Erik Verreth <Erik.Verreth@ping.be> wrote:

>Does anybody know how I can prevent TBAV from starting every time I boot
>my PC?
>
>I'm using W95 and already checked the start-up directory...

The following is supposed to work for version 7.0; give it a try for
version 6.51.

Using regedit, find the following:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Place a ; (semi-colon) in front of the TBAV command line value of the
key.

BTW, I did send the poster an e-mail, I posted for the information of
others reading this.

Wayne Riddle
riddler@agate.net
http://ourworld.compuserve.com/homepages/riddler

[Moderator's note:  Thanks.  A word of warning though--be careful when
using regedit; it can be a dangerous tool in inexperienced hands...]

------------------------------

Date: Fri, 01 Mar 1996 10:52:03 -0500 (EST)
From: "Marijn E. Brummer" <brummer@isltoy.eushc.org>
Subject: New Windows 95 virus or joke? (WIN95)
X-Digest: Volume 9 : Issue 34

On Februari 29 (sic!) at night I noticed small icons, depicting some
document or device being zapped by a lightning bolt, appearing
in the menu bar of the active program in Windows 95.  I did not
have a screen capture utility so I could not collect its
droppings for lab analysis.  I turned the computer off and
back on and I did not see it again (so far). No damage to documents
or disk was immediately apparent.  

Does anyone know anything about this bug?  The Boza patch in
McAfee's SW did not detect it (but it did not answer its description
anyway).

Please let me know if you have anything about this!

Sincerely,

Marijn Brummer

------------------------------

Date: Fri, 01 Mar 1996 11:04:36 -0500 (EST)
From: Jeff Oler <Jeff_Oler@byu.edu>
Subject: Re: What detects BOZA virus? (WIN95)
X-Digest: Volume 9 : Issue 34

news@dub-news-svc-5.compuserve.com wrote:

> Which virus scanner can find this virus and can remove it ?

Symantec just released a NAV update to detect and clean the BOZA virus
(2/22/96).  The update can be obtained from ftp.symantec.com
(02NAV96C.ZIP).

Jeffrey J. Oler
Brigham Young University
Jeff_Oler@byu.edu

------------------------------

Date: Fri, 01 Mar 1996 11:24:01 -0500 (EST)
From: S and S Internationa <sands@cix.compulink.co.uk>
Subject: Re: What detects BOZA virus? (WIN95)
X-Digest: Volume 9 : Issue 34

Dr Solomon's AVTK will detect and repair Boza in 7.58.  For current
versions we can supply an extra driver that will also detect and repair
it.

Paul Simms
Tech Support
S & S

------------------------------

Date: Fri, 01 Mar 1996 11:24:05 -0500 (EST)
From: S and S Internationa <sands@cix.compulink.co.uk>
Subject: Re: MY DOCUMENTS folder virus? (WIN95)
X-Digest: Volume 9 : Issue 34

Sorry, I have no information on a virus of that description; it sounds
more like a problem with Windows 95 than a virus.  Try defragmenting the
hard disk to consolidate your free space.

Regards

Paul Simms
S & S 
Tech Support 

------------------------------

Date: Sat, 02 Mar 1996 00:37:13 -0500 (EST)
From: George Wenzel <gwenzel@gpu.srv.ualberta.ca>
To: virus-l@csc.canterbury.ac.nz
Subject: Re: What detects BOZA virus? (WIN95)

In article <0025.01I1UEAXR4OMQKI9KO@csc.canterbury.ac.nz>,
news@dub-news-svc-5.compuserve.com wrote:
>Which virus scanner can find this virus and can remove it ?

I believe that NAV, McAfee 95, and Dr. Solomon's 95 can find and remove
the Boza virus, but this really should not be a concern.  Boza isn't in
the wild, and it isn't expected to be any time soon.

Regards, 

George Wenzel

 ("`-''-/").___..--''"`-._       George Wenzel <gwenzel@gpu.srv.ualberta.ca>
  `6_ 6  )   `-.  (    ).`-.__.`)Student of Wado Kai Karate
  (_Y_.)'  ._   )  `._ `.``-..-' U of A Karate Club
 _..`--'_..-_/  /--'_.' ,'       HTTP://www.ualberta.ca/~gwenzel/
(il),-''  (li),'  ((!.-'         PGP Public key available on request

------------------------------

Date: Thu, 29 Feb 1996 23:45:53 -0500 (EST)
From: Jim Brady <brady@interaccess.com>
Subject: Windows 3.1 goes blind to icons, dies (WIN)
X-Digest: Volume 9 : Issue 34

I'm not one to cry wolf, but here's what happened:

First, the background (marble.bmp) disappeared, except for two horizontal 
strips. Next, couple days later, "Main" and "Accessories" groups
disappeared, including some executables that should have been in the
\windows directory. One more day, and now all the groups disappeared from
the graphical display, and background consisted of tiny black dots over
blue. Then I got read errors.

Scandisk found some broken chains and crossed files. Norton found lots of 
compression errors (disk is MILDLY compressed).

Any ideas for cures, avoidance would be helpful.

(Oh, and I did run McAfee virus scan, dated 1/96. Is there a new plague
out there for Windows? Shall we blame it all on compression?)

Thanks, all.

- Jim

------------------------------

Date: Thu, 29 Feb 1996 15:22:20 -0500 (EST)
From: "Rob Slade, the doting grandpa of Ryan Hoff" <roberts@mukluk.hq.decus.ca>
Subject: Leap Year date bugs and Michelangelo--Check by Monday (PC)
X-Digest: Volume 9 : Issue 34

Mark Brader, SoftQuad Inc., wrote in:
>RISKS-LIST: Risks-Forum Digest  Thursday 29 February 1996  Volume 17 : Issue 81
>
>Subject: Risks of Leap Years and Dumb Digital Watches [quadrennial posting]
>
>All right now, how many people reading this...
> -> saw a previous appearance of this message in Risks 6.34 or 13.21,
> -> have watches that need to be set back a day because they went 
>    directly from February 28 to March 1,
> -> and *hadn't realized it yet*?

OK, I'll admit it.  Both of my watches are OK (although one will need to
be changed tomorrow), but one of my computers wasn't.  Which reminds me
that I sent out a warning about the Michelangelo virus last week, and
forgot to add that to the warning.  Many computers (how many I have no
idea) automatically skip from "Wednesday, February 28, 1996" to "Friday,
March 1, 1996".  It is quite likely that a number of people will fail to
notice this, and get hit by Michelangelo on Tuesday, rather than
Wednesday, next week.

And now, if you'll excuse me, I'll go and check all the digital *clocks*
around the house ...

====================== 
ROBERTS@decus.ca  rslade@vanisl.decus.ca  Rob.Slade@f733.n153.z1.fidonet.org
    If you can tell good advice from bad advice, you don't *need* any advice
Author "Robert Slade's Guide to Computer Viruses" 0-387-94663-2 (800-SPRINGER)
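To make the date arithmetic in the warning above concrete, here is an added example (it is not part of the original post and is not anything Rob Slade published). It models a clock that stepped from 28 February straight to 1 March and asks on which real calendar day a payload keyed to 6 March (Michelangelo's trigger date) fires. The "one day ahead from 29 February onward" model is the example's own assumption.

```python
from datetime import date, timedelta

# Michelangelo's payload is keyed to 6 March; the year does not matter.
TRIGGER_MONTH, TRIGGER_DAY = 3, 6
DAY_NAMES = ["Monday", "Tuesday", "Wednesday", "Thursday",
             "Friday", "Saturday", "Sunday"]


def is_leap(year: int) -> bool:
    """Gregorian rule.  A clock that only tests year % 4 == 0 is right
    for 1996; a clock that does not know about 29 February at all is not."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def buggy_clock_shows(real: date) -> date:
    """Date displayed by a clock that skipped 29 February.
    Assumption for this example: it was correct on 28 February and then
    stepped straight to 1 March, so from 29 February on it runs one day
    ahead of the calendar."""
    if is_leap(real.year) and real >= date(real.year, 2, 29):
        return real + timedelta(days=1)
    return real


def real_date_when_buggy_clock_shows(shown: date) -> date:
    """Inverse of buggy_clock_shows: the real day on which the clock
    displays 'shown'.  The clock never displays 29 February itself."""
    if is_leap(shown.year) and shown == date(shown.year, 2, 29):
        raise ValueError("a clock that skips 29 February never shows it")
    if is_leap(shown.year) and shown > date(shown.year, 2, 29):
        return shown - timedelta(days=1)
    return shown


def payload_fires_on(year: int, clock_skipped_leap_day: bool) -> date:
    """Real calendar date on which a 6 March payload fires in 'year'."""
    trigger = date(year, TRIGGER_MONTH, TRIGGER_DAY)
    if clock_skipped_leap_day:
        return real_date_when_buggy_clock_shows(trigger)
    return trigger


def weekday_name(d: date) -> str:
    return DAY_NAMES[d.weekday()]


if __name__ == "__main__":
    for buggy in (False, True):
        d = payload_fires_on(1996, buggy)
        print(f"clock skipped 29 Feb: {buggy!s:5}  payload fires "
              f"{weekday_name(d)} {d.isoformat()}")
```

For 1996 this gives Wednesday 6 March with a correct clock and Tuesday 5 March with the skipping clock, which is why a scan "by Monday" is the safe schedule rather than trusting the machine's own date.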

------------------------------

Date: Tue, 27 Feb 1996 14:58:26 -0500 (EST)
From: "Denis Parslow (Almo Distributing)" <dgp@world.std.com>
Subject: Re: Viruses that damages hardware (PC)
X-Digest: Volume 9 : Issue 34

[snipping out a nice description on how it could be possible to 
target a single adapter card, or chipset, or even, sometimes, family 
of chipsets for damaging the monitor]

>This is similar to the "risk" of having a Flash BIOS on your PC. Although
>it is possible that such a virus could be written, it doesn't seem
>plausible that a virus writer would spend the time to produce a virus that
>would, of necessity, be fairly large. 
>
>Compare the number of Video Drivers used with Windows or WIn95 (or OS/2
>for that matter) and you realize that the virus would have to either be
>VERY LARGE or the number of cards attacked would have to be VERY SMALL.
>Not a very fertile soil for those virus writers (may they all be hung by
>close friends) to sow.

The problem is that if the person is writing a virus to be malicious, 
and isn't targeting an AV package as in a 'game', this would be a 
rational way to stage an attack.  You can make a virus that acts only 
marginally slowly, perhaps, so that it spreads quickly if not 
detected.  However, if it is spreading through a system without the 
targeted chip, it wouldn't be noticed (you can usually determine the chipset 
through a BIOS call, so if it isn't the target, do not 
react).  The only reason to slow it down is if it gets into a network 
of similar computers with the target, so that it might get more than one
card.  The only drawback to this plan is that the monitor gets 
damaged, not the card.

The same concept would work for FLASH BIOS, although one would 
probably target a particular BIOS mfgr and chipset, to try to narrow 
down to systems it would be more likely to succeed on.  Perhaps 
choosing a system maker and a model, and using the BIOS info from 
there.

The fact that it has fewer targets would lend to it being a more 
'successful' virus by allowing it more chance to spread before being 
noticed.

Make sense to anyone?

Denis Parslow
Engineering Mgr
Almo Distributing, Trademark Computers
dgp@world.std.com
http://www.almo.com
http://world.std.com/~dgp/

------------------------------

Date: Tue, 27 Feb 1996 17:14:20 -0500 (EST)
From: Cheryl Garfin <GarfinChe@Cheers.niacc.cc.ia.us>
Subject: Re: Ripper and NYB (PC)
X-Digest: Volume 9 : Issue 34

I'm still having trouble with the Ripper Virus. This time it crippled the
computer so that you couldn't boot up at all.  I was told to boot with a
clean boot disk and then run a:f-prot /hard /disinf.  What will this do?
I tried to do this and it said that it didn't have a virus at all.  I
need help on this one we have 10 laptops that have both Windows 95 and
Windows 3.11 for Workgroups on it.  Seems like they are having an awful
time with this virus.

  Cheryl - Technician 
  North Iowa Area Community College

[Moderator's note:  Ripper is a "data diddler", slowly but surely
corrupting the contents of any media written to in infected machines.  The
existence of such viruses and widespread occurrence of one of them
(Ripper) makes good AV precautions an absolute necessity, because if left
long enough you may not have unaffected backups to go back to...]
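An added example, not from the original post or the moderator's note: the file-integrity baseline that a data diddler like Ripper forces you to keep. It hashes a directory tree, stores the digests, and on a later run reports anything added, removed or silently changed; the sample files and the single-bit corruption are constructed inline so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (path relative to root, POSIX
    separators) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(baseline: dict[str, str],
                      current: dict[str, str]) -> dict[str, list[str]]:
    """Diff two manifests.  'changed' is the interesting set for a data
    diddler: same name, same place, different contents."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys()
                          if baseline[k] != current[k]),
    }


def diddle_one_bit(path: Path, offset: int) -> None:
    """Simulate a data diddler: flip one bit in place.  Size, name and
    directory entry are untouched, so a DIR listing shows nothing."""
    data = bytearray(path.read_bytes())
    data[offset] ^= 0x01
    path.write_bytes(bytes(data))


def demo() -> dict[str, list[str]]:
    """Baseline a constructed tree, corrupt one byte, add one file, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_bytes(
            b"Quarterly figures: 1024 units shipped\n")
        (root / "budget.csv").write_bytes(b"item,amount\nprinter,300\n")
        baseline = build_manifest(root)

        diddle_one_bit(root / "budget.csv", 20)   # '300' silently becomes '200'
        (root / "notes.txt").write_bytes(b"new file\n")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:8s} {names}")
```

Keep the manifest on write-protected media or on another machine, and run the comparison before each backup so that a corrupted file is caught before it overwrites the last good copy in the backup set. A digest mismatch tells you that a file changed, not why; treat it as the cue to boot clean and scan, not as a verdict.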

------------------------------

Date: Tue, 27 Feb 1996 17:21:52 -0500 (EST)
From: Doug Muth <dmuth@oasis.ot.com>
Subject: Re: What to do with suspected virus? (PC)
X-Digest: Volume 9 : Issue 34

In article <0040.01I1OVIDD4Q4QKG2H9@csc.canterbury.ac.nz>, Richard and
Valerie McKay writes:

: Are there any GOOD programs for virus detection and removal that the
: average idiot can use, or is this perhaps something that is best left to a
: computer tech somewhere?  Are the programs available in stores such as
: Egghead, for example, or are there some GOOD programs out as shareware?

	F-Prot is pretty easy to use.  It can be found on Simtel mirrors.

: Certain things that have happened to my system since last Friday include 
: misreporting of file sizes (prior to running defrag), resizinge and
: redating of many .dll files, sudden lost clusters appearing, most of which
: WERE part of programs that I use, altered words in my e-mail configuration
: grid for the mailhost on this system (one morning it said mailtsoh or
: something similar... no wonder I couldn't connect with the server!).  My
: e-mail program is now  displaying any word with a capital T with the T
: immediately under the next letter in the word.  Many little irritating
: things are happening here!

	Hmm...looks like massive file corruption.  While a virus could be 
doing this, it may be caused by other things, such as a very buggy 
program or a conflict between devices.

: Also, I was under the impression that viruses were mainly found attached
: to executable files... can they actually come over to one's system in a
: graphic file, or attached to e-mail these days?

	In theory, you could use some hex-editing programs and place a 
virus in a GIF or similar file, but who would execute a GIF file??  As 
for the e-mail, an infected program or a document with an infected macro 
could be attached to an e-mail and sent, but there is no infection as 
long as the recipient does not execute the program or the macro.

	Regards,

-
-<Doug Muth>---<dmuth@ot.com>--| Finger dmuth@oasis.ot.com for
--<http://www.ot.com/~dmuth>---| PGP public key and geek code
Anti-virus software and utils:  | The Transformers fanfiction:
~dmuth/virus/virus.html         | ~dmuth/tf/tf.html
-=-=-=-=-=-"Linux - The choice of a GNU generation"-=-=-=-=-=-

------------------------------

Date: Tue, 27 Feb 1996 21:41:51 -0500 (EST)
From: James Paul LaCas <jlacas@alaska.net>
Subject: FORM_D boot sector virus (PC)
X-Digest: Volume 9 : Issue 34

How do you get rid of the FORM_D boot sector virus?

------------------------------

Date: Tue, 27 Feb 1996 22:02:19 -0500 (EST)
From: David Meyer - Osaka IS Office <meyer@ohsun01.sumitomo-chem.co.jp>
Subject: Help me rid the Stoned Empire Monkey virus (PC)
X-Digest: Volume 9 : Issue 34

I found Stoned-Empire-Monkey-B on a Compaq notebook PC hard disk MBR and
several floppies' boot sectors (no file infection) a few weeks ago and
cleaned it up without great difficulty.

Peter Neilley <neilley@ucar.edu> wrote:

   >I think that even the original boot 
   >diskette that came with my PC is infected as it was not write 
   >protected and I recently booted off of it.

The floppy will NOT be infected IF it was not accessed while the virus
was resident in memory. That is, if you powered-off the PC, inserted the
floppy, and then powered-on to boot, your floppy is safe.

   >I could use some advise on how to rid myself of this virus
   >from anyone who has gone through this process.

F-PROT detects this virus and removes it from hard disks and (most)
floppies. 

F-PROT was not able to disinfect some floppies with an unusual format
(1.2 MB). I disinfected most of these by copying system files from an
uninfected hard disk to the floppies (DOS SYS command) in order to
overwrite the floppies' boot sector. (I then deleted IO.SYS, MSDOS.SYS,
and COMMAND.COM from the floppies as I did not wish to make the floppies
bootable.) This removed the virus and left floppies' data files intact. 

For floppies that were too full to accept system files, I first copied
all files from the infected floppy (copy in file units: use DOS COPY
command, *NOT* DISKCOPY) to the hard disk of an uninfected system, and
then copied the files from the hard disk to a new (clean) floppy. Note
that the old floppy remains infected and should NOT be used (disinfection
may be possible by reformatting the floppy, but I haven't tried this).

   >Also, should I be successful in cleaning my system, is it safe to
   >ever use any of the diskettes I have again, even if they are just
   >data (and not bootable) disks?  

Non-bootable floppies ARE infectable and can spread the virus to other
PCs.  However, if the virus is completely removed from the floppy, the floppy
again becomes safe to use.  Read the FAQ for more details.

Sincerely,

David Meyer
Osaka, Japan
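An added example, not from the post above and not part of F-PROT or DOS: a small parser for the DOS floppy boot sector (BIOS Parameter Block at offset 0x0B, boot signature 0x55AA at 0x1FE) that reports which floppy format the sector claims and flags internal inconsistencies, plus a comparison that ignores the BPB so two SYS'd floppies of different formats (1.44 MB and 1.2 MB, say) can be checked for identical boot code. It detects no particular virus; a boot-sector infector normally keeps a valid BPB so DOS can still read the disk, so the structural check only tells you the sector is shaped like a standard one. The sample sectors are constructed inline, and the assumption that boot code starts at 0x3E (DOS 4.0+ extended BPB layout) is the example's own.

```python
import struct

BPB_FMT = "<HBHBHHBHHH"   # BPB fields from offset 0x0B, little-endian, no padding
BPB_OFFSET = 0x0B
CODE_OFFSET = 0x3E         # assumption: DOS 4.0+ layout, code follows the extended BPB
SIGNATURE_OFFSET = 0x1FE

# total sectors -> (label, media descriptor byte, sectors per track)
FLOPPY_FORMATS = {
    720:  ("360 KB", 0xFD, 9),
    1440: ("720 KB", 0xF9, 9),
    2400: ("1.2 MB", 0xF9, 15),
    2880: ("1.44 MB", 0xF0, 18),
}


def parse_bpb(sector: bytes) -> dict:
    """Unpack the BIOS Parameter Block of a 512-byte boot sector."""
    if len(sector) != 512:
        raise ValueError("boot sector must be exactly 512 bytes")
    (bps, spc, reserved, fats, root_entries, total, media,
     spf, spt, heads) = struct.unpack_from(BPB_FMT, sector, BPB_OFFSET)
    return {
        "oem": sector[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "reserved_sectors": reserved, "fats": fats,
        "root_entries": root_entries, "total_sectors": total,
        "media": media, "sectors_per_fat": spf,
        "sectors_per_track": spt, "heads": heads,
    }


def floppy_format(sector: bytes) -> str:
    """Human-readable format the BPB claims, or 'unknown'."""
    fmt = FLOPPY_FORMATS.get(parse_bpb(sector)["total_sectors"])
    return fmt[0] if fmt else "unknown"


def check_boot_sector(sector: bytes) -> list:
    """Structural findings; an empty list means 'shaped like a standard
    DOS floppy boot sector', nothing more."""
    findings = []
    if sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    if sector[0] not in (0xEB, 0xE9):
        findings.append("first byte is not a JMP")
    bpb = parse_bpb(sector)
    if bpb["bytes_per_sector"] != 512:
        findings.append(f"bytes per sector is {bpb['bytes_per_sector']}, not 512")
    if bpb["fats"] not in (1, 2):
        findings.append(f"implausible FAT count {bpb['fats']}")
    fmt = FLOPPY_FORMATS.get(bpb["total_sectors"])
    if fmt is None:
        findings.append(f"unrecognised total sector count {bpb['total_sectors']}")
    else:
        label, media, spt = fmt
        if bpb["media"] != media:
            findings.append(f"media byte 0x{bpb['media']:02X} does not match "
                            f"{label} (expected 0x{media:02X})")
        if bpb["sectors_per_track"] != spt:
            findings.append(f"{bpb['sectors_per_track']} sectors/track does not "
                            f"match {label} (expected {spt})")
    return findings


def same_boot_code(a: bytes, b: bytes) -> bool:
    """True if two sectors carry identical bytes outside the BPB region:
    the jump/OEM bytes and everything from CODE_OFFSET to the end."""
    return a[:BPB_OFFSET] == b[:BPB_OFFSET] and a[CODE_OFFSET:] == b[CODE_OFFSET:]


def make_sample_boot_sector(total_sectors: int, media: int, spt: int,
                            sectors_per_fat: int = 9) -> bytes:
    """Constructed sample (not a dump of a real disk): a DOS-style sector
    with a plausible BPB and a filler byte pattern where boot code would be."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x3C\x90"                 # JMP SHORT to 0x3E ; NOP
    sec[3:11] = b"MSDOS5.0"
    struct.pack_into(BPB_FMT, sec, BPB_OFFSET, 512, 1, 1, 2, 224,
                     total_sectors, media, sectors_per_fat, spt, 2)
    sec[CODE_OFFSET:SIGNATURE_OFFSET] = bytes(
        (i * 7) & 0xFF for i in range(SIGNATURE_OFFSET - CODE_OFFSET))
    sec[SIGNATURE_OFFSET:] = b"\x55\xAA"
    return bytes(sec)


if __name__ == "__main__":
    good = make_sample_boot_sector(2880, 0xF0, 18)
    print(floppy_format(good), check_boot_sector(good) or "OK")
    odd = make_sample_boot_sector(2400, 0xF0, 18)   # 1.2 MB count, 1.44 MB geometry
    print(floppy_format(odd), check_boot_sector(odd))
```

The practical use after a SYS-based clean-up is the comparison: read sector 0 of the freshly written floppy and of a second floppy SYS'd from the same clean machine, and expect same_boot_code to be true; a floppy whose code area differs from its siblings is the one to look at again with a scanner booted from known-clean media.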

------------------------------

Date: Wed, 28 Feb 1996 04:20:43 -0500 (EST)
From: Otto Stolz <Otto.Stolz@uni-konstanz.de>
Subject: How to boot clean (was: How to remove "Ekaterin" virus?) (PC)
X-Digest: Volume 9 : Issue 34

On Tue, 30 Jan 1996, Lee Brown wrote on how to prevent a virus from
loading when you switch on a machine:
> 1. Find a clean (non-infected) boot disk.
> 2. Switch off the computer.
> 3. Place the disk into the drive.
> 4. Switch the computer back on.
> 5. Run a DOS-based virus scanner to check memory!!

On Mon, 05 Feb 1996 09:32:09 -0500 (EST) Kenneth Albanowski
<kjahds@kjahds.com> said:

> one step is missing from the above list:
> 1.5. Bring up the computer's BIOS setup screen (usually ESC or DEL while
> it's booting) and make sure that it is set to boot drives "A: before C:".

Another important step is missing: You have to make sure that the A drive
is correctly configured, in the BIOS setup (step 4, below).

The correct procedure is:
1. Switch the power off.
2. Insert a Known Clean Boot Diskette into drive A.
3. Switch the power on, and enter the BIOS Setup Menu.
   (Consult the pertinent user's manual for the specific procedure.
   If the computer requires the setup menu to be loaded from a disk, you
   may have to tinker with the hardware before you can boot clean.)
4. In the BIOS Setup Menu, check the specification of drive A, and
   correct it if necessary.
5. If the BIOS allows you to set up the boot sequence, specify A as the 1st
   (or only) drive to boot from.
6. If you are going to remove an MBR infector from your HD, and if the
   BIOS allows you to set up any boot-sector protection (aka MBR
   protection), then disable such protection.
7. Store these settings to the CMOS, and leave the Setup Menu;
   the computer will now be booted from the diskette in drive A.

Note: A Known Clean Boot Diskette (required in step 2) is
      either a DOS distribution disk from a trustworthy vendor, that has
             been write-protected from its very beginning,
      or     a DOS bootable disk prepared on a computer that has been
             booted clean immediately before the disk was prepared,
             and write-protected ever since.

Good luck,
             Otto Stolz

------------------------------

Date: Wed, 28 Feb 1996 13:49:52 -0500 (EST)
From: Tim Adamec <TAdamec@smtplink.simsci.com>
Subject: "FOOP" sound familiar to anyone? (PC)
X-Digest: Volume 9 : Issue 34

This seems to be virus-like behavior to me. I've run McAfee (apologies if
I can't spell :) against _EVERY_ file on the three drives I have and it
comes up negative.

Every once in a while a file will be created in my root drive called FOOP.
It's a 5 byte file with the text:

hiya!

Anybody ever seen this before? I've deleted the file and it reappears at a
later date, but I can't seem to find which program(s) trigger the
"infection". As an aside, I had a _BAD_ cross-linking problem last night
shortly after noticing the FOOP file had reappeared. I don't think it's
related, but...

Thanks for any help!

Timothy M. Adamec
tadamec@simsci.com
tadamec@earthlink.net

(please CC tadamec@earthlink.net, my POP account seems to filter out
anything with an address remotely like "listserv".)

------------------------------

Date: Wed, 28 Feb 1996 14:56:58 -0500 (EST)
From: Bill lambdin <vfreak@skn.net>
Subject: Re:PC-Cillin AV (PC)
X-Digest: Volume 9 : Issue 34

"Chengi J. Kuo" <cjkuo@alumnae.caltech.edu> writes

>But seeing as it's a new retail entrant, we asked VSUM to check its
>detection level.  While the big names that appear in this forum
>register detection levels on the VSUM tests greater than 95%,
>PC-Cillin came in at around 80% (Feb results).

Jim:

PC-cillin is not a new entrant. PC-cillin has been around for years.

I do not recommend PC-cillin as a scanner, but I do recommend PC-cillin as
a generic A-V program.

	Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net                     PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                          C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Wed, 28 Feb 1996 20:19:02 -0500 (EST)
From: Erwin Loewen <eloewen@edc.gov.ab.ca>
Subject: PKZ300 Virus (PC)
X-Digest: Volume 9 : Issue 34

I suppose this is old news to most of you, but some of my network clients
are getting a new posting from NewbieNews listserv about the PKZ300 virus. 
I've checked CERT and various other sources and nothing new has been
listed about PKZ300 anywhere recently.  It first showed up around June
last year, as I recall.

Is there some new threat regarding this virus?  Has it been recently
posted in new areas?  Or is NewbieNews just a little behind the times in
getting their warnings out?  Or is it just me; maybe because I don't
regularly visit this group I've missed a great thread on this very topic a
couple of weeks ago?

Anyways, any light shed on this will obviously be more than I have now. 
Thanks for whatever.


Erwin Loewen
Network Analyst
Alberta Education

email: eloewen@edc.gov.ab.ca

------------------------------

Date: Thu, 29 Feb 1996 00:34:32 -0500 (EST)
From: Johnny Chung <chungj@is2.nyu.edu>
Subject: Divide overflow on floppy access (PC)
X-Digest: Volume 9 : Issue 34

I am not sure if anyone has experienced the following phenomenon.

I disinfected 3.5" HD floppies containing Urkel or ANTIEXE viruses using
McAfee's Win95 virus scan 2.01.  It seems to CLEAN it fine, but when I
try to access the floppies, it gives me a DIVIDE OVERFLOW error.  I've
tried it on several machines with the same result.

NDD and Disk Editor will not touch it.  As soon as the diskette is being 
accessed, I get the DIVIDE OVERFLOW.  Does anyone have any clues as to 
why this is happening?  I am sure I can just go ahead and reformat it, 
but I would like to know the cause of the DIVIDE OVERFLOW.  

Thanks in advance.

-Johnny
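As an added example (not from Johnny's post, McAfee, or any of the tools he mentions), here is the kind of check a practitioner would run on a raw copy of the cleaned floppy's boot sector before reformatting it. DOS translates logical sectors to head/track positions by dividing by the BPB's sectors-per-track and heads fields, so a disinfection that leaves those fields zeroed is one plausible cause of a divide overflow on first access; that diagnosis is an assumption here, not something the post establishes, and the sample sector is constructed, not from a real disk.

```python
import struct

# BPB field layout of a DOS 3.31+ boot sector: (name, offset, struct format).
BPB_FIELDS = (
    ("bytes_per_sector",    0x0B, "<H"),
    ("sectors_per_cluster", 0x0D, "<B"),
    ("reserved_sectors",    0x0E, "<H"),
    ("num_fats",            0x10, "<B"),
    ("root_entries",        0x11, "<H"),
    ("total_sectors",       0x13, "<H"),
    ("media_descriptor",    0x15, "<B"),
    ("sectors_per_fat",     0x16, "<H"),
    ("sectors_per_track",   0x18, "<H"),
    ("heads",               0x1A, "<H"),
)

# Fields DOS uses as divisors when mapping a logical sector to CHS.
DIVISORS = ("bytes_per_sector", "sectors_per_cluster", "sectors_per_track", "heads")


def parse_bpb(sector: bytes) -> dict:
    """Decode the BPB fields of a 512-byte boot sector into a dict."""
    if len(sector) < 512:
        raise ValueError("need a full 512-byte boot sector")
    return {name: struct.unpack_from(fmt, sector, off)[0] for name, off, fmt in BPB_FIELDS}


def check_boot_sector(sector: bytes) -> list:
    """Return a list of problems found; an empty list means the BPB looks usable."""
    problems = []
    if sector[510:512] != b"\x55\xAA":
        problems.append("missing 55AA boot signature")
    bpb = parse_bpb(sector)
    for name in DIVISORS:
        if bpb[name] == 0:  # zero divisor -> INT 0 'Divide overflow' in DOS
            problems.append(f"{name} is 0: DOS divides by it on every access")
    if bpb["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        problems.append(f"odd bytes_per_sector {bpb['bytes_per_sector']}")
    spt, heads, total = bpb["sectors_per_track"], bpb["heads"], bpb["total_sectors"]
    if spt and heads and total % (spt * heads):
        problems.append("total_sectors is not a whole number of cylinders")
    return problems


def make_sector(spt: int = 18, heads: int = 2) -> bytes:
    """Constructed 1.44 MB floppy boot sector (sample data, not a real disk image)."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x3C\x90"           # JMP over the BPB, as real boot code does
    sec[3:11] = b"MSDOS5.0"              # OEM name
    struct.pack_into("<HBHBHHBHHH", sec, 0x0B, 512, 1, 1, 2, 224, 2880, 0xF0, 9, spt, heads)
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)
```

To examine a real diskette, read its first 512 bytes with a raw-sector tool and pass them to check_boot_sector(); the geometry warnings point at the fields a disinfector may have clobbered.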

------------------------------

Date: Thu, 29 Feb 1996 02:40:27 -0500 (EST)
From: Peter Cingel <CINGEL@doktor.jfmed.uniba.sk>
Subject: MATURITA virus (PC)
X-Digest: Volume 9 : Issue 34

I have discovered the MATURITA virus by using McAfee VirusScan. I know
nothing about that virus. What should I do to remove that virus from my
hard disk and diskettes?

Please advise soonest! Thanks a lot

Peter Cingel cingel@doktor.jfmed.uniba.sk

------------------------------

Date: Thu, 29 Feb 1996 04:20:48 -0500 (EST)
From: MARSat <marsat@aol.com>
Subject: Re: Possible Virus? Windows95 (PC)
X-Digest: Volume 9 : Issue 34

Sounds more like you have hit the IDE 520 barrier.  Check your controller
card if it can support drives larger than 520. If it can't, all is still
not lost. You will need software support, something like Ontrack
DriveManager, that handles the problem. Of course you can also consider
changing your I/O card to one that handles the larger drive volume (
currently up to about 2 Gigabytes, I think ). They are usually called EIDE
(Enhanced Integrated Drive Electronics ) cards. This may be best as they
also are multi I/O cards that usually have the 16550 UART ( Hi-speed serial port
) chips and the EPP ( Enhanced Parallel Port ) that will improve the
performance of your computer.  A key sign is if your modem seems to be too
slow; this may not be the fault of the reception, but the older UART serial
chip cannot keep up with the modem ( External of course. )

Abdul Sattaur ( MARSat @ aol.com )

------------------------------

Date: Thu, 29 Feb 1996 09:09:18 -0500 (EST)
From: Michael Gurr <mgurr@cix.compulink.co.uk>
Subject: Re: kbug1720 remover or disinfection? (PC)
X-Digest: Volume 9 : Issue 34

Kbug-1720 is in the Cheyenne Inoculan Software I am running under WinNT
3.51 - I downloaded an evaluation copy & removed a number of
Winword.Concept infestations caused by accepting files from a Client.

------------------------------

Date: Thu, 29 Feb 1996 11:08:16 -0500 (EST)
From: Joe Marshall <joe@imperial.cc.ca.us>
Subject: Wordperfect 6.1 Virus? (PC)
X-Digest: Volume 9 : Issue 34

I am a technician at a community college and we are having trouble with
Wordperfect 6.1 for Windows going down.  It seems that files are being
deleted in Windows as well as other different applications.

Windows kernel becomes damaged and parts if not all of Wordperfect become
damaged.

We have tried the latest versions of McAfee's Vshield and Scan and have
also tried F-prot, both of which have been very successful in the past at
locating viruses, but neither one of these finds any viruses on the
computers with the problems.

If anyone out there has any info I'd appreciate the help.

Thanks

------------------------------

Date: Thu, 29 Feb 1996 11:37:27 -0500 (EST)
From: Philipp Stampfu <stampfu@urix8.uni-muenster.de>
Subject: Problems accessing floppy drive (PC)
X-Digest: Volume 9 : Issue 34

I have a problem with my floppy-disk-drive and I think it's a virus. Here
is my problem:

If I boot the computer with OS/2:
  I copy files to a disk and compare them with COMP. Then there are always
  some files on the disk which are different from the original files.
  This problem does not occur if I copy the files from the hard-disk to
  another directory of the harddisk.

If I boot the computer with DOS:
  If I compress files with PKZIP and I copy the file NAME.ZIP to the
  floppydisk and then back to the harddisk, I can't uncompress the file.

And now, why I think it's a virus:
  If I start my computer with a DOS bootdisk, the problem doesn't occur.

But I have not found any virus with McAfee.

Philipp

------------------------------

Date: Fri, 01 Mar 1996 06:28:54 -0500 (EST)
From: Alexander Stanton <a.stanton1@ic.ac.uk>
Subject: How to get rid of Stoned Empire Monkey virus (PC)
X-Digest: Volume 9 : Issue 34

I can't get rid of this no matter how hard I try. I've already
resigned myself to repartitioning my harddrive, but I can't even get that
to work.

The virus loads in before the floppy is activated for booting, and
will only boot if the floppy is write-enabled. If it is
write-protected it just hangs. Using fdisk or format from an infected
disk has no effect.

The only way I can get  the machine to boot from a clean floppy
is to disable the hard drive in the bios.

fprot and norton antivirus won't disinfect the drive while the
virus is in memory and want a clean boot.

So how do I get rid of it? Is my hard drive good for the dumpster?

Any help would be appreciated.

Alexander Stanton
as7@ee.ic.ac.uk

------------------------------

Date: Fri, 01 Mar 1996 10:07:31 -0500 (EST)
From: Gerard Mannig <mannig@world-net.sct.fr>
Subject: FRENCH readers : read this NOW (PC)
X-Digest: Volume 9 : Issue 34

Hi French readers !

This mail is to inform you about the spread of up to 10 viruses from
December 95 to nowadays mainly via French BBS channel.

Those viruses are called 'WereWolf' and are unfortunately detected by only
a few AV packages and disinfected by none, except by AVP, as far as I know.

Those viruses are both TSR and 'direct action' ones and practically all of
them randomly wipe out HD sectors. Currently, mainly BBS SysOps have been
hit but, due to AV editors' reaction time, some companies began to report
WereWolf.

I made AVP routines available for all these viruses. Please, Email me for
further details.

Regards,

- ---------------------------------------------------------------------------------------
Gerard MANNIG                                             Virus Consultant 
    Phone : +33 (16) 3559-9344     Fax     : +33 (16) 3560-5011               
Report a virus attack: http://www.primenet.com/~mwest/vir-vrf.htm
Member of   R . E . C . I . F 
data +33 1 3415-4959                Voice machine +33 1 3072-9443
=-=-=- I do NOT speak for RECIF unless otherwise specified -=-=-

[Moderator's note:  I'd also draw your attention to an earlier thread on
this virus family in digests 11,12,13 and a brief description of each
virus in the family in digest 22.]

------------------------------

Date: Fri, 01 Mar 1996 18:49:15 -0500 (EST)
From: Kevin Marcus <datadec@cs.UCR.EDU>
Subject: Re: DOOM2 DEATH (PC)
X-Digest: Volume 9 : Issue 34

In article <0017.01I1OVIDD4Q4QKG2H9@csc.canterbury.ac.nz>,
Chengi J. Kuo <cjkuo@alumnae.caltech.edu> wrote:
>>Could some kind soul please tell me details of the DOOM2 DEATH virus.
>
>Other AV products will call this Taipan.666, which is the CARO name.

Just curious - why does scan persist on using a naming scheme which
greatly diverges from the rest of the community?  Most certainly it
improved from the 1.x to 2.x series, but ??

- -
Kevin Marcus:                            http://www.cs.ucr.edu/~datadec
  CS Dept, U/CA, Riverside:              mailto:datadec@cs.ucr.edu
  Virus-L archives:                      ftp://ftp.cs.ucr.edu/pub/virus-l
  OKRA net.citizen Directory Services:   http://okra.ucr.edu/okra

------------------------------

Date: Sat, 02 Mar 1996 11:33:34 -0500 (EST)
From: Powerless <greendm@tiac.net>
Subject: Re: McAffee Word Virus Utility (PC)
X-Digest: Volume 9 : Issue 34

Eric Choiniere <choua@graf.polymtl.ca> wrote:

>Does anybody
>know how to disable this McAffee utility so that Word works fine again?

I have had NOTHING but trouble with my Mcafee product.  I bought
VirusScan and plan to bring it back for a refund.  The virus data base
is outdated, and Mcafee will not respond to my inquiries.

------------------------------

Date: Sat, 02 Mar 1996 15:44:42 -0500 (EST)
From: Ed Epstein <eepstein@gate.net>
Subject: Re: Possible Virus? Windows95 (PC)
X-Digest: Volume 9 : Issue 34

Adam Hughes wrote:

> I am having a lot of problems with my system.  I am getting weird drive
> space results on my File Explorer and System Information (Norton
> Utilities95).  I have a 850Mb HD partitioned in two.  My C: drive should
> read 430Mbs total disk
> 
> 
> I don't know if I have some sort of virus or if there is a problem with
> Norton Utilities, Windows95 or some kind of bug.
> 
> If any one has any ideas on what this might be and/or any solutions it
> would be greatly appreciated!

Just make sure that you are running the most recent Norton Anti-virus
files. Check Symantec's Web site...they just posted new releases to the
WIN95 anti-virus program on Feb 9th which include inoculations for
the Boza virus.

------------------------------

Date: Sat, 02 Mar 1996 22:25:28 -0500 (EST)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: Norton AntiVirus (PC)
X-Digest: Volume 9 : Issue 34

Al Kimel (akimel@awod.com) wrote:
: b161 <b161@admn.shs.nebo.edu> writes:
: > How does any/everyone rate The Norton Antivirus, for windows or dos and
: > any version???

: I'm no expert, so all I can rely on are the various tests that I
: have seen.  Norton consistently ranks below the major scanners
: available.

On number of viruses detected. This isn't the only relevant criterion,
though.

: Since there seem to be better products available (e.g.,
: F-Prot, Dr. Solomon's, AVP, Sweep, McAfee), I would personally avoid
: Norton and turn to one of the others.  

Also depends on criteria.

: On the other hand, my impression
: is that Norton has gotten better over the past year or so (though I'd
: like to hear the opinions of the experts on this).

ditto * 2

Trouble is, evaluating an a/v package calls for a specialist....

DH

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 34]
*****************************************


