Date: 	Wed, 06 Mar 1996 02:13:11 +1300 (NZD)
Reply-To: virus-l@Lehigh.EDU
Sender: owner-virus-l@Lehigh.EDU
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>
Subject: VIRUS-L Digest V9 #35

VIRUS-L Digest Wednesday, 6 Mar 1996    Volume 9 : Issue 35

Today's Topics:

Administrivia (ADMIN)
Re: Flash BIOS viruses?
(Fwd) Boza virus: knee-jerk media response more hazardous to wallet (from RISKS DIGEST 17.74)
Re: Hard drive hardware write protection
Re: Virus Damage Statistics
Re: Student use of PCs
Technicalities of scanning Email in multi-OS network??
Re: Hard drive hardware write protection
Re: Mac Virus "FNDR ERIK" ?? (MAC)
Re: Mac Virus "FNDR ERIK" ?? (MAC)
Re: Mac Virus "FNDR ERIK" ?? (MAC)
Macintosh Ram Virus?? (MAC)
Re: Mac Virus "FNDR ERIK" ?? (MAC)
Re: Aug, 27 1956 Virus? (MAC)
Re: Aug, 27 1956 Virus? (MAC)
Re: Aug, 27 1956 Virus? (MAC)
Re: Effects of Word.Concept Virus? (MAC,WIN)
WinWord.Nuclear (MAC,WIN)
Wierd thing happens with McAfee when booting up (WIN95)
Win95 calculator virus? (WIN95)
Possible Virus!! (WIN95)
McAfee 2.0 for Win95 "feature" (WIN95)
Re: DOS Antivirus software under Windows? (WIN)
Nov 17th virus (PC)
Re: Divide overflow on floppy access (PC)
F-PROT, Opinions? (PC)
Mystery Virus(PC)
Unknown virus (PC)
Re: Problems accessing floppy drive (PC)
Re: Wordperfect 6.1 Virus? (PC)
Virus MATRIOSKA! Who knows it? (PC)
Re: Divide overflow on floppy access (PC)
Re: How to get rid of Stoned Empire Monkey virus (PC)
keeper ck.777 need some help????? Please (PC)
Re: PKZ300 Virus (PC)
Found a virus on my HDD.. (PC)
Podaj hasLo? (PC)
Virus in Memory--sometimes (PC)
Modem snag: Virus or NAV? (PC)
Re: DOOM2 DEATH (PC)
Re: Divide overflow on floppy access (PC)
Re: Ripper and NYB (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Wed, 13 Mar 1996 18:00:50 +1300 (NZD)
From: Nick FitzGerald <n.fitzgerald@csc.canterbury.ac.nz>
Subject: Administrivia (ADMIN)
X-Digest: Volume 9 : Issue 35

Sorry for the brief cessation in postings there--first the Virus-L
subscriber list was trashed and then I had to wait while the Listserv
software was changed over to v7.2.  I am assured the new listserv s/w
would not cause any problems but it didn't quite like all the headers
as I had been sending to the earlier version.   Please report anything
"odd" you think may be related to the listserv upgrade to my personal
Email address (n.fitzgerald@csc.canterbury.ac.nz) rather than to the list.
 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
 n.fitzgerald@csc.canterbury.ac.nz  TEL:+64 3 364 2337, FAX:+64 3 364 2332
	      Virus-L/comp.virus moderator and FAQ maintainer
   PGP fingerprint =  2E 7D E9 0C DE 26 24 4F  1F 43 91 B9 C4 05 C9 83

------------------------------

Date: Mon, 04 Mar 1996 04:48:56 -0500 (EST)
From: Oeyvind Pedersen <Oyvind.Pedersen@capella.no>
Subject: Re: Flash BIOS viruses?
X-Digest: Volume 9 : Issue 35

In article <0005.01I1X44CWLTKQKI9KO@csc.canterbury.ac.nz>,
   "Derek V. Giroulle" <Dirk.Giroulle@ping.be> wrote:

>Anyway that leads me to another question is there some kind of
>flash-rom Bios backup/restore  utility , if it still helps after an
>infection ...?

There is no such thing. As you can tell from the name, the BIOS does the
"Basic Input/Output". If you wipe your Flash BIOS, it will act like
a motherboard with the BIOS ripped off the board. The only thing
that works will be your power LED.

Personally I think the whole idea of Flash BIOS on standard MB is a bad
idea. (not talking about portables with lots of fancy powersaving
features) It is an excuse for sending customers beta-versions of hardware.
I've had to upgrade BIOS'es a few times, and I don't think that the
process of updating the BIOS physically was such hard work. I spent much
more time to realize that I needed the BIOS upgrade :-(

The worst thing that could happen is that they agree on a "Universal Flash
BIOS standard". Then people will start upgrading their BIOS when anything
happens to their system. Then people will make shareware tools to make
your customized BIOS. And people will of course write viruses for them...

-oep

------------------------------

Date: Mon, 04 Mar 1996 10:50:50 +0000
From: Otto Stolz <Otto.Stolz@uni-konstanz.de>
Subject: (Fwd) Boza virus: knee-jerk media response more hazardous to wallet (from RISKS DIGEST 17.74)
X-Digest: Volume 9 : Issue 35

--- Forwarded mail from RISKS List Owner <risko@CSL.SRI.COM>

Date: Thu, 15 Feb 1996 15:46:29 -0600 (CST)
From: Crypt Newsletter <crypt@sun.soci.niu.edu>
Subject: Boza virus: knee-jerk media response more hazardous to wallet

Recently, the Associated Press newswire triggered another round of
ridiculous computer virus alarms with a story on the Boza/Bizatch
computer virus, an admittedly barely infectious parasite on Win95
executables.  Attributed to the VLAD Australian virus-writing group,
due to the equivalent of a computer underground press release embedded
in the virus extolling VLAD members and their technical virtuosity
vis-a-vis writing them, Associated Press reporter Sue Leeman
issued a news brief and it echoed internationally.

In a pattern of action and reaction that has become standard for
many computer virus stories reported in the mainstream press, the
Boza piece generated countless questions from on-line users who thought
they were in danger from it, although realistically they were
statistically more likely to be hit by an automobile than the virus in
their lifetime.  The original Associated Press attributed Sophos' Paul
Ducklin saying the Boza virus wasn't on the loose, but most subsequent
news stories and fragments derived from it, including copycat
press releases from other vendors, stripped this from the original.
The Associated Press story wound up being printed in toto or in
fragments in countless newspapers around the country that subscribe
to the newswire.

A good example, but only one of many, was a prominently displayed bulletin
mounted on the Compuserve "What's New" public announcement board.  This
board is displayed to callers every day and it contained a warning about
the Boza virus and a tip to head to Thunderbyte Anti-virus's spot on the
service for a cure.  However, the fact that the virus wasn't in
circulation or even likely to be so, while present in the original seed AP
piece, was gone.

The results were predictably confusing.  Some PC users on Compuserve who
did not even have Windows 95 installed on machines concluded they might
have been exposed to Boza. I noted similar results on other networks like
FIDO and in Usenet newsgroups.

The Boza mini-panic, coming as it does close to the Michelangelo virus
anniversary on March 6, illustrated the need for consistent media
criticism, particularly when it comes to certain varieties of technology
stories, like those dealing with computer viruses.  A few rules of thumb
to keep in mind when dealing with this type of thing are:

1. Computer virus stories are the best vehicle in which software
developers selling cures can pimp for their products. Even if the virus is
shown to be pathetic as a public menace, interest in those cited will
always peak transiently during the run of the story. This amounts to
software sales and on-line time spent through commercial services offering
information or software fixes through download, even if it's unnecessary.

2. Being the first vendor mentioned in a story like Boza throws
competitors immediately on the defensive, scrambling to recover and
fueling the story in the process.  Even though competing companies may
have known of a virus weeks previously and quietly written cures into
software as the usual course of business, the average PC user - after
reading this type of story - is given the impression everyone else was
asleep at the wheel.  This sets off a chain reaction in which competitors
quickly release copycat press releases which drive developments and strip
more information from the primary seed in an effort to maximize exposure.
Those vendors who don't do this often face tons of witless support
questions from those needlessly frightened by the news in on-line computer
help forums. They also face a transient image that they've been caught
flat-footed by competing vendors who've been more successful at generating
publicity. From a consumer standpoint, this leads to counter-productive
behavior in which some vendors, burned by the lack of exposure, gear up to
generate even more press releases on potential future threats _before_
they materialize.

3. It encourages some vendors to increase their contact with known active
virus-writers and their groupies so that they will be the first to receive
new viruses which may or may not (more often "not") work.  This is a
nasty spiral which tends to encourage virus-writers to produce more than
they usually would for their "audience." Having written a book on virus-
writers, I've seen this happen more than a few times since 1992.

George Smith, Crypt Newsletter

---End of forwarded mail from RISKS List Owner <risko@CSL.SRI.COM>

------------------------------

Date: Mon, 04 Mar 1996 05:17:20 -0500 (EST)
From: Fridrik Skulason <frisk@complex.is>
Subject: Re: Hard drive hardware write protection
X-Digest: Volume 9 : Issue 35

In <0001.01I1X44CWLTKQKI9KO@csc.canterbury.ac.nz> Dave Pearce
<dpearce@flash.net> writes:

>I'm looking for information on the following:
>
>1) Is it possible to take a stock IDE or SCSI controller and write-protect 
>the hard disk, i.e., so that all writes fail?

should be possible to cut one wire in the cable....haven't done it
though...

-frisk

--
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Mon, 04 Mar 1996 05:20:23 -0500 (EST)
From: Fridrik Skulason <frisk@complex.is>
Subject: Re: Virus Damage Statistics
X-Digest: Volume 9 : Issue 35

In <0002.01I1X44CWLTKQKI9KO@csc.canterbury.ac.nz> Jeff Beaubien
<AnarchyX@charger.newhaven.edu> writes:

>I am interested in obtaining statistical information regarding PC
>virus damage.  Examples include: how many viruses are there? 

nobody knows for sure.  AV producers can tell you how many viruses their
products identify, but there are probably quite a few viruses floating 
around in private collections, that have never been shared with anybody.
A reasonable estimate is "between 9.000 and 10.000 PC viruses"

Of those, around 100 are a "real" problem.

-frisk

--
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Mon, 04 Mar 1996 10:17:57 -0500 (EST)
From: Pavel Machek <machek@d12.novell.karlin.mff.cuni.cz>
Subject: Re: Student use of PCs
X-Digest: Volume 9 : Issue 35

: Most viruses are boot sector viruses.
: 
: Most PCs can be set so that they will not boot from a floppy. This will
: protect them from being infected by boot sector viruses. The procedure for
: this varies between different types of PCs. Therefore
: look up in your PC manual, about SETUP.

  Yes. And Qemm 7.5 with quickboot enabled happily boots from A:. If you
want to disable this, you have to ask qemm to display menu, which is even
more annoying than spinning-up floppies all the time and loading viruses
sometimes.

  Is there a way to disable that qemm's behaviour? (Maybe patch?) 

------------------------------

Date: Mon, 04 Mar 1996 10:38:21 -0500 (EST)
From: The Bank of Bermuda <edean@bobda.bm>
Subject: Technicalities of scanning Email in multi-OS network??
X-Digest: Volume 9 : Issue 35

At the Bank of Bermuda, we are on the verge of providing our internal 
users access to the internet via email.  Before we make that step we 
would like to know that we have taken the proper precautions to protect 
ourselves from unauthorised access and viruses within enclosures.  

What are you using to protect your company from these threats?

Are you allowing enclosures?   
Are you checking them for viruses before they reach the users?

If you aren't allowing enclosures, how are you blocking them?

We are currently testing MIMEsweeper, a product that uncodes all 
enclosures and sends them to a virus checker for scanning before letting 
them through to our users.  Infected or unfamiliar messages are blocked.

Have you tested MIMEsweeper?  
Have you had any problems with it?  
We had problems stopping BinHex.  Have you had that problem?

For MIMEsweeper, which runs on NT, to work for us, we would need a cross 
platform virus checker that runs on NT.  Have you heard of any cross 
platform virus checkers?

Please feel free to include any other information that you feel will be 
useful to us.  Thank you for taking the time to address our request.

Eugene Dean
Applied Research & Technology

------------------------------

Date: Tue, 05 Mar 1996 07:59:56 -0500 (EST)
From: Padgett 0sirius <padgett@goat.orl.mmc.com>
Subject: Re: Hard drive hardware write protection
X-Digest: Volume 9 : Issue 35

In article <0001.01I1X44CWLTKQKI9KO@csc.canterbury.ac.nz> Dave Pearce
<dpearce@flash.net> writes:

>1) Is it possible to take a stock IDE or SCSI controller and write-protect 
>the hard disk, i.e., so that all writes fail?
>
>2) Is it possible to take a stock IDE or SCSI hard drive and write protect 
>it?  I know some SCSI hard drives have write protect jumpers but I haven't 
>found any in the 200 - 500 meg range.

For SCSI it is just a matter of tying the write enable line (6 on an
ST-506, forget which for SCSI) high through about a 10k resistor. IDE is
more complicated since the controller is on the drive. You need logic for
this but there were a few devices floating around a few years ago (were
around U$200 and had few takers) to write protect all or part of an IDE.

			A. Padgett Peterson, P.E.
			Cybernetic Psychophysicist
		   Totally Obsessed with TransOceanics
		      My other car is a Pontiac too
			   We also walk dogs
		       PGP 2.7 Public Key Available

------------------------------

Date: Sun, 03 Mar 1996 07:38:40 -0500 (EST)
From: Al Varnell <al@varnell.colospgs.co.us>
Subject: Re: Mac Virus "FNDR ERIK" ?? (MAC)
X-Digest: Volume 9 : Issue 35

In article <0006.01I1X44CWLTKQKI9KO@csc.canterbury.ac.nz>, Greg Robb
<gmr@sirius.com> wrote:

>I've been wondering about the file "Desktop FNDR ERIK" for some time. 

It is the old desktop file used by system 6 (and also floppies).  It was
replaced by the db & df pairs when system 7 came out.

-Al-
--
Al Varnell                       |              Voice: 719.488.0219              
e-mail: al@varnell.colospgs.co.us|              Work:  719.598.8081
AOL: AlVarnell                   |              Fax:   719.594.6695
---------------------------------|---------------------------------

------------------------------

Date: Sun, 03 Mar 1996 16:19:37 -0500 (EST)
From: Bruce Burrell <bpb@stimpy.us.itd.umich.edu>
Subject: Re: Mac Virus "FNDR ERIK" ?? (MAC)
X-Digest: Volume 9 : Issue 35

Greg Robb (gmr@sirius.com) wrote:
> I've been wondering about the file "Desktop FNDR ERIK" for some time. 
> It's been on my hard drive and for a while I thought it was a possible 
> virus when I was having a lot of screen freezes. I've reformatted my hard 
> drives and now it is not on them. 
[snip]
   Under System 6 and before, the Desktop file kept track of information
about the Mac Desktop -- what icons were associated with each application
and data file, comments entered in the GetInfo box, and a few other
resources.  Perhaps you've heard of "rebuilding the Desktop"  when you
have problems with your Mac -- one does this by depressing the <Command>
and <Option> keys when the computer is restarted until asked whether the
user would like to rebuild the Desktop.

   Under System 7.x, the Desktop file was replaced by two files, Desktop
DF and Desktop DB.  While these have similar functions to the single
Desktop file, I'll defer to others to provide the details. 

   On the Macintosh, all files have two attributes called TYPE and 
CREATOR; both of these are case sensitive four character strings.  For 
instance, Microsoft Word documents are of TYPE WDBN, and of CREATOR MSWD, 
while Word itself is of TYPE APPL and has the CREATOR MSWD.  Typically, 
all document kinds associated with a particular application will have 
the same CREATOR; for example, Word documents, temporary files, 
textfiles, and dictionary files all have CREATOR of MSWD.  All 
applications have a type of APPL.  This system is designed to enable 
opening documents via double-clicking, rather than having to use <File> 
<Open> after launching the appropriate application.

   All this leadup is to explain a simple answer to your question -- the
Desktop file has a TYPE of FNDR and a CREATOR of ERIK.  No cause for
alarm; if you're using System 7.x, you may delete it safely.  That's what
happened when you reinitialized your hard drive; the file wasn't recreated
because you weren't running under System 6, although at some time it had
been. 

   So in fact, it had *always* been on your hard drive, but perhaps you'd 
never noticed it before.  Since you reformatted, it's gone, but it never 
was a virus, and therefore never a cause for concern.

   -BPB

------------------------------

Date: Mon, 04 Mar 1996 02:12:11 -0500 (EST)
From: Derek Chee <dchee@uci.edu>
Subject: Re: Mac Virus "FNDR ERIK" ?? (MAC)
X-Digest: Volume 9 : Issue 35

Greg Robb <gmr@sirius.com> writes:
>I've been wondering about the file "Desktop FNDR ERIK" for some time. 
>It's been on my hard drive and for a while I thought it was a possible 
>virus when I was having a lot of screen freezes. I've reformatted my hard 
>drives and now it is not on them. 

This is the normal Desktop file that the Mac creates.  It isn't a
virus.  The Desktop file keeps track of your file icons and which
files belong to which applications.

-- Derek
--
___________________________________________________________________________
Derek Chee (dchee@uci.edu)        |  This signature is in need of repair.
Office of Analytical Studies      |  Accepting contractor bids now.
University of California, Irvine  |

------------------------------

Date: Mon, 04 Mar 1996 02:49:45 -0500 (EST)
From: Thomas Vincent <runner12@ix.netcom.com>
Subject: Macintosh Ram Virus?? (MAC)
X-Digest: Volume 9 : Issue 35

Does this sound like a Virus hiding? I start up my Mac and I try to open
Netscape. It tells me that it doesn't have enough memory. I only have
four extensions loaded. According to my addition in the about Macintosh
menu, I am using 13 MB's of RAM out of 16 MB's. Though it says I only
have one megabyte left of free RAM.

Thomas Vincent
runner12@ix.netcom.com

------------------------------

Date: Mon, 04 Mar 1996 11:58:44 -0500 (EST)
From: ~rob <showkave@well.com>
Subject: Re: Mac Virus "FNDR ERIK" ?? (MAC)
X-Digest: Volume 9 : Issue 35

In article <0006.01I1X44CWLTKQKI9KO@csc.canterbury.ac.nz>, Greg Robb
<gmr@sirius.com> wrote:

> I've been wondering about the file "Desktop FNDR ERIK" for some time. 
> It's been on my hard drive and for a while I thought it was a possible 
> virus when I was having a lot of screen freezes. I've reformatted my hard 
> drives and now it is not on them. 
> 
> Below is the results of a Disk Wizard scan of a few Syquest cartridges 
> and a couple of floppies. As you can see, "ERIK" is on only one of the 
> Syquests and on both of the floppies - it's also on my brand new 
> preformatted floppies. 
> 
<deletia>

This is a normal file.  It contains the "desktop database" for these
volumes.  Normally, this file is hidden, meaning it is present, but
doesn't show up in the Finder.  Inside Macintosh Volume VI has a chapter
on "The Finder Interface" (chapter 9).  This chapter has a section on the
desktop database.  Within this section is a section on the "history of the
desktop database" that may be helpful.

The "Def" viruses (MDEF, WDEF and CDEF) can INFECT the Desktop files, but
you don't necessarily have them just because you have a Desktop file.

------------------------------

Date: Mon, 04 Mar 1996 12:02:19 -0500 (EST)
From: ~rob <showkave@well.com>
Subject: Re: Aug, 27 1956 Virus? (MAC)
X-Digest: Volume 9 : Issue 35

In article <0007.01I1X44CWLTKQKI9KO@csc.canterbury.ac.nz>,
<uv923@freenet.victoria.bc.ca> wrote:

> Does anyone know of a virus that sets the date & time control panel back 
> to aug 27 1956 when ever you boot up the computer? We have had this 
> computer for many years and it never did that before, but now no matter 
> how many times we change the date it just goes back to aug 27 1956 next 
> time we turn on the computer.
> 
> I have tried disinfectant 3.6 and gatekeeper 13 but they didn't find 
> anything.

There is a small possibility that you have a malfunction in your parameter
RAM or clock.  Try this:  boot from a floppy that is known to be
uninfected (say the "Disk Tools" disk that came with your Mac).  If the
clock DOESN'T change back when you do this, you have a software problem of
some sort (possibly a new virus).  If the clock DOES change when you boot
from this clean floppy, I imagine you have a hardware problem (NOT a
virus).

------------------------------

Date: Tue, 05 Mar 1996 01:40:06 -0500 (EST)
From: Joerg Erdei <a8101gbb@helios.edvz.univie.ac.at>
Subject: Re: Aug, 27 1956 Virus? (MAC)
X-Digest: Volume 9 : Issue 35

<uv923@freenet.victoria.bc.ca> wrote:
>Does anyone know of a virus that sets the date & time control panel back 
>to aug 27 1956 when ever you boot up the computer? We have had this 
>computer for many years and it never did that before, but now no matter 
>how many times we change the date it just goes back to aug 27 1956 next 
>time we turn on the computer.
>
>I have tried disinfectant 3.6 and gatekeeper 13 but they didn't find 
>anything.

That is not a virus, it's the Lithium battery (that backs up your PRAM)
going down. Take a look at

   http://www.academ.com/info/macintosh/

if you need assistance in replacing it.

Joerg Erdei

------------------------------

Date: Tue, 05 Mar 1996 04:49:34 -0500 (EST)
From: "John P. Speno" <speno@swarthmore.edu>
Subject: Re: Aug, 27 1956 Virus? (MAC)
X-Digest: Volume 9 : Issue 35

In <0007.01I1X44CWLTKQKI9KO@csc.canterbury.ac.nz>
<uv923@freenet.victoria.bc.ca> writes:

>Does anyone know of a virus that sets the date & time control panel back 
>to aug 27 1956 when ever you boot up the computer? We have had this 
>computer for many years and it never did that before, but now no matter 
>how many times we change the date it just goes back to aug 27 1956 next 
>time we turn on the computer.

I believe that is 'Your Battery is Dead Virus'.

Hope this helps.
--
John P. Speno, speno@swarthmore.edu, Swarthmore College Computing Center
	     "There is no wisdom greater than kindness."

------------------------------

Date: Tue, 05 Mar 1996 04:10:13 -0500 (EST)
From: scary kevin <isildur@abulafia.st.hmc.edu>
Subject: Re: Effects of Word.Concept Virus? (MAC,WIN)
X-Digest: Volume 9 : Issue 35

In article <0018.01I1JAW8C1VOQKFBM4@csc.canterbury.ac.nz>,
Ray Ennis  <ennis@ix.netcom.com> wrote:
>likely was changed due to the effects of the Word.Concept virus, but one
>of the Word documents thinks it is a Template file and won't be Saved As a
>normal document file.

..

>       Could this be an effect of the Word.Concept MacroVirus?

Yes.  Though it has the *.doc extension, Word 6 is finding macro commands in
the file, and thinks it must therefore be a template.  I can't seem to fix
it; my workaround is:

New document
Select all
Copy
Paste to new document
close old document
save the new document with the same name as the old one.

-Kevin (i just found and killed this damn thing today, after four weeks of
	thinking my copy of W6 was broken, and three re-installs.  Arrgh!)

------------------------------

Date: Tue, 05 Mar 1996 07:49:48 -0500 (EST)
From: Ian Elrick <j.s.elrick@forth.stir.ac.uk>
Subject: WinWord.Nuclear (MAC,WIN)
X-Digest: Volume 9 : Issue 35

I have just had an outbreak of WinWord.Concept at my site and have cured 
it with wvfix.exe. My question is will this cure WinWord.Nuclear as well 
or is there another fix for this nasty.

Thanks in advance

Ian

------------------------------

Date: Sun, 03 Mar 1996 15:55:08 -0500 (EST)
From: "S. Barger" <wlberch@icon-stl.net>
Subject: Wierd thing happens with McAfee when booting up (WIN95)
X-Digest: Volume 9 : Issue 35

If you are an experienced user of McAfee and would be willing to shed
some insight, your reply to this post would be appreciated.

I recently downloaded a copy of McAfee's Anti Virus.  This is the
first time I have used a Virus protection application, so please
excuse me if my questions seem trite.

Upon booting up, I receive the McAfee logo screen just as my
wallpaper and startup programs are initialized.  I then get a big blob
of icons on the right hand side of my desktop for about 6 seconds or
so.  Then they disappear.  Is this normal, what can I do to stop this?

Next, the VShield icon is located in my tray next to the yellow
speaker (WIN95) as opposed to the taskbar itself.  The help file says
it is to be on the taskbar. Where should it be?

Finally, please let me know if this is correct:  VShield is a program
running all the time to scan as you work, and the anti virus program
is used to scan, at will, any part of your system.

Any input on helping me better understand this software would be
appreciated.  

The help files for this program aren't that great for someone with
limited computer knowledge.

------------------------------

Date: Sun, 03 Mar 1996 16:01:21 -0500 (EST)
From: Richard Martinolich <gmargino@direct.ca>
Subject: Win95 calculator virus? (WIN95)
X-Digest: Volume 9 : Issue 35

I just contracted a virus that is turning all my win95 applications to 
calculator. I heard it was from McAfee and I can't get rid of it. Any advice 
would be appreciated.

email me at martinol@max-net.com

------------------------------

Date: Sun, 03 Mar 1996 22:22:16 -0500 (EST)
From: "Mike W." <mhw1@ix.netcom.com>
Subject: Possible Virus!! (WIN95)
X-Digest: Volume 9 : Issue 35

I have windows 95 and NAV 95.  I have scanned my HD many times but it
has not come up with a virus.  The problem I have is that every time I
start up my computer I get into windows but then my computer freezes. 
I hit CTRL-ALT-DEL and it says "MMTASK" (not responding)  I hit end
task and then usually it will let me back into windows and it works
fine.  I have no idea if it is a virus or it is just a software
conflict within my computer.  

I had this problem when I first installed windows then I installed a
program in my computer and then it worked fine for a while then I
installed many more programs and now it is what I have now.  

PLEASE HELP

Thank you

Matt
mhw1@ix.netcom.com
mhw1@bc.cybernex.net

[Moderator's note:  Do you have an AWE32 sound card??  Running the Win31
setup program for installing its drivers under Win95 is known to cause
similar problems.]

------------------------------

Date: Mon, 04 Mar 1996 10:40:44 -0500 (EST)
From: jgrant@namsa.nato.int
Subject: McAfee 2.0 for Win95 "feature" (WIN95)
X-Digest: Volume 9 : Issue 35

	For those of you who haven't yet noticed, there is an interesting 
"feature" in McAfee 2.0 for Windows 95.  It is the following:

	McAfee95 2.0 uses the DOS scan.exe to detect viruses in the 
autoexec.bat during boot prior to loading windows, and includes a very 
nicely integrated Vshield for Windows 95.  Both of these features are 
improvements and seem logical.

	However, when scanning in a DOS Window with scan.exe (as is possible 
now that it is included with McAfee95 v2...) it seems that McAfee
regularly gives false positive results!  I have tried this a few times and
have detected different viruses during different boots, leading me to
believe that it is indeed Vshield in memory that is being detected...  I
have yet to test this exhaustively, but have verified without doubt that
the results of the DOS box scan are false positive.  The Win95 scan
continues to function properly.

In short, use the DOS scan.exe only when running in MS-DOS mode for
reliable scans.

I guess the old command line junkies like me will sooner or later have to
move entirely to GUI based operations!  (Pity that I find command line
work to be more efficient for some operations...)

------------------------------

Date: Mon, 04 Mar 1996 10:30:26 -0500 (EST)
From: Pavel Machek <machek@d12.novell.karlin.mff.cuni.cz>
Subject: Re: DOS Antivirus software under Windows? (WIN)
X-Digest: Volume 9 : Issue 35

Kenneth Albanowski (kjahds@kjahds.com) wrote:
: On Mon, 19 Feb 1996, Kenneth Albanowski wrote:

: Good point, thank you. To clarify (or modify, at least): DOS/Windows has
: little or no memory protection, so one program can modify another while it
: is running. Any AV software is therefore a bit of a game of one-upsmanship
: to see whether the virus or AV wins.

: In just about any OS which has some pretense of "security", you are likely
: to find some degree of memory protection, which keeps one program from
: stomping on another.

: None of this necessarily means that an OS with memory protection is going
: to be "virus proof", but only that AV software can be a bit more sure of
: where it stands.

  If anti-virus software changes at least a bit (for example by turning
various optimizations on/off), it will be very hard for a virus to
attack its code. One program cannot easily decode a second program's
code...

  BTW has anyone ever seen a virus actively changing a specific antivirus?

------------------------------

Date: Sun, 03 Mar 1996 08:47:15 -0500 (EST)
From: William Yeung <wcfyeung@infolink.net>
Subject: Nov 17th virus (PC)
X-Digest: Volume 9 : Issue 35

Does anyone know a virus called Nov 17th and how it can be killed? 
Recently my Windows 3.1 permanent swap file was infected by it.

I use McAfee's viruscan regularly. It found it but was unable to remove it.

Thank you in advance on any advice given.

[Moderator's note:  Your Windows swap file cannot be "infected" by a virus
as it is not executed.  If only your swap file is reported as infected and
especially if no other antivirus software says you have the virus, you
most likely have a false positive.]

------------------------------

Date: Sun, 03 Mar 1996 09:58:49 -0500 (EST)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: Re: Divide overflow on floppy access (PC)
X-Digest: Volume 9 : Issue 35

In article <0025.01I1X44CWLTKQKI9KO@csc.canterbury.ac.nz>
	   chungj@is2.nyu.edu "Johnny Chung" writes:

 > but I would like to know the cause of the DIVIDE OVERFLOW.

An Intel machine level divide instruction leaves the result in 
two registers, one for the quotient and one for the remainder.  
These registers are each half the size (in number of bits) of the 
register that holds the original number being divided.  If this 
original number is large, and the divisor small, the result may 
be too large to fit in the register that it is supposed to go in.  
That gives rise to a Divide Overflow exception, which is reported 
through an interrupt routine, either the system default, or one 
installed by an application.

- -
MAN PASSES                      DOG GETS OUT
	  DOG HOUSE                         MAN GETS IN
		   DOG SEES CHIN                       Burma-Shave

------------------------------

Date: Sun, 03 Mar 1996 11:09:18 -0500 (EST)
From: George Kalemanis <georgek@TSO.Cin.IX.net>
Subject: F-PROT, Opinions? (PC)
X-Digest: Volume 9 : Issue 35

I have been working as a tech. for quite some time, and been using F-PROT.
While F-PROT is not 100% foolproof, I do believe it is the best, and even
install it in all machines that get configured or serviced free of charge,
whether it needs it or not.  How many people agree, or are there better
scanners out there that people use -  I haven't been real impressed with
McAfee (some viruses pass through McAfee using the latest version, while
older F-PROT copies still detect).

George Kalemanis
georgek@tso.cin.ix.net

------------------------------

Date: Sun, 03 Mar 1996 14:09:08 -0500 (EST)
From: ECMoody <ecmoody@aol.com>
Subject: Mystery Virus(PC)
X-Digest: Volume 9 : Issue 35

I have a suspected virus that nothing recognizes.  It seems to infect
different files, and I think that it is multipartite.  I am running Win95. 
I get a lot of Fatal Exception errors and some GPF's and Page Faults. I
also occasionally get errors about memory, such as there is none
available.  I have 12 meg and nothing other than WIN95 is running.  I
can't do anything, because it just GPF's out when I try.  Any help or
insight would be greatly appreciated.  I have read some on a virus by the
name of Tai-Pai, not Tia-Pan or Doom2 Death, that matches this
description.

ECMoody

------------------------------

Date: Sun, 03 Mar 1996 14:35:16 -0500 (EST)
From: Sven Peters <peters@uni-oldenburg.de>
Subject: Unknown virus (PC)
X-Digest: Volume 9 : Issue 35

Does anyone know of a virus that sets the date & time control to back by
contingency.

And deletes Windows 3.11 .ini and .dat files (as far as I noticed) in
the same way, that means without any order.

I have scanned with fprot without success.

I need emergency help.

Thankful for the smallest clue is

Sven Peters 

e-mail peters@hrz.uni-oldenburg.de
- - 
Happy is he
who can want
what he has to do.

------------------------------

Date: Sun, 03 Mar 1996 15:04:18 -0500 (EST)
From: Glen D Moffitt <glenm@seanet.com>
Subject: Re: Problems accessing floppy drive (PC)
X-Digest: Volume 9 : Issue 35

Philipp Stampfu wrote:

> I have a problem with my floppy-disk-drive and I think it's a virus. Here
> my problem:
> 
> If I boot the computer with OS/2:
>   I copy files to a disk and compare them with COMP. Then there are always
>   some files on the disk, which are different from the original files.
>   This problem does not occur, if I copy the files from the hard-disk to
>   another directory of the harddisk.
> 
> If I boot the computer with DOS:
>   If I compress files with PKZIP and I copy the file NAME.ZIP to the
>   floppydisk and then back to the harddisk, I can't uncompress the file.
> 
> And now, why I think it's a virus:
>   If I start my computer with a DOS bootdisk, the problem doesn't occur.
> 
> But I have not found any virus with McAfee.

You're a little light on details, such as how are the files different
(size?), what error message you get when you can't unzip the zip file, or
how you scanned with McAfee.  Sounds like it has some potential of a
virus, though.  Download (to another pc, preferably) some shareware
copies of other antivirus apps, such as Dr. Solomon, F-Prot, Thunderbyte,
or Norton Antivirus (not sure that they all have a shareware copy
available).  Copy the dos scan program and virus signature file to a
bootable floppy.  I usually just put in the command line necessary to run
the virus scan with the appropriate command line switches in the
autoexec.bat to auto-run the scan.  Make sure the diskette is write
protected ***before*** you insert it into the potentially infected pc
diskette drive.  Boot the system and see what happens.  Good luck!

Glen

------------------------------

Date: Sun, 03 Mar 1996 15:08:57 -0500 (EST)
From: Kenneth Albanowski <kjahds@kjahds.com>
Subject: Re: Wordperfect 6.1 Virus? (PC)
X-Digest: Volume 9 : Issue 35

On Thu, 29 Feb 1996, Joe Marshall wrote:

> I am a technician at a community college and we are having trouble with
> Wordperfect 6.1 for Windows going down.  It seems that files are being
> deleted in Windows as well as other different applications.
> 
> Windows kernel becomes damaged and parts if not all of Wordperfect become
> damaged.
> 
> We have tried the latest versions of McAfee's Vshield and Scan and have
> also tried F-prot, both of which have been very successful in the past at
> locating viruses, but neither one of these find any viruses on the
> computers with the problems.
> 
> If anyone out there has any info I'd appreciate the help.

In order of likelihood when files start disappearing at random:

 1. Malicious damage (somebody running around deleting files.)

 2. Bad software (are you running BETA versions of anything?)

 3. A bad disk.

 4. A Virus.

It seems you've ruled out #4 (but of course you should try any other virus
checker you come across) so what about the rest of the list?  

- -
Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)

------------------------------

Date: Sun, 03 Mar 1996 17:54:34 -0500 (EST)
From: Marcello Adduci <adduci@pop.systemy.it>
Subject: Virus MATRIOSKA! Who knows it? (PC)
X-Digest: Volume 9 : Issue 35

It creates nested subdirectories until the space on the hard disk is used up.
It stays in the boot sector and it's impossible to destroy it.

Does anyone know it? 

------------------------------

Date: Sun, 03 Mar 1996 21:49:31 -0500 (EST)
From: "Bruce P. Burrell" <bpb@umich.edu>
Subject: Re: Divide overflow on floppy access (PC)
X-Digest: Volume 9 : Issue 35

In comp.virus/VIRUS-L v9i34, Johnny Chung <chungj@is2.nyu.edu> wrote:

> I am not sure if anyone has experienced the following phenomenon.
> 
> I disinfected 3.5" HD floppies containing Urkel or ANTIEXE viruses using 
> McAfee's Win95 virus scan 2.01.  It seems to CLEAN it fine, but when I 
> try to access the floppies, it gives me a DIVIDE OVERFLOW error.  I've 
> tried it on several machines with the same result.  

   This is probably the result of an incomplete disinfection.  Within the
first sector on the diskette (DOS Boot Sector; DBS) is a data structure
(BIOS Parameter Block) that keeps track of various information about the
diskette.  Included in the BPB is a field that records the number of heads
(sides) on the diskette; if this is set to zero, DOS gets very confused,
and gives a Divide Overflow error. Based on your report, my guess is that
this field (at least) is probably set to the wrong value. 

> NDD and Disk Editor will not touch it.  As soon as the diskette is being 
> accessed, I get the DIVIDE OVERFLOW.  Does anyone have any clues as to 
> why this is happening?  I am sure I can just go ahead and reformat it, 
> but I would like to know the cause of the DIVIDE OVERFLOW.  

   Actually, Norton Disk Editor probably _will_ touch it, but you have to
use special techniques to access it.  Try DISKEDIT A: /M to look at A:  in
Maintenance mode; this should load the DBS.  Change to View as Boot Record
(F7); then edit the fields so that they contain correct info and write the
changes.  If you don't know what values should be present, just examine a
diskette of the same capacity and form factor (e.g., 3.5" High Density
Double Sided) in the same fashion discussed above. 
   An alternative way to get to this position is to run DISKEDIT, then 
use <Alt>-D to open the drive menu.  Switch to Physical (rather than 
Logical), and select Floppy Drive A: (or B:, as the case may be.)  
Although you should be accessing it directly by either method above, you 
want to examine Physical Cylinder 0, Head 0, Sector 1.

   If the procedure above doesn't work, you can sometimes "fool" DISKEDIT
by accessing a readable diskette, then swapping it for a damaged one. 
Then examine the physical sector 0, 0, 1, or its logical equivalent,
Sector 0. 

> Thanks in advance.

   Sure.  Be sure to practice on diskettes that are unimportant first, so 
that any errors you make won't trash important data.  If you can make a 
DISKCOPY or a bitcopy first and work on the image, so much the better.

-BPB
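
The divide overflow discussed in this thread (the divide instruction described by Iolo Davidson and the zeroed BPB field described above), as an added example that is not part of any post in this digest. It assumes the standard DOS BPB field offsets and the textbook sector-to-cylinder/head/sector conversion rather than DOS's actual code; the function names and the sample boot sector are constructed for illustration.

```python
import struct

# Standard DOS BPB, starting at offset 0x0B of the boot sector (little-endian).
BPB = struct.Struct("<HBHBHHBHHHII")
FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
          "num_fats", "root_entries", "total_sectors_16", "media",
          "sectors_per_fat", "sectors_per_track", "heads",
          "hidden_sectors", "total_sectors_32")
MUST_BE_NONZERO = ("bytes_per_sector", "sectors_per_cluster", "num_fats",
                   "sectors_per_track", "heads")


def parse_bpb(sector):
    if len(sector) < 512:
        raise ValueError("need the full 512-byte boot sector")
    return dict(zip(FIELDS, BPB.unpack_from(sector, 0x0B)))


def div16(dividend, divisor):
    """Model of x86 DIV with a 16-bit divisor: 32-bit dividend in DX:AX,
    quotient to AX, remainder to DX. Returns None where the CPU raises the
    divide exception (zero divisor, or quotient too big for 16 bits)."""
    if divisor == 0:
        return None
    quotient, remainder = divmod(dividend & 0xFFFFFFFF, divisor)
    return None if quotient > 0xFFFF else (quotient, remainder)


def lba_to_chs(bpb, lba):
    """Textbook LBA -> (cylinder, head, sector); None if a division faults."""
    first = div16(lba, bpb["sectors_per_track"])
    if first is None:
        return None
    second = div16(first[0], bpb["heads"])
    if second is None:
        return None
    return second[0], second[1], first[1] + 1


def check_boot_sector(sector):
    """Return a list of findings; an empty list means the geometry is usable."""
    bpb = parse_bpb(sector)
    findings = [f"{name} is zero" for name in MUST_BE_NONZERO if bpb[name] == 0]
    if sector[510:512] != b"\x55\xaa":
        findings.append("missing 55 AA signature")
    total = bpb["total_sectors_16"] or bpb["total_sectors_32"]
    if total == 0:
        findings.append("total sector count is zero")
    elif lba_to_chs(bpb, total - 1) is None:
        findings.append("CHS conversion of the last sector would divide-fault")
    return findings


def make_sector(heads=2, sectors_per_track=18):
    """Constructed 3.5-inch HD (1.44 MB) boot sector, BPB and signature only."""
    sector = bytearray(512)
    sector[0:3] = b"\xeb\x3c\x90"
    sector[3:11] = b"EXAMPLE "
    BPB.pack_into(sector, 0x0B, 512, 1, 1, 2, 224, 2880, 0xF0, 9,
                  sectors_per_track, heads, 0, 0)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    for label, image in (("good", make_sector()), ("heads=0", make_sector(heads=0))):
        print(label, check_boot_sector(image) or "ok")
```

To check a real diskette, pass the first 512 bytes of a DISKCOPY or bit-copy image to check_boot_sector() instead of the constructed sector.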

------------------------------

Date: Sun, 03 Mar 1996 22:47:09 -0500 (EST)
From: Bruce Burrell <bpb@stimpy.us.itd.umich.edu>
Subject: Re: How to get rid of Stoned Empire Monkey virus (PC)
X-Digest: Volume 9 : Issue 35

Alexander Stanton (a.stanton1@ic.ac.uk) wrote:
> I can't get rid of this no matter how hard I try. I've already
> resigned to repartitioning my harddrive, but I can't even get that
> to work.

   I don't think that will be necessary....  If you can, back up to a
network or tape; that way the virus won't spread (as it would were you to
do a floppy backup). 

> The virus loads in before the floppy is activated for booting, and
> will only boot if the floppy is write-enabled. If it is write-
> protected it just hangs. Using fdisk or format from an infected
> disk has no effect.

   Since Monkey "stealths" the Master Boot Record, FDISK will have no 
effect when Monkey is active; FORMAT doesn't affect the MBR anyway.  
Hence this is the expected behavior.

> The only way I can get  the machine to boot from a clean floppy
> is to disable the hard drive in the bios.

   Are you sure that the CMOS is set up to boot from floppy first?  It 
must have been at some time, of course; that's how Monkey infected in the 
first place.  But have you reset it to boot from C: ?  After making sure 
that your machine _is_ set to boot from A:, try the floppy boot again.

> fprot and norton antivirus won't disinfect the drive while the
> virus is in memory and want a clean boot.

   Right; that's the conservative approach, and it's a good one.
 
> So how do I get rid of it? Is my hard drive good for the dumpster?

   Surely not dumpster material.

   1. Go to e.g., ftp://oak.oakland.edu/SimTel/msdos/virus/killmnk3.zip 
      to get KILLMONK.EXE; it can remove Monkey when the virus is active 
      in memory.
   2. If that fails, check your boot sequence to make sure that A: is 
      accessed first, and change it if it is not.
   3. Assuming the subsequent clean floppy boot succeeds, use
	 F-PROT /HARD /DISINF  for F-PROT (don't know the NAV equivalent).
      Don't be concerned if F-PROT says "Error: No hard drive"; just 
      reboot from floppy and repeat the above command.
   4. If neither of these steps work, contact me or your AV vendors for 
      tech support; the virus should be removable by hand.

> Any help would be appreciated.

   Hope this reaches you in time!

   -BPB

------------------------------

Date: Mon, 04 Mar 1996 03:48:23 -0500 (EST)
From: Kyle.McPhedran@zeke.ebtech.net
Subject: keeper ck.777 need some help????? Please (PC)
X-Digest: Volume 9 : Issue 35

Has anyone heard of this virus..... Keeper ck.777  ????  I have it on one
of my machines, and I cannot seem to fix the problem.  I am running WIN95,
with the latest McAfee..  It gets detected at boot, but when I do a scan I
do not get an error.  I have booted with a clean floppy and the latest DOS
McAfee, and it does not detect it.  

Any comments or suggestions???  Please e-mail me .  Thanx,

Kyle McPhedran

------------------------------

Date: Mon, 04 Mar 1996 05:22:28 -0500 (EST)
From: Fridrik Skulason <frisk@complex.is>
Subject: Re: PKZ300 Virus (PC)
X-Digest: Volume 9 : Issue 35

In <0024.01I1X44CWLTKQKI9KO@csc.canterbury.ac.nz> Erwin Loewen
<eloewen@edc.gov.ab.ca> writes:

>Is there some new threat regarding this virus?

it is not a virus...the PKZIP 3.00 file is a Trojan.

-frisk

- - 
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Mon, 04 Mar 1996 09:41:49 -0500 (EST)
From: Pow <KRISTS@r1g.edu.lv>
Subject: Found a virus on my HDD.. (PC)
X-Digest: Volume 9 : Issue 35

I found a virus on my HDD. System speed was 3x slower than it
should be. I booted from clean diskette and found out that my c: disk
is encrypted. I can't find anything on my HD while it's not in
memory..

The virus is polymorphic full memory stealth, I think. Infects
COM/EXE/BS/MBR/SYS. It takes 10Kb memory. What can I do? Can someone
help me?

				Kermit

------------------------------

Date: Mon, 04 Mar 1996 10:09:48 -0500 (EST)
From: saai <saai@passport.ca>
Subject: Podaj hasLo? (PC)
X-Digest: Volume 9 : Issue 35

This came up on one of our pc's yesterday. MS Anti-virus didn't find any
viruses (virii?). Where can I get information about this?

Please e-mail.

Thanks.
Paul Egan @ Scott Associates.

------------------------------

Date: Mon, 04 Mar 1996 10:55:34 -0500 (EST)
From: Margaret Proctor <m_proctor@ncsu.edu>
Subject: Virus in Memory--sometimes (PC)
X-Digest: Volume 9 : Issue 35

I got a call  last Friday from a user with a virus message on her PC. She
boots up, logs into the server, the server checks her machine for viruses
with F-Prot Professional v 2.21.1(running from DOS) and displays a virus
warning.    

I come down, boot from a clean floppy, check her computer with f-prot and
find the "Yankee_Doodle.2885.A" virus in 13 files.   F-prot says it
removed the virus from all files.  I boot from a clean floppy, run f-prot
again, machine is clean. Reboot, letting the normal routine run, log into
the server, server runs its virus program and finds a virus in memory. I
check the computer again, immediately, with the (same version) virus
software loaded on her harddrive, machine checks out clean.  If I run the
same virus-checker (off the server) from another PC, I get nothing.

Anyway, to make a long story short, I have checked her machine, and the
server from every angle I can think of and they always come out clean
except when running the checker from the server when she logs on her PC.
Then I get a virus-in-memory message.

Any help you could give would be greatly appreciated.

I've learned a lot from you folks over the years. Thanks a bunch.

Margaret
Margaret Proctor
N C S U College of Veterinary Medicine
Computing Resources
m_proctor@ncsu.edu
(919) 821-9677

------------------------------

Date: Mon, 04 Mar 1996 17:36:35 -0500 (EST)
From: John Higgins <higgins@dorsai.dorsai.org>
Subject: Modem snag: Virus or NAV? (PC)
X-Digest: Volume 9 : Issue 35

I've got this odd snag with my Windows communications programs. Three
times now, stuff like AOL, Trumpet Winsock, and even Terminal all stop
working. Either they can't recognize my modem or they reboot my machine
whenever I try to logon. Procomm Plus for DOS works just fine, so it
isn't the modem. The MIS guys have "fixed" the problem but have
never been able to tell me exactly what they did in the past to resolve
it.

The only pattern I can see is that it might be happening after I
inoculate files via Norton Anti-Virus. That's absolutely the case today.
So am I the victim of a) some sort of virus; b) Norton or c) some other
mishap I can't identify?

*-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-*
* John M. Higgins                 *                   For Multichannel's *  
* Multichannel News               *             Cable Regulation Digest  *
* higgins@dorsai.dorsai.org       *      E-MAIL - To: listerv@netcom.com *
* v)212-887-8390/f)212-887-8384   *          Body: Subscribe cablereg-l  *
*-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-*

------------------------------

Date: Mon, 04 Mar 1996 21:35:50 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: DOOM2 DEATH (PC)
X-Digest: Volume 9 : Issue 35

Kevin Marcus <datadec@cs.UCR.EDU> writes:
>In article <0017.01I1OVIDD4Q4QKG2H9@csc.canterbury.ac.nz>,
>Chengi J. Kuo <cjkuo@alumnae.caltech.edu> wrote:
>>>Could some kind soul please tell me details of the DOOM2 DEATH virus.

>>Other AV products will call this Taipan.666, which is the CARO name.

>Just curious - why does scan persist on using a naming scheme which
>greatly diverges from the rest of the community?  Most certainly it
>improved from the 1.x to 2.x series, but ??

I came along starting 2.2.x.  I try to maintain CARO naming when I
can.  I don't necessarily go back to fix old names unless there is
specific confusion caused by the existence of the other name.

I figure if the name has been in use for a long time, it's better not to
rock the boat.  Just the other day, I was informed as a followup to this
message that SCAN doesn't detect WHISPER any more.  It's no longer in
the VIRLIST.  Well, that's because I changed the name to its Taipan
family name.  So, if I can't win either way, I'd like to not lose effort
in doing so.

But where new viruses are concerned, I try.  Either right from the start
or I fix it in the next version.  Before the non-standard name gets a
chance to become entrenched.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Mon, 04 Mar 1996 22:16:59 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Divide overflow on floppy access (PC)
X-Digest: Volume 9 : Issue 35

Johnny Chung <chungj@is2.nyu.edu> writes:
>I am not sure if anyone has experienced the following phenomenon.
>
>I disinfected 3.5" HD floppies containing Urkel or ANTIEXE viruses using 
>McAfee's Win95 virus scan 2.01.  It seems to CLEAN it fine, but when I 
>try to access the floppies, it gives me a DIVIDE OVERFLOW error.  I've 
>tried it on several machines with the same result.  
>
>NDD and Disk Editor will not touch it.  As soon as the diskette is being 
>accessed, I get the DIVIDE OVERFLOW.  Does anyone have any clues as to 
>why this is happening?  I am sure I can just go ahead and reformat it, 
>but I would like to know the cause of the DIVIDE OVERFLOW.  

Divide Overflow occurs from a bunch of zeros in the wrong places in the
BPB of the floppy.

This would indicate that the Win95 diskette remover may have some
problems.  All the more reason that I keep suggesting that virus
removal be conducted with the DOS version.  But I will have QA verify
your results and get it fixed.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Tue, 05 Mar 1996 07:50:51 -0500 (EST)
From: ABM User <ABM@admin.abmsystems.ns.ca>
Subject: Re: Ripper and NYB (PC)
X-Digest: Volume 9 : Issue 35

In article <0017.01I1X44CWLTKQKI9KO@csc.canterbury.ac.nz>, Cheryl Garfin
<GarfinChe@Cheers.niacc.cc.ia.us> says:

>I'm still having trouble with the Ripper Virus. This time it crippled the
>computer so that you couldn't boot up at all.  I was told to boot with a
>clean boot disk and then run a:f-prot /hard /disinf.  What will this do?
>I tried to do this and it said that it didn't have a virus at all.  I
>need help on this one we have 10 laptops that have both Windows 95 and
>Windows 3.11 for Workgroups on it.  Seems like they are having an awful
>time with this virus.

McAfee scan c: /boot /force should get rid of the virus. Similar to an fdisk /mbr

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 35]
*****************************************


