From Lehigh.EDU!owner-virus-l  Sun Mar 17 00:00:40 1996 remote from vhc
Message-Id: <01I2G0808C12RI5O92@csc.canterbury.ac.nz>
Date: 	Sun, 17 Mar 1996 10:36:12 +1200 (NZD)
Reply-To: virus-l@Lehigh.EDU
Sender: owner-virus-l@Lehigh.EDU
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>
Subject: VIRUS-L Digest V9 #36
MIME-version: 1.0
Content-transfer-encoding: 7BIT
X-Sender: cctr132@cantva.canterbury.ac.nz
X-Listprocessor-Version: 7.2 -- ListProcessor by CREN

VIRUS-L Digest    Sunday, 17 Mar 1996    Volume 9 : Issue 36

Today's Topics:

Administrivia (ADMIN)
Help!Youth-Silence
Virus problems on the net?
Re: Hard drive write protection
"Alive" mailing list (related resource)
Re: Hard drive hardware write protection
Re: What I need in an enterprise-wide scanner
Re: Virus Damage Statistics
Dr Solomon's Virus Stats (Feb 96)
What REALLY matters in Commercial Anti-Virus Software
What REALLY matters in Commercial Anti-Virus Software
Computer viruses in UNIX networks (UNIX)
Re: Macintosh Ram Virus?? (MAC)
Re: Macintosh Ram Virus?? (MAC)
Excel macro virus? (MAC,PC)
Re: MY DOCUMENTS folder virus? (WIN95)
Re: Win95 calculator virus? (WIN95)
Re: Windows 3.1 goes blind to icons, dies (WIN)
Re: Windows 3.1 goes blind to icons, dies (WIN)
Pieck. How to remove? (PC)
MS Macro Virus Tool (PC)
Stoned.Empire.Monkey_B (PC)
Re: Found a virus on my HDD.. (PC)
Possible virus--adds to command.com (PC)
I need info about HOT virus please (PC)
Re: McAffee Word Virus Utility (PC)
Please Help with BOOT-437 (PC)
Re: Problems accessing floppy drive (PC)
Re: Podaj hasLo? (PC)
Dir-2.a Virus - Please Help!!! (PC)
Greenstripe (PC)
Re: F-PROT, Opinions? (PC)
Help w/ possible boot sector virus (PC)
Re: Wordperfect 6.1 Virus? (PC)
CD Powerplay, Feb 1996, issue 10 - Virus infected? (PC)
Re: CD Powerplay, Feb 1996, issue 10 - Virus infected? (PC)
Virus Utility recommendation (PC)
Can't identify Virus, need help thanks (PC)
IBM APTIVA possible VIRUS (PC)
Re: What to do with suspected virus? (PC)
Natas on a Digital Computer (PC)
Re: Modem snag: Virus or NAV? (PC)
Re: Virus in Memory--sometimes (PC)
March Virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Thu, 16 Mar 1996 16:01:18
From: Nick FitzGerald <n.fitzgerald@csc.canterbury.ac.nz>
Subject: Administrivia (ADMIN)
X-Digest: Volume 9 : Issue 36

I seem to have resolved my problems with the new listserv software at
Lehigh and would like to say a big thank-you to Jim at the Computer Centre
there for all his patient help!

Thank-you to all the people who have replied about divide overflow errors
on PC floppy access or about the PRAM battery problem causing date/time
resets on Macs or about Netscape and RAM settings on Macs.  There have
been too many to send individual notes to, so please take this as a thank
you if you haven't/don't see your submission in the list/group.  I may
also have dropped a few submissions in other threads that are effectively
duplicates of postings I've OK'ed--I apologize here for not having sent
you a note if you authored one of these "unposted duplicates".

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
 n.fitzgerald@csc.canterbury.ac.nz  TEL:+64 3 364 2337, FAX:+64 3 364 2332
              Virus-L/comp.virus moderator and FAQ maintainer
   PGP fingerprint =  2E 7D E9 0C DE 26 24 4F  1F 43 91 B9 C4 05 C9 83

------------------------------

Date: Tue, 05 Mar 1996 08:11:01 -0500 (EST)
From: Fredrik Sundström <Fredrik.Sundstrom@hadar-gw.ideon.se>
Subject: Help!Youth-Silence
X-Digest: Volume 9 : Issue 36

We've gotten a bad new(?) virus displaying itself with the signature
"Youth-Silence".  It infects .dll files.  Can somebody help us with it?

				 Fredrik

------------------------------

Date: Tue, 05 Mar 1996 13:01:08 -0500 (EST)
From: Kerstin Muehle <muehle01@fsuni.rz.uni-passau.de>
Subject: Virus problems on the net?
X-Digest: Volume 9 : Issue 36

Has anybody heard of any virus problems on the Net?  I recently read an
article about it (it sounded dramatic) and wonder now whether there is
something new (a new problem) or whether the magazine has just made a
story out of things that have been known for years?

Thanks a lot for your answers

Kerstin

[Moderator's note:  Assuming this might be a reference to the so-called
Good Times "Email virus", there can be no better time to reprint the URLs
for Les Jones' Good Times FAQ:

On the WWW:

   http://www.usit.net/public/lesjones/goodtimes.html
   http://www.usit.net/public/lesjones/gtminifaq.html
   http://users.aol.com/macfaq/goodtimes.html
   http://users.aol.com/macfaq/gtminifaq.html

Via FTP:
 
   ftp://usit.net/pub/lesjones/good-times-virus-hoax-faq.txt
   ftp://usit.net/pub/lesjones/good-times-virus-hoax-mini-faq.txt
   ftp://users.aol.com/macfaq/good-times-virus-hoax-faq.txt
   ftp://users.aol.com/macfaq/good-times-virus-hoax-mini-faq.txt]

------------------------------

Date: Tue, 05 Mar 1996 13:01:30 -0500 (EST)
From: Kenneth VanWyk <Kenneth_VanWyk@cpqm.saic.com>
Subject: Re: Hard drive write protection
X-Digest: Volume 9 : Issue 36

Dave Pearce <dpearce@flash.net> asks:
> 1) Is it possible to take a stock IDE or SCSI controller and write-protect 
> the hard disk, i.e., so that all writes fail?

IMHO, one of the quickest and easiest ways of doing that is to use a
Syquest (or similar) removable drive.  Syquest has a 270 Mb drive that I
believe will accomplish what you're looking for, and it's almost as fast
as an entry-level hard drive (data throughputs of ~1300 Kb/sec are
normal).  They have IDE and SCSI versions, and can be used as the default
boot device.  Street price on the drive is, I believe, in the upper
US$300's, and the cartridges run about US$80.  Extremely useful (again
IMHO) for setting up test versions of numerous operating systems in a lab
environment.  (I'm sure that other non-Syquest drives will work just as
well.)  We have a lab system that we can quickly boot NT, Linux, Novell,
Win95, Win3.11, etc., just by popping in a different Syquest cartridge. 
Oh, and each Syquest cartridge was loaded from CD-ROM media.

Cheers,

Ken van Wyk

P.S. I have no affiliation with Syquest...

[Moderator's note:  Along that line, if better performance or greater
capacity is more important (and cost less so!), the new Jaz cartridge
drives from Iomega (500MB and 1GB) may be worth investigating too.  I have
no affiliation with Iomega.]

------------------------------

Date: Tue, 05 Mar 1996 13:48:53 -0500 (EST)
From: "Rob Slade, the doting grandpa of Ryan Hoff" <roberts@mukluk.hq.decus.ca>
Subject: "Alive" mailing list (related resource)
X-Digest: Volume 9 : Issue 36

MLALIVE.RVW   950508
 
"Alive 0, Alive 1", Suzana Stojakovic-Celustka, 1994
%A   Suzana Stojakovic-Celustka celustka@sun.felk.cvut.cz
%B   Alive Ejournal
%C   Prague/Zagreb
%D   March 1994, July 1994
%E   Suzana Stojakovic-Celustka celustka@sun.felk.cvut.cz
%P   Alive 0, 25K   Alive 1, 100K
%S   Alive
%T   Alive 0, Alive 1

Suzana Celustka is part of the international virus research community. 
She became active in research while attending university in Prague, but
comes originally from Croatia and is currently resident in Zagreb.  In
1993 she attempted to spur development of a proper definition of a viral
program (which still eludes researchers and writers) by promoting a virus
definition contest.  (She did put a bit of life into the proceedings by
calling for definitions not only in text and mathematical forms, but also
jokes and poetry.)

The lack of success in this area will be familiar to workers in the field
of artificial life, who have had similar difficulties in delineating life. 
As it happens, this is another area of Ms. Celustka's interests, and in
1994 she started "Alive" magazine, distributed electronically, in order to
examine the relation between computer viral programs and artificial life.

Two editions of the magazine have been published so far, with a third now
in process.  (The move back to Croatia and a period of ill health
contributed to the delay.)  "Alive 0" is stated to be the zeroth, or beta,
edition, and explains the background of the project.  It also contains the
results of the first contest, the definition of a computer virus, in the
technical categories.  There are also articles on the "lifelike"
characteristics of code for LAN token regeneration and on Cohen's theorem
of the "undecidability" of viral detection.

In "Alive 1", Ms. Celustka contributes two articles herself, one on the
nature and limitations of language (in regard to the problem of technical
definition), and another on the "Grand Debate" about the benefits versus
dangers of viral programs.

In addition to the feature and invited articles, each edition includes an
interview with at least one (and usually more) researcher prominent in the
field.  The participants in "The Great Debate", for example, were Fred
Cohen (cf BKSHRTVR.RVW and BKITSALV.RVW), Mark Ludwig (cf BKLUDWIG.RVW)
and Vesselin Bontchev.  The questions asked are incisive and insightful.

Alive is available in a number of ways.  Subscription requests should be
sent to celustka@sun.felk.cvut.cz.  Back issues are available from
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/alive,
ftp://ftp.demon.co.uk/pub/antivirus/journal/alive,
ftp://ftp.elte.hu/pub/virnews, ftp://ftp.u.washington.edu/public/Alive,
gopher://saturn.felk.cvut.cz, and gopher://ursus.bke.hu.  Send your
contributions and comments to celustka@sun.felk.cvut.cz.

Alive represents very real explorations in both virus and artificial life
research.  The opinions and thought presented are sometimes radical
departures from mainstream discussion.  With careful moderation and
editing, however, there is no chance of the "high noise/low signal"
traffic one usually sees in many more well known fora.  Alive is highly
recommended for any interested in viral or artificial life studies.

copyright Robert M. Slade, 1995   MLALIVE.RVW   950508

Postscriptum: As this review was being written, anti-personnel rounds were
falling on Zagreb.  Although the situation seems to have eased,
momentarily, Croatia still does not seem to be a preferred situation for
raising a family.  Although Ms. Celustka does not know I am adding this
message, I have reason to believe that she would appreciate any assistance
with employment or immigration which those in safer parts of the world
could give her.

============= 
Vancouver      ROBERTS@decus.ca             | "The only thing necessary
Institute for  Robert_Slade@sfu.ca          |  for the triumph of evil
Research into  Rob_Slade@mindlink.bc.ca     |  is for good men to do
User           slade@freenet.victoria.bc.ca |  nothing."
Security       Canada V7K 2G6               |            - Edmund Burke

------------------------------

Date: Tue, 05 Mar 1996 21:12:31 -0500 (EST)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: Re: Hard drive hardware write protection
X-Digest: Volume 9 : Issue 36

In article <0007.01I202XWQI3ARANAG7@csc.canterbury.ac.nz>
           padgett@goat.orl.mmc.com "Padgett 0sirius" writes:

> In article <0001.01I1X44CWLTKQKI9KO@csc.canterbury.ac.nz> Dave Pearce
> <dpearce@flash.net> writes:
> >
> >2) Is it possible to take a stock IDE or SCSI hard drive and write protect
> >it?  I know some SCSI hard drives have write protect jumpers but I haven't
> >found any in the 200 - 500 meg range.
>
> For SCSI it is just a matter of tying the write enable line (6 on an
> ST-506, forget which for SCSI) high through about a 10k resistor. IDE is
> more complicated since the controller is on the drive. You need logic for
> this but there were a few devices floating around a few years ago (were
> around U$200 and had few takers) to write protect all or part of an IDE.

Some Fujitsu IDE drives have a write-protect jumper.  At least 
there is a pair of pins documented as write-protect.  I haven't 
tried fiddling with them.  Maybe you could fit a switch on a 
pair of leads.

If you want a hard disk you can never write to, just get a CDROM 
burnt.

--
MAN PASSES                      DOG GETS OUT
          DOG HOUSE                         MAN GETS IN
                   DOG SEES CHIN                       Burma-Shave

------------------------------

Date: Wed, 06 Mar 1996 00:59:43 -0500 (EST)
From: Jan Hruska <Jan_Hruska@sophos.com>
Subject: Re: What I need in an enterprise-wide scanner
X-Digest: Volume 9 : Issue 36

Our SWEEP/InterCheck client-server solution available on just about
anything that computes including Mac/Win 95 clients and Windows
NT server probably fits the bill.

Answers to the wishlist:

>1. Real time file scanning of files being read to or from the NT Server,
>that would include copies not only executes.

Yes, at InterCheck client level.

>2. Scanning of Macintosh files on NT volumes, this seems to be a real
>problem.  Intel did it for NetWare, why not for NT.

Yes.

>3. Virus alerts when either Mac or PC clients execute or copy viruses to
>or from the server.

Yes.

>4. Selectable prescheduled scans of NT volumes, the Administrator should
>be able to schedule scans easily and efficiently.

Using the AT command.

>5. Single server management for the NT Server domain, the Inoculan product 
>from Cheyenne seems to do this very well.

To be released late Q2 96 at the same time as the GUI version.

>6. User friendly clients for Windows 95 and Macintosh.

Yes.

>7. In my opinion I am more concerned with the integrity of the NT File
>Server first and foremost then the stability of the clients.

Quite right.

>So far I've looked at Intel VirusProtect, Cheyenne Inoculan, McAfee
>VirusScan, and Symantec's products.  I'm trying to get Dr. Solomon, and
>F-Prot.

>Has anyone found a solution that answers these issues?

SWEEP for Windows NT is *not* a GUI (it runs as a 32-bit command line
app). By popular demand the GUI is under way and will be similar to our
SWEEP for Windows 95.

Look at http://www.sophos.com/. Evaluation copies of SWEEP for Windows
95/Windows NT/DOS etc plus InterCheck are available there.

Oh, SWEEP actually discovers viruses; it is not just an application with a
superb interface that doesn't actually do much.

------------------------------

Date: Wed, 06 Mar 1996 05:03:38 -0500 (EST)
From: Pavel Machek <machek@d12.novell.karlin.mff.cuni.cz>
Subject: Re: Virus Damage Statistics
X-Digest: Volume 9 : Issue 36

Jeff Beaubien (AnarchyX@charger.newhaven.edu) wrote:
: I am interested in obtaining statistical information regarding PC
: virus damage.  Examples include: how many viruses are there?  what is the
: estimated amount of financial cost incurred by computer viruses?  etc.
: If someone could provide a reference to an article or book (relatively
: recent), I would greatly appreciate it.

  I think that more damage is done by people trying to remove viruses than
by viruses.  I have heard about many people formatting their hard disk
because of some virus.  Some of the losses are because there are users who
see a virus even when no virus is there.

------------------------------

Date: Thu, 07 Mar 1996 05:28:38 -0500 (EST)
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Dr Solomon's Virus Stats (Feb 96)
X-Digest: Volume 9 : Issue 36

In-Reply-To: <01I1X44CWLTKQKI9KO@csc.canterbury.ac.nz>

Here are some statistics from the United Kingdom technical support
department of S&S International (developers of Dr Solomon's Anti-Virus
Toolkit).  These stats are for general interest and should not be treated
as gospel regarding which viruses are causing the largest problem (for
example, many corporate users dealing with Form, for example, will not
need to call us up for hand-holding and advice).

Virus Stats for February 1996

  EMPIRE MONKEY      17
  WINWORD.CONCEPT    16
  PARITY.B           15
  FORM               12
  ANTICMOS/D3        7
  MANZON 1400        6
  RIPPER             6
  TELEFONICA         6
  EXEBUG             5
  ANTIEXE            5
  SAMPO              3
  JUNKIE             3
  PETER II           3
  SHEHAS             2
  UNASHAMED          2
  VSIGN              2
  ANGELINA           1
  BARCELONA          1
  BEIJING            1
  BOOT.451           1
  CASCADE            1
  DIR.BYWAY          1
  FLOSS              1
  FRODO.4096         1
  IHC                1
  JOSHI              1
  JUMPER             1
  MTE                1
  NATAS              1
  NOINT              1
  SF2                1
  SPANISH            1
  TAIPAN             1
  TROJECTOR          1
  WORD MACRO.DMV     1
  WONKA              1

These figures are only for the UK.  They do not include data from our 
offices in the USA, Germany, or our distributors worldwide.

Regards
Graham
--
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Fri, 08 Mar 1996 04:50:25 +0000 (GMT)
From: wallewek@cadvision.com
Subject: What REALLY matters in Commercial Anti-Virus Software
X-Digest: Volume 9 : Issue 36

I've been installing McAfee at client sites lately, and have come to
the conclusion that it has significant problems.  Oh, I'm not talking
about _technical_ problems (well, there's a problem with slow floppy
access, but...).

The problem is that the average user site doesn't have a hope in hell
of updating their own software and/or data files.  Even if they PAY
for 2 YEARS of software updates, who is going to obtain and install
those updates?

Even if they have a modem, I'll bet dollars to donuts they don't know
how to use it to download software. Or have an Internet account.  Or
are willing to download those massive files at low modem speeds at
long distance daytime toll charges. Or can figure out how to apply the
updates.  Or have the time to figure all that stuff out, and not screw
it up!

All you anti-virus gurus have got it all wrong.  Those esoteric
technical arguments, and who's software detects a few more oddball
viruses, really doesn't matter in the workaday world.  What counts is
what can be installed and maintained by the typical secretary.

Any recommendations?

/kenw
Ken Wallewein
Calgary, Alberta
wallewek@cadvision.com
(403)274-7848

------------------------------

Date: Thu, 16 Mar 1996 16:01:18
From: Nick FitzGerald <n.fitzgerald@csc.canterbury.ac.nz>
Subject: What REALLY matters in Commercial Anti-Virus Software
X-Digest: Volume 9 : Issue 36

Ken Wallewein (wallewek@cadvision.com) wrote:

[snip]
> All you anti-virus gurus have got it all wrong.  Those esoteric
> technical arguments, and who's software detects a few more oddball
> viruses, really doesn't matter in the workaday world.  What counts is
> what can be installed and maintained by the typical secretary.

Not having any commercial ax to grind here, let me jump in first...   8-)

I spend a reasonable amount of time on Help Desk duties and it's not
uncommon to encounter viewpoints similar to Ken's (though often expressed in
different realms than antivirus software configuration difficulties).

I am strongly of the opinion that a lot of these complaints are from well
meaning people who have an unfortunately simplistic view of what computers
are about and how they (should) work.  Put very simply, I think a lot of
the "problems" I hear described, along with the attendant expectation that
any computer user should be able to fix them, are akin to expecting any
car owner to be able to fix anything that may go wrong with their car (and
only using a screwdriver at that!).

Unfortunately, the computer industry only has itself to blame for this. 
The people who have made fortunes hawking third-rate implementations
of second-rate computing ideas over the last ten years or so of the
"computer revolution" have mercilessly pushed the notion that computers
are a "consumer item", buy-and-go, plug-and-play--a bit more expensive
than, but essentially no different from, your typical toaster.  Can we all
say "vested interests"??  It is the insistent pushing and unfortunate
acceptance of this simplistic notion (which, if used as a line to sell
cars or just about anything else that typically costs more than an average
week's wage/salary, would see the vendor laughed out of the market) that
has led to the expectation that the unerringly complex issues involved in
antivirus technology should be able to be mastered by an office secretary.

There are some very difficult issues in detecting and "cleaning" computer
viruses from typical systems but the customers want simplicity.  They may
do better to wish for elegance--elegance -can- be simple, but it may not
be, and all that is simple is not elegant.  Most of all though, they
should expect software that works.  Unfortunately, IMHO, that is asking
too much of antivirus software -alone-.  The complexities, interactions
and other difficulties in what is an incredibly fast-moving sector of
computing probably cannot ever be adequately subsumed into one software
package (or even a whole raft of them).  There will always (or at least
for the substantial foreseeable future) be the need for informed,
intelligent (dare I say "expert") human input to resolve -some- antivirus
problems.

Expecting your company secretary to deal with this is about as smart as
buying a used car from an ex-president.  In the headlong rush of
"downsizing" and in "upsizing" smaller businesses with the latest
"essential" IT, critical systems and systems admin functions have
increasingly been pushed onto staff hopelessly under-prepared for these
roles.

Ken--you'd be doing your clients a favour by educating them a bit better
about what they are really trying to achieve and the true difficulties
involved, rather than fobbing them the "pill for every ill" formula they
expect to be prescribed and then complaining in Virus-L that the wonder
drug you want isn't available.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
 n.fitzgerald@csc.canterbury.ac.nz  TEL:+64 3 364 2337, FAX:+64 3 364 2332
              Virus-L/comp.virus moderator and FAQ maintainer
   PGP fingerprint =  2E 7D E9 0C DE 26 24 4F  1F 43 91 B9 C4 05 C9 83

------------------------------

Date: Sun, 03 Mar 1996 17:25:41 -0500 (EST)
From: Pete Radatti <radatti@cyber.com>
Subject: Computer viruses in UNIX networks (UNIX)
X-Digest: Volume 9 : Issue 36

Here is something that you may be interested in.  I would be very pleased
to have any comments you may have in return.  Please direct comments
directly to radatti@cyber.com in addition to the email server since I can
not always check the server daily.

Thanks,
Pete Radatti

BTW:  As way of context, my company CyberSoft, Inc. has been manufacturing
anti-virus solutions for all versions of Unix since 1990.  We invented
both heterogeneous and UNIX anti-virus technology.

PS:  If you would like more papers on this topic please let me know. - pvr

================================================================
CVIRUS.TXT  Start of document.  Please note that printed versions of this
document can be obtained by calling CyberSoft, Inc. 610/825-4748.  It can
also be read at our world wide web site, URL: http://www.cyber.com

Versions of this document were presented at the following conferences as
an invited paper: This paper is not the same paper as presented at the
conferences but is a work created from the same root.  Exact copies of the
papers presented are available as back issues from the individual
conference sponsors.

Virus Bulletin International 1995   *   September 21, 1995 Boston, Mass

8th Annual CALS Expo 1995           *   October 24, 1995 Long Beach, CA
 (National Security Industrial Association)

Photonics East 1995                 *   October 25, 1995 Philadelphia, PA
 (SPIE, International Society for Optical Engineering)

Open Systems Security 1996          *   March 5, 1996 Lake Buena Vista, FL
 (MIS Training, OSF, ISSA, Bellcore, InfoSecurity News)


================================================================

                                         Computer Viruses In Unix Networks

                                                          Peter V. Radatti

                                                   CyberSoft, Incorporated
                                 1508 Butler Pike  Conshohocken, PA. 19428
                                        Internet Email:  radatti@cyber.com

Copyright (c) August 1995, February 1996 by Peter V. Radatti.

Permission is granted to any individual or institution to use, copy, or
redistribute this document so long as it is not sold for profit, and
provided that it is reproduced whole and this copyright notice is
retained.


ABSTRACT

Unix systems are as susceptible to hostile software attacks as any other
system; however, the Unix community is zealous in its belief that it is
immune.  This belief is held in the face of historical reality.  The first
computer viruses created were on Unix systems.  The Internet Worm, Trojan
Horses and Logic Bombs are all ignored milestones in this belief.
Notwithstanding these beliefs, there is a growing concern among computer
security professionals about these problems.  This concern is based on
recognition of the complex nature of the problem and the increasing value
of Unix based networks.  Whereas the Internet Worm disrupted the Internet
in 1988, the cost was relatively low.  If this attack is repeated today,
the cost will be very high because of the new found importance of the
Internet, electronic business networks using EDI and private networks, all
of which are Unix based.

Traditional methods used against attacks in other operating system
environments such as MS-DOS are insufficient in the more complex
environment provided by Unix.  Additionally, Unix provides a special and
significant problem in this regard due to its open and heterogeneous
nature.  These problems are expected to become both more common and
pronounced as 32 bit multitask network operating systems such as Microsoft
NT become popular.  Therefore, the problems experienced today are good
indicators of the problems and the solutions that will be experienced in
the future, no matter which operating system becomes predominant.


2. THE EXISTENCE OF THE PROBLEM AND ITS NATURE

The problem of software attacks exists in all operating systems.  These
attacks follow different forms according to the function of the attack. 
In general, all forms of attack contain a method of self preservation
which may be propagation or migration and a payload.  The most common
method of self preservation in Unix is obscurity.  If the program has an
obscure name or storage location, then it may avoid detection until after
its payload has had the opportunity to execute.  Computer worms preserve
themselves by migration while computer viruses use propagation.  Trojan
horses, logic bombs and time bombs protect themselves by obscurity.

While the hostile algorithms that have captured the general public's
imagination are viruses and worms, the more common direct problem on Unix
systems are Trojan horses and time bombs.  A Trojan horse is a program
that appears to be something it is not.  An example of a Trojan horse is a
program that appears to be a calculator or other useful utility which has
a hidden payload of inserting a back door onto its host system.  A simple
Trojan horse can be created by modifying any source code with the addition
of a payload.  One of the most favorite payloads observed in the wild is
"/bin/rm -rf / >/dev/null 2>&1"  This payload will attempt to remove all
accessible files on the system as a background process with all messages
redirected to waste disposal.  Since system security is lax at many sites,
there are normally thousands of files with permission bit settings of
octal 777.   All files on the system with this permission setting will be
removed by this attack.  Additionally, all files owned by the user, their
group or anyone else on the system whose files are write accessible to the
user will be removed.  This payload is not limited to use by Trojan horses
but can be utilized by any form of attack.  Typically, a time bomb can be
created by using the "cron" or "at" utilities of the Unix system to
execute this command directly at the specified time.

[Moderator's note:  The full text of this paper can be read via the URL
given at the beginning of the paper or (in a few days) by retrieving a copy
under the name cvirus.txt.pvr from the Virus-L archives at

   ftp://cs.ucr.edu/pub/virus-l]
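The excerpt above names two concrete exposures: files left mode 777 (or otherwise world-writable), which a Trojan payload like "/bin/rm -rf / >/dev/null 2>&1" will delete even when run by an unprivileged user, and cron/at entries, which is where a time bomb would park that command.  The following POSIX shell audit is an added example and is not part of Radatti's paper or of CyberSoft's products; it uses only find, grep and ls, and the function names, the sample directory tree and the sample crontab are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the paper): audit for world-writable files and
# for crontab entries that carry a recursive forced rm of "/".
# Only POSIX find/grep/ls/mktemp are used. All sample data is constructed.

# count_world_writable DIR
#   Print the number of regular files and directories under DIR whose
#   "other" write bit (octal 002) is set. Symlinks are skipped; -xdev keeps
#   the walk on one filesystem so /proc and network mounts are not scanned.
count_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -002 2>/dev/null \
        | wc -l | tr -d ' '
}

# list_world_writable DIR
#   Same selection, printed as "mode owner ... path" so each hit can be
#   fixed (normally chmod o-w, or the sticky bit on shared directories).
list_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -002 \
        -exec ls -ld {} \; 2>/dev/null
}

# flag_timebomb_entries CRONTAB_FILE
#   Print non-comment crontab lines whose command is "rm -rf /" or
#   "rm -fr /" (bare or as /bin/rm), where "/" is followed by whitespace,
#   a redirection/separator, "*" (the "rm -rf /*" variant) or end of line.
#   "rm -rf /var/tmp/cache" is deliberately not matched.
flag_timebomb_entries() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -E '(^|[[:space:]/])rm[[:space:]]+-(rf|fr)[[:space:]]+/([[:space:]>;&|*]|$)'
}

# make_sample_tree
#   Build a constructed tree in a temp dir (not a real system): one 777
#   directory holding a 666 file, and a private directory with 600/644
#   files. Prints the tree's path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/shared" "$t/private"
    printf 'shared notes\n' > "$t/shared/notes.txt"
    printf 'secret\n'       > "$t/private/secret.txt"
    printf 'report\n'       > "$t/private/report.txt"
    chmod 777 "$t/shared";  chmod 666 "$t/shared/notes.txt"
    chmod 700 "$t/private"; chmod 600 "$t/private/secret.txt"
    chmod 644 "$t/private/report.txt"
    printf '%s\n' "$t"
}

# make_sample_crontab
#   Write a constructed crontab to a temp file and print its path.
make_sample_crontab() {
    c=$(mktemp) || return 1
    cat > "$c" <<'EOF'
# m h dom mon dow command   (constructed sample, not a real crontab)
0 2 * * * /usr/bin/find /tmp -mtime +7 -delete
0 4 * * * rm -rf /var/tmp/cache
30 3 13 5 * /bin/rm -rf / >/dev/null 2>&1
0 0 1 1 * rm -fr /* 2>/dev/null
EOF
    printf '%s\n' "$c"
}

# Demo against the constructed data; run as: AUDIT_DEMO=1 sh audit.sh
# Temp files are removed afterwards.
if [ "${AUDIT_DEMO:-0}" = 1 ]; then
    tree=$(make_sample_tree); cron=$(make_sample_crontab)
    echo "world-writable entries: $(count_world_writable "$tree")"
    list_world_writable "$tree"
    echo "time-bomb candidates:"; flag_timebomb_entries "$cron"
    rm -rf "$tree"; rm -f "$cron"
fi
```

On a real host, point count_world_writable and list_world_writable at / (as root, so nothing is hidden by permissions) and feed flag_timebomb_entries the output of `crontab -l` for each user plus the files under /etc/cron* and the at spool; the pattern is a starting point only, since an attacker can trivially obfuscate the command, so treat any unexplained entry as suspect rather than relying on the regex alone.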

------------------------------

Date: Tue, 05 Mar 1996 16:28:56 -0500 (EST)
From: Bruce Burrell <bpb@stimpy.us.itd.umich.edu>
Subject: Re: Macintosh Ram Virus?? (MAC)
X-Digest: Volume 9 : Issue 36

Thomas Vincent (runner12@ix.netcom.com) wrote:
> Does this sound like a Virus hiding? I start up my Mac and I try to open
> Netscape. It tells me that it doesn't have enough memory. I only have
> four extensions loaded. According to my addition in the about Macintosh
> menu, I am using 13 MB's of RAM out of 16 MB's. Though it says I only
> have one megabyte left of free RAM.

   Not a virus.  Select GetInfo from the File menu, and change the
preferred size for Netscape to something larger than what is there
already.  Also, it sounds from your description as if you might not have
32-bit addressing turned on -- check under the Memory Control Panel.

   -BPB

------------------------------

Date: Fri, 08 Mar 1996 10:29:29 +0000 (GMT)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: Macintosh Ram Virus?? (MAC)
X-Digest: Volume 9 : Issue 36

Thomas Vincent (runner12@ix.netcom.com) wrote:
: Does this sound like a Virus hiding? I start up my Mac and I try to open
: Netscape. It tells me that it doesn't have enough memory. I only have
: four extensions loaded. According to my addition in the About Macintosh
: menu, I am using 13 MB of RAM out of 16 MB. Though it says I only
: have one megabyte left of free RAM.

No, it doesn't sound like a virus. It sounds like memory configuration.
You don't say which version of Netscape you're running, but they all like
lots of memory (especially 2.x). You need to check (1) the memory
allocated to Netscape (2) the memory allocated to the system. You can
check the system memory usage by selecting About This Macintosh on the
Apple menu in Finder.

My guess is that Netscape has too little and the system has too much. How
much you need and how you reallocate it depends on which System version
you're running.

David Harley

------------------------------

Date: Thu, 07 Mar 1996 07:35:08 -0500 (EST)
From: Ted Karlsson <pronyx@oxelosund.mail.telia.com>
Subject: Excel macro virus? (MAC,PC)
X-Digest: Volume 9 : Issue 36

Is there anyone out there who knows how to exterminate the 'virus' in
Excel 5.0?? I also wonder where it comes from....

The virus doesn't do any harm, it just runs all macros in Excel.....

Ted Karlsson
pronyx@oxelosund.mail.telia.com

------------------------------

Date: Tue, 05 Mar 1996 15:00:58 -0500 (EST)
From: "Derek V. Giroulle" <Dirk.Giroulle@ping.be>
Subject: Re: MY DOCUMENTS folder virus? (WIN95)
X-Digest: Volume 9 : Issue 36

Jerry Meyers <jerrym@winternet.com> wrote:

>Noticed that Word occasionally can't save to MY DOCUMENTS folder but can
>save as to anywhere else on the disk. This is a sometimes occurrence.
>One minute Word can save to MY DOCUMENTS and the next it locks up trying
>to do it. I have reinstalled Word to no avail. Works after the install
>(saves to MY DOCUMENTS) then the next minute it will not, but the rest of
>Win95 is ok. I have run various older anti-virus software to no avail.
>Anyone else experience this? Is it a virus, it sure acts like one.
>Alas I can only delete MY DOCUMENTS from NT. That will be my last
>resort. A virus or not?

I won't exclude that you might have a virus (that's for you to decide with
AV software), however I had similar problems and logged a support call with
the Belgian MS helpdesk.

(This was on Word 6.0 for Win - not the Win95 version)
Their database has a document on such matters related to ver 2.0 of
WinWord, which claims it has been resolved in ver 6.0; nevertheless I
had these problems.

Microsoft claimed it had to do with SHARE being loaded high,
incorrect parameters, and VSHARE loaded in system.ini;
however the problem stayed there, no solution has been found... and MS
hasn't communicated one.

Dirk.Giroulle@ping.be
http://www.ping.be/~ping0010
Life is like a peepshow, through a little window you never get to see what you went in for (based on fvu's definition of panning)

------------------------------

Date: Tue, 05 Mar 1996 17:42:34 -0500 (EST)
From: George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Subject: Re: Win95 calculator virus? (WIN95)
X-Digest: Volume 9 : Issue 36

In article <0019.01I202XWQI3ARANAG7@csc.canterbury.ac.nz>, Richard
Martinolich <gmargino@direct.ca> wrote:
>I just contracted a virus that is turning all my Win95 applications to
>calculator. I heard it was from McAfee and I can't get rid of it. Any advice
>would be appreciated.

McAfee produces an anti-virus product, not viruses.  What do you mean that 
your Win95 applications are turning into calculators?  Is the icon
changing, or is the file being overwritten?  If others have access to your
computer, could it be that they're playing pranks on you?

Regards, 

George Wenzel

 ("`-''-/").___..--''"`-._       George Wenzel <gwenzel@gpu.srv.ualberta.ca>
  `6_ 6  )   `-.  (    ).`-.__.`)Student of Wado Kai Karate
  (_Y_.)'  ._   )  `._ `.``-..-' U of A Karate Club
 _..`--'_..-_/  /--'_.' ,'       HTTP://www.ualberta.ca/~gwenzel/
(il),-''  (li),'  ((!.-'         PGP Public key available on request

------------------------------

Date: Tue, 05 Mar 1996 13:50:18 -0500 (EST)
From: Charles Hersey <gingers@magnet.ca>
Subject: Re: Windows 3.1 goes blind to icons, dies (WIN)
X-Digest: Volume 9 : Issue 36

I'm not real good at this, but where are your  *.grp  files?

Also, What does your progman. file have listed?

------------------------------

Date: Thu, 07 Mar 1996 18:36:39 -0500
From: MMarsh8175 <mmarsh8175@aol.com>
Subject: Re: Windows 3.1 goes blind to icons, dies (WIN)
X-Digest: Volume 9 : Issue 36

I had almost the same problems. I kept losing program groups in Windows
3.1.

I bought Norton Antivirus and found the "TPE.Bosnia" virus, which infects
.COM files. Then I checked my IBM Aptiva Original Software CD and found
the same virus ! I notified IBM, they don't really believe me, I had to
scan again and I found it in the same file on the CD. They want it so they
can scan it themselves. But wasn't it scanned before it left the
manufacturer? They sold me the virus so they can reimburse me for my
costs. Then they can have the CD. So if you have original software on CD,
I suggest you check it out!

------------------------------

Date: Tue, 05 Mar 1996 15:08:34 -0500 (EST)
From: Paul Egan <ai657@freenet.toronto.on.ca>
Subject: Pieck. How to remove? (PC)
X-Digest: Volume 9 : Issue 36

We got it. Twice in two years now. Does FDISK /MBR really
get rid of it? Any info would be greatly appreciated.

Thanks.

------------------------------

Date: Tue, 05 Mar 1996 15:49:25 -0500 (EST)
From: "Sandro V. Cuccia" <cucciasv@a1.lldmpc.umc.dupont.com>
Subject: MS Macro Virus Tool (PC)
X-Digest: Volume 9 : Issue 36

Am evaluating the option of using either Microsoft's Macro Virus
eradicator, or just going with the latest Norton AntiVirus version and
signature files.... any experience, pro or con, either way?

Thanks in advance, Sandro

------------------------------

Date: Tue, 05 Mar 1996 17:03:22 -0500 (EST)
From: Virex1 <virex1@aol.com>
Subject: Stoned.Empire.Monkey_B (PC)
X-Digest: Volume 9 : Issue 36

SOS... SOS...

I had a floppy disk infected with the Stoned.Empire.Monkey_B virus. While
attempting to disinfect the floppy I ended up infecting my internal HD by
way of forgetting the infected disk in the floppy drive while re-booting
the PC. However, I was able to remove the infection from my internal HD
immediately with a program called Virex for the PC v2.96. After
successfully removing the virus infection, now the only way I'm able to
see my internal HD is by starting the PC with a system disk; if I try a
normal startup a message indicating that a boot sector virus may still be
in my internal HD appears and doesn't let me go on.  I also tried running
FDISK /MBR to no avail.  It does not even get to Config.sys or
Autoexec.bat.

Please note that I am sure that my CMOS setup from AMI BIOS 1992 *is
not* set up to protect my HD boot sector.

Please help.

1800-445-3311 ext. 546

Thanx in advance.
Moises Valdez

------------------------------

Date: Tue, 05 Mar 1996 17:32:10 -0500 (EST)
From: George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Subject: Re: Found a virus on my HDD.. (PC)
X-Digest: Volume 9 : Issue 36

In article <0035.01I202XWQI3ARANAG7@csc.canterbury.ac.nz>, Pow
<KRISTS@r1g.edu.lv> wrote:
>I found a virus on my HDD. System speed was 3x slower than it
>should be. I booted from clean diskette and found out that my c: disk
>is encrypted. I can't find anything on my HD while it's not in
>memory..
>
>The virus is polymorphic full memory stealth, I think. Infects
>COM/EXE/BS/MBR/SYS. It takes 10Kb memory. What can I do? Can someone
>help me?

This may seem like a simple question, but what program said you had a
virus, and which virus did it say you have?  I'd suggest you clean-boot
from a DOS system disk (uninfected) and run a reputable anti-virus program
after that.  It should provide an option for cleaning.

Regards, 

George Wenzel

------------------------------

Date: Tue, 05 Mar 1996 18:41:03 -0500 (EST)
From: Greg Wesson <chaotic@pe.net>
Subject: Possible virus--adds to command.com (PC)
X-Digest: Volume 9 : Issue 36

Hello, my name is Greg Wesson.  I think I have a virus, but I'm not sure. 
I am running DOS 6.22 and Windows 3.1 (just upgraded to 3.11).  About 30-40
days ago, I got an error when starting DOS.  The error said "Bad or
missing command interpreter (i.e. c:\command.com)" and then prompted me
with "c>".  I have downloaded some things from reputable (I think) places
such as Bloodlust software.  However, I have also downloaded things from
Usenet.  My anti-virus program is Microsoft Anti-Virus.  When I scan now,
it detects changes in many files in the DOS, WINDOWS, and ACER
directories, but no viruses.  A friend of mine says that he scanned a disk
that I gave him of 2 bmp files that I scanned using a Logitech ScanMan and
he said that there was a virus called "LEONARDO." 

Any input you can give me on this subject would be a great help.  As I am
new to this group I ask that you please mail me directly (if that's a
problem, I'll just check back here in a few days).  Thanks in advance.  I
appreciate your help.

Greg "CHAOTIC" Wesson

------------------------------

Date: Tue, 05 Mar 1996 23:15:46 -0500 (EST)
From: David Yates <david@yates.dungeon.com>
Subject: I need info about HOT virus please (PC)
X-Digest: Volume 9 : Issue 36

I have just got rid of the HOT virus which was picked up by McAfee's
VirusScan but not a 6 month old version of Dr Solomon's which hasn't
even heard of HOT.

If anybody knows anything about this virus, please let me know

David Yates

david@yates.dungeon.com

------------------------------

Date: Tue, 05 Mar 1996 23:16:24 -0500 (EST)
From: Hunter <hunterj@nethost.multnomah.lib.or.us>
Subject: Re: McAffee Word Virus Utility (PC)
X-Digest: Volume 9 : Issue 36

On 3 Mar 1996, Powerless wrote:

> Eric Choiniere <choua@graf.polymtl.ca> wrote:
> 
> >Does anybody
> >know how to disable this McAffee utility so that Word works fine again?
> 
> I have had NOTHING but trouble with my McAfee product.  I bought
> VirusScan and plan to bring it back for a refund.  The virus database
> is outdated, and McAfee will not respond to my inquiries.

Likewise I've had zero response from their phantom support, and continuing
trouble updating the files. I'm very sorry I bought it and would advise
everyone not to repeat my mistake. 

Hunter

------------------------------

Date: Wed, 06 Mar 1996 02:17:47 -0500 (EST)
From: Dean <bell@ottawa.net>
Subject: Please Help with BOOT-437 (PC)
X-Digest: Volume 9 : Issue 36

I have detected this virus but I think I can remove it with F-PROT v2.21.

BUT I need some help on how to check all of my diskettes and rid them of
it also. Can anyone please e-mail me with some help. It would be greatly
appreciated.

Please e-mail me because I'm not sure how fast my server is at receiving
new posts.

                                       Thanks a lot.

bell@ottawa.net

[Moderator's note:  If your AV software can handle a boot sector virus on
your hard-drive, it would be most unusual for it to not also deal with
infected floppies, as they are the only source of re-infection.]

------------------------------

Date: Wed, 06 Mar 1996 05:10:47 -0500 (EST)
From: Pavel Machek <machek@d12.novell.karlin.mff.cuni.cz>
Subject: Re: Problems accessing floppy drive (PC)
X-Digest: Volume 9 : Issue 36

Philipp Stampfu (stampfu@urix8.uni-muenster.de) wrote:
: I have a problem with my floppy-disk-drive and I think it's a virus. Here's
: my problem:

: If I boot the computer with OS/2:
:   I copy files to a disk and compare them with COMP. Then there are always
:   some files on the disk which are different from the original files.
:   This problem does not occur if I copy the files from the hard-disk to
:   another directory of the hard-disk.

  A DOS virus cannot work when OS/2 is booted (OS/2 probably has its own 
floppy drivers, hasn't it?)

: If I boot the computer with DOS:
:   If I compress files with PKZIP and I copy the file NAME.ZIP to the
:   floppydisk and then back to the harddisk, I can't uncompress the file.

  That's strange. 

: And now, why I think it's a virus:
:   If I start my computer with a DOS bootdisk, the problem doesn't occur.

: But I have not found any virus with McAfee.

  And now, why I think it may not be a virus:

  Try to boot DOS from the HDD, but bypass config.sys & autoexec.bat. I think
the problem is much more likely to be related to some of your TSRs / device
drivers.

------------------------------

Date: Thu, 07 Mar 1996 04:11:41 -0500 (EST)
From: Pavel Machek <machek@d12.novell.karlin.mff.cuni.cz>
Subject: Re: Podaj hasLo? (PC)
X-Digest: Volume 9 : Issue 36

saai (saai@passport.ca) wrote:
: This came up on one of our pc's yesterday. MS Anti-virus didn't find any
: viruses (virii?). Where can I get information about this?

"Podaj Haslo" is in Slovak language and means "Enter password".

------------------------------

Date: Thu, 07 Mar 1996 06:49:56 -0500 (EST)
From: Ian Elrick <j.s.elrick@forth.stir.ac.uk>
Subject: Dir-2.a Virus - Please Help!!! (PC)
X-Digest: Volume 9 : Issue 36

I have just found a pc infected with the above beastie at my site.

Neither the latest versions of F-Prot or Dr Sols can clean it.

It is only the one machine so far but I am keen to get a fix before it
spreads.

Does anyone know how to clean this?

Thanks in advance

Ian Elrick

------------------------------

Date: Thu, 07 Mar 1996 07:05:23 -0500 (EST)
From: Richard Griffiths <rgriff@cix.compulink.co.uk>
Subject: Greenstripe (PC)
X-Digest: Volume 9 : Issue 36

Has anyone heard of the Greenstripe virus? Apparently it affects 
datafiles...how would that work?

Richard Griffiths

[Moderator's note:  The only GreenStripe virus I know of is the first (?)
AmiPro macro virus.  It doesn't infect "datafiles" but AmiPro document
files, .SAM (or more accurately, their associated macro files, .SMM).]

------------------------------

Date: Thu, 07 Mar 1996 07:41:53 -0500 (EST)
From: Al Kimel <akimel@awod.com>
Subject: Re: F-PROT, Opinions? (PC)
X-Digest: Volume 9 : Issue 36

George Kalemanis <georgek@TSO.Cin.IX.net> writes:
> I have been working as a tech. for quite some time, and been using F-PROT.
> While F-PROT is not 100% fool proof, I do believe it is the best, and even
> install it in all machines that get configured or serviced free of charge,
> whether it needs it or not.  How many people agree, or are there better
> scanners out there that people use -  I haven't been real impressed with
> McAfee (some viruses pass though McAfee using the latest version, while
> older F-PROT copies still detect).

George, you may find of interest this link, which will lead you to
a number of test results.  F-Prot scores consistently very well,
but there are other very good products too:

http://www.valleynet.com/~joe/avtest.html

Al

------------------------------

Date: Thu, 07 Mar 1996 10:45:19 -0500 (EST)
From: veilleux@tiac.net
Subject: Help w/ possible boot sector virus (PC)
X-Digest: Volume 9 : Issue 36

I've been having a problem with what I believe is a virus.  I have
McAfee VirusScan95 in my autoexec.bat.  When I boot up, I get the
message "Traces of virus found in memory.  This may be an active virus
or an image left by a previous operation."  Then it tells me to shut
down, and boot from a floppy, and I think you guys know the routine
from there.

Well, I've run F-Prot from a bootable floppy, and nothing was found.
I've changed the autoexec.bat to get into Windows95, and run the virus
scans from there - again, nothing, and I used McAfee and Microsoft
Anti-Virus.  So, now 3 in total have told me there's nothing there,
but McAfee won't let me boot up my PC.  Other than reformatting my
computer, any suggestions?  

And McAfee hasn't been much help to me.  They've been going crazy with
calls about Michelangelo, and I'll be damned if I'm going to sit on
the phone with them in San Jose or wherever they are (I'm in Boston)
for an hour when it's not a toll-free line.

So, if anyone could shed some light on this for me, that would be
fantastic.  Thank you much........

Pete

------------------------------

Date: Thu, 07 Mar 1996 11:59:02 -0500 (EST)
From: Doug Reed <dreed@panda.uchc.edu>
Subject: Re: Wordperfect 6.1 Virus? (PC)
X-Digest: Volume 9 : Issue 36

Joe Marshall wrote:

> I am a technician at a community college and we are having trouble with
> WordPerfect 6.1 for Windows going down.  It seems that files are being
> deleted in Windows as well as other different applications.
> 
> Windows kernel becomes damaged and parts if not all of WordPerfect become
> damaged.
> 
> We have tried the latest versions of McAfee's VShield and Scan and have
> also tried F-Prot, both of which have been very successful in the past at
> locating viruses, but neither one of these find any viruses on the
> computers with the problems.
> 
> If anyone out there has any info I'd appreciate the help.

We've been having similar problems here.  In our case, the Windows
Registration database was altered, resulting in damage to both
WordPerfect 6.1 and Word 6.0.  Correcting the database and reinstalling
solved the problem (for now).  Let me know if you find anything out!

------------------------------

Date: Thu, 07 Mar 1996 11:59:03 -0500 (EST)
From: Arild Bjoerk <abjork@sn.no>
Subject: CD Powerplay, Feb 1996, issue 10 - Virus infected? (PC)
X-Digest: Volume 9 : Issue 36

I scanned the CD-ROM with IBM Antivirus v. 2.3 and got the following
result:

Infection warning:
   Infected object: E:\HINTS\ONEFALL\OMFUP21\FILE0001.EXE
   (A) TaiPan-438
   Unusual virus strain.
   the Taipan-438 virus
Infection warning:
   Infected object: E:\OMF\FILE0001.EXE
   (A) TaiPan-438
   Unusual virus strain.
   the Taipan-438 virus
Infection warning:
   Infected object: E:\TYRIAN\HELPME.EXE
   (A) TaiPan-438
   Unusual virus strain.
   the Taipan-438 virus
Infection warning:
   Infected object: E:\TYRIAN\ORDER.EXE
   (A) TaiPan-438
   Unusual virus strain.
   the Taipan-438 virus
File check completed.
1046 files and boot records were checked for viruses.

Then I scanned it with F-prot v. 2.21, using both ordinary and
heuristic scan, but F-prot did not report any viruses. 

I think it is a false alarm from IBM Antivirus v. 2.3, but I am
wondering if anyone has scanned the CD-ROM with other
antivirus programs.

Arild Bjork
abjork@sn.no

------------------------------

Date: Fri, 08 Mar 1996 07:29:49 -0500 (EST)
From: "David M. Chess" <chess@watson.ibm.com>
Subject: Re: CD Powerplay, Feb 1996, issue 10 - Virus infected? (PC)
X-Digest: Volume 9 : Issue 36

Thanks for the note!  If a file has been infected by the
Taipan-438 virus, and then disinfected with a program that
does not completely remove the virus code from the end of
the file (some old versions of McAfee's CLEAN, for instance),
IBMAV 2.3 will report the file infected with an "unusual
strain" of the virus.  In fact, while 16 or 24 bytes of the
virus are still in the file, they are not active, and
running the program will not cause the virus to execute.
IBMAV 2.4 will not report such files as infected.  I
imagine that is what has happened in this case.  Users
may wish to contemplate the wisdom of distributing a
program which has been infected and then imperfectly
disinfected (rather than, say, regenerating it from
clean original sources).

DC

------------------------------

Date: Thu, 07 Mar 1996 20:29:05 +0000 (GMT)
From: James Thompson <AAQF89A@prodigy.com>
Subject: Virus Utility recommendation (PC)
X-Digest: Volume 9 : Issue 36

I was about to purchase VirusScan by McAfee until I read reports (email 
messages) indicating dissatisfaction with the product.  Can anyone 
recommend a virus utility with a good track record?  In spite of its 
weaknesses, is VirusScan still the best package out there?

Please respond in the newsgroup or to my email address AAQF89A@PRODIGY.COM

Thanks!!

------------------------------

Date: Thu, 07 Mar 1996 21:07:26 +0000 (GMT)
From: "D. T.K. Lu" <dtlu38@quads.uchicago.edu>
Subject: Can't identify Virus, need help thanks (PC)
X-Digest: Volume 9 : Issue 36

Hi, I can't identify a virus I think I have on my PC.

When I turn my computer on, it accesses the hard drive momentarily and
then starts beeping 3 times in a row, then a pause, and then 3 more beeps.
The screen is blank while this is going on.

I can't boot from a floppy because the computer doesn't even check the
floppy drive, it just goes into its frozen beep mode.

Does anyone know what virus this is, and what I can do about it?
Someone suggested it may be my hardware, but I don't think so.

Thanks for your help

[Moderator's note:  Sounds like hardware to me.  Who knows what 3 beeps
when the POST fails means??]

------------------------------

Date: Thu, 07 Mar 1996 18:58:43 -0500
From: MMarsh8175 <mmarsh8175@aol.com>
Subject: IBM APTIVA possible VIRUS (PC)
X-Digest: Volume 9 : Issue 36

After months of grief, I have discovered the virus "TPE.Bosnia" on my hard
drive. After deleting it I ran a check on the "IBM Aptiva Original
Software CD" and found the virus on it also ! I checked again later on
just to be sure and it IS there. I notified IBM of it, they really don't
believe me, but are sending me a new CD and want me to send the infected
one. I just want to alert all IBM Aptiva owners of a possible virus in
their system. Losing program group files, GPF's, and memory error messages
are a clue. 

------------------------------

Date: Thu, 07 Mar 1996 17:31:01 -0700
From: Mark West <mwest@primenet.com>
Subject: Re: What to do with suspected virus? (PC)
X-Digest: Volume 9 : Issue 36

On 26 Feb 1996 13:36:41 -0000, in comp.virus you wrote:

>Are there any GOOD programs for virus detection and removal ...

	You may have a virus, then again it's quite likely you are
having hardware and/or software problems.

	I suggest you get a copy of Integrity Master which is a fine
Antivirus program as well as used for tracking file corruption
problems.  

	In the documentation there is a discussion of how to monitor
your system to determine if you indeed have a virus or if there is
another, more common, cause of data corruption.

	By using Integrity Master you will know specifically which
files are damaged so you may restore them from backup.

	You can locate Integrity Master (IM) from any SimTel site or
find a link to download it from the AntiVirus Resources Web page, URL
in sig.

	The latest version is 2.61b.  The filename is: I_M261B.ZIP.

===
Mark West <mwest@primenet.com>
PGP FngPnt: 42 98 08 7D F5 AC B0 F7 89 A1 81 1A 97 FC F4 EC

AntiVirus Resources:
http://www.primenet.com/~mwest/av.htm
Report a virus attack:
http://www.primenet.com/~mwest/vir-vrf.htm

Mark West <http://www.primenet.com/~mwest/>

Visit <http://www.cdt.org/ciec/> on or before Fr 15 Mar 96 to become
a plaintiff in the lawsuit against the Communications Decency Act.
Include this paragraph as a meme virus in your .sig until then.

------------------------------

Date: Thu, 07 Mar 1996 19:44:57 -0600
From: Alberto Mondragon Maldonado <qr248226@campus.qro.itesm.mx>
Subject: Natas on a Digital Computer (PC)
X-Digest: Volume 9 : Issue 36

	I have Natas v. 4.xx on a Digital. The problem is that I can't
boot from a clean diskette, since the main partition of the HD is
detected as a non-DOS partition, and when I try to access the HD after
booting from a clean diskette I get the following message:

	"Invalid Drive specification"

	The virus has not attacked...yet, but I really need help. 

	Please, I will be more than grateful. 

	Yours 
	Alberto Mondragon
	Queretaro, Mexico

[Moderator's note:  People--you really must give us more details. 
Alberto's problem is easily fixed with most AV s/w by using a commandline
option to tell the software to use BIOS level access to the hard drive(s)
and not to use DOS-level access.  The option is different for each
package, so please at least tell us what AV s/w you are using...]

------------------------------

Date: Thu, 07 Mar 1996 21:22:17 +0000 (GMT)
From: Shane Coursen <scoursen@symantec.com>
Subject: Re: Modem snag: Virus or NAV? (PC)
X-Digest: Volume 9 : Issue 36

In article <0038.01I202XWQI3ARANAG7@csc.canterbury.ac.nz>, 
higgins@dorsai.dorsai.org says...
>
>I've got this odd snag with my Windows communications programs. Three
>times now, stuff like AOL, Trumpet Winsock, and even Terminal all stop
>working. Either they can't recognize my modem or they reboot my machine
>whenever I try to logon. Procomm Plus for DOS works just fine, so it
>isn't the modem. The MIS guys have "fixed" the problem but have
>never been able to tell me exactly what they did in the past to resolve
>it.
>
>The only pattern I can see is that it might be happening after I
>inoculate files via Norton Anti-Virus. That's absolutely the case today.
>So am I the victim of a) some sort of virus; b) Norton or c) some other
>mishap I can't identify?

John,

My immediate impression is this is probably not a virus.  

Not recognizing the modem would indicate the path to- or the actual 
configuration file (for the communications programs) has been lost 
or corrupted.  

Another reason could be multiple communications programs are 
attempting to access the same modem simultaneously.  In most cases, 
only one comm. program will be allowed access to the modem.  Once 
in control, all other comm. programs are effectively locked out.

Rebooting is another story.  That could indicate a possible 
computer virus...like the Vienna virus.  If you run one of the 
comm. programs .EXE files, and your system reboots, it could possibly 
be infected.  

Feel free to send us a copy of that .EXE to our AV lab.  Instructions 
for submitting a possible virus to the lab are located in the back of 
the NAV manual.

Since I do not have a definite answer, I've forwarded this information 
to Symantec Technical Support.  If there are any potential conflicts, 
they will recognize them.

As soon as any information becomes available, I will certainly let 
you know.

--
Shane Coursen                                        Symantec Corporation
Computer Virus Researcher                http://www.symantec.com/avcenter
AntiVirus Research Center                                 CIS:  GO SYMWIN
scoursen@symantec.com                                           GO SYMNEW
      US Support:  541-465-8420                            AOL:  SYMANTEC
European Support:  31-71-353-111       Australian Support:  61-2-879-6577

------------------------------

Date: Fri, 08 Mar 1996 09:07:55 +0000 (GMT)
From: thebob <thebob@usa.pipeline.com>
Subject: Re: Virus in Memory--sometimes (PC)
X-Digest: Volume 9 : Issue 36

You might want to try checking her machine freestanding (not connected
to the LAN), then check the LAN while her machine is not connected. If her
machine comes up dirty while off line, you may have a WORM in the system
that resides on her address.

If so, whack it when it has no place to run and hide, when it's off line.  

Could happen.
--

thebob

["could" yes, but what PC worms are widespread enough in the wild for
popular (or any!) AV s/w to detect?--Moderator.]

------------------------------

Date: Fri, 08 Mar 1996 14:48:33 +0500 (GMT+0500)
From: Parameshwar Babu <MDSAAA28@giasmd01.vsnl.net.in>
Subject: March Virus (PC)
X-Digest: Volume 9 : Issue 36

A company (in India) developing virus scanners has claimed that it has
detected a virus called 'Print screen' which will wipe out all the
data on infected hard disks and diskettes on *all* days in the month
of March.

This boot sector virus can affect all OS such as DOS, OS/2, Win95
UNIX and file servers (NT & Novell).

It activates a reformatting routine (int 13h) which overwrites
some junk on the hard disk track by track.

I would like to know whether it is really a new virus or has it 
already been known around the world.

Or are there any scanners available on the Internet?

Regards,
B.Kandasamy

Plans Proposals & Projects,  16, Periyar Street, Gandhi Nagar
(Consultants)                Saligramam,  Madras 600 093 India.
 ___ ___ ___                 Phone/fax/modem : 91-44-4831145
| _ \ _ \ _ \                Email/FINGER : MDSAAA28@giasmd01.vsnl.net.in
|  _/  _/  _/        
|_| |_| |_|          <URL:http://www.lookup.com/homepages/66039/home.html>
-------------------------------------------------------------------------

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 36]
*****************************************