Date: 	Wed, 20 Mar 1996 03:18:18 +1200 (NZT)
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>
Subject: VIRUS-L Digest V9 #37

VIRUS-L Digest Wednesday, 20 Mar 1996    Volume 9 : Issue 37

Today's Topics:

Command Software solicits votes for Infosecurity News award.
Can two hard drives help keep viruses controlled?
CyberSoft web page
Macro virus FAQ
F-PROT 2.22 is out
fp-222.zip Virus Protection system by Fridrik Skulason
Re: What I need in an enterprise-wide scanner
Re: Virus Damage Statistics
Re: Hard drive hardware write protection
Enterprise Security Workshop Extended deadline
Good Mac Virus Software (MAC)
Re: Macintosh Ram Virus?? (MAC)
Disk problem--virus? (MAC)
Re: Effects of Word.Concept Virus? (MAC,WIN)
Re: WinWord.Nuclear (MAC,WIN)
Win95 and TBAV (WIN95)
Re: McAfee 2.0 for Win95 "feature" (WIN95)
New Scanner finds/removes UNKNOWN Winword macro viruses (WIN)
Re: Nov 17th virus (PC)
CONCEPT/Word Perfect macro: really no cure? (PC)
Havoc ][ and Virus List (PC)
Microsoft Anti-virus memory problems (PC)
Info on Smiley Boot? (PC)
Re: Cpw Virus (PC)
Re: AntiExe- What are the sysptoms? (PC)
Re: NYB Virus (PC)
Disk drivers with boot sector protection (PC)
Re: Michelangelo recovery methods (PC)
Re: Modem snag: Virus or NAV? (PC)
New virus?!? or Disk drive problem (PC)
MSAV says files changed (PC)
Re: Directory problem (PC)
Possible new virus??? (PC)
Re: Virus in Memory--sometimes (PC)
Re: Viruses that damages hardware (PC)
Re: FORM_D boot sector virus (PC)
Novice with a virus? (PC)
Re: Directory problem (PC)
HELP! Floppy disks messed up! (PC)
Re: Ripper and NYB (PC)
Form Virus On A Lan (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Fri, 08 Mar 1996 10:54:00 -0800
From: 'Mike' M Ramey <mramey@u.washington.edu>
Subject: Command Software solicits votes for Infosecurity News award.
X-Digest: Volume 9 : Issue 37

I just got an unsigned fax from "Command Software Systems" which says: 

   "Dear Valued Customer:
      "F-PROT Professional has been chosen as a finalist in the 
   'Best Anti-Virus Product' category of the Infosecurity News 
   Readers Trust Awards.  ...
      "Winning this award requires an additional type of recognition - 
   a vote from you, our valued customer.  Please show your support by 
   completing the ballot attached.  It's up to you to select F-PROT 
   Professional as the 'Best Anti-Virus Product.'
      "The magazine is offering an incentive.  When you vote in the 
   Infosecurity News Readers Trust Awards, you become eligible to win
   many prizes.  See the attached materials for details."
      "... Please fill out the attached ballot and fax it to Infosecurity
   News by April 26th.  Their fax number is ... "

I resent being solicited by a manufacturer to vote for their product in a
magazine popularity contest.  I have some experience with anti-virus
products and report problems I encounter to the product vendor and
sometimes to the comp.virus and alt.comp.virus newsgroups.  I do *not*
consider myself a virus expert, capable of performing thorough, meaningful
tests on anti-virus products.  I would not trust this "Award"  to guide me
in the selection of an anti-virus product.  I have been a licensed user of
F-PROT shareware for several years; I have tried an evaluation copy of
F-PROT professional, and I am also considering Dr. Solomon's Anti-Virus
Toolkit for multiple platforms including Macintosh.  -mr

------------------------------

Date: Fri, 08 Mar 1996 16:56:01 -0800
From: WhiteD <w_dragon@shout.net>
Subject: Can two hard drives help keep viruses controlled?
X-Digest: Volume 9 : Issue 37

If you have two hard drives and one hard drive has the virus will the 
other get contaminated???

					-WhiteD

------------------------------

Date: Fri, 08 Mar 1996 18:17:24 -0500 (EST)
From: Pete Radatti <radatti@cyber.com>
Subject: CyberSoft web page
X-Digest: Volume 9 : Issue 37

Our web page (www.cyber.com) should now be available.
It doesn't say much of anything yet but stay tuned.
We plan to have white papers, tools, updates and 
anything else that may be useful available.

Pete Radatti
radatti@cyber.com

------------------------------

Date: Sat, 09 Mar 1996 22:44:45 +0000 (GMT)
From: Edward Fenton <ris1@gate.net>
Subject: Macro virus FAQ
X-Digest: Volume 9 : Issue 37

Version 2.0 of Richard Martin's FAQ on MS WORD 6.x MACRO VIRUSES, written 
for the alt.comp.virus newsgroup, is available for anonymous FTP at the 
ChekMate FTP site. 

     ftp.gate.net/pub/users/ris1/word.faq

 +---------------------+------------------------+----------------------+
 | Ed Fenton | U.S./Canadian agent for ChekMate | ris@transit.nyser.net|
 +---------------------+------------------------+----------------------+
 | ChekMate - a Generic Anti-Virus Utility that works under DOS, OS/2  |
 | and Windows (3.x, 95 and NT).  Detects Known and UNKNOWN Viruses.   |
 | Support (UK) chekmate@salig.demon.co.uk  (US) ris@transit.nyser.net |
 +---------------------------------------------------------------------+
  Download it from our FTP site: ftp.gate.net/pub/users/ris1/cm200.zip

------------------------------

Date: Thu, 14 Mar 1996 12:56:18 +0000
From: Fridrik Skulason <frisk@complex.is>
Subject: F-PROT 2.22 is out
X-Digest: Volume 9 : Issue 37

F-PROT 2.22 is now out.  Changes since 2.21 include:

   Better handling of boot sectors with multiple infections.
   Continuing renaming of viruses
   The VIRSTOP program has been rewritten

   Detection (and in most cases disinfection) of around 400 new viruses.

You can download this version from 

   ftp://garbo.uwasa.fi/pc/virus/fp-222.zip

The program has also been uploaded to Keith Petersen for distribution on
SimTel, but does not seem to be available for download yet.

-frisk
- - 
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Fri, 15 Mar 1996 11:54:30 +0000 (GMT)
From: ajh@UWasa.Fi (Ari Hovila)
Subject: fp-222.zip Virus Protection system by Fridrik Skulason
X-Digest: Volume 9 : Issue 37

Thank you for your contribution.  This upload is now available as
 649065 Mar 14 14:14 ftp://garbo.uwasa.fi/pc/virus/fp-222.zip
 
: Date: Thu, 14 Mar 1996 12:19:10 +0000 (GMT)
: From: frisk@complex.is (Fridrik Skulason)
: To: pc-up@uwasa.fi
: Subject: fp-222.zip F-PROT anti-virus 2.22 uploaded
: 
: 
: File name: fp-222.zip
: One line description: Version 2.22 of the F-PROT anti-virus package
: Replaces: fp-221.zip
: Suggested Garbo directory:
: Uploader name & email: Fridrik Skulason (frisk@complex.is)
: Author or company: Frisk Software
: Email address: f-prot@sales.is, sales@complex.is, support@complex.is
: Surface address: Postholf 7180, IS-127 Reykjavik, Iceland
: Special requirements: No
: Shareware payment required from private users: No
: Shareware payment required from corporates: Yes
: Distribution limitations: May not be distributed together with viruses
: Demo: No
: Nagware: No (well, I don't think so)
: Self-documenting: Mostly
: External documentation included: Yes, some .DOC files.
: Source included: No
: Size: 611K
: 10 lines description:
: 
: The DOS shareware version of the program includes a virus scanner, with
: disinfection capabilities as well as a memory-resident virus "blocker".
: 
: While it does not include the Windows interface, the integrity checker, or
: some of the other features of the "Pro" version, it is a fully functioning
: program, able to handle the vast majority of viruses known today.
 
.................................................................
Ari Hovila, ajh@uwasa.fi   http://www.uwasa.fi/~ajh/
Moderating  garbo.uwasa.fi http://garbo.uwasa.fi/ FTP archives
Computer Centre, University of Vaasa,  Box 700, FIN-65101 Finland

------------------------------

Date: Thu, 07 Mar 1996 19:35:45 -0800
From: Glen D Moffitt <glenm@seanet.com>
Subject: Re: What I need in an enterprise-wide scanner
X-Digest: Volume 9 : Issue 37

Jim Richardson wrote:

> I have been trying for some time to find a viable enterprise virus
> protection solution.  My network consists of Windows NT servers, with Mac
> and Win 95 clients.  Important issues to me are:
[snip]
> So far I've looked at Intel VirusProtect, Cheyenne Inoculan, McAfee
> VirusScan, and Symantec products.  I'm trying to get Dr. Solomon, and
> F-Prot.
> 
> Has anyone found a solution that answers these issues?

You might start with a comparative review in PCWEEK, 9/18/95, in the 
NetWeek section.  There are also others; look at some of the major 
antivirus web sites, which usually have either reviews posted or 
links to sites with reviews.

Just in my humble opinion, of course the servers are paramount in being 
protected, both because of their critical relation to business 
operations as well as the data they hold.  However, (someone correct me 
if I'm wrong), my reading of antivirus literature is that by far the 
main entry point of viruses to networks is through the workstations 
(assuming prudent physical control of the server area).  So having a 
strong defense there is very important.  I see the server file scan and 
real-time scan as 2nd and 3rd lines of defense.

Glen

------------------------------

Date: Mon, 11 Mar 1996 14:25:24 +0000 (GMT)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: Virus Damage Statistics
X-Digest: Volume 9 : Issue 37

Jeff Beaubien (AnarchyX@charger.newhaven.edu) wrote:
: I am interested in obtaining statistical information regarding PC
: virus damage.  Examples include: how many viruses are there?  what is the
: estimated amount of financial cost incurred by computer viruses?  etc.

There are no reliable estimates of financial cost. When you think about 
it, there can't be: there's no standard method of measurement, and 
most non-specialists don't have the understanding of the field to
implement such a method if it existed. What statistics there are mostly
consist of suppositions supplied by individuals with insufficient
knowledge to similarly qualified researchers. To take one example: the
cost of damage attributed to the recently-convicted virus-writer
Christopher Pile has varied between #40k and #500k, according to various
sources I've seen.

Furthermore, you'd be surprised at the number of people who know a great 
deal about firewalls and Orange Book and Unix security, but come up with 
the most amazing rubbish when they talk about viruses.... Many so-called
virus incidents are so-called on the basis of "There's something wrong
with it - must be a virus...". Many real infections are undiagnosed, and
many that are diagnosed are not acted upon. Many infections are not made
public, as a PR/damage-limitation exercise.

The better-protected organisations are driven to attempt to estimate
what the cost of damage would be if they didn't have protection. Not
a promising basis for hard data. Viruses cost to protect against and they
cost if they're not protected against: the cost factors are many and
complex, and I don't know of a published study which considers them in
depth.

None of this means that there is no case for implementing virus
protection: only that making that case on the basis of a set of figures is
impractical.

: If someone could provide a reference to an article or book (relatively
: recent), I would greatly appreciate it.

I'm working on a paper considering the problems, and you're welcome to
have a look at it, as it stands, but it's no problem-solving magic bullet.
There are a couple of books by Dr. Fred Cohen which address some of the
issues - I don't have any of them to hand, so I may misquote the titles,
but 'A short course on computer viruses' and the one about data security
and the Information SuperHighway certainly include relevant material, 
though the latter isn't particularly virus-orientated. 

: I am presenting a training session on how to avoid/determine if you have
: a computer virus.  Such information would be essential to
: "drive the point home" that viruses cause a great deal of financial
: damage to corporations, universities, etc.  Therefore, this information
: would give the training participants an incentive to apply the
: knowledge/skills they learned to the actual workplace.

There's a Price Waterhouse report from last year on the top 200 companies
in Ireland which reported that the rate of attack from viruses had more
than doubled to 61%. That's in line with other reports I've seen. A survey
by Ernst and Young/Information Week indicated that 12% of security
problems resulting in financial loss reported by respondents were virus-
related. At least 20 of those respondents had lost info worth more than
$1m, so 12% is not necessarily negligible. Personally, I place very little
faith in the precise figures: however, the trend may be sufficient to
frighten your trainees appropriately...

: Thanks in advance for any help provided.

You're welcome. I'm sorry I can't be more encouraging....

David Harley

------------------------------

Date: Sun, 10 Mar 1996 15:24:24 +0000 (GMT)
From: Espen Holje Olsen <eholje@sn.no>
Subject: Re: Hard drive hardware write protection
X-Digest: Volume 9 : Issue 37

Fridrik Skulason <frisk@complex.is> wrote:

>In <0001.01I1X44CWLTKQKI9KO@csc.canterbury.ac.nz> Dave Pearce
><dpearce@flash.net> writes:
>>I'm looking for information on the following:
>>1) Is it possible to take a stock IDE or SCSI controller and write-protect 
>>the hard disk, i.e., so that all writes fail?
>should be possible to cut one wire in the cable....haven't done it
>though...

..and you might do it the software-way by intercepting int 13h, of
course ..

[Moderator's note:  Yes, but all s/w write-protection schemes are able to
be circumvented by other s/w with techniques like those used in existing
viruses (at least under today's popular OSes).]

------------------------------

Date: Fri, 15 Mar 1996 16:52:59 +0000 (GMT)
From: Yahya Alsalqan <alsalqan@cerc.wvu.edu>
Subject: Enterprise Security Workshop Extended deadline
X-Digest: Volume 9 : Issue 37

The New Deadline is March 25th


			      Call For Papers - Extended Deadline

			   A WET ICE 96 WORKSHOP
		  International Workshop on Enterprise Security
			      June 19-21
		    Stanford University, Stanford, California
		
		Co-sponsored by the IEEE Computer Society and the
		Concurrent Engineering Research Center (CERC) at 
			   West Virginia University
	   
	       Hosted by the Center for Design Research, Stanford University
			  
==============================================================================
Enterprises are increasingly dependent on their information systems to
support their business and workflow activities.  There is a need for
universal electronic connectivity to support interaction and cooperation
between multiple organisations.  This makes enterprise security and
confidentiality more important, but more difficult to achieve, as the
multiple organisations may have differences in their security policies and
may have to interact via an insecure internet.  These inter-organisational
enterprise systems may be very large and so tools and techniques are needed
to support the specification, analysis and implementation of security.

This workshop will focus on the problems and challenges relating to
enterprise security in inter-organisational systems. We aim to bring
together principal players from both the internetwork and enterprise
security community and will provide plenty of time for discussion.   Topics
to be addressed include:

	- Specifying and Analysing Enterprise Security Policy
	- Role-Based Access Control
	- Security infrastructure for large-scale systems
	- Supporting enterprise security over the internet
	- Conflicts and harmonization of inter- and intra-organizational
	     Security
	- Distributed Database Security
	- Secure Transactions
	- Security in Workflow Process
	- Object Oriented and CORBA Security
	- Secure Applications and Environments
	- Integrating Heterogeneous Security Environments
	- Managing inter-organisational Enterprise Security
	- Internet Security protocols
	- Security Algorithms

This workshop will be part of the IEEE Fifth Workshops on Enabling
Technologies: Infrastructure for Collaborative Enterprises (WET-ICE
96) organized by the Concurrent Engineering Research Center (CERC)/
West Virginia University and will be hosted by the Center for Design
Research, Stanford University, California.

Important Dates:
================
Papers Due                      March 25, 1996
Panel Proposals                 March 15, 1996
Authors notified of acceptance  April 19, 1996
Workshop                        June 19-21, 1996
Camera Ready                    June 28, 1996

INFORMATION FOR AUTHORS OF PAPERS TO BE INCLUDED IN THE PROCEEDINGS 
===================================================================
Mail six copies of an original (not submitted or published elsewhere)
paper (double-spaced) of 3000-5000 words to the Program Chair. Include
the title of the paper, the name and affiliation of each author, a
150-word abstract and no more than 8 keywords. The name, position,
address, telephone number, and if possible, fax number and e-mail
address of the author responsible for correspondence of the paper must
be included.


An e-mail submission in PostScript format will be accepted.

INFORMATION FOR PANEL ORGANIZERS 
================================
Send six copies of panel proposals to the Program Chair. Include the
title, a 150-word scope statement, proposed session chair and
panelists and their affiliations, the organizer's affiliation,
address, telephone and fax number, and e-mail address.

INFORMATION FOR AUTHORS OF POSITION PAPERS
==========================================
Send six copies of a position paper of 2-3 pages to the Program
Chair. Include the title of the paper, the name and affiliation of
each author, a 150-word abstract and no more than 8 keywords. The
name, position, address, telephone number, and if possible, fax number
and e-mail address of the author responsible for correspondence of the
paper must be included. An accepted position paper will get less
presentation time than a full paper.


Program Committee
=================

Program Chair
	Yahya Al-Salqan
	Concurrent Engineering Research Center
	P.O. Box 6506
	886 Chestnut Ridge Road
	West Virginia University
	Morgantown, WV 26506
	USA

	Ph: (304) 293-7226
	Fax: (304) 293-7541

	e-mail: alsalqan@cerc.wvu.edu


Workshop Program Committee (Partial List):
==========================================
Takasi Arano, NTT Corp, Japan
Germano Caronni, ETH-Zurich, Switzerland
Chikuang Chao, AT&T, USA
Taher ElGamal, Netscape Corp., USA
Matthias Hirsch, BSI (Federal Department of Security in the Information
	Technology), Germany
Steve Kent, BBN, USA
W. Douglas Maughan, Technical Director, National Security Agency (NSA), USA
Clifford Neuman, USC/ISI, USA
LouAnna Notargiacomo, Oracle Corp., USA
Morris Sloman, Department of Computing: Imperial College, UK
Badie Taha, Al-Quds University, Jerusalem
Ravi Sandhu, Department of Information and Software Engineering,
	George Mason University, USA
Robert Thomys, BSI (Federal Department of Security in the Information
	Technology), Germany
Nick Zhang, CERC, West Virginia University, USA


Internet Hotline
================

Information on Enterprise Security Workshop may be obtained through
the WWW using the URL http://www.cerc.wvu.edu/SECWK/ 


You don't need to have a paper to attend the workshop.  

------------------------------

Date: Tue, 12 Mar 1996 16:30:05 -0500
From: Brian McEntire <mcentire@fact_checker.com>
Subject: Good Mac Virus Software (MAC)
X-Digest: Volume 9 : Issue 37

If your organization has had good luck with any commercial (i.e. SAM or
Virex) or shareware Macintosh Virus Scanning programs please let me know.

I need to upgrade my division's current SAM software and am not sure
that SAM is best. We have a mix of Macs from Mac II's up to PowerMac
7200/90's.

Most Macs are running Mac OS 7 and above.

Thanks for commenting,

  Brian

------------------------------

Date: Fri, 08 Mar 1996 20:48:02 +0000 (GMT)
From: Joerg Erdei <a8101gbb@helios.edvz.univie.ac.at>
Subject: Re: Macintosh Ram Virus?? (MAC)
X-Digest: Volume 9 : Issue 37

Thomas Vincent <runner12@ix.netcom.com> wrote:
>Does this sound like a Virus hiding? I start up my Mac and I try to open
>Netscape. It tells me that it doesn't have enough memory. I only have
>four extensions loaded. According to my addition in the about Macintosh
>menu, I am using 13 MB's of RAM out of 16 MB's. Though it says I only
>have one megabyte left of free RAM.

Oh dear, be more precise: what Mac, what OS version?

First of all, check you have 32bit addressing on in the memory control
panel, for without it you can only access 8MB (and another 8MB will be
added to the System memory, but actually you cannot use them). System,
extension and Netscape will have to share these 8MB as well as RAM disk
(if you set it up). VM is not available with 32bit off. If you have no 32
bit option in the memory control panel, you are running one of those Macs
that are forced to use 32 bit and cannot switch back to 24bit. Second, the
free memory reported is not all memory available, but the biggest
continuous chunk of free memory. Memory can get partitioned like a hard
drive or floppy.

There is no Mac virus known that "eats up" your RAM.

Joerg Erdei

------------------------------

Date: Mon, 11 Mar 1996 14:47:14 +0000
From: Peter James DeVault <pdevault@students.wisc.edu>
Subject: Disk problem--virus? (MAC)
X-Digest: Volume 9 : Issue 37

I have what may be a virus-related problem on my PowerMac 7100/80av.  
My hard disk crashed.  I saved the disk, but Disk First Aid tells me I 
have the following irreparable problems:

Keys out of order, 4, 3795 

Does anyone know what this means or how to fix it?  I'm still having 
occasional crashes.

Thanks,
Peter DeVault
pdevault@students.wisc.edu

------------------------------

Date: Sat, 09 Mar 1996 07:59:00 +0000 (GMT)
From: David Griffiths <dgriff@matrix.infomatch.com>
Subject: Re: Effects of Word.Concept Virus? (MAC,WIN)
X-Digest: Volume 9 : Issue 37

scary kevin <isildur@abulafia.st.hmc.edu> writes:

>Yes.  Though it has the *.doc extension, Word 6 is finding macro commands in
>the file, and thinks it must therefore be a template.  I can't seem to fix
>it; my workaround is:

>New document
>Select all
>Copy
>Paste to new document
>close old document
>save the new document with the same name as the old one.

Just go to http://www.microsoft.com and look in the Word area for the 
"Scanprot.dot" macro to remove/protect against this virus.

- -
    David S. Griffiths:      - <dgriff@infomatch.com>  (Vancouver, Canada!)
An Arctic Animation WWW Site -> http://www.infomatch.com/~dgriff/main.htm
    VJAC/LW3D/City Hunter!   - Technical Director, Mendelson Films Ltd.

------------------------------

Date: Tue, 12 Mar 1996 15:22:15 +0000 (GMT)
From: Ken Stieers <kens@ontrack.com>
Subject: Re: WinWord.Nuclear (MAC,WIN)
X-Digest: Volume 9 : Issue 37

McAfee's latest beta (SCNB230E.zip on their site) has a remover for
Nuclear and Concept, as does Dr. Solly's AVTK and I think F-Prot. 

Ken 

- - 
Views expressed herein are not necessarily the views 
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               |  Minneapolis - 1.800.872.2599       * 
* AV Research/Apps. Eng.    |  Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  |  Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     |  London - 0800 24 39 96             *
* Eden Prairie, MN          |  Japan - 81.429.32-6365             *
*******************************************************************

------------------------------

Date: Fri, 08 Mar 1996 18:51:45 +0000 (GMT)
From: tkrieger@the.link.ca
Subject: Win95 and TBAV (WIN95)
X-Digest: Volume 9 : Issue 37

Hi, just looking for some information here. I've been asked to take a
quick look at a Win 95 system that appears to have a virus of some sort.

The system is currently running Win 95 and TBAV 6.51 for Win 95.  The
problem is that TBAV keeps flagging the net.exe file and saying that it is
infected with some unknown virus.  The file has been deleted and the
entire network support removed from the system; however, every time that
the network support is re-installed TBAV keeps flagging this one file as a
virus.

Has anyone else been having these problems with TBAV?  Anyone heard
about a similar virus anywhere?  I need some information; I'm not sure
what to do next. The files are all coming off a Win95 distribution CD and I
can't seem to find anything anywhere else.

Thanks in advance for all your wisdom.

Tim Krieger.

     Even with a lock and key, 
     We can never guarantee,
     that it's virus free.

------------------------------

Date: Mon, 11 Mar 1996 07:55:56 -0500
From: "Bob Witham Jr." <robert.l.witham.jr@state.me.us>
Subject: Re: McAfee 2.0 for Win95 "feature" (WIN95)
X-Digest: Volume 9 : Issue 37

jgrant@namsa.nato.int wrote:

>     However, when scanning in a DOS Window with scan.exe (as is possible
> now that it is included with McAfee95 v2...) it seems that McAfee
> regularly gives false positive results!  I have tried this a few times and
> have detected different viruses during different boots, leading me to
> believe that it is indeed Vshield in memory that is being detected...  I
> have yet to test this exhaustively, but have verified without doubt that
> the results of the DOS box scan are false positive.  The Win95 scan

I just tried the same thing and got no viruses reported.  You don't have 
another AV product other than McAfee running do you?  There were some 
problems with certain manufacturer's PCs reporting false alarms with an 
older version of McAfee, but I haven't heard of that happening with the 
newest version.  Also, could you possibly be executing an old version of 
SCAN rather than the version in C:\Program Files\McAfee?  I would 
believe an old incompatible version might detect the WIN95 VSHIELD as 
viruses.

Score stands 1 with false alarms vs 1 without.  Others?

Bob Witham

------------------------------

Date: Wed, 13 Mar 1996 05:00:08 +0000 (GMT)
From: F/WIN Support <fwin_sup@ix.netcom.com>
Subject: New Scanner finds/removes UNKNOWN Winword macro viruses (WIN)
X-Digest: Volume 9 : Issue 37

	PRESS RELEASE

For Immediate Release

Computer Virus Solutions
PO Box 30802
Gahanna, OH  43230-0802


Date:    March 12, 1996
Contact: Gary  Martin, Owner
Phone:   (614) 337-0995
Fax:     (614) 476-6884
E-mail: fwin_sup@ix.netcom.com  (Sales and Support)
E-mail: kurtzhal@wrcs3.urz.uni-wuppertal.de     
	   (Stefan Kurtzhals, Author of F/WIN)
WWW:   http://www.entrepreneurs.net/fwin/index.htm      
	   (temporary until early/middle March)
WWW:   http://www.fwin.com/index.htm
	   (permanent after early/middle March)


World's First Heuristic Virus Scanner for Microsoft 
Word Templates


A major concern that most users of Microsoft Word have 
today is how to protect themselves from viruses and 
trojans that may be present in template files.  Until 
now, only known viruses and trojans could be 
accurately detected by existing anti-virus scanners.  
Word users were highly vulnerable to new, unknown 
viruses and trojans. 

Computer Virus Solutions is pleased to announce that 
a new anti-virus scanner, called "F/WIN Anti-Virus", 
has solved this problem.  Unlike other macro virus 
scanners of today, F/WIN uses heuristic analysis  
to detect viruses in MS Word 6.x and 7.x templates.  

This allows it to detect and remove unknown, as well 
as known viruses.   News media outlets will be given 
a free, fully-functional evaluation copy of F/WIN 
Anti-Virus upon request.  They also have the option 
of downloading a shareware version of it from our 
web site (see above).  F/WIN Anti-Virus is available 
in both English and German versions.  F/WIN also 
detects (in addition to Word macro viruses):

*  Viruses that infect Windows 3.x .EXE (NE-EXE) files.
*  Viruses that infect Windows 95 .EXE (PE-EXE) files, 
   both using the VLAD infection scheme. 

The list of known macro viruses that can currently 
be detected and removed by F/WIN includes:

WordMacro.Concept, WordMacro.Nuclear, WordMacro.NuclearB, 
WordMacro.Colors, WordMacro.DMV, WordMacro.Hot, 
WordMacro.Atom, WordMacro.Trojan.FormatC, 
WordMacro.Xenixos, WordMacro.Imposter

The following Windows executable viruses are detected 
by F/WIN:

NE.Winsurfer, NE.Ph33r, NE.Wintiny, NE.WinLame, PE.Boza

------------------------------

Date: Tue, 12 Mar 1996 23:24:49 +0000 (GMT)
From: Wayne Riddle <riddler@agate.net>
Subject: Re: Nov 17th virus (PC)
X-Digest: Volume 9 : Issue 37

William Yeung <wcfyeung@infolink.net> wrote:

>Does anyone know a virus called Nov 17th and how it can be killed? 
>Recently my WIndows 3.1 permanent swap file was infected by it.

It was a false alarm if it was detected in your swapfile. Here is some
information on the virus from Dr. Solomon's Anti-Virus Toolkit:

NOV17 is found sometimes. 

It is very infectious, and results in moderate damage (disk trashing).
COM and EXE files are infected.

The virus has a memory-resident payload and infection system. It has
minimum stealth capability. This virus is not encrypted. The virus
evades or attacks some antivirus programs.

Wayne Riddle
riddler@agate.net
http://ourworld.compuserve.com/homepages/riddler

------------------------------

Date: Thu, 07 Mar 1996 18:07:27 +0000 (GMT)
From: Heather A Thomas <hthomas@acsu.buffalo.edu>
Subject: CONCEPT/Word Perfect macro: really no cure? (PC)
X-Digest: Volume 9 : Issue 37

McAfee recently diagnosed a diskette with the "Concept/Word Perfect Macro"
virus, for which there is currently no cure.  F-prot/Virstop didn't even
detect it.  Are there any specific cleaners out there for Concept?  Does
anyone know WHAT it does?  It has infected one file, which I deleted and 
the diskette is now clean.  I would like another option.

Thank You,
  Heather
- - 
Heather Ann Thomas
hthomas@acsu.buffalo.edu
State University of NY at Buffalo

------------------------------

Date: Thu, 07 Mar 1996 18:50:06 +0000 (GMT)
From: "Douglas M. Munro" <d.munro@csuohio.edu>
Subject: Havoc ][ and Virus List (PC)
X-Digest: Volume 9 : Issue 37

I have a virus, but I've come to accept this and am dealing with it.

As one may surmise from the subject header, I had the pleasure of
dealing with the Havoc ][ virus, according to my newly installed Norton
Antivirus software.  NAV identified it but provided little information
aside from the fact that it is a floppy and boot sector virus.  I'm no
computer guru, but I was able to figure out what that means, however, I
am interested in knowing more about Havoc ][, particularly its behavioral
effects (can you tell I studied Psychology?).  On my computer, it either 
damaged or deleted several .exe files in software such as MS Access,
Excel, and PowerPoint.  I never actually checked to see if it had actually
damaged or deleted these files, but when I clicked on the MS Office button
bar for one of these programs, I got a message saying that it couldn't
locate the access.exe file.  At the time I was running win95 and tried to
reinstall MS Office, but always got an error saying "setup was not
completed successfully."  Anyway, after much frustration, I cleaned the
virus and reinstalled my entire system.  Does anyone have any more info on
this varmint?  Several years ago, around 1989, I downloaded, from this
group, I think, a list of all or many PC viruses--about 400 at the time. 
This list had extensive descriptions of each.  Does this still exist
today?

Any help in this area would be greatly appreciated.  You can email me
directly or post here.  Thanks.

Douglas M. Munro
d.munro@csuohio.edu

------------------------------

Date: Fri, 08 Mar 1996 15:28:01 +0000 (GMT)
From: Brian Toone <btoone@clemson.edu>
Subject: Microsoft Anti-virus memory problems (PC)
X-Digest: Volume 9 : Issue 37

I have a 486/66 with 20 megs of RAM.  When I attempt to detect or clean
viruses using Microsoft Anti-Virus, I get a not enough memory message.  I
have no other applications running when this problem occurs.  Does anyone
know what might be causing this problem? 

Thanks,
Brian Toone (btoone@clemson.edu)

------------------------------

Date: Fri, 08 Mar 1996 21:16:42 +0000 (GMT)
From: Average Boy <dyeske1@umbc.edu>
Subject: Info on Smiley Boot? (PC)
X-Digest: Volume 9 : Issue 37

I was wondering if anyone had any information on the Smiley Boot virus 
including any software that can clean it.  I have found several computers 
(PCs) that contain the virus as reported by both F-Prot and Viruscan.  But 
neither program has any info on it or can clean it.  Most of the 
infections seemed to be coupled with a B1 (NYB) infection.

F-Prot does give information on the Smiley virus which infects 
executables but none on the Smiley Boot virus.

- -
Dave Yeskey                  |  My employers sue me on a regular
NET dyeske1@umbc.edu         |  basis because of the above comments.
ATT (410) 461-1579           |                  -
URL http://umbc.edu/~dyeske1 |      The NSPF are at your door.

------------------------------

Date: Sat, 09 Mar 1996 15:23:34 +0000 (GMT)
From: Fernando Beya <fbeya@rigg.cl>
Subject: Re: Cpw Virus (PC)
X-Digest: Volume 9 : Issue 37

If you have the Cpw.1527 virus, that is a Chilean virus. Activation 
dates are 9/11 and 12/28; it infects .exe and .com files. You will 
remove it with VirusScan of McAfee.

If you need complete information, contact me on Monday.

fbeya@rigg.cl

------------------------------

Date: Sat, 09 Mar 1996 11:53:24 -0600
From: "Clark R. Wilkins" <clarkw@accesscomm.net>
Subject: Re: AntiExe- What are the sysptoms? (PC)
X-Digest: Volume 9 : Issue 37

>Date: Mon, 26 Feb 1996 06:36:50 -0500 (EST)
>From: "Bob Witham Jr." <robert.l.witham.jr@state.me.us>

<snip>

>Actually, my experience has been that 32-bit disk access under windows
>does not work.  I don't remember the exact error, but essentially windows
>complains about using 32-bit.

Hopefully this is somewhat on topic. Let's not confuse issues. 32-bit disk
access is not a virus related issue. It has to do with the handling of
drive controllers. The most common causes we have seen are (a) CD-ROM
drives on primary IDE channel, (b) funky disk drivers.

Clark R. Wilkins * President, J.D.I. Solutions, Inc. * 713-974-2434 (f)
713-974-5248
   Providing computer solutions for small businesses since last Tuesday...

------------------------------

Date: Sat, 09 Mar 1996 11:53:31 -0600
From: "Clark R. Wilkins" <clarkw@accesscomm.net>
Subject: Re: NYB Virus (PC)
X-Digest: Volume 9 : Issue 37

>I downloaded virus scan from C:net web page when I installed and ran it,
>it gave me a message that there are traces of the NYB virus. At this point
>I reformatted my hard drive and reinstalled Windows95. I downloaded
>viruscan from PRODIGY thinking that this had less chance of being
>infected. The Message came up again. The only problem I have had is that
>when I try to run a program on CD-ROM I will get the message that the D:
>drive is not available. Do I really have the NYB virus, or is this a
>Windows95 problem, or a Viruscan Problem. Viruscan scan suggest that I
>boot up from a clean disk and then run scan, but when I do that, I get the
>message that Himem.sys didn't load so therefore I can't run windows 95.

FWIW: We worked with an NYB problem just today. What was helpful for us
was to test our suspect floppies in a separate machine already running
Norton Anti-Virus. (Pick your own flavor.) I seriously doubt a virus could
survive your disk being formatted, but one or more of your boot floppies,
etc. could be infected.

Our solution, on a Win 3.1 platform, was to boot from a clean, locked
floppy and FDISK /MBR that machine, followed by a check with Norton.

Hope this helps!

Clark R. Wilkins * President, J.D.I. Solutions, Inc. * 713-974-2434 (f)
713-974-5248
    Providing computer solutions for small businesses since last Tuesday...

[Moderator's note:  You were lucky then that you didn't have a multiple
infection, with a less "benign" MBR infector having hit before NYB, as the
above prescription can really screw you up.  If anyone really feels they
must do things the hard way with MBR viruses, -please- read the relevant
Q&A in the FAQ (C3) carefully before beginning, so you have a reasonable
understanding of what you are up against!]

------------------------------

Date: Sat, 09 Mar 1996 11:53:37 -0600
From: "Clark R. Wilkins" <clarkw@accesscomm.net>
Subject: Disk drivers with boot sector protection (PC)
X-Digest: Volume 9 : Issue 37

We are using a product called DrivePro on one of our 486 machines. It
includes a disk driver which claims to offer boot-sector virus protection.
If I understand this correctly, the driver examines itself at startup. If
there is any change, the file is reloaded. If this is true, which is
question 1, question 2 is why doesn't everyone use similar techniques?

Clark R. Wilkins * President, J.D.I. Solutions, Inc. * 713-974-2434 (f)
713-974-5248
    Providing computer solutions for small businesses since last Tuesday...

[Moderator's note:  This idea is, in fact, incorporated into several
commercial, shareware and freeware products, though it may not be as fool-
proof or as universally applicable now with the need to load drivers (such
as OnTrack's Disk Manager and others) to allow large hard drives to work
with "old" BIOSes.]

------------------------------

Date: Sat, 09 Mar 1996 21:04:38 +0300
From: Zvi Netiv <netz@actcom.co.il>
Subject: Re: Michelangelo recovery methods (PC)
X-Digest: Volume 9 : Issue 37

mumford@west.net (Bryan Mumford) wrote in alt.comp.virus:

> In article <DnuwEH.7vD@actcom.co.il>, netz@actcom.co.il wrote:

> ---Snip---

>> IMPORTANT: Resist the temptation to use NDD (or Central Point's DiskFix) at
>> ANY stage of the recovery. There isn't a single task in disk recovery that
>> can't be done better and safer with CHKDSK, SCANDISK, FDISK, UNFORMAT 
>> and RESQDISK.

> ---Snip---

> I seem to have run into Michelangelo. You say I should NOT use NDD. Others
> have advised to use NDD and NOT use FDISK. Would you be so kind as to
> explain why the following comment is not correct? I only want to do the
> right thing... the whole damn disk is down.

From Henri Delger you quote:

>>   (NOTE: When creating new partitions, FDISK writes to the
>>   first sector of each head and cylinder until it reaches  
>>   the data area.  That means it will erase the DOS Boot 
>>   Sector, File Allocation Table data, at least part of the
>>   Root Directory, and even data, such as DOS System files 
>>   on a boot drive, which may add to damage from the virus,
>>   which is why the best advice is to use Norton Disk Doctor
>>   to rebuild the Partition table.)

As you said, "the whole damn thing is down". 

Simple logic: Michelangelo has trashed 256 x 4 x 17 = 17,408 sectors 
starting from sector 1, head 0, cylinder zero (0,0,1 in head, cylinder 
and sector coordinates, up to sector 3,255,17). Now, creating a new 
partition with FDISK will rewrite sector 0,0,1 and clear a few hundred 
sectors, the exact number depends on the capacity of your hard disk, 
starting from sector 1,0,1 (the standard location for the first partition 
boot sector).  Since Michelangelo already trashed that area, then 
where is exactly your problem?

Now, please recall my original post where I suggested to use FDISK
only where you had a SINGLE, full disk capacity partition on the
trashed physical drive.

IN ALL OTHER CASES USE ResQdisk Professional (ResQpro). With disks that
had more than a single partition DON'T USE FDISK to recreate the
partitions as it will clear the FAT and root directory of every partition
that might still exist past cylinder 255. If you had just one partition on
your hard drive then you can proceed safely with Fdisk.

You can use ResQdisk from the InVircible package to scan for still 
intact partitions. Available from any of the sites in my signature.

Hope this solves your problem.

Regards, Zvi
- --------------------------------------------------------------------
NetZ Computing Ltd, Israel          Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)   Fax +972 3 532 5325
Web sites:  http://invircible.com/  Anonymous ftp: ftp.invircible.com
E-mail: netz@actcom.co.il netz@invircible.com  Compuserve: 76702,3423
- --------------------------------------------------------------------
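
The sector arithmetic in the message above, extended to other disk geometries, as an added example that is not part of the original post. The overwritten region (heads 0-3, cylinders 0-255, sectors 1-17) is taken from the post; the disk geometries, partition start addresses and the 115-sector system-area size are constructed assumptions.

```python
# Added example, not from the original post. The overwritten region is the one
# stated in the post; geometries and partition layouts are constructed.

# Region the post gives in (head, cylinder, sector) terms: 0,0,1 up to 3,255,17.
TRASH_HEADS = range(0, 4)       # heads 0..3
TRASH_CYLS = range(0, 256)      # cylinders 0..255
TRASH_SECTORS = range(1, 18)    # sectors 1..17 (CHS sector numbers are 1-based)


def chs_to_lba(cyl, head, sector, heads, spt):
    """Linear sector number of a CHS address on a disk with `heads` heads
    and `spt` sectors per track."""
    if not (cyl >= 0 and 0 <= head < heads and 1 <= sector <= spt):
        raise ValueError(f"CHS {cyl}/{head}/{sector} invalid for {heads}x{spt}")
    return (cyl * heads + head) * spt + (sector - 1)


def lba_to_chs(lba, heads, spt):
    """Inverse of chs_to_lba: returns (cyl, head, sector)."""
    cyl, rem = divmod(lba, heads * spt)
    head, sec0 = divmod(rem, spt)
    return cyl, head, sec0 + 1


def is_overwritten(lba, heads, spt):
    """True if this linear sector lies inside the region from the post."""
    cyl, head, sector = lba_to_chs(lba, heads, spt)
    return (cyl in TRASH_CYLS and head in TRASH_HEADS
            and sector in TRASH_SECTORS)


def overwritten_total(cylinders, heads, spt):
    """How many sectors of the region physically exist on this disk."""
    return (min(cylinders, len(TRASH_CYLS))
            * min(heads, len(TRASH_HEADS))
            * min(spt, len(TRASH_SECTORS)))


def assess_partition(start_chs, system_sectors, heads, spt):
    """start_chs is (cyl, head, sector) of the partition boot sector;
    system_sectors counts boot sector + FAT copies + root directory.
    Returns (boot_sector_lost, system_sectors_lost)."""
    start = chs_to_lba(*start_chs, heads, spt)
    lost = sum(is_overwritten(lba, heads, spt)
               for lba in range(start, start + system_sectors))
    return is_overwritten(start, heads, spt), lost


# Constructed geometries: (cylinders, heads, sectors per track).
OLD_DISK = (615, 4, 17)     # region is one contiguous run from sector 0
BIG_DISK = (1024, 16, 63)   # region is scattered over the first 256 cylinders

# Constructed partitions: (label, (cyl, head, sector), system-area sectors).
PARTITIONS = [
    ("first partition", (0, 1, 1), 115),
    ("second partition, below cylinder 256", (200, 1, 1), 115),
    ("second partition, past cylinder 255", (300, 1, 1), 115),
]


def report(geometry, partitions=PARTITIONS):
    """One (label, boot_sector_lost, sectors_lost) row per partition."""
    _cylinders, heads, spt = geometry
    return [(label, *assess_partition(chs, size, heads, spt))
            for label, chs, size in partitions]


if __name__ == "__main__":
    for name, geo in (("old 4x17 disk", OLD_DISK), ("16x63 disk", BIG_DISK)):
        print(name, "- sectors overwritten:", overwritten_total(*geo))
        for label, boot_lost, lost in report(geo):
            state = "boot sector lost" if boot_lost else "boot sector intact"
            print(f"  {label}: {state}, {lost} system sectors overwritten")
```

A partition whose system area starts past cylinder 255 shows zero overwritten sectors on either geometry, which is the case the post warns against re-creating with FDISK.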

------------------------------

Date: Thu, 07 Mar 1996 19:16:56 -0800
From: Glen D Moffitt <glenm@seanet.com>
Subject: Re: Modem snag: Virus or NAV? (PC)
X-Digest: Volume 9 : Issue 37

John Higgins wrote:

> I've got this odd snag with my Windows communications programs. Three
> times now, stuff like AOL, Trumpet Winsock, and even Terminal all stop
> working. Either they can't recognize my modem or they reboot my machine
> whenever I try to logon. Procomm Plus for DOS works just fine, so it
> isn't the modem. The MIS guys have "fixed" the problem but have
> never been able to tell me exactly what they did in the past to resolve
> it.
> 
> The only pattern I can see is that it might be happening after I
> inoculate files via Norton Anti-Virus. That's absolutely the case today.
> So am I the victim of a) some sort of virus; b) Norton or c) some other
> mishap I can't identify?

Sounds like a classic case of IRQ conflict.  When two devices, say mouse 
and modem, are assigned the same IRQ, they may both work for a while, 
then when one device tries to grab the irq from the other device that 
has been using it, one or both of the devices will freeze.  I would look 
closer at any configuration changes that have been made recently..or 
hardware that has been installed or changed.

Glen

------------------------------

Date: Sun, 10 Mar 1996 12:15:04 -0800
From: "B. Warwick" <demo@netlabs.net>
Subject: New virus?!? or Disk drive problem (PC)
X-Digest: Volume 9 : Issue 37

My daughter's MS DOS/Windows 3.11 486sx25 computer has two 170 meg hard 
drives.  Yesterday Drive D: disappeared. The CMOS setup is fine.  Both 
drives are listed as proper types.  I tried switching the cable 
connection, reversing the master and slave (making bad drive C:) while 
all the time booting from a clean floppy.  We get the message "INVALID 
DRIVE SPECIFICATION" when trying to access the drive in question.

I also ran F-PROT which I think is a GREAT piece of software as it 
allowed me to remove the Monkey Virus from the same computer (and one 
other) back in the fall of 1995.  It told me that the software was old 
and that I should update it.  I ran it anyway (F-PROT /HARD /DISINF) and 
it found 2 MBR's but did not otherwise mention Drive D:.  It found no 
virus!

Then I downloaded F-PROT version 2.21 (the latest I found) and ran it:

Still NO VIRUS!!!

MBR's:2
DOS Boot Sectors:1

...and we still get INVALID DRIVE SPECIFICATION

Does anyone have an idea whether this is in fact an undetected virus or a 
hardware problem?  The drive is a Western Digital 170 meg IDE (WDAC1170). 

Of course my daughter (a 4th grade school teacher) has some info she 
would really like to retrieve from the drive (most importantly e-mails 
received from her class's home page on the Internet).  If anyone can 
possibly offer some solutions we will be very appreciative.

I will monitor this Newsgroup for responses......or you may e-mail them 
to me directly at either of the following:

demo@netlabs.net
BWar@aol.com

Thank you for your assistance.

Bob Warwick

If you would like to see my daughter's class's home page try:
<A HREF="http://www.monmouth.com/~kwarwick/wolfhill.html"></A>

(I hope the above worked)

------------------------------

Date: Sun, 10 Mar 1996 18:38:45 -0500
From: BMosher183@aol.com
Subject: MSAV says files changed (PC)
X-Digest: Volume 9 : Issue 37

Is there a conflict with MSAV and Windows 95, Doublespace or any of
Windows 95's automated functions? I have been running MSAV every so often
and I get (File has been changed) errors on a lot of files. I just update
the files and move on, then when I run MSAV a couple of days later, same
thing but not so many files changed this

So I downloaded McAfee 95 and ThunderByte 95 and ran them and they found
nothing. Do the shareware versions of these programs work? Do I have some
sort of virus, or am I just confused?

If anyone has seen this before, please e-mail me some info. As far as I can
tell there has been no damage caused.

Brett Mosher     bmosher183@aol.com.

------------------------------

Date: Mon, 11 Mar 1996 00:23:53 +0000 (GMT)
From: Mic Johnston <MIC@mpx.com.au>
Subject: Re: Directory problem (PC)
X-Digest: Volume 9 : Issue 37

>In a previous article, MIC@mpx.com.au (Mic Johnston) says:

>>I have a directory that mirrors everything in the c: drive, and therefore 
>>becomes mirrored again and again and again etc. I have no idea how it got 
>>there, and I can't remove it because any file I remove from it is also removed 
>>from its directory under c: . 

>**** Have you run an anti-virus program on this directory?

Yes I've thought it might be due to some type of virus but when I run
F-prot it continues to run forever as it scans the mirrored drive again
and again until I have to esc. No message saying a virus is present
appears but I don't know if it's supposed to until the end of the scan.

Mic Johnston
mic@ccs1.cc.monash.edu.au

------------------------------

Date: Mon, 11 Mar 1996 03:44:58 +0000 (GMT)
From: The One and Only <robin@thunder.ocis.temple.edu>
Subject: Possible new virus??? (PC)
X-Digest: Volume 9 : Issue 37

HELP! I think I have a virus and nothing is picking it up.

My friend is having a similar problem.  

My story:  I have Windows 3.1.  I was in File Mangler copying
a file onto my 850MB d:\ drive from a floppy.  Suddenly it
informed me that there was no room on my 850 drive.  Now I 
know I had like 540Mbs free.  So I went to my D: drive and it
showed a 4 GB, YES THAT'S 4 GB file sitting on my 850 drive.
I immediately thought it was a virus and ran f-prot221, McAfee,
and Rescue AntiVirus.  They all turned up nothing.  This
was a conner 850 drive.  After calling Conner for 2 weeks, they
couldn't figure out what happened and had me low-level format
the drive, and it's been fine now for a month.

My friend's story:  She is using Windows 95.  She turned on her computer
one day and it came up with a HDD controller failure. She by-passed
it and ran Norton which showed allocation errors in the FAT.
She told it to fix it and it wrote over system files, which she
then re-installed.  She had been saving Word files to a floppy,
when she went to access them the next day, it said there was
an unrecoverable error on the disk.  She ran Norton on it and
it couldn't fix it.  She tried copying the files to another floppy,
and when she did a directory on the new floppy, it showed a
3 GB file in the system area of the floppy that she couldn't remove.

Then the HDD control failures began to reoccur, so she tried
booting with 3 different boot disks (DOS, WIN95bootdsk, WIN95startup)
which worked 3 days ago, and it didn't recognize them as system
disks.  She ran norton on the 3 disks and it showed that the
system areas of the disks had been damaged beyond repair.
Also, she tried to install a new IDE controller thinking that was
the problem, but this did nothing.

The virus seems to create severe damage to the FATs and the
system areas of the disks. Has anyone heard of such a thing?
At this point, my friend's computer is fried, she doesn't want
to run a low-level format.  

ANYONE PLEASE HELP!!!

robin@thunder.ocis.temple.edu and friend
altomari@jedi.cis.temple.edu

[Moderator's note:  The second sounds like serious hardware problems to
me.  The former, due to non-replication is likely "just one of those
things".]

------------------------------

Date: Mon, 11 Mar 1996 06:00:05 +0000 (GMT)
From: "Blake F. Parker" <bfp@ultranet.com>
Subject: Re: Virus in Memory--sometimes (PC)
X-Digest: Volume 9 : Issue 37

Margaret Proctor <m_proctor@ncsu.edu> wrote:
[snip]
>Any way, to make a long story short, I have checked her machine, and the
>server from every angle I can think of and they always come out clean
>except when running the checker from the server when she logs on her PC.
>Then I get a virus-in-memory message.

I have not had experience with the virus you mentioned above however I 
have discovered that by rebuilding the master boot sector I have been
able to stop messages similar to those you are getting after cleaning a 
pc with F-Prot. Overall I have found F-Prot to detect some viruses that 
other anti-virus applications occasionally miss. One other thing you 
might do if you have not already been doing is to completely power down 
your system rather than soft-boot when you insert the clean floppy.

Good luck and best regards...

- -Blake

Blake F. Parker        

------------------------------

Date: Mon, 11 Mar 1996 06:01:25 -0500
From: DarStec <darstec@aol.com>
Subject: Re: Viruses that damages hardware (PC)
X-Digest: Volume 9 : Issue 37

In article <0016.01I1X44CWLTKQKI9KO@csc.canterbury.ac.nz>, "Denis Parslow
(Almo Distributing)" <dgp@world.std.com> writes:

>[snipping out a nice description on how it could be possible to 
>target a single adapter card, or chipset, or even, sometimes, family 
>of chipsets for damaging the monitor]
>
>>This is similar to the "risk" of having a Flash BIOS on your PC. Although
>>it is possible that such a virus could be written, it doesn't seem
>>plausible that a virus writer would spend the time to produce a virus that
>>would, of necessity, be fairly large. 
>>
>>Compare the number of Video Drivers used with Windows or Win95 (or OS/2
>>for that matter) and you realize that the virus would have to either be
>>VERY LARGE or the number of cards attacked would have to be VERY SMALL.
>>Not a very fertile soil for those virus writers (may they all be hung by
>>close friends) to sow.
>
>The problem is that if the person is writing a virus to be malicious, 
>and isn't targeting an AV package as in a 'game', this would be a 
>rational way to stage an attack.  You can make a virus that acts only 
>marginally slowly perhaps, so that it spreads quickly if not 
>detected.  However, if it is spreading through a system without the 
>targeted chip, it wouldn't be noticed (you can determine the chipset 
>through a BIOS call usually, so if it isn't the target, do not 
>react).  The only reason to slow it down is if it gets into a network 
>of similar computers with the target, that it might get more than one
>card.  The only drawback to this plan is that the monitor gets 
>damaged, not the card.
>
>The same concept would work for FLASH BIOS, although one would 
>probably target a particular BIOS mfgr and chipset, to try to narrow 
>down to systems it would be more likely to succeed on.  Perhaps 
>choosing a system maker and a model, and using the BIOS info from 
>there.
>
>The fact that it has fewer targets would lend to it being a more 
>'successful' virus by allowing it more chance to spread before being 
>noticed.

This makes sense to me.  After all, more than a few virus writers have
sociopathic problems.  If they get mad at a certain manufacturer's video
card for example, and they feel that the manufacturer was unsympathetic to
their problem, or did not provide the support they expected, I would think
that they would vent their anger toward such company.  Makes sense that if
they can cause problems with that company's product it makes the company
look bad.  Sweet revenge.

Once I came upon a public domain program {back in the olden days} from
someone who apparently thought the Tandy 1000 was the best computer going.
When the program was run, a beautiful Christmas scene was displayed with
blinking lights and snow, accompanied by a nice little carol.  Meanwhile,
the program just wiped out the hard drive files, if you weren't running it
on a Tandy 1000.  It did the same on the Tandy 1200 if I remember the
model number correctly.  I saved that disk for years, but moved last month
and had to do a lot of pre-Spring cleaning, and most of my old 360K disks,
it included, went into the wastebasket.  This is a case of selectivity
which I think demonstrates your view.

Later, DarStec

------------------------------

Date: Mon, 11 Mar 1996 11:49:06 +0000 (GMT)
From: Richard Evans <evansr@europa.lif.icnet.uk>
Subject: Re: FORM_D boot sector virus (PC)
X-Digest: Volume 9 : Issue 37

James Paul LaCas (jlacas@alaska.net) wrote:
: How do you get rid of the FORM_D boot sector virus?

Since boot sector viruses infect boot sectors and not files, you can
copy all your files to a backup, and then rewrite the boot sector
by reformatting the disk drive. However, you must be careful not to
infect any floppies used in the process, otherwise you may reinfect the
hard drive later.

Find a DOS disk that you know is free of viruses, and write-protect it.
Switch off the computer, and then switch it back on so that it boots from
the floppy. (Note: DON'T rely on a warm boot or a reset; you should
actually turn off the power.) This ensures that the virus is not in
memory, and so can't spread.

Note also that some viruses infect the partition table. I think that
using FDISK will overwrite these.

------------------------------

Date: Mon, 11 Mar 1996 14:38:07 +0000 (GMT)
From: Bob Rice <arrice@usa.pipeline.com>
Subject: Novice with a virus? (PC)
X-Digest: Volume 9 : Issue 37

I booted my laptop, and to my surprise when it eventually booted, it
showed only 4 files.  There were 2 very large files with the extension
.chk.  I checked it for viruses, and it came up clean, so I reformatted
the hard disk.  However, I cannot write to the hard drive.  It responds,
"sector not found writing drive C". 

I thought I'd come to the experts.  Do I have a virus, and what can I do
about it? 

------------------------------

Date: Mon, 11 Mar 1996 22:28:25 +0000 (GMT)
From: Mic Johnston <MIC@mpx.com.au>
Subject: Re: Directory problem (PC)
X-Digest: Volume 9 : Issue 37

>In a previous article, MIC@mpx.com.au (Mic Johnston) says:

>>
>>I have a directory that mirrors everything in the c: drive, and therefore 
>>becomes mirrored again and again and again etc. I have no idea how it got 
>>there, and I can't remove it because any file I remove from it is also removed 
>>from its directory under c: . 

>**** Have you run an anti-virus program on this directory?

Yes I've thought it might be due to some type of virus but when I run
F-prot it continues to run forever as it scans the mirrored drive again
and again until I have to esc. No message saying a virus is present
appears but I don't know if it's supposed to until the end of the scan.

Mic Johnston

------------------------------

Date: Tue, 12 Mar 1996 09:13:48 +0800
From: TAN BIEN PENG <med20142@leonis.nus.sg>
Subject: HELP! Floppy disks messed up! (PC)
X-Digest: Volume 9 : Issue 37

Each time I access a floppy on either A: or B: and write something to it 
the FAT and MBR become damaged....with the 2nd FAT dissimilar to the 1st
etc.  CHKDSK reports F parameter not spec. with lost allocation units
invariably.  NDD also reports that the Media Descriptor Byte is invalid.
The HDDs are running 'ok'.

Findvirus by Dr.Solomon detects a tanpro.524 virus (gee, what does that 
virus do?) which it could remove. All subsequent scans by Mcafee, F-prot 
etc reveal nothing. I tried to boot from a clean disk but it hangs after 
"starting ms-dos..."

What is going on? Doesn't sound like a hardware problem....
Please send all desperately needed help to: med20142@leonis.nus.sg.

Thanks. 
Bien.

------------------------------

Date: Tue, 12 Mar 1996 04:51:05 +0000 (GMT)
From: Leon Portelance <lportela@island.net>
Subject: Re: Ripper and NYB (PC)
X-Digest: Volume 9 : Issue 37

In article <0042.01I22KYY8OO2RI50OL@csc.canterbury.ac.nz>, ABM User
<ABM@admin.abmsystems.ns.ca> says:

>In article <0017.01I1X44CWLTKQKI9KO@csc.canterbury.ac.nz>, Cheryl Garfin
><GarfinChe@Cheers.niacc.cc.ia.us> says:
>
>>I'm still having trouble with the Ripper Virus. This time it crippled the
>>computer so that you couldn't boot up at all.  I was told to boot with a
>>clean boot disk and then run a:f-prot /hard /disinf.  What will this do.
>>I tried to do this and it said that it didn't have a virus at all.
[...]
>McAfee scan c: /boot /force should get rid of the virus. Similar to an
>fdisk /mbr

I also had a problem with the Ripper.  I got rid of it easily, using the
latest version of F-PROT.  (available via FTP, I used Archie to find a 
download site)

------------------------------

Date: Tue, 12 Mar 1996 07:22:40 +0000 (GMT)
From: D3lyr1uM? <kore8@usa.pipeline.com>
Subject: Form Virus On A Lan (PC)
X-Digest: Volume 9 : Issue 37

My LAN at work is infected with the Form virus; what will get rid of it?

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 37]
*****************************************


