Message-Id: <01I2LFSELJ3CRI6EE6@csc.canterbury.ac.nz>
Date: 	Thu, 21 Mar 1996 09:03:10 +1200 (NZT)
Reply-To: virus-l@Lehigh.EDU
Sender: owner-virus-l@Lehigh.EDU
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>
Subject: VIRUS-L Digest V9 #38
MIME-version: 1.0
Content-transfer-encoding: 7BIT
X-Sender: cctr132@cantva.canterbury.ac.nz
X-Listprocessor-Version: 7.2 -- ListProcessor by CREN

VIRUS-L Digest  Thursday, 21 Mar 1996    Volume 9 : Issue 38

Today's Topics:

Server DEAD! Virus? Lantastic prob? Netscape prob? (PC)
Jackal.B (PC)
Re: F-PROT, Opinions? (PC)
Re: Wordperfect 6.1 Virus? (PC)
Possible Boot Sector Virus (PC)
urkel (PC)
Re: Can't indentify Virus, need help thanks (PC)
Re: I need info about HOT virus please (PC)
Re: Can't identify Virus, need help thanks (PC)
Date set to 2096--virus? (PC)
Re: Dir-2.a Virus - Please Help!!! (PC)
MANZON Virus (PC)
Re: Virus Utility recommendation (PC)
Re: Wordperfect 6.1 Virus? (PC)
Re: Virus Utility recommendation (PC)
Re: Dir-2.a Virus - Please Help!!! (PC)
Re: Possible virus--adds to command.com (PC)
HELP! newbie with possible virus (PC)
Re: I need info about HOT virus please (PC)
help backword.2000.a virus (PC)
Help disinfecting Sampo Virus (PC)
RE: Can't identify Virus, need help thanks (PC)
Re: MS Macro Virus Tool (PC)
Re: I need info about HOT virus please (PC)
Anti exe virus (PC)
Neuroquila (PC)
Re: Virus Utility recommendation (PC)
Ripper virus (PC)
Can't identify Virus, need help thanks (PC)
Re: IBM APTIVA possible VIRUS (PC)
Identification (not detection): Dr Solomons vs F-Prot (PC)
Can't identify Virus, need help thanks (PC)
TBAV/F-Prot false positive (PC)
Possible memory-resident virus HELP! (PC)
Re: I need info about HOT virus please (PC)
Config of McAffee (PC)
Need Help With a virus called SCRMING.FIST.II.652 (PC)
Re: Can't identify Virus, need help thanks (PC)
Re: Possible virus--adds to command.com (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Fri, 15 Mar 1996 01:53:50 -0500
From: MiCornwell <micornwell@aol.com>
Subject: Server DEAD! Virus? Lantastic prob? Netscape prob? (PC)
X-Digest: Volume 9 : Issue 38

I'm not sure if this is the right Usenet group to post this on, but if
anyone has info on the following problem, I'd like to hear some comments
from you.

A few weeks ago our office experienced a major disk crash on one of the
servers.  At the time I passed it off as a faulty hard drive or some other
random bug, but now I know it had nothing to do with the hard drive, as
the same exact problem occurred this evening, while performing the exact
same operation.

About the crash (identical situations both times):  While copying a folder
containing Netscape 2.0, Eudora, and some other communications tools from
a workstation's hard drive to the server's hard drive, the server died
with a message saying a Serious disk error has occurred.  After rebooting,
I rec'd a message saying Missing Operating System.  The first time we took
the disk to a Data Recovery Specialist who said the disk had started to
write files all over the front half of the disk (over the FAT etc...) and
was pretty unrecoverable.  I bought a new HD and restored from backups. 
This time I just formatted the disk and am doing a restore on it as we
speak.

After it happened the first time I did a Mcafee virus scan (Mid-January
data file) just to be safe, which turned up nothing.

BOTH times, the last file that was being copied to the server was
N16E20.EXE, the latest version of Netscape Browser that I personally
downloaded from Netscape's Website.

We're running a Lantastic 6.1 network, WFW 3.11.  At this point I'm unsure
if it's a Lantastic problem, Netscape problem (doubtful?) or a virus that
isn't listed in Mcafee's software yet.

If you have any clues, please e-mail me, as I don't monitor this Usenet
group regularly.

Thanks,

Mike
micornwell@aol.com (home)
mcornwell@abtechsys.com (work)

------------------------------

Date: Thu, 14 Mar 1996 09:42:36 -0800
From: "Byron D. Holdiman" <holdiman@luna.cas.usf.edu>
Subject: Jackal.B (PC)
X-Digest: Volume 9 : Issue 38

We have located Jackal.B on several computers through McAfee, but McAfee 
could not remove it.  Does anyone know what Jackal.B does and how to get 
rid of it?

------------------------------

Date: Fri, 15 Mar 1996 14:08:46 -0500
From: Dan Gilleece <Manatee2@ix.netcom.com>
Subject: Re: F-PROT, Opinions? (PC)
X-Digest: Volume 9 : Issue 38

George Kalemanis wrote:

> I have been working as a tech. for quite some time, and been using F-PROT.
> While F-PROT is not 100% fool proof, I do believe it is the best, and even
> install it in all machines that get configured or serviced free of charge,
> whether it needs it or not.  How many people agree, or are there better
> scanners out there that people use -  I haven't been real impressed with
> McAfee (some viruses pass though McAfee using the latest version, while
> older F-PROT copies still detect).

I have recently installed F-prot on our LAN and I can only say this:  
Nothing else compares.  For the basic seat price it covers our entire 
enterprise from DOS to Win 3.1 to Win 95.  

In comparison to McAfee, it is considerably faster and bull's-eye 
accurate.  In the several tests I have performed it has detected all the 
test viruses I "planted," and has scanned over 12,000 files without a 
single false positive.

The Dynamic Virus Protection for Win 95 acts a little flaky, but it 
still detects --- it just needs some refinement.  The Win 3.1 DVP works 
like a charm, and has the administration flexibility features many 
others lack.

It's a winner...

Dan

------------------------------

Date: Fri, 15 Mar 1996 19:29:58 -0500
From: DarStec <darstec@aol.com>
Subject: Re: Wordperfect 6.1 Virus? (PC)
X-Digest: Volume 9 : Issue 38

In article <0030.01I2ARWWZ0YWRI5O92@csc.canterbury.ac.nz>, Kenneth
Albanowski <kjahds@kjahds.com> writes:

>On Thu, 29 Feb 1996, Joe Marshall wrote:
>
>> I am a technician at a community college and we are having trouble with
>> Wordperfect 6.1 for Windows going down.  It seems that files are being
>> deleted in Windows as well as other different applications.
[snip]
> 1. Malicious damage (somebody running around deleting files.)
>
> 2. Bad software (are you running BETA versions of anything?)
>
> 3. A bad disk.
>
> 4. A Virus.
>
>It seems you've ruled out #4 (but of course you should try any other virus
>checker you come across) so what about the rest of the list?

One other possibility which I have run across several times - a bad CPU. 
It can play havoc with the HD controller card.  Sometimes this is hard to
track down because if the problem is intermittent then everything works
until the CPU acts up and if it acts up the test software shuts down and
can't tell you.  Substitution seems to be the only way to track this one
down.

Later, DarStec

------------------------------

Date: Sat, 16 Mar 1996 11:51:40 -0700 (PDT)
From: Alan Rock <arock@birchdavis.com>
Subject: Possible Boot Sector Virus (PC)
X-Digest: Volume 9 : Issue 38

I believe that my PC, (ms-dos 6.22, windows 3.1) has a boot sector virus
that has not been detected by McAfee or Norton anti-virus.  Symptoms as
follows: 1) The system did not reboot and said "Non-system disk;" 2) after
reformatting the hard drive and reloading all software it is impossible to
create a Norton rescue disk or any other bootable floppy; 3) When
attempting to reload Windows 95, I get a Possible Boot Sector Virus
message and the system locks up at that point.  I have had the machine to
a shop and they can't find a virus.  I'd appreciate some help, as I'd like
to have a rescue disk, use Win-95, and get on with my life!

Thanks for your time.

------------------------------

Date: Fri, 15 Mar 1996 17:46:05 +0000 (GMT)
From: Larry Schimmel <schimmel@netcom.com>
Subject: urkel (PC)
X-Digest: Volume 9 : Issue 38

Is there someone who knows how to remove once and for all the urkel 
virus.  I've checked past postings and other sources but cannot find a 
solution.  Any help would be appreciated.

e-mail schimmel@netcom.com

------------------------------

Date: Sat, 16 Mar 1996 19:48:58 -0800
From: Tom Simondi <tsimondi@slonet.org>
Subject: Re: Can't indentify Virus, need help thanks (PC)
X-Digest: Volume 9 : Issue 38

In Digest: Volume 9 : Issue 36

> when i turn my computer on, it accesses the hard drive momentarily and
> then starts beeping 3 times in a row then a pause, and then 3 more beeps.
> The screen is blank while this is going on.
> [Moderator's note:  Sounds like hardware to me.  Who knows what 3 beeps
> when the POST fails means??]

Not enough info to say exactly because the BIOS was not identified.
For reference:

IBM POST Audio Error Codes:
  1 short beep                  Normal POST - System OK
  2 short beeps                 POST error - Error code on CRT
  No beep                       Power supply, system board
  Continuous beep               Power supply, system board
  Repeating short beeps         Power supply, system board
  1 long, 1 short beep          System board
  1 long, 2 short beeps         Display adapter (MDA, CGA)
  1 long, 3 short beeps         Enhanced Graphics Adapter (EGA)
  3 long beeps                  3270 keyboard card

AMI BIOS Audio POST Codes:
  1 short beep                  DRAM refresh failure
  2 short beeps                 Parity circuit failure
  3 short beeps                 Base 64K RAM failure
  4 short beeps                 System timer failure
  5 short beeps                 Processor failure
  6 short beeps                 Keyboard controller Gate A20 error
  7 short beeps                 Virtual mode exception error
  8 short beeps                 Display memory Read/Write test failure
  9 short beeps                 ROM BIOS checksum failure
  10 short beeps                CMOS Shutdown Read/Write error
  11 short beeps                Cache Memory error
  1 long, 3 short beeps         Conventional/extended memory failure
  1 long, 8 short beeps         Display/retrace test failed

I don't have the other BIOS maker's info close at hand but they
are all different.

The moderator is correct, however. This is most likely a hardware
problem.

=-=- Tom Simondi -=-= Visit the Computer Knowledge home page -=-=
=-=- http://www.slonet.org/~tsimondi/ck.htm      -=-=-=-=-=-=-=-=
=-=- E-mail: 75655.210@compuserve.com -or- tsimondi@slonet.org -=

------------------------------

Date: Sun, 17 Mar 1996 10:23:34 +0100
From: Gerard Mannig <mannig@world-net.sct.fr>
Subject: Re: I need info about HOT virus please (PC)
X-Digest: Volume 9 : Issue 38

>I have just got rid of the HOT Virus which was picked up by McAffe's
>Virus Scan but not a 6 month old version of Dr Solomon's which hasn't
>even heard of HOT.
>
>If anybody knows anything about this virus, please let me know

This is some stuff from Eugene KASPERSKY about the so-called 'macro'
viruses

Hope this helps
..........................................................................

 Macro.Word-viruses


 Macro.Word.Atom
- ------------------------------
This virus contains four macros: Atom, FileOpen, FileSaveAs, AutoOpen, and
infects Word while loading the infected document (AutoOpen).

This virus infects the files in two ways: while opening the file (command
File/Open, macros FileOpen), and while saving the document with new name
(command File/SaveAs, macros FileSaveAs).

While infecting the document while saving it with new name (FileSaveAs)
the virus checks the system time. If the value of seconds is equal to 13
the virus set the password ATOM#1 for this document. The virus cannot set
the password if the file is already infected - Word displays the
message about WordBasic error.

While opening the infected document on 13th of December the virus deletes
all files of current directory. We did not check it, but the system has to
display the error message while deleting opened files.


 Macro.Word.Color (Rainbow, Color Changer)
- -----------------------------------------------------------------------
This is encrypted virus, it contains the macroses:

 macros, FileNew, AutoExec, AutoOpen, FileExit, 
 FileSave, AutoClose, FileSaveAs, ToolsMacro

This virus infects the files while creating of new document (FileNew) and 
while saving the document with new name (FileSaveAs).

On each 300th call to the file functions (FileNew, AutoOpen, FileExit, 
FileSave, AutoClose, FileSaveAs and ToolsMacro) the virus alters the 
section [colors] in the WIN.INI file, and sets the random selected colors 
for Windows components. New colors appear after next Windows loading. The 
virus keeps the trigger counter in the WIN.INI file in the [windows] 
section:

 [windows]
 countersu= 234

The virus allows Auto-macroses (AutoOpen, AutoClose and so on), it sets 
DisableAutoMacros to zero.

When the virus is active, it is impossible to activate Tools/Macro command. 
To manual disinfection it is necessary to delete virus' macroses by using  
Organizer (Tools/Customize, Word command, then draw Organizer out to 
toolbar).


 Macro.Word.Concept (WW6Macro)
- --------------------------------------------------------------
This is the first WinWord virus found "in the wild". The virus contains
five macroses: AAAZAO, AAAZFS, AutoOpen, PayLoad, FileSaveAs. It infects 
the files that are SaveAs'ed (FileSaveAs).

There are the text strings in the infected document:

 see if we're already installed
 iWW6IInstance
 AAAZFS
 AAAZAO
 That's enough to prove my point

and other. The WINWORD6.INI on infected system contains the file:

 WW6I= 1

On the first execution of the virus code (i.e. on the first opening of the
infected file) the MessageBox appears with digit "1" inside, and "Ok"
button.


 Macro.Word.DMV
- -------------------------------
This is the first known MS-Word macro-virus. It contains only one macros -
AutoClose, and infects the files that are saved on disk. While infecting 
this virus displays the MessageBox'es with the header:

 Document Macro Virus

The messages are:

 Counting global macros.
 AutoClose macro virus is already installed in NORMAL.DOT.
 AutoClose macro virus already present in this document.
 Saved current document as template.
 Infected current document with copy of AutoClose macro virus.
 Macro virus has been spread.
 Now execute some other code (good, bad, or indifferent).


 Macro.Word.Hot
- ------------------------------
This is encrypted virus. It contains the macroses: AutoOpen, InsertPBreak, 
DrawBringInFrOut, ToolsRepaginat. While infecting the system that virus 
renames the ToolsRepaginat macros to FileSave, and then infects the 
existing documents that are saved on disk (FileSave). While infecting the 
documents the virus renames FileSave macros back to ToolsRepaginat name.

While infecting the system the virus inserts the string "QLHot=nnnn" into
the WINWORD6.INI file, where "nnnn" is the "triggering day", it is the
number of current day of this century plus 14, for example:

 QLHot=35110

The next days the virus selects random value from 1 till 6, and adds to the
"triggering day". If the result is equal to the current day, the virus
deletes the file before saving it to disk.

14 days after last modifying of the "QLHot" string the virus renews it.

The virus does no action if there is the C:\DOS\EGA5.CPI file.

The virus does not work under Microsoft Word 7.0. While opening the
infected document the system displays the message:

 Unable to load specified library


 Macro.Word.Imposter
- ------------------------------------
This is a plagiarism from "Word.Macro.Concept" and "Word.Macro.DMV". It 
contains two macroses:

 in infected document:   AutoClose, DMV
 in infected NORMAL.DOT: FileSaveAs, DMV

While infecting the system the virus receives the control in AutoClose 
document, renames DMV macros to FileSaveAs, then renames AutoClose to DMV.  
While infecting the files (FileSaveAs) the virus renames these macros back 
DMV -> AutoClose, FileSaveAs -> DMV.

While infecting the documents the virus displays the MessageBox:

 DMV

One of the strings in the virus body looks like follows:

 just to prove another point


 Macro.Word.Nuclear
- --------------------------------------
It is encrypted virus, it contains the macroses:

 AutoExec, AutoOpen, FileSaveAs, FilePrint, FilePrintDefault,
 InsertPayload, Payload, DropSuriv, FileExit

While installation these macros are copied into Global Macros area, and 
overwrites the macros if they are already present there. Then the virus 
infects the documents by FileSaveAs macros.

The virus manifest itself in three ways: 1) runs COM/EXE/NewEXE virus,
2) appends the text strings while printing the documents, 3) corrupts the 
system files.

1) The AutoExec macro calls DropSuriv macro which check the system time and
drops the COM/EXE/NewEXE virus ("Ph33r") if the time is in 17:00 /
18:00. While dropping the virus uses DEBUG utility.

First, the virus checks the C:\DOS\DEBUG.EXE. If there is such one the
virus creates temporary file PH33R.SCR in C:\DOS directory, and writes hex
dump of COM/EXE/NewEXE virus and DEBUG commands into there. Then the virus
creates the temporary file EXEC_PH.BAT with the strings inside:

 @echo off
 debug < ph33r.scr > nul

and executes that. As the result DEBUG utility creates the copy of
COM/EXE/NewEXE virus (in the memory) and executes it. That virus hooks INT
21h and writes itself to the end of COM/EXE/NewEXE files while opening,
execution, renaming and changing their attributes.

The execution of BAT-file is doing in background, so the user does not know
that there are two(!) viruses on his PC.

Then the virus deletes the temporary PH33R.SCR and EXEC_PH.BAT files.

Fortunately, this virus has a bug, and fails to drop COM/EXE/NewEXE-virus, 
but it is quite easy way to fix that bug in next virus version.

2) While printing of documents the virus appends the text approximately to
each 12th file (if the seconds are 55 or more):

 And finally I would like to say:
 STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!

These strings are appended to the document immediately before printing, so
the user does not see them (often documents occupy more than one screen).
This is a very curious effect, especially while sending documents via fax.


3) On 5th of April the virus erases IO.SYS and COMMAND.COM files.


 Macro.Word.Nuclear.b
- -----------------------------------
The variant of previous one. Does not contain COM/EXE/NewEXE virus and 
macroses DropSuriv, FileExit. 

There is a bug while appending the text to the end of the document while 
printing. As the result the virus appends blank page, and Word displays the 
message about WordBasic error.


 Macro.Word.Xenixos (Nemesis)
- --------------------------------------------------
It is encrypted virus. It contains the macroses:

Drop, Dummy, AutoExec, AutoOpen, DateiÖffnen, ExtrasMakro, DateiBeenden, 
DateiDrucken, DateiSpeichern, DateiSpeichernUnter, DateiDruckenStandard.

In some cases it sets the password "xenixos" for infected documents, 
displays the message:

 Diese Option ist derzeit leider nicht verfügbar.
 Fehler

While printing the documents it appends:

 Brought to you by the Nemesis Corporation,  1996

On 1st of may the virus writes the string to the AUTOEXEC.BAT file:

 @echo j|format c: /u >nul

This virus also launches "Neurobasher.b" multipartite virus. To do that the 
virus creates the C:\DOS\SCRIPT.SCR file, and writes hexadecimal dump 
of that virus into there. Then the virus creates the C:\DOS\EXEC.BAT file, 
and writes the strings into there:

 @echo off
 debug < script.scr>nul
 rem debugger.com
 echo @c:\dos\debugger.exe>>c:\autoexec.bat
 del c:\dos\script.scr
 del c:\dos\exec.bat

Then the virus executes that file. As the result DEBUG.EXE creates the
DEBUGGER.EXE file, and C:\AUTOEXEC.BAT has new string at its end:

 @c:\dos\debugger.exe

So, the last command of AUTOEXEC.BAT launches dropper of "Neurobasher.b" 
virus.
..........................................................................

Regards,

- ----------------------------------------------------------------
Gerard MANNIG                                    Virus Consultant 
    Phone : +33 (16) 3559-9344     Fax     : +33 (16) 3560-5011               
Report a virus attack: http://www.primenet.com/~mwest/vir-vrf.htm
Member of   R . E . C . I . F 
data +33 1 3415-4959                Voice machine +33 1 3072-9443
=-=-=- I do NOT speak for RECIF unless otherwise specified -=-=-
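
Added example, not part of the original post or of the quoted write-up: a small Python checker for the on-disk markers (WW6I, QLHot, countersu, the AUTOEXEC.BAT lines) and the macro-name sets that the descriptions above give. The sample file contents and the [Microsoft Word] section name are constructed, and the NORMAL.DOT form of Hot assumes only ToolsRepaginat is renamed; DMV, Color and Xenixos are left out of the macro table because their names are generic or not fully legible above.

```python
import re

# Macro-name sets per family, copied from the descriptions above. Where the
# text says a macro is renamed once NORMAL.DOT is infected, both forms appear.
FAMILY_MACROS = {
    "Macro.Word.Atom": [{"Atom", "FileOpen", "FileSaveAs", "AutoOpen"}],
    "Macro.Word.Concept": [{"AAAZAO", "AAAZFS", "AutoOpen", "PayLoad", "FileSaveAs"}],
    "Macro.Word.Hot": [
        {"AutoOpen", "InsertPBreak", "DrawBringInFrOut", "ToolsRepaginat"},
        # Assumption: in NORMAL.DOT only ToolsRepaginat changes name.
        {"AutoOpen", "InsertPBreak", "DrawBringInFrOut", "FileSave"},
    ],
    "Macro.Word.Imposter": [{"AutoClose", "DMV"}, {"FileSaveAs", "DMV"}],
    "Macro.Word.Nuclear": [{"AutoExec", "AutoOpen", "FileSaveAs", "FilePrint",
                            "FilePrintDefault", "InsertPayload", "Payload",
                            "DropSuriv", "FileExit"}],
    "Macro.Word.Nuclear.b": [{"AutoExec", "AutoOpen", "FileSaveAs", "FilePrint",
                              "FilePrintDefault", "InsertPayload", "Payload"}],
}

def match_families(macro_names):
    """Families whose complete macro set is present, most specific first.
    Names are compared case-insensitively (an assumption of this example)."""
    present = {m.casefold() for m in macro_names}
    hits = []
    for family, variants in FAMILY_MACROS.items():
        for variant in variants:
            if {m.casefold() for m in variant} <= present:
                hits.append((len(variant), family))
                break
    return [family for _, family in sorted(hits, key=lambda h: (-h[0], h[1]))]

# (file name, required section or None for any, key, family)
INI_RULES = [
    ("winword6.ini", None, "WW6I", "Macro.Word.Concept"),
    ("winword6.ini", None, "QLHot", "Macro.Word.Hot"),
    ("win.ini", "windows", "countersu", "Macro.Word.Color"),
]

def scan_ini(name, text):
    """Return (family, key, value) for every marker key found in an INI text."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).casefold()
            continue
        if line.startswith(";") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        for fname, want_section, want_key, family in INI_RULES:
            if fname != name.casefold():
                continue
            if want_section is not None and section != want_section:
                continue
            if key.casefold() == want_key.casefold():
                findings.append((family, key, value))
    return findings

def hot_last_written_day(qlhot_value):
    """QLHot holds 'day written + 14' per the description; undo the offset."""
    return int(qlhot_value) - 14

BAT_RULES = [
    (re.compile(r"^@echo\s+j\s*\|\s*format\s+c:\s*/u", re.I),
     "Macro.Word.Xenixos", "format payload line"),
    (re.compile(r"^@c:\\dos\\debugger\.exe\s*$", re.I),
     "Macro.Word.Xenixos", "dropper launch line"),
]

def scan_autoexec(text):
    """Return (family, note, line) for AUTOEXEC.BAT lines quoted above."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        for pattern, family, note in BAT_RULES:
            if pattern.match(line):
                findings.append((family, note, line))
    return findings

# Constructed sample inputs (not taken from a real machine).
SAMPLE_WINWORD6_INI = "[Microsoft Word]\nWW6I= 1\nQLHot=35110\nUSER-DOT-PATH=C:\\WINWORD\n"
SAMPLE_WIN_INI = "[windows]\nload=\ncountersu= 234\n[colors]\nBackground=0 128 128\n"
SAMPLE_AUTOEXEC = "@echo off\npath c:\\dos\n@echo j|format c: /u >nul\n@c:\\dos\\debugger.exe\n"

if __name__ == "__main__":
    for fam, key, value in scan_ini("WINWORD6.INI", SAMPLE_WINWORD6_INI):
        extra = ""
        if key.casefold() == "qlhot":
            extra = " (written on day %d)" % hot_last_written_day(value)
        print("WINWORD6.INI: %s=%s -> %s%s" % (key, value, fam, extra))
    for fam, key, value in scan_ini("WIN.INI", SAMPLE_WIN_INI):
        print("WIN.INI: %s=%s -> %s" % (key, value, fam))
    for fam, note, line in scan_autoexec(SAMPLE_AUTOEXEC):
        print("AUTOEXEC.BAT: %r -> %s (%s)" % (line, fam, note))
    print(match_families(["AutoOpen", "InsertPBreak", "DrawBringInFrOut", "FileSave"]))
```

A marker key in an INI file only shows that the macro code ran at some point; the macro list of NORMAL.DOT and of the documents still has to be checked.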

------------------------------

Date: Sun, 17 Mar 1996 04:52:03 -0500
From: DarStec <darstec@aol.com>
Subject: Re: Can't identify Virus, need help thanks (PC)
X-Digest: Volume 9 : Issue 38

In article <0038.01I2G0808C12RI5O92@csc.canterbury.ac.nz>, "D. T.K. Lu"
<dtlu38@quads.uchicago.edu> writes:

>when i turn my computer on, it accesses the hard drive momentarily and
>then starts beeping 3 times in a row then a pause, and then 3 more beeps.
>The screen is blank while this is going on.
>
>I can't boot from a floppy because the computer doesn't even check the
>floppy drive, it just goes into its frozen beep mode.
>
>does anyone know what virus this is, and what i can do about it?
>someone suggested it may be my hardware, but i don't think so.

There is very little to go on.  The POST beeps mean different things with
differing BIOS chips.  Most commonly the three beeps point to either a
keyboard problem or a video problem or sometimes a ram problem. 
Considering the PC won't boot up, I would look for a problem such as a bad
video card.  Secondly I would switch Ram Simms around and see if the ram
count down can be seen.  If the ram is bad at the first 64K area, the
computer may not even get to the countdown.  My vote though is for the
video card.  Other possibilities are the interrupt chips, dma chips and a
few others on the motherboard depending on the BIOS.

Later, DarStec

------------------------------

Date: Sat, 16 Mar 1996 12:57:15 +0200 (EET)
From: Balogh Csaba Jozsef <bc6571@scs.ubbcluj.ro>
Subject: Date set to 2096--virus? (PC)
X-Digest: Volume 9 : Issue 38

Does anyone know of a virus that sets the date & time control forward?
(ex: to 2096). If you try to set back the date your c: drive's FAT will be 
damaged. The only way (that I found) to correct this error is: reboot from
a floppy and run the NDD.EXE and some of the files will be damaged, OR set
the time back to 2096 !?

I tried to find the "bug" with F-Prot 2.21 and Tbav650 without success.
I need emergency help.

(My battery isn't dead!)

Thankful for the smallest clue is

------------------------------

Date: Sun, 17 Mar 1996 17:56:35 +0000
From: Dmitry Gryaznov <er86@dial.pipex.com>
Subject: Re: Dir-2.a Virus - Please Help!!! (PC)
X-Digest: Volume 9 : Issue 38

Ian Elrick wrote:

> I have just found a pc infected with the above beastie at my site.
> 
> Neither the latest versions of F-Prot or Dr Sols can clean it.
> 
> It is only the one machine so far but I am keen to get a fix before it
> spreads.

The easiest way to clean DIR-II is to use the virus' full stealth 
capabilities. While the virus is active on your PC (do NOT boot clean 
in the case) you can a) PKZIP all of your hard disk or b) backup all the 
files on your hard disk to a tape or even c) simply copy everything from 
your hard disk to a remote drive on the network. In any of the cases 
listed, the copy will be virus-free. That's because DIR-II installs 
itself as a main DOS disk driver and when the virus is active it 
effectively "removes" itself from any file being accessed. And since the 
virus cannot infect neither ZIP (ARJ, etc) archives nor tape drives nor 
remote Novell LAN drives, the archives/backups/copies are always free 
from this virus. After copying or archiving, boot clean, reformat your 
hard disk and restore everything from the archive/backup/copy.

Another method doesn't need reformatting. Again, with the virus active, 
you have to rename ALL *.COM and *.EXE files on your hard disk to any 
other extension. Then boot from a clean floppy (you won't be able to boot 
from the hard disk since COMMAND.COM will be renamed too) and rename all 
the files back to *.COM and *.EXE. Your computer is clean now.

- - 
Sincerely,                    | VirusLab, S & S International PLC.
     Dmitry O. Gryaznov       | Alton House, Office Park, Gatehouse Way,
Senior Virus Research Analyst | Aylesbury, Bucks HP19 3XU, United Kingdom
E-mail: grdo@dial.pipex.com   | Tel: +44 (0)1296 318700
WWW: http://www.drsolomon.com | Fax: +44 (0)1296 318734

------------------------------

Date: Sun, 17 Mar 1996 18:06:06 +0000 (GMT)
From: genstorm@hookup.net
Subject: MANZON Virus (PC)
X-Digest: Volume 9 : Issue 38

Has anyone heard of a virus known as Manzon? If so, how did you deal with
it?

Please reply directly through email address. Thanks.

Pat Cunningham                             genstorm@hookup.net

------------------------------

Date: Sun, 17 Mar 1996 18:02:01 +0000
From: Dmitry Gryaznov <er86@dial.pipex.com>
Subject: Re: Virus Utility recommendation (PC)
X-Digest: Volume 9 : Issue 38

James Thompson wrote:

> I was about to purchase Virus Scan by McAffee until I read reports (email
> messages) indicating dissatisfaction with the product.  Can anyone
> recommend a virus utility with a good track record.  In spite of its
> weaknesses, is Virus Scan still the best package out there?

No, ViruScan is definitely -not- the best AV package on the market and has 
not been such for quite a few years. You can find independent reviews of 
different AV products at http://www.drsolomon.com and
http://www.virusbtn.com and you'll find many other AV links at those
sites.

> Please respond in the newsgroup or my email address AAQF89A@PRODIGY.COM

Am responding to both.

- - 
Sincerely,                    | VirusLab, S & S International PLC.
     Dmitry O. Gryaznov       | Alton House, Office Park, Gatehouse Way,
Senior Virus Research Analyst | Aylesbury, Bucks HP19 3XU, United Kingdom
E-mail: grdo@dial.pipex.com   | Tel: +44 (0)1296 318700
WWW: http://www.drsolomon.com | Fax: +44 (0)1296 318734

------------------------------

Date: Sun, 17 Mar 1996 17:24:27 -0800
From: Evan Hand <ehandjr@ibm.net>
Subject: Re: Wordperfect 6.1 Virus? (PC)
X-Digest: Volume 9 : Issue 38

Doug Reed wrote:

> Joe Marshall wrote:
> 
> > I am a technician at a community college and we are having trouble with
> > Wordperfect 6.1 for Windows going down.  It seems that files are being
> > deleted in Windows as well as other different applications.
> >
> > Windows kernel becomes damaged and parts if not all of Wordperfect become
> > damaged.
> >
> > We have tried the latest versions of McAfees Vshield and Scan and have
> > also tried F-prot, both of which have been very successful in the past at
> > locating viruses, but neither one of these find any viruses on the
> > computers with the problems.
> >
> > If anyone out there has any info I'd appreciate the help.
> 
> We've been having similar problems here.  In our case, the Windows
> Registration database was altered, resulting in damage to both
> WordPerfect 6.1 and Word 6.0.  Correcting the database and reinstalling
> solved the problem (for now).  Let me know if you find anything out!

We have been using Word 6.0 at work, and have had some of the above 
problems.  They were traced to the PRANK (CONCEPT) Word virus.  Microsoft 
has a fix for the above virus.  You will need to locate scan831.doc at 
the Microsoft site and open it as the first document after starting it 
directly from the program manager.  (above is all under WFW 3.11, so may 
be different for Win95)

Good-luck
Evan

------------------------------

Date: Sun, 17 Mar 1996 22:33:48 +0000 (BUE)
From: ruben@ralp.satlink.net
Subject: Re: Virus Utility recommendation (PC)
X-Digest: Volume 9 : Issue 38

Thu, 07 Mar 1996 20:29:05 +0000 (GMT)
James Thompson <AAQF89A@prodigy.com>

>I was about to purchase Virus Scan by McAffee until I read reports (email 
>messages) indicating dissatisfaction with the product.  Can anyone 
>recommend a virus utility with a good track record.  In spite of its 
>weaknesses, is Virus Scan still the best package out there?

I could recommend You the Av packages I believe are the best:

- Integrity Master v 2.61b (Stiller Research)
- F-Prot v 2.21            (Frisk)
- Dr Solomon Av Toolkit 

Regards

Ruben Arias

- ------------------------------------------------------------------------------
 Ruben M. Arias                                _   _      _
					      | ) |_| |  |_)
					      | \ | | |_ |
 E-Mail: Ruben@RALP.Satlink.net
 Buenos Aires - ARGENTINA            RALP - Computer Security - Virus
- ------------------------------------------------------------------------------

------------------------------

Date: Sun, 17 Mar 1996 23:07:27 +0000 (BUE)
From: ruben@ralp.satlink.net
Subject: Re: Dir-2.a Virus - Please Help!!! (PC)
X-Digest: Volume 9 : Issue 38

Thu, 07 Mar 1996 06:49:56 -0500 (EST)
Ian Elrick <j.s.elrick@forth.stir.ac.uk>
Wrote:

>I have just found a pc infected with the above beastie at my site.
>Neither the latest versions of F-Prot or Dr Sols can clean it.
>It is only the one machine so far but I am keen to get a fix before it
>spreads.

Dir-2.a is NOT a new virus.
It's hard to believe that F-prot or Dr Solomons can't deal with them.
I'm pretty sure that these AV packages identify the infected files.

Just delete the infected files and replace them by the originals. It's 
possible that the AV packages can't remove the virus from the file.
(In the case of F-prot read Virlist.lis file, to check this)

Also be sure to Boot clean when You look for infection using the AV
packages.

Regards

Ruben Arias

------------------------------

Date: Sun, 17 Mar 1996 22:59:29 +0000 (BUE)
From: ruben@ralp.satlink.net
Subject: Re: Possible virus--adds to command.com (PC)
X-Digest: Volume 9 : Issue 38

Tue, 05 Mar 1996 18:41:03 -0500 (EST)
Greg Wesson <chaotic@pe.net>
Wrote:

>Hello, my name is Greg Wesson.  I think I have a virus, but I'm not sure. 
>I am running DOS 6.22 and Windows 3.1 (just upgraded to 3.11).  About 30
>40 days ago, I got an error when starting dos.  The error said "Bad or
>missing command interpreter (i.e. c:\command.com)" and then prompted me
>with "c>"  I have downloaded some things from reputable (I think) places
>such as Bloodlust software.  However, I have also downloaded things from
>usenet.  My anti-virus program is Microsoft Anti-Virus.  When I scan now,
>it detects changes in many files in the DOS, WINDOWS, and ACER
>directories, but no viruses.  A friend of mine says that he scanned a disk
>that I gave him of 2 bmp files that I scanned using a logitech scanman and
>he said that there was a virus called "LEONARDO." 
>
>Any input you can give me on this subject would be a great help.  As I am
>new to this group I ask that you please mail me directly (if that's a
>problem, I'll just check back here in a few days).  Thanks in advance.  I
>appreciate your help.

If you're talking about downloading many files from some sites, you should 
check EVERY file with a good, reputable AV package.

Of course you should choose something better than MSAV (Microsoft Anti-Virus); 
it's old, has no updates and has been mentioned many (MANY) times here as an 
example of a NOT_TO_USE AV program.

There are many kinds of programs that I'm sure folks here could recommend.

Regarding your problem: NO virus could infect .bmp files, as far as I
can see.

You should specify precisely what kind of infection you found, but you must 
use a better, more accurate tool to do this. (Of course, booting from a 
CLEAN_Bootable_Write-protected Diskette.)

Regards

Ruben Arias

------------------------------

Date: Mon, 18 Mar 1996 03:51:50 +0000 (GMT)
From: "eric j. geller" <hoppr@ix.netcom.com>
Subject: HELP! newbie with possible virus (PC)
X-Digest: Volume 9 : Issue 38

i think i may have encountered a virus on the net. can't remember the 
web page but it said specifically that "you have just downloaded a
virus". unfortunately weird things were occurring even before the web
encounter. i'll try to keep the description short. firstly, i can't get
any sound to work with my games or my cd-roms, even after re-installing
the sound software. the sound will work if i play a music cd with the
comp. cd player but not with anything else. secondly, i am having weird
messages crop up when trying to open some of my games like myst. when i
try to open myst i get the message "unable to open dynalink" or some
such nonsense. i've never had any of these problems before. another
problem seems to be that when i boot up my computer the set-up routine
is sticking momentarily in two places for a short period of time. this
has also never happened before. 

i have run micro-soft anti-virus and it came up with four execution
files that have changed. since i don't know very much about computers
this is all new to me. i want to buy an anti-virus program for this
problem and any future ones, please give suggestions before i spend
money that i don't have!

last question, i run a netcruiser browser which i believe holds web
pages in ram and  does not write directly to the HD. is it possible to
get a virus that just lives in ram and then causes damage w/o having to
be written to the HD. any help at all is incredibly appreciated.
thanks.

------------------------------

Date: Sun, 17 Mar 1996 11:44:46 +0000 (GMT)
From: Jan Hruska <Jan_Hruska@sophos.com>
Subject: Re: I need info about HOT virus please (PC)
X-Digest: Volume 9 : Issue 38

Visit http://www.sophos.com/

There is a report on macro viruses including Hot as well as evaluation
versions of Sophos anti-virus software.

------------------------------

Date: Mon, 18 Mar 1996 10:59:13 +0200
From: Teodosiu Iulian <u9512279@runner.sorosis.ro>
Subject: help backword.2000.a virus (PC)
X-Digest: Volume 9 : Issue 38

I found the backword.2000.a virus with SCAN and it cannot be removed by SCAN.

------------------------------

Date: Mon, 18 Mar 1996 09:42:20 +0000 (GMT)
From: Ian Elrick <j.s.elrick@forth.stir.ac.uk>
Subject: Help disinfecting Sampo Virus (PC)
X-Digest: Volume 9 : Issue 38

A colleague of mine found SAMPO on a student's notebook with F-Prot 
professional ver 2.21a. He tried to disinfect with the same program and 
everything seemed to go ok but after trying the fix he found that the mbr 
seemed to be corrupt. 

Is there anything special about Sampo that could cause this? How well does 
F-prot disinfect this virus?

Is there any way I can recover this users data for him?

Thanks in advance

Ian Elrick

------------------------------

Date: Mon, 18 Mar 1996 05:59:43 -0500 (EST)
From: Richard Wood <101346.3667@compuserve.com>
Subject: RE: Can't identify Virus, need help thanks (PC)
X-Digest: Volume 9 : Issue 38

"D. T.K. Lu" <dtlu38@quads.uchicago.edu> wrote:

>when i turn my computer on, it accesses the hard drive momentarily and
>then starts beeping 3 times in a row then a pause, and then 3 more beeps.
>The screen is blank while this is going on.

>I can't boot from a floppy because the computer doesn't even check the
>floppy drive, it just goes into its frozen beep mode.

>does anyone know what virus this is, and what i can do about it?
>someone suggested it may be my hardware, but i don't think so.

Assuming this is an AMI BIOS, 3 beeps means base 64K or CMOS RAM failed.

Richard

- -
Richard Wood, Senior Systems Operator
Royal United Hospital, Bath, UK
101346.3667@compuserve.com

------------------------------

Date: Mon, 18 Mar 1996 12:22:14 +0000 (GMT)
From: Stefan Kurtzhals <kurtzhal@wmwap1.math.uni-wuppertal.de>
Subject: Re: MS Macro Virus Tool (PC)
X-Digest: Volume 9 : Issue 38

"Sandro V. Cuccia" <cucciasv@a1.lldmpc.umc.dupont.com> wrote:
>Am evaluating the option of using either Microsoft's Macro Virus
>eradicator, or just going with the latest Norton AntiVirus version and
>signature files.... any experience, pro or con, either way?

Both have serious drawbacks. SCANPROT.DOT from Microsoft is just 
an antivirus macro which can handle the Concept virus alone.
NAV can scan and clean more viruses, but both are restricted to
known macro viruses. 

I've written a tool which can detect macro viruses with heuristic
analysis. This means F/WIN can detect known and unknown macro viruses
and trojans and it is able to clean them. Besides that it uses heuristics
to detect NE-EXE and PE-EXE viruses (Windows 3.x and Windows 95).

Try the following link for more information about F/WIN:

http://www.entrepreneurs.net/fwin

bye, Stefan Kurtzhals

------------------------------

Date: Mon, 18 Mar 1996 12:28:17 +0000 (GMT)
From: Stefan Kurtzhals <kurtzhal@wmwap1.math.uni-wuppertal.de>
Subject: Re: I need info about HOT virus please (PC)
X-Digest: Volume 9 : Issue 38

David Yates <david@yates.dungeon.com> wrote:

>I have just got rid of the HOT Virus which was picked up by McAfee's
>Virus Scan but not a 6 month old version of Dr Solomon's which hasn't
>even heard of HOT.

Hot is quite new, so you need at least DSAV 7.57 to detect and clean it.

Take a look at the homepage of Dr. Solomon; they have good information
about macro viruses. (http://www.drsolomon.com/vircen)
They also offer newer evaluation versions of DSAV.

I've written a tool which can detect and clean known and UNKNOWN
macro viruses. It's able to detect and clean Concept, Nuclear, Nuclear.B,
Colors, Hot, Imposter, Xenixos, DMV and FormatC.

You can download the shareware version from:

http://www.entrepreneurs.net/fwin

bye, Stefan Kurtzhals

------------------------------

Date: Sun, 17 Mar 1996 19:52:08 +0000 (GMT)
From: Angela Cowley <Angela@squig.demon.co.uk>
Subject: Anti exe virus (PC)
X-Digest: Volume 9 : Issue 38

I bought a new computer 2 weeks ago and it was definitely clear of viruses
when I got it, but then 5 days ago I discovered it had the anti exe virus.
I know my old computer is clean and the floppies I installed the day I got
it are clean, just ones I've used over the last week are infected. I've
cleaned everything now and have dr solomons installed, but wonder where
the virus came from. Every one I know who is not on the net is telling me
I got it from the net, but are they right? I was online for 4 months on
the old machine and that is ok.

-Angela Cowley 

------------------------------

Date: Mon, 18 Mar 1996 14:06:37 +0000 (GMT)
From: Dan Wright <danright@ix.netcom.com>
Subject: Neuroquila (PC)
X-Digest: Volume 9 : Issue 38

Could use some help please for a friend's 486 PC.

McAfee Viruscan (7/95) detects Neuroquila or Nightfall virus in files,
has no remover.

Files are in a directory called Sentry that does not show on a tree,
attempts to delete files result in "access denied". Over 700 files show
up in a DIR, in the form #a1b2lrs.ms or some variant of this name. 8 of
these are infected according to McAfee. These files are being created
daily, some show dates before the computer was purchased.

Anyone know what's going on here?

------------------------------

Date: Mon, 18 Mar 1996 11:13:58 +0000 (GMT)
From: Jan Hruska <Jan_Hruska@sophos.com>
Subject: Re: Virus Utility recommendation (PC)
X-Digest: Volume 9 : Issue 38

Try Sophos, http://www.sophos.com/

------------------------------

Date: Mon, 18 Mar 1996 16:13:37 +0000 (GMT)
From: Florian Erhard <erhardf@informatik.tu-muenchen.de>
Subject: Ripper virus (PC)
X-Digest: Volume 9 : Issue 38

I guess this is a FAQ, but nevertheless I need some help.

McAfee for Windows 95 told me I have the RIPPER virus on my hard disc
as well as on my Win95 setup disc. 

I'm using Win95 on a P100 with NCR810 host-adapter and an IBM SCSI
hard disc. What can I do to remove the virus? The scan program said it is
unable to clean it.

Thanks for your help!

Florian

- ------------------------------------------
Florian Erhard # erhardf@informatik.tu-muenchen.de
http://www.informatik.tu-muenchen.de/~erhardf/

[Moderator's note:  Ripper is a data diddler that slowly corrupts your
disk contents so should be disinfected ASAP.  You may need to floppy-boot
a version of DOS earlier than MS-DOS 7 and run a DOS-based disinfector.]

------------------------------

Date: Mon, 18 Mar 1996 12:25:56 +0000
From: "Denis Parslow (Almo Distributing)" <dgp@world.std.com>
Subject: Can't identify Virus, need help thanks (PC)
X-Digest: Volume 9 : Issue 38

"D. T.K. Lu" <dtlu38@quads.uchicago.edu> writes:

>when i turn my computer on, it accesses the hard drive momentarily and
>then starts beeping 3 times in a row then a pause, and then 3 more beeps.
>The screen is blank while this is going on.

Three beeps repeating under AMI BIOS is the good old memory (first 
64k) error.  

This is as catastrophic a memory error as possible.  Usually the 
solution involves replacing (or if one is very lucky, reseating) 
memory.  It can also be incorrectly installed memory, but that is 
less likely, if the system was working.  It also can be a bad socket, 
but this is also less likely unless the error started directly after 
installing/changing RAM modules.

Denis Parslow
Engineering Mgr
Almo Distributing, Trademark Computers
dgp@world.std.com
http://www.almo.com
http://world.std.com/~dgp/

------------------------------

Date: Mon, 18 Mar 1996 12:19:26 -0500 (EST)
From: "David M. Chess" <chess@watson.ibm.com>
Subject: Re: IBM APTIVA possible VIRUS (PC)
X-Digest: Volume 9 : Issue 38

> From: MMarsh8175 <mmarsh8175@aol.com>

> I bought Norton Antivirus and found the "TPE.Bosnia" virus, which infects
> .COM files. Then I checked my IBM Aptiva Original Software CD and found
> the same virus ! I notified IBM, they don't really believe me, I had to
> scan again and I found it in the same file on the CD.

Hm.  "The same file" suggests that Norton Antivirus accused exactly
one file of being infected with this virus?  Typically, in an actual
infection with a file-infector, especially if the virus has been
active on the system for some time, the virus will be present in
a large number of files.  In my experience, if an anti-virus
program accuses exactly one file of being infected with a virus,
and that virus is one that isn't known to be widespread (as
"TPE.Bosnia" is not), and especially when the virus is highly
polymorphic and difficult to detect reliably (as "TPE.Bosnia"
is), the anti-virus program is almost always wrong; i.e. the
report is a false alarm.  So it's not that IBM doesn't believe
*you*...   *8)

If you send IBM a copy of the file that NAV reported as
infected, it'll probably be sent to me for analysis.  If
you like, you can also xxencode a copy (or whatever) and
send it to me.  Or you can just tell me what the name and
size and date and time of the file are, and the part number
of the CD, and I'll dig up a copy myself (that's not quite
as reliable, as I still might end up looking at a different
file than the one you have).

- -- -
David M. Chess
High Integrity Computing Lab
IBM Watson Research

------------------------------

Date: Mon, 18 Mar 1996 19:59:06 +0000 (GMT)
From: Gerald Pfeifer <gerald@pfeifer.co.at>
Subject: Identification (not detection): Dr Solomons vs F-Prot (PC)
X-Digest: Volume 9 : Issue 38

In the process of deciding whether to renew my current F-Prot license or 
switch over to Dr Solomons, I ran a few tests last week.

While both products seem to be quite good in detecting viruses, testing their 
abilities to *identify* viruses revealed some interesting results. (Basic 
familiarity with the CARO naming scheme is assumed throughout the rest of this 
posting.)

  FindViru 7.57           F-Prot 2.21
  -------------           -------------

  like Casino.2331        Casino.2330.A

Just how long is this virus then? 2331 or 2330 bytes?

  like Cascade            Cascade.1701.A
  like Cascade            Cascade.1704.A

So does FindViru call all members of the Cascade family just Cascade?

  like Cascade.1701       Cascade.1704.D
  like Cascade.1704       Cascade.1704.Y

No, it does recognise Cascade.1701, but why does F-Prot identify the same 
virus as Cascade.1704?

  like Possessed.2367     Possessed.2367
  like Posessed.2167      Possessed.2367
  like Possessed.2367     Possessed.2438
  like Posessed.2167      Possessed.2438
  like Possessed.2367     Possessed.2443
  like Posessed.2167      Possessed.2443
  like Possessed.2367     Possessed.2446.A
  like Possessed.2446.a   Possessed.2446.A
  like Possessed.2367     Possessed.2446.B
  like Posessed.2167      Possessed.2446.B

Study the above results for Possessed.* carefully and try to find some pattern!
I couldn't. (And then, mind the different spellings FindViru uses.)

I do know that these examples are somewhat arbitrary, and I still do 
believe that both products are among the best in their class, but I also do 
believe that we can draw at least some conclusions from these results.

Ciao,
Gerald
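
One way to tabulate the discrepancies in the table above (an added example, not part of the original post or of either product). It assumes a simplified reading of each name as Family.Length.Variant, strips FindViru's "like" prefix, and compares family spelling literally, so "Posessed" counts as a different family from "Possessed".

```python
import re
from collections import Counter, defaultdict

# Rows copied from the post above: (FindViru 7.57 report, F-Prot 2.21 report).
RESULTS = [
    ("like Casino.2331", "Casino.2330.A"),
    ("like Cascade", "Cascade.1701.A"),
    ("like Cascade", "Cascade.1704.A"),
    ("like Cascade.1701", "Cascade.1704.D"),
    ("like Cascade.1704", "Cascade.1704.Y"),
    ("like Possessed.2367", "Possessed.2367"),
    ("like Posessed.2167", "Possessed.2367"),
    ("like Possessed.2367", "Possessed.2438"),
    ("like Posessed.2167", "Possessed.2438"),
    ("like Possessed.2367", "Possessed.2443"),
    ("like Posessed.2167", "Possessed.2443"),
    ("like Possessed.2367", "Possessed.2446.A"),
    ("like Possessed.2446.a", "Possessed.2446.A"),
    ("like Possessed.2367", "Possessed.2446.B"),
    ("like Posessed.2167", "Possessed.2446.B"),
]


def strip_like(report):
    """Drop the leading 'like ' that FindViru puts before a name."""
    return re.sub(r"^like\s+", "", report.strip())


def parse_name(report):
    """Split a report into (family, length, variant); missing parts are None.

    Assumption: the first numeric component is the infective length and the
    first alphabetic component after the family is the variant letter.
    """
    family, *rest = strip_like(report).split(".")
    length = next((int(p) for p in rest if p.isdigit()), None)
    variant = next((p.upper() for p in rest if p.isalpha()), None)
    return family, length, variant


def compare(report_a, report_b):
    """Classify how two scanners' names for the same sample differ."""
    fam_a, len_a, var_a = parse_name(report_a)
    fam_b, len_b, var_b = parse_name(report_b)
    if fam_a.lower() != fam_b.lower():
        return "family-differs"
    if len_a is None or len_b is None:
        return "family-only"
    if len_a != len_b:
        return "length-differs"
    if var_a != var_b:
        return "variant-differs" if var_a and var_b else "variant-missing"
    return "same"


def summarize(rows):
    """Count each kind of disagreement across all samples."""
    return Counter(compare(a, b) for a, b in rows)


def cross_map(rows):
    """Map each scanner's names to the set of names the other scanner gave."""
    fprot_to_fv, fv_to_fprot = defaultdict(set), defaultdict(set)
    for fv, fp in rows:
        fprot_to_fv[fp].add(strip_like(fv))
        fv_to_fprot[strip_like(fv)].add(fp)
    return fprot_to_fv, fv_to_fprot


if __name__ == "__main__":
    for kind, count in summarize(RESULTS).most_common():
        print(f"{kind:16} {count}")
    fprot_to_fv, fv_to_fprot = cross_map(RESULTS)
    for name, others in sorted(fv_to_fprot.items()):
        print(f"FindViru {name:18} <-> F-Prot {sorted(others)}")
```

Only two of the fifteen samples get the same identification from both scanners, and the cross-map shows the mapping between the two naming sets is many-to-many rather than a consistent renaming.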

------------------------------

Date: Mon, 18 Mar 1996 16:11:24 +0000 (GMT)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: Can't identify Virus, need help thanks (PC)
X-Digest: Volume 9 : Issue 38

In article <0038.01I2G0808C12RI5O92@csc.canterbury.ac.nz>
	   dtlu38@quads.uchicago.edu "D. T.K. Lu" writes:

> when i turn my computer on, it accesses the hard drive momentarily and
> then starts beeping 3 times in a row then a pause, and then 3 more beeps.
> The screen is blank while this is going on.

This is what happens when you have a hardware error at bootup.  
The number of beeps is meaningful, but I don't know what that 
particular pattern means on your computer.  On a real IBM, three 
long beeps is the "keyboard card", one long and three short is 
the EGA card, repeating short beeps is the power supply, and so 
on.

> I can't boot from a floppy because the computer doesn't even check the
> floppy drive, it just goes into its frozen beep mode.
>
> does anyone know what virus this is, and what i can do about it?
> someone suggested it may be my hardware, but i don't think so.

Think again.

- -
WE CAN'T                    BUT WE DO SUPPLY
	PROVIDE YOU                         THE BEST DARN BAIT
		   WITH A DATE                                Burma-Shave

------------------------------

Date: Mon, 18 Mar 1996 21:23:43 -0600
From: Joe Foor <joefoor@digitalexp.com>
Subject: TBAV/F-Prot false positive (PC)
X-Digest: Volume 9 : Issue 38

This was a single, non-repetitive, event. F-Prot 2.21 announced it 
had found Leprosy in memory.

I have a Packard Bell 486 with MS-DOS 6.2 and Windows for Workgroups 3.11.
Virstop is active from config.sys.
F-Prot 2.21 is run from within windows.
Integrity Master 2.61 is run from within windows.

I ran Integrity Master and found no virus or altered sectors or files.

I ran F-Prot in Heuristic mode, scanning executable files and 
F-Prot reported no virus.

I then downloaded and unzipped tbavw700.zip.

Again, I ran F-Prot in Heuristic mode, scanning executable files 
and F-Prot reported no virus. 

I ran setup for tbav, then restarted windows and ran tbav which 
reported no virus.

Again, I ran F-Prot in Heuristic mode, scanning executable files 
and F-Prot reported no virus.

Again, I ran Integrity Master and found no viruses, but autoexec.bat 
was altered and there was a new directory, with new files.

I updated the Integrity Master data files.

I performed a power on reboot and ran F-Prot again, after windows 
came up. This time, F-Prot reported Leprosy in memory. 

I ran Integrity Master and found no virus or altered sectors or files. 

I again performed a power on reboot and ran F-Prot, after windows 
came up, and found no virus.

The false positive has not reoccurred.

Tbav appeared to perform several tests, during the first power on 
reboot, that it has not performed since. I suspect that one of those 
tests left some code in memory, which F-Prot falsely interpreted as 
Leprosy.

Regards,
Joe Foor

[Moderator's note:  Some people take a lot of convincing they don't have a
virus...  8-)  If you've read the FAQ you should have already found an
explanation for what may have happened.  There are several well understood
causes of sporadic false positives.  The current FAQ is at:

   ftp://cs.ucr.edu/pub/virus-l/vlfaq200.txt

Also, did F-PROT actually say Leprosy was active in memory or that
something that might be a Leprosy variant was in memory??  At least in
F-PROT's case the latter is quite a different thing from the former.]

------------------------------

Date: Mon, 18 Mar 1996 22:28:39 +0000 (GMT)
From: Rick and/or Teresa Hull <hull@atlcom.net>
Subject: Possible memory-resident virus HELP! (PC)
X-Digest: Volume 9 : Issue 38

Rebel Assault II did a diagnostics check on my 'puter and it said I only 
had 6.9 megs of RAM (normally 8).  Also, Norton AV wouldn't run (it said 
it needed 704 more bytes of memory to run).  So I clean-booted and Norton 
didn't find anything.  Anyone know what's wrong?

[Moderator's note:  It would likely have helped quite a bit had you
included information about your hardware configuration, what OS you are
running, what memory manager, etc, as many things go into working out if a
reported configuration is "normal".]

------------------------------

Date: Mon, 18 Mar 1996 15:56:53 +0000 (GMT)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: Re: I need info about HOT virus please (PC)
X-Digest: Volume 9 : Issue 38

In article <0025.01I2G0808C12RI5O92@csc.canterbury.ac.nz>
	   david@yates.dungeon.com "David Yates" writes:

> I have just got rid of the HOT Virus which was picked up by McAfee's
> Virus Scan but not a 6 month old version of Dr Solomon's which hasn't
> even heard of HOT.

Six months old means six Toolkit versions out of date.  If HOT is 
less than six months old, then it was written since the version 
of the Toolkit you are trying to detect it with and you can't 
expect the Toolkit's scanner to recognise it.  This is true of 
all known-virus scanners.

You can obtain an up-to-date evaluation copy of the scanner from 
Dr. Solomon's Toolkit (FindVirus) free from their web page,  
www.drsolomon.com.

- -
WE CAN'T                    BUT WE DO SUPPLY
	PROVIDE YOU                         THE BEST DARN BAIT
		   WITH A DATE                                Burma-Shave

------------------------------

Date: Mon, 18 Mar 1996 19:42:09 +0900
From: Buster Maddog <buster@newnorth.net>
Subject: Config of McAffee (PC)
X-Digest: Volume 9 : Issue 38

I would like some help with my McAfee scanner, is there a way to limit
the primary scan on powerup to once a week, and would i want to

------------------------------

Date: Mon, 18 Mar 1996 15:04:08 -0800
From: Annie Hayes <rcmpinf@lancite.net>
Subject: Need Help With a virus called SCRMING.FIST.II.652 (PC)
X-Digest: Volume 9 : Issue 38

I'm a tech for a big accounting firm.

The users often have to connect to customers' networks. They are bringing 
back hundreds of viruses. McAfee 227 usually does the job, but I have a 
couple of laptops with every executable file infected by what McAfee 227 
detects to be a virus called SCRMING.FIST.II.652, and at the same time it's 
telling me that there's no remover for this virus.  I really need to find a 
scanner that will do the job.

				Thanks, Pascal
				(E-mail or Reply in that newsgroup)
				My Email: rcmpinf@lancite.net

------------------------------

Date: Tue, 19 Mar 1996 16:16:39 -0800
From: SSChan <lossc@venus.likom.com.my>
Subject: Re: Can't identify Virus, need help thanks (PC)
X-Digest: Volume 9 : Issue 38

On 07 Mar 1996 21:07:26 "D. T.K. Lu" <dtlu38@quads.uchicago.edu> wrote:

>when i turn my computer on, it accesses the hard drive momentarily and
>then starts beeping 3 times in a row then a pause, and then 3 more beeps.
>The screen is blank while this is going on.
>
>I can't boot from a floppy because the computer doesn't even check the
>floppy drive, it just goes into its frozen beep mode.
>
>does anyone know what virus this is, and what i can do about it?
>someone suggested it may be my hardware, but i don't think so.
>
>[Moderator's note:  Sounds like hardware to me.  Who knows what 3 beeps
>when the POST fails means??]
>
Given the blank screen and no floppy disk access, it looks like hardware
to me. Don't know what the beep codes mean, but they will depend on the
BIOS make.  But all BIOS use beeps to tell the world what is wrong when
the VGA/monitor is not ready for display.  I would lay my bets on
bad/loose RAM or a bad VGA.

------------------------------

Date: Tue, 19 Mar 1996 13:21:34 -0800
From: news@chaos.kulnet.kuleuven.ac.be
Subject: Re: Possible virus--adds to command.com (PC)
X-Digest: Volume 9 : Issue 38

Greg Wesson wrote:

> Hello, my name is Greg Wesson.  I think I have a virus, but I'm not sure.
> I am running DOS 6.22 and Windows 3.1 (just upgraded to 3.11).  About 30
> 40 days ago, I got an error when starting dos.  The error said "Bad or
> missing command interpreter (i.e. c:\command.com)" and then prompted me
> with "c>"  I have downloaded some things from reputable (I think) places
> such as Bloodlust software.  However, I have also downloaded things from
> usenet.  My anti-virus program is Microsoft Anti-Virus.  When I scan now,
> it detects changes in many files in the DOS, WINDOWS, and ACER
> directories, but no viruses.  A friend of mine says that he scanned a disk
> that I gave him of 2 bmp files that I scanned using a logitech scanman and
> he said that there was a virus called "LEONARDO."
> 
> Any input you can give me on this subject would be a great help.  As I am
> new to this group I ask that you please mail me directly (if that's a
> problem, I'll just check back here in a few days).  Thanks in advance.  I
> appreciate your help.

Well, I'm not quite sure, but I think I have a similar problem. I also work
with DOS 6.22 & WFW311.
When I boot the computer, DOS starts loading. It begins with
CONFIG.SYS and loads the HIMEM.SYS driver. When it comes to the line
SHELL=C:\COMMAND.COM /P etc... it says:
 "INvalid Command.com. System Halted".

(I do not get a prompt.)
I let McAfee scan the computer, but it couldn't find anything.

I'm still not sure if it's a virus. It could be a hardware error also.
But some other programs (network software) are also acting VERY strange.
I installed this software on about 15 computers where it always worked.

P.S. Check this Site : http://www.datafellows.fi/vir-desc.htm
     It contains LOTS of virus information of all kind.

Geert.

- --------------------------------------------------------- KULeuven ---
 Geert Nijs                     Tel    : +32 16 32.71.56
 KULeuven                       Fax    : +32 16 32.79.83
 Celestijnenlaan 200D           E-mail : Geert.Nijs@fys.kuleuven.ac.be
 B-3001 Leuven
 Home-Page: http://www.fys.kuleuven.ac.be/vsm/personel/gnijs/geert.html

 Please do not short the output or severe damage will be caused to the
 fuse. (from a Sony power supply leaflet!)
 ---------------------------------------------------------------------

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 38]
*****************************************


