From Lehigh.EDU!owner-virus-l  Wed Mar 27 08:43:43 1996 remote from vhc
Received: by vhc.se (1.65/waf)
	via UUCP; Wed, 27 Mar 96 19:54:42 GMT
	for mikael
Received: from fidoii.CC.Lehigh.EDU by mn3.swip.net (8.6.8/2.01)
	id IAA01066; Wed, 27 Mar 1996 08:43:43 +0100
Received: from Lehigh.EDU ([127.0.0.1]) by fidoii.cc.lehigh.edu with SMTP id <39157-63908>; Wed, 27 Mar 1996 02:41:46 EST
Received: from nss2.CC.Lehigh.EDU ([128.180.1.26]) by fidoii.cc.lehigh.edu with ESMTP id <39110-50594>; Wed, 27 Mar 1996 02:38:44 EST
Received: from cantva.canterbury.ac.nz (cantva.canterbury.ac.nz [132.181.30.3]) by nss2.CC.Lehigh.EDU (8.7.1/8.7.1) with ESMTP id CAA77751 for <virus-l@lehigh.edu>; Wed, 27 Mar 1996 02:38:18 -0500
Received: from 132.181.30.50 ("port 1036"@nick.csc.canterbury.ac.nz)
 by csc.canterbury.ac.nz (PMDF V5.0-6 #7295)
 id <01I2UER2BRG2S24DPB@csc.canterbury.ac.nz> for virus-l@lehigh.edu; Wed,
 27 Mar 1996 19:37:39 +1200
Message-Id: <01I2UER2C1TGS24DPB@csc.canterbury.ac.nz>
Date: 	Thu, 21 Mar 1996 18:09:31 +1200 (NZT)
Reply-To: virus-l@Lehigh.EDU
Sender: owner-virus-l@Lehigh.EDU
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>
Subject: VIRUS-L Digest V9 #39
MIME-version: 1.0
Content-transfer-encoding: 7BIT
X-Sender: cctr132@cantva.canterbury.ac.nz
X-Listprocessor-Version: 7.2 -- ListProcessor by CREN

VIRUS-L Digest  Thursday, 21 Mar 1996    Volume 9 : Issue 39

Today's Topics:

Administrivia... (ADMIN)
QUESTION: Email Viruses
Re: Flash BIOS viruses?
AVP for WORD v1.04
Re: Flash BIOS viruses?
How to Contact Command Software?
Re: Technicalities of scanning Email in multi-OS network??
Re: Technicalities of scanning Email in multi-OS network??
Virus???
Virus Checker for MS Mail Gateway.
Re: What REALLY matters in Commercial Anti-Virus Software
Mcafee support stinks
McAfee Toll-Free Support
Re: Flash BIOS viruses?
Re: What REALLY matters in Commercial Anti-Virus Software
McAfee Dishonesty
Removal of Antiexe (OS/2,WIN)
Good Mac Virus Software (MAC)
Excel Macro Virus (MAC,WIN)
Help: Strange blue screen (WIN95)
Vshield95 - Problems with Icons etc. (WIN95)
Stange 32-bit disk access problem (WIN95)
Re: Possible Virus!! (WIN95)
AntiEXE triggers McAfee problems? (WIN95)
McAfee95 reports McWhale (WIN95)
Re: What detects BOZA virus? (WIN95)
TBAV says HIMEM.SYS changed (WIN95)
One byte added to .EXEs in Explorer (WIN95)
2 byte file size increase (WIN95)
NAV 95 PATCH WOES... (WIN95)
Scanning MS Exchange e-mail? (WIN)
FindVirus 7.57 fails to detect Macro.Word.Xenixos virus ! (WIN)
Re: DOS Antivirus software under Windows? (WIN)
Dr Solomon - Questions (WIN)
Shiftlock Switch (WIN)
LAN-based virus protection advice wanted (PC)
McAfee VirusScan 95 and Tai-pan virus (PC)
Winword/Scanprot/FProt questions (PC)
Re: F-PROT, Opinions? (PC)
Weird disk problems--virus ?? (PC)
Bones Virus (PC)
Did Michelangelo Virus Wipe this PC's Hard Drive? (PC)
Could this be a virus? (PC)
Disabling QEMM's quickboot (was: Re: Student use of PCs) (PC)
Strange date probelm (was: Re: Aug, 27 1956 Virus? (MAC)) (PC)
_377 or variant (PC)
Virus scanners and web browsers? (PC)
SAMPO virus (PC)
Floppy Disk TSR scan software (PC)
AntiExe.a infection from Win95 Workstation? (PC)
Help with rabbit virus, please (PC)
HELP stoned.michelangelo virus!!! (PC)
NRLG Virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Thu, 27 Mar 1996 18:45:21 +1200 (NZS)
From: Nick FitzGerald <n.fitzgerald@csc.canterbury.ac.nz>
Subject: Administrivia... (ADMIN)
X-Digest: Volume 9 : Issue 39

Hmmmmm--well, I first posted digest #39 (this one) out a few hours
after #38.  I've learnt quite a bit about the internals of the
listserv since the s/w was updated...  I also now know how to fool
to post a digest that it thinks it's seen but didn't post out!

Again, thanks to the listserv people at Lehigh.

Expect an avalanche of catch-up posts over the next 48 hours or so...

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
 n.fitzgerald@csc.canterbury.ac.nz  TEL:+64 3 364 2337, FAX:+64 3 364 2332
	      Virus-L/comp.virus moderator and FAQ maintainer
   PGP fingerprint =  2E 7D E9 0C DE 26 24 4F  1F 43 91 B9 C4 05 C9 83

------------------------------

Date: Tue, 12 Mar 1996 23:15:21 +0000 (GMT)
From: Greg Rice <wyldryce@ix.netcom.com>
Subject: QUESTION: Email Viruses
X-Digest: Volume 9 : Issue 39

I'm wondering, why isn't an email virus possible?  I read that no one
really needs to worry about loading an email message from a service
like AOL or Compuserve and recieving a virus on their home PC. 
Wouldn't it be possible to write code that is an attached .EXE file and
is called into downloading itself by the 'read mail' action of the
service provider?

I realize that if there was such a code, it would be service provider
specific, but it seems plausible.

Any responses?

------------------------------

Date: Wed, 13 Mar 1996 10:16:34 +0000 (GMT)
From: brian mitchell <brian@devnull.saturn.net>
Subject: Re: Flash BIOS viruses?
X-Digest: Volume 9 : Issue 39

>Personnaly I think the whole idea of Flash BIOS on standard MB is a bad
>idea. (not talking about portables with lots of fancy powersaving
>features) It is an excuse for sending customers beta-versions of hardware.
>I've had to upgrade BIOS'es a few times, and I don't think that the
>process of updating the BIOS physically was such hard work. I spent much
>more time to realize that I needed the BIOS upgrade :-(
>
>The worst thing that could happen is that they agree on a "Universal Flash
>BIOS standard". Then people will start upgrading their BIOS when anything
>happens to their system. Then people will make shareware tools to make
>your customized BIOS. And people will ofcourse write viruses for them...

It's a convienience item. If you _DO_ need a upgraded bios, would you
rather wait a week for the chip, have to open your computer, insert it,
etc or download some program from AMI or whatever, run it, point on a
little upgrade icon (gee, we cant do _anything_ without a GUI, y'know) and
presto, be upgraded.

The security issues to be delt with, however, are horrific.

- - 
- -----------------------------------------------------------------------
Brian Mitchell                  brian@unix.geek.net
PGP Public Key                  http://www.saturn.net/~brian/pubkey
- -----------------------------------------------------------------------

------------------------------

Date: Wed, 13 Mar 1996 09:08:08 +0000
From: Keith Peer <keith@command-hq.com>
Subject: AVP for WORD v1.04
X-Digest: Volume 9 : Issue 39

AntiViral Toolkit Pro version 1.04 for Microsoft Word 
has been released!

Detects and disinfects known Word MACRO virus infections.

FREEWARE

You can obtain the program from:

Web:             www.command-hq.com/command
Ftp:             ftp.command-hq.com /pub/command/avp/avpww014.zip
Compuserve:      GO AVPRO

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Central Command Inc.               USA  Distributor  for
P.O. Box 856                       AntiViral Toolkit Pro
Bruswick, Ohio 44212               216-273-2820
Internet: info@command-hq.com      Compuserve:102404,3654
FTP: ftp.command-hq.com /pub/command/avp     :GO AVPRO
WWW: http://www.command-hq.com/command
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: Wed, 13 Mar 1996 11:53:04 +0000
From: "Denis Parslow (Almo Distributing)" <dgp@world.std.com>
Subject: Re: Flash BIOS viruses?
X-Digest: Volume 9 : Issue 39

We were talking about limited number of write to the Flash BIOS.  
Also note that changing the CMOS (adjusting date, wait states,
whatever) also causes an update to the ESCD.

Oeyvind Pedersen <Oyvind.Pedersen@capella.no> believes that Flash 
BIOS is a bad idea. Maybe, but...

Remember that motherboards are trying to be compatible with 
technologies that are not existent yet.  For example, a board that 
doesn't support the non-existent K5 is likely to have real problems 
with market acceptance.  However, without actual chips to test with, 
there are very likely to be tweaks to be made to the BIOS.  Also, 
there are still questions about the PnP standard (sic) that often 
require updates to work with other peoples' products, which are made 
to different ideas of this spec.

But most of all, remember that PnP requires a Flash BIOS to operate 
at all.  I am not a fan of PnP.  I think it is a nice concept, but is 
at least a year from true stability, and might not be a great idea 
then.  However, PnP is the way the industry is headed.

Denis Parslow
Engineering Mgr
Almo Distributing, Trademark Computers
dgp@world.std.com
http://www.almo.com
http://world.std.com/~dgp/

------------------------------

Date: Wed, 13 Mar 1996 16:47:54 -0500
From: Evan Rosenbaum <erosenba@vger.rutgers.edu>
Subject: How to Contact Command Software?
X-Digest: Volume 9 : Issue 39

Yeah, I realize that this is a no-brainer question.  But I checked the
FAQ and everyplace else I could think of, and can't find a phone # or
a URL.  Can anyone throw me a pointer?

TIA

------------------------------

Date: Thu, 14 Mar 1996 10:45:31 +0000 (GMT)
From: Jan Hruska <Jan_Hruska@sophos.com>
Subject: Re: Technicalities of scanning Email in multi-OS network??
X-Digest: Volume 9 : Issue 39

>For MIMEsweeper, which runs on NT, to work for us, we would need a cross 
>platform virus checker that runs on NT.  Have you heard of any cross 
>platform virus checkers?

Have a look at Sophos InterCheck client-server approach, info from
http://www.sophos.com/

Server a/v s/w available for NetWare, Windows NT, OS/2, OpenVMS, Banyan,
Unix etc. Clients available for DOS, Windows, Windows 95, Macintosh.
Evaluation copies are available from the www.

InterCheck intercepts and checks files as they are unpacked, so it does
not matter which packer was used. Some people may find it unconfortable to
allow the virus on their system even in packed form, but the virus cannot
be activated until and unless it is unpacked into an executable form. This
is where we trap it and stop it. The same applies to ZIP, ARC, ARJ,
[insert your favourite compression utility here].

------------------------------

Date: Fri, 15 Mar 1996 19:34:03 +0000 (GMT)
From: Ken Stieers <ken_stieers@ontrack.com>
Subject: Re: Technicalities of scanning Email in multi-OS network??
X-Digest: Volume 9 : Issue 39

A note as I'm in the middle of converting our enterprise to MSMail.

I think I'm going to use Mimetic from Netgain (http:\\www.netgain.se),
which runs on NT and allows you to specify a virus scanner for
attachments.  If it finds a virus, it renames the attached file and adds a
comment to the email.  It DOESN'T stop the attachment from going to its
destination, but it does log everything.  

I'm using McAfee's NTSCAN right now, though I may create a batch file and
have it scan with McAfee's and Dr. Solly's.  

Ken 

- - 
Views expressed herein are not necessarily the views 
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               |  Minneapolis - 1.800.872.2599       * 
* AV Research/Apps. Eng.    |  Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  |  Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     |  London - 0800 24 39 96             *
* Eden Prairie, MN          |  Japan - 81.429.32-6365             *
*******************************************************************

------------------------------

Date: Fri, 15 Mar 1996 19:33:14 +0000 (GMT)
From: Herbert Slaghekke <herb1@xs4all.nl>
Subject: Virus???
X-Digest: Volume 9 : Issue 39

Can anyone tell me what the following message on my screen means?

To see a world in grain of sand, and heaven in a wild flower
Hold infinity in your hand
And eternity in an hour

The virus 16\3\91

I have tried a clean boot disk. but it won't recognise my hard disk.
My virusscanner is also unable to access my hard disk.

What to do?

Herbert Slaghekke

------------------------------

Date: Sat, 16 Mar 1996 16:59:42 +0000 (UNDEFINED)
From: Atlantic Lottery Corporation <rogara@nbnet.nb.ca>
Subject: Virus Checker for MS Mail Gateway.
X-Digest: Volume 9 : Issue 39

Is there a product like MIMEsweeper for a MS Mail Gateway.  One of my 
suppliers has sent me the Word Macro Virus through the MS Mail gateway.  I 
would like to protect my system from futher problems like this.  

------------------------------

Date: Sun, 17 Mar 1996 02:08:17 +0000 (GMT)
From: Robert Michael Slade <rslade@vcn.bc.ca>
Subject: Re: What REALLY matters in Commercial Anti-Virus Software
X-Digest: Volume 9 : Issue 39

wallewek@cadvision.com wrote:
: I've been installing McAfee at client sites lately, and have come to
: the conclusion that it has significant problems.  Oh, I'm not talking

Actually, why the heck *not* technical problems?  The company has 
undergone some serious changes over the past year.  They didn't respond 
to the last call for review copies, so I have no idea how the "red box" 
version compares to the shareware we all know and ... well ... anyway, 
can anyone enlighten me?  (But I digress.)

: The problems is that the average user site doesn't have a hope in hell
: of updating their own software and/or data files.  Even if they PAY

Good point, particularly with some of the fancier network configuration 
setups.  But, as Nick has pointed out in his earlier reply, could the 
average user update a word processor?

: Even if they have a modem, I'll bet dollars to donuts they don't know
: how to use it to download software. Or have an Internet account.  Or
: are willing to download those massive files at low modem speeds at
: long distance daytime toll charges. Or can figure out how to apply the
: updates.  Or have the time to figure all that stuff out, and not screw
: it up!

Or be willing to use a modem.  Modems give you viruses, didn't you know? 
:-)

: All you anti-virus gurus have got it all wrong.  Those esoteric
: technical arguments, and who's software detects a few more oddball
: viruses, really doesn't matter in the workaday world.  What counts is
: what can be installed and maintained by the typical secretary.

All of us got it wrong?  Well, I have always gone into detail about how 
easy or difficult it was to install and operate any given piece of 
antiviral software, in my reviews.  I have tried to be specific as to the 
type of environment suited or unsuited to each package.  I have, in fact, 
given higher marks to some programs which don't do as good a job at 
protection, but are easier to use and more informative to the user.

: Any recomendations?

He insults us, and then he asks for help yet.  Huh!  OK, a couple of 
points to ponder.

Per Nick's posting, you can't expect it to be *too* easy.  Some people 
just don't get it, regardless.  I just got through posting a response to 
someone on alt.comp.virus who had been trying to help a friend reformat a 
disk.  Unfortunately, they had left an activity monitor operating while 
they did so.  The program, of course, refused to let them do the format.

Related to that, remember that the virus problem, although very common, 
is still an aspect of data security.  *No* security work is easy.  As 
Nick pointed out as well, you *are* going to have to do some educating.  
Virus protection is not a "set and forget" operation: it *cannot* be.

Now, I wasn't going to recommend a program, since none of them are as 
"stick in the disk and run" as you seem to want.  But one is very close.  
I'd suggest you try out Wolfgang Stiller's Integrity Master.  It isn't 
perfect (who is?), but he does have an installation program that could 
give pointers to *any* installation program I have ever seen, commercial 
or shareware, antiviral or otherwise.

======================
ROBERTS@decus.ca      rslade@vanisl.decus.ca      Rob_Slade@mindlink.bc.ca
    The client interface is the boundary of trustworthiness - T. Buckland
Author "Robert Slade's Guide to Computer Viruses" 0-387-94663-2 (800-SPRINGER)

------------------------------

Date: Mon, 18 Mar 1996 00:52:37 +0000 (GMT)
From: lf <leaf@ix.netcom.com>
Subject: Mcafee support stinks
X-Digest: Volume 9 : Issue 39

I bought VirusScan 95, and my current version recognizes me as a
licensed user.  Whenever I try to update it from FTP site, I get a
"thank you for evaluating message" when I run the updated version, and
it no longer recognizes me as a licensed user.  Over a month period, I
have sent four emails to support@mcafee.com, without response.  I'm
ready to dump the program and try Norton.  Any suggestions?

------------------------------

Date: Mon, 18 Mar 1996 08:35:24 -0700 (MST)
From: Richard Cox <rcox@usa.net>
Subject: McAfee Toll-Free Support
X-Digest: Volume 9 : Issue 39

Pete Veilleux writes:
> McAfee hasn't been much help ... it's not a toll-free line

McAfee's toll-free support line is 1-888-847-8766.

And they have an electronic BBS, an Internet email address, an FTP 
address, a WWW address, an America Online address, a Compuserve address, 
a Microsoft network address....

I'm not affiliated with McAfee, but I have used their software without 
incident since 1988.  And I have used it successfully against a dozen or 
more live viruses....

Richard-- 

------------------------------

Date: Mon, 18 Mar 1996 15:14:13 +0000 (GMT)
From: Pavel Machek <machek@atrey.karlin.mff.cuni.cz>
Subject: Re: Flash BIOS viruses?
X-Digest: Volume 9 : Issue 39

Oeyvind Pedersen (Oyvind.Pedersen@capella.no) wrote:
: In article <0005.01I1X44CWLTKQKI9KO@csc.canterbury.ac.nz>,
:    "Derek V. Giroulle" <Dirk.Giroulle@ping.be> wrote:

: >Anyway that leads me to another question is there some kind of
: >flash-rom Bios backup/restore  utility , if it still helps after an
: >infection ...?

: There is no such thing, As you can telle from the name, the BIOS does the
: "Basic Input/Output". If you wipe your Flash BIOS, it will act like
: another a motherboard with the BIOS ripped off the board. The only thing
: that works will be your power LED.

I don't think so. In my computer, there's an Ami WinBIOS, which has
windows etc. Only small part of bios is that which deals with floppy. (And
that is the only part needed for upgrading FlashBIOS). So I believe, that
even with flash bioses there's a small ROM part that allows you to reread
Flash BIOS from floppy.

  (From analogy with phone machines. They download new versions of
software, but ability to download software is in ROM.)

- -
This looks like my signature...                                   Pavel Machek
If you want more info about me, http://novell.karlin.mff.cuni.cz/~pmac5296.

------------------------------

Date: Mon, 18 Mar 1996 16:06:32 +0000 (GMT)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: Re: What REALLY matters in Commercial Anti-Virus Software
X-Digest: Volume 9 : Issue 39

In article <0010.01I2G0808C12RI5O92@csc.canterbury.ac.nz>
	   wallewek@cadvision.com  writes:

 > The problems is that the average user site doesn't have a hope in hell
 > of updating their own software and/or data files.  Even if they PAY
 > for 2 YEARS of software updates, who is going to obtain and install
 > those updates?
 >
 > Even if they have a modem, I'll bet dollars to donuts they don't know
 > how to use it to download software. Or have an Internet account.  Or
[snip]
 > All you anti-virus gurus have got it all wrong.  Those esoteric
 > technical arguments, and who's software detects a few more oddball
 > viruses, really doesn't matter in the workaday world.  What counts is
 > what can be installed and maintained by the typical secretary.

Some AV software companies send their updates out as floppy disks 
in the mail (Dr. Solomon's, for instance).  The user just has to 
type "INSTALL" and feed the floppy drive.  Maybe you should use 
one of those products instead.

- -
WE CAN'T                    BUT WE DO SUPPLY
	PROVIDE YOU                         THE BEST DARN BAIT
		   WITH A DATE                                Burma-Shave

------------------------------

Date: Mon, 18 Mar 1996 14:09:03 -0800
From: Hunter <hunterj@nethost.multnomah.lib.or.us>
Subject: McAfee Dishonesty
X-Digest: Volume 9 : Issue 39

In October 1995 I prepaid to McAfee for a registered copy of their
Viruscan for Windows.  It wasn't till 8 weeks later that the software
finally arrived in the mail; and they sent the DOS version, not the
Windows.  They rectified their error by sending me the Windows disks for
the version 2.2.5 from August 1995. 

After finally locating and downloading the updating .dat files, which were
supposed to be provided to me free for two years as a registered user,
they disabled the Vshield.  McAfee support, such as it is, did not respond
to two email messages, nor to a telephone call. 

Now 2 months later, McAfee finally updates its Web page with the
announcement that the .dat files are not backwards compatible. In effect
you must now purchase their ongoing subscription service to new version
releases in order to make use of the new .dat files, in effect doubling
the price for the single retail user per year. 

One of my main considerations in purchasing the McAfee Viruscan was its
two-year free updating service.  It's rather disingenuous of them to
nullify that promise almost immediately after my purchase.  It took two
months to figure out what was happening, not counting the frustrating
hours confronting their BBS and the exasperating "Out of Memory" message
from VShield.  I'd like to get a refund, but can't get any response from
them. 

My advice is try a different product; there are others. 

Hunter

------------------------------

Date: Mon, 18 Mar 1996 08:31:45 +0000 (GMT)
From: fleur-de-lis <hagen@vipunen.hut.fi>
Subject: Removal of Antiexe (OS/2,WIN)
X-Digest: Volume 9 : Issue 39

I have the following problem:

In a computer system, run on OS/2 with DOS/Windows, a virus scan was
run under Windows mode (McAfee VirusScan), which detected the ANTIEXE
virus on hard disk boot sector. 

The program was made to remove the virus in question, and as the 
anti-virus program was run again, it announced at first that the
virus was successfully removed, and a little later that it still existed.

The DOS version of the same program was run in order to re-scan the
boot sector and master boot records, and it announced that traces of
the ANTIEXE virus can be found on MBR. The program announced again
that those may be traces of a previously removed virus.

The question is: How can I be ascertained that the removal of the virus
has been succesful ? The description of the ANTIEXE tells that the virus
itself is particularly harmless, destroying only files which are just
of the correct size, and it infects the boot sectors and master boot
records. But it is a virus still, and nasty per se. If anyone has
encountered similar problems, I'd be grateful for any advance. Please
reply me personally.

	Cheers,
	Tom Viljanen

------------------------------

Date: Wed, 13 Mar 1996 09:55:21 -0500
From: Brian McEntire <mcentire@sdd.comsat.com>
Subject: Good Mac Virus Software (MAC)
X-Digest: Volume 9 : Issue 39

If your organization has had good luck with any commercial (i.e.
SAM or Virex) or shareware Macintosh Virus Scanning programs please
let me know.

I need to upgrade my division's current SAM software and am not
sure that SAM the is best. We have a mix of Macs from Mac II's up
to PowerMac 7200/90's

Most Macs are running Mac OS 7 and above.

Thanks for commenting,
  Brian

------------------------------

Date: Wed, 13 Mar 1996 07:26:07 -0700 (MST)
From: Richard Cox <rcox@usa.net>
Subject: Excel Macro Virus (MAC,WIN)
X-Digest: Volume 9 : Issue 39

I keep hearing rumors of a new macro virus that can attach to or infect 
Excel spreadsheets.  Does anyone know anything about this?

If there is such an Excel Macro Virus, what can we do to protect 
ourselves?

Thanx!-- 

------------------------------

Date: Wed, 13 Mar 1996 10:13:08 +0000 (GMT)
From: Joon Park <junebug@netcom.com>
Subject: Help: Strange blue screen (WIN95)
X-Digest: Volume 9 : Issue 39

I am using Win95, and strange thing's been happening to me.
When I tried to run a couple of programs, the screen went blue.
The screen has three letters on it; C,O,and D.
And two vertical lines on side of the screen.
I used McAfee 95 to scan for viruses, but came up empty.
I scaned my hard drive, and floppies.
If the floppy causes the blue screen to appear, when I try to scan it
that damn blue screen appears again...
Can somebody please help me?
Any help would be greatly appreciated.
Thank you.

Joon

junebug@netcom.com

------------------------------

Date: Thu, 14 Mar 1996 10:31:00 +0000 (NZS)
From: Len Thomson {DSL AK} <LenT@datacom.co.nz>
Subject: Vshield95 - Problems with Icons etc. (WIN95)
X-Digest: Volume 9 : Issue 39

I was running McAfee Vshield for Windows95, but have now removed it. The
reason was the ability to set-up Windows95 to automatically display the
contents of a BMP or ICO file in the Explorer Windows icons.

If you set-up Win95 in this way, Win95 opens all picture files and
Executables to find as icon to display - guess what that does to Vshield
 - right, it triggers the Virus Scan. Now, imagine a directory on your
network server containing several hundred icon or bitmap files - It is
VERY VERY slow to display them!!!!! After 2 hours, I still had only about
half of them on the screen. So, I pressed CTRL-ALT-DEL and cancelled the
VSHIELD task - my system came back to life again and I carried on
working.

The next time I restarted the PC, it crashed on me as soon as Vshield was
starting - I couldn't do anything at all to stop it crashing the system -
eventually I started Windows95 in Safe Mode and deleted the autorun info
from the registry that was auto starting Vshield - My PC was back to
normal again.

While I understand the problem, and could work around it, I wasn't happy
with the bad effect of cancelling (there was no other way to stop it) the
scanning. Oh well, I have tried it, I didn't like it - I can see it's
point, but I personally prefer to do "manual" scanning - For others it
may be quite appropriate, but watch out for side effects.

Just my $0.02 worth

Len Thomson
Senior Consultant
Datacom Systems Ltd
Auckland
New Zealand

------------------------------

Date: Wed, 13 Mar 1996 21:34:36 -0800
From: vladimip@iceonline.com
Subject: Stange 32-bit disk access problem (WIN95)
X-Digest: Volume 9 : Issue 39

Each time when I make some changes in system configuration, Win
95 prompt me to restart the computer. When I do that, it restarts
and goes as far as almost to display desktop, exactly at the moment
when "Loading 32-bit file access" stops. At this moment, a blue 
screen appears:
- ---------------------------------------------------------------------
	    A fatal exception 0D has occured at 0137:BFF79E48.
	    The current application will be terminated.
	    You can press Ctrl-Alt-Delete to restart you computer
	    Or press any key to continue.
- ---------------------------------------------------------------------
Pressing "any key" makes the screen go black for half a second,
and the same message comes up again. Safe mode, step-by-step
confirmation, whatever else, gives me the same screen. Disabling
32-bit access doesn't solve the problem. I tried everything and
the only (quickest) way is to reinstall the windows, I choose
custom setup without detecting hardware and without installing
any accessories or network (it's all already installed) so that it just 
overwrights corrupted files. Then I reboot and it's OK again.
Then I export registry from a backup file, since W95 sometimes
make slight changes after each setup. 

(Lame) solution: So far, I found out how to avoid the problem: when,
after some changes, it prompts me to restart, I click "cancel", and 
restart it manually by "Start/shutdown/restart the computer/". No problem.

Conclusion: when restarting automatically, it does destroy/corrupt/
substitute some files, but which ones? I checked the start-up log in the
root c:\ directory, it ends on "Load Kernel-failure". But there is no
problem with the kernel: I made a back-up of \system directory at another
directory, and I just copy it over in DOS, it doesn't eliminate the blue
screen and error is still the same.

I would appreciate any useful/good ideas/suggestions/opinions. I tried
everything described at all the manuals, went through MS-WWW site, without
any result. I installed W95 last year, and the error started appearing a
month ago. No viruses detected. On the same system, I have Windows NT and
Linux, no problems.

Please mail me at vladimip@iceonline.com.

Thank you.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
	   vladimip@iceonline.com
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
PGP key is available on request. You can also obtain it  by making a
search at MIT keyserver. Keywords: "Vlad Petersen"

------------------------------

Date: Thu, 14 Mar 1996 05:37:08 -0500
From: bfeitell <bfeitell@panix.com>
Subject: Re: Possible Virus!! (WIN95)
X-Digest: Volume 9 : Issue 39

Mike W. wrote:

> I have windows 95 and NAV 95.  I have scaned my HD many times but it
> has not come up with a virus.  The problem I have is that everytime I
> start up my computer I get into windows but then my computer freezes.
> I hit CTRL-ALT-DEL and it says "MMTASK" (not responding)  I hit end
> task and then usally it will let me back into windows and it works
> fine.  I have no idea if it is a virus or it is just a software
> conflict within my computer.
[snip]

I run win95 and must say that I am extremely sceptical of the situation
you have described.  While Windows 95 is far more stable than Win 3.1x in
most respects it is still suceptable to many problems that I never
encountered in win 3.1.  I run a 486dx4/120 and have found that pushing
memory access and cache access times too close to the limit can yeild some
very strange results with win95.

I have experienced hangs on boot as well as odd GPF's when I push my
system memory too hard.  I have found that slowing down the cache wait
states can do wonders for stability.  I offer this in response to the
plethora of win95 virus posts I have seen in this group.  While my view is
not definative I suggest slowing things down and checking again before
getting too excited.

On another note: a quick re-install of win95 can never hurt.  After
several gpf hangs I experienced quirky operation that was cured by a re-
install(i.e. corrupt system files).  Win95 lets you freshen installed
files in this manner although I must admit that I lost some of the
customization I had done to the GUI.  It was not hard to recover.  

Just a thought,

Bennett

------------------------------

Date: Thu, 14 Mar 1996 10:50:02 -0700
From: "J.Gonzalez" <apex@primenet.com>
Subject: AntiEXE triggers McAfee problems? (WIN95)
X-Digest: Volume 9 : Issue 39

I just came accross the AntiEXE virus.  One of my users detected it on
a floppy he had and brought it up to me because his antivirus software
could not remove it (cheyenne's Inoculan).  I have the newest
VirusScan for Windows95 from Mcafee.  I placed the disk in my system,
right mouse clicked on the B: drive icon and selected "San for Virus".
BOOM, I got a wierd, DOS-like screen saying that it had detected the
AntiEXE virus and gave me the option of cleaning it, which I did.
Right after, I clicked on the B: drive icon again and my computer
locked up.  So, I just tossed the disk.  Now, my computer has been
crashing repeatedly.  Naturally I have Mcafee's scanner running all
the time, I even scanned my entire harddrive, but my PC's still acting
wierd.  Has anyone else had this problem?  What can I do?  HELP!

Thanx.

------------------------------

Date: Fri, 15 Mar 1996 00:32:43 +0000 (GMT)
From: mezzano@bccom.com
Subject: McAfee95 reports McWhale (WIN95)
X-Digest: Volume 9 : Issue 39

After I started loading McAfee Win95 virus program to upper memory, I
get a message from vshield saying that the McWhale virus may be
present or a trace from another operation.

I booted with a known clean disk and scanned all the hard drives, but
everything comes up clean.

Anyone know anything about this.
John
mezzano@bccom.com

------------------------------

Date: Fri, 15 Mar 1996 14:11:26 -0800
From: Christopher Jones <cjones@dsddi.eds.com>
Subject: Re: What detects BOZA virus? (WIN95)
X-Digest: Volume 9 : Issue 39

news@dub-news-svc-5.compuserve.com wrote:

> Which virus scanner can find this virus and can remove it ?

Noton Anti-Virus 95, can detect this virus and remove it.

------------------------------

Date: Sun, 17 Mar 1996 07:29:05 +0000 (GMT)
From: Jared Williams <williams@finland.it.earthlink.net>
Subject: TBAV says HIMEM.SYS changed (WIN95)
X-Digest: Volume 9 : Issue 39

I am currently running thunder byte for dos. It came with 
Windows 95 and when I boot up using it, it always says 
himem.sys has been changed. It won't allow to validate it. Is 
there anyone out there that has had the same problem using 
thungerbyte? 

------------------------------

Date: Sun, 17 Mar 1996 09:06:57 +0000 (GMT)
From: Gil <gseward@wco.com>
Subject: One byte added to .EXEs in Explorer (WIN95)
X-Digest: Volume 9 : Issue 39

Using Windows 95, every time I look at the properties of an .EXE file
the file gets one byte bigger. If I set the file to read-only this
increase is prevented, but I have no idea if other changes are
happening. McAfee's Vshield w/95 is active and does not see any virus
activity. I have also booted from a clean write-protected DOS disk and
run McAfee's Scan 229e and it sees no virus. I believe this is a
virus, but have no idea what virus, or what program introduced it. I
have had a friend try the same operation on his computer and he had no
file size increase when viewing properties. 
Also tried ThunderByte with same negative result. Any help would be
appreciated. 

Gil Seward   

------------------------------

Date: Mon, 18 Mar 1996 06:01:12 +0000 (GMT)
From: Peter Jeffery <P.B.Jeffery@massey.ac.nz>
Subject: 2 byte file size increase (WIN95)
X-Digest: Volume 9 : Issue 39

While using Win95 Explorer to copy or move files form one directory to 
another the copied/moved file has been increasing in size by 2 bytes and
the file date is modified to the current time.  This only occurs for "exe"
files as far as I can tell.  This modifcation only occurs when using the
Win95 Explorer - it does not happen when I use the old windows file manger
(that is included in Win95) or an old version of the PCTools file manger
for windows or even a dos window to carry out the move or copy of a file.

The two bytes that are added seem to be random (well as far as I can
tell), - different bytes are added to different files.

I have been running McAfee 2.0 for Windows 95 with the lastest dat files.
This or other win and dos virus checkers do not detect any thing wrong.

At the moment the system does not appeared to be affected in any other
way.

Some help in identify if the problem I have is a virus and a possible
solution would be greatful appreated.

Thanks Peter.

P.B.Jeffery@massey.ac.nz

------------------------------

Date: Sun, 17 Mar 1996 00:39:19 -0800
From: Mephisto <ewright@ap.net>
Subject: NAV 95 PATCH WOES... (WIN95)
X-Digest: Volume 9 : Issue 39

can anyone help? I have NAV95 and just recently d/led the patch (for word 
macro virus). I followed the instructions, which said to d/l to a temp 
directory, unzip it, etc. well I was able to update NAV with no trouble. 
the problem is now in my temp directory, there were a bunch of files (i.e. 
SYMGLOSS, INFODESK, etc.) that came with the patch. I deleted these, 
seemingly with no effect on my NAV. I then tried to delete everything in
that directory (since it's only a temp directory) but was told there were
hidden files. I opted to show all files, and they were all .dll and .dat
files that came with the patch. I figured since the NAV was working
correctly, and this wasn't even the directory anyway, I could delete them.
apparently that wasn't a smart move because then in my "file manager" and
desktop I had about 30 new files with some pretty cryptic names. does
anyone know if I can delete these files or move them to my NAV directory
without any serious repercussions

thanks a million...
- - 
-Mephisto
ewright@ap.net
"Despite All My Rage, I Am Still Just A Rat In A Cage"
				     -Mellon Collie

------------------------------

Date: Wed, 13 Mar 1996 20:22:57 +0000
From: Pele Johnson <pele@johnson.netkonect.co.uk>
Subject: Scanning MS Exchange e-mail? (WIN)
X-Digest: Volume 9 : Issue 39

Does anyone out there know of an anti-virus package that can scan 
Microsoft Exchange e-mails stored on an NT network and scan any 
attachments.

Please e-mail
pele@johnson.netkonect.co.uk

------------------------------

Date: Sat, 16 Mar 1996 09:26:47 +0000 (GMT)
From: Patrick Noyens <patrick.noyens@ping.be>
Subject: FindVirus 7.57 fails to detect Macro.Word.Xenixos virus ! (WIN)
X-Digest: Volume 9 : Issue 39

While scanning my system with FindViru 7.57, no virus was detected.

However, scanning with AVP 2.2 Pro a .DOC file was declared as
infected by Macro.Word.Xenixos virus.

Are there updated drivers (or an EXTRA.DRV) available to
detect/disinfect this macro virus ?

Please E-mail to : patrick.noyens@ping.be

Thanks,

Patrick


- --------REPORT GENERATED BY AVP 2.2 Pro----------------------------

[snip]

Report:  Fri Mar 15 15:17:21 1996 ____________________________________

Scan info:

  Test mode:        Analyzer  Warnings  Slow  Unpack
 ________________________ . (*.exe *.com *.doc) ______________________

 .\nemesis.doc  : virus Macro.Word.Xenixos detected.
 .\register.exe : packed file. Method Com2Exe

Statistics:
       Detected:     1 bodies of
		     1 viruses

------------------------------

Date: Sat, 16 Mar 1996 15:58:14 -0500
From: Doug Muth <dmuth@oasis.ot.com>
Subject: Re: DOS Antivirus software under Windows? (WIN)
X-Digest: Volume 9 : Issue 39

In article <0022.01I202XWQI3ARANAG7@csc.canterbury.ac.nz>, Pavel Machek
writes:
:   BTW had someone ever seen virus activelly changing specific antivirus?

	Yes, there are "anti anti-virus" viruses in existance.  I do not 
remember individual names but there are some that will deactivate VSAFE 
for MSAV.  There are others that will delete the CHKLIST file that comes 
with CPAV/MSAV.  There is at least one (maybe tremor?  can't remember..) 
that will delete programs with names like scan.exe, f-prot.exe, in order 
to wipe out any AV programs, hence the wisdom in having boot disks.

	Regards,

- -
- -<Doug Muth>---<dmuth@ot.com>--| Finger dmuth@oasis.ot.com for
- --<http://www.ot.com/~dmuth>---| PGP public key and geek code
Anti-virus software and utils:  | The Transformers fanfiction:
~dmuth/virus/virus.html         | ~dmuth/tf/tf.html
-=-=-=-=-=-"Linux - The choice of a GNU generation"-=-=-=-=-=-

------------------------------

Date: Mon, 18 Mar 1996 12:11:38 +0000 (GMT)
From: The Toad <notpc@ix.netcom.com>
Subject: Dr Solomon - Questions (WIN)
X-Digest: Volume 9 : Issue 39

I would like to buy Dr Solomon's Anti-Virus Toolkit for Windows 3.x.
>From the reviews, it sounds like the best of the pack, at least from
my perspective.  (For example, see the March/April 1996 Infosecurity
News.)

But, for some reason that I can't readily fathom, I can't find answers
to the following questions:

1. HOW DO I BUY IT?  

a. I have tried several obvious sources (eg, CompUSA and Computer
City).  They not only don't have it in stock, it isn't even a "stock
item."

b. I have searched the Net using both general search engines like
Lycos and specialized sites dealing in viruses & security.  I found a
"S&S Software" page, but it said nothing about how to buy its "Dr
Solomon" products.

c. Is this something one must download?  If so, from where?

2. HOW DO I GET UPDATES?

a. I want to buy the Dr. Solomon pkg because McAfee will neither let
me download updates to WScan/VShield any more, nor answer my e-mail
queries as to what I must do to be able to obtain updates again, as I
have been doing for nearly a year.

b. Because of a. above, I want some assurance that there is a simple,
straightforward process for getting Dr Solomon updates, before I "sign
on" with S&SS.

c. Can anyone supply information on this?  I'd appreciate it.

Bill (a.k.a. The Toad) 

------------------------------

Date: Wed, 13 Mar 1996 19:08:14 -0600
From: Brian Hodgert <bhodgert@mail.techplus.com>
Subject: Shiftlock Switch (WIN)
X-Digest: Volume 9 : Issue 39

Does anybody know if a virus could be causing the shiftlock on our 
network computers to work backwards. It will all of a sudden do this for 
no reason in our Windows 95 computers and WFWG computers it eventually 
shifts back if we keep banging on the keyboard.

Thanks,
Brian

[Moderator's note:  Not sure exactly how this applies to Win95, but the MS
Knowledge Base reports that these symptoms can indicate problems with the
default settings of HIMEM.SYS.  MS recommend that you add the /CPUCLOCK:ON
switch to HIMEM's load line.  If that doesn't fix the problem they suggest
you try different /MACHINE:x settings to change HIMEM's A20 handling--11,
12 & 13 are the most likely options to fix this problem.  A few more
details are available in MS Knowledge Base article Q7430.]

------------------------------

Date: Tue, 12 Mar 1996 10:46:28 -0400 (EDT)
From: Glenn Rabut <GRABUT@ssw02.ab.umd.edu>
Subject: LAN-based virus protection advice wanted (PC)
X-Digest: Volume 9 : Issue 39

We are a graduate school of social work with a Novell LAN with 2 file 
servers and approx. 200 nodes, including 2 computer labs.  We would 
like advice on LAN-based virus protection schemes that you have found 
successful.  We are interested in:

1. Ease of installation and maintenance of virus updates.
2. Cost
3. Effectiveness
4. Availability of updates when new viruses appear

What has worked well for you?  Thanks for your assistance.

------------------------------

Date: Tue, 12 Mar 1996 18:36:59 +0000 (GMT)
From: Bill Enloe <bill_e@ix.netcom.com>
Subject: McAfee VirusScan 95 and Tai-pan virus (PC)
X-Digest: Volume 9 : Issue 39

Hi all, I downloaded the try-me-out version of McAfee VirusScan 95 ver.
2.01 last night, late last night.  After installing, and scanning, it
found several files infected with the Taipan virus (Tai-pan.438)
Specifically, both versions of xcopy (Win95), conagent.exe (Win95), and
a ton of programs off a graphics CD were infected.  In fact, scanning
the original CD, from a popular graphics book, results in all kinds of
virus flags (all Taipan again).  Could this be false-positives?  Is
there a bug in VirusScan?  And what is the Tai-pan virus?  Basically,
is it me or them?  I would appreciate the help and please feel free to
recommend an anti-virus program.  Thanks again.

- -
  Bill Enloe
  bill_e@ix.netcom.com

------------------------------

Date: Mon, 11 Mar 1996 22:47:50 +0000 (GMT)
From: "Charles M. Robinson" <charles.m.robinson@medtronic.com>
Subject: Winword/Scanprot/FProt questions (PC)
X-Digest: Volume 9 : Issue 39

We've had a major spreading of the Winword/Concept virus here at work.  
The latest version of FProt (2.21) finds .DOC files with this macro virus 
just fine.

The problem is this:  We've downloaded the "scanprot" file from Microsoft 
which scans all .DOC files and "cleans" them of this macro virus.  Lo and 
behold, the documents no longer affect the operation of Word.  This is good.

What is BAD is, F-Prot still finds the string in the .DOC files and still 
reports them as infected with the CONCEPT virus.  

My guess is that we either need a newer version of F-Prot, or a newer 
version of the "scanprot" macro from Microsoft.  Has anybody else run 
into this problem?

Currently, the workaround is that we run fprot with the /nodoc parameter 
- but I would like to know when DOC files are actually infected.  There's 
gotta be a better way! 

If you can email an answer to me, that would be most appreciated.  I 
will, however, try to stay current on this newsgroup to see any possible 
responses...

 -Charles

------------------------------

Date: Tue, 12 Mar 1996 05:00:34 +0000 (GMT)
From: Leon Portelance <lportela@island.net>
Subject: Re: F-PROT, Opinions? (PC)
X-Digest: Volume 9 : Issue 39

In article <0025.01I202XWQI3ARANAG7@csc.canterbury.ac.nz>, George
Kalemanis <georgek@TSO.Cin.IX.net> says:

>I have been working as a tech. for quite some time, and been using F-PROT.
>While F-PROT is not 100% fool proof, I do believe it is the best, and even
>install it in all machines that get configured or serviced free of charge,
>whether it needs it or not.  How many people agree, or are there better
>scanners out there that people use -  I haven't been real impressed with
>McAfee (some viruses pass though McAfee using the latest version, while
>older F-PROT copies still detect).

I use both F-PROT and MCAFEE.  I quess I figure if one misses a virus, the
other might catch it.  I always try to keep current with the updates.
F-PROT did get rid of the Ripper for me, while at the time, McAfee
could only detect it.

I also use a program called Arfman which is loaded as a driver and detects
virus while the computer is running.  It seems to work well.

------------------------------

Date: Tue, 12 Mar 1996 16:00:34 -0300
From: Yossi Zana <zana@spider.usp.br>
Subject: Weird disk problems--virus ?? (PC)
X-Digest: Volume 9 : Issue 39

   Well, it feels like a virus. Directories change places and beening 
deleted. F-prot 2.21 don't detect anything, but norton command say 
something is wrong with the clusters, but can not fix it. What now? Is 
there a better untivirus? And if it's a new virus?

yossi

[Moderator's note:  From much PC experience this sounds more like you need
good disk-recovery advice/assistance more than antivirus s/w.]

------------------------------

Date: Tue, 12 Mar 1996 20:44:03 +0000 (GMT)
From: Charlie Hill <cy321@cleveland.freenet.edu>
Subject: Bones Virus (PC)
X-Digest: Volume 9 : Issue 39

F-Prot Ver 2.21 reported that there was a MBR virus named Bones on a
floppy disk of mine.  F-Prot and the program VSUM has no information
about this virus.  Would appreciate any information that can be provided.

Charlie Hill
Instructor,  International Correspondence School1

Charlie Hill

------------------------------

Date: Wed, 13 Mar 1996 09:20:13 +0000 (GMT)
From: Mike Blackwell <mike.blackwell@pnn.com>
Subject: Did Michelangelo Virus Wipe this PC's Hard Drive? (PC)
X-Digest: Volume 9 : Issue 39

I'm a Mac user (please, no flames :), and need help diagnosing a friend's
PC problem. She has a 286, and doesn't know how much RAM or HD space she
has, so I'd assume it's whatever's standard. Recently, she recalls hearing
strange sounds from the hard drive, and the next time she booted, her hard
drive was empty: a "DIR" command revealed no files.

The computer store that sold it to her told her she'd been struck by the
Michelangelo virus, which, as I understand it, is programmed to go off on
a certain date (March 6?) and delete the hard drive directory. However,
the virus had to have been on the hard drive to begin with, since she has
no modem, and by her admission, she hasn't used a floppy in a couple of
years. One would think Michelangelo would have struck 12 months ago, so
I'm having trouble accepting a viral diagnosis.

She has no anti-viral, diagnostic, recovery, or backup software of her
own, so I advised her to leave the machine turned off and wait until I can
learn something. I suggested she get a second opinion from another store,
but at $25 per opinion, I don't blame her for being loath to do so.

While I'm a consultant for Macs, I have only a rudimentary knowledge of
the PC world, and would appreciate any advice you can offer. Thanks in
advance for your input. E-mail replies are preferred; I read too many
newsgroups already. :)

Cheers,

Mike Blackwell

------------------------------

Date: Wed, 13 Mar 1996 13:10:26 +0000 (GMT)
From: Gail Rider Craig <Mac.NewsWatcher@epix.net>
Subject: Could this be a virus? (PC)
X-Digest: Volume 9 : Issue 39

First of all, I work with a network of all Macintosh computers, so I have
very little knowledge about the Dos system and have been very fortunate in
not running into any viruses.

A friend asked me for help on this and I was hoping I could find some
answers for him here.  He has a 386 running a custom database for his
work.  There were 8 mgs left on the hard disk and his son tried to install
Borland Visual Turbo C++ which was supposed to be only 4 mgs.  Half way
through the installation, he received a hard disk error message and quit
the installation.

The next time the computer was booted up, it had changed the load
sequence, changed the color of the screen, asks for the date and time each
time you boot up and appears to have erased some of the custom database
files.

Is this a virus and, if it is, what program can he purchase to clean it up?

Any help would be appreciated.

If you could respond directly to my e-mail address it would help me
facilitate this for him since I can't always access the newsgroups.  
dvrnet@epix.net

- - 
Gail Rider Craig

------------------------------

Date: Wed, 13 Mar 1996 12:38:30 +0000
From: nrb@rncb.ac.uk
Subject: Disabling QEMM's quickboot (was: Re: Student use of PCs) (PC)
X-Digest: Volume 9 : Issue 39

>   Yes. And Qemm 7.5 with quickboot enabled happily boots from A:. If you
> want to disable this, you have to ask qemm to display menu, which is even
> more annoying than spinning-up floppies all the time and loading viruses
> sometimes.
> 
>   Is there a way to disable that qemm's behaviour? (Maybe patch?) 

Yes. Just put BF:N in your DEVICE=QEMM386.SYS line in CONFIG.SYS

- -
Nick Brown, CNE.         Tel +44 (0)1432 265725.            nrb@rncb.ac.uk
Network Manager,      Mobile +44 (0)589  114802.     http://www.rncb.ac.uk
Royal National College for the Blind, College Rd,  Hereford.  HR1 1EB.  UK
PGP Public Key available by request + void WhyDoesntItWork {_asm int 19h;}

------------------------------

Date: Wed, 13 Mar 1996 11:53:05 +0000
From: "Denis Parslow (Almo Distributing)" <dgp@world.std.com>
Subject: Strange date probelm (was: Re: Aug, 27 1956 Virus? (MAC)) (PC)
X-Digest: Volume 9 : Issue 39

<uv923@freenet.victoria.bc.ca> wrote:

>Does anyone know of a virus that sets the date & time control panel back 
>to aug 27 1956 when ever you boot up the computer? We have had this 
>computer for many years and it never did that before, but now no matter 
>how many times we change the date it just goes back to aug 27 1956 next 
>time we turn on the computer.

I have a PC that is showing similar behavior.

The CMOS lists the time/date correctly.  (So therefore, it shouldn't
be the aforementioned 'dead battery virus')

DOS (and therefore Win 3.11) list the date as 1956 (I don't remember
the exact date).

Files created/changed are stamped with the correct date/time.

Changing the time/date in the system resets upon hard or soft reboot.

Denis Parslow
Engineering Mgr
Almo Distributing, Trademark Computers
dgp@world.std.com
http://www.almo.com
http://world.std.com/~dgp/

------------------------------

Date: Wed, 13 Mar 1996 19:47:10 +0000 (GMT)
From: Karsten Dischek <kdischek@aixterm1.urz.uni-heidelberg.de>
Subject: _377 or variant (PC)
X-Digest: Volume 9 : Issue 39

can somebody tell me, what exactly the _377 Virus does? Is there any
possibility to kill/disinfect it? 

Please help me and thanks in advance,

Karsten

Please post to my e-mail: dischek@jura.jurs.uni-heidelberg.de

------------------------------

Date: Wed, 13 Mar 1996 22:26:53 +0000 (GMT)
From: Howard Price <hprice@girch301.med.uth.tmc.edu>
Subject: Virus scanners and web browsers? (PC)
X-Digest: Volume 9 : Issue 39

I had PCTools for Windows2's virus scanner running as a tsr in dos and
in the startup in win3.11; but when using Netscape 1.1, it would pause
for 20secs each minute, which I eventually eliminated by not loading
the virus scanner.  I assume the scanner kept trying to scan all the
new info being brought in through Netscape.

Is this correct?  Do other or all virus scanners do this?  How to
avoid it, yet have a resident scanner and c: drive protector running?

------------------------------

Date: Wed, 13 Mar 1996 23:11:11 -0800
From: Les Ariansen <larianse@groucho.mit.csu.edu.au>
Subject: SAMPO virus (PC)
X-Digest: Volume 9 : Issue 39

I have the sampo virus and do not know how to get rid of it could you 
please HELP !!!!! HELP !!!!!!!

I have a Pentium 75 with windows 95 and I have lost my CD drive???????

ALL the BEST

 LES 

------------------------------

Date: Thu, 14 Mar 1996 06:46:54 +0000 (GMT)
From: Warwick Mortensen <wam@data3.com.au>
Subject: Floppy Disk TSR scan software (PC)
X-Digest: Volume 9 : Issue 39

I was woundering what's the best Anti Virus program on the 
market that will scan a floppy disk when you put it in the 
drive? It must be the TSR that does the scan.  No a menu 
driven program.

Can you please e-mail thanks

Regards
Warwick Mortensen
wam@data3.com.au

------------------------------

Date: Thu, 14 Mar 1996 16:31:40 +0000 (GMT)
From: "Walter C. Dove" <dove.walter@epamail.epa.gov>
Subject: AntiExe.a infection from Win95 Workstation? (PC)
X-Digest: Volume 9 : Issue 39

Had a visit today from a vendor, all four of their demo installation
diskettes were infected with common AntiExe.a (it was a Windows 3.1
application, standard Windows app. installation diskettes).

As usual, the diskettes were write enabled, and the rep. was essentially
clueless:  the last site visit the rep had done was a demo using an
Intel/IBM/ISA machine running Windows 95.

Is it credible that the infection with AntiExe.a was from the Win95
machine, or is it more likely that it occurred earlier?

[Needless to say, I don't have access to a Win95 machine to evaluate this 
on my own.]

thanx.  wcd.

------------------------------

Date: Thu, 14 Mar 1996 19:45:22 +0000 (GMT)
From: Dan Kachel <d.kachel@ix.netcom.com>
Subject: Help with rabbit virus, please (PC)
X-Digest: Volume 9 : Issue 39

Has anyone experienced something called a rabbit virus? When installing
a corporate demo diskette (clean) under Win 3.11 a subdirectory was
created that copied the c:\ files into it. When the program tried to
install, the pkunzip.pif repeated over and over until a GPF occurred.
Then all files in all directories were gone and replaced by rabbit.pcn
or something to that effect. The computer would not reboot stating
there was a non-system disk error. The files were then viewed thru the
NT server and the original files are there indeed. Did this virus
corrupt the command.com file or what. The only files recently
downloaded off the net were pkunzip and virusscan for Win NT. That was
two weeks ago. Can anyone offer some help here?

Much appreciated in advance,

Dan Kachel
d.kachel@ix.netcom.com

------------------------------

Date: Thu, 14 Mar 1996 15:38:44 -0500
From: Eli Dickinson <eli_d@pipeline.com>
Subject: HELP stoned.michelangelo virus!!! (PC)
X-Digest: Volume 9 : Issue 39

	I went to go play a game and it informed me a file had been altered.
I ran Mcaffe Virus Scan and found the Stoned.Michelangelo virus in one
file.  My dad is out of town, and this virus is on his Red-hot new
computer with a 9-gb SCSI drive. 

HELP ME!!! 

a prompt reply would help since my dad is getting back soon, E-Mail me if
possible. 

- - 

Eli Dickinson 
eli_d@nyc.pipeline.com 

------------------------------

Date: Thu, 14 Mar 1996 13:37:07 -0800
From: Joe Patterson <Joe_Patterson@mindlink.bc.ca>
Subject: NRLG Virus (PC)
X-Digest: Volume 9 : Issue 39

Does anyone have information on the NRLG virus?  McAfee and F-Prot both
detect this virus, but neither can remove it.  I have tried replacing the
MBR and sysing the drives, and this works on about 1/2 of the infected
machine.  Any info would be appreciated.

Joe P

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 39]
*****************************************


