From Lehigh.EDU!owner-virus-l  Wed Mar 27 21:24:14 1996 remote from vhc
Received: by vhc.se (1.65/waf)
	via UUCP; Wed, 27 Mar 96 22:53:40 GMT
	for mikael
Received: from fidoii.CC.Lehigh.EDU by mn3.swip.net (8.6.8/2.01)
	id VAA03818; Wed, 27 Mar 1996 21:24:14 +0100
Received: from Lehigh.EDU ([127.0.0.1]) by fidoii.cc.lehigh.edu with SMTP id <39590-63397>; Wed, 27 Mar 1996 15:01:12 EST
Received: from nss2.CC.Lehigh.EDU ([128.180.1.26]) by fidoii.cc.lehigh.edu with ESMTP id <39370-63908>; Wed, 27 Mar 1996 14:57:11 EST
Received: from cantva.canterbury.ac.nz (cantva.canterbury.ac.nz [132.181.30.3]) by nss2.CC.Lehigh.EDU (8.7.1/8.7.1) with ESMTP id OAA89796 for <virus-l@lehigh.edu>; Wed, 27 Mar 1996 14:56:19 -0500
Received: from 172.31.30.201 ("port 1031"@misc9003.tacacs.canterbury.ac.nz)
 by csc.canterbury.ac.nz (PMDF V5.0-6 #7295)
 id <01I2V51V91VKS24DPB@csc.canterbury.ac.nz> for virus-l@lehigh.edu; Thu,
 28 Mar 1996 07:55:07 +1200
Message-Id: <01I2V51VSHUQS24DPB@csc.canterbury.ac.nz>
Date: 	Thu, 28 Mar 1996 07:47:27 +1200 (NZT)
Reply-To: virus-l@Lehigh.EDU
Sender: owner-virus-l@Lehigh.EDU
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>
Subject: VIRUS-L Digest V9 #40
MIME-version: 1.0
Content-transfer-encoding: 7BIT
X-Sender: cctr132@cantva.canterbury.ac.nz
X-Listprocessor-Version: 7.2 -- ListProcessor by CREN

VIRUS-L Digest  Thursday, 28 Mar 1996    Volume 9 : Issue 40

Today's Topics:

Re: Can two hard drives help keep viruses controlled?
Re: Can two hard drives help keep viruses controlled?
Re: What REALLY matters in Commercial Anti-Virus Software
Re: Can two hard drives help keep viruses controlled?
Re: Can two hard drives help keep viruses controlled?
Re: Can two hard drives help keep viruses controlled?
Macro viruses
Re: Disk problem--virus? (MAC)
Re: Good Mac Virus Software (MAC)
Re: Disk problem--virus? (MAC)
Devices disappearing--virus? (WIN95)
TBAV says WIN95 CD infected? (WIN95)
Re: Windows 3.1 goes blind to icons, dies (WIN)
Re: Windows 3.1 goes blind to icons, dies (WIN)
Re: Podaj hasLo? (PC)
Uncl: Re:Modem snag: Virus or NAV? (PC)
Re: Microsoft Anti-virus memory problems (PC)
Re: CONCEPT/Word Perfect macro: really no cure? (PC)
Re: Viruses that damages hardware (PC)
Command line scanners with "quiet" mode? (PC)
Re: CONCEPT/Word Perfect macro: really no cure? (PC)
Readiosys - is it real? (PC)
Re: Novice with a virus? (PC)
Re: CONCEPT/Word Perfect macro: really no cure? (PC)
Tai_Pan438 Virus (PC)
Re: Microsoft Anti-virus memory problems (PC)
Re: Virus in Memory--sometimes (PC)
Re: Help w/ possible boot sector virus (PC)
Re: Can't identify Virus, need help thanks (PC)
Re: Directory problem (PC)
Date set to 2096--virus?? (PC)
TAI-PAN virus found on CD-ROM with Waite Group book! (PC)
Disappearing Partitions (PC)
Re: New virus?!? or Disk drive problem (PC)
RITT.6917 virus--false positive from SCAN 2.2.11? (PC)
10b7 (PC)
Re: Possible new virus??? (PC)
Re: NYB Virus (PC)
Re: Novice with a virus? (PC)
Re: Directory problem (PC)
Re: Problems accessing floppy drive (PC)
Re: Wordperfect 6.1 Virus? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Tue, 19 Mar 1996 16:48:23 +0000
From: Dmitry Gryaznov <er86@dial.pipex.com>
Subject: Re: Can two hard drives help keep viruses controlled?
X-Digest: Volume 9 : Issue 40

WhiteD wrote:

> If you have two hard drives and one hard drive has the virus will the
> other get contaminated???

It depends on the virus. But for virtually any file virus and for quite a
few boot/MBR viruses the answer is 'yes, the virus will infect both hard
disks'. So, back to your Subject: question, two hard drives cannot help to
keep viruses controlled.
- - 
Sincerely,                    | VirusLab, S & S International PLC.
     Dmitry O. Gryaznov       | Alton House, Office Park, Gatehouse Way,
Senior Virus Research Analyst | Aylesbury, Bucks HP19 3XU, United Kingdom
E-mail: grdo@dial.pipex.com   | Tel: +44 (0)1296 318700
WWW: http://www.drsolomon.com | Fax: +44 (0)1296 318734

------------------------------

Date: Tue, 19 Mar 1996 17:39:01 -0500 (EST)
From: Kenneth Albanowski <kjahds@kjahds.com>
Subject: Re: Can two hard drives help keep viruses controlled?
X-Digest: Volume 9 : Issue 40

On Fri, 8 Mar 1996, WhiteD wrote:

> If you have two hard drives and one hard drive has the virus will the 
> other get contaminated???

If the contaminated one is sitting on a shelf, no, probably not. If it's
in the computer, and you are running programs on it, then yes, probably. 

(Of course, leaving a contaminated disk sit around is quite dangerous, as you may have forgotten why it was sitting there a year from now.)

- -
Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)

------------------------------

Date: Wed, 20 Mar 1996 00:26:00 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: What REALLY matters in Commercial Anti-Virus Software
X-Digest: Volume 9 : Issue 40

wallewek@cadvision.com writes:

>The problem is that the average user site doesn't have a hope in hell
>of updating their own software and/or data files.  Even if they PAY
>for 2 YEARS of software updates, who is going to obtain and install
>those updates?

>Even if they have a modem, I'll bet dollars to donuts they don't know
>how to use it to download software. Or have an Internet account.  Or
>are willing to download those massive files at low modem speeds at
>long distance daytime toll charges. Or can figure out how to apply the
>updates.  Or have the time to figure all that stuff out, and not screw
>it up!

>All you anti-virus gurus have got it all wrong.  Those esoteric
>technical arguments, and whose software detects a few more oddball
>viruses, really doesn't matter in the workaday world.  What counts is
>what can be installed and maintained by the typical secretary.

I have an opinion which I'd like input...

It is my understanding that there does stand a correlation between
"people who need updates" and "people who know how to download."

As for "installed and maintained by the typical secretary," well,...
Yes, we do try to strive for that.  But at some point, it just doesn't
fit the real world.  At some point in all this technology, you do need
MIS people, and you do need people like you who have specialties.
This is in no way to show any elitism.  Just that every job category
has its specialization.  At some point, you do not force certain
specializations upon others.

If it takes an MIS person to install and update the whole site in
one day or even one week, would you prefer that to each and every 
person devoting whatever, 1 hour, to the task (every task, however
menial, takes at least an hour right?).

I do sympathize and even empathize.  But if you leave it to every
individual to install and upgrade, a majority will not.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Wed, 20 Mar 1996 06:39:54 +0000 (GMT)
From: Cameron Perkins <gt5237c@prism.gatech.edu>
Subject: Re: Can two hard drives help keep viruses controlled?
X-Digest: Volume 9 : Issue 40

WhiteD (w_dragon@shout.net) wrote:

: If you have two hard drives and one hard drive has the virus will the 
: other get contaminated???

That depends entirely on the type of virus.  For example, it wouldn't
make sense for a boot sector infector to infect the second harddrive
if only the first one is bootable...  On the other hand, if it infects
programs, then it's entirely possible for it to infect files on the
other harddrive, especially if it's the kind that stays memory
resident and infects programs as they're executed.

- -
Cameron Perkins <gt5237c@prism.gatech.edu>

[Moderator's note:  There -are- MBR viruses that infect the MBRs of
second (and subsequent) drives.  I'm not sure about BSIs that infect other
than the boot sector of the active partition--anyone know of any?]

------------------------------

Date: Tue, 19 Mar 1996 16:51:04 +0000 (GMT)
From: George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Subject: Re: Can two hard drives help keep viruses controlled?
X-Digest: Volume 9 : Issue 40

In article <0002.01I2JN95HN9ARI5O92@csc.canterbury.ac.nz>, WhiteD
<w_dragon@shout.net> wrote:

>If you have two hard drives and one hard drive has the virus will the 
>other get contaminated???

It's possible if you copy files between the drives, but the most effective
way of containing the virus is to run a good AV program to disinfect the
virus.

Regards, 

George Wenzel

 ("`-''-/").___..--''"`-._       George Wenzel <gwenzel@gpu.srv.ualberta.ca>
  `6_ 6  )   `-.  (    ).`-.__.`)Student of Wado Kai Karate
  (_Y_.)'  ._   )  `._ `.``-..-' U of A Karate Club
 _..`--'_..-_/  /--'_.' ,'       HTTP://www.ualberta.ca/~gwenzel/
(il),-''  (li),'  ((!.-'         PGP Public key available on request

------------------------------

Date: Wed, 20 Mar 1996 12:09:18 -0800
From: news@chaos.kulnet.kuleuven.ac.be
Subject: Re: Can two hard drives help keep viruses controlled?
X-Digest: Volume 9 : Issue 40

WhiteD wrote:

> If you have two hard drives and one hard drive has the virus will the
> other get contaminated???

- If the second contains executable files
- and if they are both installed (accessible) at the same time

, OF COURSE he will be infected !

Geert.

- --------------------------------------------------------- KULeuven ---
 Geert Nijs			Tel    : +32 16 32.71.56
 KULeuven			Fax    : +32 16 32.79.83
 Celestijnenlaan 200D		E-mail : Geert.Nijs@fys.kuleuven.ac.be
 B-3001 Leuven
 Home-Page: http://www.fys.kuleuven.ac.be/vsm/personel/gnijs/geert.html

------------------------------

Date: Wed, 20 Mar 1996 15:17:53 +0000 (GMT)
From: "A.Appleyard" <A.APPLEYARD@fs2.mt.umist.ac.uk>
Subject: Macro viruses
X-Digest: Volume 9 : Issue 40

As a recent message said that the 2nd most common virus was
WinWord.Concept, PLEASE!!!! what is the state of progress of getting (each
of the commonly used antivirals) able to adequately safely detect and
remove macro viruses?

  In particular, what is the progress with McAfee Scan and with Vet?

------------------------------

Date: Tue, 19 Mar 1996 19:30:38 +0000 (GMT)
From: Joerg Erdei <a8101gbb@helios.edvz.univie.ac.at>
Subject: Re: Disk problem--virus? (MAC)
X-Digest: Volume 9 : Issue 40

Peter James DeVault <pdevault@students.wisc.edu> wrote:

>I have what may be a virus-related problem on my PowerMac 7100/80av.  
>My hard disk crashed.  I saved the disk, but Disk First Aid tells me I 
>have the following irreparable problems:
>
>Keys out of order, 4, 3795 
>
>Does anyone know what this means or how to fix it?  I'm still having 
>occasional crashes.

You have a logical problem with your drive. Although a virus could be
the reason that you got the problem, it is not very likely. Each
crash has the potential of creating directory problems. You should
routinely check your HD with Disk First Aid after a crash, thus
those problems cannot accumulate.

It is very likely that Norton Utilities or MacTools can solve your
problem.

Joerg Erdei.

------------------------------

Date: Tue, 19 Mar 1996 19:26:07 +0000 (GMT)
From: Joerg Erdei <a8101gbb@helios.edvz.univie.ac.at>
Subject: Re: Good Mac Virus Software (MAC)
X-Digest: Volume 9 : Issue 40

Brian McEntire <mcentire@fact_checker.com> wrote:

>If your organization has had good luck with any commercial (i.e. SAM or
>Virex)or shareware Macintosh Virus Scanning programs please let me know.
>
>I need to upgrade my division's current SAM software and am not sure
>that SAM is best. We have a mix of Macs from Mac II's up to PowerMac
>7200/90's

SAM and VIREX are both highly reliable and offer newest virus definitions
and infos online at no charge.

VIREX has some functionality due to network security SAM has not, but if
you control all Macs on your net (i.e., if it is a local-only network) and
all have a virus scanner installed and properly configured, you might not
need those extra capabilities. SAM is easier to set up than VIREX, but a
little slower at scanning whole volumes.

On non-networked Macs, installing the free Disinfectant is sufficient in
most cases (but it cannot scan compressed files).

Joerg Erdei

------------------------------

Date: Wed, 20 Mar 1996 19:41:52 +0000 (GMT)
From: "Bruce E. Goldstein" <bgoldstein@jplsp2.jpl.nasa.gov>
Subject: Re: Disk problem--virus? (MAC)
X-Digest: Volume 9 : Issue 40

In article <0013.01I2JN95HN9ARI5O92@csc.canterbury.ac.nz>, Peter James
DeVault <pdevault@students.wisc.edu> wrote:

!I have what may be a virus-related problem on my PowerMac 7100/80av.  
!My hard disk crashed.  I saved the disk, but Disk First Aid tells me I 
!have the following irreparable problems:
!
!Keys out of order, 4, 3795 
!
SNIP
This is not a virus problem, the catalog/directory structure of your hard
disk is screwed up from the crash. If Disk First Aid can not fix it (most
current version is 7.2.2 that comes with System 7.5 Update 2.0), you could
try a repair utility like MacTools or Norton Disk Doctor. If these fail
(or you don't have them), you will have to back up your hard drive,
reformat it, and restore your files.

------------------------------

Date: Tue, 19 Mar 1996 23:50:08 -0600
From: Douglas Grimes <grimes@airmail.net>
Subject: Devices disappearing--virus? (WIN95)
X-Digest: Volume 9 : Issue 40

Last month I was running Disk Defragmenter under Windows 95 after 
terminating all running programs when it reported an error and locked up 
my PC.  The error was something like this, 'The file retrieved has 
changed.'  Then I ran Scandisk to check for errors.  It reported that it 
found an error and fixed it.  I ran Scandisk again to check if it really 
corrected the error.  Scandisk reported the same error again.  I let 
this go on for a couple of days when I started losing my devices - my 
hard drives, CD-ROM, sound card, video card, etc..  During this time 
when I pulled up the Control Panel it was taking up to 10 minutes to 
open.  So, I decided to reformat my drives and reinstall my software.  
After a couple days the same symptoms started to show up again.  I 
purchased a copy of McAfee's Virus Scan 95 and ran it.  Virus Scan 
reported that no virus was found.  I finally did an unconditional 
format and reloaded all of my software.  To this day I have not had any 
other problems.

I am a system engineer and have a good technical knowledge. So, I am 
positive that I did not do anything 'Stupid'.  Some of my programmer 
friends thought, based on the symptoms, that it sounded like I had a new virus 
they heard about called SATAN.  Could this have been a virus or is this 
some strange thing under Win95?  If so, which one?  Is there such a 
thing called the Satan Virus, because I have never heard of it? 

Douglas Grimes
grimes@airmail.net

------------------------------

Date: Wed, 20 Mar 1996 17:01:00 +0000 (GMT)
From: "Richard K.C. Ling" <rkcling@netcom.ca>
Subject: TBAV says WIN95 CD infected? (WIN95)
X-Digest: Volume 9 : Issue 40

Hi!  I just recently bought and set-up a DELL P166.  After virus
warnings from a 32-bit TBAV under WIN95, I killed the affected files
and re-installed WIN95.  Two of the same warnings appeared again during
my first session.  I finally did a full scan on my WIN95 CD and three
files were revealed infected.  They are:

OTHER\CHANGE CP\1253.BIN
WIN\95\OEMSETUP.BIN and
WIN\95\SAVE32.COM

Can this be possible?

Richard K.C. Ling

Rkcling@aol.com

------------------------------

Date: Tue, 19 Mar 1996 18:36:04 +0000 (GMT)
From: Shane Coursen <scoursen@symantec.com>
Subject: Re: Windows 3.1 goes blind to icons, dies (WIN)
X-Digest: Volume 9 : Issue 40

In article <0019.01I2G0808C12RI5O92@csc.canterbury.ac.nz>,
mmarsh8175@aol.com says...

>I bought Norton Antivirus and found the "TPE.Bosnia" virus, which infects
>.COM files. Then I checked my IBM Aptiva Original Software CD and found
>the same virus ! I notified IBM, they don't really believe me, I had to
>scan again and I found it in the same file on the CD. They want it so they
>can scan it themselves. But wasn't it scanned before it left the
>manufacturer? They sold me the virus so they can reimburse me for my
>costs. Then they can have the CD. So if you have original software on CD,
>I suggest you check it out!

I have a very strong feeling this is a false-ID.  

TPE.Bosnia is a polymorphic virus and as such, is difficult 
to detect.  If you still have a copy of the suspect file, I 
would really like to see it.  The address to send a suspected 
virus-infected file can be found in the back of the NAV manual.

Once received, I can give you the bottom line and strengthen
NAV's signature, if necessary.

- --
Shane Coursen                                        Symantec Corporation
Computer Virus Researcher                http://www.symantec.com/avcenter
AntiVirus Research Center                                 CIS:  GO SYMWIN
scoursen@symantec.com                                           GO SYMNEW
      US Support:  541-465-8420                            AOL:  SYMANTEC
European Support:  31-71-353-111       Australian Support:  61-2-879-6577

------------------------------

Date: Tue, 19 Mar 1996 18:51:52 -0500
From: Ben Danielson <bendan@asu.edu>
Subject: Re: Windows 3.1 goes blind to icons, dies (WIN)
X-Digest: Volume 9 : Issue 40

Charles Hersey <gingers@magnet.ca> wrote in Digest: Volume 9 : Issue 36:

>I'm not real good at this, but where are your  *.grp  files

Windows 3.1 group files (.grp) are located in your \windows directory.
Some public site administrators like to make them hidden and read-only, so
if you can not see them, type attrib -r -h *.grp from the /windows
directory prompt.

>Also, What does your progman. file have listed?

Progman.ini is a file that tells windows what groups you have and how they
should look on your desktop.  It can also have an area named
[restrictions] that can be set to lock the properties of icons in windows,
among other things.

Ben Danielson
Information Technology
Arizona State University West

[Moderator's note:  .GRP files can be anywhere and technically the default
location is "the windows directory" which is an installation choice, not
an absolute location.]

------------------------------

Date: Tue, 19 Mar 1996 13:37:11 -0800
From: news@chaos.kulnet.kuleuven.ac.be
Subject: Re: Podaj hasLo? (PC)
X-Digest: Volume 9 : Issue 40

saai wrote:

> This came up on one of our pc's yesterday. MS Anti-virus didn't find any
> viruses (virii?). Where can I get information about this?

YOUR PC has been infected with the PIECK virus.

Answer PIECK to the question. You will be able
to continue, all other answers result in a 
non-bootable PC.

PS. Get a good virus remover as soon as possible !

VIRUS INFO : See http://www.datafellows.fi/vir-desc.htm
(really good)

Geert.

- --------------------------------------------------------- KULeuven ---
 Geert Nijs			Tel    : +32 16 32.71.56
 KULeuven			Fax    : +32 16 32.79.83
 Celestijnenlaan 200D		E-mail : Geert.Nijs@fys.kuleuven.ac.be
 B-3001 Leuven
 Home-Page: http://www.fys.kuleuven.ac.be/vsm/personel/gnijs/geert.html

------------------------------

Date: Tue, 19 Mar 1996 10:39:56 +0000 (UTC)
From: RMORTON@TULSAJC.TULSA.CC.OK.US
Subject: Uncl: Re:Modem snag: Virus or NAV? (PC)
X-Digest: Volume 9 : Issue 40

From: Robert Morton

I would not throw out the fact that Norton's inoculation may be the
problem.

We had a custom program that did usage for the college computer lab I work
in, (things like how many students used computers for how long).  We had a
student aide experiment with the Inoculation program one evening, and it
totally trashed the program.  Took us almost a month to get the data re-entered.

    The inoculation program adds a bit to the program, and checks itself.
I would imagine that if it was trashing these established programs, others
would have written about it by now, but then again, I have been wrong
before.

Robert 'Bob' Morton
Tulsa Junior College, Southeast Campus
Microcomputer Lab Paraprofessional
Tulsa, OK.

------------------------------

Date: Tue, 19 Mar 1996 16:57:09 +0000
From: Dmitry Gryaznov <er86@dial.pipex.com>
Subject: Re: Microsoft Anti-virus memory problems (PC)
X-Digest: Volume 9 : Issue 40

Brian Toone wrote:

> I have a 486/66 with 20 megs of RAM.  When I attempt to detect or clean
> viruses using Microsoft Anti-Virus, I get a not enough memory message.  I
> have no other applications running when this problem occurs.  Does anyone
> know what might be causing this problem?

Most likely the disk you want to scan contains more subdirectories and
files than MSAV can handle. The best solution is to dump MSAV and to get
yourself a better antivirus. (Tip: virtually any other antivirus (but
CPAV, of course) -is- better than MSAV :-)).
- - 
Sincerely,                    | VirusLab, S & S International PLC.
     Dmitry O. Gryaznov       | Alton House, Office Park, Gatehouse Way,
Senior Virus Research Analyst | Aylesbury, Bucks HP19 3XU, United Kingdom
E-mail: grdo@dial.pipex.com   | Tel: +44 (0)1296 318700
WWW: http://www.drsolomon.com | Fax: +44 (0)1296 318734

------------------------------

Date: Tue, 19 Mar 1996 22:28:17 +0000 (GMT)
From: Robert Michael Slade <rslade@vcn.bc.ca>
Subject: Re: CONCEPT/Word Perfect macro: really no cure? (PC)
X-Digest: Volume 9 : Issue 40

Heather A Thomas (hthomas@acsu.buffalo.edu) wrote:

: McAfee recently diagnosed a diskette with the "Concept/Word Perfect Macro"

Are you sure you have that designation correct?  "Concept" is most 
commonly used as the name of a Microsoft Word macro virus.

: virus, for which there is currently no cure.  F-prot/Virstop didn't even

Well, there is no *automated* cure that I would rely on.  Also, I suspect 
that you have been the victim of a false positive here, since F-PROT is 
generally more accurate in its identifications than is McAfee.

: detect it.  Are there any specific cleaners out there for Concept?  Does

I believe that I did see notice of a disinfectant program for Concept 
and/or other Word macro viruses.  However, as I said, I would be very 
loath to rely on them.

: anyone know WHAT it does?  It has infected one file, which I deleted and 

A macro virus uses the macro (or scripting) language of a particular 
application program.  In this case, the program is Word.  You therefore 
have to process the file or document with that particular application.

This means that the Word macro viruses can only (effectively) infect Word 
documents.  Word documents can be converted into macro templates without 
any obvious changes being made to the file.  When an infected Word 
document (now a macro template) is read, then an "auto" macro (in the 
case of Concept, AutoOpen) can be invoked, or a function replacement 
macro (such as FileSaveAs) can modify the operation of a menu item.  Word 
macro viruses may also attempt to copy themselves to the "global document 
template" (the file NORMAL.DOT) and to infect other Word documents, 
converting them into templates.

: the diskette is now clean.  I would like another option.

Your options are relatively few.  It is possible to read the infected 
document, save it as a "text" file (losing the formatting, but also the 
"template" and macro infection), and then reread it later.  This, 
however, assumes that you are willing to manually insure that you can 
clean up your global document template after the infection.  (The only 
way I can think of to do this is to copy the clean NORMAL.DOT to a 
different directory and filename, and copy it back after deleting the one 
that becomes infected.)

Or, you could switch to WordPerfect  :-)

======================
roberts@decus.ca   rslade@vanisl.decus.ca  Rob.Slade@f733.n153.z1.fidonet.org
                    Frequent advice to Internet newcomers:
 State your business, avoid eye contact, leave quietly, and no one gets hurt.
Author "Robert Slade's Guide to Computer Viruses" 0-387-94663-2 (800-SPRINGER)
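
The NORMAL.DOT precaution described in the message above (keep a clean copy of the global template under a different directory and filename, and copy it back after an infection), sketched as an added example that is not part of the original post or of any vendor's tool. The directory names, file names and template bytes are constructed for the demonstration, and a digest mismatch shows only that the template changed, not that it is infected.

```python
"""Snapshot, check and restore Word's global template (NORMAL.DOT)."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Hypothetical names for the clean copy ("a different directory and filename")
# and for the sidecar file that records its digest.
BACKUP_NAME = "normal_clean.bak"
DIGEST_NAME = "normal_clean.sha256"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large templates are not read in one go."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_template(template: Path, vault: Path) -> str:
    """Copy a known-clean template into the vault and record its digest."""
    vault.mkdir(parents=True, exist_ok=True)
    backup = vault / BACKUP_NAME
    shutil.copy2(template, backup)
    digest = sha256_of(backup)
    (vault / DIGEST_NAME).write_text(digest)
    return digest


def template_changed(template: Path, vault: Path) -> bool:
    """True if the live template is missing or differs from the snapshot."""
    expected = (vault / DIGEST_NAME).read_text().strip()
    return (not template.exists()) or sha256_of(template) != expected


def restore_template(template: Path, vault: Path) -> bool:
    """Put the clean copy back; return True if a restore was performed.

    The changed template is moved into the vault with a .suspect suffix
    rather than deleted, so it can still be examined afterwards.
    """
    backup = vault / BACKUP_NAME
    expected = (vault / DIGEST_NAME).read_text().strip()
    # Refuse to restore from a clean copy that has itself been altered.
    if sha256_of(backup) != expected:
        raise RuntimeError("clean copy no longer matches its recorded digest")
    if not template_changed(template, vault):
        return False
    if template.exists():
        shutil.move(str(template), str(vault / (template.name + ".suspect")))
    shutil.copy2(backup, template)
    return True


def demo() -> dict:
    """Run the whole cycle on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        word_dir = root / "WINWORD" / "TEMPLATE"   # constructed path
        word_dir.mkdir(parents=True)
        template = word_dir / "NORMAL.DOT"
        vault = root / "CLEAN"                     # constructed path

        clean = b"constructed stand-in for a clean global template"
        template.write_bytes(clean)
        snapshot_template(template, vault)
        changed_before = template_changed(template, vault)

        # Simulate something appending data to the global template.
        template.write_bytes(clean + b" plus constructed extra macro data")
        changed_after_edit = template_changed(template, vault)

        restored = restore_template(template, vault)
        return {
            "changed_before": changed_before,
            "changed_after_edit": changed_after_edit,
            "restored": restored,
            "changed_after_restore": template_changed(template, vault),
            "suspect_kept": (vault / "NORMAL.DOT.suspect").exists(),
            "content_ok": template.read_bytes() == clean,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Word also rewrites NORMAL.DOT for ordinary reasons such as a changed default font, so the snapshot has to be retaken after any intended change.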

------------------------------

Date: Tue, 19 Mar 1996 17:58:29 -0500 (EST)
From: Kenneth Albanowski <kjahds@kjahds.com>
Subject: Re: Viruses that damages hardware (PC)
X-Digest: Volume 9 : Issue 40

On Mon, 11 Mar 1996, DarStec wrote:

> Once I came upon a public domain program {back in the olden days} from
> someone who apparently thought the Tandy 1000 was the best computer going.
> When the program was run, a beautiful Christmas scene was displayed with
> blinking lights and snow, accompanied by a nice little carol.  Meanwhile,
> the program just wiped out the hard drive files, if you weren't running it
> on a Tandy 1000. 

The thing is, that's a trojan horse, not a virus. That's what one keeps
running up against when you talk about programs destroying video cards and
such. As a trojan horse, it has some feasibility. Certainly more than as a
virus. 

- -
Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)

[Moderator's note:  I disagree with this claim--it makes no difference
whether the code is a function in a virus, a trojan horse or a worm, the
issue being debated is -whether- hardware damage through the action of
software is possible.  This discussion has diverged slightly to the
-likelihood- of such damage ever being coded in a virus, but I see no
reason why damaging hardware per se should be any more prone to inclusion
in trojans than viruses.]

------------------------------

Date: Tue, 19 Mar 1996 16:01:33 -0800
From: kmahesh@CENTRALHOUSE.COM
Subject: Command line scanners with "quiet" mode? (PC)
X-Digest: Volume 9 : Issue 40

I am looking for information on virus scanners which can run from the 
command line in the silent mode without generating output to screen.
I think F-PROT Professional may be one - would someone please have 
some idea on other scanners ?

Kolar Mahesh

kmahesh@centralhouse.com

------------------------------

Date: Wed, 20 Mar 1996 00:29:37 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: CONCEPT/Word Perfect macro: really no cure? (PC)
X-Digest: Volume 9 : Issue 40

Heather A Thomas <hthomas@acsu.buffalo.edu> writes:

>McAfee recently diagnosed a diskette with the "Concept/Word Perfect Macro"
>virus, for which there is currently no cure.  F-prot/Virstop didn't even
>detect it.  Are there any specific cleaners out there for Concept?  Does
>anyone know WHAT it does?  It has infected one file, which I deleted and 
>the diskette is now clean.  I would like another option.

First, it's Concept and it has nothing to do with Word Perfect.

And if indeed you have Concept, our newly released 2.2.11 has removers
for the macro viruses.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Tue, 19 Mar 1996 16:33:04 -0800 (PST)
From: Cy Ulberg <cyu@u.washington.edu>
Subject: Readiosys - is it real? (PC)
X-Digest: Volume 9 : Issue 40

I inherited an old computer at work that Intel virus software labeled as 
infected with "readiosys."  When the hard drive was disinfected, 
everything on the c: drive was corrupted.  The same thing happened to a 
floppy I tried to disinfect.  I find various references to "readiosys" as 
a well-known false positive on the Web.  If it is well-known, why does 
the latest version of Intel software detect it, and corrupt disks?  The 
same software says my home computer is also infected.  Before I crash 
another hard drive, I'd like to find out what is going on.  I haven't yet 
received a satisfactory response from Intel.  Can anyone help?

**************************************************************************
Cy Ulberg				(206) 543-0365  (206) 685-0767 FAX
Research Associate Professor, Graduate School of Public Affairs
University of Washington         		  also
1107 NE 45th Street #535        Institute for Public Policy and Management
Seattle, WA  98105    		Washington State Transportation Center
**************************************************************************

------------------------------

Date: Wed, 20 Mar 1996 00:42:28 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Novice with a virus? (PC)
X-Digest: Volume 9 : Issue 40

Bob Rice <arrice@usa.pipeline.com> writes:

>I booted my laptop, and to my surprise when it eventually booted, it
>showed only 4 files.  There were 2 very large files with the extension
>.chk.  I checked it for viruses, and it came up clean, so I reformatted
>the hard disk.  However, I cannot write to the hard drive.  It responds,
>"sector not found writing drive C". 

>I thought I'd come to the experts.  Do I have a virus, and what can I do
>about it? 

You've got a serious disk problem there.  In all probability, you also
were using something like DiskDoubler or some other compressed disk
utility.

My personal rule is never to use them.  They are a disaster in the making
when it comes to disaster recovery.  And today, with disk prices the way
they are, if you need active disk, just get another one.  (I had to use
one once to test our own product in development.  As soon as that
requirement was lifted, I took however many hours I needed to reload my
system to be rid of it.)

.chk files are resultant files from CHKDSK cleaning up corruption.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Wed, 20 Mar 1996 12:50:00 +0100 (N)
From: listproc@Lehigh.EDU
Subject: Re: CONCEPT/Word Perfect macro: really no cure? (PC)
X-Digest: Volume 9 : Issue 40

From: Heather A Thomas <hthomas@acsu.buffalo.edu>

> McAfee recently diagnosed a diskette with the "Concept/Word Perfect   
> Macro"
> virus, for which there is currently no cure.  F-prot/Virstop didn't even
> detect it.  Are there any specific cleaners out there for Concept?  Does
> anyone know WHAT it does?  It has infected one file, which I deleted and
> the diskette is now clean.  I would like another option.

McAfee comes with a file called MVTOOL10.exe, which when expanded will
give you a scanpro.dot file. This is a Microsoft Word template which you
load into Word. Follow the instructions then load the infected CONCEPT
files into Word and re-save them. This will get rid of the CONCEPT
Viruses.

Tyler Rosolowski (tylerr@fms.co.nz)

------------------------------

Date: Wed, 20 Mar 1996 05:20:43 +0000 (GMT)
From: watcher <bud@varyloose.com>
Subject: Tai_Pan438 Virus (PC)
X-Digest: Volume 9 : Issue 40

Can someone give me some info on this little bug?

------------------------------

Date: Wed, 20 Mar 1996 09:12:14 +0000 (GMT)
From: Bruce Burrell <bpb@stimpy.us.itd.umich.edu>
Subject: Re: Microsoft Anti-virus memory problems (PC)
X-Digest: Volume 9 : Issue 40

Brian Toone (btoone@clemson.edu) wrote:

> I have a 486/66 with 20 megs of RAM.  When I attempt to detect or clean
> viruses using Microsoft Anti-Virus, I get a not enough memory message.  I
> have no other applications running when this problem occurs.  Does anyone
> know what might be causing this problem? 

   My bet is that there are so many new viruses that MSAV can't handle
nowadays that it just throws up its hands and quits. 

   But seriously, MSAV was never any good (in my opinion), and it's 
hopelessly behind now.  There are several scanners that you can evaluate 
at ftp://oak.oakland.edu/simtel/msdos/virus/ -- look for F-PROT 
(fp-222.zip), AVP (avp*.zip), TBAV (tbav*.zip).  Also check DSAVTK at 
ftp://ftp.drsolomon.com/pub/progs/dsav757.zip    http://www.drsolomon.com 
and http://www.datafellows.com have web sites pointing to other vendors'
products as well as their own, so look around and check out the reviews.

   -BPB

------------------------------

Date: Wed, 20 Mar 1996 05:30:49 +0000 (GMT)
From: joe_peter@cc.mcafee.com
Subject: Re: Virus in Memory--sometimes (PC)
X-Digest: Volume 9 : Issue 40

On 13 Mar 1996 05:51:53 -0000, Margaret Proctor <m_proctor@ncsu.edu>
wrote:

This sounds like FProt is not finding all the infections. Try using a
few other AV programs to see if they find anything after FProt is
done. It could also be that you have a virus encrypted or packed after
a file has become infected, in which case you might want to try using
AVP light, which is the only one I know of which recurses multiple
packed files and still finds stuff.

======================================================================
McAfee. We Are the Anti-Virus and Network management specialists.
Although I work for McAfee, These are my own thoughts and comments and
in no way are they representative of my employer or company.
======================================================================

------------------------------

Date: Wed, 20 Mar 1996 06:37:22 -0500
From: "Bob Witham Jr." <robert.l.witham.jr@state.me.us>
Subject: Re: Help w/ possible boot sector virus (PC)
X-Digest: Volume 9 : Issue 40

veilleux@tiac.net wrote:

> I've been having a problem with what I believe is a virus.  I have
> McAfee VirusScan95 in my autoexec.bat.  When I boot up, I get the
> message "Traces of virus found in memory.  This may be an active virus
> or an image left by a previous operation."  Then it tells me to shut
> down, and boot from a floppy, and I think you guys know the routine
> from there.

McAfee VirusScan95 is installed under WIN95 by running the program
SETUP.EXE.  By default, the files install in C:\Program Files\McAfee. 
There is nothing you need to do to autoexec.bat.  The install does put a
line in your autoexec that executes the DOS SCAN.EXE program.  This scans
memory, and is probably what is giving you fits.  You need to ensure that
there is no other AV product loaded into memory prior to running SCAN. 
Also, if you are loading the old DOS version of VSHIELD, you will
experience problems when WIN95 starts up its version of VSHIELD.  You need
to completely remove the old versions of McAfee antivirus for DOS.  Also,
just run one AV product at a time.  It is nice to have multiple products
available, but it is really overkill to try to run 3 or 4 at a time.

Just my $.02 worth.

Bob Witham

------------------------------

Date: Wed, 20 Mar 1996 13:18:19 +0000 (GMT)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: Can't identify Virus, need help thanks (PC)
X-Digest: Volume 9 : Issue 40

D. T.K. Lu (dtlu38@quads.uchicago.edu) wrote:

: hi i can't identify a virus i think i have on my PC.

: when i turn my computer on, it accesses the hard drive momentarily and
: then starts beeping 3 times in a row then a pause, and then 3 more beeps.
: The screen is blank while this is going on.

: [Moderator's note:  Sounds like hardware to me.  Who knows what 3 beeps
: when the POST fails means??]

Sounds like hardware to me, too. Without knowing what PC/BIOS this is,
difficult to say definitely what the problem is. An old edition of Scott
Mueller's book on upgrading and repairing PCs (2nd edition) which happens
to be cluttering up my shelves indicates:

AMI BIOS
3 short beeps - base 64k RAM failure
6 short beeps - keyboard controller gate a20 error

Award BIOS
No beep codes listed

Phoenix BIOS
All listed beep codes are clustered in three groups, not two.

IBM 
Repeating short beeps - power supply, system board
1 long, 2 short - video adapter
3 long - 3270 keyboard card

None of which seem very relevant.

If you have a handbook to go with your system board, it *may* help. 

The fact that nothing appears on screen *possibly* indicates a video 
problem. 

The chances of a virus being implicated are negligible.

Check all your cables (inside and out). That includes the keyboard 
and video connectors as well as the drive cables (power and data).
If that all checks out, chances are you're going to have to try
swapping peripherals, or call in a repair shop.

David Harley

[Moderator's note:  And thank-you to all the others who have submitted
similar info I haven't posted...]

------------------------------

Date: Wed, 20 Mar 1996 13:53:00 +0000 (GMT)
From: "A.Appleyard" <A.APPLEYARD@fs2.mt.umist.ac.uk>
Subject: Re: Directory problem (PC)
X-Digest: Volume 9 : Issue 40

In a previous article, MIC@mpx.com.au (Mic Johnston) says:

> I have a directory that mirrors everything in the c: drive, and therefore
> becomes mirrored again and again and again etc. I have no idea how it got
> there, and I can't remove it because any file I remove from it is also
> removed from its directory under c: .

This happened here at work once. Something wrote a copy of the C:\ root
directory into a subdirectory as a directory entry. This created a
directory tree with one of its twigs going down and round underneath and
becoming its trunk again. (This was normal on the old Prime mainframe,
where each diskpack's root directory was stored under itself under the
name MFD, but it is NOT normal with PC's.) Norton Disk Doctor should sort
it out. Or try the DOS command Scandisk, if you have DOS >= 6.20.

------------------------------

Date: Wed, 20 Mar 1996 15:02:22 +0200 (EET)
From: Balogh Csaba Jozsef <bc6571@scs.ubbcluj.ro>
Subject: Date set to 2096--virus?? (PC)
X-Digest: Volume 9 : Issue 40

Does anyone know of a virus that sets the date & time control forward?
(ex: to 2096). If you try to set back the date your c: drive's FAT will be 
damaged. The only way (that I found) to correct this error is: reboot from
a floppy and run the NDD.EXE and some of the files will be damaged, OR set
the time back to 2096 !?

I tried to find the "bug" with F-Prot 2.21 and Tbav650 without success.
I need emergency help.

(My battery isn't dead!)

Thankful for the smallest clue is

------------------------------

Date: Wed, 20 Mar 1996 15:35:06 +0000 (GMT)
From: "Fred E. Davis" <inspctec@ix.netcom.com>
Subject: TAI-PAN virus found on CD-ROM with Waite Group book! (PC)
X-Digest: Volume 9 : Issue 40

I just discovered that a CD-ROM that accompanies the book "Black
Art of 3D Game Programming" by Andre LaMothe, published by The
Waite Group, 1995, ISBN 1-57169-004-2, is infected with the Tai-
Pan virus. This CD-ROM can be identified by the manufacturer's
code near the center hole: "CD ROM SERVICES BY BOSS DISKS
CD4128S". Another CD-ROM with the code "CD4319S" does not seem to
be infected. There are 36 .EXE files on CD4128S that are
infected. These files include README.EXE, SETUP.EXE and
INSTALL.EXE.

This is a memory resident virus. Once you run any of these
infected programs, the virus loads into your RAM and continues to
infect other .EXE programs you run.

Since this virus only infects .EXE files and contains the text
"[Whisper presenterar Tai-Pan]", you can search for it using a
text-search program such as Norton TS.EXE.

The West coast hasn't gone to work yet, but I plan to call Waite
Group to see if they are aware of this. Since I haven't followed
the threads in this newsgroup, I apologize if this information is
redundant, but I feel the risks are too high to worry about
offense.

Fred E. Davis
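
Added example, not part of the original post: a Python sketch of the text search described above, looking for the quoted string inside files that begin with the DOS executable signature. The "MZ" header check, the chunked read and the sample files are assumptions of this example; a string hit is an indicator to follow up with a scanner, not a diagnosis.

```python
import os
import tempfile

# Text the post says the virus carries, copied from the message above.
MARKER = b"[Whisper presenterar Tai-Pan]"
CHUNK = 64 * 1024


def is_dos_exe(path):
    """True if the file starts with the DOS executable signature MZ (or ZM)."""
    with open(path, "rb") as fh:
        return fh.read(2) in (b"MZ", b"ZM")


def find_marker(path, marker=MARKER, chunk=CHUNK):
    """Return the byte offset of marker in the file, or -1 if absent.

    The file is read in chunks; the last len(marker)-1 bytes of each window
    are carried over so a marker straddling a chunk boundary is still found.
    """
    keep = len(marker) - 1
    tail = b""
    base = 0  # file offset of the first byte of the current window
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                return -1
            window = tail + block
            pos = window.find(marker)
            if pos != -1:
                return base + pos
            tail = window[-keep:] if keep else b""
            base += len(window) - len(tail)


def scan_tree(root):
    """Return [(path, offset)] for DOS executables under root holding the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                if is_dos_exe(path):
                    offset = find_marker(path)
                    if offset != -1:
                        hits.append((path, offset))
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
    return hits


def demo():
    """Run the scan over three constructed files (not real samples)."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            # Executable header, no marker.
            "CLEAN.EXE": b"MZ" + b"\x00" * 4096,
            # Marker placed so that it straddles the first chunk boundary.
            "FLAGGED.EXE": b"MZ" + b"\x00" * (CHUNK - 12) + MARKER + b"\x00" * 64,
            # Plain text quoting the string, as this digest does: not an executable.
            "NOTES.TXT": b"search for " + MARKER,
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return [(os.path.basename(p), off) for p, off in scan_tree(root)]


if __name__ == "__main__":
    for name, offset in demo():
        print(f"{name}: marker at offset {offset}")
```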

------------------------------

Date: Wed, 20 Mar 1996 15:32:40 +0000 (GMT)
From: Chaim Krause <ckrause@mbay.net>
Subject: Disappearing Partitions (PC)
X-Digest: Volume 9 : Issue 40

I was hoping someone could shed some light on this for me. It is
probably a hardware problem, but last night it happened on a second
machine and made me wonder if it might be a virus.

I have read every posting in this newsgroup that my news server carries
and can't find anything related, so I felt a new posting was in order.

Here is a fairly detailed description of my problem. There are some
things that I am sure I am leaving out, but as I wasn't planning on
having these problems I didn't keep a diary <g>

I know it is long, so if you don't like reading, thank you, have a
nice day. If you have a few minutes to spare please read on and offer
any suggestions.

First occurrence:
- ----------------

I was rebuilding my two machines over the weekend. I had gotten some
new 2 Gig drives and was building a server and a workstation for C/S
software development.

In the 'server' I installed a EIDE controller with

drive 0 510 Mb
drive 1 420 Mb
drive 2 2 Gb
drive 3 2 GB

Drive 0 1 Primary partition
Drive 1 1 Extended/1 Logical partition
Drive 2 1 Extended/4 Logical partitions
Drive 3 1 Extended/4 Logical partitions

I loaded MS-DOS 6.2 and installed a driver that made the secondary
controller and drives 2 and 3 available. I formatted all the drives.

Installed SCSI controller and DOS software to access CD-ROM drive.

Installed Windows 95

Machine ran fine for a few days. I left it on continuously most of the
time. Only turned it on off on occasion.

Then came the problem.

Last time I turned the machine off all was well. When I turned it back
on it booted up fine, but some of the drives weren't available. I
cycled power again and same problem. I booted to DOS (on drive 0) and
ran FDISK. The results were...

Drive 0 fine
Drive 1 fine
Drive 2 partitioned but unformatted
Drive 3 no partitions

I repartitioned drive 3 and rebooted.

Now Drives 0 and 1 were still fine, but 2 and 3 were partitioned but
unformatted in DOS.

I rebooted to Win95 and all drives appeared as partitioned and
formatted as if nothing happened.

No virus showed up with McAfee 95.

As it stood at that point all was fine in Win 95, but drives 2 & 3
were unformatted as far as DOS was concerned.

I ended up reformatting in DOS and all seems well for the 1 hour or so
I have used the system since then.

Second occurrence:
- ----------------

Yesterday I turned on the 'workstation' and all was fine. I had a
Thrustmaster joystick card already in the machine and was using "Add
new hardware" to activate it in Win 95. When it was time to reboot I
did and got a message along the lines of "Not system disk. Insert disk
and press <enter>" I don't remember the wording. I put in a Win95 boot
floppy and same problem as before. This time it was drive 0.

Before

Drive 0   1 Gig
Drive 1   1 Gig

Drive 0   1 x 255 Mb primary and 1 Extended with 3 X 255 logical
Drive 1   1 Extended partition with 4 x 255 logical

After problem

Drive 0   no partitions
Drive 1   all seemed fine

I repartitioned Drive 0 to original specs and rebooted. Not system
disk error of some kind. Booted with Win95 boot disk and drive 0
showed as invalid media type and drive 1 was fine.

Put in my MS-DOS installed disk and it said that it could not install
DOS because I already had DOS on HD. F3'd out of install and typed DIR
c: some files showed up but before dir finished I got invalid media
type. If I tried d: e: or f: I got invalid media type. Drive 1's
partitions were OK.

Scanned everything and no viruses detected.

So, It seems like a hardware issue. Maybe something with LBA type EIDE
drives, but I don't see how things can work for a week or so and then
rebooting a machine causes these types of problems. I am using tried
and true generic methods, hardware, and software. At this point (since
I was rebuilding these machines from scratch) there wasn't much on the
systems. No fancy add-ons or TSRs. Pretty much generic systems.

Any insight would be helpful.

Also, is there a database where you can enter symptoms and possible
viruses are named?

Thanx,
Chaim

------------------------------

Date: Wed, 20 Mar 1996 13:25:35 -0800
From: "B. Warwick" <demo@netlabs.net>
Subject: Re: New virus?!? or Disk drive problem (PC)
X-Digest: Volume 9 : Issue 40

I am responding to my own posting to say that my daughter's hard drive 
problem is solved.  Thanks to Bruce Burrell, a frequent respondent to this 
Newsgroup!  Bruce was patient, diligent and thorough while he walked me 
through the process of the troubleshooting and ultimate repair.

For those of you who are interested:  Bruce had me run FDISK option 5 to 
select the second hard drive.  It was there.  Then FDISK option 4 to find out 
the partition size.  There were no partitions.  That led Bruce to the 
conclusion that the Master Boot record was probably corrupt.  

He then walked me through MS/DOS DEBUG to look at "stuff"....MBR, DBS 
....this made sense to Bruce, not me (although he VERY patiently described 
each step before we did it.....hope he doesn't see this posting).  He had
me load both the MBR and the DBS to a floppy which I then took to my own 
computer and sent (e-mailed) both files to Bruce.  He then waved a magic
wand over the MBR and it was better.

Bruce e-mailed the corrected MBR to me along with instructions for the
DEBUG process to reinstall this corrected version.  .....and believe it or
not I must have typed those DEBUG statements correctly, for when I turned
the computer off and then back on, Drive D: reappeared in all its glory! 
All data intact.

My daughter and I are both very impressed with all Bruce's help.  It's 
gratifying to know there are people like Bruce around.

Thank you to anyone who has read the original post and responded before 
seeing this response.  (I have received 2 so far).

Bob Warwick
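
Added example, not part of the original post: a Python sketch of the check behind "FDISK shows no partitions, so look at the MBR", which also applies to the "Disappearing Partitions" report earlier in this digest. It decodes the four partition-table entries and the 55 AA signature from a 512-byte dump of the first sector; the three sample sectors are constructed, not taken from either poster's disk.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE      # four 16-byte partition entries start here
SIGNATURE_OFFSET = 0x1FE  # the last two bytes must be 55 AA
TYPE_NAMES = {0x01: "FAT12", 0x04: "FAT16 <32MB", 0x05: "Extended",
              0x06: "FAT16", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x0E: "FAT16 (LBA)", 0x0F: "Extended (LBA)"}
# Entry layout: status, 3 CHS bytes, type, 3 CHS bytes, first LBA, sector count.
ENTRY = "<B3xB3xII"


def parse_mbr(sector):
    """Decode the partition table of a 512-byte MBR dump.

    Returns (partitions, findings); findings lists what looks wrong.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR dump must be exactly 512 bytes")
    findings = []
    if sector[SIGNATURE_OFFSET:] != b"\x55\xaa":
        findings.append("boot signature 55 AA missing")
    partitions = []
    for index in range(4):
        start = TABLE_OFFSET + 16 * index
        raw = sector[start:start + 16]
        if raw == bytes(16):
            continue  # unused slot
        status, ptype, lba, count = struct.unpack(ENTRY, raw)
        if status not in (0x00, 0x80):
            findings.append(f"entry {index}: status byte 0x{status:02X} "
                            "is neither 00 nor 80")
        if ptype == 0 or count == 0:
            findings.append(f"entry {index}: non-empty slot with no type "
                            "or zero length")
        partitions.append({"index": index, "active": status == 0x80,
                           "type": TYPE_NAMES.get(ptype, f"0x{ptype:02X}"),
                           "first_lba": lba, "sectors": count})
    if not partitions:
        findings.append("partition table is empty")
    if sum(p["active"] for p in partitions) > 1:
        findings.append("more than one entry is marked active")
    ordered = sorted(partitions, key=lambda p: p["first_lba"])
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["first_lba"] < prev["first_lba"] + prev["sectors"]:
            findings.append(f"entries {prev['index']} and {cur['index']} overlap")
    return partitions, findings


def build_sector(entries, signature=b"\x55\xaa"):
    """Constructed test data: dummy boot code plus the given table entries."""
    table = b"".join(struct.pack(ENTRY, *e) for e in entries).ljust(64, b"\x00")
    return b"\xfa" * TABLE_OFFSET + table + signature


# Constructed samples: (status, type, first LBA, sector count) per entry.
HEALTHY = build_sector([(0x80, 0x06, 63, 522207), (0x00, 0x05, 522270, 1566810)])
WIPED = build_sector([])  # boot code and signature intact, table zeroed
DAMAGED = build_sector([(0x80, 0x06, 63, 522207), (0x41, 0x06, 1000, 5000)],
                       signature=b"\x00\x00")

if __name__ == "__main__":
    for label, sector in (("healthy", HEALTHY), ("wiped", WIPED),
                          ("damaged", DAMAGED)):
        parts, problems = parse_mbr(sector)
        print(label, [p["type"] for p in parts], problems or "no findings")
```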

------------------------------

Date: Thu, 21 Mar 1996 05:10:59 +0000 (GMT)
From: Patrick Noyens <patrick.noyens@ping.be>
Subject: RITT.6917 virus--false positive from SCAN 2.2.11? (PC)
X-Digest: Volume 9 : Issue 40

While scanning my system with SCAN V. 2.2.11 I got some files infected
by the 'RITT.6917' virus... at least that's what McAfee's SCAN told
me.


I scanned my system with several other major scanners :

	- F-Prot Professional 2.22 (March 1996 release) by Frisk Soft Int.
	- Dr. Solomon's FINDVIRU 7.58, drivers 7.58 (S & S International)
	- AVP 2.2 Pro (March 11, 1996) by KAMI Corp. USSR
	- Sweep 2.83 (March 1996 release) by Sophos PLC
	- TBAV 7.00 by Frans Veldman, ESASS B.V.
	- AntiVir IV (March 1996 release) by H+BEDV Datentechnik GmbH
	- AVAST! 7.50 (Feb 1996) by ALWIL Software

I scanned with these scanners after cold-booting from a clean system
disk.

None of the scanners reported an infection. So, could this be a false
positive from McAfee's SCAN V. 2.2.11 ?

Thanks,

Patrick Noyens

Please send E-mail to : patrick.noyens@ping.be


- --------BEGIN REPORT GENERATED BY SCAN------------------------

Scan V.2.2.11 Copyright (c) McAfee, Inc. 1994-1996.  All rights
reserved.
Virus data file  V9603 created 03/14/96  19:12:53

03/20/96  19:37:46


Options:
/ADL /REPORT scn22b.log /RPTCOR /RPTERR 

Scanning C: [MS-DOS_62]

Summary report on C:

File(s)
	Analyzed: ..............    5462
	Scanned: ...............    1208
	Possibly Infected: .....       0
Master Boot Record(s):..........       1
	Possibly Infected:......       0
Boot Sector(s):.................       1
	Possibly Infected:......       0
Scanning D: []
D:\TEMP\X-TRACT.EXE
	Found the RITT.6917 virus
D:\UTILITYS\DIZVUE\TRYIT!.EXE
	Found the RITT.6917 virus
D:\UTILITYS\NCAV48B9\MAYBE!.COM
	Found the RITT.6917 virus
D:\UTILITYS\XTRAC151\X-TRACT.EXE
	Found the RITT.6917 virus
D:\FD\PHONECVT.EXE
	Found the RITT.6917 virus
D:\CDROM\CDBENCH\PU$$Y.EXE
	Found the RITT.6917 virus
D:\GUS\MULTIPLA\LS.COM
	Found the RITT.6917 virus
D:\GUS\MULTIPLA\MODDIR.EXE
	Found the RITT.6917 virus
D:\GUS\MULTIPLA\PLAYLNK.EXE
	Found the RITT.6917 virus

Summary report on D:

File(s)
	Analyzed: ..............    9492
	Scanned: ...............    2227
	Possibly Infected: .....       9
Master Boot Record(s):..........       1
	Possibly Infected:......       0
Boot Sector(s):.................       1
	Possibly Infected:......       0
Scanning F: [AQUASOFT]
F:\TESTING\NEMESIS.DOC
	Found the XENIXOS virus

Summary report on F:

File(s)
	Analyzed: ..............    7865
	Scanned: ...............    1622
	Possibly Infected: .....       1
Master Boot Record(s):..........       1
	Possibly Infected:......       0
Boot Sector(s):.................       1
	Possibly Infected:......       0
Scanning H: [C]
H:\GAMES\PHANSC12\INSTALL.EXE
	Found the RITT.6917 virus

Summary report on H:

File(s)
	Analyzed: ..............    6386
	Scanned: ...............     728
	Possibly Infected: .....       1
Master Boot Record(s):..........       1
	Possibly Infected:......       0
Boot Sector(s):.................       1
	Possibly Infected:......       0
Time: 00:17.17

- --------END REPORT GENERATED BY SCAN------------------------

------------------------------

Date: Wed, 20 Mar 1996 14:16:11 -0600 (MDT)
From: "Stephen E. Clarke" slcfv@cc.usu.edu
Subject: 10b7 (PC)
X-Digest: Volume 9 : Issue 40

Does anyone know if any other virus detection program currently detects 
and cleans the 10b7 virus besides Microsoft Anti-Virus?  Also I recently 
purchased Warcraft 2 and it appears that the save game files become 
corrupted with this virus directly from the game executable.  Has anyone 
else experienced this?

Thanks,
Stephen Clarke

------------------------------

Date: Wed, 20 Mar 1996 16:41:32 -0500
From: support@vse.ac-copy.com
Subject: Re: Possible new virus??? (PC)
X-Digest: Volume 9 : Issue 40

on : Mon, 11 Mar 1996 03:44:58 +0000 (GMT)
you wrote:

> HELP! I think I have a virus and nothing is picking it up.

I think you might be reading a bit too much in cheap computer magazines...

>My story:  I have Windows 3.1.  
[snip happens].
>I immediately thought it was a virus and ran f-prot221,

You did not run SCANDISK? Or NDD? Both of them are able to deal with this
kind of problem. It is, alas, possible to corrupt the FAT in a way that
such large file sizes are reported in a directory. However, this will be
easily repaired with one of the above utilities.

> After calling Conner for 2 weeks, they couldn't figure out what happened
> and had me low-level format the drive

Well, I have never thought of Conner as a manufacturer too highly, but
I seriously doubt this! No one ever asked you, whether you ran SCANDISK?
And where did you get the program to format a Conner 850 MB harddrive? Did
they send it to you? You cannot format these drives with a "standard"
low-level-formatter, because it uses ZBR.

>My friend's story:  She is using Windows 95.  She turned on her computer
>one day and it came up with a HDD controller failure. She by-passed
>it and ran Norton which showed allocation errors in the FAT.

Bypassed it? How? I have never seen a system on which I could bypass a HDD
controller failure, except for those using both SCSI and IDE disks.

>She told it to fix it and it wrote over system files, which she
>then re-installed. 

Re-installed win95 system files? How? There is no utility in the Win95
package which can do this. She used the rescue disk from NU95?

[snip happened again]

>It showed a 3 GB file in the system area of the floppy that she couldn't
>remove.

What do you mean by system area? The root directory? If so, the file can
be removed just by using 'del filename.ext', even if the filesize is
totally wrong. You cannot remove files with 0 length, or files with
special characters in their names that standard DOS functions parse away.

[and again]
> She ran norton on the 3 disks and it showed that the
>system areas of the disks had been damaged beyond repair.

She IS using NU95, I presume?

>Also, she tried to install a new IDE controller thinking that was
>the problem, but this did nothing.

This was to be expected, the IDE controller has nothing to do with floppy
access...

You should elaborate about the type of system your friend uses. This
sounds like a major DMA failure to me. Has she added a soundcard recently?
Has there been a failure of CMOS memory? Is the system able to format
floppy disks? If she owns NU95, what does NDIAGS say when examining the
system?

We need much more information to help.

But again: no virus here...

Ciao, Guido

- 
voerste edv beratung, Theaterstr.22, 52062 Aachen, Germany
fon (++49) (0)241 404 888   |    fax (++49) (0)241 404 876

------------------------------

Date: Wed, 20 Mar 1996 21:37:31 +0000 (GMT)
From: Eric Rossing <intec@vixc.voyager.net>
Subject: Re: NYB Virus (PC)
X-Digest: Volume 9 : Issue 40

On 1 Mar 1996 12:35:24 -0000, John Balliew <jballie@primenet.com> wrote:

>I downloaded virus scan from C:net web page when I installed and ran it,
>it gave me a message that there are traces of the NYB virus. At this point
>I reformated my hard drive and reinstalled Windows95. I downloaded
>viruscan from PRODIGY thinking that this had less chance of being
>infected. The Message came up again. The only problem I have had is that
>when I try to run a program on CD-ROM I will get the message that the D:
>drive is not available. Do I really have the NYB virus, or is this a
>Windows95 problem, or a Viruscan Problem. Viruscan scan suggest that I
>boot up from a clean disk and then run scan, but when I do that, I get the
>message that Himem.sys didn't load so therefore I can't run windows 95. 

I would say you really have the NYB virus.  I had some trouble with a
machine that, for absolutely no reason, would no longer recognize the CD
ROM in Windows95.  Examining the device manager revealed that the two IDE
controller devices were apparently not functioning.  No amount of
replugging, swapping cables or drives, or beating on the Win95 Device
Manager worked.

As a last resort before tossing the offending box (and the second box which
also exhibited the behavior), I installed McAfee VirusScan95, and its
memory check revealed the NYB virus.  As it suggested, I rebooted using a
clean floppy and ran scan:

VirusScan95 comes with the DOS-based scan program as well.  At your DOS
prompt after booting, type (assuming you installed it to the default
directory)

C:\PROGRA~1\MCAFEE\SCAN

to run the program.  I was able to use SCAN C: /CLEAN to remove the virus.
After that cleaning, the CD-ROM worked fine...

BTW: Does anyone know of a current Virus database?  I have the VSUM
database from July, 1995, and would like something more current, if
possible.  Thanks!

Eric Rossing
Intec Company, Inc.
intec@voyager.net

------------------------------

Date: Wed, 20 Mar 1996 16:50:14 -0500
From: support@vse.ac-copy.com
Subject: Re: Novice with a virus? (PC)
X-Digest: Volume 9 : Issue 40

On Mon, 11 Mar 1996 14:38:07 +0000 (GMT)
you wrote:

>I booted my laptop, and to my surprise when it eventually booted, it
>showed only 4 files.  There were 2 very large files with the extension
>.chk.  I checked it for viruses, and it came up clean, so I reformatted
>the hard disk.  However, I cannot write to the hard drive.  It responds,
>"sector not found writing drive C". 

>I though I'd come to the experts.  Do I have a virus, and what can I do
>about it? 

Maybe you really had a virus, but it's too late to tell now. 
Something corrupted your system's FAT. Maybe a virus, but not a clever one,
this isn't really the way to propagate, is it?

But then someone (you, perhaps?), or something (your AUTOEXEC.BAT) ran a
CHKDSK or SCANDISK on your harddrive, repaired the FAT and created a few
files with the ".chk" extension. All your data is now rolled up into
these. And, alas, there is no easy way to get them back. The best thing to
do, is to take a deep breath and restore from your backup. Then get hold
of a decent, up-to-date scanner, and check that there is definitely no
virus around...

Good Luck,  Guido
- 
voerste edv beratung, Theaterstr.22, 52062 Aachen, Germany
fon (++49) (0)241 404 888   |    fax (++49) (0)241 404 876

------------------------------

Date: Wed, 20 Mar 1996 22:34:53 +0000 (GMT)
From: Chuck <cs60@cornell.edu>
Subject: Re: Directory problem (PC)
X-Digest: Volume 9 : Issue 40

Mic Johnston <MIC@mpx.com.au> wrote:

>>In a previous article, MIC@mpx.com.au (Mic Johnston) says:

>>>I have a directory that mirrors everything in the c: drive, and therefore
>>>becomes mirrored again and again and again etc. I have no idea how it got
>>>there, and I can't remove it because any file I remove from it is also removed
>>>from its directory under c: .

>>**** Have you run an anti-virus program on this directory?

>Yes I've thought it might be due to some type of virus but when I run
>F-prot it continues to run forever as it scans the mirrored drive again
>and again until I have to esc. No message saying a virus is present
>appears but I don't know if its supposed to until the end of the scan.

Same thing happened to me.  Finally got rid of that directory by running
CHKDSK /F.  It converted the bad directory into a file, which I deleted.
:)

[Moderator's note:  Are you sure it was exactly the same??  The only thing
FDISK /F is half good for is turning lost clusters back into "files". 
Then, if you are at all concerned about data recovery, you should only
-ever- run it if there are no other problems on the disk like cross-links
or incorrect file sizes.  Pretty much the same goes for all other
"automatic" disk repair utils--if you wish to maximize your data recovery
you need an expert to check out the damage before deciding whether it is
safe to run the "disk doctor" type utils.]

------------------------------

Date: Wed, 20 Mar 1996 23:29:40 +0000 (GMT)
From: "Derek V. Giroulle" <Dirk.Giroulle@ping.be>
Subject: Re: Problems accessing floppy drive (PC)
X-Digest: Volume 9 : Issue 40

Pavel Machek <machek@d12.novell.karlin.mff.cuni.cz> wrote:

>Philipp Stampfu (stampfu@urix8.uni-muenster.de) wrote:
>: I have a problem with my floppy-disk-drive and I think its a virus. Here
>: my problem:

>: If I boot the computer with OS/2:
>:   I copy files to a disk and compare them with COMP. Then there are always
>:   some files on the disk, which are different from the original files.
>:   This problem does not occur, if I copy the files from the hard-disk to
>:   another directory of the harddisk.

>  DOS virus can not work when OS/2 is booted (OS/2 probably has its own 
>floppy drivers, hasn't it?)

>: If I boot the computer with DOS:
>:   If I compress files with PKZIP and I copy the file NAME.ZIP to the
>:   floppydisk and then back to the harddisk, I can't uncompress the file.

If you have problems with a floppy drive under OS/2  I suggest you
look at the hardware (FDController, ribbon cable, floppy) It may work
apparently normally under DOS and hang every 2 or 3
read/write-operations under OS/2

had similar experience when installing OS/2

Dirk.Giroulle@ping.be
http://www.ping.be/~ping0010
Life is like a peepshow, through a little window you never get to see what you went in for (based on fvu's definition of panning)

------------------------------

Date: Wed, 20 Mar 1996 18:43:01 -0700
From: "James R. Bunch" <jbunch@primenet.com>
Subject: Re: Wordperfect 6.1 Virus? (PC)
X-Digest: Volume 9 : Issue 40

Evan Hand <ehandjr@ibm.net> wrote:

: We have been using Word 6.0 at work, and have had some of the above 
: problems.  They were traced to the PRANK (CONCEPT) Word virus.  Microsoft 
: has a fix for the above virus.  You will need to locate scan831.doc at 
: the Microsoft site and open it as the first document after starting it 
: directly from the program manager.  (above is all under WFW 3.11, so may 
: be different for Win95)

The latest version from Micro$oft is scanprot.dot.  scan831.doc, BTW, did
a poor job of cleaning infected documents -- left fragments which other
scanners (Vi-Spy for example) will false alarm on.  So far I've not seen
false alarms from docs cleaned by scanprot.dot (I'm p/o my outfit's virus 
response team, so get to see the blood and gore).

Good luck!

- -
- ----------------------------
James R. Bunch         "A Byte is a terrible thing to waste ... 
jbunch@primenet.com     ... a MByte 1048576 times worse"

PGP Key available via finger
PGP Key fingerprint =  B5 31 10 77 BF B0 FD B2  10 54 CB E6 13 7C 26 58
- -----------------------------

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 40]
*****************************************


