Message-Id: <01I30DCRYH72S5UZJP@csc.canterbury.ac.nz>
Date: 	Mon, 01 Apr 1996 00:17:13 +1200 (NZT)
Reply-To: virus-l@Lehigh.EDU
Sender: owner-virus-l@Lehigh.EDU
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>
Subject: VIRUS-L Digest V9 #41
MIME-version: 1.0
Content-transfer-encoding: 7BIT
X-Sender: cctr132@cantva.canterbury.ac.nz
X-Listprocessor-Version: 7.2 -- ListProcessor by CREN

VIRUS-L Digest    Monday, 1 Apr 1996    Volume 9 : Issue 41

Today's Topics:

Re: What REALLY matters in Commercial Anti-Virus Software
Re: What REALLY matters in Commercial Anti-Virus Software
Trojan? - "Meaning of Life"
NCSA certified products
alt.comp.virus FAQ
help- possible virus that causes auto reboot
Re: Virus Damage Statistics
scn-22ce.zip McAfee VirusScan for DOS, SCAN.EXE
New Windows NE virus--Win.Tentacle (WIN95)
Re: McAfee 2.0 for Win95 "feature" (WIN95)
NAV hidden files? (WIN95)
Re: McAfee 2.0 for Win95 "feature" (WIN95)
NAV says Stealth_Boot in memory (WIN95)
Undetectable 32-bit Windows 95 virus? (WIN95)
A small change to Word for Windows (WIN)
Re: Need Help With a virus called SCRMING.FIST.II.652 (PC)
Re: Jackal.B (PC)
Re: Stoned.Empire.Monkey_B (PC)
Re: Help w/ possible boot sector virus (PC)
Re: Config of McAffee (PC)
CraZZZZZZy BoOOOOOt!! (PC)
An aftereffect of Natas (PC)
Re: Wordperfect 6.1 Virus? (PC)
Re: HELP! newbie with possible virus (PC)
Re: Anti exe virus (PC)
Re: Possible memory-resident virus HELP! (PC)
Re: Jackal.B (PC)
Re: March Virus (PC)
Re: urkel (PC)
Re: Dir-2.a Virus - Please Help!!! (PC)
Re: MANZON Virus (PC)
Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
"Dis is one half" messages-Virus? (PC)
Re: IBM APTIVA possible VIRUS (PC)
Re: Modem snag: Virus or NAV? (PC)
Re: Jackal.B (PC)
Wanted TSR checks A: as used (PC)
Re: Form Virus On A Lan (PC)
Re: MSAV says files changed (PC)
Re: Havoc ][ and Virus List (PC)
Re: Jackal.B (PC)
Re: Jackal.B (PC)
McAfee Vshield 2.9 and windows (PC)
Re: MSAV says files changed (PC)
Re: Possible virus--adds to command.com (PC)
Is ARJ 2.8 a trojan? (PC)
Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
Re: Need Help With a virus called SCRMING.FIST.II.652 (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Thu, 21 Mar 1996 03:14:57 +0000 (GMT)
From: Joe Wallace <yusuf@chelsea.ios.com>
Subject: Re: What REALLY matters in Commercial Anti-Virus Software
X-Digest: Volume 9 : Issue 41

I do commercial antivirus installations all day. I use McAfee and see the
same problems with system slowdowns and a need for know-how that is way
above the heads of average users. No problem, keeps me in business.

Dr. Jay (New York City)

------------------------------

Date: Thu, 21 Mar 1996 03:46:27 +0000 (GMT)
From: Enrico DePaolis <74777.171@compuserve.com>
Subject: Re: What REALLY matters in Commercial Anti-Virus Software
X-Digest: Volume 9 : Issue 41

Ken wrote:

>All you anti-virus gurus have got it all wrong.  Those esoteric
>technical arguments, and whose software detects a few more oddball
>viruses, really doesn't matter in the workaday world.  What counts is
>what can be installed and maintained by the typical secretary.
>
>Any recommendations?

Take a look at the EMD Armor line.  It is different than the rest 
of the AV pack.  Prevention is stressed and we don't get you 
on the updates.  Heck we don't have updates since we tackle 
the virus before it attacks the system.  Give it a try.  If you 
don't like it return it.

Safe Computing!

Enrico DePaolis
EMD Enterprises
http://www.emdent.com
(800) 8989-EMD

------------------------------

Date: Thu, 21 Mar 1996 23:10:37 +0000 (GMT)
From: John Elsbury <jelsbur@clear.co.nz>
Subject: Trojan? - "Meaning of Life"
X-Digest: Volume 9 : Issue 41

I have had a couple of instances of people receiving a ZIPped Email
attachment - MEANING.ZIP - which they are invited to unpack and run.

I have told staff not to run programs they don't trust...
Has anybody else come across this? 

John

------------------------------

Date: Fri, 22 Mar 1996 14:37:27 +0000 (GMT)
From: Al Kimel <akimel@awod.com>
Subject: NCSA certified products
X-Digest: Volume 9 : Issue 41

For everyone's interest:

The products that have now been certified by the NCSA are InocuLan,
F-Prot Professional, IBM, and NAV.  I understand that a couple of others
(e.g., McAfee and Dr. Solomon's) are in the testing phase.

The certification means (I think) that these products successfully
caught 100% of the in-the-wild viruses and 90% of the NCSA zoo.

For more, see:

http://www.ncsa.com/avpdcert.html

Cheers,
Al

------------------------------

Date: Fri, 22 Mar 1996 17:22:47 +0000 (GMT)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: alt.comp.virus FAQ
X-Digest: Volume 9 : Issue 41

I've just updated the alt.comp.virus FAQ (NB *not* the comp.virus FAQ
maintained by Nick FitzGerald). In addition to the sites already making
it available by FTP/HTTP, I'm now putting the latest version into

	ftp://ftp.icnet.uk/icrf-public/acv.FAQ/

at the same time as I post them to a.c.v., in the hope of easing the
strain on my mailserver.

End of commercial.

David Harley

[Moderator's note:  ...and well worth a look too!]

------------------------------

Date: Fri, 22 Mar 1996 18:12:22 +0000 (GMT)
From: ebbtide@cris.com
Subject: help- possible virus that causes auto reboot
X-Digest: Volume 9 : Issue 41

I am having a problem that I think might be a virus.  Without even
touching my computer, not even running a program, the computer re-boots
itself.  Sometimes I can be in the middle of running a program and it
happens.  There doesn't seem to be any rhyme or reason, it just reboots.

Has anyone had the problem?  Are there any ways to correct it?

				Ebbtide

[Moderator's note:  Without more details about the machine it is hard to
know where to start.  There most likely are viruses that unintentionally
or otherwise cause unprompted, spontaneous reboots, but in my experience
with PCs (is this a PC??) such symptoms are more likely due to hardware
faults (flakey RAM for example), over-optimistic BIOS/chipset settings
(too few wait states maybe) or memory manager problems (check EMM386,
QEMM, etc settings).]

------------------------------

Date: Fri, 22 Mar 1996 16:52:14 +0000 (GMT)
From: David Harley <harley@callisto.lif.icnet.uk>
Subject: Re: Virus Damage Statistics
X-Digest: Volume 9 : Issue 41

Pavel Machek (machek@d12.novell.karlin.mff.cuni.cz) wrote:

: Jeff Beaubien (AnarchyX@charger.newhaven.edu) wrote:
: : I am interested in obtaining statistical information regarding PC
: : virus damage.  Examples include: how many viruses are there?  what is the
: : estimated amount of financial cost incurred by computer viruses?  etc.

There are no authoritative estimates.

: : If someone could provide a reference to an article or book (relatively
: : recent), I would greatly appreciate it.

:   I think that more damage is done by people trying to remove virus than
: by viruses. I heard about many people formatting harddisk because of some
: virus. Some of losses are because they are users, which see virus even when
: no virus is there.

This is certainly a significant cause of 'damage'. In general, damage to
data is less expensive than other factors such as damage to reputation
and the costs of prevention/limitation. Putting together a realistic
set of figures is not trivial, and most of the estimates put together
by consultants are probably just guesswork....

David Harley
ICRF

------------------------------

Date: Fri, 22 Mar 1996 14:53:04 +0200
From: ts@UWasa.Fi (Timo Salmi)
Subject: scn-22ce.zip McAfee VirusScan for DOS, SCAN.EXE
X-Digest: Volume 9 : Issue 41

Fri 22-Mar-96: Acquired to our archives

 435746 Mar 19 02:11 ftp://garbo.uwasa.fi/pc/virus/scn-22ce.zip
 scn-22ce.zip McAfee VirusScan for DOS, SCAN.EXE

 444425 Mar 19 02:11 ftp://garbo.uwasa.fi/pc/virus/vsh-22ce.zip
 vsh-22ce.zip McAfee antivirus TSR, VSHIELD.EXE

   All the best, Timo

....................................................................
Prof. Timo Salmi   Co-moderator of news:comp.archives.msdos.announce
Moderating at ftp:// & http://garbo.uwasa.fi archives  193.166.120.5
Department of Accounting and Business Finance  ; University of Vaasa
ts@uwasa.fi http://uwasa.fi/~ts BBS 961-3170972; FIN-65101,  Finland

------------------------------

Date: Sun, 24 Mar 1996 13:04:34 +0100
From: Gerard Mannig <mannig@world-net.sct.fr>
Subject: New Windows NE virus--Win.Tentacle (WIN95)
X-Digest: Volume 9 : Issue 41


N E W   V I R U S   R E P O R T 

A new virus hitting Windows NE has just been found

We strongly suspect this virus to quickly spread because it has been
discovered in UseNet


Please, report any infection you've been victim of about this virus. As
being a RECIF member, complete privacy is offered by default 

Here is a technical record about Win.Tentacle

 Win.Tentacle.1958 ( discovered March 15, 1996 )
 -----------------
It is not a dangerous nonmemory resident parasitic virus. It searches for
NewEXE-files in current and C:\WINDOWS directories, then writes itself to
the end of the file. While infecting the virus creates temporary
C:\TENTACLE.$$$ file, then modifies and copies blocks of original file to
temporary one, then copies temporary file to original one, and then
deletes temporary file.

From 0:0am till 0:15am the virus checks the just infected file for the
Resources, and searches for Icon resource. If such Resource is there, the
virus overwrites it with another icon which is contained in the virus
body.

The virus contains the internal text string:

 C:\TENTACLE.$$$ C:\WINDOWS\*.EXE

-_-

For those willing to check out their systems for Win.Tentacle, please get
the AVP detection/disinfection routine and/or AVP or AVPLite from one of
the following sites :


polbox.com.pl;/!antivir                        ( Poland )
star.brisnet.org.au;/avp/incoming            ( Australia )
ftp.command-hq.com;/pub/command             ( USA )
http://www.command-hq.com/command   ( USA )

and

www.thenet.ch/metro   ( main Swiss AVP site )

As a side note, AVPLite is a shareware while AVP is the complete commercial
package

-_-

Travel in Spain between March 25th - April 1st
-----------------------------------------------------------------

I went to Spain between the dates above. Please allow some days if your
mails ask me for a response. Weekly AVP updates are available on
www.thenet.ch/metro Web site as usual and on an increasing  quantity of BBS

----------------------------------------------------------------
Gerard MANNIG                                    Virus Consultant 
    Phone : +33 (16) 3559-9344     Fax     : +33 (16) 3560-5011               
Report a virus attack: http://www.primenet.com/~mwest/vir-vrf.htm
Member of   R . E . C . I . F 
data +33 1 3415-4959                Voice machine +33 1 3072-9443
=-=-=- I do NOT speak for RECIF unless otherwise specified -=-=-

------------------------------

Date: Thu, 21 Mar 1996 10:18:03 -0500
From: Doorblower <doorblower@aol.com>
Subject: Re: McAfee 2.0 for Win95 "feature" (WIN95)
X-Digest: Volume 9 : Issue 41

I accidentally copied the new virus dat files for the month for the dos
version into the folder for McAfee for Win95 and that really messed things
up because I am running V-Shield.
I believe they had the same file name so I thought...
I was wrong.
doorblower@aol.com

------------------------------

Date: Thu, 21 Mar 1996 19:18:02 -0800
From: Lycanthrope <ewright@ap.net>
Subject: NAV hidden files? (WIN95)
X-Digest: Volume 9 : Issue 41

hey all. I recently d/led the monthly virus updates and an upgrade for 
word macrovirus from SYMANTEC. I followed the instructions which said to 
d/l to a temp directory, unzip there, etc. everything worked fine but 
now I have several hidden files which relate to NAV in my temp 
directory. I attempted to delete them (since they weren't in the NAV 
directory anyway) but this created about 50 new files all over my 
program manager and desktop (I have WIN95) can I delete these or move 
them to my NAV directory? any help appreciated.
--
-Lycanthrope
ewright@ap.net

------------------------------

Date: Fri, 22 Mar 1996 17:18:24 +0000 (GMT)
From: Zack Jones <zack@hom.net>
Subject: Re: McAfee 2.0 for Win95 "feature" (WIN95)
X-Digest: Volume 9 : Issue 41

>Score stands 1 with false alarms vs 1 without.  Others?
 
No false alarms and 1 positive hit on the anti-exe virus which was on
a floppy one of our customers brought to the office.

The only odd behavior I've observed and I don't know if this is caused
by McAfee or something else, but every time I shut down the computer it
tries to read the A Drive for a few seconds before I get the "It's
safe to turn off your computer screen".

Have you or anyone else observed this?

Take Care, Zack Jones
zack@hom.net

------------------------------

Date: Fri, 22 Mar 1996 21:41:45 +0000 (GMT)
From: Decius <bhill@usa.pipeline.com>
Subject: NAV says Stealth_Boot in memory (WIN95)
X-Digest: Volume 9 : Issue 41

I have Norton Antivirus Scanner for Windows 95.  When I run it to search
for viruses in memory it displays a message, "The virus Stealth_Boot.B was
found.  Shutting down computer."  But when I run it to search everything
but the memory, including the master boot file it finds no viruses.  I
would very much like to eradicate this virus from my system but am having
difficulties.  Any suggestions would be greatly appreciated. 

--
Bradley Hill 
bhill@usa.pipeline.com

------------------------------

Date: Fri, 22 Mar 1996 14:47:35 +0000 (GMT)
From: Charlie Bryant <cbryant@hq.vni.net>
Subject: Undetectable 32-bit Windows 95 virus? (WIN95)
X-Digest: Volume 9 : Issue 41

Guy in our shop booted up his Win95 machine today and got this message:

		     http://www.hiv.aids.death

	    The undetectable 32 bit virus for Windows 95

	    Infection is spreading faster than expected

		You have less than 1 month to live

Press any key to continue . . .

Okay, I know it's an obvious joke address and all that, and it sounds
like the work of a lamer who figured out how to plant a text file
somewhere.  But has anybody else seen this, or anything like it?

Thanks.

--
----------------------------------
Charlie Bryant
Another guy with too many computers
http://www.vni.net/~cbryant
----------------------------------

------------------------------

Date: Wed, 20 Mar 1996 22:37:38 -0500
From: Larry Frank <ELFRANK@globalone.net>
Subject: A small change to Word for Windows (WIN)
X-Digest: Volume 9 : Issue 41

While reading the current postings about macro virus behavior I realized
that over the last few weeks when Word for Windows opens a document via
associated extension, my computer gives one beep as the program opens. 
This is new and unaccounted for behavior.  I have run four current av
pgms. without any indication of a problem. Does this sound like macro
virus behavior?  Can I turn the beep off and if so how?  Would this be a
means of pursuing the possibility of infection?

Thanks

Larry Frank

------------------------------

Date: Thu, 21 Mar 1996 03:10:51 +0000 (GMT)
From: Steve Anthony <santhony@morgan.ucs.mun.ca>
Subject: Re: Need Help With a virus called SCRMING.FIST.II.652 (PC)
X-Digest: Volume 9 : Issue 41

Annie Hayes (rcmpinf@lancite.net) wrote:

: The users often have to connect on customer's networks. They are bringing 
: back hundreds of virus, McAfee 227 is usually doing the job but I have a 
: couple of LapTop with every executables files infected by what McAfee 227 
: detect to be a virus called SCRMING.FIST.II.652 at the same time it's telling
: me that there's no remover for this virus.  I really need to find a scanner 
: that will do the job.

F-Prot ver 2.22 lists Screaming Fist, but not Screaming Fist 2.  However, 
it does include a repair for the former.... 

Steve.

--
Stephen K. Anthony, 401 Burke House, Paton College, St. John's, NF, CANADA
Local Phone:  (709) 753-0937   Web Server:  http://www.cs.mun.ca/~santhony  
Geek Code V3.1:  GCS d- s:+ a-- C++ U++ P L+ E--- W++ N++ K++ w---(+) M-- 
		 V-- PS+ PE Y+ PGP- t++ 5 X+ R* tv b+ DI- D+ G e+>++ h-- r y?

------------------------------

Date: Thu, 21 Mar 1996 03:26:40 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Jackal.B (PC)
X-Digest: Volume 9 : Issue 41

"Byron D. Holdiman" <holdiman@luna.cas.usf.edu> writes:

>We have located Jackal.B on several computers through McAfee, but McAfee 
>could not remove it.  Does anyone know what Jackal.B does and how to get 
>rid of it?

Please update your DAT set to the latest 9603 dated March 18th.

The Jackal.B (MBR) sig is a false id.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Thu, 21 Mar 1996 03:32:32 +0000 (GMT)
From: Joe Wallace <yusuf@chelsea.ios.com>
Subject: Re: Stoned.Empire.Monkey_B (PC)
X-Digest: Volume 9 : Issue 41

In article <0022.01I2G0808C12RI5O92@csc.canterbury.ac.nz>,
Virex1<virex1@aol.com> says:

>I had a floppy disk infected with the Stoned.Empire.Monkey_B virus, while
>attempting to disinfect the floppy I ended up infecting my internal HD by
>ways of forgetting the infected disk in the floppy drive while re-booting
>the PC, However, I was able to remove the infection from my internal HD
>immediately with a Program call Virex for the PC v2.96, after
>successfully removing the Virus infection, now the only way I'm able to
>see my internal HD is by starting the PC with a system disk, if I try a
>normal startup a message indicating that a boot sector virus may still be
>in my internal HD appears and doesn't let me go on.  I also tried running
>FDisk /MBR to no avail.  It does not even get to Config.sys or
>Autoexec.bat.
>
>Please note that I made sure that my CMOS set up from AMI BIOS 1992 *is
>not* set up to protect my HD boot sector.

You still have the virus. I could tell you how to get rid of it but it's
a bit involved. If no one else helps you out in the next couple of 
days, e-mail me and I'll try.

Yusuf

------------------------------

Date: Thu, 21 Mar 1996 03:59:37 +0000 (GMT)
From: Joe Wallace <yusuf@chelsea.ios.com>
Subject: Re: Help w/ possible boot sector virus (PC)
X-Digest: Volume 9 : Issue 41

In article <0033.01I2G0808C12RI5O92@csc.canterbury.ac.nz>,
veilleux@tiac.net says:

>I've been having a problem with what I believe is a virus.  I have
>McAfee VirusScan95 in my autoexec.bat.  When I boot up, I get the
>message "Traces of virus found in memory.  This may be an active virus
>or an image left by a previous operation."  Then it tells me to shut
>down, and boot from a floppy, and I think you guys know the routine
>from there.
>
>Well, I've run F-Prot from a bootable floppy, and nothing was found.
>I've changed the autoexec.bat to get into Windows95, and run the virus
>scans from there - again, nothing, and I used McAfee and Microsoft
>Anti-Virus.  So, now 3 in total have told me there's nothing there,
>but McAfee won't let me boot up my PC.  Other than reformatting my
>computer, any suggestions?  
>
>And McAfee hasn't been much help to me.  They've been going crazy with
>calls about Michelangelo, and I'll be damned if I'm going to sit on
>the phone with them in San Jose or wherever they are (I'm in Boston)
>for an hour when it's not a toll-free line.
>
>So, if anyone could shed some light on this for me, that would be
>fantastic.  Thank you much........

 You probably still have a boot sector virus. Getting it out requires 
a delicate and dangerous re-write of certain system files. AV Pro which is
available via a NET Search does this but warns of possible loss of all
data. I've used it many times in similar circumstances. So far it has 
always worked with no problems.


Dr. Jay (New York City)

[Moderator's note:  Or maybe he should just take VirusScan out of his
AUTOEXEC until McAfee fix what sounds like a false positive??

Over the last few weeks there have been a large number of similar reports
of VirusScan finding (traces of) viruses in memory at boot up under Win95
and no other reputable scanners finding anything--would someone from
McAfee's like to comment?]

------------------------------

Date: Thu, 21 Mar 1996 16:20:00 +0100 (N)
From: "Rosolowski, Tyler - FMS Auck" <TylerR@fms.co.nz>
Subject: Re: Config of McAffee (PC)
X-Digest: Volume 9 : Issue 41

In Digest: Volume 9 : Issue 38 Buster Maddog <buster@newnorth.net> wrote:

> I would like some help with my McAffee scanner, is there a way to limit
> the primary scan on powerup to once a week, and would i want to

If you are using the DOS based SCAN then it's

SCAN /FREQUENCY <n>       Do not scan [n] hours after the previous scan.

eg

SCAN /FREQUENCY 168

Regards,
Tyler Rosolowski [tylerr@fms.co.nz]  

------------------------------

Date: Wed, 20 Mar 1996 22:32:04 -0800
From: BB Bucks <cweng@aol.com>
Subject: CraZZZZZZy BoOOOOOt!! (PC)
X-Digest: Volume 9 : Issue 41

Will that work for the virus "Crazy Boot" if I redo the FDISK then 
Format the disk?

If not, how can I handle it? or where can I find the resources?

My computer: Intel 486DX4-100
	     16MB RAM
	     1 850 HD (Master)
	     1 540 HD (Slave)
	     1 3 1/2" FD
	     Running Win95
===== Bucks =====

------------------------------

Date: Thu, 21 Mar 1996 08:20:05 +0000 (GMT)
From: "A.Appleyard" <A.APPLEYARD@fs2.mt.umist.ac.uk>
Subject: An aftereffect of Natas (PC)
X-Digest: Volume 9 : Issue 41

I have had attacks of NATAS in some PC's that students use. It seems that
when NATAS has infected a file and McAfee SCAN has cleaned it out, there
remains an odd effect:

  `DIR' prints its date as correct (at least with DOS 5.00: I have no
intention of letting NATAS into my own PC just to find if DOS 6.22's DIR
does this also!)

  The DOS interrupts `AX=4E00, int21' & `AX=4F00, int21' read its date as
128 years in the future from correct.

  `DIR /OD' sorts affected filenames by date as if the date was 128 years
in the future from correct, but yet prints their dates as correct.

Sometimes the only clue that NATAS is or has been about, is that DIR /OD
sorts file dates wrong. Why is this? Is there a bug in DIR's date-printing
routine? Or what? I can't see why DIR's print routine needs to ignore the
128-years bit; if some fault has set a file's creation year wildly wrong,
I want to know about it!

------------------------------

Date: Thu, 21 Mar 1996 03:37:23 -0500 (EST)
From: Kenneth Albanowski <kjahds@kjahds.com>
Subject: Re: Wordperfect 6.1 Virus? (PC)
X-Digest: Volume 9 : Issue 41

On Fri, 15 Mar 1996, DarStec wrote:

> One other possiblity which I have run across several times - a bad CPU. 
> It can play havoc with the HD controller card.  Sometimes this is hard to
> track down because if the problem is intermittent then everything works
> until the CPU acts up and if it acts up the test software shuts down and
> can't tell you.  Substitution seems to be the only way to track this one
> down.

An excellent point, and one I can confirm with very recent experience (if
slightly apocryphal: it was related to me that the CPU was damaged, and
with a different CPU everything worked properly): a damaged 486 CPU, of
which the only immediate sign was that the floppy drive didn't work quite
right. Some floppy disks would boot, some wouldn't. F-prot (as a handy
test) failed its startup file consistency checks. The obvious tests of
substituting controllers, cables, or drives produced no positive results. 

Going from problems reading floppy disks to problem writing hard disks
isn't too much of a jump. Modern (let alone traditional) PC's are hardly
fault tolerant, or self diagnosing, and it doesn't take a virus to wreak
havoc.

--
Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)

------------------------------

Date: Thu, 21 Mar 1996 04:00:18 -0500 (EST)
From: Kenneth Albanowski <kjahds@kjahds.com>
Subject: Re: HELP! newbie with possible virus (PC)
X-Digest: Volume 9 : Issue 41

On Mon, 18 Mar 1996, eric j. geller wrote:

> i think i may have encountered a virus on the net. can't remember the 
> web page but it said specifically that "you have just downloaded a
> virus".

A quick search with AltaVista shows two sites containing messages like
this. The first one is a contextual joke, not a virus. The second one is
apparently pointless and/or bizarre, but also not a virus. At this point in
time, the probability of going to a web page and "getting a virus" without
doing anything else is unlikely at best. Certainly if you don't download
_and execute_ an executable program, or download _and open_ a Word
document, you should be safe. 

> unfortunately weird things were occurring even before the web
> encounter.

Ah, false alarm, I'd say.

> i'll try to keep the description short. firstly, i can't get
> any sound to work with my games or my cd-roms, even after re-installing
> the sound software. the sound will work if i play a music cd with the
> comp. cd player but not with anything else. 

Sound from the CD player isn't quite routed in the same way other sounds
are. This sounds like either you have the sound card's volume controls set
to off, or the sound card's drivers are not properly installed. 

> secondly, i am having weird
> messages crop up when trying to open some of my games like myst. when i
> try to open myst i get the message "unable to open dynalink" or some
> such nonsense. i've never had any of these problems before. another
> problem seems to be that when i boot up my computer the set-up routine
> is sticking momentarily in two places for a short period of time. this
> has also never happened before. 

The "unable to open dynalink" type messages could refer to PATH problems,
memory problems, configuration problems, or any of a raft of troubles in a
sea of woes. 

The "sticking during bootup" cannot be attributed to anything without 
more information.

> i have run micro-soft anti-virus and it came up with four execution
> files that have changed. since i don't know very much about computers
> this is all new to me. i want to buy an anti-virus program for this
> problem and any future ones, please give suggestions before i spend
> money that i don't have!

Try to obtain F-Prot, or a similar shareware virus scanner. Most such 
scanners are better than MS-AV.

In addition, you say four files changed. Which files? This might, or might
not, be useful information. 

> last question, i run a netcruiser browser which i believe holds web
> pages in ram and  does not write directly to the HD. is it possible to
> get a virus that just lives in ram and then causes damage w/o having to
> be written to the HD. any help at all is incredibly appreciated.
> thanks.

To be blunt, this is utter silliness. However, as you're still learning, a
better explanation is called for: some web browsers cache pages to the
hard drive in a special cache directory. This, while I suppose it could
copy a virus to your machine, will not, and can not, execute a virus, or
anything else. It is merely _cached_, or stored for a while, not executed.

If a web browser doesn't use such a cache, then it has to keep all the
pages it keeps current (a relatively small number) in memory. Regardless,
despite the possibility of a virus being "in memory" (although I'm hard
pressed to see how it would get cached this way) it would not get
executed, merely discarded in a while. 

In any event, if you did actually get a virus "off the web", I'm pretty
sure you would have noticed a more specific arrival. 

--
Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)

------------------------------

Date: Thu, 21 Mar 1996 04:05:19 -0500 (EST)
From: Kenneth Albanowski <kjahds@kjahds.com>
Subject: Re: Anti exe virus (PC)
X-Digest: Volume 9 : Issue 41

On Sun, 17 Mar 1996, Angela Cowley wrote:

> I bought a new computer 2 weeks ago and it was definitely clear of viruses
> when I got it, but then 5 days ago I discovered it had the anti exe virus.
> I know my old computer is clean and the floppies I installed the day I got
> it are clean, just ones I've used over the last week are infected. I've
> cleaned everything now and have dr solomons installed, but wonder where
> the virus came from. Every one I know who is not on the net is telling me
> I got it from the net, but are they right? I was online for 4 months on
> the old machine and that is ok.

Have you checked that _all_ disks that have been anywhere near it are
clean? Don't just check bootable disks, as any disk that has been left
in the machine while the machine is booting could be a source. Likewise,
any disk used in the machine once it is infected will be infected. 

--
Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)

[Moderator's note:  Good advice but a small element of "myth spreading". 
The term "bootable" strongly implies that there are "non-bootable"
diskettes.  Technically there are "non-bootable" PC diskettes, but they
tend to go by the more meaningful description "unusable".  -ANY- DOS-
formatted diskette that does not have a disk error in the boot sector can
infect your PC if the diskette is infected with a boot sector virus and a
-boot ATTEMPT- is made from that diskette.

The use of the term "bootable diskette" has, unfortunately, been
misconstrued for PCs to mean that diskettes that cause the "Non system
disk or disk error..." message to appear are "non-bootable".  This is then
extended something along the lines "as boot sector viruses infect boot
sectors, non-bootable diskettes are safe from BSIs as non-bootable
diskettes presumably do not have boot sectors".  The real "problem" here
is the presumption in the previous sentence, but AV and systems experts
would do the less-expert community a favour by referring to "system
diskettes" rather than to "bootable diskettes".]

------------------------------

Date: Thu, 21 Mar 1996 04:15:09 -0500 (EST)
From: Kenneth Albanowski <kjahds@kjahds.com>
Subject: Re: Possible memory-resident virus HELP! (PC)
X-Digest: Volume 9 : Issue 41

On Mon, 18 Mar 1996, Rick and/or Teresa Hull wrote:

> Rebel Assault II did a diagnostics check on my 'puter and it said I only 
> had 6.9 megs of RAM (normally 8).  Also, Norton AV wouldn't run (it said 
> it needed 704 more bytes of memory to run).  So I clean-booted and Norton 
> didn't find anything.  Anyone know what's wrong?

PC memory management is a bit of a black art: yes, your PC has 8 meg of
memory, but depending on how you measure it, 1 meg + some spare change
will always be used. Thus RA II's report sounds quite reasonable. 

As for the Norton AV complaint, that is a different thing altogether, most
likely: that refers to "conventional" memory, which happens to be a 640K chunk
of the 1 meg I mentioned previously. All loaded programs, drivers, and
TSRs use some of this memory, and most programs need a rather large free
amount to run. 

Check your memory manager's configuration (if you have one installed)
and/or remove any drivers or TSRs that you don't need. At the very least,
the "mem" command (or is it "memory"?) should tell you what is available. 

> [Moderator's note:  It would likely have helped quite a bit had you
> included information about your hardware configuration, what OS you are
> running, what memory manager, etc, as many things go into working out if a
> reported configuration is "normal".]

The moderator brings this up because, in some specific cases, missing
memory does indicate the presence of a virus. If you originally had 640K
_total_ conventional memory, and now have 639K, that is a good reason to
suspect a virus. If you simply have too many drivers loaded, that's a
different matter. 

- -
Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)

------------------------------

Date: Thu, 21 Mar 1996 11:12:39 +0000
From: Dmitry Gryaznov <er86@dial.pipex.com>
Subject: Re: Jackal.B (PC)
X-Digest: Volume 9 : Issue 41

Byron D. Holdiman wrote:

> We have located Jackal.B on several computers through McAfee, but McAfee
> could not remove it.  Does anyone know what Jackal.B does and how to get
> rid of it?

Most AV products detect Jackal virus. But what you had was most likely a 
false alarm. The virus is multipartite - i.e. it infects both files 
and boot areas of disks. Was the virus detected in files as well as in 
boot/MBR of disks? If not - you had a false alarm. The virus stays 
memory resident. Was it detected in memory? If not - you had a false 
alarm. Similar to Empire Monkey and some other viruses, Jackal 
modifies hard disk MBR in such a way that the hard disk is visible to 
DOS only when the virus is active in memory (it's stealth). Can you 
access your hard disk when booted from a virus-free system diskette? If 
yes - you had a false alarm.
- - 
Sincerely,                    | VirusLab, S & S International PLC.
     Dmitry O. Gryaznov       | Alton House, Office Park, Gatehouse Way,
Senior Virus Research Analyst | Aylesbury, Bucks HP19 3XU, United Kingdom
E-mail: grdo@dial.pipex.com   | Tel: +44 (0)1296 318700
WWW: http://www.drsolomon.com | Fax: +44 (0)1296 318734

------------------------------

Date: Thu, 21 Mar 1996 12:15:22 +0100
From: Ann-Katrin Elgesem Engen <aengen@sn.no>
Subject: Re: March Virus (PC)
X-Digest: Volume 9 : Issue 41

Parameshwar Babu <MDSAAA28@giasmd01.vsnl.net.in> wrote:

>A company (in India) developing virus scanners has claimed that it has
>detected a virus called 'Print screen' which will wipe out all the
>data on infected hard disks and diskettes on *all* days in the month
>of March.

I forwarded the question to the F-prot dealer here in Norway. Mikko in
DataFellows says:

>     Sounds like a new variant of Print_Screen_Boot to me. Probably
>     detected by F-PROT already.
> 
> --
>          Mikko Hermanni Hyppönen - Mikko.Hypponen@DataFellows.com
>    Data Fellows Ltd's F-PROT Pro Support: F-PROT-Support@DataFellows.com
>  Computer virus information available via web: http://www.DataFellows.com/
> Paivantaite 8, 02210 Espoo, Finland. Tel +358-0-478444, Fax +358-0-47844599

- - 
- Ann-Katrin Elgesem Engen

------------------------------

Date: Thu, 21 Mar 1996 11:15:37 +0000
From: Dmitry Gryaznov <er86@dial.pipex.com>
Subject: Re: urkel (PC)
X-Digest: Volume 9 : Issue 41

Larry Schimmel wrote:

> Is there someone who knows how to remove once and for all the urkel
> virus.  I've checked past postings and other sources but cannot find a
> solution.  Any help would be appreciated.

Have you tried Dr.Solomon's FindVirus? You can get it from 
http://www.drsolomon.com or ftp://ftp.drsolomon.com . It should be able to 
remove the virus.

- - 
Sincerely,                    | VirusLab, S & S International PLC.
     Dmitry O. Gryaznov       | Alton House, Office Park, Gatehouse Way,
Senior Virus Research Analyst | Aylesbury, Bucks HP19 3XU, United Kingdom
E-mail: grdo@dial.pipex.com   | Tel: +44 (0)1296 318700
WWW: http://www.drsolomon.com | Fax: +44 (0)1296 318734

------------------------------

Date: Thu, 21 Mar 1996 11:26:33 +0000
From: Dmitry Gryaznov <er86@dial.pipex.com>
Subject: Re: Dir-2.a Virus - Please Help!!! (PC)
X-Digest: Volume 9 : Issue 41

ruben@ralp.satlink.net wrote:

> Ian Elrick <j.s.elrick@forth.stir.ac.uk>
> Wrote:
> 
> >I have just found a pc infected with the above beastie at my site.
> >Neither the latest versions of F-Prot or Dr Sols can clean it.
> >It is only the one machine so far but I am keen to get a fix before it
> >spreads.
> 
> Dir-2.a is NOT a new virus.
> It's hard to believe that F-prot or Dr Solomons can't deal with them.
> I'm pretty sure that these AV packages identify the infected files.
> 
> Just delete the infected files and replace them by the originals. It's
> possible that the AV packages can't remove the virus from the file.

NO!!! DIR-II cross-links all infected files to the same cluster. If you 
boot clean and delete all the infected files, you'll end up with a 
damaged file system (a -lot- of lost clusters). Use the virus itself to 
get rid of it. See my previous posting on the subject.

- - 
Sincerely,                    | VirusLab, S & S International PLC.
     Dmitry O. Gryaznov       | Alton House, Office Park, Gatehouse Way,
Senior Virus Research Analyst | Aylesbury, Bucks HP19 3XU, United Kingdom
E-mail: grdo@dial.pipex.com   | Tel: +44 (0)1296 318700
WWW: http://www.drsolomon.com | Fax: +44 (0)1296 318734

------------------------------

Date: Thu, 21 Mar 1996 11:28:24 +0000
From: Dmitry Gryaznov <er86@dial.pipex.com>
Subject: Re: MANZON Virus (PC)
X-Digest: Volume 9 : Issue 41

genstorm@hookup.net wrote:

> Has anyone heard of a virus known as Manzon? If so, how did you deal with
> it?

Many good AV packages are able to detect and remove the virus. 
For example, you can download a free evaluation copy of Dr.Solomon's 
FindVirus from http://www.drsolomon.com or ftp://ftp.drsolomon.com . 
FindVirus does detect and repair Manzon.

- - 
Sincerely,                    | VirusLab, S & S International PLC.
     Dmitry O. Gryaznov       | Alton House, Office Park, Gatehouse Way,
Senior Virus Research Analyst | Aylesbury, Bucks HP19 3XU, United Kingdom
E-mail: grdo@dial.pipex.com   | Tel: +44 (0)1296 318700
WWW: http://www.drsolomon.com | Fax: +44 (0)1296 318734

------------------------------

Date: Thu, 21 Mar 1996 11:37:15 +0000
From: Dmitry Gryaznov <er86@dial.pipex.com>
Subject: Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
X-Digest: Volume 9 : Issue 41

Gerald Pfeifer wrote:

> In the process of deciding whether to renew my current F-Prot license or
> switch over to Dr Solomons, I ran a few tests last week.
> 
> While both products seem to be quite good in detecting viruses, testing their
> abilities to *identify* viruses revealed some interesting results. (Basic
> familiarity with the CARO naming scheme is assumed throughout the rest of this
> posting.)
> 
>   FindViru 7.57           F-Prot 2.21
>   -------------           -------------
> 
>   like Casino.2331        Casino.2330.A
[snip]
>   like Cascade.1701       Cascade.1704.D
>   like Cascade.1704       Cascade.1704.Y
> 
> No, it does recognise Cascade.1701, but why does F-Prot identify the same
> virus as Cascade.1704?
> 
>   like Possessed.2367     Possessed.2367
>   like Posessed.2167      Possessed.2367
>   like Possessed.2367     Possessed.2438
[snip]

If you run FindVirus against a virus collection, use /VID switch.
Otherwise after finding about 10 different viruses FindVirus stops doing
exact identification and reports just the basic name of each further
virus.

- - 
Sincerely,                    | VirusLab, S & S International PLC.
     Dmitry O. Gryaznov       | Alton House, Office Park, Gatehouse Way,
Senior Virus Research Analyst | Aylesbury, Bucks HP19 3XU, United Kingdom
E-mail: grdo@dial.pipex.com   | Tel: +44 (0)1296 318700
WWW: http://www.drsolomon.com | Fax: +44 (0)1296 318734

------------------------------

Date: Thu, 21 Mar 1996 12:42:20 +0000 (GMT)
From: Allen <oreo@tiac.net>
Subject: "Dis is one half" messages-Virus? (PC)
X-Digest: Volume 9 : Issue 41

When booting my computer a strange message has started appearing.
The message appears before the computer starts MS-DOS.
The Message is "Dis is one half."
Then I get the message "Press any key to continue."
After I type a key then I get the message Starting Dos.
Is this an indicator of any known virus?
Thanks.

[Moderator's note:  This is, I believe, a symptom of the One Half virus. 
It progressively encrypts your disk from the end tracks (cylinders) back
towards the beginning of the disk.  It encrypts two more cylinders per
boot.  Do NOT use the FDISK /MBR "trick" on this virus--doing so will
leave a section of your HD undecryptable.  I will leave it to those with
actual experience of this virus to suggest reliable disinfectors for it.]

------------------------------

Date: Thu, 21 Mar 1996 08:34:48 -0600
From: Jason Higgins <jhiggin1@tuelectric.com>
Subject: Re: IBM APTIVA possible VIRUS (PC)
X-Digest: Volume 9 : Issue 41

MMarsh8175 wrote:

> After months of grief, I have discovered the virus "TPE.Bosnia" on my hard
> drive. After deleting it I ran a check on the "IBM Aptiva Original
> Software CD" and found the virus on it also ! I checked again later on
> just to be sure and it IS there. I notified IBM of it, they really don't
> believe me, but are sending me a new CD and want me to send the infected
> one. I just want to alert all IBM Aptiva owners of a possible virus in
> their system. Losing program group files, GPF's, and memory error messages
> are a clue.

	I doubt this is an actual virus.  Losing program group files, 
GPF's and memory errors are all clues that your cache ram is bad.  I'd 
call IBM and talk to them about getting your hardware checked.

- - 
PGP on request
Jason

------------------------------

Date: Thu, 21 Mar 1996 15:34:24 +0000 (GMT)
From: "Walter C. Dove" <dove.walter@epamail.epa.gov>
Subject: Re: Modem snag: Virus or NAV? (PC)
X-Digest: Volume 9 : Issue 41

John Higgins <higgins@dorsai.dorsai.org> wrote:

<snip>
>The only pattern I can see is that it might be happening after I
>inoculate files via Norton Anti-Virus. That's absolutely the case today.
>So am I the victim of a) some sort of virus; b) Norton or c) some other
>mishap I can't identify?

Personal opinion only: b).  It's probably the inoculation process, given 
the sequence of events -- I don't know how Norton AV does this, so it is 
not an opinion that I'd back with my life.

At least some of the products that "inoculate" executable files 
(programs, that is) will admit that "inoculation" is not necessarily a 
good thing from the standpoint of having reliable programs.  

Which is reasonable, since the "inoculation" process changes existing 
code -- code changes -- not designed into a program -- by definition, are 
going to have uncertain results.

There is some discussion of this in the FAQ, section F8, I think.

rgds.  wcd.

[standard disclaimer: I speak only for myself.]

[Moderator's note:  F8 it is and in case people have forgotten or just
started following this list/group, the FAQ is at:

   ftp://cs.ucr.edu/pub/virus-l/vlfaq200.txt]

------------------------------

Date: Thu, 21 Mar 1996 17:51:43 +0000 (GMT)
From: Ken Stieers <ken_stieers@ontrack.com>
Subject: Re: Jackal.B (PC)
X-Digest: Volume 9 : Issue 41

>We have located Jackal.B on several computers through McAfee, but McAfee 
>could not remove it.  Does anyone know what Jackal.B does and how to get 
>rid of it?

If you are using 2.2.B, then it's a false ID.  Are these machines using 
DiskManager v6.03B??

Ken

- - 
Views expressed herein are not necessarily the views 
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               |  Minneapolis - 1.800.872.2599       *
* AV Research/Apps. Eng.    |  Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  |  Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     |  London - 0800 24 39 96             *
* Eden Prairie, MN          |  Japan - 81.429.32-6365             *
*******************************************************************

------------------------------

Date: Thu, 21 Mar 1996 13:55:03 -0800
From: Garry S <GarryS@win.tec.mn.us>
Subject: Wanted TSR checks A: as used (PC)
X-Digest: Volume 9 : Issue 41

Our site has licenses for McAfee and F-prot.  Unfortunately I have gotten 
several viruses onto our LAN because it does Not TEST as it READS diskettes 
in A:.  Does anyone know of a TSR that does?

Garry

------------------------------

Date: Thu, 21 Mar 1996 14:57:00 -0700
From: John Millington <sloppy@mack.Rt66.com>
Subject: Re: Form Virus On A Lan (PC)
X-Digest: Volume 9 : Issue 41

D3lyr1uM? (kore8@usa.pipeline.com) wrote:
: My lan at work is infected with the form virus, what will get rid of it?

Form doesn't infect LANs; it infects boot disks.  Check/clean all disks.

   Yog-Sothoth Neblod Zin,
      John Millington

------------------------------

Date: Thu, 21 Mar 1996 15:30:54 -0700
From: William A Wenrich <wawenri@sandia.gov>
Subject: Re: MSAV says files changed (PC)
X-Digest: Volume 9 : Issue 41

BMosher183@aol.com wrote:

> Is there a conflict with MSAV and Windows 95<snip>?

MSAV is incompatible with Windows 95.  I switched to Norton when I 
upgraded.

------------------------------

Date: Thu, 21 Mar 1996 22:48:21 +0000 (GMT)
From: Shane Coursen <scoursen@symantec.com>
Subject: Re: Havoc ][ and Virus List (PC)
X-Digest: Volume 9 : Issue 41

In article <0021.01I2JN95HN9ARI5O92@csc.canterbury.ac.nz>, 
d.munro@csuohio.edu says...

>As one may surmise from the subject header that I had the pleasure 
>of dealing with the Havoc ][ virus, according to my newly installed 
>Norton Antivirus software.  NAV identified it but provided little 
>information aside from the fact that it is a floppy and boot sector 
>virus.  

Apologies.  I'll see about adding some more information for those 
that are curious.

>On my computer, it either damaged or deleted several .exe files 
>in software such as MS Access, Excel, and PowerPoint. I never 
>actually checked to see if it had actually damaged or deleted 
>these files, but when I clicked on the MS Office button 
>bar for one of these programs, I got a message saying that it 
>couldn't locate the access.exe file.  

To my knowledge, Havoc][ will only affect the MBR.  My guess is 
that the .EXE files were not damaged, but the problem may very well 
have been a result of Havoc in memory.  It is difficult to say 
exactly what caused you to not be able to run MS-Office 
applications.

>At the time I was running win95 and tried to reinstall MS Office, 
>but always got an error saying "setup was not completed 
>successfully."  Anyway, after much frustration, I cleaned the virus 
>and reinstalled my entire system.

That's a shame.  In most virus cases, rebuilding the system is not 
required.  Havoc is repairable through NAV and most other scanners. 
As with any AV scanner you must first boot from a known clean 
diskette.

Once you have booted from a known clean diskette you will not be 
able to type C: and get to the hard drive (but that is alright.)  
Scanners will still scan the MBR and boot sector of a hard drive.
If any viruses are found, they will then be repaired.

>Does anyone have any more info on this varmint?

yes.

>Several years ago, around 1989, I downloaded, from this
>group, I think, a list of all or many PC viruses--about 400 at the 
>time. This list had extensive descriptions of each.  Does this still 
>exist today?

You might be referring to VSUM.  It isn't the most accurate virus
information database, but it should do the job.  It is available for
download from the Symantec WWW.  Address is in my .SIG.  Download 
area is "Download Updates | Utilities"

Other AV vendors represented in a.c.v. also provide excellent virus
informational databases.  See their .sigs for www addresses.

>Any help in this area would be greatly appreciated.  You can email 
>me directly or post here.  Thanks.

Here is a bit of information.  It is sort of technical and 
shortwinded, but it will give you some more info.

Havoc][ moves the partition table information from 0x1be to 0x1b6, 
rendering the drive unreadable on clean boot.  Once in memory, you 
will see a reduction in (@ word 40:13) memory of 4 kilobytes.  
Havoc][ only infects high density floppies.  If the system time 
reads "0 seconds" and the minutes are a multiple of 16 on any 
INT 13h activity (1 chance in 960 that...), the first 17 sectors 
of the first 4 heads of the first 256 cylinders are overwritten.

- - 
- --
Shane Coursen                                        Symantec Corporation
Computer Virus Researcher                http://www.symantec.com/avcenter
AntiVirus Research Center                                 CIS:  GO SYMWIN
scoursen@symantec.com                                           GO SYMNEW
      US Support:  541-465-8420                            AOL:  SYMANTEC
European Support:  31-71-353-111       Australian Support:  61-2-879-6577
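
Added example (not part of the original post, and not any vendor's scanner code): a Python check, run against an MBR sector read after a clean boot, for the two indicators described above, namely a partition table that parses at 0x1B6 but not at 0x1BE, and a conventional-memory word at 40:13 below 640. The sample sector and BIOS data area are constructed for illustration; the plausibility rules and what is left at 0x1BE after the move are assumptions.

```python
import struct

SECTOR_SIZE = 512
PT_STANDARD = 0x1BE    # normal partition table offset in the MBR
PT_DISPLACED = 0x1B6   # offset the post reports Havoc][ moving the table to
ENTRY_SIZE = 16
BDA_BASE_MEM = 0x13    # word at 0040:0013, conventional memory size in KB


def parse_table(sector, offset):
    """Return the used partition entries at `offset`, or None if implausible."""
    entries = []
    for i in range(4):
        raw = sector[offset + i * ENTRY_SIZE: offset + (i + 1) * ENTRY_SIZE]
        if raw == bytes(ENTRY_SIZE):
            continue  # unused slot
        status, ptype = raw[0], raw[4]
        lba_start, count = struct.unpack_from("<II", raw, 8)
        # Assumed plausibility rule: boot flag 00/80, non-zero type and size.
        if status not in (0x00, 0x80) or ptype == 0 or count == 0:
            return None
        entries.append({"active": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries or None


def classify_mbr(sector):
    """Classify one 512-byte MBR as standard, displaced, or unreadable."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        return "no-boot-signature", []
    standard = parse_table(sector, PT_STANDARD)
    if standard:
        return "standard", standard
    moved = parse_table(sector, PT_DISPLACED)
    if moved:
        # Matches the layout the post describes; confirm with a scanner
        # before repairing, and never by blindly rewriting the MBR.
        return "displaced", moved
    return "no-table", []


def base_memory_shortfall(bda, expected_kb=640):
    """KB missing from the BIOS conventional-memory word (0040:0013).

    An extended BIOS data area can also lower this value, so a shortfall
    is a lead to investigate, not a verdict.
    """
    (kb,) = struct.unpack_from("<H", bda, BDA_BASE_MEM)
    return expected_kb - kb


def sample_mbr(table_offset):
    """Constructed sector: zeroed boot code, one active FAT16 partition."""
    sector = bytearray(SECTOR_SIZE)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00",
                        0x06, b"\x0f\x3f\x20", 63, 1032129)
    sector[table_offset:table_offset + ENTRY_SIZE] = entry
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def sample_bda(kb):
    """Constructed 256-byte BIOS data area dump reporting `kb` of base memory."""
    bda = bytearray(256)
    struct.pack_into("<H", bda, BDA_BASE_MEM, kb)
    return bytes(bda)


if __name__ == "__main__":
    for name, off in (("clean", PT_STANDARD), ("moved", PT_DISPLACED)):
        kind, entries = classify_mbr(sample_mbr(off))
        print(name, kind, entries)
    print("missing KB:", base_memory_shortfall(sample_bda(636)))
```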

------------------------------

Date: Thu, 21 Mar 1996 20:16:32 -0500
From: "Byron Holdiman (LIS)" <holdiman@luna.cas.usf.edu>
Subject: Re: Jackal.B (PC)
X-Digest: Volume 9 : Issue 41

We did do the FDISK /MBR on all of the computers that were reported as 
being infected and it seems to have taken care of the problem.  I noticed 
that you mentioned that this should not be done?  Could it still have 
survived the FDISK /MBR and not be picked up by McAfee now, or does it 
appear that the virus was taken care of after all?

**************************************************************************
Byron D. Holdiman     (holdiman@luna.cas.usf.edu)  
  Graduate Assistant, LIS 2002 - Introduction to the Internet
  ALIS Vice-President, USF Chapter

Check out my Resume:  http://genealogy.org/~holdiman/resume.html
**************************************************************************

------------------------------

Date: Thu, 21 Mar 1996 20:20:51 -0500
From: "Byron Holdiman (LIS)" <holdiman@luna.cas.usf.edu>
Subject: Re: Jackal.B (PC)
X-Digest: Volume 9 : Issue 41

We are not using DiskManager, but we are using 2.2.B (Mar 96).

**************************************************************************
Byron D. Holdiman     (holdiman@luna.cas.usf.edu)  
  Graduate Assistant, LIS 2002 - Introduction to the Internet
  ALIS Vice-President, USF Chapter

------------------------------

Date: Fri, 22 Mar 1996 02:48:37 +0000 (GMT)
From: Maxine Sheinin <msheinin@ix.netcom.com>
Subject: McAfee Vshield 2.9 and windows (PC)
X-Digest: Volume 9 : Issue 41

We installed McAfee Vshield 2.9 on a Novell Network.  Did the vshield and
swap option before network connect and a vshield reconnect after.  Then
loaded windows 3.11 (not workgroups enabled).  Many of the workstations
started getting emm386 (#06) errors...reminds me of the black screen of
death.  Does anyone have any similar conditions or any suggestions on what
the problem might be?  We are checking with McAfee but your support would
probably be quicker than theirs...

Thanks for any assistance, Maxine Sheinin

------------------------------

Date: Fri, 22 Mar 1996 08:37:57 +1100
From: Bernard Duggan <d3064084@toscanini.anu.edu.au>
Subject: Re: MSAV says files changed (PC)
X-Digest: Volume 9 : Issue 41

BMosher183@aol.com wrote:

> I have been running MSAV every so often and I get (File has been changed)
> errors on a lot of files I just update the files and
> 
> So I download McAfee 95 and ThunderByte 95 and ran them and they found
> nothing. Do the shareware versions of these programs work? 
> Do I have some
> sort of Virus? or am I just confused ?

I couldn't say it with 100% certainty, but as far as I can tell, this is
just MSAV being paranoid.  In the short period I was using it, I too was
bugged by this report.

In my experience, McAfee and Tbite are considerably better scanners
anyway, and yes, the shareware versions do work.

Bernie

------------------------------

Date: Fri, 22 Mar 1996 10:52:25 +0000 (GMT)
From: Wayne Riddle <riddler@agate.net>
Subject: Re: Possible virus--adds to command.com (PC)
X-Digest: Volume 9 : Issue 41

Greg Wesson <chaotic@pe.net> wrote:

>Hello, my name is Greg Wesson.  I think I have a virus, but I'm not sure. 
>I am running DOS 6.22 and Windows 3.1 (just upgraded to 3.11).  About 30
>40 days ago, I got an error when starting dos.  The error said "Bad or
>missing command interpreter (i.e. c:\command.com)" and then prompted me
>with "c>" 

Boot from a clean disk with a good (i.e., not MSAV) and run a check.
Several shareware and evaluation anti-virus programs are available for
downloading off the Internet. If everything comes up clean, boot from
a clean disk that has a copy of SYS for your version of DOS and use
and type SYS C: 

Wayne Riddle
riddler@agate.net
http://ourworld.compuserve.com/homepages/riddler

------------------------------

Date: Fri, 22 Mar 1996 20:13:20 -0800
From: Sune Lundholm <sune@novell.central.se>
Subject: Is ARJ 2.8 a trojan? (PC)
X-Digest: Volume 9 : Issue 41

Can somebody tell us if PKZip 3.0, 4.1 and ARJ 2.8 are trojans or just 
fakes. And if they are trojans what is the damage?

			WBR

[Moderator's note:  The PKZip issue was discussed recently--look for the
official announcement on a page somewhere off http://www.pkware.com/.]

------------------------------

Date: Fri, 22 Mar 1996 21:34:34 +0000 (GMT)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
X-Digest: Volume 9 : Issue 41

In article <0031.01I2LFSELJ3CRI6EE6@csc.canterbury.ac.nz>
	   gerald@pfeifer.co.at "Gerald Pfeifer" writes:

> In the process of deciding whether to renew my current F-Prot license or
> switch over to Dr Solomons, I ran a few tests last week.
>
> While both products seem to be quite good in detecting viruses, testing their
> abilities to *identify* viruses revealed some interesting results. (Basic
> familiarity with the CARO naming scheme is assumed throughout the rest of this
> posting.)
>
>   FindViru 7.57           F-Prot 2.21
>   -------------           -------------
>
>   like Casino.2331        Casino.2330.A
>
> Just how long is this virus then? 2331 or 2330 bytes?
>
>   like Cascade            Cascade.1701.A
>   like Cascade            Cascade.1704.A
>
> So does FindViru call all members of the Cascade family just Cascade?
>
>   like Cascade.1701       Cascade.1704.D
>   like Cascade.1704       Cascade.1704.Y
>
> No, it does recognise Cascade.1701, but why does F-Prot identify the same
> virus as Cascade.1704?
>
>   like Possessed.2367     Possessed.2367

Ok, I see your problem.  You were testing against a collection of 
viruses.  FindVirus goes into a rapid "review" mode when it 
encounters more than about ten different viruses on a computer.  
It does this because the situation is an unreal one indicating 
that someone is doing a performance test, not coping with a 
genuine virus outbreak.

If you want it to do the exact identification that it would 
normally do, there is a command line switch that makes it stay in 
precise identification mode.  I think it is /IDENTIFY. 

> I do know that these examples are somewhat arbitrary, and I still do
> believe that both products are among the best in their class, but I also do
> believe that we can draw at least some conclusions from these results.

The conclusion is that you ran it on a collection of viruses and 
it went into "review" mode.  The word "like" is the giveaway.  

- -
WE CAN'T                    BUT WE DO SUPPLY
	PROVIDE YOU                         THE BEST DARN BAIT
		   WITH A DATE                                Burma-Shave

------------------------------

Date: Fri, 22 Mar 1996 19:35:38 -0500
From: Steven Hoke <shoke@baldcom.net>
Subject: Re: Need Help With a virus called SCRMING.FIST.II.652 (PC)
X-Digest: Volume 9 : Issue 41

Annie Hayes wrote:

> I'm a tech for a big accounting firm.
> 
> The users often have to connect on customer's networks. They are bringing
> back hundreds of viruses; McAfee 227 is usually doing the job but I have a
> couple of laptops with every executable file infected by what McAfee 227
> detects to be a virus called SCRMING.FIST.II.652 at the same time it's telling
> me that there's no remover for this virus.  I really need to find a scanner
> that will do the job.

I think that F-Prot will. I can't be certain it's the same virus, because
of the non-standardization of virus names, but F-Prot's documentation
lists a Screaming_Fist.652, which may be the same virus, since it lists
the size as the same (they don't list any Screaming.Fist with a II in the
name), and it says that it can remove the virus. You can get F-Prot 2.22
at ftp://garbo.uwasa.fi/pc/virus/ or at
ftp://ftp.simtel.net/pub/simtelnet/msdos/virus/fp-222.zip

Don't forget to first boot from a clean, uninfected, write-protected
floppy before running F-Prot, preferably from another clean, uninfected,
write-protected floppy.

- - 
- -==Steve==--

shoke@baldcom.net
steven_hoke@msn.com

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 41]
*****************************************


