Message-Id: <01I37FTNL19GSH3CBI@csc.canterbury.ac.nz>
Date: 	Sat, 06 Apr 1996 02:55:55 +1200 (NZT)
Reply-To: virus-l@Lehigh.EDU
Sender: owner-virus-l@Lehigh.EDU
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>
Subject: VIRUS-L Digest V9 #42
MIME-version: 1.0
Content-transfer-encoding: 7BIT
X-Sender: cctr132@cantva.canterbury.ac.nz
X-Listprocessor-Version: 7.2 -- ListProcessor by CREN

VIRUS-L Digest  Saturday, 6 Apr 1996    Volume 9 : Issue 42

Today's Topics:

Virus signatures
What is OJ Virus? What does it do?
Re: QUESTION: Email viruses
Why I abandoned McAfee
RE: McAfee Dishonesty
Re: Contacting Command Software
Is MEANING.EXE a Trojan horse?
Re: Macafee support stinks
Re: Flash BIOS viruses?
Unix Virus Scanning Software? (UNIX)
Virus scanning tools running on Unix? (UNIX)
vlad the impaler (MAC)
concept virus on macintosh (MAC)
Possible new virus? (WIN95)
32-bit Win95 virus? (WIN95)
Junkie.MBR or other unknown virus appends command.com (WIN95)
NAV upgrade hidden files (WIN95)
386SPARTN.PRN and Win 95 boot sector modification (WIN95)
Drive Space 3 Problems (WIN95)
Re: TBAV says HIMEM.SYS changed (WIN95)
Bytes added to files (WIN95)
Viruses from kids floppies - How I stopped them... (WIN)
virus affecting winhelp.exe? (WIN)
"loading bootstrap" message (PC)
Does somebody know 'Partitori-B'? (PC)
Re: Ripper virus (PC)
Cmos-corrupting Virus (Monkey?) (PC)
Re: Anti exe virus (PC)
Re: MS Macro Virus Tool (PC)
Re: CONCEPT/Word Perfect macro: really no cure? (PC)
Re: CONCEPT/Wordperfect macro:really no cure? (PC)
Re: Neuroquila (PC)
how to get rid of Urkel (PC)
Re: Anti exe virus (PC)
Re: Neuroquila (PC)
Re: WelcomB Virus (PC)
Re: F-PROT, Opinions? (PC)
Re: Neuroquila (PC)
Netscape virus? (PC)
Theta virus ..... anybody got solutions??? (PC)
Jerus X (PC)
Re: Michelangelo recovery methods (PC)
634K of RAM--virus? (PC)
anticmos?? Help (PC)
McAfee Scan 2.3.0. Genuine? (PC)
LAN infected with FORM? (PC)
HELP stoned 4 virus (PC)
Dr Solomon's 7.58 available for download (PC)
Residual effects of a virus? (PC)
Doom2 Death virus question (PC)
Lost Harddrive (PC)
Re: Bones Virus (PC)
Re: Virus??? (PC)
Re: Virus??? (PC)
FindVirus 7.58 fails to detect Macro.Word.Xenixos virus (PC)
Re: Did Michelangelo Virus Wipe this PC's Hard Drive? (PC)
F S Virus - Anybody??? (PC)
Re: Anti exe virus (PC)
Re: Need Help With a virus called SCRMING.FIST.II.652 (PC)
Re: Virus??? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Fri, 22 Mar 1996 21:14:49 +0000 (GMT)
From: James Kruger <jkruger@ucg.com>
Subject: Virus signatures
X-Digest: Volume 9 : Issue 42

I was wondering if there is a library of virus signatures.
I have a couple virus scanners that allow you to add signatures
to look for and I wish to update the files.

Please reply to "jkruger@ucg.com".

Thanks and sorry if this question has been asked before.

[Moderator's note:  This question is often asked and the reasons it is a
poor idea are covered in the FAQ.]

------------------------------

Date: Tue, 26 Mar 1996 10:03:08 +0000 (GMT)
From: Mark.Trayling@otis.netspace.net.au
Subject: What is OJ Virus? What does it do?
X-Digest: Volume 9 : Issue 42

What does the OJ Virus do?

------------------------------

Date: Wed, 27 Mar 1996 13:49:00 -0600 (MDT)
From: DONNY@iris.co.il
Subject: Re: QUESTION: Email viruses
X-Digest: Volume 9 : Issue 42

> I'm wondering, why isn't an email virus possible?  I read that no one
> really needs to worry about loading an email message from a service
> like AOL or Compuserve and receiving a virus on their home PC.

If an email service allows the email to contain "automatic execution"
code then it is definitely possible to attach code to email and cause
a lot of trouble. Basically, it is recommended not to use any email
reader that automatically runs code. The situation is bad enough when
someone sends you a file and says "run this, it is a cute program
that displays a Christmas tree" in which the file has more than that.
At least this "trick" will not work with those who are suspicious about
any incoming mail. When the mail is executed automatically (when read) the
situation is worse since you have no control over what is happening.

> Wouldn't it be possible to write code that is an attached .EXE file and
> is called into downloading itself by the 'read mail' action of the
> service provider?

Most email systems don't automatically run email when the email is read.

BTW, the executable being run doesn't automatically mean that it is
a virus (or worm). It can also be a trojan horse.

Donny Gilor (Dr. Virus)    donny@iris.co.il
-----------------------------------------
Development manager, Iris Software (Israel)
Tel: (972)-3-9221280   Fax: (972)-3-9228060

------------------------------

Date: Tue, 26 Mar 1996 15:57:18 +0000 (GMT)
From: The Toad <notpc@ix.netcom.com>
Subject: Why I abandoned McAfee
X-Digest: Volume 9 : Issue 42

I subscribed to McAfee and was supposed to get free updates, via
downloading .dat files, for 2 years.  That was less than a year ago.
Two months ago, they stopped letting me download the .dat files
without a password and some other ID number, neither of which they had
given me.

I have sent several e-mail requests for help to "support."  All have
been ignored.  I called the 800 number, was put on hold and then cut
off.  Twice.

Finally, I decided to go with a different vendor.  After research, I
picked S&S (Dr Solomon).  I signed up, and they delivered the software
THE NEXT DAY!!  I haven't installed it yet, mainly because they want
me to boot from my original DOS floppy, and I need to find that first.
But, the installation looks easy and those I asked said that the
updates arrive by snail mail as scheduled, regular as clockwork.

I also use F-Prot (the freeware version), and have updated that
twice, without incident.

Frankly, I think that McAfee (described as the 700-lb gorilla of virus
protection) is terminally ill, and I don't intend having anything
further to do with them.   

Toad

------------------------------

Date: Wed, 27 Mar 1996 08:40:22 -0600
From: Duane Franklet <DFranklet@uh.edu>
Subject: RE: McAfee Dishonesty
X-Digest: Volume 9 : Issue 42

hunterj@nethost.multnomah.lib.or.us writes:

>After finally locating and downloading the updating .dat files, which were
>supposed to be provided to me free for two years as a registered user,
>they disabled the Vshield.  McAfee support, such as it is, did not respond
>to two email messages, nor to a telephone call.

I agree with your frustration completely and it mirrors my own experience.
I know McAfee folks read this list (although probably not the ones
responsible for this decision/implementation). Please forward these signs
of discontent to those appropriate at your company...

The "Out of memory" message is inexcusable. I can't imagine how many
people have had to sit there, tweaking memory config, thinking, "Ah, there
must be too many virus signatures. The DAT file's too big. I can get this
to work..."

Dr. Solomon, FPROT, here comes business...

DFranklet@uh.edu

------------------------------

Date: Wed, 27 Mar 1996 08:43:09 -0600 (GMT-0600)
From: Georgina Kisling <gina@ucb.edu.bz>
Subject: Re: Contacting Command Software
X-Digest: Volume 9 : Issue 42

Hope this is what you're looking for:

		  Command Software Systems, Inc
		  1061 E. Indiantown Road
		  Jupiter, FL  33477
		  USA
		  +800 423-9147
		  +407-575-3200
		  +407-575-3026 FAX

		  sales@commandcom.com
		  http://www.commandcom.com

Gina
---
Georgina Kisling                   Voice: +501 2 30256/32733
Computer Specialist Trainee        Fax  : +501 2 30255
University College of Belize       
Box 990, Belize City, BELIZE       Email: gina@ucb.edu.bz

------------------------------

Date: Wed, 27 Mar 1996 14:56:12 +0000 (GMT)
From: Anthony Garcia <agarcia@starbase.neosoft.com>
Subject: Is MEANING.EXE a Trojan horse?
X-Digest: Volume 9 : Issue 42

I noticed the file MEANING.EXE being forwarded around our mail system
yesterday.  Supposedly it will display a humorous message when
executed.  I did a Dejanews search and found an article from Glen
Benson (benson@xroads.com) posted to alt.med.fibromyalgia on February
23rd indicating that MEANING.EXE may be a trojan horse or may be
infected with a virus.

Has anyone else seen this program, and does anyone know of any possible
harmful behavior it may exhibit?

Thanks,
-Anthony Garcia
agarcia@neosoft.com

------------------------------

Date: Wed, 27 Mar 1996 10:43:56 +0000
From: "Denis Parslow (Almo Distributing)" <dgp@world.std.com>
Subject: Re: Macafee support stinks
X-Digest: Volume 9 : Issue 42

>I bought VirusScan 95, and my current version recognizes me as a
>licensed user.  Whenever I try to update it from FTP site, I get a
>"thank you for evaluating message" when I run the updated version, and
>it no longer recognizes me as a licensed user.  Over a month period, I
>have sent four emails to support@mcafee.com, without response.  I'm
>ready to dump the program and try Norton.  Any suggestions?

I am sure I won't be the only person to tell you this, but the 
products you are downloading *are* evaluation copies.  This is why 
you get that message.  If you want to use your licensed copy, you 
need to update *only* the data file, and may need to get a version 
update periodically anyway.

Denis Parslow
Engineering Mgr
Almo Distributing, Trademark Computers
dgp@world.std.com
http://www.almo.com
http://world.std.com/~dgp/

------------------------------

Date: Wed, 27 Mar 1996 10:43:56 +0000
From: "Denis Parslow (Almo Distributing)" <dgp@world.std.com>
Subject: Re: Flash BIOS viruses?
X-Digest: Volume 9 : Issue 42

Pavel Machek writes:

>I don't think so. In my computer, there's an Ami WinBIOS, which has
>windows etc. Only small part of bios is that which deals with floppy. (And
>that is the only part needed for upgrading FlashBIOS). So I believe, that
>even with flash bioses there's a small ROM part that allows you to reread
>Flash BIOS from floppy.

Actually, WinBIOS is called that merely because it has a GUI.  It 
contains no part of Windows whatsoever.  Derek was very correct when 
he tells you that if something bad happens flashing your BIOS, you 
are cooked, and need to replace the chip.

(Not that this is getting off the subject of viruses or anything ;-)

The BIOS needs more than the floppy drive to update itself:  it needs 
the CPU, the memory, the flash software, the floppy drive, and the 
video at a minimum.  If the BIOS provides the flash software (I have 
never heard of this), then you need the CMOS BIOS program (WinBIOS is 
particularly large) itself.  Otherwise, you need to be running at 
least some sort of rudimentary OS.

When the flash program warns you "DO NOT TURN OFF POWER WHILE 
PROGRAMMING", this is a hint that if you do, you will need a new BIOS 
chip.

Denis Parslow
Engineering Mgr
Almo Distributing, Trademark Computers
dgp@world.std.com
http://www.almo.com
http://world.std.com/~dgp/

------------------------------

Date: Sat, 23 Mar 1996 21:52:39 -0500 (EST)
From: Charles Henrich <henrich@crh.cl.msu.edu>
Subject: Unix Virus Scanning Software? (UNIX)
X-Digest: Volume 9 : Issue 42

I've been scouring the net for the last hour or so and have yet to come
across any mention of scanning software for unix systems.  Does such a
beast exist?

I'm looking for a program that will go through a directory and unzip zip
files, un-tar tarfiles, and scan for Mac/PeeCee virus.

All comments appreciated!

-Crh

       Charles Henrich     Michigan State University     henrich@msu.edu

			 http://pilot.msu.edu/~henrich

------------------------------

Date: Sun, 24 Mar 1996 20:55:21 +0000 (GMT)
From: Tom KC Basham <thunk@cris.com>
Subject: Virus scanning tools running on Unix? (UNIX)
X-Digest: Volume 9 : Issue 42

I'm doing some work with an FTP site and we'd like the ability to scan
uploaded files on the server. (most of the uploaded files will be from the
PC world). Could anyone provide any leads on commercial/shareware/whatever 
utilities?

- - 
- ---
Tom "KC" Basham a.k.a "Thunk"            Senior Editor, PC ACE Magazine
Email: thunk@cris.com                   
	     
	  

------------------------------

Date: Sat, 23 Mar 96 20:10:42
From: Dan Doyle <ddoyle@csrlink.net>
Subject: vlad the impaler (MAC)
X-Digest: Volume 9 : Issue 42

I am interested in information about the nature of and method of removing
"vlad the impaler" from a macintosh.

ddoyle@csrlink.net

------------------------------

Date: Tue, 26 Mar 1996 22:10:05 +0000 (GMT)
From: Sang Park <dtutor@uclink2.berkeley.edu>
Subject: concept virus on macintosh (MAC)
X-Digest: Volume 9 : Issue 42

Can anyone tell me whether the Symantec Antivirus for Macintosh (SAM) 
removes the concept macro virus from MS Word files or it simply 
deactivates, as per the MS 'Scanprot.dot' macro?

Much appreciate any help,

Sang

------------------------------

Date: Sat, 23 Mar 1996 07:14:55 -0500
From: JaegerSoft <jaegersoft@aol.com>
Subject: Possible new virus? (WIN95)
X-Digest: Volume 9 : Issue 42

I think we may have a possible virus on our systems. The Mcafee and Norton
AV both show everything as clean.

It happens to two of our Win95 machines which are RJ45 netted to each
other and use the Win95 networking.

Both machines show what is best described as a lockup for about a second
every 10-25 minutes.  Whether running Windows screen saver or Win
application or a game in a dos box, it will just stop and restart in a
series of 4 stop and start hiccups.  A performance monitor will show
between 50 and 60 % cpu usage during this event.

At first I thought this was a network problem and have been checking
things with that until the day before yesterday.  Every so often (there
was no definite pattern), one of the machines would do the hiccup and
generate sound out of the speakers.  This sound was that of a poor
recording with someone saying (kind of unintelligibly) something about over
and over.  I am not going nuts, this was witnessed by several of our
people.  It coincided with the cpu usage spikes.

Since that day, no more sound, but the hiccups continue.

Anyone have any ideas?

Matt Shaw
SPGS, Inc.
Makers of 
Philips Media's 
Fighter Duel

------------------------------

Date: Sun, 24 Mar 1996 04:12:08 +0000 (GMT)
From: Charlie Bryant <cbryant@vni.net>
Subject: 32-bit Win95 virus? (WIN95)
X-Digest: Volume 9 : Issue 42

Guy in our shop booted up his Win95 machine the other day and got this
message on his screen:

		       The new Internet AIDS
		    http://www.hiv.aids.death

	    The undetectable 32 bit virus for Windows 95

	    Infection is spreading faster than expected

		You have less than 1 month to live

Press any key to continue . . .


Okay, I know it's an obvious joke address and all that, and it sounds 
like the work of a lamer who figured out how to plant a text file 
somewhere.  But has anybody else seen this, or anything like it?

----------------------------------
Charlie Bryant
Another guy with too many computers
http://www.vni.net/~cbryant
----------------------------------

------------------------------

Date: Sun, 24 Mar 1996 12:52:29 +0000 (GMT)
From: P Boutros <PCBOUTRO@WEDGE.Watstar.UWaterloo.CA>
Subject: Junkie.MBR or other unknown virus appends command.com (WIN95)
X-Digest: Volume 9 : Issue 42

My friend has a P100, running win 95 and scan 95 1.00. 

Mcafee Scan told him he had Junkie.MBR on his computer, but it couldn't 
remove until a clean boot up was made.  

He tried to boot off of his gateway 2000 bootup disk, which in turn made 
him boot off of a CD.  Mcafee still couldn't clean.  

I sent him F-prot on a clean Dos622 disk.  

He claims it didn't clean, but mcafee scan (DOS) off a clean win95 
startup disk found nothing.

Afterwards, the computer would not boot up off of hard disk 
BECAUSE COMMAND.COM WAS APPENDED TO.

No virus checkers caught the appending, I just noticed his command.com 
was larger than mine.  I deleted his and replaced with clean copies.  

HELP HELP HELP
1.  What the hell was that?  A virus?  Junkie.MBR?  A boot sector virus 
that overwrites?
2.  Did that append to anything else?  His graphics are a little fucked 
up, but I can't see anything wrong.
3.  His Gateway bootdisk needs a CD to boot without hard disk. Is this 
safe?

Please reply to 
PCBOUTRO@NOVICE.UWATERLOO.CA

------------------------------

Date: Mon, 25 Mar 1996 19:02:49 -0800
From: Lycanthrope <ewright@ap.net>
Subject: NAV upgrade hidden files (WIN95)
X-Digest: Volume 9 : Issue 42

howdy. I recently d/led the word macrovirus upgrade for NAV95. I followed
the directions which said to unzip in a temp directory, scan, etc.
everything worked fine but now my temp directory is full of hidden files
relating to NAV. I tried deleting them but that caused my "file manager"
and desktop to have about 30 new files on it, still relating to NAV. can I
delete these or move them to my NAV directory without any harm? thanks in
advance...
- - 
-Lycanthrope
ewright@ap.net

------------------------------

Date: Mon, 25 Mar 1996 23:23:19 -0500
From: Wayne Shanks <Aleph@wam.umd.edu>
Subject: 386SPARTN.PRN and Win 95 boot sector modification (WIN95)
X-Digest: Volume 9 : Issue 42

386SPARTN.PRN

The file above appeared in the root directory on the C drive.  It seems 
to always be in use in that I can not rename it or move it.

McAfee can not read it to test for a virus.

Also every time I boot win 95 the Bios boot sector modification alarm 
goes off.  Is this normal?  I am having tremendous trouble with 
protection fault errors.  If I format a system disk and boot off it I 
get no Bios alarm.  What is going on.... is this a Virus?

McAfee, and TBAV, and Doctor anti virus scanners find nothing.

Any ideas or tips would be greatly appreciated.

Wayne Shanks

------------------------------

Date: Wed, 27 Mar 1996 10:26:24 -0600 (cst)
From: "Arif, Rahan" <rarif@chiaolink.dcmdc.dla.mil>
Subject: Drive Space 3 Problems (WIN95)
X-Digest: Volume 9 : Issue 42

I have been having some trouble with my compressed hard drive. I had 
Windows 95 with PLUS! installed in my computer using PLUS!'s version 
of Drive Space. Due to some unrecoverable errors in the system 
registry, I almost gave up after many attempts to fix it. Finally, I 
erased the entire c:\windows tree and I installed Windows 95 again.  
It barely installed, but I was lucky.  Well the weird registry problem 
was fixed, but now every time I start my computer I get a blue screen 
with a message saying that my DRIVESPACE DRIVER doesn't match with 
current driver it is using. That's because Windows 95 is trying to use 
its own older version of Drive space and it can't recognize the Drive 
space 3 format.  So logically after seeing this appear, I tried to 
install PLUS! again.  But after several attempts, PLUS! didn't install 
at all.  A message saying that TOP LEVEL INFORMATION COULD NOT BE 
PROCESSED kept appearing.  Also when I go to My Computer and click on 
Properties, it shows that I have 1.6 GIGABYTES of FREE SPACE, when my 
original hard drive was only 200 MEGABYTES to begin with! and after 
being compressed, it should only have been around 380 megabytes!!!  I 
really need some help in figuring out how I can possibly reinstall 
Drive Space 3 or some way I can extract the Drive Space 3 components 
from the .CAB files found on the PLUS! CD-ROM.  Also can anyone tell 
me the address of the Windows 95 Tips list. I was once on it and I 
lost the subscription address.  Any help will be highly appreciated.

Thank you very much,

rarif@chiaolink.dcmc.dla.mil

------------------------------

Date: Wed, 27 Mar 1996 18:37:11 +0000 (GMT)
From: Ian Mullins <obe4019@InfoNET.st-johns.nf.ca>
Subject: Re: TBAV says HIMEM.SYS changed (WIN95)
X-Digest: Volume 9 : Issue 42

Jared Williams (williams@finland.it.earthlink.net) wrote:

: I am currently running thunder byte for dos. It came with 
: Windows 95 and when I boot up using it, it always says 
: himem.sys has been changed. It won't allow to validate it. Is 
: there anyone out there that has had the same problem using 
: thunderbyte? 

If you ran TBSETUP before installing Windows '95, then installed Win '95 
and scanned your system it would say that. First boot with a boot disk 
and scan your system to make sure it's not a virus. If all is well, make 
sure the HIMEM.SYS file is 32,935 bytes long. If so, it's 99.9% likely 
that it's not infected. Then, simply make sure that the option "Only New 
Files" is not checked in the TBSETUP options, and then run TBSETUP. 
After it's complete, it shouldn't say that HIMEM.SYS has changed anymore.

- -
Crash,
Remote SysOp of The Danger Zone (709)368-4709
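
The sequence described in the reply above, as an added example that is not part of the original post and is not TBAV's own code: a simplified model of a checksum-style integrity checker, showing why a legitimate upgrade raises a "changed" alert and why re-recording with an "only new files" option leaves the stale record in place. The function names, the only_new flag and the 30,000-byte starting size are assumptions made for illustration; only the 32,935-byte size comes from the post.

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (size, SHA-256 hex digest) for one file."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return os.path.getsize(path), digest.hexdigest()


def record_baseline(directory, baseline=None, only_new=False):
    """Record fingerprints for every regular file in `directory`.

    only_new=True models an "only new files" option (an assumption about
    how such an option behaves): files that already have a record keep
    it, even when the file on disk has since been replaced.
    """
    updated = dict(baseline or {})
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        if only_new and name in updated:
            continue  # existing record is left untouched
        updated[name] = fingerprint(path)
    return updated


def check(directory, baseline):
    """Compare files on disk with the baseline; return {name: status}."""
    report = {}
    present = set()
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        present.add(name)
        if name not in baseline:
            report[name] = "unrecorded"
        elif fingerprint(path) != baseline[name]:
            delta = os.path.getsize(path) - baseline[name][0]
            report[name] = "changed (%+d bytes)" % delta
        else:
            report[name] = "ok"
    for name in baseline:
        if name not in present:
            report[name] = "missing"
    return report


def demo():
    """Replay the post's sequence using constructed stand-in files."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        himem = os.path.join(root, "HIMEM.SYS")

        # Constructed stand-in for the driver present when the baseline
        # was first recorded (30,000 bytes is an arbitrary sample size).
        with open(himem, "wb") as handle:
            handle.write(b"\x00" * 30000)
        baseline = record_baseline(root)
        results["before_upgrade"] = check(root, baseline)

        # The OS install replaces the driver; 32,935 bytes is the size
        # quoted in the post, the content here is constructed.
        with open(himem, "wb") as handle:
            handle.write(b"\x01" * 32935)
        results["after_upgrade"] = check(root, baseline)

        # Re-recording with only_new=True keeps the stale record, so the
        # alert persists.
        stale = record_baseline(root, baseline, only_new=True)
        results["rerun_only_new"] = check(root, stale)

        # A full re-record, done only after a clean-boot scan as the post
        # advises, replaces the record and clears the alert.
        fresh = record_baseline(root, baseline, only_new=False)
        results["rerun_full"] = check(root, fresh)
    return results


if __name__ == "__main__":
    for step, report in demo().items():
        print(step, report)
```

A full re-record accepts whatever is on disk as trusted, which is why the post puts the clean-boot scan and the size check first.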

------------------------------

Date: Wed, 27 Mar 1996 12:25:24 -0600 (CST)
From: Pete Turner <Pete_Turner@bakerbotts.com>
Subject: Bytes added to files (WIN95)
X-Digest: Volume 9 : Issue 42

Anyone using Win95 with WinZip *installed* and experiencing "bytes added
to files" should obtain the most recent version of WinZip.  A known bug in
one version of WinZip (6.0b, I believe) causes this and often makes the
user think s/he has a virus. 

------------------------------

Date: Wed, 27 Mar 1996 11:40:34 -0500
From: Mike Lawrence <webber@va.pubnix.com>
Subject: Viruses from kids floppies - How I stopped them... (WIN)
X-Digest: Volume 9 : Issue 42

I believe most viruses enter from a floppy or modem. 
If your kids are introducing viruses to your computer, you can 
try IconHideIt. I use it to lock down the DOS box, groups, 
icons, directories, communication and printer ports. 

http://www.mclellansoft.com/iconhideit/ or 1-800-794-5679 

-mike

------------------------------

Date: Sun, 24 Mar 1996 23:36:19 +0000 (GMT)
From: "G.h.van den Berg" <guy@net-prophets.co.uk>
Subject: virus affecting winhelp.exe? (WIN)
X-Digest: Volume 9 : Issue 42

Does anyone know of a virus that infects at least winhelp.exe...my
copy has corrupted lately and when I reinstall it it corrupts again.
The version on the install disks is 256,192 bytes; after a Windows
session that has refused to run winhelp, winhelp.exe is now
258,150...does anyone know what is going on? I have also noticed a
drop in system performance of late. Do I have a virus...all the scans
I have run so far don't detect anything.

TIA.

g.

------------------------------

Date: Sat, 23 Mar 1996 00:23:02 -0800
From: "J. L. Packer" <jpack@nicoh.com>
Subject: "loading bootstrap" message (PC)
X-Digest: Volume 9 : Issue 42

I recently dealt with (and hopefully eliminated!) what McAfee identified 
as anti-cmos, as well as a stealth virus. When I first began experiencing 
symptoms of these viruses on my pc, I noticed a message at bootup (which I 
do not recall having seen previously) reading "loading bootstrap". After 
eliminating the virus infections (I reformatted my hard drive and restored 
from backup.... just to be on the safe side), my pc no longer displays 
the mystery message. Question: does anyone know what the "loading 
bootstrap" business was all about?

regards, JP
jpack@nicoh.com

------------------------------

Date: Sat, 23 Mar 1996 17:01:26 +0000 (GMT)
From: Oliver Heidelbach <oheiabbd@fub46.zedat.fu-berlin.de>
Subject: Does somebody know 'Partitori-B'? (PC)
X-Digest: Volume 9 : Issue 42

Has anybody ever heard of a virus called 'Partitori-B'?

I have to deal with it, but I can't find any reference,
not in McAfee's VSUM, not anywhere else.

The only thing I can say up to now is, that it must
be a boot sector virus and that it draws a red box
on the screen.

It also made Word for Windows ('95) refuse to
load documents.

I need a strategy to handle that virus.

If 'Partitori-B' should be an uncommon alias
I would appreciate if somebody can tell me its
common name.

TIA, Oliver
- -
Internet: oheiabbd@zedat.fu-berlin.de
BBS: o.heidelbach@telemail.berlinet.de
WWW: http://fub46.zedat.fu-berlin.de:8080/~oheiabbd


------------------------------

Date: Sat, 23 Mar 1996 11:40:40 -0700 (PDT)
From: cribbv@icsi.net
Subject: Re: Ripper virus (PC)
X-Digest: Volume 9 : Issue 42

In response to Florian Erhard's post regarding the Ripper virus, the
moderator said: "... You may need to floppy boot a version of DOS earlier
than MS-DOS7 and run a dos-based disinfector."

The key here being "floppies with an earlier version of DOS and a
DOS-based disinfector."

Even though Windows 95 saved your old DOS during Setup, you may soon find
yourself in a situation where you will be forced to re-format your hard
drive and, if so, you just lost the most versatile version of DOS if you
haven't saved it.

Myself, I'm glad that years ago I prepared a set of emergency disks (3)
complete with the essential DOS programs, drivers, appropriate
autoexec.bat & config.sys, and an anti-virus program. The only thing I
can't do, when using them, is operate Windows 95 or restore a Windows
backup.

PS: Two medium-size hard drives are better than one large one, especially
if you use the slave to save your documents, templates and supporting
graphics.

------------------------------

Date: Fri, 22 Mar 1996 04:42:28 -0500
From: Wayne Shanks <Aleph@wam.umd.edu>
Subject: Cmos-corrupting Virus (Monkey?) (PC)
X-Digest: Volume 9 : Issue 42

There is now a full blown epidemic in the Maryland area (maybe overstated, 
but I know of over 70 computers at dozens of sites infected).  This 
Virus deletes the Cmos setup info.  You can go back in and reset 
everything, but at the next reboot you have to do it again.  My father 
helps run the computer lab at the elementary school where he teaches.  A 
bunch of the computers in the lab had these problems, and he thought the 
clock/cmos went bad.  These computers were IBM PS2.  He talked with a 
tech support guy at IBM, and the Tech guy thought that it was not a 
Hardware problem, but a new Monkey Virus. The guy said it has popped up 
in the last 6 months.  When my father told me about this, a light went 
on.  For the last 2 or three months I have been hearing dozens of people 
complain about their Cmos dropping out.  

Have you heard anything about this?

Do you know how to kill it?

Wayne Shanks

------------------------------

Date: Sat, 23 Mar 1996 21:44:51 +0000 (GMT)
From: Wayne Riddle <riddler@agate.net>
Subject: Re: Anti exe virus (PC)
X-Digest: Volume 9 : Issue 42

Angela Cowley <Angela@squig.demon.co.uk> wrote:

> Every one I know who is not on the net is telling me
>I got it from the net, but are they right? I was online for 4 months on
>the old machine and that is ok.

Anti-Exe is a boot-sector virus. You picked up the virus from an
infected disk.

Wayne Riddle
riddler@agate.net
http://ourworld.compuserve.com/homepages/riddler

------------------------------

Date: Sat, 23 Mar 1996 21:56:14 +0000 (GMT)
From: Maxine Sheinin <msheinin@ix.netcom.com>
Subject: Re: MS Macro Virus Tool (PC)
X-Digest: Volume 9 : Issue 42

> Am evaluating the option of using either Microsoft's Macro Virus
> eradicator, or just going with the latest Norton AntiVirus version and
> signature files.... any experience, pro or con, either way?

I installed the Microsoft Protection Macro for Word.  Found a few minor 
irritable differences (one is that you cannot open multiple files at
once), but the alternative seems worse.  We started scanning (using
McAfee) the document files but found that some people had so many
documents on their hard drives that it took foreverrrrrrrrrrrrrrrrrr to
scan.  There is no noticeable file open or close delay in Word (6.0), so
we went with that.

------------------------------

Date: Sat, 23 Mar 1996 22:10:03 -0500
From: Richard Palumbo <rich@safari.net>
Subject: Re: CONCEPT/Word Perfect macro: really no cure? (PC)
X-Digest: Volume 9 : Issue 42

Our network was infected with this virus.  After cleaning with McAfee
the word perfect operators complain of computers hanging.  The Dos 6.0b
WP has been reinstalled yet the problem persists and none of the 
documents show infection :-(

------------------------------

Date: Sat, 23 Mar 1996 13:43:04 -0500
From: Richard Palumbo <rich@safari.net>
Subject: Re: CONCEPT/Wordperfect macro:really no cure? (PC)
X-Digest: Volume 9 : Issue 42

after detecting CONCEPT several workstations now hang
and one will present 242424242424 at the top of a document 
before hanging.

any comments :-(

------------------------------

Date: Sun, 24 Mar 1996 13:18:10 +0000 (GMT)
From: <oyvroe@svg.na.no>
Subject: Re: Neuroquila (PC)
X-Digest: Volume 9 : Issue 42

On 20 Mar 1996 22:10:05 -0000, Dan Wright <danright@ix.netcom.com>
wrote:

>McAfee Viruscan (7/95) detects Neuroquila or Nightfall virus in files,
>has no remover.
>
>Files are in a directory called Sentry that does not show on a tree,
>attempts to delete files result in "access denied". Over 700 files show
>up in a DIR, in the form #a1b2lrs.ms or some variant of this name. 8 of
>these are infected according to McAfee. These files are being created
>daily, some show dates before the computer was purchased.

Hi.. Seems like you're using Microsoft's Undelete Sentry (also found
in PCTools, but then the files have a different extension).. The Sentry
directory is a directory where the "Delete Sentry program" puts files
which are deleted, so that it's easy to undelete files which have been
protected by this program...

As for the virus signature of Neuroquila, it could be a false alarm,
specially if it only shows up in this exact directory... In either
case, if it's the case that it only occurs in the Sentry directory,
there is probably no danger.

The reason for you not being able to view the sentry directory, or to
delete the files is that the directory is hidden, and the files in it
are locked by the Undelete program...

One last thing:  Update your scanner, it's way too old.

------------------------------

Date: Mon, 25 Mar 1996 00:18:19 +0000 (GMT)
From: Jim Wu <yenchun@engin.umich.edu>
Subject: how to get rid of Urkel (PC)
X-Digest: Volume 9 : Issue 42

My computer was infected with Urkel.  Does anyone know how to
get rid of it?  Also, I could not access my D drive (hard disk).
Does this problem result from the virus?

Thank you!

e-mail:  yenchun@engin.umich.edu

------------------------------

Date: Mon, 25 Mar 1996 12:27:29 -0800
From: Kelvin Chien <kchien@chevalier.net>
Subject: Re: Anti exe virus (PC)
X-Digest: Volume 9 : Issue 42

Angela Cowley wrote:

> I bought a new computer 2 weeks ago and it was definitely clear of viruses
> when I got it, but then 5 days ago I discovered it had the anti exe virus.
> I know my old computer is clean and the floppies I installed the day I got
> it are clean, just ones I've used over the last week are infected. I've
> cleaned everything now and have dr solomons installed, but wonder where
> the virus came from. Every one I know who is not on the net is telling me
> I got it from the net, but are they right? I was online for 4 months on
> the old machine and that is ok.

Right and wrong. Provided you only "browse" on the net without clicking
on links that automatically download executable files, you shouldn't have
got it from the net. Java pages are, in this stage, not capable of
letting Java applets tweak into your harddisk. Uuencoded files can
contain viruses, but if you don't uudecode and use them, they're like
frozen chickens.

You would want to concentrate on how you got the virus. Below are
some tips:

* Do you let someone else use your diskettes/computer?
* Do you use your diskettes on computers other than your own?
* Do you have infected diskettes but still use them after you
  re-format them?
* Did you scan all diskettes including all your software, games etc?
* From your description, you said the floppies and the box were clean
  when you bought it from your vendor. A few years back when I helped my
  relatives/friends buy their first machines, some of them were already
  infected. Their floppies were fine, but if I hadn't checked their
  boxes, they'd sooner or later be infected by the virus on the
  boot sector, so that they would have had the case as you do now.

It's extremely important you have an up-to-date virus scanner. As you
may have read in the previous messages, people (my boss included :) use
Microsoft (or other old scanners) Antivirus and they think they are
virus-free. Trust no old scanners and keep yourself updated with new
scanners from those reputable companies (McAfee, F-PROT to name a few).

Cheers
_______________________________________________________________________
- Kelvin K. W. Chien                                                  -
- kchien@chevalier.net                                                -

------------------------------

Date: Sun, 24 Mar 1996 22:59:26 -0800
From: "Cory L. Curtis" <palmtops@starlink.com>
Subject: Re: Neuroquila (PC)
X-Digest: Volume 9 : Issue 42

Dan Wright wrote:

> Could use some help please for a friend's 486 PC.
> 
> McAfee Viruscan (7/95) detects Neuroquila or Nightfall virus in files,
> has no remover.
> 
> Files are in a directory called Sentry that does not show on a tree,
> attempts to delete files result in "access denied". Over 700 files show
> up in a DIR, in the form #a1b2lrs.ms or some variant of this name. 8 of
> these are infected according to McAfee. These files are being created
> daily, some show dates before the computer was purchased.
> 
> Anyone know what's going on here?


Check out this link:

http://www.datafellows.fi/vir-desc.html

It doesn't sound like Nightfall.
See what the file attributes are with attrib.
Change them with attrib *.* -a -h -r -s for example if the files have
all or any of these attributes, then try del . to get rid of them.
I don't know if this is what you're looking for?

Good Luck!

Cory

------------------------------

Date: Mon, 25 Mar 1996 11:59:52 -0800
From: Stephen Weller <stevefw@u.washington.edu>
Subject: Re: WelcomB Virus (PC)
X-Digest: Volume 9 : Issue 42

Yes, as a matter of fact it has been dormant in my machine for some time
now. Tried to kill it with McAfee's program, but had the same luck as you.
All my floppy disks seem to be infected as well. Where can I get this NAV
Antivirus program? I would really like to know.

Thanks a million.

Steve Weller

------------------------------

Date: Mon, 25 Mar 1996 22:59:37 +0300
From: dekel@carmel.haifa.ac.il (L. DEkel)
Subject: Re: F-PROT, Opinions? (PC)
X-Digest: Volume 9 : Issue 42

F-PROT is my favorite, it saved the day several times when other AV have
failed (McAfee, Invirc - to name just 2).

Just remember always to use the latest update of F-PROT.

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
L. DEkel
Email: dekel@carmel.haifa.ac.il
'''''''''''''''''''''''''''''''

------------------------------

Date: Mon, 25 Mar 1996 21:27:55 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Neuroquila (PC)
X-Digest: Volume 9 : Issue 42

Dan Wright <danright@ix.netcom.com> writes:

>McAfee Viruscan (7/95) detects Neuroquila or Nightfall virus in files,
>has no remover.
>
>Files are in a directory called Sentry that does not show on a tree,
>attempts to delete files result in "access denied". Over 700 files show
>up in a DIR, in the form #a1b2lrs.ms or some variant of this name. 8 of
>these are infected according to McAfee. These files are being created
>daily, some show dates before the computer was purchased.

Please try a newer version.  I believe I had a false id with the first
version of the code, which was from about that time.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Mon, 25 Mar 1996 17:27:09 -0800
From: Jared Williams <williams@earthlink.net>
Subject: Netscape virus? (PC)
X-Digest: Volume 9 : Issue 42

The other day my Thunderbyte anti-virus program discovered two .com files
in my Netscape's cache and said that they were suspicious files with
garbage. I executed it and had my printer off. Everything went fine. The
program went to DOS and the .com file tried to access the printer, but
since it was off it was unsuccessful. I got out of DOS and killed the
file afterward using Thunderbyte.

What I wanted to know is how did they get there? Did a virus possibly get
downloaded into my cache through a Java program or something else perhaps?

Thanks to any who can provide me with an answer!

						Jared Williams

------------------------------

Date: Tue, 26 Mar 1996 01:32:59 +0000 (GMT)
From: alan gan <alan.gan@mcdermott.com>
Subject: Theta virus ..... anybody got solutions??? (PC)
X-Digest: Volume 9 : Issue 42

I'd just encountered Theta virus in one of my user's PC. Does anyone
know how to deal with it?? Would appreciate some info from anyone.
I'd tried killing it with McAfee SCAN 2.2.9 with success.

------------------------------

Date: Tue, 26 Mar 1996 01:42:48 +0000 (GMT)
From: "Luciano A. Martinez" <hh805@cleveland.freenet.edu>
Subject: Jerus X (PC)
X-Digest: Volume 9 : Issue 42

Has anyone heard of this virus, I ran a virus detection utility on my PC
and it told me I had Jerus X. I was just wondering if anyone knows what to
do about this virus, and some noticeable side effects. 

------------------------------

Date: Mon, 25 Mar 1996 23:05:10 +0300
From: dekel@carmel.haifa.ac.il (L. DEkel)
Subject: Re: Michelangelo recovery methods (PC)
X-Digest: Volume 9 : Issue 42

Zvi Netiv (netz@actcom.co.il) wrote:

<snip>

: IN ALL OTHER CASES USE ResQdisk Professional (ResQpro). With disks that

	What a "nice" "objective" advice coming from a ResQdisk salesman...
	your sig. tells it all :
 "
: --------------------------------------------------------------------
: NetZ Computing Ltd, Israel          Producer of InVircible & ResQdisk
: Voice +972 3 532 4563, +972 52 494 017 (mobile)   Fax +972 3 532 5325
: Web sites:  http://invircible.com/  Anonymous ftp: ftp.invircible.com
: E-mail: netz@actcom.co.il netz@invircible.com  Compuserve: 76702,3423
: --------------------------------------------------------------------
 "

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
L. DEkel
Email: dekel@carmel.haifa.ac.il
'''''''''''''''''''''''''''''''

------------------------------

Date: Sat, 23 Mar 1996 16:27:25 -0500
From: Sayitmean <sayitmean@aol.com>
Subject: 634K of RAM--virus? (PC)
X-Digest: Volume 9 : Issue 42

I don't know the name of this virus, but my memory shows 634K.  I can't
run the 32 bit access through windows.  I looked on the FAQ but didn't see
any reference to it.  Can someone help?

Kim

------------------------------

Date: Sat, 1 Jan 1994 21:04:04
From: philski@spirit.com.au
Subject: anticmos?? Help (PC)
X-Digest: Volume 9 : Issue 42

help!!! I am running 486 dx4 120 award with 12 meg ram win 95. My problem
is that I get a "checksum error defaults loaded" and/or "cmos battery
failed" but it  is a brand new mo'board and I have replaced battery since
first occ!

Please help me I'm melting.

PS I have tried clean boot with fdisk/mbr and formatting hd.

------------------------------

Date: Tue, 26 Mar 1996 18:36:54 +0800
From: sg7248613@omega.ntu.ac.sg
Subject: McAfee Scan 2.3.0. Genuine? (PC)
X-Digest: Volume 9 : Issue 42

I recently encountered an evaluation copy of McAfee Antivirus Scan ver
2.3.0, which was released on 17 Jan 96. 

This is however, not available for download at McAfee's WWW site.
I wonder if this is a valid and genuine antivirus software, or is this
a dangerous copy of a virus?

Could anyone comment? 

------------------------------

Date: Tue, 26 Mar 1996 13:56:12 +0100
From: "David W. Hanson" <hansond@afrc.garmisch.army.mil>
Subject: LAN infected with FORM? (PC)
X-Digest: Volume 9 : Issue 42

>From: D3lyr1uM? <kore8@usa.pipeline.com>

>My lan at work is infected with the form virus, what will get rid of
>it?

Your LAN is -not- infected with FORM.  FORM is a boot-sector virus.  
The LAN has no boot sector, so the LAN is not infected.  The boot 
sectors on your LAN's workstations could be infected with FORM.

FORM is easily removed by the reputable scanners/disinfectors.

However, removing it from the workstations' boot sectors alone will 
not fix your problem.  You see, every diskette you have has a boot 
sector on it, bootable or not.  So you have to disinfect -every- 
diskette that you have.

So, first disinfect the hard drives on your workstations, then 
diligently hunt down every single diskette and disinfect them.

To prevent further occurrences of boot sector viruses, you can go into
the BIOS setup on each workstation, and disable booting from floppy.

David Hanson
Armed Forces Recreation Center Europe
Garmisch-Partenkirchen Germany
hansond@afrc.garmisch.army.mil
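
[Added example, not part of the original message and not the method of
any scanner named in this digest.  It illustrates the reply's point that
every diskette has a boot sector, bootable or not, by sweeping a set of
diskette boot-sector images and flagging any whose boot code differs from
a known-good reference.  The sample sectors, labels, serial numbers and
the hash-comparison approach are constructed assumptions; the "boot code"
is inert filler bytes.]

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_START = 0x3E   # boot code follows the DOS 4.0+ extended BPB on FAT12/16
SIGNATURE = b"\x55\xAA"  # boot sector signature at offsets 510-511


def build_sample_sector(boot_code, label, serial):
    """Constructed 1.44 MB FAT12 boot sector; boot_code is inert filler."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"   # short jump over the BPB to offset 0x3E
    sector[3:11] = b"MSDOS5.0"      # OEM name
    # BPB: bytes/sector, sectors/cluster, reserved sectors, FATs, root entries,
    # total sectors, media byte, sectors/FAT, sectors/track, heads, hidden, total32
    struct.pack_into("<HBHBHHBHHHII", sector, 11,
                     512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    # Extended BPB: drive, reserved, 0x29 marker, serial, volume label, FS type
    struct.pack_into("<BBBI11s8s", sector, 36,
                     0, 0, 0x29, serial, label, b"FAT12   ")
    sector[BOOT_CODE_START:BOOT_CODE_START + len(boot_code)] = boot_code
    sector[510:512] = SIGNATURE
    return bytes(sector)


def boot_code_digest(sector):
    """Hash the jump and the boot code only, skipping the per-disk BPB fields
    (label, serial number) that legitimately differ between diskettes."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    return hashlib.sha256(sector[0:3] + sector[BOOT_CODE_START:510]).hexdigest()


def classify(sector, known_good):
    """Classify one boot sector against a set of known-good digests."""
    if sector[510:512] != SIGNATURE:
        return "no-signature"        # unformatted or damaged sector
    if boot_code_digest(sector) in known_good:
        return "known-good"
    return "unknown-boot-code"       # hand this diskette to a scanner


def sweep(images, known_good):
    """Return {name: status} for every diskette image, data disks included."""
    return {name: classify(sec, known_good)
            for name, sec in sorted(images.items())}


# Constructed sample data: one reference sector, two data diskettes, one blank.
STOCK_CODE = bytes(range(64))
ALTERED_CODE = bytes(reversed(range(64)))
REFERENCE = build_sample_sector(STOCK_CODE, b"REFERENCE  ", 0x11111111)
KNOWN_GOOD = {boot_code_digest(REFERENCE)}
IMAGES = {
    "data-disk-1": build_sample_sector(STOCK_CODE, b"LETTERS    ", 0x2A2A2A2A),
    "data-disk-2": build_sample_sector(ALTERED_CODE, b"BACKUP     ", 0x3B3B3B3B),
    "blank-disk": bytes(SECTOR_SIZE),
}

if __name__ == "__main__":
    for name, status in sweep(IMAGES, KNOWN_GOOD).items():
        print(f"{name}: {status}")
```

[Neither data diskette here is bootable, yet both carry boot code that
has to be checked; the label and serial number are left out of the hash
so that ordinary per-disk differences do not raise an alarm.]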

------------------------------

Date: Tue, 26 Mar 1996 14:34:23 +0000 (GMT)
From: hanbinde <hanbinde@limestone.kosone.com>
Subject: HELP stoned 4 virus (PC)
X-Digest: Volume 9 : Issue 42

Does anyone have documentation on how to remove the stoned 4 virus? It
was detected by Microsoft's MSAV which doesn't remove it and F-Prot
(Dec 95 version) doesn't see it.

------------------------------

Date: Tue, 26 Mar 1996 16:53 +0000 (GMT)
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Dr Solomon's 7.58 available for download (PC)
X-Digest: Volume 9 : Issue 42

Dr Solomon's FindVirus v7.58 is now available for download and evaluation 
via the web and ftp.  You can also now have FindVirus emailed direct to 
your mailbox (see below for details).

Here's what's new

    New in Version 7.58
    ===================
    1.  This version of Dr Solomon's FindVirus detects 209 new viruses
    bringing the total detected to 8281.

    2.  This version may be evaluated until the end of May 1996 -
    see README.TXT for more information.


Archive formats now supported: ZIP, ARJ, ARC, LZH (also known
as LHA)

Compression formats now supported: PKLite, LZExe, ICE, Diet,
CryptCom, and Microsoft Expand

This version of Dr Solomon's FindVirus is for evaluation purposes only. 
It is NOT free, shareware or public domain.  The evaluation period for 
this version ends at the end of May 1996.  At that point the evaluation 
period will have expired, and the program will no longer run.

If you require longer to evaluate the product then we recommend that you 
download a more recent version of the evaluation software from the 
approved sites (see DISTRIB.TXT in the zip file), as this will be more 
up-to-date and detect more viruses.

FindVirus can scan recursively inside compressed and archived files (ZIP, 
LZH, ARJ, ARC, ICE, Diet, CryptCom, Microsoft Expand, PKLite, and LZExe) 
without writing to the hard disk.  Additionally its advanced heuristic 
capability means it can detect a large number of new and unknown viruses 
without the false alarm problem found in some other products.

If you are interested in purchasing the full commercial version of Dr 
Solomon's Anti-Virus Toolkit then contact S&S International (USA: +1 617 
273 7400, or UK: +44 (0)1296 318700), or take a look at our website: 
http://www.drsolomon.com

You can download the evaluation version of FindVirus v7.57 from:

     Website:    http://www.drsolomon.com
     AnonFTP:    ftp.drsolomon.com/pub/progs/dsav758.zip
     CompuServe: GO DRSOLOMON
  
NEW!! Email:  Send a blank email to findvirus@info.drsolomon.com
      and you'll have the latest version of FindVirus sent to you in
      UUEncoded form.  This should be of particular use to those of
      you who have experienced difficulties downloading FindVirus from
      our website.

Regards
Graham
--
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400
NEW:Evaluate Dr Solomon's FindVirus 7.58! Download it from our webpage

------------------------------

Date: Tue, 26 Mar 1996 17:39:42 +0000 (GMT)
From: "Douglas M. Munro" <d.munro@csuohio.edu>
Subject: Residual effects of a virus? (PC)
X-Digest: Volume 9 : Issue 42

I have recently overcome the Havoc ][ virus on my system and have noticed
that two of my floppies which were flagged as having the virus had a
volume label of "COMPAT  FUL".  I am sure that I didn't label those
floppies with that and according to one Norton guy, he doesn't think that
NAV did either.  Has anyone ever seen this before and is it virus related?

Thanks for your time.

DMM
d.munro@csuohio.edu

------------------------------

Date: Tue, 26 Mar 1996 21:32:14 +0000 (GMT)
From: Eleu <deleu@finland.it.earthlink.net>
Subject: Doom2 Death virus question (PC)
X-Digest: Volume 9 : Issue 42

I have a problem. The Doom2 Death was found by my McAfee AV, and it
said it wiped it out. However, I can no longer run WordPerfect 6.0a,
even after wiping it off the hard drive and restoring it from the
master disks. The error message: cannot initialize-- most probable
reason is insufficient memory. Everything else I have runs just fine.
Any information would be helpful, as I really don't know what this
virus is capable of doing.

------------------------------

Date: Tue, 26 Mar 1996 21:00:18 -0800
From: Frode Brean Sorken <fsorken@sn.no>
Subject: Lost Harddrive (PC)
X-Digest: Volume 9 : Issue 42

I was trying to help a friend of mine with his PC today. He didn't have
proper sound, and his cd-rom wouldn't work in MS-DOS mode (he runs
Windows 95).

I found that he had several problems, and decided to delete his windows
directory, to reinstall it. After using the command "deltree windows", it
all came cribbled. The result of using the "dir" command was a lot of
strange symbols. I then decided to check for virus, using the f-prot
software. This program was too big for the memory. After restarting the
computer, I got the message "non system disk..." (there were no diskettes
in the disk drive). Restarting with a system diskette in a: worked fine,
BUT now, trying to get in contact with the hard drive (typing "c:")
results in "C: is an invalid drive" (or similar). So now I can't delete the
rest of c:, and I can't reinstall any software.

Does my friend have a virus?
What do I do???
- - 
- Frode Sorken

------------------------------

Date: Wed, 27 Mar 1996 11:03:36 +0200 (EET)
From: "Mikko H. Hypponen" <Mikko.Hypponen@datafellows.com>
Subject: Re: Bones Virus (PC)
X-Digest: Volume 9 : Issue 42

Charlie Hill <cy321@cleveland.freenet.edu> wrote:

> F-Prot Ver 2.21 reported that there was a MBR virus named Bones on a
> floppy disk of mine.  F-Prot and the program VSUM has no information
> about this virus. 

As usual, there is a description in the virus description database at
www.DataFellows.com:

NAME:  Bones
ALIAS: Brazil, Ibex
TYPE:  Resident, floppy boot, MBR

Bones replicates when you boot from an infected floppy. Once you
infect a machine, all accessed floppies get the virus.

Bones has code to activate and overwrite part of the hard
drive on the 7th of each month when any floppy disk is
accessed.

Bones was reported to be in the wild in USA in December 1995.

- - 
	 Mikko Hermanni Hypponen - Mikko.Hypponen@DataFellows.com
   Data Fellows Ltd's F-PROT Pro Support: F-PROT-Support@DataFellows.com
 Computer virus information available via web: http://www.DataFellows.com/
Paivantaite 8, 02210 Espoo, Finland. Tel +358-0-478444, Fax +358-0-47844599

------------------------------

Date: Wed, 27 Mar 1996 10:41:37 +0000 (GMT)
From: Toby Armfield <tja@easynet.co.uk>
Subject: Re: Virus??? (PC)
X-Digest: Volume 9 : Issue 42

Somebody asked:

>Can anyone tell me what the following message on my screen means?
>
>To see a world in grain of sand, and heaven in a wild flower
>Hold infinity in your hand
>And eternity in an hour
>
>The virus 16\3\91

Yes - it means you have the Maltese Amoeba Virus, details of which follow
from Dr Solomon's Website:

Maltese Amoeba

(Irish)
Type : Memory-resident file virus.
Affects : COM EXE files on execution. COM files must be between 450 and
63,000 bytes.
File Growth : 2,498 to 2,565 bytes.
Removal : Method 2.

Hope this is of help!

Toby
DJT - Hit It - Out soon on SUS Records!!!

http://www.helsinki.fi/~bbacklun/Toby/toby.htm      tja@easynet.co.uk

------------------------------

Date: Wed, 27 Mar 1996 13:53:01 -0600 (MDT)
From: DONNY@iris.co.il
Subject: Re: Virus??? (PC)
X-Digest: Volume 9 : Issue 42

> Can anyone tell me what the following message on my screen means?
>
> To see a world in grain of sand, and heaven in a wild flower
> Hold infinity in your hand
> And eternity in an hour
>
> The virus 16\3\91

This is the Maltese Amoeba virus (also known as "Grain of sand").

> I have tried a clean boot disk. but it won't recognise my hard disk.
> My virusscanner is also unable to access my hard disk.

Update the virus scanner or get another one (you can use
Iris AntiVirus Plus :-) ).

Donny Gilor (Dr. Virus)    donny@iris.co.il
-----------------------------------------
Development manager, Iris Software (Israel)
Tel: (972)-3-9221280   Fax: (972)-3-9228060


------------------------------

Date: Wed, 27 Mar 1996 13:06:44 +0000 (GMT)
From: Patrick Noyens <patrick.noyens@ping.be>
Subject: FindVirus 7.58 fails to detect Macro.Word.Xenixos virus (PC)
X-Digest: Volume 9 : Issue 42

After I got the evaluation copy from the WWW.DRSOLOMON.COM site I
tested this 'brand new' version against some macro viruses :

It seems that it fails to detect the Macro.Word.Xenixos virus
(alias Nemesis) : no infection was reported after scanning an infected
file !!

However, scanning with AVP 2.2 Pro (March 13th 1996), AVAST 7.50
(March 1996), Sweep 2.83 and AntiVir IV (H+BEDV GmbH), this .DOC file
was declared as infected by Macro.Word.Xenixos virus. (or its alias
Nemesis was reported)

BTW : 'even' McAfee's SCAN V. 2.2.C detected this virus !:):)

I was kind of surprised by this, because I received this sample at
least 8 weeks ago ... so it's not a completely unknown Macro virus !

Is this just a forgotten signature in the FINDVIRU.DRV ... or is the
virus really completely unknown to Solly's technical fellows ?

Is an EXTRA.DRV available on your FTP or WWW site ?

Patrick

Please reply to my E-mail address :

		 patrick.noyens@ping.be

------------------------------

Date: Wed, 27 Mar 1996 14:05:47 -0600 (MDT)
From: DONNY@iris.co.il
Subject: Re: Did Michelangelo Virus Wipe this PC's Hard Drive? (PC)
X-Digest: Volume 9 : Issue 42

> Recently, she recalls hearing
> strange sounds from the hard drive, and the next time she booted, her hard
> drive was empty: a "DIR" command revealed no files.

Did the command "DIR" show an error reading the hard drive? If the "DIR"
just showed no files (but besides that the disk is "okay") then it is not
the Michelangelo. If the hard drive is not readable "Invalid media type
on drive C" or similar, then it COULD be the Michelangelo. Since this
occurred pretty close to the 6th of March it sounds reasonable.

> One would think Michelangelo would have struck 12 months ago, so
> I'm having trouble accepting a viral diagnosis.

If I'm not mistaken, last year the 6th of March was on a weekend so that
she may not have turned on the computer on the correct date. Besides, you
never know when she may have booted from a floppy (maybe not even
intentionally, just by booting from a blank (infected) floppy - see the
FAQ).

> She has no anti-viral, diagnostic, recovery, or backup software of her
> own.

She should have anti-viral software (at least for next time).

Donny Gilor (Dr. Virus)    donny@iris.co.il
-----------------------------------------
Development manager, Iris Software (Israel)
Tel: (972)-3-9221280   Fax: (972)-3-9228060

------------------------------

Date: Wed, 27 Mar 1996 18:34:05 +0000 (GMT)
From: gallant@therston.cc.hollandc.pe.ca
Subject: F S Virus - Anybody??? (PC)
X-Digest: Volume 9 : Issue 42

F S Virus attacked a PC in my dept. today.  It first appeared as
memory problems in Windows 3.1.  When I ran F-Prot it detected
nothing, but when I booted again it locked up on VIRSTOP (the TSR
with F-PROT), and then mentioned an F S Virus.  (Fred
Scklanson?).  Anyway, F-Prot never did find the virus, only a
few suspicious files, (c:\windows\setup1.exe and mem.exe).  One
time when I exited out of F-Prot I got a dialogue box asking me
if I wanted to buy some disk.  I answered no, (maybe a mistake).
The next time I booted up, the hard drive was wiped.

Has anybody encountered this one before???
Please eMail direct.

Does anybody know of a scanner that will detect this one?  I have
approximately 200 computers in the dept. and am a little
concerned.

Shirley Gallant
gallant@therston.cc.hollandc.pe.ca

------------------------------

Date: Wed, 27 Mar 1996 07:01:31 +0000 (GMT)
From: owner-virus-l@fidoii.cc.lehigh.edu
Subject: Re: Anti exe virus (PC)
X-Digest: Volume 9 : Issue 42

Angela Cowley <Angela@squig.demon.co.uk> wrote:

>I bought a new computer 2 weeks ago and it was definitely clear of viruses
>when I got it, but then 5 days ago I discovered it had the anti exe virus.
>I know my old computer is clean and the floppies I installed the day I got
>it are clean, just ones I've used over the last week are infected. I've
>cleaned everything now and have dr solomons installed, but wonder where
>the virus came from. Every one I know who is not on the net is telling me
>I got it from the net, but are they right? I was online for 4 months on
>the old machine and that is ok.

We had AntiExe here at the library where I work. It is an almost
completely benign virus. All it really does is exist. It has no
stealth capability nor can it execute anything. You get it when you
try to boot up your machine, but have left an infected disk in the A:
drive. The machine's hard drive picks up the virus when it tries to
boot off the disk. From then on it infects any disk you use in the A:
drive. Programs like F-Prot will easily clear this virus, but, as you
know, you have to boot with clean (non-infected) disks in order to
clear. Hope this helps.   Bob Davis

------------------------------

Date: Wed, 27 Mar 1996 20:36:00 +0000 (GMT)
From: "Walter C. Dove" <dove.walter@epamail.epa.gov>
Subject: Re: Need Help With a virus called SCRMING.FIST.II.652 (PC)
X-Digest: Volume 9 : Issue 42

Annie Hayes <rcmpinf@lancite.net> wrote:

>The users often have to connect on customer's networks. They are
>bringing back hundreds of virus, 

Assuming Intel/IBM PCs:

Suggestion #1:  if available, set the boot sequence in the BIOS to boot 
preferentially from the hard disc.

This'll save you from many/most/virtually all BSV infections.

>McAfee 227 is usually doing the job but I have a couple of LapTop with
>every executables files infected by what McAfee 227 detect to be a
>virus called SCRMING.FIST.II.652 at the same time it's telling me that
>there's no remover for this virus.

Suggestion #2:  get an AV TSR (F-Prot has one, Dr. Solomon's has one,
McAfee has one, etc. ad nauseam) and install it on the laptops (load from
config.sys if possible) to provide _some_ protection.

>  I really need to find a scanner that will do the job.

If the virus overwrites code, there may be no way to clean it off and
retain a functioning program (I can't get to my documentation to see if
I've got any information on your screaming-fist variant from a credible
source -- it may or may not overwrite, may or may not be generally
"cleanable").

A better scanner isn't the total answer:  defense in depth and an 
educated user community is a better answer.

rgds.  wcd.

------------------------------

Date: Wed, 27 Mar 1996 21:00:25 +0000 (GMT)
From: Shane Coursen <scoursen@symantec.com>
Subject: Re: Virus??? (PC)
X-Digest: Volume 9 : Issue 42

In article <0009.01I2UER2C1TGS24DPB@csc.canterbury.ac.nz>, herb1@xs4all.nl
says...

>Can anyone tell me what the following message on my screen means?
>
>To see a world in grain of sand, and heaven in a wild flower
>Hold infinity in your hand
>And eternity in an hour
>
>The virus 16\3\91

Interpretations of the passage may differ but it ultimately means 
that you (probably) have the Maltese Amoeba virus.

>I have tried a clean boot disk. but it won't recognise my hard disk.
>My virusscanner is also unable to access my hard disk.

Maltese Amoeba has two activation dates.  November 1st is one date,
March 15th is another.  Due to the close proximity of your message
and March 15th, my guess is the virus has already overwritten
several sectors of the hard drive and you *may* not be able to 
recover the data.

If it really is Maltese Amoeba and it did activate, I am surprised
that you would be able to see the hard drive at all (clean boot or
not.)  But, I've seen stranger things, and am willing to believe 
just about anything.

As for not "seeing" the hard drive:
It makes no difference whether a scanner reports seeing a hard 
drive or not.  Most scanners treat the hard drive as a physical 
device and will scan it regardless.

I'll follow this up with a private eMail to see if I can be
of any further assistance.

--
Shane Coursen                                        Symantec Corporation
Computer Virus Researcher                http://www.symantec.com/avcenter
AntiVirus Research Center                                 CIS:  GO SYMWIN
scoursen@symantec.com                                           GO SYMNEW
      US Support:  541-465-8420                            AOL:  SYMANTEC
European Support:  31-71-353-111       Australian Support:  61-2-879-6577

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 42]
*****************************************


