Message-Id: <01I37W48WZM4SH3CBI@csc.canterbury.ac.nz>
Date: 	Sat, 06 Apr 1996 10:44:29 +1200 (NZT)
Reply-To: virus-l@Lehigh.EDU
Sender: owner-virus-l@Lehigh.EDU
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>
Subject: VIRUS-L Digest V9 #43

VIRUS-L Digest  Saturday, 6 Apr 1996    Volume 9 : Issue 43

Today's Topics:

Re: QUESTION: Email Viruses
Re: QUESTION: Email Viruses
Re: QUESTION: Email Viruses
Re: McAfee Dishonesty
Re: How to Contact Command Software?
Re: Mcafee support stinks
RE: Satan Virus Question
Re: QUESTION: Email Viruses
NT virus risks/solutions? (NT)
Viruses and Windows NT (NT)
Re: Removal of Antiexe (OS/2,WIN)
Re: Macro viruses, MS-Word consept (MAC,WIN)
Word Macro Virus (MAC,WIN)
Re: Devices disappearing -- virus? (WIN95)
Re: TBAV says WIN95 CD infected? (WIN95)
Re: McAfee95 reports McWhale (WIN95)
Strange icon label changes--Possible virus? (WIN95)
Re: TBAV says HIMEM.SYS changed (WIN95)
Re: TBAV says WIN95 CD infected? (WIN95)
Re: What detects BOZA virus? (WIN95)
Re: Dr Solomon - Questions (WIN)
Re: Possible memory-resident virus HELP! (PC)
Re: Virus??? (PC)
Re: Possible new virus??? (PC)
Re: Viruses that damages hardware (PC)
Re: Form Virus On A Lan (PC)
boot sector locked (PC)
Re: Directory problem (PC)
Help: The IHC-virus does its work! (PC)
Re: Virus??? (PC)
!DELWINBOOT.sys (PC)
lingering effects of Doom2Death (PC)
Stoned virus in blocked out partion of HD--help!!! (PC)
Re: Tai_Pan438 Virus (PC)
Re: Directory problem (PC)
Re: 10b7 (PC)
Re: 10b7 (PC)
HELP!!! Form virus..how to remove? (PC)
Re: Winword/Scanprot/FProt questions (PC)
Multiple boot sector infections (PC)
ANTI-CMOS virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Wed, 27 Mar 1996 23:56:05 +0000 (GMT)
From: Tony Warren <tony@us.integralis.com>
Subject: Re: QUESTION: Email Viruses
X-Digest: Volume 9 : Issue 43

Yes, it is possible to receive a virus as an Email attachment.  Many of
the new viruses are attached as data rather than an EXE file.  For
example the Word Concept virus is easily spread via an Email
attachment.

Tony Warren
Integralis, Inc.

------------------------------

Date: Thu, 28 Mar 1996 05:06:42 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: QUESTION: Email Viruses
X-Digest: Volume 9 : Issue 43

Greg Rice <wyldryce@ix.netcom.com> writes:

>I'm wondering, why isn't an email virus possible?  I read that no one
>really needs to worry about loading an email message from a service
>like AOL or Compuserve and receiving a virus on their home PC.
>Wouldn't it be possible to write code that is an attached .EXE file and
>is called into downloading itself by the 'read mail' action of the
>service provider?
>
>I realize that if there was such a code, it would be service provider
>specific, but it seems plausible.

It's a matter of semantics.  An email virus is not possible.  That's
basically because there are just too many standards and packages
handling email.

However, your followup asks whether you can get a virus through email.
The answer to that is yes.  But what we acknowledge is that you can
get a virus through an email attachment.  But this is not an email
virus.

What it is, is a semantic difference, not necessarily of value to the
layman.  But then, we do want to make sure you know exactly what is
and is not possible because part of our jobs is to answer the "I've
got a virus" cries.  And we don't want to answer to, "there's this
garbage in the middle of my message.  Is it a virus?"  And all those
PGP blocks, UUENCODE blocks, base64.  To the average person, he's
likely to misinterpret them if he sees the raw data.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Wed, 27 Mar 1996 22:06:25 +0000
From: "B.MacDonald" <burns@nthwd.demon.co.uk>
Subject: Re: QUESTION: Email Viruses
X-Digest: Volume 9 : Issue 43

In article <0002.01I2UER2C1TGS24DPB@csc.canterbury.ac.nz>, Greg Rice
<wyldryce@ix.netcom.com> writes

>I'm wondering, why isn't an email virus possible?  I read that no one
>really needs to worry about loading an email message from a service
>like AOL or Compuserve and receiving a virus on their home PC.
>Wouldn't it be possible to write code that is an attached .EXE file and
>is called into downloading itself by the 'read mail' action of the
>service provider?
>
>I realize that if there was such a code, it would be service provider
>specific, but it seems plausible.

Yes, it is possible to transfer a virus in the manner you have
described, but NOT as a normal, *text* Email. 

There must be some form of executable, therefore Email with attached exe
files, self-expanding zip files, some forms of encoded and binary files
and -  yes that's right - even mime attachments, are all capable of
being propagated by Email. In fact the current spate of the Word Macro-Virus
(which is alive and well in England right now) is most often
spread as a Word document Email enclosure.

I can't think of any way that these viruses would be ISP-specific except
in the broadest sense where a detectable virus has been screened out by
all but one of two service providers whose anti-virus regime is not up
to snuff. Even in these cases, the Service Provider is simply an
innocent and unknowing conduit.

The golden rules never change:

* get an anti-virus program you can trust, preferably one which offers
regular updates. If you're on the internet a lot and downloading files and
software from the net, or you are swapping floppies with other people
frequently, you should try and get the best anti-virus software you can
...even if it means paying for it. (I'm running Dr Solomon's - there are
others).

* do NOT download programs, binaries or executables from unknown
"fringe" sources. Especially, do not unzip, decode or execute any that
come to you unsolicited from someone you don't know. This includes MIME
enclosures to e-mail from strangers.

Hope this helps. I'm sure others in this group can offer additional
thoughts.

- - 
B.MacDonald, Northwood, Middlesex, UK
E-mail burns@nthwd.demon.co.uk or burns@dircon.co.uk

------------------------------

Date: Thu, 28 Mar 1996 08:13:11 -0500
From: Mike Michalowicz <ici@planet.net>
Subject: Re: McAfee Dishonesty
X-Digest: Volume 9 : Issue 43

Hunter wrote:

> In October 1995 I prepaid to McAfee for a registered copy of their
> Viruscan for Windows.  It wasn't till 8 weeks later that the software
> finally arrived in the mail; and they sent the DOS version, not the
> Windows.  They rectified their error by sending me the Windows disks for
> the version 2.2.5 from August 1995.
> 
> After finally locating and downloading the updating .dat files, which were
> supposed to be provided to me free for two years as a registered user,
> they disabled the Vshield.  McAfee support, such as it is, did not respond
> to two email messages, nor to a telephone call.
> 
> Now 2 months later, McAfee finally updates its Web page with the
> announcement that the .dat files are not backwards compatible. In effect
> you must now purchase their ongoing subscription service to new version
> releases in order to make use of the new .dat files, in effect doubling
> the price for the single retail user per year.
> 
> One of my main considerations in purchasing the McAfee Viruscan was its
> two-year free updating service.  It's rather disingenuous of them to
> nullify that promise almost immediately after my purchase.  It took two
> months to figure out what was happening, not counting the frustrating
> hours confronting their BBS and the exasperating "Out of Memory" message
> from VShield.  I'd like to get a refund, but can't get any response from
> them.
> 
> My advice is try a different product; there are others.

Hunter-
My former company, and specifically myself, are an authorized agent for 
the McAfee anti-virus software.  Your experience is quite unfortunate, 
and has been reported by other people when dealing with McAfee directly.

McAfee should have made you aware of the BBS access password for 
(r)egistered files.  All you need is a modem and this password, and you 
will be able to download the updates as frequently as you want for two 
years (you can use either the BBS or the Web).

If you need any help in obtaining the appropriate software, please 
contact me.  I'm listed in the Agents list under my former company.  I'm 
now with Inter-Com, Inc. (201)252-1100.

Best of luck!

- Mike Michalowicz
ici@planet.net

------------------------------

Date: Thu, 28 Mar 1996 08:40:07 -0500
From: Mike Michalowicz <ici@planet.net>
Subject: Re: How to Contact Command Software?
X-Digest: Volume 9 : Issue 43

Evan Rosenbaum wrote:

> Yeah, I realize that this is a no-brainer question.  But I checked the
> FAQ and everyplace else I could think of, and can't find a phone # or
> a URL.  Can anyone throw me a pointer?

If you're looking for Command Software Systems, they're HQed down in Florida.

Their numbers are:
Phone (800)423-9147
Tech  (407)575-3200
Fax   (407)575-3026

Hope this helps.

- Mike Michalowicz
  Inter-Com, Inc.
  ici@planet.net

------------------------------

Date: Thu, 28 Mar 1996 08:50:56 -0500
From: Mike Michalowicz <ici@planet.net>
Subject: Re: Mcafee support stinks
X-Digest: Volume 9 : Issue 43

lf wrote:

> I bought VirusScan 95, and my current version recognizes me as a
> licensed user.  Whenever I try to update it from FTP site, I get a
> "thank you for evaluating message" when I run the updated version, and
> it no longer recognizes me as a licensed user.  Over a month period, I
> have sent four emails to support@mcafee.com, without response.  I'm
> ready to dump the program and try Norton.  Any suggestions?

It seems to me like you are downloading the eval and not the registered. 
Make sure you are downloading the (R)egistered files.  You will need a 
password to get into this area (both the BBS and the FTP require a 
password).  Contact McAfee to get your password.

- Mike Michalowicz
  Inter-Com, Inc.
  (201)252-1100
   ici@planet.net

------------------------------

Date: Thu, 28 Mar 1996 09:54:15 -0400 (EDT)
From: Kim Graham <kimberley.graham@SheridanC.on.ca>
Subject: RE: Satan Virus Question
X-Digest: Volume 9 : Issue 43

>Could this have been a virus or is this 
>some strange thing under Win95?  If so, which one?  Is there such a 
>thing called the Satan Virus, because I have never heard of it? 

During a scan of the Lab I work in I encountered a computer with a virus
called "NATAS" (backwards it is 'Satan').  This may be the virus your
friends were talking about. We were lucky not to have the symptoms you
encountered.

It is a DOS virus and I cleaned it with McAfee's 2.2.8. 

****************************************************************
Kim Graham                                e-mail: 
Novell & Teleconference         kimberley.graham@sheridanc.on.ca  
Lab Technician                   Voice Mail:(905)815-4040 X3742
****************************************************************

------------------------------

Date: Thu, 28 Mar 1996 21:23:07 -0500
From: Ken Bell <syklb@babylon.giss.nasa.gov>
Subject: Re: QUESTION: Email Viruses
X-Digest: Volume 9 : Issue 43

In article <0002.01I2UER2C1TGS24DPB@csc.canterbury.ac.nz>,
Greg Rice  <wyldryce@ix.netcom.com> wrote:

>I'm wondering, why isn't an email virus possible?  I read that no one
>really needs to worry about loading an email message from a service
>like AOL or Compuserve and receiving a virus on their home PC.
>Wouldn't it be possible to write code that is an attached .EXE file and
>is called into downloading itself by the 'read mail' action of the
>service provider?
>
>I realize that if there was such a code, it would be service provider
>specific, but it seems plausible.

MIME-compliant mail readers definitely open the possibility for such
virus (or Trojan Horse) delivery via email.  For example, a postscript
attachment will typically be fed into a postscript interpreter.  Since
postscript is a rather powerful language (it can be used for general
purpose computing tasks, not just for page layout), it could be used as
a method of attack.  The recipient of the email need do nothing more
than read the message.  Cognizant of this, GNU's ghostscript program
offers a "-dSAFER" option that disallows certain functionality.
Quoting from the ghostscript man page:

	  -dSAFER
	       Disables the deletefile and renamefile operators, and
	       the ability to open files in any mode other than read-
	       only.  This may be desirable for spoolers or other
	       sensitive environments.

A potentially wider "audience" for email attacks is available via the
Microsoft Word program, via its macro language.  The recommendation
here is to avoid using Word as a viewer for attached Word documents
(especially when reading unsolicited email).  There are Word-compatible
viewers available that do not execute macro code, and these can be used
safely.

It should be noted that these types of attacks are relatively "platform
independent", as, for example, both postscript and (to a slightly lesser
extent), Word macros, are programming languages defined independently of
any particular operating system.

- - 
Ken Bell :: syklb@giss.nasa.gov :: (212)-678-5516 (voice), 678-5552 (fax)
======== :: kenbell@panix.com   :: (212)-475-4976 (voice)
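
The two points made in this thread (B.MacDonald's rule about MIME enclosures from strangers, and Ken Bell's observation that a MIME-aware reader routes a PostScript or Word part straight to an interpreter) can be turned into a simple attachment triage. The following is an added example written for this digest; it is not code from VIRUS-L, from ghostscript, or from any anti-virus product mentioned above. The risk table, the sample message and the file names in it are constructed for the example.

```python
"""Triage of MIME attachments before a mail reader hands them off.

Added example for this digest; it is not code from VIRUS-L or from any
product named in it.  The point it illustrates: a MIME-aware reader
routes each part by content type, so a PostScript part reaches an
interpreter, a Word document reaches Word (and its macro language) and
an .EXE reaches the program loader.  The triage below parses a raw
message and holds such parts instead of opening them.  The risk table
and the sample message are constructed for this example.
"""
import os
from email import message_from_bytes

# Content types a typical reader hands to an interpreter or loader.  This
# table is an assumption for the example, not a standard list; a real
# gateway would be driven by local policy.
ACTIVE_TYPES = {
    "application/postscript": "interpreter (PostScript)",
    "application/msword": "interpreter (Word, macros enabled)",
    "application/x-msdownload": "loader (DOS/Windows executable)",
}

# Fallback for generic octet-stream parts: decide by file extension.
ACTIVE_EXTENSIONS = {
    ".ps": "interpreter (PostScript)",
    ".eps": "interpreter (PostScript)",
    ".doc": "interpreter (Word, macros enabled)",
    ".dot": "interpreter (Word, macros enabled)",
    ".exe": "loader (DOS/Windows executable)",
    ".com": "loader (DOS/Windows executable)",
    ".bat": "loader (batch file)",
}


def classify_part(part):
    """Return why a part would be executed on open, or None if it would not."""
    ctype = part.get_content_type()
    if ctype in ACTIVE_TYPES:
        return ACTIVE_TYPES[ctype]
    ext = os.path.splitext(part.get_filename() or "")[1].lower()
    return ACTIVE_EXTENSIONS.get(ext)


def triage(raw_message):
    """Split a raw message into parts safe to display and parts to hold.

    Returns (safe, held): safe is a list of labels, held a list of
    (label, reason) pairs.  Labels are "<filename or (body)> [<type>]".
    """
    msg = message_from_bytes(raw_message)
    safe, held = [], []
    for part in msg.walk():
        if part.is_multipart():          # containers carry no payload of their own
            continue
        name = part.get_filename() or "(body)"
        label = "%s [%s]" % (name, part.get_content_type())
        reason = classify_part(part)
        if reason is None:
            safe.append(label)
        else:
            held.append((label, reason))
    return safe, held


def ghostscript_argv(path):
    """Command line for viewing a held PostScript part under -dSAFER, which
    (as quoted above) disables deletefile/renamefile and write access to
    files.  Built here, not executed."""
    return ["gs", "-dSAFER", "-dNOPAUSE", "-dBATCH", path]


# Constructed sample: one text body plus three attachments of the kinds
# discussed above.  The binary payloads are a few placeholder bytes.
SAMPLE_MESSAGE = b"""From: sender@example.invalid
To: reader@example.invalid
Subject: files as discussed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Please see the attached.
--sep
Content-Type: application/postscript; name="fig.ps"
Content-Disposition: attachment; filename="fig.ps"

%!PS
(hello) print
--sep
Content-Type: application/msword; name="report.doc"
Content-Disposition: attachment; filename="report.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--sep
Content-Type: application/octet-stream; name="update.exe"
Content-Disposition: attachment; filename="update.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--sep--
"""

if __name__ == "__main__":
    safe, held = triage(SAMPLE_MESSAGE)
    for label in safe:
        print("show:", label)
    for label, reason in held:
        print("hold:", label, "->", reason)
```

Run as-is it shows only the text body and holds the three attachments. The extension fallback matters because a sender controls the declared content type: an .EXE labelled application/octet-stream would otherwise slip through as "data".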

------------------------------

Date: Thu, 28 Mar 1996 16:43:06 -0500
From: KDTrue <kdtrue@aol.com>
Subject: NT virus risks/solutions? (NT)
X-Digest: Volume 9 : Issue 43

I have just become responsible for reviewing virus risks and our
response to them.  I would appreciate any help you can offer.  We have a
network of about 30 PC and Mac clients hosted by an NT server.  At the
moment, the Macs and PCs have standard anti-virus utilities installed
(McAfee and Disinfectant), but the server is unprotected.  Because we use
the server to store data files and run our executables from the local
machines, we have not been very worried about the server.  However, we
have some holes and the emergence of the macro viruses worries us.  We
interact with the world via the Web and file transfers.  

How great a risk does an unprotected server pose?  What is the best
solution in terms of configuration (network-wide virus protection from the
server versus distributed protection) and in terms of preferred packages
(I know of InocuLAN and Sweep, but don't know enough to evaluate them.) 
If you can direct me to reviews, general virus protection information or
recommended software providers, I'd be most grateful.  Thanks.

   - true@bbcresearch.com

------------------------------

Date: Thu, 28 Mar 1996 12:22:00 -0500 (est)
From: "Taber, Henry" <TaberH@dma.gov>
Subject: Viruses and Windows NT (NT)
X-Digest: Volume 9 : Issue 43

Our network consists of a mixture of 286-, 386-, 486-, and 
Pentium-based PCs as well as a liberal sprinkling of Macintoshes.
We are in the process of converting all of our PCs to the Windows NT 
operating system.  Those effectively in charge of this operation
have stated that Windows NT does not have any virus problems.

I have read the FAQ for anything specific to Windows NT.  Nothing
mentioned outside of a reference to DOS windows within a vanilla
Windows environment, but I am not sure how Windows NT handles
things internally vis a vis Windows 3.x and 95.

How does the sole use of Windows NT on all Intel-based systems
affect our vulnerability to the known set of viruses?

Are there virus trends appearing which may indicate that we may 
have cause for concern by going to an all Wintel-NT network?

Have there been viruses specifically written for Windows NT?

My background is mainly from the Macintosh side of the equation
with only an Introduction to Windows course to my credit. 

Email on this subject will be very welcome.

Henry V. Taber
DMA St. Louis
taberh@dma.gov 

------------------------------

Date: Thu, 28 Mar 1996 05:30:32 +0000 (GMT)
From: Jacqueline & David Brankley <jdbranks@oxford.net>
Subject: Re: Removal of Antiexe (OS/2,WIN)
X-Digest: Volume 9 : Issue 43

No kidding!! I had EXACTLY the same experience!  I had Windows and Dos
and even booted with a clean floppy, but the virus kept coming back!
Finally, I ditched Mcafee and bought Norton Antivirus and it cleaned
the boot record and I haven't had a problem since!  I download the new
virus definitions each month.

------------------------------

Date: Thu, 28 Mar 1996 10:31:33 +0100
From: Ann-Katrin Elgesem Engen <aengen@sn.no>
Subject: Re: Macro viruses, MS-Word consept (MAC,WIN)
X-Digest: Volume 9 : Issue 43

A. Appleyard earlier asked for information about the state of progress in
being able to adequately and safely detect and remove macro viruses.

Microsoft has a template named "scanprot.dot".  This template sets up
the protection macros on the user's machine for Microsoft Word.  The
template scans for and removes the Concept macro virus during setup.  After
installation this template will check for macros and auto-executes in e.g.
FileOpen.  The template will give a warning for other possible bad
documents, not only Concept or other known macros.

You can get the template and documentation from Microsoft.  Maybe other
readers of this list can give you the URL address if it exists.

Regards
- - 
- Ann-Katrin Elgesem Engen

------------------------------

Date: Wed, 27 Mar 1996 16:57:48 -0800
From: Lee Morgan <lmorgan@pepperdine.edu>
Subject: Word Macro Virus (MAC,WIN)
X-Digest: Volume 9 : Issue 43

Until 2 days ago I was able to use the "scanprot.dot" macro from Microsoft
to get rid of the "concept" virus that has plagued MS Word for some time
now.  2 Days ago, it started giving me a "load error", or an application
error.

Does anybody have any suggestions???

Lee Morgan
Manager PC Repair, Pepperdine University

------------------------------

Date: Wed, 27 Mar 1996 13:40:12 -0800 (PST)
From: Tim Adamec <TAdamec@smtplink.simsci.com>
Subject: Re: Devices disappearing -- virus? (WIN95)
X-Digest: Volume 9 : Issue 43

<<Sorry about not being able to quote here, I'm using cc:Mail and an SMTP 
gateway>>

Basically, you were asking if devices disappearing could be the result of 
viral attack.

Your problem sounds a lot like one I was encountering with Win95 installs. 
Win95 seems to have some problems with certain hardware configurations--
two of the most problematic for me: IBM PS/2 Consultant (hahah) model, and
my own bits-and-pieces-scrounged-at-swapmeets special. The only way I
found to remedy the situation was to reinstall Win95. In the case of the
PS/2, I had to reformat and reinstall.

Sounds like you just had a/some corrupted system device to me.

HTH

Tim Adamec
tadamec@earthlink.net

------------------------------

Date: Thu, 28 Mar 1996 11:18:49 +0000 (GMT)
From: Ian Mullins <obe4019@InfoNET.st-johns.nf.ca>
Subject: Re: TBAV says WIN95 CD infected? (WIN95)
X-Digest: Volume 9 : Issue 43

: and re-installed WIN95.  Two of the same warnings appeared again during
: my first session.  I finally did a full scan on my WIN95 CD and three
: files were revealed infected.  They are:
: 
: OTHER\CHANGE CP\1253.BIN
: WIN\95\OEMSETUP.BIN and
: WIN\95\SAVE32.COM
: 
: Can this be possible?

It's possible, but unlikely. Were you using the High Heuristics option? 
If so, you shouldn't.  What exactly did TBAV say about the file?  Did it 
say "file xxxx MIGHT be infected" or "file xxxx PROBABLY infected" and 
what were the flags for the files?

Crash,
Remote SysOp of The Danger Zone (709)368-4709

------------------------------

Date: Thu, 28 Mar 1996 16:43 +0000 (GMT)
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: McAfee95 reports McWhale (WIN95)
X-Digest: Volume 9 : Issue 43

In-Reply-To: <01I2UER2C1TGS24DPB@csc.canterbury.ac.nz>
mezzano@bccom.com writes:

> After I started loading McAfee Win95 virus program to upper
> memory, I get a message from vshield saying that the McWhale
> virus may be present or a trace from another operation.
>
> I booted with a known clean disk and scanned all the hard drives, but
> everything comes up clean.

It sounds to me like you have a McAfee false alarm.  

If I may quote the Dr Solomon's Virus Encyclopedia: "Whale is such a 
large and clumsy virus that on most computers it doesn't actually work at 
all.  As a result, the main replication method is anti-virus researchers 
sending specimens to each other.  With careful treatment it can be 
persuaded to go memory-resident and infect files from memory.  The system 
slows down considerably because the virus is so inefficient.  It contains 
a few dozen "heads" which are the different decryption/loader routines."

So I think it's pretty unlikely that you actually had a Whale infection, 
but a McAfee false alarm instead.

Three courses of action you can take:  1) ignore the false alarm.  2) 
upgrade your version of McAfee to a version which does not include this 
particular false alarm.  3)  Switch to a different product.

There's an interesting article about the cost of false alarms in the 
current issue of Info Security News I believe.

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Thu, 28 Mar 1996 15:10:09 -0800
From: Warren Schwader <warrens@sierranet.net>
Subject: Strange icon label changes--Possible virus? (WIN95)
X-Digest: Volume 9 : Issue 43

Using Win95: the file names on my desktop, start menu, explorer, and 
other windows are jumbled so that they look like:

0y 00m00000  instead of "My Computer" except that the 0 looks like a 
squared 0 (I don't know how to make the symbol.)  Some of the letters 
remain but it is generally unreadable.  It does not seem to hinder my 
ability to run programs.  Also, if I change desktop themes (I'm using 
Plus! also) the words come back for a time.  The problem also seems 
intermittent in that all of a sudden everything will seem fine for a day 
or two.  I reinstalled Win95 and Plus! but it didn't help.

Any ideas please?

------------------------------

Date: Thu, 28 Mar 1996 23:16:03 +0000 (GMT)
From: Wolfgang Weisselberg <weissel@ph-cip.uni-koeln.de>
Subject: Re: TBAV says HIMEM.SYS changed (WIN95)
X-Digest: Volume 9 : Issue 43

williams@finland.it.earthlink.net, 
who is called Jared Williams wrote one day:

> I am currently running thunder byte for dos. It came with 
> Windows 95 and when I boot up using it, it always says 
> himem.sys has been changed. It won't allow to validate it. Is 
> there anyone out there that has had the same problem using 
> thunderbyte? 

Ahem, you did read the manual and know about the secure option?
And if himem.sys changed, have a look at it - look if there's 
something that does not belong there. 

If that does not help, create a new checksum for Himem.sys. 

- -Wolfgang

- -
"finger weissel@moon.ph-cip.uni-koeln.de" for my PGP-Key, or mail me.

Verbietet Autos, Geiselgangster koennten damit fluechten!
   Outlaw cars, kidnappers might use them to escape!
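
What Wolfgang describes (a checksum on HIMEM.SYS, inspecting the file when the checksum no longer matches, and only then re-creating it) is the integrity-checker approach. The following is an added example written for this digest, not TBAV's code or its on-disk format; it keeps a digest baseline of a directory tree and reports what has changed, gone missing or appeared since. The file names and contents are constructed in a temporary directory to mirror the discussion.

```python
"""File integrity baseline and re-check, in the spirit of TBAV's checksums.

Added example for this digest; it is not TBAV's code or its on-disk
format.  A checker records a digest of each file once (the baseline)
and later reports what is changed, missing or new.  A changed system
file such as HIMEM.SYS then has to be explained: either a legitimate
update, after which the file is inspected and the baseline re-taken,
or something that does not belong there.  The files below are
constructed in a temporary directory; the names are chosen to mirror
the discussion, not taken from any real system.
"""
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files are not slurped."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Map each file under root (relative path) to (size, digest)."""
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            baseline[rel] = (os.path.getsize(path), file_digest(path))
    return baseline


def verify(root, baseline):
    """Compare the current tree against a baseline.

    Returns {relative path: "ok" | "changed" | "missing" | "new"}.
    The caller decides what to do; the checker only reports.
    """
    current = take_baseline(root)
    report = {}
    for rel, (_size, digest) in baseline.items():
        if rel not in current:
            report[rel] = "missing"
        elif current[rel][1] != digest:
            report[rel] = "changed"
        else:
            report[rel] = "ok"
    for rel in current:
        if rel not in baseline:
            report[rel] = "new"
    return report


def demo():
    """Take a baseline of three constructed files, alter the tree the way an
    infection or an unexpected edit would, and return the verify() report."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "HIMEM.SYS": b"XMS driver placeholder\n",
            "IO.SYS": b"kernel placeholder\n",
            "COMMAND.COM": b"shell placeholder\n",
        }
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = take_baseline(root)

        # Append to one file, delete another, add a third.
        with open(os.path.join(root, "HIMEM.SYS"), "ab") as f:
            f.write(b"; unexpected trailing bytes\n")
        os.remove(os.path.join(root, "COMMAND.COM"))
        with open(os.path.join(root, "NEWFILE.COM"), "wb") as f:
            f.write(b"arrived after baseline\n")

        return verify(root, baseline)


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print("%-12s %s" % (rel, status))
```

The baseline is only as trustworthy as the place it is stored: keep it where the machine being checked cannot rewrite it (a write-protected diskette, in the terms of this thread) and run the check after a clean boot, since a resident infector can hide the very change the checker is looking for.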

------------------------------

Date: Thu, 28 Mar 1996 23:19:41 +0000 (GMT)
From: Wolfgang Weisselberg <weissel@ph-cip.uni-koeln.de>
Subject: Re: TBAV says WIN95 CD infected? (WIN95)
X-Digest: Volume 9 : Issue 43

rkcling@netcom.ca, who is called Richard K.C. Ling wrote one day:

> my first session.  I finally did a full scan on my WIN95 CD and three
> files were revealed infected.  They are:
> 
> OTHER\CHANGE CP\1253.BIN
> WIN\95\OEMSETUP.BIN and
> WIN\95\SAVE32.COM
> 
> Can this be possible?

More info needed.
Which flags, which warnings, which viruses were identified?
What do AVP and F-Prot say?
Did you boot from a CLEAN, write-protected diskette and run TBAV off 
such a diskette?

- -Wolfgang

- -
"finger weissel@moon.ph-cip.uni-koeln.de" for my PGP-Key, or mail me.

Verbietet Autos, Geiselgangster koennten damit fluechten!
   Outlaw cars, kidnappers might use them to escape!

------------------------------

Date: Fri, 29 Mar 1996 04:47:52 +0000 (GMT)
From: F/WIN Anti-Virus Support/Ordering <fwin_sup@ix.netcom.com>
Subject: Re: What detects BOZA virus? (WIN95)
X-Digest: Volume 9 : Issue 43

In <0026.01I2UER2C1TGS24DPB@csc.canterbury.ac.nz> Christopher Jones
<cjones@dsddi.eds.com> writes: 

>news@dub-news-svc-5.compuserve.com wrote:
>
>> Which virus scanner can find this virus and can remove it ?
>
>Norton Anti-Virus 95 can detect this virus and remove it.

F/WIN Anti-Virus detects all known variations of BOZA, and will likely
detect any future versions, or other viruses that use a similar
infection scheme.  F/WIN doesn't tell you the name of the virus it
finds, but it may very well detect the presence of a virus in files
that some other scanners may miss.  Please feel free to download an
eval copy from our web site and try it out.

Gary Martin            
Computer Virus Solutions    E-mail:  fwin_sup@ix.netcom.com
Voice:   (614) 337-0995     Fax:     (614) 476-6884
WWW: http://www.entrepreneurs.net/fwin/index.htm 
Authorized Distributor of F/WIN Anti-Virus

------------------------------

Date: Thu, 28 Mar 1996 16:54 +0000 (GMT)
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Dr Solomon - Questions (WIN)
X-Digest: Volume 9 : Issue 43

In-Reply-To: <01I2V51VSHUQS24DPB@csc.canterbury.ac.nz>
The Toad <notpc@ix.netcom.com> writes:

> I would like to buy Dr Solomon's Anti-Virus Toolkit for
> Windows 3.x. From the reviews, it sounds like the best of the
> pack, at least from my perspective.  (For example, see the
> March/April 1996 Infosecurity News.)
> 
> But, for some reason that I can't readily fathom, I can't find
> answers to the following questions:
> 
> 1. HOW DO I BUY IT?
> 
> a. I have tried several obvious sources (eg, CompUSA and Computer
> City).  They not only don't have it in stock, it isn't even a
> "stock item."

I'm based in our UK office so I'm not as familiar with the shop names 
over in the States.  But I believe places like MicroWarehouse sell it.  
Alternatively contact our USA office directly (see my sig for details) 
and they'll be able to point you in the right direction.

> c. Is this something one must download?  If so, from where?

Nope - it's commercial software.  Although an evaluation version of Dr 
Solomon's FindVirus for DOS (one component of the Toolkit) is available 
for download from our website: http://www.drsolomon.com.  Remember this 
is only one of the tools in the Toolkit - the commercial software 
includes much much more.

> 2. HOW DO I GET UPDATES?

> a. I want to buy the Dr. Solomon pkg because McAfee will neither let
> me download updates to WScan/VShield any more, nor answer my e-mail
> queries as to what I must do to be able to obtain updates again, as
> I have been doing for nearly a year.
>
> b. Because of a. above, I want some assurance that there is a simple,
> straightforward process for getting Dr Solomon updates, before I "sign
> on" with S&SS.

We send the disks snail-mail to you each month or each quarter (depending 
on which subscription plan you take out with us).  They land - splat! - 
slap-bang in the middle of your desk each month begging you to install 
them.  That means they can't be ignored, and you don't have to keep on 
checking out a web/ftp site to see if a new version is available.

Hope that answers your questions.  You'll find a number of comparative 
reviews on our website: http://www.drsolomon.com/avtk/reviews

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Wed, 27 Mar 1996 21:36:19 +0000 (GMT)
From: Shane Coursen <scoursen@symantec.com>
Subject: Re: Possible memory-resident virus HELP! (PC)
X-Digest: Volume 9 : Issue 43

With the limited amount of information available, I'll have to make
a few assumptions...

>Rebel Assault II did a diagnostics check on my 'puter and it said I 
>only had 6.9 megs of RAM (normally 8).

You are probably loading a memory manager of some sort.  That memory
manager, in turn, is allocating some of your computer's memory as a 
type (expanded or extended) and is simply not reported by the 
Rebel Assault diagnostics program.

>Also, Norton AV wouldn't run (it said it needed 704 more bytes 
>of memory to run).

This refers to conventional memory (the first 640K.)  Typing "MEM /C"
will give you a summary of TSRs, devices, etc. that are currently 
loaded into this area.  It will also indicate how much conventional
memory is available.  Unloading some of the TSRs/devices or booting
clean (as you did) and then scanning will get around the
insufficient memory problem.

- - 
- --
Shane Coursen                                        Symantec Corporation
Computer Virus Researcher                http://www.symantec.com/avcenter
AntiVirus Research Center                                 CIS:  GO SYMWIN
scoursen@symantec.com                                           GO SYMNEW
      US Support:  541-465-8420                            AOL:  SYMANTEC
European Support:  31-71-353-111       Australian Support:  61-2-879-6577

------------------------------

Date: Wed, 27 Mar 1996 18:20:12 +0000 (GMT)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: Re: Virus??? (PC)
X-Digest: Volume 9 : Issue 43

In article <0009.01I2UER2C1TGS24DPB@csc.canterbury.ac.nz>
	   herb1@xs4all.nl "Herbert Slaghekke" writes:

> Can anyone tell me what the following message on my screen means?
>
> To see a world in grain of sand, and heaven in a wild flower
> Hold infinity in your hand
> And eternity in an hour
>
> The virus 16\3\91

Maltese Amoeba virus displays this message after it has 
triggered (March 15th and November 1st are the trigger dates).

> I have tried a clean boot disk. but it won't recognise my hard disk.

It also overwrites part of your hard disk when it triggers (the 
first 4 sectors on the first 30 cylinders).  This will render the 
disk unrecognisable to DOS, because the partition sector data is 
gone.  However, a good data recovery service could probably get 
most of your disk back, at a price.  Otherwise it is a case of 
reconfiguring your disk and restoring a backup (cheaper, if you
have the backup).

> My virusscanner is also unable to access my hard disk.

Good virus scanners will be able to scan (and maybe clean) 
viruses infecting the partition sector regardless of whether 
DOS recognises the disk, but won't be able to access the files.  
Maltese Amoeba is a file virus.  

Unfortunately, you are now dealing with a damaged partition 
sector, not an infected one, though the message you see is being 
displayed by code in the partition sector.  You need more than an 
anti-virus to recover from this, but you had better scan 
everything you have once you are running again, or it will 
happen again on November 1.

- -
WE CAN'T                    BUT WE DO SUPPLY
	PROVIDE YOU                         THE BEST DARN BAIT
		   WITH A DATE                                Burma-Shave

------------------------------

Date: Wed, 27 Mar 1996 21:15:59 +0000 (GMT)
From: Mike McCarty <jmccarty@sun1307.spd.dsccc.com>
Subject: Re: Possible new virus??? (PC)
X-Digest: Volume 9 : Issue 43

In article <0033.01I2JN95HN9ARI5O92@csc.canterbury.ac.nz>,
The One and Only  <robin@thunder.ocis.temple.edu> wrote:

)HELP! I think I have a virus and nothing is picking it up.
)
)My friend is having a similar problem.  
)
)My story:  I have Windows 3.1.  I was in File Mangler copying

[success story gone]

)My friend's story:  She is using Windows 95.  She turned on her computer
)one day and it came up with a HDD controller failure. She by-passed
)it and ran Norton which showed allocation errors in the FAT.

She probably had a hardware failure.

[stuff gone]

)Then the HDD control failures began to reoccur, so she tried
)booting with 3 different boot disks (DOS, WIN95bootdsk, WIN95startup)
)which worked 3 days ago, and it didn't recognize them as system
)disks.  She ran norton on the 3 disks and it showed that the
)system areas of the disks had been damaged beyond repair.
)Also, she tried to install a new IDE controller thinking that was
)the problem, but this did nothing.

She probably installed the new controller AFTER the discs had been
damaged. 

[pleas for help gone]

)[Moderator's note:  The second sounds like serious hardware problems to
)me.  The former, due to non-replication is likely "just one of those
)things".]

I concur.

Mike
- - 
- ---
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

I don't speak for DSC.         <- They make me say that.

------------------------------

Date: Wed, 27 Mar 1996 23:49:58 -0500 (EST)
From: Kenneth Albanowski <kjahds@kjahds.com>
Subject: Re: Viruses that damages hardware (PC)
X-Digest: Volume 9 : Issue 43

> [Moderator's note:  I disagree with this claim--it makes no difference
> whether the code is a function in a virus, a trojan horse or a worm, the
> issue being debated is -whether- hardware damage through the action of
> software is possible.  This discussion has diverged slightly to the
> -likelihood- of such damage ever being coded in a virus, but I see no
> reason why damaging hardware per se should be any more prone to inclusion
> in trojans than viruses.]

Trying to damage the video hardware requires both a larger amount of code
than one would normally need in a virus, and rather unusual behavior:
invoking the code is going to make the screen appear completely haywire,
on the off chance that this will damage the monitor.

My thought is that this would have slightly better survival
characteristics as a trojan horse than a virus -- a computer which
occasionally goes haywire for no explainable reason is one thing, while a
dumb little game that occasionally causes the computer to go haywire is
another. The latter can be attributed to a bug, while the former needs an
explanation.

In any case, since any attempt to damage the monitor in this way will
definitely produce such obvious results, I don't see how any virus, trojan
horse, or worm would have _significant_ survival rates in the first place,
if it attempted to damage any significant number of computers. (And the
number it actually _could_ damage would be a small fraction of the number
it _tried_ to damage. And the number it _would_ damage would be even
smaller, due to monitors being switched off quickly or turned off in the
first place.)

Most of this is just muttering about statistics. I don't have a strong
opinion one way or the other, but I doubt this will ever be a problem,
given current technology. Perhaps some other popular piece of hardware
will turn out to be susceptible, but that will have to be evaluated in its
own time.

- -
Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)

------------------------------

Date: Thu, 28 Mar 1996 08:32:13 -0500
From: Mike Michalowicz <ici@planet.net>
Subject: Re: Form Virus On A Lan (PC)
X-Digest: Volume 9 : Issue 43

D3lyr1uM? wrote:

> My lan at work is infected with the form virus, what will get rid of it?

The FORM virus is a boot sector virus.  So, if you have a Novell LAN for 
example, the virus will not infect the servers.

Removing this virus is pretty much like any other.  The following is the 
way our company proceeds in removal of this virus:
1. Backup data first! (Even though the backup is infected, improper 
removal of a boot sector virus may blow away your data and you'll need 
to restore).
2. Scan the workstation with a bootable, write-protected, clean McAfee 
scan disk (or other anti-virus package)
3. If a virus is detected, reboot PC with clean McAfee floppy.  Clean 
the infected drive with SCAN X: /CLEAN. In the case of FORM, use the SYS 
or FDISK /MBR command.
4. Once the virus is removed, reboot the PC again and scan.  It should be 
clean, but sometimes there are secondary viruses, if so repeat step 3.
5. Once the virus is off the PC, start work on the next PC

Be aware that the FORM virus usually comes via floppy disk.  So make 
sure ALL diskettes in your office are scanned and cleaned (if needed).

- Mike Michalowicz
Inter-Com, Inc.
P(201)252-1100
F(201)252-9119
ici@planet.net

[Moderator's note:  If backing up to floppies while a BSI/MBR virus is
active, be -very- careful!  Many popular backup programs use non-standard
diskette formats to get more data on diskette.  Unfortunately, many
viruses cause corruption of these diskettes as they do not properly deal
with the non-standard format.  Also, many BSI/MBR viruses arbitrarily
write to specific sectors on diskettes when infecting them, overwriting
whatever was there, and hence corrupting your backups if that's what is on
the diskette.]

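Why step 2 above uses a clean, write-protected scanner disk rather than simply
checking that the machine still boots, and why SYS is the repair for a DOS
boot sector infector: a virus of this kind typically replaces the loader code
in the boot sector but leaves the BIOS Parameter Block alone, so DOS keeps
mounting the volume and nothing looks wrong from the prompt.  The Python below
is an added example, not code from the post above or from any anti-virus
vendor.  It parses the BPB, fingerprints only the code region of the sector,
and compares that fingerprint against a known-good set.  The two 512-byte
sectors are constructed sample data, not images of real disks, and the
known-good hash set is an assumed stand-in for a scanner's signature database.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"

# Layout of a FAT12/FAT16 DOS boot sector.
BPB_START = 0x0B                     # BIOS Parameter Block follows the 3-byte jump and 8-byte OEM name
CODE_START, CODE_END = 0x3E, 0x1FE   # loader code and messages, up to the 0x55AA signature
BPB_FORMAT = "<HBHBHHBHHH"           # bytes/sector .. heads: the fields DOS needs to mount the volume


def parse_bpb(sector: bytes) -> dict:
    """Decode the BPB; raises ValueError if this is not a DOS boot sector at all."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    if sector[0] not in (0xEB, 0xE9):          # JMP SHORT / JMP NEAR over the BPB
        raise ValueError("no jump instruction at offset 0")
    if sector[-2:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    (bps, spc, reserved, fats, root_entries, total_sectors,
     media, sectors_per_fat, spt, heads) = struct.unpack_from(BPB_FORMAT, sector, BPB_START)
    return {
        "oem_name": sector[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "reserved_sectors": reserved,
        "fat_count": fats,
        "root_entries": root_entries,
        "total_sectors": total_sectors,
        "media_descriptor": media,
        "sectors_per_fat": sectors_per_fat,
        "sectors_per_track": spt,
        "heads": heads,
    }


def boot_code_fingerprint(sector: bytes) -> str:
    """Hash only the executable region: the BPB is data that an infector usually preserves."""
    return hashlib.sha256(sector[CODE_START:CODE_END]).hexdigest()


def boot_sector_status(sector: bytes, known_good: set) -> str:
    """'clean' if the code matches a known loader, 'unknown-code' if the BPB parses but the
    code matches nothing we trust, 'unparseable' if DOS could not mount it either."""
    try:
        parse_bpb(sector)
    except ValueError:
        return "unparseable"
    return "clean" if boot_code_fingerprint(sector) in known_good else "unknown-code"


def make_sample(code: bytes) -> bytes:
    """Constructed 1.44 MB FAT12 boot sector carrying the given loader code (sample data only)."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"               # JMP SHORT 0x3E; NOP
    sector[3:11] = b"MSDOS5.0"
    struct.pack_into(BPB_FORMAT, sector, BPB_START, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    sector[CODE_START:CODE_START + len(code)] = code
    sector[-2:] = BOOT_SIGNATURE
    return bytes(sector)


# The clean sector carries a stand-in loader.  The "infected" one keeps the BPB byte for byte
# but has different code where the loader was, which is exactly what DOS will not notice.
CLEAN_SECTOR = make_sample(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"Non-System disk or disk error\r\n")
INFECTED_SECTOR = make_sample(b"\x90" * 64 + b"CONSTRUCTED SAMPLE, NOT A REAL VIRUS")
KNOWN_GOOD = {boot_code_fingerprint(CLEAN_SECTOR)}   # assumed stand-in for a signature database

if __name__ == "__main__":
    for label, sec in (("clean floppy", CLEAN_SECTOR), ("suspect floppy", INFECTED_SECTOR)):
        print(label, boot_sector_status(sec, KNOWN_GOOD), parse_bpb(sec)["total_sectors"])
```

Both sample sectors parse to the same BPB, so a machine booted from either
would see the same 1.44 MB volume; only the code fingerprint tells them apart.
That is also why SYS (or, for an MBR infector, FDISK /MBR) is the right repair:
it rewrites the code region while leaving the BPB and the data alone.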
------------------------------

Date: Thu, 28 Mar 1996 09:04:03 -0500
From: Brian Ward <bward@stevens-tech.edu>
Subject: boot sector locked (PC)
X-Digest: Volume 9 : Issue 43

When I try to scan with NAV, I get a message that says boot sector locked 
by, a bunch of weird characters. I can then scan the files on the disk, 
but I can't scan the boot sectors. How can I unlock the boot sectors?

------------------------------

Date: Thu, 28 Mar 1996 08:58:47 -0500
From: STEVEN W MAY <SWM107@smtp.nwscc.sea06.navy.mil>
Subject: Re: Directory problem (PC)
X-Digest: Volume 9 : Issue 43

In Digest: Volume 9 : Issue 40 Mic Johnston <MIC@mpx.com.au> wrote:

>I have a directory that mirrors everything in the c: drive, and therefore
>becomes mirrored again and again and again etc. I have no idea how it got
>there, and I can't remove it because any file I remove from it is also
>removed from its directory under c: . 

I have seen this effect before.  It was not really a mirror, as it did not
take up disk space.  For some reason I could not recreate the situation:
a sub-directory was cross-linked to the root directory.  Therefore, if you
attempted to delete in the sub-directory, MSDOS would actually delete in
the root.  NDD fixed the problem for us then, SCANDISK probably would have
but we were using an older version of MSDOS at that time.

- -----------------------------------------------------------------
Steve May,                                      | What have you  |
CERFAS.SWM107@SMTP.NWSCC.SEA06.NAVY.MIL         | done that you  |
						| believe in and |
These views and opinions are strictly my own,   | are proud of?  |
they do not represent those of the Navy or the
US Government in any way.
- -----------------------------------------------------------------

------------------------------

Date: Thu, 28 Mar 1996 14:58:54 +0000 (GMT)
From: Jens Arnold <Jens.Arnold@Informatik.TU-Chemnitz.DE>
Subject: Help: The IHC-virus does its work! (PC)
X-Digest: Volume 9 : Issue 43

Dr Solomon's detected the IHC-Virus on our PC, but cannot
remove it... McAfee and F-PROT do not detect any virus (?).
The virus corrupts the FAT and changes some other parts
of the filesystem, so that we have to use "scandisk" every
time after booting the system to keep the filesystem "alive".
Does anybody have any information about this virus (called IHC by
Dr Solomon's), and how can we remove it? 

Notice: The DOS "format"-command cannot wipe this virus!

Thanks a lot for sending your help to

   jarn@informatik.tu-chemnitz.de
or
   tschn@fbkws2.forst.tu-dresden.de

------------------------------

Date: Thu, 28 Mar 1996 16:36 +0000 (GMT)
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Virus??? (PC)
X-Digest: Volume 9 : Issue 43

In-Reply-To: <01I2UER2C1TGS24DPB@csc.canterbury.ac.nz>
Herbert Slaghekke <herb1@xs4all.nl> writes:

> Can anyone tell me what the following message on my
> screen means?
>
> To see a world in grain of sand, and heaven in a wild flower
> Hold infinity in your hand
> And eternity in an hour
>
> The virus 16\3\91

It is the message displayed by Maltese Amoeba virus.

Here is the description from Dr Solomon's:

Maltese Amoeba

Type:  Memory-resident file virus.

Affects:  COM and EXE files on execution, COM files must be between 450 
and 63000 bytes.

File growth:  2498 to 2565 bytes.

Description:
The virus is polymorphic which makes it more difficult for scanners to 
detect.

The virus includes the following text (partly taken from William Blake's 
poem Auguries of Innocence):

 To see a World in a Grain of Sand,
 And a heaven in a Wild Flower,

 Hold Infinity in the palm of your hand,
 And Eternity in an hour.
 THE VIRUS 16/3/91

The following text is also included:

AMOEBA virus by the Hacker Twins (C) 1991 This is nothing, wait for the 
release of AMOEBA II-The universal infector, hidden to any eye 
but ours! Dedicated to the University of Malta - the worst educational 
system in the universe, and the destroyer of 5x2 years of human life.

On November 1st and March 15th the payload is triggered on ATs and above. 
This overwrites the first four sectors, starting from (0,0,1), and 
repeats this on cylinders 1 to 29.  This is repeated on all floppy 
drives.  The next time the computer is started the poem is displayed.

> I have tried a clean boot disk. but it won't recognise my hard disk.
> My virusscanner is also unable to access my hard disk.
> What to do?

Unfortunately it sounds like the virus payload has triggered on your 
computer.  Do you have an image backup of your hard disk to restore from? 
If not you will need to rebuild the system areas of your hard disk before 
you can access them again.

A decent anti-virus product would have been able to warn you of this 
virus infection before it could do this much harm. :-(

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

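To make the numbers in the description above concrete, and to show why Iolo
Davidson's reply distinguishes a damaged partition sector from an infected one,
here is an added example in Python.  It is not code from either post, nor from
Dr Solomon's.  It maps the payload's CHS addresses to logical sectors, builds a
small constructed disk image holding a partition sector and one DOS partition,
overwrites the payload's footprint, and then reports what a clean boot or a
scanner would find afterwards.  Assumptions made here and nowhere in the
posts: "starting from (0,0,1)" is read as head 0 of each cylinder, the drive
geometry is 16 heads by 63 sectors per track, and the DOS partition starts at
cylinder 0, head 1, sector 1 (the usual MS-DOS FDISK layout).

```python
import struct

SECTOR = 512
SIGNATURE = b"\x55\xaa"
PART_TABLE = 0x1BE                     # four 16-byte partition entries, then the signature
ENTRY_FORMAT = "<B3sB3sII"             # boot flag, CHS start, type, CHS end, LBA start, sector count


def chs_to_lba(cyl: int, head: int, sector: int, heads: int, spt: int) -> int:
    """BIOS geometry to logical sector: sectors are 1-based, heads and cylinders 0-based."""
    if not 1 <= sector <= spt or not 0 <= head < heads:
        raise ValueError("CHS address outside the drive geometry")
    return (cyl * heads + head) * spt + (sector - 1)


def amoeba_footprint(heads: int, spt: int, cylinders: int = 30, per_cyl: int = 4) -> set:
    """Logical sectors hit by a payload that overwrites sectors 1..4 of head 0 on cylinders
    0..29, as the description above reads (head 0 is this example's assumption)."""
    return {chs_to_lba(c, 0, s, heads, spt) for c in range(cylinders) for s in range(1, per_cyl + 1)}


def parse_partitions(mbr: bytes) -> list:
    """Non-empty entries of the partition table; ValueError if the sector is not a valid MBR."""
    if len(mbr) != SECTOR or mbr[-2:] != SIGNATURE:
        raise ValueError("not a valid partition sector")
    parts = []
    for i in range(4):
        boot, _chs0, ptype, _chs1, start, count = struct.unpack_from(ENTRY_FORMAT, mbr, PART_TABLE + 16 * i)
        if ptype == 0:
            continue
        if boot not in (0x00, 0x80):
            raise ValueError(f"entry {i}: bad boot indicator 0x{boot:02x}")
        parts.append({"type": ptype, "start_lba": start, "sectors": count, "active": boot == 0x80})
    return parts


def make_sample_disk(heads: int, spt: int) -> dict:
    """Constructed sparse disk image {lba: 512 bytes}: an MBR plus the DOS boot sector of one
    primary partition that starts at (0,1,1).  Sample data only, not a real drive."""
    dos_start = chs_to_lba(0, 1, 1, heads, spt)
    mbr = bytearray(SECTOR)
    mbr[0:2] = b"\xFA\xEB"                                    # stand-in for master boot code
    # CHS fields are left zero; this example reads only the LBA fields of the entry.
    struct.pack_into(ENTRY_FORMAT, mbr, PART_TABLE, 0x80, b"\0\0\0", 0x06, b"\0\0\0",
                     dos_start, 1000 * heads * spt - dos_start)
    mbr[-2:] = SIGNATURE
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x3C\x90"                                # a DOS boot sector starts with a jump
    vbr[-2:] = SIGNATURE
    return {0: bytes(mbr), dos_start: bytes(vbr)}


def trigger_payload(disk: dict, heads: int, spt: int) -> dict:
    """Model the trigger: every sector in the footprint is overwritten (with 0xFF here)."""
    hit = amoeba_footprint(heads, spt)
    return {lba: (b"\xff" * SECTOR if lba in hit else data) for lba, data in disk.items()}


def assess(disk: dict, heads: int, spt: int) -> dict:
    """What a clean-booted DOS sees (the partition sector) versus what a recovery tool can
    still find (the DOS boot sector at its conventional position)."""
    result = {"partition_sector_ok": False, "dos_boot_sector_ok": False}
    try:
        result["partition_sector_ok"] = bool(parse_partitions(disk[0]))
    except ValueError as exc:
        result["reason"] = str(exc)
    vbr = disk.get(chs_to_lba(0, 1, 1, heads, spt), b"")
    result["dos_boot_sector_ok"] = len(vbr) == SECTOR and vbr[:1] == b"\xEB" and vbr[-2:] == SIGNATURE
    return result


if __name__ == "__main__":
    HEADS, SPT = 16, 63                   # assumed geometry, not the poster's drive
    before = make_sample_disk(HEADS, SPT)
    after = trigger_payload(before, HEADS, SPT)
    print("sectors overwritten:", len(amoeba_footprint(HEADS, SPT)))
    print("before:", assess(before, HEADS, SPT))
    print("after: ", assess(after, HEADS, SPT))
```

With this geometry the payload touches 120 sectors, and the very first of them
is logical sector 0, the partition sector, which is why neither DOS nor a
scanner booted clean can find the drive afterwards.  The DOS boot sector on
head 1 is outside the footprint, which is the sense in which most of the data
is still there for a recovery service or a rebuilt partition table to reach.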
------------------------------

Date: Wed, 27 Mar 1996 19:33:45 +0000 (GMT)
From: Billy <e9325010@stud1.tuwien.ac.at>
Subject: !DELWINBOOT.sys (PC)
X-Digest: Volume 9 : Issue 43

does anybody know something about the "delwinboot.sys" - virus?

tnx in advance.

		  Billy ( e9325010@stud1.tuwien.ac.at )

------------------------------

Date: Fri, 29 Mar 1996 00:15:04 +0000 (GMT)
From: Eleu <deleu@finland.it.earthlink.net>
Subject: lingering effects of Doom2Death (PC)
X-Digest: Volume 9 : Issue 43

My computer was infected with the Doom2 Death virus, which McAfee
wiped out. However, I can no longer run WordPerfect 6.0a, even after
wiping it off my hard drive and reinstalling it from the master disks.
Everything else I have runs fine, although I did have some corrupted
files (which haven't caused any problems that I can discern). As I am
not a computer genius, I would appreciate any help that anyone could
give me.

[Moderator's note:  WP for Windows 6.0a?  If so, what is the error when
running WP?  Does it GPF soon after startup?  If so it may be that your
.BIF file is one of the corrupted files.  The default location for this is
the Windows directory, so trashing the whole WP dir and reinstalling will
still likely see the .BIF file not replaced.]

------------------------------

Date: Thu, 28 Mar 1996 19:43:10 -0500
From: MIKE6099@aol.com
Subject: Stoned virus in blocked out partition of HD--help!!! (PC)
X-Digest: Volume 9 : Issue 43

We have a computer lab of aged 286's running dos 6.00 at our school.  At
my school we've had an infection of the stoned virus.  We ran msav ( I
know outdated virus software but this is a catholic school ;) )  We
uninfected the disks but stoned still came up.  We booted from a
uninfected disk and issued the commands: fdisk /mbr and sys C:.  We booted
up again, ran AV, and it was STILL there.  Frustrated, we did a low level
format of the drive.  We installed software from write protected disks,
ran AV and, surprise, there was our good old friend (sarcastically) Stoned.

I found out that the donor of our aged 286's ran a network.  And part of
the hard drive is blocked off somehow.  We think that the virus is hiding
the MBR or something in there because nothing we do will get rid of it. 
ANY help would be greatly appreciated.  If you know the solution please
email me at 

Mike6099@aol.com

------------------------------

Date: Fri, 29 Mar 1996 01:57:34 +0000 (GMT)
From: Harrison Shao <hshao@ix.netcom.com>
Subject: Re: Tai_Pan438 Virus (PC)
X-Digest: Volume 9 : Issue 43

watcher <bud@varyloose.com> writes:

> Can someone give me some info on this little bug.

It's not known to me, but it's cleanable by PC-cillin 95 and it lives in high
memory.

------------------------------

Date: Thu, 28 Mar 1996 20:55:15 -0500
From: Ken Bell <syklb@babylon.giss.nasa.gov>
Subject: Re: Directory problem (PC)
X-Digest: Volume 9 : Issue 43

In article <0030.01I2V51VSHUQS24DPB@csc.canterbury.ac.nz>,
A.Appleyard <A.APPLEYARD@fs2.mt.umist.ac.uk> wrote:

>In a previous article, MIC@mpx.com.au (Mic Johnston) says:
>
>> I have a directory that mirrors everything in the c: drive, and therfore
>> becomes mirrored again and again and again etc. I have no idea how it got
>> there, and I can't remove it because any file I remove from it is also
>> removed from its directory under c: .
>
>This happened here at work once. Something wrote a copy of the C:\ root
>directory into a subdirectory as a directory entry. This created a
>directory tree with one of its twigs going down and round underneath and
>becoming its trunk again. (This was normal on the old Prime mainframe,
>where each diskpack's root directory was stored under itself under the
>name MFD, but it is NOT normal with PC's.) Norton Disk Doctor should sort
>it out. Or try the DOS command Scandisk, if you have DOS >= 6.20.

I found exactly that last week on a PC that, coincidentally ;-) had
several cracked/pirated games on it.  There were 4 directories that
actually pointed to the root directory, and we noticed it because, as
described in the original post, F-Prot just kept scanning, and
scanning, and scanning ...

When I did a DIR /S on any of these directories, it was clear what had
happened, as we got the expected recursive listing, just as F-Prot did.

Inspection (via Norton's NU) of the DOS directory entries in each case
showed that the directories in question simply had "0" as the starting
cluster.

My simple-minded fix was to:

	1.  Create a dummy directory (via MKDIR FOO).

	2.  Edit (via Norton's NU) the DOS directory entries for each
	    of the "strange" directories so that the starting cluster
	    was the same as that for the dummy directory FOO.

	3.  Check (via DIR) that the directories no longer pointed
	    to the root directory.

	4.  Remove each of the directories (via RMDIR).

My original suspicion was that these directories were not created by
accident, but that the intent was to trick an unsuspecting user into
saying "What's all that?  I don't need that junk!" and then deleting
the entire DOS filesystem.

The names of these spurious directories were:

	\ACCLAIM
	\JAMTE
	\NBAJAM
	\xxxxxx\NBAJAM

(where "xxxxxx" above was a real user's directory, in which some of the
cracked/pirated software was found).

I'd be very interested in hearing of similar recent experiences, as my
suspicion is that it's the work of a Trojan Horse program (no virus was
found on the PC).

- - 
Ken Bell :: syklb@giss.nasa.gov :: (212)-678-5516 (voice), 678-5552 (fax)
======== :: kenbell@panix.com   :: (212)-475-4976 (voice)

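The cross-linked directory that Steve May, A. Appleyard and Ken Bell describe
has a precise signature on FAT12/16: a subdirectory entry whose starting
cluster is 0, which the file system resolves as the root.  The Python below is
an added example, not code from any of the posts.  It decodes 32-byte FAT
directory entries, lists the entries that loop back to the root, and applies
Ken Bell's fix of repointing such an entry at another cluster so RMDIR will
remove it instead of emptying C:\.  The directory entries are constructed
sample data that borrow two names from Ken Bell's post; the cluster numbers and
sizes are invented for the example.  The check skips "." and "..", since ".."
legitimately holds cluster 0 when the parent directory is the root.

```python
import struct

ENTRY = 32
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F          # all four of read-only, hidden, system, volume: a long-name fragment
DELETED = 0xE5


def parse_entries(raw: bytes) -> list:
    """Decode 32-byte FAT directory entries up to the end-of-directory marker."""
    entries = []
    for off in range(0, len(raw) - len(raw) % ENTRY, ENTRY):
        rec = raw[off:off + ENTRY]
        if rec[0] == 0x00:                              # no further entries in this directory
            break
        if rec[0] == DELETED or (rec[11] & ATTR_LFN) == ATTR_LFN:
            continue                                    # deleted slot or long-name fragment
        name = rec[0:8].decode("ascii", "replace").rstrip()
        ext = rec[8:11].decode("ascii", "replace").rstrip()
        hi, lo, size = struct.unpack_from("<H4xHI", rec, 20)   # cluster high word, skip times, low word, size
        entries.append({
            "offset": off,
            "name": f"{name}.{ext}" if ext else name,
            "is_dir": bool(rec[11] & ATTR_DIRECTORY),
            "first_cluster": (hi << 16) | lo,           # FAT12/16 leave the high word zero
            "size": size,
        })
    return entries


def find_root_loops(raw: bytes) -> list:
    """Names of subdirectory entries that resolve to the root (first cluster 0).
    '.' and '..' are skipped: '..' legitimately holds 0 when the parent is the root."""
    return [e["name"] for e in parse_entries(raw)
            if e["is_dir"] and e["first_cluster"] == 0 and e["name"] not in (".", "..")]


def repoint(raw: bytes, name: str, new_cluster: int) -> bytes:
    """Ken Bell's fix on the raw directory bytes: give the looping entry another cluster."""
    buf = bytearray(raw)
    for e in parse_entries(raw):
        if e["name"] == name:
            struct.pack_into("<H", buf, e["offset"] + 26, new_cluster & 0xFFFF)
            return bytes(buf)
    raise KeyError(name)


def make_entry(name: str, ext: str, attr: int, cluster: int, size: int = 0) -> bytes:
    """Constructed directory entry (sample data for this example, not from the affected PC)."""
    rec = bytearray(ENTRY)
    rec[0:8] = name.encode("ascii").ljust(8)
    rec[8:11] = ext.encode("ascii").ljust(3)
    rec[11] = attr
    struct.pack_into("<H", rec, 26, cluster)
    struct.pack_into("<I", rec, 28, size)
    return bytes(rec)


# A root directory with two entries looping back to the root (names from the post, clusters invented).
SAMPLE_ROOT = b"".join([
    make_entry("DOS", "", ATTR_DIRECTORY, 2),
    make_entry("GAMES", "", ATTR_DIRECTORY, 17),
    make_entry("ACCLAIM", "", ATTR_DIRECTORY, 0),
    make_entry("NBAJAM", "", ATTR_DIRECTORY, 0),
    make_entry("CONFIG", "SYS", 0x20, 5, 312),
]) + b"\x00" * ENTRY

# A subdirectory directly under the root: its '..' entry holds 0 and must not be flagged.
SAMPLE_SUBDIR = b"".join([
    make_entry(".", "", ATTR_DIRECTORY, 17),
    make_entry("..", "", ATTR_DIRECTORY, 0),
    make_entry("README", "TXT", 0x20, 18, 1024),
]) + b"\x00" * ENTRY

if __name__ == "__main__":
    print("root loops:", find_root_loops(SAMPLE_ROOT))        # ['ACCLAIM', 'NBAJAM']
    print("subdir loops:", find_root_loops(SAMPLE_SUBDIR))    # []
    print("after fix:", find_root_loops(repoint(SAMPLE_ROOT, "ACCLAIM", 40)))
```

On a real disk the input is the root directory region read with a sector
editor such as the Norton Utilities mentioned above; this example repoints
each looping entry at a distinct cluster rather than sharing one dummy
directory, so that removing one of them does not free a cluster another entry
still references.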
------------------------------

Date: Thu, 28 Mar 1996 18:25:19 -0800
From: Harrison Shao <hshao@ix.netcom.com>
Subject: Re: 10b7 (PC)
X-Digest: Volume 9 : Issue 43

Stephen E. Clarke <slcfv@cc.usu.edu> wrote:

> Does anyone know if any other virus detection program currently detects
> and cleans the 10b7 virus besides microsoft anti-virus.  Also I recently
> purchased Warcraft 2 and it appears that the save game files become
> corrupted with this virus directly from the game executable.  Has anyone
> else experienced this.

I have Warcraft 2 but I didn't get any problems. Get PC-cillin95. It 
monitors everything for known and unknown viruses.

------------------------------

Date: Fri, 29 Mar 1996 02:33:26 +0000 (GMT)
From: Wayne Riddle <riddler@agate.net>
Subject: Re: 10b7 (PC)
X-Digest: Volume 9 : Issue 43

"Stephen E. Clarke" slcfv@cc.usu.edu wrote:

>Does anyone know if any other virus detection program currently detects 
>and cleans the 10b7 virus besides microsoft anti-virus.  Also I recently 
>purchased Warcraft 2 and it appears that the save game files become 
>corrupted with this virus directly from the game executable.  Has anyone 
>else experienced this.

If MSAV can detect and clean a virus, any other of the better ones
will also be able to do the same. Take a look at ThunderBYTE, Dr.
Solomon's, F-Prot, or AVP for starters.

Wayne Riddle
riddler@agate.net
http://www.agate.net/~riddler

------------------------------

Date: Fri, 29 Mar 1996 03:58:22 +0000 (GMT)
From: Keith Richmond <keith@vcn.bc.ca>
Subject: HELP!!! Form virus..how to remove? (PC)
X-Digest: Volume 9 : Issue 43

Can anyone recommend a virus program or any other method to get rid of 
the "Form" virus? It came up on my fiancée's computer. She runs Windows 
95. 

- -

Keith Richmond    | "David Schreck should have his mouth |  Go Canucks!
Aldergrove, BC    |  washed out with soap." - Rafe Mair  | Go Grizzlies!
- -----------------+--------------------------------------+--------------
Mt. Baker Toppers | cdn@infoserve.net or keith@vcn.bc.ca |   SPEBSQSA

------------------------------

Date: Fri, 29 Mar 1996 04:58:37 +0000 (GMT)
From: F/WIN Anti-Virus Support/Ordering <fwin_sup@ix.netcom.com>
Subject: Re: Winword/Scanprot/FProt questions (PC)
X-Digest: Volume 9 : Issue 43

>What is BAD is, F-Prot still finds the string in the .DOC files and still
>reports them as infected with the CONCEPT virus.
>
>My guess is that we either need a newer version of F-Prot, or a newer
>version of the "scanprot" macro from Microsoft.  Has anybody else run
>into this problem?
>
>Currently, the workaround is that we run fprot with the /nodoc parameter
>- but I would like to know when DOC files are actually infected.  There's
>gotta be a better way!

I can't speak for the other AV vendors, but the reason that any
AV product might have this problem is because in most cases, in
order to remove the virus, only the macro definitions list is
being overwritten in the templates, not the virus code itself. 
This approach is effective in rendering the virus ineffective,
but it does leave behind some of the scan strings that could be
picked up.  To put it more plainly, this is similar to removing
the Table of Contents from a book.  The rest of the book is
there, but it's going to be real hard to find what you're
looking for in the book when the TOC is gone.  Except that with
Word, it's virtually impossible for it to ever find the
executable code again.  The virus or trojan is effectively
wiped.

F/WIN Anti-virus is the only non-macro based AV product that we are
aware of that is able to clean both the macro definitions list, AND the
virus code itself.  This feature is available only in the registered
version.  F/WIN has 3 levels of heuristic scanning for macro
viruses/trojans, and two levels of cleaning.  It can wipe just the
macro definitions list, or it can also wipe the virus code itself. 
Because some Word templates can be highly fragmented internally, F/WIN
will occasionally leave a template unreadable after the deeper cleaning
(wipes both areas), and in even rarer cases on the more shallow
cleaning.  However, backup copies are made of all templates that are
cleaned with either method, so that an alternative approach can be
tried if the clean doesn't work.  

I know that we have tested F/WIN against files that have only had the
macro definitions list removed, but still have the virus code present. 
We have not yet experienced any situations in which F/WIN triggered a
false alarm on such templates, because F/WIN checks to make sure that
the macro definitions list is present before looking for any virus
code.  

Please e-mail or call me if you have further questions.  

Gary Martin            
Computer Virus Solutions    E-mail:  fwin_sup@ix.netcom.com
Voice:   (614) 337-0995     Fax:     (614) 476-6884
WWW: http://www.entrepreneurs.net/fwin/index.htm 
Authorized Distributor of F/WIN Anti-Virus

------------------------------

Date: Fri, 29 Mar 1996 08:40:35 +0200
From: Antonio Godinho <antonio@nambu.uem.mz>
Subject: Multiple boot sector infections (PC)
X-Digest: Volume 9 : Issue 43

I have had several problems of multiple boot sector infections on my
computers and have never managed to clean them. Does anyone know if
and how it can be done? From what I gathered the infections were of
the UNASHAMED and ANTIEXE.a viruses. I tried using Dr. Solomon's
toolkit 7.56, F-prot 222 and  Thunderbyte 6.38 but all these failed.
Since I did not have access to the Hard disks in any of the cases, I
had to fdisk and reformat the hard disks.

If anyone has any ideas, I would really like to hear them.

Thanks in advance.

************************ Antonio Godinho
*  This  signature  is * Address:Av. Julius Nyerere 947 3rd floor esq 
*  part of a  program. * Maputo - Mozambique
*  Please do not alter * Phone  : 258-1-490741
*  it    in    anyway. * e-mail : ANTONIO@nambu.uem.mz
************************

------------------------------

Date: Fri, 29 Mar 1996 06:37:27 +0000 (GMT)
From: "Missie . . ." <msmissie@usa.pipeline.com>
Subject: ANTI-CMOS virus (PC)
X-Digest: Volume 9 : Issue 43

I work at home as a medical transcriptionist, contracted to a medical
transcription agency.  One day they sent me an anti-virus disk with a note
that stated they had found the Anti-CMOS virus running amok in their
office, and that I should use this disk to scan my computer.   

Being as I rarely download anything, and never exchange disks, I didn't
scan my drive right away, thinking that all was okay.  Then one day,
shortly after I installed win95, I decided to test out the Start-UP disk
that was created when I installed Win95 (windows upgrade cd rom version). 
It was then all my problems started.  The FAT got all scrambled, files
were everywhere, however the computer was usable.  I then ran scandisk and
fixed all that mess, and had a zillion *.chk files, so I downloaded McAfee's
antivirus program, and ran that and it found the Anti-CMOS virus in the
boot sector and in a few other files on the hard drive.  It could fix the
other files, but not the boot sector ones.  I then scanned a few disks I
had lying around, and the win95 start-up disk was infected, and an old dos
6.2. boot disk that I had made a year ago was infected.   

I then reinstalled win95, and all has worked fine ever since, and McAfee's 
virus scan no longer reports the C-MOS virus.   

Is it possible it was a false-positive finding,and that a simple re-
install of the win95 fixed everything ??  Was it something the win95
STARTUP disk did to alter boot record that could have caused the false
positive?? I'm terrified now to ever use a win95 start-up disk...

Any thoughts on any of this would be appreciated...thankx !! 

- - 

Missie. . . 

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 43]
*****************************************


