Message-Id: <01I38O2643KKSH3CBI@csc.canterbury.ac.nz>
Date: 	Sun, 07 Apr 1996 00:13:11 +1200 (NZT)
Reply-To: virus-l@Lehigh.EDU
Sender: owner-virus-l@Lehigh.EDU
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>
Subject: VIRUS-L Digest V9 #44
MIME-version: 1.0
Content-transfer-encoding: 7BIT
X-Sender: cctr132@cantva.canterbury.ac.nz
X-Listprocessor-Version: 7.2 -- ListProcessor by CREN

VIRUS-L Digest    Sunday, 7 Apr 1996    Volume 9 : Issue 44

Today's Topics:

VB96 Conference Submissions
Re: Mcafee support stinks
Help with Croatia virus
Re: Mcafee support stinks
Help Possible Virus
Re: QUESTION: Email Viruses
had antiexe now lost "d" drive (NT)
Re: Floppy Disk TSR scan software (PC)
Re: Good Mac Virus Software (MAC)
Is this a VIRUS? (WIN95)
Re: AntiEXE triggers McAfee problems? (WIN95)
Re: TBAV says WIN95 CD infected? (WIN95)
Re: Devices disappearing--virus? (WIN95)
Re: TBAV says WIN95 CD infected? (WIN95)
Re: Did Michelangelo Virus Wipe this PC's Hard Drive? (PC)
Re: Winword/Scanprot/Fprot questions (PC)
Re: Tai_Pan438 Virus (PC)
Recommended A-V software (PC)
Re: Could this be a virus? (PC)
Re: Date set to 2096--virus?? (PC)
Trabajo_hacer.b Virus (PC)
ripper virus (PC)
Re: RITT.6917 virus--false positive from SCAN 2.2.11? (PC)
Re: 10b7 (PC)
Junki Virus: Infection (PC)
mem = 639K (PC)
Re: Virus??? (PC)
Re: Readiosys - is it real? (PC)
Intermittant Problems with No Apparent Cause (PC)
Re: Virus??? (PC)
Re: LAN-based virus protection advice wanted (PC)
Re: Disappearing Partitions (PC)
NAV updates (PC)
Re: Winword/Scanprot/FProt questions (PC)
636k total base memory...virus? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Fri, 29 Mar 1996 15:43:05 +0000 (GMT)
From: Ian Whalley <ian@virusbtn.com>
Subject: VB96 Conference Submissions
X-Digest: Volume 9 : Issue 44

Virus Bulletin is in the process of finalising the timetable for its sixth
annual conference [VB96], and is interested in receiving submissions on
further topics, amongst which are:

* Macro viruses: beyond Word
* Writing virus-proof Macro environments
* Virus exchange over the Internet
* Viruses in Java
* Virus exchange bulletin boards
* Virus spread on Massive Area Networks (NetWare 4+)
* Scanning transformed files (e.g. ZIP, MIME, PGP [!] etc.)

Anyone interested is invited to submit a brief abstract either to me or to 
Alexandra Hothersall (Conference Coordinator) on ah@virusbtn.com.  The 
conference takes place on 19/20 September, 1996, at the Grand Hotel in 
Brighton, England.  Abstracts should be received on or before April 5th
1996.

Best,

Ian.

- -----------------------------------------------------------------------------
|---Ian Whalley, Editor, Virus Bulletin Magazine---|-Author of Project VGrep-|
|-Direct/Office/Fax: +44-1235-544039/555139/531889-|-virus name xref system--|
|-Key CRC: 2A02 96E5 5D77 4C8D EB22 146F E03B A0D3-|-Get it from the web at:-|
|-Unix/NT/W95/Win32/C/x86/Sed/Awk/Perl/Sh/Html/VBA-|http://www.virusbtn.com/ |
- -----------------------------------------------------------------------------

------------------------------

Date: Fri, 29 Mar 1996 10:33:47 -0700
From: Jim Powlesland <powlesla@acs.ucalgary.ca>
Subject: Re: Mcafee support stinks
X-Digest: Volume 9 : Issue 44

In article <0012.01I2UER2C1TGS24DPB@csc.canterbury.ac.nz>,
lf  <leaf@ix.netcom.com> wrote:

>I bought VirusScan 95, and my current version recognizes me as a
>licensed user.  Whenever I try to update it from FTP site, I get a
>"thank you for evaluating message" when I run the updated version, and
>it no longer recognizes me as a licensed user.  Over a month period, I
>have sent four emails to support@mcafee.com, without response.  I'm
>ready to dump the program and try Norton.  Any suggestions?

Just download the dat* file updates (i.e., dat-9603.zip) and
install them. It will update your licensed executables and not
change them to the non-licensed evaluation versions.


- - 
Jim Powlesland                  | OFFICE:  403-220-7937
University Computing Services   | MESSAGE: 403-220-6201
University of Calgary           | FAX:     403-282-9199
Calgary, Alberta CANADA T2N 1N4 | URL: http://www.ucalgary.ca/~powlesla/

------------------------------

Date: Sat, 30 Mar 1996 02:58:42 +0000 (GMT)
From: ggaziano@capecod.net
Subject: Help with Croatia virus
X-Digest: Volume 9 : Issue 44

Does anyone have any info on the Croatia virus or know of an AV
program to clean it?

Thanks

Ggaziano@capecod.net

------------------------------

Date: Sat, 30 Mar 1996 00:22:29 +0000 (GMT)
From: Robert Michael Slade <rslade@vcn.bc.ca>
Subject: Re: Mcafee support stinks
X-Digest: Volume 9 : Issue 44

lf (leaf@ix.netcom.com) wrote:

: it no longer recognizes me as a licensed user.  Over a month period, I
: have sent four emails to support@mcafee.com, without response.  I'm
: ready to dump the program and try Norton.  Any suggestions?

This course of action is known as "out of the frying pan and into the 
fire"  :-)

Try F-PROT, Dr. Solomon's, or VET.

------------------------------

Date: Sat, 30 Mar 1996 02:54:21 +0000 (GMT)
From: Syahrul Sazli Shaharir <ssazli@hrsb563.resnet.upenn.edu>
Subject: Help Possible Virus
X-Digest: Volume 9 : Issue 44

After I run certain programs, everything crashes one by one.. (popup
message appears: "[program name] encounters an error (or something like
that), the application will be closed"), and after a few more clicks the
Explorer fails (with the same popup message) and then Win 95 crashes. If
this is a virus problem, what apps can be used to kill it? Thanks.

Sazli
ssazli@eniac.seas.upenn.edu

------------------------------

Date: Fri, 29 Mar 1996 21:58:36 -0500
From: Doug Muth <dmuth@oasis.ot.com>
Subject: Re: QUESTION: Email Viruses
X-Digest: Volume 9 : Issue 44

In article <0002.01I2UER2C1TGS24DPB@csc.canterbury.ac.nz>, Greg Rice writes:

: I'm wondering, why isn't an email virus possible?  I read that no one
: really needs to worry about loading an email message from a service
: like AOL or Compuserve and receiving a virus on their home PC. 
: Wouldn't it be possible to write code that is an attached .EXE file and
: is called into downloading itself by the 'read mail' action of the
: service provider?

	To clarify, if someone had a UNIX shell account on an ISP and had 
something set up so that attachments are automatically decoded, execution 
wouldn't be practical.  You see, under UNIX, a program must be compiled 
from its source (usually C) on each system since each system has 
different hardware and different versions of UNIX.  Therefore, this rules 
out problems with shell accounts.

: I realize that if there was such a code, it would be service provider
: specific, but it seems plausible.

	The other scenario, which would require a SLIP/PPP connection, 
wouldn't be ISP specific, but rather specific to the machine of the 
user.  The user could configure his machine, most likely running 
MS-DOS/Windoze/Win 95 to decode and execute (no compilation required 
here, just send the binary) attachments.  In this respect, it is possible 
for a file infecting virus to be transmitted via e-mail.  However, it 
would be extremely STUPID of the user to configure their software to run 
EXEs in this manner.

	My apologies for going off-topic with the explanation of UNIX, 
etc. but I felt it would help me make clear exactly what I was trying to say.

	Regards,

- -
- -<Doug Muth>---<dmuth@ot.com>--| Finger dmuth@oasis.ot.com for
- --<http://www.ot.com/~dmuth>---| PGP public key and geek code
Anti-virus software and utils:  | The Transformers fanfiction:
~dmuth/virus/virus.html         | ~dmuth/tf/tf.html
-=-=-=-=-=-"Linux - The choice of a GNU generation"-=-=-=-=-=-

------------------------------

Date: Sun, 31 Mar 1996 04:46:15 +0000 (GMT)
From: Jeff Jarrell <jsj@metronet.com>
Subject: had antiexe now lost "d" drive (NT)
X-Digest: Volume 9 : Issue 44

This is the history:

1. Got new PC.
2. The 1.6 gig disk was formatted as 1 drive="c"
3. Wanted to partition disk so used FIPS, a Linux utility
   to make c:=900 meg and d:=600 meg.
4. Installed Windows NT on c: and formatted d: as a NTFS.
5. Was infected by antiexe.
6. Mcafee for NT detected it but couldn't remove it.
7. Norton for NT detected it and removed it.
8. Re-booted pc and now all I have is a C: drive 900 meg.
9. FDISK says it is 1.6 gig.

Anyone have any ideas? Please. I've learned my lesson the hard
way. I will invest in anti-virus software. Hopefully my negligence
by not having protection earlier didn't cost me 600 meg of my drive.

Sincerely,

Jeff

------------------------------

Date: Sun, 31 Mar 1996 03:16:36 +0000 (GMT)
From: Benedict Tam <BTAMHS@cxair.com>
Subject: Re: Floppy Disk TSR scan software (PC)
X-Digest: Volume 9 : Issue 44

Warwick Mortensen <wam@data3.com.au> wrote:

>I was wondering what's the best Anti Virus program on the 
>market that will scan a floppy disk when you put it in the 
>drive? It must be the TSR that does the scan.  Not a menu 
>driven program.

NAV; it scans A:

Cheers.

------------------------------

Date: Fri, 29 Mar 1996 09:56:02 +0000 (GMT)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: Good Mac Virus Software (MAC)
X-Digest: Volume 9 : Issue 44

Joerg Erdei (a8101gbb@helios.edvz.univie.ac.at) wrote:

: On non-networked Macs, installing the free Disinfectant is sufficient in
: most cases (but it cannot scan compressed files).

Nor does it detect (or claim to detect) hypercard infectors, macro
viruses, or trojans. However, it does a good job on other viruses, it's
very well-behaved, and includes excellent on-line documentation.

David Harley

------------------------------

Date: Fri, 29 Mar 1996 07:56:33 +0000 (GMT)
From: aver@isomedia.com
Subject: Is this a VIRUS? (WIN95)
X-Digest: Volume 9 : Issue 44

I am having a problem with various programs in Win95 with 32 meg of ram
on a Pentium 133. Including NewsXpress 2.0, Netscape 2.0, Pc-Cillian 95
mIRC 3.92, Mplayer and Explorer.

My problem is that they keep performing an illegal function and locking
up the program; here are some of the errors that I have gotten while 
running them. Is this some kind of virus (though I have run McAfee, Norton
and Pc-cillin 95 without finding any) or a memory problem? Any clues as to
how to fix this would be really helpful.

			   Error #1

NX caused an invalid page fault in
module NX.EXE at 0137:0041e8de.
Registers:
EAX=00000000 CS=0137 EIP=0041e8de EFLGS=00010202
EBX=00dfff78 SS=013f ESP=00dffbd8 EBP=00dffbe4
ECX=00000000 DS=013f ESI=0080b070 FS=0d8f
EDX=81a8db56 ES=013f EDI=0080b044 GS=0000
Bytes at CS:EIP:
8a 04 01 88 03 43 ff 47 28 66 ff 4d 10 75 eb 33 
Stack dump:
004204a9 00000008 81559478 00dfff94 004204ff 0080b044 00dfff78
00000002 004204a9 00000008 81559478 00000000 00000000 00000000
00000000 00000000  

				  Thanks,
					       Jen
					       aver@isomedia.com

[Moderator's note:  Jen submitted eight more stack dumps I haven't posted. 
Anyone keen on deciphering them should contact Jen for more details.]

------------------------------

Date: Fri, 29 Mar 1996 07:10:06 -0500
From: "Bob Witham Jr." <robert.l.witham.jr@state.me.us>
Subject: Re: AntiEXE triggers McAfee problems? (WIN95)
X-Digest: Volume 9 : Issue 44

J.Gonzalez wrote:

> I just came across the AntiEXE virus.  One of my users detected it on
> a floppy he had and brought it up to me because his antivirus software
> could not remove it (cheyenne's Inoculan).  I have the newest
> VirusScan for Windows95 from Mcafee.  I placed the disk in my system,
> right mouse clicked on the B: drive icon and selected "Scan for Virus".
> BOOM, I got a weird, DOS-like screen saying that it had detected the
> AntiEXE virus and gave me the option of cleaning it, which I did.
> Right after, I clicked on the B: drive icon again and my computer
> locked up.  So, I just tossed the disk.  Now, my computer has been
> crashing repeatedly.  Naturally I have Mcafee's scanner running all
> the time, I even scanned my entire harddrive, but my PC's still acting
> weird.  Has anyone else had this problem?  What can I do?  HELP!

There is apparently a problem with the SCAN95 cleanup of ANTIEXE.  It 
seems to corrupt the diskette.  The best method of cleaning any virus is 
to cold-boot from a clean DOS diskette, and use SCAN A: /CLEAN to get 
rid of the infection.  SCAN.EXE and the data files are found in the 
SCAN95 directory C:\Program Files\McAfee

I had a similar problem, and someone else reported the problem here a 
few weeks ago.  At that time, one of the McAfee reps said he was going 
to look into it.  I haven't heard anything from them since, but then I 
have not checked the BBS for a WIN95 update either.

Bob W.

------------------------------

Date: Fri, 29 Mar 1996 16:45:31 +0000 (GMT)
From: Vegas Griff <kwiagrif@nicoh.com>
Subject: Re: TBAV says WIN95 CD infected? (WIN95)
X-Digest: Volume 9 : Issue 44

"Richard K.C. Ling" <rkcling@netcom.ca> wrote:

>Hi!  I just recently bought and set-up a DELL P166.  After virus
>warnings from a 32-bit TBAV under WIN95, I killed the affected files
>and re-installed WIN95.  Two of the same warnings appeared again during
>my first session.  I finally did a full scan on my WIN95 CD and three
>files were revealed infected.  They are:

>OTHER\CHANGE CP\1253.BIN
>WIN\95\OEMSETUP.BIN and
>WIN\95\SAVE32.COM

I have been having a similar problem using TBAV for Win95 Ver.700! I
am getting Heuristic flags on several files either residing on, or
newly installed, from the MS Win95 upgrade CD ROM. I am not a virus
expert, but I think common sense would indicate that the Win95 install
CD is probably NOT INFECTED. If it is, then you and I, and about 250
trillion other Win95 users are done for! And if that is the case, why
fight it? There would be no escape from a virus like that!!!!

Below please find three separate log reports from scans I ran this
morning. Please note that when I scan the CD ROM directly, I get
different results depending on whether I have selected "Full Scan All
Drives", or "Scan CD ROM Only"! Go Figure......? 


VIRUS SCAN #1     Scan CD ROM ONLY (E:\)
**************************************************************************
TBAV for Windows 95 - (C) Copyright 1989-1996, Thunderbyte B.V.

TBAV for Windows 95 virus detection report, 29-3-1996 08:33:10.

      ** Unregistered evaluation version. Do not forget to register!
**

E:\OTHER\CHANGECP\1253.BIN might be infected by an unknown virus 


Found 1552 files in 273 directories, 112 files seem to be executable.

1 files are infected by one or more viruses.


VIRUS SCAN #2    Scan LOCAL DRIVES (C:\, D:\)
**************************************************************************
TBAV for Windows 95 - (C) Copyright 1989-1996, Thunderbyte B.V.

TBAV for Windows 95 virus detection report, 29-3-1996 08:35:22.

      ** Unregistered evaluation version. Do not forget to register!
**

D:\WIN95\INF\DRVIDX.BIN might be infected by an unknown virus 

D:\WIN95\INF\DRVDATA.BIN might be infected by an unknown virus 

D:\WIN95\COMMAND\SYS.COM might be infected by an unknown virus 
F Suspicious file access.  Might be able to infect a file. 
Z EXE/COM determination.  The program tries to check whether a file 
  is a COM or EXE file.  Viruses need to do this to infect a program. 

D:\WIN95\SYSTEM\UNICODE.BIN might be infected by an unknown virus 


Found 12924 files in 652 directories, 625 files seem to be executable.

4 files are infected by one or more viruses.


TBAV for Windows 95 - (C) Copyright 1989-1996, Thunderbyte B.V.


VIRUS SCAN #3   Scan ALL FIXED DRIVES  (C:\, D:\, E:\)
**************************************************************************
TBAV for Windows 95 virus detection report, 29-3-1996 08:37:24.

      ** Unregistered evaluation version. Do not forget to register!
**

D:\WIN95\INF\DRVIDX.BIN might be infected by an unknown virus 

D:\WIN95\INF\DRVDATA.BIN might be infected by an unknown virus 

D:\WIN95\COMMAND\SYS.COM might be infected by an unknown virus 
F Suspicious file access.  Might be able to infect a file. 
Z EXE/COM determination.  The program tries to check whether a file 
  is a COM or EXE file.  Viruses need to do this to infect a program. 

D:\WIN95\SYSTEM\UNICODE.BIN might be infected by an unknown virus 

E:\OTHER\CHANGECP\1251.BIN might be infected by an unknown virus 

E:\OTHER\CHANGECP\1252.BIN might be infected by an unknown virus 

E:\OTHER\CHANGECP\1253.BIN might be infected by an unknown virus 

E:\OTHER\CHANGECP\XLAT737.BIN might be infected by an unknown virus 

E:\OTHER\MISC\EPTS\PTS.BIN might be infected by an unknown virus 

E:\OTHER\OLDMSDOS\SIZER.EXE might be infected by an unknown virus 
c No checksum / recovery information (Anti-Vir.Dat) available. 
A Suspicious Memory Allocation.  The program uses a non-standard 
  way to search for, and/or allocate memory. 
K Unusual stack.  The program has a suspicious stack or an odd stack. 

E:\WIN95\SAVE32.COM might be infected by an unknown virus 
c No checksum / recovery information (Anti-Vir.Dat) available. 
M Memory resident code.  The program might stay resident in memory. 
U Undocumented interrupt/DOS call.  The program might be just tricky 
  but can also be a virus using a non-standard way to detect itself. 
@ Encountered instructions which are not likely to be generated by 
  an assembler, but by some code generator like a polymorphic virus. 


Found 14476 files in 924 directories, 737 files seem to be executable.

11 files are infected by one or more viruses.
**************************************************************************

Sincerely
Griffith C. Kwiat

[In other words, what you would expect if you ran a fairly paranoid
heuristic virus scan over a CD of new OS software for your platform??--
Moderator.]
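To make sense of reports like the three above, it helps to pull out which heuristic flags TBAV actually attached to each path and to compare what two scan scopes reported for the same drive. This is an added example, not code from the post or from Thunderbyte; the report excerpts are constructed from the format posted above (with the paths the poster listed), the flag table covers only the letters that appear in these reports, and the regexes are assumptions about the report layout.

```python
"""Parse TBAV for Windows 95 report text of the form posted above and triage
the per-file heuristic flags.  Added example; regexes assume the posted layout."""

import re
from collections import OrderedDict

# Flag letters that appear in the posted reports, with TBAV's own wording
# paraphrased.  TBAV's full flag alphabet is not reproduced here.
HEURISTIC_FLAGS = {
    "F": "suspicious file access",
    "Z": "EXE/COM determination",
    "A": "suspicious memory allocation",
    "K": "unusual stack",
    "M": "memory resident code",
    "U": "undocumented interrupt/DOS call",
    "@": "instructions unlikely to come from an assembler",
}
INFO_FLAGS = {"c": "no checksum / recovery information (Anti-Vir.Dat)"}

FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?)\s+might be infected by an unknown virus$")
FLAG_RE = re.compile(r"^(?P<flag>[A-Za-z@#!?$%&])\s+\S")   # one flag char, space, text


def parse_report(text):
    """Return {path: [flag letters]} in report order.

    A file line opens an entry; single-letter flag lines directly under it are
    collected; indented continuation text is ignored; a blank line closes the entry.
    """
    findings = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            current = None
            continue
        m = FILE_RE.match(line)
        if m:
            current = m.group("path")
            findings[current] = []
            continue
        m = FLAG_RE.match(line)
        if m and current is not None:
            findings[current].append(m.group("flag"))
    return findings


def triage(findings):
    """Split findings into {path: heuristic flags} and the list of paths that carry
    no heuristic flag at all (nothing, or only the 'c' checksum note)."""
    evidence, no_evidence = OrderedDict(), []
    for path, flags in findings.items():
        heur = [f for f in flags if f in HEURISTIC_FLAGS]
        if heur:
            evidence[path] = heur
        else:
            no_evidence.append(path)
    return evidence, no_evidence


def scope_diff(report_a, report_b, drive):
    """Paths on `drive` reported by one scan but not the other; the poster saw
    different results for the same CD depending on the scan scope selected."""
    prefix = drive.upper()
    a = {p for p in parse_report(report_a) if p.upper().startswith(prefix)}
    b = {p for p in parse_report(report_b) if p.upper().startswith(prefix)}
    return sorted(a ^ b)


# Constructed excerpts in the posted report format (scan #1 and scan #3 above).
SCAN1_EXCERPT = r"""TBAV for Windows 95 virus detection report, 29-3-1996 08:33:10.

E:\OTHER\CHANGECP\1253.BIN might be infected by an unknown virus 

Found 1552 files in 273 directories, 112 files seem to be executable.

1 files are infected by one or more viruses.
"""

SCAN3_EXCERPT = r"""TBAV for Windows 95 virus detection report, 29-3-1996 08:37:24.

D:\WIN95\INF\DRVIDX.BIN might be infected by an unknown virus 

D:\WIN95\COMMAND\SYS.COM might be infected by an unknown virus 
F Suspicious file access.  Might be able to infect a file. 
Z EXE/COM determination.  The program tries to check whether a file 
  is a COM or EXE file.  Viruses need to do this to infect a program. 

E:\OTHER\CHANGECP\1253.BIN might be infected by an unknown virus 

E:\OTHER\OLDMSDOS\SIZER.EXE might be infected by an unknown virus 
c No checksum / recovery information (Anti-Vir.Dat) available. 
A Suspicious Memory Allocation.  The program uses a non-standard 
  way to search for, and/or allocate memory. 
K Unusual stack.  The program has a suspicious stack or an odd stack. 

E:\WIN95\SAVE32.COM might be infected by an unknown virus 
c No checksum / recovery information (Anti-Vir.Dat) available. 
M Memory resident code.  The program might stay resident in memory. 
U Undocumented interrupt/DOS call.  The program might be just tricky 
  but can also be a virus using a non-standard way to detect itself. 
@ Encountered instructions which are not likely to be generated by 
  an assembler, but by some code generator like a polymorphic virus. 
"""

if __name__ == "__main__":
    evidence, no_evidence = triage(parse_report(SCAN3_EXCERPT))
    print("flagged with heuristics:", dict(evidence))
    print("reported with no heuristic flag:", no_evidence)
    print("E: paths differing between scan #1 and #3:",
          scope_diff(SCAN1_EXCERPT, SCAN3_EXCERPT, "E:"))
```

Paths that come back with no flag letters at all (DRVIDX.BIN, 1253.BIN) give the reader nothing to act on, which is one more reason to treat such hits on fresh install media as candidates for the vendor's false-positive queue rather than as infections.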

------------------------------

Date: Fri, 29 Mar 1996 19:32:06 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Devices disappearing--virus? (WIN95)
X-Digest: Volume 9 : Issue 44

Douglas Grimes <grimes@airmail.net> writes:

>Last month I was running Disk Defragmenter under Windows 95 after 
>terminating all running programs when it reported an error and locked up 
>my PC.  The error was something like this, 'The file retrieved has 
>changed.'  Then I ran Scandisk to check for errors.  It reported that it 
>found an error and fixed it.  I ran Scandisk again to check if it really 
>corrected the error.  Scandisk reported the same error again.  I let 
>this go on for a couple of days when I started losing my devices - my 
>hard drives, CD-ROM, sound card, video card, etc..  During this time 
>when I pulled up the Control Panel it was taking up to 10 minutes to 
>open.  So, I decided to reformat my drives and reinstall my software.  
>After a couple days the same symptoms started to show up again.  I 
>purchased a copy of McAfee's Virus Scan 95 and ran it.  Virus Scan 
>reported that no virus was found.  I finally did an unconditional 
>format and reloaded all of my software.  To this day I have not had any 
>other problems.
>
>I am a system engineer and have a good technical knowledge. So, I am 
>positive that I did not do anything 'Stupid'.  Some of my programmer 
>friends thought, based on the symptoms, sounded like I had a new virus 
>they heard about called SATAN.  Could this have been a virus or is this 
>some strange thing under Win95?  If so, which one?  Is there such a 
>thing called the Satan Virus, because I have never heard of it? 

My experience with disappearing devices says that at some point, you
converted your Win95 to not use 32-bit access and most of the devices
in Win95 have drivers that rely on 32-bit access.

You will have this experience if you also get hit by a boot sector virus.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Fri, 29 Mar 1996 19:31:14 +0000 (BUE)
From: ruben@ralp.satlink.net
Subject: Re: TBAV says WIN95 CD infected? (WIN95)
X-Digest: Volume 9 : Issue 44

Wed, 20 Mar 1996 17:01:00 +0000 (GMT) "Richard K.C. Ling"
<rkcling@netcom.ca> Wrote:

>Hi!  I just recently bought and set-up a DELL P166.  After virus
>warnings from a 32-bit TBAV under WIN95, I killed the affected files
>and re-installed WIN95.  Two of the same warnings appeared again during
>my first session.  I finally did a full scan on my WIN95 CD and three
>files were revealed infected.  They are:
>
>OTHER\CHANGE CP\1253.BIN
>WIN\95\OEMSETUP.BIN and
>WIN\95\SAVE32.COM
>
>Can this be possible?

Yes. But it seems more likely to be a false positive.
Remember that TBAV has some flags that can be set to make it
more sensitive (high heuristics, for example) or not.

As a rule I suggest ALL THE PEOPLE WHO HAVE SIMILAR PROBLEMS to send the 
"suspicious files" directly to the author of the program.

I suppose that this helps the AV industry so much and gives special
feedback to AV writers.

Regards

Ruben Arias
- ------------------------------------------------------------------------------
 Ruben M. Arias                                _   _      _                    
					      | ) |_| |  |_)                   
					      | \ | | |_ |                     
 E-Mail: Ruben@RALP.Satlink.net                                                
 Buenos Aires - ARGENTINA            RALP - Computer Security - Virus          
- ------------------------------------------------------------------------------

------------------------------

Date: Fri, 29 Mar 1996 02:41:23 -0500
From: "Bruce P. Burrell" <bpb@umich.edu>
Subject: Re: Did Michelangelo Virus Wipe this PC's Hard Drive? (PC)
X-Digest: Volume 9 : Issue 44

Mike Blackwell (mike.blackwell@pnn.com) wrote:

> I'm a Mac user (please, no flames :), and need help diagnosing a friend's
> PC problem. She has a 286, and doesn't know how much RAM or HD space she
> has, so I'd assume it's whatever's standard. 

   No such thing as "whatever's standard", I'm afraid, though some 
configurations are more likely than others.  Shouldn't matter in this 
case, though.

> Recently, she recalls hearing
> strange sounds from the hard drive, and the next time she booted, her hard
> drive was empty: a "DIR" command revealed no files.

   This was after booting from the hard drive?  And she succeeded in 
reaching a DOS prompt, right?  She wasn't just looking at a screen with 
nothing on it (at all!),  just typing DIR in the hopes of getting 
something, I'm assuming.

> The computer store that sold it to her told her she'd been struck by the
> Michelangelo virus, which, as I understand it, is programmed to go off on
> a certain date (March 6?) and delete the hard drive directory. 

   Worse than that.  Michelangelo, if booted on March 6th of any year,
will attempt to overwrite the first 17 sectors of the first 4 heads of the
first 256 cylinders of the first hard drive.  Most all hard drives have at
least that many sectors, heads, and cylinders, so 8.5MB gets zapped,
including the Master Boot Record and a lot of other stuff.  Since there is
no Partition Table, none of the partitions will be accessible;  hence
attempting to boot from the hard drive will fail totally, and a floppy
boot followed by DIR C: will probably result in "Invalid drive
specification". 

> However, the virus had to have been on the hard drive to begin with,
> since she has no modem, 

   Can't get Michelangelo over the modem, though other viruses can be
transferred that way, albeit rarely. 

> and by her admission, she hasn't used a floppy in a couple of years.

   At **all**?  I believe her if she says it, but that strikes me as
unlikely. I should point out that it suffices to spread Michelangelo to a
hard drive by having an infected diskette in the A: drive when the machine
is booted, whether by intent or power surge.  Doesn't have to be a
"bootable" floppy either. 

> One would think Michelangelo would have struck 12 months ago, 

   Not necessarily; the computer would have had to have been *booted* on
that day, not just left on.  Also, if that one infected floppy was in the
A: drive at any time during the subsequent year when the machine was
booted, the virus would have invaded after March 6th '95 anyway. 

> so I'm having trouble accepting a viral diagnosis. 

   I don't necessarily have a problem with a viral diagnosis, but if she
described the situation correctly as you've portrayed it, then I reject
the possibility of a _Michelangelo_ infection.  Were that the case, one
could never get to the C: prompt on a hard drive boot to type DIR, and I
suspect if the hard drive didn't show up at all she would have mentioned
that. 

> She has no anti-viral, diagnostic, recovery, or backup software of her
> own, so I advised her to leave the machine turned off and wait until I can
> learn something. 

   Reasonable suggestion.  There are several topnotch AV software 
packages available on the 'Net; some are even free for individual, 
non-commercial use.

> I suggested she get a second opinion from another store,
> but at $25 per opinion, I don't blame her for being loath to do so.

   If it's Michelangelo, a recovery will be expensive in one way or 
another.  If she decides to do it herself, it will cost time and a lot of 
agony.  If she decides to pay a professional, she'll find her purse a lot 
lighter. And if she just starts over from scratch, that's expensive in 
its own right.

   But the symptoms described are not those of Michelangelo.
 
> While I'm a consultant for Macs, I have only a rudimentary knowledge of
> the PC world, and would appreciate any advice you can offer. Thanks in
> advance for your input. E-mail replies are preferred; I read too many
> newsgroups already. :)

   Done, as well as a 'News followup.  Sorry not to do so sooner; it just 
appeared on my newsserver.

   -BPB
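The CHS extent given above (17 sectors, 4 heads, 256 cylinders) can be mapped onto LBA ranges for a given drive geometry, which is what you need when assessing damage or planning a recovery: the total is 8.5 MB whatever the geometry, but only on a 4-head/17-sector drive is it one contiguous prefix, and the MBR and the first partition's boot sector fall inside it either way. This is an added example, not code from the post; the geometries used are assumed example values and the CHS-to-LBA formula is the classic BIOS one.

```python
"""Map Michelangelo's March-6 overwrite (first 17 sectors of the first 4 heads
of the first 256 cylinders, as described in the post) onto LBA ranges."""

from dataclasses import dataclass

SECTOR_BYTES = 512

# Extent of the payload in CHS terms, as stated in the post.
PAYLOAD_CYLINDERS = 256
PAYLOAD_HEADS = 4
PAYLOAD_SECTORS = 17


@dataclass(frozen=True)
class Geometry:
    """Assumed example drive geometry: heads per cylinder, sectors per track."""
    heads: int
    sectors: int

    def lba(self, cyl: int, head: int, sector: int) -> int:
        """Classic BIOS CHS -> LBA conversion (sector numbers are 1-based)."""
        return (cyl * self.heads + head) * self.sectors + (sector - 1)


def overwritten_ranges(geo: Geometry):
    """Sorted, merged [start, end) LBA ranges the payload overwrites on `geo`.

    On a 4-head/17-sector drive the ranges coalesce into one 8.5 MB prefix; on a
    larger geometry the same amount of data is hit, but as a 17-sector slice at
    the start of every track of the first four heads in the first 256 cylinders.
    """
    heads = min(PAYLOAD_HEADS, geo.heads)        # a drive with fewer heads loses less
    sectors = min(PAYLOAD_SECTORS, geo.sectors)
    ranges = []
    for cyl in range(PAYLOAD_CYLINDERS):
        for head in range(heads):
            start = geo.lba(cyl, head, 1)
            ranges.append((start, start + sectors))
    merged = []
    for start, end in sorted(ranges):
        if merged and merged[-1][1] == start:    # adjacent: extend previous range
            merged[-1] = (merged[-1][0], end)
        else:
            merged.append((start, end))
    return merged


def bytes_overwritten(geo: Geometry) -> int:
    """Total bytes zapped: the post's 8.5 MB for any drive with >= 4 heads and
    >= 17 sectors per track."""
    return sum(end - start for start, end in overwritten_ranges(geo)) * SECTOR_BYTES


def structures_hit(geo: Geometry) -> dict:
    """Which key on-disk structures lie in the overwritten area.

    The MBR/partition table is CHS 0/0/1 (LBA 0); under the DOS convention the
    first partition's boot sector sits at CHS 0/1/1, the start of head 1.
    """
    ranges = overwritten_ranges(geo)

    def hit(lba: int) -> bool:
        return any(start <= lba < end for start, end in ranges)

    return {
        "mbr": hit(0),
        "first_partition_boot_sector": hit(geo.lba(0, 1, 1)),
    }


if __name__ == "__main__":
    for geo in (Geometry(heads=4, sectors=17), Geometry(heads=16, sectors=63)):
        print(geo, f"{bytes_overwritten(geo) / 2**20:.1f} MiB zapped in",
              len(overwritten_ranges(geo)), "range(s);", structures_hit(geo))
```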

------------------------------

Date: Fri, 29 Mar 1996 13:15:30 +0000
From: Szappanos Gabor <szapi@reak.bme.hu>
Subject: Re: Winword/Scanprot/Fprot questions (PC)
X-Digest: Volume 9 : Issue 44

In Digest: Volume 9 : Issue 39 "Charles M. Robinson"
<charles.m.robinson@medtronic.com> wrote:

>We've had a major spreading of the Winword/Concept virus here at work.
>The latest version of FProt (2.21) finds .DOC files with this macro
>virus just fine.
>
>The problem is this:  We've downloaded the "scanprot" file from
>Microsoft which scans all .DOC files and "cleans" them of this macro
>virus.  Lo and behold, the documents no longer affect the operation of
>Word.  This is good.
>
>What is BAD is, F-Prot still finds the string in the .DOC files and
>still reports them as infected with the CONCEPT virus.

I think that SCANPROT did not really disinfect the documents, only
saved them as documents. It means that the macros are physically 
present in the file but since it is not a template any more, they are
"disconnected", never executed.  F-PROT still finds the 
search strings in the documents since the macros were not actually 
removed.

>My guess is that we either need a newer version of F-Prot, or a newer
>version of the "scanprot" macro from Microsoft.  Has anybody else run
>into this problem?
>
>Currently, the workaround is that we run fprot with the /nodoc
>parameter - but I would like to know when DOC files are actually
>infected.  There's gotta be a better way!

You can open the documents with Word (don't worry about the auto macros;
they won't be executed in a document) and save them as templates. Then you
can either manually delete the macros (with Tools|Macro) or disinfect
with F-PROT. 

Szapi

------------------------------

Date: Fri, 29 Mar 1996 07:20:01 -0500
From: Bill lambdin <vfreak@skn.net>
Subject: Re: Tai_Pan438 Virus (PC)
X-Digest: Volume 9 : Issue 44

>Can someone give me some info on this little bug.

Taipan.438 is an infector of .EXE files. The virus is appended to the
files. Infected files grow in size by 438 bytes. It hooks INT 21h, and
steals 496 bytes of RAM. The virus is not stealthed, polymorphic,
encrypted, or deliberately destructive.

You can find the following text in the infected files, "WHISPER PRESENTRAR
TAIPAN"

	Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net                     PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                          C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Fri, 29 Mar 1996 07:20:04 -0500
From: Bill lambdin <vfreak@skn.net>
Subject: Recommended A-V software (PC)
X-Digest: Volume 9 : Issue 44

I recommend the following scanners.

AVP
Dr. Solomon's Anti-Virus Toolkit (commercial)
F-Prot 
Integrity Master
Norman Data Defence (commercial)
Scan
TBAV

I recommend the following generic virus detectors.

ARF A-V utilities
F-Prot Professional (commercial)
Integrity Master
PC-cillin (commercial)
PC-Rx (commercial)
Untouchable (Commercial, but no longer supported)
Victor Charlie.

	Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net                     PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                          C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Fri, 29 Mar 1996 13:54:06 +0000 (GMT)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: Could this be a virus? (PC)
X-Digest: Volume 9 : Issue 44

Gail Rider Craig (Mac.NewsWatcher@epix.net) wrote:

: A friend asked me for help on this and I was hoping I could find some
: answers for him here.  He has a 386 running a custom database for his
: work.  There were 8 mgs left on the hard disk and his son tried to install
: Borland Visual Turbo C++ which was supposed to be only 4 mgs.  

It may not be relevant to the problem, but I wonder which product has 
actually been installed here? Visual C++ sounds like Microsoft (takes
a lot more than 4Mb for a minimum installation, as does Borland C++). I
don't have recent experience of Turbo C++, but 4Mb still sounds light.
Even my aged Turbo C vs. 2 takes up the best part of 2Mb.

Could this have been the Borland Visual Solutions Pack? I've never heard
of Borland being implicated in any virus spreading incident: if the disks
are original disks, previously unused or, if used, write-protected, the
risk of any virus infection from them is negligible.

: Half way
: through the installation, he received a hard disk error message and quit
: the installation.

I assume this is a disk read/write error. This could be due to
* The installation routine needing more space than was available to unpack
  compressed files. This is particularly likely on a compressed drive, where
  the amount of drive space left can not be calculated to the last byte but
  changes dynamically. If it's not a compressed drive, it's less likely, at
  least with a Borland installation, which are usually pretty well-written.
* A hardware problem with the drive.

Viruses don't usually generate this sort of problem when they *infect*,
though they might when they *trigger*. 

: The next time the computer was booted up, it had changed the load
: sequence, 

Do you mean it was running the same programs in a different order, or that
it wasn't running everything it ought to? If the latter, this might well
be explained by a

: changed the color of the screen, 

Is that in applications, or at the DOS prompt? It may be that ANSI.SYS 
was installed previously, and used to change the screen colours at the
DOS prompt. In that case, it's likely from the description of the symptoms
here that either CONFIG.SYS or AUTOEXEC.BAT has been lost or modified.

:asks for the date and time each
: time you boot up 

That sounds like a missing AUTOEXEC.BAT. It may have been trashed while
the installation routine was trying to modify it. Look for files in the
root directory with names like AUTOEXEC.BAK, AUTOEXEC.001 etc.: it may be
possible to put it back together fairly painlessly from that. It may be
worth checking if CONFIG.SYS is there at the same time, and if not, seeing
if it can be reassembled from CONFIG.BAK etc.

: and appears to have erased some of the custom database
: files.

Have you actually checked that the files are physically there? If you're
getting FILE NOT FOUND or something similar, it may be the required files
are no longer on the command path, which would be a likely consequence of
a trashed AUTOEXEC.BAT. 

: Is this a virus and, if it is, what program can he purchase to clean it up?

Not impossible, but not the likeliest problem. However, he should certainly
invest in some virus protection. It's possible to get some excellent 
shareware/freeware packages, but perhaps in this case it would be worth
buying a reputable commercial package with printed manual, monthly or 
quarterly updates, and proper telephone support. I'd suggest F-Prot Pro
or Dr. Solomon's AntiVirus ToolKit. However, I'll mail you an FAQ with 
some resources information. The FAQ for this newsgroup is also well worth
reading (and referenced in the FAQ I'm sending you).

You should also consider the possibility that the hard disk is either
physically damaged in some way or has sustained damage to the directory
structure. Depending on which version of DOS/Windows he may be running,
you could start by running SCANDISK or CHKDSK to see if they report any
errors. If so, it may be appropriate to ask for further advice before
accepting any suggestions of remedial action offered by those programs.
By all means mail me, if you wish.

: If you could respond directly to my e-mail address it would help me
: facilitate this for him since I can't always access the newsgroups.  

Done.

David Harley
Support & Security Analyst
ICRF

------------------------------

Date: Fri, 29 Mar 1996 14:08:35 +0000 (GMT)
From: "Steven C. Zinski" <szinski@urvax.urich.edu>
Subject: Re: Date set to 2096--virus?? (PC)
X-Digest: Volume 9 : Issue 44

In article <0031.01I2V51VSHUQS24DPB@csc.canterbury.ac.nz>, 
bc6571@scs.ubbcluj.ro says...

>Does anyone know of a virus that sets the date & time control forward?
>(ex: to 2096). If you try to set back the date your c: drive's FAT will be 
>damaged. The only way (that I found) to correct this error is: reboot from
>a floppy and run the NDD.EXE and some of the files will be damaged, OR set
>the time back to 2096 !?
>
>I tried to find the "bug" with F-Prot 2.21 and Tbav650 without success.
>I need emergency help.
>
>(My battery isn't dead!)

I work at a university and have come across numerous instances of the date 
jumping ahead 100 years. Unlike your problem, we (University Computing)
have never had a problem setting the date back to the correct year.

We have a suspicion that the problem is caused by a buggy program. We
regularly use Eudora, WinQVT, Netscape, Trumpet Winsock and Word Perfect
(Perfect Office). We also have F-PROT and VIRSCAN loaded on the affected
machines and no virus has ever been detected. Changing the date back to
1996 seems to fix the problem.

If you are able to nail down the cause of this problem, PLEASE let us
know!

					--Steve

------------------------------

Date: Fri, 29 Mar 1996 11:00:58 -0500 (EST)
From: Richard Buchanan <Richard_Buchanan_at_BOSA01@ed.gov>
Subject: Trabajo_hacer.b Virus (PC)
X-Digest: Volume 9 : Issue 44

Our network is showing occasional infections of
"trabajo_hacer.b" (MBSR virus), which is the name given by
Norman Data Defense Systems v.3.50 ("espejo" by F-PROT).

I have heard some "rumors" that the virus must be removed by
April or it will cause some HD damage.
Have you heard anything; when/where created and if there is
anything to the "rumor" concerning April?

Appreciation in advance for your efforts.

Richard Buchanan

------------------------------

Date: Fri, 29 Mar 1996 11:52:16 -0500
From: Peter Young-Hong <pyoung-hong@dynamic.ca>
Subject: ripper virus (PC)
X-Digest: Volume 9 : Issue 44

I have a ripper virus.

I tried using FPROT to clean the virus.  However, FPROT returns the 
message "ALERT!  Multiple sections infection have been found.  This 
means that the section which should contain the original boot sector is 
itself infected.  FPROT will not attempt to remove the virus."  Can I 
clean this virus without formatting my hard drive?

Thanks in advance.
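
The alert F-Prot prints above describes the classic failure case for a boot-sector disinfector: the virus moved the original boot sector to another sector, and that stash sector has since been overwritten (here, by a second infection), so restoring it would write garbage over sector 0. As an added example, not F-Prot's code and not Ripper's real on-disk layout (the stash location, the infection marker and the 512-byte sectors themselves are constructed for illustration), this Python sketch shows the checks a disinfector should make before it restores a saved sector, and why refusing is the right answer when they fail:

```python
"""Sanity checks before restoring a saved "original" boot sector.

Added example.  The stash sector number, the MARKER string and the sector
contents are constructed; they are not Ripper's real behaviour or signature.
"""
import struct

SECTOR = 512
STASH_LSN = 7                 # constructed: where "the virus" keeps the original
MARKER = b"XXVIRUSXX"         # constructed marker standing in for a real signature


def looks_like_dos_boot_sector(sec: bytes) -> bool:
    """Structural checks that a genuine DOS boot sector passes."""
    if len(sec) != SECTOR:
        return False
    if sec[510:512] != b"\x55\xAA":          # boot signature at the end
        return False
    if sec[0] not in (0xEB, 0xE9):           # short/near JMP over the BPB
        return False
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sec, 11)
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        return False
    if sectors_per_cluster == 0 or sectors_per_cluster & (sectors_per_cluster - 1):
        return False                         # must be a power of two
    return True


def is_infected(sec: bytes) -> bool:
    """Signature match on the constructed marker."""
    return MARKER in sec


def plan_restore(disk: dict, stash_lsn: int = STASH_LSN):
    """Decide whether the saved sector may be written back over sector 0.

    Returns ("restore", sector) or ("refuse", reason).  Every refusal is a
    case where writing the saved copy would leave the disk unbootable.
    """
    boot = disk[0]
    if not is_infected(boot):
        return ("refuse", "boot sector not infected")
    saved = disk.get(stash_lsn)
    if saved is None:
        return ("refuse", "stash sector missing")
    if is_infected(saved):
        # the "multiple sections infection" case from the F-Prot alert
        return ("refuse", "saved original is itself infected")
    if not looks_like_dos_boot_sector(saved):
        return ("refuse", "saved sector is not a plausible boot sector")
    return ("restore", saved)


def make_clean_boot_sector() -> bytes:
    """Constructed FAT12-style boot sector: JMP, OEM name, BPB, signature."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xEB\x3C\x90"
    sec[3:11] = b"MSDOS5.0"
    struct.pack_into("<HB", sec, 11, 512, 1)  # 512 bytes/sector, 1 sector/cluster
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def make_infected_boot_sector() -> bytes:
    """Clean sector with the code area overwritten by the constructed marker."""
    sec = bytearray(make_clean_boot_sector())
    sec[62:62 + len(MARKER)] = MARKER
    return bytes(sec)


if __name__ == "__main__":
    clean, infected = make_clean_boot_sector(), make_infected_boot_sector()
    print(plan_restore({0: infected, STASH_LSN: clean})[0])      # restore
    print(plan_restore({0: infected, STASH_LSN: infected}))      # refuse
```

Run as a script it exercises both branches. The point for a practitioner is that a restore is a blind overwrite of sector 0, so a cleaner that cannot prove the saved copy is a genuine boot sector should stop, exactly as the message quoted above says F-Prot does; the remaining options are then to rebuild the boot sector from a known-good copy or to accept the data-recovery route, not to force the restore.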

------------------------------

Date: Fri, 29 Mar 1996 19:42:28 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: RITT.6917 virus--false positive from SCAN 2.2.11? (PC)
X-Digest: Volume 9 : Issue 44

Patrick Noyens <patrick.noyens@ping.be> writes:

>While scanning my system with SCAN V. 2.2.11 I got some files infected
>by the 'RITT.6917' virus... at least that's what McAfee 's SCAN told
>me.
>
>I scanned my system with several other major scanners :
[snip]
>I scanned with these scanners after cold-booting from a clean system
>disk.
>
>None of the scanners reported an infection. So, could this be a false
>positive from McAfee's SCAN V. 2.2.11 ?

Yes it was and thank you for bringing it to my attention directly.

We removed the offending files, and the package, which has been
available since March 19th, no longer has this problem.  That package
is numbered 22C.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Fri, 29 Mar 1996 19:36:51 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: 10b7 (PC)
X-Digest: Volume 9 : Issue 44

"Stephen E. Clarke" <slcfv@cc.usu.edu> writes:

>Does anyone know if any other virus detection program currently detects 
>and cleans the 10b7 virus besides microsoft anti-virus.  Also I recently 
>purchased Warcraft 2 and it appears that the save game files become 
>corrupted with this virus directly from the game executable.  Has anyone 
>else experienced this?

No one outside of Symantec seems to know what Central Point called the
10b7 virus.  And you'd be hard pressed to find anyone at Symantec who does
either since they support NAV much more than CPAV.

So we can't answer the first issue.

But the second issue is that this whole thing is probably a false id
as it has been reported as a false id for years now.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Fri, 29 Mar 1996 15:06:25 -0400 (EDT)
From: Kim Graham <kimberley.graham@SheridanC.on.ca>
Subject: Junki Virus: Infection (PC)
X-Digest: Volume 9 : Issue 44

I am asking for assistance to combat a virus (or possible re-infection)
called "JUNKI".  Following is a short run down of the system and problems.
I am on a job placement at Sheridan College. (Co-op Student)

The network (single room) consists of 20 PC's.  We are running on
a Novell 3.12 and 4.10 platform.  There is a dual boot option for 
the original DOS 6.2 / Win 3.11 or Windows 95.

The problems started with a warning when booting into 'original DOS/Win
3.11'.

 "The following file is missing or corrupted: COMMAND.COM"
 "The following file is missing or corrupted: COMMAND.COM"
 "Type the name of the command interpreter (e.g., c:\windows\command.com"
 "C>"

I restarted the computer with a Novell Boot Disk (write protected).  The
command.com was visible on the 'C:' drive.  Next I used McAfee's 2.3.0 and
scanned the hard drive.  It found and cleaned the "junki virus". This
virus attached itself to any file with a ".com" extension, including
Netware IPX.COM, DI.COM.....also were infected were the Win95 files having
any ".com" extensions.....

After cleaning I rebooted from the hard drive.  The same messages came up.
I used clean files and overwrote each of the ".com" files.  The fix seemed
to take hold.  The only problem was an environment error when opening a DOS
prompt from Windows 95. I thought that to be a configuration error.

A week later the same computer has the "command.com" missing or corrupted.

I rescanned the hard drive with the same McAfee's scanner after booting
from a Boot Disk.  It found no infections.

Can anyone give me some help?

  I.E. 

Has anybody come across this virus and how do you combat it?
Do you think this is just a hardware problem the second time around?
Should I just reformat the drive and wish it good-bye?
(doing that when I had a "monkey virus" caused a lot of unnecessary work)

Thanks. You can reach me @ kimberley.graham@sheridanc.on.ca

****************************************************************
Kim Graham                                e-mail: 
Novell & Teleconference         kimberley.graham@sheridanc.on.ca  
Lab Technician                   Voice Mail:(905)815-4040 X3742
****************************************************************                
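
Bill Lambdin's list of "generic virus detectors" earlier in this digest and the Junki case above (a scanner that reports clean while a .COM infector keeps coming back) are two sides of the same idea: a stored baseline of sizes and hashes catches any change to executable files, whether or not a scanner knows the virus. As an added example, not Integrity Master's code or database format, and with a constructed file tree in demo(), here is a minimal checker of that kind in Python:

```python
"""Minimal file-integrity checker of the "generic virus detector" kind.

Added example; not Integrity Master's code or database format.  The file
names and byte contents in demo() are constructed.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Extensions a DOS file infector targets (Junki above attached to .COM files).
WATCHED = (".com", ".exe", ".sys", ".ovl")


def file_hash(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Record size and hash of every watched file under root.

    Build this only after a cold boot from a write-protected disk, so a
    resident stealth virus cannot feed the checker clean-looking data.
    """
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in WATCHED:
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"size": p.stat().st_size, "sha256": file_hash(p)}
    return baseline


def save_baseline(baseline: dict, path) -> None:
    """Keep the baseline off the machine it describes (a write-protected floppy)."""
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def compare(root, baseline: dict) -> dict:
    """Classify every watched file as changed, added or missing."""
    current = build_baseline(root)
    report = {"changed": [], "added": [], "missing": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["missing"].append(rel)
        elif new["sha256"] != old["sha256"]:
            # keep the size delta: the same growth across many files is the
            # appending-infector pattern
            report["changed"].append((rel, new["size"] - old["size"]))
    for rel in current:
        if rel not in baseline:
            report["added"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, then simulate what a
    .COM appender leaves behind (one grown file, one removed, one new)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "DOS").mkdir()
        (root / "COMMAND.COM").write_bytes(b"\xB8\x00\x4C\xCD\x21" + b"\x90" * 100)
        (root / "DOS" / "DI.COM").write_bytes(b"\xCD\x20" * 50)
        (root / "IPX.COM").write_bytes(b"\xE9\x00\x00" + b"\xCC" * 40)
        (root / "README.TXT").write_text("not a watched type")
        baseline = build_baseline(root)
        save_baseline(baseline, root / "baseline.json")  # would live on a floppy
        # the infector patches the entry jump and appends its body
        with open(root / "COMMAND.COM", "r+b") as f:
            f.write(b"\xE9\x69\x00")
            f.seek(0, os.SEEK_END)
            f.write(b"V" * 300)
        (root / "IPX.COM").unlink()
        (root / "DOS" / "NEW.COM").write_bytes(b"\xC3")
        return compare(root, load_baseline(root / "baseline.json"))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

A clean scanner result together with a baseline that keeps changing is the cue to look at how the files are being altered (and where the replacement copies come from) rather than to assume a hardware fault; the size delta recorded for each changed file is what distinguishes an appending infector from, say, a truncated or zero-filled file after a disk error.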

------------------------------

Date: Fri, 29 Mar 1996 12:00:32 -0800
From: Andrea Brenton <abrenton@hurwitz.com>
Subject: mem = 639K (PC)
X-Digest: Volume 9 : Issue 44

I have a system (Acer Altos 486sx/33) that shows only 639K total 
conventional memory.  Usually that means a virus.  I have scanned, done 
fdisk /mbr, but it always comes up the same.  

	Am I missing something?

	Please send me e-mail directly, as our new server seems to be a 
few days behind.
	Thanks

abrenton@hurwitz.com

[Moderator's note:  For some machines 639KB is 'normal'.  This is
discussed in the FAQ if you are looking for coverage of how to tell if
639KB is normal for your PC.]

------------------------------

Date: Thu, 28 Mar 1996 12:04:07 +0000 (GMT)
From: Jan Hruska <Jan_Hruska@sophos.com>
Subject: Re: Virus??? (PC)
X-Digest: Volume 9 : Issue 44

>To see a world in grain of sand, and heaven in a wild flower
>Hold infinity in your hand
>And eternity in an hour
>
>The virus 16\3\91
>
>I have tried a clean boot disk. but it won't recognise my hard disk.
>My virusscanner is also unable to access my hard disk.

You have had Maltese Amoeba, a.k.a. 'Irish' or 'Grain of Sand'.

Infects COM and EXE files, memory resident.

A destructive fast infecting polymorphic virus which overwrites the first
four sectors of tracks 0 to 29 of the hard disk and any diskette in the
disk drive, if the date is 1st November or 15th March of any year. A
psychedelic screen effect follows. When the machine is powered up, a
fragment of a poem (The Auguries of Innocence) by William Blake (1745-
1827) appears on the screen and the machine hangs.

Infection happens at load-and-execute and file close.

For full analysis see Virus Bulletin, December 1991.

>What to do?

If you need the data from the hd, you or a (usually expensive) data
recovery company could salvage a good deal of it. Otherwise, low level
reinitialise your hard disk and restore from backups. Make sure that you
use a positively uninfected restore program and then virus check the
restored files.

------------------------------

Date: Fri, 29 Mar 1996 22:32:59 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Readiosys - is it real? (PC)
X-Digest: Volume 9 : Issue 44

Cy Ulberg <cyu@u.washington.edu> writes:

>I inherited an old computer at work that Intel virus software labeled as 
>infected with "readiosys."  When the hard drive was disinfected, 
>everything on the c: drive was corrupted.  The same thing happened to a 
>floppy I tried to disinfect.  I find various references to "readiosys" as 
>a well-known false positive on the Web.  If it is well-known, why does 
>the latest version of Intel software detect it, and corrupt disks?  The 
>same software says my home computer is also infected.  Before I crash 
>another hard drive, I'd like to find out what is going on.  I haven't yet 
>received a satisfactory response from Intel.  Can anyone help?

Intel OEMs this software from Trend Microsystems.  Trend has recently
(or maybe not that recent) opened offices in CA.  Give them a call.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Sat, 30 Mar 1996 08:28:33 +0000 (GMT)
From: Chana Rossman <bonney@interpath.com>
Subject: Intermittent Problems with No Apparent Cause (PC)
X-Digest: Volume 9 : Issue 44

I am encountering some strange computer problems at work, and although
I'm not convinced we've encountered a virus, I thought I'd investigate
the possibility.  This message is rather long (sorry) but I tried to
include as much information about the problem as I could.  I'd
appreciate any suggestions you have regarding this as I am about out of
ideas.  

Here's the environment:
Our department maintains seven college computer labs containing
various types of computer hardware.  In one lab, we have 20 486 DX
computers running DOS v 6.22.  We are also running Windows for
Workgroups.  (We have an isolated Ethernet network if it matters...)
Recently, we installed Microsoft Office.  The software on the
computers is identical on every system.  (We set up one master system
at the beginning of the quarter, then electronically transfer data to
each of the other systems through a parallel connection.)

The Problems:
I realize that I may be dealing with several different problems -- but
I am listing all of them just in case:
* Occasionally, when students attempt to change fonts in Windows 
	based programs,  the application crashes.  It is not isolated to 
	a particular font.  The errors seem random.

* On over half the systems, Excel is giving an error saying one of 
	the  library files is missing.  
	-  We examined directory listings of working machines vs. non-working 
		machines -- no difference in file count, file size, or file dates.
	-  We FDISKed and reformatted the computers which were having 
		problems.  We then copied the data from a working machine to 
		a non-working machine.  Excel worked.  Within one day, Excel  failed 
		again.
	- We reinstalled MSOffice from the installation disks.  Excel worked.

		Within a day, Excel started failing again.

*  On over half the systems we are experiencing file corruption.
	One day everything will be fine.  The next day,  files are
	corrupted.  Once one file becomes corrupted, it is as if a cascade 
	failure occurs!  (Note:  which files that are corrupted on each 
	system vary.  Some of the corrupted files on some systems are
	Windows related.  On other systems, it's the DOS based apps)


We have compared the CMOS settings between working and nonworking
machines -- there are no differences.  We have checked the specific
hard drive make and models in the various computers -- there are no
differences.  And yes, we have run virus scans (F-PROT and McAfee) --
nothing has shown up.

Does anybody have any ideas virus or otherwise?  I'd be very happy to
hear them!

Thanks in advance
Chana
bonney@interpath.com

------------------------------

Date: Sat, 30 Mar 1996 10:40:24 +0000 (BUE)
From: ruben@ralp.satlink.net
Subject: Re: Virus??? (PC)
X-Digest: Volume 9 : Issue 44

Fri, 15 Mar 1996 19:33:14 +0000 (GMT) Herbert Slaghekke <herb1@xs4all.nl>
wrote:

>Can anyone tell me what the following message on my screen means?
>
>To see a world in grain of sand, and heaven in a wild flower
>Hold infinity in your hand
>And eternity in an hour
>
>The virus 16\3\91

You're (regrettably) infected with the "Grain of Sand" virus. Also called
"Maltese Amoeba" or "Irish".

This program is a resident .exe and .com infector.
Activation dates are November 1st and March 15, and the virus overwrites boot 
areas of the hard disk.
After overwriting, it hangs the machine and displays the poem that You
describe above.

>I have tried a clean boot disk. but it won't recognise my hard disk.
>My virusscanner is also unable to access my hard disk.
>
>What to do?

I suppose that other AV packages could help You well. You don't describe 
which one You use but give a try to:

- Integrity Master v 2.61b
- F-prot v 2.22

Regards

Ruben Arias
- ------------------------------------------------------------------------------
 Ruben M. Arias                                _   _      _                    
					      | ) |_| |  |_)                   
					      | \ | | |_ |                     
 E-Mail: Ruben@RALP.Satlink.net                                                
 Buenos Aires - ARGENTINA            RALP - Computer Security - Virus          
- ------------------------------------------------------------------------------

------------------------------

Date: Sat, 30 Mar 1996 09:17:52 -0500
From: Mike Michalowicz <ici@planet.net>
Subject: Re: LAN-based virus protection advice wanted (PC)
X-Digest: Volume 9 : Issue 44

Glenn Rabut wrote:

> We are a graduate school of social work with a Novell LAN with 2 file
> servers and approx. 200 nodes, including 2 computer labs.  We would
> like advice on LAN-based virus protection schemes that you have found
> successful.  We are interested in:
> 
> 1. Ease of installation and maintenance of virus updates.
> 2. Cost
> 3. Effectiveness
> 4. Availability of updates when new viruses appear
> 
> What has worked well for you?  Thanks for your assistance.

In my experience (I have installed about 50 LANs with some sort of virus 
protection), the following approach is the best:

1. Install both an NLM (on Novell systems, of course) anti-virus engine on 
each and every server, and install a disparate anti-virus engine on each 
workstation.  The reason you want two different packages from two
different manufacturers is that they often use different scanning
algorithms and signatures, hence increasing your chance of still detecting
the virus even if one scanner misses it.  The best combo of products out
there are Intel VProtect NLM for your server (it does ship with a
workstation client, but to better your protection I would not use it), and
McAfee ViruScan for your workstation.

2.  Updating VProtect is soooo easy.  Just copy the new signature
pattern into the Vprotect directory.  That's it!  To disseminate the
McAfee updates, you can write a simple Batch file (using the DOS 
replace.exe command for example).

3. Cost - There probably are cheaper alternatives, but this one is cost 
effective.  This, I feel, is the best protection out there.  If you want
to protect hundreds of thousands of dollars worth of data, this is the way to
go.

If you need help, you may contact me.

Mike Michalowicz
Inter-Com, Inc.
ici@planet.net
P  (201)252-1100
F  (201)252-9119

------------------------------

Date: Sat, 30 Mar 1996 10:23:40 -0800
From: Evan Hand <ehandjr@ibm.net>
Subject: Re: Disappearing Partitions (PC)
X-Digest: Volume 9 : Issue 44

Chaim Krause wrote:

> I was hoping someone could shed some light on this for me. It is
> probably a hardware problem, but last night it happend on a second
> machine and made me wonder if it might be a virus.
> 
> I have read every posting in this newgroup that my news server carries
> and can't find anything related, so I felt a new poting was in order.
> 
> Here is a fairly detailed description of my problem. There are some
> things that I am sure I am leaving out, but as I wasn't planning on
> having these problems I didn't keep a diary <g>
[snip]

I have had similar problems in up-grading my machine.  I was able to 
solve the problem by contacting the drive manufacturer through the Web.  
I would recommend that you do a web search for your drive manufacturer 
and look for help there.  I was able to find the up-dated software for my 
drive on the web server, downloaded it and have not had problems since.  
I was also able to find specific setup information for a friend's 
machine/drive combination that I was asked to repair in the same way.

Good-luck in solving your problem,
Evan

------------------------------

Date: Sat, 30 Mar 1996 20:41:53 +0000 (GMT)
From: Paul Hollinger <prh1@ix.netcom.com>
Subject: NAV updates (PC)
X-Digest: Volume 9 : Issue 44

I'm running win 3.1/dos 6.2 and have Norton AV, ver 3, installed. I'm
trying to update the program with the UPDATEME.EXE file that I d/l'ed 
into a temp dir called c:\nav1st. When I go to the c prompt and type
(as noted in the READ ME file directions) "update c:\nav1st" I get
a msg stating "bad command or file name". I don't know what to do now.
Any/all help would be greatly appreciated! Have asked other groups &
Norton for help on this but have gotten no response. (BTW, this is my
1st attempt at updating the Norton AV program)....Thanx, Paul.

------------------------------

Date: Sat, 30 Mar 1996 16:41:01 -0700
From: "James R. Bunch" <jbunch@primenet.com>
Subject: Re: Winword/Scanprot/FProt questions (PC)
X-Digest: Volume 9 : Issue 44

Charles M. Robinson <charles.m.robinson@medtronic.com> wrote:

[snip]

: The problem is this:  We've downloaded the "scanprot" file from Microsoft 
: which scans all .DOC files and "cleans" them of this macro virus.  Lo and 
: behold, the documents no longer affect the operation of Word.  This is good.

: What is BAD is, F-Prot still finds the string in the .DOC files and still 
: reports them as infected with the CONCEPT virus.  

[snip]

I've run into similar problems with macro fragments left by the old 
Micro$loth scan document & Vi-Spy.  The fragments the scanner doc left
were enough to trigger Vi-Spy.  The newer scanprot.dot scanner seems to
have eliminated the problem with Vi-Spy, but obviously not with F-Prot.

I think we'll be seeing these problems for a while now, at least till
the AV vendors get 100% up to speed on _both_ detection and cleaning.

- -
- ----------------------------
James R. Bunch         "A Byte is a terrible thing to waste ... 
jbunch@primenet.com     ... a MByte 1048576 times worse"

PGP Key available via finger
PGP Key fingerprint =  B5 31 10 77 BF B0 FD B2  10 54 CB E6 13 7C 26 58
- -----------------------------

------------------------------

Date: Sat, 30 Mar 1996 20:07:29 -0700 (PDT)
From: eriko@phoenix.net
Subject: 636k total base memory...virus? (PC)
X-Digest: Volume 9 : Issue 44

I am running Win95 *shudder* and whenever I run a dos prompt and type mem
I come up with 636k _TOTAL_ base memory.  This didn't happen before, so
something must have happened.  I also received a message that my master
boot records were changed and that might be from a virus.

When I reboot in MS-DOS mode I get 638k total base memory. 
I have run McAfee scan for Windows ver 2.2.9 and it doesn't detect
anything. 

Does anyone have any ideas?

Thanx, email replies would be great!

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 44]
*****************************************


