From Lehigh.EDU!owner-virus-l  Sun Apr  7 15:17:23 1996 remote from vhc
Received: by vhc.se (1.65/waf)
	via UUCP; Mon, 08 Apr 96 13:59:15 GMT
	for mikael
Received: from fidoii.CC.Lehigh.EDU by mn3.swip.net (8.6.8/2.01)
	id PAA01470; Sun, 7 Apr 1996 15:17:23 +0200
Received: from Lehigh.EDU ([127.0.0.1]) by fidoii.cc.lehigh.edu with SMTP id <39838-105928>; Sun, 7 Apr 1996 09:15:57 EDT
Received: from nss2.CC.Lehigh.EDU ([128.180.1.26]) by fidoii.cc.lehigh.edu with ESMTP id <39305-48071>; Sun, 7 Apr 1996 09:13:56 EDT
Received: from cantva.canterbury.ac.nz (cantva.canterbury.ac.nz [132.181.30.3]) by nss2.CC.Lehigh.EDU (8.7.1/8.7.1) with ESMTP id JAA104637 for <virus-l@lehigh.edu>; Sun, 7 Apr 1996 09:13:50 -0400
Received: from 132.181.30.207 ("port 1028"@132.181.30.207)
 by csc.canterbury.ac.nz (PMDF V5.0-6 #7295)
 id <01I3A48N3AH0SH3CBI@csc.canterbury.ac.nz> for virus-l@lehigh.edu; Mon,
 08 Apr 1996 01:13:14 +1200
Message-Id: <01I3A48NCMPISH3CBI@csc.canterbury.ac.nz>
Date: 	Mon, 08 Apr 1996 00:43:49 +1200 (NZT)
Reply-To: virus-l@Lehigh.EDU
Sender: owner-virus-l@Lehigh.EDU
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>
Subject: VIRUS-L Digest V9 #45
MIME-version: 1.0
Content-transfer-encoding: 7BIT
X-Sender: cctr132@cantva.canterbury.ac.nz
X-Listprocessor-Version: 7.2 -- ListProcessor by CREN

VIRUS-L Digest    Monday, 8 Apr 1996    Volume 9 : Issue 45

Today's Topics:

Administrivia (ADMIN)
SWAMP - An April Fools Virus Hoax (PC)
Re: QUESTION: Email Viruses
Re: McAfee Dishonesty
Mcafee 2.2.11 Word DOC problem?
Re: Is MEANING.EXE a Trojan horse?
What REALLY matters in Commercial Anti-Virus Software
Re: QUESTION: Email Viruses
Re: How to Contact Command Software
Re: Trojan? - "Meaning of Life"
AV to check Internet Mail?
Help with resources for computer virus paper
Re: What REALLY matters in Commercial Anti-Virus Software
Re: help- possible virus that causes auto reboot
Re: help- possible virus that causes auto reboot
Re: Can two hard drives help keep viruses controlled?
Re: Trojan? - "Meaning of Life"
vsumx603.zip Virus Information Hypertext Summary List
Possible danger to Flash BIOS and ROM
LAN antivirus for Windows NT (NT)
Re: One byte added to .EXEs in Explorer (WIN95)
Re: McAfee 2.0 for Win95 "feature" (WIN95)
Re: McAfee 2.0 for Win95 "feature" (WIN95)
Virus or not (WIN)
Re: A small change to Word for Windows (WIN)
Re: Wanted TSR checks A: as used (PC)
AntiEXE virus (PC)
Re: Is ARJ 2.8 a trojan? (PC)
Re: Possible virus--adds to command.com (PC)
SPIRIT infection! (PC)
Re: Help w/ possible boot sector virus (PC)
Re: HELP stoned.michelangelo virus!!! (PC)
Re: Floppy Disk TSR scan software (PC)
1200 virus - how to remove? (PC)
Re: Did Michelangelo Virus Wipe this PC's Hard Drive? (PC)
Re: Wanted TSR checks A: as used (PC)
HELP with unknown virus (PC)
AntiCMOS virus (PC)
Effectiveness of DOS Scanners in Win95 (PC)
Re: Wanted TSR checks A: as used (PC)
Re: An aftereffect of Natas (PC)
Re: "Dis is one half" messages-Virus? (PC)
Re: NYB Virus (PC)
Re: Is ARJ 2.8 a trojan? (PC)
639K mem (PC)
Re: Directory problem (PC)
Re: Wanted TSR checks A: as used (PC)
Ripper question (PC)
Viruses that reset top of memory (PC)
Re: Jackal.B (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Mon, 08 Apr 1996 00:25:07 +1200 (NZT)
From: Nick FitzGerald <n.fitzgerald@csc.canterbury.ac.nz>
Subject: Administrivia (ADMIN)
X-Digest: Volume 9 : Issue 45

Please folks--no more "is PKZIP300 a virus" or "PKZIP300 is a virus"
posts.  I've answered many personally, and will not approve any more of
them for posting unless something new comes up.  If you want the low-down
on this issue, contact PKWare themselves (http://www.pkware.com is a good
place to start if you have a web browser).

Another "hot" issue, though with noticeably fewer messages, has been the
"SWAMP virus".  This appears to be another hoax virus warning, somewhat
along the lines of Good Times.  I guess a good indication of it being a
hoax is that it has been posted nearly everywhere -except- where the virus
experts typically hang out...  For a critical look at part of it, see the
following message forwarded to the list by Tom Zmudzinski.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
 n.fitzgerald@csc.canterbury.ac.nz  TEL:+64 3 364 2337, FAX:+64 3 364 2332
	      Virus-L/comp.virus moderator and FAQ maintainer
   PGP fingerprint =  2E 7D E9 0C DE 26 24 4F  1F 43 91 B9 C4 05 C9 83

------------------------------

Date: Tue, 02 Apr 1996 07:51:04 -0500 (EST)
From: Tom Zmudzinski <zmudzint@ncr.disa.mil>
Subject: SWAMP - An April Fools Virus Hoax (PC)
X-Digest: Volume 9 : Issue 45

_____________________________ Forward Header _____________________________
Subject: [C4I-Pro] An April Fools Virus Hoax-no joke
Author:  David M Kennedy <David_M_Kennedy@smtp.ord.usace.army.mil> at smtp
Date:    4/1/96 6:11 PM

There's a new virus hoax making the rounds.  It has not yet
hit the big time like Good Times, but it's still a hoax,
semi-believable, and has the potential to become another
Good Times.  The purpose of this message is to educate
others to recognize the hoax for the joke that it is.
  
The hoax virus is called Swamp.  There is no such virus.  
In the alert are several references to today's date. 
Perhaps a big tip off to the silliness of it is in this paragraph:
  
> Background
> Experts in many countries have been working on ways
> to improve the carrying capacity, or bandwidth, of existing 
> networks using techniques such as multiplexing. 
> Scientists from the Avril Institute in Bern, Switzerland, 
> have developed a technique whereby a small number of 
> molecules of various substances can be attached to data 
> at the bit level.  Their goal is to cease using the bit as 
> a data item and to use it merely as a carrier for the data. 
> The data is physically mapped onto the molecules using 
> the protons and electrons, the neutrons and neutrinos 
> being used for control information and parity checking.  
> 
> Use of this technique will expand the capacity of a 
> network by the data capacity of the molecules.  The data 
> carrying capacity of the bit will depend on the size of the 
> attached molecules.  The only identified drawback with 
> this development is that a high speed communications 
> link is required.  This is because the molecules must 
> remain in a gaseous state to stay attached to the bit. 
> To remain in this state they require the friction - and 
> consequent heat - developed by the high speed link.  
> As soon as the friction and heat are removed the 
> molecules condense and lose their data carrying 
> capacity as well as their attachment to the bit.
  
Regards,
  
Dave Kennedy [US Army MP] [CISSP]
  

------------------------------

Date: Sun, 31 Mar 1996 14:57:39
From: ruben@ralp.satlink.net
Subject: Re: QUESTION: Email Viruses
X-Digest: Volume 9 : Issue 45

Tue, 12 Mar 1996 23:15:21 +0000 (GMT) Greg Rice <wyldryce@ix.netcom.com>
wrote:

>I'm wondering, why isn't an email virus possible?  I read that no one
>really needs to worry about loading an email message from a service
>like AOL or Compuserve and receiving a virus on their home PC.

I suppose you're thinking of on-line compilation when a message is
received by the user. I suppose too that this could be possible in Unix.

Are you thinking of viruses or worms???

>Wouldn't it be possible to write code that is an attached .EXE file and
>is called into downloading itself by the 'read mail' action of the
>service provider?

You need a very special OS to do this (see above).

Thank God there exists a VERY large diversity of software for e-mail. The virus
would have to be well programmed to cover all the possible environments in
which it would survive or replicate.

Thank God nobody has programmed this yet.

>I realize that if there was such a code, it would be service provider
>specific, but it seems plausible.

Plausible but difficult. I really hope that people do MORE productive
things than program some kind of evil.

[BTW, don't give them good ideas! :-)         ]

Regards

Ruben Arias
- ------------------------------------------------------------------------------
 Ruben M. Arias                                _   _      _                    
					      | ) |_| |  |_)                   
					      | \ | | |_ |                     
 E-Mail: Ruben@RALP.Satlink.net                                                
 Buenos Aires - ARGENTINA            RALP - Computer Security - Virus          
- ------------------------------------------------------------------------------

------------------------------

Date: Sun, 31 Mar 1996 21:33:30 +0000 (GMT)
From: "Derek V. Giroulle" <Dirk.Giroulle@ping.be>
Subject: Re: McAfee Dishonesty
X-Digest: Volume 9 : Issue 45

Hunter <hunterj@nethost.multnomah.lib.or.us> wrote:

[your Mc Afee ordeal snipped]
>One of my main considerations in purchasing the McAfee Viruscan was its
>two-year free updating service.  It's rather disingenuous of them to
>nullify that promise almost immediately after my purchase.  It took two
>months to figure out what was happening, not counting the frustrating
>hours confronting their BBS and the exasperating "Out of Memory" message
>from VShield.  I'd like to get a refund, but can't get any response from
>them. 

You might of course leave them some more possibilities than just a
refund; you might get some positive reactions.

There's some McAfee staff on this conference and in alt.comp.virus;
you might retrieve some email addresses out of that and write them
directly.

Dirk.Giroulle@ping.be
http://www.ping.be/~ping0010
Life is like a peepshow, through a little window you never get to see
what you went in for (based on fvu's definition of panning)

------------------------------

Date: Mon, 01 Apr 1996 02:03:53 +0000 (GMT)
From: John Bongiovanni <bongo@alumnae.caltech.edu>
Subject: Mcafee 2.2.11 Word DOC problem?
X-Digest: Volume 9 : Issue 45

For some reason I can't get Mcafee Scan 2.2.11 to reliably scan for
macro viruses in Microsoft Word DOC files.

For example, if I'm in a subdirectory with other subdirectories under it
which contain DOC files, the command

SCAN *.* /SUB

only seems to scan DOC files that are in the same directories as EXE
files.  Also, the command

SCAN *.DOC /SUB

doesn't find anything to scan, though there are plenty of DOC files there.

These behaviors are verified by using /RPTALL.

Am I doing something wrong, or is there something wrong with SCAN?

- -
FINGER for PGP public key - John T Bongiovanni <bongo@alumni.caltech.edu>

------------------------------

Date: Mon, 01 Apr 1996 11:27:08 +1000
From: Anthony Hancock <AHancock@dist.gov.au>
Subject: Re: Is MEANING.EXE a Trojan horse?
X-Digest: Volume 9 : Issue 45

Regarding the Meaning of Life program: I isolated my machine, tried it
and then scanned my PC afterwards.  No apparent damage.  It is just a
cute little annoying VB program; I don't think it has malicious
intent.  Tread carefully though, in case I am wrong...

------------------------------

Date: Sun, 31 Mar 1996 22:30:29 +0000 (GMT)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: What REALLY matters in Commercial Anti-Virus Software
X-Digest: Volume 9 : Issue 45

In article <0002.01I30DCRYH72S5UZJP@csc.canterbury.ac.nz>
	   74777.171@compuserve.com "Enrico DePaolis" writes:

> Take a look at the EMD Armor line.  It is different than the rest
> of the AV pack.  Prevention is stressed and we don't get you
> on the updates.  Heck we don't have updates since we tackle
> the virus before it attacks the system. 

I'm sure I saw you claim that the EMD package could be updated in 
another newsgroup.

Most AV software also tackles the virus before it attacks the 
system, by the way.  All you have to do is scan software and 
disks before using them.  Some software packages have resident 
programs that do this automatically.

- -
WE CAN'T                    BUT WE DO SUPPLY
	PROVIDE YOU                         THE BEST DARN BAIT
		   WITH A DATE                                Burma-Shave

------------------------------

Date: Mon, 01 Apr 1996 14:09:39 +0000 (GMT)
From: Richard Evans <evansr@europa.lif.icnet.uk>
Subject: Re: QUESTION: Email Viruses
X-Digest: Volume 9 : Issue 45

Greg Rice (wyldryce@ix.netcom.com) wrote:

: I'm wondering, why isn't an email virus possible?  I read that no one
: really needs to worry about loading an email message from a service
: like AOL or Compuserve and receiving a virus on their home PC.
: Wouldn't it be possible to write code that is an attached .EXE file and
: is called into downloading itself by the 'read mail' action of the
: service provider?

: I realize that if there was such a code, it would be service provider
: specific, but it seems plausible.

A virus can only work if the receiving computer is tricked into running
some infected code.

This could be done by attaching an infected file to the mail message,
but you would still need to run the infected file for the virus to work.

Another possibility is to include an ANSI escape sequence, to redefine
one of the keys on your keyboard, to do something that loads the virus.
This is unlikely because very few machines would be set up with enough
environment space for this to work. If you are paranoid about this then
don't load ANSI.SYS.

I have also heard that Netscape can be set up to do some undesirable
things, but I don't know the details.

Hope this answers some of your questions.

Richard.

[Moderator's note:  One "undesirable thing" to do in Netscape or any other
Mac or Windows application would be to automatically launch Word 6 (or 7
under Win95) to view what the app "thinks" are Word documents as they are
received/opened/extracted.]
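
One thing a mail gateway can do about the ANSI.SYS key-redefinition trick Richard describes is to screen message bodies for it before they reach a console with ANSI.SYS loaded. The Python scanner below is an added example, not code from the original post or from any product named in this digest; it parses the ANSI.SYS key reassignment syntax (ESC [ code ; string ; ... p) and reports or strips such sequences while leaving ordinary colour and cursor codes alone. The function names and the sample mail body are constructed for this illustration.

```python
import re

# One ANSI.SYS control sequence: ESC [ <params> <final byte>.
# Params are decimal numbers or double-quoted strings separated by ';'.
# The final byte selects the function; 'p' is keyboard key reassignment,
# the only one that can turn displayed text into keystrokes.
ANSI_SEQ = re.compile(r'\x1b\[((?:\d+|"[^"]*")(?:;(?:\d+|"[^"]*"))*)([A-Za-z])')
PARAM = re.compile(r'"[^"]*"|\d+')


def _param_text(param):
    """Render one parameter as the text ANSI.SYS would feed to the keyboard
    buffer: a quoted string verbatim, a number as the character with that
    code (only 0-255 are meaningful to ANSI.SYS)."""
    if param.startswith('"'):
        return param[1:-1]
    code = int(param)
    return chr(code) if code < 256 else "?"


def find_key_redefinitions(text):
    """Return [(key, replacement), ...] for every key reassignment sequence.

    key is the redefined character, or 'ext:<scancode>' for extended keys
    (function keys, arrows), which ANSI.SYS encodes as 0;scancode.
    replacement is the keystroke text that would be injected; an empty
    replacement means the sequence merely restores the key's default.
    """
    hits = []
    for match in ANSI_SEQ.finditer(text):
        params, final = match.groups()
        if final != "p":
            continue  # colour, cursor and erase sequences cannot inject keys
        parts = PARAM.findall(params)
        if parts[0] == "0" and len(parts) > 1:
            key, rest = "ext:" + parts[1], parts[2:]
        else:
            key, rest = _param_text(parts[0]), parts[1:]
        hits.append((key, "".join(_param_text(p) for p in rest)))
    return hits


def is_ansi_bomb(text):
    """True if the text would inject keystrokes on an ANSI.SYS console.
    Any non-empty replacement counts: mail has no legitimate reason to
    remap the reader's keyboard."""
    return any(replacement for _, replacement in find_key_redefinitions(text))


def strip_key_redefinitions(text):
    """Remove only the 'p' sequences, leaving colour/cursor codes intact,
    so a gateway can neutralise the mail without mangling its formatting."""
    return ANSI_SEQ.sub(lambda m: "" if m.group(2) == "p" else m.group(0), text)


# Constructed sample mail body (not from any real message): one harmless
# colour sequence, one reassignment of Enter (code 13) to type a command,
# and one reassignment of F10 (extended key 0;68).
SAMPLE_MAIL = (
    "Hi, have a look at this!\r\n"
    "\x1b[1;32mgreen text is only formatting\x1b[0m\r\n"
    '\x1b[13;"echo hello";13p'
    '\x1b[0;68;"dir";13p'
    "regards\r\n"
)

if __name__ == "__main__":
    for key, replacement in find_key_redefinitions(SAMPLE_MAIL):
        print(f"key {key!r} would type {replacement!r}")
    print("ansi bomb:", is_ansi_bomb(SAMPLE_MAIL))
```

Running it on the sample reports the Enter and F10 reassignments and flags the body, while the stripped copy keeps its colour codes.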

------------------------------

Date: Mon, 01 Apr 1996 09:23:16 -0500
From: Megan Squire <megan@gate.net>
Subject: Re: How to Contact Command Software
X-Digest: Volume 9 : Issue 45

You can contact Command Software Systems at the following:

1061 E Indiantown Rd. #500
Jupiter, Fl 33477
(407)575-3200
(800)423-9147
http://www.commandcom.com
sales@commandcom.com
service@commandcom.com
support@commandcom.com

We thank you for your support, and for your interest in our products.

-megan alexander
malexander@commandcom.com

------------------------------

Date: Mon, 01 Apr 96 09:18:08
From: richardb@intecolor.com
Subject: Re: Trojan? - "Meaning of Life"
X-Digest: Volume 9 : Issue 45

On Thu, 21 Mar 1996, John Elsbury <jelsbur@clear.co.nz> uttered:

> I have had a couple of instances of people receiving a ZIPped Email attachment
>- MEANING.ZIP - which they are invited to unpack and run.
>
> I have told staff not to run programs they don't trust...
> Has anybody else come across this?

Yes, John. This is a "brain-teaser" application that runs under Windows
which has a button that moves away as your mouse gets close. The version
that I have seen is MEANING.EXE, 197,376 bytes large. It is not worth
running, since it is just one of those "IQ tests". The version here
contains no virus, nor has it caused any damage in a controlled
environment. (Incidentally, it fails under Win V4.0 (BETA) for some
unknown reason - but I will not be investigating the reason. Maybe the
author can try to fix it when he gets out of school for the summer <g> )

Your advice is still good. Why bother with these joke programs? The risks
far outweigh the benefits.

Ein seliger Sprung in die Ewigkeit.

------------------------------

Date: Mon, 01 Apr 1996 14:00:02 -0500
From: Doug Burnett <dburnett@booth-news.com>
Subject: AV to check Internet Mail?
X-Digest: Volume 9 : Issue 45

I am looking for an antivirus product that will check Internet mail
attachments.  I do not want software that runs on the PC but prefer
something that either runs on the Novell server or the mail server
itself.

We have two different configurations.  In the first case Internet mail
is picked up by cc:Mail's Link to SMTP and moved immediately to the
cc:Mail post office for distribution through a Novell 4.  In the other,
mail is picked up via UUCP by a mail server running LINUX and then
distributed to users over Ethernet using FTP.

Doug Burnett
dburnett@booth-news.com
Booth Newspapers
Ann Arbor, MI

------------------------------

Date: Mon, 01 Apr 1996 16:02:54 -0500
From: SM014500 <sm014500@aol.com>
Subject: Help with resources for computer virus paper
X-Digest: Volume 9 : Issue 45

I am in need of Help

I have a research paper due on 4/15/96 on Computer Viruses.
My thesis statement is...Computer Viruses can be anything from
entertaining to dangerous.

Now that I have actually started my research I have come to the conclusion
that my surrounding area has less than 4 books on the subject!  
I can change my subject but I will lose 10 points for doing so.

I am stuck!  

I have come up with an outline which follows

Computer Viruses
 I   How created
     a) creators
     b) Why created
     c) How created
II  How they work and affect computer
    a)  Where they affect
    b)  Different aspects of computers
III How much damage can they do
    a) Different types
    b) Non dangerous Viruses
    c) Dangerous Viruses

I would appreciate it if you could send me in the right direction or offer
any help you have.

Please mail me.

I am in my senior year and this is a requirement to graduate.
Please help me out.

[Moderator's note:  I've already pointed the poster to the FAQ and the
references therein.]

------------------------------

Date: Mon, 01 Apr 1996 17:39:58 -0500
From: Doug Muth <dmuth@oasis.ot.com>
Subject: Re: What REALLY matters in Commercial Anti-Virus Software
X-Digest: Volume 9 : Issue 45

In article <0002.01I30DCRYH72S5UZJP@csc.canterbury.ac.nz>, Enrico
DePaolis writes:

: Take a look at the EMD Armor line.  It is different than the rest 
: of the AV pack.  Prevention is stressed and we don't get you 
: on the updates.  Heck we don't have updates since we tackle 
			   ^^^^^^^^^^^^^^^^^^
: the virus before it attacks the system.  Give it a try.  If you 
: don't like it return it.

	That part really worries me; it sounds a LOT like something Zvi 
Netiv would say about his product.  I'm not familiar with this product, 
but if it is an activity blocker, it would most definitely need updates 
for any new viruses that come out that could circumvent its protection.

	Any other AV people familiar with this product or who have 
tested it?

	Regards,

- -
- -<Doug Muth>---<dmuth@ot.com>--| Finger dmuth@oasis.ot.com for| "Est
- --<http://www.ot.com/~dmuth>---| PGP public key and geek code | Sularus
Anti-virus software and utils:  | The Transformers fanfiction: | oth
~dmuth/virus/virus.html         | ~dmuth/tf/tf.html            | Mithas!"
-=-=-=-=-=-"Linux - The choice of a GNU generation"-=-=-=-=-=- |

------------------------------

Date: Mon, 01 Apr 1996 17:44:47 -0500
From: Doug Muth <dmuth@oasis.ot.com>
Subject: Re: help- possible virus that causes auto reboot
X-Digest: Volume 9 : Issue 45

In article <0006.01I30DCRYH72S5UZJP@csc.canterbury.ac.nz>,
ebbtide@cris.com writes:

: I am having a problem that I think might be a virus.  Without even
: touching my computer, not even running a program, the computer re-boots
: itself.  Sometimes I can be in the middle of running a program and it
: happens.  There doesn't seem to be any rhyme or reason, it just reboots.
: 
: [Moderator's note:  Without more details about the machine it is hard to
: know where to start.  There most likely are viruses that unintentionally
: or otherwise cause unprompted, spontaneous reboots, but in my experience
: with PCs (is this a PC??) such symptoms are more likely due to hardware
: faults (flakey RAM for example), over-optimistic BIOS/chipset settings
: (too few wait states maybe) or memory manager problems (check EMM386,
: QEMM, etc settings).]

	I would like to add as well that it may be an IRQ/address 
conflict.  I came across this problem on a system once with the modem and 
mouse sharing the same IRQ.

	Regards,

- -
- -<Doug Muth>---<dmuth@ot.com>--| Finger dmuth@oasis.ot.com for| "Est
- --<http://www.ot.com/~dmuth>---| PGP public key and geek code | Sularus
Anti-virus software and utils:  | The Transformers fanfiction: | oth
~dmuth/virus/virus.html         | ~dmuth/tf/tf.html            | Mithas!"
-=-=-=-=-=-"Linux - The choice of a GNU generation"-=-=-=-=-=- |

------------------------------

Date: Mon, 01 Apr 1996 23:00:17 -0600
From: "R. Zalk" <ez-zone@netmedia.net.il>
Subject: Re: help- possible virus that causes auto reboot
X-Digest: Volume 9 : Issue 45

It appears to be hardware or at least that's what I would check 1st.

#1. Check to see if your reset switch is stuck or contacts are bad. 
#2. Use a program such as Checkit to check system board and memory 
operations. Reboot often occurs when memory is bad. Also, check if there 
are any interrupt conflicts.
#3. See if you have added something recently; hardware or software. 
Often your last addition to your system is the cause of problems.

Good Luck,

R. Zalk 
E-Z Computer Consulting Ltd.
ez-zone@netmedia.net.il

------------------------------

Date: Tue, 02 Apr 1996 06:42:38 +0000 (GMT)
From: Steve VanSlyke <stevev@soar.com>
Subject: Re: Can two hard drives help keep viruses controlled?
X-Digest: Volume 9 : Issue 45

    It depends on the virus: if it is coded to do so, it can search and 
infect all drives. Also, if it is a memory resident virus it will infect 
any file executed (unless it's executed from a write protected disk or 
from read-only media, such as a CD-ROM). *** Primitive Explanation ***
Hope it helps. Grogan !!!

------------------------------

Date: Tue, 02 Apr 1996 12:02:54 +0000 (GMT)
From: Dominic Mancini <am4501@kestrel.fen.bris.ac.uk>
Subject: Re: Trojan? - "Meaning of Life"
X-Digest: Volume 9 : Issue 45

John Elsbury (jelsbur@clear.co.nz) wrote:

: I have had a couple of instances of people receiving a ZIPped Email
: attachment - MEANING.ZIP - which they are invited to unpack and run.
: 
: I have told staff not to run programs they don't trust...
: Has anybody else come across this? 

As far as I know, "The Meaning of Life" is not a trojan [as long as we're
talking about the same program] - I've run it with no apparent untoward
effects. It's a little windows program which is vaguely amusing, just the
sort of thing which would get passed around as an e-mail attachment. 

I would most certainly agree that you can't afford to take risks with
unknown software. The brief amusement from programs like "The Meaning of
Life" is not worth the risk to your data. 

Dom

- ---------------------------------------------------------------------------
Dominic Mancini, am4501@bris.ac.uk  |  Electrical and Electronic Engineering
+44 (0)117 968 1438                 |  Badock Hall Network Administrator
				    |  University of Bristol, UK

------------------------------

Date: Tue, 02 Apr 1996 11:47:37 +0300
From: ts@UWasa.Fi (Timo Salmi)
Subject: vsumx603.zip Virus Information Hypertext Summary List
X-Digest: Volume 9 : Issue 45

Thank you for your contribution. This upload is now available as
1005932 Mar 31 11:08 ftp://garbo.uwasa.fi/pc/virus/vsumx603.zip

: Date: Mon, 01 Apr 1996 06:06:03 -0800
: From: Randy Young <rwyoun1@PacBell.COM>
: To: pc-up@uwasa.fi
: Subject: VSUMX603.ZIP, Patricia Hoffman's latest update.
:
: File name: VSUMX603.ZIP
: One line description: Patricia Hoffman's Virus Summary for Mar., 1996.
: Replaces: VSUMX602.ZIP
: Suggested Garbo directory: /pc/virus
: Uploader name & email: Randy Young  rwyoun1@pacbell.com
: Author or company:  Patricia Hoffman
: Email address:
: Surface address:
: Special requirements:
: Shareware payment required from private users: Y
: Shareware payment required from corporates: Y
: Distribution limitations: None
: Garbo CD-ROM distribution allowed: Yes
: Demo: No
: Nagware: No
: Self-documenting: Yes
: External documentation included: Yes
: Source included: No
: Size: 987094 bytes
: 10 lines description: Patricia Hoffman's "hypertext" led summary of most known
:                       viruses with detection method, removal method, what they
:                       do, brief history of them and much more.  Also includes
:                       her evaluation of the various virus detection and
:                       removal programs around.  Updated March 31, 1996.
:

   All the best, Timo

....................................................................
Prof. Timo Salmi   Co-moderator of news:comp.archives.msdos.announce
Moderating at ftp:// & http://garbo.uwasa.fi archives  193.166.120.5
Department of Accounting and Business Finance  ; University of Vaasa
ts@uwasa.fi http://uwasa.fi/~ts BBS 961-3170972; FIN-65101,  Finland

------------------------------

Date: Tue, 02 Apr 1996 12:45:26 -0500 (EST)
From: "Rob Slade, the famous sleep deprivation experiment" <roberts@mukluk.hq.decus.ca>
Subject: Possible danger to Flash BIOS and ROM
X-Digest: Volume 9 : Issue 45

   [In the AV field, we have been aware of the potential dangers of Flash
   BIOS for some time.  I have not yet checked for the report mentioned in
   comp.firewalls, but if this does turn out to be real it will be
   confirmation of the danger.  (It is quite possible that the report
   concerns a less dangerous piece of malware, such as a trojan.) - rms]

RISKS-LIST: Risks-Forum Digest  Monday 1 April 1996  Volume 17 : Issue 96

Date: Mon, 01 Apr 1996 15:14:09 WET
From: "J.R.Valverde (jr)" <jrvalverde@samba.cnb.uam.es>
Subject: Flash ROM virus

A recent posting in comp.firewalls describes a new kind of PC virus.
This one zaps the flash BIOS of Pentium motherboards.

What makes it more interesting is that on the Endeavour EV-2 motherboards
this behaviour is a killer: it renders the board unusable; see:

   http://www.mrbios.com/ftp/big_risk.txt

As it seems, this particular motherboard features: "(1) Its flash ROM does
NOT implement a write-protected failsafe recovery "boot-block".  (2) The
flash ROM is soldered directly onto the system board.  If anything at all
happens to the flash that causes it to be inoperable, no practical method
exists to restore it.  No "recovery" utility can be run if the system won't
boot."

I can't but wonder what kind of demented design gave birth to such a
sensitive piece of hardware: the BIOS ROM in a PC is a fundamental part of
it: without it the machine is totally unusable. A FlashROM is by definition
writable, and as such one can expect that a variety of circumstances may
erase or rewrite it with bad data. And there are many!

Not having a protected recovery block is bad enough. But soldering it so it
can't be replaced is something I can't but qualify as "evil" (or "greedy" at
least).

The RISKs? Just let your imagination run wild: viruses like the
'Flash_killed' one, programming errors (yes, I've zapped the BIOS config of
a PC this way a couple of times), power failures, using the wrong BIOS image
or loader for an update, etc... Any of them (and many more) will render the
machine totally worthless.

------------------------------

Date: Mon, 01 Apr 1996 09:39:50 +0100
From: Bertrand de COATPONT <bcoatpon@dialup.francenet.fr>
Subject: LAN antivirus for Windows NT (NT)
X-Digest: Volume 9 : Issue 45

My company and I are looking for a LAN antivirus for Windows NT, 
client-server if possible and allowing virus scans to be launched from the 
server to DOS, Win 3.11 and Win 95 workstations. I don't know whether 
this product is a dream or not ... If you can help!

Bertrand de COATPONT
DESCO - Paris

------------------------------

Date: Sun, 31 Mar 1996 15:08:08
From: ruben@ralp.satlink.net
Subject: Re: One byte added to .EXEs in Explorer (WIN95)
X-Digest: Volume 9 : Issue 45

Sun, 17 Mar 1996 09:06:57 +0000 (GMT) Gil <gseward@wco.com> wrote:

>Using Windows 95, every time I look at the properties of an .EXE file
>the file gets one byte bigger. If I set the file to read-only this
>increase is prevented, but I have no idea if other changes are
>happening. McAfee's Vshield w/95 is active and does not see any virus
>activity. I have also booted from a clean write-protected DOS disk and
>run McAfee's Scan 229e and it sees no virus. I believe this is a
>virus, but have no idea what virus, or what program introduced it. I
>have had a friend try the same operation on his computer and he had no
>file size increase when viewing properties. 
>Also tried ThunderByte with same negative result. Any help would be
>appreciated. 


Because you're checking this with two AV packages I suppose this has NO 
virus relation.

I also read about similar problems with the addition of two bytes in another 
message posted here.

This is a software bug that may be corrected. Relax.

Regards

Ruben Arias
- ------------------------------------------------------------------------------
 Ruben M. Arias                                _   _      _                    
					      | ) |_| |  |_)                   
					      | \ | | |_ |                     
 E-Mail: Ruben@RALP.Satlink.net                                                
 Buenos Aires - ARGENTINA            RALP - Computer Security - Virus          
- ------------------------------------------------------------------------------

[Moderator's note:  Indeed!  See the post from Pete Turner
(Pete_Turner@bakerbotts.com) with the Subject: "Bytes added to files
(WIN95)".]

------------------------------

Date: Mon, 01 Apr 1996 15:16:12 +0000 (GMT)
From: Benedict Tam <BTAMHS@cxair.com>
Subject: Re: McAfee 2.0 for Win95 "feature" (WIN95)
X-Digest: Volume 9 : Issue 45

Zack Jones <zack@hom.net> wrote:

>>Score stands 1 with false alarms vs 1 without.  Others?
> 
>No false alarms and 1 positive hit on the anti-exe virus which was on
>a floppy one of our customers brought to the office.
>
>The only odd behavior I've observed and I don't know if this is caused
>by McAfee or something else, but every time I shut down the computer it
>tries to read the A Drive for a few seconds before I get the "It's
>safe to turn off your computer" screen.
>
>Have you or anyone else observed this?

I think it may be caused by Norton Antivirus rather than McAfee.

------------------------------

Date: Tue, 02 Apr 1996 18:01:24 +0000 (GMT)
From: Thomas O'Donohoe <mayo@dircon.co.uk>
Subject: Re: McAfee 2.0 for Win95 "feature" (WIN95)
X-Digest: Volume 9 : Issue 45

On 31 Mar 1996 16:09:56 -0000, Zack Jones <zack@hom.net> wrote:

>The only odd behavior I've observed and I don't know if this is caused
>by McAfee or something else, but every time I shut down the computer it
>tries to read the A Drive for a few seconds before I get the "It's
>safe to turn off your computer" screen.

There is an option under the VShield properties to switch off scanning
on shutdown.

- - 
Thomas O'Donohoe <mayo@dircon.co.uk>
http://www.users.dircon.co.uk/~mayo/

------------------------------

Date: Sun, 31 Mar 1996 15:20:00 -0800
From: Vincent Taijeron <redleg1@foto.infi.net>
Subject: Virus or not (WIN)
X-Digest: Volume 9 : Issue 45

System:  486DX2/66
OS:  dos 6.22 win 3.1

Problem:  Can't tell if this is a virus or a problem with Windows.  I'm
inclined to think it's a problem with Windows.  This problem started about
two days ago; up until that point this problem did not occur.  It started
after I entered the wrong registration code for a program called First Aid
95 which is supposed to run on Win 3.1; when I rebooted the computer I got
a GP fault.  So I went and reinstalled it using the proper reg code, but
still the same thing.  So I decided not to use it and uninstalled it.  I
then got on the net and downloaded some Windows programs.  After unzipping
the programs I tried to run them but they all gave me the following error:

"This program requires MS Windows"

If I didn't get this error it was a GP error.  This happened with about
four programs.  I tried the DOS versions of some of these programs and they
seemed to be working fine.  Could this be a Windows virus?  Or maybe it's a
problem with my autoexec, config.sys or an ini file.  Any suggestions?

------------------------------

Date: Tue, 02 Apr 1996 12:09:23 -0800
From: Kelson Vibber <kelson@uci.edu>
Subject: Re: A small change to Word for Windows (WIN)
X-Digest: Volume 9 : Issue 45

Larry Frank wrote:

> that over the last few weeks when Word for Windows opens a document via
> associated extension, my computer gives one beep as the program opens.
> pgms. without any indication of a problem. Does this sound like macro
> virus behavior?  Can I turn the beep off and if so how.  Would

This *could* be the Word Concept Virus -- it's supposed to 
display a dialog box every time it finds itself, but doesn't 
always, and the beep may be a symptom of that.  Go to the Tools 
menu and select Macro -- if you see macros with names like 
AAAZAO, AAAZFS, Payload, AutoOpen, and AutoSaveAs, you've been 
infected -- delete them, close all files, and select Macro from 
the File menu.  Delete them if they're still there.  (If you 
can't delete the macros, edit them and delete the code.  Then 
you can delete them the next time you open the file.)  As a side 
note, if you put an empty macro with the name "Payload" in 
normal.dot, documents with the virus will assume it's already 
present and won't infect it.

Kelson Vibber
kelson@uci.edu

------------------------------

Date: Mon, 01 Apr 1996 14:58:16 +0000 (GMT)
From: Benedict Tam <BTAMHS@cxair.com>
Subject: Re: Wanted TSR checks A: as used (PC)
X-Digest: Volume 9 : Issue 45

Garry S <GarryS@win.tec.mn.us> wrote:

>Our site has licenses for McAfee and F-Prot.  Unfortunately I have gotten 
>several viruses onto our LAN because it does Not TEST as it READS diskettes 
>in A:.  Does anyone know of a TSR that does?

Norton Antivirus may do that!

------------------------------

Date: Sun, 31 Mar 1996 20:22:47 +0000 (GMT)
From: Angela Cowley <Angela@squig.demon.co.uk>
Subject: AntiEXE virus (PC)
X-Digest: Volume 9 : Issue 45

I recently wrote to this group about having found my new pc to have the
ANTIEXE virus and how the company, PC Science, had blamed it on the net.
Many of the posters replied, telling me it was a boot sector virus and
therefore from a floppy rather than the net. I installed Dr Solomon's,
cleaned my disks and left everything. This evening, I was asked by a
friend on the phone, to check the file names on my Windows 3.11 disks, as
she thought she might have wiped something accidentally. My disks were
still in the sealed envelope they came in, so I opened them and put them
in the machine, one at a time to read the info to her. When I placed disk
2 in the a drive, the alarm went and I found it had the anti exe virus.
This to me is proof that the virus has come from the company. Can anyone
advise me as to what I could or should do about this matter.

Thank you,

Angela

-Angela Cowley 

------------------------------

Date: Sun, 31 Mar 1996 12:09:45 -0500 (EST)
From: Devin Knight <dak@pgh.nauticom.net>
Subject: Re: Is ARJ 2.8 a trojan? (PC)
X-Digest: Volume 9 : Issue 45

ARJ 2.8 is not a trojan, nor is it really a fake.  What it consists
of is an earlier version of ARJ (I believe 2.4) that some hackers cracked
to make it appear to be registered, and put 2.8 on it.  Anyone
who has a copy of 2.8 got it from a warez board.  You can easily spot
this as not being a newer version because the dates on the arj.exe are
earlier: the 2.8 says copyright 1994, while the most current version
2.5 says copyright 1995.

Hope this clears up the matter: no virus or trojan (I've checked it
thoroughly), just a hack, and not a good one at that.

**************************************************
Devin Knight                  I Don't Do Windows!    
dak@pgh.nauticom.net            
**************************************************

------------------------------

Date: Sun, 31 Mar 1996 21:32:58 +0000 (GMT)
From: "Derek V. Giroulle" <Dirk.Giroulle@ping.be>
Subject: Re: Possible virus--adds to command.com (PC)
X-Digest: Volume 9 : Issue 45

Geert.Nijs@fys.kuleuven.ac.be wrote:

>Greg Wesson wrote:
>
>> I got an error when starting dos.  The error said "Bad or
>> missing command interpreter (i.e. c:\command.com)" and then promped me
>> with "c>" 
>> scaned a disk that I gave him of 2 bmp files that I scanned using a logitech 
>> scanman and  he said that there was a virus called "LEONARDO."

Whoosh, Logitech will like this: Greg just promoted their page-scanner
to a new revolutionary AV device.

 ... or do I read something wrong here?

If you have a disk with only BMPs on there and a virus recognised as
Leonardo, it should be a boot sector virus; however, what AV software was used
to detect "Leonardo"?  The closest I could come up with was
Leandro (aka Kelly), a partition and boot sector infector.

However Geert you wrote this :

>When I boot the computer, DOS start loading. He begins with
>CONFIG.SYS en loads the HIMEM.SYS driver. When he comes at the line
>SHELL=C:\COMMAND.COM /P etc... he says :
> "INvalid Command.com. System Halted".
>(I do not get a prompt.)

You might just have fallen victim to a corrupted command.com; perhaps
some program overwrote it, or someone installed something on your PC
and replaced the command.com.

I suggest you reinstall DOS and make sure you have the correct
Command.com file to put in your root directory.

>I'm still not sure if it's a virus. It could be a hardware error also.
>But some other programs (network software) are also acting VERY strange.
>I installed this software on about 15 computers where it always worked.

That would be caused by the faulty Command.com

As I'm geographically close to you don't hesitate to contact me if you
have a problem.

Dirk.Giroulle@ping.be
http://www.ping.be/~ping0010
Life is like a peepshow, through a little window you never get to see what
you went in for (based on fvu's definition of panning)

------------------------------

Date: Sun, 31 Mar 1996 23:24:33 +0000 (GMT)
From: anne marie achico <achico@mik.uky.edu>
Subject: SPIRIT infection! (PC)
X-Digest: Volume 9 : Issue 45

Hey there.  I work over at the University of Kentucky.
One of our labs seems to have been ravaged by the SPIRIT virus.
It's kind of scary.  It seems to be pretty new or perhaps rare
because our latest version of Norton's did not even pick it up.
I'm not exactly sure how it works, but it apparently completely
trashes your files on your disks until they become unreadable.
When run through Norton it actually says the disk is physically
damaged.  Luckily we have another anti-virus software called
F-PROT that can pick up and disinfect the Spirit.

The sad thing is that you don't know you have it until your computer
tries to look at your disk and it says "Drive A not Valid".
We run F-PROT which saves the disk /most/ of the time, but usually
a bunch of files are completely trashed.  I've already had to tell
a teary-eyed patron that she had just lost some dissertation, or
some equally huge work.

Perhaps everyone here already knows about this virus. Could you
send me some information on it?  We called up some National
Anti-Virus Association (its true name escapes me) and they said
that they had not heard of it.  Any help would be appreciated.

Sincerely,
	Anne

ps...I know that there can be a million jokes about catching the SPIRIT,
but trust me, this virus really bites the proverbial big one.

- -
 -------------------------------------------------------
| Anne-Marie Achico        | If you have to walk       ----
| University of Kentucky   | on thin ice you might       ----
| achico@mik.uky.edu       |    as well dance.             ----
 ----------------------------------------------------------------

------------------------------

Date: Mon, 01 Apr 1996 06:50:48 +0000 (GMT)
From: Ian Mullins <obe4019@InfoNET.st-johns.nf.ca>
Subject: Re: Help w/ possible boot sector virus (PC)
X-Digest: Volume 9 : Issue 45

: Over the last few weeks there have been a large number of similar reports
: of VirusScan finding (traces of) viruses in memory at boot up under Win95
: and no other reputable scanners finding anything--would someone from
: McAfee's like to comment?]

This is happening because he mixed versions, most likely. He has the new 
DAT files, and the old VSHIELD.EXE file. He needs to totally delete the 
McAfee directory, and do a fresh reinstallation.

The problem happens in DOS as well, and is not related to Win '95. As he 
stated, the problem happens before Win '95 even takes control of the 
computer.

- -
Crash,
Remote SysOp of The Danger Zone (709)368-4709

------------------------------

Date: Mon, 01 Apr 1996 12:37:22 +0000 (GMT)
From: Pavel Machek <machek@atrey.karlin.mff.cuni.cz>
Subject: Re: HELP stoned.michelangelo virus!!! (PC)
X-Digest: Volume 9 : Issue 45

Eli Dickinson (eli_d@pipeline.com) wrote:
:       I went to go play a game and it informed me a file had been altered.
: I ran Mcaffe Virus Scan and found the Stoned.Michelangelo virus in one
: file.  My dad is out of town, and this virus is on his Red-hot new
: computer with a 9-gb SCSI drive. 

Strange. Michelangelo should not alter games. It is a boot virus!

If it IS Michelangelo, run CLEAN from McAfee; it will help you. Or run 
fdisk /mbr, if you are a brave one and do not have any important data on
that drive...

- -
This looks like my signature...                                   Pavel Machek
If you want more info about me, http://novell.karlin.mff.cuni.cz/~pmac5296.

------------------------------

Date: Mon, 01 Apr 1996 12:35:50 +0000 (GMT)
From: Pavel Machek <machek@atrey.karlin.mff.cuni.cz>
Subject: Re: Floppy Disk TSR scan software (PC)
X-Digest: Volume 9 : Issue 45

Warwick Mortensen (wam@data3.com.au) wrote:
: I was wondering what's the best Anti Virus program on the 
: market that will scan a floppy disk when you put it in the 
: drive? It must be a TSR that does the scan.  Not a menu 
: driven program.
: 
: Can you please e-mail thanks
Sorry... Too late.

  I do not think that will work. Users bring their .exe files packed into
.arj / .zip files (and so on).

- -
This looks like my signature...                                   Pavel Machek
If you want more info about me, http://novell.karlin.mff.cuni.cz/~pmac5296.

------------------------------

Date: Mon, 01 Apr 1996 12:39:56 +0000 (GMT)
From: Pavel Machek <machek@atrey.karlin.mff.cuni.cz>
Subject: 1200 virus - how to remove? (PC)
X-Digest: Volume 9 : Issue 45

Someone <pferrera@tsai.es> asked me to help with the 1200 virus. I found it
in the virus list as Sybille.1200, with a note that removal methods are
unknown.

Does someone know how to remove it?

(Also e-mail, if you can do it easily)

- -
This looks like my signature...                                   Pavel Machek
If you want more info about me, http://novell.karlin.mff.cuni.cz/~pmac5296.

[Moderator's note:  A quick check with VGrep suggests that if all you know
is "1200", there are at least eight other virus families that have "1200"
variants known to at least one major scanner.  These families are Abraxas,
Chameleon, Dark_Avenger/Uriel, Grog, Jerusalem, KDG, Sarov and Shadow. 
Also note that at least two major scanners label some of the Sybille
family as "Aztech".  I also found a listing in VGrep where one sample
produced the following output:

   TS-1200
   Russel.1200
   TS.1200
   1200
   Rusty.1200
   Russel-1200

With six different names for the one sample, I guess this last one is a
quite new (or insignificant?) virus and therefore doesn't yet have anything
like a "standard" name.

Hopefully the "1200" example shows the importance of reporting not only a
name, but the software that told you the name as well.]

------------------------------

Date: Mon, 01 Apr 1996 12:48:05 +0000 (GMT)
From: Pavel Machek <machek@atrey.karlin.mff.cuni.cz>
Subject: Re: Did Michelangelo Virus Wipe this PC's Hard Drive? (PC)
X-Digest: Volume 9 : Issue 45

Mike Blackwell (mike.blackwell@pnn.com) wrote:

: I'm a Mac user (please, no flames :), and need help diagnosing a friend's
: PC problem. She has a 286, and doesn't know how much RAM or HD space she
: has, so I'd assume it's whatever's standard. Recently, she recalls hearing
: strange sounds from the hard drive, and the next time she booted, her hard
: drive was empty: a "DIR" command revealed no files.
: 
: The computer store that sold it to her told her she'd been struck by the
: Michelangelo virus, which, as I understand it, is programmed to go off on
: a certain date (March 6?) and delete the hard drive directory. However,
: the virus had to have been on the hard drive to begin with, since she has
: no modem, and by her admission, she hasn't used a floppy in a couple of
: years. One would think Michelangelo would have struck 12 months ago, so
: I'm having trouble accepting a viral diagnosis.
: 
: She has no anti-viral, diagnostic, recovery, or backup software of her
: own, so I advised her to leave the machine turned off and wait until I can
: learn something. I suggested she get a second opinion from another store,
: but at $25 per opinion, I don't blame her for being loath to do so.

  I think that Michelangelo cleans the hard drive in a low-level way. She would
not be able to DIR if Michelangelo had deleted her hard drive. Bring Norton
Disk Doctor (from Norton Utilities) or run chkdsk from DOS to see what
happened.  (I suggest NDD, it can recover whole directories).

  BTW, they were probably kidding in the computer store, and I would ask them
to refund the money if I were her. Michelangelo cannot do that.

- -
This looks like my signature...                                   Pavel Machek
If you want more info about me, http://novell.karlin.mff.cuni.cz/~pmac5296.

------------------------------

Date: Mon, 01 Apr 1996 07:02:01 -0700
From: Mark West <mwest@primenet.com>
Subject: Re: Wanted TSR checks A: as used (PC)
X-Digest: Volume 9 : Issue 45

On 31 Mar 1996 16:10:45 -0000, Garry S <GarryS@win.tec.mn.us> wrote:

>Unfortunately I have gotten 
>several viruses onto our LAN because it does Not TEST as it READS diskettes 
>in A:.  Does anyone know of a TSR that does?

	I believe NAV can be setup to do that.

===
Mark West <mwest@primenet.com>
http://www.primenet.com/~mwest/     With links to ...
Anti-Virus, PGP/Privacy, Roller Coasters, HTML, Martial Art & more
PGP FngPnt: 42 98 08 7D F5 AC B0 F7 89 A1 81 1A 97 FC F4 EC
Free Speech: It's not just a good idea, it's the law!

------------------------------

Date: Mon, 01 Apr 1996 08:29:11 +0000 (LOCAL)
From: DWL <weite@ix.netcom.com>
Subject: HELP with unknown virus (PC)
X-Digest: Volume 9 : Issue 45

I got an unknown virus. 

The report from anti-virus programs:

MS-antivirus: checksum error
TBAV: the file has been changed
McAFee: no virus found
F-PROT: no virus found

- It mostly happens to the *.exe files under c:\windows. 
- The size of the *.exe grows.
- The winhelp.exe corrupted first.

I have reinstalled Windows 3.11 many times but the symptoms come out
after a while.

I would appreciate it if someone can help me with this problem.

Thanks a lot.

Wei

[Moderator's note:  That's two similar reports in a week (see
guy@net-prophets.co.uk post in Digest #42).  Is anyone aware of something
these people should know?]

------------------------------

Date: Tue, 02 Apr 1996 01:50:56 +0800
From: "crash n' burn..." <juhari@teleview.com.sg>
Subject: AntiCMOS virus (PC)
X-Digest: Volume 9 : Issue 45

Hi, i need help with my PC. I am currently using WIN95 and occasionally I 
get a general protection fault failure and whatever that was running had 
to be shut down. I used McAfee's Scan95 and it did not detect the 
presence of any virus. A friend of mine used my PC and when he 
transferred some files over to his PC (by diskette), he detected the 
antiCMOS virus. He used another PC and it confirmed the presence of this 
virus.

Does anyone have any solution to this problem? Also, how come my Scan95 
did not detect the (abovementioned) virus?

Thanks in advance.

KHAIRUL A JUHARI.
email: as above or 'bi7336561@ntuvax.ntu.ac.sg'

------------------------------

Date: Mon, 01 Apr 1996 13:21:00 -0500 (EST)
From: Rucker@ARL.MIL
Subject: Effectiveness of DOS Scanners in Win95 (PC)
X-Digest: Volume 9 : Issue 45

Are Scanners designed for use with DOS 6.x and Win3.x effective in a
Win95 environment?

Are DOS scanners just as effective for use in a Win95 environment
as scanners designed for use within the Win95 GUI?

Does it matter whether the code being scanned is a 16-bit or a
32-bit program?

Does it matter whether the code being scanned is real-mode or virtual
device driver?

Rucker

------------------------------

Date: Mon, 01 Apr 1996 17:43:56 +0000 (GMT)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: Re: Wanted TSR checks A: as used (PC)
X-Digest: Volume 9 : Issue 45

In article <0037.01I30DCRYH72S5UZJP@csc.canterbury.ac.nz>
	   GarryS@win.tec.mn.us "Garry S" writes:

> Our site has licenses for McAfee and F-Prot.  Unfortunately I 
> have gotten several viruses onto our LAN because it does Not TEST 
> as it READS diskettes in A:.  Does anyone know of a TSR that 
> does?

Dr. Solomon's does.  I thought McAfee and F-Prot did too.

- -
WE CAN'T                    BUT WE DO SUPPLY
	PROVIDE YOU                         THE BEST DARN BAIT
		   WITH A DATE                                Burma-Shave

------------------------------

Date: Mon, 01 Apr 1996 18:14:44 -0500
From: Doug Muth <dmuth@oasis.ot.com>
Subject: Re: An aftereffect of Natas (PC)
X-Digest: Volume 9 : Issue 45

In article <0022.01I30DCRYH72S5UZJP@csc.canterbury.ac.nz>, A.Appleyard
writes:

: I have had attacks of NATAS in some PC's that students use. It seems that
: when NATAS has infected a file and McAfee SCAN has cleaned it out, there
: remains an odd effect:
:   `DIR' prints its date as correct (at least with DOS 5.00: I have no
: intention of letting NATAS into my own PC just to find if DOS 6.22's DIR
: does this also!)

	Then make a bootable disk with DOS 6.22 and use it on said system.

:   The DOS interrupts `AX=4E00, int21' & `AX=4F00, int21' read its date as
: 128 years in the future from correct.
:   `DIR /OD' sorts affected filenames by date as if the date was 128 years
: in the future from correct, but yet prints their dates as correct.
: Sometimes the only clue that NATAS is or has been about, is that DIR /OD
: sorts file dates wrong. Why is this? Is there a bug in DIR's date-printing
: routine? Or what? I can't see why DIR's print routine needs to ignore the
: 128-years bit; if some fault has set a file's creation year wildly wrong,
: I want to know about it!

	Well, I think we can assume that Natas uses this 128 years 
"aging" to mark which files have been infected.  As for the DIR, 
according to "Norton's PC Programmer's Bible", the date is a 16-bit 
unsigned integer.  The formula for setting that integer is as follows:

	date=((year-1980)*512)+(month*32)+day

	since we are working with 16 bits, I think the layout is like this:

bit     15 14 13 12 11 10 9 | 8 7 6 5 | 4 3 2 1 0
               year         |  month  |    day

	Now toggling bit 15 will cause a change of only 64 years.  So, I think 
you are right, that there Is a bug somewhere in DIR.  Now, the question 
remains, where?  Some attribute on the file Must be changed, probably a 
bit officially marked as unused...but DIR must check it anyway.

	So, does anyone feel like tracing through Int 21h and figuring 
out what exactly is happening?

	Regards,

- -
- -<Doug Muth>---<dmuth@ot.com>--| Finger dmuth@oasis.ot.com for| "Est
- --<http://www.ot.com/~dmuth>---| PGP public key and geek code | Sularus
Anti-virus software and utils:  | The Transformers fanfiction: | oth
~dmuth/virus/virus.html         | ~dmuth/tf/tf.html            | Mithas!"
-=-=-=-=-=-"Linux - The choice of a GNU generation"-=-=-=-=-=- |
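The date-word arithmetic in the post above, as an added example that is not from the digest: it packs and unpacks the FAT date field with the 512/32/1 weights given, shows the 64-year effect of bit 15, and flags entries whose decoded year lies in the future regardless of how a two-digit listing prints them. The file names, the +100-year stamp and the "today" date in the sample are constructed for illustration, not taken from the virus.

```python
# Added example, not from the digest: the 16-bit DOS/FAT date word discussed
# in the post above (year*512 + month*32 + day), what flipping bit 15 does to
# it, and a defender's check for timestamps that sit in the future.
from datetime import date

YEAR_SHIFT, MONTH_SHIFT = 9, 5                        # 512 = 2**9, 32 = 2**5
YEAR_MASK, MONTH_MASK, DAY_MASK = 0x7F, 0x0F, 0x1F    # 7, 4 and 5 bits wide


def pack_dos_date(year, month, day):
    """Encode y/m/d as a FAT directory-entry date word; the year is 1980-based."""
    if not 1980 <= year <= 1980 + YEAR_MASK:
        raise ValueError("year does not fit the 7-bit DOS year field")
    return ((year - 1980) << YEAR_SHIFT) | (month << MONTH_SHIFT) | day


def unpack_dos_date(word):
    """Decode a date word into (year, month, day); inverse of pack_dos_date."""
    year = 1980 + ((word >> YEAR_SHIFT) & YEAR_MASK)
    month = (word >> MONTH_SHIFT) & MONTH_MASK
    day = word & DAY_MASK
    return year, month, day


def flip_bit15(word):
    """Toggle the top bit of the word, i.e. the 64s bit of the year field."""
    return word ^ 0x8000


def two_digit_year(year):
    """What a listing that prints only the last two digits of the year shows."""
    return f"{year % 100:02d}"


def sort_like_dir_od(entries):
    """Order (name, word) pairs by the raw date word, as a date-sorted listing does."""
    return [name for name, _ in sorted(entries, key=lambda e: e[1])]


def future_dated(entries, today):
    """Names whose decoded date lies after 'today' or is not a valid calendar date.
    A far-future stamp survives a two-digit year display, so the check compares
    the decoded year, not the printed one."""
    flagged = []
    for name, word in entries:
        y, m, d = unpack_dos_date(word)
        try:
            if date(y, m, d) > today:
                flagged.append(name)
        except ValueError:        # month 0, day 0, or a day the month does not have
            flagged.append(name)
    return flagged


# Constructed directory sample: one normal entry, one stamped 100 years ahead
# (an illustration of a far-future mark, not the virus's actual offset), and
# one zeroed word. SAMPLE_TODAY is the constructed "current" date.
SAMPLE_ENTRIES = [
    ("GAME.EXE", pack_dos_date(1996, 3, 31)),
    ("MARKED.EXE", pack_dos_date(2096, 3, 31)),
    ("ODD.EXE", 0x0000),
]
SAMPLE_TODAY = date(1996, 4, 1)

if __name__ == "__main__":
    w = pack_dos_date(1996, 3, 31)
    print(f"1996-03-31 -> {w:#06x}; bit 15 flipped -> {unpack_dos_date(flip_bit15(w))}")
    for name, word in SAMPLE_ENTRIES:
        y, m, d = unpack_dos_date(word)
        print(f"{name:11} word={word:#06x} shows year '{two_digit_year(y)}', real year {y}")
    print("sorted by date word:", sort_like_dir_od(SAMPLE_ENTRIES))
    print("future-dated:", future_dated(SAMPLE_ENTRIES, SAMPLE_TODAY))
```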

------------------------------

Date: Mon, 01 Apr 1996 18:19:59 -0500
From: Doug Muth <dmuth@oasis.ot.com>
Subject: Re: "Dis is one half" messages-Virus? (PC)
X-Digest: Volume 9 : Issue 45

In article <0033.01I30DCRYH72S5UZJP@csc.canterbury.ac.nz>, Allen writes:

: When booting my computer a strange message has started appearing.
: The message appears before the computer starts MS-DOS.
: The Message is "Dis is one half."
: Then I get the message "Press any key to continue."
: After I type a key then I get the message Starting Dos.
: Is this an indicator of any known virus?

	Yes, it is the One_half virus, which I believe is multipartite.  
It is very hard to deal with since it encrypts files, and you will not be 
able to access them if you clean boot and/or remove the virus.  There is a 
special disinfector that I have in the utilities section on my virus 
homepage that should help you out.

	Regards,

- -
- -<Doug Muth>---<dmuth@ot.com>--| Finger dmuth@oasis.ot.com for| "Est
- --<http://www.ot.com/~dmuth>---| PGP public key and geek code | Sularus
Anti-virus software and utils:  | The Transformers fanfiction: | oth
~dmuth/virus/virus.html         | ~dmuth/tf/tf.html            | Mithas!"
-=-=-=-=-=-"Linux - The choice of a GNU generation"-=-=-=-=-=- |

------------------------------

Date: Tue, 02 Apr 1996 01:30:11 +0000 (GMT)
From: chad@kynet.com
Subject: Re: NYB Virus (PC)
X-Digest: Volume 9 : Issue 45

Eric Rossing <intec@vixc.voyager.net> wrote:

[much snipped]
>BTW: Does anyone know of a current Virus database?  I have the VSUM
>database from July, 1995, and would like something more current, if
>possible.  Thanks!

There is a much more recent VSUM on oak.oakland.edu; I just got the edition
from, I believe, last month.

Chad

------------------------------

Date: Mon, 01 Apr 1996 18:31:45 -0500
From: Doug Muth <dmuth@oasis.ot.com>
Subject: Re: Is ARJ 2.8 a trojan? (PC)
X-Digest: Volume 9 : Issue 45

In article <0046.01I30DCRYH72S5UZJP@csc.canterbury.ac.nz>, Sune Lundholm
writes:

: Can somebody tell us if PKZip 3.0, 4.1 and ARJ 2.8 are trojans or just 
: fakes. And if they are trojans what is the damage?

	I believe that PkZip 3.0 and 4.1 are Trojans.  AFAIK, the newest 
version of ARJ is 2.42 beta.  You could find the 'official' release on any 
simtel mirror.

	Regards,

- -
- -<Doug Muth>---<dmuth@ot.com>--| Finger dmuth@oasis.ot.com for| "Est
- --<http://www.ot.com/~dmuth>---| PGP public key and geek code | Sularus
Anti-virus software and utils:  | The Transformers fanfiction: | oth
~dmuth/virus/virus.html         | ~dmuth/tf/tf.html            | Mithas!"
-=-=-=-=-=-"Linux - The choice of a GNU generation"-=-=-=-=-=- |

------------------------------

Date: Wed, 03 Apr 1996 05:23:50 +0000 (GMT)
From: qifei <qifei@server20.hust.edu.cn>
Subject: 639K mem (PC)
X-Digest: Volume 9 : Issue 45

I have a Compaq 586. The base memory of this machine is always
639K when I test it with the "mem" command, even when I reboot it with a clean
DOS floppy disk. So I think the virus may be in the CMOS. But after I clear
the CMOS, there is still 639K of base memory.

The "virus" has two signs:
    a.) The machine often warns me that there is not enough memory to run a
program.
    b.) The virus automatically sets a password on the CMOS.

I don't know what to do about it. If you have a solution or advice,
please tell me.

	Thank you.

------------------------------

Date: Tue, 02 Apr 1996 08:07:57 -0700
From: William A Wenrich <wawenri@sandia.gov>
Subject: Re: Directory problem (PC)
X-Digest: Volume 9 : Issue 45

When I had the same problem I had to use the BFMI method.  I copied all 
other branches to a network drive, used FDisk to clear the original, and 
reinstalled.

------------------------------

Date: Tue, 02 Apr 1996 10:50:00 -0500
From: Ben Danielson <bendan@asu.edu>
Subject: Re: Wanted TSR checks A: as used (PC)
X-Digest: Volume 9 : Issue 45

>Our site has licenses for McAfee and F-Prot.  Unfortunately I have gotten
>several viruses onto our LAN because it does Not TEST as it READS diskettes
>in A:.  Does anyone know of a TSR that does?

F-PROT does have a TSR named Virstop.  I use it at my site, and it will stop
access to the A: drive if it detects a virus.  I did have to configure the
program to check the boot sector of floppy drives by using the /boot switch.

Hope this helps,

Ben

------------------------------

Date: Tue, 02 Apr 1996 14:34:25 -0500 (EST)
From: "Paul R. Coen" <PCOEN@DRUNIVAC.DREW.EDU>
Subject: Ripper question (PC)
X-Digest: Volume 9 : Issue 45

This may be an obvious question, but is Ripper at all selective about what
types of disk writes it interferes with? 

What I'm wondering is if it has the potential to interfere with the
updating of the physical copy of the FAT table, or directory entries on a
diskette or hard drive.

Thanks in advance.

------------------------------

Date: Tue, 02 Apr 1996 15:20:57 -0500 (EST)
From: "Jamon E. Bailey" <JB0269A@american.edu>
Subject: Viruses that reset top of memory (PC)
X-Digest: Volume 9 : Issue 45

I have a question concerning viruses that bite off the last 1K of
conventional memory and cause DOS to report a total of 639K of
conventional memory.  Suppose I was sure that my computer had
a virus at that location in memory.  Would it be possible to
write a program that would overwrite that 1K of memory and remove
the virus from memory even if it was a stealth virus?

This is a somewhat hypothetical question - I did read the FAQ, including
the part about booting from a known clean floppy before trying to deal
with viruses.

Jamon Bailey

[Moderator's note:  You -can- do this, but unless you know exactly what
virus and what to set the interrupts it has hooked back to, you are
looking at hanging the machine.]

------------------------------

Date: Tue, 02 Apr 1996 20:35:49 +0000 (GMT)
From: Bruce Burrell <bpb@stimpy.us.itd.umich.edu>
Subject: Re: Jackal.B (PC)
X-Digest: Volume 9 : Issue 45

Byron Holdiman (LIS) (holdiman@luna.cas.usf.edu) wrote:

> We did do the FDISK /MBR on all of the computers that were reported as
> being infected and it seems to have taken care of the problem.  I noticed
> that you mentioned that this should not be done?

   The article that warns of the danger of using FDISK this way never
reached my server, but the problem is very real.  See the alt.comp.virus
FAQ for a subset of conditions under which it can make matters much worse.

> Could it still have survived the FDISK /MBR and not being picked up by
> McAfee now,

   As has already been reported here, the message you got was a false
alarm with that version of your AV scanner.  If you HAD had Jackal, and
you HAD used FDISK/MBR after a clean boot, you would have lost access to
all the data on your drive.  Yet another reason not to use this undocu-
mented switch; that's why using AV software is a much better idea. 

   Of course, one still has to live with the occasional false alarm....

> or does it appear that the virus was taken care of after all?

   Was never there in the first place.

   -BPB

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 45]
*****************************************


