Date: 	Tue, 09 Apr 1996 03:28:05 +1200 (NZT)
Reply-To: virus-l@Lehigh.EDU
Sender: owner-virus-l@Lehigh.EDU
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>
Subject: VIRUS-L Digest V9 #46

VIRUS-L Digest   Tuesday, 9 Apr 1996    Volume 9 : Issue 46

Today's Topics:

HUGE files! What is going on?
viruslist
Re: NCSA certified products
Addendum Re[2]: FYI: SWAMP - An April Fools Virus Hoax
What is a "locust"?
Re: Flash BIOS viruses?
New AntiVirus Survival Kit
Dr Solomon's Virus Stats (March 96)
Re: McAfee Dishonesty
EZ!_Not_a_Virus
Re: Macro viruses
Re: NCSA certified products
Virus Writing? Why Do People Still Do it.
Re: Is MEANING.EXE a Trojan horse?
Unix Virus Scanning Software? (UNIX)
McAfee for NT (NT)
MacroWord helper apps... (MAC,WIN)
F-Prot for Win 95 evaluation version (WIN95)
Re: AntiEXE triggers McAfee problems? (WIN95)
Re: McAfee 2.0 for Win95 "feature" (WIN95)
Calling All Experts? Help! (WIN95)
Re: McAfee95 reports McWhale (WIN95)
Re: What detects BOZA virus? (WIN95)
Re: McAfee 2.0 for Win95 "feature" (WIN95)
Re: NAV says Stealth_Boot in memory (WIN95)
Scan 95 (WIN95)
Unable to open dynalink and EMM386 has detected error... (WIN)
Re: Dr Solomon - Questions (WIN)
Re: Bad CPU (was re: Wordperfect 6.1 Virus? (PC))
Need Help Removing Stealth_C Virus (PC)
Re: scn-22ce.zip McAfee VirusScan for DOS, SCAN.EXE (PC)
Help. My Hardisk is wipped out.on Aprils' Fools Day (PC)
Re: Bones Virus (PC)
Re: Virus scanners and web browsers? (PC)
Re: NRLG Virus (PC)
Ripper interrupt handling (PC)
Re: Command line scanners with "quiet" mode? (PC)
Re: Wanted TSR checks A: as used (PC)
pkunzip virus? or pc-perl virus? (PC)
Re: Wanted TSR checks A: as used (PC)
Re: McAfee Vshield 2.9 and windows (PC)
Re: Config of McAffee (PC)
Re: McAfee Vshield 2.9 and windows (PC)
Virus BYE (PC)
Re: Microsoft Anti-virus memory problems (PC)
Re: Directory problem (PC)
Virus Affecting .EXE Copying? (PC)
Re: Wanted TSR checks A: as used (PC)
Cow Creazy Virus (PC)
Automatic disk checking from a batch file (PC)
Re: Uncl: Re:Modem snag: Virus or NAV? (PC)
Keys remapped, other problems--April Fools trojan? (PC)
Possible Virus?  DeskJet 500C prints happy faces (PC)
Urkel virus (PC)
Re: Winword/Scanprot/FProt questions (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Wed, 03 Apr 1996 04:23:11 +0000 (GMT)
From: thompson@achilles.net
Subject: HUGE files! What is going on?
X-Digest: Volume 9 : Issue 46

I know this has been discussed before, but I have these huge (1.2 gig)
files of ascii appearing on my computer.

Is this the action of a virus?

Mike Thompson.

[Moderator's note:  Maybe if you told us some useful information, like
what sort of computer and what OS, someone will be able to give some
informed advice...]

------------------------------

Date: Mon, 03 Apr 1995 13:56:18 +0000
From: zeilein <zeilein@141.47.1.1>
Subject: viruslist
X-Digest: Volume 9 : Issue 46

Does someone know a listserver where you will automatically be
informed about the latest viruses?

Please send me a Mail:

zeilein@fh-pforzheim.de

------------------------------

Date: Wed, 03 Apr 1996 15:40 +0000
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: NCSA certified products
X-Digest: Volume 9 : Issue 46

In-Reply-To: <01I30DCRYH72S5UZJP@csc.canterbury.ac.nz>
Al Kimel <akimel@awod.com> writes:

> The products that have now been certified by the NCSA are InocuLan,
> F-Prot Professional, IBM, and NAV.  I understand that a couple of
> others (e.g., McAfee and Dr. Solomon's are in the testing phase).
>
> The certification means (I think) that these products successfully
> caught 100% of the in-the-wild viruses and 90% of the NCSA zoo.
> 
> For more, see:
>
> http://www.ncsa.com/avpdcert.html

Dr Solomon's Anti-Virus Toolkit is now also certified by the NCSA.

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Wed, 03 Apr 1996 10:54:40 -0500 (EST)
From: Tom Zmudzinski <zmudzint@ncr.disa.mil>
Subject: Addendum Re[2]: FYI: SWAMP - An April Fools Virus Hoax
X-Digest: Volume 9 : Issue 46

More on the Swamp hoax from the C4I-Pro Maillist.  /z/

______________________________ Forward Header __________________________________
Subject: [C4I-Pro] Swamp Me!
Author:  Parker Vetrano <jpv@sappho.rl.af.mil>
Date:    4/3/96 10:41 AM

I don't know the twit that created the "Swamp virus" that Dave Kennedy 
reported, but think about the inventive mind of the creator.  There are 
some elements of genius in the drivel he/she spews:
The idea of using the modulation as a carrier for additional modulation 
isn't new, but it's seldom thought about.  Think about what one might 
do with some forms of burst communications and with direct sequence 
modulation (a form of spread spectrum).  Hmmmmmmm...

------------------------------

Date: Wed, 03 Apr 1996 15:01:24 +0000 (GMT)
From: joseph panella <jade71@ix.netcom.com>
Subject: What is a "locust"?
X-Digest: Volume 9 : Issue 46

What is a computer locust? I've heard the term and also heard one was
part of the game Hell: A Cyberpunk Thriller (not a real one). Someone
told me it was like a virus but it went off at a certain date and
didn't infect files. This sounds a lot like a logic bomb to me. Is there
even something called a locust or was this person full of it?

Any info would be greatly appreciated.

jade phreak

------------------------------

Date: Wed, 03 Apr 1996 08:37:33 -0700
From: Britt Benedictson <brittb@bach.ccinet.ab.ca>
Subject: Re: Flash BIOS viruses?
X-Digest: Volume 9 : Issue 46

brian mitchell wrote:

> It's a convenience item. If you _DO_ need an upgraded bios, would you
> rather wait a week for the chip, have to open your computer, insert it,
> etc or download some program from AMI or whatever, run it, point on a
> little upgrade icon (gee, we can't do _anything_ without a GUI, y'know) and
> presto, be upgraded.
> 
> The security issues to be dealt with, however, are horrific.

Most motherboards have a jumper on their Flash BIOS to enable/disable
programming.  When jumpered in the programming mode, the system will boot
up to allow you to program your BIOS and that's it.  You then have to
disable programming to make use of your computer.  ASUSTek does this and a
couple of other board manufacturers do also though I can't remember their
names at the moment.

The jumper for enable/disable programming adjusts voltage to the chip to
allow programming of it.  If I remember correctly, 5v to read, 12v to
program it.

Britt Benedictson
brittb@ccinet.ab.ca

------------------------------

Date: Wed, 03 Apr 1996 10:51:09 -0800
From: Clark Allen <clark.allen@odyssey.on.ca>
Subject: New AntiVirus Survival Kit
X-Digest: Volume 9 : Issue 46

CSI is pleased to announce the availability of a complete new antivirus 
survival kit with four levels of defense.

For more information please Email to clark.allen@odyssey.on.ca or fax 
toll free to 800-410-5202 in North America.

------------------------------

Date: Wed, 03 Apr 1996 18:13 +0000
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Dr Solomon's Virus Stats (March 96)
X-Digest: Volume 9 : Issue 46

In-Reply-To: <01I30DCRYH72S5UZJP@csc.canterbury.ac.nz>

Here are some statistics from the United Kingdom technical support 
department of S&S International (developers of Dr Solomon's Anti-Virus 
Toolkit).  These stats are for general interest and should not be treated 
as gospel regarding which viruses are causing the largest problem (for 
example, many corporate users dealing with Form, for example, will not 
need to call us up for hand-holding and advice)

 Virus Stats for March 1996
 
   WINWORD.CONCEPT    20
   EMPIRE MONKEY      18
   PARITY.B           16
   FORM               14
   ANTICMOS/D3        8
   EXEBUG             7
   RIPPER             7
   ANTIEXE            6
   MANZON 1400        6
   JUNKIE             3
   KAMPANA            3
   PETER II           3
   SAMPO              3
   TELEFONICA         3
   BEIJING            2
   DIR.BYWAY          2
   SHEHAS             2
   TENTACLE           2
   UNASHAMED          2
   VSIGN              2
   ANGELINA           1
   BOOT.451           1
   FLOSS              1
   FRODO.4096         1
   GNU                1
   JUMPER             1
   MTE                1
   NATAS              1
   NOINT              1
   SF2                1
   SPANISH            1
   TAIPAN             1
   TROJECTOR          1
   WORD MACRO.DMV     1
   WONKA              1

These figures are only for the UK.  They do not include data from our 
offices in the USA, Germany, or our distributors worldwide.

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Wed, 03 Apr 1996 19:02:57 +0000 (GMT)
From: Pat A Brown <nitebee@ix.netcom.com>
Subject: Re: McAfee Dishonesty
X-Digest: Volume 9 : Issue 46

I had McAfee also.  Problems, problems & more.  I went to another product 
and requested a refund from McAfee for my two years registration, and got 
it.

------------------------------

Date: Fri, 05 Apr 1996 06:14:02 +0000 (GMT)
From: James <bluefire@earthlink.net>
Subject: EZ!_Not_a_Virus
X-Digest: Volume 9 : Issue 46

Is anyone aware of a virus by this name and if so, what does it do?

Thanks

------------------------------

Date: Fri, 05 Apr 1996 08:31:20 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Macro viruses
X-Digest: Volume 9 : Issue 46

"A.Appleyard" <A.APPLEYARD@fs2.mt.umist.ac.uk> writes:

>As a recent message said that the 2nd most common virus was
>WinWord.Concept, PLEASE!!!! what is the state of progress of getting (each
>of the commonly used antivirals) able to adequately safely detect and
>remove macro viruses?
>
>  In particular, what is the progress with McAfee Scan and with Vet?

[Answering for the "McAfee Scan" part.]

We just released 2.2.11.  It is now complete with detection and removal.
The removal not only invalidates the virus but also completely wipes out
the viral macro bodies so you won't have any problems with any other
antivirus products.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Fri, 05 Apr 1996 08:40:13 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: NCSA certified products
X-Digest: Volume 9 : Issue 46

Al Kimel <akimel@awod.com> writes:

>For everyone's interest:
>
>The products that have now been certified by the NCSA are InocuLan,
>F-Prot Professional, IBM, and NAV.  I understand that a couple of others
>(e.g., McAfee and Dr. Solomon's are in the testing phase).
>
>The certification means (I think) that these products successfully
>caught 100% of the in-the-wild viruses and 90% of the NCSA zoo.
>
>For more, see:
>
>http://www.ncsa.com/avpdcert.html

I am pleased to announce that at this time, both McAfee and Dr. Solomon
did pass the certification.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Fri, 05 Apr 1996 22:33:36 +0000 (GMT)
From: Alex Ross <alexross@alex01.idiscover.co.uk>
Subject: Virus Writing? Why Do People Still Do it.
X-Digest: Volume 9 : Issue 46

Every month we are told: guard your system against computer
viruses!! 

My question is, who writes these and where do they come from?
Could replies be submitted to the newsgroup?

Alex.

------------------------------

Date: Fri, 05 Apr 1996 09:06:55 -0800 (PST)
From: Michael Schuyler <michael@linknet.kitsap.lib.wa.us>
Subject: Re: Is MEANING.EXE a Trojan horse?
X-Digest: Volume 9 : Issue 46

Regarding the "meaning.exe" file being distributed. It is a harmless 
Windows program. A box appears in Windows that says "Click here for the 
meaning of life". When you try to click on it, the box moves. There's an 
Exit button, and all is well. 

------------------------------

Date: Thu, 04 Apr 1996 22:17:45 -0500 (EST)
From: Pete Radatti <radatti@cyber.com>
Subject: Unix Virus Scanning Software? (UNIX)
X-Digest: Volume 9 : Issue 46

In VIRUS-L Digest  Saturday, 6 Apr 1996    Volume 9 : Issue 42, Charles
Henrich <henrich@crh.cl.msu.edu> wrote:

> I've been scouring the net for the last hour or so and have yet to come
> across any mention of scanning software for unix systems.  Does such a
> beast exist?

And

Tom KC Basham <thunk@cris.com> wrote:

> I'm doing some work with an FTP site and we'd like the ability to scan
> uploaded files on the server. (most of the uploaded files will be from the
> PC world). Could anyone provide any leads on commercial/shareware/whatever
> utilities?

Yes,  The following are known to me:
      VFind from CyberSoft (my company - on the market since 1991)
      Fortress from Los Altos Technology (been around a few years)
      Dr Solomon's AV for Unix (new in 1996)
      Micro Trend Devices (just announced)
      McAfee (just announced)

I can only speak to the quality of the product that my company makes. I
don't know if the Micro Trend Devices or McAfee products exist yet but
they have both made announcements.  If you want to know more feel free
to email me at radatti@cyber.com  or you can check our web site which
is still under construction URL:\\www.cyber.com

Pete Radatti

------------------------------

Date: Fri, 05 Apr 1996 15:02:13 +0000 (GMT)
From: Glenn Painter <madmin@redstone.army.mil>
Subject: McAfee for NT (NT)
X-Digest: Volume 9 : Issue 46

We have 4 Windows NT Servers (3.51 with service pack 4) 
running Microsoft Mail version 3.2 with patches.  

During a recent outbreak of the 'concept' virus, I was told
that the McAfee version for Windows 95 would run ok on the
NT Server(s).

Has anyone done this and how did it work?  Any ideas or help
would be appreciated.

Email would be best, since I don't have a chance to check
the newsgroups as much as I would like.

Thanks in advance...

<gep>

------------------------------

Date: Fri, 05 Apr 1996 17:19:17 -0500
From: Ben Danielson <bendan@asu.edu>
Subject: MacroWord helper apps... (MAC,WIN)
X-Digest: Volume 9 : Issue 46

I have noticed that there are a ton of WordMacro fixit programs out there.
I have used Microsoft's, McAfee's, and even edited the normal.dot to
disable all automacros, to name a few.  I have noticed something that has
not been discussed here recently. If you use a program that disables the
automacros, you cannot use the wizards that are a part of the Word
program.  This may not matter to most users, but I happen to work at a
university where people need Word's wizards for training purposes.  I know
that this discussion is for virus related issues, but I would like to just
remind AV developers that making a program virus proof and disabling an
important part of the program is not a viable solution. I downloaded
Command's newest WordMacro fixit and noticed that the Wizards would not
run.  Another tidbit, if you delete an infected normal.dot, Word will
create a new one that is clean.  This will not help if you have infected
.doc or .dot files, but if your scanner tells you the normal.dot is
infected and nothing else, just delete the thing and any new documents you
make will be clean.  Obviously this is not the best method of protection,
but it does the trick if you need a simple solution.

Ben Danielson
Information Technology
Arizona State University West

------------------------------

Date: Wed, 03 Apr 1996 03:14:12 -0800
From: Aidas Antanaitis <aidasa@ktl.mii.lt>
Subject: F-Prot for Win 95 evaluation version (WIN95)
X-Digest: Volume 9 : Issue 46

Does anybody know where it is possible to download an evaluation version 
of F-Prot for Win 95? I've looked everywhere but cannot find one. There 
is one place in Sweden where the file is divided into two, but you must 
have authorized access to download.   Thanks

------------------------------

Date: Wed, 03 Apr 1996 04:33:58 +0000 (GMT)
From: Jacqueline & David Brankley <jdbranks@oxford.net>
Subject: Re: AntiEXE triggers McAfee problems? (WIN95)
X-Digest: Volume 9 : Issue 46

The same thing happened to me with McAfee. Same virus, same problem.
Sometimes I would see the message: Divide by zero   when I tried to
access the floppy.  Now I have a computer that has a damaged hard
drive! Be careful!!  Get Norton Antivirus!

------------------------------

Date: Wed, 03 Apr 1996 07:48:08 -0700
From: William A Wenrich <wawenri@sandia.gov>
Subject: Re: McAfee 2.0 for Win95 "feature" (WIN95)
X-Digest: Volume 9 : Issue 46

Zack Jones wrote:
 
> The only odd behavior I've observed and I don't know if this is caused
> by McAfee or something else, but every time I shut down the computer it
> tries to read the A Drive for a few seconds before I get the "It's
> safe to turn off your computer screen".
> 
> Have you or anyone else observed this?

I get the same "feature" on Norton.  I believe it's part of the close of 
the TSR scanner.  It doesn't seem to cause any problems and directing 
attention to the A: drive during the shutdown sequence has helped me 
remember to remove diskettes.

------------------------------

Date: Fri, 05 Apr 1996 01:14:55 -0500
From: Janis Decker-Frisk <jfrisk@norden1.com>
Subject: Calling All Experts? Help! (WIN95)
X-Digest: Volume 9 : Issue 46

I am running Windows95, I have Dr. Solomon's Toolkit for Win95 V7.55 and 
a current version of PC-cillin loading on start up and running in the 
background. I have IBM Anti-Virus v2.4.1 set to scan the same time every 
day. All anti-virus tools were installed properly.  My CMOS is set to 
not allow floppy boots and I scan all files I download or I insert into 
my drives. I am very diligent, a year ago I had Anti-EXE on my system, 
and I learned an expensive lesson. Now the problem, twice when I was 
changing my color from 24 bit to 256 colors, I have encountered a 
bizarre graphic. When I change the color settings the system needs to 
reboot, after it starts back up the screen freezes for a moment, and on 
it is a graphic that consists of small multi colored boxes with 
characters in them, the most predominant one is a "smiley face." What 
concerns me is that I am quite sure I have seen an identical graphic on 
a web page that had virus screen shots. The only other strange thing 
going on with my computer is that there is a file that I cannot delete, 
I have tried deleting it in DOS, in Windows, using Uninstaller, I have 
tried renaming it, and changing the attributes, but I always get a 
message "access denied." Also, just recently I noticed that all .exe 
files I download off the Internet are corrupt. So, I had the line 
checked, bought a new modem, and checked with my ISP, but still I have 
this problem. I realize that these problems could be totally unrelated 
to the graphic, but I am giving you all the dirt on my computer. I have 
not received any indication from any one of the scanners that I have a 
virus on my system. Any assistance would be greatly appreciated, I set up 
people's systems for Internet access and I would hate to think I was 
infecting anyone's system. Please respond to me personally through my 
e-mail as well as posting on Virus-L, if you have any suggestions.

Janis Frisk
- - 
e-mail: jfrisk@norden1.com
http://norden1.com/~jfrisk/index.html

"If liberty means anything at all it means the right to
tell people what they do not want to hear." - George Orwell

------------------------------

Date: Fri, 05 Apr 1996 07:58:58 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: McAfee95 reports McWhale (WIN95)
X-Digest: Volume 9 : Issue 46

mezzano@bccom.com writes:

>After I started loading McAfee Win95 virus program to upper memory, I
>get a message from vshield saying that the McWhale virus may be
>present or a trace from another operation.
>
>I booted with a known clean disk and scanned all the hard drives, but
>everything comes up clean.
>
>Anyone know anything about this.

The Scan95 team informs me that this situation (the use of upper memory
having the possibility of causing these scenarios) is documented in the
readme.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Fri, 05 Apr 1996 08:04:54 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: What detects BOZA virus? (WIN95)
X-Digest: Volume 9 : Issue 46

Christopher Jones <cjones@dsddi.eds.com> writes:

>news@dub-news-svc-5.compuserve.com wrote:
>> Which virus scanner can find this virus and can remove it ?
>
>Norton Anti-Virus 95 can detect this virus and remove it.

This is one of those "interesting" situations in the AV world.
If you could have a copy of the virus, you might be able to "detect
this virus and remove it."  But considering that the version of the
virus that was released doesn't work, there essentially is no virus
to detect.

This one is "hoopla gone awry."

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Fri, 05 Apr 1996 08:36:31 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: McAfee 2.0 for Win95 "feature" (WIN95)
X-Digest: Volume 9 : Issue 46

Doorblower <doorblower@aol.com> writes:

>I accidentally copied the new virus dat files for the month for the dos
>version into the folder for McAfee for Win95 and that really messed things
>up because I am running V-Shield.
>I believe they had the same file name so I thought...
>I was wrong.

Please describe your problem.  The DAT files are supposed to work for
the whole line of AV products, unless specifically noted.

The only note of incompatibility relates to VShield for DOS, where you
need at least the 2.2.8 version.  All other versions of the product 
should be able to use the current DAT files, including NetShield NLM, 
Scan/VShield95, NetShield/VirusScan NT, the Win3.1 versions, the DOS 
versions, as well as the Linux/Solaris versions.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Fri, 05 Apr 1996 08:38:52 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: NAV says Stealth_Boot in memory (WIN95)
X-Digest: Volume 9 : Issue 46

Decius <bhill@usa.pipeline.com> writes:

>I have Norton Antivirus Scanner for Windows 95.  When I run it to search
>for viruses in memory it displays a message, "The virus Stealth_Boot.B was
>found.  Shutting down computer."  But when I run it to search everything
>but the memory, including the master boot file it finds no viruses.  I
>would very much like to eradicate this virus from my system but am having
>difficulties.  Any suggestions would be greatly appreciated. 

Please read the documentation that comes with the product.  Read about
stealth viruses.

Note that it says to boot from a clean DOS diskette.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Fri, 05 Apr 1996 10:35:51 +0000 (GMT)
From: eric Tanguy <tanguy@lcr.thomson.fr>
Subject: Scan 95 (WIN95)
X-Digest: Volume 9 : Issue 46

After installing McAfee Virus Scan 95, when I try to open a file by
double-clicking on it I have a Word Basic error message. Scan 95 is an
English version and Word 7 is a French version. How to resolve this
problem?

Thanks

------------------------------

Date: Tue, 02 Apr 1996 16:33:40 -0500
From: Henrik Risuang <cyberbob@pipeline.com>
Subject: Unable to open dynalink and EMM386 has detected error... (WIN)
X-Digest: Volume 9 : Issue 46

I read the previous postings about "unable to open dynalink", and I think
you are right when you refer to them as a virus, or at least some kind of
bug. 

My company recently bought a number of IBM 760 thinkpads with Dos 7.0 and
WFW3.11, and we have had a lot of trouble getting them to work. The
dynalink message whenever we try to open e.g. MS Words 6.0 and more and
more frequently "EMM386  has detected error at memory address so and so,
restart etc." 

Furthermore memory enhancing programs like ramboost seemed to give less
and less memory rather than the opposite. When we install ABC flowcharter,
suddenly Powerpoint cannot start, but throws you directly into DOS. 

We thought all this was just setup and memory tuning problems until I had
the same problems the other day - on my home machine, and another laptop,
which has never been connected to our network and which had no SW
installed for ages. Only link is diskettes with ms-word and excel files.

We recently had a ms-word virus on the network (brought home from
Hong Kong) which Dr. Solomon takes care of as we open infected files. 

But the other problem is out of Dr. Solomon's reach, even with the newest
(about one week) old update. 

Any advice highly appreciated!! 

Thanks 

Henrik Risvang 
cyberbob@pipeline.com 
London

------------------------------

Date: Wed, 03 Apr 1996 12:23:51 +0000
From: Mike Taylor <taylorm@it.postoffice.co.uk>
Subject: Re: Dr Solomon - Questions (WIN)
X-Digest: Volume 9 : Issue 46

The Toad wrote:

> I would like to buy Dr Solomon's Anti-Virus Toolkit for Windows 3.x.
> From the reviews, it sounds like the best of the pack, at least from
> my perspective.  (For example, see the March/April 1996 Infosecurity
> News.)
> 
> But, for some reason that I can't readily fathom, I can't find answers
> to the following questions:
> 
> 1. HOW DO I BUY IT?
[snip]
> 2. HOW DO I GET UPDATES?
[snip]

To start with, I think you are making a good choice. We are Dr Solomon's 
users, and have found the product and their support to be good.

To get information about their products, the company and distributors, 
have a look on http://www.sands.com/company

Happy hunting,

Mike Taylor
mtaylor@bcs.org.uk --- --- taylorm@it.postoffice.co.uk
Amber Seam Ltd.  ( PC, Unix, Anti-virus & Security Consultancy )
TEL:44(0)1246-214595 POSTLINE:5415 4595
Visit my homepage at : http://www.geocities.com/Paris/2203

------------------------------

Date: Tue, 02 Apr 1996 16:44:29 +0000
From: "Denis Parslow (Almo Distributing)" <dgp@world.std.com>
Subject: Re: Bad CPU (was re: Wordperfect 6.1 Virus? (PC))
X-Digest: Volume 9 : Issue 46

From: Kenneth Albanowski <kjahds@kjahds.com>

>On Fri, 15 Mar 1996, DarStec wrote:
>
>> One other possibility which I have run across several times - a bad CPU. 
>> It can play havoc with the HD controller card.  Sometimes this is hard to
>> track down because if the problem is intermittent then everything works
>> until the CPU acts up and if it acts up the test software shuts down and
>> can't tell you.  Substitution seems to be the only way to track this one
>> down.
>
>An excellent point, and one I can confirm with very recent experience (if
>slightly apocryphal: it was related to me that the CPU was damaged, and
>with a different CPU everything worked properly): a damaged 486 CPU, of
>which the only immediate sign was that the floppy drive didn't work quite
>right. Some floppy disks would boot, some wouldn't. F-prot (as a handy

A mildly off topic response...yesterday, I saw a system whose serial 
ports didn't work.  Why?  Bent pin on the CPU.  Repaired the pin, and 
the problems were solved.

Denis Parslow
Engineering Mgr
Almo Distributing, Trademark Computers
dgp@world.std.com
http://www.almo.com
http://world.std.com/~dgp/

------------------------------

Date: Tue, 02 Apr 1996 15:07:28
From: Brian Clark <tenor@news-e2c.gnn.com>
Subject: Need Help Removing Stealth_C Virus (PC)
X-Digest: Volume 9 : Issue 46

A soon to be ex-student has been downloading infected "porno" pictures off 
the net and contracted this virus. It has spread through the school. 
Fortunately, McAfee Scan was able to clean the virus from all but one 
machine...my favorite Windows NT 3.51 workstation. According to Scan 95,
the boot record cannot be cleaned and I must report to McAfee for removal 
instructions. Do I need to wipe out the hard disk and "volunteer" the
student to re-install NT (on 3 1/2s!)? Any information would be great!

Brian Clark
tenor@gnn.com

------------------------------

Date: Wed, 03 Apr 1996 07:49:15 +0300
From: Teodosiu Iulian <u9512279@runner.sorosis.ro>
Subject: Re: scn-22ce.zip McAfee VirusScan for DOS, SCAN.EXE (PC)
X-Digest: Volume 9 : Issue 46

What is the date of this  scan?

On 31 Mar 1996, Timo Salmi wrote:

> Date: 31 MAR 1996 16:09:46 -0000 
> From: Timo Salmi <ts@UWasa.Fi>
> Newgroups: comp.virus
> Subject: scn-22ce.zip McAfee VirusScan for DOS, SCAN.EXE 
> 
> Fri 22-Mar-96: Acquired to our archives
> 
>  435746 Mar 19 02:11 ftp://garbo.uwasa.fi/pc/virus/scn-22ce.zip
>  scn-22ce.zip McAfee VirusScan for DOS, SCAN.EXE
> 
>  444425 Mar 19 02:11 ftp://garbo.uwasa.fi/pc/virus/vsh-22ce.zip
>  vsh-22ce.zip McAfee antivirus TSR, VSHIELD.EXE

[Moderator's note:  I think you will find it is 19 March if you carefully
read the information Timo posted.]

------------------------------

Date: Wed, 03 Apr 1996 09:49:49 +0000 (GMT)
From: chewwe <chewwe@pacific.net.sg>
Subject: Help. My Hardisk is wipped out.on Aprils' Fools Day (PC)
X-Digest: Volume 9 : Issue 46

Hello, this is NOT an April Fools' joke.

I am running a Pentium 100 MHz with 2 hard disk drives and 32 MB RAM.

On 1 April 96 at 1.00 am in the morning, I deleted a file on 2nd drive D:
and suddenly the whole system hung. But the drive was still running. After 
that a message displayed that "information not writing, data may be lost".

After I restarted, I could not access D:.  I ran scandisk and was told that FAT 
has problems and lost files were found. So I had FAT repaired and lost 
files recovered.  By then the entire drive is now empty and all files are lost.

Now my PC does not even recognise the presence of the 2nd hard disk.

I had just run Norton AntiVirus W95 two days before 1 April.

Can some kind soul tell me if it is an April Fools virus or drive failure?
BTW the drive is only 7 weeks old. It's a Maxtor 1.6GB

thanks from chewwe@pacific.net.sg

------------------------------

Date: Wed, 03 Apr 1996 12:29:32 +0000
From: Mike Taylor <taylorm@it.postoffice.co.uk>
Subject: Re: Bones Virus (PC)
X-Digest: Volume 9 : Issue 46

Charlie Hill wrote:

> F-Prot Ver 2.21 reported that there was a MBR virus named Bones on a
> floppy disk of mine.  F-Prot and the program VSUM has no information
> about this virus.  Would appreciate any information that can be provided.

Information from S&S Virus Encyclopaedia:

"BONES is not in the field, but it could be in the future. 
It is quite infectious, and results in trivial damage (3 minutes repair 
time). Boot and/or partition sectors can be infected.
The virus has a memory-resident infection system. It has minimum stealth 
capability. Some messages in the virus are encrypted. The virus displays 
a message."

Not very helpful, but as I have not seen this one yet I cannot comment 
further. Hope this is useful,
- - 

Mike Taylor
mtaylor@bcs.org.uk --- --- taylorm@it.postoffice.co.uk
Amber Seam Ltd.  ( PC, Unix, Anti-virus & Security Consultancy )
TEL:44(0)1246-214595 POSTLINE:5415 4595
Visit my homepage at : http://www.geocities.com/Paris/2203

------------------------------

Date: Wed, 03 Apr 1996 12:40:32 +0000
From: Mike Taylor <taylorm@it.postoffice.co.uk>
Subject: Re: Virus scanners and web browsers? (PC)
X-Digest: Volume 9 : Issue 46

Howard Price wrote:

> I had PCTools for Windows2's virus scanner running as a tsr in dos and
> in the startup in win3.11; but when using Netscape 1.1, it would pause
> for 20secs each minute, which I eventually eliminated by not loading
> the virus scanner.  I assume the scanner kept trying to scan all the
> new info being brought in through Netscape.
> 
> Is this correct?  Do other or all virus scanners do this?  How to
> avoid it, yet have a resident scanner and c: drive protector running?

Netscape creates files in its cache directory whilst you are browsing 
the web, so that if you go back to a page it doesn't have to reload it 
from source. It may be that your TSR scanner is attempting to check each 
one of these files as it is created. (As I write I have over 400 files 
created in the cache directory.)

If your scanner has the facility to exclude directories then you could 
exclude the cache directory specifically, or you could exclude files of 
type htm, gif etc. (all the types normally found in the Netscape cache).

I use S&S Dr Solomons AV Toolkit at work, and we have no problems using 
netscape and the TSR. It may be that the PC Tools scanner (and I have no 
knowledge of it, I may add) is not the latest version, or not as 
efficient as some others. Check http://www.sands.com for Dr Solomons 
information, or check my homepage for other AV companies that will 
probably have programs that cause no problems.

Mike Taylor
mtaylor@bcs.org.uk --- --- taylorm@it.postoffice.co.uk
Amber Seam Ltd.  ( PC, Unix, Anti-virus & Security Consultancy )
TEL:44(0)1246-214595 POSTLINE:5415 4595
Visit my homepage at : http://www.geocities.com/Paris/2203

------------------------------

Date: Wed, 03 Apr 1996 12:46:11 +0000
From: Mike Taylor <taylorm@it.postoffice.co.uk>
Subject: Re: NRLG Virus (PC)
X-Digest: Volume 9 : Issue 46

Joe Patterson wrote:

> Does anyone have information on the NRLG virus?  McAfee and F-Prot both
> detect this virus, but neither can remove it.  I have tried replacing the
> MBR and sysing the drives, and this works on about 1/2 of the infected
> machine.  Any info would be appreciated.

Dr Solomons AV Toolkit can repair this virus. You can download an 
evaluation version of DOS FindVirus from http://www.sands.com.

Hope your dad doesn't read this newsgroup :-)

Mike Taylor
mtaylor@bcs.org.uk --- --- taylorm@it.postoffice.co.uk
Amber Seam Ltd.  ( PC, Unix, Anti-virus & Security Consultancy )
TEL:44(0)1246-214595 POSTLINE:5415 4595
Visit my homepage at : http://www.geocities.com/Paris/2203

------------------------------

Date: Wed, 03 Apr 1996 14:55:29 +0200
From: Luis Mariano Garcia Corral <luism@recoletos.es>
Subject: Ripper interrupt handling (PC)
X-Digest: Volume 9 : Issue 46

Does anyone know why Interrupt Hooks are not visible while Ripper is
active in memory?

Thanks
griyo@recoletos.es

------------------------------

Date: Wed, 03 Apr 1996 12:52:43 +0000
From: Mike Taylor <taylorm@it.postoffice.co.uk>
Subject: Re: Command line scanners with "quiet" mode? (PC)
X-Digest: Volume 9 : Issue 46

kmahesh@CENTRALHOUSE.COM wrote:

> I am looking for information on virus scanners which can run from the
> command line in the silent mode without generating output to screen.
> I think F-PROT Professional may be one - would someone please have
> some idea on other scanners ?

FindVirus from Dr Solomons has a /SILENT option that suppresses screen 
output.

- - 

Mike Taylor
mtaylor@bcs.org.uk --- --- taylorm@it.postoffice.co.uk
Amber Seam Ltd.  ( PC, Unix, Anti-virus & Security Consultancy )
TEL:44(0)1246-214595 POSTLINE:5415 4595
Visit my homepage at : http://www.geocities.com/Paris/2203

------------------------------

Date: Wed, 03 Apr 1996 15:47 +0000
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Wanted TSR checks A: as used (PC)
X-Digest: Volume 9 : Issue 46

In-Reply-To: <01I30DCRYH72S5UZJP@csc.canterbury.ac.nz>
Garry S <GarryS@win.tec.mn.us> writes:

> Our site has licenses for Mcafee and F-prot.  Unfortunately I
> have gotten several viruses onto our LAN because it does Not TEST
> as it READS diskettes in A:.  Does anyone know of a TSR that
> does?

Most anti-virus TSRs will check the boot sector of a floppy diskette when 
it is accessed.  This helps warn you of boot sector viruses.  They should 
also check files as they are copied from the floppy (or indeed executed).

Which viruses are infecting your LAN?  I would be surprised if F-Prot and 
McAfee's TSR were not checking the boot sector.

Of course, anti-virus TSRs vary in their quality of detection.  Some 
choose to only try and detect those viruses which are "in the wild", and 
others attempt to detect far more viruses.  The Virus Research Unit at 
the University of Tampere conducted a review of anti-virus TSRs.  It can 
be found on the web at http://www.uta.fi/laitokset/virus/  or 
alternatively check out some of the independent comparative reviews at 
http://www.drsolomon.com/avtk/reviews

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Wed, 03 Apr 1996 07:39:58 -0600
From: "Richard M. Potocki" <potock@cig.mot.com>
Subject: pkunzip virus? or pc-perl virus? (PC)
X-Digest: Volume 9 : Issue 46

Hello.  Hope you can help clarify an incident that has come to my
attention from one of our network users.  The correspondence written to
me was:

I've been doing some follow-up work on a suspected virus.  I reported
earlier that no viruses had been found after scanning two floppies: one
floppy with the perl.zip file and the other floppy with the unzipped perl
files.  I used an office PC running Windows 3.1 in our area to scan for
infection(s).  Well, hold on to your hats, folks....

I brought the two floppies, perl4036.zip and the other unzipped perl.exe +
perlglob.exe, home with me so I could run them through the latest and
greatest McAfee VirusScan95.  The diskette containing the University of
Florida supplied perl4036.zip checked out clean with McAfee95.  The
diskette with the unzipped perl.exe + perlglob.exe was reported to be
infected with the "Trojector.1561" virus in the perlglob.exe file.

By this time I was thinking, "Oh great, there really is a virus."  I did
the McAfee95 scan on my perl directories on my Pentium and 486-33.  Taking
the VirusScan one step further and scanning the whole 1 Gbyte HD showed
there was no virus found on any file in any directory on either of my
machines.  Even perlglob.exe checked out just fine on both machines. 
"Hmmmm, now what's different?"

The difference between having the virus or not having it seems to depend
on which PC you do your pkunzipping.  On Monday morning I had used my
office PC to pkunzip the perl4036.zip file to another empty diskette. 
This was the diskette that McAfee reported that perlglob.exe was now
infected with the Trojector virus.  No other diskette was infected but
this one.

I used my home machines with my own pkunzip to uncompress the original
perl4036.zip file.  The result was a normal unzipping process and McAfee
scans showed that the uncompressed files were not infected with any virus
whatever.  So the difference right now appears to be which machine you use
to unzip your files.  I'd hold the office PC's pkunzip files suspect for
the time being.  FTP and other PC functions on that machine appear to be
working fine but so did pkunzip, didn't it?

In summary, the University of Florida perl4036.zip file is clean.  The
resulting uncompressed perl.exe + perlglob.exe files are clean as long as
they are not unzipped on the office PC.

In the next day or so, time permitting, I plan to use the office PC to
run the VirusScan95 scanner to see if any viruses turn up again.

The file sizes I found for PC-PERL files are:
	perl.exe	307198
	perlglob.exe	  6043 (clean)
	perlglob.exe	  7604 (infected)

First of all, I have seen reference to a Trojector.1463 virus, but not a
Trojector.1561.  Is this something new, or is it just another member of the
Trojector viruses?

Second, what does the Trojector virus do besides replicate and attach
itself to binaries?

Third, and last, has anyone else come across this problem with pkunzip or
the pc version of perl?

Thank you,
Rick

------------------------------

Date: Wed, 03 Apr 1996 13:35:51 -0500
From: Mike Michalowicz <ici@planet.net>
Subject: Re: Wanted TSR checks A: as used (PC)
X-Digest: Volume 9 : Issue 46

Garry S wrote:

> Our site has licenses for Mcafee and F-prot.  Unfortunately I have gotten
> several viruses onto our LAN because it does Not TEST as it READS diskettes
> in A:.  Does anyone know of a TSR that does?

McAfee does have a product that does that exactly.  It is called 
Vshield.  You possibly are only using the Viruscan product right now.  
The McAfee TSR will sit in memory and scan any access (read/write).  
There are many ways to configure it for optimum speed/accuracy, and I'm 
confident that Vshield will suit your needs.  I'm confident F-Prot, 
Intel, NAV all have some form of a TSR that does that. 

Regards,
Mike Michalowicz
Inter-Com, Inc
469 Route 46 West
Kenvil, NJ 07847
P (201)252-1100
F (201)252-9119
E ici@planet.net

------------------------------

Date: Wed, 03 Apr 1996 13:45:40 -0500
From: Mike Michalowicz <ici@planet.net>
Subject: Re: McAfee Vshield 2.9 and windows (PC)
X-Digest: Volume 9 : Issue 46

Maxine Sheinin wrote:

> We installed McAfee Vshield 2.9 on a Novell Network.  Did the vshield and
> swap option before network connect and a vshield reconnect after.  Then
> loaded windows 3.11 (not workgroups enabled).  Many of the workstations
> started getting emm386 (#06) errors...reminds me of the black screen of
> death.  Does anyone have any similar conditions or any suggestions on what
> the problem might be?  We are checking with McAfee but your support would
> probably be quicker than theirs...

To me it sounds like a possible TSR conflict or invalid use of 
upper/extended memory.  First thing that I would try is to run vshield 
in conventional memory (I can't remember what the switch is, just type 
VSHIELD /? to get the right switch).  If that works without conflict, 
you'll have to play around with the EMM386 settings and the LH of TSRs.

If that doesn't work, I would try booting with as few TSRs loading as 
possible and do deductive reasoning/testing until you find a conflicting 
TSR.

Best of Luck,
Mike Michalowicz
Inter-Com, Inc.
469 Route 46 West
Kenvil, NJ  07847
P (201)252-1100
F (201)252-9119
E ici@planet.net

------------------------------

Date: Wed, 03 Apr 1996 13:25:57 -0500
From: Mike Michalowicz <ici@planet.net>
Subject: Re: Config of McAffee (PC)
X-Digest: Volume 9 : Issue 46

Rosolowski, Tyler - FMS Auck wrote:

> In Digest: Volume 9 : Issue 38 Buster Maddog <buster@newnorth.net> wrote:
> 
> > I would like some help with my McAffee scanner, is there a way to limit
> > the primary scan on powerup to once a week, and would i want to
> 
> If you are using the DOS based SCAN then it's
> 
> SCAN /FREQUENCY <n>       Do not scan [n] hours after the previous scan.
> 
> eg
> 
> SCAN /FREQUENCY 168

The frequency of a once a week scan seems a little too infrequent for me. 
Of course, scan frequency is entirely contingent upon how much activity 
that PC gets (especially downloads and floppies swapping in/out).  My 
recommendation would be to scan once a day.  The switch that is best to 
use with McAfee (v229 or greater) is /FREQUENCY DAILY as opposed to 
/FREQUENCY 24.

Best of Luck,
Mike Michalowicz
Inter-Com, Inc.
469 Route 46 West
Kenvil, NJ  07847
P (201)252-1100
F (201)252-9119
E ici@planet.net

------------------------------

Date: Wed, 03 Apr 1996 12:36:15 -0800
From: Lieven Dhaenens <LLDHAE@ccmail.monsanto.com>
Subject: Re: McAfee Vshield 2.9 and windows (PC)
X-Digest: Volume 9 : Issue 46

Maxine Sheinin wrote:

> We installed McAfee Vshield 2.9 on a Novell Network.  Did the vshield and
> swap option before network connect and a vshield reconnect after.  Then
> loaded windows 3.11 (not workgroups enabled).  Many of the workstations
> started getting emm386 (#06) errors...reminds me of the black screen of
> death.  Does anyone have any similar conditions or any suggestions on what
> the problem might be?  We are checking with McAfee but your support would
> probably be quicker than theirs...
> 
> Thanks for any assistance, Maxine Sheinin

We use a Netbios network but experienced the same problems after the 
installation, mainly with portables.  We also went back to McAfee but 
didn't hear from them yet.

Perhaps wait until 2.30 comes out ???

- - 
****************************************************************
* Lieven Dhaenens - MIS Department, Monsanto Gent              *
* LLDHAE@MONSANTO.COM                                          *
* Opinions expressed are my own and do not necessarily reflect *
* the company's opinions                                       *

------------------------------

Date: Wed, 03 Apr 1996 20:51:03 +0000 (GMT)
From: Andrea Nagar <nagar@sinet.it>
Subject: Virus BYE (PC)
X-Digest: Volume 9 : Issue 46

Can someone give me some technical information about the BYE virus?
What does it infect? What does it do? Is it dangerous? Thanx.

Andrea Nagar (nagar@sinet.it)

------------------------------

Date: Thu, 04 Apr 1996 00:57:50 +0100
From: Mats Larsson <mats.larsson@eductus.pp.se>
Subject: Re: Microsoft Anti-virus memory problems (PC)
X-Digest: Volume 9 : Issue 46

Brian Toone wrote:

> I have a 486/66 with 20 megs of RAM.  When I attempt to detect or clean
> viruses using Microsoft Anti-Virus, I get a not enough memory message.  I
> have no other applications running when this problem occurs.  Does anyone
> know what might be causing this problem?

It is not a virus.

MSWAV needs a lot of conventional memory to perform,
and refuses to scan if it is too low.

In my computer it is impossible to run mswav if I use more
than 16 colors. The graphics driver seems to take much of
the conventional memory - there is not enough left for
MS Antivirus.

Try to reduce the number of colors and try again!

Mats Larsson, Husqvarna, Sweden.

------------------------------

Date: Wed, 03 Apr 1996 20:01:43 -0800
From: Linda Sabella <ls@ns.net>
Subject: Re: Directory problem (PC)
X-Digest: Volume 9 : Issue 46

I had the same problem on a machine at work once.  The linked directory 
was named XATAX (same backward as forward).  I don't know how it got 
there, but SCANDISK removed it.

- ---------------------------------------------------------------
Linda Sabella      ---   http://www.ns.net/~ls/
     ls@ns.net

------------------------------

Date: Thu, 04 Apr 1996 05:29:16 +0000 (GMT)
From: "David Stephen Bognaski, Jr" <dsb2u@virginia.edu>
Subject: Virus Affecting .EXE Copying? (PC)
X-Digest: Volume 9 : Issue 46

Purchased a new(er) computer recently, 486 machine, etc.
I have had no problems booting up my computer or accessing
programs which were installed previously by the former owner.
I am trying to add a few new programs onto the hard drive from
floppies and I am unable to transfer any of the .EXE files over
to my hard drive.

I performed SCANDISK on each of them, ran F-Prot/McAfees (sp)
on each of the disks in question, and tried (successfully) to
install the software on another machine I have access to...

This smells like a virus of some sort to me, but I am not sure
how to go about installing a Virus protocol on my "infected"
machine as it does not read any .EXE's from a: or allow me to
copy them onto my hard drive.  Do I need to create a boot disk
(config.sys/autoexec.bat) with my chosen anti-virus software on
it in order to successfully disinfect this machine?

Suggestions on solutions for this problem, with gobs of patience
to a novice at the virus game, would be greatly appreciated.

Steve Bognaski
(This space for rent)
E-mail: Bogs@virginia.edu

------------------------------

Date: Thu, 04 Apr 1996 06:18:35 +0000 (GMT)
From: Christopher Snell <bpanther@jhu.edu>
Subject: Re: Wanted TSR checks A: as used (PC)
X-Digest: Volume 9 : Issue 46

Garry S <GarryS@win.tec.mn.us> wrote:

>Our site has licenses for Mcafee and F-prot.  Unfortunately I have gotten 
>several viruses onto our LAN because it does Not TEST as it READS diskettes 
>in A:.  Does anyone know of a TSR that does?

F-prot (even the shareware version) comes with a utility called
Virstop (VIRSTOP.EXE).  Install this as a device line in your
config.sys and it should take care of that problem.

Christopher Snell
bpanther@hops.cs.jhu.edu

------------------------------

Date: Thu, 04 Apr 1996 18:32:02 +0100
From: Goran Vojkovic <Goran.Vojkovic@altbbs.fido.hr>
Subject: Cow Creazy Virus (PC)
X-Digest: Volume 9 : Issue 46

A friend of mine found the "Cow creazy" virus on his PC. The new F-PROT can
recognize it, but it can't clean it, and SCAN doesn't even recognize that
virus.

The virus attacks all .com and .exe files, and the result of its work is that
after 10-15 minutes of work the PC tries to write to the floppy disc and then
the system stops responding.

Can anybody help with how to destroy it?

                                             G.
- -
: Fidonet:  Goran Vojkovic 2:381/100
: Internet: Goran.Vojkovic@altbbs.fido.hr
:
: Standard disclaimer: The views of this user are strictly his own.
: From: Alt::BBS  +385 21 320 444 (Split, Croatia)

------------------------------

Date: Thu, 04 Apr 1996 22:22:03 +0000 (GMT)
From: Troy Wolf <troy@chaos.connect-bbs.com>
Subject: Automatic disk checking from a batch file (PC)
X-Digest: Volume 9 : Issue 46

I want to be able to scan a file on a floppy from within a batch file.
If the disk is clean, then continue the batch file.  If one is found,
then I want to be able to branch to another part of the batch file,
halt, etc.  

Does Mcafee Viruscan return any DOS level error flags that I can
check, or does anyone recommend something?

In simplest terms, I need a tsr or small executable that will halt the
system if a virus is found on a disk.

Troy Wolf
Printing Inc
Wichita, KS

------------------------------

Date: Fri, 05 Apr 1996 00:47:44 +0000 (GMT)
From: Shane Coursen <scoursen@symantec.com>
Subject: Re: Uncl: Re:Modem snag: Virus or NAV? (PC)
X-Digest: Volume 9 : Issue 46

In article <0016.01I2V51VSHUQS24DPB@csc.canterbury.ac.nz>, 
RMORTON@TULSAJC.TULSA.CC.OK.US says...

>I would not throw out the fact that Norton's inoculation may be the
>problem.

One can never rule out the cause of a problem until one proves
(technically) they are not at fault.  

>
>We had a custom program that did usage for the college computer lab I work
>in, (things like how many students used computers for how long).  We had a
>student aid experiment with the Inoculation program one evening, and it
>totally trashed the program.  Took us almost a month to get the data
>re-entered
>
>    The inoculation program adds a bit to the program, and checks itself.
>I would imagine that if it was trashing these established programs, others
>would have written about it by now, but then again, I have been wrong
>before.

Your inoculation program works differently than the NAV inoculation.
NAV does not add/remove or modify the original executable.

- --
Shane Coursen                                        Symantec Corporation
Computer Virus Researcher                http://www.symantec.com/avcenter
AntiVirus Research Center                                 CIS:  GO SYMWIN
scoursen@symantec.com                                           GO SYMNEW
      US Support:  541-465-8420                            AOL:  SYMANTEC
European Support:  31-71-353-111       Australian Support:  61-2-879-6577

------------------------------

Date: Fri, 05 Apr 1996 05:12:12 +0000 (GMT)
From: Tsen Horn <scharny@ix.netcom.com>
Subject: Keys remapped, other problems--April Fools trojan? (PC)
X-Digest: Volume 9 : Issue 46

Please note that this is posted from a friend's account and CCs should
be sent to the above address.

I give up.
Being as I was incognizant of the date, I innocently booted my system
on that Day of Dupes...      April 1st.  And for all intents and
purposes I no longer have a computer.

These keys now produce the following results when used:

3-  `1234567890-=
e-  (two spaces)qwertyuiop[
f-  asdfghjkl;' (enter)
c-  |cvb<> (and activates capslock, scroll lock or both)

I've tried a clean boot as per the instructions in the FAQ but to no
avail.  However, the presence of SCSI drivers may have caused the
booting process to access my hard drive(?). (I'll make another attempt
without drivers when I am able and update all youz as to what
happens.)

I am (or rather would be) running a P90 w/A&C drives, a CDROM (all
SCSI interface), Flash BIOS, MSDOS 6.22 and 32megs of RAM. 

Below is my modified "clean configuration".

AUTOEXEC.BAT
- --------------------------
@ECHO OFF
PROMPT $P$G
rem SET TEMP=C:\DOS
REM SET MOUSE=C:\MOUSE
PATH A:\
rem LH C:\DOS\MSCDEX.EXE /D:MSCD001
rem LH C:\MOUSE\MOUSE.EXE /Q
rem LH C:\DOS\SMARTDRV.EXE /X
rem VER


CONFIG.SYS
- --------------------
DEVICE=A:\HIMEM.SYS
DEVICE=A:\EMM386.EXE NOEMS
DOS=HIGH,UMB
FILES=60
BUFFERS=40
STACKS=9,256
LASTDRIVE=Z
rem DEVICEHIGH=C:\DOS\SETVER.EXE
rem DEVICEHIGH=A:\DOSCAM.SYS
rem DEVICEHIGH=A:\ASPICAM.SYS
REM DEVICEHIGH=A:\CDROM.SYS /D:MSCD001

If you need more sufficient/relevant info, please let me know.
I would *greatly* appreciate the merest nudge in the right direction.
An outright solution would garner WORSHIPFUL REVERENCE.

Thank you for reading.

-svarek

------------------------------

Date: Fri, 05 Apr 1996 05:42:18 +0000 (GMT)
From: Cary Chien <carchien@wimsey.com>
Subject: Possible Virus?  DeskJet 500C prints happy faces (PC)
X-Digest: Volume 9 : Issue 46

I've got a 486 computer with a HP Deskjet 500C, and it's been giving me 
problems lately.  When I try to print anything, the printer takes up a
sheet of paper, prints out one line of tiny happy faces, then form feeds
to another page and does the same thing again.  Could there be something
wrong with the printer?  I thought it would be unlikely (because of the
nice string of happy faces).  I've tried a shareware virus program
(F-Prot, dated March 96).  Has anyone heard of a virus like this?  Your
reply would be much appreciated.

------------------------------

Date: Fri, 05 Apr 1996 05:50:58 +0000 (GMT)
From: SUZANNE FORTIN <aaa227@agora.ulaval.ca>
Subject: Urkel virus (PC)
X-Digest: Volume 9 : Issue 46

Okay, so I didn't rush to the library to find out about this virus. Please have
pity as I have an essay to write soon. 

I'm wondering if the Urkel virus is *really* dangerous. I'm also wondering
what's the best way to clean it out. 

It appeared just now as I opened my computer. Nothing *seems* to be
damaged. As I open my computer and the MS-DOS is booting up, a message
which says "Urkel" comes on the screen, then the MS-DOS message. I've
tried my out-dated 1993 Microsoft Anti-Virus check, and indeed, my
config.sys file has been modified, though I could not detect any changes. 

I am using an IBM PS1 F29 486SX with 170MB Memory and 4MB of Ram. I also
run MS Windows 3.1. 

Please help me ASAP as I am not very good dealing with complicated
computer matters. 

Thank You!

Suzanne Fortin

------------------------------

Date: Fri, 05 Apr 1996 08:23:12 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Winword/Scanprot/FProt questions (PC)
X-Digest: Volume 9 : Issue 46

"Charles M. Robinson" <charles.m.robinson@medtronic.com> writes:

>We've had a major spreading of the Winword/Concept virus here at work.  
>The latest version of FProt (2.21) finds .DOC files with this macro virus 
>just fine.
>
>The problem is this:  We've downloaded the "scanprot" file from Microsoft 
>which scans all .DOC files and "cleans" them of this macro virus.  Lo and 
>behold, the documents no longer affect the operation of Word.  This is good.

As you noted, the files are no longer infected.

But Microsoft is not in the AV business and does not fully understand
the complexities of what it takes to be a "good corporate citizen" in
the AV arena.  The situation here is a combination of what the AV
industry calls "incomplete" disinfection and ... (I'll let the FProt
people tell you their side of the story).

In order to be a good corporate citizen, not only do you do the job,
but you try to do the job in a way that also removes any conflicts with
other AV programs.

>What is BAD is, F-Prot still finds the string in the .DOC files and still 
>reports them as infected with the CONCEPT virus.  

Whatever Microsoft did, they did NOT remove the strings from the macros.
FProt is obviously still finding the viral strings.

>My guess is that we either need a newer version of F-Prot, or a newer 
>version of the "scanprot" macro from Microsoft.  Has anybody else run 
>into this problem?

As I represent a competing company, we have our own solution to this
malady.  We spent two extra months before finally releasing our version
of a remover for this virus.

The version 2.2.11 (available from the usual download sites with the
packaging code of "22C") removes the virus by zeroing out the viral code
in addition to other "fixups" to avoid the situation of other AV programs
still flagging the file after the file is no longer viral.

>Currently, the workaround is that we run fprot with the /nodoc parameter 
>- but I would like to know when DOC files are actually infected.  There's 
>gotta be a better way! 
>
>If you can email an answer to me, that would be most appreciated.  I 
>will, however, try to stay current on this newsgroup to see any possible 
>responses...

[Insert plug for VirusScan 2.2.11.]

Jimmy
cjkuo@mcafee.com
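
[Added example, not part of the digest or of any poster's message: a toy
model of the situation discussed in the message above, where a cleaned
document no longer runs the macro but a second scanner's string search still
flags it. The container format (ToyDoc), the macro names and the signature
bytes are all constructed for illustration; this does not reproduce Word's
file format or any vendor's remover.]

```python
"""Toy model: 'incomplete' vs. complete disinfection (constructed example)."""
from dataclasses import dataclass, field

# Constructed stand-in for a scanner's byte signature; not a real virus string.
SIGNATURE = b"EXAMPLE-MACRO-BODY-SIGNATURE"


@dataclass
class ToyDoc:
    """Hypothetical container: one flat data area plus a macro directory."""
    data: bytearray
    macros: dict = field(default_factory=dict)  # name -> (offset, length)


def build_infected_doc():
    """Assemble a constructed sample: text, one flagged macro, one benign macro."""
    parts = [
        ("", b"Quarterly report text. "),
        ("AutoOpen", b"Sub AutoOpen " + SIGNATURE + b" End Sub"),
        ("FormatTable", b"Sub FormatTable harmless End Sub"),
    ]
    doc = ToyDoc(bytearray())
    for name, blob in parts:
        if name:
            doc.macros[name] = (len(doc.data), len(blob))
        doc.data += blob
    return doc


def infected_macros(doc):
    """Macros still reachable through the directory whose body matches."""
    return [name for name, (off, ln) in doc.macros.items()
            if SIGNATURE in bytes(doc.data[off:off + ln])]


def raw_string_scan(doc):
    """Scanner that searches every byte of the file, reachable or not."""
    return SIGNATURE in bytes(doc.data)


def clean_unlink_only(doc):
    """Drop flagged macros from the directory but leave their bytes behind."""
    bad = set(infected_macros(doc))
    kept = {n: loc for n, loc in doc.macros.items() if n not in bad}
    return ToyDoc(bytearray(doc.data), kept)


def clean_zero_out(doc):
    """Unlink flagged macros and overwrite their bytes with zeros in place."""
    out = clean_unlink_only(doc)
    for name in infected_macros(doc):
        off, ln = doc.macros[name]
        # Same-length overwrite: the file size and every other offset stay valid.
        out.data[off:off + ln] = bytes(ln)
    return out


def compare():
    """Run both checks against the original and both cleaned copies."""
    doc = build_infected_doc()
    variants = (("infected", doc),
                ("unlink_only", clean_unlink_only(doc)),
                ("zero_out", clean_zero_out(doc)))
    return {label: {"can_run": bool(infected_macros(d)),
                    "raw_scan_hit": raw_string_scan(d),
                    "size": len(d.data),
                    "macros": sorted(d.macros)}
            for label, d in variants}


if __name__ == "__main__":
    for label, row in compare().items():
        print(f"{label:12} {row}")
```

[In this model only the zero-out cleaner leaves a file that both checks
report as clean, while the benign macro and the file length are untouched.]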

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 46]
*****************************************


