From Lehigh.EDU!owner-virus-l  Wed Apr 10 01:31:21 1996 remote from vhc
Received: by vhc.se (1.65/waf)
	via UUCP; Wed, 10 Apr 96 01:46:49 GMT
	for mikael
Received: from fidoii.CC.Lehigh.EDU by mn3.swip.net (8.6.8/2.01)
	id BAA19543; Wed, 10 Apr 1996 01:31:21 +0200
Received: from Lehigh.EDU ([127.0.0.1]) by fidoii.cc.lehigh.edu with SMTP id <39332-116557>; Tue, 9 Apr 1996 11:20:32 EDT
Received: from nss2.CC.Lehigh.EDU ([128.180.1.26]) by fidoii.cc.lehigh.edu with ESMTP id <39307-121167>; Tue, 9 Apr 1996 11:19:20 EDT
Received: from cantva.canterbury.ac.nz (cantva.canterbury.ac.nz [132.181.30.3]) by nss2.CC.Lehigh.EDU (8.7.1/8.7.1) with ESMTP id LAA108110 for <virus-l@lehigh.edu>; Tue, 9 Apr 1996 11:19:03 -0400
Received: from 172.31.30.201 ("port 1065"@misc9003.tacacs.canterbury.ac.nz)
 by csc.canterbury.ac.nz (PMDF V5.0-6 #7295)
 id <01I3D16BCMJYSH3CBI@csc.canterbury.ac.nz> for virus-l@lehigh.edu; Wed,
 10 Apr 1996 03:18:27 +1200
Message-Id: <01I3D16BVIK2SH3CBI@csc.canterbury.ac.nz>
Date: 	Wed, 10 Apr 1996 03:13:42 +1200 (NZT)
Reply-To: virus-l@Lehigh.EDU
Sender: owner-virus-l@Lehigh.EDU
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>
Subject: VIRUS-L Digest V9 #47
MIME-version: 1.0
Content-transfer-encoding: 7BIT
X-Sender: cctr132@cantva.canterbury.ac.nz
X-Listprocessor-Version: 7.2 -- ListProcessor by CREN

VIRUS-L Digest Wednesday, 10 Apr 1996    Volume 9 : Issue 47

Today's Topics:

Java security problem [was: Re: Anti exe virus (PC)]
New virus announcement - "Trevor Hoff"
Russian Virus Production?
Re: Trojan? - "Meaning of Life"
Re: Virus signatures
Re: McAfee Dishonesty
Re: LAN antivirus for Windows NT (NT)
Re: Word Macro Virus (MAC,WIN)
Re: McAfee 2.0 for Win95 "feature" (WIN95)
Re: Possilbe new virus? (WIN95)
Re: TBAV says WIN95 CD infected? (WIN95)
Re: TBAV says WIN95 CD infected? (WIN95)
PC-Cillin 95 is it any good? (WIN95)
Re: Junkie.MBR or other unknown virus appends command.com (WIN95)
Re: McAfee 2.0 for Win95 "feature" (WIN95)
Re: McAfee 2.0 for Win95 "feature" (WIN95)
Re: A small change to Word for Windows (WIN)
Re: Viruses from kids floppies - How I stopped them... (WIN)
Re: virus effecting winhelp.exe? (WIN)
One Half virus - help! (PC)
Re: Stoned.Empire.Monkey_B (PC)
Re: HELP stoned 4 virus (PC)
Help with Diablo virus (PC)
Re: Anti exe virus (PC)
Registered ThunderByte "expired" (PC)
Re: anticmos?? Help (PC)
Re: MS Macro Virus Tool (PC)
Crash or Leningrad virus (PC)
Stoned that Went Away & AntiCMOS in SUHDLOG.DAT (PC)
Re: Stoned.Empire.Monkey_B (PC)
Re: "loading bootstrap" message (PC)
Is ANTI-CMOS B able to change cmos-settings? (PC)
delwin question (PC)
Re: 636k total base memory...virus? (PC)
Warning:- PKZip 3.0 Trojan Horse (PC)
What Virus Is This???? (PC)
Re: how to get rid of Urkel (PC)
Re: 634K of RAM--virus? (PC)
Re: Does somebody know 'Partitori-B'? (PC)
re: Ripper question (PC)
re: An Aftereffect of Natas (PC)
re: Viruses that reset top of memory (PC)
AntiCMOS on JAZZ16 Inst. Disk (PC)
Re: Trabajo_hacer.b Virus (PC)
Re: McAfee Scan 2.3.0. Genuine? (PC)
Re: Jackal.B (PC)
ANTI VIRUS AND FIX YOUR PC FAST (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Tue, 09 Apr 1996 08:45:19 -0400
From: "Bob Witham Jr." <robert.l.witham.jr@state.me.us>
Subject: Java security problem [was: Re: Anti exe virus (PC)]
X-Digest: Volume 9 : Issue 47

Kelvin Chien wrote:

> Right and wrong. Provided you only "browse" on the net without clicking
> on links that automatically download executable files, you shouldn't have
> got it from the net. Java pages are, in this stage, not capable of
> letting Java applets tweak into your harddisk. 

Not so any longer according to this from comp.security.announce yesterday:

Bob W.

Subject: CERT Advisory CA-96.07 - Weaknesses in Java Bytecode Verifier
Date: 29 Mar 1996 14:46:48 GMT
From: CERT Advisory <cert-advisory@cert.org>
Reply-To: cert-advisory-request@cert.org
Organization: CERT(sm) Coordination Center - +1 412-268-7090
Newsgroups: comp.security.announce

=============================================================================
CERT(sm) Advisory CA-96.07
March 29, 1996

Topic: Weaknesses in Java Bytecode Verifier

- ----------------------------------------------------------------------------
The CERT Coordination Center has received reports of weaknesses in the
bytecode verifier portion of Sun Microsystems' Java Development Kit (JDK)
versions 1.0 and 1.0.1. The JDK is built into Netscape Navigator 2.0 and 2.01.
We have not received reports of the exploitation of this vulnerability.

When applets written with malicious intent are viewed, those applets can
perform any operation that the legitimate user can perform on the machine
running the browser. For example, a maliciously written applet could remove
files from the machine on which the browser is running--but only if the
legitimate user could also.

Problem applets have to be specifically written with malicious intent, and
users are at risk only when connecting to "untrusted" web pages. If you use
Java-enabled products on a closed network or browse the World Wide Web but
never connect to "untrusted" web pages, you are not affected.

The CERT staff recommends disabling Java in Netscape Navigator and not using
Sun's appletviewer to browse applets from untrusted sources until patches are
available from these vendors.

As we receive additional information relating to this advisory, we will
place it in

	ftp://info.cert.org/pub/cert_advisories/CA-96.07.README

We encourage you to check our README files regularly for updates on
advisories that relate to your site.

- ----------------------------------------------------------------------------
I.   Description

     The Java Programming Language is designed to allow an executable
     computer program, called an applet, to be attached to a page viewable
     by a World Wide Web browser. When a user browsing the Web visits that
     page, the applet is automatically downloaded onto the user's machine
     and executed, but only if Java is enabled.

     It is possible for an applet to generate and execute raw machine code
     on the machine where the browser is running. This means that a
     maliciously written applet can perform any action that the legitimate
     user can perform; for example, an applet can read, delete, or change
     files that the user owns. Because applets are loaded and run
     automatically as a side-effect of visiting a Web page, someone could
     "booby-trap" their Web page and compromise the machine of anyone visiting
     the page. This is the problem described in the Wall Street Journal on
     March 26, 1996 ("Researchers Find Big Security Flaw in Java Language," by
     Don Clark).

     Note: The security enhancements announced by Sun Microsystems in
	   JDK version 1.0.1 and by Netscape Communications in Netscape
	   Navigator version 2.01 do *not* fix this flaw.

II.  Impact

     If Java is enabled and a Web page containing a maliciously written
     applet is viewed by any of the vulnerable browsers or Sun's appletviewer,
     that applet can perform any operation that the legitimate user can
     perform. For example, the applet could read, delete, or in other ways
     corrupt the user's files and any other files the user has access to, such
     as /etc/passwd.

III. Solution

     We recommend obtaining vendor patches as soon as they become available.
     Until you can install the patches, we urge you to apply the workarounds
     described below.

     A. Java Development Kit users

	Sun reports that source-level fixes will be supplied to source
	licensees in the next few days. The fixes will also be included in
	the next JDK version, v1.0.2, which will be released within the next
	several weeks.

	The JDK itself is a development kit, and it can safely be used to
	develop applets and applications. If you choose to use the
	appletviewer as a rudimentary browser, do not use it to browse
	applets from untrusted sources until you have installed the v1.0.2
	browser.

     B. Netscape users

	If you use Netscape 2.0 or 2.01, disable Java using the
	"Security Preferences" dialog box. You do not need to disable
	JavaScript as part of this workaround.

	For the latest news about fixes for Netscape Navigator, consult
	the following for details:

		http://home.netscape.com/

IV.  Information for HotJava (alpha3) users

     Sun Microsystems has provided the following information for users of
     HotJava (alpha3).

	  Sun made available last year a demonstration version of a browser
	  called "HotJava." That version (alpha3) is proof-of-concept
	  software only, not a product. HotJava (alpha3) uses an entirely
	  different security architecture from JDK 1.0 or JDK 1.0.1. It will
	  not be tested for any reported security vulnerabilities that it
	  might be susceptible to, and Sun neither supports it nor recommends
	  its use as a primary browser. When HotJava is released as a product,
	  it will be based on an up-to-date version of the JDK and fully
	  supported.

- --------------------------------------------------------------------------
The CERT Coordination Center thanks Drew Dean, Ed Felten, and Dan Wallach of
Princeton University for providing information for this advisory. We thank
Netscape Communications Corporation and Sun Microsystems, Inc. for their
response to this problem.
- --------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact the
CERT staff for more information.

Location of CERT PGP key
	 ftp://info.cert.org/pub/CERT_PGP.key

CERT Contact Information
- -----------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
		CERT personnel answer 8:30-5:00 p.m. EST
		(GMT-5)/EDT(GMT-4), and are on call for
		emergencies during other hours.

Fax      +1 412-268-6989

Postal address
	CERT Coordination Center
	Software Engineering Institute
	Carnegie Mellon University
	Pittsburgh PA 15213-3890
	USA

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
	http://www.cert.org/
	ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
	comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
	cert-advisory-request@cert.org

Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided it
is used for noncommercial purposes and the copyright statement is included.

CERT is a service mark of Carnegie Mellon University.

------------------------------

Date: Mon, 08 Apr 1996 13:26:51 -0500 (EST)
From: "Rob Slade, the doting grandpa of Ryan and Trevor" <roberts@mukluk.hq.decus.ca>
Subject: New virus announcement - "Trevor Hoff"
X-Digest: Volume 9 : Issue 47

 Entry...............: "Trevor Allen(sp?) Hoff".  A final CARO name has not
			been determined as there may be variant bytes at offset
			08h and following.
 Alias...............:  Baby2
 Strain..............:  Furneaux.Meeter.Slade.Hoff, related to the earlier
			Furneaux.Meeter.Slade.Hoff.Ryan
 Detected when.......:  960407 1735H ADT
	  where......:  IWK Grace Hospital, Halifax.  There is evidence to
			suggest that the virus was programmed in the Vancouver
			area, like the earlier "Ryan Erik Hoff" virus.
 Classification......:  A full assessment has not been made as the sample is
			considered too fragile to ship, and qualified
			researchers will not be able to travel to the area for
			another three weeks.
 Length of virus.....:  Fits within a boot.  Not sector, just boot.
 ------------------------Preconditions---------------------------------
 Operating System(s).:  This strain will likely be exposed to Windows 95 before
			Grandpa can get there and fix the damage.
 -------------------------Attributes-----------------------------------
 Infection Trigger...: I'll explain it when you're older ...
 Media affected......: I haven't been online at all for two days
 Interrupts hooked...: Everything on Saturday night and Sunday
 Damage..............: None.  Thank you, God.
 Similarities........: Red, sleeps and cries a lot
 ----------------------------------------------------------------------
 Countermeasures.....: None yet attempted.  Likely never will  :-)
 -----------------------Acknowledgements-------------------------------
 Location............: V.I.R.U.S., Vancouver, BC, Canada
 Classification by...: all grandparents
 Documentation by....: Grandpa
 Date................: 960408
 
======================
roberts@decus.ca           rslade@vcn.bc.ca           rslade@vanisl.decus.ca
     "Watch me disappear!"  CLICK.  - Ryan's version of the "Treasure" Cat

------------------------------

Date: Sat, 06 Apr 1996 11:42:24 -0700
From: Evan Jones <jonesev@cadvision.com>
Subject: Russian Virus Production?
X-Digest: Volume 9 : Issue 47

In school right now I am required to do some sort of research project on 
Russia, the former USSR, or on Communism. I was thinking of topics and I 
remembered that Russia and Bulgaria are the world's biggest virus
producers.

I am looking for references to see if there is enough information on this 
subject to do a project. If you know of ANY files or books that talk about 
Russia and Bulgaria and their virus production, please send me the 
references! (URL or bibliography). I don't speak Russian but I do speak 
English and French so anything in those two languages would be GREAT. 

Thank you!

- ------
Evan Jones: 
jonesev@cadvision.com         Internet or ....
Evan Jones,Macremote          First Class Onenet
Chain Tagline: Now Stolen [1] time! (Add one as Stolen!)

------------------------------

Date: Sat, 06 Apr 1996 20:37:30 +0000 (GMT)
From: Wayne Riddle <riddler@agate.net>
Subject: Re: Trojan? - "Meaning of Life"
X-Digest: Volume 9 : Issue 47

John Elsbury <jelsbur@clear.co.nz> wrote:

>I have had a couple of instances of people receiving a ZIPped Email
>attachment - MEANING.ZIP - which they are invited to unpack and run.

>I have told staff not to run programs they don't trust...
>Has anybody else come across this? 

I just downloaded a file with this description and it was a harmless
little file.  Of course that doesn't mean all the programs called
meaning.zip are harmless.

Wayne Riddle
riddler@agate.net
http://www.agate.net/~riddler

------------------------------

Date: Mon, 08 Apr 1996 13:12:58 +0000
From: Fridrik Skulason <frisk@complex.is>
Subject: Re: Virus signatures
X-Digest: Volume 9 : Issue 47

In <0001.01I37FTNL19GSH3CBI@csc.canterbury.ac.nz> James Kruger
<jkruger@ucg.com> writes:

>I was wondering if there is a library of virus signatures.

The only publicly available ones are those posted in the Virus
Bulletin.   Of course they only list strings for non-polymorphic
viruses.

>I have a couple of virus scanners that allow you to add signatures
>to look for and I wish to update the files.

Why ?   Why not simply get an up-to-date scanner that can also
detect polymorphic viruses ?

-frisk

- - 
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Mon, 08 Apr 1996 12:58:52 -0400
From: "David G. Kalbfell" <cd001701@interramp.com>
Subject: Re: McAfee Dishonesty
X-Digest: Volume 9 : Issue 47

Mike Michalowicz wrote:

> Hunter wrote:
> 
> > In October 1995 I prepaid to McAfee for a registered copy of their
> > Viruscan for Windows.  It wasn't till 8 weeks later that the software
> > finally arrived in the mail; and they sent the DOS version, not the
> > Windows.  They rectified their error by sending me the Windows disks for
> > the version 2.2.5 from August 1995.
> >
> > After finally locating and downloading the updating .dat files, which were
> > supposed to be provided to me free for two years as a registered user,
> > they disabled the Vshield.  McAfee support, such as it is, did not respond
> > to two email messages, nor to a telephone call.
> >
> > Now 2 months later, McAfee finally updates its Web page with the
> > announcement that the .dat files are not backwards compatible. In effect
[snip]
> My former company, and specifically myself, are an authorized agent for
> the McAfee anti-virus software.  You experience is quite unfortunate,
> and has been reported by other people when dealing with McAfee directly.
> 
> McAfee should have made you aware of the BBS access password for
> (r)egistered files.  All you need is a modem and this password, and you
> will be able to download the updates as frequently as you want for two
> years (you can use either the BBS or the Web).

Still doesn't matter, now you only get to download ONCE and that is it, 
no free support for 2 years, and your PC will be outdated by the time 
you get an email response.  That's all right though, I will just use 
Norton Antivirus when it is time to upgrade to something different.

McAfee #1 in Virus Protection
We BLOW in Customer Support.

dgk

------------------------------

Date: Mon, 08 Apr 1996 15:34:59 +0000 (GMT)
From: Ken Stieers <ken_stieers@ontrack.com>
Subject: Re: LAN antivirus for Windows NT (NT)
X-Digest: Volume 9 : Issue 47

Look at McAfee's NetShield 2.5 for NT. 

Ken

- - 
Views expressed herein are not necessarily the views 
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               |  Minneapolis - 1.800.872.2599       * 
* AV Research/Apps. Eng.    |  Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  |  Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     |  London - 0800 24 39 96             *
* Eden Prairie, MN          |  Japan - 81.429.32-6365             *
*******************************************************************

------------------------------

Date: Sun, 07 Apr 1996 07:39:34 +0000 (GMT)
From: "Richard J. Martin" <bd326@torfree.net>
Subject: Re: Word Macro Virus (MAC,WIN)
X-Digest: Volume 9 : Issue 47

Lee Morgan (lmorgan@pepperdine.edu) wrote:

: Until 2 days ago I was able to use the "scanprot.dot" macro from Microsoft
: to get rid of the "concept" virus that has plagued MS Word for some time
: now.  2 Days ago, it started giving me a "load error", or an application
: error.
: 
: Does anybody body have any suggestions???

Any chance you simply have a corrupted copy of the tool?  Try a fresh 
copy.  I've found that people running DOS 6.0 Doublespace and 
SCANPROT.DOT sooner or later corrupt the macro.  It has little to do with 
the *.DOT file, but is a problem nevertheless.

Lates

P.S.  Wouldn't hurt to acquire some recent copies of TBAV, F-PROT, etc. :)

------------------------------

Date: Fri, 05 Apr 1996 18:20:25 +0000 (GMT)
From: "Louis Dupuy, F.M.P." <poboys@worldnet.att.net>
Subject: Re: McAfee 2.0 for Win95 "feature" (WIN95)
X-Digest: Volume 9 : Issue 47

Someone suggested that I get McAfee.  Is it as good as the Norton 
anti-virus program?

------------------------------

Date: Sat, 06 Apr 1996 07:45:09 +0000 (GMT)
From: Aryeh Goretsky <goretsky@netcom.com>
Subject: Re: Possilbe new virus? (WIN95)
X-Digest: Volume 9 : Issue 47

Have you checked the System Agent to see if some program is trying to run
when the strange event occurs?

Also, if you disconnect the PC's does the problem still occur on both and
at the same frequency?

Regards,

Aryeh Goretsky

------------------------------

Date: Sun, 07 Apr 1996 04:50:36 +0000 (GMT)
From: dkstewart <dkstewart@csra.net>
Subject: Re: TBAV says WIN95 CD infected? (WIN95)
X-Digest: Volume 9 : Issue 47

In article <0012.01I38O2643KKSH3CBI@csc.canterbury.ac.nz>, 
kwiagrif@nicoh.com says...

>"Richard K.C. Ling" <rkcling@netcom.ca> wrote:
>
>>Hi!  I just recently bought and set-up a DELL P166.
>warnings from a 32-bit TBAV under WIN95, 

Richard, log onto www.thunderbyte.com and download the latest release of 
TBW95700.ZIP or TBW95701.ZIP  These are NEW and have cleared the most if 
not all of your hits on those suspected files.  Post another message or 
send me Email after you install the NEW ThunderBYTE.  Also NEW to 
ThunderBYTE for WIN 95 is a VXD driver that will keep a constant watch 
over your system.

Duncan Stewart
dkstewart@csra.net
ThunderBYTE Agent

------------------------------

Date: Sat, 06 Apr 1996 22:54:38 -0500
From: Comfortably Anonymous <gt7746c@prism.gatech.edu>
Subject: Re: TBAV says WIN95 CD infected? (WIN95)
X-Digest: Volume 9 : Issue 47

Vegas Griff wrote:

> "Richard K.C. Ling" <rkcling@netcom.ca> wrote:
> 
> >Hi!  I just recently bought and set-up a DELL P166.  After virus
> >warnings from a 32-bit TBAV under WIN95, I killed the affected files
> >and re-installed WIN95.  Two of the same warnings appeared again during
> >my first session.  I finally did a full scan on my WIN95 CD and three
> >files were revealed infected.  They are:

I may be way off base, but maybe not.  TBAV does a heuristic scan, which
is not like the traditional virus scan.  The "heuristic" scan just looks
for suspicious characteristics in a file, so you may get false positives. 
This is why a crack program or the like may be detected, because it alters
parts of the file causing an unconditional jump instead of a conditional
one.  

If I am wrong in any of my above statements please let me know.  I don't
want to mislead other people, but I believe I am correct.

------------------------------

Date: Mon, 08 Apr 1996 00:50:43 +0100
From: Simon <Simon@churwell.demon.co.uk>
Subject: PC-Cillin 95 is it any good? (WIN95)
X-Digest: Volume 9 : Issue 47

I am looking to buy myself a good anti-virus program and have read an
advert for PC-Cillin. It claims to be the best, detecting all known
viruses and future ones.

Seems to be the all-singing all-dancing antivirus. Is it really better
than the established 'big' names like Dr Solomon and Mcafee? The price
is certainly much better. 

Does anyone have any recommendations, good or bad. Please email me.

Many Thanks, 
- - 
Simon

------------------------------

Date: Mon, 08 Apr 1996 12:50:50 +1100
From: "Carl I. Weibgen" <cweibgen@netspace.net.au>
Subject: Re: Junkie.MBR or other unknown virus appends command.com (WIN95)
X-Digest: Volume 9 : Issue 47

P Boutros wrote:

> My friend has a P100, running win 95 and scan 95 1.00.
> 
> Mcafee Scan told him he had Junkie.MBR on his computer, but it couldn't
> remove until a clean boot up was made.
> 
> He tried to boot off of his gateway 2000 bootup disk, which in turn made
> him boot off of a CD.  Mcafee still couldn't clean.

The Junkie virus is one of the hugest pains I have ever come across.

It infects *.com files and boot sectors.  It moves easily from PC to PC 
on floppy disks.

At first it is relatively harmless but eventually it destroys file 
allocation tables which is a nightmare if you have something important 
on your PC.

There are a few ways to get rid of it - I used McAfee so I'll tell you 
with specific reference to that.  Note that McAfee only finds this 
from approximately 2.1.4 onwards.  I recommend the latest version 
possible.

Clean boot your PC with a clean system disk.

Run scanner (with /clean option) through all files.

Reboot PC (DOS only) and scan to make sure.

Type FDISK /MBR - this rewrites your boot sector.

Now the painful part:  Scan every diskette you have.  You only need to 
read one infected diskette and the nightmare begins again (arg!).

Have fun.

Carl

------------------------------

Date: Mon, 08 Apr 1996 00:15:40 -0400
From: MKW94 <mkw94@aol.com>
Subject: Re: McAfee 2.0 for Win95 "feature" (WIN95)
X-Digest: Volume 9 : Issue 47

In article <0012.01I30DCRYH72S5UZJP@csc.canterbury.ac.nz>, Zack Jones
<zack@hom.net> writes:

>The only odd behavior I've observed and I don't know if this is caused
>by McAfee or something else, but everytime I shut down the computer it
>tries to read the A Drive for a few seconds before I get the "It's
>save to turn off your computer screen".

It must be McAfee because mine does the same thing.

Mark Whaley
MKW94@aol.com
Ohio  USA

------------------------------

Date: Mon, 08 Apr 1996 15:38:06 +0000 (GMT)
From: Ken Stieers <ken_stieers@ontrack.com>
Subject: Re: McAfee 2.0 for Win95 "feature" (WIN95)
X-Digest: Volume 9 : Issue 47

Since shutdown could mean "shutdown and restart" VSHIELD scans the boot 
sector of the floppy in drive A to make sure you don't boot from an
infected floppy.  You can turn this off. 

Ken 

- - 
Views expressed herein are not necessarily the views 
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               |  Minneapolis - 1.800.872.2599       * 
* AV Research/Apps. Eng.    |  Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  |  Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     |  London - 0800 24 39 96             *
* Eden Prairie, MN          |  Japan - 81.429.32-6365             *
*******************************************************************

------------------------------

Date: Sat, 06 Apr 1996 00:38:38 +0000 (GMT)
From: hgjh@ghfh.hhj
Subject: Re: A small change to Word for Windows (WIN)
X-Digest: Volume 9 : Issue 47

When you scan for viruses, did you add the .doc and .dot extensions to
the list of files to scan?  Also, if you used NAV, did you update it with
the update to recognize macro viruses?

------------------------------

Date: Sat, 06 Apr 1996 20:40:05 +0000 (GMT)
From: Wayne Riddle <riddler@agate.net>
Subject: Re: Viruses from kids floppies - How I stopped them... (WIN)
X-Digest: Volume 9 : Issue 47

Mike Lawrence <webber@va.pubnix.com> wrote:

>I believe most viruses enter from a floppy or modem. 
>If your kids are introducing viruses to your computer, you can 
>try IconHideIt. I use it to lock down the DOS box, groups, 
>icons, directories, communication and printer ports. 

Floppies are a good bet. What type of protection against infected
floppies does IconHideit offer against infected boot sectors?

Wayne Riddle
riddler@agate.net
http://www.agate.net/~riddler

------------------------------

Date: Sun, 07 Apr 1996 03:11:27 +0000 (GMT)
From: Ray Kennedy <rkennedy@hookup.net>
Subject: Re: virus effecting winhelp.exe? (WIN)
X-Digest: Volume 9 : Issue 47

On 5 Apr 1996 15:57:17 -0000, "G.h.van den Berg" <guy@net-prophets.co.uk>
wrote:

>Does any one know of a virus that infects at least winhelp.exe...my
>copy has corrupted lately and when I reinstall it it corrupts again.
>The version on the install disks is 256,192 bytes after a windows
>session that has refused to run winhelp winhelp.exe is now
>258,150...does any one know what is going on. I have also noticed a
>drop in system performance of late. Do  I have a virus...all the scan
>I have run so far don't detect anything.

You've got the so-called TENTACLE virus, I'd bet.  It affects windows
executables.  So far, there doesn't appear to be a "cure" other than
removing ALL .exe's that contain the signature word tentacle....

Get hold of Dr. Solomon's home page at http://www.drsolomon.com . They
have a patch to their program that can detect it.

Hope you have backups.  Every time you run a program that's infected,
it'll infect others. 

Good luck.    [BTW - I think it originally came from a program called
DOGZCODE.zip.  Ring any bells?]

------------------------------

Date: Fri, 05 Apr 1996 11:45:56 -0500
From: yl08@Lehigh.EDU
Subject: One Half virus - help! (PC)
X-Digest: Volume 9 : Issue 47

One Half virus attacked my computer today.  It wiped out everything in my
logical drives D and E, while leaving all my software on drive C intact.  I
got the virus removed with Drsolom's findviru.  But, my hard drive is
still a mess.  I can't see my D drive at all, while E drive is accessible
but everything is lost.  I am not a computer specialist.  Can anyone tell
me how I can recover the lost data from these logical drives?  I need them
so badly for my graduation in May, yet I don't have a backup for most of
them (about 150 MB data)!

My email is YL08@Lehigh.edu.

Yanzun Li

------------------------------

Date: Fri, 05 Apr 1996 19:29:36 +0000 (GMT)
From: "B. Gilbert" <bgilbert@blue.weeg.uiowa.edu>
Subject: Re: Stoned.Empire.Monkey_B (PC)
X-Digest: Volume 9 : Issue 47

Joe Wallace <yusuf@chelsea.ios.com> writes:

>In article <0022.01I2G0808C12RI5O92@csc.canterbury.ac.nz>,
>Virex1<virex1@aol.com> says:

>>I had a floppy disk infected with the Stoned.Empire.Monkey_B virus, while
>>attempting to disinfect the floppy I ended up infecting my internal HD by

I too have found the Stoned Monkey on a friend's system.  Booting from
a clean floppy, I can't access the hard disk, but by itself it seems
to boot and run fine.  F-Prot couldn't see it either, although it did
find the infected MBR (!)  C: seems to be inaccessible due to the
infected MBR.

On another occasion I had this same virus, and applying fdisk /mbr
(from a floppy) killed the drive (it would no longer boot).  So I'm
naturally reluctant to try this again!  What should I do this time to
clean up?
- -
 =========================      All Science is Physics;
  Brian-Gilbert@UIowa.edu       everything else is 
 =========================      stamp collecting.     -Ernest Rutherford

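A check a responder would want before reaching for FDISK /MBR, both in the Junkie walk-through earlier in this digest and in the Monkey case described in this post: FDISK /MBR replaces only the bootstrap code in sector 0 and keeps whatever partition table it finds there; it does not reconstruct one. If the table actually sitting in sector 0 is empty or nonsensical (one way a drive can be unreachable after a clean floppy boot while still booting "fine" on its own), rewriting the boot code alone leaves a disk with no usable table, which matches the "killed the drive" outcome reported above. The following Python script is an added example, not code from any poster or product: it decodes the partition table of a raw 512-byte MBR and reports whether it describes a real partition. The sample sectors are constructed in the code.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 0x1BE        # four 16-byte partition entries live here
SIGNATURE_OFFSET = 0x1FE    # followed by the 0x55AA boot signature


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four partition entries of one 512-byte master boot record."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, size
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def table_looks_sane(mbr: bytes) -> tuple:
    """Return (ok, reasons): the 0x55AA signature must be present, every status
    byte must be 0x00 or 0x80, and at least one entry must name a partition
    type with a non-zero size. An empty or garbage table in sector 0 is the
    case where rewriting only the boot code cannot give back a usable disk."""
    reasons = []
    if mbr[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xAA":
        reasons.append("missing 0x55AA boot signature")
    entries = parse_partition_table(mbr)
    if not any(e["type"] != 0 and e["sectors"] > 0 for e in entries):
        reasons.append("no entry names a partition type with a non-zero size")
    for n, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):
            reasons.append("entry %d has invalid status byte 0x%02X" % (n, e["status"]))
    return (not reasons, reasons)


def build_mbr(entries, boot_code: bytes = b"") -> bytes:
    """Assemble a test sector from (status, type, lba_start, sectors) tuples."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, sectors) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, TABLE_OFFSET + 16 * i,
                         status, ptype, lba_start, sectors)
    sector[SIGNATURE_OFFSET:] = b"\x55\xAA"
    return bytes(sector)


# Constructed samples: a healthy disk with one bootable FAT16 (type 0x06)
# partition, and a sector whose partition table is all zeros, which is what
# sector 0 looks like when the real table is no longer kept there.
CLEAN_MBR = build_mbr([(0x80, 0x06, 63, 1_000_000)])
BLANK_TABLE_MBR = build_mbr([])


def check_image(path: str) -> tuple:
    """Run the check on the first sector of a raw disk image (read-only)."""
    with open(path, "rb") as fh:
        return table_looks_sane(fh.read(SECTOR))


if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("blank table", BLANK_TABLE_MBR)):
        ok, reasons = table_looks_sane(sector)
        print(label, "->", "ok" if ok else "; ".join(reasons))
```

Run against an image taken with the disk offline (`check_image("disk.img")`, a constructed path): a clean result means the table in sector 0 is intact and a boot-code rewrite is at least not destructive; a failing result means the real table has to be recovered first, with the scanner's own disinfection routine or from a backup, and FDISK /MBR should wait.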
------------------------------

Date: Fri, 05 Apr 1996 15:22:17 -0800
From: Kevin Yee <chuckyee@triumf.ca>
Subject: Re: HELP stoned 4 virus (PC)
X-Digest: Volume 9 : Issue 47

hanbinde wrote:

> Does anyone have documentation on how to remove the stoned 4 virus. It
> was detected by Microsoft's MSAV which doesn't remove it and F-Prot
> (Dec 95 version) doesn't see it..

I had the same problem before. I couldn't clean it with MSAV even when I 
booted with a write protected disk. I had a 386sx. When I switched to 
MWAV I cleaned it, but my hard disk crashed. It might happen to you, but 
you might want to try.

------------------------------

Date: Sat, 06 Apr 1996 00:59:55 +0000 (GMT)
From: "Amador Ahumada Z." <ahumadaz@netup.cl>
Subject: Help with Diablo virus (PC)
X-Digest: Volume 9 : Issue 47

HELLO, HELP ME WITH DIABLO:

      I need a string for research.

     Excuse my English, I am from Chile; I need that virus, if possible 
as a disk image.

amador ahumada z.
Valparaiso Chile

------------------------------

Date: Sat, 06 Apr 1996 00:58:40 +0000 (GMT)
From: Bruce Burrell <bpb@stimpy.us.itd.umich.edu>
Subject: Re: Anti exe virus (PC)
X-Digest: Volume 9 : Issue 47

owner-virus-l@fidoii.cc.lehigh.edu wrote:
[snip]
> We had AntiExe here at the library where I work. It is an almost
> completely benign virus. All it really does is exist. 
			   ^^^^^^^^^^^^^^^^^^^^^^^^^^^

> It has no
> stealth capability nor can it execute anything. You get it when you
> try to boot up your machine, but have left an infected disk in the A:
> drive. The machine's hard drive picks up the virus when it tries to
> boot off the disk. From then on it infects any disk you use in the A:
> drive.             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ^^^^^

   I would maintain that these two statements are contradictory.  If it 
merely existed, then it wouldn't spread to diskettes.  That would be moot 
but for the fact that (a) it takes time to disinfect diskettes; (b) the 
more of them that are infected, the longer it takes; (c) the virus can 
cause data loss on those diskettes.

   I think you're saying that AntiEXE has no payload to speak of, but one
who doesn't know better might interpret the first statement I've high-
lighted as meaning "Don't worry about it; you don't need to remove it (or
at least tend to other matters first)." 

> Programs like F-Prot will easily clear this virus, but, as you
> know, you have to boot with clean (non-infected) disks in order to
> clear. Hope this helps.   Bob Davis

   Agreed.  From this, I'm pretty sure that you're -not- advocating 
leaving AntiEXE (or any other virus) around, but I figure it's a 
worthwhile point to reinforce that all viruses should be removed at the 
earliest safe opportunity.

   -BPB

------------------------------

Date: Fri, 05 Apr 1996 23:17:53 -0800
From: Tegan Blackbird <blackbird@psu.edu>
Subject: Registered ThunderByte "expired" (PC)
X-Digest: Volume 9 : Issue 47

I purchased TBAV about a year ago, from the BBS of a distributor in 
Dagsboro, DE, after trying it as shareware.  I tried recently to log onto 
the bbs to download an upgrade, but the # has been disconnected.

Meanwhile, every time I log onto my computer I get a series of obnoxious 
beeps and messages "warning" me that my "evaluation key date has 
expired."

Can anyone help me?  What would I need to do to get a legitimate upgrade 
for TBAV?

Thanks.

------------------------------

Date: Sat, 06 Apr 1996 04:41:58 +0000 (GMT)
From: Bruce Burrell <bpb@stimpy.us.itd.umich.edu>
Subject: Re: anticmos?? Help (PC)
X-Digest: Volume 9 : Issue 47

philski@spirit.com.au wrote:

> help!!! I am running 486 dx4 120 award with 12 meg ram win 95. My problem
> is that I get a "checksum error defaults loaded" and/or "cmos battery
> failed" but it  is a brand new mo'board and I have replaced battery since
> first occ!
> 
> Please help me I'm melting.
> 
> PS I have tried clean boot with fdisk/mbr and formatting hd.

   Since you think that it might be a virus, have you examined your 
system with antivirus software?  There are several excellent products 
that may be downloaded via ftp, e.g. 
   ftp://ftp.simtel.net/pub/simtelnet/msdos/virus/fp-222.zip  for F-PROT
 and
   ftp://ftp.drsolomon.com/pub/progs/dsav758.zip    for DSAVTK

The former is free for non-commercial, individual use; the latter is
evaluationware. There are others, but that should get you started. 

Make sure that you boot from a clean floppy before you scan.

   -BPB

------------------------------

Date: Sat, 06 Apr 1996 06:07:48 +0000 (GMT)
From: Larry Cooper <lcooper@ix.netcom.com>
Subject: Re: MS Macro Virus Tool (PC)
X-Digest: Volume 9 : Issue 47

Maxine Sheinin <msheinin@ix.netcom.com> wrote:

>> Am evaluating the option of using either Microsoft's Macro Virus
>> eradicator, or just going with the latest Norton AntiVirus version and
>> signature files.... any experience, pro or con, either way?
>
>I installed the Microsoft Protection Macro for Word.  Found a few minor 
>irritating differences (one is that you cannot open multiple files at
>once), but the alternative seems worse.  We started scanning (using
>McAfee) the document files but found that some people had so many
>documents on their hard drives that it took foreverrrrrrrrrrrrrrrrrr to
>scan.  There is no noticeable file open or close delay in Word (6.0), so
>we went with that.

Odd.  I haven't encountered any problem opening multiple files.  The
biggest problem we have with using the MS protection, SCANPROT.DOT, is
that you have to open the document from Word using the File-Open
commands.  That means that e-mail attachments can't be opened from
within the e-mail (e.g., cc:Mail) program or by double clicking from
file manager.

Larry Cooper
(lcooper@ix.netcom.com)

------------------------------

Date: Sat, 06 Apr 1996 09:03:16 -0500
From: MKW94 <mkw94@aol.com>
Subject: Crash or Leningrad virus (PC)
X-Digest: Volume 9 : Issue 47

I *had* what I now think was this virus, but cannot confirm it.
About 2 months ago, my PC did something really *weird*.

All the directories were doubled on the HD. (not all, but 90%).  I
originally attributed it to a failed HD. Saved what files I could get
to on floppies. After I purchased a new HD and installed all the old
files....I discovered something. Some of the data in a text document
was missing and contained *weird* characters. While I was trying to
delete those Characters, the PC screen went to a checkerboard maze of
different colored squares...some blinking. The PC was locked up and I
had to re-boot. 

After doing some looking on the WWW on virus info, I found the same
exact picture at <http://www.datafellows.fi/v-pics/>. (Screen shots of 
Computer Viruses). The one called "Crash or Leningrad". The info on 
this web site is temporarily out of order. I was wondering if any of the 
people here could give me info on this virus??

I still have that file on a floppy disk that makes it lock up. McAfee's
VShield does not report any virus on it, or on my system now. It only
appears when I try to delete or scroll down past the weird characters
contained in that text document.

Any info you have on this will be greatly appreciated.

Mark Whaley
MKW94@aol.com
Ohio  USA

------------------------------

Date: Sat, 06 Apr 1996 15:25:00 +0000 (GMT)
From: "David J. Fionda" <dfionda@misinc.com>
Subject: Stoned that Went Away & AntiCMOS in SUHDLOG.DAT (PC)
X-Digest: Volume 9 : Issue 47

My home computer was recently infected by AntiCMOS, Stoned (4) and NYB-B!
viruses.

I used McAfee's Scan to get rid of the AntiCMOS and NYB from the boot
sector (AntiCMOS was on the C drive and NYB was on the D drive). McAfee
scanned the disk and said that it was fine.

First, why did it not tell me that it wiped out the Stoned virus? I then
went to install McAfee VirusScan for Windows 95 and it found a file that
was infected by AntiCMOS. The file name is SUHDLOG.DAT, an * K file. In
printing it out, it looks like some hard disk information. McAfee
offered to erase it and told me to reload it from the original source, but
I cannot find it on the Win 95 CD. From everything I have researched,
AntiCMOS is not supposed to infect files?

Dave Fionda
DFIONDA@SHORE.NET

------------------------------

Date: Sat, 06 Apr 1996 17:21:54 +0000 (GMT)
From: "B. Gilbert" <bgilbert@blue.weeg.uiowa.edu>
Subject: Re: Stoned.Empire.Monkey_B (PC)
X-Digest: Volume 9 : Issue 47

>In article <0022.01I2G0808C12RI5O92@csc.canterbury.ac.nz>,
>Virex1<virex1@aol.com> says:

>>I had a floppy disk infected with the Stoned.Empire.Monkey_B virus, while
>>attempting to disinfect the floppy I ended up infecting my internal HD by

I too seem to have this Stoned Empire Monkey virus, on a friend's
machine.  When I boot from a clean floppy, C: is not recognized.
F-Prot finds the infected MBR, but doesn't see the hard disk (!).
Otherwise the machine seems to boot and run fine.

The last time this happened (with this same virus) I tried the fdisk
/mbr, but this rendered the hard disk unbootable.  I had to do a
complete restore from tape, and then clean the restored files before
the MBR reinfected.

Have I missed a step?  I'm reluctant to try the fdisk /mbr again!
- -
 =========================      All Science is Physics;
  Brian-Gilbert@UIowa.edu       everything else is 
 =========================      stamp collecting.     -Ernest Rutherford
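
An added check for the situation Brian describes; this is my example, not
part of his post. FDISK /MBR rewrites only the master boot code in the
first 446 bytes of sector 0 and keeps the 64-byte partition table and the
55AAh signature that follow it. Several MBR infectors, Monkey among them,
keep the real partition table only inside the stashed copy of the original
sector, so the table in the infected sector is blank; a clean boot that
cannot see C: is the usual sign. Running FDISK /MBR on such a sector gives
you clean boot code with no partitions behind it, which is exactly "rendered
the hard disk unbootable". The Python below parses a 512-byte sector dump
and reports whether the table in it is worth keeping. The two sample
sectors are constructed here; the partition type, start sector and size in
them are invented for illustration.

```python
import struct

SECTOR_SIZE = 512
PT_OFFSET = 446          # partition table: 4 entries x 16 bytes
SIG_OFFSET = 510         # 55h AAh boot signature
PARTITION_TYPES = {0x01: "FAT12", 0x04: "FAT16 <32M", 0x05: "extended",
                   0x06: "FAT16", 0x0B: "FAT32", 0x0C: "FAT32 LBA"}

def parse_partition_table(sector):
    """Decode the four primary partition entries of an MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("need exactly one 512-byte sector")
    entries = []
    for i in range(4):
        base = PT_OFFSET + 16 * i
        boot_flag, ptype = sector[base], sector[base + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, base + 8)
        entries.append({"index": i, "boot_flag": boot_flag, "type": ptype,
                        "type_name": PARTITION_TYPES.get(ptype, "0x%02X" % ptype),
                        "lba_start": lba_start, "sectors": sectors})
    return entries

def assess_mbr(sector):
    """Decide whether the partition table in this sector is worth keeping.
    FDISK /MBR replaces bytes 0..445 and leaves 446..511 alone, so if this
    table is empty or malformed you end up with clean code and no C:.
    A missing signature is flagged as unsafe too: then nothing in the
    sector can be trusted."""
    sig_ok = struct.unpack_from("<H", sector, SIG_OFFSET)[0] == 0xAA55
    entries = parse_partition_table(sector)
    live = [e for e in entries if e["type"] != 0 and e["sectors"] != 0]
    flags_ok = all(e["boot_flag"] in (0x00, 0x80) for e in entries)
    bootable = [e for e in live if e["boot_flag"] == 0x80]
    safe = sig_ok and flags_ok and len(live) > 0 and len(bootable) == 1
    return {"signature_ok": sig_ok, "live_partitions": len(live),
            "bootable_partitions": len(bootable), "flags_ok": flags_ok,
            "fdisk_mbr_keeps_usable_table": safe}

def build_sector(entries, signature=True, code=b"\xEB\xFE"):
    """Constructed helper: assemble a sector from
    (boot_flag, type, lba_start, sectors) tuples."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(code)] = code                 # stand-in boot code: jmp $
    for i, (flag, ptype, start, count) in enumerate(entries):
        base = PT_OFFSET + 16 * i
        sector[base] = flag
        sector[base + 4] = ptype
        struct.pack_into("<II", sector, base + 8, start, count)
    if signature:
        struct.pack_into("<H", sector, SIG_OFFSET, 0xAA55)
    return bytes(sector)

# Constructed samples: a healthy disk with one bootable FAT16 partition, and
# an infected-style sector whose table is blank although the signature is
# intact (what a Monkey-infected MBR looks like from a clean boot).
HEALTHY_MBR = build_sector([(0x80, 0x06, 63, 1048513)])
BLANK_TABLE_MBR = build_sector([])

if __name__ == "__main__":
    for name, sec in (("healthy", HEALTHY_MBR), ("blank table", BLANK_TABLE_MBR)):
        print(name, assess_mbr(sec))
```

Feed assess_mbr() the first sector of the suspect disk (a raw sector dump
from any disk editor or imaging tool). If the table comes back empty, do not
run FDISK /MBR; let a scanner that knows the virus put the original sector
back, or rebuild the table from the known partition geometry first.
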

------------------------------

Date: Sat, 06 Apr 1996 20:48:22 -0600
From: "R. Zalk" <ez-zone@netmedia.net.il>
Subject: Re: "loading bootstrap" message (PC)
X-Digest: Volume 9 : Issue 47

The bootstrap message was displayed on Olivetti computers. Perhaps you 
have that brand or were using an Olivetti DOS disk.

------------------------------

Date: Sat, 06 Apr 1996 13:45:34 -0500
From: Stematt <stematt@aol.com>
Subject: Is ANTI-CMOS B able to change cmos-settings? (PC)
X-Digest: Volume 9 : Issue 47

Today, I detected an AntiCMOS B virus in the boot sector. To clean my
hard disk I shut down my system (W95) and then tried to reboot from a
clean floppy disk (MS-DOS 6.0 with McAfee's newest DOS scan). But no
chance. Every time I try to boot from the floppy disk my system stops.
(Reading floppy disks with the W95 Explorer is no problem.) Does ANTICMOS
prevent me from booting? Has ANTICMOS changed or "damaged" my
CMOS settings (boot sequence is still A: C: / boot from floppy is enabled)?

What can I do ????

Steffen

------------------------------

Date: Sat, 06 Apr 1996 21:50:15 +0100
From: Dominik Witkiewicz <kvas@idsserv.waw.ids.edu.pl>
Subject: delwin question (PC)
X-Digest: Volume 9 : Issue 47

I have a (rather not short) question.
My HDD is infected with DELWIN (probably 1759, but I'm not sure).
When I look into absolute sector 3, I can see the word "delwin" there.
During the start of Windows, something tries to write to the MBR (but my
BIOS prevents that).
That is typical for Delwin (as I heard).

Now some less typical stuff (IMO):

I tried various anti-virus programs, but none can see it (probably they're
not looking into this area or something...). Some behave strangely: while
they should be scanning the HDD partition table they write that they are
doing so, but they are intensively reading (/writing?) the FDD. On a clean
system these anti-virus programs run OK, I mean they write that they check
the HDD PT, and they are doing that.

The virus is invisible to anti-virus programs even after booting from a
"surely clean and not infected" floppy.

Q: Does anyone know what the hell it is? How do I get rid of it?
   Where can I find any resources about Delwin stuff (except for the F-Prot
   pages)?

Thanx in advance

Dominik Witkiewicz

------------------------------

Date: Sun, 07 Apr 1996 00:43:38 +0000 (GMT)
From: James Gryga <jamesgry@netcom.com>
Subject: Re: 636k total base memory...virus? (PC)
X-Digest: Volume 9 : Issue 47

eriko@phoenix.net wrote:

: I am running Win95 *shudder* and whenever I run a dos prompt and type mem
: I come up with 636k _TOTAL_ base memory.  This didn't happen before, so
: something must have happened.  I also received a message that my master
: boot records were changed and that might be from a virus.
: 
: When I reboot in MS-DOS mode I get 638k total base memory. 
: I have run McAfee scan for Windows ver 2.2.9 and it doesn't detect
: anything. 

I too have this problem.  It started when I tried to install the Qualitas 
Max8 Memory Manager.  After several problematic starts, and some e-mail 
to Qualitas, I finally did get it to install.  However, I only have 638K 
Base Memory.  One thing that did change is that when my system (P90, PCI 
SCSI, 16M RAM, etc, running regular Windows for Workgroups and DOS) 
starts up I no longer see the message that does something like

...handler 13h redirected...

I wish I paid more attention to it before but this is about all I can 
remember of it.

I did run a mem /c and mem /d from DOS and it appears that something that 
was once handled by the BIOS is now sitting in DOS.  This happens in each 
of my config sections (I have a six part Multi-Config file).  I tried to 
reset my BIOS but that did not help.

Any help to this problem would be appreciated as I think our problems are 
the same.

Thanks in advance.

	jim

------------------------------

Date: Sun, 07 Apr 1996 00:44:21 +0000 (GMT)
From: "Frederick W. Randall" <fwrandal@prairienet.org>
Subject: Warning:- PKZip 3.0 Trojan Horse (PC)
X-Digest: Volume 9 : Issue 47

Got this from the PageMaker newsgroup:

******************************************************

From: ciac@llnl.gov
To: HAVEL Christopher A  <christopher.a.havel@state.or.us>
Cc: CIAC
Subject: RE:PKZIP trojan horse?
Date: Monday, April 01, 1996 11:26AM
Christopher,
The following is from PKWare --

It  has come to PKWARE's attention that a trojan version of PKZIP is being
distributed under the name PKZ300B.ZIP or PKZ300B.EXE. This version is not
an official version and will attempt to destroy your HD. Delete it immediately
if you have downloaded this version. If you have any further questions about
this trojan version, contact PKWARE at: support@pkware.com.

 ============================ End PKWare Message ==========================

PKWare lists the following as known PKZIP related hacks (modified or bogus
versions)
as of 06/01/95:
     PKZIP120       Early hack of 1.1
     PKZIP20B       Hack of 1.1
     PKZIP_V2.EXE   Trojan, will erase hard drive
     PKZ201.ZIP     Hack of 1.93
     PKZ201.EXE          "
     PKX201.EXE          "
     PKZ210F.EXE    Unknown
     PKZIPV2        **TROJAN** will erase hard drives
     PKUNZIP.COM    Unknown
     PKZIP203.EXE   Unknown
     PUTAV 1.93     Fake putav program (Trojan)
     PKZIP 1.99     Unknown
     PKZIP 2.02     Unknown
     PKZIP 2.2      **TROJAN** destroys hard drives
     PKZ305.EXE     Hack of 1.93, fave AV, **VIRUS**
     PKZ41V.EXE     Hack of 1.93
     PKZ300B.ZIP    Trojan, will erase hard drives
     PKZ300B.EXE         "
 If you have any questions or problems, please let us know.
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Computer Incident Advisory Capability (CIAC)    David L. Crawford
(510)422-8193                                   (510)423-9905
ciac@llnl.gov                                   crawford1@llnl.gov
 ----------------------------------------------------------------------

******************************************************

- - 
Frederick W. Randall
Wordsmith and Alleged Graphic Artist
(aka A Cute, Cuddly Curmudgeon)

------------------------------

Date: Sun, 07 Apr 1996 04:16:40 +0000 (GMT)
From: "R. Barclay" <save_on@uniserve.com>
Subject: What Virus Is This???? (PC)
X-Digest: Volume 9 : Issue 47

In QEMM ver 8, I notice when I look in the Manifest the IRQs read: #11
says IBM mouse event and #13 (I think) says co-processor error.

Also at the DOS prompt the Largest Free Upper Memory Block is at 49K. It
usually reads 14K.

When I'm in windows I get irregular mouse problems, other than that
everything runs fine?

Any help would greatly be appreciated & Who knows I may even be able to
return the favour one day.

Thanks

------------------------------

Date: Sun, 07 Apr 1996 05:18:55 +0000 (GMT)
From: Benedict Tam <BTAMHS@cxair.com>
Subject: Re: how to get rid of Urkel (PC)
X-Digest: Volume 9 : Issue 47

Jim Wu <yenchun@engin.umich.edu> wrote:

>My computer was infected with Urkel.  Is there anyone knowing how to
>get rid of it?  Also, I couldnot have access to my D drive (harddisk).
>Does this problem result from the virus?

Yes, this is the sign of a virus attack, and so you cannot access your
hard disk. Try to use an anti-virus scanner to get rid of it.

Good luck.


------------------------------

Date: Sun, 07 Apr 1996 05:32:05 +0000 (GMT)
From: Benedict Tam <BTAMHS@cxair.com>
Subject: Re: 634K of RAM--virus? (PC)
X-Digest: Volume 9 : Issue 47

Sayitmean <sayitmean@aol.com> wrote:

>I don't know the name of this virus, but my memory shows 634K.  I can't
>run the 32 bit access through windows.  I looked on the FAQ but didn't see
>any reference to it.  Can someone help?

A decrease in conventional memory (640K) is not caused only by a virus.
Use anti-virus tools to make sure whether your PC was affected by a
virus.

Good Luck

------------------------------

Date: Sun, 07 Apr 1996 16:08:18 +0000 (GMT)
From: Wayne Riddle <riddler@agate.net>
Subject: Re: Does somebody know 'Partitori-B'? (PC)
X-Digest: Volume 9 : Issue 47

Oliver Heidelbach <oheiabbd@fub46.zedat.fu-berlin.de> wrote:

>does anybody ever heard of a virus called 'Partitori-B'?
>
>I have to deal with it, but I can't find any reference,
>not in McAfee's VSUM, not anywhere else.

What program is telling you that you have a virus called
"Partitori-B"? Make sure to include the version of the program you are
using.

Wayne Riddle
riddler@agate.net
http://www.agate.net/~riddler

------------------------------

Date: Sun, 07 Apr 1996 14:49:35 +0000
From: Tarkan Yetiser <tyetiser@yrkpa.kias.com>
Subject: re: Ripper question (PC)
X-Digest: Volume 9 : Issue 47

>This may be an obvious question, but is Ripper at all selective about
>what types of disk writes it interferes with? 

The only thing that is "selective" is the condition it uses to 
activate the damage routine. If the low 10 bits of the DX register 
after an INT 1Ah is 0, then it will swap two words.

>What I'm wondering is if it has the potential to interfere with the
>updating of the physical copy of the FAT table, or directory entries
>on a diskette or hard drive.

It doesn't care about the location. It can damage pretty much 
anywhere on the disk during write attempts if the condition is 
satisfied.

Regards,

Tarkan Yetiser
VDS Advanced Research Group
tyetiser@yrkpa.kias.com
tyetiser@postoffice.ptd.net
VDS-BBS: (717) 846-3873
Latest VDS is at http://home.aol.com/Tyetiser
Or you can get it at http://yrkpa.kias.com/~tyetiser
Or even at http://home.ptd.net/~tyetiser

------------------------------

Date: Sun, 07 Apr 1996 15:01:54 +0000
From: Tarkan Yetiser <tyetiser@yrkpa.kias.com>
Subject: re: An Aftereffect of Natas (PC)
X-Digest: Volume 9 : Issue 47

>:   The DOS interrupts `AX=4E00, int21' & `AX=4F00, int21' read its
>date as : 128 years in the future from correct. :   `DIR /OD' sorts
>affected filenames by date as if the date was 128 years : in the
>future from correct, but yet prints their dates as correct. :
>Sometimes the only clue that NATAS is or has been about, is that DIR
>/OD : sorts file dates wrong. Why is this? Is there a bug in DIR's
>date-printing : routine? Or what? I can't see why DIR's print routine
>needs to ignore the : 128-years bit; if some fault has set a file's
>creation year wildly wrong, : I want to know about it!

>> Well, I think we can assume that Natas uses this 128 years 

Nope. Natas.47xx adds/subs 0C8h to/from the year field. When you 
take the upper 7 bits of that for the year, that translates into 
100 years of adjustment to the date.

> since we are working with 16 bits, I think the layout is like this:

>bit     15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
>                year    | month | day

This is not correct either. The fields are:

   0-4    : Day      ==> 31 days max
   4-8    : Month    ==> 15 months max
   9-15   : Year     ==> 127 years max

>you are right, that there Is a bug somewhere in DIR.  Now, the
>question remains, where?  Some attribute on the file Must be changed,
>probally a bit officialy marked as unused...but DIR must check it

Well, it's a feature :-) DOS counts up to year 2099, not the maximum 
possible of 2107. For example, if you try to set the system date to 
4-7-2100, you will get an invalid date message. 

Regards,

Tarkan Yetiser
VDS Advanced Research Group
tyetiser@yrkpa.kias.com
tyetiser@postoffice.ptd.net
VDS-BBS: (717) 846-3873
Latest VDS is at http://home.aol.com/Tyetiser
Or you can get it at http://yrkpa.kias.com/~tyetiser
Or even at http://home.ptd.net/~tyetiser
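
An added worked example of the arithmetic above; it is mine, not Tarkan's
or VDS's code. The FAT/DOS date is a 16-bit word with the day in bits 0-4,
the month in bits 5-8 and the year since 1980 in bits 9-15, so the whole
year field sits in the high byte, shifted left by one. The model takes the
post's "adds/subtracts 0C8h to/from the year field" to mean byte arithmetic
on that high byte; that reading is an assumption about Natas.47xx, not
something the post states. Under it, 0C8h >> 1 is the 100 years Tarkan
gives, the month bit that shares the high byte is untouched because 0C8h is
even, and the 7-bit year wraps modulo 128. The post's last point, that DOS
stops at 2099 although the field reaches 2107, is what dos_accepts() checks.

```python
DOS_EPOCH = 1980
DOS_MAX_YEAR = 2099     # DOS refuses dates past 2099 (the post's "feature")
NATAS_DELTA = 0xC8      # value the post says Natas.47xx adds to / subtracts from the year byte

def pack_dos_date(year, month, day):
    """Encode a calendar date as a FAT directory-entry date word."""
    if not (DOS_EPOCH <= year <= DOS_EPOCH + 127):
        raise ValueError("year outside the 7-bit DOS range 1980..2107")
    if not (1 <= month <= 12 and 1 <= day <= 31):
        raise ValueError("bad month/day")
    return ((year - DOS_EPOCH) << 9) | (month << 5) | day

def unpack_dos_date(word):
    """Decode a date word into (year, month, day)."""
    return (DOS_EPOCH + ((word >> 9) & 0x7F), (word >> 5) & 0x0F, word & 0x1F)

def natas_shift(word, forward=True):
    """Model of the Natas adjustment (assumption: a byte add on the high
    byte of the date word). The day byte and the month's top bit are left
    alone; the year field moves by 0C8h >> 1 = 100 and wraps modulo 128.
    Subtracting the same constant undoes it exactly."""
    hi, lo = word >> 8, word & 0xFF
    hi = (hi + NATAS_DELTA if forward else hi - NATAS_DELTA) & 0xFF
    return (hi << 8) | lo

def dos_accepts(year):
    """DOS counts years 1980..2099 even though the field can hold up to 2107."""
    return DOS_EPOCH <= year <= DOS_MAX_YEAR

def natas_effect(year, month, day):
    """Return the date DOS would see after the adjustment and whether DOS
    considers it a legal date at all."""
    shifted = unpack_dos_date(natas_shift(pack_dos_date(year, month, day)))
    return shifted, dos_accepts(shifted[0])

if __name__ == "__main__":
    # 1996 lands on 2096 (still printable), 2000 lands on 2100 (DOS rejects
    # it), and 2010 wraps the 7-bit field round to 1982.
    for ymd in ((1996, 4, 7), (2000, 1, 1), (2010, 4, 7)):
        print(ymd, "->", natas_effect(*ymd))
```
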

------------------------------

Date: Sun, 07 Apr 1996 15:13:44 +0000
From: Tarkan Yetiser <tyetiser@yrkpa.kias.com>
Subject: re: Viruses that reset top of memory (PC)
X-Digest: Volume 9 : Issue 47

From: "Jamon E. Bailey" <JB0269A@american.edu> wrote:

>I have a question concerning viruses that bite off the last 1K of
>conventional memory and cause DOS to report a total of 639K of
>conventional memory.  Suppose I was sure that my computer had a virus
>at that location in memory.  Would it be possible to write a program
>that would overwrite that 1K of memory and remove the virus from
>memory even it was a stealth virus?

Not exactly. You need to understand why the virus needs that 1K. Most 
boot sector viruses load themselves in that 1K, and also redirect 
disk access to their handler. After DOS comes up, it stores the virus 
disk access handler address inside its kernel data area. Now, every 
disk access will go thru the virus handler, which is at the top of 
memory. If you overwrite it, then you will get bizarre results. The 
correct way to handle a case like this would be to find the virus 
handler in memory, and find the original disk access handler address 
and then patch the virus code in memory. That way, the virus handler 
becomes a pass-thru, and you would be able to gain access to the disk 
without the virus interfering. Of course, this assumes that the virus 
is not checking for this sort of thing...

In many common boot sector incidents, the above procedure is simple 
and very effective even without needing to boot clean. Note that this 
is handled on a virus-by-virus basis. When in doubt, you should find 
a clean diskette and boot off of that first. Once the virus is no 
longer in control, you can pop in your emergency diskette and restore 
your MBR or BR. You do have an E-disk, don't you :-)

Regards,

Tarkan Yetiser
VDS Advanced Research Group
tyetiser@yrkpa.kias.com
tyetiser@postoffice.ptd.net
VDS-BBS: (717) 846-3873
Latest VDS is at http://home.aol.com/Tyetiser
Or you can get it at http://yrkpa.kias.com/~tyetiser
Or even at http://home.ptd.net/~tyetiser
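
The scheme Tarkan describes, as an added model of my own (not code from his
post or from VDS). A flat bytearray stands in for the 640K of conventional
memory, the BIOS data area word at 0040:0013 holds the memory size in KB,
and the interrupt vector table holds offset:segment pairs little-endian, as
on a real PC. The virus lowers that word by one, copies itself to the 1K it
just hid, and points INT 13h at it; DOS then caches that address at boot.
Wiping the 1K leaves DOS jumping into garbage, while patching the virus
entry point with a far JMP (EA offset segment) to the saved original vector
turns it into the pass-through he recommends. Everything here is
constructed: the BIOS entry point F000:EC59, the virus body, and the offset
at which it keeps the saved vector are assumptions, and locating that
offset in a real virus is the virus-by-virus part he mentions.

```python
import struct

KB = 1024
BDA_MEMSIZE = 0x0413            # 0040:0013, conventional memory size in KB
IVT_INT13 = 0x13 * 4            # 0000:004C, INT 13h (disk services) vector
BIOS_INT13 = (0xF000, 0xEC59)   # assumed BIOS entry point; any ROM address will do
SAVED_VEC_OFF = 0x10            # where this toy virus keeps the original vector
VIRUS_TAG = b"TOY-BSV-BODY"     # constructed marker so the model can recognise its code
VIRUS_BODY = VIRUS_TAG.ljust(0x20, b"\x90")

class RealModeMemory:
    def __init__(self, memsize_kb=640):
        self.mem = bytearray(memsize_kb * KB)
        self.write_word(BDA_MEMSIZE, memsize_kb)
        self.set_vector(IVT_INT13, *BIOS_INT13)
        self.dos_cached_int13 = None

    def read_word(self, addr):
        return struct.unpack_from("<H", self.mem, addr)[0]

    def write_word(self, addr, value):
        struct.pack_into("<H", self.mem, addr, value)

    def set_vector(self, slot, seg, off):
        struct.pack_into("<HH", self.mem, slot, off, seg)

    def get_vector(self, slot):
        off, seg = struct.unpack_from("<HH", self.mem, slot)
        return seg, off

    def memsize_kb(self):
        return self.read_word(BDA_MEMSIZE)

    def dos_boot(self):
        # DOS records the INT 13h address it finds at boot in its own data area
        self.dos_cached_int13 = self.get_vector(IVT_INT13)

def install_virus(m):
    """What the boot-sector code does: steal 1K, copy itself there, hook INT 13h."""
    m.write_word(BDA_MEMSIZE, m.memsize_kb() - 1)       # 640 -> 639 ("639K total")
    seg = m.memsize_kb() * KB // 16                      # 639K -> segment 9FC0h
    body = bytearray(VIRUS_BODY)
    old_seg, old_off = m.get_vector(IVT_INT13)
    struct.pack_into("<HH", body, SAVED_VEC_OFF, old_off, old_seg)  # kept for chaining
    m.mem[seg * 16 : seg * 16 + len(body)] = body
    m.set_vector(IVT_INT13, seg, 0)

def int13_looks_hijacked(m, expected_kb=640):
    """Heuristic: the memory size shrank and INT 13h points into the hidden slice."""
    seg, off = m.get_vector(IVT_INT13)
    phys = seg * 16 + off
    return m.memsize_kb() < expected_kb and m.memsize_kb() * KB <= phys < expected_kb * KB

def dispatch_int13(m):
    """Follow the address DOS cached, honouring a far JMP (EA off seg) patch."""
    if m.dos_cached_int13 is None:
        raise RuntimeError("DOS not booted in this model")
    seg, off = m.dos_cached_int13
    for _ in range(4):
        phys = seg * 16 + off
        if phys >= len(m.mem):                  # ROM address: the real BIOS handler
            return "bios"
        if m.mem[phys] == 0xEA:                 # JMP FAR ptr16:16
            off, seg = struct.unpack_from("<HH", m.mem, phys + 1)
            continue
        if m.mem[phys : phys + len(VIRUS_TAG)] == VIRUS_TAG:
            return "virus"
        return "garbage"                        # DOS would execute whatever is here
    return "loop"

def neutralize_in_place(m):
    """The post's approach: recover the saved original vector from the virus
    body and overwrite the virus entry with a far jump to it. DOS keeps
    calling the same address, but the handler is now a pass-through."""
    seg, off = m.get_vector(IVT_INT13)
    phys = seg * 16 + off
    saved_off, saved_seg = struct.unpack_from("<HH", m.mem, phys + SAVED_VEC_OFF)
    struct.pack_into("<BHH", m.mem, phys, 0xEA, saved_off, saved_seg)
    return saved_seg, saved_off

def wipe_handler(m):
    """The questioner's idea: just overwrite the stolen 1K."""
    top = m.memsize_kb() * KB
    m.mem[top : top + KB] = bytes(KB)

def scenario(clean_with):
    """Infect, boot DOS, then apply one of the two cleanups; return what
    DOS's disk calls reached before and after."""
    m = RealModeMemory()
    install_virus(m)
    m.dos_boot()
    before = (m.memsize_kb(), int13_looks_hijacked(m), dispatch_int13(m))
    clean_with(m)
    return before, dispatch_int13(m)

if __name__ == "__main__":
    print("patch to pass-through:", scenario(neutralize_in_place))
    print("wipe the 1K:          ", scenario(wipe_handler))
```

On a real DOS box the equivalent of int13_looks_hijacked() is MEM reporting
639K against the 640K the BIOS setup shows, and DEBUG's "d 0:4C L4" showing
an INT 13h vector that points at 9FC0:0000 instead of into the BIOS ROM.
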

------------------------------

Date: Sun, 07 Apr 1996 14:36:29 -0500
From: "John K. Harris" <jkharris@airmail.net>
Subject: AntiCMOS on JAZZ16 Inst. Disk (PC)
X-Digest: Volume 9 : Issue 47

I (Actually McAfee) found the ANTICMOS virus on my MediaVision JAZZ16 
soundcard installation disk.  I'm 80% sure it originated there, as it's 
not on any of my other recently used floppies.

Be sure to check yours if you have it.

The diskette is a 3 1/2" black diskette with a B/W label that says "JAZZ 
16/IDE SOUND CARD INSTALLATION DISK".

Immediately after booting with this diskette accidentally left in the 
drive, Windows 95 tried to come up and complained that my boot partition 
had changed, it was probably a virus, and that it would be running in 
MS-DOS compatibility mode until I fixed it.  

john k. harris
jkharris@airmail.net

------------------------------

Date: Mon, 08 Apr 1996 00:50:49 +0300 (EET DST)
From: "Mikko H. Hypponen" <Mikko.Hypponen@datafellows.com>
Subject: Re: Trabajo_hacer.b Virus (PC)
X-Digest: Volume 9 : Issue 47

Richard Buchanan <Richard_Buchanan_at_BOSA01@ed.gov> wrote:

> Our network is showing occassional infections of
> "trabajo_hacer.b (MBSR virus) 
 
Do note that the network itself has nothing to do with the spread 
of the virus: it's a boot sector virus and only travels on 
floppies.

> (espejo by F-PROT)

Current versions of F-PROT detect this virus by its CARO name
Fifteen_Years. I recall it was renamed in F-PROT version 2.22.
							      
> I have heard some "rumors" that the virus must be removed by
> April or it will cause some HD damage.                      

Indeed it does, and I'm afraid you're already late. The virus 
activates on April 7th (which is the date when I received the
virus-l digest your message was in), and overwrites parts of the 
hard drive with a Spanish message.

For a full description, please see the virus description database
at http://www.DataFellows.com/.

- - 
	 Mikko Hermanni Hyppönen - Mikko.Hypponen@DataFellows.com  
   Data Fellows Ltd's F-PROT Pro Support: F-PROT-Support@DataFellows.com
 Computer virus information available via web: http://www.DataFellows.com/
Paivantaite 8, 02210 Espoo, Finland. Tel +358-0-478444, Fax +358-0-47844599

------------------------------

Date: Mon, 08 Apr 1996 15:28:18 +0000 (GMT)
From: Ken Stieers <ken_stieers@ontrack.com>
Subject: Re: McAfee Scan 2.3.0. Genuine? (PC)
X-Digest: Volume 9 : Issue 47

Is it a beta?  They did release a 2.3.0 beta version, but since it didn't 
fulfill all the promises made for 2.3.0, they released it as 2.2.A. 

Ken 

- - 
Views expressed herein are not necessarily the views 
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               |  Minneapolis - 1.800.872.2599       * 
* AV Research/Apps. Eng.    |  Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  |  Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     |  London - 0800 24 39 96             *
* Eden Prairie, MN          |  Japan - 81.429.32-6365             *
*******************************************************************

------------------------------

Date: Mon, 08 Apr 1996 15:41:50 +0000 (GMT)
From: Ken Stieers <ken_stieers@ontrack.com>
Subject: Re: Jackal.B (PC)
X-Digest: Volume 9 : Issue 47

You may be ok, but note everything that Bruce mentioned about FDISK /MBR.

As a side note, the writer of Jackal.B pirated the boot record that 
DiskManager 6.x (ships with Western Digital drives) installs, and uses it
to load his virus.  Hence the false alarm on some machines.  

Ken

- - 
Views expressed herein are not necessarily the views 
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               |  Minneapolis - 1.800.872.2599       * 
* AV Research/Apps. Eng.    |  Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  |  Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     |  London - 0800 24 39 96             *
* Eden Prairie, MN          |  Japan - 81.429.32-6365             *
*******************************************************************

------------------------------

Date: Mon, 08 Apr 1996 11:02:24 -0700
From: Clark Allen <clark.allen@odyssey.on.ca>
Subject: ANTI VIRUS AND FIX YOUR PC FAST (PC)
X-Digest: Volume 9 : Issue 47

CSI Computer Diagnostics now has available solutions for any of the 
following on PCs. Please email me at clark.allen@odyssey.on.ca or fax me 
toll free at 800-410-5202 anywhere in Canada or the US for further 
information on any of these solutions.

Drive Crashes
Data Loss
Windows Problems
Memory Problems
CD-ROM Problems
Hardware Component failure
IRQ/DMA conflicts
PC upgrades
Configuration Problems
Dead PCs
Hard Drive installation or repair
Viruses
Intermittent failures
Lack of Hardware specifications
File Server crashes or downtime
Network design or upgrades
CNE certification

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 47]
*****************************************


