Message-Id: <01I3EEEWQ4GQSKU6UC@csc.canterbury.ac.nz>
Date: 	Thu, 11 Apr 1996 02:42:02 +1200 (NZT)
Reply-To: virus-l@Lehigh.EDU
Sender: owner-virus-l@Lehigh.EDU
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>
Subject: VIRUS-L Digest V9 #48
MIME-version: 1.0
Content-transfer-encoding: 7BIT
X-Sender: cctr132@cantva.canterbury.ac.nz
X-Listprocessor-Version: 7.2 -- ListProcessor by CREN

VIRUS-L Digest  Thursday, 11 Apr 1996    Volume 9 : Issue 48

Today's Topics:

Re: Is MEANING.EXE a Trojan horse?
Re: HUGE files! What is going on?
Re: Possible danger to Flash BIOS and ROM
Re: Virus Writing? Why Do People Still Do it.
Policies & Procedures
Re: Virus Writing? Why Do People Still Do it.
Trojan Horse detector/protector
Re: Dr Solomon's Virus Stats (March 96)
Re: help- possible virus that causes auto reboot
Re: Virus scanning tools running on Unix? (UNIX)
Re: Unix Virus Scanning Software? (UNIX)
Re: Removal of Antiexe (OS/2,WIN)
Re: McAfee for NT (NT)
Re: concept virus on macintosh (MAC)
Re: MacroWord helper apps... (MAC)
Re: MacroWord helper apps... (MAC,WIN)
Re: MacroWord helper apps... (MAC,WIN)
Re: Possilbe new virus? (WIN95)
Disturbing happenings with McAfee (WIN95)
Re: Calling All Experts? Help! (WIN95)
Re: Calling All Experts? Help! (WIN95)
Re: McAfee95 reports McWhale (WIN95)
McAfee WSCAN Auto start? (WIN)
Re: virus effecting winhelp.exe? (WIN)
Re: Form Virus On A Lan (PC)
Re: Virus Affecting .EXE Copying? (PC)
Re: boot sector locked (PC)
Re: NAV updates (PC)
Re: 10b7 (PC)
Re: Lost Harddrive (PC)
Re: Need Help Removing Stealth_C Virus (PC)
Re: Effectiveness of DOS Scanners in Win95 (PC)
Re: Server DEAD! Virus? Lantastic prob? Netscape prob? (PC)
Re: "loading bootstrap" message (PC)
Re: Need Help Removing Stealth_C Virus (PC)
Re: Help: The IHC-virus does its work! (PC)
Beethoven?? (PC)
Good scanner with smallest TSR memory footprint (PC)
Monkey and partitioned drives (PC)
My disk has a DIVIDE OVERFLOW ERROR? (PC)
Re: AntiExe.a infection from Win95 Workstation? (PC)
Re: Help w/ possible boot sector virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Mon, 08 Apr 1996 21:57:36 +0000 (GMT)
From: John Elsbury <jelsbur@clear.co.nz>
Subject: Re: Is MEANING.EXE a Trojan horse?
X-Digest: Volume 9 : Issue 48

Anthony Garcia <agarcia@starbase.neosoft.com> wrote:

>I noticed the file MEANING.EXE being forwarded around our mail system
>yesterday. 
<snip>

>Has anyone else seen this program, and does anyone know of any possible
>harmful behavior it may exhibit?

I have also seen this - indications are that the program itself - or
at least the copy _I_ saw - does no harm.

The harmful behaviour is people running programs when they don't know
what they might do....

John Elsbury

------------------------------

Date: Tue, 09 Apr 1996 02:21:10 +0000 (GMT)
From: Savio Wong <swong@wat.hookup.net>
Subject: Re: HUGE files! What is going on?
X-Digest: Volume 9 : Issue 48

In article <0001.01I3BNBEFQEYSH3CBI@csc.canterbury.ac.nz>
thompson@achilles.net writes:

>I know this has been discussed before, but I have these huge (1.2 gig)
>files of ascii appearing on my computer.
>
>Is this the action of a virus?

I too encountered some huge (4 gig) files when I used 'dir'.  When I used
the March version of F-Prot, I found the 'burglar' virus.  After cleaning
the infected files, the huge files are back to normal.

I have a 486 system with Dos 6.0.

Regards,

Savio Wong
Waterloo, Ontario
CANADA

p.s. I am the sys-op of my school networks -- two Novell with approx. 60 
workstations.  Both networks were also infected with this nasty Burglar
virus.  We could not run Windows 3.1 for a while because the EMM386.SYS is
infected.  Took me a few days to finally figure out a way to get a clean
workstation to clean the fileserver.  Yikes.

------------------------------

Date: Tue, 09 Apr 1996 05:31:41 +0000 (GMT)
From: Aryeh Goretsky <goretsky@netcom.com>
Subject: Re: Possible danger to Flash BIOS and ROM
X-Digest: Volume 9 : Issue 48

This is a little off-topic but since it may be of interest to readers of
comp.virus I thought I would bring it up:

I did manage to "kill" a Mylex MGPT-PNTM Rev. A motherboard by
accidentally flashing it with a Mylex MGPT-PNTM Rev. B BIOS.  The MGPT-
PNTM Rev. A motherboard does not implement a protected recovery block so
in order to fix this I had to request a new chip from Mylex.  

While awaiting the new chip I ordered an AMI Atlas PCI-II motherboard
which does implement a "programmable bootblock."

Since the AMI motherboard seems to work as well as the Mylex one I have
not bothered to re-install the Mylex motherboard (or even install the new
BIOS into its socket).

I'm just reporting my experiences as an end-user.  For more information,
check out Mylex's WWW site at <URL:http://www.mylex.com> or AMI's site
at <URL:http://www.megatrends.com>.

Regards,

Aryeh Goretsky
 
- - 
______________________________________________________________________________
Mr Aryeh Goretsky                               EMAIL goretsky@netcom.com
627 W Midland Ave                               CompuServe     76702,1714
Woodland Park, CO                               TEL     +1 (719) 687-0480
USA    80863-1100                               FAX     +1 (719) 687-0716

------------------------------

Date: Mon, 08 Apr 1996 21:19:48 -0400
From: George Hill <hill001@sover.net>
Subject: Re: Virus Writing? Why Do People Still Do it.
X-Digest: Volume 9 : Issue 48

Alex Ross wrote:

> My question is, who writes these and where do they come from?
> Could replies be submitted to the newsgroup.

Why do people do anything stupid and hurtful to other people?

------------------------------

Date: Tue, 09 Apr 1996 11:26:50 -0400
From: "Richard M. Entrup" <riche@pipeline.com>
Subject: Policies & Procedures
X-Digest: Volume 9 : Issue 48

Does anyone have any documentation that covers Virus Protection Policies
and Procedures in a Corporate Environment? Any help is appreciated. 

Please email responses to squilliv@itg.viacom.com or I will forward for
you. 

Thank You

------------------------------

Date: Tue, 09 Apr 1996 15:43:04 +0000 (GMT)
From: Matthew Kennedy <q9522772@usq.edu.au>
Subject: Re: Virus Writing? Why Do People Still Do it.
X-Digest: Volume 9 : Issue 48

Alex Ross <alexross@alex01.idiscover.co.uk> writes:

>My question is, who writes these and where do they come from?
>Could replies be submitted to the newsgroup. 

What do you mean by *still*?  What makes you imply the writing of virii 
is redundant these days?

From my personal research I have found the following.  Let's categorise the 
different virus authors.

1.      Lots of virii are simple, uninspiring bombs - ie on 1st execution 
	they wipe your hard drive.  What could be simpler?  The motives 
	of these authors are anyone's guess.

2.      Lots of virii are produced by some virus creation program.  Yes, 
	there are such programs.  Creation of virii boils down to a few 
	'clicks' of a mouse.  The beholder of such a program need therefore 
	know nothing about the technical details of virus construction.

Moving further up the chain....

3.      There are plenty of clever dicks who get some virus code, tweak it 
	so it won't be picked up by the current scanner, then reassemble it.  
	Voila - a new strain!  Again - no skill involved.

4.      The _TRUE_ writer of virii is someone who really 
	understands the operating system, knows how their virus might be 
	detected and then counters it - you know - stealth, polymorphism 
	etc.  A decent few of these programmers do not support wanton 
	destruction of files, drives, even hardware.

The motives for group 4?  Well it's a challenge isn't it - with such a 
broad range of virus scanners these days?  It's survival of their smart 
program in a harsh environment of scanners - I suppose.  

Matt

------------------------------

Date: Tue, 09 Apr 1996 15:40:12
From: Joshua Ecklund <BEcklund@news-e2c.gnn.com>
Subject: Trojan Horse detector/protector
X-Digest: Volume 9 : Issue 48

Does anyone know of a good Trojan Horse protector?? I could really use one 
because I am running a BBS and I don't want anyone trying to ruin my
computer system!

------------------------------

Date: Mon, 08 Apr 1996 22:37:12 +0100
From: "B.MacDonald" <burns@nthwd.demon.co.uk>
Subject: Re: Dr Solomon's Virus Stats (March 96)
X-Digest: Volume 9 : Issue 48

In article <0008.01I3BNBEFQEYSH3CBI@csc.canterbury.ac.nz>, Graham Cluley
<sandspm@cix.compulink.co.uk> writes

>In-Reply-To: <01I30DCRYH72S5UZJP@csc.canterbury.ac.nz>
>
>Here are some statistics from the United Kingdom technical support 
>department of S&S International (developers of Dr Solomon's Anti-Virus 
>Toolkit).

I'm a happy Dr S customer and subscriber who has found your tech support
folks here in the UK to be absolutely 1st class and recommend AVTK at
every opportunity. :+)

Regarding your stats posting, it would be useful if you could also
include a column(s) which showed the infection medium/source, if known
eg; Internet, PC-PC dial-up, cd rom, diskette transfer, etc. These might
prove very interesting and allow people to make more informed judgements
about the risks associated with certain types of communications.

Regards
- - 
B.MacDonald, Northwood, Middlesex, UK
E-mail burns@nthwd.demon.co.uk or burns@dircon.co.uk

------------------------------

Date: Tue, 09 Apr 1996 19:53:07 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: help- possible virus that causes auto reboot
X-Digest: Volume 9 : Issue 48

ebbtide@cris.com writes:

>I am having a problem that I think might be a virus.  Without even
>touching my computer, not even running a program, the computer re-boots
>itself.  Sometimes I can be in the middle of running a program and it
>happens.  There doesn't seem to be any rhyme or reason, it just reboots.
>
>Has anyone had the problem?  Are there any ways to correct it?

We had someone come into our office complaining of the same thing.
I said, you have a loose wire, probably the wire going to your reset
button on the machine chassis.

It turned out, he had just taken his machine apart and the wire was
dangling.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Tue, 09 Apr 1996 10:47 +0000
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Virus scanning tools running on Unix? (UNIX)
X-Digest: Volume 9 : Issue 48

> I'm doing some work with an FTP site and we'd like the ability to scan
> uploaded files on the server. (most of the uploaded files will be from 
> the PC world). Could anyone provide any leads on commercial/ shareware/
> whatever utilities?

Dr Solomon's Anti-Virus Toolkit is available in a Unix version, as well 
as DOS, Windows 3.x, Windows 95, Windows NT, OS/2, and Novell NetWare.  
You can find out more info on our website.  Our Unix version (like our 
other versions) supports all the popular compression formats, scanning 
recursively inside ZIP, ARJ, ARC, LZH, PKLite, LZExe, ICE, Diet, MS 
Expand compressed files without writing to the hard disk.

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Tue, 09 Apr 1996 10:47 +0000
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Unix Virus Scanning Software? (UNIX)
X-Digest: Volume 9 : Issue 48

In-Reply-To: <01I37FTNL19GSH3CBI@csc.canterbury.ac.nz>
Charles Henrich <henrich@crh.cl.msu.edu> writes:

> I've been scouring the net for the last hour or so and have yet to come
> across any mention of scanning software for unix systems.  Does such a
> beast exist?

Dr Solomon's Anti-Virus Toolkit for Unix was released in the fall of last 
year.

> I'm looking for a program that will go through a directory and unzip zip
> files, un-tar tarfiles, and scan for Mac/PeeCee virus.

Dr Solomon's AVTK for Unix can scan recursively inside ZIP, ARJ, ARC, 
ICE, LZH, DIET, CRYPTCOM, MS EXPAND, PKLITE, LZEXE compressed and 
archived files without writing a single byte to the hard disk.  We do not 
currently support tar but we are adding new formats on a regular basis.  
Dr Solomon's AVTK for Unix scans for PC and Unix viruses - it does not 
currently support detection for Mac viruses.

You'll find more information on our website, or call one of the numbers 
in my sig below.

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Tue, 09 Apr 1996 18:55:33 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Removal of Antiexe (OS/2,WIN)
X-Digest: Volume 9 : Issue 48

fleur-de-lis <hagen@vipunen.hut.fi> writes:
>I have the following problem:

[Inability to remove AntiExe from OS/2 machine with McAfee VirusScan]

1) Please update to the current version.

2) You need to create a clean bootable diskette.  Please follow the
instructions in the manual on how to create such and which programs
to put on that disk.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Tue, 09 Apr 1996 14:30:02 +0000 (GMT)
From: Ken Stieers <ken_stieers@ontrack.com>
Subject: Re: McAfee for NT (NT)
X-Digest: Volume 9 : Issue 48

I haven't tried it, mainly because there are NT specific versions of
McAfee software.  

Ken 

- - 
Views expressed herein are not necessarily the views 
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               |  Minneapolis - 1.800.872.2599       * 
* AV Research/Apps. Eng.    |  Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  |  Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     |  London - 0800 24 39 96             *
* Eden Prairie, MN          |  Japan - 81.429.32-6365             *
*******************************************************************

------------------------------

Date: Mon, 08 Apr 1996 18:29:53 +0000 (GMT)
From: Michael Messuri <MMESSURI@SYMANTEC.COM>
Subject: Re: concept virus on macintosh (MAC)
X-Digest: Volume 9 : Issue 48

In article <0013.01I37FTNL19GSH3CBI@csc.canterbury.ac.nz>, 
dtutor@uclink2.berkeley.edu says...

>Can anyone tell me whether the Symantec Antivirus for Macintosh (SAM) 
>removes the concept macro virus from MS Word files or it simply 
>deactivates, as per the MS 'Scanprot.dot' macro?

The latest version of SAM (ver 4.08) will provide you with the ability to
remove the macro virus from infected files while the previous version of
SAM will only detect infected files.

  Please let me know if there is anything else that I can help you with.

- - 
==========================================================================
Michael Messuri                                       Symantec Corporation
Virus Specialist            http://www.symantec.com/avcenter/avcenter.html
AntiVirus Research Center                                  CIS:  GO SYMWIN
mmessuri@symantec.com                                            GO SYMNEW
US Support:  541-465-8420                                   AOL:  SYMANTEC
European Support:  31-71-353-111        Australian Support:  61-2-879-6577
==========================================================================

------------------------------

Date: Tue, 09 Apr 1996 19:26:43 +0000
From: Szappanos Gabor <szapi@reak.bme.hu>
Subject: Re: MacroWord helper apps... (MAC)
X-Digest: Volume 9 : Issue 48

Ben Danielson <bendan@asu.edu> wrote:

>I have noticed that there are a ton of WordMacro fixit programs out there.
>I have used Microsoft's, Mcafee's, and even edited the normal.dot to
>disable all automacros, to name a few .  I have noticed something that has
>not been discussed here recently. If you use a program that disables the
>automacros, you cannot use the wizards that are a part of the Word
>program.  

The reason for this behaviour is that a Word wizard is nothing else 
but a document template containing (among others) an AutoNew macro. 
Technically when you activate the wizard Word creates a new document 
based on that template and (automatically) runs the AutoNew macro. 
With auto macros disabled this macro won't be run, the wizard is 
therefore not operational.

>This may not matter to most users, but I happen to work at a
>university where people need Word's wizards for training purposes. 

You might want to try the latest version (1.3) of Anti-Macro Kit 
(available at http://www.valleynet.com/~joe/avsingle.html). This 
gives you control over the execution of auto macros (you can disable 
and reenable it any time).

Szapi

------------------------------

Date: Tue, 09 Apr 1996 02:52:11 +0000 (GMT)
From: Bruce Burrell <bpb@stimpy.us.itd.umich.edu>
Subject: Re: MacroWord helper apps... (MAC,WIN)
X-Digest: Volume 9 : Issue 48

Ben Danielson (bendan@asu.edu) wrote:

> I have noticed that there are a ton of WordMacro fixit programs out there.
> I have used Microsoft's, Mcafee's, and even edited the normal.dot to
> disable all automacros, to name a few .  I have noticed something that has
> not been discussed here recently. If you use a program that disables the
> automacros, you cannot use the wizards that are a part of the Word
> program.  This may not matter to most users, but I happen to work at a
> university where people need Word's wizards for training purposes.  I know
> that this discussion is for virus related issues, but I would like to just
> remind AV developers that making a program virus proof and disabling an
> important part of the program is not a viable solution. 
[snip]

   I agree, but this is, I believe, a problem that should be addressed by 
Microsoft, not the AV industry.  While it would be nice if they can 
disable viruses while retaining other functionality, and I suspect that 
VxDs can attain this, let's lay the fault squarely where it belongs: on 
the virus authors first, then on MS.

   -BPB

------------------------------

Date: Tue, 09 Apr 1996 02:25:39 -0500
From: Alan Shutko <ats@hurd193.wustl.edu>
Subject: Re: MacroWord helper apps... (MAC,WIN)
X-Digest: Volume 9 : Issue 48

>>>>> "BD" == Ben Danielson <bendan@asu.edu> writes:

BD> discussion is for virus related issues, but I would like to just
BD> remind AV developers that making a program virus proof and
BD> disabling an important part of the program is not a viable
BD> solution.

Remind Microsoft.  There's not much else AV developers can do.
Esp. since turning off AutoMacros doesn't stop the viruses.
Microsoft needs to modify their design to make it more secure.

- -
Alan Shutko <ats@hubert.wustl.edu> - The Few, the Proud, the Remaining.
Oxymoron: rolling stop

------------------------------

Date: Mon, 08 Apr 1996 12:36:17 -0700
From: Lonnie Howell <lhowell@bright.net>
Subject: Re: Possilbe new virus? (WIN95)
X-Digest: Volume 9 : Issue 48

JaegerSoft wrote:

> I think we may have a possible virus on our systems. The Mcafee and Norton
> AV both show everything as clean.
[snip]
> At first I thought this was a network problem and have been checking
> things with that until the day before yesterday.  Every so often ( There
> was no definite pattern), one of the machines would do the hiccup and
> generate sound out of the speakers.  This sound was that of a poor
> recording with someone saying (kind of unintelligibly) something about over
> and over.  I am not going nuts, this was witnessed by several of our
> people.  It coincided with the cpu usage spikes.
> 
> Since that day, no more sound, but the hiccups continue.

I know of one virus (older) that repeats a message over and over to the 
pc's speaker, it's called Hitler, (that is also what is said over the 
speaker) this is a rather old one, so you might try one of the other 
virus scanners, (tbav, f-prot, etc.) and see if they come up with 
anything. Hope this helps!

 -Lonnie-

------------------------------

Date: Mon, 08 Apr 1996 10:08:23 -0800 (PST)
From: Tim Adamec <TAdamec@smtplink.simsci.com>
Subject: Disturbing happenings with McAfee (WIN95)
X-Digest: Volume 9 : Issue 48

We've recently been struck with a rash of WELCOMB outbreaks at my office
and each time we think we've eradicated it, it comes back.

I was wondering if the following might be a possible entrance point. I
have an isolated Win95 machine that I've verified clean with several
scanners and will become re-infected upon doing the following:

Boot the machine with all of the stuff that comes with McAfee.

Insert an infected diskette into drive A:

Right click in explorer and select the SCAN option added to the menu by
McAfee.

Change the text in the dialog box to A:

What we've noticed is that as soon as you type A: (without pressing OK,
the Enter key, Cancel, etc.) the drive starts spinning as if being read.
McAfee doesn't complain about anything until after you press OK; it then
says that the computer is infected with WELCOMB. From there on out, it
seems to be.

Any help is greatly appreciated! Please cc any Virus-L posts to me: 

   tadamec@simsci.com.

Thanks!

Tim

------------------------------

Date: Mon, 08 Apr 1996 14:13:56 -0400
From: support@vse.ac-copy.com
Subject: Re: Calling All Experts? Help! (WIN95)
X-Digest: Volume 9 : Issue 48

On: Fri, 05 Apr 1996 01:14:55 -0500
Janis Decker-Frisk <jfrisk@norden1.com> wrote:

...

>Now the problem, twice when I was changing my color from 24 bit to 256
>colors, I have encountered a bizarre graphic. When I change the color
>settings the system need to reboot, after it starts backup the screen
>freezes for a moment, and on it is a graphic that consists of small
>multi colored boxes with characters in them, the most predominate one
>is a "smiley face."
[snip happens]

This is most likely a {badly written | corrupt | old} video driver or,
maybe, a defective video adapter. It would have helped, if you had
included the brand of it and the driver Win95 uses.

> The only other strange thing going on with my computer is that there is a
> file that I cannot delete,
[snip happened again]

And what is the name of that file? In which directory? Could it be you are
trying to delete a {system | temporary} file that actually IS in use?

>Also, just recently I noticed that all .exe files I download off the
>Internet are corrupt.
[last snip for today]

Download off the Internet? What protocol? What program for downloading?
What files? Which modem? Which ISP?... etc, etc...

But again: no virus here!

Ciao, Guido

- 
voerste edv beratung, Theaterstr.22, 52062 Aachen, Germany
fon (++49) (0)241 404 888   |    fax (++49) (0)241 404 876
-

------------------------------

Date: Mon, 08 Apr 1996 23:33:07 -0400
From: "Bruce P. Burrell" <bpb@umich.edu>
Subject: Re: Calling All Experts? Help! (WIN95)
X-Digest: Volume 9 : Issue 48

This sounds much more like a corrupted operating system, given what 
you've used to scan.  DSAVTK (DOS version) is up to v.7.58; you might 
want to grab that off the web using another computer.

   I'd do the following:

   1. Boot from an uninfected Win95 or DOS floppy
   2. Scan with FINDVIRU 7.58; disinfect if necessary.  (I daresay with 
      your name, you should be using F-PROT ;-))
   3. Back up your important files and test them on another computer.  
      Assuming your losses are insignificant, go to (4); otherwise, seek 
      personalized expert assistance.
   4. Reinstall Win95 from floppy or CD, and auxiliary software.
   5. Reboot from the hard drive.

   That has good chances of working, assuming that you don't have a 
hardware problem.  

   -BPB

------------------------------

Date: Tue, 09 Apr 1996 14:14:42 +0000
From: Fridrik Skulason <frisk@complex.is>
Subject: Re: McAfee95 reports McWhale (WIN95)
X-Digest: Volume 9 : Issue 48

In <0016.01I37W48WZM4SH3CBI@csc.canterbury.ac.nz> Graham Cluley
<sandspm@cix.compulink.co.uk> writes:

>In-Reply-To: <01I2UER2C1TGS24DPB@csc.canterbury.ac.nz>
>mezzano@bccom.com writes:
>
>> After I started loading McAfee Win95 virus program to upper
>> memory, I get a message from vshield saying that the McWhale
>> virus may be present or a trace from another operation.
>
>If I may quote the Dr Solomon's Virus Encyclopedia: "Whale is such a 
>large and clumsy virus that on most computers it doesn't actually work at 
>all.

but he was not asking about Whale...McWhale is a totally different
virus...also known as PS-MPC.1124 and PS-MPC.1125.

That does not change the fact that this is probably a false alarm, though.

-frisk

- - 
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Mon, 08 Apr 1996 13:57:55 -0500 (EST)
From: bframpto@eia.doe.gov
Subject: McAfee WSCAN Auto start? (WIN)
X-Digest: Volume 9 : Issue 48

I am running the McAfee WSCAN in Windows for Workgroups and would like 
it to start up and scan when the PC is booted the first time each day.

I can put the WSCAN icon in startup but cannot find a way to have it 
start scanning. (I can put a time in the schedule but that is good for 
that time only and not each time I start the PC.  I can also put the 
DOS version in my autoexec.bat.)

Any ideas?

Brent Frampton
bframpto@eia.doe.gov

------------------------------

Date: Tue, 09 Apr 1996 20:39:19 +0200
From: Gerard Mannig <mannig@world-net.sct.fr>
Subject: Re: virus effecting winhelp.exe? (WIN)
X-Digest: Volume 9 : Issue 48

>On 5 Apr 1996 15:57:17 -0000, "G.h.van den Berg" <guy@net-prophets.co.uk>
>wrote:
>
>>Does any one know of a virus that infects at least winhelp.exe...my
>>copy has corrupted lately and when I reinstall it it corrupts again.
>>The version on the install disks is 256,192 bytes after a windows
>>session that has refused to run winhelp winhelp.exe is now
>>258,150...does any one know what is going on. I have also noticed a
../..]
>You've got the so-called TENTACLE virus, I'd bet.  It affects windows
>executables.  So far, there doesn't appear to be a "cure" other than
>removing ALL .exe's that contain the signature word tentacle....

False. I discovered this virus on March 15 and sent a warning posting
about March 24 in VIRUS-L. AVP (AntiVIRAL toolkit PRO) successfully
detects *and* disinfects Win.Tentacle virus. Unfortunately, AVPlite
('lite' version of AVP) does not handle Windows virus (except
'Boza'/'Bizatch' virus)

I seize the opportunity to announce that checking presence of

C:\TENTACLE.$$$

file is a proof of Win.Tentacle presence ( past or current ) 

Of course, AVP user can successfully handle this virus with UP960325.AVB
weekly update

>Good luck.    [BTW - I think it originally came from a program called
>DOGZCODE.zip.  Ring any bells?]

Wrong. The oldest track of this .ZIP in UseNet is dated March 7th. If
anybody can report me earlier one, I would be very pleased. The precise
name is ADOTPDOG.ZIP which contains a DOGZCODE.EXE

You are the third user to report a Win.Tentacle infection 8-(

Any further detail about AVP can be asked to  vfreidin@cix.compulink.co.uk

Regards,

- ----------------------------------------------------------------
Gerard MANNIG                                    Virus Consultant 
    Phone : +33 (16) 3559-9344     Fax     : +33 (16) 3560-5011               
Report a virus attack: http://www.primenet.com/~mwest/vir-vrf.htm
Member of   R . E . C . I . F 
data +33 1 3415-4959                Voice machine +33 1 3072-9443
=-=-=- I do NOT speak for RECIF unless otherwise specified -=-=-
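
The indicators mentioned in this exchange (the C:\TENTACLE.$$$ marker file, the word "tentacle" inside executables, and WINHELP.EXE growing from 256,192 to 258,150 bytes) can be checked together. The Python script below is an added example, not part of the original posts or of any anti-virus product; the function names, the baseline manifest and the sample tree are constructed for illustration.

```python
import tempfile
from pathlib import Path

MARKER_NAME = "TENTACLE.$$$"   # marker file named in the post above
SIGNATURE = b"tentacle"        # word the quoted poster says infected files contain


def check_marker(drive_root):
    """Return the marker file's path if present in drive_root (any case), else None."""
    for entry in Path(drive_root).iterdir():
        if entry.is_file() and entry.name.upper() == MARKER_NAME:
            return entry
    return None


def contains_signature(path, needle=SIGNATURE, chunk_size=65536):
    """Case-insensitive byte search that also catches matches split across chunks."""
    needle = needle.lower()
    keep = len(needle) - 1      # bytes carried over so a split match is still seen
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return False
            window = (tail + chunk).lower()
            if needle in window:
                return True
            tail = window[-keep:] if keep else b""


def scan_executables(root, baseline):
    """Flag .EXE files whose size differs from a known-good baseline or that hold the string.

    baseline maps lower-case file names to sizes taken from clean install media
    (an assumption of this example; build it before infection is suspected).
    """
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() != ".exe":
            continue
        reasons = []
        size = path.stat().st_size
        expected = baseline.get(path.name.lower())
        if expected is not None and size != expected:
            reasons.append(f"size {size} != baseline {expected} ({size - expected:+d} bytes)")
        if contains_signature(path):
            reasons.append("contains the string 'tentacle'")
        if reasons:
            findings.append((path.name, reasons))
    return findings


def demo():
    """Run both checks over a constructed directory tree (sample data, not a real infection)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        windows = root / "WINDOWS"
        windows.mkdir()
        # Constructed file: 256,192 original bytes plus 1,958 appended bytes = 258,150.
        (windows / "WINHELP.EXE").write_bytes(
            b"MZ" + b"\0" * 256190 + b"Tentacle" + b"\0" * 1950
        )
        (windows / "NOTEPAD.EXE").write_bytes(b"MZ" + b"\0" * 998)   # unchanged file
        (root / "tentacle.$$$").write_bytes(b"")                     # marker, lower case
        baseline = {"winhelp.exe": 256192, "notepad.exe": 1000}
        return {
            "marker_found": check_marker(root) is not None,
            "findings": scan_executables(root, baseline),
        }


if __name__ == "__main__":
    report = demo()
    print("marker file present:", report["marker_found"])
    for name, reasons in report["findings"]:
        print(name)
        for reason in reasons:
            print("   ", reason)
```

A string match or size change on its own only marks a file for closer inspection with a scanner booted from clean media; the size comparison is only as good as the baseline it is given.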

------------------------------

Date: Mon, 08 Apr 1996 10:49:40 -0500 (est)
From: A Bruce Peck <bruce_peck@utgw2.aici.com>
Subject: Re: Form Virus On A Lan (PC)
X-Digest: Volume 9 : Issue 48

>>D3lyr1uM? wrote:

> My lan at work is infected with the form virus, what will get rid of it?

And on Thu, 28 Mar 1996, someone responded:

>>The FORM virus is a boot sector virus.  So, if you have a Novell LAN 
>>for example, the virus will not infect the servers.
- --------------------------------------------------------------------
This is true in that the infection on the workstation will not pass to 
the server and is the most likely scenario in the mind of the original 
writer, but please remember that the server can become infected by 
FORM or most other boot sector viruses by technicians who work with 
the server.  Our company has had four servers infected over time (one 
of them being FORM) by careless technicians who boot a server to DOS 
to run memory diagnostics, etc. via an infected diskette.  Our NLM 
anti-virus software saw the infection immediately upon loading and we 
were able to remove the virus from the server.

Bruce_Peck@aici.com

------------------------------

Date: Mon, 08 Apr 1996 14:15:34 -0400
From: support@vse.ac-copy.com
Subject: Re: Virus Affecting .EXE Copying? (PC)
X-Digest: Volume 9 : Issue 48

On: Thu, 04 Apr 1996 05:29:16 +0000 (GMT)
 "David Stephen Bognaski, Jr" <dsb2u@virginia.edu> wrote:

>I am trying to add a few new programs onto the hard drive from
>floppies and I am unable to transfer any of the .EXE files over
>to my hard drive.
[snip happens]

You want to say that you can copy other files, but none of the .EXE type?
Have you tried renaming one of those files to, say .TST, copy it to the
HDD and rename it back to .EXE? 

I suspect that this will not be successful either.

On the other hand, try creating a short file, say 50 bytes with an editor
and rename it to TEST.EXE, it will copy flawlessly.

I suspect what you are really seeing is a defunct DMA controller, which
has problems transferring anything bigger than 64KB.

You can test that with any decent hardware diagnostics program, Symantec's
NDIAGS comes to mind. But there are plenty of alternatives available on the net.

Good luck!

Ciao, Guido

- 
voerste edv beratung, Theaterstr.22, 52062 Aachen, Germany
fon (++49) (0)241 404 888   |    fax (++49) (0)241 404 876
-

------------------------------

Date: Mon, 08 Apr 1996 18:34:31 +0000 (GMT)
From: Michael Messuri <MMESSURI@SYMANTEC.COM>
Subject: Re: boot sector locked (PC)
X-Digest: Volume 9 : Issue 48

In article <0027.01I37W48WZM4SH3CBI@csc.canterbury.ac.nz>, 
bward@stevens-tech.edu says...

>When I try to scan with NAV, I get a message that says boot sector locked 
>by, a bunch of weird characters. I can then scan the file on the disk, 
>but I can't scan the boot sectors. How can I unlock the boot sectors?

I have seen this type of report from the Stacker disk compression software 
when it encounters a damaged drive.  Should your system be running under a 
disk compression program then you will need to run that program's drive 
integrity checker / drive repair program before the boot sector will
become unlocked.

  Please let me know via private e-mail if you have any other questions.

- - 
==========================================================================
Michael Messuri                                       Symantec Corporation
Virus Specialist            http://www.symantec.com/avcenter/avcenter.html
AntiVirus Research Center                                  CIS:  GO SYMWIN
mmessuri@symantec.com                                            GO SYMNEW
US Support:  541-465-8420                                   AOL:  SYMANTEC
European Support:  31-71-353-111        Australian Support:  61-2-879-6577
==========================================================================

------------------------------

Date: Mon, 08 Apr 1996 18:38:34 +0000 (GMT)
From: Michael Messuri <MMESSURI@SYMANTEC.COM>
Subject: Re: NAV updates (PC)
X-Digest: Volume 9 : Issue 48

In article <0033.01I38O2643KKSH3CBI@csc.canterbury.ac.nz>,
prh1@ix.netcom.com says...

>I'm running win 3.1/dos 6.2 and have Norton AV, ver 3, installed. I'm
>trying to update the program with the UPDATEME.EXE file that I d/l'ed 
[Snip]

Please give the following instructions a try and see if they do not clear 
things up for you:

1. Label 3 formatted 1.44mb floppies:  Norton AntiVirus 3.0  March, 96'
update, disk 1, disk 2, disk 3.

2. Create a temporary directory, for example, UPDATE.

3. Find the location of the Updateme.Exe file. Leave Windows and go to DOS
(not a DOS window). Switch to the directory where the UPDATEME.EXE file is
located, for example, C:\CSERVE\DOWNLOAD\.

4. At the DOS prompt, C:\CSERVE\DOWNLOAD> type UPDATEME.EXE  C:\UPDATE  and 
then hit ENTER. This will expand 4 compressed files into the UPDATE
directory.

5. Switch to the UPDATE directory and at the prompt C:\UPDATE> type
UPDATE.EXE  A:\

6. The Update program will search your hard drive for the path that locates
the NAV directory. If it finds the NAV path, you will be instructed to insert
a floppy and hit any key to begin expanding the compressed files onto the
disk.  You will be prompted when to change disks.

7. If the Update program can't find the path statement in your AUTOEXEC.BAT 
file it prompts you to type the path that locates the NAV directory, for 
example, C:\NAV and hit ENTER. You will be given instructions to proceed 
expanding the installation files onto the 3 floppies.

8. When finished, switch back to the DOS prompt C:\> and you are now ready
to install the update.

9. To install the UPDATE program, insert disk 1 of the 3 installation disks 
that you just made. At the DOS prompt, C:\>  type INSTALL.EXE and the 
instructions on the screen will guide you through the installation
process.

Thanks.

- - 
==========================================================================
Michael Messuri                                       Symantec Corporation
Virus Specialist            http://www.symantec.com/avcenter/avcenter.html
AntiVirus Research Center                                  CIS:  GO SYMWIN
mmessuri@symantec.com                                            GO SYMNEW
US Support:  541-465-8420                                   AOL:  SYMANTEC
European Support:  31-71-353-111        Australian Support:  61-2-879-6577
==========================================================================

------------------------------

Date: Mon, 08 Apr 1996 17:44:50 +0000 (GMT)
From: Michael Messuri <MMESSURI@symantec.com>
Subject: Re: 10b7 (PC)
X-Digest: Volume 9 : Issue 48

In article <0024.01I38O2643KKSH3CBI@csc.canterbury.ac.nz>, 
cjkuo@alumnae.caltech.edu says...

>"Stephen E. Clarke" slcfv@cc.usu.edu writes:
>
>>Does anyone know if any other virus detection program currently detects 
>>and cleans the 10b7 virus besides microsoft anti-virus.  

>No one outside of Symantec seems to know what Central Point called the
>10b7 virus.  And you'd be hard pressed to find anyone at Symantec who does
>either since they support NAV much more than CPAV.
>

Here is the information that I have on the detection of this virus:  while 
CPAV detects this virus under the name 10b7, NAV will find this virus
under the name IMI.1538 while Scan will detect this virus as IMI.A

- - 
==========================================================================
Michael Messuri                                       Symantec Corporation
Virus Specialist            http://www.symantec.com/avcenter/avcenter.html
AntiVirus Research Center                                  CIS:  GO SYMWIN
mmessuri@symantec.com                                            GO SYMNEW
US Support:  541-465-8420                                   AOL:  SYMANTEC
European Support:  31-71-353-111        Australian Support:  61-2-879-6577
==========================================================================

------------------------------

Date: Mon, 08 Apr 1996 20:03:26 +0000 (GMT)
From: Robert Michael Slade <rslade@vcn.bc.ca>
Subject: Re: Lost Harddrive (PC)
X-Digest: Volume 9 : Issue 48

Frode Brean Sorken (fsorken@sn.no) wrote:

: I was trying to help a friend of mine with his PC today. He didn't have 
: proper sound, and his cd-rom wouldn't work in MS-dos modus (he runs with 
:  Windows 95).

Sounds more like driver problems.

: I found that he had several problems, and decided to delete his windows 
: directory, to reinstall it. After using the command "deltree windows", it 

Now, wait a minute.  Were you still *in* Windows?

: all came cribbled. The result of using the "dir" command was a lot of 
: strange symbols. I then decided to check for virus, using the f-prot 
: software. This program was too big for the memory. After restarting the 
: computer, I got the message "non system disk..." (there was no diskettes 

There really isn't enough information here to make a proper 
determination, but ...

: in the diskdrive). Restarting with a systemdiskette in a: worked fine, 
: BUT now, trying to get in contact with the harddrive (typing "c:") 
: results "C: is an invalid drive" (or similar). So now I can't delete the 
: rest of c:, and I can't reinstall any software.

*This* is a fairly distinctive indication of the Monkey virus.  F-PROT 
*should* be able to deal with this: if not, then look for KILLMNK3.ZIP 
and use KILLMONK.

(Of course, given all the preceding, the system may just be screwed up ...)

======================
roberts@decus.ca           rslade@vcn.bc.ca           rslade@vanisl.decus.ca
   "Ignorance is never out of style.  It was in fashion yesterday, it is the
      rage today, and it will set the pace tomorrow." -- Franklin K. Dane
Author "Robert Slade's Guide to Computer Viruses" 0-387-94663-2 (800-SPRINGER)

------------------------------

Date: Mon, 08 Apr 1996 19:05:04 +0000 (GMT)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: Re: Need Help Removing Stealth_C Virus (PC)
X-Digest: Volume 9 : Issue 48

In article <0030.01I3BNBEFQEYSH3CBI@csc.canterbury.ac.nz>
	   tenor@news-e2c.gnn.com "Brian Clark" writes:

> A soon to be ex-student has been downloading infected "porno"
> pictures off the net and contracted this virus. 
> It has spread through the school.

There is no connection between porno pictures and your virus 
problem.  Stealth_C is a boot sector virus, and is almost 
impossible to catch via net access.  It is certainly impossible 
to catch it from a graphic file.  The virus came to you by some 
other route, and possibly some other party.

Since you are revealed to have jumped to one highly suspect 
conclusion in this case, I hope that you will re-examine your 
reasons for believing that the student is guilty of downloading 
pornography.  It has been noted in commercial workplaces that 
perceived victimisation of personnel found to be infected with a 
virus can bring about future non-cooperation with anti-virus 
measures and reporting of problems by the remaining personnel.

- -
CUTIE INVITED                   OF WHISKERS
	     VARSITY HOP                   PARTY A FLOP
			GUY FULL                       Burma-Shave

------------------------------

Date: Mon, 08 Apr 1996 20:24:54 +0000 (GMT)
From: Robert Michael Slade <rslade@vcn.bc.ca>
Subject: Re: Effectiveness of DOS Scanners in Win95 (PC)
X-Digest: Volume 9 : Issue 48

Rucker@ARL.MIL wrote:

: Are Scanners designed for use with DOS 6.x and Win3.x effective in a
: Win95 environment?

Generally speaking, yes.  There are some oddities, but scanners really 
only need to read the file, and, since Win95 is supposed to be designed 
to be compatible with DOS programs, this should be sufficient for 
scanning needs.  Other types of antivirals may have other problems.

: Are DOS scanners just as effective for use in a Win95 environment 
: as scanners designed for use within the Win95 GUI?

My suggestion would be, yes.

: Does it matter whether the code being scanned is a 16-bit or a
: 32-bit program?

At the moment, no.  There is only one program known to successfully 
infect Windows 95 format executable files, and the only successful 
version is not found in the wild.  The major virus problem concerns DOS 
infectors, and, even more importantly, boot sector infectors which are 
basically operating system independent.

: Does it matter whether the code being scanned is real-mode or virtual
: device driver?

Viral code for device drivers has not been particularly successful, so, no.

======================
roberts@decus.ca           rslade@vcn.bc.ca           rslade@vanisl.decus.ca
"If you do buy a computer, don't turn it on." - Richards' 2nd Law of Security
Author "Robert Slade's Guide to Computer Viruses" 0-387-94663-2 (800-SPRINGER)

------------------------------

Date: Mon, 08 Apr 1996 16:24:01
From: Barbara Ecklund <BEcklund@news-e2b.gnn.com>
Subject: Re: Server DEAD! Virus? Lantastic prob? Netscape prob? (PC)
X-Digest: Volume 9 : Issue 48

In article <0001.01I2LFSELJ3CRI6EE6@csc.canterbury.ac.nz> MiCornwell
wrote:

>A few weeks ago our office experienced a major disk crash on one of the
>servers.  At the time I passed it off as a faulty hard drive or some other
>random bug, but now I know it had nothing to do with the hard drive, as
>the same exact problem occured this evening, while performing the exact
>same operation.
>
>About the crash (identical situations both times):  While copying a folder
>containing Netscape 2.0, Eudora, and some other communications tools from
>a workstation's hard drive to the server's hard drive, the server died
>with a message saying a Serious disk error has occured.  After rebooting,
>I rec'd a message saying Missing Operating System.  The first time we took
>the disk to a Data Recovery Specialist who said the disk had started to
>write files all over the front half of the disk (over the FAT etc...) and
>was pretty unrecoverable.  I bought a new HD and restored from backups. 
>This time I just formatted the disk and am doing a restore on it as we
>speak.
[snip]

Try to get the latest data file which was just released in March... It is 
available from McAfee... That might find something... Also, try another 
anti-virus software package, like F-Prot for example....

------------------------------

Date: Tue, 09 Apr 1996 02:45:33 +0000 (GMT)
From: Tim Husted <thusted@rams.alsnet.peachnet.edu>
Subject: Re: "loading bootstrap" message (PC)
X-Digest: Volume 9 : Issue 48

"J. L. Packer" <jpack@nicoh.com> writes:

> I recently dealt with (and hopefully eliminated!) what McAfee identified 
> as anti-cmos, as well as a stealth virus. When I first began experiencing 
> symptoms of these viruses on my pc, I noticed a message at bootup (which I 
> do not recall having seen previously) reading "loading bootstrap". After 
> eliminating the virus infections (I reformatted my hard drive and restored 
> from backup.... just to be on the safe side), my pc no longer displays 
> the mystery message. Question: does anyone know what the "loading 
> bootstrap" business was all about?

Last time I "cleaned" Anti-CMOS with McAfee, I got the same message.
McAfee tech. said that this was a standard boot banner placed by their
cleaner... 

------------------------------

Date: Tue, 09 Apr 1996 12:13:36 +0100
From: "David W. Hanson" <hansond@afrc.garmisch.army.mil>
Subject: Re: Need Help Removing Stealth_C Virus (PC)
X-Digest: Volume 9 : Issue 48

From: Brian Clark <tenor@news-e2c.gnn.com>

>A soon to be ex-student has been downloading infected "porno" pictures
>off the net and contracted this virus. It has spread through the

It is -extremely- unlikely that you got infected from the downloading 
of image files (.GIF, .JPG, .BMP, etc.).  In order to get infected, 
you have to -execute- some kind of code.

>school. Fortunately, McAfee Scan was able to clean the virus from all
>but one machine...my favorite Windows NT 3.51 workstation. According
>to Scan 95, the boot record cannot be cleaned and I must report to
>McAfee for removal instructions. Do I need to wipe out the hard disk

If your boot sector got infected, it is most likely that that 
workstation was infected by a diskette.  It is again -extremely- 
unlikely that you are going to get a boot sector infection from a 
network.  You need to use as many different scanners as it takes 
to get an -exact- identification of the virus in question.  You also 
need to take a look at your diskettes, since they are the transport 
mechanism for boot sector infectors.

>and "volunteer" the student to re-install NT(on 3 1/2s!)? Any
>information would be great!

While the student may have been violating your policies by 
downloading "porno" images, you need to stop chasing illusions and 
find the real source of your virus problems.  OK, we all need 
a scapegoat now and then, but you should be aware that you are 
probably putting the blame in the wrong place for the wrong reason.

David Hanson
Armed Forces Recreation Center Europe
Garmisch-Partenkirchen Germany
hansond@afrc.garmisch.army.mil

------------------------------

Date: Tue, 09 Apr 1996 11:17 +0000
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Help: The IHC-virus does its work! (PC)
X-Digest: Volume 9 : Issue 48

In-Reply-To: <01I3BNBEFQEYSH3CBI@csc.canterbury.ac.nz>
Jens Arnold <Jens.Arnold@Informatik.TU-Chemnitz.DE> writes:

> Dr Solomon's detected the IHC-Virus on our PC, but cannot
> remove it... McAfee and F-PROT do not detect any virus (?).
> The virus corrupts the FAT and changes some other parts
> of the filesystem, so that we have to use "scandisk" every
> time after booting the system to keep the filesystem "alife".
> Has anybody some information about this virus (called IHC by
> Dr Solomons) and how can we remove it? 

Here's some information on this virus from Dr Solomon's (by the way, 
we're now calling it Quandary rather than IHC):

Quandary

Aliases: IHC, Parity.boot.enc, Newboot_1, Boot-c

Quandary is a stealthing boot sector virus, infecting the boot sectors of 
floppies and the partition sector (MBR) of hard disks.  The virus only 
takes up one sector and in fact the infected partition sector looks very 
similar to an infected floppy disk boot sector.

Part of the beginning of the virus is encrypted (34 bytes).  This is an 
attempt to avoid detection by heuristic scanners (the most suspicious 
actions of the virus code are encrypted - memory installation and 
interception of Int_13).

The virus infects write-enabled floppies when they are accessed. Before 
infecting the floppy the virus checks to see whether it has already been 
infected.  It then analyses the diskette parameters (number of FATs, 
number of root directory entries, number of sectors per FAT, number of 
reserved sectors).  The limitations applied allow the virus to infect 
only standard 1.44MB floppies.

Quandary is a stealth virus and the original floppy boot sector is saved at 
the very end of the root directory (head=1, sector=15 on track 0). On the 
hard disk the original partition sector (MBR) is stored in sector 15 (0F) 
of track 0.

I thought FindVirus (the latest shipping version is v7.58) could clean-up 
this virus, but if you're having difficulty try the CLEANPART program 
found in the Dr Solomon's Anti-Virus Toolkit package.

> Notice: The DOS "format"-command cannot wipe this virus!

That's because it has infected the partition sector.  Formatting will get 
rid of everything *apart* from the virus!

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400
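
The storage location given in the post above (original partition sector kept in sector 15 of track 0) can be looked for in a saved copy of a hard disk's first track. This is an added example, not part of the original post and not code from Dr Solomon's; the function names, the assumption that the copy sits on head 0 (so sector 15 is at byte offset 14*512), and the sample track are all constructed here.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 0x1BE       # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"    # last two bytes of a partition or boot sector


def parse_partition_table(sector):
    """Return the used partition entries of a 512-byte sector as
    (status, type, first_lba, sector_count) tuples, or None if the
    sector is not a plausible partition sector (MBR)."""
    if len(sector) != SECTOR or sector[510:512] != SIGNATURE:
        return None
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, TABLE_OFFSET + 16 * i)
        if status not in (0x00, 0x80):   # only valid boot-indicator values
            return None
        if ptype == 0:                   # unused slot
            continue
        if count == 0:                   # a used slot must span sectors
            return None
        entries.append((status, ptype, lba, count))
    if not entries or sum(e[0] == 0x80 for e in entries) > 1:
        return None
    return entries


def find_relocated_mbr(track0):
    """Scan an image of cylinder 0, head 0 for sectors other than
    sector 1 that look like a partition sector. Returns a list of
    (chs_sector_number, entries, same_table_as_sector_1).
    A hit is a lead to investigate, not a verdict: boot managers and
    drive overlay software also keep data in track 0."""
    current = parse_partition_table(track0[:SECTOR])
    hits = []
    for lba in range(1, len(track0) // SECTOR):
        entries = parse_partition_table(
            track0[lba * SECTOR:(lba + 1) * SECTOR])
        if entries is not None:
            # CHS sector numbers are 1-based, so LBA 14 is sector 15.
            hits.append((lba + 1, entries, entries == current))
    return hits


def build_sample_track(relocated_to=None, sectors=63):
    """Constructed test data: a 63-sector track with one FAT16 partition.
    With relocated_to set, the clean partition sector is moved to that
    CHS sector and sector 1 is replaced by placeholder bytes."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\xfe\x3f\x7f", 63, 1000000)
    clean = bytes(TABLE_OFFSET) + entry + bytes(48) + SIGNATURE
    track = bytearray(sectors * SECTOR)
    if relocated_to is None:
        track[:SECTOR] = clean
    else:
        track[:SECTOR] = b"\xcc" * 510 + SIGNATURE   # placeholder, not virus code
        start = (relocated_to - 1) * SECTOR
        track[start:start + SECTOR] = clean
    return bytes(track)


if __name__ == "__main__":
    for label, image in (("clean", build_sample_track()),
                         ("relocated", build_sample_track(15))):
        print(label, find_relocated_mbr(image))
```

Run it against a read-only image of the track rather than the live disk, and keep the image: the sector it points at is what a repair tool would need to put back.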

------------------------------

Date: Tue, 09 Apr 1996 08:56:58 -0400
From: "James P. O'Brien" <jpobrien@kodak.com>
Subject: Beethoven?? (PC)
X-Digest: Volume 9 : Issue 48

I am running Windows NT and I recently seemed to contract the Classical
music virus from hell.  The symptoms are whenever I need to reboot (hard
OR soft, which incidentally is quite often on this quality Intel Brand PC)
the PC Speaker (no sound card) plays the first 4 notes in what I believe
is Beethoven's 5th symphony (though I'm not a classical music expert). 
Da-Da-Da-Dummmm.  It plays the sequence once immediately upon hard reset
and then several times just as NT is booting up (beginning of Microsoft's
beautiful blue screen).  On soft restarts, only the several tunes play. 
The company who built the system got a chuckle (Avnet)... Ha, Ha.  They
claim this isn't any trouble tone they are familiar with.  Intel support
was clueless.  Other than this annoyance, nothing else seems to be
happening.

McAfee found nothing (though my version is a year old).

Has anybody seen or heard of this virus with classical taste??  Has it 
possibly attacked the BIOS (hard-boot thing)??

jpobrien@kodak.com

------------------------------

Date: Tue, 09 Apr 96 9:58
From: "Chastain, Brian" <chastaib@stifel.com>
Subject: Good scanner with smallest TSR memory footprint (PC)
X-Digest: Volume 9 : Issue 48

I just subscribed to the list, and I downloaded and read the FAQ like a 
good boy.  I have a question that was not answered on the FAQ but may have 
been discussed in previous postings.  If that's the case, I apologize for 
the duplication - please point me towards the appropriate digests if you 
think that would help me.

We're beginning to have some problems with viruses here, notably the 
FORM virus.  While this isn't a destructive virus, it is, nevertheless, a 
pain in the butt.  Anyway, my boss wants me to look into virus detection
for our company.  Myself and several others in my department are using
Norton's Anti-Virus, and it seems to be working nicely.

My main concern, however, is memory overhead.  The NAVTSR occupies 30K 
of RAM.  I took a look at F-PROT, and their TSR occupies over 40K of RAM.

Since we're a token-ring network, and token-ring drivers are 
notoriously large, we can't afford to give up that much memory.

My question (finally!) is, which scanning program is effective, yet has 
the smallest TSR footprint?

Thanks for your time,

Brian
 -----
Brian Chastain, LAN Administrator
USnail: Stifel, Nicolaus, 500 N. Broadway, St. Louis, MO  63102
E-mail: chastaib@stifel.com  Voice:314-342-2211 FAX: 314-342-2707

------------------------------

Date: Tue, 09 Apr 1996 10:51:07 -0500 (CDT)
From: Jarrod Henry <JARRODH@ASMS3.k12.ar.us>
Subject: Monkey and partitioned drives (PC)
X-Digest: Volume 9 : Issue 48

Here's how it is.  If you have Monkey on a multi partitioned (yes 
Double / Drive Space users, that means you), and you run FDISK /MBR, 
it is gone.  You have to reformat and start over.  I know this 
because I sent my computer in, and those idiots ran FDISK with the 
MBR command, and shot my hard drive out of the water.  

The reason is this....  (I think)

You replace the partitioned (and infected) header with a normal 
(unpartitioned) header.  This causes the disk to not understand how 
to read itself.  Thus, all data is lost (unless you wish to rewrite 
your MBR by use of a disk utility).

BTW, I learned this from experience.

Jarrod Henry
jarrodh@asms3.k12.ar.us

------------------------------

Date: Tue, 09 Apr 1996 18:47:00 +0000 (GMT)
From: Peter Pieda <ppieda@engr.mun.ca>
Subject: My disk has a DIVIDE OVERFLOW ERROR? (PC)
X-Digest: Volume 9 : Issue 48

I had a virus on my disk. Removed antiExe and antiCMOS from it. Now, 
whenever you try to scan it with a virus program (f-prot) it causes a
- this program caused a divide overflow error - error. 
Do I still have a virus on the disk?

Is it a new virus?

Do I have the obliterated results of a virus?

- -
*****************************************************************}-
** Peter Pieda              | "It's hard to feel imposing when ***}-
** Faculty of engineering   |  people are laughing at you ..   *****}- 
** Memorial University, NF  |           - Peter Pieda  ***********}-

------------------------------

Date: Tue, 09 Apr 1996 19:00:41 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: AntiExe.a infection from Win95 Workstation? (PC)
X-Digest: Volume 9 : Issue 48

"Walter C. Dove" <dove.walter@epamail.epa.gov> writes:

>Had a visit today from a vendor, all four of their demo installation
>diskettes were infected with common AntiExe.a (it was a Windows 3.1
>application, standard Windows app. installation diskettes).
>
>As usual, the diskettes were write enabled, and the rep. was essentially
>clueless:  the last site visit the rep had done was a demo using an
>Intel/IBM/ISA machine running Windows 95.
>
>Is it credible that the infection with AntiExe.a was from the Win95
>machine, or is it more likely that it occurred earlier?

In most cases, Win95 machines can be infected with boot viruses but will
not spread them.

So in all likelihood, the diskettes were infected by something other than
a Win95 machine.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Tue, 09 Apr 1996 20:16:05 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Help w/ possible boot sector virus (PC)
X-Digest: Volume 9 : Issue 48

>[Moderator's note:  Or maybe he should just take VirusScan out of his
>AUTOEXEC until McAfee fix what sounds like a false positive??
>
>Over the last few weeks there have been a large number of similar reports
>of VirusScan finding (traces of) viruses in memory at boot up under Win95
>and no other reputable scanners finding anything--would someone from
>McAfee's like to comment?]

Read the documentation?  :-)

In the original post, the person mentioned having MSAV.  That's a
well known incompatibility.  Being from McAfee, we recommend that you
throw away MSAV.  But I'm sure I can find any number of recommendations
from other people also to that effect.

However, the documentation for Scan95 mentions something about the usage of
memory management programs as it relates to this area.

Jimmy
cjkuo@mcafee.com

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 48]
*****************************************


