From lehigh.edu!owner-virus-l  Thu Apr 11 16:50:05 1996 remote from vhc
Received: by vhc.se (1.65/waf)
	via UUCP; Thu, 11 Apr 96 19:47:16 GMT
	for mikael
Received: from fidoii.CC.Lehigh.EDU by mn3.swip.net (8.6.8/2.01)
	id QAA07747; Thu, 11 Apr 1996 16:50:05 +0200
Received: from Lehigh.EDU ([127.0.0.1]) by fidoii.cc.lehigh.edu with SMTP id <40268-91614>; Thu, 11 Apr 1996 09:53:04 EDT
Received: from nss2.CC.Lehigh.EDU ([128.180.1.26]) by fidoii.cc.lehigh.edu with ESMTP id <40262-99040>; Thu, 11 Apr 1996 09:50:43 EDT
Received: from cantva.canterbury.ac.nz (cantva.canterbury.ac.nz [132.181.30.3]) by nss2.CC.Lehigh.EDU (8.7.1/8.7.1) with ESMTP id JAA121271 for <virus-l@lehigh.edu>; Thu, 11 Apr 1996 09:49:51 -0400
Received: from 132.181.30.207 ("port 1027"@132.181.30.207)
 by csc.canterbury.ac.nz (PMDF V5.0-6 #7295)
 id <01I3FQNPROCUSKU6UC@csc.canterbury.ac.nz> for virus-l@lehigh.edu; Fri,
 12 Apr 1996 01:49:13 +1200
Message-Id: <01I3FQNQ0S3KSKU6UC@csc.canterbury.ac.nz>
Date: 	Fri, 12 Apr 1996 01:38:04 +1200 (NZT)
Reply-To: virus-l@Lehigh.EDU
Sender: owner-virus-l@Lehigh.EDU
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>
Subject: VIRUS-L Digest V9 #49
MIME-version: 1.0
Content-transfer-encoding: 7BIT
X-Sender: cctr132@cantva.canterbury.ac.nz
X-Listprocessor-Version: 7.2 -- ListProcessor by CREN

VIRUS-L Digest    Friday, 12 Apr 1996    Volume 9 : Issue 49

Today's Topics:

Re: Mcafee 2.2.11 Word DOC problem?
Re: Virus scanning tools running on Unix? (UNIX)
Re: Calling All Experts? Help! (WIN95)
Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
Re: Cmos-corrupting Virus (Monkey?) (PC)
Scream 2b virus (PC)
Re: Need Help Removing Stealth_C Virus (PC)
Re: 634K of RAM--virus? (PC)
Re: anticmos?? Help (PC)
Re: how to get rid of Urkel (PC)
Re: Jerus X (PC)
Re: "loading bootstrap" message (PC)
Re: McAfee Scan 2.3.0. Genuine? (PC)
Re: WelcomB Virus (PC)
Re: ANTI-CMOS virus (PC)
Re: AntiCMOS virus (PC)
Re: Could this be a virus? (PC)
Re: Help: The IHC-virus does its work! (PC)
Re: Multiple boot sector infections (PC)
Re: Trabajo_hacer.b Virus (PC)
Burglar 1150 virus on a Novell Network -- HELP!!! (PC)
Re: MS Macro Virus Tool (PC)
What AV software should I get? (PC)
SVC Virus (PC)
Re: !DELWINBOOT.sys (PC)
Re: One Half virus - help! (PC)
Re: Help with Diablo virus (PC)
Re: Readiosys - is it real? (PC)
Analyze.exe--Trojan Warning!! (PC)
Telecom PT1 (PC)
Re: Anti exe virus (PC)
Where to get a virus check up grade? (PC)
Re: An Aftereffect of Natas (PC)
Re: Stoned that Went Away & AntiCMOS in SUHDLOG.DAT (PC)
Re: "loading bootstrap" message (PC)
Re: Urkel virus (PC)
Re: Winword/Scanprot/FProt questions (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Wed, 10 Apr 1996 01:24:00 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Mcafee 2.2.11 Word DOC problem?
X-Digest: Volume 9 : Issue 49

John Bongiovanni <bongo@alumnae.caltech.edu> writes:

>For some reason I can't get Mcafee Scan 2.2.11 to reliably scan for
>macro viruses in Microsoft Word DOC files.
>
>For example, if I'm in a subdirectory with other subdirectories under it
>which contain DOC files, the command
>
>SCAN *.* /SUB
>
>only seems to scan DOC files that are in the same directories as EXE
>files.  Also, the command
>
>SCAN *.DOC /SUB
>
>doesn't find anything to scan, though there are plenty of DOC files there.
>
>These behaviors are verified by using /RPTALL.

Scan does scan the DOC files.  But it figures out that they are not 
templates.  So it doesn't take credit for "scanning" them.  If it was a
template, it would have scanned them.

This is actually a matter in its reporting.  The scanning activity
actually does take place.

>-- 
>FINGER for PGP public key - John T Bongiovanni <bongo@alumni.caltech.edu>

Hi John.

Jimmy
cjkuo@alumni.caltech.edu, I mean cjkuo@mcafee.com

------------------------------

Date: Tue, 09 Apr 1996 20:43:04 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Virus scanning tools running on Unix? (UNIX)
X-Digest: Volume 9 : Issue 49

Tom KC Basham <thunk@cris.com> writes:

>I'm doing some work with an FTP site and we'd like the ability to scan
>uploaded files on the server. (most of the uploaded files will be from the
>PC world). Could anyone provide any leads on commercial/shareware/whatever 
>utilities?

Please specify the UNIX you're running.  As you probably know, one
object module does not work for all *IX.

McAfee offers a Linux and a Solaris (4, I think) scanner for PC viruses
as would be used in your situation.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Wed, 10 Apr 1996 01:44:13 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Calling All Experts? Help! (WIN95)
X-Digest: Volume 9 : Issue 49

Janis Decker-Frisk <jfrisk@norden1.com> writes:

>I am running Windows95, I have Dr. Solomon's Toolkit for Win95 V7.55 and 
>a current version of PC-Cillian loading on start up and running in the 
>background. I have IBM Anti-Virus v2.4.1 set to scan the same time every 
>day. All anti-virus tools were installed properly.  My CMOS is set to 
>not allow floppy boots and I scan all files I download or I insert into 
>my drives. I am very diligent, a year ago I had Anti-EXE on my system, 
>and I learned an expensive lesson. Now the problem, twice when I was 
>changing my color from 24 bit to 256 colors, I have encountered a 
>bizarre graphic. When I change the color settings the system need to 
>reboot, after it starts backup the screen freezes for a moment, and on 
>it is a graphic that consists of small multi colored boxes with 
>characters in them, the most predominate one is a "smiley face." What 
>concerns me is that I am quite sure I have seen an identical graphic on 
>a web page that had virus screen shots. The only other strange thing 
>going on with my computer is that there is a file that I cannot delete, 
>I have tried deleting it in DOS, in Windows, using Uninstaller, I have 
>tried renaming it, and changing the attributes, but I always get a 
>message "access denied." Also, just recently I noticed that all .exe 
>files I download off the Internet are corrupt. So, I had the line 
>checked, bought a new modem, and checked with my ISP, but still I have 
>this problem. I realize that these problems could be totally unrelated 
>to the graphic, but I am giving you all the dirt on my computer. I have 
>not received any indication from any one of the scanners that I have a 
>virus on my system. Any assistance would be greatly appreciated, I setup 
>peoples systems for Internet access and I would hate to think I was 
>infecting anyone's system. Please respond to me personally through my 
>e-mail as well as posting on Virus-L, if you have any suggestions.

happy faces: that's the character associated with ascii 1.  If you get
a momentary flash of all smileys, it would appear that your memory is
initialized to 1s.

cannot delete files: there are many files that you cannot delete.  They
are usually hidden, system files.  They usually are swap files or some
other system related file.  To remove them, you would have to change
their attributes first.  But you really don't want to remove them.
What's the name of the file you're interested in?

AVTK + PC-cillin: are you saying that both are resident and active
throughout?  If so, pick just one.  You should only be using one TSR/VxD
at any one time.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Tue, 09 Apr 1996 20:25:03 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
X-Digest: Volume 9 : Issue 49

Iolo Davidson <iolo@mist.demon.co.uk> writes:
[some snipping]
>Ok, I see your problem.  You were testing against a collection of 
>viruses.  FindVirus goes into a rapid "review" mode when it 
>encounters more than about ten different viruses on a computer.  
>It does this because the situation is an unreal one indicating 
>that someone is doing a performance test, not coping with a 
>genuine virus outbreak.
>
>If you want it to do the exact identification that it would 
>normally do, there is a command line switch that makes it stay in 
>precise identification mode.  I think it is /IDENTIFY. 
>
>> I do know that these examples are somewhat arbitrary, and I still do
>> believe that both products are among the best in their class, but I also do
>> believe that we can draw at least some conclusions from these results.
>
>The conclusion is that you ran it on a collection of viruses and 
>it went into "review" mode.  The word "like" is the giveaway.  

I am constantly hearing about "independent reviews" which give
S&S a very high ranking.

Are you saying that they have a special mode to recognize when they're
being tested?  Are the reviewers told about this?

Jimmy
cjkuo@mcafee.com

PS.  I always thought my job was to help users.  I guess I'll have to
add "win reviews" to my job duties.  *sigh*

------------------------------

Date: Tue, 09 Apr 1996 16:29:55 -0400
From: Doug Muth <dmuth@oasis.ot.com>
Subject: Re: Cmos-corrupting Virus (Monkey?) (PC)
X-Digest: Volume 9 : Issue 49

In article <0027.01I37FTNL19GSH3CBI@csc.canterbury.ac.nz>, Wayne Shanks
writes:

: There is now a full blown epidemic in the Maryland area (maybe overstated, 
: but I know of over 70 computers at dozens of sites infected).  This 
: Virus deletes the Cmos setup info.  You can go back in and reset 
: everything, but at the next reboot you have to do it again.  My father 
: helps run the computer lab at the elementary school where he teaches.  A 
: bunch of the computers in the lab had these problems, and he thought the 
: clock/cmos went bad.  These computers were IBM PS2.  He talked with a 
: tech support guy at IBM, and the Tech guy thought that it was not a 
: Hardware problem, but a new Monkey Virus. The guy said it has popped up 
: in the last 6 months.  When my father told me about this, a light went 
: on.  For the last 2 or three months I have been hearing dozens of people 
: complain about their CMOS dropping out.  

	Well, it would be of some help if you actually ran some AV 
software on these systems and told us what the results were.  IMHO, it 
SOUNDS like a hardware problem, but is so widespread that unless this is 
a defective shipment of computers, that there is either a virus or 
trojan/worm at work.

: Do you know how to kill it?

	Like any other virus.  Find out what the medium of infection is, 
(MBR, COM/EXE, DOC files) and disinfect or delete where there are 
instances of infection.

	Regards,

-- 
--<Doug Muth>---<dmuth@ot.com>--| Finger dmuth@oasis.ot.com for| "Est
---<http://www.ot.com/~dmuth>---| PGP public key and geek code | Sularus
Anti-virus software and utils:  | The Transformers fanfiction: | oth
~dmuth/virus/virus.html         | ~dmuth/tf/tf.html            | Mithas!"
-=-=-=-=-=-"Linux - The choice of a GNU generation"-=-=-=-=-=- |

------------------------------

Date: Tue, 09 Apr 1996 15:34:38 -0500 (CDT)
From: JACKSON <a0148329@metro.mccneb.edu>
Subject: Scream 2b virus (PC)
X-Digest: Volume 9 : Issue 49

Would appreciate any information about the subject Scream 2b virus.  Have 
had it, thought I got rid of it (by complete format), only to have it 
back again.  Would love to know how/if I can get rid of this one, once and for 
all.  Norton's Anti-Virus found it and named it when DOS Anti-Virus 
did/could not.  Appreciate any information about it, and/or how to get it 
gone.  Thank you.   Dan Jackson-- 

------------------------------

Date: Tue, 09 Apr 1996 21:18:22 +0000 (GMT)
From: "Walter C. Dove" <dove.walter@epamail.epa.gov>
Subject: Re: Need Help Removing Stealth_C Virus (PC)
X-Digest: Volume 9 : Issue 49

Brian Clark <tenor@news-e2c.gnn.com> wrote:

>A soon to be ex-student has been downloading infected "porno" pictures
>off the net and contracted this virus. It has spread through the school. 

Well, FWIW, your soon to be ex-student may have been downloading nasty 
pictures, but he didn't infect your machine that way.  ["Infected" 
pictures?  Infected with what, and what AV product has detected the 
infection?  This'll be a first if verifiable!]

Stealth_Boot.C is just that, a boot virus.  Unless you've gotten an as 
yet unreported dropper (and droppers are rare -- none that I know of for 
any of the Stealth_Boot. family), your NT machine got it the old 
fashioned way -- boot from infected diskette (not necessarily a system 
diskette, just a formatted diskette -- in the DOS world, all formatted 
diskettes contain the bootstrap loader code in the boot sector [the 
bootstrap code is what is subverted by BSV]).

>Fortunately, McAfee Scan was able to clean the virus from all but one 
>machine...my favorite Windows NT 3.51 workstation. According to Scan 95,
>the boot record cannot be cleaned and I must report to McAfee for
>removal instructions.

Contact McAfee for help, then -- after all, you're paying them for the 
service.

> Do I need to wipe out the hard disk and "volunteer" the
>student to re-install NT(on 3 1/2s!)? Any information would be great!
>

Well, if you "volunteer" the student for reinstalling NT out of some 
punishment for infecting the machine, it's sort of unjust.  As you say, 
it's all over your school -- common as dirt boot virus, probably all over 
your student labs.

Volunteer the student for punishment re. misuse of computing resources if 
you wish, but don't BLAME his/her download habits for a common boot 
sector virus infection.

rgds.  wcd.

------------------------------

Date: Tue, 09 Apr 1996 23:43:38 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: 634K of RAM--virus? (PC)
X-Digest: Volume 9 : Issue 49

Sayitmean <sayitmean@aol.com> writes:

>I don't know the name of this virus, but my memory shows 634K.  I can't
>run the 32 bit access through windows.  I looked on the FAQ but didn't see
>any reference to it.  Can someone help?

You gave two symptoms which together do point to you having a boot
virus.  Please get a scanner and tell us what it says, or follow
its instructions.

Jimmy
cjkuo@mcafee.com        (download from http://www.mcafee.com)

------------------------------

Date: Tue, 09 Apr 1996 23:51:10 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: anticmos?? Help (PC)
X-Digest: Volume 9 : Issue 49

philski@spirit.com.au writes:

>help!!! I am running 486 dx4 120 award with 12 meg ram win 95. My problem
>is that I get a "checksum error defaults loaded" and/or "cmos battery
>failed" but it  is a brand new mo'board and I have replaced battery since
>first occ!

"It is a brand new mo'board" which hasn't been tested enough.
Chances are, the ports to your CMOS are bad or some of the data 
lines are crossed or grounded.  (Or maybe the wires from the 
battery have fallen off.)  Sadly, your most likely thing is 
that you need to replace the motherboard.

You don't have the AntiCMOS virus, not by your description.  
AntiCMOS does not do anything to CMOS.

Jimmy
cjkuo@mcafee.com
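The "checksum error, defaults loaded" message the poster describes comes from the POST code verifying a checksum over the CMOS setup bytes, which is why a flaky CMOS port, a crossed data line or a dead battery all produce it and a boot virus that never touches CMOS does not. The following Python is an added example, not code from the poster, from Jimmy Kuo or from any product named here. It assumes the original IBM AT layout (bytes 0x10 through 0x2D summed, 16-bit result stored big-endian at 0x2E/0x2F); Award and other later BIOSes may checksum a different range, so that range is a labelled assumption to confirm against the board's documentation. The CMOS image it builds is constructed for the example, not read from hardware.

```python
"""Check the AT-style CMOS setup checksum behind "CMOS checksum error,
defaults loaded".

Assumption (original IBM AT layout): the firmware sums CMOS bytes 0x10
through 0x2D and stores the 16-bit sum big-endian at 0x2E (high byte) and
0x2F (low byte).  Later BIOSes, Award's included, may checksum a different
range; confirm the range against the board's documentation before relying
on this.  The image below is constructed for the example, not read from
real hardware (on DOS that would need port 0x70/0x71 I/O).
"""

CMOS_SIZE = 64
CHECKSUM_RANGE = range(0x10, 0x2E)   # assumed: IBM AT standard coverage
CHECKSUM_HI, CHECKSUM_LO = 0x2E, 0x2F


def compute_checksum(cmos):
    """16-bit sum of the setup bytes, as the POST code computes it."""
    return sum(cmos[i] for i in CHECKSUM_RANGE) & 0xFFFF


def stored_checksum(cmos):
    """Checksum as stored by Setup: high byte first."""
    return (cmos[CHECKSUM_HI] << 8) | cmos[CHECKSUM_LO]


def checksum_ok(cmos):
    return compute_checksum(cmos) == stored_checksum(cmos)


def build_cmos(base_kb=640, ext_kb=11264):
    """Constructed CMOS image: clock bytes zeroed, a few setup bytes set to
    plausible values for a 12 MB machine, checksum written correctly."""
    cmos = bytearray(CMOS_SIZE)
    cmos[0x10] = 0x40              # floppy types: A: = 1.44 MB, B: = none
    cmos[0x12] = 0xF0              # hard disk type byte (C: = user-defined)
    cmos[0x14] = 0x2D              # equipment byte (illustrative value)
    cmos[0x15:0x17] = base_kb.to_bytes(2, "little")   # base memory, KB
    cmos[0x17:0x19] = ext_kb.to_bytes(2, "little")    # extended memory, KB
    cs = compute_checksum(cmos)
    cmos[CHECKSUM_HI], cmos[CHECKSUM_LO] = cs >> 8, cs & 0xFF
    return bytes(cmos)


def diagnose(cmos):
    """Rough triage of why POST would complain.  All-0x00 or all-0xFF over
    the setup area points at lost battery power or a dead/floating CMOS
    port rather than at a virus; a plain mismatch means some setup byte
    changed without the checksum being rewritten."""
    setup = cmos[0x10:0x30]
    if all(b == 0x00 for b in setup):
        return "setup area blank"
    if all(b == 0xFF for b in setup):
        return "setup area reads 0xFF"
    return "ok" if checksum_ok(cmos) else "checksum mismatch"


if __name__ == "__main__":
    image = build_cmos()
    print(hex(compute_checksum(image)), diagnose(image))
    corrupt = bytearray(image)
    corrupt[0x12] ^= 0x01                                 # one flipped bit
    print(diagnose(bytes(corrupt)))
    print(diagnose(bytes(CMOS_SIZE)), diagnose(b"\xFF" * CMOS_SIZE))
```

Run against a dump taken on a known-good day and again after the error appears: a single changed setup byte with a stale checksum is what a software writer to CMOS leaves behind, whereas the blank or 0xFF patterns are the hardware faults Kuo describes.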

------------------------------

Date: Tue, 09 Apr 1996 23:54:04 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: how to get rid of Urkel (PC)
X-Digest: Volume 9 : Issue 49

Jim Wu <yenchun@engin.umich.edu> writes:

>My computer was infected with Urkel.  Is there anyone knowing how to
>get rid of it?  Also, I could not have access to my D drive (harddisk).
>Does this problem result from the virus?

Yes.

You may have to swap the wires on your drives so your D becomes C and
clean your system again.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Tue, 09 Apr 1996 23:58:31 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Jerus X (PC)
X-Digest: Volume 9 : Issue 49

"Luciano A. Martinez" <hh805@cleveland.freenet.edu> writes:

>Has anyone heard of this virus, I ran a virus detection utility on my PC
>and it told me I had Jerus X. I was just wondering if anyone knows what to
>do about this virus, and some noticeable side effects. 

I'll venture to guess that you have a Jerusalem variant and you happen
to be looking at an EXE file (Jerusalems infect EXEs and COMs differently).
There are a number of Jerusalem variants in the wild so I can't tell you
what you might have.

You'll need to tell us which scanner you're using and exactly what it
says.  (Better yet, have 3 scanners and tell us what they all say.)

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Wed, 10 Apr 1996 00:02:20 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: "loading bootstrap" message (PC)
X-Digest: Volume 9 : Issue 49

"J. L. Packer" <jpack@nicoh.com> writes:

>I recently dealt with (and hopefully eliminated!) what McAfee identified 
>as anti-cmos, as well as a stealth virus. When I first began experiencing 
>symptoms of these viruses on my pc, I noticed a message at bootup (which I 
>do not recall having seen previously) reading "loading bootstrap". After 
>eliminating the virus infections (I reformatted my hard drive and restored 
>from backup.... just to be on the safe side), my pc no longer displays 
>the mystery message. Question: does anyone know what the "loading 
>bootstrap" business was all about?

It was a message placed by Scan, versions prior to 2.2.7, into the bootup
process after it has cleaned off some boot sector viruses.

Because of confusion such as you had, this message was removed.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Wed, 10 Apr 1996 00:04:11 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: McAfee Scan 2.3.0. Genuine? (PC)
X-Digest: Volume 9 : Issue 49

sg7248613@omega.ntu.ac.sg writes:

>I recently encountered an evaluation copy of McAfee Antivirus Scan ver
>2.3.0, which was released on 17 Jan 96. 
>
>This is however, not available for download at McAfee's WWW site.
>I wonder if this is a valid and genuine antivirus software, or is this
>a dangerous copy of a virus?

It is a legitimate copy of a beta.  A later version has since been
released and is version 2.2.11.

Our next scheduled release in May will bear the number 2.3.0 (unless
marketing changes their mind again).

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Wed, 10 Apr 1996 00:10:05 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: WelcomB Virus (PC)
X-Digest: Volume 9 : Issue 49

Stephen Weller <stevefw@u.washington.edu> writes:

>Yes, as a matter of fact it has been dormant in my machine for some time
>now. Tried to kill it with McAfee's program, but had the same luck as you.
>All my floppy disks seem to be infected as well. Where can I get this NAV
>Antivirus program? I would really like to know.

You need to update your McAfee version.  And if /CLEAN doesn't work,
use /CLEAN /FORCE.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Wed, 10 Apr 1996 00:18:15 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: ANTI-CMOS virus (PC)
X-Digest: Volume 9 : Issue 49

"Missie . . ." <msmissie@usa.pipeline.com> writes:
[snip]
>I then reinstalled win95, and all has worked fine ever since, and McAfee's 
>virus scan no longer reports the C-MOS virus.   
>
>Is it possible it was a false-positive finding, and that a simple re-
>install of the win95 fixed everything ??  Was it something the win95
>STARTUP disk did to alter boot record that could have caused the false
>positive?? I'm terrified now to ever use a win95 start-up disk...

I presume you installed off a network or CD-ROM?

Yes, installation of Win95 will wipe out some boot sector viruses.
Instead, it will be saved into a file named SUHDLOG.DAT (hidden) on
your harddisk, in your root.

>Any thoughts on any of this would be appreciated...thankx !! 

Delete SUHDLOG.DAT now or don't uninstall Win95 with this SUHDLOG.DAT.

Jimmy
cjkuo@mcafee.com
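Two points in this digest can be checked mechanically: Walter Dove's explanation earlier (every DOS-formatted diskette carries bootstrap code in its boot sector, and that code is what a boot sector virus subverts) and Jimmy Kuo's note above that Win95 setup saves the original boot sector into SUHDLOG.DAT. The following Python is an added example, not code from either poster or from any of the scanners discussed: it parses a FAT boot sector, fingerprints only the loader-code region (the BPB is left out because it legitimately differs per volume and a virus keeps it intact so DOS can still mount the disk), and carves boot sectors out of an arbitrary file at any byte offset. The 1.44 MB FAT12 sector it builds and the "infected" variant are constructed for the example and stand in for no real virus; the internal layout of SUHDLOG.DAT is not assumed, which is why the carver scans every offset rather than a fixed one.

```python
"""Parse a DOS/FAT boot sector and fingerprint its bootstrap code.

Constructed example: the sector built here is a plausible 1.44 MB FAT12
floppy boot sector, not a real vendor loader, and the "infected" variant
is a stand-in for a boot sector virus (jump and BPB left intact, loader
code replaced), not any real virus's code.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BPB_FORMAT = "<3s8sHBHBHHBHHHII"   # jump, OEM name, DOS 3.31 BPB
EBPB_FORMAT = "<BBBI11s8s"          # DOS 4.0 extended BPB
CODE_START = 62                     # first byte after the extended BPB
SIG_OFFSET = 510                    # 0x55AA boot signature lives here
BPB_FIELDS = ("jump", "oem", "bytes_per_sector", "sectors_per_cluster",
              "reserved_sectors", "fats", "root_entries", "total_sectors",
              "media", "sectors_per_fat", "sectors_per_track", "heads",
              "hidden_sectors", "large_sectors")


def build_clean_sector():
    """Constructed clean sector: 1.44 MB FAT12 geometry, minimal loader stub."""
    head = struct.pack(BPB_FORMAT, b"\xEB\x3C\x90", b"MSDOS5.0",
                       512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    ebpb = struct.pack(EBPB_FORMAT, 0, 0, 0x29, 0x12345678,
                       b"NO NAME    ", b"FAT12   ")
    code = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C"   # cli; xor ax,ax; mov ss,ax; mov sp,7C00h
    code += b"\x90" * (SIG_OFFSET - CODE_START - len(code))   # nop padding
    return head + ebpb + code + b"\x55\xAA"


def infect(sector):
    """Simulate a boot virus: keep jump + BPB so DOS still mounts the disk,
    replace the loader.  Filler bytes only, constructed for the example."""
    viral = (b"\xB8\x00\x00" * 150)[:SIG_OFFSET - CODE_START]
    return sector[:CODE_START] + viral + sector[SIG_OFFSET:]


def parse_boot_sector(sector):
    """Return BPB fields as a dict, or None if this is not a DOS boot sector."""
    if len(sector) != SECTOR_SIZE or sector[SIG_OFFSET:] != b"\x55\xAA":
        return None
    if sector[0] not in (0xEB, 0xE9):            # short or near jump over the BPB
        return None
    bpb = dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sector, 0)))
    if bpb["bytes_per_sector"] not in (512, 1024, 2048, 4096) or bpb["fats"] not in (1, 2):
        return None                              # BPB sanity: rejects random 0x55AA hits
    bpb["oem"] = bpb["oem"].decode("ascii", "replace")
    return bpb


def code_fingerprint(sector):
    """SHA-256 of the loader code only.  The BPB is excluded: it differs per
    volume and a virus leaves it intact, so it carries no signal."""
    return hashlib.sha256(sector[CODE_START:SIG_OFFSET]).hexdigest()


def classify(sector, known_good):
    """known_good: set of fingerprints of loaders you trust (e.g. taken from
    a freshly formatted diskette on a clean machine)."""
    if parse_boot_sector(sector) is None:
        return "not a DOS boot sector"
    return "clean" if code_fingerprint(sector) in known_good else "unknown loader code"


def carve_boot_sectors(blob):
    """Find boot sectors embedded at any byte offset in a file, e.g. a setup
    log that saved the original sector before overwriting it."""
    found = []
    for i in range(len(blob) - SECTOR_SIZE + 1):
        if blob[i] in (0xEB, 0xE9) and blob[i + SIG_OFFSET:i + SIG_OFFSET + 2] == b"\x55\xAA":
            sector = blob[i:i + SECTOR_SIZE]
            if parse_boot_sector(sector) is not None:
                found.append((i, sector))
    return found


if __name__ == "__main__":
    clean = build_clean_sector()
    trusted = {code_fingerprint(clean)}
    print(parse_boot_sector(clean)["oem"], classify(clean, trusted))
    print(classify(infect(clean), trusted))
    saved = b"\x00" * 100 + infect(clean) + b"SAVED" + clean   # constructed log file
    for offset, sector in carve_boot_sectors(saved):
        print(offset, classify(sector, trusted))
```

The fingerprint approach is the same integrity check a scanner's "known clean boot sector" test performs, and it is what makes Kuo's warning concrete: a saved copy of an infected sector in SUHDLOG.DAT will carve out with the correct BPB and an unknown loader, and uninstalling Win95 would write exactly that back to the disk.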

------------------------------

Date: Wed, 10 Apr 1996 00:23:38 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: AntiCMOS virus (PC)
X-Digest: Volume 9 : Issue 49

"crash n' burn..." <juhari@teleview.com.sg> writes:

>Hi, i need help with my PC. I am currently using WIN95 and occasionally I 
>get a general protection fault failure and whatever that was running had 
>to be shut down. I used McAfee's Scan95 and it did not detect the 
>presence of any virus. A friend of mine used my PC and when he 
>transferred some files over to his PC (by diskette), he detected the 
>antiCMOS virus. He used another PC and it confirmed the presence of this 
>virus.
>
>Does anyone have any solution to this problem? Also, how come my Scan95 
>did not detect the (abovementioned) virus?

If your machine is infected, it won't be detected unless you're scanning 
memory.

Boot clean and clean your machine with the DOS component that comes with
your Scan95.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Tue, 09 Apr 1996 19:33:20 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Could this be a virus? (PC)
X-Digest: Volume 9 : Issue 49

Gail Rider Craig <Mac.NewsWatcher@epix.net> writes:

>First of all, I work with a network of all Macintosh computers, so I have
>very little knowledge about the Dos system and have been very fortunate in
>not running into any viruses.
>
>A friend asked me for help on this and I was hoping I could find some
>answers for him here.  He has a 386 running a custom database for his
>work.  There were 8 mgs left on the hard disk and his son tried to install
>Borland Visual Turbo C++ which was supposed to be only 4 mgs.  Half way
>through the installation, he received a hard disk error message and quit
>the installation.

This says that the installation process was not completed.  Furthermore,
subsequent text shows that the installation process was not given a chance
to clean up, and that no cleanup of the installation was attempted.

>The next time the computer was booted up, it had changed the load
>sequence, changed the color of the screen, asks for the date and time each
>time you boot up and appears to have erased some of the custom database
>files.

The machine asks for date and time if no AUTOEXEC.BAT exists.  Since
complex installation processes usually change AUTOEXEC.BAT by moving
it to a backup first, you probably died from the installation process
right at the moment when the AUTOEXEC.BAT was renamed.  Look for the
latest AUTOEXEC.something and rename that to AUTOEXEC.BAT.

The boot process is indeed sometimes changed so the machine can do
some intermediate bootups.  The bootup process is changed to boot from
C:.  Presumably, the installation would have restored the original
bootup process if allowed to complete.

>Is this a virus and, if it is, what program can he purchase to clean it up?

I doubt it's a virus.

>Any help would be appreciated.

>If you could respond directly to my e-mail address it would help me
>facilitate this for him since I can't always access the newsgroups.  
>dvrnet@epix.net

OK.  *sigh*

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Wed, 10 Apr 1996 00:54:23 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Help: The IHC-virus does its work! (PC)
X-Digest: Volume 9 : Issue 49

Jens Arnold <Jens.Arnold@Informatik.TU-Chemnitz.DE> writes:

>Dr Solomon's detected the IHC-Virus on our PC, but cannot
>remove it... McAfee and F-PROT do not detect any virus (?).
>The virus corrupts the FAT and changes some other parts
>of the filesystem, so that we have to use "scandisk" every
>time after booting the system to keep the filesystem "alive".
>Has anybody some information about this virus (called IHC by
>Dr Solomons) and how can we remove it? 
>
>Notice: The DOS "format"-command cannot wipe this virus!

You need to update your scanners.  And all of them should be standardized
on QUANDARY as the name of this virus which is in-the-wild primarily in
Germany.

As for your corrupted situation, I would recommend that you do some
sort of backup and format your disk and put everything back.
Probably the peculiarities of your setup caused a corruption which
is not common across other configurations.

(BTW, people say you never have to format your machine to fix a virus
problem.  Yes, this is true.  My recommendation is that you *backup*
then format...  I find that too few people ever backup.  If some event
forces you to back up everything every once in a while, without that
event being catastrophic, it's goodness.  After you backup your whole
machine, you will actually feel better for it.  *Believe me*  :-)  )

McAfee called this virus Parity.Boot.Enc until CARO agreed on a name
for it.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Wed, 10 Apr 1996 01:00:30 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Multiple boot sector infections (PC)
X-Digest: Volume 9 : Issue 49

Antonio Godinho <antonio@nambu.uem.mz> writes:

>I have had several problems of multiple boot sector infections on my
>computers and have never managed to clean them. Does anyone know if
>and how it can be done? From what I gathered the infections were of
>the UNASHAMED and ANTIEXE.a viruses. I tried using Dr. Solomon's
>toolkit 7.56, F-prot 222 and  Thunderbyte 6.38 but all these failed.
>Since I did not have access to the Hard disks in any of the cases, I
>had to fdisk and reformat the hard disks.
>
>If anyone has any ideas, I would really like to hear them.

We added the /FORCE switch to address these cases.

You can try Scan C: /CLEAN /FORCE.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Wed, 10 Apr 1996 02:25:35 +0000 (GMT)
From: Raul Quintanilla <rquintan@intercable.net>
Subject: Re: Trabajo_hacer.b Virus (PC)
X-Digest: Volume 9 : Issue 49

Richard Buchanan <Richard_Buchanan_at_BOSA01@ed.gov> wrote:

>Our network is showing occasional infections of
>"trabajo_hacer.b (MBSR virus) which is the name given by
>Norman Data Defense Systems v.3.50 (espejo by F-PROT).
>
>I have heard some "rumors" that the virus must be removed by
>April or it will cause some HD damage.
>Have you heard anything; when/where created and if there is
>anything to the "rumor" concerning April?

Espejo's name is 15_Years according to F-Prot Professional.
What we have found is that it activates between the 5th and the 7th
starting in January and from there on, every three months. We get some
hard drives with 15_Years virus activated more or less every 3 months
(Jan, April, etc) just after the 7th. As a fact we are expecting half
a dozen HDrives "espejeados" this week.

fdisk /mbr before it activates is the answer and if you have Windows95
use fdisk provided.

Cheers!
Raul

------------------------------

Date: Wed, 10 Apr 1996 03:36:47 +0000 (GMT)
From: Savio Wong <swong@wat.hookup.net>
Subject: Burglar 1150 virus on a Novell Network -- HELP!!! (PC)
X-Digest: Volume 9 : Issue 49

Help!
I am the computer system manager for two Novell Networks at my school.  
Network #1 uses Netware 3.11 with about 70 workstations and Network #2 is 
a 3.12 with 60 stations.  The two networks are backboned with a switch. 
The configurations for both are EtherNet (both 10B2 and 10BT) and
Baseband.  Most of the machines have 8M of RAM but no harddrive.  On top of
Novell, we run an interface by IBM called Iclas (v 1.5), Windows Enabler
(which is a shared version of Windows 3.1) and LanSpool for the printers.
We also run virstop (from F-Prot) on each workstation at bootup.  Anyway,
about 1 week ago, Windows Enabler (Windows 3.1) quit working and I did a
scan using the Jan. version of F-Prot.  It found two viruses (Tai-Pan and
Little Brother), both of which were cleaned.  However, Windows Enabler
still would not run and some of the files in the system are huge (over
4 Gig) when listed with Dir.

I got a copy of Mar. 96 of F-Prot from the School Board computer 
technician and found another virus -- Burglar 1150.

After many hours of work to boot a clean workstation, I managed 
to clean both fileservers the past weekend.  Today being the first 
day back from the Easter holiday, both networks ran smoothly until about
2:00 p.m.  Within 20 minutes, both fileservers were infected with Burglar
1150 again!  Yikes.  So, I was in school until 10:00 pm to clean both
fileservers again.  In order for me to do this, I have to play around with
the net$dos.dat file, which contains a list of boot up commands. 
Since both login.exe and logout.exe plus a bunch of exe files were
infected, it took me a long time to get a clean workstation.  I ran F-Prot
and it took another couple of hours to clean the files.

I ran F-Prot (March 96) again just to be sure and it did not find 
anything.  It did state that a number of files in one of the older dirs 
(DOS5.1) are inoculated by Central Point Anti-virus, which we used a few
years back.  Are they really protected from the new and improved virus? 
Also, several EXE files could not be accessed.

Wish me luck tomorrow; any comments and suggestions are much 
appreciated.

Regards,

Savio Wong
WODSS 
Waterloo, Ontario
CANADA

p.s.  I did find out some information from Netscape about this virus.  
Originated from Taiwan in Jan. 96.  A message 'Burglar/ H' flashes in the
top left corner whenever the time contains '14'.  It is a stealth virus
and will spread itself whenever DIR or ATTRIB are used (plus other
DOS commands that affect the boot sector).  I did not find anything
about those huge file listings in DIR though.

------------------------------

Date: Wed, 10 Apr 1996 04:06:07 +0000 (GMT)
From: Anti-Virus <anti-vir@ix.netcom.com>
Subject: Re: MS Macro Virus Tool (PC)
X-Digest: Volume 9 : Issue 49

>>irritable differences (one is that you cannot open multiple files at
>>once), but the alternative seems worse.  We started scanning (using
>>McAfee) the document files but found that some people had so many
>>documents on their hard drives that it took foreverrrrrrrrrrrrrrrrrr to
>>scan.  There is no noticeable file open or close delay in Word (6.0), so
>>we went with that.

I don't know from your message what operating system you're using, but
what you're experiencing may not be related to the AV scanner at all.  
It's possible that by doing some performance tuning on the PC you can
experience significant improvements in how long it takes to scan the
hard drive.  For instance, if you're running MS-DOS 6.22, and you have
a C: and D: drive as an example, try adding this statement to your
AUTOEXEC.BAT file and see if it doesn't speed things up (if you don't
already have a SMARTDRV statement in it):

LH C:\DOS\SMARTDRV.EXE C D

There are several other things you can do to performance tune your PC
as well.  

------------------------------

Date: Tue, 09 Apr 1996 21:33:47 +0900
From: asjcw3@uaa.alaska.edu
Subject: What AV software should I get? (PC)
X-Digest: Volume 9 : Issue 49

Hello, I'll get right to the point. Our 540-meg HD has crashed several
times in the last few months. Norton Disk Doctor tells us that the FAT has
a glitch, and, though it knows what files are on the disk, it doesn't know
where on the drive the files are stored. Generally between 85-100% of our
HD is unusable until the HD is reformatted. Then we have no problems until
the HD crashes again. (BTW, the first crash occurred on the day the
warranty ran out, marking the computer's first birthday.) We have loaded
NDD into the autoexec.bat file, but this has had only limited success. The
HD has crashed since then, but we have gone for about three weeks without
a crash now.

My question is this: A friend knowledgeable in these matters said these 
symptoms sound like a virus, but MSAV & MWAV have found none. Our first PC
died of a virus under similar circumstances, but MSAV detects and cleans
the virus from our old PC disks as soon as we put them in. (This virus was
the Form virus.) So, I'm inclined to think that our problems come from a
virus, but not our old Form virus. 

What AV program should I get to clean this virus off? Where can I get
this program? And can someone please explain how a virus can stay on a
computer after multiple HD reformats?

				Thanking you in advance,

					Joshua Walton

------------------------------

Date: Wed, 10 Apr 1996 12:39:25 +0200
From: Kostja.Reim@sct.DE
Subject: SVC Virus (PC)
X-Digest: Volume 9 : Issue 49

Is there anybody who knows an application to kill the
SVC virus version 6.0 in the MBR ?

- --------------------------------------
SCHMUDE Computertechnik Potsdam
Kostja Reim

------------------------------

Date: Wed, 10 Apr 1996 10:55:36 +0000 (GMT)
From: Aquiles Luna-Rodriguez <pz4a004@rzaix07.uni-hamburg.de>
Subject: Re: !DELWINBOOT.sys (PC)
X-Digest: Volume 9 : Issue 49

Billy (e9325010@stud1.tuwien.ac.at) wrote:

: does anybody know something about the "delwinboot.sys" - virus?

I got the delwin.boot virus about three months ago. My Turbo C++ 3.0
hung up, so after a week or so I downloaded a copy of McAfee anti-virus.
Though it detected it and erased copies on programs, the boot virus in the
Master Boot Record wasn't touched. I waited for release 2.2.7 of McAfee,
only to discover it wouldn't work either. In the end, I just had to wipe
the hard drive and reinstall everything from a back-up, so I'm not paying
a penny for the anti-virus. The friend from whom I got infected in the
first place still has it, and on her machine McAfee's program gives false
error messages, like saying that your write-protected floppies are also
infected, including ones formatted on a virus-free machine and carrying
the anti-virus software itself!

*********************************************************************
*  Aquiles Luna-Rodriguez         //I've found it! here's the bg!   *
*  Universitaet Hamburg, Germany  //nobody expects...               *
*  pz4a004@rrz.uni-hamburg.de     //..the Spanish Inquisition!      *
*********************************************************************

------------------------------

Date: Wed, 10 Apr 1996 14:58:35 +0200 (MET DST)
From: "MICHAL ml." <kovac@crick.fmed.uniba.sk>
Subject: Re: One Half virus - help! (PC)
X-Digest: Volume 9 : Issue 49

> The One Half virus attacked my computer today.  It wiped out everything in my
> logical drives D and E, while leaving all my software on drive C intact.  I
> got the virus removed with Dr Solomon's FindVirus.  But my hard drive is
> still a mess.  I can't see my D drive at all, while the E drive is accessible
> but everything is lost.  I am not a computer specialist.  Can anyone tell
> me how I can recover the lost data from these logical drives?  I need them
> so badly for my graduation in May, yet I don't have a backup for most of
> them (about 150 MB of data)!

The trouble with OneHalf is that the virus encrypts the HD. If you wipe the
virus, your data will be lost. My PC was infected with this virus about 1
year ago, and I saved all my data by using a remover which also decrypts
the encrypted HD.

Everyone can find this remover on the ftp site:

	ftp.elf.stuba.sk /pub/pc/sac/onehalf.zip 

Another useful file is ice19b.zip in the same directory.
___________________________________________________________________________

   Peter Kovac , Faculty of Medicine , Comenius University , Bratislava 
   E-mail :             kovac@crick.fmed.uniba.sk

------------------------------

Date: Wed, 10 Apr 1996 10:42:09
From: ruben@ralp.satlink.net
Subject: Re: Help with Diablo virus (PC)
X-Digest: Volume 9 : Issue 49

Sat, 06 Apr 1996 00:59:55 +0000 (GMT) "Amador Ahumada Z."
<Ahumadaz@netup.cl> wrote:

AAZ>HOLA HELP MI WITH  DIABLO :

AAZ>I need string for research.

AAZ>Disculpen mi ingles soy de Chile, necesito ese virus, si se puede 
AAZ>una imagen de disco.

Well, I will act as the official "Spanish/Portuguese" translator for the
forum (sounds OK, uhh Nick ???) :-)

This person is requesting an image of the Diablo virus. But wait, don't blame
him.  He is a very reputable investigator from CHILE and also has been a
professor at an institute for years. I replied to him in private explaining
that this is not an exchange zone, and also posted the analysis I made some
months ago.

Diablo was an epidemic here in Argentina.

DESCRIPTION OF VIRUS IS IN SPANISH AND ENGLISH.
(and all the people happy!) :-)

- ----------------------------------------------------------------------------
DETAILED DESCRIPTION OF THE DIABLO VIRUS.

 -----------------
|  Diablo Virus   | 
 -----------------

Preliminary analysis of the Diablo virus by Ruben M. Arias.  RALP Seguridad 
Informatica.


Name        : Diablo (local variant of the Music Bug virus ???)
Size        : ??? bytes.
Infects     : MBR of hard disks and boot sector of diskettes.

Scan string : C0 8E D8 A1 4C 00 2E A3 22 7D A1 4E 00 2E A3 24.
	      (See Other Information)


Interrupts  : -----
Load address: -----
Polymorphic : No.
Resident    : Yes.
Size in RAM : 2048 bytes. 
Stealth     : No.
Text        : The word "Diablo" can be read.

Type        : Infects Cylinder 0, Side 0, Sector 1 of diskettes and the MBR of   
	      hard disks.
	      Uses some minor stealth techniques that involve giving false
	      DOS messages during its load.
	      Once the virus infects the HD (hard disk) it proceeds to  
	      infect any diskette placed in the diskette drives (A/B).
	      The original boot sector record is placed at Cylinder 0,
	      Side 1, Sector 14.
	      Manual restoration of this record is NOT recommended.
	      ##
	  
	      Removing this virus from diskettes is easy:

	      1) Boot your PC from a bootable diskette that is write 
		 protected. 
	      2) Insert the infected diskette in the drive and copy its
		 data to some directory on C:\.
	      3) Format the diskette and copy your data or programs back
		 to it.
	       
	      Removal from the hard disk must be done in the following
	      way:

	      1) Repeat step 1 above, but make sure that the diskette
		 contains the FDISK file from the version of DOS you are
		 using.

	      2) After step 1), try to access the hard disk.
		 (IF YOU CANNOT ACCESS IT, STOP THE PROCEDURE AND SEEK
		 SPECIALIZED PROFESSIONAL HELP)
	    
	      3) Only if you were able to access the hard disk, run ...

			      FDISK /MBR

Effects     : Destroys hard disks after an infected machine has been booted 
	      some number of times.      

Unusual     : Not analyzed yet.

Other
Information : This virus was found in various places and is currently
	      considered an epidemic.
	      Under no circumstances turn on your PC with diskettes in the 
	      drives, or insert diskettes before the end of or during the
	      boot sequence.
	      
	      Anti-virus programs that detect it:
	      -  Integrity Master 2.42 d detects this virus as Music_Bug.
	      -  If you have F-Prot, enter the ASCII sequence cited above
		 for its detection.
==============================================================================


DESCRIPTION OF VIRUS DIABLO (DEVIL).

 -----------------
|  Diablo Virus   | 
 -----------------

Preliminary analysis of Diablo virus by Ruben M. Arias (RALP Computer 
Security)


Name        : Diablo (Music Bug variation ???)
Size        : ??? bytes.
Infects     : MBR of Hard disks and Bootsector of Diskettes.
Scan string : C0 8E D8 A1 4C 00 2E A3 22 7D A1 4E 00 2E A3 24.
In the wild : Yes. (In Argentina)
Interrupts  : -----
Load Address: -----
Polymorphic : No.
Resident    : Yes.
Size in RAM : 2048 bytes. 
Stealth     : No.
Text        : The word "Diablo" can be read.

Type        : Infects Cylinder 0, Side 0, Sector 1 of diskettes and the MBR of  
	      hard disks.
	      Uses some minor stealth techniques that involve giving false
	      DOS messages during its load. Once the virus infects the HD 
	      it proceeds to infect any diskette placed in the drives (A/B).
	      The original boot sector record is placed at Cylinder 0, Side 1,
	      Sector 14.
	      Manual restoration of this record is NOT recommended.
	  
	      Removal of the virus from diskettes is easy. Just boot clean 
	      from a write-protected diskette, then copy the data on the 
	      diskette to a subdirectory on the HD. Format the diskette 
	      and restore the data from the HD to the diskette.  

	      Removal from the hard disk is simple too. As with diskettes, just
	      boot clean and perform a FDISK /MBR (ONLY IF YOU CAN ACCESS THE
	      HARD DISK!).


Payload     : Destroys hard disks after an infected machine has been booted   
	      some number of times.

Unusual     : Not analyzed yet.

Other info  : This virus was found in some places, Universities, Enterprises,
	      etc.
	      Integrity Master 2.42 d detects this virus as Music_Bug.
	      Virus was submitted to W. Stiller 08/07/1995.
==============================================================================

- --------------------------------- end of description ----------------------

Regards all

Ruben Arias
- ------------------------------------------------------------------------------
 Ruben M. Arias                                _   _      _                    
					      | ) |_| |  |_)                   
					      | \ | | |_ |                     
 E-Mail: Ruben@RALP.Satlink.net                                                
 Buenos Aires - ARGENTINA            RALP - Computer Security - Virus          
- ------------------------------------------------------------------------------

[Moderator's note:  I screwed up.  My -very- rudimentary understanding of
Spanish suggested the message was OK.  Not having easy, timely access to a
group of free translators, I will revert to my earlier approach of not
approving any non-English submissions.]
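
The scan string above is the kind of thing a DOS-era scanner matched against raw sectors. The following is an added example, not part of Ruben's post or of any scanner named in it: it searches a disk image sector by sector for the published 16-byte Diablo scan string, checks the 55 AA boot signature, and converts the C0/H1/S14 location of the saved original boot sector to a linear sector number so it can be inspected (not restored; the post advises against manual restoration). The disk image is constructed for the example, and the geometry (2 heads, 18 sectors per track, i.e. a 1.44 MB floppy) is an assumption; on a hard disk the same CHS address maps to a different LBA depending on the BIOS geometry.

```python
"""Signature scan of a raw sector image for the Diablo scan string.

Added example (not the original post's code). The image built by
build_demo_image() is CONSTRUCTED for this example; the floppy geometry
(2 heads, 18 sectors per track) is an assumption.
"""

SECTOR = 512
# Scan string exactly as published in the Diablo description above.
DIABLO_SIG = bytes.fromhex("C0 8E D8 A1 4C 00 2E A3 22 7D A1 4E 00 2E A3 24")


def chs_to_lba(cyl, head, sector, heads, spt):
    """Classic CHS -> LBA conversion (sectors are numbered from 1)."""
    if not 1 <= sector <= spt:
        raise ValueError("sector number out of range for this geometry")
    return (cyl * heads + head) * spt + (sector - 1)


def read_sector(image, lba):
    """Return one 512-byte sector of a raw image (empty if out of range)."""
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def has_boot_signature(sector):
    """True if the sector ends in the 55 AA marker a BIOS expects."""
    return len(sector) == SECTOR and sector[510:512] == b"\x55\xaa"


def scan_image(image, sig=DIABLO_SIG):
    """Return [(lba, offset_in_sector), ...] for every sector holding sig."""
    hits = []
    for lba in range(len(image) // SECTOR):
        off = read_sector(image, lba).find(sig)
        if off != -1:
            hits.append((lba, off))
    return hits


def report(image, heads, spt):
    """Scan the image and look at C0/H1/S14, where Diablo keeps the
    original boot sector. Inspection only; nothing is written back."""
    hits = scan_image(image)
    saved_lba = chs_to_lba(0, 1, 14, heads, spt)
    saved = read_sector(image, saved_lba)
    return {
        "infected": bool(hits),
        "hits": hits,
        "saved_lba": saved_lba,
        "saved_has_boot_signature": has_boot_signature(saved),
    }


def build_demo_image(heads=2, spt=18, cylinders=2):
    """CONSTRUCTED floppy-style image: an 'infected' sector at LBA 0 that
    carries the scan string and the text "Diablo", and a clean DOS-looking
    boot sector parked at C0/H1/S14, mirroring the description above."""
    img = bytearray(heads * spt * cylinders * SECTOR)

    clean = bytearray(SECTOR)
    clean[0:3] = b"\xeb\x3c\x90"          # JMP + NOP, typical DOS boot sector
    clean[3:11] = b"MSDOS5.0"             # OEM name field
    clean[510:512] = b"\x55\xaa"

    infected = bytearray(SECTOR)
    infected[0:3] = b"\xeb\x1c\x90"
    infected[0x1e:0x1e + len(DIABLO_SIG)] = DIABLO_SIG
    infected[0x100:0x106] = b"Diablo"
    infected[510:512] = b"\x55\xaa"

    img[0:SECTOR] = infected
    saved = chs_to_lba(0, 1, 14, heads, spt)
    img[saved * SECTOR:(saved + 1) * SECTOR] = clean
    return bytes(img)


if __name__ == "__main__":
    # With a real image: open("floppy.img", "rb").read() instead of the demo.
    print(report(build_demo_image(), heads=2, spt=18))
```

The offsets the scan reports are only meaningful together with the geometry used to address the image: the same cylinder/head/sector triple lands on a different LBA for a 1.2 MB floppy (15 sectors per track) or for a hard disk, so a tool that locates the saved sector must be told the geometry rather than assume one.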

------------------------------

Date: Wed, 10 Apr 1996 15:38:17 +0000 (GMT)
From: "Kathleen.Smith@mhafc.production.compuserve.com, CNA" <103505.520@compuserve.com>
Subject: Re: Readiosys - is it real? (PC)
X-Digest: Volume 9 : Issue 49

I am running Intel's Virus Protect 3.0 D.  Readiosys, I believe, 
is Intel's synonym for AntiCMOS.  You can verify this by 
looking up Readiosys in Virus Protect's Virus dictionary. 

My company recently inherited quite a few computers infected with 
this virus.  It seems to be fairly harmless.  Of the 50 computers 
infected, only two exhibited blatant symptoms. According to a 
posting to alt.comp.virus by Henri Delger, "The virus has code to 
tamper with CMOS data, with a one in 256 chance, at floppy 
diskette accesses".

- - 
The opinions expressed herein are not necessarily those of my 
employer.

------------------------------

Date: Wed, 10 Apr 1996 15:07:59 +0000 (GMT)
From: Renato Oppio <oppior@dns.easynet.it>
Subject: Analyze.exe--Trojan Warning!! (PC)
X-Digest: Volume 9 : Issue 49

I have downloaded from a packet radio BBS a file named ANALYZE.EXE.
It's selfextracting and the .doc says it's an utility to check hard
disk. After running it I have found that all files in my hard disk
became directories  <DIR> !!!

Before I have to format my HD has anyone a solution to the problem ??

Thank you

Renato I3EJ

------------------------------

Date: Wed, 10 Apr 1996 16:07:02 +0000 (GMT)
From: Freak Power <lono@indy.net>
Subject: Telecom PT1 (PC)
X-Digest: Volume 9 : Issue 49

It seems I've picked up something called Telecom PT1. I scanned using
MWAV, and it picked this one up in C:\. However, I tried ThunderBYTE
and The Doctor, and neither one found it. When I tried to clean it with
MWAV, my system shuts down and messes up the screen.

I don't know if it's related, but my modem communications have slowed 
considerably and my printer won't print Postscript anymore.

Thanks in advance for any info you might throw my way.

Jason

------------------------------

Date: Wed, 10 Apr 1996 10:21:01 -0700
From: "J.E.M." <jimmac@primenet.com>
Subject: Re: Anti exe virus (PC)
X-Digest: Volume 9 : Issue 49

>We had AntiExe here at the library where I work. It is an almost
>completely benign virus. All it really does is exist. It has no
>stealth capability nor can it execute anything. You get it when you
>try to boot up your machine, but have left an infected disk in the A:
>drive. The machine's hard drive picks up the virus when it tries to
>boot off the disk. From then on it infects any disk you use in the A:
>drive. Programs like F-Prot will easily clear this virus, but, as you
>know, you have to boot with clean (non-infected) disks in order to
>clear. Hope this helps.   Bob Davis

I have seen (and disinfected) the antiexe virus on a number of
machines and it is not always benign.  One common problem
experienced is that new programs won't install properly from
diskettes with false  "out of memory" and/or "disk full" messages
(or something similar) given off.

Jefrino 103213.103@compuserve.com

------------------------------

Date: Tue, 09 Apr 1996 10:02:26 -0700
From: "Glenn P. Siegrist" <teamsieg@snowhill.com>
Subject: Where to get a virus check up grade? (PC)
X-Digest: Volume 9 : Issue 49

I have a Packard Bell Legend 36CD; it's a 486/50. It came with Win 3.11 on 
it. I have had it for over a year now and I would like to know whether there
is an upgrade to the Microsoft virus scan program that came with it.

Glenn Siegrist

------------------------------

Date: Wed, 10 Apr 1996 19:37:48 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: An Aftereffect of Natas (PC)
X-Digest: Volume 9 : Issue 49

Tarkan Yetiser <tyetiser@yrkpa.kias.com> writes:

>Well, it's a feature :-) DOS counts up to year 2099, not the maximum 
>possible of 2107. For example, if you try to set the system date to 
>4-7-2100, you will get an invalid date message. 

Reason is, 2100 is not a leap year and none of the software written
today is likely to account for that (and probably DOS doesn't).

Hell, we have enough trouble with 2000 coming up.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Wed, 10 Apr 1996 20:17:07 +0000 (GMT)
From: Ken Stieers <kstieers@ontrack.com>
Subject: Re: Stoned that Went Away & AntiCMOS in SUHDLOG.DAT (PC)
X-Digest: Volume 9 : Issue 49

The SUHDLOG.DAT file has a copy of the MBR that was on the machine
before you installed Win95.  Since it finds the virus in this file,
you were infected before you installed Win95.  

Ken 

- - 
Views expressed herein are not necessarily the views 
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               |  Minneapolis - 1.800.872.2599       * 
* AV Research/Apps. Eng.    |  Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  |  Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     |  London - 0800 24 39 96             *
* Eden Prairie, MN          |  Japan - 81.429.32-6365             *
*******************************************************************

------------------------------

Date: Wed, 10 Apr 1996 20:19:34 +0000 (GMT)
From: Ken Stieers <kstieers@ontrack.com>
Subject: Re: "loading bootstrap" message (PC)
X-Digest: Volume 9 : Issue 49

Possibly, but more likely he cleaned a virus from the machine using McAfee 
2.2.3 through 2.2.7 or so.  These versions would overwrite the MBR with a 
generic one when cleaning some viruses.  This MBR had this message in it. 

Ken 

- - 
Views expressed herein are not necessarily the views 
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               |  Minneapolis - 1.800.872.2599       * 
* AV Research/Apps. Eng.    |  Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  |  Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     |  London - 0800 24 39 96             *
* Eden Prairie, MN          |  Japan - 81.429.32-6365             *
*******************************************************************

------------------------------

Date: Wed, 10 Apr 1996 15:07:06 -0400
From: SUZANNE FORTIN <aaa227@agora.ulaval.ca>
Subject: Re: Urkel virus (PC)
X-Digest: Volume 9 : Issue 49

On Wed, 10 Apr 1996, Elton Tucker wrote:

> I just had a poke through my viral datalist (Norton 95) and according to that 
> you should be OK.  Urkel apparently doesn't do any damage but does fire off 
> that message every hour, on the hour which will get *really* annoying if 
> you're in the middle of a paper (been there, done that).  

Nice to know. Nothing drastic has occurred, but every so often when I try 
to save something in my C drive, I get a message saying it's full, when 
my file manager says it's not.

> Once you get a chance, fire me a reply back and I'll gladly walk you through 
> removing it and getting some protection in place. 

I've tried to download "F-Prot" twice now, but I still get a message 
saying that there is a problem with the Pkzipfix. I will try with a 
Z-modem. I have a 2400 modem (it came with the computer, and I can't 
afford a faster one) and so it takes a *long* time (like an hour) to 
download. So if you have something simpler in mind, I would appreciate it.

Suzanne Fortin

------------------------------

Date: Thu, 11 Apr 1996 08:59:14 +1200
From: "stephen.betts" <stephen.betts@nz.eds.com>
Subject: Re: Winword/Scanprot/FProt questions (PC)
X-Digest: Volume 9 : Issue 49

> > What is BAD is, F-Prot still finds the string in the .DOC files and still
> > reports them as infected with the CONCEPT virus.
> 
> Whatever Microsoft did, they did NOT remove the strings from the macros.
> FProt is obviously still finding the viral strings.

We had a similar outbreak here with documents being mailed between 
secretaries only compounding the problem.

What I discovered was that there were a few errors in the Scanprot.dot 
macro issued by Microsoft and made the adjustments to the one we 
distributed in our organisation.

1:      The macro failed to update the Registry of the computer if it 
was run from a write protected disk or a read only network drive. This 
meant that double clicking on a document re-loaded the macrovirus onto 
the computer, although when Word Exited it usually found the macro and 
removed it. This was fixed by adding C:\ to the location where the Reg 
update file was created.

2:      I am not sure what the search string for the Macro Virus is, but 
it is not just AAAZFS or payload, as during my testing I tried to fake the 
virus. The problem actually resides with the Word Tools, Options, Allow 
Fast Saves option on the Save tab. What this does is save the old document 
appended to the new document, and hence the doc still contains the virus 
search string. Changing this option however does not solve all problems 
either, as bugs in some releases of OLE2 code often appended data from 
memory to the OLE data. 

I noticed this (Fast Save) because documents I was writing quite often 
jumped from 50K to 100K when I only edited one word. Try it yourself by 
saving a blank document, then open it and save it again: it will start at 
8-11K depending on the version of Word 6/7 you are running, and jump to 
16K+. I call this the Microsoft Word Virus.

Note: Word 7 includes a picture of the document for easy browsing and 
hence another 4k or more is appended to the file

And you wonder why your file servers are using tens of MB per week.

[Moderator's note:  I think the effect Stephen alludes to at the end of
the first para in point 2., is because OLE "blocks" are fixed sizes, and
hence final and other partial ones are "padded", usually with what happens
to have been left in memory or a buffer at that point in time.]
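
The Fast Save effect in point 2 is worth seeing in bytes: a scanner that searches the raw file keeps matching a string that the document, as Word presents it, no longer contains. The following is an added example, not code from Stephen's post, from Microsoft's Scanprot or from F-Prot. It models an append-only "fast save" file with a toy record format invented for this example (a type byte, a name, a length-prefixed body; a delete is recorded as a tombstone), a "full save" that rewrites the file from the live parts, and two scans, one over raw bytes and one over the logical view. The marker string AAAZFS comes from the post; the part names and macro text are constructed.

```python
"""Fast save vs. full save, as seen by a signature scanner.

Added example (not the original post's code, nor Scanprot or F-Prot).
The file format below is a TOY invented for this example: an append-only
log of records that Word's "Allow Fast Saves" resembles in one respect
only, namely that edits are appended and old content stays in the file.
"""
import struct

MAGIC = b"TOYDOC"
SIG = b"AAAZFS"          # marker string mentioned in the post
PUT, DELETE = 0, 1       # record kinds


def _record(kind, name, data=b""):
    name_b = name.encode()
    return (struct.pack("<BB", kind, len(name_b)) + name_b
            + struct.pack("<I", len(data)) + data)


def new_doc():
    return bytearray(MAGIC)


def put_part(raw, name, data):
    """Fast-save style write: append a new copy, never rewrite the old one."""
    raw.extend(_record(PUT, name, data))


def delete_part(raw, name):
    """Fast-save style delete: append a tombstone; the old bytes remain."""
    raw.extend(_record(DELETE, name))


def records(raw):
    """Walk the append-only log in order."""
    if bytes(raw[:len(MAGIC)]) != MAGIC:
        raise ValueError("not a TOYDOC file")
    pos = len(MAGIC)
    while pos < len(raw):
        kind, nlen = struct.unpack_from("<BB", raw, pos)
        pos += 2
        name = bytes(raw[pos:pos + nlen]).decode()
        pos += nlen
        (dlen,) = struct.unpack_from("<I", raw, pos)
        pos += 4
        yield kind, name, bytes(raw[pos:pos + dlen])
        pos += dlen


def logical_view(raw):
    """What the application shows: replay the log, last write wins."""
    parts = {}
    for kind, name, data in records(raw):
        if kind == PUT:
            parts[name] = data
        else:
            parts.pop(name, None)
    return parts


def full_save(raw):
    """Rewrite the file from the live parts only (what a full save does)."""
    out = new_doc()
    for name, data in logical_view(raw).items():
        put_part(out, name, data)
    return out


def scan_raw(raw, sig=SIG):
    """How a file-based scanner sees it: every byte, live or dead."""
    return bytes(raw).find(sig) != -1


def scan_logical(raw, sig=SIG):
    """Scanning only the parts the application still presents."""
    return any(sig in data for data in logical_view(raw).values())


def demo():
    """Returns (raw hit after fast delete, logical hit after fast delete,
    raw hit after full save). Sample content is constructed."""
    doc = new_doc()
    put_part(doc, "WordDocument", b"Hello, this is the document text.")
    put_part(doc, "Macros/AutoOpen", b"Sub MAIN\n ' " + SIG + b"\nEnd Sub")
    delete_part(doc, "Macros/AutoOpen")   # the "cleaned" macro, fast-saved
    after_fast = (scan_raw(doc), scan_logical(doc))
    clean = full_save(doc)
    return after_fast + (scan_raw(clean),)


if __name__ == "__main__":
    print(demo())   # expected: (True, False, False)
```

The practical reading is the one the thread arrives at: after removing a macro, the file has to be rewritten in full (Fast Saves off, then save) before a raw-bytes scanner's verdict means anything, and a scanner that parses the container and checks only live streams would not raise this particular false alarm, at the cost of missing whatever a parser cannot reach.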

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 49]
*****************************************


