Message-Id: <01I3JH3PLOGSSKU6UC@csc.canterbury.ac.nz>
Date: 	Sun, 14 Apr 1996 17:53:20 +1200 (NZT)
Reply-To: virus-l@Lehigh.EDU
Sender: owner-virus-l@Lehigh.EDU
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>
Subject: VIRUS-L Digest V9 #50
MIME-version: 1.0
Content-transfer-encoding: 7BIT
X-Sender: cctr132@cantva.canterbury.ac.nz
X-Listprocessor-Version: 7.2 -- ListProcessor by CREN

VIRUS-L Digest    Sunday, 14 Apr 1996    Volume 9 : Issue 50

Today's Topics:

Re: Virus Writing? Why Do People Still Do it.
Re: Macro viruses
Re: Detecting Trojans
Re: Dr Solomon's Virus Stats (March 96)
Re: LAN antivirus for Windows NT (NT)
Re: F-Prot for Win 95 evaluation version (WIN95)
Re: virus effecting winhelp.exe? (WIN)
Re: McAfee WSCAN Auto start? (WIN)
Re: Monkey and partitioned drives (PC)
ripper-virus, who can help (PC)
Re: Beethoven?? (PC)
Re: Cmos-corrupting Virus (Monkey?) (PC)
Re: CONCEPT/Wordperfect macro:really no cure? (PC)
virus or hardware problem? (PC)
Batman 2.2844 (PC)
Re: HELP with unknown virus (PC)
Re: Winword/Scanprot/FProt questions (PC)
Re: Crash or Leningrad virus (PC)
Re: Is ANTI-CMOS B able to change cmos-settings? (PC)
Re: Stoned that Went Away & AntiCMOS in SUHDLOG.DAT (PC)
Re: Stoned.Empire.Monkey_B (PC)
Re: Crash or Leningrad virus (PC)
Re: Good scanner with smallest TSR memory footprint (PC)
Re: Good scanner with smallest TSR memory footprint (PC)
FORM_D (PC)
Re: Beethoven?? (PC)
Re: ripper virus (PC)
RE: Good scanner with smallest TSR memory footprint (PC)
Re: Multiple boot sector infections (PC)
Re: Stoned.Empire.Monkey_B (PC)
Re: 639K mem (PC)
virus in macromedia plug-in (PC)
Re: AntiCMOS virus (PC)
Over 1644 Virus (PC)
Re: McAfee Vshield 2.9 and windows (PC)
xcopy /v ?? (PC)
Re: Where to get a virus check up grade? (PC)
Re: Burglar 1150 virus on a Novel Network -- HELP!!! (PC)
Re: 636k total base memory...virus? (PC)
Re: Wanted TSR checks A: as used (PC)
Re: Virus BYE (PC)
Re: Where to get a virus check up grade? (PC)
Re: Crash or Leningrad virus (PC)
Re: Good scanner with smallest TSR memory footprint (PC)
Re: Identification (not detection): Dr Solomons vs F-Prot (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Wed, 10 Apr 1996 21:48:25 +0000 (GMT)
From: John Elsbury <jelsbur@clear.co.nz>
Subject: Re: Virus Writing? Why Do People Still Do it.
X-Digest: Volume 9 : Issue 50

Alex Ross <alexross@alex01.idiscover.co.uk> wrote:

>My question is, who writes these 

sociopaths

>and where do they come from?

under stones

John

------------------------------

Date: Thu, 11 Apr 1996 00:32:56 +0000 (GMT)
From: Brukhman <brukh3@mars.superlink.net>
Subject: Re: Macro viruses
X-Digest: Volume 9 : Issue 50

The WinWord concept virus is very easy to get rid of.  Searching for a
program that will do it for you is a hassle.  All you have to do is open a
document that is believed to contain the concept virus.  Go to tools and
macro, and remove any macros under the names AAAZAO, AAAZFS, AutoOpen,
PayLoad, and FileSaveAs.  When this is done, click the "Organizer" button,
and make sure that none of these macros are there.  If they are, there is
a good chance that the virus will re-appear.  If you are not sure if a
document has the concept virus, you may check the document by opening it
and searching for a dialog box with a "1" popping up.

------------------------------

Date: Wed, 10 Apr 1996 22:29:16 -0400 (EDT)
From: Devin Knight <dak@pgh.nauticom.net>
Subject: Re: Detecting Trojans
X-Digest: Volume 9 : Issue 50

In post #48 someone was asking about the best way to detect trojans. I
have found the program Red Alert to be my best friend in that regard. It
will safely read the code of any program and tell you what it will do
without executing the program. It will scan your whole drive and look for
ANSI bombs, any mention of "virus" in the program code or delete code in a
program, and warn you. It also looks for format commands hidden in the
code.  You can find it on several of the AV boards on the Web. Red Alert
should be run along with a good virus scanner, as it is a supplement to
scanners, not a replacement.

**************************************************
Devin Knight                  I Don't Do Windows!    
dak@pgh.nauticom.net            
**************************************************

------------------------------

Date: Thu, 11 Apr 1996 11:23:46 +0800
From: Daren Palmer <dpalmer@bunbury.iap.net.au>
Subject: Re: Dr Solomon's Virus Stats (March 96)
X-Digest: Volume 9 : Issue 50

Dear Graham,

Personally, I don't think your posting of statistics on Virus 'hits' was 
a good idea.

I'm sure the authors of the Winword Concept, Empire Monkey, and Parity 
B, if they saw your posting, would be filled with glee at the sight of 
their creations in the top three of the 'UK Virus Charts'.

These sick gits don't need any more encouragement.  I've wasted enough
money and time on troubleshooting anti-virus programmes - not to
mention their sapping memory in the background which could be put to
better use.

I, for one, would like to ask you to refrain from posting it again.

Regards,

Daren Palmer

------------------------------

Date: Thu, 11 Apr 1996 23:10:41 +0300 (EET DST)
From: "Mikko H. Hypponen" <Mikko.Hypponen@datafellows.com>
Subject: Re: LAN antivirus for Windows NT (NT)
X-Digest: Volume 9 : Issue 50

Bertrand de COATPONT <bcoatpon@dialup.francenet.fr> wrote:

> I and my company are looking for a LAN antivirus for Windows NT, 
> client-server if possible and allowing to launch viruses scans from the 
> server to DOS, Win 3.11 and Win 95 workstations. I don't know whether 
> this product is a dream or not ... If you can help !

It is not a dream: F-PROT Professional has a communication mechanism
which allows you to force scans from the administrator's NT/Win95/Win 3.11
machine to all the other workstations in the network at any given time.
You also send version updates and receive notifications of found viruses
with the same mechanism.

F-PROT's communication method is network-independent, so this works in
all the popular networks (NT, WfWG, Novell, Pathworks, Lan Server,
Lantastic, PC/TCP etc).

For local availability info, contact France@F-PROT.com (all F-PROT
Professional distributors can be e-mailed to with this address
convention).

- - 
	 Mikko Hermanni Hyppönen - Mikko.Hypponen@DataFellows.com  
   Data Fellows Ltd's F-PROT Pro Support: F-PROT-Support@DataFellows.com
 Computer virus information available via web: http://www.DataFellows.com/
Paivantaite 8, 02210 Espoo, Finland. Tel +358-0-478444, Fax +358-0-47844599

------------------------------

Date: Wed, 10 Apr 1996 22:15:47 +0000 (GMT)
From: Wayne Riddle <riddler@agate.net>
Subject: Re: F-Prot for Win 95 evaluation version (WIN95)
X-Digest: Volume 9 : Issue 50

Aidas Antanaitis <aidasa@ktl.mii.lt> wrote:

>Does anybody know where it is possible to download an evaluation version 
>of F-Prot for Win 95? 

I don't think there is an evaluation version of F-Prot for Win95, only
for DOS. F-Prot can be found at:

   http://www.datafellows.com/f-prot.htm

Wayne Riddle
riddler@agate.net
http://www.agate.net/~riddler

------------------------------

Date: Wed, 10 Apr 1996 22:12:01 +0000 (GMT)
From: Pete Hodbod <peteyhods@private.nethead.co.uk>
Subject: Re: virus effecting winhelp.exe? (WIN)
X-Digest: Volume 9 : Issue 50

"G.h.van den Berg" <guy@net-prophets.co.uk> wrote:

>Does anyone know of a virus that infects at least winhelp.exe...my
>copy has corrupted lately and when I reinstall it, it corrupts again.
>The version on the install disks is 256,192 bytes; after a Windows
>session that has refused to run winhelp, winhelp.exe is now
>258,150...does anyone know what is going on? I have also noticed a
>drop in system performance of late. Do I have a virus...all the scans
>I have run so far don't detect anything.

From what I've heard you could have the "tentacle" virus which infects
win.help files, and makes other files randomly grow.  This is a very
new virus and so far I don't know of any checkers that can detect it.
That's all I know,
unless anyone else knows otherwise....

Pete.

[Moderator's note:  Tentacle infects Windows New Executable (NE) style
.EXEs, not "win.help" (presumably "Windows Help"--.HLP--files.]

------------------------------

Date: Thu, 11 Apr 1996 14:14:45 +0000 (GMT)
From: Ken Stieers <kstieers@ontrack.com>
Subject: Re: McAfee WSCAN Auto start? (WIN)
X-Digest: Volume 9 : Issue 50

Do the following:

1. Create a profile file with the options you want to run.  This is just a 
simple text file with your command line switches in it.  Call it
profile3.prf.
2. On the command line put WSCAN /LOAD PROFILE3.PRF.  Make sure you mark
the Run Minimized box also. 

Ken 

- - 
Views expressed herein are not necessarily the views 
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               |  Minneapolis - 1.800.872.2599       * 
* AV Research/Apps. Eng.    |  Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  |  Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     |  London - 0800 24 39 96             *
* Eden Prairie, MN          |  Japan - 81.429.32-6365             *
*******************************************************************

------------------------------

Date: Wed, 10 Apr 1996 14:02:07 -0700
From: Tom Simondi <tsimondi@slonet.org>
Subject: Re: Monkey and partitioned drives (PC)
X-Digest: Volume 9 : Issue 50

In article <0039.01I3EEEWQ4GQSKU6UC@csc.canterbury.ac.nz>,
Jarrod Henry <JARRODH@ASMS3.k12.ar.us> penned:

> Here's how it is.  If you have Monkey on a multi partitioned (yes 
> Double / Drive Space users, that means you), and you run FDISK /MBR, 
> it is gone.  You have to reformat and start over.  I know this 
> because I sent my computer in, and those idiots ran FDISK with the 
> MBR command, and shot my hard drive out of the water.  

Actually, you can recover. You can decode the original partition
information the Monkey stored and put it back or many AV programs
will do that for you, even after FDISK /MBR.

> The reason is this....  (I think)
> 
> You replace the partitioned (and infected) header with a normal 
> (unpartitioned) header.  This causes the disk to not understand how 
> to read itself.  Thus, all data is lost.  (unless you wish to rewrite 
> your MBR by use of a disk utility.

Actually, Monkey encrypts the MBR and stores it elsewhere on the
disk and then replaces the MBR with its own code. When you FDISK /MBR
you replace the virus code, but the partition info can no longer be
seen because it is encrypted and there is now no virus code to
decrypt it on the fly.

AV software can find the original encrypted information, decode it
and replace it. A reformat is almost NEVER necessary.

- - 
=-=- Tom Simondi -=-= Visit the Computer Knowledge home page -=-=
=-=- http://www.slonet.org/~tsimondi/ck.htm      -=-=-=-=-=-=-=-=
=-=- E-mail: 75655.210@compuserve.com -or- tsimondi@slonet.org -=

------------------------------

Date: Wed, 10 Apr 1996 22:33:01 +0000 (GMT)
From: volker Biedermann <100343.3164@compuserve.com>
Subject: ripper-virus, who can help (PC)
X-Digest: Volume 9 : Issue 50

I have a problem with the *ripper-virus*. I found the virus with the
scan/vshield program from McAfee. I got these programs from the 
SCNI22CE.ZIP file, which I found on my local BBS.

My main problem is, how to TERMINATE the ripper-virus? Which 
software or treatment do you suggest? Can you help me?

Bye,

Volker Biedermann
100343.3164@compuserve.com

------------------------------

Date: Thu, 11 Apr 1996 01:59:45 -0500
From: "R. Zalk" <ez-zone@netmedia.net.il>
Subject: Re: Beethoven?? (PC)
X-Digest: Volume 9 : Issue 50

For starters update your McAfee at www.mcafee.com. There are at least 
8000 viruses and more added daily! Or any other qualified program. If
this is a virus, you could be right as far as it attacking the CMOS 
and/or BIOS.

------------------------------

Date: Thu, 11 Apr 1996 02:03:21 -0500
From: "R. Zalk" <ez-zone@netmedia.net.il>
Subject: Re: Cmos-corrupting Virus (Monkey?) (PC)
X-Digest: Volume 9 : Issue 50

Are you sure this isn't a case of replacing the battery backup?

------------------------------

Date: Thu, 11 Apr 1996 02:06:08 -0500
From: "R. Zalk" <ez-zone@netmedia.net.il>
Subject: Re: CONCEPT/Wordperfect macro:really no cure? (PC)
X-Digest: Volume 9 : Issue 50

Re-install Word. If at all possible, remove your current version. Then 
you can narrow down specific files [DOC] with the problem and then cut 
and paste to a new DOC. This usually does the trick.

------------------------------

Date: Wed, 10 Apr 1996 14:47:11 -0500
From: "david.j.ahnen" <ahnen@att.com>
Subject: virus or hardware problem? (PC)
X-Digest: Volume 9 : Issue 50

My sister was babysitting my brother's PC while he was out of the
country when it started to behave badly. She referred the problem
to me, but I'm not sure what I might be dealing with here.  Perhaps
someone has some insight that they can lend.

The system is a 386 16 with 4 Meg of memory.  The behavior problems
consist of the system locking up not long after a reboot.  The lock-up
does not discriminate against any program that may be running at the
time.  It locks up both in and out of Windows - while a program is
executing or while nothing is running (I come back to the keyboard
after a while and hit CR only to get no response.)  I don't know if
this is a hardware problem, or if the system somehow was infected with
a virus.

Since I suspected a virus, I reformatted the 42 Meg hard drive, and
began re-installing the operating system (Dos 6.2 and windows 3.1)
I think I got most of it reinstalled, however the system began locking
up again.

There is one strange behavior that I was able to get the machine to
repeat regularly, however I don't know if it is significant or not.
Upon rebooting the machine (hard reboot), the boot sequence runs through
the memory check.  The memory check can be skipped by hitting the
ESC key.  After the first reboot, hitting the escape key exits the
memory check as it should.  However, after the system locks up, I 
reboot the system again (soft reboot, by pushing the reset button).
Again, it begins to run through the memory check, but this time in
order to cancel it, I must hit the ESC key twice.  When I reboot again,
I have to hit the ESC key three times to kill the memory check.  Like
I said, I'm not sure about the significance of this, but I find this
to be very strange, and it is the only other evidence that I can pass
along.

Any help would be greatly appreciated.

Thanks,
Dave Ahnen
ahnen@att.com

[Moderator's note:  Sounds and "feels" like a hardware problem.  IMHO,
most likely a poor/dirty connection somewhere, though it could be caused
by a component overheating (this can be -very- localized).  In a machine
of that age, be careful if you decide to reseat the SIMMs yourself (if it
has SIMMS!), as some of the early plastic SIMM sockets are getting quite
fragile now, and the locator or latch lugs can be easily broken off.]

------------------------------

Date: Wed, 10 Apr 1996 19:43:34 -0500 (CDT)
From: Hank Skelton <SKELTON@CCVAX.MMC.EDU>
Subject: Batman 2.2844 (PC)
X-Digest: Volume 9 : Issue 50

We are digging out from an epidemic of Batman 2.2844.  Shortly after 
April 1 (is that date significant?) PC users of two of our three 
Netware 3.12 servers began complaining that their PCs were "acting 
funny".  We ran F-Prot V2.22 and McAfee (don't remember the version 
but just downloaded), and neither found anything.  We noticed some 
.EXE files were 12 bytes larger than they should be.  We then ran Dr 
Solomon's FINDVIRU V2.58 and it reported Batman 2.2844 in many (if 
not all) .EXE files.  FINDVIRU/REPAIR cleaned it but left the .EXE 
files 12 bytes larger than normal.  

There were several concomitant symptoms.  Many files in the /DOS 
directory simply disappeared.  A few .DOC files were corrupted.  
Some of the PCs showed bogus and recursive directories named 
/NAWIAT/NAWIAT/NAWIAT/... (TAIWAN spelled backwards); SCANDISK took 
care of this.  The two servers were pretty well trashed and were 
essentially rebuilt from scratch.  The third server wasn't affected; 
it's separated from the other two by a spanning-tree bridge, but I 
don't know if that's why it wasn't hit.  An NT 3.51 server was also 
unaffected.

Can anybody tell me more about this beast?  I assume it's pretty new 
since the latest versions of F-Prot and McAfee both missed it.  

	   Hank Skelton - Meharry Medical College
	     Nashville TN 37208   615/327-6231
		       SKELTON@MMC.EDU 

------------------------------

Date: Thu, 11 Apr 1996 00:49:45 +0000 (GMT)
From: F/WIN Anti-Virus Support/Ordering <fwin_sup@ix.netcom.com>
Subject: Re: HELP with unknown virus (PC)
X-Digest: Volume 9 : Issue 50

In <0037.01I3A48NCMPISH3CBI@csc.canterbury.ac.nz> DWL
<weite@ix.netcom.com> writes: 

>I got an unknown virus. 
>
>The report from anti-virus programs:
>
>MS-antivirus: checksum error
>TBAV: the file has been changed
>McAfee: no virus found
>F-PROT: no virus found
>
>- It mostly happens to the *.exe files under c:\windows. 
>- The size of the *.exe grows.
>- The winhelp.exe corrupted first.
>
>I have reinstalled the Windows 3.11 many times but the symptoms come
>out after a while.
>
>I appreciate if someone can help me with this problem.

This sounds a bit like Tentacle, which specifically targets
the C:\WINDOWS directory (as well as others).  Perhaps it's a
new variation on Tentacle.  In any event, may I suggest the
following:

1.  Boot the PC from a clean, uninfected floppy.  If
    you're dealing with a memory resident virus that has good
    enough stealth capabilities to hide from the scanners you've
    already used, this is the best way to defeat its defenses.
    Also, if it's a retro virus that has targeted these AV
    products in an attempt to disable them, again, booting from
    a floppy and running the AV software from the floppy can
    defeat that as well.

2.  Try rerunning F-PROT from the floppy, pointing at the
    C:\WINDOWS directory and using the /PARANOID option.  You
    may get some false alarms, but you may also identify the
    infected files.  Also try running TBAV using high 
    heuristics.  If it is indeed a new virus, the McAfee
    product probably won't be any help because it lacks
    heuristic scanning capabilities.

3.  If you are dealing with a variant of Tentacle, then
    F/WIN Anti-virus will probably both detect and remove it.
    I won't waste bandwidth here, but check out F/WIN's
    web site for a list of these kinds of viruses and new,
    unknown strains of them that F/WIN can detect and 
    remove.

I would also encourage you to send copies of some of the 
files that have grown in size to F-Prot and TBAV support.
You may also send them to F/WIN support for evaluation.
If you are dealing with something new, any of them should
be able to tell you pretty quickly.

Gary Martin            
Computer Virus Solutions    E-mail:  fwin_sup@ix.netcom.com
Voice:   (614) 337-0995     Fax:     (614) 476-6884
WWW: http://www.entrepreneurs.net/fwin/index.html 
Authorized Distributor of F/WIN Anti-Virus

------------------------------

Date: Wed, 10 Apr 1996 23:43:22 +0000 (GMT)
From: Bruce Hore <AUMSad01.WZ6MT9@EDS.COM>
Subject: Re: Winword/Scanprot/FProt questions (PC)
X-Digest: Volume 9 : Issue 50

I have contacted Datafellows to get a response concerning F-Prot.

They tell me that version 2.23 (2.22 has been released recently)
"should" have the ability to zero the Macro String.

I wait patiently for this release.

Bruce
aumsad01.wz6mt9@eds.com

------------------------------

Date: Wed, 10 Apr 1996 21:15:41 -0400
From: MKW94 <mkw94@aol.com>
Subject: Re: Crash or Leningrad virus (PC)
X-Digest: Volume 9 : Issue 50

In article <0028.01I3D16BVIK2SH3CBI@csc.canterbury.ac.nz>, MKW94
<mkw94@aol.com> writes:

>After doing some looking on the WWW on virus info, I found the same
>exact picture at <http://www.datafellows.fi/v-pics/>. (Screen shots of 
>Computer Viruses). The one called "Crash or Leningrad". The info on 
>this web site is temporarily out of order. I was wondering if any of the 
>people here could give me info on this virus??

After more checking..... in the file of <msdos.sys> I found <;FORMAT> !!
Now I know I had a virus! Which one would write <;format> to that file??

When would this command be executed? I'm assuming the <;> is a "rem"
statement preventing it from being executed. Any suggestions would be
helpful.

Mark Whaley
MKW94@aol.com
Ohio  USA

------------------------------

Date: Wed, 10 Apr 1996 21:50:38
From: ruben@ralp.satlink.net
Subject: Re: Is ANTI-CMOS B able to change cmos-settings? (PC)
X-Digest: Volume 9 : Issue 50

Sat, 06 Apr 1996 13:45:34 -0500 Stematt <stematt@aol.com> wrote:

>Today, I detected an AntiCMOS B virus in the boot sector. To clean my
>harddisk I shut down my system (W95) and then tried to reboot from a
>clean floppy disk (MS-DOS 6.0 with McAfee's newest DOS scan). But no
>chance. Every time I try to boot from floppy disk my system stops.
>(Reading floppy disks with the W95 explorer is no problem). Does ANTICMOS
>prevent me from booting? Has ANTICMOS changed or "damaged" my
>CMOS settings (boot sequence is still A: C: / boot from floppy is enabled)?
>What can I do????

First of all, you may check the CMOS settings.
(Maybe something in the CMOS changed.)

- Boot sequence (A: C:)
- Drive A, is it enabled?

Then, try to repair your system with any reputable AV.
You'll have NO problem doing this, but don't let Win 95 start.
(Repair the damage from DOS; if you have any problem with the CMOS
configuration, for example with the HD, try autodetection, which detects the
parameters of your hard disk.)

I strongly recommend Integrity Master (current version is 2.61b).
With this software you can also save vital parts of your machine
(boot sector, partitions and CMOS) and restore them if necessary.

Regards

Ruben Arias
- ------------------------------------------------------------------------------
 Ruben M. Arias                                _   _      _                    
					      | ) |_| |  |_)                   
					      | \ | | |_ |                     
 E-Mail: Ruben@RALP.Satlink.net                                                
 Buenos Aires - ARGENTINA            RALP - Computer Security - Virus          
- ------------------------------------------------------------------------------

------------------------------

Date: Thu, 11 Apr 1996 01:41:41 +0000 (GMT)
From: Shane Coursen <scoursen@symantec.com>
Subject: Re: Stoned that Went Away & AntiCMOS in SUHDLOG.DAT (PC)
X-Digest: Volume 9 : Issue 50

In article <0029.01I3D16BVIK2SH3CBI@csc.canterbury.ac.nz>, 
dfionda@misinc.com says...

>First, why did it not tell me that it wiped out the Stoned virus?  I then 
>went to install McAfee VirusScan for Windows 95 and it found a file that 
>was infected by AntiCMOS.  The file name is SUHDLOG.DAT, an * K file.  In 
>printing it out, it looks like some hard disk information.  McAfee 
>offered to erase it and told me to reload it from the original source, but 
>I cannot find it on the Win 95 CD.  From everything I have researched, 
>AntiCMOS is not supposed to infect files?

When installing Win95, a file named SUHDLOG.DAT is created.
Within SUHDLOG.DAT are images (2 ea. I believe) of what the
master boot record (MBR), and boot sector (BS) were *prior*
to installing Win95.

If, prior to installing Win95, your computer is infected with
an MBR or BS virus, the infected MBR/BS image will be copied
into SUHDLOG.DAT.

The reasoning behind SUHDLOG.DAT is as follows:  If you elect
to uninstall Win95, the original MBR and BS images will be
transferred from SUHDLOG.DAT back to the appropriate locations.
To my knowledge (and Microsoft technical support's) SUHDLOG.DAT is
used only by the Win95 UNINSTAL program.

I guess that was a long answer to a short question.  The short
answer to the same question is that SUHDLOG.DAT is not infectious
_unless_ you UNINSTAL Win95.

- --
Shane Coursen                                        Symantec Corporation
Computer Virus Researcher                http://www.symantec.com/avcenter
AntiVirus Research Center                                 CIS:  GO SYMWIN
scoursen@symantec.com                                           GO SYMNEW
      US Support:  541-465-8420                            AOL:  SYMANTEC
European Support:  31-71-353-111       Australian Support:  61-2-879-6577

------------------------------

Date: Wed, 10 Apr 1996 21:37:31
From: ruben@ralp.satlink.net
Subject: Re: Stoned.Empire.Monkey_B (PC)
X-Digest: Volume 9 : Issue 50

Sat, 06 Apr 1996 17:21:54 +0000 (GMT) "B. Gilbert"
<bgilbert@blue.weeg.uiowa.edu> wrote:

>>In article <0022.01I2G0808C12RI5O92@csc.canterbury.ac.nz>,
>>Virex1<virex1@aol.com> says:

>>>I had a floppy disk infected with the Stoned.Empire.Monkey_B virus, while
>>>attempting to disinfect the floppy I ended up infecting my internal HD by
>
>I too seem to have this Stoned Empire Monkey virus, on a friend's
>machine.  When I boot from a clean floppy, C: is not recognized.

This is normal with Monkey. You can read your hard disk ONLY if the virus
is present in memory.
If you boot clean, the virus is NOT in memory and you cannot read the HD.

>F-Prot finds the infected MBR, but doesn't see the hard disk (!).
>Otherwise the machine seems to boot and run fine.
>The last time this happened (with this same virus) I tried the fdisk
>/mbr, but this rendered the hard disk unbootable.  I had to do a
>complete restore from tape, and then clean the restored files before
>the MBR reinfected.

The million-dollar question is:
why didn't you proceed the same way on your friend's machine????
All you need with Monkey is to boot clean and then run the AV.

>Have I missed a step?  I'm reluctant to try the fdisk /mbr again!

Yes, you missed the principal step.

PLEASE DON'T RUN FDISK /MBR IF THE MACHINE IS INFECTED WITH MONKEY.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

After restoring ALL the files, boot clean and run the AV (F-Prot) again.
It will solve your problem.

Regards

Ruben Arias
- ------------------------------------------------------------------------------
 Ruben M. Arias                                _   _      _                    
					      | ) |_| |  |_)                   
					      | \ | | |_ |                     
 E-Mail: Ruben@RALP.Satlink.net                                                
 Buenos Aires - ARGENTINA            RALP - Computer Security - Virus          
- ------------------------------------------------------------------------------
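
The Monkey behaviour that Tom Simondi's and Ruben's replies above describe (original MBR encrypted and parked elsewhere, sector 0 unusable without the virus resident, FDISK /MBR not helping, a recovery tool putting the parked copy back), as an added example that is not from either poster. It models a constructed 64-sector disk image in Python; the single-byte XOR key 0x2E and backup sector 3 are hypothetical stand-ins for the demonstration, not Monkey's real scheme.

```python
import struct

SECTOR = 512
SIG = b"\x55\xaa"          # MBR boot signature at offset 510
IMAGE_SECTORS = 64         # constructed image size; plenty for the demo
BACKUP_LBA = 3             # hypothetical sector holding the parked original MBR
XOR_KEY = 0x2E             # hypothetical single-byte key; not Monkey's real scheme
ENTRY = "<B3sB3sII"        # boot flag, CHS start, type, CHS end, LBA start, sectors


def pack_entry(boot, ptype, start_lba, size):
    """One 16-byte partition-table entry; CHS fields left as zeros."""
    return struct.pack(ENTRY, boot, b"\0\0\0", ptype, b"\0\0\0", start_lba, size)


def make_clean_mbr():
    """A plausible healthy MBR: stand-in boot code, one bootable FAT16 partition."""
    code = b"\xfa\x33\xc0" + b"\x90" * 443                      # 446 bytes
    table = pack_entry(0x80, 0x06, 63, 100_000) + pack_entry(0, 0, 0, 0) * 3
    return code + table + SIG


def parse_partitions(sector):
    """Return the non-empty partition entries of a sector, or None if the sector
    does not hold a sane partition table (what a clean-booted DOS would see)."""
    if len(sector) != SECTOR or sector[510:512] != SIG:
        return None
    parts = []
    for i in range(4):
        boot, _, ptype, _, start, size = struct.unpack_from(ENTRY, sector, 446 + 16 * i)
        if boot not in (0x00, 0x80):
            return None
        if ptype == 0:                       # unused slot must be entirely zero
            if boot or start or size:
                return None
            continue
        if start == 0 or size == 0:
            return None
        parts.append((ptype, start, size))
    return parts or None


def constructed_infected_image():
    """Disk image in the state the posts describe: the original MBR is XOR-encrypted
    and parked in another sector, and sector 0 carries stand-in code with no
    usable partition table (the resident virus would decrypt the copy on the fly)."""
    disk = bytearray(SECTOR * IMAGE_SECTORS)
    original = make_clean_mbr()
    disk[BACKUP_LBA * SECTOR:(BACKUP_LBA + 1) * SECTOR] = bytes(b ^ XOR_KEY for b in original)
    disk[0:SECTOR] = b"STAND-IN SECTOR 0 CODE".ljust(510, b"\x90") + SIG
    return disk


def view_with_virus_resident(disk):
    """What the running system sees while the virus is in memory: reads of sector 0
    are answered with the decrypted parked copy (modelled here, not intercepted)."""
    raw = disk[BACKUP_LBA * SECTOR:(BACKUP_LBA + 1) * SECTOR]
    return parse_partitions(bytes(b ^ XOR_KEY for b in raw))


def fdisk_mbr(disk):
    """FDISK /MBR: rewrite the 446 bytes of boot code and keep whatever partition
    table bytes sector 0 already holds. Here those bytes were never valid."""
    disk[0:446] = b"\xfa\x33\xc0" + b"\x90" * 443
    disk[510:512] = SIG


def recover_original_mbr(disk):
    """What a recovery tool does: look for a sector that decrypts to a sane MBR
    under some single-byte XOR key and write it back to sector 0.
    Returns (lba, key) on success, else None. Works even after FDISK /MBR."""
    for lba in range(1, len(disk) // SECTOR):
        raw = disk[lba * SECTOR:(lba + 1) * SECTOR]
        for key in range(256):
            # Cheap pre-check on the signature bytes before decrypting the sector.
            if (raw[510] ^ key) != 0x55 or (raw[511] ^ key) != 0xAA:
                continue
            candidate = bytes(b ^ key for b in raw)
            if parse_partitions(candidate):
                disk[0:SECTOR] = candidate
                return lba, key
    return None


def walkthrough():
    """Run the scenario end to end and return what each step sees."""
    disk = constructed_infected_image()
    steps = {}
    steps["virus_resident_sees"] = view_with_virus_resident(disk)  # C: visible
    steps["clean_boot_sees"] = parse_partitions(disk[0:SECTOR])    # None: no C:
    fdisk_mbr(disk)
    steps["after_fdisk_mbr"] = parse_partitions(disk[0:SECTOR])    # still None
    steps["recovered_at"] = recover_original_mbr(disk)             # (3, 0x2E)
    steps["after_recovery"] = parse_partitions(disk[0:SECTOR])     # C: back
    return steps


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```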

------------------------------

Date: Wed, 10 Apr 1996 22:00:23
From: ruben@ralp.satlink.net
Subject: Re: Crash or Leningrad virus (PC)
X-Digest: Volume 9 : Issue 50

Sat, 06 Apr 1996 09:03:16 -0500 MKW94 <mkw94@aol.com> wrote:

>I *had* what I now think was this virus, but cannot confirm it.
>About 2 months ago, my PC done something really *weird*.
>
>All the directories were doubled on the HD. (not all, but 90%).  I
>originally attributed it to a failed HD.

This could happen sometimes if you abort a process while your HD is
working.  I remember some time ago I halted a process and my directory tree
grew and doubled a lot.

To solve this (if this is NOT a virus) you could use Norton Disk Doctor.
	       ^^^^^^^^^^^^^^^^^^^^^^
>Saved what files I could get to on floppies. After I purchased a new HD and 
>installed all the old files....I discovered something. Some of the data in a 
>text document was missing and contained *weird* characters. While I was 
>trying to delete those characters, the PC screen went to a checkerboard maze 
>of different colored squares...some blinking. The PC was locked up and I
>had to re-boot. 
>
>After doing some looking on the WWW on virus info, I found the same
>exact picture at <http://www.datafellows.fi/v-pics/>. (Screen shots of 
>Computer Viruses). The one called "Crash or Leningrad". The info on 
>this web site is temporarily out of order. I was wondering if any of the 
>people here could give me info on this virus??

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Crash (Leningrado)

Size 543 (another variant of 600 bytes exists)
*.COM file infector // non-TSR.
Activation date: Friday the 13th.
Displays the message "That could be a crash, crash, crash!"
Sometimes types random characters on the screen.

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Regards

Ruben Arias
- ------------------------------------------------------------------------------
 Ruben M. Arias                                _   _      _                    
					      | ) |_| |  |_)                   
					      | \ | | |_ |                     
 E-Mail: Ruben@RALP.Satlink.net                                                
 Buenos Aires - ARGENTINA            RALP - Computer Security - Virus          
- ------------------------------------------------------------------------------

------------------------------

Date: Thu, 11 Apr 1996 02:21:19 +0000 (GMT)
From: Kevin Grant <K.Grant@its.gu.edu.au>
Subject: Re: Good scanner with smallest TSR memory footprint (PC)
X-Digest: Volume 9 : Issue 50

"Chastain, Brian" <chastaib@stifel.com> wrote:

>I just subscribed to the list, and I downloaded and read the FAQ like a 
>good boy.  I have a question that was not answered on the FAQ but may have 
>been discussed in previous postings.  If that's the case, I apologize for 
>the duplication - please point me towards the appropriate digests if you 
>think that would help me.
>
>We're beginning to have some problems with viruses here, notably the 
>FORM virus.  While this isn't a destructive virus, it is, nevertheless, a 
>pain in the butt.  Anyway, my boss wants me to look into virus detection
>for our company.  Myself and several others in my department are using
>Norton's Anti-Virus, and it seems to be working nicely.
>
>My main concern, however, is memory overhead.  The NAVTSR occupies 30K 
>of RAM.  I took a look at F-PROT, and their TSR occupies over 40K of RAM.

Just a quick note.  This is straight from the F-Prot Virstop doco:

VIRSTOP supports the following command-line switches:

	/DISK:X - do not store search strings in memory, but read them
	in from disk when necessary.  This reduces the memory requirements
	down to around 3500 bytes.  The :X indicates which drive to use to
	store the two "swap" files, _VIRSTOP.TMP (which stores the part
	of memory overwritten by VIRSTOP) and _VIRSTOP.SWP, which is a
	copy of VIRSTOP.EXE, allowing the original copy to be updated
	while VIRSTOP is running.

I use this method and although the TSR takes longer to load it is pretty 
effective.

Kev

- -----------------------------------------------------------------------
Kevin Grant                                        K.Grant@its.gu.edu.au
Griffith University                                            Australia
- -----------------------------------------------------------------------

------------------------------

Date: Wed, 10 Apr 1996 22:46:13 -0400 (EDT)
From: Devin Knight <dak@pgh.nauticom.net>
Subject: Re: Good scanner with smallest TSR memory footprint (PC)
X-Digest: Volume 9 : Issue 50

By far the smallest TSR I have found and the best IMHO is
Thunderbyte; if you load the program using EMS or XMS it will
take less than 2K of RAM. You must usually have 4MB of RAM
or higher to take advantage of this; with computers running
less you will have the same problem of using close to 30K.
Thunderbyte also gives the option of loading into memory only
viruses found in the wild. This will save considerable memory
if RAM is a problem; also, this option with XMS will use only
1K of your conventional memory. Hope this can be of help.

Not sure of this but, believe I heard that the F-Prot Professional
Version had an option of loading into XMS and took about 5K.
This is the professional version and not an option on the shareware.
If I am wrong on this, I am sure I will be corrected.

**************************************************
Devin Knight                  I Don't Do Windows!    
dak@pgh.nauticom.net            
**************************************************

------------------------------

Date: Thu, 11 Apr 1996 02:44:07 +0000 (GMT)
From: MIKE SHEETS <mother@aztec.asu.edu>
Subject: FORM_D (PC)
X-Digest: Volume 9 : Issue 50

I am seeking information describing the virus FORM_D.

Thank you, Mike Sheets

------------------------------

Date: Thu, 11 Apr 1996 03:58:58 +0000 (GMT)
From: rogue419@usa.pipeline.com
Subject: Re: Beethoven?? (PC)
X-Digest: Volume 9 : Issue 50

Sounds like Beethoven but from what I know the infection is rare. 
Try downloading the newest version of McAfee that you can find. 
And search some hacker news groups. They can be quite helpful in such
situations. 

			   J-man

------------------------------

Date: Wed, 10 Apr 1996 22:36:23 -0700
From: Ron Martell <rmartell@islandnet.com>
Subject: Re: ripper virus (PC)
X-Digest: Volume 9 : Issue 50

Peter Young-Hong <pyoung-hong@dynamic.ca> wrote:

>I have a ripper virus.
>
>I tried using FPROT to clean the virus.  However, FPROT returns the 
>message "ALERT!  Multiple sections infection have been found.  This 
>means that the section which should contain the original boot sector is 
>itself infected.  FPROT will not attempt to remove the virus."  Can I 
>clean this virus without formatting my hard drive?

I have only encountered the Ripper virus on one computer so far.  That
one was cleaned up okay by Dr. Solomon with no apparent data loss.

Ron Martell     Duncan B.C.    Canada

"Anyone who thinks that they are too small to make a difference
has never been in bed with a mosquito."

------------------------------

Date: Thu, 11 Apr 1996 09:57:07 +0100
From: "David W. Hanson" <hansond@afrc.garmisch.army.mil>
Subject: RE: Good scanner with smallest TSR memory footprint (PC)
X-Digest: Volume 9 : Issue 50

From: "Chastain, Brian" <chastaib@stifel.com>

>We're beginning to have some problems with viruses here, notably the
>FORM virus.  While this isn't a destructive virus, it is,
>nevertheless, a pain in the butt.  Anyway, my boss wants me to look
>into virus detection for our company.  Myself and several others in my
>department are using Norton's Anti-Virus, and it seems to be working
>nicely.
>
>My main concern, however, is memory overhead.  The NAVTSR occupies 30K
>of RAM.  I took a look at F-PROT, and their TSR occupies over 40K of
>RAM.

One thing that you should do immediately, wherever possible, 
is disable booting from diskette on every PC that has that option in the 
setup.  Nearly all newer BIOS have an option, either to disable 
diskette booting or to set up the boot order so that the hard drive 
comes first.

What that will do is completely eliminate the boot sector as an 
avenue for infection.  FORM is a boot sector infector.

If you need to boot from diskette at a later time (for instance, to 
get a clean boot to remove a file-infecting virus), you simply go 
into setup before you boot to enable diskette booting.  And of 
course, you remember to disable diskette booting when you are 
finished.

This solution costs only the time it takes to run setup on each 
machine, and requires no precious RAM.  It is a permanent solution 
that eliminates one entire class of infections.  It is something that 
you should do to every new machine that you set up.

If there is no mention of this in the FAQ, there -certainly- should 
be.

That said, this does not eliminate the need for, or replace scanners 
or resident protection.  I will leave that recommendation to others.

David Hanson
Armed Forces Recreation Center Europe
Garmisch-Partenkirchen Germany
hansond@afrc.garmisch.army.mil


------------------------------

Date: Thu, 11 Apr 1996 09:32:08 +0000 (GMT)
From: Pavel Machek <machek@atrey.karlin.mff.cuni.cz>
Subject: Re: Multiple boot sector infections (PC)
X-Digest: Volume 9 : Issue 50

Antonio Godinho (antonio@nambu.uem.mz) wrote:
: I have had several problems of multiple boot sector infections on my
: computers and have never managed to clean them. Does anyone know if
: and how it can be done? From what I gathered the infections where of
: the UNASHAMED and ANTIEXE.a viruses. I tried using Dr. Solomon's
: toolkit 7.56, F-prot 222 and  Thunderbyte 6.38 but all these failed.
: Since I did not have access to the Hard disks in any of the cases, I
: had to fdisk and reformat the hard disks.

So you had more than one virus, and you could not clean it?
Well, I use the following scheme to do such things: (It proves that 
computer viruses CAN be usable after all...)

  I have one floppy (I have to pay a lot of attention when working with
it :-( ) with the ANTICMOS virus. When you boot from such a floppy, it replaces
the original master boot sector with itself, thereby killing any viruses but installing
a new one. But after that, I'm able to boot up and launch *something* (usually
a disk editor, but scan would do the job) to destroy ANTICMOS.

  Nice way of removing viruses, isn't it?

------------------------------

Date: Thu, 11 Apr 1996 06:06:06 -0400
From: "Bruce P. Burrell" <bpb@umich.edu>
Subject: Re: Stoned.Empire.Monkey_B (PC)
X-Digest: Volume 9 : Issue 50

B. Gilbert (bgilbert@blue.weeg.uiowa.edu) wrote:

> >In article <0022.01I2G0808C12RI5O92@csc.canterbury.ac.nz>,
> >Virex1<virex1@aol.com> says:
> 
> >>I had a floppy disk infected with the Stoned.Empire.Monkey_B virus, while
> >>attempting to disinfect the floppy I ended up infecting my internal HD by
> 
> I too seem to have this Stoned Empire Monkey virus, on a friend's
> machine.  When I boot from a clean floppy, C: is not recognized.
> F-Prot finds the infected MBR, but doesn't see the hard disk (!).
> Otherwise the machine seems to boot and run fine.
> 
> The last time this happened (with this same virus) I tried the fdisk
> /mbr, but this rendered the hard disk unbootable.  I had to do a
> complete restore from tape, and then clean the restored files before
> the MBR reinfected.
> 
> Have I missed a step?  

   Try F-PROT /HARD /DISINF  after a clean floppy boot.

> I'm reluctant to try the fdisk /mbr again!

   And well you should be; it's demon spawn, at least when not 
recommended by an expert.

   JUST SAY NO TO FDISK/MBR !!

   -BPB

[Moderator's note:  I agree fully with Bruce here.  Unless you -really-
know what you are doing, FDISK /MBR is outright dangerous.  Read the FAQ
for guidelines on its use and to get an idea of why it is increasingly a
bad idea to "try fdisk /mbr" as so many "would-be experts" recommend.]

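As an added, defender-side illustration of why the master boot record matters in this thread (this is example code written for this digest, not code from the original posts or from F-PROT, FDISK or any other product named here): a small Python checker that parses a 512-byte MBR image, validates the 55AA signature and the partition table, and compares the boot-code hash against a baseline recorded when the machine was known clean. The sample sectors are constructed inline. In this model, the symptom quoted above (C: not recognised after a clean floppy boot) corresponds to a record whose partition table is empty, which replacing the boot code alone would not repair; that is the class of case where keeping a saved copy of the clean MBR, and a hash of it, pays off.

```python
import hashlib
import struct

# Layout of a classic 512-byte master boot record.
MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
PART_ENTRY_SIZE = 16             # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"          # last two bytes of a valid sector
ENTRY_FORMAT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def make_entry(status, ptype, lba_start, sectors):
    """Build one partition-table entry (CHS fields are filled with 0xFF; the LBA
    fields are what the checks below rely on)."""
    return struct.pack(ENTRY_FORMAT, status, b"\xff" * 3, ptype, b"\xff" * 3,
                       lba_start, sectors)


def build_sample_mbr(entries, boot_code=b"\xfa\x33\xc0\x8e\xd0"):
    """Assemble a 512-byte sector image from boot code and partition entries.
    This is constructed sample data, not a sector read from a real disk."""
    code = boot_code.ljust(PART_TABLE_OFFSET, b"\x00")
    table = b"".join(entries).ljust(4 * PART_ENTRY_SIZE, b"\x00")
    return code + table + SIGNATURE


def parse_mbr(data):
    """Split a sector into boot-code hash, signature flag and non-empty partition entries."""
    if len(data) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(
            ENTRY_FORMAT, data[off:off + PART_ENTRY_SIZE])
        if ptype != 0:                        # type 0 marks an unused slot
            partitions.append({"active": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "signature_ok": data[MBR_SIZE - 2:] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(data[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(data, baseline_boot_hash=None):
    """Return a list of findings about the sector; an empty list means it looks sane.
    baseline_boot_hash is the SHA-256 recorded from the same machine when it was
    known clean, so any later change to the boot code stands out."""
    info = parse_mbr(data)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 55AA boot signature")
    if not info["partitions"]:
        findings.append("partition table is empty: no volume would be found from a clean boot")
    else:
        active = [p for p in info["partitions"] if p["active"]]
        if len(active) != 1:
            findings.append(f"{len(active)} active partitions (expected exactly 1)")
        spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"])
                       for p in info["partitions"])
        for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
            if start_b < end_a:
                findings.append("overlapping partition entries")
                break
    if baseline_boot_hash and info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from the recorded clean baseline")
    return findings


# Constructed samples: a clean record with one active FAT16 partition, and a
# record whose boot code has been replaced and whose partition table is gone.
CLEAN_MBR = build_sample_mbr([make_entry(0x80, 0x06, 63, 1_048_513)])
CLEAN_BOOT_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
DAMAGED_MBR = build_sample_mbr([], boot_code=b"\xeb\x1c\x90")

if __name__ == "__main__":
    print("clean:  ", check_mbr(CLEAN_MBR, CLEAN_BOOT_HASH))
    print("damaged:", check_mbr(DAMAGED_MBR, CLEAN_BOOT_HASH))
```

The baseline hash is the useful part in practice: record it (and a raw copy of the sector) while the machine is known clean, and a later mismatch tells you the boot code changed before you decide how to restore it.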
------------------------------

Date: Thu, 11 Apr 1996 10:46:19 +0000 (GMT)
From: Richard Evans <evansr@europa.lif.icnet.uk>
Subject: Re: 639K mem (PC)
X-Digest: Volume 9 : Issue 50

qifei (qifei@server20.hust.edu.cn) wrote:

: I have a Compaq 586. The basic memory of this machine is always
: 639K when I test it with "mem" command,even when I reboot it with a clean
: DOS soft disk. Then I think the virus maybe in CMOS. But after I clean up
: the CMOS, there is still 639K basic memory in the memory.
: 
: The "virus" has two signs:
:     a.) The machine often warns me that there is not enough memory to run
: software.
:     b.) The virus automatically sets a password on CMOS.

A virus can not be loaded from CMOS, as there is nothing in CMOS
that is actually executed. If this is a virus it is more likely
that it has also infected your floppy disk. Hence the same
symptoms when you boot from the floppy.

Another point, I am not sure that finding 639K is a sign of a
virus. Can you remember if there was ever a time when you found
more than 639K?

------------------------------

Date: Thu, 11 Apr 1996 19:44:22 +0530
From: Parameshwar Babu <p.babu@giasmd01.vsnl.net.in>
Subject: virus in macromedia plug-in (PC)
X-Digest: Volume 9 : Issue 50

I use Scan V.2.2.6 for dos, McAfee

I downloaded macromedia plug-in for Netscape.
I got the report like this in my machine:

Scanning C: [DRIVE1VOL00]
C:\NETSCAPE\PLUGINS\NP16DSW\MACROMIX.DLL
	Found the SMEG virus or variant

Is this really true? Why should Macromedia do such a thing!
I invite comments from you all.

Regards
B.P.Babu

------------------------------

Date: Thu, 11 Apr 1996 15:16:28 +0000 (GMT)
From: Glen Mann <gmann@haven.ios.com>
Subject: Re: AntiCMOS virus (PC)
X-Digest: Volume 9 : Issue 50

crash n' burn... (juhari@teleview.com.sg) wrote:

: Hi, i need help with my PC. I am currently using WIN95 and occasionally I 
: get a general protection fault failure and whatever that was running had 
: to be shut down. I used McAfee's Scan95 and it did not detect the 
: presence of any virus. A friend of mine used my PC and when he 
: transferred some files over to his PC (by diskette), he detected the 
: antiCMOS virus. He used another PC and it confirmed the presence of this 
: virus.

I think fdisk /mbr will rewrite the boot record to rid this.  Norton can 
rebuild the boot sector too, though I'm not sure about Win95.

: Does anyone have any solution to this problem? Also, how come my Scan95 
: did not detect the (abovementioned) virus?

Scan95 should've found it, I thought.

- -
gmann@haven.ios.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Gary Willis: "If I had to put D'Addario strings on my bass, I'd 
		  give up music and become a drummer."
Scott Henderson: "GHS Progressives suck."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[Moderator's note:  Please read Bruce Burrell's recent post about
Stoned.Empire.Monkey_B, as FDISK /MBR should be used very judiciously.  It
should be OK with AntiCMOS so long as you only have that virus.  You may
do better to check your machine from a clean, DOS 6 boot and running a
couple of DOS scanners against it.]

------------------------------

Date: Thu, 11 Apr 1996 17:35:43 +0200
From: Jean-Paul BLANC <blanc@llaic.univ-bpclermont.fr>
Subject: Over 1644 Virus (PC)
X-Digest: Volume 9 : Issue 50

Could someone give me some information
about OVER1644 Virus ?

	Jpaul.

[Moderator's note:  the very limited info I have on it suggests it is a
corrupting, overwriting virus, so disinfection is impossible.]

------------------------------

Date: 8 Apr 1996 15:22:24 GMT
From: ken_stieers@ontrack.com (Ken Stieers)
Subject: Re: McAfee Vshield 2.9 and windows (PC)
X-Digest: Volume 9 : Issue 50

Get rid of /swap.  I know it hurts, but do it.  As Windows loads, it
conflicts with Vshield trying to swap back into memory causing the #6
error. 

Ken 

- - 
Views expressed herein are not necessarily the views 
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               |  Minneapolis - 1.800.872.2599       * 
* AV Research/Apps. Eng.    |  Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  |  Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     |  London - 0800 24 39 96             *
* Eden Prairie, MN          |  Japan - 81.429.32-6365             *
*******************************************************************

------------------------------

Date: Thu, 11 Apr 1996 17:02:33 +0000 (GMT)
From: ak8188@CNSVAX.ALBANY.EDU
Subject: xcopy /v ?? (PC)
X-Digest: Volume 9 : Issue 50

this is NOT a virus question; however it is a data security question;
therefore, i hope that the moderator and others in this group will
consider it worthy of consideration

i work in a place where the folks who buy the computer diskettes are
not the same folks who use them; inevitably, they purchase bad media
(sony 10mfd-2hd), and we get stuck using them; i think that close to
ten percent of the diskettes come with bad sectors, right out of the
box

whenever i copy a file to a diskette, i have to actually wonder whether
the file has been copied correctly!!  my solution to this is to stop
using the ms-dos COPY command to copy from the hard drive to diskettes;
instead i use the XCOPY /V command; my questions are the following:

a) what does XCOPY /V actually do; what does ms-dos do when it "verifies"
	the copying?  is it the same as using COPY and then FC to compare
	the versions of the files?

b) what does Windows 3.11 File Manager do when it is "copying" a file to
	a diskette?  does it use a "verification" scheme?  is there a
	default setting that i can change to make it do so?

c) what does Windows 95 Explorer do when it is "copying" a file to a
	diskette?

thank you for reading

alfredo b goyburu

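The copy-then-compare approach the poster describes (copy, then compare the two versions), as an added Python example written for this digest; it is not code from the original post and it is not a description of what XCOPY /V, File Manager or Explorer actually do internally. The file is copied, flushed to the device, then read back and its digest compared with the source; the sample file and the deliberately corrupted second copy are constructed in a temporary directory.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 64 * 1024


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verified_copy(src, dst):
    """Copy src to dst, force the data out to the device, then read dst back and
    compare digests. Returns True only when the read-back matches the source."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        shutil.copyfileobj(fin, fout, CHUNK)
        fout.flush()
        os.fsync(fout.fileno())      # make the OS hand the data to the device now
    return file_digest(src) == file_digest(dst)


def demo():
    """Exercise the check on a constructed file: one faithful copy and one copy
    in which a byte is overwritten afterwards, standing in for a bad sector.
    Returns (result_for_good_copy, result_for_corrupted_copy)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "report.txt")
        with open(src, "wb") as f:
            f.write(b"constructed sample payload line\n" * 2000)

        good = verified_copy(src, os.path.join(work, "good_copy.txt"))

        bad = os.path.join(work, "bad_copy.txt")
        verified_copy(src, bad)
        with open(bad, "r+b") as f:
            f.seek(512)              # damage the second sector of the copy
            f.write(b"\x00")
        corrupted = file_digest(src) == file_digest(bad)

        return good, corrupted


if __name__ == "__main__":
    print(demo())   # (True, False)
```

One caveat for removable media: the read-back immediately after the write may be served from the operating system's cache rather than from the diskette itself, so the strongest form of this check re-reads the file after the medium has been removed and reinserted.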
------------------------------

Date: Thu, 11 Apr 96 10:54
From: "Chastain, Brian" <chastaib@stifel.com>
Subject: Re: Where to get a virus check up grade? (PC)
X-Digest: Volume 9 : Issue 50

     I spoke with Microsoft just yesterday concerning the same thing, 
upgrading the virus signatures for the Microsoft Anti-Virus program that 
came with DOS 6.2.  Since we have DOS 6.2 on a boatload of our computers,
I figured this would be the cheapest way to get up-to-date virus
scanners for all my users.
     The Microsoft Tech guy was surprisingly honest.  He said that I could 
probably download a virus signature update from the Symantec BBS, as 
Symantec took it upon themselves to offer an update.  He said he thought 
that it was dated September of 1995.  He further stated that Microsoft 
doesn't plan on updating the program - Symantec or someone else would need 
to take it upon themselves.
     He also suggested that I purchase some third-party virus scanner,
that Microsoft only intended for their program to be an "introductory"
virus scanner, and that they didn't intend to support it any more.
     Looks like you need to look elsewhere.  Good luck.

Brian
 -----
Brian Chastain, LAN Administrator
USnail: Stifel, Nicolaus, 500 N. Broadway, St. Louis, MO  63102
E-mail: chastaib@stifel.com  Voice:314-342-2211 FAX: 314-342-2707
MailSig 1.6 - Is there a BBS-aholics Anonymous?

------------------------------

Date: Thu, 11 Apr 1996 17:23:17 +0000 (GMT)
From: Ken Stieers <kstieers@ontrack.com>
Subject: Re: Burglar 1150 virus on a Novel Network -- HELP!!! (PC)
X-Digest: Volume 9 : Issue 50

Here's the problem: someone with write rights in the public directory
logged on, thereby infecting the server's files.  

Here's what you HAVE to do, (assuming that F-PROT can clean the virus
without damaging the files).

1.  Login and copy ATTACH.EXE and MAP.EXE to a workstation hard drive.  
2.  Logout. 
3.  Cold boot the workstation from a known clean bootable floppy and run 
    F-PROT C: /ALL /DISINF 
    You can add /AUTO to that if you don't want it to ask about cleaning
    each file.
4.  Run your net drivers.  DON'T reboot.  You don't want to run ANYTHING
    from the server.
5.  Run the local copy of ATTACH and attach to both servers.  Attach as 
    supervisor.
6.  Disable login and clear all of the connections except yourself at the 
    server console.  You might contemplate physically disconnecting the
    network, except for the workstation you are using and the servers.
7.  Map to the root of each volume.
8.  Run F-PROT /NET /ALL /DISINF   This will scan all network drives.
    You can add /AUTO to that command as well.
9.  Go to EVERY machine, and do step 3 above to it.  
10. Collect every floppy and scan those too. 
11. Reenable login on the servers. 

If you don't do this, you will continually get this virus back. 

Netware is secure, as long as you are secure.  How many people have
supervisor equivalency??  Anyone who logs on to the server with SE, can
infect the whole network.  A virus will only have the rights the user who
logs in has.

You might want to do this over the weekend, and if you can, enlist some
students to do the legwork of scanning every machine and every floppy. 
They may learn something and it would make your job a little easier. 

Ken

- - 
Views expressed herein are not necessarily the views 
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               |  Minneapolis - 1.800.872.2599       * 
* AV Research/Apps. Eng.    |  Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  |  Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     |  London - 0800 24 39 96             *
* Eden Prairie, MN          |  Japan - 81.429.32-6365             *
*******************************************************************

------------------------------

Date: Thu, 11 Apr 1996 22:12:52 -0500
From: "R. Zalk [E-Z Computers Ltd.]" <ez-zone@netmedia.net.il>
Subject: Re: 636k total base memory...virus? (PC)
X-Digest: Volume 9 : Issue 50

#1. Boot up bypassing your dos and see if you get the same base memory.
#2. If the answer to #1 is 'no' then your bios is using your 640k 
area. Most likely for HD address.
#3. If the answer to #1 is 'yes' then start 'rem'ing lines in your 
config &/or autoexec to see the cause of the missing memory.

Good Luck!

RZ of EZ

------------------------------

Date: Thu, 11 Apr 1996 23:01:45 +0300 (EET DST)
From: "Mikko H. Hypponen" <Mikko.Hypponen@datafellows.com>
Subject: Re: Wanted TSR checks A: as used (PC)
X-Digest: Volume 9 : Issue 50

Ben Danielson <bendan@asu.edu> wrote:

> FProt does have a tsr named Virstop.  I use it at my site and it will stop
> access to the A: drive if it detects a virus.  I did have to configure the
> program to check the boot sector of floppy drives by using the /boot switch.

Actually, the /boot option is on by default in VIRSTOP; you don't need
to specify it at all to make VIRSTOP check floppy boot sectors on
access. 

The /noboot and /boot commands can be useful if you run into a floppy with a
boot sector virus and just want to copy the files from it to the hard drive
and toss the floppy; you can turn the boot sector scanning off for the
duration of the copying so you get access to the floppy.

- - 
	 Mikko Hermanni Hyppönen - Mikko.Hypponen@DataFellows.com  
   Data Fellows Ltd's F-PROT Pro Support: F-PROT-Support@DataFellows.com
 Computer virus information available via web: http://www.DataFellows.com/
Paivantaite 8, 02210 Espoo, Finland. Tel +358-0-478444, Fax +358-0-47844599

------------------------------

Date: Thu, 11 Apr 1996 23:18:50 +0300 (EET DST)
From: "Mikko H. Hypponen" <Mikko.Hypponen@datafellows.com>
Subject: Re: Virus BYE (PC)
X-Digest: Volume 9 : Issue 50

Andrea Nagar <nagar@sinet.it> wrote:

> Can someone give me some technical information about the BYE virus?
> What does it infect? What does it do? Is it dangerous? Thanx.

See the description of Bye in the virus description database at
www.datafellows.com (or www.europe.datafellows.com). Many antivirus
products can detect and disinfect it (F-PROT does it for sure).

- - 
	 Mikko Hermanni Hyppönen - Mikko.Hypponen@DataFellows.com  
   Data Fellows Ltd's F-PROT Pro Support: F-PROT-Support@DataFellows.com
 Computer virus information available via web: http://www.DataFellows.com/
Paivantaite 8, 02210 Espoo, Finland. Tel +358-0-478444, Fax +358-0-47844599

------------------------------

Date: Thu, 11 Apr 1996 20:11:09 +0000 (GMT)
From: Wayne Riddle <riddler@agate.net>
Subject: Re: Where to get a virus check up grade? (PC)
X-Digest: Volume 9 : Issue 50

"Glenn P. Siegrist" <teamsieg@snowhill.com> wrote:

>I have a Packard Bell Legend 36CD; it's a 486/50. It came with Win 3.11 on 
>it. I have had it for over a year now and I would like to know if there is an 
>upgrade to the Microsoft virus scan program that came with it.

Instead of upgrading the MSAV, I would suggest dumping it for a better
program. Some anti-virus programs that I like are:

ThunderBYTE
Dr. Solomon's
F-Prot
AVP
Integrity Master

Wayne Riddle
riddler@agate.net
http://www.agate.net/~riddler

------------------------------

Date: Thu, 11 Apr 1996 23:16:07 +0300 (EET DST)
From: "Mikko H. Hypponen" <Mikko.Hypponen@datafellows.com>
Subject: Re: Crash or Leningrad virus (PC)
X-Digest: Volume 9 : Issue 50

MKW94 <mkw94@aol.com> wrote:

> After doing some looking on the WWW on virus info, I found the same
> exact picture at <http://www.datafellows.fi/v-pics/>. (Screen shots of 
> Computer Viruses). The one called "Crash or Leningrad". 

Well, you can get a similar display full of random characters by just
crashing your machine regularly - I don't think you have a virus.

> The info on this web site is temporarily out of order.

That's strange, I don't think we've had the virus description database
off-line since 1994. I assume the site itself wasn't down since you
could access the screen shot.

Anyway, here's the description:

NAME:   Leningrad
ALIAS:  Crash
ORIGIN: Russia
TYPE:   Non-resident COM files
SIZE:   600
 
This simple Russian non-resident virus infects COM files. It will
sometimes display random garbage on-screen.

- - 
	 Mikko Hermanni Hyppönen - Mikko.Hypponen@DataFellows.com  
   Data Fellows Ltd's F-PROT Pro Support: F-PROT-Support@DataFellows.com
 Computer virus information available via web: http://www.DataFellows.com/
Paivantaite 8, 02210 Espoo, Finland. Tel +358-0-478444, Fax +358-0-47844599

------------------------------

Date: Thu, 11 Apr 1996 20:21:01 +0000 (GMT)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: Re: Good scanner with smallest TSR memory footprint (PC)
X-Digest: Volume 9 : Issue 50

In article <0038.01I3EEEWQ4GQSKU6UC@csc.canterbury.ac.nz>
	   chastaib@stifel.com "Chastain, Brian" writes:

> My main concern, however, is memory overhead.  The NAVTSR occupies 30K
> of RAM.  I took a look at F-PROT, and their TSR occupies over 40K of RAM.
>
> Since we're a token-ring network, and token-ring drivers are
> notoriously large, we can't afford to give up that much memory.
>
> My question (finally!) is, which scanning program is effective, yet has
> the smallest TSR footprint?

That would be VirusGuard, from Dr. Solomon's Anti-Virus Toolkit.  
It has ballooned a bit since the days when I programmed it, but 
I believe it still fits in less than 10K.  It is probably also 
the most effective, but there are few independent tests of TSR 
scanners to be found.

- -
CUTIE INVITED                   OF WHISKERS
	     VARSITY HOP                   PARTY A FLOP
			GUY FULL                       Burma-Shave

------------------------------

Date: Thu, 11 Apr 1996 19:49:37 +0000 (GMT)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
X-Digest: Volume 9 : Issue 50

In article <0004.01I3FQNQ0S3KSKU6UC@csc.canterbury.ac.nz>
	   cjkuo@alumnae.caltech.edu "Chengi J. Kuo" writes:

> Iolo Davidson <iolo@mist.demon.co.uk> writes:
>
> >The conclusion is that you ran it on a collection of viruses and
> >it went into "review" mode.  The word "like" is the giveaway.
>
> I am constantly hearing about "independent reviews" which give
> S&S a very high ranking.

Yep, it is pretty constant, isn't it?

> Are you saying that they have a special mode to recognize when
> they're being tested?  Are the reviewers told about this?

Don't know what they are told.  I'm not with S&S.  It is an
undocumented feature, but S&S's Dmitry Gryaznov just gave out
the switch to turn it off in this group, so it isn't a secret.

What happens is that FindVirus stops doing the extra checking
necessary to determine the precise variant of the virus when it
has encountered ten or more different viruses, so it is a bit
less precise about virus naming when this happens.

The reason would seem to be that some reviewers do their virus
scanning speed tests when scanning a collection of viruses.  It
doesn't make sense to do this from the customer's point of view.
The customer wants to know how long the scanner will take in
normal use, when he most likely doesn't have any viruses on his
system.  He is very unlikely ever to have more than one or two at
the same time.

A sensible test would test detection rates against a collection
of viruses, and scanning speed against a clean machine with a
disk full of normal files, the kind of machine a customer would
normally scan.

FindVirus is one of the fastest scanners when scanning 
clean files, but FindVirus' precise variant detection takes 
longer than just detecting a virus by its main name, so doing 
speed tests on virus collections penalises FindVirus for its 
precision.  The precision is really only needed when doing 
repair, so it can be turned off to speed up scanning of 
collections.  All that does is redress the balance with those 
scanners that don't have FindVirus' precision in any mode.  
Obviously it doesn't affect detection ability; failing to detect 
viruses would be much worse than a slow scan speed.

You can force precise identification mode to stay on by using the 
/VID switch, as Dmitry says.  If you are doing repair, then it 
also stays on.

> PS.  I always thought my job was to help users.  I guess I'll
> have to add "win reviews" to my job duties.  *sigh*

What could you turn off in McAfee that would speed things up but
still not cause it to fail to detect any viruses?

- -
CUTIE INVITED                   OF WHISKERS
	     VARSITY HOP                   PARTY A FLOP
			GUY FULL                       Burma-Shave

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 50]
*****************************************


