Message-Id: <01I3LPCY7RXOSKU6UC@csc.canterbury.ac.nz>
Date: 	Tue, 16 Apr 1996 01:16:16 +1200 (NZT)
Reply-To: virus-l@Lehigh.EDU
Sender: owner-virus-l@Lehigh.EDU
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>
Subject: VIRUS-L Digest V9 #51
MIME-version: 1.0
Content-transfer-encoding: 7BIT
X-Sender: cctr132@cantva.canterbury.ac.nz
X-Listprocessor-Version: 7.2 -- ListProcessor by CREN

VIRUS-L Digest   Tuesday, 16 Apr 1996    Volume 9 : Issue 51

Today's Topics:

Need a way to automatically update Virus Checkers.
Re: What REALLY matters in Commercial Anti-Virus Software
Re: What REALLY matters in Commercial Anti-Virus Software
Re: Help Possible Virus
EliaShin (sp?) antivirus software
Re: Virus Writing? Why Do People Still Do it.
Re: McAfee 2.0 for Win95 "feature" (WIN95)
Re: 386SPARTN.PRN and Win 95 boot sector modification (WIN95)
Drive Space 3 Problems (WIN95)
Brand New Win95 User w/ "Form" Virus -- Help!! (WIN95)
Norton Anti-virus or McAfee (WIN95)
Re: TBAV says WIN95 CD infected? (WIN95)
Re: F-Prot for Win 95 evaluation version (WIN95)
Re: Possilbe new virus? (WIN95)
Re: McAfee 2.0 for Win95 "feature" (WIN95)
Flesh Eating Virus? (PC)
Re: Anti exe virus (PC)
Re: Good scanner with smallest TSR memory footprint (PC)
Re: My disk has a DIVIDE OVERFLOW ERROR? (PC)
Re: Viruses that reset top of memory (PC)
Re: Stoned.Empire.Monkey_B (PC)
Re: Where to get a virus check up grade? (PC)
Help on DESPERADO A/B required (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Thu, 11 Apr 1996 15:48:34 -0700
From: Ken Griffin <kgriffin@busweb.com>
Subject: Need a way to automatically update Virus Checkers.
X-Digest: Volume 9 : Issue 51

Can anyone help with automation?

Any help appreciated...

Thanks.

------------------------------

Date: Sat, 13 Apr 1996 05:37:20 +0000 (GMT)
From: Enrico DePaolis <74777.171@compuserve.com>
Subject: Re: What REALLY matters in Commercial Anti-Virus Software
X-Digest: Volume 9 : Issue 51

Iolo wrote:

>>I'm sure I saw you claim that the EMD package could be updated 
in another newsgroup.<<

Yes it can be updated to add additional features such as 
encryption, diagnostics, etc.  It has its own onboard protected 
memory.

>>Most AV software also tackles the virus before it attacks the 
system, by the way.  All you have to do is scan software and 
disks before using them.  Some software packages have resident 
programs that do this automatically.<<

Most users do not scan their disks before using them, and using 
TSR-based systems is not as effective since there is no way you 
can monitor all of the system interrupts via software.  This is 
why we developed the hardware and software based system.

Enrico DePaolis
EMD Enterprises

- - 
EMD Enterprises                         CompuServe: GO EMDENT
WWW Site: http://www.emdent.com         e-mail: 74777,171
e-mail: emd@emdent.com                  Phone: 717-235-4423
	sales@emdent.com                FAX: 717-227-9746

------------------------------

Date: Sat, 13 Apr 1996 05:45:18 +0000 (GMT)
From: Enrico DePaolis <74777.171@compuserve.com>
Subject: Re: What REALLY matters in Commercial Anti-Virus Software
X-Digest: Volume 9 : Issue 51

Doug Muth wrote:

>>I'm not familiar with this product, but if it is an activity 
blocker, it would most definitely need updates for any new 
viruses that come out that could circumvent its protection.<<

We haven't seen one yet that could.  It is not a simple activity 
blocker as you call it.  It uses proactive techniques such as 
real time integrity checking and system monitoring, as well as 
scanning, immunization and system level detection schemes.

We have included a feature to utilize external scanners and 
cleaners from other vendors since users can download fully 
functional demo versions of products for free.  Since we stop 
access before the infection occurs (using hardware and software 
in one of our lines of products) the problem is resolved quite 
quickly.

We do have a scanner and cleaner included for virus infection but 
we also stress that the user restore any infected file from a 
clean backup.  Nothing special just solid protection.

We will be releasing new apps at Spring COMDEX.  Stop in booth N6522.
Enrico DePaolis
EMD Enterprises

- - 
EMD Enterprises                         CompuServe: GO EMDENT
WWW Site: http://www.emdent.com         e-mail: 74777,171
e-mail: emd@emdent.com                  Phone: 717-235-4423
	sales@emdent.com                FAX: 717-227-9746

------------------------------

Date: Sat, 13 Apr 1996 22:03:38 +0000 (GMT)
From: Wayne Riddle <riddler@agate.net>
Subject: Re: Help Possible Virus
X-Digest: Volume 9 : Issue 51

Syahrul Sazli Shaharir <ssazli@hrsb563.resnet.upenn.edu> wrote:

>After I run certain programs, everything crashes one by one.. (popup
>message appears: "[program name] encounters an error (or sthing like
>that), the application will be closed"), and after a few more clicks the
>Explorer fails (with the same popup message) and then Win 95 crashes. If
>this is a virus problem, what apps can be used to kill it? Thanks.

Many fine anti-virus programs are available on the internet. A page
with links to many of them can be found at www.nha.com. Download one
and scan your computer. Please note, scanning is best performed after
booting cold from a clean floppy.

You might also want to look at the FAQ for this newsgroup.

Wayne Riddle
riddler@agate.net
http://www.agate.net/~riddler

------------------------------

Date: Sun, 14 Apr 1996 12:39:43 -0500
From: Frank Christensen <frankc@aquila.com>
Subject: EliaShin (sp?) antivirus software
X-Digest: Volume 9 : Issue 51

Hello!  A friend at a nearby university learned they are going to be 
installing an antivirus program that neither he nor I had heard about:

"....they are installing an antivirus called "EliaShin" in
our PC labs - the main file itself is called "ViruSafe" - however,
unlike Symantec's Norton Antivirus and McAfee's VirusScan and the
Finnish Datafellow's F-PROTECT, and IBM's IBM Antivirus, and/or the
British "Dr.Solomon" - I can find out NOTHING about this product,
other than it comes from Israel!"

Does anyone have any firsthand knowledge about this product, and possible 
site of reviews/evaluations?

MANY thanks!

	Frank

------------------------------

Date: Mon, 15 Apr 1996 04:23:57 +0000 (GMT)
From: Pmaynard@apci.net
Subject: Re: Virus Writing? Why Do People Still Do it.
X-Digest: Volume 9 : Issue 51

In <0013.01I3BNBEFQEYSH3CBI@csc.canterbury.ac.nz>, Alex Ross
<alexross@alex01.idiscover.co.uk> writes:

>My question is, who writes these and where do they come from?
>Could replies be submitted to the newsgroup. 

It's a challenge to make something that sneaks around on one's system.
There are a surprising number of viruses written that never get spread. Only 
the sources are passed around so others can see the techniques.
You should be asking why do people intentionally distribute harmful viruses.
There are also many viruses that don't do anything except funny stuff like 
display a bouncing ball on the side of the screen or something.

Rob

------------------------------

Date: Fri, 12 Apr 1996 02:17:05 +0000 (GMT)
From: Kendall Trent Berkey <kberkey@visus.jnj.com>
Subject: Re: McAfee 2.0 for Win95 "feature" (WIN95)
X-Digest: Volume 9 : Issue 51

On 7 Apr 1996 13:41:25 -0000, Benedict Tam <BTAMHS@cxair.com> wrote:

>Zack Jones <zack@hom.net> wrote:
>
>>>Score stands 1 with false alarms vs 1 without.  Others?
>> 
>>No false alarms and 1 positive hit on the anti-exe virus which was on
>>a floppy one of our customers brought to the office.
>>
>>The only odd behavior I've observed and I don't know if this is caused
>>by McAfee or something else, but every time I shut down the computer it
>>tries to read the A Drive for a few seconds before I get the "It's
>>safe to turn off your computer screen".
>>
>>Have you or anyone else observed this?
>
>I think it may be caused by Norton Antivirus rather than McAfee.

Many anti-virus TSR programs check the A: drive on reboot.
F-Prot's virstop.exe and Norton AntiVirus ALWAYS check the floppies 
upon rebooting. They call it an A: drive warm boot check.

------------------------------

Date: Fri, 12 Apr 1996 09:05:41 +0000 (GMT)
From: Mechman <robotek@ix.netcom.com>
Subject: Re: 386SPARTN.PRN and Win 95 boot sector modification (WIN95)
X-Digest: Volume 9 : Issue 51

You might try leaving the Windows environment altogether, and change
the attributes of the file in question in DOS.  Chances are this is
just a hidden file, so all you'll have to do is type attrib -h (or -s
if it turns out to be a system file) at the prompt.  After that you can
move it, rename it, or whatever you wish.  I doubt, however, that this
would be infected; more likely it is a system file for a printing
device.  Things that make you go hmmmmmm.  Good luck.

------------------------------

Date: Fri, 12 Apr 1996 07:57:09 -0600 (cst)
From: "Arif, Rahan" <rarif@chiaolink.dcmdc.dla.mil>
Subject: Drive Space 3 Problems (WIN95)
X-Digest: Volume 9 : Issue 51

I have been having some trouble with my compressed hard drive. I had 
Windows 95 with PLUS! installed in my computer using PLUS!'s version 
of Drive Space. Due to some unrecoverable errors in the system 
registry, I almost gave up after many attempts to fix it. Finally, I 
erased the entire c:\windows tree and I installed Windows 95 again.  
It barely installed, but I was lucky.  Well the weird registry problem 
was fixed, but now every time I start my computer I get a blue screen 
with a message saying that my DRIVESPACE DRIVER doesn't match with 
current driver it is using. That's because Windows 95 is trying to use 
its own older version of Drive space and it can't recognize the Drive 
space 3 format.  So logically after seeing this appear, I tried to 
install PLUS! again.  But after several attempts, PLUS! didn't install 
at all.  A message saying that TOP LEVEL INFORMATION COULD NOT BE 
PROCESSED kept appearing.  Also when I go to My Computer and click on 
Properties, it shows that I have 1.6 GIGABYTES of FREE SPACE, when my 
original hard drive was only 200 MEGABYTES to begin with! and after 
being compressed, it should only have been around 380 megabytes!!!  I 
really need some help in figuring out how I can possibly reinstall 
Drive Space 3 or some way I can extract the Drive Space 3 components 
from the .CAB files found on the PLUS! CD-ROM.  Also can anyone tell 
me the address of the Windows 95 Tips list. I was once on it and I 
lost the subscription address.  Any help will be highly appreciated.

Thank you very much,

rarif@chiaolink.dcmc.dla.mil

------------------------------

Date: Fri, 12 Apr 1996 22:35:58
From: "Eric M. North" <enorth@culaw.com>
Subject: Brand New Win95 User w/ "Form" Virus -- Help!! (WIN95)
X-Digest: Volume 9 : Issue 51

Help!!

After 10+ years without a virus I've been hit w/ one after loading a program 
on a brand new Win95 machine.  I just got the machine yesterday and am still 
learning Win95.  The first program I attempted to load was a "Perfect Office" 
I bought at a liquidation auction.  The setup disk worked fine, but Windows 
said it couldn't read the "Program Disk # 1" disk and said a virus might have 
infected the system.  I ran both the setup disk and the first program disk 
through NAV and McAfee running on another machine, and both detected the 
"Forms" virus.  Both say they can disinfect.

Several questions result, and I'd really appreciate any info I can get
quickly -- hopefully over the weekend.  I've got a guy scheduled to come in
Monday morning to help me network the office, and this PC is the one I'll be
managing the network from.

First, how do I get this thing off the system?  I've read a couple of posts, 
including Dr. Solomon's, saying to pull a program from his web site; boot my 
system w/ a clean disk; and run the disinfect program.  I want to be sure
I've got the facts right.  Am I to pull the program and put it on the "clean
disk" and use it to disinfect the new machine (will it fit on a floppy?) or
am I to download the program onto the infected machine; boot w/ a clean disk;
and disinfect?  Question might sound foolish to some of you who know, but I
need to get this right quickly.

Second, since the machine is new I haven't yet made (yeah, I know this is 
stupid) a clean boot disk.  Can I create a basic boot disk from another 
machine running DOS and Win3.11 and use it to boot up the Win95 machine?  Is 
there anything special I need to do to the boot disk?

Third, is "Form" a virus which can be removed w/o damage to the system?  Or 
should I be reinstalling Windows95? 

Fourth and finally, if "Form" can be safely removed, then can I safely remove 
it from all of the Perfect Office disks and then go ahead (some people never 
learn) and use those disks to install Perfect Office?

I'd appreciate any help.  Thanks.

Eric North
San Jose, CA

------------------------------

Date: Sat, 13 Apr 1996 06:44:21 -1000
From: Sachi Noma <snoma@aloha.net>
Subject: Norton Anti-virus or McAfee (WIN95)
X-Digest: Volume 9 : Issue 51

Which is better under Win95: Norton AntiVirus or McAfee?
- - 

Aloha & best regards (Big Island of Hawaii)
Sachi Noma
E-mail:snoma@aloha.net

------------------------------

Date: Sat, 13 Apr 1996 22:06:04 +0000 (GMT)
From: Wayne Riddle <riddler@agate.net>
Subject: Re: TBAV says WIN95 CD infected? (WIN95)
X-Digest: Volume 9 : Issue 51

Vegas Griff <kwiagrif@nicoh.com> wrote:

>I have been having a similar problem using TBAV for Win95 Ver.700! I
>am getting Heuristic flags on several files either residing on, or
>newly installed, from the MS Win95 upgrade CD ROM. 

Take a look at my page at www.agate.net/~riddler/virus/. It has a
paper from ThunderBYTE (re-printed with their permission) explaining
heuristics.

Wayne Riddle
riddler@agate.net
http://www.agate.net/~riddler

------------------------------

Date: Sun, 14 Apr 1996 10:24:05 +0000 (GMT)
From: Bruce Burrell <bpb@stimpy.us.itd.umich.edu>
Subject: Re: F-Prot for Win 95 evaluation version (WIN95)
X-Digest: Volume 9 : Issue 51

Wayne Riddle (riddler@agate.net) wrote:

> Aidas Antanaitis <aidasa@ktl.mii.lt> wrote:
> 
> >Does anybody know where it is possible to download an evaluation version 
> >of F-Prot for Win 95? 
> 
> I don't think there is an evaluation version of F-Prot for Win95, only
> for DOS. F-Prot can be found at:
> 
>    http://www.datafellows.com/f-prot.htm

   Nope; that's just info about the products, not the software.  There 
-is- a demo there, but it's not an actual scanner; it's a Dan Bricklin 
type demo.
   Try instead
ftp://ftp.simtel.com/pub/simtelnet/msdos/virus/
ftp://garbo.uwasa.fi/pc/virus/

for the ShareWare version.  One can make it work well under Win95, but 
it's not ideal.  For the cost, though, it is excellent; in fact, you 
can't do much better for any price.

   Of course, if you want a better interface for GUI-based use, and if you
want VxDs (which you should, by the way), the ShareWare version is not for
you. 

   -BPB

------------------------------

Date: Sun, 14 Apr 1996 09:45:06 +0000
From: Fridrik Skulason <frisk@complex.is>
Subject: Re: Possilbe new virus? (WIN95)
X-Digest: Volume 9 : Issue 51

In <0018.01I3EEEWQ4GQSKU6UC@csc.canterbury.ac.nz> Lonnie Howell
<lhowell@bright.net> writes:

>I know of one virus (older) that repeats a message over and over to the 
>pc's speaker, its called Hitler,

I know of one virus called Hitler by its author, however, that name was
rejected and the official CARO name for that one is Dreamer.4808.

I wonder if that is the same virus.....

-frisk

- - 
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Mon, 15 Apr 1996 04:47:01 -0400
From: Kenneth Weiss <kweiss@bway.net>
Subject: Re: McAfee 2.0 for Win95 "feature" (WIN95)
X-Digest: Volume 9 : Issue 51

On 8 Apr 1996 16:28:01 -0000, William A Wenrich <wawenri@sandia.gov>
wrote:

>I get the same "feature" on Norton.  I believe it's part of the close of 
>the TSR scanner.  It doesn't seem to cause any problems and directing 
>attention to the A: drive during the shutdown sequence has helped me 
>remember to remove diskettes.

Actually, both McAfee & Norton are checking for boot sector viruses in
that drive in case you're using a boot disk.  Good feature.

Home Page: http://www.bway.net/~kweiss
  "The Boycott Everything O.J. Page"
	  =================
"If it isn't fit for a five year old child,
      shut it down." - U.S. Government

------------------------------

Date: Thu, 11 Apr 1996 22:09:59 +0000 (GMT)
From: Steve Anthony <santhony@morgan.ucs.mun.ca>
Subject: Flesh Eating Virus? (PC)
X-Digest: Volume 9 : Issue 51

Recently I've been made aware of a possible virus in my university.  
Apparently, this computer Flesh Eating Virus, is a new one, corrupting 
disks and scrambling their contents.  

I recently received a disk from a friend, and attempted to access it.  It 
replied with a Divide by Zero error on EVERY attempt, ie:  DIR, F-PROT, 
Norton, debug.... EVERYTHING.

I was able to manage a hack with norton to let me view some of the 
physical sectors, and I found partial documents all over the place.  

I was told that a new Flesh Eating pc virus was detected locally, but 
most scanners don't yet recognize it.  Any truth?  If so, what can I do?

S.

- -
- ----------
Stephen K. Anthony, 401 Burke House, Paton College, St. John's, NF, CANADA
Local Phone:  (709) 753-0937   Web Server:  http://www.cs.mun.ca/~santhony  
Geek Code V3.1:  GCS d- s:+ a-- C++ U++ P L+ E--- W++ N++ K++ w---(+) M-- 
		 V-- PS+ PE Y+ PGP- t++ 5 X+ R* tv b+ DI- D+ G e+>++ h-- r y?

------------------------------

Date: Thu, 11 Apr 1996 18:15:59 -0400
From: Artemis <naheyart@vela.acs.oakland.edu>
Subject: Re: Anti exe virus (PC)
X-Digest: Volume 9 : Issue 51

I was reading through the virus descriptions provided by F-Prot, and it
said that any *.exe file of some certain size can suddenly
disappear...                 

			-Artemis

------------------------------

Date: Fri, 12 Apr 1996 00:22:22 +0000 (GMT)
From: Shane Coursen <scoursen@symantec.com>
Subject: Re: Good scanner with smallest TSR memory footprint (PC)
X-Digest: Volume 9 : Issue 51

In article <0038.01I3EEEWQ4GQSKU6UC@csc.canterbury.ac.nz>,
chastaib@stifel.com says...

>We're beginning to have some problems with viruses here, 
>notably the FORM virus.  While this isn't a destructive virus,
>it is, nevertheless, a pain in the butt.  Anyway, my boss wants
>me to look into virus detection for our company.  Myself and
>several others in my department are using Norton's Anti-Virus,
>and it seems to be working nicely.
>
>My main concern, however, is memory overhead.  The NAVTSR
>occupies 30K of RAM.  I took a look at F-PROT, and their TSR
>occupies over 40K of RAM.
[snip]

I've included a section from the NAV READ.ME file.  It is a chart of
memory requirements by the NAVTSR.

Option                                                  TSR size
                                             5K     11K    15K    21K    34-64K
-------------------------------------------------------------------------------
Run                                          ON     ON     ON     ON     ON
Open                                         OFF    OFF    OFF    OFF    ON
Create                                       OFF    OFF    OFF    OFF    ON
Use Virus Sensor Technology                  OFF    OFF    ON     ON     ON
Low-Level Format of Hard Disk                OFF    OFF    OFF    OFF    ON
Write to Hard Disk Boot Records              OFF    OFF    OFF    OFF    ON
Write to Floppy Disk Boot Records            OFF    OFF    OFF    OFF    ON
Write to Program Files                       OFF    OFF    OFF    OFF    ON
Read-Only Attribute Change                   OFF    OFF    OFF    OFF    ON
Check Floppies For Boot Viruses Upon Access  OFF    ON     ON     ON     ON
When Rebooting, Check Both Drives            OFF    ON     ON     ON     ON
Alert Network Users                          ON     ON     OFF    ON     ON
Alert Norton AntiVirus NLM                   ON     ON     OFF    ON     ON
Inoculate Boot Records and System Files      ON     ON     ON     ON     ON
Inoculate Program Files                      ON     ON     ON     ON     ON
Inoculate Files on Floppies                  ON     ON     ON     ON     ON
-------------------------------------------------------------------------------

As you can see, selecting only the options that you feel you need 
most will reduce the memory footprint of the TSR.

Hope this helps!

- --
Shane Coursen                                        Symantec Corporation
Computer Virus Researcher                http://www.symantec.com/avcenter
AntiVirus Research Center                                 CIS:  GO SYMWIN
scoursen@symantec.com                                           GO SYMNEW
      US Support:  541-465-8420                            AOL:  SYMANTEC
European Support:  31-71-353-111       Australian Support:  61-2-879-6577

------------------------------

Date: Fri, 12 Apr 1996 00:56:30 +0000 (GMT)
From: Shane Coursen <scoursen@symantec.com>
Subject: Re: My disk has a DIVIDE OVERFLOW ERROR? (PC)
X-Digest: Volume 9 : Issue 51

In article <0040.01I3EEEWQ4GQSKU6UC@csc.canterbury.ac.nz>,
ppieda@engr.mun.ca says...

>I had a virus on my disk. Removed antiExe and antiCMOS from it. Now, 
>whenever you try to scan it with virus program (f-prot) it causes a
>- this program caused a divide overflow error - error. 
>Do I still have a virus on the disk?

What you are probably seeing is a corrupted diskette.  I have not
experienced this problem first hand, so I can only repost what has
already been stated...

A problem in the Win95 version of another product may be causing
this.  If you are using that product, it is recommended that you
instead use their DOS version to clean any remaining AntiEXE 
infected diskettes.

You should also contact the vendor for an update. I believe 
they may have a fix for the problem.

- --
Shane Coursen                                        Symantec Corporation
Computer Virus Researcher                http://www.symantec.com/avcenter
AntiVirus Research Center                                 CIS:  GO SYMWIN
scoursen@symantec.com                                           GO SYMNEW
      US Support:  541-465-8420                            AOL:  SYMANTEC
European Support:  31-71-353-111       Australian Support:  61-2-879-6577

------------------------------

Date: Wed, 10 Apr 1996 19:42:48 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Viruses that reset top of memory (PC)
X-Digest: Volume 9 : Issue 51

Tarkan Yetiser <tyetiser@yrkpa.kias.com> writes:

>From: "Jamon E. Bailey" <JB0269A@american.edu> wrote:
>>I have a question concerning viruses that bite off the last 1K of
>>conventional memory and cause DOS to report a total of 639K of
>>conventional memory.  Suppose I was sure that my computer had a virus
>>at that location in memory.  Would it be possible to write a program
>>that would overwrite that 1K of memory and remove the virus from
>>memory even it was a stealth virus?
>
>Not exactly. You need to understand why the virus needs that 1K. Most 
>boot sector viruses load themselves in that 1K, and also redirect 
>disk access to their handler. After DOS comes up, it stores the virus 
>disk access handler address inside its kernel data area. Now, every 
>disk access will go thru the virus handler, which is at the top of 
>memory. If you overwrite it, then you will get bizarre results. The 
>correct way to handle a case like this would be to find the virus 
>handler in memory, and find the original disk access handler address 
>and then patch the virus code in memory. That way, the virus handler 
>becomes a pass-thru, and you would be able to gain access to the disk 
>without the virus interfering. Of course, this assumes that the virus 
>is not checking for this sort of thing...
>
>In many common boot sector incidents, the above procedure is simple 
>and very effective even without needing to boot clean. Note that this 
>is handled on a virus-by-virus basis. When in doubt, you should find 
>a clean diskette and boot off of that first. Once the virus is no 
>longer in control, you can pop in your emergency diskette and restore 
>your MBR or BR. You do have an E-disk, don't you :-)

Just one note, most viruses will steal 2K or more.  For more information
about this data area and situations where you have less than 640K, please
see a paper I just presented at the NCSA conference, titled, "It's NOT
a Virus."  It's on www.ncsa.com and soon to be on www.mcafee.com.

Jimmy
cjkuo@mcafee.com
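
Added example (not part of the digest or of any poster's message): a Python triage of a saved copy of the first 0x500 bytes of real-mode memory, showing how the reduced top-of-memory figure discussed above can be told apart from a legitimate reservation. It goes beyond the disk handler and checks every interrupt vector; it assumes the standard BIOS data area layout (memory size word at 0040:0013, EBDA segment at 0040:000E), and the function names and sample images are constructed for illustration.

```python
import struct

BDA_EBDA_SEG = 0x40E   # 0040:000E, segment of the Extended BIOS Data Area (0 = none)
BDA_BASE_KB = 0x413    # 0040:0013, conventional memory size in KB
CONV_TOP = 0xA0000     # 640 KB, end of conventional memory


def word(mem, offset):
    """Read a little-endian 16-bit value from the image."""
    return struct.unpack_from("<H", mem, offset)[0]


def triage(mem, expected_kb=640):
    """Classify a dump of physical memory 0x000-0x4FF (IVT + BIOS data area)."""
    if len(mem) < 0x500:
        raise ValueError("need at least the first 0x500 bytes of memory")
    base_kb = word(mem, BDA_BASE_KB)
    top = base_kb * 1024
    ebda = word(mem, BDA_EBDA_SEG) << 4
    # Memory between the reported top and the EBDA (or 640 KB when no EBDA
    # sits above the top) is reserved by something the BIOS does not declare.
    end = ebda if top <= ebda < CONV_TOP else CONV_TOP
    end = max(end, top)
    hooks = []
    for vec in range(256):
        off, seg = struct.unpack_from("<HH", mem, vec * 4)
        linear = ((seg << 4) + off) & 0xFFFFF
        if top <= linear < end:          # handler lives in the undeclared area
            hooks.append((vec, seg, off))
    if hooks:
        verdict = "hooked"       # a vector points into the undeclared area
    elif end > top:
        verdict = "unexplained"  # memory missing, nothing declares it
    elif base_kb < expected_kb:
        verdict = "ebda"         # memory missing, fully covered by the EBDA
    else:
        verdict = "full"
    # Once DOS is up, the INT 13h slot in the IVT may no longer point at the
    # boot-time handler, so "unexplained" with no hooks still calls for a
    # clean boot and a look at the MBR / boot sector.
    return {"base_kb": base_kb, "unexplained_kb": (end - top) // 1024,
            "hooks": hooks, "verdict": verdict}


def make_image(base_kb, ebda_seg=0, hooks=None):
    """Build a constructed sample image; every vector defaults to F000:FF53."""
    mem = bytearray(0x500)
    for vec in range(256):
        struct.pack_into("<HH", mem, vec * 4, 0xFF53, 0xF000)
    for vec, (seg, off) in (hooks or {}).items():
        struct.pack_into("<HH", mem, vec * 4, off, seg)
    struct.pack_into("<H", mem, BDA_EBDA_SEG, ebda_seg)
    struct.pack_into("<H", mem, BDA_BASE_KB, base_kb)
    return bytes(mem)


# Constructed samples, not captured from real machines.
SAMPLES = {
    "640K, nothing reserved": make_image(640),
    "639K, 1K EBDA at 9FC0": make_image(639, ebda_seg=0x9FC0),
    "638K, INT 13h at 9F80:0120": make_image(638, hooks={0x13: (0x9F80, 0x0120)}),
    "637K, EBDA at 9FC0, 2K undeclared": make_image(637, ebda_seg=0x9FC0),
}

if __name__ == "__main__":
    for name, image in SAMPLES.items():
        result = triage(image)
        print(f"{name}: {result['verdict']}, "
              f"{result['unexplained_kb']}K undeclared, hooks={result['hooks']}")
```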

------------------------------

Date: Fri, 12 Apr 1996 02:12:59 +0000 (GMT)
From: Kendall Trent Berkey <kberkey@visus.jnj.com>
Subject: Re: Stoned.Empire.Monkey_B (PC)
X-Digest: Volume 9 : Issue 51

On 9 Apr 1996 16:05:47 -0000, "B. Gilbert"
<bgilbert@blue.weeg.uiowa.edu> wrote:

>>In article <0022.01I2G0808C12RI5O92@csc.canterbury.ac.nz>,
>>Virex1<virex1@aol.com> says:
>
>>>I had a floppy disk infected with the Stoned.Empire.Monkey_B virus, while
>>>attempting to disinfect the floppy I ended up infecting my internal HD by
>
>I too seem to have this Stoned Empire Monkey virus, on a friend's
>machine.  When I boot from a clean floppy, C: is not recognized.
>F-Prot finds the infected MBR, but doesn't see the hard disk (!).
>Otherwise the machine seems to boot and run fine.
>
>The last time this happened (with this same virus) I tried the fdisk
>/mbr, but this rendered the hard disk unbootable.  I had to do a
>complete restore from tape, and then clean the restored files before
>the MBR reinfected.
>
>Have I missed a step?  I'm reluctant to try the fdisk /mbr again!

The monkey virus can be destroyed by rewriting the mbr. I replaced one
by using f-prot. The rescue feature can either take a backup or one
off of an identical drive and rewrite it, destroying the virus. We have
several alike disk drives at work to get a good "copy" from. I imagine
you should make a backup "rescue file" for the boot record as soon as
you get a clean boot f-prot disk. 

As for not seeing the disk, are you using any disk manager software
for your hard drive? We have gotten rid of viruses on 1.6gig drives
that have disk manager software by rewriting the MBR with the software
that came with the drive.

kberkey@visus.jnj.com

------------------------------

Date: Fri, 12 Apr 1996 01:24:23 -0400
From: GenMelchit <genmelchit@aol.com>
Subject: Re: Where to get a virus check up grade? (PC)
X-Digest: Volume 9 : Issue 51

In article <0032.01I3FQNQ0S3KSKU6UC@csc.canterbury.ac.nz>, "Glenn P.
Siegrist" <teamsieg@snowhill.com> writes:

>I have a Packard Bell Legend 36CD its a 486/50. It came with Win 3.11 on 
>it I have had it for over a year now and I would like to know is there an
>upgrade to the Microsoft virus scan program that came with it.

I was just thinking the same thing, Glenn.  My MS Anti-virus is about two
years old (!), and I'm wondering if it's the right thing to use for
detection. 

Anybody have an opinion on MS Anti-virus performance?  Something better?

Todd Miller
- -
amok@bright.net
genmelchit@aol.com
toddm%laba%wayne@banyan.uakron.edu

------------------------------

Date: Fri, 12 Apr 1996 09:04:56 +0300
From: Ake Gustafsson <ake.gustafsson@kommun.kalmar.se>
Subject: Help on DESPERADO A/B required (PC)
X-Digest: Volume 9 : Issue 51

Does anyone know how to get rid of the virus DESPERADO A/B? There seems 
to be no remover available????

//Ake Gustafsson

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 51]
*****************************************


