From Lehigh.EDU!owner-virus-l  Wed Apr 17 09:23:43 1996 remote from vhc
Received: by vhc.se (1.65/waf)
	via UUCP; Wed, 17 Apr 96 11:11:33 GMT
	for mikael
Received: from fidoii.CC.Lehigh.EDU by mn3.swip.net (8.6.8/2.01)
	id JAA03485; Wed, 17 Apr 1996 09:23:43 +0200
Received: from Lehigh.EDU ([127.0.0.1]) by fidoii.cc.lehigh.edu with SMTP id <39334-104171>; Wed, 17 Apr 1996 03:22:17 EDT
Received: from nss2.CC.Lehigh.EDU ([128.180.1.26]) by fidoii.cc.lehigh.edu with ESMTP id <39296-104171>; Wed, 17 Apr 1996 03:18:28 EDT
Received: from cantva.canterbury.ac.nz (cantva.canterbury.ac.nz [132.181.30.3]) by nss2.CC.Lehigh.EDU (8.7.1/8.7.1) with ESMTP id DAA130163 for <virus-l@lehigh.edu>; Wed, 17 Apr 1996 03:18:05 -0400
Received: from 132.181.30.50 ("port 1047"@nick.csc.canterbury.ac.nz)
 by csc.canterbury.ac.nz (PMDF V5.0-6 #7295)
 id <01I3NQQ7OFNMSKU6UC@csc.canterbury.ac.nz> for virus-l@lehigh.edu; Wed,
 17 Apr 1996 19:17:20 +1200
Message-Id: <01I3NQQ7OQ0KSKU6UC@csc.canterbury.ac.nz>
Date: 	Tue, 16 Apr 1996 01:24:03 +1200 (NZT)
Reply-To: virus-l@Lehigh.EDU
Sender: owner-virus-l@Lehigh.EDU
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>
Subject: VIRUS-L Digest V9 #52
MIME-version: 1.0
Content-transfer-encoding: 7BIT
X-Sender: cctr132@cantva.canterbury.ac.nz
X-Listprocessor-Version: 7.2 -- ListProcessor by CREN

VIRUS-L Digest   Tuesday, 16 Apr 1996    Volume 9 : Issue 52

Today's Topics:

Administrivia (ADMIN)
Re: HELP with unknown virus (PC)
Re: Monkey and partitioned drives (PC)
Re: What AV software should I get? (PC)
Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
Re: Residual effects of a virus? (PC)
Need help with whacked PC (PC)
Re: Cmos-corrupting Virus (Monkey?) (PC)
Re: What AV software should I get? (PC)
Re: Where to get a virus check up grade? (PC)
Help Do I have to worry!!! (PC)
Help ,welcomb virus (PC)
Parity boot? What should I do? (PC)
Re: Multiple boot sector infections (PC)
Re: ripper-virus, who can help (PC)
Re: xcopy /v ?? (PC)
virus in macromedia plug-in (PC)
Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
"Eat at grandma's grave" message--virus?? (PC)
Re: Stoned.Empire.Monkey_B (PC)
Re: Good scanner with smallest TSR memory footprint (PC)
Help uninstalling TBAV (PC)
Re: Registered ThunderByte "expired" (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Wed, 17 Apr 1996 19:09:51 +1200 (NZT)
From: Nick FitzGerald <n.fitzgerald@csc.canterbury.ac.nz>
Subject: Administrivia (ADMIN)
X-Digest: Volume 9 : Issue 52

Well--I've had a bit more fun with the listserv.  I think I won't try
sending out back-to-back digests again--as doing so seems to precede
problems...

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
 n.fitzgerald@csc.canterbury.ac.nz  TEL:+64 3 364 2337, FAX:+64 3 364 2332
	      Virus-L/comp.virus moderator and FAQ maintainer
   PGP fingerprint =  2E 7D E9 0C DE 26 24 4F  1F 43 91 B9 C4 05 C9 83

------------------------------

Date: Fri, 12 Apr 1996 03:15:01 -0700
From: Mark West <mwest@primenet.com>
Subject: Re: HELP with unknown virus (PC)
X-Digest: Volume 9 : Issue 52

On 7 Apr 1996 13:41:55 -0000, DWL <weite@ix.netcom.com> wrote:

>I got an unknown virus. 
>
>The report from anti-virus programs:
>
>MS-antivirus: checksum error
>TBAV: the file has been changed
>McAfee: no virus found
>F-PROT: no virus found
>
>- The size of the *.exe grows.

	I'd suggest reporting via the Virus Attack Reporting Web page
(URL in sig).  It's a simple fill in the blank and check box form.
You will have the option of file attaching suspect, infected files.

	Reports and files submitted in this manner are instantly sent
to roughly a half dozen antivirus researchers & developers worldwide.

	I believe this to be one of the quickest ways to get this sort
of information into the right hands.

Regards,
Mark

cc: via email

===
Mark West <mwest@primenet.com>
http://www.primenet.com/~mwest/     With links to ...
Anti-Virus, PGP/Privacy, Roller Coasters, HTML, Martial Art & more
PGP FngPnt: 42 98 08 7D F5 AC B0 F7 89 A1 81 1A 97 FC F4 EC
Free Speech: It's not just a good idea, it's the law!

------------------------------

Date: Fri, 12 Apr 1996 11:05:08 +0000 (GMT)
From: Stefan Kurtzhals <kurtzhal@wmwap1.math.uni-wuppertal.de>
Subject: Re: Monkey and partitioned drives (PC)
X-Digest: Volume 9 : Issue 52

>Here's how it is.  If you have Monkey on a multi partitioned (yes 
>Double / Drive Space users, that means you), and you run FDISK /MBR, 
>it is gone.  You have to reformat and start over.  I know this 
>because I sent my computer in, and those idiots ran FDISK with the 
>MBR command, and shot my hard drive out of the water.  

Well, the FDISK /MBR deleted all the data not because of DBLSPACE
or DRVSPACE but because Monkey uses a special way to infect the
partition sector. (Or at least it changes the sector in a
special way)

>You replace the partitioned (and infected) header with a normal 
>(unpartitioned) header.  

This is correct, FDISK /MBR rewrites the first 1bdh bytes of the
partition sector with the standard DOS code. This will remove
the virus code completely (this will remove every boot virus
which is located in the partition sector).

> This causes the disk to not understand how 
>to read itself.  Thus, all data is lost.  

Monkey (and other boot viruses) invalidates the partition
entries located in the partition sector. Because the
virus itself has stealth functions and shows the original
uninfected sector to the system, your computer still
boots up normally.

But when you boot from a clean disk and the virus is
disabled in memory, DOS can't access the hard drive
anymore (you still can read sectors on the BIOS level).
If you try to access C: you just get "Invalid drive C:".
FDISK /MBR kills the virus, but does not repair the
partition entries. In this case, FDISK /MBR will make
all data inaccessible.

>(unless you wish to rewrite 
>your MBR by use of a disk utility.

Or you use the "Store partition sector" function offered
by almost every antivirus program.

That's the problem: most people just scan for viruses 
but don't use the full features of their antivirus program.
It's so easy to remove a boot virus!

>BTW, I learned this from experience.

Don't forget to switch the boot-up sequence in the
BIOS from "A: C:" to "C: A:". It's the cheapest
and most effective protection against boot virus.

bye, Stefan Kurtzhals

-- SUSPICIOUS & F/WIN * HEURISTIC VIRUS DETECTION ---

------------------------------

Date: Sat, 13 Apr 1996 01:42:25 +0000 (GMT)
From: dkstewart <dkstewart@csra.net>
Subject: Re: What AV software should I get? (PC)
X-Digest: Volume 9 : Issue 52

In article <0023.01I3FQNQ0S3KSKU6UC@csc.canterbury.ac.nz>, 
asjcw3@uaa.alaska.edu says...

>Hello, I'll get right to the point. Our 540-meg HD has crashed several
>times in the last few months.>
>My question is this: A friend knowledgeable in these matters said these 
>symptoms sound like a viruswas
>the Form virus.) So, I'm inclined to think that our problems come from a
>
>What AV program should I get to clean this virus off? Where can I get
>this program? 

I recommend ThunderBYTE Anti - Virus Utilities for your needs.  
ThunderBYTE has a complete set of Anti Virus Utilities that are 
comprehensive, yet simple to use.  You may Download ThunderBYTE from my 
BBS at 1-706-860-5070 or from the www.thunderbyte.com website.  
You may call me voice at 1-706-860-3388.......ThunderBYTE sells for $99.95 
for a Cross Platform Lifetime license.......VISA, MasterCard, American 
Express are welcome......

Duncan

------------------------------

Date: Fri, 12 Apr 1996 14:12 +0000
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
X-Digest: Volume 9 : Issue 52

"Chengi J. Kuo" <cjkuo@alumnae.caltech.edu> writes:

> Iolo Davidson <iolo@mist.demon.co.uk> writes:
> [some snipping]
> >Ok, I see your problem.  You were testing against a collection of 
> >viruses.  FindVirus goes into a rapid "review" mode when it 
> >encounters more than about ten different viruses on a computer.  
> >It does this because the situation is an unreal one indicating 
> >that someone is doing a performance test, not coping with a 
> >genuine virus outbreak.
> >
> >If you want it to do the exact identification that it would 
> >normally do, there is a command line switch that makes it stay in 
> >precise identification mode.  I think it is /IDENTIFY. 

/VID actually.

> >> I do know that these examples are somewhat arbitrary, and I still do
> >> believe that both products are among the best in their class, but I 
> > also do
> >> believe that we can draw at least some conclusions from these 
> > results.
> >
> >The conclusion is that you ran it on a collection of viruses and 
> >it went into "review" mode.  The word "like" is the giveaway.  
> 
> I am constantly hearing about "independent reviews" which give
> S&S a very high ranking.

Don't just hear about them Jimmy, you can read them for yourself at 
http://www.drsolomon.com/avtk/reviews.  :-)  And yes, they are of course 
independent - from the likes of Virus Bulletin, etc..

> Are you saying that they have a special mode to recognize when they're
> being tested?

FindVirus normally does extremely precise identification - this means 
that when it comes across a virus infection it can be slightly slower 
(not a problem in an infected situation after all).  However, some 
reviewers think it's a good idea to time how quickly a scanner is when 
scanning viruses, whereas in fact the correct way to time a scanner's 
speed is when it is scanning clean files (which after all is how the 
scanner is going to be run 99.99% of the time).

So, when FindVirus notices it is being tested against a large number of 
viruses it turns identification down a notch.  Notice: this does not 
affect *detection* only precise identification.  It still finds the same 
number of viruses, it's just more likely to say "is like" rather than 
"identified as".  This makes no difference whatsoever to Dr Solomon's 
high level of detection.

> Are the reviewers told about this?

It's certainly no secret.  Dicky Ford at the NCSA knows about it, Ian 
Whalley at Virus Bulletin knows about it, Vesselin Bontchev knew about it 
(both when he was at Hamburg and now he's with Frisk), Marko Helenius at 
the University of Tampere knows about it, and other members of the 
anti-virus community know about it and don't seem to have any objection 
to it.  I guess other products may do the same.

After all, it doesn't affect detection whatsoever: the same number of 
viruses are still found.  And anyone of the virus-gurus who is interested 
in precise identification can enable that with the /VID switch.

> Jimmy
> cjkuo@mcafee.com
> 
> PS.  I always thought my job was to help users.  I guess I'll have to
> add "win reviews" to my job duties.  *sigh*

But winning reviews does help users!  It helps them make the right choice 
as to which anti-virus to purchase!  That has to be good news..

Sure, there are occasional incompetent reviews, but there are some very 
well respected reviews also. What's important is not that an anti-virus 
wins one or two reviews but instead has a consistent track record at 
scoring extremely highly in reviews.  That way, it makes up for the 
occasional "fluke" where a bad product wins an incompetent review.

Regards
Graham
--
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Fri, 12 Apr 1996 16:46:10 -0200
From: Henry Pieters <gnhmhp@med.uovs.ac.za>
Subject: Re: Residual effects of a virus? (PC)
X-Digest: Volume 9 : Issue 52

Douglas M. Munro wrote:

> I have recently overcome the Havoc ][ virus on my system and have noticed
> that two of my floppies which were flagged as having the virus had a
> volume label of "COMPAT  FUL".  I am sure that I didn't label those
> floppies with that and according to one Norton guy, he doesn't think that
> NAV did either.  Has anyone ever seen this before and is it virus related?

Did you use the floppy for a compatibility test with MS Backup or Norton 
Backup ?  I vaguely remember seeing a similar volume label on a diskette 
that I had used for the compatibility test with MS Backup.  Shouldn't be 
a virus.... :>)

- - 

o--------------------------------------------------------------------o
| Henry Pieters, PhD.             Internet:  gnhmhp@med.uovs.ac.za   |
| P O Box 339 (G2)                                                   |
| Department of Haematology                                          |
| University of the Orange Free State                                |
| Bloemfontein, RSA             PHONE(Voice/Fax: +27 51 405 3571     |
|                               FAX (alternative): +27 51 473222     |
|                                                                    |
|====================================================================|
|    <<<<<<<<<<<<<    DISCLAIMER    >>>>>>>>>>>>>>>                  |
|    All messages are my own, not those of the University            |
o--------------------------------------------------------------------o

------------------------------

Date: Fri, 12 Apr 1996 11:12:45 -0400
From: Frank Terhaar-Yonkers <fty@mcnc.org>
Subject: Need help with whacked PC (PC)
X-Digest: Volume 9 : Issue 52

Tell me more.  I've a situation where *something* ate my son's PC/win3.11.

It walked the directory tree, and deleted every file. Norton unerase works
just fine, but is tedious.  I'd like a utility that lists EVERY restorable
deleted file, writes that list to a floppy file or another hard drive.
I could then use the list to process those names against a list of names
from a healthy machine to determine the appropriate first character which
could be fed back to the unerase process.

- - 
Frank Terhaar-Yonkers
High Performance Computing and Communications Research
MCNC
PO Box 12889    3021 Cornwallis Road
Research Triangle Park,  North Carolina  27709-2889
fty@mcnc.org   voice (919)248-1417   FAX (919)248-1455
http://www.mcnc.org/HTML/ITD/ANT/HPCCResearch.html
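The utility Frank describes above (list every deleted entry, then use a file list from a healthy machine to work out the first character that DOS overwrote) can be sketched in a few dozen lines. The following is an added example written for this digest page, not code from Frank or from Norton; on FAT, deleting a file replaces byte 0 of its directory entry with 0xE5 and leaves the rest of the 8.3 name intact, which is what the matching relies on. The directory bytes, file names and the "healthy" list (including NODE.COM, put in only to show an ambiguous match) are constructed.

```python
"""Added example, not code from the digest: list recoverable deleted entries
from a FAT directory and work out their missing first character by matching
the surviving name tail against a file list from a healthy machine. The
directory bytes and file lists below are constructed for illustration."""
import struct

ENTRY_SIZE = 32
DELETED_MARK = 0xE5        # FAT overwrites byte 0 of a deleted entry with this
ATTR_VOLUME_LABEL = 0x08


def make_entry(name: str, ext: str, size: int, deleted: bool = False,
               attr: int = 0x20) -> bytes:
    """Construct a 32-byte FAT directory entry (name, ext, attr, size only;
    time, date and start cluster are left zero)."""
    raw = bytearray(name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii"))
    raw += bytes([attr]) + b"\x00" * 16 + struct.pack("<I", size)
    if deleted:
        raw[0] = DELETED_MARK
    return bytes(raw)


def parse_directory(raw: bytes):
    """Yield (deleted, name) for each in-use or deleted entry; stop at the
    end-of-directory marker (0x00) and skip volume labels."""
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = raw[off:off + ENTRY_SIZE]
        if e[0] == 0x00:
            break
        if e[11] & ATTR_VOLUME_LABEL:
            continue
        deleted = e[0] == DELETED_MARK
        first = "?" if deleted else chr(e[0])
        base = (first + e[1:8].decode("ascii", "replace")).rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        yield deleted, f"{base}.{ext}" if ext else base


def recoverable_names(raw: bytes) -> list:
    """The list Frank asks for: every deleted entry, first char shown as '?'."""
    return [name for deleted, name in parse_directory(raw) if deleted]


def candidate_first_chars(unknown: str, healthy_names) -> list:
    """First characters of clean-machine names whose tail matches the entry."""
    tail = unknown[1:].upper()
    return sorted({n[0].upper() for n in healthy_names if n[1:].upper() == tail})


def recover(raw: bytes, healthy_names) -> dict:
    """Map each recoverable name to its candidate first characters
    (empty list = no match on the healthy machine, ask the user)."""
    return {n: candidate_first_chars(n, healthy_names) for n in recoverable_names(raw)}


# Constructed sample: a small root directory after a mass delete.
SAMPLE_DIR = b"".join([
    make_entry("MYDISK", "", 0, attr=ATTR_VOLUME_LABEL),
    make_entry("COMMAND", "COM", 54619, deleted=True),
    make_entry("MODE", "COM", 23521, deleted=True),
    make_entry("README", "TXT", 1200, deleted=True),
    make_entry("CONFIG", "SYS", 300),
    b"\x00" * ENTRY_SIZE,                       # end-of-directory marker
])

# Constructed file list from a healthy machine (NODE.COM is hypothetical).
HEALTHY_NAMES = ["COMMAND.COM", "FORMAT.COM", "MORE.COM", "MEM.EXE",
                 "MODE.COM", "NODE.COM", "CONFIG.SYS"]

if __name__ == "__main__":
    for name, candidates in recover(SAMPLE_DIR, HEALTHY_NAMES).items():
        print(f"{name:14s} -> {candidates or 'no match, ask the user'}")
```

The name list would be written to a floppy or second drive, and only entries with exactly one candidate can be fed back to an unerase tool unattended; ambiguous ones (two or more candidates) and unmatched ones still need a human decision.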

------------------------------

Date: Sat, 13 Apr 1996 01:20:09 +0000 (GMT)
From: Shane Coursen <scoursen@symantec.com>
Subject: Re: Cmos-corrupting Virus (Monkey?) (PC)
X-Digest: Volume 9 : Issue 52

>In article <0027.01I37FTNL19GSH3CBI@csc.canterbury.ac.nz>, Wayne Shanks
>writes:
>
>: There is now a full blown epidemic in the Maryland area (maybe overstated, 
>: but I know of over 70 computers at dozens of sites infected).  This 
>: Virus deletes the Cmos setup info.  You can go back in and reset 
>: everything, but at the next reboot you have to do it again.  My father 
>: helps run the computer lab at the elementary school where he teaches.  A 
>: bunch of the computers in the lab had these problems, and he thought the 
>: clock/cmos went bad.  These computers were IBM PS2.  He talked with a 
>: tech support guy at IBM, and the Tech guy thought that it was not a 
>: Hardware problem, but a new Monkey Virus. The guy said it has popped up 
>: in the last 6 months.  When my father told me about this, a light went 
>: on.  For the last 2 or three months I have been hearing dozens of people 
>: complain about their Cmos dropping out.  

Are all CMOS erased?  Or only some?  If some, which?  
Who is the computer manufacturer?  Was it IBM in all cases?

Something to try: 

 1) Boot the computer from the hard drive.  
 2) Fix the CMOS
 3) Reboot (cold) from a known clean diskette, and make sure it 
    is the diskette you *actually* boot from.

At this point, does the CMOS need to be fixed again?  If so, 
chances are it is a hardware problem.  Think about cleaning the 
battery contacts, or replacing the battery.

If the CMOS goes out only after booting from the hard disk, chances
are it is a _virus_, or an _unruly_program_.  

_virus_:  For example, Feint (alias: DelCMOS.A), which has been
reported in the wild, modifies CMOS, but it only modifies CMOS 
when cold booting the computer from an infected diskette/hard disk.

_unruly_program_: Unlikely, but a program that is run when the 
computer first starts could also be the cause of the problem.  This 
program could be loaded from CONFIG.SYS, AUTOEXEC.BAT, WIN.INI, or 
any number of places.  It's a lengthy process, but the method of 
elimination can help in determining *exactly* which program is 
causing the problem.

>: Do you know how to kill it.

Before a problem can be eliminated, you must first know the 
cause.  You did not mention attempts to scan, so I'd recommend 
that.  If one scanner does not find anything, get a second opinion
(try another scanner.)

--
Shane Coursen                                        Symantec Corporation
Computer Virus Researcher                http://www.symantec.com/avcenter
AntiVirus Research Center                                 CIS:  GO SYMWIN
scoursen@symantec.com                                           GO SYMNEW
      US Support:  541-465-8420                            AOL:  SYMANTEC
European Support:  31-71-353-111       Australian Support:  61-2-879-6577

------------------------------

Date: Sat, 13 Apr 1996 01:49:41 +0000 (GMT)
From: Shane Coursen <scoursen@symantec.com>
Subject: Re: What AV software should I get? (PC)
X-Digest: Volume 9 : Issue 52

In article <0023.01I3FQNQ0S3KSKU6UC@csc.canterbury.ac.nz>,
asjcw3@uaa.alaska.edu says...

>Hello, I'll get right to the point. Our 540-meg HD has crashed 
>several times in the last few months. Norton Disk Doctor tells 
>us that the FAT has a glitch, and, though it knows what files 
>are on the disk, it doesn't know where on the drive the files 
>are stored. Generally between 85-100% of our HD is unusable until
>the HD is reformatted. Then we have no problems until the HD crashes
>again. (BTW, the first crash occurred on the day the warranty ran out,
>marking the computer's first birthday.) We have loaded NDD into the
>autoexec.bat file, but this has had only limited success. The HD has
>crashed since then, but we have gone for about three weeks without
>a crash now.

1st Question: Which OS are you running?  DOS, DOS/Win, Win95?
2nd Question: Which version of NU did your NDD come from?

>My question is this: A friend knowledgeable in these matters said these 
>symptoms sound like a virus, but MSAV & MWAV have found none. [snip]

You might want to get a second or third opinion from other scanner(s).
Evaluation scanners can be downloaded from many AV vendors.  The
URL in my sig will take you to the Symantec WWW.  Once there, an
eval version of NAV is available (NAVSCANZ.EXE)

[snip]
>And can someone please explain how a virus can stay on a
>computer after multiple HD reformats?

Simple: Formatting a hard drive rewrites the boot sector,
(which is usually located at Cylinder 0, Side 1, Sector 1)
but it does not rewrite the master boot record (located
at Cylinder 0, Side 0, Sector 1.)

If a virus sits in the MBR, FORMAT will not touch it.

--
Shane Coursen                                        Symantec Corporation
Computer Virus Researcher                http://www.symantec.com/avcenter
AntiVirus Research Center                                 CIS:  GO SYMWIN
scoursen@symantec.com                                           GO SYMNEW
      US Support:  541-465-8420                            AOL:  SYMANTEC
European Support:  31-71-353-111       Australian Support:  61-2-879-6577
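Two points made in this issue fit one small model: Stefan Kurtzhals' explanation (in "Re: Monkey and partitioned drives") that FDISK /MBR rewrites the loader code in the partition sector but does nothing for partition entries a boot virus has invalidated, and Shane's point just above that FORMAT rewrites the volume boot sector at cylinder 0, side 1, sector 1 while the master boot record at cylinder 0, side 0, sector 1 is never touched. The code below is an added example written for this digest page; it is not from either author, from FDISK or from FORMAT. The loader bytes, partition entries and the LBA-keyed "disk" dictionary are all constructed, and the partition-table layout used (entries of 16 bytes at offset 0x1BE, signature 55AA at offset 510) is the standard PC one.

```python
"""Added example, not code from the digest: a small model of the PC MBR
(cylinder 0, head 0, sector 1) showing why "FDISK /MBR" removes loader
code but not damage to the partition table, and why FORMAT, which rewrites
the volume boot sector, never touches the MBR. All bytes are constructed."""
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE        # loader code occupies 0x000..0x1BD
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"

# Constructed stand-ins; no real loader code is reproduced here.
CLEAN_LOADER = b"\xFA\x33\xC0\x8E\xD0"            # hypothetical "standard DOS code"
FOREIGN_LOADER = b"\xEB\x3C\x90" + b"\x90" * 61   # hypothetical non-standard code


def build_mbr(loader: bytes, entries) -> bytes:
    """Build a 512-byte MBR from loader bytes and (status, type, lba, count) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries)
    table = table.ljust(4 * PART_ENTRY_SIZE, b"\x00")
    return loader.ljust(PART_TABLE_OFFSET, b"\x00") + table + BOOT_SIGNATURE


def parse_partition_table(sector: bytes) -> list:
    """Return the four entries as dicts. Entry layout: status, CHS start (3),
    type, CHS end (3), LBA start, sector count; the CHS fields are skipped."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    out = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        out.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return out


def partition_table_is_usable(sector: bytes) -> bool:
    """What DOS needs to see C: after a clean boot: a valid signature, at
    least one non-empty entry, sane status bytes, at most one active entry."""
    if sector[510:] != BOOT_SIGNATURE:
        return False
    entries = parse_partition_table(sector)
    if all(e["type"] == 0 for e in entries):
        return False
    if any(e["status"] not in (0x00, 0x80) for e in entries):
        return False
    return sum(e["status"] == 0x80 for e in entries) <= 1


def fdisk_mbr(sector: bytes) -> bytes:
    """Model of FDISK /MBR: overwrite only the loader area with standard code;
    the partition table and signature are copied through unchanged."""
    return CLEAN_LOADER.ljust(PART_TABLE_OFFSET, b"\x00") + sector[PART_TABLE_OFFSET:]


def format_volume(disk: dict, sectors_per_track: int, boot_sector: bytes) -> None:
    """Model of FORMAT C:: rewrite the volume boot sector. A partition that
    starts at head 1, sector 1 has its boot sector at LBA = sectors_per_track
    (LBA = (cyl*heads + head)*spt + sector-1); LBA 0, the MBR, is not written."""
    disk[sectors_per_track] = boot_sector


def demo() -> dict:
    healthy = build_mbr(CLEAN_LOADER, [(0x80, 0x06, 63, 1_048_513)])
    # Loader replaced and partition entries zeroed: what a clean boot sees
    # once entries have been invalidated ("Invalid drive C:").
    wrecked = build_mbr(FOREIGN_LOADER, [])
    results = {
        "healthy_usable": partition_table_is_usable(healthy),
        "wrecked_usable": partition_table_is_usable(wrecked),
        "wrecked_after_fdisk_mbr_usable": partition_table_is_usable(fdisk_mbr(wrecked)),
        "healthy_after_fdisk_mbr_same_table":
            parse_partition_table(fdisk_mbr(healthy)) == parse_partition_table(healthy),
    }
    disk = {0: wrecked}                                   # constructed disk: LBA -> bytes
    new_vbs = b"\xEB\x3C\x90".ljust(510, b"\x00") + BOOT_SIGNATURE
    format_volume(disk, 63, new_vbs)
    results["mbr_untouched_by_format"] = disk[0] == wrecked
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two outcomes worth noticing are that fdisk_mbr() turns the wrecked sector's loader back into CLEAN_LOADER yet partition_table_is_usable() still returns False, and that after format_volume() the bytes at LBA 0 are exactly what they were. That is why the practical advice in both posts is to restore a saved copy of the partition sector (the "store partition sector" feature Stefan mentions) rather than rely on FDISK /MBR or FORMAT.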

------------------------------

Date: Sat, 13 Apr 1996 02:06:31 +0000 (GMT)
From: Shane Coursen <scoursen@symantec.com>
Subject: Re: Where to get a virus check up grade? (PC)
X-Digest: Volume 9 : Issue 52

In article <0032.01I3FQNQ0S3KSKU6UC@csc.canterbury.ac.nz>,
teamsieg@snowhill.com says...

>I have a Packard Bell Legend 36CD its a 486/50. It came with Win 3.11 on 
>it I have had it for over a year now and I would like to know is there an 
>upgrade to the Microsoft virus scan program that came with it.

No upgrades, per se, to the product itself, but quarterly definition 
updates are available at the WWW site listed in my .sig.

--
Shane Coursen                                        Symantec Corporation
Computer Virus Researcher                http://www.symantec.com/avcenter
AntiVirus Research Center                                 CIS:  GO SYMWIN
scoursen@symantec.com                                           GO SYMNEW
      US Support:  541-465-8420                            AOL:  SYMANTEC
European Support:  31-71-353-111       Australian Support:  61-2-879-6577

------------------------------

Date: Fri, 12 Apr 1996 23:29:07 -0700
From: Fletcher Davidson <fletcher@postoffice.sandybay.utas.edu.au>
Subject: Help Do I have to worry!!! (PC)
X-Digest: Volume 9 : Issue 52

I have recently discovered the loss of the DOS mem command?? I have also lost 
a few other commands, such as more!!, I am not sure, but are these internal,
or external commands, and is my pc currently infected???

Please reply by e-mail, as I may not be able to read this group for a while, 
but I will be able to check my mail, thanks a lot for any response.

Regards
Fletch Davidson

E-mail -fletcher@postoffice.sandybay.utas.edu.au

[Moderator's note:  MORE and MEM certainly are external DOS commands.  As to
whether you have a virus--from what you tell us the answer is entirely
unclear.  More details are needed, or better for you (i.e. quicker), try
downloading a couple of the freeware and/or shareware scanners commonly
available around the net and check your system with them.]

------------------------------

Date: Sat, 13 Apr 1996 03:03:16 +0000 (GMT)
From: LEE SENG HUAT <sci30530@leonis.nus.sg>
Subject: Help ,welcomb virus (PC)
X-Digest: Volume 9 : Issue 52

Any idea how to clean this memory resident virus???
I tried using f-prot but got stuck when it scans the 
memory. A red box appeared and I couldn't get into the
main menu to clean the virus.

thanks.

------------------------------

Date: Sat, 13 Apr 1996 18:33:40 +0000 (GMT)
From: Mat Joyce <mjoyce@acjoyce.demon.co.uk>
Subject: Parity boot? What should I do? (PC)
X-Digest: Volume 9 : Issue 52

I have heard that PARITY BOOT is irremovable from a system
once on, is this true? 

Why? 
Because I have it and NEED to get rid of it.

Can you help?
Can anyone tell me how to remove this from my system or where I 
can get a decent virus killer from.

	     Thanks
		 
		 Mat J

		    mjoyce@acjoyce.demon.co.uk

P.S. Please mail me a copy of anything you post.

------------------------------

Date: Sun, 14 Apr 1996 10:47:13 +0000 (GMT)
From: Bruce Burrell <bpb@stimpy.us.itd.umich.edu>
Subject: Re: Multiple boot sector infections (PC)
X-Digest: Volume 9 : Issue 52

Pavel Machek (machek@atrey.karlin.mff.cuni.cz) wrote:

> Antonio Godinho (antonio@nambu.uem.mz) wrote:
> : I have had several problems of multiple boot sector infections on my
> : computers and have never managed to clean them. Does anyone know if
> : and how it can be done? From what I gathered the infections were of
> : the UNASHAMED and ANTIEXE.a viruses. I tried using Dr. Solomon's
> : toolkit 7.56, F-prot 222 and  Thunderbyte 6.38 but all these failed.
> : Since I did not have access to the Hard disks in any of the cases, I
> : had to fdisk and reformat the hard disks.
> 
> So you had more than one virus, and you could not clean it?
> Well, I use following scheme to do such things: (It proves, that 
> computer viruses CAN be usable after all...)
> 
>   I have one floppy (I have to pay a lot of attention when working with
> it :-( ) with ANTICMOS virus. When you boot from such floppy, it replaces
> original masterboot with itself, thereby killing any viruses but installing
> new one. But after that, I'm able to boot up and launch *something* (usually
> disk editor, but scan would do the job) to destroy ANTICMOS.
> 
>   Nice way of removing viruses, isn't it?

   No.  It is a VERY BAD way of "removing" viruses.  Suppose the hard
drive was infected with Monkey; as you may know, that virus does not
preserve the partition table.  Hence using your "solution" on a
Monkey-infected hard drive would effectively remove access to all data on
the hard drive.  The damage can be worse; for example, if two non-MBR
preserving viruses happen to write (0,0,1) to the same place, then even
the backup information is lost, and it's probably data recovery time. 

This suggestion is just a hair worse than suggesting that users execute 
FDISK with a certain heinous undocumented switch.  Unless you have no 
interest in preserving your data,

       D O     N O T     T R Y     T H I S !!  

Infecting with another virus won't make the situation better, and it may
well make it worse.  Instead, use antivirus software for the task for
which it was designed. 

   -BPB

------------------------------

Date: Sun, 14 Apr 1996 07:00:24 -0400
From: "Bruce P. Burrell" <bpb@umich.edu>
Subject: Re: ripper-virus, who can help (PC)
X-Digest: Volume 9 : Issue 52

volker Biedermann (100343.3164@compuserve.com) wrote:

> I have a problem with the *ripper-virus*. I found the virus with 
> scan/vshield-program from McAfee. I got these programs from the 
> SCNI22CE.ZIP file, which i found in my local BBS.
> 
> My main problem is, how to TERMINATE the ripper-virus? Which 
> software or treatment do you suggest? Can you help me?

   I suspect you can use McAfee to remove Ripper; note well, however, 
that it can't remove Ripper's *damage*.  Ripper corrupts data at random; 
I suggest reinstalling all software from originals, and restoring from 
backups any documents that are corrupted.

To remove Ripper with McAfee, first make sure that you have the current 
version (2.2.11, I believe, soon to be 2.3.0).   Make a clean bootable 
floppy on an uninfected machine, and put the DOS version of SCAN on it.

Write protect the floppy, and cold boot from it.  At the A:\> 
prompt, type SCAN C: /CLEAN

Then boot from the hard drive, but enter CMOS and set the boot 
sequence to start up from C: instead of A:; most computers allow 
this.  Then install the AV software if the current version isn't on your 
machine, and scan all your floppies -- ALL OF THEM -- and disinfect any 
with Ripper.  Those diskettes are also at risk for Ripper's corruption, I 
believe, so check the data carefully.

That ought to do it.  If you have documents so damaged that they won't 
load, and no acceptable backups, you'll probably need a data recovery 
unless you can reenter the data.

   -BPB

------------------------------

Date: Sun, 14 Apr 1996 11:20:41 +0000 (GMT)
From: Bruce Burrell <bpb@stimpy.us.itd.umich.edu>
Subject: Re: xcopy /v ?? (PC)
X-Digest: Volume 9 : Issue 52

ak8188@CNSVAX.ALBANY.EDU wrote:

> this is NOT a virus question; however it is a data security question;
> therefore, i hope that the moderator and others in this group will
> consider it worthy of consideration
> 
> i work in a place where the folks who buy the computer diskettes are
> not the same folks who use them; inevitably, they purchase bad media
> (sony 10mfd-2hd), and we get stuck using them; i think that close to
> ten percent of the diskettes come with bad sectors, right out of the
> box

   I would advise that instead you reformat the diskettes with the /U
switch. 

> whenever i copy a file to a diskette, i have to actually wonder whether
> the file has been copied correctly!!  my solution to this is to stop
> using the ms-dos COPY command to copy from the hard drive to diskettes;
> instead i use the XCOPY /V command; 

   Good solution, but only because XCOPY is faster and more efficient.

> my questions are the following:
> 
> a) what does XCOPY /V actually do; what does ms-dos do when it "verifies"
>       the copying?  is it the same as using COPY and then FC to compare
>       the versions of the files?

   XCOPY /V behaves as if the VERIFY=ON had been set.  Unfortunately, 
this is utterly useless.  After the data are copied to disk, the BIOS 
checks to see whether the sector just written to EXISTS; it does not 
examine the data therein.
   Think about this for a moment.  You just wrote to the disk without 
error, so the sector was there a few milliseconds ago.  What use is it to 
check to see whether it is still there?!?

> b) what does Windows 3.11 File Manager do when it is "copying" a file to
>       a diskette?  does it use a "verification" scheme?  is there a
>       default setting that i can change to make it do so?

   I suspect that it will do the same verification as in (a) if you have 
set VERIFY=ON in CONFIG.SYS or AUTOEXEC.BAT, but it's a waste of CPU 
cycles.  The error-checking done by the BIOS should be more than 
sufficient, and there's no way to fiddle with that, short of hacking the OS.

> c) what does Windows 95 Explorer do when it is "copying" a file to a
>       diskette?

   Hmmm.  That would be done in protected rather than real mode, so I'll 
defer.  I suspect that the WD1007 spec doesn't actually compare data, but 
will return a fault on a write error.  Again, that should suffice.

   If you have particularly important data, check it with e.g., FC. 
Otherwise, the error should be apparent when you attempt to write to disk. 

> thank you for reading

   How about for answering?

> alfredo b goyburu

[Moderator: I hope you'll allow the preceding flippant remark, since Al and
I were co-op housemates at Cornell one summer a few years back.  I promise
to answer your private mail soon, Al; honest!]

   -BPB
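Bruce's point in (a) is that VERIFY=ON only re-checks that the sector just written still exists, while a real verification compares the data, which is why he suggests FC for important files. The following is an added example written for this digest page, not code from Bruce, from DOS or from any of the tools discussed: it copies a file, forces it out to the device, reads it back and compares digests, and does an FC-style byte compare to report where a copy went bad. The test file and the simulated bad-sector corruption are constructed in a temporary directory; on modern systems the read-back may be served from cache, so this shows the logic of a data verify rather than a guarantee about the media.

```python
"""Added example, not code from the digest: what a real copy verification
looks like, as opposed to VERIFY=ON / XCOPY /V. The destination is read
back and compared byte for byte with the source (what FC does), so a copy
that landed on a bad sector shows up as a mismatch. Files are constructed
in a temporary directory."""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path: str, chunk: int = 65536) -> str:
    """Digest a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def copy_and_verify(src: str, dst: str) -> bool:
    """Copy, force the data out to the device, then compare digests of the
    source and the re-read destination."""
    shutil.copyfile(src, dst)
    with open(dst, "rb+") as f:
        f.flush()
        os.fsync(f.fileno())
    return sha256_of(src) == sha256_of(dst)


def first_difference(a: bytes, b: bytes):
    """FC-style compare: offset of the first mismatching byte, or None when
    the two are identical (a length difference counts as a mismatch)."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "report.doc")
        dst = os.path.join(d, "report_copy.doc")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 64)          # 16 KiB constructed file
        clean_ok = copy_and_verify(src, dst)
        # Simulate a bad sector on the diskette: one byte changes after the write.
        with open(dst, "rb+") as f:
            f.seek(4097)
            f.write(b"\xFF")
        with open(src, "rb") as f:
            a = f.read()
        with open(dst, "rb") as f:
            b = f.read()
        return {
            "clean_copy_verified": clean_ok,
            "corrupted_copy_verified": sha256_of(src) == sha256_of(dst),
            "first_bad_offset": first_difference(a, b),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A sector-exists check, the behaviour Bruce describes for VERIFY=ON, would report success in both runs above; only the read-back compare tells the clean copy from the corrupted one and names the offset.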

------------------------------

Date: Sun, 14 Apr 1996 12:44:51 +0000 (GMT)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: virus in macromedia plug-in (PC)
X-Digest: Volume 9 : Issue 52

In article <0032.01I3JH3PLOGSSKU6UC@csc.canterbury.ac.nz>
	   p.babu@giasmd01.vsnl.net.in "Parameshwar Babu" writes:

> I use Scan V.2.2.6 for dos, McAfee
>
> I downloaded macromedia plug-in for Netscape.
> I got the report like this in my machine:
>
> Scanning C: [DRIVE1VOL00]
> C:\NETSCAPE\PLUGINS\NP16DSW\MACROMIX.DLL
>         Found the SMEG virus or variant

Probably not.  Even if it is, I greatly doubt that this virus 
would be able to spread from a Windows .DLL.  Try scanning with a 
couple of other products to see if they agree with McAfee.  SMEG 
is polymorphic, and it is difficult for a scanner to detect all 
replications without allowing a heightened possibility of false 
alarms.

> Why should Macromedia do such a thing!

They shouldn't, and wouldn't.  Most incidences of virus infection 
are cases of just another victim.  Viruses spread without the 
intention or knowledge of victims.  Where the infection is 
deliberate, it is very unlikely that the person/product whose 
name is most evident is the person who is to blame.

- -
CUTIE INVITED                   OF WHISKERS
	     VARSITY HOP                   PARTY A FLOP
			GUY FULL                       Burma-Shave

------------------------------

Date: Sun, 14 Apr 1996 19:08:27 +0000 (GMT)
From: 'Mike' M Ramey <mramey@u.washington.edu>
Subject: Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
X-Digest: Volume 9 : Issue 52

Iolo, Graham, Dr. Solomon, and development folks at S&S:

   Please print an *explicit* message in the FindVirus output that
*clearly* indicates the occurrence, cause, and consequences of switching
into "review" mode.  The word "like" is *not* a substitute for a clear 
explanation of what is going on!
   I have sent you messages in the past (and I will send you more soon) 
about the lack of clarity (or inaccuracy) of messages from the FindVirus
program.  I do not doubt that your programs are of excellent quality, but
if the output messages are inaccurate, incomplete, sloppy, or even only
confusing, ... then it is natural for a new user to conclude that the
program will be of similar construction throughout. 
   I can imagine that you are putting most of your development effort into
AVTK for the newer platforms (including Macintosh, I hope!) and that
FindVirus may be getting less attention, ... but if FindVirus is your 
downloadable demonstration & evaluation program, then it must be at least 
as good as your other, more flashy, products.

   Thank you,  --Mike Ramey

- - 
 -Mike Ramey  685-0940  FAX:685-3836  Wilcox-171  Box:35-2700  UofW  98195

------------------------------

Date: Mon, 15 Apr 1996 04:30:02 +0000 (GMT)
From: Pmaynard@apci.net
Subject: "Eat at grandma's grave" message--virus?? (PC)
X-Digest: Volume 9 : Issue 52

One day I was writing an assembly program and forgot to leave the $ on the 
end of a string I was displaying. (the $ means the end of the string the 
function is to print, for those who aren't familiar with assembly). 
So it displayed some junk after it, and included in the junk was:

	Eat at grandma's grave.

So, there must be something going on....however TBAV and scan don't detect 
anything. The only thing I have noticed that is strange is that I can't get 
simple print statements to work in assembly, I always get some garbage.

So, if anyone has a clue what this may be I would greatly appreciate it.
Please E-Mail....

Thanx,
Rob
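The mechanism behind the "junk" Rob describes, as an added example (not code from the post or from any product named in the digest). DOS INT 21h function 09h writes bytes starting at DS:DX until it meets a '$'; it takes no length, so a string without the terminator keeps the call emitting whatever follows the string in the data segment, which may be other strings in the program or leftovers from whatever last occupied that memory. The block emulates that call on a constructed memory image, then adds a crude lint for assembler source that flags `db` lines holding a quoted string with no '$'. The memory image, the neighbouring "PASSWORD=" data and the assembler fragment are all constructed for the example.

```python
import re

TERMINATOR = b"$"


def dos_display_string(memory: bytes, offset: int) -> bytes:
    """Emulate INT 21h/AH=09h: return the bytes written for the string at offset.

    The real function stops only at the first '$'. With none after offset it
    would run on past the program's data; the emulation stops at the image end.
    """
    end = memory.find(TERMINATOR, offset)
    return memory[offset:] if end == -1 else memory[offset:end]


def build_data_segment(message: bytes, terminated: bool,
                       neighbour: bytes) -> tuple[bytes, int]:
    """Lay out `message`, optionally '$'-terminated, followed by unrelated data.

    Returns the image and the offset at which the message starts.
    """
    image = b"\x00" * 16                      # constructed: bytes preceding the message
    offset = len(image)
    image += message + (TERMINATOR if terminated else b"")
    image += neighbour                        # constructed: whatever sits after it
    return image, offset


DB_LINE = re.compile(r"^\s*(\w+\s+)?db\s+(.*)$", re.IGNORECASE)


def unterminated_db_lines(asm_source: str) -> list[int]:
    """Return line numbers of `db` directives with a quoted string but no '$'.

    Single-line lint only: a string whose '$' is placed on a following `db`
    line is reported as well, so treat hits as candidates, not verdicts.
    """
    flagged = []
    for lineno, line in enumerate(asm_source.splitlines(), start=1):
        code = line.split(";", 1)[0]          # drop the comment part
        m = DB_LINE.match(code)
        if not m:
            continue
        operands = m.group(2)
        if ("'" in operands or '"' in operands) and "$" not in operands:
            flagged.append(lineno)
    return flagged


def demo() -> tuple[bytes, bytes, list[int]]:
    """Terminated vs. unterminated string sharing the same neighbour, plus the lint."""
    neighbour = b"PASSWORD=hunter2$"          # constructed unrelated data
    good_img, good_off = build_data_segment(b"Hello, world", True, neighbour)
    bad_img, bad_off = build_data_segment(b"Hello, world", False, neighbour)
    asm = "\n".join([
        "msg1  db 'Hello, world$'",
        "msg2  db 'Value: '          ; terminator forgotten",
        "count db 3",
    ])
    return (dos_display_string(good_img, good_off),
            dos_display_string(bad_img, bad_off),
            unterminated_db_lines(asm))


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The second value returned by `demo()` shows the point: the output is the message followed by the neighbouring data up to its own '$'. Seeing unfamiliar text after an unterminated string is therefore expected behaviour of the call, not evidence on its own of anything else in memory.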

------------------------------

Date: Sun, 14 Apr 1996 23:39:54 -0700
From: Ron Martell <rmartell@islandnet.com>
Subject: Re: Stoned.Empire.Monkey_B (PC)
X-Digest: Volume 9 : Issue 52

I have encountered another problem with the stoned-empire-monkey_b.
The infected computer is an older 486 with a 1 gb hard drive using
Disk Manager to get around the 528 barrier.  

You can't access the hard drive properly by booting from a floppy
because disk manager is not loaded.  You have to wait until you see
the message "press space bar to boot from diskette", and of course by
then the virus is in memory and AV won't work.

Suggestions please.

Ron Martell     Duncan B.C.    Canada

"Anyone who thinks that they are too small to make a difference
has never been in bed with a mosquito."

------------------------------

Date: Mon, 15 Apr 1996 08:40:32 +0000 (GMT)
From: Richard Evans <evansr@europa.lif.icnet.uk>
Subject: Re: Good scanner with smallest TSR memory footprint (PC)
X-Digest: Volume 9 : Issue 52

Chastain, Brian (chastaib@stifel.com) wrote:

: We're beginning to have some problems with viruses here, notably the 
: FORM virus.  While this isn't a destructive virus, it is, nevertheless, a 
: pain in the butt.  Anyway, my boss wants me to look into virus detection
: for our company.  Myself and several others in my department are using
: Norton's Anti-Virus, and it seems to be working nicely.
: 
: My main concern, however, is memory overhead.  The NAVTSR occupies 30K 
: of RAM.  I took a look at F-PROT, and their TSR occupies over 40K of RAM.
: 
: Since we're a token-ring network, and token-ring drivers are 
: notoriously large, we can't afford to give up that much memory.
: 
: My question (finally!) is, which scanning program is effective, yet has 
: the smallest TSR footprint?

1st. I am wondering if you have considered loading a virus guard program
into "Upper Memory Blocks". This requires a 386 or later processor, also
slightly more than 1Mb of memory, and a version of DOS that supports
this. MS-DOS 5.0 and later versions support this, I'm not sure about
earlier versions. The virus Guard must also be capable of being loaded
into Upper Memory Blocks. Both McAfee and Dr. Solomons can be loaded
in this way, plus probably many others that I am not aware of.

2nd. Another possibility is to load the virus guard using a swap file.
The only snag with this is that it can make systems rather slow.
McAfee can do this using only about 3K of conventional memory. I'm
not sure about Dr. Solomons and others.

3rd. A virus guard is only one option. Another option is to run some
type of scan when the computer boots up. I have implemented this very
successfully using Dr. Solomons, though it did require a bit of knowledge
of DOS batch files, to create a satisfactory system. We have a number
of older computers that can not load a virus guard without becoming
uncomfortably slow. I have set these up to check themselves for any
changes in executable files about every 2 weeks. If a change is
detected I then run a full scan. This policy works because it is hard
for viruses to spread on a well managed network. Therefore viruses are
spotted long before they have time to spread. The worst that has
happened so far was finding a FORM virus on two machines. A little
more searching revealed it on just two floppies. I used Dr. Solomons
to remove it, a trivial task, and there have been no more problems since.

Hope this information is of some use to you. I would listen to
several people, before making a decision.

All the best

Richard.
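Richard's third option, a periodic check for changes in executable files with a full scan triggered only on a difference, in generic form. This is an added example, not Richard's batch files and not part of Dr. Solomons or any other product in the digest. It takes a baseline of digests for executables under a root, stores it as JSON, and on each run reports changed, added and removed files; the set of suffixes treated as executable is an assumption, and the directory tree, the appended 512 bytes standing in for a file infector and the new .COM are constructed for the demonstration. Two caveats the code cannot supply: the check is only trustworthy when run after a clean boot, since a stealth virus active in memory can present the original file contents to the checker, and the baseline belongs on media the machine under test cannot write to.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: the file types the scheduled check covers.
EXECUTABLE_SUFFIXES = {".exe", ".com", ".sys", ".dll", ".ovl", ".bat"}


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large executables need little memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Digest every executable under root, keyed by its path relative to root."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    }


def compare_with_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Report executables whose digest changed, that are new, or that disappeared."""
    current = build_baseline(root)
    common = baseline.keys() & current.keys()
    return {
        "changed": sorted(k for k in common if baseline[k] != current[k]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def needs_full_scan(report: dict[str, list[str]]) -> bool:
    """The post's policy: any difference at all triggers a full scan."""
    return any(report.values())


def save_baseline(baseline: dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict[str, str]:
    return json.loads(path.read_text())


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Baseline a constructed tree, re-check it clean, then after a simulated infection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "DOS").mkdir()
        (root / "DOS" / "COMMAND.COM").write_bytes(b"\xb8\x00\x4c\xcd\x21" * 20)  # constructed
        (root / "WP.EXE").write_bytes(b"MZ" + bytes(200))                          # constructed
        (root / "README.TXT").write_bytes(b"not an executable, not checked")

        # In practice keep this file on write-protected or network media.
        baseline_file = root / "BASELINE.JSON"
        save_baseline(build_baseline(root), baseline_file)
        baseline = load_baseline(baseline_file)

        clean_report = compare_with_baseline(root, baseline)

        # Simulate an appending file infector and a newly dropped executable
        with (root / "WP.EXE").open("ab") as f:
            f.write(b"\x90" * 512)
        (root / "NEW.COM").write_bytes(b"\xc3")

        infected_report = compare_with_baseline(root, baseline)
        return clean_report, infected_report


if __name__ == "__main__":
    clean, infected = demo()
    print("clean run needs full scan:", needs_full_scan(clean))
    print("after change:", infected, "->", needs_full_scan(infected))
```

Using a digest rather than size and date catches modifications that preserve both, which a file infector can do deliberately; the cost is reading every executable on each run, which is why the post's two-week interval, rather than every boot, is a reasonable trade on slow machines.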

------------------------------

Date: Mon, 15 Apr 1996 11:50:16 +0000 (GMT)
From: "W. W. Martin" <jack_martin@usa.pipeline.com>
Subject: Help uninstalling TBAV (PC)
X-Digest: Volume 9 : Issue 52

I installed a shareware  evaluation copy of Thunderbyte AntiVirus (rel 7.0)
on my PC/DOS 6.3 system and now want to remove it but am not having any
success in taking it off my system.  Any suggestions would be very welcome.

- - 

Jack Martin

------------------------------

Date: Tue, 16 Apr 1996 02:56:12 +0000 (GMT)
From: dkstewart <dkstewart@csra.net>
Subject: Re: Registered ThunderByte "expired" (PC)
X-Digest: Volume 9 : Issue 52

In article <0025.01I3D16BVIK2SH3CBI@csc.canterbury.ac.nz>,
blackbird@psu.edu says...

>I purchased TBAV about a year ago, from the BBS of a distributor in 
>Dagsboro, DE, after trying it as shareware.  I tried recently to log onto 
>the bbs to download an upgrade, but the # has been disconnected.
>
>Meanwhile, every time I log onto my computer I get a series of obnoxious 
>beeps and messages "warning" me that my "evaluation key date has 
>expired."
>
>Can anyone help me?  What would I need to do to get a legitimate upgrade 
>for TBAV?

Legitimate upgrades are available from:

The Public's Domain BBS
1-706-860-5070

This BBS is used as a distribution site for ThunderBYTE and is run by
Duncan Stewart - Authorized ThunderBYTE Agent.

Please feel free to call and download the updates as you require them.  
First time callers are allowed downloads of ThunderBYTE on the first call.
The Current release is version 7.00 for DOS and Windows 3.1x and 7.01 for 
WIN 95.

Bye
Duncan

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 52]
*****************************************


