Message-Id: <01I3O5HCRZF2SKU6UC@csc.canterbury.ac.nz>
Date: 	Thu, 18 Apr 1996 02:09:30 +1200 (NZT)
Reply-To: virus-l@Lehigh.EDU
Sender: owner-virus-l@Lehigh.EDU
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>
Subject: VIRUS-L Digest V9 #53
MIME-version: 1.0
Content-transfer-encoding: 7BIT
X-Sender: cctr132@cantva.canterbury.ac.nz
X-Listprocessor-Version: 7.2 -- ListProcessor by CREN

VIRUS-L Digest  Thursday, 18 Apr 1996    Volume 9 : Issue 53

Today's Topics:

Re: QUESTION: Email Viruses
Re: Macro viruses
Form virus ate my NT boot sector! (NT)
Re: Form virus ate my NT boot sector! (NT)
Re: MacroWord helper apps... (MAC,WIN)
hacking DELWIN.BOOT and DELWIN.17** (PC)
Re: ripper-virus, who can help (PC)
"Twitch" and "Flybynite" viruses (PC)
A possible virus! (PC)
Re: Good scanner with smallest TSR memory footprint (PC)
Re: Multiple boot sector infections (PC)
Re: ripper-virus, who can help (PC)
Re: AntiCMOS virus (PC)
Stoned.Spirit Virus: How do i remove it? (PC)
850MB HD now 333MB--virus? (PC)
Re: anticmos?? Help (PC)
Re: Good scanner with smallest TSR memory footprint (PC)
Program to backup mbr and boot sector (PC)
Re: Over 1644 Virus (PC)
Re: virus in macromedia plug-in (PC)
Bang virus? (PC)
Multiple ParityBootA (PC)
Re: virus or hardware problem? (PC)
Monkey virus (PC)
what is FORM virus???? (PC)
Stoned side effects? (PC)
Ebola virus!!! (PC)
Re: Help Possible Virus
Re: What AV software should I get? (PC)
Re: Need Help Removing Stealth_C Virus (PC)
Re: Over 1644 Virus (PC)
Re: Urkel virus (PC)
Re: Trabajo_hacer.b Virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Mon, 15 Apr 1996 13:41:26
From: Gerard Mannig <mannig@world-net.sct.fr>
Subject: Re: QUESTION: Email Viruses
X-Digest: Volume 9 : Issue 53

In article <0002.01I37W48WZM4SH3CBI@csc.canterbury.ac.nz> "Chengi J. Kuo"
<cjkuo@alumnae.caltech.edu> writes:

>Greg Rice <wyldryce@ix.netcom.com> writes:
>
>>I'm wondering, why isn't an email virus possible?  I read that no one
>>really needs to worry about loading an email message from a service
>>like AOL or Compuserve and receiving a virus on their home PC. 
>>Wouldn't it be possible to write code that is an attached .EXE file and
>>is called into downloading itself by the 'read mail' action of the
>>service provider?
>>
>>I realize that if there was such a code, it would be service provider
>>specific, but it seems plausible.

>It's a matter of semantics.  An email virus is not possible.  That's
>basically because there are just too many standards and packages
>handling email.
[../..]
>garbage in the middle of my message.  Is it a virus?"  And all those
>PGP blocks, UUENCODE blocks, base64.  To the average person, he's
>likely to misinterpret them if he sees the raw data.

...and NETSENDed files !!

Don't forget NETSEND allows any user to send via reader-off-line ( whatever
it is ) any binary file in such a way that the recipient needs *NO* utility/program to reverse-engineer the process

Jim TUCKER wrote this program by June 95 and, evidently, didn't figure out 
what 'dark' use his program could be victim of

Anyway, I have successfully used it for months and my users are very fond of it
given its 'poor' requirements

Regards,

- ----------------------------------------------------------------
Gerard MANNIG                                    Virus Consultant 
    Phone : +33 (16) 3559-9344     Fax     : +33 (16) 3560-5011               
Report a virus attack: http://www.primenet.com/~mwest/vir-vrf.htm
Member of   R . E . C . I . F 
data +33 1 3415-4959                Voice machine +33 1 3072-9443
=-=-=- I do NOT speak for RECIF unless otherwise specified -=-=-

------------------------------

Date: Tue, 16 Apr 1996 03:29:24 +0000 (GMT)
From: F/WIN Anti-Virus Support/Ordering <fwin_sup@ix.netcom.com>
Subject: Re: Macro viruses
X-Digest: Volume 9 : Issue 53

>The WinWord concept virus is very easy to get rid of.  Searching for a
>program that will do it for you is a hassle.  All you have to do is open a
>document that is believed to contain the concept virus.  Go to tools and
>macro, and remove any macros under the names AAAZAO, AAAZFS, AutoOpen,
>PayLoad, and FileSaveAs.  When this is done, click the "Organizer" button,
>and make sure that none of these macros are there.  If they are, there
<snip>

This is OK if only a few files are infected.  But if there are
hundreds, finding and using an AV product to do the job for you is a
much easier way to go.

Gary Martin   Computer Virus Solutions         
E-mail:       fwin_sup@ix.netcom.com
WWW:          http://www.entrepreneurs.net/fwin
Authorized Distributor of F/WIN Anti-Virus

------------------------------

Date: Mon, 15 Apr 1996 14:51:43 +0000 (GMT)
From: Brent Olson <night@halcyon.com>
Subject: Form virus ate my NT boot sector! (NT)
X-Digest: Volume 9 : Issue 53

I installed a new piece of hardware and needed to load drivers from a
floppy that had "been around the office" and inadvertently left the
floppy in the NT3.51 Server during the reboot...I got the lovely "non-
system disk" error, took the floppy out and rebooted.

NT does not boot.  It goes through the usual memory check etc, but
just when the boot screen is supposed to come up, it just sits there.
Scanning the floppy indicated it is infected with Form A virus, which
is a master-boot-record inflicting vermin.  The machine is set up with
only one 2 gig disk (SCSI) with no DOS lying about anywhere.  

If this were a DOS/Win95 box, I'd just boot with a clean boot floppy,
do a fdisk /mbr on drive C:, and I'd be done.  Drive C: is NTFS.

I thought that NT was impervious to these types of DOS viruses?

Any help is most appreciated.

Brent
night@halcyon.com

------------------------------

Date: Mon, 15 Apr 96 11:38:25
From: Tarkan Yetiser <tyetiser@yrkpa.kias.com>
Subject: Re: Form virus ate my NT boot sector! (NT)
X-Digest: Volume 9 : Issue 53

In article <4ktnea$1l6@news1.halcyon.com>, you say...

>Scanning the floppy indicated it is infected with Form A virus, which
>is a master-boot-record inflicting vermin.  The machine is set up with
>only one 2 gig disk (SCSI) with no DOS lying about anywhere.  
>
>If this were a DOS/Win95 box, I'd just boot with a clean boot floppy,
>do a fdisk /mbr on drive C:, and I'd be done.  Drive C: is NTFS.
>
>I thought that NT was impervious to these types of DOS viruses?

Most of your info is incorrect Brent. First, Form-A doesn't infect the
MBR, but rather the boot sector of the active partition. Second, FDISK
/MBR updates the code in the MBR, not the boot sector; so it wouldn't
remove this virus even under DOS. Third, NT is nowhere near being in
control when this virus is loaded off the diskette. The NT loader gets control
after the MBR loader and after the boot sector loader. And Form-A is now
the boot sector loader.

You need to find your original boot sector and write it back where it
belongs. The last sector of the partition will have your original boot
sector. So, find a clean bootable diskette (DOS is fine), and get a copy
of Norton DiskEdit or VITALFIX, read the last sector and look at it. As a
minimum, you should see a 55AA as the last two bytes. Now, save that to a
diskette. You just got your original boot sector. Now, read the boot
sector (logical sector 0, or usually head 1, trk 0, sec 1, which can be
ascertained by checking the partition table in the MBR), and save that as
the virus boot sector on the diskette. This is for examination. Now, write
the good boot sector to the logical sector 0 where the virus was. Remove
the disks, cross your fingers and reboot. If nothing unusual happened, you
will have your stuff back. Now check and see if the last two sectors of
the partition were being used. Usually, they aren't, so you should be
fine.

The only complication is NTFS. Form-A is probably confusing things.

Good luck. If you survive this, get into the system settings in CMOS and
change the boot sequence to C: and then A:. Of course, scan your diskettes
just to be sure.

Regards,
Tarkan Yetiser
VDS Advanced Research Group
http://home.prolog.net/~tyetiser

------------------------------

Date: Mon, 15 Apr 1996 20:25:05 +0000 (GMT)
From: "Derek V. Giroulle" <Dirk.Giroulle@ping.be>
Subject: Re: MacroWord helper apps... (MAC,WIN)
X-Digest: Volume 9 : Issue 53

Ben Danielson <bendan@asu.edu> wrote:

>I have noticed that there are a ton of WordMacro fixit programs out there.
>I have used Microsoft's, Mcafee's, and even edited the normal.dot to
>disable all automacros, to name a few .  I have noticed something that has
>not been discussed here recently. If you use a program that disables the
>automacros, you cannot use the wizards that are a part of the Word
>program. 

Give me any useful use for a wizard that cannot be done with a decent
program

> This may not matter to most users, but I happen to work at a
>university where people need Word's wizards for training purposes.  

Try changing universities... if you use WORD (which is a
WORDPROCESSOR) as a CBT programming and execution tool (what it was
not designed for) then that's your university's problem, isn't it?

Why can't you people check the market BEFORE you start a project and
check what is the most APPROPRIATE tool ?
If you want to drill a hole in a concrete wall what do you use
- screwdriver
- saw
- hammer
- sledgehammer
- a fish
- a loaf of bread
- an electric drill
If you have any doubt please consult your local DIY-shop...

>I know
>that this discussion is for virus related issues, but I would like to just
>remind AV developers that making a program virus proof and disabling an
>important part of the program is not a viable solution. 
>
>  Another tidbit, if you delete an infected normal.dot, Word will
>create a new one that is clean.  This will not help if you have infected
>.doc or .dot files, but if your scanner tells you the normal.dot is
>infected and nothing else, just delete the thing and any new documents you
>make will be clean.  Obviously this is not the best method of protection,
>but it does the trick if you need a simple solution.

But if it infected your wizards etc it's no use is it???

>Ben Danielson
>Information Technology
>Arizona State University West

Look I've been working for research centers all over the place and the
scientists all have that same disease :

They think that with the one tool they know they can do everything :
eg like the lotus wizards

they use 123 as their : spreadsheet, statprogram (and complain about
the lack of functionality), graphics program (and complain), database
(and complain about lack of data retrieval functions), wordprocessor
(and complain) and last but not least they complain it doesn't make
them coffee, doesn't keep their diaries, does sit on their lap and
they can't squeeze its butt ... 

repeat the picture for the wordperfect and word wizards

derek V. Giroulle
Dirk.Giroulle@ping.be
http://www.ping.be/~ping0010
Life is like a peepshow, through a little window you never get to see
what you went in for (based on fvu's definition of panning)

------------------------------

Date: Mon, 15 Apr 1996 14:57:38 +0000 (GMT)
From: Aquiles Luna-Rodriguez <pz4a004@rzaix03.uni-hamburg.de>
Subject: hacking DELWIN.BOOT and DELWIN.17** (PC)
X-Digest: Volume 9 : Issue 53

I got infected with the DELWIN.BOOT and DELWIN.17** (can't remember
the last two digits). McAfee 2.2.7 would get rid of the version
that infects .exe programs, but not the one in the Master Boot Record.
To get rid of it, I had to wipe the hard-disk clean and use FDISK to
recreate a MBR, then recover from a back-up.

After that, I made a copy of the MBR using st0.exe and rt0.exe,
written as freeware by Dave Bushong and stored in Simtel.

But surprise: in the copy of track 0 that st0.exe makes, I found
a copy of the DELWIN.17**, which apparently doesn't work when
stored in the MBR; at least it doesn't reach the RAM.

Though I can't write assembler, out of desperation I began to
hack the f***ing .17** version, and found out that: 

-It changes 7 bytes at the beginning of .exe files, apparently
 making a jump to the end of the original file, where the main
 part of the virus is stored.

-After the virus code, another jump is done using a copy of the 
 first lines of the original program.

-DELWIN is polymorphic, only the first dozen of instructions of
 the main chunk are always the same, except one. My hunch is that
 this piece of code is a kind of random-number generator, the 
 variable byte being the seed.  When running, the random numbers
 may be XORed with the rest of the code to restore the virus.

-the .17** version stored in the MBR doesn't seem to be encrypted,
 you can read "DELWIN" on it; does somebody know what it stands
 for? maybe DELete WINdows?

-The virus does not try to hide its size.

I suppose that as long as the virus doesn't reach the main
memory, there's no trouble with it; but: instead of being a bug,
this funny behavior of putting the false version in the MBR may
be a trap, because it remains undetected there. 

McAfee won't clean my copy of the MBR, but I could do it by hand
and put it back in the hard-disk. However, I know that toying
with the MBR is not for amateurs, and I don't want to destroy
my Linux partition after having so much trouble with the DOS one.

What do the experts recommend?

*********************************************************************
*  Aquiles Luna-Rodriguez         //I've found it! here's the bg!   *
*  Universitaet Hamburg, Germany  //Nobody expects...               *
*  pz4a004@rrz.uni-hamburg.de     //..the Spanish Inquisition!      *
*********************************************************************

------------------------------

Date: Mon, 15 Apr 1996 15:02:37 +0000 (GMT)
From: news@chaos.kulnet.kuleuven.ac.be
Subject: Re: ripper-virus, who can help (PC)
X-Digest: Volume 9 : Issue 53

In article <0010.01I3JH3PLOGSSKU6UC@csc.canterbury.ac.nz>, volker
Biedermann <100343.3164@compuserve.com> says:

>I have a problem with the *ripper-virus*. I found the virus with 
>scan/vshield-program from McAfee. I got these programs from the 
>SCNI22CE.ZIP file, which i found in my local BBS.
>
>My main problem is, how to TERMINATE the ripper-virus? Which 
>software or treatment do you suggest? Can you help me?

Boot from a CLEAN disk and use McAfee or something.......
(McAfee is also in my homepage under /software)


Stijn Buys aka Ingar, the Immortal Avatar 
____________________________________________________________________
E-Mail & finger: ingar@tristan.arts.kuleuven.ac.be
URL: http://tristan.arts.kuleuven.ac.be/~ingar

------------------------------

Date: Mon, 15 Apr 1996 15:52:07 +0000 (GMT)
From: "Keith D. Anthony - NAIC/TATA - 513-257-6351" <kda36@mailhubu.naic.wpafb.af.mil>
Subject: "Twitch" and "Flybynite" viruses (PC)
X-Digest: Volume 9 : Issue 53

Need information about these two viruses.  Can anyone help?

------------------------------

Date: Mon, 15 Apr 1996 15:58:35 +0000 (GMT)
From: D3lyr1uM? <kore8@usa.pipeline.com>
Subject: A possible virus! (PC)
X-Digest: Volume 9 : Issue 53

Often when playing games on my pc, I get the statement, system is
dangerously low on resources.  One day for no apparent reason the computer
shut off totally.  A black dos like screen came up and said Ok to shut off
computer.  Another problem is that my sound just dies some times.  I don't
know how the system could be low on resources when it's a P100 with 400
megs free, 16 megs of ram.  I look at the system monitor and it always says
92% free?  Any ideas would be appreciated to solve my dilemmas.  I have
scanned with nav and nothing comes up.  I also tried tba, McAfee. Please
help this is getting annoying 
- - 

							D3lyr1uM? 
-I don't hang out with a bunch of joy popping  
bubble gummers, my friends can take their highs- 

------------------------------

Date: Mon, 15 Apr 1996 18:48:37 -0700
From: Harald Horgen <73323.2516@compuserve.com>
Subject: Re: Good scanner with smallest TSR memory footprint (PC)
X-Digest: Volume 9 : Issue 53

Iolo Davidson wrote:

> In article <0038.01I3EEEWQ4GQSKU6UC@csc.canterbury.ac.nz>
>            chastaib@stifel.com "Chastain, Brian" writes:
> 
> > My main concern, however, is memory overhead.  The NAVTSR occupies 30K
> > of RAM.  I took a look at F-PROT, and their TSR occupies over 40K of RAM.
> >
> > Since we're a token-ring network, and token-ring drivers are
> > notoriously large, we can't afford to give up that much memory.
> >
> > My question (finally!) is, which scanning program is effective, yet has
> > the smallest TSR footprint?
> 
> That would be VirusGuard, from Dr. Solomon's Anti-Virus Toolkit.
> It has ballooned a bit since the days when I programmed it, but
> I believe it still fits in less than 10K.  It is probably also
> the most effective, but there are few independent tests of TSR
> scanners to be found.

I think Vi-Spy from RG Software can lay claim to being the best product 
in this area.  About a year ago the Virus Bulletin did a comparison of 
most products on the market, and Vi-Spy was the only one that uses the 
same front-end and TSR scanner.  The reason is that most programs have 
become memory hogs, and don't have room to maintain all the sig files.

I think Vi-Spy is the only product that is written in Assembler, so it 
has a real advantage in that its code is nice and efficient.

Harald Horgen

------------------------------

Date: Mon, 15 Apr 1996 18:53:24 -0700
From: Harald Horgen <73323.2516@compuserve.com>
Subject: Re: Multiple boot sector infections (PC)
X-Digest: Volume 9 : Issue 53

Pavel Machek wrote:

> Antonio Godinho (antonio@nambu.uem.mz) wrote:
> : I have had several problems of multiple boot sector infections on my
> : computers and have never managed to clean them. Does anyone know if
> : and how it can be done? From what I gathered the infections where of
> : the UNASHAMED and ANTIEXE.a viruses. I tried using Dr. Solomon's
> : toolkit 7.56, F-prot 222 and  Thunderbyte 6.38 but all these failed.
> : Since I did not have access to the Hard disks in any of the cases, I
> : had to fdisk and reformat the hard disks.

You should buy and install NoMore Viruses from RG Software.  It is 
designed specifically to prevent boot sector viruses.  According to 
recent review in Virus Bulletin, it is 100% effective, and it never needs 
to be updated.

A note of caution, though.  It does not check for file infectors, nor 
does it identify a virus, so you should use it with a regular, commercial 
scanner.  But if you want to have 100% protection against boot sector 
viruses, and never have to worry about upgrades, this is the product to 
buy.

------------------------------

Date: Mon, 15 Apr 1996 17:41:27 +0000 (GMT)
From: Don Doane <ddoane@win.bright.net>
Subject: Re: ripper-virus, who can help (PC)
X-Digest: Volume 9 : Issue 53

volker Biedermann <100343.3164@compuserve.com> wrote:

>I have a problem with the *ripper-virus*. I found the virus with 
>scan/vshield-program from McAfee. I got these programs from the 
>SCNI22CE.ZIP file, which i found in my local BBS.
>
>My main problem is, how to TERMINATE the ripper-virus? Which 
>software or treatment do you suggest? Can you help me?

I had the ripper virus on 3 (1.6 gig) hd's. Purchased McAfee Virus Scan 
and it worked on the C: drive only. After 15 hours, I was still getting a 
reading that Ripper was still there..disconnected all drives and ran 
syntax C:scan /clean/nomem on each drive separately using the one cable 
only. Finally cleaned it up. If you have only 1 drive, McAfee should do a 
fine job...Any questions, advise

Don

------------------------------

Date: Tue, 16 Apr 1996 11:43:45 -0700
From: Todd Tanber <todd@netval.com>
Subject: Re: AntiCMOS virus (PC)
X-Digest: Volume 9 : Issue 53

Glen Mann wrote:

> crash n' burn... (juhari@teleview.com.sg) wrote:
> 
> : Hi, i need help with my PC. I am currently using WIN95 and occasionally I
> : get a general protection fault failure and whatever that was running had
> : to be shut down. I used McAfee's Scan95 and it did not detect the
> : presence of any virus. A friend of mine used my PC and when he
> : transferred some files over to his PC (by diskette), he detected the
> : antiCMOS virus. He used another PC and it confirmed the presence of this
> : virus.
> 
> I think fdisk /mbr will rewrite the boot record to rid this.  Norton can
> rebuild the boot sector too, though I'm not sure about Win95.
> 
> : Does anyone have any solution to this problem? Also, how come my Scan95
> : did not detect the (abovementioned) virus?
> 
> Scan95 should've found it, I thought.

I recommend using a clean boot disk with the latest version of McAfee on
it. Boot and then scan your hdd with the command 'scan c: /clean' with c
being your hdd. Often when running an anti-virus checker on your
computer it doesn't scan a specific section of memory where the virus
tends to live. This may be why your anti-virus didn't see it. 
- - 
Todd Tanber
todd@netval.com
NetValue Sales Group
(805)374-6042

------------------------------

Date: Mon, 15 Apr 1996 14:42:35 -0500 (CDT)
From: "S.Sajjad Lateef" <U10891@uicvm.cc.uic.edu>
Subject: Stoned.Spirit Virus: How do i remove it? (PC)
X-Digest: Volume 9 : Issue 53

Many PCs in my lab seem to be infected with Stoned.Spirit and
I can't seem to be able to remove this.

   McAfee Scan 2.2.11 reports it infecting the MBR but cannot clean it
and says something like "no remover available".

   It does not appear to be harming anything but when I run FPROT on
floppies that have this virus, the disk appears to be unreadable.

   Patricia Hoffman's latest VSUM does not include this virus.

   How do I get rid of this virus?

( Side Track:
 Scan 2.2.11 totally messed up Normal.Dot when it was removing
the Word Concept Virus from it.)

   Please email me directly at sajjad@uic.edu or post to this newsgroup.

Thanks,
Sajjad
- -
S. Sajjad Lateef              Association for Computing Machinery at UIC
sajjad@uic.edu                         acm@eecs.uic.edu
http://www.eecs.uic.edu/~slateef       http://www.eecs.uic.edu/~acm

------------------------------

Date: Mon, 15 Apr 1996 16:07:30 -0500
From: bfd1225@vax1.mankato.msus.edu
Subject: 850MB HD now 333MB--virus? (PC)
X-Digest: Volume 9 : Issue 53

Hi, I recently lost my HDD and possibly Bios to my first encounter with
a virus.  I believe it's Monkey or some variation.  What happened is that
all my disk sectors went bad, when I boot it says "Bad disk or non-system
disk" even if there is not a disk in Drive A.  When I do boot with a clean
(?) disk, and go to C, there is only one file that reads 39482something
then 15-3-99 and some time stamp.  Also, the drive is 850MB in an IDE
486DX2/50, so it had to be specially partitioned (don't remember exactly
what was done, only because of the 540MB or so limit).  Now the drive
claims I only have 333MB total on the disk.  So, I have a couple questions:

1) Does anyone know what the virus is, if it's not Monkey or a variation I
have a bad feeling that it might have physically damaged the drive.

2) What is the best protection I can get? I have F-Prot, I bought a
program called PC-cillin, but it didn't detect anything (this was before
the big crash).

------------------------------

Date: Mon, 15 Apr 1996 23:36:02 -0500
From: Joe Webster <trustno1@fbi.gov>
Subject: Re: anticmos?? Help (PC)
X-Digest: Volume 9 : Issue 53

Chengi J. Kuo wrote:

> philski@spirit.com.au writes:
> 
> >help!!! I am running 486 dx4 120 award with 12 meg ram win 95. My problem
> >is that I get a "checksum error defaults loaded" and/or "cmos battery
> >failed" but it  is a brand new mo'board and I have replaced battery since
> >first occ!
> 
> "It is a brand new mo'board" which hasn't been tested enough.
> Chances are, the ports to your CMOS is bad or some of the data
> lines are crossed or grounded.  (Or maybe the wires from the
> battery have fallen off.)  Sadly, your most likely thing is
> that you need to replace the motherboard.
> 
> You don't have the AntiCMOS virus, not by your description.
> AntiCMOS does not do anything to CMOS.

I agree with Jimmy on your mo'board but you have two alternatives;

#1. Let the machine run at least 24-48 hrs. Sometimes new boards need 
their batteries charged.

#2. Replace the battery or add a battery pack [depending on the system 
board]. Even though your board is new, there is no telling how long your 
board has been sitting on the shelf or the battery supplier's shelf.

Good Luck!

RZ of EZ
E-Z Computers Ltd.

------------------------------

Date: Tue, 16 Apr 1996 00:00:41 -0500
From: "R. Zalk" <ez-zone@netmedia.net.il>
Subject: Re: Good scanner with smallest TSR memory footprint (PC)
X-Digest: Volume 9 : Issue 53

Chastain, Brian wrote:

> We're beginning to have some problems with viruses here, notably the
> FORM virus.  While this isn't a destructive virus, it is, nevertheless, a
> pain in the butt.  Anyway, my boss wants me to look into virus detection
> for our company.  Myself and several others in my department are using
> Norton's Anti-Virus, and it seems to be working nicely.
> 
> My main concern, however, is memory overhead.  The NAVTSR occupies 30K
> of RAM.  I took a look at F-PROT, and their TSR occupies over 40K of RAM.
> 
> Since we're a token-ring network, and token-ring drivers are
> notoriously large, we can't afford to give up that much memory.
> 
> My question (finally!) is, which scanning program is effective, yet has
> the smallest TSR footprint?

I'm a firm believer in  'there is no such thing as a free lunch' and 
also live 'dangerously' and don't run an AV as a TSR. I use at least 
3-5 AV programs and instruct clients to scan ANYTHING new coming in and 
even run a daily/weekly scan [yes, they're backed up!]. AV TSRs have 
been known to cause system problems, conflicts, and crashes. The above 
solution gives you more memory available and doesn't allow for the 'I 
have an AV TSR, what do I have to worry about' and then they get a 
virus.

Good Luck,

RZ of EZ
E-Z Computers Ltd.

------------------------------

Date: Mon, 15 Apr 1996 18:08:57 -0400
From: MIKE6099@aol.com
Subject: Program to backup mbr and boot sector (PC)
X-Digest: Volume 9 : Issue 53

Is there a (cheap) ;) program that backs up the mbr and bootable area of a
hard disk in case of a boot virus or corruption?  Or is there an option
like this in virusscan 95 or TBAV??

Mike6099@aol.com

------------------------------

Date: Mon, 15 Apr 1996 22:34:28 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Over 1644 Virus (PC)
X-Digest: Volume 9 : Issue 53

Jean-Paul BLANC <blanc@llaic.univ-bpclermont.fr> writes:

>Could someone give me some information
>about OVER1644 Virus ?

This was a false id from a version of Scan, circa Fall95.  Please update
your scanner.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Mon, 15 Apr 1996 22:35:33 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: virus in macromedia plug-in (PC)
X-Digest: Volume 9 : Issue 53

Parameshwar Babu <p.babu@giasmd01.vsnl.net.in> writes:

>I use Scan V.2.2.6 for dos, McAfee
>
>I downloaded macromedia plug-in for Netscape.
>I got the report like this in my machine:
>
>Scanning C: [DRIVE1VOL00]
>C:\NETSCAPE\PLUGINS\NP16DSW\MACROMIX.DLL
>       Found the SMEG virus or variant
>
>Is this really true? Why should Macromedia do such a thing!
>I invite comments from you all.

This is a false id from a version of Scan from summer of 95.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Mon, 15 Apr 1996 23:07:33 +0000 (GMT)
From: Scott Schiller x2554 <schiller@nicmad.nicolet.com>
Subject: Bang virus? (PC)
X-Digest: Volume 9 : Issue 53

My sister apparently has a virus by the name of "bang" on her computer. 
The way she describes it, her machine started acting strangely and she
couldn't load certain files, and she was experiencing memory problems.
She started investigating, and when she opened her win.ini file there was
a message that simply said, "Bang! by <somebody...Michelangelo?>"  She has
tried the newest versions of McAfee and Norton as well as an older version
of MS Virus but none of them can find and eradicate the virus.  Has anyone
heard of this virus and if it can be removed, what should she use?  Please 
respond only in e-mail as my usenet server doesn't carry the two
newsgroups in which I've posted.  Thanks!

- -scott

- - 
		Scott Schiller (schiller@nicolet.com)
		      Nicolet Biomedical, Inc.
		       Madison, Wisconsin USA

------------------------------

Date: Mon, 15 Apr 1996 23:47:22 +0000 (GMT)
From: Frank Zimmermann <101324.2242@compuserve.com>
Subject: Multiple ParityBootA (PC)
X-Digest: Volume 9 : Issue 53

I think, after (two times :-( ) installing a Corel Ventura 5.0 (CD-ROM) on
my hard disk, F-prot detected a multiple infection of the partition record.

It therefore couldn't erase the virus.

When I tried to boot up from a clean MS-DOS 6.22 (original) disk, always
the parityboot was in memory (how??).

Then I tried to boot up with a W95 start disk and the virus was at least
not detected in memory. So I started F-prot, but as I said, it couldn't
help.

Then I ran fdisk /mbr and f-prot never again detected a virus. 
Did I destroy the virus or what?

My hard disk: 2Mb OS/2 boot manager, 400Mb Dos/Pri, 400Mb W95/Pri

My CD-ROM still has some trouble with some disks after the infection; is
there a connection?

Thanks for every little clue,
Frank.
(Please answer via email too)
101324.2242@compuserve.com

PS: A friend reported that his McAfee reported recently a parityboot B on
his machine. Perhaps f-prot and McAfee see this differently and it's the
same virus.
- -
Frank Zimmermann (PGP key on demand) 
101324.2242@compuserve.com
FrankZi@aol.com

------------------------------

Date: Tue, 16 Apr 1996 00:13:09 -0500
From: "R. Zalk" <ez-zone@netmedia.net.il>
Subject: Re: virus or hardware problem? (PC)
X-Digest: Volume 9 : Issue 53

david.j.ahnen wrote:

> My sister was babysitting my brother's PC while he was out of the
> country when it started to behave badly. She referred the problem
> to me, but I'm not sure what I might be dealing with here.  Perhaps
> someone has some insight that they can lend.
> 
> The system is a 386 16 with 4 Meg of memory.  The behavior problems
> consist of the system locking up not long after a reboot.  The lock-up
> does not discriminate against any program that may be running at the
> time.  It locks up both in and out of windows - while a program is
> executing or while nothing is running (I come back to the keyboard
> after a while and hit CR only to get no response.)  I don't know if
> this is a hardware problem, or if the system somehow was infected with
> a virus.

#1. Try a few AV programs to see if there is a virus.

#2. I agree with the moderator that it sounds like a hardware problem.
To verify that:
	a. Get hold of a program like Checkit to analyze your hardware.
	b. Reformat everything and see if the problem repeats itself.
	c. Doing a & b together is HIGHLY recommended.

Good Luck,
RZ of EZ
E-Z Computers Ltd.

------------------------------

Date: Tue, 16 Apr 1996 00:53:00 +0000 (GMT)
From: rostislav lyudmirsky <hbcsc093@csun.edu>
Subject: Monkey virus (PC)
X-Digest: Volume 9 : Issue 53

Please help me: recently Intel's viruscan found a "Moneys" virus on my
PC. After reformatting the hard drive and installing Windows 95,
I still get a problem: General Protection Fault at random occurrences.
The system reports busy and the only way to bypass it is to reboot.

Could it be that the virus is still in the boot sectors (I reformatted the
HD from a clean system disk!)? If so, would a low-level format solve
the problem?

Could you please send me information on how to solve this problem;
also any information on that particular virus would be welcome.

Thank you all.

P.S. I do not have access to Usenet and am using my friend's account.
Please send your replies to: sdispun@jefco.com

------------------------------

Date: Tue, 16 Apr 1996 01:15:31 +0000 (GMT)
From: cin <cin@ix.netcom.com>
Subject: what is FORM virus???? (PC)
X-Digest: Volume 9 : Issue 53

   My virus checker said it cleaned up the Form virus about 6 months
ago. Now it showed up on a disk I brought in to work (how embarrassing).
What the heck does it do??? I haven't noticed any overt symptoms.

  cin@ix.netcom.com

------------------------------

Date: Tue, 16 Apr 1996 05:10:48 +0000 (GMT)
From: stevesny@ix.netcom.com
Subject: Stoned side effects? (PC)
X-Digest: Volume 9 : Issue 53

I got the STONED.STANDARD virus 2 weeks ago. I became suspicious when
an unusual crash occurred. F-Prot reported it, then removed it. Since
this time, my PC (486/66/500MB SCSI with 2 partitions) has encountered
numerous occasions of performing a reboot on exiting Windows to DOS.
However, there have been a number of other things added to my system
since that time.

F-Prot reports 2 MBRs and 3 DOS boot sectors. I do not recall what was
previously reported.

Does it seem as if any of this could have been from stoned? Are 2 MBRs
and 3 DOS boot sectors normal? Any other side effects of stoned I may
wish to look into?

Help greatly appreciated!

Thanks,

Steve

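How many "MBRs" and "DOS boot sectors" a scanner reports depends on the partition layout: every extended partition adds an extended boot record (EBR) that has the same layout as the MBR, and every volume carries its own boot sector. The Python script below is an added example, not part of this digest and not F-Prot's code. It walks a constructed in-memory disk image (sector contents, partition types and LBA numbers are invented for the demonstration) to list each table sector and volume boot sector, then hashes those sectors so that a baseline taken after a clean floppy boot can be compared against later reads.

```python
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446               # partition table starts at byte 446 of an MBR/EBR
ENTRY_SIZE = 16
EXTENDED_TYPES = {0x05, 0x0F}    # DOS extended, Windows 95 extended (LBA)


def _entry(boot, ptype, start_lba, sectors):
    """Build one 16-byte partition entry; CHS fields are left zero (LBA is used)."""
    return struct.pack("<B3sB3sII", boot, b"\0\0\0", ptype, b"\0\0\0", start_lba, sectors)


def _table_sector(entries, code=b""):
    """Build a 512-byte MBR/EBR: code area, up to four entries, 55 AA signature."""
    body = code.ljust(TABLE_OFFSET, b"\0")
    table = b"".join(entries).ljust(4 * ENTRY_SIZE, b"\0")
    return body + table + b"\x55\xaa"


def build_sample_disk():
    """Constructed in-memory disk (dict of LBA -> sector bytes): one primary
    volume plus two logical volumes inside an extended partition."""
    disk = {}
    disk[0] = _table_sector([
        _entry(0x80, 0x06, 63, 200000),          # primary FAT16, bootable
        _entry(0x00, 0x05, 200063, 800000),      # extended container
    ], code=b"constructed MBR code, not real boot code")
    # First EBR: logical volume, then a link to the next EBR (relative to extended base)
    disk[200063] = _table_sector([
        _entry(0x00, 0x06, 63, 300000),
        _entry(0x00, 0x05, 300063, 400000),
    ])
    # Second EBR: last logical volume, no further link
    disk[500126] = _table_sector([
        _entry(0x00, 0x06, 63, 399937),
    ])
    return disk


def read_sector(disk, lba):
    # On a real machine this would be a raw sector read; here it is a dict lookup
    return disk.get(lba, b"\0" * SECTOR_SIZE)


def _parse_entries(sector):
    out = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        boot, _, ptype, _, start, count = struct.unpack_from("<B3sB3sII", sector, off)
        out.append((boot, ptype, start, count))
    return out


def has_boot_signature(sector):
    return sector[510:512] == b"\x55\xaa"


def walk_partitions(disk):
    """Return (table_sectors, volume_boot_sectors): LBAs of every MBR/EBR and of
    every volume boot sector a boot-sector scanner would have to examine."""
    mbr = read_sector(disk, 0)
    if not has_boot_signature(mbr):
        raise ValueError("MBR lacks 55 AA signature")
    table_sectors, volumes = [0], []
    for _, ptype, start, _ in _parse_entries(mbr):
        if ptype == 0:
            continue
        if ptype not in EXTENDED_TYPES:
            volumes.append(start)
            continue
        # Walk the EBR chain; 'seen' stops a corrupt chain from looping forever
        ext_base, ebr_lba, seen = start, start, set()
        while ebr_lba not in seen:
            seen.add(ebr_lba)
            ebr = read_sector(disk, ebr_lba)
            if not has_boot_signature(ebr):
                break
            table_sectors.append(ebr_lba)
            logical, link = _parse_entries(ebr)[:2]
            if logical[1] != 0:
                volumes.append(ebr_lba + logical[2])     # relative to this EBR
            if link[1] not in EXTENDED_TYPES:
                break
            ebr_lba = ext_base + link[2]                # relative to extended base
    return table_sectors, volumes


def fingerprint(disk, lbas):
    """SHA-256 of each listed sector, for a known-good baseline taken offline."""
    return {lba: hashlib.sha256(read_sector(disk, lba)).hexdigest() for lba in lbas}


def changed_sectors(baseline, current):
    """LBAs whose hash differs from the baseline (e.g. after an MBR rewrite)."""
    return sorted(lba for lba, h in baseline.items() if current.get(lba) != h)


if __name__ == "__main__":
    d = build_sample_disk()
    tables, vols = walk_partitions(d)
    print("table sectors (MBR + EBRs):", tables)
    print("volume boot sectors:", vols)
```

For the constructed layout the walker reports three table sectors (the MBR and two EBRs) and three volume boot sectors, which is the kind of count a scanner summarises as "MBRs" and "DOS boot sectors". A changed hash at LBA 0 is expected after a deliberate `fdisk /mbr` just as much as after a boot-sector infection, so the baseline has to be re-taken after any intentional change.
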
------------------------------

Date: Tue, 16 Apr 1996 06:42:04 +0000 (GMT)
From: Rein Ketelaars <R.Ketelaars@student.KUN.NL>
Subject: Ebola virus!!! (PC)
X-Digest: Volume 9 : Issue 53

Can somebody please tell me something about the EBOLA virus?

Somebody told me it should exist and be activated on the 16th of April
at 08.00 (am). It should destroy the FAT table and the processor (?)

Is this reality or just a hoax???? Please let me know more..

Please do reply to my e-mail and not to this newsgroup!!!
<R.Ketelaars@student.kun.nl>

Many thanks, Rein Ketelaars

------------------------------

Date: Tue, 16 Apr 1996 01:27:46 +0000 (GMT)
From: Lawrence Young <lyoung@cris.com>
Subject: Re: Help Possible Virus
X-Digest: Volume 9 : Issue 53

Wayne Riddle <riddler@agate.net> wrote:

>Syahrul Sazli Shaharir <ssazli@hrsb563.resnet.upenn.edu> wrote:
>
>>After I run certain programs, everything crashes one by one.. (popup
>>message appears: "[program name] encounters an error (or sthing like
>>that), the application will be closed"), and after a few more clicks the
>>Explorer fails (with the same popup message) and then Win 95 crashes. If
>>this is a virus problem, what apps can be used to kill it? Thanks.
>
>Many fine anti-virus programs are available on the internet. A page
>with links to many of them can be found at www.nha.com. Download one
>and scan your computer. Please note, scanning is best performed after
>booting cold from a clean floppy.
>
>You might also want to look at the FAQ for this newsgroup.

It seems like you encountered a hardware or software crash rather
than a virus. Viruses are subtle enough that you usually don't know they
exist, especially in the Windows environment. If a virus crashed the system
as you described, it would never get a chance to spread widely
because it would be caught at a very early stage.

Routinely checking your disk with ScanDisk will help you identify most
hardware/software problems.

Lawrence Young

------------------------------

Date: Mon, 15 Apr 1996 22:12:00 -0500 (EST)
From: keith@command-bbs.com
Subject: Re: What AV software should I get? (PC)
X-Digest: Volume 9 : Issue 53

>What AV program should I get to clean this virus off? Where can I get
>this program? And can someone please explain how a virus can stay on a
>computer after multiple HD reformats?

There are many good antivirus scanners available. One would be AntiViral
Toolkit Pro. You can get an evaluation copy from our Web, FTP, CompuServe
and heck, even off our BBS. See the signature below for directions.

Also, check out Dr. Solomon's and F-Prot; they are very reliable too.

Keith
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Central Command Inc.               USA  Distributor  for
P.O. Box 856                       AntiViral Toolkit Pro
Bruswick, Ohio 44212               
Internet: info@command-hq.com      Compuserve:102404,3654
FTP: ftp.command-hq.com /pub/command/avp     :GO AVPRO
WWW: http://www.command-hq.com/command
Phone: 330-273-2820  Fax: 330-220-4129  BBS: 330-220-4036
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: Mon, 15 Apr 1996 23:05:00 -0500 (EST)
From: keith@command-bbs.com
Subject: Re: Need Help Removing Stealth_C Virus (PC)
X-Digest: Volume 9 : Issue 53

>A soon to be ex-student has been downloading infected "porno" pictures off
>the net and contracted this virus. It has spread through the school.
>Fortunately, McAfee Scan was able to clean the virus from all but one
>machine...my favorite Windows NT 3.51 workstation. According to Scan 95,
>the boot record cannot be cleaned and I must report to McAfee for removal
>instructions. Do I need to wipe out the hard disk and "volunteer" the
>student to re-install NT(on 3 1/2s!)? Any information would be great!

Well, you might still want to tar and feather that student, but he did not
download Stealth.C. It travels via diskettes only. It lives in the boot
sectors and only infects the MBR and the boot sectors of floppies. Actually we
call it Havoc.Amse.

No need to wipe the drive... Get an NT virus cleaner. A good bet would be
Dr. Solomon's or F-Prot Professional (Command Software or Data Fellows)
until the AVP for NT comes out.

Keith
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Central Command Inc.               USA  Distributor  for
P.O. Box 856                       AntiViral Toolkit Pro
Bruswick, Ohio 44212               
Internet: info@command-hq.com      Compuserve:102404,3654
FTP: ftp.command-hq.com /pub/command/avp     :GO AVPRO
WWW: http://www.command-hq.com/command
Phone: 330-273-2820  Fax: 330-220-4129  BBS: 330-220-4036
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: Mon, 15 Apr 1996 22:40:00 -0500 (EST)
From: keith@command-bbs.com
Subject: Re: Over 1644 Virus (PC)
X-Digest: Volume 9 : Issue 53

>Could someone give me some information
>about OVER1644 Virus ?

This is a McAfee name, right? AVP calls this virus Bat2Exec.1644

 Bat2Exec

It is a dangerous, non-memory-resident, overwriting virus. It searches for
.COM and .EXE files and overwrites them. The virus code is in EXE format,
but the virus source code is a BAT file with commands such as:

 FOR %%i IN (*.com) DO copy %0 %%i > nul
 FOR %%i IN (*.exe) DO copy %0 %%i > nul

That source BAT file was converted to an EXE file with the BAT2EXEC utility,
and then packed with the PRO-PACK compression utility.

The virus (EXE file) contains the internal text strings (after unpacking):

 Compiled by BAT2EXEC 1.5
 PC Magazine   Douglas Boling
 DUMMY   FCB     DUMMY   FCB
 COMSPEC
 nul *.com /C COPY %0 %
 nul *.exe /C COPY %0 %

Hope this helps!

Keith
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Central Command Inc.               USA  Distributor  for
P.O. Box 856                       AntiViral Toolkit Pro
Bruswick, Ohio 44212               
Internet: info@command-hq.com      Compuserve:102404,3654
FTP: ftp.command-hq.com /pub/command/avp     :GO AVPRO
WWW: http://www.command-hq.com/command
Phone: 330-273-2820  Fax: 330-220-4129  BBS: 330-220-4036
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

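Because the virus described above is a plain overwriter (`copy %0 %%i`), every infected .COM and .EXE file ends up as a byte-for-byte copy of the same body, which gives a scanner-independent check: group executables by content hash and flag any set of supposedly different programs that are identical. The Python below is an added example, not code from this digest, from AVP or from Central Command. It builds a constructed sample directory (file names and contents are invented, not real binaries) and uses the BAT2EXEC text quoted in the post only as a secondary indicator, since the post says that string is visible only after unpacking.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

EXEC_SUFFIXES = (".com", ".exe")
# Text the post says appears inside the unpacked virus body; a packed sample
# will not expose it, so it is only a secondary indicator.
BAT2EXEC_MARKER = b"Compiled by BAT2EXEC"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_identical_executables(root, min_group=2):
    """Group .COM/.EXE files under root by content hash and return only the
    groups of byte-identical files. Distinct programs should never share a
    hash; an overwriter that copies itself over its victims makes them do so."""
    groups = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXEC_SUFFIXES):
                path = os.path.join(dirpath, name)
                groups[sha256_file(path)].append(path)
    return {h: sorted(paths) for h, paths in groups.items() if len(paths) >= min_group}


def has_bat2exec_marker(path):
    with open(path, "rb") as f:
        return BAT2EXEC_MARKER in f.read()


def build_sample_tree():
    """Constructed directory tree (not real binaries): three executables that
    were replaced by the same body, two untouched ones, and a text file that
    happens to contain the same bytes but is not an executable."""
    root = tempfile.mkdtemp(prefix="overwrite-demo-")
    os.makedirs(os.path.join(root, "UTIL"))
    body = b"MZ" + b"\0" * 30 + b"Compiled by BAT2EXEC 1.5 (constructed sample)\r\n"
    for rel in ("EDIT.COM", "GAME.EXE", os.path.join("UTIL", "ZIP.EXE")):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(body)
    with open(os.path.join(root, "WP.EXE"), "wb") as f:
        f.write(b"MZ" + b"constructed program A" * 4)
    with open(os.path.join(root, "CALC.COM"), "wb") as f:
        f.write(b"constructed program B")
    with open(os.path.join(root, "README.TXT"), "wb") as f:
        f.write(body)      # same bytes, but ignored because it is not .COM/.EXE
    return root


def report(root):
    """Return a list of (hash, paths, marker_seen) for each suspicious group."""
    out = []
    for h, paths in find_identical_executables(root).items():
        out.append((h, paths, all(has_bat2exec_marker(p) for p in paths)))
    return out


if __name__ == "__main__":
    root = build_sample_tree()
    for h, paths, marker in report(root):
        print(f"{len(paths)} identical executables (sha256 {h[:12]}..., marker={marker}):")
        for p in paths:
            print("   ", os.path.relpath(p, root))
```

On the constructed tree the report contains one group of three files. The grouping is what does the work; the marker check only confirms that the shared body looks like the one the post describes, and an absent marker (a still-packed body, or a different overwriter) should not clear a group of identical executables.
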
------------------------------

Date: Mon, 15 Apr 1996 22:25:00 -0500 (EST)
From: keith@command-bbs.com
Subject: Re: Urkel virus (PC)
X-Digest: Volume 9 : Issue 53

>Okay, so I didn't rush to the library to find out this virus. Please have
>pity as I have an essay to write soon.
>
>I'm wondering if the Urkel virus is *really* dangerous. I'm also wondering
>what's the best way to clean it out.

 Urkel

It's a non-dangerous, memory-resident, encrypted stealth boot virus.
It hooks INT 13h and writes itself into the MBR of the hard drive and the boot
sectors of floppy disks. It displays the string:

 Urkel

Keith
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Central Command Inc.               USA  Distributor  for
P.O. Box 856                       AntiViral Toolkit Pro
Bruswick, Ohio 44212               
Internet: info@command-hq.com      Compuserve:102404,3654
FTP: ftp.command-hq.com /pub/command/avp     :GO AVPRO
WWW: http://www.command-hq.com/command
Phone: 330-273-2820  Fax: 330-220-4129  BBS: 330-220-4036
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: Mon, 15 Apr 1996 22:52:00 -0500 (EST)
From: keith@command-bbs.com
Subject: Re: Trabajo_hacer.b Virus (PC)
X-Digest: Volume 9 : Issue 53

>Our network is showing occasional infections of
>"trabajo_hacer.b (MBSR virus) which is the name given by
>Norman Data Defense Systems v.3.50 (espejo by F-PROT).
				     ^^^^^^
				    McAfee name?

We have found that McAfee uses this name. I was unable to determine the
exact virus you have since my cross references came up with 3 possible
viruses.

 ACV.1342
 Algerian.1400
 15years.a

Keith
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Central Command Inc.               USA  Distributor  for
P.O. Box 856                       AntiViral Toolkit Pro
Bruswick, Ohio 44212               
Internet: info@command-hq.com      Compuserve:102404,3654
FTP: ftp.command-hq.com /pub/command/avp     :GO AVPRO
WWW: http://www.command-hq.com/command
Phone: 330-273-2820  Fax: 330-220-4129  BBS: 330-220-4036
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 53]
*****************************************