Message-Id: <01I3SAM0H7VISKVG0S@csc.canterbury.ac.nz>
Date: 	Sun, 21 Apr 1996 01:24:14 +1200 (NZT)
Reply-To: virus-l@Lehigh.EDU
Sender: owner-virus-l@Lehigh.EDU
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>
Subject: VIRUS-L Digest V9 #54
MIME-version: 1.0
Content-transfer-encoding: 7BIT
X-Sender: cctr132@cantva.canterbury.ac.nz
X-To: virus-l@LeHigh.EDU
X-Listprocessor-Version: 7.2 -- ListProcessor by CREN

VIRUS-L Digest    Sunday, 21 Apr 1996    Volume 9 : Issue 54

Today's Topics:

Re: HUGE files! What is going on?
Re: Virus Writing? Why Do People Still Do it.
Re: Virus Writing? Why Do People Still Do it.
Re: Policies & Procedures
Re: Need a way to automatically update Virus Checkers.
ViruSafe-WEB by Eliashim
Re: What REALLY matters in Commercial Anti-Virus Software
Re: Need a way to automatically update Virus Checkers.
Re: Help Possible Virus
Re: Detecting Trojans
Re: Virus Writing? Why Do People Still Do it.
Re: Virus Writing? Why Do People Still Do it.
Re: Virus Writing? Why Do People Still Do it.
SHZ virus ??
New AV Info & Progs Page
MimeSweeper
Re: EliaShin (sp?) antivirus software
LANDesk Virus Protect for WindowsNT 2.0 BETA (NT)
Re: Form virus ate my NT boot sector! (NT)
Re: Calling All Experts? Help! (WIN95)
re:Brand New Win95 User w/ "Form" Virus -- Help!! (WIN95)
Re: McAfee 2.0 for Win95 "feature" (WIN95)
Re: Drive Space 3 Problems (WIN95)
Re: Brand New Win95 User w/ "Form" Virus -- Help!! (WIN95)
Re: Norton Anti-virus or McAfee (WIN95)
Lost PC-cillin 95 serial #--How to install?? (WIN95)
Re: McAfee 2.0 for Win95 "feature" (WIN95)
Re: Possilbe new virus? (WIN95)
Re: Norton Anti-virus or McAfee (WIN95)
Windows font changes--virus? (WIN)
Autoscan new files in dir? (WIN)
Re: Anti exe virus (PC)
bye virus (PC)
MSAV (PC)
Help! Is this a virus??? (PC)
Brain2 Virus on web page ?!?! (PC)
Antiexe and strange behavior of VSHIELD (PC)
Re: CONCEPT/Wordperfect macro:really no cure? (PC)
Re: 636k total base memory...virus? (PC)
What does the TAI-PAN (TAIPAN) virus do? (PC)
Tbav for dos differs from tbw95 (PC)
Re: Monkey and partitioned drives (PC)
Re: virus or hardware problem? (PC)
Re: Monkey virus (PC)
Re: "Eat at grandma's grave" message--virus?? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Tue, 16 Apr 1996 07:18:33 +0000 (GMT)
From: Pavel Machek <machek@atrey.karlin.mff.cuni.cz>
Subject: Re: HUGE files! What is going on?
X-Digest: Volume 9 : Issue 54

thompson@achilles.net wrote:
: I know this has been discussed before, but I have these huge (1.2 gig)
: files of ascii appearing on my computer.
: 
: Is this the action of a virus?

  And you have less than a 300M hard drive, do you? (Well, I saw a 400MB
file on a 1.44MB floppy.) This happens frequently under MS-DOS and can
happen if the computer crashes. Just run chkdsk on it. And forget about a
virus.

- -
This looks like my signature...                                   Pavel Machek
If you want more info about me, http://novell.karlin.mff.cuni.cz/~pmac5296.

------------------------------

Date: Tue, 16 Apr 1996 09:27:21 +0000 (GMT)
From: Bruce Burrell <bpb@stimpy.us.itd.umich.edu>
Subject: Re: Virus Writing? Why Do People Still Do it.
X-Digest: Volume 9 : Issue 54

Pmaynard@apci.net wrote:

> In <0013.01I3BNBEFQEYSH3CBI@csc.canterbury.ac.nz>, Alex Ross
> <alexross@alex01.idiscover.co.uk> writes:
> 
> >My question is, who writes these and where do they come from?
> >Could replies be submitted to the newsgroup. 
> 
> It's a challenge to make something that sneaks around on one's system.
> There are a surprising number of viruses written that never get spread. 
> Only the sources are passed around so others can see the techniques.

   Unless "others" happen to be a trusted set of colleagues, that's no
guarantee that the virus "never gets spread"; to wit, see the
disassemblies of several well-respected virus researchers that fell into
disreputable hands and are now available on the vx side.  One can easily
compile and release a virus distributed in source form; in fact, one would
hope that anyone with the technical expertise to be able to understand a
source code listing would be able to convert it into binary form. 

> You should be asking why do people intentionally distribute harmful viruses.
> There are also many viruses that don't do anything except funny stuff like 
> display a bouncing ball on the side of the screen or something.

   Your proposed question is reasonable, but doesn't cover the whole 
field.  The key words are "intentionally" and "harmful".  It doesn't 
matter whether the virus is harmful on purpose or not; see e.g., Flip 
after the advent of DOS 4.0.  Also, I have yet to see a compelling 
argument that there exists or indeed can exist a virus that is not in 
some way harmful; should such a beast be possible, one must still show 
that its function is not better served by non-replicating code.

   -BPB

------------------------------

Date: Tue, 16 Apr 1996 10:38:17 +0000 (GMT)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: Virus Writing? Why Do People Still Do it.
X-Digest: Volume 9 : Issue 54

Pmaynard@apci.net wrote:

: You should be asking why do people intentionally distribute harmful viruses.
: There are also many viruses that don't do anything except funny stuff like 
: display a bouncing ball on the side of the screen or something.

You imply that there are harmless viruses. Not so. Any virus which spreads
to systems where it doesn't belong is capable of doing damage. Direct 
attacks on disks and data are only one part of the picture.

* They take up diskspace, memory, and CPU cycles
* They frequently cause unintended damage
* Dealing with them costs (a lot of) time and money
* They can be very frightening to people who have no previous experience
  of them.
* Innocent people lose work-time, their reputations, and sometimes their
  jobs through unwittingly receiving or passing on viruses.

Why do people spread viruses? From close reading of postings to
alt.comp.virus etc., because:

* they don't understand or prefer not to think about the consequences 
  for other people
* they simply don't care
* they don't consider it to be their problem if someone else is 
  inconvenienced
* they draw a false distinction between creating/publishing viruses
  and distributing them
* they consider it to be the responsibility of someone else to protect
  systems from their creations
* they get a buzz, acknowledged or otherwise, from vandalism
* they consider they're fighting authority
* they like 'matching wits' with antivirus vendors
* it's a way of getting attention, getting recognition from their peers and
  their names (or at least that of their virus) in the papers and the
  Wild List
* they're keeping the antivirus vendors in a job

How seriously you take some of these assertions is up to you...

David Harley
Support & Security Analyst
Imperial Cancer Research Fund

------------------------------

Date: Tue, 16 Apr 1996 09:53:03 +0000 (GMT)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: Policies & Procedures
X-Digest: Volume 9 : Issue 54

Richard M. Entrup (riche@pipeline.com) wrote:

: Does anyone have any documentation that covers Virus Protection Policies
: and Procedures in a Corporate Environment? Any help is appreciated. 
: 
: Please email responses to squilliv@itg.viacom.com or I will forward for
: you. 

The NCSA have a Corporate Virus Prevention Policy disk/document which
can be ordered via their web page (www.ncsa.com) for around $20, or
downloaded from Compuserve.

In the UK, the British Standards Institution have a Code of Practice for
Information Security Management which includes virus-management (BS7799).

	BSI
	389 Chiswick High Road
	London W4 4AL

	DTI (Dept. of Trade & Industry)
	IT Security Policy Unit
	151 Buckingham Palace Road
	London SW1W 9SS

The last time I looked at the S&S International web page (www.drsolomon.com)
they had a paper on Guidelines for an Anti-Virus Policy by David Emm which
is a reasonable starting point, though a comprehensive virus management
policy is no small undertaking.

David Harley
Support & Security Analyst
Imperial Cancer Research Fund

------------------------------

Date: Tue, 16 Apr 1996 13:56:41 +0000 (GMT)
From: Richard Evans <evansr@europa.lif.icnet.uk>
Subject: Re: Need a way to automatically update Virus Checkers.
X-Digest: Volume 9 : Issue 54

Ken Griffin (kgriffin@busweb.com) wrote:

: Can anyone help with automation?

It would help if you gave more details here.
I assume that you are talking about updating workstations on a
network.

If this is the case, many anti-virus systems include a method
that allows updated files to be copied from a directory
on the file server when a user logs in.

For example, we are using Dr. Solomon's Anti-Virus Toolkit, and we
run a batch file on each workstation to load up the network
drivers and log in.
I simply had to add a line to this batch file on each workstation.
In our case the line was

C:\TOOLKIT\TKUTIL UPDATE Z:\PUBLIC\TOOLKIT C:\TOOLKIT

This compares the C:\TOOLKIT directory of the workstation with
the Z:\PUBLIC\TOOLKIT directory on the server, and copies any
files that have been updated.

If you include more details about your setup, and the type of
antivirus software you are using, perhaps somebody can be of more help.

Hope this info is of some use.

Richard.

------------------------------

Date: Tue, 16 Apr 1996 11:31:57 -0700
From: Khufu <ronv@sonic.net>
Subject: ViruSafe-WEB by Eliashim
X-Digest: Volume 9 : Issue 54

This virus program for Netscape and other WWW browsers can be found at 
<http://www.eliashim.com/index.html>.  Check it out, it is for Internet 
browsers and downloads.

------------------------------

Date: Tue, 16 Apr 1996 18:06:34 +0000 (GMT)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: Re: What REALLY matters in Commercial Anti-Virus Software
X-Digest: Volume 9 : Issue 54

In article <0003.01I3LPCY7RXOSKU6UC@csc.canterbury.ac.nz>
	   74777.171@compuserve.com "Enrico DePaolis" writes:

> Doug Muth wrote:
>
>> I'm not familiar with this product, but if it is an activity
>> blocker, it would most definitely need updates for any new
>> viruses that come out that could circumvent its protection.
>
> We haven't seen one yet that could.

How about the Word macro viruses, like Concept?  Did you need to 
update any part of your system when these appeared?  Did it 
handle them without updating?  Does it handle them now?

- -
CUTIE INVITED                   OF WHISKERS
	     VARSITY HOP                   PARTY A FLOP
			GUY FULL                       Burma-Shave

------------------------------

Date: Tue, 16 Apr 1996 19:19:07 +0000 (GMT)
From: Ken Stieers <kstieers@ontrack.com>
Subject: Re: Need a way to automatically update Virus Checkers.
X-Digest: Volume 9 : Issue 54

What do you want to happen automatically?  Copy the new files in?? Reload
the software?  You could set up something in a login script that copies
the files to the workstation.  Doing a test on the dates is trivial as
well.  Software distribution packages are also available for spreading
software around.  McAfee includes SiteExpress in site licenses of
Netshield, if that's what you are looking for. 

- - 
Views expressed herein are not necessarily the views 
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               |  Minneapolis - 1.800.872.2599       * 
* AV Research/Apps. Eng.    |  Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  |  Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     |  London - 0800 24 39 96             *
* Eden Prairie, MN          |  Japan - 81.429.32-6365             *
*******************************************************************
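
The login-time update described in the two replies above (Richard Evans's TKUTIL line and Ken Stieers's login-script suggestion), written out as an added example; it is not part of either post and does not reproduce how TKUTIL or SiteExpress work. The function names, file names and directory layout are hypothetical, and the sample files are constructed in temporary directories.

```python
import os
import shutil
import tempfile
from pathlib import Path


def needs_update(src: Path, dst: Path) -> bool:
    """True when the workstation copy is missing, older, or a different size."""
    if not dst.exists():
        return True
    s, d = src.stat(), dst.stat()
    # Two seconds of slack: FAT volumes store modification times at 2 s
    # resolution, so an exact comparison would re-copy unchanged files.
    # A size mismatch also triggers a copy because the server directory
    # is treated as the authoritative source.
    return s.st_mtime - d.st_mtime > 2 or s.st_size != d.st_size


def update_from_server(server_dir, local_dir):
    """Copy new or updated files from server_dir to local_dir.

    Returns the names of the files that were copied, in sorted order.
    """
    server, local = Path(server_dir), Path(local_dir)
    local.mkdir(parents=True, exist_ok=True)
    copied = []
    for src in sorted(server.iterdir()):
        if not src.is_file():
            continue
        dst = local / src.name
        if not needs_update(src, dst):
            continue
        # Copy to a temporary name and rename into place, so a login that is
        # interrupted mid-copy never leaves a half-written definitions file
        # where the scanner expects a complete one.
        tmp = local / (src.name + ".tmp")
        shutil.copy2(src, tmp)  # copy2 keeps the server's modification time
        os.replace(tmp, dst)
        copied.append(src.name)
    return copied


def demo():
    """Constructed sample: one stale definitions file, one file already current."""
    with tempfile.TemporaryDirectory() as root:
        server = Path(root, "server", "TOOLKIT")
        local = Path(root, "workstation", "TOOLKIT")
        server.mkdir(parents=True)
        local.mkdir(parents=True)
        old, new = 1_000_000_000, 1_000_100_000  # constructed timestamps
        for folder, name, data, mtime in [
            (server, "ENGINE.BIN", b"engine v1", old),
            (local, "ENGINE.BIN", b"engine v1", old),
            (server, "DEFS.DAT", b"definitions, April", new),
            (local, "DEFS.DAT", b"definitions, March", old),
        ]:
            path = folder / name
            path.write_bytes(data)
            os.utime(path, (mtime, mtime))
        first = update_from_server(server, local)   # copies the stale file
        second = update_from_server(server, local)  # nothing left to do
        return first, second, (local / "DEFS.DAT").read_bytes()


if __name__ == "__main__":
    print(demo())
```

Run from the login script after the network drive is mapped, with the server share as the first argument and the workstation directory as the second.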

------------------------------

Date: Tue, 16 Apr 1996 22:05:29 +0000 (GMT)
From: Wayne Riddle <riddler@agate.net>
Subject: Re: Help Possible Virus
X-Digest: Volume 9 : Issue 54

Syahrul Sazli Shaharir <ssazli@hrsb563.resnet.upenn.edu> wrote:

>After I run certain programs, everything crashes one by one.. (popup
>message appears: "[program name] encounters an error (or sthing like
>that), the application will be closed"), and after a few more clicks the
>Explorer fails (with the same popup message) and then Win 95 crashes. If
>this is a virus problem, what apps can be used to kill it? Thanks.

You should first get a good virus program to see if it is even a virus
problem. It could be a software/hardware problem (that would be my
guess).

Wayne Riddle
riddler@agate.net
http://www.agate.net/~riddler

------------------------------

Date: Tue, 16 Apr 1996 18:41:43 -0400
From: Doug Muth <dmuth@oasis.ot.com>
Subject: Re: Detecting Trojans
X-Digest: Volume 9 : Issue 54

In article <0003.01I3JH3PLOGSSKU6UC@csc.canterbury.ac.nz>, Devin
Knight writes:

: In post #48 someone was asking about the best way to detect trojans. I
: have found the program Red Alert to be my best friend in that regards. It
: will safely read the code of any program and tell you what it will do
: without executing the program. It will scan your whole drive and look for
: ansi bombs, any mention of virus in the program code or delete code in a
: program and warn you. It also looks for format commands hidden in the
: code.  You can find it from several of AV boards on the Web. Red Alert
: should be run along with a good virus scanner as it is a supplement to
: scanners not a replacement. 

	Heuristics do many of the things that you mentioned.  And, unless 
Red Alert has been updated, the newest version is from sometime in 92 or 93.  
There is also the fact that just looking for certain sequences of 
instructions is nullified by a simple encryption program, such as Cryptcom.

	Regards,

- -
- -<Doug Muth>---<dmuth@ot.com>--| Finger dmuth@oasis.ot.com for| "Est
- --<http://www.ot.com/~dmuth>---| PGP public key and geek code | Sularus
Anti-virus software and utils:  | The Transformers fanfiction: | oth
~dmuth/virus/virus.html         | ~dmuth/tf/tf.html            | Mithas!"
-=-=-=-=-=-"Linux - The choice of a GNU generation"-=-=-=-=-=- |

------------------------------

Date: Tue, 16 Apr 1996 18:29:09 -0400
From: Doug Muth <dmuth@oasis.ot.com>
Subject: Re: Virus Writing? Why Do People Still Do it.
X-Digest: Volume 9 : Issue 54

In article <0001.01I3JH3PLOGSSKU6UC@csc.canterbury.ac.nz>, John
Elsbury writes:

: >My question is, who writes these 
: >and where do they come from?
: 
: under stones

	You obviously have made the generalization that all virus writers 
are malicious and spread their viruses.  I have read many virus "zines" 
and have noticed that this is not always the case.  Some virus writers 
only do their thing to see how good they are compared to the latest 
scanners, kinda like an ego boost.  Another thing to consider is that the 
authors do not necessarily distribute them.  Once they publish them in 
the zines, the responsibility lies on whoever reads them and compiles the 
code.

	Regards,

- -
- -<Doug Muth>---<dmuth@ot.com>--| Finger dmuth@oasis.ot.com for| "Est
- --<http://www.ot.com/~dmuth>---| PGP public key and geek code | Sularus
Anti-virus software and utils:  | The Transformers fanfiction: | oth
~dmuth/virus/virus.html         | ~dmuth/tf/tf.html            | Mithas!"
-=-=-=-=-=-"Linux - The choice of a GNU generation"-=-=-=-=-=- |

------------------------------

Date: Wed, 17 Apr 1996 02:31:38 +0000 (GMT)
From: JFK <tearsx@execpc.com>
Subject: Re: Virus Writing? Why Do People Still Do it.
X-Digest: Volume 9 : Issue 54

Alex Ross <alexross@alex01.idiscover.co.uk> writes:

>My question is, who writes these and where do they come from?
>Could replies be submitted to the newsgroup. 

well i probably don't speak 4 all virus writers,<i may not even be a 
true virus writer> but making a virus with an assembler not vcl and 
having it show up in california <i am in wisconsin> before i do would 
give me a great feeling. i don't write virii to damage , just to travel 
and sorta say I WAS THERE!

tearsx@execpc.com

p.s. if u r an f.b.i. agent or some other type of cop reading this then 
i want you to know that i just wrote this to sound cool,i don't even 
know what an assembler is :->

------------------------------

Date: Wed, 17 Apr 1996 01:27:13 -0400 (EDT)
From: Tarkan Yetiser <tyetiser@yrkpa.kias.com>
Subject: Re: Virus Writing? Why Do People Still Do it.
X-Digest: Volume 9 : Issue 54

In article <0006.01I3LPCY7RXOSKU6UC@csc.canterbury.ac.nz>,
Pmaynard@apci.net says...

>It's a challenge to make something that sneaks around on one's system.
>There are a surprising number of viruses written that never get spread.
>Only the sources are passed around so others can see the techniques.

There are many other challenges that may be more fruitful :-) IMHO,
there are deeper reasons for writing viruses...

>You should be asking why do people intentionally distribute harmful
>viruses.  There are also many viruses that don't do anything except funny
>stuff like display a bouncing ball on the side of the screen or something.

There's nothing funny about turning many of somebody's programs into ball
bouncers without his/her permission. Although the number of viruses in the
wild are nowhere close to the number of those in collections, there are
enough to cause nuisance and disrupt work.

Intentional distribution of anything harmful is irresponsible at least,
and criminal in some places. The fallacy of many of those who believe
"information wants to be free" is that somehow they can pass on the
responsibility to the other guy. After all, they are only providing
information. This is based on the incorrect assumption that the
recipients are capable of handling such a responsibility. It's tricky to
handle viruses, and plain vicious to give them to those who may not even
be able to tell if they have a virus on their system. There are some very
bright individuals who suffer from this faulty line of reasoning. A pity.

Regards,
Tarkan Yetiser
VDS ARG

------------------------------

Date: Wed, 17 Apr 1996 08:06:52 +0000 (GMT)
From: Renne A Tergujeff <tergujef@cc.Helsinki.FI>
Subject: SHZ virus ??
X-Digest: Volume 9 : Issue 54

What kind of virus is the SHZ virus? Is it dangerous?
It was found on my machine by McAfee's 2.2.9 (on Win95).
However, I can't find any info on a virus of that name. So what is it?

Thanks,
Renne

------------------------------

Date: Wed, 17 Apr 1996 12:43:56 +0200 (METDST)
From: mbrunner@ix.urz.uni-heidelberg.de (Matthias Brunner)
Subject: New AV Info & Progs Page
X-Digest: Volume 9 : Issue 54

I'd like to announce Digedag's Web Page 

   <http://www.rzuser.uni-heidelberg.de/~mbrunner>

with a very big list of links to computer virus info, researchers & 
AV prog companies.

There you can also find a lot concerning PGP, Cryptography & Privacy 
and other (hopefully) interesting stuff. - Yes, the items should be 
better organized and described, which should be done soon.

Please take the chance to visit that page and send any comments, 
suggestions & worthwhile additions to the address included.

Best greetings
		Matthias

------------------------------

Date: Wed, 17 Apr 1996 13:08:43 -0700
From: Patrick Macnamara <pmc.emi@ix.netcom.com>
Subject: MimeSweeper
X-Digest: Volume 9 : Issue 54

Looking for anyone who has used this product.  I heard that earlier 
versions had problems with re-packing internet messages after scanning.  
Considering its outrageous pricing I wouldn't mind hearing from anyone 
who has used this either successfully or unsuccessfully.

-Patrick

------------------------------

Date: Wed, 17 Apr 1996 21:44:06 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: EliaShin (sp?) antivirus software
X-Digest: Volume 9 : Issue 54

Frank Christensen <frankc@aquila.com> writes:

>Hello!  A friend at a nearby university learned they are going to be 
>installing an antivirus program that neither he nor I had heard about:
>
>"....they are installing an antivirus called "EliaShin" in
>our PC labs - the main file itself is called "ViruSafe" - however,
>unlike Symantec's Norton Antivirus and McAfee's VirusScan and the
>Finnish Datafellow's F-PROTECT, and IBM's IBM Antivirus, and/or the
>British "Dr.Solomon" - I can find out NOTHING about this product,
>other than it comes from Israel!"

That would be Eliashim, a company based in Israel.  They are members
of NCSA so you may be able to contact NCSA for an opinion.  (try
www.ncsa.com)

>Does anyone have any firsthand knowledge about this product, and possible 
>site of reviews/evaluations?

Jimmy
cjkuo@mcafee.com  (Of course, we recommend that you just buy ours.  :-)  )

------------------------------

Date: Tue, 16 Apr 1996 21:42:45 -0600
From: "Robert D. Cranston" <Robertx_Cranston@ccm.ut.intel.com>
Subject: LANDesk Virus Protect for WindowsNT 2.0 BETA (NT)
X-Digest: Volume 9 : Issue 54

To all admins,

Intel is getting ready to ship LANDesk Virus Protect 2.0 BETA.  This
is a whole new version, unlike the web releases that can be found on
Intel's Homepage.  Included in the package is Real-Time Scanning along
with many other features.  If you'd like to take part in this Beta you
can go to Intel's Beta page at:

http://www.intel.com:80/comm-net/sns/showcase/netmanag/ld_virus/beta/NTbeta.htm

On the page there is a .pdf file which can be downloaded.  If you do
not have the Adobe Acrobat reader, that too can be downloaded.  Then fax
in the information and you're ready to go.  Look forward to hearing from
you.  If you have any questions about the 2.0 Beta please contact us at: 

ldvp_ut@ccm.ut.intel.com

Thanks for your time.

Robert Cranston
- - 
__________________________________________
Robert D. Cranston
Software Test Engineer - Intel Corp.
email:  RobertX_Cranston@ccm.ut.intel.com
Student - Brigham Young University
email:  Robert_Cranston@byu.edu
homepage:  http://students.cs.byu.edu/~douglas
__________________________________________

------------------------------

Date: Wed, 17 Apr 1996 20:42:06 +0000 (GMT)
From: Lawrence Young <lyoung@cris.com>
Subject: Re: Form virus ate my NT boot sector! (NT)
X-Digest: Volume 9 : Issue 54

Brent Olson <night@halcyon.com> wrote:

>I installed a new piece of hardware and needed to load drivers from a
>floppy that had "been around the office" and inadvertently left the
>floppy in the NT3.51 Server during the reboot...I got the lovely "non-
>system disk" error, took the floppy out and rebooted.
>
>NT does not boot.  It goes through the usual memory check etc, but
>just when the boot screen is supposed to come up, it just sits there.
>Scanning the floppy indicated it is infected with Form A virus, which
>is a master-boot-record inflicting vermin.  The machine is set up with
>only 1 2 gig disk (SCSI) with no DOS lying about anywhere.  

Did you try the NT emergency repair disk? When you install NT server,
it will generate such a diskette for you. Whenever you find
your server in trouble, boot your server from this diskette. It can
repair most damage to the system but I don't know whether it's effective
for removing a virus.

Lawrence Young

------------------------------

Date: Tue, 16 Apr 1996 07:34:30 +0000 (GMT)
From: Pavel Machek <machek@atrey.karlin.mff.cuni.cz>
Subject: Re: Calling All Experts? Help! (WIN95)
X-Digest: Volume 9 : Issue 54

  Bypass (by pressing F5) config.sys / autoexec.bat and delete that file 
from plain DOS. If it does not help, kill the file using Disk Editor.

: Also, just recently I noticed that all .exe 
: files I download off the Internet are corrupt. So, I had the line 
: checked, bought a new modem, and checked with my ISP, but still I have 
: this problem.

Do you use binary mode when transferring files?

- -
This looks like my signature...                                   Pavel Machek
If you want more info about me, http://novell.karlin.mff.cuni.cz/~pmac5296.

------------------------------

Date: Tue, 16 Apr 1996 11:50:05 +0100
From: "David W. Hanson" <hansond@afrc.garmisch.army.mil>
Subject: re:Brand New Win95 User w/ "Form" Virus -- Help!! (WIN95)
X-Digest: Volume 9 : Issue 54

From: "Eric M. North" <enorth@culaw.com>

>After 10+ years without a virus I've been hit w/ one after loading a
>program on a brand new Win95 machine.  I just got the machine
>yesterday and am still learning Win95.  The first program I attempted
>to load was a "Perfect Office" I bought at a liquidation auction.  The
>setup disk worked fine, but Windows said it couldn't read the "Program
>Disk # 1" disk and said a virus might have infected the system.  I ran
>both the setup disk and the first program disk through NAV and McAfee
>running on another machine, and both detected the "Forms" virus.  Both
>say they can disinfect.
>
>Several questions result, and I'd really appreciate any info I can get
>quickly -- hopefully over the weekend.  I've got a guy scheduled to
>come in Monday morning to help me network the office, and this PC is
>the one I'll be managing the network from.

That's the problem with digests, no real-time help.  But I do see the 
need for moderation, so I'll shut up...

>First, how do I get this thing off the system?  I've read a couple of
>posts, including Dr. Solomon's, saying to pull a program from his web
>site; boot my system w/ a clean disk; and run the disinfect program. 
>I want to be sure I've got the facts right.  Am I to pull the program
>and put it on the "clean disk" and use it to disinfect the new machine
>(will it fit on a floppy?) or am I to download the program onto the
>infected machine; boot w/ a clean disk; and disinfect?  Question might
>sound foolish to some of you who know, but I need to get this right
>quickly.

You download the AV software on a known clean machine and set it up 
on a known clean diskette.  Then you take a known clean system 
diskette and cold boot (power off - power on) the suspect machine 
from the known clean system diskette.  Then you scan the suspect 
machine with the AV software.

>Second, since the machine is new I haven't yet made (yeah, I know this
>is stupid) a clean boot disk.  Can I create a basic boot disk from
>another machine running DOS and Win3.11 and use it to boot up the
>Win95 machine?  Is there anything special I need to do to the boot
>disk?

Yes, I believe you can do this, at least for the scanning portion of 
things.

>Third, is "Form" a virus which can be removed w/o damage to the
>system?  Or should I be reinstalling Windows95? 

I think you would need a Win95 aware cleaner.  At this point, it may 
be best to remove the virus using whatever (I like F-prot), and then 
if Win95 doesn't come up after, re-install it.

>Fourth and finally, if "Form" can be safely removed, then can I safely
>remove it from all of the Perfect Office disks and then go ahead (some
>people never learn) and use those disks to install Perfect Office?

Yes, you may -after- you have verified that the diskettes have truly 
been cleaned.

If you scan the hard drive and it comes up clean, then 
congratulations, you found the virus before it infected your hard 
drive and you can be reasonably certain that the infection is limited 
to the Perfect Office diskettes.  If the hard drive comes up 
infected, then you need to take a good look at -all- of your 
diskettes.

Extra Info:

The Form infection process works something like this.  A diskette 
comes to you that is infected.  You use the diskette, no infection 
occurs, it stays on the diskette.  One day, you accidentally leave the 
diskette in the drive and reboot.  The system attempts to boot from 
diskette.  At that point, the virus infects your hard drive.

From that point on, just about any diskette you use on that system 
will become infected.

So, first of all, set any computer that you can to -not- boot from 
the diskette drive.  That will eliminate the possibility of the hard 
drive getting infected by Form (or any other BSI for that matter).

Next, scan -every- diskette that might have come in contact with an 
infected machine, and clean if necessary.  If you miss just one 
diskette and you don't/can't set up your systems to not boot from 
floppy, then you -will- get reinfected eventually.

I also like to try to figure out where the infection originally came 
from, usually a bit of detective work, not always possible.

David Hanson
Armed Forces Recreation Center Europe
Garmisch-Partenkirchen Germany
hansond@afrc.garmisch.army.mil

------------------------------

Date: Tue, 16 Apr 1996 17:58:17 +0000 (GMT)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: Re: McAfee 2.0 for Win95 "feature" (WIN95)
X-Digest: Volume 9 : Issue 54

In article <0007.01I3LPCY7RXOSKU6UC@csc.canterbury.ac.nz>
	   kberkey@visus.jnj.com "Kendall Trent Berkey" writes:

> Many anti virus tsr programs check the a: drive on reboot.
> F-Prot's virstop.exe and Norton Antivirus ALWAYS check the floppies
> upon rebooting. 

Well no, not ALWAYS.  They can only check on a warm reboot, the 
Ctrl-Alt-Del reboot.  A reset or power-off reboot cannot be 
intercepted by a TSR.  Dr. Solomon's VirusGuard does this too, 
incidentally, but it is something of a party trick.

> they call it an a drive warm boot check.

"Warm" being the operative word.

TSRs are still good protection against booting with an infected 
disk accidentally left in the drive, though, because the boot 
sector is also inspected on first access to a floppy.  The only 
way to bypass that check is to put a disk in the drive and not 
access it, which is not a likely real world scenario.

- -
CUTIE INVITED                   OF WHISKERS
	     VARSITY HOP                   PARTY A FLOP
			GUY FULL                       Burma-Shave

------------------------------

Date: Tue, 16 Apr 1996 19:24:49 +0000 (GMT)
From: Ken Stieers <kstieers@ontrack.com>
Subject: Re: Drive Space 3 Problems (WIN95)
X-Digest: Volume 9 : Issue 54

I'd bet my eyeteeth that this isn't viral.  If the data that's in the 
DriveSpace 3 volume isn't critical, I'd wipe the drive completely and
start over.  I also wouldn't use DriveSpace in the future, disk space is
too cheap to go through the hell you are going through now.  If the data
is critical you may have to look at data recovery.  Once a DriveSpace file
is corrupted, it can be extremely difficult (maybe impossible) to get the
data out without special tools.  We (Ontrack) can do it, and I assume a
few other DR firms can as well. 

Best of luck 

Ken 

- - 
Views expressed herein are not necessarily the views 
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               |  Minneapolis - 1.800.872.2599       * 
* AV Research/Apps. Eng.    |  Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  |  Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     |  London - 0800 24 39 96             *
* Eden Prairie, MN          |  Japan - 81.429.32-6365             *
*******************************************************************

------------------------------

Date: Tue, 16 Apr 1996 22:13:28 +0000 (GMT)
From: Shane Coursen <scoursen@symantec.com>
Subject: Re: Brand New Win95 User w/ "Form" Virus -- Help!! (WIN95)
X-Digest: Volume 9 : Issue 54

In article <0010.01I3LPCY7RXOSKU6UC@csc.canterbury.ac.nz>, 
enorth@culaw.com says...

>After 10+ years without a virus I've been hit w/ one after loading
>a program on a brand new Win95 machine.  I just got the machine
>yesterday and am still learning Win95.  The first program I
>attempted to load was a "Perfect Office" I bought at a liquidation
>auction.  The setup disk worked fine, but Windows said it couldn't
>read the "Program Disk # 1" disk and said a virus might have infected
>the system.  I ran both the setup disk and the first program disk
>through NAV and McAfee running on another machine, and both detected
>the "Forms" virus.  Both say they can disinfect.

They certainly can.  Form is a very well known virus -- one which has
been found in the wild for many years.  There should be no problems
cleaning Form from your system.

>First, how do I get this thing off the system?

You're in luck.  Form does not infect files; only the boot sectors of
hard drives and diskettes.  This fact simplifies things greatly.

The most important part of this whole process is that you are able to
boot from a known clean write-protected diskette.

This could be an original DOS diskette, a rescue diskette, a Win95
startup diskette, etc. The important part is that it is a known clean
diskette.

Once you have completed the previous step, you have a few choices.
Unfortunately, you did not really mention if you were running Win95,
so I will not try to explain all of your options.

The end result of any of the options is, either from diskette, or the
installed copy on the hard drive, run your scanner.

(PLEASE NOTE: Since you have booted clean AND since the Form virus
does not infect files, in this case, you are allowed to run the
scanner from the infected hard drive.  In other cases, this shortcut
method may not work.)

The scanner will report Form, and you will then be able to clean the
infected drive.

>I've read a couple of posts, including Dr. Solomon's, saying to
>pull a program from his web site; boot my system w/ a clean disk;
>and run the disinfect program.  I want to be sure I've got the
>facts right.  Am I to pull the program and put it on the "clean
>disk" and use it to disinfect the new machine (will it fit on a
>floppy?) or am I to download the program onto the infected machine;
>boot w/ a clean disk; and disinfect? Question might sound foolish to
>some of you who know, but I need to get this right quickly.

Dr. Alan Solomon helps to produce another AV scanner product that
is available at the Solomon WWW site.  While it is not absolutely
necessary to download that product to clean the Form virus, it may
be worth your while to download it anyway.  I for one am a strong
proponent of utilizing multiple scanners.  

As for the second half of your question:  In this particular case,
running the scanner from a diskette or the hard drive will work. The
important part (again) is booting clean.

>Second, since the machine is new I haven't yet made (yeah, I know
>this is stupid) a clean boot disk.  Can I create a basic boot disk
>from another machine running DOS and Win3.11 and use it to boot up
>the Win95 machine?  Is there anything special I need to do to the
>boot disk?

Uh-oh.  The answer is probably yes.  HOWEVER...

Does the infected machine have disk drivers/compression/encryption or
another piece of software (required for normal boot up) installed on
it? If so, you will probably have to transfer that software to the boot
diskette.

ALSO: Is the infected machine's hard drive partitioned with multiple
filesystems?  A "Yes" answer here would make things very complex, at
which point I would strongly recommend allowing somebody who is *very*
familiar with the structure of the disk to perform the repair.

>Third, is "Form" a virus which can be removed w/o damage to the
>system?

Absolutely.  Remember to boot clean first.

>Or should I be reinstalling Windows95?

This option can usually be avoided.

>Fourth and finally, if "Form" can be safely removed, then can I
>safely remove it from all of the Perfect Office disks and then
>go ahead (some people never learn) and use those disks to install
>Perfect Office?

More than likely, the answer is yes.  In some cases, manufacturers
place their software on specially formatted diskettes.  From this
message, it is impossible for me to tell you whether the Perfect
Office diskettes are "normal" or if they use the "special"
format.

Hope this information helps!

- --
Shane Coursen                                        Symantec Corporation
Computer Virus Researcher                http://www.symantec.com/avcenter
AntiVirus Research Center                                 CIS:  GO SYMWIN
scoursen@symantec.com                                           GO SYMNEW
      US Support:  541-465-8420                            AOL:  SYMANTEC
European Support:  31-71-353-111       Australian Support:  61-2-879-6577

------------------------------

Date: Tue, 16 Apr 1996 22:57:46 +0000 (GMT)
From: Don Doane <ddoane@win.bright.net>
Subject: Re: Norton Anti-virus or McAfee (WIN95)
X-Digest: Volume 9 : Issue 54

Sachi Noma <snoma@aloha.net> wrote:

>which is better under win95:norton anti virus or McAfee?

For my money and experience, McAfee is best with Virus Scan plus they have 
a toll free number. If you do get Virus Scan, Comp USA has it on sale here 
in Minnesota for $34.99. I used VS to get rid of Ripper which worked 
successfully. The VS pkg also contains emergency disk and 311 disk as 
well. Couldn't ask for anything better plus their bbs is excellent for 
upgrades....

Just my 2cents

DED

------------------------------

Date: Wed, 17 Apr 1996 03:55:37 +0000 (GMT)
From: "Alan Richard Taylor Jr." <alan.taylor@mail.utexas.edu>
Subject: Lost PC-cillin 95 serial #--How to install?? (WIN95)
X-Digest: Volume 9 : Issue 54

I lost my registration card, and you need the serial number
to install this program.  Anyone have any ideas?

------------------------------

Date: Tue, 16 Apr 1996 20:21:13 -0500
From: Nils Decker <dnils@okstate.edu>
Subject: Re: McAfee 2.0 for Win95 "feature" (WIN95)
X-Digest: Volume 9 : Issue 54

On 9 Apr 1996, MKW94 wrote:

> In article <0012.01I30DCRYH72S5UZJP@csc.canterbury.ac.nz>, Zack Jones
> <zack@hom.net> writes:
> 
> >The only odd behavior I've observed and I don't know if this is caused
> >by McAfee or something else, but every time I shut down the computer it
> >tries to read the A Drive for a few seconds before I get the "It's
> >safe to turn off your computer screen".
> 
> It must be McAfee because mine does the same thing.
 
I don't run win95, but I could imagine, that McAfee is checking for
disks in A: and is giving a warning if there is one. ( Maybe it warns
only if it detects a virus on the disk ? )

Nils Decker ( dnils@okstate.edu )

------------------------------

Date: Wed, 17 Apr 1996 16:28:37 -0700
From: Lonnie Howell <lhowell@bright.net>
Subject: Re: Possilbe new virus? (WIN95)
X-Digest: Volume 9 : Issue 54

Fridrik Skulason wrote:

> In <0018.01I3EEEWQ4GQSKU6UC@csc.canterbury.ac.nz> Lonnie Howell
> <lhowell@bright.net> writes:
> 
> >I know of one virus (older) that repeats a message over and over to the
> >pc's speaker, its called Hitler,
> 
> I know of one virus called Hitler by its author, however, that name was
> rejected and the official CARO name for that one is Dreamer.4808.
> 
> I wonder if that is the same virus.....

Possible, the virus I'm talking about is HUGE due to the .voc data 
attached (someone yelling hitler!)
Sound like the same one?

 -Lonnie-

------------------------------

Date: Wed, 17 Apr 1996 21:56:40 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Norton Anti-virus or McAfee (WIN95)
X-Digest: Volume 9 : Issue 54

Sachi Noma <snoma@aloha.net> writes:

>which is better under win95:norton anti virus or McAfee?

Getting away from detection level debates, where each of us will
argue that we're better than the other, probably the most obvious
difference between the two products is that Norton's Win95 NAV's
interface is derived from Win3.  Whereas McAfee's Scan95 was 
written specifically for Win95 to fit into the Win95 paradigm
where a right-click gives you the ability to scan.

Our basic argument is that you can't *find* any viruses if you
don't use the product.  So, it's important to fit the product to
what the user is familiar with, so he'll use it more often.

And of course, you can just download Scan95 and try it out.  You
can decide where you put your money after a first hand trial.
(http://www.mcafee.com)

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Wed, 17 Apr 1996 11:24:07 +0200
From: PARODI <staff.ssc@galactica.it>
Subject: Windows font changes--virus? (WIN)
X-Digest: Volume 9 : Issue 54

After a few minutes of working in ms-windows, something strange 
happens to the system fonts: they become spotted.

I use the latest version of McAfee antivirus but I get nothing.

Is it due to a virus or bad configuration of my system ?

I invite comments from you all.

Thanks

------------------------------

Date: Wed, 17 Apr 1996 09:00:34 -0500 (CDT)
From: John Meyer <ccjohn@showme.missouri.edu>
Subject: Autoscan new files in dir? (WIN)
X-Digest: Volume 9 : Issue 54

Are there any anti virus packages (commercial, shareware, freeware) that 
can be configured to autoscan new files placed in a directory?  I've got 
a user who would like every file he downloads off the net to be 
automatically scanned for infection, as soon as it arrives in his d/l 
directory.  He's running Win 3.1, with no plans to move to Win95.

Thanks in advance, JOHN 

------------------------------

Date: Tue, 16 Apr 1996 09:17:10 +0000 (GMT)
From: Bruce Burrell <bpb@stimpy.us.itd.umich.edu>
Subject: Re: Anti exe virus (PC)
X-Digest: Volume 9 : Issue 54

Artemis (naheyart@vela.acs.oakland.edu) wrote:

> I was reading through the virus descriptions provided by F-Prot, and it
> said that any *.exe file of some certain size can suddenly
> disappear...                 

   It doesn't disappear; it fails to load and execute properly.  There is 
no damage to the file on disk.

   -BPB

------------------------------

Date: Tue, 16 Apr 1996 12:08:00 -0700
From: sandro arnetoli <toarneto@hesp.it>
Subject: bye virus (PC)
X-Digest: Volume 9 : Issue 54

I tried to install a copy of the WISP program (for WIN 3.1) from a new set of 
diskettes.

When the install program used the third diskette, I received an error message, 
error reading sector (or something else).  I tried to copy the diskette 
to the HD but with the same result.

I sent the diskettes back to the manufacturer and he replied that the BYE virus is 
inside the diskette.

The computer where I tried to install the WISP program has been used for 
20 days w/o problems.

Can someone confirm that this problem can be caused by the BYE virus and 
suggest how I can resolve it?

Thanks
S.ARNETOLI

------------------------------

Date: Tue, 16 Apr 1996 06:23:00 -0400
From: Bill lambdin <vfreak@skn.net>
Subject: MSAV (PC)
X-Digest: Volume 9 : Issue 54

GenMelchit <genmelchit@aol.com> wrote

>I was just thinking the same thing, Glenn.  My MS Anti-virus is about two
>years old (!), and I'm wondering if it's the right thing to use for
>detection. 
>
>Anybody have an opinion on MS Anti-virus performance?  Something better?

I have an opinion for MSAV. "DON'T USE IT".

	Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net                     PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                          C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Tue, 16 Apr 1996 15:48:42 +0000 (GMT)
From: xtreme@nucleus.com
Subject: Help! Is this a virus??? (PC)
X-Digest: Volume 9 : Issue 54

I don't really know how to explain what happens in technical terms, so
here it goes.

Sometimes especially when running Nortons Optimize my machine (an IBM clone
486-DX2 50) starts to whine, it almost sounds like the harddrive speeds up
for a moment and does a file transfer and then the harddrive makes a
clonking noise.  When looking at the files accessed in optimize they are
always "Fat Directories"

I have used a purchased version of McAfee vers.2.2.5. as well as the newest
version of DRSolomon (downloaded) and the newest version of Thunderbyte
(downloaded). They all come up with nothing.

I have tried to use NU wipe and government wipe as well as format and it
is still occurring. So far it seems to have only affected graphic files
especially large ones created in Corel Draw 3.

Any information or help is greatly appreciated. As mentioned before, I am
not well versed in computer tech talk.

Thank You again,

Sincerely.

Jake Roland

------------------------------

Date: Tue, 16 Apr 1996 20:48:04 +0000 (GMT)
From: Chris <cfh@galstar.com>
Subject: Brain2 Virus on web page ?!?! (PC)
X-Digest: Volume 9 : Issue 54

- Someone went to one of my web pages, and said that his McAfee(?)
program told him that it found a "Brain2" virus... What the heck is that,
and why would it be on my Web page, and how do I get rid of it? -- Thanks

   -------------------
Christopher & Kristina Hebertson
email:cfh@galstar.com
home page:http://www.galstar.com/~cfh/
"The way your heart beats makes all
difference in Learning to Live."
- Dream Theater

------------------------------

Date: Tue, 16 Apr 1996 21:33:41 +0000 (GMT)
From: Roland Ortloff <roland@studbox.uni-stuttgart.de>
Subject: Antiexe and strange behavior of VSHIELD (PC)
X-Digest: Volume 9 : Issue 54

you really seem to know what you're talking about,
so here's my question:

1) Three days ago I put a friend's disk in my drive. Vshield
said immediately that antiexe would be on the disk. I tried to
clean with vshield and not the 'divide by zero' error happens,
as mentioned already. However, I didn't boot from that disk,
could there still be some files affected?
What exactly is Antiexe doing?

2) Several days now I used Vshield (VS95I20e.zip). Sometimes
there happened a critical error with the file mcutil.vbx from Vshield.
It happened when I opened the DosEdit in a dosbox and tried to save
a file from there. The same mistake always happens with
VS95I2AE.zip.

Does anyone know this problem, or did a virus change there something?

Please answer as follow-up, thanx for your help.

Ciao Roland :)

   http://www.informatik.uni-stuttgart.de/fachschaft/adressen/ortlofrd.html
				     /;^;\        I'm definitly not tolerant,
roland@studbox.uni-stuttgart.de     ( o o )     but sometimes it's just enough
- -------------------------------oOOO--(_)--OOOo-------------------------------

------------------------------

Date: Tue, 16 Apr 1996 22:08:11 +0000 (GMT)
From: trowe@uhclem.cdr.wisc.edu
Subject: Re: CONCEPT/Wordperfect macro:really no cure? (PC)
X-Digest: Volume 9 : Issue 54

This is actually about the subject line.
Has the virus *really* been converted to WordPerfect also?
Or are people just typing the wrong application?

Tom Rowe
UW-Madison

------------------------------

Date: Sun, 14 Apr 1996 22:57:16 -0700
From: Liquid Man <aren6840@uriacc.uri.edu>
Subject: Re: 636k total base memory...virus? (PC)
X-Digest: Volume 9 : Issue 54

What the fuck are you all talking about???  It ain't no virus,
it is just QEMM !!!  The little thing that gives you more memory,
remember?  So it loads everything high and into XMS so you get
more base RAM for your progs.

		Read PC for Dummies.

------------------------------

Date: Wed, 17 Apr 1996 11:15:10 +0000 (GMT)
From: Oliver Siepmann <siepmann@wfn.do.eunet.de>
Subject: What does the TAI-PAN (TAIPAN) virus do? (PC)
X-Digest: Volume 9 : Issue 54

Yesterday I found the TAIPAN (Tai-Pan.438) virus on my systems.
It has infected all DOS programs which are not called via a batch-file.
Is this virus harmful ?

Oliver

------------------------------

Date: Wed, 17 Apr 1996 13:56:04 +0200 (MET DST)
From: v942427@si.hhs.nl
Subject: Tbav for dos differs from tbw95 (PC)
X-Digest: Volume 9 : Issue 54

Hello, I tested some av-packages with some live
viruses (not a well-thought collection, but just a few I could get
my hands on).

The test showed, that tbav650 found the "V2pX" virus.
This was confirmed by fprot, IM 251A and mcafee.
TBW95 found an "unknown virus", instead of "V2pX".

Also, tbav650 found "Trivial.333", others found "Danish_tiny.Kennedy.A"
(mcafee & fprot) or Kennedy (msav & IM 251A) or "Dutch_tiny.Kennedy"
(avp).  Again, tbw95 found an "unknown virus".

And what tbav650 called "Phalcon", was called "Psychosis" by tbw95.
I've now also checked tbav 7.00 and tbw95 7.00.

The results were the same, with the exception that tbw95 no longer finds
the whale virus (the dos-version still does).

One would expect the two versions to be exactly the same, why do the two
differ anything but user-interface?

P.S. none of those viruses is in the wild.

Dimar van Rietschoten,
The cold but beautifull Netherlands.

------------------------------

Date: Wed, 17 Apr 1996 14:10:55 +0000 (GMT)
From: Lawrence Young <lyoung@cris.com>
Subject: Re: Monkey and partitioned drives (PC)
X-Digest: Volume 9 : Issue 54

Stefan Kurtzhals <kurtzhal@wmwap1.math.uni-wuppertal.de> wrote:

>>Here's how it is.  If you have Monkey on a multi partitioned (yes 
>>Double / Drive Space users, that means you), and you run FDISK /MBR, 

FYI, Double/Drive Space doesn't create a multi partitioned disk. It looks
like you got two partitions in one disk, but the compressed one is
actually a large file on the host drive.  The dblspace.bin driver
fools the DOS.

Lawrence

------------------------------

Date: Wed, 17 Apr 1996 13:10:47 EST5EDT
From: "Jim Leo" <ADMIN@everett.pitt.cc.nc.us>
To: virus-l@Lehigh.EDU
Subject: Lamar_Surprize and cost of false positives (PC)

I have a 'client' here on our campus that recently installed Norton 
Antivirus. All of a sudden she was getting an alert for 
Lamar_Surprize (Gen1). As I recall Lamar_Surprize was strictly a 
research virus and had not been detected 'in the wild'....

So on the assumption that it was a false positive, I began 
isolation/troubleshooting procedures. I also called Norton. Imagine 
my surprise to find out  "Yes, we know about that." Argh.....

Whatever happened to automatic notifications on software bug 
fixes....

Anyhow, solved the problem by 
	1. replacing her 3c503 with a 3c509 and the appropriate drivers.
	2. verifying machine through a multi-av scan.

Just goes to show that a Virus scare, this one was due to Concept 
word macro, goes a whole lot deeper than just file damage. Total time 
from start to finish? Roughly 45 manhours. 

------------------------------

Date: Wed, 17 Apr 1996 16:42:43 -0500 (EST)
From: GUY NOCE/COMPUTING AND NETWORK SERVICES/X-3956
Subject: Re: virus or hardware problem? (PC)
X-Digest: Volume 9 : Issue 54

>david.j.ahnen wrote:

{snip}
>> The system is a 386 16 with 4 Meg of memory.  The behavior problems
>> consist of the system locking up not long after a reboot.  The lock-up
>> does not discriminate against any program that may be running at the
>> time.  It locks up both in and out of windows - while a program is
>> executing or while nothing is running (I come back to the keyboard
>> after a while and hit CR only to get no response.)  I don't know if
>> this is a hardware problem, or if the system somehow was infected with
>> a virus.

Multiple problems of this sort are probably either environmental, i. e. 
flaky power--I have seen this sort of thing where the line voltage was
flaky--or a pattern sensitivity problem in memory. Cheap memory is
notorious for this sort of thing:  Memory cells in one location toggle
activity in another location. 

Run a chart recorder to check for power drops or surges on the same line
on which the computer is running, and if that checks out, buy good
memory.  The best is Japanese, if you can get it:  Toshiba or Hitachi,
OKI, Panasonic, Samsung (Korean), or even, (gulp), Goldstar, in a pinch.
No DOS based memory checker like CheckIt can detect pattern sensitivity
problems.

Probably not a virus.

Guy, Desktop Services Specialist at Towson State University, Towson, MD
at e7taguy@toe.towson.edu

------------------------------

Date: Wed, 17 Apr 1996 20:58:37 +0000 (GMT)
From: Lawrence Young <lyoung@cris.com>
Subject: Re: Monkey virus (PC)
X-Digest: Volume 9 : Issue 54

rostislav lyudmirsky <hbcsc093@csun.edu> wrote:

>Please help me: recently Intel's viruscan found a "Moneys" virus on my
>PC. After reformatting the hard drive and installing Windows 95,
>I still get a problem: General Protection Fault at random occurrences.
>The system reports busy and the only way to bypass it is to reboot.
>
>Could it be that the virus is still in boot sectors (I reformatted
>HD from clean system disk!  If so, would low level format solve
>the problem.
>
>Could you please send me information on how to solve this problem,
>also any information on that particular virus would be welcome.

Formatting a HD actually can't remove any boot viruses unless you use
low-level format which is not practical in today's harddisks. If it's
'Monkey' virus, you should use AV software which can SPECIFICALLY deal
with this virus because 'Monkey' virus changes the original partition
table and MBR. If you are familiar with debug and BIOS int 13
operation, you can read the HD MBR (head 0, Cylinder 0, Sector 1) when
virus is active in memory (don't boot with clean diskette!) and save it
on to a floppy disk. Then, boot the computer with clean dos disk and
load the resaved MBR data and write back to your HD.

If your HD is not infected by 'Monkey', boot with clean disk and run
FDISK/MBR then SYS C:. This procedure can erase almost all boot
viruses. Never try to format your HD. It only deletes useful programs
and data except viruses.

Lawrence Young

[Moderator's note:  Nooooo!!!!!  Monkey is not the only MBR infector in
the wild for which FDISK /MBR is a -VERY BAD- "solution".  In fact,
there are MBR viruses which will leave (large chunks of) your disk
wasted (unless you have the money to pay the very best data recovery
professionals) should you use FDISK /MBR.  More details in the FAQ.]
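
An added example, not part of the original posts or of any product named in them: a check of a saved 512-byte copy of the MBR sector (head 0, cylinder 0, sector 1) that confirms the 0x55AA signature and a sane partition table before any tool rewrites the boot code. The offsets are the standard PC MBR layout; the function names, the disk size and both sample sectors are constructed for illustration, and a passing result does not by itself make FDISK /MBR safe.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE       # four 16-byte partition entries start here
SIGNATURE_OFFSET = 0x1FE   # last two bytes of the sector: 0x55 0xAA
ENTRY = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count


def parse_partition_table(sector: bytes):
    """Return the four partition entries of an MBR sector dump as dicts."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR dump must be exactly 512 bytes")
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        status, _, ptype, _, lba, count = struct.unpack(ENTRY, raw)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def check_mbr(sector: bytes, disk_sectors: int):
    """Return a list of problems found; an empty list means the table looks sane."""
    entries = parse_partition_table(sector)
    problems = []
    if sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xaa":
        problems.append("missing 0x55AA boot signature")
    for e in entries:
        if e["status"] not in (0x00, 0x80):
            problems.append(f"entry {e['index']}: invalid status byte 0x{e['status']:02x}")
    if sum(1 for e in entries if e["status"] == 0x80) > 1:
        problems.append("more than one active partition")
    used = [e for e in entries if e["type"] != 0]
    if not used:
        problems.append("no partitions defined")
    for e in used:
        end = e["lba_start"] + e["sectors"]
        if e["lba_start"] == 0 or e["sectors"] == 0:
            problems.append(f"entry {e['index']}: zero start or length")
        elif end > disk_sectors:
            problems.append(f"entry {e['index']}: extends past end of disk")
    ordered = sorted(used, key=lambda e: e["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            problems.append(f"entries {a['index']} and {b['index']} overlap")
    return problems


def build_sector(parts):
    """Build a constructed MBR: zero-filled boot code area, table, signature."""
    table = b"".join(struct.pack(ENTRY, status, b"\0\0\0", ptype, b"\0\0\0", lba, n)
                     for status, ptype, lba, n in parts)
    return bytes(TABLE_OFFSET) + table.ljust(64, b"\0") + b"\x55\xaa"


# Constructed samples: one active FAT16 partition on a small disk, and the same
# sector with the table and signature bytes inverted, standing in for a sector
# that no longer holds a valid partition table.
DISK_SECTORS = 1_000_063
CLEAN = build_sector([(0x80, 0x06, 63, 1_000_000)])
GARBLED = CLEAN[:TABLE_OFFSET] + bytes(b ^ 0xFF for b in CLEAN[TABLE_OFFSET:])

if __name__ == "__main__":
    for name, dump in (("clean", CLEAN), ("garbled", GARBLED)):
        found = check_mbr(dump, DISK_SECTORS)
        print(name, "OK" if not found else found)
```

If the check reports problems, the table in sector 1 is not the one the disk was partitioned with, and rewriting only the boot code would leave the partitions unreachable.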

------------------------------

Date: Wed, 17 Apr 1996 21:59:50 +0000 (GMT)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: "Eat at grandma's grave" message--virus?? (PC)
X-Digest: Volume 9 : Issue 54

Pmaynard@apci.net writes:

>One day I was writing an assembly program and forgot to leave the $ on the 
>end of a string I was displaying. (the $ means the end of the string the 
>function is to print, for those who aren't familiar with assembly). 
>So it displayed some junk after it, and included in the junk was:
>
>       Eat at grandma's grave.
>
>So, there must be something going on....however TBAV and scan don't detect 
>anything. The only thing I have noticed that is strange is that I can't get 
>simple print statements to work in assembly, I always get some garbage.

You have Burglar.1150.

Please download an up-to-date scanner and you should be able to deal
with it.

Jimmy
cjkuo@mcafee.com

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 54]
*****************************************


