Message-Id: <01I3T8T91R10SKVG0S@csc.canterbury.ac.nz>
Date: 	Sun, 21 Apr 1996 17:39:30 +1200 (NZT)
Reply-To: virus-l@Lehigh.EDU
Sender: owner-virus-l@Lehigh.EDU
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>
Subject: VIRUS-L Digest V9 #56
MIME-version: 1.0
Content-transfer-encoding: 7BIT
X-Sender: cctr132@cantva.canterbury.ac.nz
X-Listprocessor-Version: 7.2 -- ListProcessor by CREN

VIRUS-L Digest    Sunday, 21 Apr 1996    Volume 9 : Issue 56

Today's Topics:

Re: Need a way to automatically update Virus Checkers.
Re: Dr Solomon's Virus Stats (March 96)
Download Dr Solomon's FindVirus 7.59
Re: Computer Viruses - A Dying Art???
Anti virus hardware?
McAfee No Longer NCSA Certified?
The old "Good Times"
H A V S WWW Site
Unix Based Viruses (UNIX)
Re: Form virus ate my NT boot sector! (NT)
OS/2 Warp Virus Shield? (OS/2)
Re: Effects of Word.Concept Virus? (MAC,WIN)
How to disable Word AutoMacro (MAC,WIN)
Re: Norton Anti-virus or McAfee (WIN95)
fprot professional (WIN95)
McAfee-VShield-error with mcutil.vbx? (WIN95)
Memory Virus or NAV problems? (WIN95)
Norton AntiVirus(NAV) CommandLine Switches or DDE (WIN)
Re: what is FORM virus???? (PC)
Re: Where to get a virus check up grade? (PC)
Re: Program to backup mbr and boot sector (PC)
Re: Multiple ParityBootA (PC)
Re: 639K mem (PC)
JACKELB virus - how do I remove it (PC)
Re: CONCEPT/Wordperfect macro:really no cure? (PC)
Croatia virus? (PC)
Re: Program to backup mbr and boot sector (PC)
Re: Bang virus? (PC)
Re: Stoned.Empire.Monkey_B (PC)
Re: Help Possible Virus (PC)
Predator virus (PC)
Re: xcopy /v ?? (PC)
Re: Flesh Eating Virus? (PC)
Re: Multiple boot sector infections (PC)
Re: Where to get a virus check up grade? (PC)
A Trojan trashed my partition tables... (PC)
Re: what is FORM virus???? (PC)
Re: Program to backup mbr and boot sector (PC)
Re: 850MB HD now 333MB--virus? (PC)
ONEHALF.3544 HELP!!!!  (PC)
Any information on IntAA? (PC)
Re: Program to backup mbr and boot sector (PC)
3132 bytes missing in base memory (PC)
Any Cure For Lemmings Virus?????HELP! (PC)
Re: Winword/Scanprot/FProt questions (PC)
Re: Batman 2.2844 (PC)
NYB Virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Thu, 18 Apr 1996 09:05:06 -0400
From: Mike Michalowicz <ici@planet.net>
Subject: Re: Need a way to automatically update Virus Checkers.
X-Digest: Volume 9 : Issue 56

Ken Griffin wrote:

> Can anyone help with automation?
> 
> Any help appreciated...

Well, it depends on the anti-virus software you're using, and what you
consider automating.  With Intel VProtect NLM, it will dial out to the
BBS, download the signature updates and install it.  With other packages
like McAfee you have to do some tricky maneuvers with login scripts and
batch files.  The DOS REPLACE command comes in handy on a Novell network.

Tell me what you have and how much you need to automate, and I will try to 
help you further.

- - 
Mike Michalowicz

Inter-Com, Inc.
469 Route 46 West
Kenvil, NJ  07847
Phone (201)252-1100
Fax   (201)252-9119
Email ici@planet.net

------------------------------

Date: Thu, 18 Apr 1996 16:15 +0000
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Dr Solomon's Virus Stats (March 96)
X-Digest: Volume 9 : Issue 56

Daren Palmer <dpalmer@bunbury.iap.net.au> writes:

> Personally, I don't think your posting of statistics on Virus
> 'hits' was a good idea.
>
> I'm sure the authors of the Winword Concept, Empire Monkey, and
> Parity B, if they saw your posting, would be filled with glee
> at the sight of their creations in the top three of the 'UK
> Virus Charts'.
>
> These sick gits don't need anymore encouragement.  I've wasted
> enough money, and time on troubleshooting, anti-virus programmes
> - not to mention their sapping memory in the background which
> could be put to better use.
>
> I, for one, would like to ask you to refrain from posting it
> again.

Hmm.. that's an interesting point of view - and not one I've heard 
before. Most of the response I have had from that posting was requests 
from users as to whether I had similar information from our USA and other 
offices (unfortunately this isn't yet available) as they would like to 
know what viruses are most common in their area of the world.

It should also be remembered that this kind of data is not new.  Joe 
Wells has been compiling a monthly "In the Wild" list for some time, and 
Virus Bulletin print a "Top Twenty" in their magazine each month.  There 
are also a number of places on the net where this kind of information can 
be found.

In fact, I feel there is an argument that a posting like mine could 
actually *discourage* virus authors.  After all, anyone looking at the 
list will see that the vast majority of viruses "in the wild" are 
actually a few years old.  Anyone writing a virus today is pretty 
unlikely (unless they get lucky like Concept did) to see their virus 
actually out there causing a big problem.  Of the 8500+ viruses only a 
very small percentage appear to be causing a big problem to everyday, 
normal users.

I think there's useful information to be gleaned from such statistics: 
boot sector viruses are much more common than file viruses, Concept is by 
far the most common virus in the world.  Knowing this helps us to address 
the virus problem better and those readers of virus-l who are putting 
together an anti-virus policy can address issues like changing the CMOS 
to boot their PCs from drive C: (thus avoiding pure boot sector viruses), 
installing a VxD which can stop macro viruses (to prevent the spread of 
Concept).

But I'd be interested in hearing what other virus-l readers think of 
posting statistics in this forum about which viruses are out there.

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Thu, 18 Apr 1996 16:18 +0000
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Download Dr Solomon's FindVirus 7.59
X-Digest: Volume 9 : Issue 56

Dr Solomon's FindVirus v7.59 is now available for download and evaluation 
via the web and ftp.  You can also now have FindVirus emailed direct to 
your mailbox (see below for details).

Here's what's new

    New in Version 7.59
    ===================
    1.  This version of Dr Solomon's FindVirus detects 265 new viruses
    bringing the total detected to 8546 (including an additional driver
    for detecting the new Tentacle virus).

    2.  This version may be evaluated until June 16th 1996 - see
    README.TXT for more information.

Archive formats now supported: ZIP, ARJ, ARC, LZH (also known
as LHA)

Compression formats now supported: PKLite, LZExe, ICE, Diet,
CryptCom, and Microsoft Expand

This version of Dr Solomon's FindVirus is for evaluation purposes only. 
It is NOT free, shareware or public domain.  The evaluation period for 
this version ends 16th June 1996.  At that point the evaluation 
period will have expired, and the program will no longer run.

If you require longer to evaluate the product then we recommend that you 
download a more recent version of the evaluation software from the 
approved sites (see DISTRIB.TXT in the zip file), as this will be more 
up-to-date and detect more viruses.

FindVirus can scan recursively inside compressed and archived files (ZIP, 
LZH, ARJ, ARC, ICE, Diet, CryptCom, Microsoft Expand, PKLite, and LZExe) 
without writing to the hard disk.  Additionally its advanced heuristic 
capability means it can detect a large number of new and unknown viruses 
without the false alarm problem found in some other products.

If you are interested in purchasing the full commercial version of Dr 
Solomon's Anti-Virus Toolkit then contact S&S International (USA: +1 617 
273 7400, or UK: +44 (0)1296 318700), or take a look at our website: 
http://www.drsolomon.com

You can download the evaluation version of FindVirus v7.59 from:

     Website:    http://www.drsolomon.com
     AnonFTP:    ftp.drsolomon.com/pub/progs/dsav759.zip
     CompuServe: GO DRSOLOMON
  
NEW!! Email:  Send a blank email to findvirus@info.drsolomon.com
      and you'll have the latest version of FindVirus sent to you in
      UUEncoded form.  This should be of particular use to those of
      you who have experienced difficulties downloading FindVirus from
      our website.

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Thu, 18 Apr 1996 16:06:00 -0700
From: Corey Lawson <csl@u.washington.edu>
Subject: Re: Computer Viruses - A Dying Art???
X-Digest: Volume 9 : Issue 56

All someone needs to do is patch one of the VxD's or DLLs in Windows...
The details are in Shulman's "Undocumented WindowsX" books, and if one
had the VxD info from Microsoft...

Windows uses VxDs to "catch" software DOS interrupt calls and do its own
thing with them... For example, the 32-bit HD software for Windows 3.x is
a VxD.

-Corey Lawson

------------------------------

Date: Fri, 19 Apr 1996 09:38:41 -0400
From: Mike Davis <admin@beardsley.com>
Subject: Anti virus hardware?
X-Digest: Volume 9 : Issue 56

I was on the web the other day and I came across some anti-virus hardware.
I forgot the name of it and where to find it.  Can someone recommend some
A-V hardware?  Is it any good compared to software?  Right now anyone
that wants to load anything on our system has to take it to us on
floppies so we can scan it before we put it on our file server.  We are
looking to allow users access to the 'Net, but are of course concerned
about viruses.  Suggestions?

Mike Davis
- - 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-
Beardsley, Beardsley, Cowden & Glass A/E P.C.

------------------------------

Date: Fri, 19 Apr 1996 17:44:12 +0000 (GMT)
From: clarence_rogers@dayton.saic.com
Subject: McAfee No Longer NCSA Certified?
X-Digest: Volume 9 : Issue 56

I have heard that McAfee has dropped off the NCSA list of certified AV
apps. I was wondering if anyone has any information on this?

[Moderator's note:  You could try looking at the NCSA's web site.  The URL
for their pages describing their certification scheme is:

   http://www.ncsa.com/avpdcert.html,

although I have to admit I cannot clearly decide -exactly- what that page
is trying to tell me about the status of the products mentioned.]

------------------------------

Date: Fri, 19 Apr 1996 20:54:21 +0000 (GMT)
From: brad@wrdis02.robins.af.mil
Subject: The old "Good Times"
X-Digest: Volume 9 : Issue 56

You might be interested to know that the "Good Times" e-mail
virus hoax is, yet again, making its way through the net.  This
time, however, there was a new twist.  In the set of forwarded
messages, was the following text

   >In addition to the FCC warning below, this virus was  confirmed as a
   >malicious virus by Jerry
   >Kuehn of the Madison office of the U.S. Secret  Service.

Just thought you might find it interesting.  Please post a reply if you
have seen this variation.

------------------------------

Date: Sat, 20 Apr 1996 17:32:10 +0000 (GMT)
From: "Rae B. Creedle" <raebc@roanoke.infi.net>
Subject: H A V S WWW Site
X-Digest: Volume 9 : Issue 56

Does anyone know where the H A V S web site is now located? It's not at
the address I was using, and I can't find it with search tools.

Rae B. Creedle
raebc@roanoke.infi.net

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Old mainframe programmers never die....
They just get Warped.

------------------------------

Date: Thu, 18 Apr 1996 16:18:21 +0000 (GMT)
From: "David B. Cross" <dbcross@gapac.com>
Subject: Unix Based Viruses (UNIX)
X-Digest: Volume 9 : Issue 56

Has anyone on the net heard of a virus that affects SCO boxes that gives a
message "Too many live wires - you are dead"?

------------------------------

Date: Thu, 18 Apr 1996 20:53:28 +0000 (GMT)
From: Zvi Netiv <netz@actcom.co.il>
Subject: Re: Form virus ate my NT boot sector! (NT)
X-Digest: Volume 9 : Issue 56

Brent Olson <night@halcyon.com> wrote:

> I installed a new piece of hardware and needed to load drivers from a
> floppy that had "been around the office" and inadvertently left the
> floppy in the NT3.51 Server during the reboot...I got the lovely "non-
> system disk" error, took the floppy out and rebooted.
> 
> NT does not boot.  It goes through the usual memory check etc, but
> just when the boot screen is supposed to come up, it just sits there.
> Scanning the floppy indicated it is infected with Form A virus, which
> is a master-boot-record inflicting vermin.  The machine is set up with
> only 1 2 gig disk (SCSI) with no DOS lying about anywhere.  
> 
> If this were a DOS/Win95 box, I'd just boot with a clean boot floppy,
> do a fdisk /mbr on drive C:, and I'd be done.  Drive C: is NTFS.

Fdisk/mbr won't help as Form is a boot infector, not an MBR one. BTW,
fdisk/mbr-ing an NTFS drive won't do any harm - just useless in Form's
case.

> I thought that NT was impervious to these types of DOS viruses?

Now you know, first hand, that it isn't. If you had a rescue diskette
prepared before it happened then you could recover in seconds. Consider
preparing one after you recover the drive. You'll find guidance how to
make a rescue disk in InVircible.

> Any help is most appreciated.

If lucky, the original boot sector should be relocated by Form to the last
cylinder on the drive, last head, in one of the last sectors on the track.
Pick it with Norton's DiskEdit and paste it back to where it belongs,
usually on head 1, cylinder 0, sector 1.

ResQdisk from the InVircible Pro package can do wonders in your case,
especially if you cannot find the original boot sector on the last track
or it was overwritten for some reason. 

You are invited to join the InVircible forum on Compuserve (go
INVIRCIBLE). There is a section dedicated to disk recovery and we'll be
glad to help and answer your questions. 

Regards, Zvi
- --------------------------------------------------------------------
NetZ Computing Ltd, Israel          Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)   Fax +972 3 532 5325
http://invircible.com/  ftp.invircible.com  CompuServe: go INVIRCIBLE
E-mail: netz@actcom.co.il netz@invircible.com  Compuserve: 76702,3423
- --------------------------------------------------------------------

------------------------------

Date: Fri, 19 Apr 1996 09:13:42 -0400
From: lauders@ix.netcom.com
Subject: OS/2 Warp Virus Shield? (OS/2)
X-Digest: Volume 9 : Issue 56

I was wondering if anyone knows of a Virus Shield for OS/2 Warp Connect. 
We are also running Lan Server if this helps. Please reply to message if 
you know of anything. Thanks

------------------------------

Date: Thu, 18 Apr 1996 17:02:04 -0700
From: Corey Lawson <csl@u.washington.edu>
Subject: Re: Effects of Word.Concept Virus? (MAC,WIN)
X-Digest: Volume 9 : Issue 56

No, Word *KNOWS* it's a template (because it looks at magic chars inside
the file when it's opened, not the extension), so it won't let you save it
again. Doesn't matter if there is macro code or not in it.

Luckily this is the only non-benign effect of the Concept virus.

-Corey Lawson
csl@u.washington.edu

------------------------------

Date: Fri, 19 Apr 1996 07:26:03 -0700
From: Goro Miyano <miyano@chapman.edu>
Subject: How to disable Word AutoMacro (MAC,WIN)
X-Digest: Volume 9 : Issue 56

The computer lab I work for has been attacked by Macro Virus.
I didn't save the edit you make to normal.dot to disable AutoMacro.
Could someone e-mail me how it's done?  I appreciate it.

------------------------------

Date: Thu, 18 Apr 1996 09:06:32 -0400
From: Mike Michalowicz <ici@planet.net>
Subject: Re: Norton Anti-virus or McAfee (WIN95)
X-Digest: Volume 9 : Issue 56

Sachi Noma wrote:

> which is better under win95:norton anti virus or McAfee?

Even though I'm a huge proponent for McAfee, I actually liked the 
Norton anti-virus under Win95 a little bit better.

- - 
Mike Michalowicz

Inter-Com, Inc.
469 Route 46 West
Kenvil, NJ  07847
Phone (201)252-1100
Fax   (201)252-9119
Email ici@planet.net

------------------------------

Date: Thu, 18 Apr 1996 12:52:54 +0000 (EST5EDT)
From: Mark Hazen <MHAZEN@hestia.fcs.uga.edu>
Subject: fprot professional (WIN95)
X-Digest: Volume 9 : Issue 56

Received this from one of our on-campus support persons, and I was 
interested in seeing if anyone has had similar problems, and/or 
knew of a solution. Please reply both to the list and to 
myself. Thanks!

- ------ Forwarded Message Follows ------- 

One of the people I support has fprot professional for win95 - we
have noticed that when installed on either of 2 different win95 pcs,
it causes the diskette drives to be accessed whenever we print
anything (either print screens from tcp3270, or an F4 print from
contac, or even printing test document from wordpad).  We have
completely redone both computers, and until fprot professional is
installed we do not have this problem.  Has anyone else noticed
symptoms like this?  I thought the computer had a virus at first, but
it appears to be the antivirus software that is causing the problem.

    -Mark H.
    
- ---------------------------------------------------------------------
*/ Mark Hazen                                    mhazen@fcs.uga.edu /*
*/ Computer & Network Support              mhazen@spock.fcs.uga.edu /*
*/ College of Family & Consumer Sciences      phone: (706) 542-4864 /*
*/ FCS Users:Send Service Requests/Questions to helpdesk@fcs.uga.edu/*

------------------------------

Date: Sat, 20 Apr 1996 15:59:33 +0000 (GMT)
From: Roland Ortloff <roland@studbox.uni-stuttgart.de>
Subject: McAfee-VShield-error with mcutil.vbx? (WIN95)
X-Digest: Volume 9 : Issue 56

Several days ago I tried Vshield (VS95I20e.zip). Sometimes
there happened a critical error with the file mcutil.vbx from Vshield.
It happened when I opened the DosEdit in a dosbox and tried to save
a file from there. The same mistake happens every time with
VS95I2AE.zip. Does anyone know this problem, or did a virus change
there something?

Please answer as follow-up, thanx for your help.

Ciao Roland :)

   http://www.informatik.uni-stuttgart.de/fachschaft/adressen/ortlofrd.html
				     /;^;\        I'm definitly not tolerant,
roland@studbox.uni-stuttgart.de     ( o o )     but sometimes it's just enough
- -------------------------------oOOO--(_)--OOOo-------------------------------

------------------------------

Date: Sat, 20 Apr 1996 17:53:24 +0000 (GMT)
From: Julie Pecenco <jnpecenc@mailbox.syr.edu>
Subject: Memory Virus or NAV problems? (WIN95)
X-Digest: Volume 9 : Issue 56

I'm running NAV for Win95 and have been having trouble when I try to
update it.  I'm not sure if I have a virus or just a problem related
to NAV.  I upgraded with the January '96 virus definitions with no
problem.  However, when I tried to load the February set, I ran into
problems.  The March and April sets cause pretty much the same results
(yes, I know I should have asked this a long time ago.)

Here's what happens:

- I scan with NAV (updated to Jan '96 version)
- restart Win95
- before Windows loads, I get the error message:
	"XMS cache problem.  Registry services may be inoperative this 
	session.
	Not enough extended memory able to run Windows.
	Quit one or more applications to increase available memory or restart 
	your computer.
	Press any key to continue..."

- I restart the computer.

- The previous step hasn't occurred recently.  It goes right to the
  Windows95 Start Menu, which tells me that Windows95 did not load
properly the last time, and should be restarted in safe mode.

- I restart in Safe Mode.  From here, I can reload the January
updates, and  everything goes back to normal.

- When this first happened, didn't reinstall the January updates, but
simply  rebooted or restarted to try to get back to normal mode.  I
think NAV popped  up at this point saying I had a memory virus, and it
was stopping the computer.  No virus identification was made, and it
didn't let me proceed from there.  I tried to reboot from the NAV
rescue disks with no luck.  (I'm afraid I don't  recall the details.)
Rebooting brought up the "Windows95 Start Menu" (DOS).

- If I reinstall in Normal Mode rather than Safe Mode, NAV pops up the
error   message:
	"Error
	 Unable To Complete Scan

	 NAV has found more viruses or inoculation changes than it can track
	 in a single scan.

	 Correct of the problems and restart the scan or scan fewer files at 
	 a  time."

- Everything runs fine from this point.  However, the next time I
reboot/restart  the previous message comes up.

I'm most concerned because I did get a "virus found" warning which
stopped the computer entirely at one point, though I haven't had that
problem recently, and haven't noticed any problems other than this.

At the very least, I want to keep my NAV updated, and this has been
preventing me from doing so.

Incidentally, the Symantec Web Site FAQ for NAV95 has a question about
getting memory errors when installing the software.  The fix is to
increase the virtual memory minimum to at least 20MB.  I tried this,
but it doesn't help.

Thanks,
Julie

- -
Julie Pecenco                                    jnpecenc@mailbox.syr.edu
"If I live through this job, without completely losing my mind, it will
 be a miracle of biblical proportions."
				- Commander Susan Ivanova, Babylon 5

------------------------------

Date: Fri, 19 Apr 1996 10:13:35 -0700
From: ericr@skypoint.com
Subject: Norton AntiVirus(NAV) CommandLine Switches or DDE (WIN)
X-Digest: Volume 9 : Issue 56

Is there a way to have NAV be used to just scan a given file and return an
error code without it displaying a dialog box that a virus was found?

I've tried NAV for DOS and its set of switches, but none of them seem to
cause NAV not to display a dialog box when a virus is found.

Can NAV for Windows be a DDE server for such things? If so: what commands
can it accept? where is this documented?

Please post your responses to comp.virus, and email me them also. Thanks.

Eric Romo
Computer Consultant
Stillwater, MN 55082
ericr@skypoint

------------------------------

Date: Thu, 18 Apr 1996 09:12:28 -0400
From: Mike Michalowicz <ici@planet.net>
Subject: Re: what is FORM virus???? (PC)
X-Digest: Volume 9 : Issue 56

cin wrote:

>    my virus checker said it cleaned up the form virus about 6 months
> ago. now it showed up on a disk i brought in to work(how embarrassing.)
> what the heck does it do??? i haven't noticed any overt symptoms.

The FORM virus originated in Switzerland.  It is a memory resident virus 
that infects the boot sector of hard drives and floppy drives.  It 
usually infects the boot sector of the first access, but sometimes skips 
over it.  To remove, boot from a clean floppy (with the same DOS version 
and your HDD) and use FDISK /MBR.  For Floppies use SYS A: or SYS B: to 
remove.

- -
Mike Michalowicz

Inter-Com, Inc.
469 Route 46 West
Kenvil, NJ  07847
Phone (201)252-1100
Fax   (201)252-9119
Email ici@planet.net

------------------------------

Date: Thu, 18 Apr 1996 09:15:00 -0400
From: Mike Michalowicz <ici@planet.net>
Subject: Re: Where to get a virus check up grade? (PC)
X-Digest: Volume 9 : Issue 56

GenMelchit wrote:

> In article <0032.01I3FQNQ0S3KSKU6UC@csc.canterbury.ac.nz>, "Glenn P.
> Siegrist" <teamsieg@snowhill.com> writes:
> 
> >I have a Packard Bell Legend 36CD its a 486/50. It came with Win 3.11 on
> >it I have had it for over a year now and I would like to know is there an
> >upgrade to the Microsoft virus scan program that came with it.
> 
> I was just thinking the same thing, Glenn.  My MS Anti-virus is about two
> years old (!), and I'm wondering if it's the right thing to use for
> detection.
> 
> Anybody have an opinion on MS Anti-virus performance?  Something better?

You get what you pay for!  The "free" MS-Antivirus is really not a good 
package, but if you choose to stay with it, you can get updates from the 
Microsoft BBS.  

Better packages are F-Prot, McAfee and NAV.

- - 
Mike Michalowicz

Inter-Com, Inc.
469 Route 46 West
Kenvil, NJ  07847
Phone (201)252-1100
Fax   (201)252-9119
Email ici@planet.net

------------------------------

Date: Thu, 18 Apr 1996 14:46:52
From: "S. Widlake" <s.widlake@rl.ac.uk>
Subject: Re: Program to backup mbr and boot sector (PC)
X-Digest: Volume 9 : Issue 56

MIKE6099@aol.com writes:

>Is there a (cheap) ;) program that backs up the mbr and bootable area of a
>hard disk in case of a boot virus or corruption? 

VERY smart move... 

Mirror /Partn

If you haven't got a copy of Mirror.Exe "rob" one off an earlier version
of MS DOS 5.0 - It will still work :-)

Is free cheap enough ?

S.;-) 

- --
.sig II Found and Restored ...

------------------------------

Date: Thu, 18 Apr 1996 14:52:06 +0000 (GMT)
From: Ken Stieers <kstieers@ontrack.com>
Subject: Re: Multiple ParityBootA (PC)
X-Digest: Volume 9 : Issue 56

Is probably the same virus, you and your friend are most likely passing it
back and forth.  Did you EVER pass a floppy around??

FDISK /MBR killed the virus, but it can be very dangerous to use so don't
depend on it.

There probably isn't any connection between Corel and your infections. 
Scan all of your floppies, you are bound to find more copies of the virus.

Ken

- - 
Views expressed herein are not necessarily the views 
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               |  Minneapolis - 1.800.872.2599       * 
* AV Research/Apps. Eng.    |  Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  |  Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     |  London - 0800 24 39 96             *
* Eden Prairie, MN          |  Japan - 81.429.32-6365             *
*******************************************************************

------------------------------

Date: Thu, 18 Apr 1996 10:50:13 -0500
From: Kurt Evans <kevans@excel.net>
Subject: Re: 639K mem (PC)
X-Digest: Volume 9 : Issue 56

qifei wrote:

> I have a Compaq 586. The basic memory of this machine is always
> 639K when I test it with "mem" command,even when I reboot it with a clean
> DOS soft disk. Then I think the virus maybe in CMOS. But after I clean up
> the CMOS, there is still 639K basic memory in the memory.
> 
> The sign of the "virus" have two:
>     a.) The machine often warn me the memory is not enough to run a
> software.
>     b.) The virus automatically set a password on CMOS.
> 
> I don't know how to do with it. If you have some solution or advice,
> please tell me.

I have several Compaq machines that consistently report 639k using MEM or
MSD. If I run chkdsk, they report 655,360 total bytes memory, which is the
correct amount (655360/1024=640k).  Run chkdsk and you should see the same
amount.

You don't have a virus, just a PC that needs help with long division ;)

- -Kurt

------------------------------

Date: Thu, 18 Apr 1996 16:12:00 +0000 (GMT)
From: Hinnerk Hagenah <hg@groucho.lft.uni-erlangen.de>
Subject: JACKELB virus - how do I remove it (PC)
X-Digest: Volume 9 : Issue 56

We have a virus on some PCs called JACKELB.
It seems to be located in the Master Boot Record (MBR).
The partition table may be infected too.

McAfee is not able to remove the virus. 

Does anybody know how we can get rid of the virus?

Thanx for helping

Hinnerk
- -
Dipl.-Inf. Hinnerk Hagenah LFT, FAU Erlangen-Nuernberg hg@lft.uni-erlangen.de
	 --- Disclaimer: I speak only for myself ---
 "Doctor, I must confess I am uncertain as to why pushing
   someone into freezing, shark-infested water is amusing."
			DATA, Generations

------------------------------

Date: Thu, 18 Apr 1996 09:22:32 -0700
From: templeton <rzrogers@teleport.com>
Subject: Re: CONCEPT/Wordperfect macro:really no cure? (PC)
X-Digest: Volume 9 : Issue 56

R. Zalk wrote:

> Re-install Word. If at all possible, remove your current version. Then
> you can narrow down specific files [DOC] with the problem and the cut
> and paste to a new DOC. This usually does the trick.

That is a bit more extreme than might be necessary. Reinstalling Word 
won't buy you anything if you then turn around and open a doc. with 
the macro in it. The Concept virus will only "infect", that is to say 
inhabit, your normal.dot template file 
c:\MSOFFICE\WINWORD\TEMPLATE\NORMAL.DOT if you have office loaded> if it 
does not find the payload portion of the macro installed. I ran the MS 
anti virus document against one pc which installs a bogus macro named 
payload to prevent reinfection, an autoclose macro that scans docs on 
closing and a cleanall macro that allows you to scan your files. If you 
create a good normal.dot with these in it, you can then copy it around to 
others without their having to run the program for a limited amount of 
protection. The latest McAfee also scans for files with the concept macro 
virus, which is a heck of a lot faster than the MS document does. 

Try some of these and it will save you a complete reinstall of Word. 

-Richard Rogers
======================
LAN Admin, Oregon Dept. of Environmental Quality
Disclaimer: my employer is the general public, and they NEVER agree with 
me. 
"Harthahorne City Ordinance, Section 363, states that it shall be
  unlawful to put any hypnotized person in a display window. "

------------------------------

Date: Thu, 18 Apr 1996 18:32:19 +0000 (GMT)
From: Seamus Shortall <sshortal@iol.ie>
Subject: Croatia virus? (PC)
X-Digest: Volume 9 : Issue 56

Has anyone any information on a virus (trojan?) called 'Croatia' ?

I found it apparently dormant, in WINMINE.EXE.

Thanks.

Seamus.

- ----------------
Seamus Shortall
Dublin, Ireland

For news and results of Irish Cycling:
http://ireland.iol.ie/~sshortal/

------------------------------

Date: Thu, 18 Apr 1996 20:53:36 +0000 (GMT)
From: Zvi Netiv <netz@actcom.co.il>
Subject: Re: Program to backup mbr and boot sector (PC)
X-Digest: Volume 9 : Issue 56

MIKE6099@aol.com wrote:

> Is there a (cheap) ;) program that backs up the mbr and bootable area of a
> hard disk in case of a boot virus or corruption?  Or is there an option
> like this in virusscan 95 or TBAV??

InVircible (available on AOL too) prepares a comprehensive rescue diskette
that backs up the whole boot chain, not only the MBR and boot sector. 

It's freeware to private users (cheap enough?).  :-)  You can register the
software later if you wish. However, the disk recovery features are fully
available in the free version.

BTW, if you are using a dynamic boot overlay (Ontrack's DDO) then IV's
ResQdisk is the only backup tool that can see through the DDO stealthing
and properly back up the boot chain and overlay and restore it when
needed.

Regards, Zvi
- --------------------------------------------------------------------
NetZ Computing Ltd, Israel          Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)   Fax +972 3 532 5325
http://invircible.com/  ftp.invircible.com  CompuServe: go INVIRCIBLE
E-mail: netz@actcom.co.il netz@invircible.com  Compuserve: 76702,3423
- --------------------------------------------------------------------

------------------------------

Date: Fri, 19 Apr 1996 01:24:04 +0300 (EET DST)
From: "Mikko H. Hypponen" <Mikko.Hypponen@datafellows.com>
Subject: Re: Bang virus? (PC)
X-Digest: Volume 9 : Issue 56

Scott Schiller x2554 <schiller@nicmad.nicolet.com> wrote:

> My sister apparently has a virus by the name of "bang" on her computer. 
> The way she describes it, her machine started acting strangely and she
> couldn't load certain files, and she was experiencing memory problems.
> She started investigating, and when she opened her win.ini file there was
> a message that simply said, "Bang! by <somebody...Michelangelo?>" 

First of all, you probably do not have a virus. The WIN.INI modifications
you are referring to are created by a harmless game.

By the way, you usually can find a solution to problems like this by
using a good web search engine. Connecting to 

   http://altavista.digital.com/ 

and giving 'bang' and 'virus' as keywords will find the following 
description from http://www.datafellows.com/v-descs/bang.htm:

NAME: Bang
ALIAS: WinDoom, Death to Mickeysoft

This is not a virus, but we sometimes get support calls about it. 

Bang is a Windows-based game, which is distributed in BANG20.ZIP. It
will display an icon with the text 'Death To Mickeysoft', and will
change your mouse cursor to a crosshair and allow you to shoot holes
to the visible windows.

In addition to that, Bang inserts the following lines to your WIN.INI:


  [BANG]

     BBBBBB         AA       N     N     GGGGGG
     B      B     A    A     NN    N    G
     B      B    A      A    N N   N    G
     BBBBBB      A      A    N  N  N    G   GGG
     B      B    AAAAAAAA    N   N N    G      G
     B      B    A      A    N    NN    G      G
     BBBBBB      A      A    N     N     GGGGGG
 
  Written by REMBRANDT, POWER MIKE and JOSH
 
  Each WinDoom application is adding some rubbish to the WIN.INI
  file. This one too !!!
 
  Enjoy it
 
The game is harmless and can be considered to be a joke.

- - 
	 Mikko Hermanni Hypponen - Mikko.Hypponen@DataFellows.com  
   Data Fellows Ltd's F-PROT Pro Support: F-PROT-Support@DataFellows.com
 Computer virus information available via web: http://www.DataFellows.com/
Paivantaite 8, 02210 Espoo, Finland. Tel +358-0-478444, Fax +358-0-47844599

------------------------------

Date: Fri, 19 Apr 1996 02:26:22 +0000 (GMT)
From: Guru <finnigan@wilde.oit.umass.edu>
Subject: Re: Stoned.Empire.Monkey_B (PC)
X-Digest: Volume 9 : Issue 56

Kendall Trent Berkey (kberkey@visus.jnj.com) wrote:

: On 9 Apr 1996 16:05:47 -0000, "B. Gilbert"
: <bgilbert@blue.weeg.uiowa.edu> wrote:
: 
: >>In article <0022.01I2G0808C12RI5O92@csc.canterbury.ac.nz>,
: >>Virex1<virex1@aol.com> says:
: >
: >>>I had a floppy disk infected with the Stoned.Empire.Monkey_B virus, while
: >>>attempting to disinfect the floppy I ended up infecting my internal HD by
: >
: >I too seem to have this Stoned Empire Monkey virus, on a friend's
: >machine.  When I boot from a clean floppy, C: is not recognized.
: >F-Prot finds the infected MBR, but doesn't see the hard disk (!).
: >Otherwise the machine seems to boot and run fine.
: >
: >The last time this happened (with this same virus) I tried the fdisk
: >/mbr, but this rendered the hard disk unbootable.  I had to do a
: >complete restore from tape, and then clean the restored files before
: >the MBR reinfected.
: >
: >Have I missed a step?  I'm reluctant to try the fdisk /mbr again!
: 
: The monkey virus can be destroyed by rewriting the mbr. I replaced one
: by using f-prot. The rescue feature can either take a backup or one
: off of an identical drive and rewrite it, destroying the virus. We have
: several alike disk drives at work to get a good "copy" from. I imagine
: you should make a backup "rescue file" for the boot record as soon as
: you get a clean boot f-prot disk. 
: 
: As for not seeing the disk, are you using any disk manager software
: for your hard drive? we have gotten rid of viruses on 1.6gig drives
: that have disk manager software by rewriting the MBR with the software
: that came with the drive.

Using FDISK /MBR won't get you anywhere with the Monkey virus.  Monkey 
moves and encrypts the entire MBR when the Hard disk becomes infected... 
FDISK /MBR will repair the MBR but the Partition Table is not 
valid...leading to the invalid drive specification.  Booting off of a 
diskette leads to the same problem... DOS is unable to properly recognize 
the drive due to the lack of a valid Partition Table... use F-PROT or the 
like running off a clean bootable floppy and you'll be just fine... also 
it might be good to use the MIRROR /PARTN command of DOS 5+ you can then 
restore your partition table after FDISK /MBR *note* only good if you 
mirror when the machine is not infected...

J
finnigan@oitunix.oit.umass.edu
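
The "invalid drive specification" symptom described above comes down to whether the four-entry partition table at offset 0x1BE of sector 0 still makes sense. The following is an added example, not part of the original post: a checker for that table, run over two constructed sectors. The disk size, the sample partition and the filler bytes in the damaged table are assumptions made for illustration, not data from Monkey.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE      # four 16-byte partition entries start here
SIGNATURE_OFFSET = 0x1FE  # 55 AA boot signature
ENTRY_FORMAT = "<B3xB3xII"  # status, (CHS start), type, (CHS end), LBA start, sector count


def parse_partition_table(sector):
    """Return the four partition entries of an MBR sector as dicts."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    entries = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            ENTRY_FORMAT, sector, TABLE_OFFSET + 16 * i)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def check_mbr(sector, disk_sectors):
    """Return a list of problems; an empty list means the table is usable.
    A usable table says nothing about whether the boot code is clean."""
    problems = []
    if sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xaa":
        problems.append("missing 55 AA boot signature")
    entries = parse_partition_table(sector)
    used = [e for e in entries if e["type"] != 0]
    if not used:
        problems.append("no partitions defined")
    if sum(1 for e in entries if e["status"] == 0x80) > 1:
        problems.append("more than one active partition")
    for e in entries:
        if e["status"] not in (0x00, 0x80):
            problems.append("entry %d: bad status byte 0x%02X" % (e["index"], e["status"]))
    for e in used:
        if e["lba_start"] == 0 or e["sectors"] == 0:
            problems.append("entry %d: empty extent" % e["index"])
        elif e["lba_start"] + e["sectors"] > disk_sectors:
            problems.append("entry %d: runs past end of disk" % e["index"])
    ordered = sorted(used, key=lambda e: e["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            problems.append("entries %d and %d overlap" % (a["index"], b["index"]))
    return problems


def build_mbr(table_bytes):
    """Constructed sample sector: zeroed boot code, 64-byte table, signature."""
    if len(table_bytes) != 64:
        raise ValueError("partition table is 64 bytes")
    return bytes(TABLE_OFFSET) + table_bytes + b"\x55\xaa"


DISK_SECTORS = 1100000  # constructed disk size
# Constructed healthy table: one active DOS partition starting at sector 63.
GOOD_MBR = build_mbr(struct.pack(ENTRY_FORMAT, 0x80, 0x06, 63, 1000000) + bytes(48))
# Constructed damaged table: fresh signature, but arbitrary filler where the
# table should be, standing in for a sector 0 with no valid table.
DAMAGED_MBR = build_mbr(bytes((i * 37 + 11) % 256 for i in range(64)))

if __name__ == "__main__":
    print("good:", check_mbr(GOOD_MBR, DISK_SECTORS))
    for line in check_mbr(DAMAGED_MBR, DISK_SECTORS):
        print("damaged:", line)
```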

------------------------------

Date: Thu, 18 Apr 1996 20:26:34 -0400
From: Mario Pitre <mpitre@kpmg.ca>
Subject: Re: Help Possible Virus (PC)
X-Digest: Volume 9 : Issue 56

I just want to let you know that I had the same errors. ("xxxx has 
performed an illegal operation and will be shut down", followed by 
everything else ending with the same message, even the shut-down 
operation, crashing WIN95). 

After about a week of trying to re-install, correct, change parameters 
and running NAV, I decided to completely erase WINDOWS and all its 
sub-directories. This had to be done after re-booting in DOS-mode 
since you cannot erase the files currently used by WIN95. 

Then I reinstalled WIN95 from the CD and it has been 3 weeks with no 
problem. I do not necessarily suspect a virus, I think that it's 
probably because I installed and incorrectly uninstalled too much 
software, which somewhat screwed-up something in WIN95. 

This is not an elegant solution but it worked for me.

Good luck!!

------------------------------

Date: Fri, 19 Apr 1996 04:12:22 +0000 (GMT)
From: adrown <adrown@e2.empirenet.com>
Subject: Predator virus (PC)
X-Digest: Volume 9 : Issue 56

We have a Predator virus on one of the computers at the school where I 
teach.  We're having great difficulty removing it.  We've used McAfee, 
we've formatted the drive, and it is still there.

Can anyone help or offer suggestions for us to try?

Ann Drown <adrown@empirenet.com>
Riverside, CA

------------------------------

Date: Fri, 19 Apr 1996 08:31:41
From: "S. Widlake" <s.widlake@rl.ac.uk>
Subject: Re: xcopy /v ?? (PC)
X-Digest: Volume 9 : Issue 56

In article <0036.01I3JH3PLOGSSKU6UC@csc.canterbury.ac.nz> 
ak8188@CNSVAX.ALBANY.EDU writes:

>i work in a place where the folks who buy the computer diskettes are
>not the same folks who use them; inevitably, they purchase bad media
>(sony 10mfd-2hd), and we get stuck using them; i think that close to
>ten percent of the diskettes come with bad sectors, right out of the
>box
>
>whenever i copy a file to a diskette, i have to actually wonder whether
>the file has been copied correctly!!  my solution to this is to stop
>using the ms-dos COPY command to copy from the hard drive to diskettes;
>instead i use the XCOPY /V command; my questions are the following:
>
>a) what does XCOPY /V actually do; what does ms-dos do when it "verifies"
>        the copying?  is it the same as using COPY and then FC to compare
>        the versions of the files?

I don't have full answers to your questions though I can say that adding
"Verify On" [ same as /V ] to your AUTOEXEC.BAT might help a bit (?)

Tip: "Format /U" ALL of these disks before you use them and if any of 
them have even a single bad sector send them back to the purchaser for
replacement... they'll change suppliers soon enough ;-)

OTOH, it could be that your PC's disk drive is in need of a clean (?)

S.

- --
.sig II Found and Restored ...

------------------------------

Date: Fri, 19 Apr 1996 08:51:14
From: "S. Widlake" <s.widlake@rl.ac.uk>
Subject: Re: Flesh Eating Virus? (PC)
X-Digest: Volume 9 : Issue 56

In article <0016.01I3LPCY7RXOSKU6UC@csc.canterbury.ac.nz> 
Steve Anthony <santhony@morgan.ucs.mun.ca> writes:

>Recently I've been made aware of a possible virus in my university.  
>Apparently, this computer Flesh Eating Virus, is a new one, corrupting 
>disks and scrambling their contents.  

I've never heard of that one & I doubt that this virus-name would exist.

>I recently received a disk from a friend, and attempted to access it. It 
>replied with a Divide by Zero error on EVERY attempt, ie:  DIR, F-PROT, 
>Norton, debug.... EVERYTHING.

This is a symptom of a damaged BPB in the floppy's boot sector. Replace
the boot sector with a valid one (from a working floppy) or if there is
nothing on this diskette that you can't get from somewhere else, simply
Format /U it.

S.

- --
.sig II Found and Restored ...
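
The BPB (BIOS Parameter Block) diagnosis above can be checked directly on a copy of the floppy's boot sector. The following is an added example, not part of the original post: it parses the BPB, flags zeroed fields that are used as divisors, and shows the suggested fix of taking the BPB from a working floppy. It assumes the standard DOS floppy BPB layout at offset 0x0B with 512-byte sectors; the two sample sectors are constructed 1.44 MB values.

```python
import struct

BPB_OFFSET = 0x0B
BPB_FORMAT = "<HBHBHHBHHH"  # 17 bytes of BPB fields, little-endian, unpadded
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "fat_count", "root_entries", "total_sectors", "media",
              "sectors_per_fat", "sectors_per_track", "heads")
# Fields used as divisors when a logical sector number is converted to a
# cylinder/head/sector address or a cluster number.
DIVISORS = ("bytes_per_sector", "sectors_per_cluster", "sectors_per_track", "heads")


def parse_bpb(sector):
    """Return the BPB fields of a 512-byte boot sector as a dict."""
    if len(sector) < 512:
        raise ValueError("need a full 512-byte boot sector")
    return dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sector, BPB_OFFSET)))


def check_bpb(sector):
    """Return a list of problems found in a floppy boot sector's BPB."""
    bpb = parse_bpb(sector)
    problems = ["%s is zero (divide error)" % n for n in DIVISORS if bpb[n] == 0]
    if bpb["bytes_per_sector"] not in (0, 512):
        problems.append("bytes_per_sector is %d, expected 512" % bpb["bytes_per_sector"])
    spc = bpb["sectors_per_cluster"]
    if spc and spc & (spc - 1):
        problems.append("sectors_per_cluster is not a power of two")
    if bpb["fat_count"] not in (1, 2):
        problems.append("fat_count is %d" % bpb["fat_count"])
    if 0 in (bpb["reserved_sectors"], bpb["sectors_per_fat"], bpb["root_entries"]):
        problems.append("reserved_sectors, sectors_per_fat or root_entries is zero")
    if bpb["media"] != 0xF0 and bpb["media"] < 0xF8:
        problems.append("media descriptor 0x%02X is not valid" % bpb["media"])
    track = bpb["sectors_per_track"] * bpb["heads"]
    if track and (bpb["total_sectors"] == 0 or bpb["total_sectors"] % track):
        problems.append("total_sectors does not match the geometry")
    return problems


def transplant_bpb(damaged, reference):
    """Return the damaged sector with the BPB of a working floppy copied in.
    Only correct when both diskettes were formatted to the same capacity."""
    if check_bpb(reference):
        raise ValueError("reference boot sector is itself damaged")
    end = BPB_OFFSET + struct.calcsize(BPB_FORMAT)
    return damaged[:BPB_OFFSET] + reference[BPB_OFFSET:end] + damaged[end:]


def make_boot_sector(bpb_values):
    """Constructed sample: jump + OEM name + BPB, zero padding, 55 AA."""
    head = b"\xeb\x3c\x90" + b"MSDOS5.0" + struct.pack(BPB_FORMAT, *bpb_values)
    return head + bytes(510 - len(head)) + b"\x55\xaa"


# Constructed 1.44 MB boot sectors: one intact, one with geometry zeroed.
REFERENCE = make_boot_sector((512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2))
DAMAGED = make_boot_sector((512, 1, 1, 2, 224, 2880, 0xF0, 9, 0, 0))

if __name__ == "__main__":
    print("damaged:", check_bpb(DAMAGED))
    print("after transplant:", check_bpb(transplant_bpb(DAMAGED, REFERENCE)))
```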

------------------------------

Date: Fri, 19 Apr 1996 09:28:00
From: "S. Widlake" <s.widlake@rl.ac.uk>
Subject: Re: Multiple boot sector infections (PC)
X-Digest: Volume 9 : Issue 56

In article <0029.01I3JH3PLOGSSKU6UC@csc.canterbury.ac.nz> 
Pavel Machek <machek@atrey.karlin.mff.cuni.cz> writes:

>: Since I did not have access to the Hard disks in any of the cases,
>: I had to fdisk and reformat the hard disks.

I cannot understand why people continue to destroy their data to
get rid of such a simple problem as a lost MBR. There are products
that can restore or even rebuild them and many people have already
got one...

Mirror /Partn  - will make this backup. DO IT NOW !!! Ready to...

UnFormat /Partn  - which will restore it over any MBR virus :-)

[ Is this in the FAQ ? If not, why not ? ] 

Rebuilding a damaged MBR isn't THAT difficult... I've done this
over the phone for someone with only half a clue before now ;-)

>So you had more than one virus, and you could not clean it?
>Well, I use following scheme to do such things: (It proves, that 
>computer viruses CAN be usable after all...)
>
>  I have one floppy (I have to pay a lot of attention when working with
>it :-( ) with ANTICMOS virus. When you boot from such floppy, it replaces
>original masterboot with itself, thereby killing any viruses but installing
>new one. But after that, I'm able to boot up and launch *something* (usually
>disk editor, but scan would do the job) to destroy ANTICMOS.
>
>  Nice way of removing viruses, isn't it?

It might be... if only I could see the remotest possibility of this
ever working. So, does this virus automagically rebuild scrapped MBR
partition tables ? Can anyone confirm this ? No ?

S.

- --
.sig II Found and Restored ...

------------------------------

Date: Fri, 19 Apr 1996 04:26:10 +0000 (GMT)
From: Eric Waid <Waide@Valero.com>
Subject: Re: Where to get a virus check up grade? (PC)
X-Digest: Volume 9 : Issue 56

GenMelchit <genmelchit@aol.com> writes:

> In article <0032.01I3FQNQ0S3KSKU6UC@csc.canterbury.ac.nz>, "Glenn P.
> Siegrist" <teamsieg@snowhill.com> writes:
> 
> >I have a Packard Bell Legend 36CD its a 486/50. It came with Win 3.11 on 
> >it I have had it for over a year now and I would like to know is there an
> >upgrade to the Microsoft virus scan program that came with it.
> 
> I was just thinking the same thing, Glenn.  My MS Anti-virus is about two
> years old (!), and I'm wondering if it's the right thing to use for
> detection. 
> 
> Anybody have an opinion on MS Anti-virus performance?  Something better?

At the risk of hurting someone's feelings, it is my opinion that ANYTHING
would be better than the MS Anti-virus program.  It was a poor version of
Central Point's anti-virus program when it first came out and, IMHO,
Central Point's program was never very good.  So, look for something like
F-Prot, The Doctor (soon to be called Virus Trac), Thunderbyte, etc.  In
other words, anything else would be better.  I have always felt that the
MS-Anti-Virus program was more dangerous than no scanner because it was so
poor.  If a person did not know any better, they would think that they had
adequate protection when they really didn't.  At least if they didn't have
anything, they would be aware of it and take some kind of precautions. 
Again, this is just my opinion and not meant to start anything. 

------------------------------

Date: Fri, 19 Apr 1996 08:30:10 -0400
From: Parasite <chendi@math.umbc.edu>
Subject: A Trojan trashed my partition tables... (PC)
X-Digest: Volume 9 : Issue 56

I recently ran a trojan horse program that scrambled my partition data.  
My drive C:, which contained a linux, dos, and linux-swap partition, is 
now inaccessible.  Is there any way to fix the partitions or do I have to 
reformat the hard disk?

Thanks in advance,
Chendi Z.

------------------------------

Date: Fri, 19 Apr 1996 04:45:26 +0000 (GMT)
From: Eric Waid <Waide@Valero.com>
Subject: Re: what is FORM virus???? (PC)
X-Digest: Volume 9 : Issue 56

cin <cin@ix.netcom.com> writes:

>    my virus checker said it cleaned up the form virus about 6 months
> ago. now it showed up on a disk i brought in to work(how embarrassing.)
> what the heck does it do??? i haven't noticed any overt symptoms.

This virus could almost be called innocuous because it really does not do
any intentional damage.  However, there are no good viruses and all should
be removed from the system.  This one is a boot infector and will infect
the boot sector of either diskettes or the PC's hard drive.  I don't know
what the "trigger" is, but when it goes off, it can manifest itself in
several ways:  It may display an obscene message about a girl named
Corinne, it may slow down the keyboard, or it may cause a clicking sound
to come from the speaker on the 24th of the month.  Any good virus scanner
can remove it.  We have had it several times at my company and we have
always been able to remove it without any trouble.

------------------------------

Date: Fri, 19 Apr 1996 05:49:01 -0700
From: "Scott A. Hauert" <shauert@primenet.com>
Subject: Re: Program to backup mbr and boot sector (PC)
X-Digest: Volume 9 : Issue 56

MIKE6099@aol.com wrote:

>Is there a (cheap) ;) program that backs up the mbr and bootable area of a
>hard disk in case of a boot virus or corruption? 

Invircible makes a really good "Resque Diskette." For just such
occasions, and that option is included in its FREE version.

I have used it on two occasions on two different machines and it
worked splendidly.

I am pretty sure Invircible is available on AOL in its anti-virus
section.  I know they are on compuserve.  If you can't find it, e-mail
me and I'll get you a copy off CIS and you can pick-it up out of my
public FTP directory.

Scott Hauert

Internet: shauert@primenet.com
Compuserve: 76342,1400
WWW: http://www.primenet.com/~shauert/

------------------------------

Date: Fri, 19 Apr 1996 05:45:00 -0700
From: "Scott A. Hauert" <shauert@primenet.com>
Subject: Re: 850MB HD now 333MB--virus? (PC)
X-Digest: Volume 9 : Issue 56

bfd1225@vax1.mankato.msus.edu wrote:

>1) Does anyone know what the virus is, if it's not Monkey or a variation I
>have a bad feeling that it might have physically damaged the drive.

Don't know about the virus.  But as for the disk space:  Most
motherboards made before 1994 did not have a bios that directly
supported hard drives larger than 540MB.  It did not really matter
what your processor was (30/50/66).  When people started upgrading to
big drives, like your 850, there had to be a way to make the machine
recognize all that disk space.  This is typically accomplished by
using a little translation-type program that is written to the track 0
(I believe) of the hard disk.

One such program, and the most common, is On-Track's Disk Manager,
which installs a "Dynamic" overlay on the boot track.  Disk Manager
also resets your drive parameters in the BIOS to what it needs.
Typically, for an 850 MB drive, around 330 MB, which is what you are
having reported.  The "Dynamic" overlay is loaded at boot and, in
essence, translates certain info between the physical drive and the
bios, to make your machine able to utilize 850 MB.

So, when you install a new 850 drive, you install the dynamic overlay,
it resets your BIOS, and when you do a DIR, you are told you have 850
MB disk space.  But, if you were to look at your BIOS, it would be set
for a drive showing only about 333 MB.

You said you got a "bad system disk" type message at boot.  This means
your track 0/boot sector were destroyed or seriously damaged.  As a
result, you lost the Dynamic overlay that made your system see the
whole 850.  Now, your BIOS is still set for 333MB. (Unlikely that the
virus reset your bios).  So, when you boot from a floppy, and check
your hard drive space, all you see is what your BIOS can report.

>2) What is the best protection I can get? I have F-Prot, I bought a
>program called PC-cillin, but it didn't detect anything (this was before
>the big crash).

I won't speculate on "best" as it only starts arguments!  There are
only a few good ones.  If you want my personal opinion, e-mail me.

You need to boot from a clean floppy, then use a trusted AV product to
disinfect.

If not, you will need to make sure it is disinfected, then you will
have to reinstall the Disk Manager program that came with your hard
drive so it can once again see all 850.  After that, you can start
reloading your information.  But you should first get an anti-virus
program you are comfortable with and start checking for the source of
the infection, unless you already know where it came from.

Scott Hauert

Internet: shauert@primenet.com
Compuserve: 76342,1400
WWW: http://www.primenet.com/~shauert/

------------------------------

Date: Fri, 19 Apr 1996 16:30:12 +0000 (GMT)
From: Jens Quickner <quickn01@fsrz1.rz.uni-passau.de>
Subject: ONEHALF.3544 HELP!!!!  (PC)
X-Digest: Volume 9 : Issue 56

Who can help me? I've got a virus called Onehalf.3544! How can I get it 
off my hard-disk?

------------------------------

Date: Fri, 19 Apr 1996 17:59:45 -0400
From: John Guynn <jag@univel.telescan.com>
Subject: Any information on IntAA? (PC)
X-Digest: Volume 9 : Issue 56

I just discovered a virus identified as IntAA by Dr. Solomon and Fprot
(using the /analyse switch).  As best I can tell it's a BS and MBR
infector and you can find the text Gnu Gpu and Roxette in the boot sector
of an infected floppy.  It seems to store the real floppy boot sector in
sector 32 (1.44 floppy).

Does anyone know if this virus has a payload or does it just replicate?
Also why did Fprot 2.22 only find it with the analyse switch?

John Guynn              jag@univel.telescan.com
Network Admin           Telescan Inc.

"I really didn't say everything I said."
Yogi Berra

------------------------------

Date: Fri, 19 Apr 1996 23:48:44 +0000 (GMT)
From: Robert Michael Slade <rslade@vcn.bc.ca>
Subject: Re: Program to backup mbr and boot sector (PC)
X-Digest: Volume 9 : Issue 56

MIKE6099@aol.com wrote:

: Is there a (cheap) ;) program that backs up the mbr and bootable area of a
: hard disk in case of a boot virus or corruption?  Or is there an option
: like this in virusscan 95 or TBAV??

There are any number of programs that'll do this for you.  The boot 
sector isn't that big a deal, since you can always get it back with SYS 
or some such, and you can back it up yourself with DEBUG.  Any utility 
program should backup the MBR for you.  As far as ThunderByte goes, the 
original TBRescue did this, and it's unlikely that they've thrown it 
away.  Most other antivirals with added utilities will do this as well.

The cheapest, though, is probably DISKSECURE.  It's free.  (Look around 
for DS-242.ZIP.)  Very solid, thorough and compatible protection.

======================
roberts@decus.ca     rslade@vanisl.decus.ca     aa046@freenet.victoria.bc.ca
      If you're not part of the solution, you're part of the precipitate
Author "Robert Slade's Guide to Computer Viruses" 0-387-94663-2 (800-SPRINGER)

------------------------------

Date: Sat, 20 Apr 1996 00:00:32 +0000 (GMT)
From: Thomas Back <am678@cleveland.freenet.edu>
Subject: 3132 bytes missing in base memory (PC)
X-Digest: Volume 9 : Issue 56

I think I have a boot virus taking up 3132 bytes of base
memory (655360/652228 bytes). I have tried 4 different virus
scanners with no luck. BTW, the hard drive and CD-ROM now
flash every three seconds, I get random screen refreshes and
slower performance now. Any help would be appreciated.

Thank you,

Thomas M. Back

------------------------------

Date: Sat, 20 Apr 1996 16:08:35 +0800
From: Trevor Le'SaX De Ginola <s5100850@mercury.np.ac.sg>
Subject: Any Cure For Lemmings Virus?????HELP! (PC)
X-Digest: Volume 9 : Issue 56

The Most Unfortunate thing just 
happened..My PC is struck with the Lemmings Virus..SigH~..Is There any way 
to remove it?...My McAfee Virus Shield(228) detects this virus but when i 
tried to scan it using McAfee Virus Scan(226-230) it couldn't be 
detected...SigH~..NOw i cannot even install my DOS and WINDOWS. I tried 
Formatting My Harddisk (At least 5 Times) But the Virus Is still there...I 
really need help urgently..some one who knows how to cure Virus PLease 
Email Me back and tell me how please..I am just a student who needs to USe 
My Computer Urgently to do my project..Sigh~..Anyone who knows how to 
cure this Virus..PLease Do Not Hesitate To Email me at s5100850@np.ac.sg

Your Help would be most appreciated..Thank You..:)

------------------------------

Date: Sat, 20 Apr 1996 12:05:06 +0000 (GMT)
From: harvest <harvest@indigo.ie>
Subject: Re: Winword/Scanprot/FProt questions (PC)
X-Digest: Volume 9 : Issue 56

Can anybody tell me where I can get a FAQ on the Winword macro virus?

- - 
Brian McCarthy <harvest@indigo.ie>

[Moderator's note:  I have the following bookmarked in Netscape:

   http://www.datafellows.fi/macrovirus.html

This page has a couple of pointers to other Word macro FAQs and
collections of interesting Word macro information.  I also would
appreciate any other good pointers to related information.]

------------------------------

Date: Sat, 20 Apr 1996 14:18:53 -0700
From: Dawn Emery <demery@kinetic1.com>
Subject: Re: Batman 2.2844 (PC)
X-Digest: Volume 9 : Issue 56

Hank Skelton wrote:

> There were several concomitant symptoms.  Many files in the /DOS
> directory simply disappeared.  A few .DOC files were corrupted.
> Some of the PCs showed bogus and recursive directories named
> /NAWIAT/NAWIAT/NAWIAT/... (TAIWAN spelled backwards); SCANDISK took
> care of this.  The two servers were pretty well trashed and were
> essentially rebuilt from scratch.  The third server wasn't affected;
> it's separated from the other two by a spanning-tree bridge, but I
> don't know if that's why it wasn't hit.  An NT 3.51 server was also
> unaffected.

I also just ran into something similar.  I didn't notice any difference 
in the size of the exe files, however, there were the recursive 
directories.  They completely mirrored the c drive.  It isn't my computer 
and the people whose it is have no idea when this recursive directory 
structure started.  I also don't know what it was originally as they 
renamed it DARKSIDE.  

When I started to delete the directory from Windows, Windows crashed, I 
had to reboot with a boot diskette and discovered that it had completely 
wiped out DOS and Windows directories.  I've scanned (with McAfee) and no 
virus shows up.  Any information provided would be great.  I was thinking 
about fdisking the drive and starting over.  Would that take care of it?

Thanks, 

Dawn Emery
demery@kinetic1.com

------------------------------

Date: Sun, 21 Apr 1996 03:01:38 +0000 (GMT)
From: "John F. Passafiume" <colflgg@redwood.cs.clemson.edu>
Subject: NYB Virus (PC)
X-Digest: Volume 9 : Issue 56

Need information on NYB Virus. Understand it is 512 bytes long and
infects boot sectors. Would like to know specifically what it does and
how one might get rid of it. Help would be appreciated.

- -
- -----------------------------------
John F. Passafiume, AKA Colonel Flagg
Department of Computer Science, Clemson University, Clemson SC  29634
Phone: (864) 656-2638 Fax: (864) 656-0145  Internet: colflgg@clemson.edu

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 56]
*****************************************


