From lehigh.edu!owner-virus-l  Mon Apr 22 15:23:26 1996 remote from vhc
Received: by vhc.se (1.65/waf)
	via UUCP; Mon, 22 Apr 96 16:48:21 GMT
	for mikael
Received: from fidoii.CC.Lehigh.EDU by mn3.swip.net (8.6.8/2.01)
	id PAA22080; Mon, 22 Apr 1996 15:23:26 +0200
Received: from Lehigh.EDU ([127.0.0.1]) by fidoii.cc.lehigh.edu with SMTP id <39604-35371>; Mon, 22 Apr 1996 09:20:37 EDT
Received: from nss2.CC.Lehigh.EDU ([128.180.1.26]) by fidoii.cc.lehigh.edu with ESMTP id <39063-31533>; Mon, 22 Apr 1996 09:19:31 EDT
Received: from cantva.canterbury.ac.nz (cantva.canterbury.ac.nz [132.181.30.3]) by nss2.CC.Lehigh.EDU (8.7.1/8.7.1) with ESMTP id JAA102636 for <virus-l@lehigh.edu>; Mon, 22 Apr 1996 09:18:29 -0400
Received: from 132.181.30.50 ("port 1097"@nick.csc.canterbury.ac.nz)
 by csc.canterbury.ac.nz (PMDF V5.0-6 #7295)
 id <01I3V2QL3NYUSKVMCQ@csc.canterbury.ac.nz> for virus-l@lehigh.edu; Tue,
 23 Apr 1996 01:16:47 +1200
Message-Id: <01I3V2QL3VI0SKVMCQ@csc.canterbury.ac.nz>
Date: 	Tue, 23 Apr 1996 01:12:12 +1200 (NZT)
Reply-To: virus-l@Lehigh.EDU
Sender: owner-virus-l@Lehigh.EDU
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>
Subject: VIRUS-L Digest V9 #57
MIME-version: 1.0
Content-transfer-encoding: 7BIT
X-Sender: cctr132@cantva.canterbury.ac.nz
X-Listprocessor-Version: 7.2 -- ListProcessor by CREN

VIRUS-L Digest   Tuesday, 23 Apr 1996    Volume 9 : Issue 57

Today's Topics:

Re: H A V S WWW Site
Re: H A V S WWW Site
Re: Dr Solomon's Virus Stats (March 96)
Re: Dr Solomon's Virus Stats (March 96)
extend module virus? (ACORN)
Wazzu macro virus (MAC,WIN)
Re: Clean Boot Floppy (WIN95)
Re: Clean Boot Floppy (WIN95)
RE: Clean Boot Floppy (WIN95)
Re: Windows font changes--virus? (WIN)
Re: NYB virus(PC)
Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
Re: Any Cure For Lemmings Virus?????HELP! (PC)
Re: Predator virus (PC)
Newbug virus, how to clean? (PC)
Re: Program to backup mbr and boot sector (PC)
Re: Winword/Scanprot/FProt questions (PC)
Re: NYB Virus (PC)
Re: Winword/Scanprot/FProt questions (PC)
Re: ONEHALF.3544 HELP!!!! (PC)
Re: SHZ virus ?? (PC)
Re: Help! Is this a virus??? (PC)
Re: NYB Virus (PC)
STONED.LZR virus! What to do??? (PC)
DIE_HARD Virus (PC)
Re: what is FORM virus???? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Sun, 21 Apr 1996 14:55:21 +0000 (GMT)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: H A V S WWW Site
X-Digest: Volume 9 : Issue 57

Rae B. Creedle (raebc@roanoke.infi.net) wrote:
: Does anyone know where the H A V S web site is now located? It's not at
: the address I was using, and I can't find it with search tools.

http://www.valleynet.com/~joe/

David Harley <harley@icrf.icnet.uk>
Support & Security Analyst
Imperial Cancer Research Fund

------------------------------

Date: Sun, 21 Apr 1996 17:02 +0000
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: H A V S WWW Site
X-Digest: Volume 9 : Issue 57

"Rae B. Creedle" <raebc@roanoke.infi.net> writes:

> Does anyone know where the H A V S web site is now located? It's not
> at the address I was using,

http://www.valleynet.com/~joe/

> and I can't find it with search
> tools.

I found it via the link at http://www.drsolomon.com/avtk/reviews

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Sun, 21 Apr 1996 12:08:36 -0600
From: Bruce Ediger <bediger@csn.net>
Subject: Re: Dr Solomon's Virus Stats (March 96)
X-Digest: Volume 9 : Issue 57

Graham Cluley <sandspm@cix.compulink.co.uk> wrote:

:But I'd be interested in hearing what other virus-l readers think of 
:posting statistics in this forum about which viruses are out there.

I think that reporting (accurate) statistics about virus prevalence is
the first step to take if you want to raise "anti-virus" from the status
of alchemy to that of a scientific discipline.

As you say, it's interesting to note that the only widespread viruses
are either boot sector or "Word" macro viruses.  Why is this?  Perhaps
the person who discovers the reason didn't even know of the fact until
it was reported.  Sharing raw information is vital to any kind of
scientific or engineering progress.

------------------------------

Date: Sun, 21 Apr 1996 21:12:05 +0000 (GMT)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: Dr Solomon's Virus Stats (March 96)
X-Digest: Volume 9 : Issue 57

Graham Cluley (sandspm@cix.compulink.co.uk) wrote:

: Daren Palmer <dpalmer@bunbury.iap.net.au> writes:

: > I'm sure the authors of the Winword Concept, Empire Monkey, and
: > Parity B, if they saw your posting, would be filled with glee
: > at the sight of their creations in the top three of the 'UK
: > Virus Charts'.

Ah: referred to in other contexts as the oxygen of publicity.....

: > These sick gits don't need any more encouragement.  I've wasted
: > enough money, and time on troubleshooting, anti-virus programmes
: > - not to mention their sapping memory in the background which
: > could be put to better use.

I suppose these people may well be sad enough to get a bit of a buzz from
seeing their babies poo-ing on so many people. However, I doubt if these 
postings have a significant negative impact on the virus problem, compared
to the use that some people are able to make of them. The fact is that
every time we post information to a public forum, we post to the black
hats as well as the good guys. However, if information was passed only
through trusted channels, the black hats would still be black-hatting
and Jo(e) Average would know even less about virus management than (s)he
does at the moment.

: > I, for one, would like to ask you to refrain from posting it
: > again.

I'm afraid you might be the only one.

: Hmm.. that's an interesting point of view - and not one I've heard 
: before. Most of the response I have had from that posting was requests 
: from users as to whether I had similar information from our USA and other 
: offices (unfortunately this isn't yet available) as they would like to 
: know what viruses are most common in their area of the world.

Understandably.  The Wild List is a useful resource, but it can be 
time-consuming to abstract data from it into management-friendly
form (one page tops, at least one graphic, no technical words unless
they're economic terms - cost centre is fine, transmission vector is
kiss of death....), and it doesn't really demonstrate frequency
(isn't meant to).

: It should also be remembered that this kind of data is not new.  Joe 
: Wells has been compiling a monthly "In the Wild" list for some time, and 
: Virus Bulletin print a "Top Twenty" in their magazine each month.  There 
: are also a number of places on the net where this kind of information can 
: be found.

In fact, since S&S contribute figures to the Wild List, Graham's list is
really a subset thereof.

: In fact, I feel there is an argument that a posting like mine could 
: actually *discourage* virus authors.  After all, anyone looking at the 
: list will see that the vast majority of viruses "in the wild" are 
: actually a few years old.  Anyone writing a virus today is pretty 
: unlikely (unless they get lucky like Concept did) to see their virus 
: actually out there causing a big problem.  Of the 8500+ viruses only a 
: very small percentage appear to be causing a big problem to everyday, 
: normal users.

Agreed.

: I think there's useful information to be gleaned from such statistics: 
: boot sector viruses are much more common than file viruses, Concept is by 
: far the most common virus in the world.  Knowing this helps us to address 
: the virus problem better and those readers of virus-l who are putting 
: together an anti-virus policy can address issues like changing the CMOS 
: to boot their PCs from drive C: (thus avoiding pure boot sector viruses), 
: installing a VxD which can stop macro viruses (to prevent the spread of 
: Concept).

Precisely. A couple of times I've pasted this list into a document,
put in another column indicating what type of virus each one in the list
is, put in a standard definition of each virus type, and summarized the
significance of the figures in terms of local virus-control. Instant
report. (I hope you don't mind me doing this, Graham!) Obviously this
isn't a definitive document in any sense: it's a list of sightings by
one vendor among many in one bit of the globe (fortunately, a bit of
the globe just up the road from the bit I'm in). Nevertheless, it's
a handy tool for giving people who have no understanding of virus
issues some sort of feel for what's actually happening.

: But I'd be interested in hearing what other virus-l readers think of 
: posting statistics in this forum about which viruses are out there.

Publish and be damned! (But not by me....) I'm sure its usefulness 
outweighs any comfort it may give to the ungodly....

David Harley <harley@icrf.icnet.uk>
Support & Security Analyst
Imperial Cancer Research Fund

------------------------------

Date: Sun, 21 Apr 1996 14:39:46 +0100
From: Michael White <mike@teapots.demon.co.uk>
Subject: extend module virus? (ACORN)
X-Digest: Volume 9 : Issue 57

Does NE1 know how 2 get rid of the extend virus on Acorns? It doesn't 
do anything except write these bugging 1K files into nearly every 
directory....
help.
- - 
       _ _        
      (_) |  _ _____ _   _   mike@teapots.demon.co.uk
 ____ | | |_/ ) ___ | | | |  mike@PObox.co.uk 
|    \| |  _ (| ____| |_| | 
|_|_|_|_|_| \_)_____)\__  |  http://www.angel.co.uk/ac
		    (____/    

------------------------------

Date: Mon, 22 Apr 1996 02:43:24 +0000 (GMT)
From: F/WIN Anti-Virus Support/Ordering <fwin_sup@ix.netcom.com>
Subject: Wazzu macro virus (MAC,WIN)
X-Digest: Volume 9 : Issue 57

A well meaning person seeking help recently posted actual virus
code for a Word macro virus on another news group.  Since the
cat is out of the bag on this, I feel it might be helpful to
deal with this virus on this forum as well.

I have already written a private e-mail regarding the posting of
live viruses on the newsgroup.  I believe that the person who
posted it was sincerely looking for help, and was not trying to
be malicious.  However, there is still the problem that a virus
was posted and must now be dealt with.

I conducted several tests with F/WIN Anti-Virus using this new
virus.  Because F/WIN uses heuristic detection, it both found
and removed this virus just as I thought it would.  However,
this particular virus is a "data diddler".  That means that it
changes data within the document, in this case, the one that's
being opened.  Once the data has been modified, no virus scanner
including F/WIN is going to be able to change it back, because
the scanner has no idea what the document looked like before it
was modified by the virus.  

So my suggestion with this virus is get rid of it fast, then
carefully check all files that were infected.  If using F/WIN
anti-virus, make sure to use the /REPORT= option when cleaning
so you know which files to check for damage.

I also noticed that just after infection, some files get a
memory error when you try to open them a second time.  This
memory error disappeared after F/WIN cleaned the files.

Gary Martin         Computer Virus Solutions
E-mail:             fwin_sup@ix.netcom.com
WWW:                http://www.entrepreneurs.net/fwin
Authorized Distributor of F/WIN Anti-Virus

------------------------------

Date: Sun, 21 Apr 1996 20:28:04 +0000 (GMT)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: Re: Clean Boot Floppy (WIN95)
X-Digest: Volume 9 : Issue 57

In article <0007.01I3T4WGFHFYSKVG0S@csc.canterbury.ac.nz>
	   elfrank@globalone.net "Larry Frank" writes:

> Can a clean boot floppy be created using Win'95 

Yes.  It is the Windows 95 Startup Disk that you are advised to 
make when you install Win95.  You can also make it later, from 
some button buried in the installation or setup utilities (can't 
remember exactly).  

It doesn't boot all the way into Windows, but into DOS, just like 
any other version of DOS.  You didn't believe that stuff about 
Windows 95 having done away with the DOS layer, did you?

> or should it be created using an older version of dos?

Booting with DOS 5 or 6 will give access to the disk sufficient 
to run an AV scanner, unless you are using disk compression.  

- -
THE CANNONEERS                        USED TIN SHEARS
	    WITH HAIRY EARS                        UNTIL THEY FOUND
			 ON WIRY WHISKERS                        Burma-Shave

------------------------------

Date: Sun, 21 Apr 1996 21:33:14 +0000 (GMT)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Re: Clean Boot Floppy (WIN95)
X-Digest: Volume 9 : Issue 57

Larry Frank (elfrank@globalone.net) wrote:

: Can a clean boot floppy be created using Win'95 or should it be created 
: using an older version of dos?  Why?

You can and should create a boot floppy using Win '95, simply 
because it can make it easier to repair system problems not necessarily
virus-related. Create it from the Windows desktop (Create Startup Disk
from Add/Remove Programs Properties) rather than with FORMAT /S. NB
you need at least a 1.2Mb disk to do this.

You can certainly use a DOS clean boot floppy to scan a Win 95 system,
though. If the system is double-spaced, it will need to be a DOS 6 or
later floppy if you want to scan files, since a system without 
doublespace drivers won't read the compressed drive as a drive, but
as a file.

David Harley

------------------------------

Date: Mon, 22 Apr 1996 00:22:51 -0400
From: Larry Mecca <lazaryth@jagat.com>
Subject: RE: Clean Boot Floppy (WIN95)
X-Digest: Volume 9 : Issue 57

>Can a clean boot floppy be created using Win'95 or should it be created
>using an older version of dos?  Why?

You should have no problem formatting a system disk because '95 is using 
DOS commands.  They're just not in the DOS directory ("folder") any 
longer.  Take a peek in \windows\command.

------------------------------

Date: Sun, 21 Apr 1996 14:14:23 -0400
From: support@vse.ac-copy.com
Subject: Re: Windows font changes--virus? (WIN)
X-Digest: Volume 9 : Issue 57

On:      Wed, 17 Apr 1996 11:24:07 +0200
PARODI <staff.ssc@galactica.it> wrote:

>After a few minutes of working in MS-Windows something strange 
>happens to the system fonts: they become spotted.

This happens mostly due to video adapters being used beyond their
specifications. Especially on VL or ISA adapters which have to fight with
a bus clock set too high.

It could also be a defective video driver, which does strange things to the
font cache.

Solution: double check your bus clock rate and try installing a generic
(i.e. MS) video driver, and see if the problem continues. If so, you have
the last alternative:

defective RAM on your video card; whether this can be repaired (i.e.
exchanged) easily depends on the type of card.

But again, no virus here...

Ciao, Guido
- 
voerste edv beratung, Theaterstr.22, 52062 Aachen, Germany
fon (++49) (0)241 404 888   |    fax (++49) (0)241 404 876

------------------------------

Date: Sun, 21 Apr 1996 01:56:14 -0500 (CDT)
From: Russell Smith <rssmith@tenet.edu>
Subject: Re: NYB virus(PC)
X-Digest: Volume 9 : Issue 57

> Need information on NYB Virus. Understand it is 512 bytes long and
> infects boot sectors. Would like to know specifically what it does and
> how one might get rid of it. Help would be appreciated.

    Take a look at F-PROT's description at this URL:

   Linkname: Data Fellows Ltd's Virus Information Pages
	URL: http://www.DataFellows.com/v-descs/b1.htm
   Filename: http://www.DataFellows.com/v-descs/info/name.htm

     I just helped a school which had an extensive outbreak of NYB
(previously known as the B1 virus). It was unknown to them before I
arrived and scanned with F-PROT and McAfee antivirus. Both programs
detected and cleaned this boot sector virus quickly and easily after
booting into the infected machines with a clean write-protected system
floppy and then running the AV software from a write-protected floppy. 

     After cleaning a couple of machines I installed a copy of the
antivirus software on the hard drives and had several of the high school
students bring all the floppies and check them while I disinfected the
rest of the lab machines. Then after they had a huge pile of infected
floppies I showed them how to disinfect them. They were very businesslike
and had great attitudes...one girl exclaimed: "I feel just like Sandra
Bullock!" 

     I tried leaving one fresh formatted floppy in the A: drive during 
boot on an infected machine to see if I could capture the virus easily. 
It failed to infect it on several tries. I did save one infected floppy 
for future workshop training to educators as NYB is a very common and 
stealthy opponent. The next day the computer teacher began the process 
of cleaning other machines in the school and discovered more NYB and the 
Stoned virus, some machines having a double dose.

    As for damage, the NYB virus can cause data corruption on floppies, 
according to the F-PROT archives. The behavior experienced by the 
computer class was not that type however. The teacher, unaware of the 
virus, expressed her concern over random freeze-ups on her Toshiba 
laptops (which were all infected) and printer freeze-ups while printing     
Word Perfect for Windows files. Her 486 DX/2 clones had 7 machines 
infected out of 20. Over 50 floppies in that lab were infected including 
master install sets of Word Perfect and several other commercial programs.

   I emphasized to the teacher the need to keep floppies 
write-protected in the future, especially master sets which didn't need 
to have the tabs open. Write-protected floppies will not normally get 
infected. 

Good luck! I have no doubt you will whip the NYB virus in your lab.

	Russell Smith   rssmith@tenet.edu   rssmith@camalott.com
Region 14 ESC Abilene, Tx   Edtech Consultant, Certified teacher, Journalist 

------------------------------

Date: Sun, 21 Apr 1996 07:08:00 +0000 (GMT)
From: Bruce Burrell <bpb@stimpy.us.itd.umich.edu>
Subject: Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
X-Digest: Volume 9 : Issue 57

Iolo Davidson (iolo@mist.demon.co.uk) wrote:

> In article <0018.01I3NQQ7OQ0KSKU6UC@csc.canterbury.ac.nz>
>          mramey@u.washington.edu "'Mike' M Ramey" writes:
> 
> > Iolo, Graham, Dr. Solomon, and development folks at S&S:
>
> I am not an S&S employee, and have no influence on their 
> development decisions.

   Neither am I, as if there were any doubt.

> >    Please print an *explicit* message in the FindVirus output that
> > *clearly* indicates the occurrence, cause, and consequences of switching
> > into "review" mode.  The word "like" is *not* a substitute for a clear
> > explanation of what is going on!
> 
> The word "like" is not an indicator for review mode.  The word 
> "like" means that the virus has not been precisely identified by 
> the extra thorough checksumming method that FindVirus normally 
> uses.  This can mean that you are in review mode, or it can mean 
> that you have a variant of the virus that does not match the 
> checksum. 

   Fair enough.  But wouldn't it make sense both on screen and in any 
output file generated  to say something like:

   "DSAV has detected more than 10 different viruses on your computer.  In
order to speed analysis, FINDVIRUS is switching to 'fast mode'.  In this
mode, viruses are identified less precisely during the scan, although
thorough analysis will be performed in order to disinfect safely.  If you 
wish to use the slower but more accurate identification throughout the 
scan, press P to continue in precise mode or run FINDVIRU with the 
<whatever> switch."

   I hereby release full rights to S&S International to use the above
wording or a derivative of it.   This is offered as a public service, 
without any restriction monetary or otherwise.

> >    I have sent you messages in the past (and I will send you more soon)
> > about the lack of clarity (or inaccuracy) of messages from the FindVirus
> > program.  
> 
> The message is accurate.  Since the precision checksumming turns 
> off after 10 different viruses are encountered, FindVirus no 
> longer says that viruses are "identified as" whatever precise 
> virus variant name, but says that they are "like" whatever main 
> virus name.  This does not miss any viruses, nor does it increase 
> the possibility of false alarms.  It just doesn't distinguish 
> precisely between the different variants of a particular virus.  

   While it may be accurate, it may also be confusing to someone who 
isn't intimately involved with S&S.  Unless the message states explicitly 
that it is intended for the use of tech support only, one should expect 
the text to be clear and unambiguous to the user.

> This review mode only happens when more than ten different 
> viruses are found during a scan.  That means that it is extremely 
> unlikely to happen to any real user, but only when someone is 
> running FindVirus on a large collection of viruses.

   Ten is small; eleven or more is large?  While I think that ten is a 
supportable decision, certainly for one who doesn't have viruses on the 
computer intentionally, that class is not the only kind of user who 
might be testing DSAV.  I'll not suggest that you -want- to be supporting 
that other group, but at least one such member of the vx community has 
posted on alt.comp.virus that he purchased DSAV.

> Findvirus' precise identification checksumming is an extra level 
> of precision not found in other anti-virus scanners.  It is 
> really only needed during repair, or when reporting a virus name 
> to tech support, neither of which are applicable to the 
> situation when someone runs a scanner on a large collection of 
> viruses.  
> 
> If a user has more than ten viruses on his machine, no doubt he 
> will run FindVirus /REPAIR to get rid of them.  The /REPAIR 
> switch stops FindVirus going into review mode, because it uses 
> the precise identification to do repairs. 
> 
> There really isn't any downside to this.    

   I suggest that there is:  Suppose someone downloads a bunch of viruses
from somewhere -- an "educational project", no doubt.  S/he fears that
s/he has gotten infected by accident (doing a DIR, probably), but neither
states the fact that there are other viruses on the system nor how the
infection might have occurred.  S/he merely says "I was using <some other
product than DSAV>, and it reported ...."  Doughnuts will get you dollars
that at least one of the following {Dr. Solly, Graham Cluley, Dmitry
Gryaznov, Jack Clark} will post a reply that says something like "Try two
other scanners and see what they say; consider using DSAV, which you can
get from...." 

   So our intrepid novice researcher does just that, and discovers that
while the other scanners identify all the viruses in the same way, DSAVTK
just says "like FORM" or "like Concept".  Now tell me:  without benefit of
critical independent reviews, which product would you expect him or her to
purchase?  I certainly would be surprised if DSAV got the nod.  Hence an
inferior product may be selected merely because of an ill-chosen text
string that gets displayed to the user. 

   I wonder what the marketroids would say to that?!?

   -BPB

------------------------------

Date: Sun, 21 Apr 1996 02:21:07 -0500 (CDT)
From: Russell Smith <rssmith@tenet.edu>
Subject: Re: Any Cure For Lemmings Virus?????HELP! (PC)
X-Digest: Volume 9 : Issue 57

> happened..My PC is struck with the Lemmings Virus..SigH~..Is There anyway 
> to remove it?...My McAfee Virus Shield(228) detect this virus but when i 

F-PROT will remove several versions of this resident .COM/.EXE 
infector. 

     http://simtel.coast.net/SimTel/SimTel/msdos/virus/fp-222.zip

	Russell Smith   rssmith@tenet.edu   rssmith@camalott.com
Region 14 ESC Abilene, Tx   Edtech Consultant, Certified teacher, Journalist 

------------------------------

Date: Sun, 21 Apr 1996 02:16:40 -0500 (CDT)
From: Russell Smith <rssmith@tenet.edu>
Subject: Re: Predator virus (PC)
X-Digest: Volume 9 : Issue 57

> We have a Predator virus on one of the computers at the school where I 
> teach.  We're having great difficulty removing it.  We've use McAfee, 
> we've formatted the drive, and it is still there.
> Can anyone help or offer suggestions for us to try?

   It's a nasty little bugger as some versions are encrypted and it often 
corrupts data on the .COM files it infects. F-PROT version 2.22 will get 
rid of one strain (Predator.1063), but at least 7 more versions are at 
present undeterred by F-PROT disinfection including the 1072.A and 1072.B 
strain. Have you tried the Format /U parameter (unconditional format)?

   Get F-PROT at the following URL:

     http://simtel.coast.net/SimTel/SimTel/msdos/virus/fp-222.zip

Good luck!

	Russell Smith   rssmith@tenet.edu   rssmith@camalott.com
Region 14 ESC Abilene, Tx   Edtech Consultant, Certified teacher, Journalist 

------------------------------

Date: Sun, 21 Apr 1996 10:05:15 -0700
From: Bjarne Havnen <bhavnen@sn.no>
Subject: Newbug virus, how to clean? (PC)
X-Digest: Volume 9 : Issue 57

I've had a hard time removing the virus Newbug on some of my floppies. 
It is a boot sector or partition-table virus.

Does anybody know how to get rid of it, which cleaner to use? VSCAN finds 
it, but does not clean it since it is not in files.

Grateful for any help

- - 
- Bjarne Havnen
	Medved http://www.sn.no/~bhavnen/
			bhavnen@sn.no

------------------------------

Date: Sun, 21 Apr 1996 11:53:42 +0200
From: Gerard Mannig <mannig@world-net.sct.fr>
Subject: Re: Program to backup mbr and boot sector (PC)
X-Digest: Volume 9 : Issue 57

>MIKE6099@aol.com writes:
>> 
>> Is there a (cheap) ;) program that backs up the mbr and bootable area of a
>> hard disk in case of a boot virus or corruption?  Or is there an option
>> like this in virusscan 95 or TBAV??

Yes, such a program exists and, as you suggest, it is rather cheap; it is
named SYSGuard. Here is a 'short' explanation. Feel free to ask for a more
complete one if needed.

-_-

In short, all statistical virus studies show that BSIs (boot sector
infectors) cause 85-90% of disasters. SYSGuard manages this by
detecting/restoring both boot sectors and MBR, **even** in a
stealth-infected environment.

Furthermore, end-users _really_ can handle the disinfection process
themselves, letting MIS people do more interesting things <g>. 

**Full** feedback is allowed as SYSGuard, when restoring things,
creates/feeds an *invisible* log. This clearly means that you will be able
to see what happened a day/week/month/year ago on a particular computer
even if the user swears he never saw the big red SYSGuard alarm window
when booting up his machine. Figure out !

Best of the best, this log *includes* past infected boot sectors for later
analysis ! This allows you to not only see WHEN infections occurred but
also WHICH viruses hit the machine at a particular date !

SYSGuard is now available for DOS/Windows 3.x/WIN95 environments

Hope this helps

Regards,

- ----------------------------------------------------------------
Gerard MANNIG                                    Virus Consultant 
    Phone : +33 (16) 3559-9344     Fax     : +33 (16) 3560-5011               
Report a virus attack: http://www.primenet.com/~mwest/vir-vrf.htm
Member of   R . E . C . I . F 
data +33 1 3415-4959                Voice machine +33 1 3072-9443
=-=-=- I do NOT speak for RECIF unless otherwise specified -=-=-

------------------------------

Date: Sun, 21 Apr 1996 23:25:30 -0700
From: LEUT Nick Tate <ntate@exec.navy.gov.au>
Subject: Re: Winword/Scanprot/FProt questions (PC)
X-Digest: Volume 9 : Issue 57

The following pointer may help:

http://www.mcafee.com/support/techdocs/vinfo/concept.html

NT

- - 
-=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=-
Lieutenant Nick Tate, RAN JP                         Phone  (+61 6) 265 5115
Staff Officer 2 Current Coordination                 Fax    (+61 6) 265 2036
Directorate of Naval Current Policy and Plans        Mobile    (014) 423 496
Naval Policy and Warfare Branch
A-3-14  Russell Offices                   http://navmat.navy.gov.au/dcns
CANBERRA  ACT  2600                       e-mail: ntate@exec.navy.gov.au

		 "Don't talk to me about life" - Marvin

------------------------------

Date: Sun, 21 Apr 1996 17:02 +0000
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: NYB Virus (PC)
X-Digest: Volume 9 : Issue 57

"John F. Passafiume" <colflgg@redwood.cs.clemson.edu> writes:

> Need information on NYB Virus. Understand it is 512 bytes long
> and infects boot sectors. Would like to know specifically what
> it does and how one might get rid of it.
> Help would be appreciated.

Here is some information on NYB from Dr Solomon's:

NYB

Aliases: New York Boot, B1

Type: Memory-resident boot and partition sector virus.

Affects: Floppy and hard disks.

Description:
NYB infects the boot sector of floppy disks and the partition sector 
(MBR) of hard disks. The partition sector becomes infected when the PC is 
booted from an infected floppy disk (even if the floppy disk is not 
bootable). The virus then goes memory resident, infecting floppy disks 
which are accessed (even if floppy disks are just being read).  The 
original partition sector is re-located to cylinder 0, head 0, sector 17. 
On floppy disks, the original boot sector is re-located to one of the 
root directory sectors.  The virus uses stealth to conceal itself when 
memory resident.

NYB can crash a PC if the hard disk is written to at midnight (00:00).

Most good anti-virus programs should have no difficulty in cleaning-up 
this virus.  You can download an evaluation version of Dr Solomon's 
FindVirus (part of the full commercial version of Dr Solomon's Anti-Virus 
Toolkit) from our website.  Remember to scan your floppy disks as well.

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

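Gerard Mannig's SYSGuard post earlier in this digest (keep a copy of the MBR and boot sectors, detect changes, restore, and log what changed) and the Dr Solomon's NYB description above (the virus overwrites the partition sector and hides the original elsewhere) both come down to one defensive idea: keep a trusted copy of sector 0 and compare the live sector against it. The following Python is an added example of that check; it is not SYSGuard's code, Dr Solomon's code, or anything posted by a list member. The two 512-byte sector images are constructed inside the script, the partition entry values (type 0x06, LBA start 63, 100000 sectors) and the stub code bytes are assumptions chosen for the demo, and reading a real sector 0 from a drive is left to the caller.

```python
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # the MBR partition table starts here
TABLE_END = 510               # four 16-byte entries end here
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid boot/partition sector


def parse_partition_table(sector):
    """Return the four MBR partition entries as dicts (CHS fields skipped)."""
    entries = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, size
        status, ptype, lba_start, size = struct.unpack_from(
            "<B3xB3xII", sector, TABLE_OFFSET + 16 * i)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": size})
    return entries


def validate_sector(sector):
    """Cheap sanity checks that catch a truncated, garbage or unsigned sector."""
    problems = []
    if len(sector) != SECTOR_SIZE:
        problems.append("sector is %d bytes, expected %d" % (len(sector), SECTOR_SIZE))
        return problems
    if sector[TABLE_END:] != BOOT_SIGNATURE:
        problems.append("missing 0x55AA boot signature")
    for i, e in enumerate(parse_partition_table(sector)):
        if e["status"] not in (0x00, 0x80):   # only inactive/active are legal
            problems.append("entry %d: invalid status byte 0x%02x" % (i, e["status"]))
    return problems


def make_baseline(sector):
    """Record a copy of the trusted sector plus hashes of its two regions."""
    return {
        "copy": bytes(sector),
        "sha256": hashlib.sha256(sector).hexdigest(),
        "code_sha256": hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest(),
        "table_sha256": hashlib.sha256(sector[TABLE_OFFSET:TABLE_END]).hexdigest(),
    }


def compare_to_baseline(sector, baseline):
    """Return a list of findings; an empty list means the sector is unchanged."""
    current = make_baseline(sector)
    if current["sha256"] == baseline["sha256"]:
        return []
    findings = []
    if current["code_sha256"] != baseline["code_sha256"]:
        findings.append("boot code region (bytes 0-445) changed")
    if current["table_sha256"] != baseline["table_sha256"]:
        findings.append("partition table (bytes 446-509) changed")
    if sector[TABLE_END:] != baseline["copy"][TABLE_END:]:
        findings.append("boot signature changed")
    return findings


def restore_from_baseline(baseline):
    """The bytes to write back to sector 0 to undo a change to the code region."""
    return baseline["copy"]


def build_sample_mbr(code):
    """Constructed sample with one active FAT16 partition; not a real disk image."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(code)] = code
    # status 0x80 (bootable), CHS fields zeroed, type 0x06, LBA 63, 100000 sectors
    struct.pack_into("<B3xB3xII", sector, TABLE_OFFSET, 0x80, 0x06, 63, 100000)
    sector[TABLE_END:] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed images: a "clean" sector 0 and a copy whose code region was
# overwritten while the partition table was left intact (the change pattern
# a boot-sector infector produces). The bytes are arbitrary placeholders.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"\x00" * 32)


def demo():
    baseline = make_baseline(CLEAN_MBR)
    return {
        "clean_problems": validate_sector(CLEAN_MBR),
        "clean_findings": compare_to_baseline(CLEAN_MBR, baseline),
        "tampered_findings": compare_to_baseline(TAMPERED_MBR, baseline),
        "restored_ok": restore_from_baseline(baseline) == CLEAN_MBR,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two points from the posts above carry over to any real use of such a check: the baseline must be taken and the comparison run after booting from clean, write-protected media (as Russell Smith's NYB post describes), because a resident stealth virus such as NYB hands back the original sector to any read made while it is in memory; and the baseline copy has to live off the disk it protects, or the same infection that changes sector 0 can change the copy.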
------------------------------

Date: Sun, 21 Apr 1996 17:13 +0000
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Winword/Scanprot/FProt questions (PC)
X-Digest: Volume 9 : Issue 57

harvest <harvest@indigo.ie> writes:

> Can anybody tell me where I can get a FAQ on the Winword
> macro virus?

Try http://www.drsolomon.com/vircen/macrovir.html

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

------------------------------

Date: Sun, 21 Apr 1996 17:13 +0000
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: ONEHALF.3544 HELP!!!! (PC)
X-Digest: Volume 9 : Issue 57

Jens Quickner <quickn01@fsrz1.rz.uni-passau.de> writes:

> Who can help me? I've got a virus called Onehalf.3544!

Here's a description from Dr Solomon's:

One_Half

Aliases: FreeLove, Slovak Bomber, Explosion II

Type: Memory-resident file and partition sector virus (multipartite)

Affects:  Fast infector: COM and EXE files on execution, open, rename 
etc. Hard disk's partition sector is infected when an infected program is 
executed.

File Growth:  3544 bytes

Description:
The virus in infected files is variably encrypted and polymorphic.

The virus demonstrates stealth capabilities - when it is active in 
memory, it conceals all changes to infected hard disk's partition sector 
and file size increase.

Partition sector is infected when an infected program is executed. COM 
and EXE files are infected on virtually any access to them - it's a fast 
infector.

The nastiest feature of One_Half is its payload. When a hard disk is 
infected, the virus calculates the position of the last cylinder of the 
last DOS partition. Then every time the computer is booted, the virus 
encrypts two of the disk's cylinders, starting from the last two cylinders 
and moving towards the beginning of the partition. The pointer to the last 
encrypted cylinder is updated in the infected partition sector. When the 
pointer falls below approximately one half of the total number of 
cylinders in the partition (i.e. when half of the disk partition is 
encrypted), the virus triggers, provided the date is a multiple of 4. In 
that case the virus displays the message

  Dis is one half
  Press any key to continue ...

Variants: There is another variant of the virus 3577 bytes long.

> How can I get it off my hard-disk?

Dr Solomon's FindVirus (part of Dr Solomon's Anti-Virus Toolkit) can 
detect and clean-up this virus, including decrypting your hard disk.  You 
can download an evaluation version of FindVirus from our website, or send 
a blank email to findvirus@info.drsolomon.com to receive it in UUEncoded 
chunks.

Remember to check all your floppies as well.

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com                 USA Tel: +1 617-273-7400

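What the payload mechanics above imply for clean-up, as an added example (not Dr Solomon's code, and nothing taken from the virus itself): a small Python simulation of the cylinder-by-cylinder encryption, the pointer kept in the partition sector, the trigger condition, and the difference between blindly rewriting the partition sector and decrypting first. The disk geometry, the one-byte XOR cipher standing in for the real encryption, and the assumption that the key is stored in the infected partition sector next to the pointer are assumptions of this demo, not statements from the description.

```python
"""Toy model of the One_Half cylinder-encryption payload and of two ways of
cleaning it. Added example; assumptions: tiny geometry, one-byte XOR cipher,
key kept in the infected partition sector beside the cylinder pointer."""
from dataclasses import dataclass
from typing import List, Optional

SECTOR_BYTES = 512
SECTORS_PER_CYL = 4     # assumption: tiny geometry so the demo runs instantly
TOY_KEY = 0x5A          # assumption: one-byte XOR key stands in for the real cipher


@dataclass
class Disk:
    """One bytes object per cylinder, plus what the infected partition sector
    carries: the key and the pointer to the next cylinder to encrypt."""
    cylinders: List[bytes]
    key: Optional[int] = TOY_KEY
    next_cyl: int = -1          # walks from the last cylinder toward cylinder 0
    infected: bool = True


def make_disk(n_cyl):
    """Freshly infected disk whose cylinders hold recognisable plaintext."""
    size = SECTOR_BYTES * SECTORS_PER_CYL
    cyls = []
    for c in range(n_cyl):
        pattern = b"DOS data in cylinder %d " % c   # constructed sample data
        cyls.append((pattern * (size // len(pattern) + 1))[:size])
    return Disk(cylinders=cyls, next_cyl=n_cyl - 1)


def xor_bytes(buf, key):
    return bytes(b ^ key for b in buf)


def encrypted_range(disk):
    """Cylinders currently encrypted: everything above the pointer."""
    return range(disk.next_cyl + 1, len(disk.cylinders))


def boot(disk, day_of_month):
    """One boot with the virus active: two more cylinders are encrypted (from
    the end toward the start), the pointer in the partition sector is updated,
    then the trigger is evaluated. Returns True when 'Dis is one half' would
    be displayed: pointer below half the cylinders and date a multiple of 4."""
    if not disk.infected:
        return False
    for _ in range(2):
        if disk.next_cyl < 0:
            break
        c = disk.next_cyl
        disk.cylinders[c] = xor_bytes(disk.cylinders[c], disk.key)
        disk.next_cyl -= 1
    half = len(disk.cylinders) // 2
    return disk.next_cyl < half and day_of_month % 4 == 0


def read_cylinder(disk, c):
    """What DOS sees. While the virus is resident its stealth handler decrypts
    reads of the encrypted cylinders on the fly, so nothing looks wrong."""
    raw = disk.cylinders[c]
    if disk.infected and c in encrypted_range(disk):
        return xor_bytes(raw, disk.key)
    return raw


def clean_mbr_only(disk):
    """Overwrite the partition sector without decrypting (a generic MBR
    rewrite): the virus is gone, but so are the key and pointer, and the
    encrypted cylinders are now exposed as ciphertext."""
    n = len(disk.cylinders)
    return Disk(cylinders=list(disk.cylinders), key=None, next_cyl=n - 1, infected=False)


def clean_and_decrypt(disk):
    """What a virus-aware cleaner must do: read key and pointer from the
    infected partition sector, decrypt every encrypted cylinder, then remove
    the virus."""
    n = len(disk.cylinders)
    cyls = list(disk.cylinders)
    for c in encrypted_range(disk):
        cyls[c] = xor_bytes(cyls[c], disk.key)
    return Disk(cylinders=cyls, key=None, next_cyl=n - 1, infected=False)


def readable(disk, c):
    """True if cylinder c reads back as the plaintext it was created with."""
    return read_cylinder(disk, c).startswith(b"DOS data in cylinder %d " % c)


if __name__ == "__main__":
    d = make_disk(20)
    boots = 1
    while not boot(d, day_of_month=4):
        boots += 1
    print("message shown after boot", boots, "encrypted cylinders:", list(encrypted_range(d)))
    print("cylinder 15 readable after MBR-only clean:", readable(clean_mbr_only(d), 15))
    print("cylinder 15 readable after decrypting clean:", readable(clean_and_decrypt(d), 15))
```

On a 20-cylinder disk the pointer goes 19, 17, 15, 13, 11, 9, so the message appears on the fifth boot that falls on a day that is a multiple of 4. The practical point is clean_mbr_only(): a generic rewrite of the partition sector removes the virus together with the only copy of the key and pointer, and the half of the disk that was encrypted stays ciphertext. That is why the reply above stresses a cleaner that decrypts the hard disk rather than one that merely replaces the partition sector.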
------------------------------

Date: Sun, 21 Apr 1996 17:53:16 +0000 (GMT)
From: Christiane + Mario Laboch <Laboch@t-online.de>
Subject: Re: SHZ virus ?? (PC)
X-Digest: Volume 9 : Issue 57

Renne A Tergujeff <tergujef@cc.Helsinki.FI> wrote:

>>What kind of virus is SHZ virus? Is it dangerous?
>>It was found on my machine by McAfee's 2.2.9 (on Win95).
>>However I can't find any info on virus of that name. So what it is?

I have read that McAfee has had a bug. It detected SHZ in some
PC-TOOLS files, so it may be that you don't have the virus. Use some
other scanner to find out.

I have had the same problem, but there was no virus.

Mario
Laboch@t-online.de

------------------------------

Date: Sun, 21 Apr 1996 14:28:43 -0400
From: support@vse.ac-copy.com
Subject: Re: Help! Is this a virus??? (PC)
X-Digest: Volume 9 : Issue 57

On      Tue, 16 Apr 1996 15:48:42 +0000 (GMT)
	xtreme@nucleus.com wrote:

>Sometimes especially when running Nortons Optimize my machine (a IBM clone
>486-DX2 50) starts to whine, it almost sounds like the harddrive speeds up
>for a moment and does a file transfer and then the harddrive makes a
>clonking noise.  When looking at the files accessed in optimize they are
>always "Fat Directories"
[snip happens]

I suspect that the settings in your CMOS do not reflect the true geometry
of your hard drive. If you are using Norton Utilities, you should check
with NDD and NDIAGS. They will tell you whether there are any obvious
problems. However, there can be hidden problems that both of these
programs will not recognize offhand. Those will always be dependent on
the special setup of your machine (what kind of hard drive, any special
partition manager, such as Ontrack). DO try to get hold of someone
experienced in these matters (maybe the one who sold the machine?),
because these problems WILL give you a lot of trouble.

Ciao, Guido
- 
voerste edv beratung, Theaterstr.22, 52062 Aachen, Germany
fon (++49) (0)241 404 888   |    fax (++49) (0)241 404 876

------------------------------

Date: Sun, 21 Apr 1996 20:53:41 -0500
From: cyberloc@airmail.com
Subject: Re: NYB Virus (PC)
X-Digest: Volume 9 : Issue 57

John F. Passafiume wrote:

> Need information on NYB Virus. Understand it is 512 bytes long and
> infects boot sectors. Would like to know specifically what it does and
> how one might get rid of it. Help would be appreciated.

The NYB (New York Blues) virus can be cleaned with the latest version of 
McAfee.

------------------------------

Date: Mon, 22 Apr 1996 08:53:35 +0000 (GMT)
From: "DOORDUYN S.C.A." <S.C.A.Doorduyn@kub.nl>
Subject: STONED.LZR virus! What to do??? (PC)
X-Digest: Volume 9 : Issue 57

Finally my virus scanner (McAfee x.x) detected the STONED.LZR virus in the
boot sector. However, the scanner does not recognize the virus again if
I boot and scan from the A: drive, nor if I boot again from the HD.
Unfortunately the virus causes so many problems that nothing runs
normally anymore. The million dollar question that remains is:

Can the virus be detected if inactive and be destroyed, and how can I 
re-install my computer knowing for sure I'm not installing the virus 
again (as the scanner only detects it after too many problems have 
occurred already)?


Symptoms:
- Both data and program files are slowly written full with vvvvv 
  (hex F6)
- Sectors are not necessarily totally filled up with vvv
- The more is written to the HD, the more vvv I find. Using Speed Disk
  from Norton a few times results in so many vvv that I can't use any
  programs anymore. (I do not run disk-caching programs [SmartDrive]
  while using Speed Disk.)
- There is no virus scanner (or I have not yet found one) that gives any
  alarm when I install my computer from cradle to grave. I followed all
  necessary procedures (as far as I know) to 'disinfect' (wiping the HD,
  corrupting MBR+BR, shorting the CMOS battery, and starting clean with a
  scanner memory resident). I've tried: - McAfee, March 1995
                                        - Toolkit 7.1
                                        - F-Protect, February 1995
  
- I'm sure that it is not caused by conflicting hardware, because the 
  problem occurred already a few years ago ('92); I had cleaned everything
  and got rid of it, I thought. I bought a new computer in '94 (sold the
  other one) and now it's back (boomerang??), but there is still no scanner
  that notices anything during the installation of software!
- Strangely enough, people with whom I share do not (yet) have the same
  problem, nor have any symptoms been found yet.
- When looking with the Disk Editor from Norton at the HD I find the
  following strange 'file' starting at cluster 0:

                                          Cluster Arc  R/O Sys Hid Dir Vol
  IO.SYS     40934 31-05-94   6:22 am       2           X   X   X
  MSDOS.SYS  38200 31-05-94   6:22 am     122           X   X   X
  AP.r.o.g.r.    0 12-03-80   0:03 am       0           X   X   X       X

  (I can't select cluster 0 with the Disk Editor.)
  As McAfee confirms, the virus is in the boot sector, and the LABEL
  command does not allow me to change the volume name. (The label shown by
  DOS using the DIR command is different from the label Norton DE
  shows, so I guess the virus has copied the boot sector that is used by
  DOS to another spot on the HD.)
       Norton: NO VOLUME   (Select Object with the DE)
       DOS   : AP          (Trying to change: DOS message: Directory entry
                            cannot be made)

- Too many lost clusters, FAT copies often don't match, even invalid Media 
  Descriptor Byte in FAT.
- Memory dump: the text "Stoned" can be found at several addresses. (So I
  guess McAfee's suggestions are correct.)
- I can run software that was already on my HD, but I can't run or even 
  install new software from CD-ROM.
- EMM386: memory ranges given by user are overlapping.


Software configuration:
- DOS 6.22
  I do not use compression programs
- Windows 3.11


Is there anyone who could help me somehow to get rid of this virus?

Marco Helmendag. 

[Moderator's note:  You say March and February -95- versions of scanners.
If these are not typographical errors, I would suggest that first you
try more current copies of your scanners than you mention here.]

------------------------------

Date: Mon, 22 Apr 1996 13:31:27
From: Bryce Powell <BPOWELL@uctlib.uct.ac.za>
Subject: DIE_HARD Virus (PC)
X-Digest: Volume 9 : Issue 57

The abovementioned virus managed to infect some files on our file server
(Novell 4.02). McAfee v2.9.9 managed to remove it from the infected
files. However, after a user logs in from a PC and has run a few software
apps, and you then run Scan again, traces of the DIE_HARD virus are
found in PC memory. I can only speculate that a 'ghost' of the virus has
been left attached to some of the originally infected files (in the form
of a few bytes of the original code?). My question is: how do I get
rid of it?!

You can imagine the panic created when a user scans his/her harddrive
and is presented with that message !

I thought of running DEFRAG ( DOS )  on all the volumes of the file
server, but that would mean scheduling downtime ( not good ... ).

Any ideas ?

Thanks,
Bryce Powell.

Network Assistant
University of Cape Town
South Africa
tel:  (021) 650-3129
e-mail :  bryce@uctlib.uct.ac.za

------------------------------

Date: Mon, 22 Apr 1996 07:57:25 +0000 (GMT)
From: Bruce Burrell <bpb@stimpy.us.itd.umich.edu>
Subject: Re: what is FORM virus???? (PC)
X-Digest: Volume 9 : Issue 57

Mike Michalowicz (ici@planet.net) wrote:

> cin wrote:
> 
> >    my virus checker said it claned up the form virus about 6 months
> > ago. now it showed up on a disk i brought in to work(how embarassing.)
> > what the heck does it do??? i haven't noticed any overt symptoms.
> 
> The FORM virus originated in Switzerland.  It is a memory resident virus 
> that infects the boot sector of hard drives and floppy drives.  It 
> usually infects the boot sector on the first access, but sometimes skips 
> over it.  To remove, boot from a clean floppy (with the same DOS version 
> as your HDD) and use FDISK /MBR.  For floppies use SYS A: or SYS B: to 
> remove.

   NO!    FORM infects the DOS Boot Sector (DBS) on both hard and floppy 
drives.  FDISK only affects the Master Boot Record and, when used with 
the undocumented switch you specify, can trash data.  See the 
alt.comp.virus FAQ, section 14, for more details.

   If no other virus is affecting the system, SYS C: will remove the FORM 
infection from the hard drive, as will SYS A: remove it from floppies *if 
there is room for the system files*.  This is -not- a good solution in 
general, however; it is far better to use an antivirus program to fix the 
problem.  SYS and FDISK know nothing of viruses; they have no checks to 
prevent doing their thing if there's a problem.  Use the tool intended 
for the job.

   Oh yes: there are high quality products available to do just this
disinfection out there on the 'Net; at least one of the best is free for
individual, non-commercial use.  In my opinion, it is ill-considered at
best and unethical at worst to recommend using SYS or FDISK as a first
option, given the availability of safer, more powerful tools.  Remember,
it's someone else's data that we who make suggestions are putting at risk. 

   -BPB

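To make the MBR-versus-DOS-boot-sector distinction above concrete, here is an added Python example (not from the alt.comp.virus FAQ, Norton, or any antivirus product). It builds a constructed MBR and a constructed FAT16 DOS boot sector, tells them apart by layout, and then models what FDISK /MBR and SYS C: each overwrite when the DBS carries a FORM-style infection. The marker bytes, partition values and BPB values are invented for the demo; nothing here is real FORM code, and the classifier is a layout heuristic, not a virus detector.

```python
"""Added example: MBR vs. DOS Boot Sector layout, and which sector each of
FDISK /MBR and SYS C: rewrites. All sector contents are constructed."""
import struct

SIG = b"\x55\xAA"
CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0"        # a few harmless x86 bytes as loader code
MARK = b"[constructed FORM-like marker]"    # stands in for a virus body; not real FORM code


def build_mbr():
    """Constructed Master Boot Record: loader code, four 16-byte partition
    entries at offset 446, 0x55AA signature at offset 510."""
    s = bytearray(512)
    s[:len(CLEAN_CODE)] = CLEAN_CODE
    # one active (0x80) FAT16 (type 0x06) partition: CHS start/end, LBA start 63, 20160 sectors
    s[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xFE\x3F\x0C", 63, 20160)
    s[510:] = SIG
    return bytes(s)


def build_dbs():
    """Constructed FAT16 DOS Boot Sector: jump, OEM name, BIOS Parameter Block
    at offset 11, loader code after it, 0x55AA signature."""
    s = bytearray(512)
    s[0:3] = b"\xEB\x3C\x90"
    s[3:11] = b"MSDOS5.0"
    # bytes/sector, sectors/cluster, reserved sectors, FATs, root entries, total sectors,
    # media byte, sectors/FAT, sectors/track, heads, hidden sectors, total sectors (32-bit)
    s[11:36] = struct.pack("<HBHBHHBHHHII", 512, 4, 1, 2, 512, 20160, 0xF8, 20, 63, 16, 63, 0)
    s[62:62 + len(CLEAN_CODE)] = CLEAN_CODE
    s[510:] = SIG
    return bytes(s)


def classify(sector):
    """Layout heuristic: a plausible BPB means DBS, a plausible partition
    table means MBR. It shows the two sectors differ; it is not a scanner."""
    if len(sector) != 512 or sector[510:] != SIG:
        return "unknown"
    bps, spc, _, nfats = struct.unpack("<HBHB", sector[11:17])
    has_bpb = (sector[0] in (0xEB, 0xE9) and bps in (512, 1024, 2048, 4096)
               and spc in (1, 2, 4, 8, 16, 32, 64, 128) and nfats in (1, 2))
    entries = [sector[446 + 16 * i:462 + 16 * i] for i in range(4)]
    has_table = (all(e[0] in (0x00, 0x80) for e in entries)
                 and any(e[4] != 0 for e in entries))
    if has_bpb and not has_table:
        return "dbs"
    if has_table and not has_bpb:
        return "mbr"
    return "unknown"


def form_infect(disk):
    """Model of a FORM-style infection: DBS loader code replaced, BPB kept
    intact so DOS still mounts the volume. The MBR is not touched."""
    dbs = bytearray(disk["dbs"])
    dbs[62:62 + len(MARK)] = MARK
    return {"mbr": disk["mbr"], "dbs": bytes(dbs)}


def fdisk_mbr(disk):
    """Model of FDISK /MBR: fresh loader code in the MBR, partition table
    kept. It never writes the DBS, so a FORM infection survives it."""
    mbr = bytearray(build_mbr())
    mbr[446:510] = disk["mbr"][446:510]
    return {"mbr": bytes(mbr), "dbs": disk["dbs"]}


def sys_c(disk):
    """Model of the boot-sector side of SYS C:: fresh DBS code written around
    the volume's existing BPB. The MBR is not touched."""
    dbs = bytearray(build_dbs())
    dbs[11:36] = disk["dbs"][11:36]
    return {"mbr": disk["mbr"], "dbs": bytes(dbs)}


def infected_sectors(disk):
    """Names of the sectors that still carry the marker."""
    return sorted(name for name, s in disk.items() if MARK in s)


if __name__ == "__main__":
    disk = {"mbr": build_mbr(), "dbs": build_dbs()}
    print({k: classify(v) for k, v in disk.items()})
    sick = form_infect(disk)
    print("infected:", infected_sectors(sick))
    print("after FDISK /MBR:", infected_sectors(fdisk_mbr(sick)))
    print("after SYS C:   :", infected_sectors(sys_c(sick)))
```

fdisk_mbr() leaves the marker in place because it only rewrites the code part of the disk's first sector, where FORM does not live; sys_c() replaces the DBS code around the existing BPB and clears it, which matches the reply's point that SYS C: (not FDISK /MBR) is the DOS tool that happens to overwrite what FORM infects. The same layout knowledge is why a blind FDISK /MBR is risky on a disk with a non-standard MBR (a partition manager such as Ontrack, mentioned elsewhere in this digest) or one whose original sector a virus has relocated: the rewrite happens without knowing what is there. A real antivirus product identifies the virus before it writes anything, which is the reply's recommendation.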
------------------------------

End of VIRUS-L Digest [Volume 9 Issue 57]
*****************************************


