To: VIRUS-L@LEHIGH.EDU
Subject: VIRUS-L Digest V6 #156
--------

VIRUS-L Digest   Wednesday, 8 Dec 1993   Volume 6 : Issue 156

Today's Topics:

info on Draft Swiss
Re: anti-virus legislation
Re: More Liabilies..
Re: Fictional virus and antivirus in Dr. Dobb's Journal , December 1993
anti-virus DOS -> UNIX (UNIX)
Netware Approved Virus Protection? (Novell)
Re: Commercial Virus Scanners in the dark??? (PC)
Re: Re[2]: Which antivirus program (PC)
Re: QUESTION: F-PROT virstop (PC)
Scanning archives with F-PROT (PC)
Re: BEB* virus (PC) ???
Re: Getting rid of V-sign (PC)
Re: Re[2]: November 17th virus at Manchester England? (PC)
Re: QUESTION: F-PROT virstop (PC)
Re: NAV Clinic 2.0 false alarm or bd SCAN 108? (PC)
Re: BEB* virus (PC) ???
Re: Monkey is not cute! (PC)
Re: S-Bug info?? (PC)
About that *&%$@! BEB* non-virus (PC)
Re: WinNT + Dos 6.0 + Form VIRUS!! (PC)
Re: BEB* virus (PC) ???
Has anyone heard of the the reaper virus V Cpav (PC)
Re: BEB* virus (PC) ???
New (?) variant of Stoned virus (PC)
Using A-V software to remove vir (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.) Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes) should
be sent to me at: krvw@ASSIST.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date:    02 Dec 93 09:28:22 -0500
From:    lfernand@umiami.ir.miami.edu
Subject: info on Draft Swiss

I could really use the help of all you computer people out there. I'm
trying to make a Freelance presentation for my computer class and I'll
be doing it on the Draft Swiss topic. I could really use all information
that you could offer me.

Thanks

Linda Fernandez
11511 SW 84 St.
Miami, FL 33173
(305)596-5208
email lfernand@umiami.ir.miami.edu

------------------------------

Date:    Thu, 02 Dec 93 13:26:47 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: anti-virus legislation

OS R & D (ksaj@pcscav.com) writes:

> Sweden's legal definition of a virus would be impossible to uphold in
> court, unless it is drastically changed.

Could somebody post the official English translation of the relevant
part of the Swedish legislation? It may be that you are interpreting it
incorrectly; recall the case with the Swiss legislation, which didn't
explicitly state that malicious intent is required - and people jumped
on conclusions, just because they didn't know that this is required by
default.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Thu, 02 Dec 93 16:53:19 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: More Liabilies..

Karl Tarhk (src4src!ktark@imageek.york.cuny.edu) writes:

> Agree Totally, just as people who manufacture weapons cannot be held liable
> for the actions others take with them.

Well, my ethical system seems to differ from yours, because I don't
agree even with the above.
I am against *any* manufacturing, distribution, or usage of destructive
weapons. Yes, I know that sometimes it is necessary. But this does not
make it more ethical in my eyes.

> The point here is not to judge who writes viruses or not, the point
> here is responsibility.

Yes, and the point is that those who write viruses must *also* share
the responsibility when/if his viruses are found somewhere where they
are not wanted.

> Who is to say if you are responsible or not?
> The law.

Not always.

> Being responsible applies to everyday life's behaviour, for example you have
> to be responsible when you drive your car, responsible to other drivers and
> pedestrians, if you are not (driving under the influence of alcohol is an
> example,) then you go to jail if caught, simple as that.

It's not as simple as that. If a responsible person makes a mess, s/he
will do their best to help cleaning up, regardless of whether failing
to do so has any legal implications or not. An irresponsible person
will do their best to avoid having to do anything with the mess they
have made, again regardless of the legal implications. Of course, if
the legal implications are severe enough, they might be forced to do
what a responsible person will do on their good will.

> K>but it is pretty unethical to write the virus in the first
> K>place.
> This argument is ridiculous!

Actually, what *is* ridiculous is your way of reasoning and those of
the other virus writers like you, or of those who are helping for the
wide dissemination of viruses.

> Using the same logic you used before, it can be proven that your train
> of thought is contradictory:

I didn't see you to prove it.

> Who are you to decide whether something is
> unethical or not?

For instance, a responsible member of the society. Responsible members
of the society don't do things that the society in general considers
unethical.

> Who is the one to decide whether something is unethical or not?

The society, of course.

> Writing a virus has nothing to do with ethics,

It certainly does, or more exactly with the lack of them.

> as I said before
> it is yet to be proven that a virus has no benefits, then writing a virus
> is in no way unethical.

This is fallacious. First of all, it is very difficult to prove a
negative - I thought that you know at least such elementary things.
Second, while it has yet to be proven that a virus cannot be
beneficial, it *has* been proved that a virus can be destructive.
Third, whether something is beneficial or not often has nothing to do
with ethics.

But all this is just useless logistics, because, from a practical point
of view, your arguments are completely flawed. Can you show me *one*
*real* beneficial virus? As opposed to that, many of the viruses that
you have written can cause damage in several environments.

> Notice that I am referring just to the act of creating a virus.

As it has been observed several times, this is OK, if nobody but the
creator sees it. However, we are talking here about those who write
viruses and post them on the virus exchange BBSes or publish them in
the underground virus writing magazines, where any malicious person can
get them and use them to cause damage.

> K>Why would you want to write one?
> There are a million possible reasons; just because you cannot see the sun
> it does not mean it does not exist.

OK, so enlighten us, tell us those million possible reasons. And beware
if they are only 999,999. :-)

> What benefit could a scientist receive from studying Anthrax viruses?

Do you mean the computer virus called Anthrax? :-)

> The mistake here again is that viruses are not inherently destructive

What we call *real* viruses - the things that you write - *are*
inherently destructive.

> they may have (at least in theory) a useful purpose.

You are obviously not understanding the theory.

> You have problems understanding the basic premise that we, are not like others,
> i.e.
> everyone is different, including virus writers, and they all don't have
> a need to let people 'see' their work.

The problem that we, the people, have with the kind like you is that
you *do* release your work to be seen. If you wouldn't, everything
would be OK.

> Some people are beyond the adolescent
> stage of 'showing off.' (Some people are not :) )

Obviously, most virus writers are not.

> What about to study how it spreads in a particular with a particular
> operating system and particular software, to run an epidemiological
> statistical study?

Big words. Have you read e.g., Kephart-White's epidemiological model
for virus spread? Do you understand it? If yes, prove it to us, by
posting a summary. If not, bug off and get to your school textbooks.

Oh, yes, and such models can be perfectly created by examining
simulations, instead of spreading a real virus in the wild. That's what
the computers are for - to be used for simulations of different
processes. And, in a simulation, you get much more control over the
process, and get all kinds of useful data that wouldn't be available in
a real experiment, and so on. Just create simulated viruses in a
simulated computer and nobody will say that you are doing something
wrong.

> K>Even if it were forbidden, how effective do you think any of the laws
> K>which state that would be?
> It will be useless, enforcing it would be like enforcing free speech
> and free writing.

Again you are talking from US-centric positions. From own 30-year
experience, I can tell you that free speech and free writing can be
forbidden and that this can be enforced pretty effectively. :-(

> K>Murder is unethical and malicious, by society's
> K>standards today, it also has a lot of legislation against it. But, it
> K>still happens.
> It always has and it always will, regardless of laws and enforcement.
> It is part of human nature.

Well, unlike you, I have a better opinion of the human race.
Besides, statements like yours remind me very strongly of the words of
some German leader in the 30s...

> No, virus writing is impossible to enforce, short of being in a totalitarian
> state where public speech and writing is banned, because it is not in the
> state's best interests.

Really? Well, FYI, Sweden seems to have banned virus writing,
Switzerland is about to follow, in the UK they are prosecuting the
virus writers pretty effectively... And nobody is calling those
countries "totalitarian". Except maybe a few virus writers... :-)

> It cannot be proven that writing viruses does not serve an educational
> purpose.

Even if it were so, it is not an excuse to write viruses. It cannot be
proven that cracking into other people's computers does not serve an
educational purpose too, yet hacking is a criminal offense in most
states of your country. All we want to do is to make virus writing and
distribution the same.

> The whole point is, viruses are more than destructive code, and are more
> than the 2 dimensional pieces of code some people would like them to appear.

Two dimensional? They look pretty mono-dimensional to me - just a
string of bytes... :-) And the whole point is that the real viruses
*are* a piece of potentially destructive code, regardless of whether
they are also something else.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Thu, 02 Dec 93 17:14:21 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Fictional virus and antivirus in Dr. Dobb's Journal , December 1993

hstroem@hood.ed.unit.no (hstroem@hood.ed.unit.no) writes:

> While reading the most recent issue of Dr.
> Dobbs I found an interesting
> short-story in Michael Swaine's column; Swaine's Flames. The story is
> set in the year 1995. It concerns the InterNet and describes some kind
> of new law that demands that everyone connected to the InterNet have a
> Guardian on their machines.

[stuff deleted]

> So, maybe the benign virus can exist after all?

It depends on your definition of the term "virus". The drawback of the
above example is that it uses Internet; what it describes is pretty
impossible to enforce there. However, consider the following example.

A large network services provider (something like CompuServe, but
providing more services, like ftp, telnet, and so on), owned by a
company or government. They don't want viruses on their network. To
protect it, they have a policy that each of their customers must be
running the latest version of their Super Duper ScanRes (a resident
scanner) and scan all executed or accessed executable objects.

They have set their network in such a way, that when the user requests
to log in, the remote host instructs the network driver of the local
computer to check whether the latest version of the mentioned
anti-virus product is present and active. A secure cryptographic
protocol is used (e.g., public key encryption and authentication). If
no anti-virus program is found to be active, the login is refused and
the user is informed about the reason. If an older version of the
anti-virus program is found, the remote computer offers to send a newer
version. If the user refuses, login is refused. If the user agrees, the
newer version is sent to his/her computer (again using a
cryptographically secure protocol), the old one is automatically
replaced, and the user is offered to reboot (so that the new version of
the program gets activated).

Strictly speaking, the antivirus program, together with the software
for automatic update, is a virus (or more exactly - a worm). It
automatically spreads from the remote site to all machines that log in.
There are no ethical or legal problems involved, because the user can
always refuse the update and only the files belonging to the "virus"
itself are updated - no user files are touched. On the other hand, the
network services provider owns the network and has the full right to
state what software its customers must be running, in order to access
the network. Everybody who doesn't like it is free not to use it and
not to use the network services.

Of course, all this has nothing to do with the "real" viruses that are
written by some low-level form of dirt, who likes so much to brag about
its "rights of free speech".

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Thu, 02 Dec 93 05:11:41 -0500
From:    acomm@swiss.sun.com (SunService contractor ACOMM.)
Subject: anti-virus DOS -> UNIX (UNIX)

Hi there,

As I have read in the last FAQ, there are special cases for which
scanning a Unix system for DOS viruses makes sense (Unix server for PC
systems w/ PC-NFS).

I am actually looking for a shareware/freeware product that could help
me with that so-called 'special case'. The anti-virus should run on Sun
machines (with SunOS 5.x or 4.1.x) and detect/correct DOS viruses (or
_eventually_ run on a PC and scan SUN disks).

Does anyone like to help ?

Thanks in advance,
Kind regards,
- --
Laurent Jaccard

PS: please reply by e-mail, as I cannot often read the News.
e-mail to : acomm@swiss.sun.com

------------------------------

Date:    Sat, 04 Dec 93 12:43:35 -0500
From:    martyz@netcom.com (Marty Zigman)
Subject: Netware Approved Virus Protection? (Novell)

Has anyone heard of a Netware approved NLM virus Protection program?

Marty
martyz@netcom.com

------------------------------

Date:    Thu, 02 Dec 93 08:02:30 -0500
From:    bondt@dutiws.twi.tudelft.nl (Piet de Bondt)
Subject: Re: Commercial Virus Scanners in the dark??? (PC)

R. Wallace Hale wrote:
>>> and one person (Rock Steady) developed a virus called "Varicella"
>>
>>However, TbScan was not able to detect the virus in the first place,
>>so few people would have the idea to run TbClean on an infected file -
>
>If I may quibble a bit, both versions 6.04 and 6.05 of TBScan
>detected the specimen of Varicella that I have, and the relevant
>versions of TBClean did allow the virus to become active...
>
>>However, I agree with you that that particular version of
>>TbClean was dangerously buggy. The bug has been fixed, however, since
>>a long time.
>
>Two months (or thereabouts) is a long time?
>

Well, the guys at Thunderbyte consider more than *one* month a long
time. If they haven't released a new TBAV within about a month, they
will at least release a new signature-file.

- --
Piet de Bondt                E-mail: bondt@dutiws.twi.tudelft.nl
===================================================================
FTP-Admin for MSDOS Anti-virus software at:  ftp.twi.tudelft.nl

------------------------------

Date:    Thu, 02 Dec 93 08:23:11 -0500
From:    bondt@dutiws.twi.tudelft.nl (Piet de Bondt)
Subject: Re: Re[2]: Which antivirus program (PC)

Jimmy Kuo wrote:
>Piet de Bondt complains:
[...]
>
>then makes the following conclusion:
>>I think that these test give at least one clue (but I'll mention
>>some other things too) :
>>***1) avoid ......... and Norton
>
>So, from someone who complains about improper test results, he offers
>test results from November of this year, which tests a product over a
>year old against fresh versions of other products.

Well, to get some more light on this:

* vsumx : there have been 'complaints' from a lot of 'famous' people on
          virus-l about it not being up-to-date and correct.
          I made the assumption about mcafee scoring so well, because
          P. Hoffmann offers vsumx through mcafee.com
* nav2.1: the most recent version up to the test was 2.1
* test  : if a test appears in November, of course a product announced
          in September cannot be included anymore, as the release date
          of the magazine is the last week of September...

Two remarks: ok. they missed v3.0 because of the reason I mentioned.
other products just could be included, or not, but nav gets a lower
score because of this

Second: I have seen a lot of bad reports on 3.0, so I *think* (NOT
sure) that the results for 3.0 compared to 2.1 will not be
significantly better. If you have any more proof to the contrary I
think it will be very good to post these to the net, eg. a list of
improvements from 2.1 to 3.0. This will be 1) good for your users as
they have more trust in you and could try the new version and 2) it is
good for the good name of your company.

Another remark: I'll try to refrain from harsh judgements, but I did
not make the judgement you mentioned in ***1) it was the concluding
remark in the magazine. Just to inform you some more.

>
>NAV 3.0 was announced in September of this year!!!! I know you didn't
>do the tests. But you did make this idiotic conclusion.

I didn't make the judgement, although I tend to give TBAV and F-Prot
the better chances... But indeed they missed your 3.0 upgrade.

>
>Jimmy Kuo cjkuo@symantec.com
>Norton AntiVirus Research
>

- --
Piet de Bondt                E-mail: bondt@dutiws.twi.tudelft.nl
===================================================================
FTP-Admin for MSDOS Anti-virus software at:  ftp.twi.tudelft.nl

------------------------------

Date:    Thu, 02 Dec 93 08:37:00 -0500
From:    kdc@ccu.umanitoba.ca (Ken De Cruyenaere)
Subject: Re: QUESTION: F-PROT virstop (PC)

kwakely@uoguelph.ca (Kent J Wakely) writes:

>I run in MS Windows most of the time. I know that F-PROT's virstop
>scanning utility won't pop infection alerts into Windows. I'm
                  ^^^^ ??
>wondering, though, whether it will let you know about a possible
>infection after you exit Windows or not.
>
>Replies to the newsgroup or direct to kwakely@uoguelph.ca.

I just double checked and VIRSTOP (2.10) does indeed pop an infection
alert into Windows (3.0). Top left corner of my screen:

    VIRSTOP alert! BOOT SECTOR VIRUS on diskette. Press [ENTER] to continue.

Ken De Cruyenaere
U of Manitoba Computer Services

------------------------------

Date:    Thu, 02 Dec 93 09:42:35 -0500
From:    alm@sotona.phys.soton.ac.uk
Subject: Scanning archives with F-PROT (PC)

I am looking for a program which will allow me to scan inside archives
(ZIP, ARJ, ZOO etc.) with F_PROT. I have found a number which will use
McAfee's SCAN, but are not configurable. REARJ a program which comes
with ARJ will perform a scan when converting between archive types is
configurable, but I don't want to have to wait while a NEW archive is
created (and carefully tested).

Cheers,
Andrew
- --
Andrew McLean                    e-mail: alm@soton.ac.uk
Department of Physics,           phone:  +44 (0)703 593084
University of Southampton,       fax:    +44 (0)703 585813
Southampton, S09 5NH, UK.

------------------------------

Date:    Thu, 02 Dec 93 11:19:40 -0500
From:    Otto Stolz
Subject: Re: BEB* virus (PC) ???

On Fri, 26 Nov 93 23:17:09 -0500 John Husvar said:
> (...) virus infected his DOS directory, inserting 2 files to DOS. The
> files he found were " BEB_____ " (8 letters, no extensions) The final
> 5 letters changed each time the directory was accessed [...]
> when more was used, e.g. DIR | more [...]

The "virus" John's friend has is called "DOS"; apparently, it is very
infective: you will find it on almost every PC... :-)

DOS has no genuine pipelining (such as, e.g. CMS Pipelines); all it has
is I/O re-directing. Whenever Command.com sees the pipeline delimiter
"|" in a command line, it generates some auxiliary files, then it
invokes the pipeline stages, in turn, re-directing their standard I/O
to the auxiliary files, as appropriate.
E.g., when you issue the "dir \*.* | more" command, four auxiliary
files will be created, two of which will be seen by the Dir stage.

In a PC-DOS 3.30 system, these files are created in the root directory
of the current drive. Whenever the current drive is on a
write-protected disk, you will see the notorious message (on my system,
it reads "Schreibfehler Laufwerk A:", the wording on your system may
vary :-) four times for the four auxiliary files.

The names of these files are derived from the current system time. That
can easily be demonstrated by the following batch file:

    @echo off
    echo.| time
    dir 1*. | more
    echo.|time

(Note that no space is allowed between the dot and the bar after the
echo commands.) A test run showed that the time commands run at
16.31.59,18 h, and 16.32.00,34 h, respectively, and the two files were
named 101F3B23 and 101F3B28. Now read pairs of characters of these file
names as hexadecimal numbers, and you will get 16, 31, 59, 35 and
16, 31, 59, 40, respectively -- apparently the creation times of these
files.

In newer DOS versions, the names are formed according to a different
rule but still based on the system time; I am not sure about the
directory used for the files.

> The virus has remained on the HD through a low-level format and on a
> 3.25 floppy through a Norton Utilities WIPE command.

Oh no! Not again a low-level format! Of course, the culprit, viz.
Command.com, has not survived the low-level format; it was re-installed
via the format, or sys, command.

Moral: thou shallst know thy system.

Best wishes,
Otto Stolz

------------------------------

Date:    Thu, 02 Dec 93 13:23:13 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Getting rid of V-sign (PC)

Keith Breckenridge (kdbreck@casbah.acns.nwu.edu) writes:

> A number of us have discovered the v-sign virus in the MBR of our dos 6.
> double=spaced hard-disks. Does anyone know of an anti-virus application
> that will remove this virus?
> Most applications don't even recognize it.

One which I can easily check whether it can remove this virus is F-Prot
2.10 and yes, it should be able to remove it. BTW, the virus is rather
well known and many other anti-virus programs should be able to deal
with it too. If all else fails, use FDISK/MBR.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Thu, 02 Dec 93 15:23:32 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Re[2]: November 17th virus at Manchester England? (PC)

Jimmy Kuo (cjkuo@symantec.com) writes:

> >the November 17 855 virus. Dr Solomon's Toolkit gave two different messages
> >for infected files: "filename identified as November 17.855 virus" or
> >"filename This virus is like November 17". Microsoft anti-virus in DOS 6 has
> >November 17 virus on its info list but did not identify this infection.
> >Neither did VET 7.3. The user had an old version of McAfees SCAN which did
> >report it (but apparently failed to clean despite saying it had). Dr Solomon
> >seemed to clean OK but Scan would still report the files as infected
> >afterwards. John Smith, Economics

> The fact that your report indicates the "November 17th" but not quite would
> lead me to point you in this direction. The 855 strain is the most popular
> and the repairs for this virus is most likely based on the virus having a
> length of 855. If the virus is only 800 bytes long, the repair would not
> be correct anyway.

However, when Dr. Solomon's scanner says "identified", it usually
*does* mean it. There are very few exceptions.
By "identified", it means that every single bit of the virus is
identified and it is reasonably certain that it is exactly the variant
it claims to be. (I said "reasonably", instead of "absolutely", because
a CRC of the non-variable parts of the virus is used, instead of a
bit-by-bit comparison.) I have not tested this for NAV 3.0, but I got
the impression that this is not the case for it.

Also, Dr. Solomon's scanner *never* attempts to remove a virus it
cannot identify. Not all identified viruses are removable by it,
though.

However, there might be a bug in the removal routine, or the user might
be infected by more than one virus, or something else. To check the
first case, I did a test of the removal capabilities of several
anti-virus scanners for all known variants of this virus. Here are the
results.

Virus:               VET 7.52  FV 6.51  NAV 2.1   NAV 3.0   F-Prot 2.10
======               ========  =======  =======   =======   ===========
November_17th.584    Detects   Repairs  Misses    Detects   Repairs
November_17th.690    Repairs   Renames  Damages   Misses    Repairs
November_17th.706    Repairs   Renames  Misses    Detects   Detects
November_17th.768.A  Repairs   Repairs  DetectsR  Repairs   Repairs
November_17th.768.B  Repairs   Repairs  DetectsR  Repairs   Repairs
November_17th.768.C  Repairs   Repairs  Misses    Repairs   Repairs
November_17th.800.A  Repairs   Repairs  Goofs     Misses    Repairs
November_17th.800.B  Detects   Repairs  Misses    Misses    Repairs
November_17th.855.A  Repairs   Repairs  DetectsR  DetectsR  Repairs
November_17th.855.B  Repairs   Renames  Misses    Misses    Repairs
November_17th.880    Deletes   Repairs  Damages   Detects   Repairs
November_17th.1007   Misses    Misses   Misses    Misses    Detects

Notes:

1) "Detects" means "detects the virus but nothing more".
   "Repairs" means "repairs the virus *correctly*".
   "Deletes" means "detects the virus and deletes the infected file".
   "Renames" means "detects the virus and renames the infected file,
   without disinfecting it".
   "Misses" means "does not detect a virus in the file".
   "Damages" means "detects a virus and attempts to repair the file,
   but actually damages it".
   "Goofs" means "repairs the entry point of the file correctly, but
   doesn't cut the whole virus, potentially allowing the resulting file
   to cause a false positive".
   "DetectsR" means "detects the virus in the files, but can repair
   only the COM files".

2) Version 6.51 of FindVirus was used. I don't know which is the
   respective version of Dr. Solomon's Anti-Virus Toolkit that contains
   this version of the scanner.

3) FindVirus said "like" about the 690-byte variant and "identified"
   about all the rest.

4) NAV 2.1 is with the November updates of the virus definitions - the
   ones that you sent me and that are on our ftp site. The same goes
   for NAV 3.0.

> The definition for NOV17.800 with repair is in the December update of NAV
> 3.0.

Having in mind that you wrote the above in November, I would bet that
the person you were replying to can't use it. :-) Any chance of getting
it (the update) for distribution on our ftp site?

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Thu, 02 Dec 93 15:27:12 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: QUESTION: F-PROT virstop (PC)

Kent J Wakely (kwakely@uoguelph.ca) writes:

> I run in MS Windows most of the time. I know that F-PROT's virstop
> scanning utility won't pop infection alerts into Windows. I'm

The VirStop that comes with the commercial (professional) version will.
It would be really nice if this could be included in the shareware
version too.
However, this particular feature has been developed not by Frisk, but
by his Finnish distributor (Data Fellows), so I guess the decision does
not depend only on him.

> wondering, though, whether it will let you know about a possible
> infection after you exit Windows or not.

I'm not sure that I understand your question. VirStop is a resident
scanner, and as such it raises an alert when an infected object is
accessed or about to be executed. Windows probably "steals" control
from it, or just prevents the alerts from being displayed, but when you
exit from Windows, everything should be as before.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Thu, 02 Dec 93 15:27:18 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: NAV Clinic 2.0 false alarm or bd SCAN 108? (PC)

Mads Syrak Larsen (msyrak@emma.ruc.dk) writes:

> A friend of mine has told me that his antivirus program Norton Antivirus
> Clinic ver. 2.0, has found virus in some PK-ware files he has received
> from me.
> The virus is the Maltese Amoeba .

This is a known false positive with a (very) old version of NAV. Tell
your friend to update his scanner and the problem will go away.

> I just wanted to know whether anybody knows if it is a known bug in
> NAV Clinic 2.0 or whether the other 2 simply don't do their jobs properly.

It is a known, rather old, and fixed since a long time bug in NAV 2.0.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm.
107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Thu, 02 Dec 93 16:04:59 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: BEB* virus (PC) ???

John Husvar (jhusvar@nimitz.mcs.kent.edu) writes:

> A friend just found a virus on a download of Blue Wave Offline Mail Reader.

Nope. Your friend is a typical example of the case "observed something
I don't know how to explain, must be a virus". Sigh...

> This virus infected his DOS directory, inserting 2 files to DOS. the files
> he found were " BEB_____ " (8 letters, no extensions) The final 5 letters
> changed each time the directory was accessed using the more command. ( A
> simple DIR command always failed to show the files at all. But when more
> was used, e.g. DIR | more, the files showed up as noted) The files did not
> seem to do anything to the system, but one has to wonder what would have
> happened when or if the two filenames finally matched.

When you use pipes (the '|' character), DOS automatically creates two
temporary files with unique names for each pipe. Theoretically, only
one should be sufficient; dunno why DOS needs two. They are created by
the command interpreter (usually COMMAND.COM) when it parses the
command line and *before* the first command of the pipe (DIR in your
case) is executed. The files are deleted after the pipe terminates.
That's why the files are present in the directory listing observed by
MORE, but not in a normal directory listing. Relax, it's not a virus.
It's normal.

> The virus has remained on the HD through a low-level format and on a 3.25
> floppy through a Norton Utilities WIPE command. On the HD format, two files

First, it has "remained", because DOS has remained (or more exactly -
has been re-installed). Second, there has been no virus in the first
place. Third, the above action is a typical example of the damage a
panicked and ignorant user can do.
The moral of the story is: If you suspect a virus infection and don't know how to deal with it, consult somebody more competent than you. And, before everything, DON'T PANIC! Does some company sell buttons with "DON'T PANIC" written on them with large, friendly letters? :-)

> were created with a .FIL extension, attributed RO, hidden, and archive.
> Norton screen message said "Saving unformatted data." Any attempt to delete

Yup, it saves unformatting data in those two files.

> or otherwise manipulate those files resulted in the usual "access denied."

Unless, of course, you remove the ReadOnly attribute. For instance, with the ATTRIB command.

> Does anyone know anything about this virus?

Yes, it isn't one. :-) Or, more exactly, it is called COMMAND.COM.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Thu, 02 Dec 93 16:15:33 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Monkey is not cute! (PC)

sullivan@cobra.uni.edu (sullivan@cobra.uni.edu) writes:

> > Yes, Monkey is one of the MBR infectors that CANNOT be removed with
> > FDISK /MBR. Even worse, using this approach with such viruses could
> > (and usually does) lead to data loss and a knowledgeable technical
> > person should be consulted to repair the damage.

> Sure, now you tell me ;-}

Well, I told you as soon as I read your message. The moderation of this newsgroup introduces slight delays in the communication, but it helps to sieve out the junk. A slightly faster way to get information would be to e-mail me directly. But, please, anybody who does this - ask short and particular questions.
I am already getting about 50 messages per day and my task here is to write my Ph.D., not to be a free net.virus.consultant.

> > It is easy to check whether the MBR infector you want to remove is of
> > this type. When you boot from your MS-DOS 5.0+ floppy, do a DIR on the
> > hard disk. If DOS is still able to recognize the volume, FDISK/MBR
> > will work. If you get "Invalid drive C:" or something like that, don't
> > use FDISK/MBR.

> Is this common enough to be added to the FAQ? Or is it there and I just missed
> it? I try to pay attention.

It is not explained in the FAQ. I agree with you that it should be. Sigh, I am one of the authors of the FAQ... :-( Now I only need some free time to write an appropriate entry. (Free time? Huh? What's that?)

> After posting, I called the support number and talked to one of the people
> working on this specific problem. He said that it was a bug in the VIRSTOP
> code that failed to recognize it on anything other than a 360K diskette.

This was a problem in F-Prot below 2.10. I didn't know that it also exists in VirStop 2.10.

> > With VShield you could use the /SWAP option - it is roughly equivalent
> > to VirStop's /disk and reduces the memory used by the program to only
> > a few Kb - for the price of some slowdown.

> That would help, but we already have complaints about response time. How much
> slowdown are we talking here? Noticeable?

Depends on how fast your computer and hard disk is. I would say - noticeable, but not very annoying. (But, hey, I am using a 486!) The biggest delay is when you press Alt-Ctrl-Del, because then the program has to reset the drive, try to read the boot sector from the floppy in it, and wait for the timeout if there's no floppy there at all.

> > > We've tried forcing a scan with F-Prot each time a diskette drive is
> > > chosen, but on anything less than a 386 it's just too time consuming.
> >
> > Just curious, how did you achieve this?
> > With 4DOS (or something like
> > that) and "a:" aliased to some command?

> We have a little in-house utility written in Pascal that asks the students what
> diskette drive they're going to use. It's built into our standard batch files

Oh, your users are using a shell. I see... I keep forgetting that not everybody is working from the command line... :-(

> I got it and it works!!! But it's re-active. I was hoping to stay pro-active
> with an intercept.

> > Another good idea is to install some kind of program that
> > automatically restores the boot sector(s) if they are modified.
> > DiskSecure II is a pretty good solution. If you are not happy with

> This, I will probably implement where I can. The problem with this is that,
> 1) it needed to be done before the fact and

Well, you wanted a pro-active solution. The pro-active solutions must be installed/activated *before* the "fact" happens. :-)

> 2) we can only control this in the student computer centers. We're still not
> going to get campus wide protection.

Why? Just install the program campus-wide. How is it different from installing a resident scanner?

> Actually, 2.10 (which is now out) does detect and identify this properly now,
> but Frisk said that VIRSTOP still doesn't intercept correctly. They patched it
> and e-mailed me a copy of VIRSTOP 2.10a and it works perfectly. Thank you, a
> million times.

Too bad... :-( Frisk, any chance to release the patch for the public?

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Thu, 02 Dec 93 17:07:11 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: S-Bug info?? (PC)

Glenn Bock (gbock@yorick.umd.edu) writes:

> I just spend the past few hours removing a virus that fp-209f
> called S-Bug (?) as it called it, a particularly ichy com,exe,ovl
> infecting program virus. I have no information on this virus
> and was wondering if anyone has any info on it. I've repeatedly

The virus was discussed here rather recently. I am attaching a CARObase entry for it.

> tried re-infecting a 'protected' machine 'virstop.exe loaded as
> a device driver' and found the machine became massively reinfected

The reason is that VirStop 2.10 is not able to detect this virus. F-Prot is, but only when run in "Secure scan" mode (the default). An easy way to check whether VirStop is able to detect a particular virus is to run F-Prot in "Quick scan" mode and check whether in this mode the program detects the virus. VirStop uses the same scanning engine as F-Prot's Quick Scan.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

NAME: Satan-Bug (preliminary analysis)
ALIASES: Satin-Bug
TARGETS: PC - files opened with Int 21h Fn 3Dh, 4Bh, or 6Ch - attempts to determine if .EXE or .COM
RESIDENT: Top of Memory
MEMORY_SIZE: DOS 9k, BIOS 10k - see comments
STORAGE_SIZE: varies (polymorphic), .COM files grow between 4k and 5k bytes
WHERE: appending with redirection of first four bytes.
STEALTH: none
POLYMORPHIC: yes
ENCRYPTED: yes
ARMOURING: no
TUNNELING: no
INFECTIVITY: 5 (on open if identified as .COM or .EXE)
OBVIOUSNESS: 5 (memory mismatch)
COMMONNESS: ?
COMMONNESS_DATE: September, 1993
TRANSIENT_DAMAGE: none apparent
PERMANENT_DAMAGE: none
TRANSIENT_DAMAGE_TRIGGER: none
PERMANENT_DAMAGE_TRIGGER: none
SIDE_EFFECTS: .EXE & overlay files may fail - similar to Jerusalem or Sunday
INFECTION_TRIGGER: when resident in memory infects everything that appears
        executable, program must exceed minimum size (abt 200 bytes - coding
        error ?) to infect.
MESSAGES_DISPLAYED: none
MESSAGES_NOT_DISPLAYED: "Satan Bug virus - Little Loc"
INTERRUPTS_HOOKED: 21h
SELF_RECOGNITION_IN_MEMORY: Int 21h Fn F9h returns AC0Ah
SELF_RECOGNITION_ON_DISK: Adds 100 to year record (not normally displayed)
LIMITATIONS: will only become resident if "COMSPEC=" is first entry in
        environment string and "COMMAND.COM" (both in uppercase) is last
        element of first entry.
COMMENTS: Coding appears to have been done in MicroSoft MASM version 5.0 or
        earlier. Numerous examples of "monkey motion". Used flawed mechanism
        for memory allocation resulting in mismatch between DOS and BIOS
        reports. Programmer apparently also unfamiliar with flags. Some
        scanners correctly identify virus in memory and files but not
        original .COM (size/offset function ?) Virus attempts to
        remove/correct validation code added to file by McAfee "SCAN" and
        CPAV "Immune"
ANALYSIS_BY: Padgett Peterson
DOCUMETATION_BY: Padgett Peterson
ENTRY_DATE: 93/09/23
LAST_MODIFIED:
SEE_ALSO:
END:

------------------------------

Date: Thu, 02 Dec 93 22:23:25 -0500
From: jhusvar@nimitz.mcs.kent.edu (John Husvar)
Subject: About that *&%$@! BEB* non-virus (PC)

To all who replied to my post, thank you all.

After having cost the net hundreds, if not thousands, of dollars only to discover that it was *not* a virus at all, I have referred my friend to the time-honored First Solution, RTFM. :)

I, on the other hand will plead ignorance to any charges that *I* should have done the same. ( I just *love* hypocrisy, it's sooooo guilt-free!) I can't seem to find any "man" pages on this thing!
(Whaddaya mean there's no manual entry for @$&^*$! ?)

I only got my first "real" home computer 3 months ago and it will not produce those temporary files no matter what I do with DIR or MORE, perhaps because it came with DOS 6 installed and was upgraded (?) to DOS 6.2 before Martin approached me with his problem. (Until I bought this 486, I used a decrepit PC-Convertible with one functional floppy and no HD as a terminal only to modem to Kent State where I did all my computing on our UNIX machines.)

Anyway, thanks Jimmy Kuo, Iolo Davidson, and Otto Stolz for your informative and (in your case, Otto) humorous replies.

Maybe DOS itself *is* a virus. Can we add a corollary to the old adage and say that any sufficiently advanced virus is indistinguishable from a feature?

Well, there go another few hundreds, if not thousands, of dollars.

Thanks again,
John

P.S. The guy *still* doesn't believe it's not a virus! ( You can spend hundreds, if not thousands, of dollars leading a horse to water......)

--
John Husvar, Art History, Kent State University (Yes, THAT Kent State :)
jhusvar@mcs.kent.edu - john.husvar@akron-info.com - bf910@cleveland.freenet.edu
Pres. ICBAGWA (Int'l Confraternity of Bad-Ass Gimps With Attitudes)

------------------------------

Date: Fri, 03 Dec 93 07:19:41 -0500
From: hstroem@ed.unit.no
Subject: Re: WinNT + Dos 6.0 + Form VIRUS!! (PC)

lestat@pearl.ctt.bellcore.com (David Gonzalez) writes:

> I am having a bit of a problem with a boot sector
> virus called Form.
> It has managed to contaminate the Boot sector of
> my PC. Up to this morning, I was still able to boot WinNT
> and Dos, but now, it seems that the boot loader has
> been damaged since the machine just locks up.
> Now, I know how to remove the virus, and all that
> stuff, the part I don't know is how to avoid damaging the
> NT Loader.

As far as I recall the NT loader is a system file named NTLDR.SYS, or similar. You don't damage it, unless you delete it.
You say you know how to remove the Form boot infector from a system running DOS and Windows NT 3.1. I think it would be a good idea to share this information with the rest of us.

I assume you have booted from a DOS system disk and executed the command

   SYS C:

This WILL remove the virus, BUT it will also result in the misfeature of not having the Windows NT loader executed at boot-time. Your system will either hang or boot DOS.

I do not have access to any machines where Windows NT is installed, at the moment. So, all this is faint memories of the past summer.

The MS-DOS operating system has a DOS Boot Sector (DBR) containing code, that among other tasks, loads and executes the file IO.SYS from the active partition (usually drive c:). PC-DOS and DR-DOS also load such a file, but they use the name IBMBIO.COM, instead of IO.SYS. This is the first file executed during a boot with DOS, and IO.SYS takes control after the DBR, then handles other files like MSDOS.SYS (IBMDOS.COM on PC-DOS and DR-DOS), DBLSPACE.BIN (on MS-DOS 6.x), and the different statements in the CONFIG.SYS.

Windows NT is different, but the boot is quite similar. Its boot sector also loads a file, but with a different name from that of the different DOS versions. If my memory serves me right, the name is NTLDR.SYS. When you boot the MBR will load the DOS Boot Sector, or System Boot Sector as it might be called when not talking about DOS, and the System Boot Sector will load and execute the NTLDR.SYS file which displays the Flexboot menu.

Running SYS C: from a DOS system disk will result in a loss of the NT Boot Sector, and a DOS Boot Sector will be inserted instead. The NTLDR.SYS file will never get loaded, and instead the DBR will try to load and execute the file IO.SYS or IBMBIO.COM.

Possible solutions:

1) Boot from a DOS system disk and do a

   DIR C:\ /AS

it will display the system files. One of the system files should be ca. 120KB in size, and have a name similar to NTLDR.SYS.
Then use a disk editor (e.g., Norton Disk Editor or NU.EXE) to replace the IO.SYS or IBMBIO.COM filename, with the NTLDR filename. I have NOT tried this, and can not promise that it will work, but it is worth a try if nobody else comes up with a better solution.

2) Wait until I can get my hands on a machine that runs NT and DOS. I will then probably write a small utility to fix this problem. At least I will come up with a tested solution.

To prevent this from happening again:

1) Use my anti boot virus program, HS v3.5. It should detect and remove such a virus if you install it on a computer BEFORE it gets infected by a bootinfector. You should also make a DOS system disk with a copy of the MBR and DBR or SBR. The floppy should also contain a utility that is able to write the copies of the bootsectors to the harddisk. HS v3.5 is, among other things, such a program.

2) Use another anti boot virus program, like Padgett's DiskSecure II.

IMHO, the current antivirus packages are not very strong when it comes to boot infectors. The same goes for the built-in antivirus code of most BIOS'es I've seen.

Sincerely,
Henrik Stroem
Stroem System Soft

------------------------------

Date: Fri, 03 Dec 93 08:41:31 -0500
From: hstroem@ed.unit.no
Subject: Re: BEB* virus (PC) ???

jhusvar@nimitz.mcs.kent.edu (John Husvar) writes:

> A friend just found a virus on a download of Blue Wave Offline Mail Reader.
>
> This virus infected his DOS directory, inserting 2 files to DOS. the files
> he found were " BEB_____ " (8 letters, no extensions) The final 5 letters
> changed each time the directory was accessed using the more command. ( A
> simple DIR command always failed to show the files at all. But when more
> was used, e.g. DIR | more, the files showed up as noted) The files did not
> seem to do anything to the system, but one has to wonder what would have
> happened when or if the two filenames finally matched.

Why do you think this is a virus?
Has any antivirus software indicated that this may be a virus? Have you ever heard of the term "Panic"? :-)

You should give some information about what version of DOS your friend has problems with, and what kind of computer it is, etc.

Most likely this is NOT a virus. DOS has been known to make two files with random file names when you use the MORE command. Using MORE with DIR or another command that displays the directory where DOS puts those two files will often result in the "discovery" of those two files.

In more recent versions of DOS you can specify where such files should be put. This is done by setting the environment variable TEMP. Make a directory C:\TEMP and put the following in your AUTOEXEC.BAT:

   SET TEMP=C:\TEMP

Now those two files should only appear in the TEMP directory, and not in the current directory. To verify that this is working, do the following:

   C:
   CD \
   DIR /O-D /A | more       ; Works with DOS 5 and greater
   CD \TEMP
   DIR /O-D /A | more

The first dir command should NOT display the two mentioned files. While the second dir command should display two such files, as the two first entries in the listing. The filenames will be different all the time, and it is not possible to make two files with the same filename. The files are deleted when the MORE command has completed, and you are returned to the command line. Also the size of the files, as displayed by DIR, are usually zero bytes. (A virus usually needs a bit more to infect :-)).

If your friend is using an old version of DOS (the current version is 6.20) the TEMP variable may not be supported, and he should leave the system as is.

If there are other reasons to suspect a virus infection on your friend's system, I would suggest that he scans his hard disk with e.g., FSI's F-Prot 2.10 or McAfee's Scan 109.

> Does anyone know anything about this virus?

It is called DOS and it is quite widespread :-)

You should probably read the FAQ for this newsgroup. And maybe also Robert Slade's panic guide.
Henrik Stroem
Stroem System Soft

------------------------------

Date: Fri, 03 Dec 93 13:08:29 -0500
From: adam@lbs.lon.ac.uk (Adam S. Nealis)
Subject: Has anyone heard of the the reaper virus V Cpav (PC)

Can anyone tell me about the reaper virus? Center Point Anti-Virus software does not seem to pick this one up.

Dominic Stocqueler
DStocqueler@LBS.LON.AC.UK

------------------------------

Date: Fri, 03 Dec 93 13:19:07 -0500
From: gerald@vmars.tuwien.ac.at
Subject: Re: BEB* virus (PC) ???

jhusvar@nimitz.mcs.kent.edu (John Husvar) writes:

> This virus infected his DOS directory, inserting 2 files to DOS. the files
> he found were " BEB_____ " (8 letters, no extensions) The final 5 letters
> changed each time the directory was accessed using the more command. ( A
> simple DIR command always failed to show the files at all. But when more
> was used, e.g. DIR | more, the files showed up as noted)

This is definitively NOT a virus. What happened is the following:

When you use the pipe (="|") operator on the command line, DOS (better: COMMAND.COM) creates two temporary files - named as you write - in the directory pointed to by the TEMP environment variable, or - if TEMP is not defined - in the current directory. This is what you've been experiencing.

Suggestion: Create a directory c:\tmp and put "SET TEMP=C:\TMP" in your autoexec.bat.

[ I hate this: Nowadays, when anything with a computer seems strange, most people yell "Virus!" ]

> The files did not seem to do anything to the system,

Of course not...

> but one has to wonder what would have happened when or if the two
> filenames finally matched.

Well, Microsoft programs often exhibit strange behaviour, but I dare say that THIS will NEVER happen.

> The virus has remained on the HD through a low-level format and on a 3.25
> floppy through a Norton Utilities WIPE command.

THIS IS - IN THEORY! - NOT POSSIBLE. (If you did boot and format from a clean disk, of course.)

Regards,
Gerald

PS:
> Does anyone know anything about this virus?
I'm quite sure that you'll find a similar answer from Bontchev at least. :-))

----------------------------------------------------------------------------
Gerald Pfeifer (Jerry)      Technical University Vienna, Austria .
gerald@vmars.tuwien.ac.at .
...........................................................................
Sorry, I'm not a native speaker (flames to /dev/null) .

------------------------------

Date: Fri, 03 Dec 93 21:33:33 +0000
From: du4@mace.cc.purdue.edu (Ted Goldstein)
Subject: New (?) variant of Stoned virus (PC)

F-PROT 2.10 reports that it has found a new variant of the Stoned virus on one of my PCs. It does not try to disinfect it. McAfee SCAN 109 does not see any infection at all. After manually repairing the partition table, and reformatting the hard disk, F-PROT still reports the infection.

Before I low-level format the drive, is this really something new that anti-virus authors want to see? Shouldn't SCAN 109 find something?

If anyone has any interest in this let me know, the drive gets low-leveled Monday (12/6/93) afternoon.

--
Ted Goldstein                           E-mail: du4@mace.cc.purdue.edu
Network and Systems Administrator       Phone : (317) 494-9070
Purdue University School of Technology  Office: Knoy Hall, Rm G009

------------------------------

Date: Sat, 04 Dec 93 08:26:20 -0500
From: vfreak@aol.com
Subject: Using A-V software to remove vir (PC)

I keep telling people that A-V software is good, but cleaning viruses from files should only be used as a last resort. It is always best to delete the infected files, and restore the uninfected files from backup or original diskettes.

Last month, one of my clients (Ms. L. Cain) contacted me and reported that her hard drive was no longer bootable, and after she booted from the clean bootable diskette I had prepared, most of the files no longer run. When I asked what had happened, she reported that she had used A-V software to clean the Green Caterpillar (1575 according to McAfee's scan) virus.
However this was a modified variant of Green Caterpillar, and her A-V software hadn't recognized that the virus was larger than 1591 bytes, so the A-V software corrupted the files during the cleaning process.

I drove over, and spent several hours cleaning up the mess that the A-V software had made.

Everyone has two good sources to prevent this type of mess from happening to you.

1. Write protected originals
2. A recent backup. I would suggest at least two complete backups.

If you find that you have some infected files, delete them, then restore the files from original diskettes, or backup.

Bill

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 156]
******************************************
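
The Satan-Bug CARObase entry in this digest gives "Adds 100 to year record (not normally displayed)" as the virus's on-disk self-recognition mark. The Python sketch below is an added example, not code from any poster or product in the digest: it walks raw FAT directory entries and flags .COM/.EXE files whose date stamp carries that mark. It assumes the "year record" is the year field of the DOS file date, and the directory bytes and file names are constructed sample data.

```python
import struct

ENTRY_SIZE = 32                  # one FAT directory entry
ATTR_VOLUME_LABEL = 0x08
ATTR_DIRECTORY = 0x10
YEAR_MARK = 100                  # CARObase entry: "Adds 100 to year record"
EXECUTABLE_EXTS = {"COM", "EXE"}


def decode_fat_date(raw):
    """Split a 16-bit FAT date into (year, month, day)."""
    return 1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F


def encode_fat_date(year, month, day):
    """Pack (year, month, day) into the 16-bit FAT date layout."""
    return ((year - 1980) << 9) | (month << 5) | day


def parse_directory(buf):
    """Yield (name, attr, (y, m, d), size) for each live file entry."""
    for off in range(0, len(buf) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = buf[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:     # end-of-directory marker
            break
        if entry[0] == 0xE5:     # deleted entry
            continue
        attr = entry[11]
        if attr & (ATTR_VOLUME_LABEL | ATTR_DIRECTORY):
            continue             # volume labels and subdirectories
        base = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        raw_date, = struct.unpack_from("<H", entry, 24)
        size, = struct.unpack_from("<I", entry, 28)
        name = f"{base}.{ext}" if ext else base
        yield name, attr, decode_fat_date(raw_date), size


def flag_marked_files(buf):
    """Return (name, stamped_year, implied_original_year) for executables
    whose 7-bit year field is 100 or more, i.e. dated 2080 or later."""
    hits = []
    for name, _attr, (year, _month, _day), _size in parse_directory(buf):
        ext = name.rpartition(".")[2] if "." in name else ""
        if ext in EXECUTABLE_EXTS and year - 1980 >= YEAR_MARK:
            hits.append((name, year, year - YEAR_MARK))
    return hits


def make_entry(name, ext, attr, ymd, size):
    """Build one constructed 32-byte directory entry for the demo."""
    return struct.pack("<8s3sB10sHHHI", name.ljust(8).encode(),
                       ext.ljust(3).encode(), attr, b"\0" * 10,
                       0, encode_fat_date(*ymd), 0, size)


# Constructed sample directory: one clean file, two marked executables,
# one marked non-executable, one deleted entry, then the end marker.
SAMPLE_DIR = b"".join([
    make_entry("COMMAND", "COM", 0x20, (1993, 3, 10), 52925),
    make_entry("EDIT", "COM", 0x20, (2093, 3, 10), 4913),
    make_entry("README", "TXT", 0x20, (2093, 1, 1), 100),
    b"\xe5" + make_entry("OLD", "EXE", 0x20, (2093, 1, 1), 9000)[1:],
    make_entry("GAME", "EXE", 0x20, (2092, 11, 30), 40000),
]) + bytes(ENTRY_SIZE)

if __name__ == "__main__":
    for name, stamped, implied in flag_marked_files(SAMPLE_DIR):
        print(f"{name}: dated {stamped}, implies original year {implied}")
```

A hit here is only a reason to scan the file with a current scanner; a machine with a wrong clock produces the same future dates.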