VIRUS-L Digest   Monday, 7 Aug 1995   Volume 8 : Issue 70

Today's Topics:

Things that Go Bump in the Net
Re: physical damage to systems
Re: Virii: A simple question
Re: Virus Compatibility
Re: Illegal to write viruses?
Re: Virus Compatibility
Re: Virus Compatibility
Re: physical damage to systems
Re: Virii: A simple question
Re: physical damage to systems
Re: physical damage to systems
Re: Mischief virus on OS/2, it won't go away. (OS/2)
Re: Boot sector infectors question...(all)
Re: Boot sector infectors question...(all)
Re: Viruses & OS/2 (OS/2)
FORM.A and OS/2 Boot Manager (OS/2)
Viruses & OS/2 (OS/2)
Natas virus (PC)
Gomb virus questions (PC)
NYB [genp] (PC)
Re: Invircible virus checker (PC)
Re: Is it a virus? (PC)
Re: Aniti Virus Program Suggestions? (PC)
Info on "Ripper" virus (PC)
Re: Greencat Virus (PC)
Re: 1014 & win95 (PC)
Re: A New virus? PKZ300B.EXE PKZ300B.ZIP (PC)
Re: AV Software running under Win95 (PC)
Re: Remover for WHISPER? (PC)
Re: Will the BootSector Virus-option in the CMOS secure my PC ? (PC)
Re: Jerusalem.sunday.nam virus help (PC)
Re: Natas virus (PC)
PLEASE HELP with NEWBUG! (PC)
Re: NYB or ANTI EXEC virus (PC)
Re: Aniti Virus Program Suggestions? (PC)
Re: /\/\ Can't get that Stupid Stealth_C virus off!! /\/\ (PC)
Re: HELP---Could an undetected virus affect hidden system files? (PC)
Re: Stoned.Empire.Monkey Virus!!!! (PC)
Re: Help with 10b7 virus !!!! (PC)
Testing Antivirus Programs (PC)
Re: Form Virus (PC)
fixboot (PC)
Re: Monkey_b Help??? (PC)
Re: NYB Virus (PC)
Re: MONKEY_B help!!!! (PC)
Re: New Bug virus - also called ANTIEXE (?) (PC)
Re: Parity Boot B (PC)
Re: What to do if a virus is detected? (PC)
Re: standard AV techniques for apps (PC)
Re: NEW (STEALTH) VIRUS found (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed.
Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 13 Jul 95 16:23:39 -0400
From: "David M. Chess"
Subject: Things that Go Bump in the Net

I'd like to plug two new additions to our Web page which may be of interest to readers of this list:

- The Things that Go Bump in the Net page; an informal survey of some of the more colorful beasts in the menagerie of security and related problems in networky and agenty systems, and
- A new brief technical report on the effects of computer viruses on OS/2 systems.

Both things may be found hanging off of our web page: http://www.research.ibm.com/massdist

- --
David M. Chess          | High Integrity Computing Lab | Top Rack Dishwasher Safe
IBM Watson Research     |

------------------------------

Date: Thu, 13 Jul 95 18:01:24 -0400
From: Kenneth Albanowski
Subject: Re: physical damage to systems

On Mon, 5 Jun 1995, Robert Pearlman wrote:

> What about all those warnings that if you put your video chip in the
> wrong mode the monitor will fry? Is somebody kidding us?

As usual, the answer isn't quite as simple as it appears. Yes, it _used_ to be possible to fry a monitor from software. Some monitors. Monochrome monitors. _Old_ monochrome monitors. It is much more unlikely that you could damage a modern monitor.
It still may be possible to damage a monitor with limited bandwidth by giving it too high a clock frequency, but I've never seen this, and it would be neither simple nor generally applicable -- it would depend on programming for a specific monitor and video board. But no, you definitely cannot just "poke" a value into memory and damage the monitor, or any other hardware.

> A big difference between biological virii and software virii is that
> the biological ones are not malicious, just trying to make a living
> and reproduce their kind, like the rest of us. Software virii are
> always malicious (to date).

Neither of those is strictly true. First of all, neither a biological nor a software virus has an "intent". A software virus's _author_ has intent, but not the virus itself. Likewise, a biological virus doesn't have intent, but we can assign an anthropomorphized intent to it. While biological viruses are intentionally malicious, some work quite specifically by injuring or killing their host in the process of reproducing, to better the distribution or reproduction efficiency.

Some software viruses are not malicious. Any virus that doesn't have a "payload" -- a malicious intent -- is technically friendly. The problem is that the mere presence of the virus can cause problems for some software, and if there are bugs in the virus, then it can be quite destructive. (I suppose a bug in a software virus could be likened to a mutation in a benign biological virus. If such a mutation caused the virus to kill off its host before reproducing itself, then it would quickly be discovered, and would kill itself off or be killed.)

> Unreliable anecdote: in days of yore, programs were punched into
> cards, and object code was punched into binary patterns, with often
> a high density of holes. The punches, slightly modified tabulating
> equipment, were not really designed for this load. The night operating
> staff at MIT found a pattern that would break the baseplate if punched
> repeatedly. Comp center management decided that Xmas eve work wasn't
> truly necessary after the punch broke two years in a row.

I'm not sure whether the punch would break, but I'm sure it could be jammed by a card with enough holes in it. Again, however, this is _old_ technology, and a piece of equipment that is much more reliant on physical state than modern computers. It's much harder to break one of today's computers.

- --
Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)

------------------------------

Date: Thu, 13 Jul 95 18:03:46 -0400
From: Kenneth Albanowski
Subject: Re: Virii: A simple question

On Mon, 5 Jun 1995, Chris Walker wrote:

> Why is it not possible for a virus to infect various forms of computers?
> If they are written in a language that both computers can [compile], then
> I see no reason why it cannot harm both brands?

Theoretically, it could, if the virus was distributed as source code, and compiled itself on each machine that it "infected". Very few viruses work like this. Certainly no PC or Mac ones do.

- --
Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)

------------------------------

Date: Thu, 13 Jul 95 18:07:04 -0400
From: Kenneth Albanowski
Subject: Re: Virus Compatibility

On Tue, 6 Jun 1995, Darknight wrote:

> az092@torfree.net (Vic Boss Paredes Jr.) wrote:
> >Can an IBM virus for instance infect a UNIX or an Apple Machine? Or can a
> >UNIX virus infect the other systems. The same question goes for the Mac...
>
> Nope. Virii are completely processor dependent

If the virus is written in machine language, yes. If it's written in a high-level language, then no. For any virus you're likely to see on a PC or Mac, then it's not an issue. With Unix, it's a bit more of a possibility. (Machines that emulate the machine-code of other machines completely confuse the issue, BTW.)
- --
Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)

------------------------------

Date: Thu, 13 Jul 95 20:17:58 -0400
From: Topher.Hughes@lambada.oit.unc.edu (Christopher Hughes)
Subject: Re: Illegal to write viruses?

Most (all?) US states have laws regarding writing and/or disseminating viruses. If you have access to Compuserve, I believe there is still a cool program there that will show you a map of the US - click on the state you want, and up pops the relevant law (GO NCSAFORUM I believe). Sorry for lack of details, it was work done by another intern (a law student).

--topher
NCSA SysAdmin

- -- - -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Launchpad is an experimental internet BBS. The views of its users do not
necessarily represent those of UNC-Chapel Hill, OIT, or the SysOps.
- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --

------------------------------

Date: Thu, 13 Jul 95 23:49:37 -0400
From: Darknight@iCON-stl.net (Greg "Darknight" Bondy)
Subject: Re: Virus Compatibility

At 05:36 PM 7/13/95 -0400, Kenneth Albanowski wrote:
>On Tue, 6 Jun 1995, Darknight wrote:
>
>> az092@torfree.net (Vic Boss Paredes Jr.) wrote:
>> >Can an IBM virus for instance infect a UNIX or an Apple Machine? Or can a
>> >UNIX virus infect the other systems. The same question goes for the Mac...
>> Nope. Virii are completely processor dependant
>
>If the virus is written in machine language, yes. If it's written in a
>high-level language, then no. For any virus you're likely to see on a PC
>or Mac, then it's not an issue. With Unix, it's a bit more of a
>possibility. (Machines that emulate the machine-code of other machines
>completely confuse the issue, BTW.)
>Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)

You're mistaken. Viruses are completely processor dependent. Period. A trojan or a worm is a completely different matter, but a self-replicating program with an intentional payload cannot function in an OS in which it was not designed. Period. You're right, emulators can sometimes be susceptible (sp?).

greg

________________________________ ___ _________ __ _______ _ ____ __ _ __
Greg "Darknight" Bondy          / _ \___ _____/ /__ ___ (_)__ _/ / / /_
Darknight@iCON-STL.net         / // / _ `/ __/ '_// _ \/ / _ `/ _ \/ __/
"Welcome... to the machine"   /____/\_,_/_/ /_/\_\/_//_/_/\_, /_//_/\__/
________________________________________________________ /___/ _________
PGP public key available via keyservers     http://www.iCON-stl.net/~gbondy

------------------------------

Date: Fri, 14 Jul 95 00:39:34 -0400
From: Kenneth Albanowski
Subject: Re: Virus Compatibility

On Thu, 13 Jul 1995, Greg Darknight Bondy wrote:

> You're mistaken. Virus' are completely processor dependant. Period.
> A trojan or a worm is a completely different matter, but a self replicating
> program with an intentional payload cannot function in an OS in which
> it was not designed. Period. You're right, emulators can sometimes be
> susceptible (sp?).

I'm sorry, but I just don't see this. I could easily write some viral C code that attempts to insert itself into any .c files it finds. It would not be fully self-replicating unless it then invoked the compiler, but it could certainly propagate through "host" programs, thus qualifying as a virus. Ignoring portability problems with dirent.h and such, the virus would be portable to any system which offers a reasonably similar C. Nothing to do with machine code at all.

You could make an argument that the virus couldn't actually _spread_ across machine types, but even this is bypassed if there are networked drives mounted.

If there is a multi-platform interpreted language in use, it becomes simpler, as no compilation stage is needed. Perl and Lisp come to mind.

Sure, anybody who is working with actual virii is only likely to see PC and Mac types, and they are quite processor specific. But I don't think that is inherent in the definition of a virus.

You may wish to argue that neither of these examples is actually self-replication, as a compiler or an interpreter is involved, but I should think this is just an example of a virus using a higher level host than the processor and OS. No matter whether a processor, OS, compiler, or interpreter is involved, it is still reproduction with the aid of a host, and _that_ is the definition of a virus.

> greg
> ________________________________ ___ _________ __ _______ _ ____ __ _ __
> Greg "Darknight" Bondy          / _ \___ _____/ /__ ___ (_)__ _/ / / /_
> Darknight@iCON-STL.net         / // / _ `/ __/ '_// _ \/ / _ `/ _ \/ __/
> "Welcome... to the machine"   /____/\_,_/_/ /_/\_\/_//_/_/\_, /_//_/\__/
> ________________________________________________________ /___/ _________
> PGP public key available via keyservers     http://www.iCON-stl.net/~gbondy
>
>

- --
Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)

------------------------------

Date: Fri, 14 Jul 95 07:40:21 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: physical damage to systems

rp@esp.bellcore.com (Robert Pearlman) writes:

>like the rest of us. Software virii are always malicious (to date).

well, I cannot agree with this. Software viruses (NOT virii) are always harmful, annoying, a waste of time and resources, yes...but not necessarily malicious. As I understand the word "malicious" it implies intent - requires a certain mental state....now, a virus cannot have intentions on its own...a mindless creation, so how could it be malicious ?
Even if we consider the programmer's mind instead, it is quite possible that some viruses were written with the intent to be useful...(Denzuko is one example), and even though the author failed, and the virus did actually cause problems, one could argue that the author had nothing malicious in mind.....now, this happened in '89...making the same argument today would be silly, as the knowledge that viruses are harmful, annoying, etc. is far more widespread...

- -frisk

------------------------------

Date: Fri, 14 Jul 95 07:45:58 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Virii: A simple question

walkerc@capitalnet.com (Chris Walker) writes:

>Why is it not possible for a virus to infect various forms of computers?

What do you mean...of course it is possible...somebody could for example write a virus that could infect both DOS and Macintosh programs...but what you would have would simply be two modules...one Mac, other DOS, and a short assembly stub at the beginning that would branch to the correct module, depending on the processor type.

Another, easier possibility would be an Atari ST (if anybody is still using those machines) and DOS virus...slightly easier because of the common disk format. Still easier (because of the common processor) would be an ST/MAC virus...

- -frisk

------------------------------

Date: Fri, 14 Jul 95 08:12:44 -0400
From: Martin Veasey
Subject: Re: physical damage to systems

rp@esp.bellcore.com (Robert Pearlman) wrote:

> A big
> difference between biological virii and software virii is that the biological
> ones are not malicious, just trying to make a living and reproduce their kind,
> like the rest of us. Software virii are always malicious (to date).

Define malicious. Malicious by intent - neither form of virus is sentient so they look similar to me (I acknowledge the virus writer is sentient, but so is God if you believe in him!). Malicious in effect - not all bio viruses are, but enough of them do damage. Similarly, some comp viruses just seem to sit there and not do too much.

Martin Veasey                        | INTERNET lives
e-mail : martin@cheam.demon.co.uk    | in Cheam, Surrey, England

------------------------------

Date: Fri, 14 Jul 95 19:13:27 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: physical damage to systems

Robert Pearlman (rp@esp.bellcore.com) writes:

> What about all those warnings that if you put your video chip in the wrong
> mode the monitor will fry? Is somebody kidding us? A big

Yes. The roots of this rumor originate from the time when IBM built a buggy monochrome video controller which could be damaged by switching it to a wrong video mode. When they figured this out, they sent a warning message. Needless to say, this controller is not produced any more. Of course, using your video controller or monitor (or anything else) in an improper mode can wear it out faster than usual, but it cannot "fry" it.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev                Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226       Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.       Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Thu, 13 Jul 95 18:00:14 -0400
From: Kenneth Albanowski
Subject: Re: Mischief virus on OS/2, it won't go away. (OS/2)

On Fri, 2 Jun 1995, Kyle Barrow wrote:

> Unfortunately it's still here. I have run IBM Antivirus/2 and F-Prot and
> IBM Antivirus/Dos but they cannot recognise the virus.

Are you using OS/2? Then you are looking up a blind alley. There is a screen hack called "Mischief" for the _Amiga_, which has absolutely nothing to do with OS/2 whatsoever.

> The symptoms of the virus are erratic mouse movements every 5 to 10 mins.

Could be serial port trouble, could be OS/2 not liking your motherboard or serial port, could be a very dirty mouse.
> The virus was accidentally downloaded while searching gopherspace using
> veronica. My host was: gopher.eunet.cz
> The path was: g2go4 70 sunsite.doc.ic.ac.uk /aminet/game/gag
> There seem to be 2 files associated with the virus, they are: mischief.read and
> mischief.lha

aminet is an archive of Amiga programs. Not OS/2 programs.

> I have reinstalled mouse.sys but the virus remains. The mischief.read file,
> which I think installed the virus, states that the virus is a "display hack"
> using the input.device to cause mischief.

Mischief.read does not install the virus. There is no virus, and it's just a text file. Mischief.lha does contain a display hack, and it does use the input.device, but that's something specific to the Amiga, and _not_ OS/2.

> I would greatly appreciate any info/suggestions on how to remove it.

You can't, because it isn't there.

> Thanks in advance :..-(

I hope this helps.

- --
Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)

------------------------------

Date: Fri, 14 Jul 95 07:20:52 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Boot sector infectors question...(all)

rp@esp.bellcore.com (Robert Pearlman) writes:

>boot source by a huge factor, it would hardly slow operation to ask for
>confirmation before booting from the floppy. This can't break anybody's
>code.

Practically all new machines solve this "problem" by allowing the user to change the boot sequence, so that the machine will boot from the hard disk, even if there is a diskette in the A: drive. Unfortunately, this is not foolproof, as some disk controllers will cause a boot from A:, regardless of the CMOS setting...ah, well...at least they are trying.

- -frisk

------------------------------

Date: Fri, 14 Jul 95 08:00:42 -0400
From: Martin Veasey
Subject: Re: Boot sector infectors question...(all)

rvdkam@focus.synapse.net (Rob Vanderkam) wrote:

> On 24 May 1995 18:00:02 -0000, David M. Chess said...
> Not only that but Winscan eliminated one FORM_A from the disks but
> could not remove the second one so as far as I can tell, these
> disks are still infected.
> By the way, does anyone know where I can find out what harm this
> virus does. If it's been on my machine since I installed V4.01...!

FORM isn't a real killer, more of a pain really. The only "payoff" is that it makes your keys "click" on one day in the month (the 18th, I think). Having said that, I'm always suspicious because who knows what knock-on effects it could catalyse. If legitimate hardware and software manufacturers have problems designing products that can co-exist without crashing, how much harder for the virus writers!

Martin Veasey                        | INTERNET lives
e-mail : martin@cheam.demon.co.uk    | in Cheam, Surrey, England

------------------------------

Date: Fri, 14 Jul 95 07:53:56 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Viruses & OS/2 (OS/2)

kbennett@cpcug.org (Keith Bennett) writes:

>1) How vulnerable are OS/2 systems to DOS viruses? Assuming an OS/2
>system's MBR or boot sector is infected, will the virus code remain
>active after OS/2 boots?

in general no....however...if the virus has a payload that triggers on a set date, it will be activated...for example, Michelangelo can trash an OS/2 machine, even if it cannot spread from it, and becomes inactive when OS/2 loads.

>Do any of these viruses do damage as soon as they are loaded?

Michelangelo, J&M and a few others, yes....

>2) How helpful would DOS antivirus software be if run in a DOS window
>under OS/2? Certainly it could only inspect its own RAM and not that of
>other processes. Would it be able to bypass the OS and access the disk
>directly?

Depends on the DOS anti-virus....in general it will be useful against the DOS viruses, but possibly of limited use against the OS/2 ones.

>3) Can anyone recommend good software to use? I tried McAfee, but it
>cannot remove the FORM_A virus it found.
Ah...you may have a problem...you see, removing MBR viruses from an OS/2 machine is not a big problem, but removing viruses that infect what they think is the DOS boot sector may cause certain damage...depending on the file system. If this is a FAT system...just boot from a dos diskette and clean...if it is an HPFS one....well...the virus may have damaged it, when it attempted to store the original boot sector in what it assumed was free disk space.

- -frisk

------------------------------

Date: Fri, 14 Jul 95 09:36:36 -0400
From: "HAGWOOD.BILLY"
Subject: FORM.A and OS/2 Boot Manager (OS/2)

We've had an outbreak of FORM.A in our training lab/use center. These workstations use OS/2 Boot Manager to boot into a 40M DOS/Windows partition or a 120M OS/2 partition. The virus seems to have infected and destroyed the Boot Manager partition. We've used OS/2 FDISK to delete the Boot Manager partition and then recreate it; however, I'm not sure we've gotten rid of the virus because I can't figure out how to scan the Boot Manager partition.

If anyone has any suggestions for scanning and cleaning an OS/2 Boot Manager partition, I'd *really* appreciate the help. You can email me direct.

Also, if anyone has any suggestions for setting up virus monitoring and protection for this environment [other than get rid of it :^)], I'd appreciate the words of advice.

______________________________________________________________
Billy Hagwood                  "If a man does not keep pace with his
Computer Consultant IV          companions, perhaps it is because he
ISD-End User Services           hears a different drummer. Let him step
UNC Hospitals                   to the music which he hears, however
(919) 966-7610                  measured or far away"  Henry David Thoreau
BHAGWOOD.ISD2@MAIL.UNC.UNC.EDU
______________________________________________________________

------------------------------

Date: Fri, 14 Jul 95 16:31:02 -0400
From: Iolo Davidson
Subject: Viruses & OS/2 (OS/2)

kbennett@cpcug.org "Keith Bennett" writes:

> 1) How vulnerable are OS/2 systems to DOS viruses?

They can be infected by boot/partition sector infectors, and some file viruses will work in a DOS session.

> Assuming an OS/2
> system's MBR or boot sector is infected, will the virus
> code remain active after OS/2 boots?

Probably not. Shouldn't be able to spread to further floppies at least.

> Do any of these viruses do damage as soon as they are loaded?

Yes. Michelangelo does its disk wiping before the operating system loads for instance. I know of a case of a PC running under Unix which was disk-wiped by Michelangelo.

> If they
> just sit and wait until later, does OS/2 erase or nullify it when it boots
> because of its protective features (protected memory, inaccessibility of
> memory across process boundaries, etc.)?

Don't know if any of this matters. What does matter is that OS/2 doesn't use the DOS or BIOS system interrupts, so the virus interception of interrupts is cut off. However, in a DOS session, OS/2 simulates int 21 well enough for some file viruses to work, and there are viruses that don't go resident anyway. On top of that, there are at least two native OS/2 viruses.

> 2) How helpful would DOS antivirus software be if run in a DOS window
> under OS/2? Certainly it could only inspect its own RAM and not that of
> other processes. Would it be able to bypass the OS and access the disk
> directly?

Anti-virus software does not primarily scan RAM. It scans disks. The memory scan is there to stop stealth viruses spoofing. Most scanners do not need to bypass the operating system to scan the disk. They just use DOS and BIOS calls which OS/2 simulates. What they won't be able to do is write to the disk using BIOS calls, which means they won't be able to repair boot/partition infections. You will have to boot clean from a DOS system disk to do that. But you would normally have to do that anyway, in a DOS machine, if the boot/partition sector was infected.

If you are thinking of memory resident (TSR) DOS anti-virus programs, some work to some extent under OS/2, in a DOS session, but they won't see infected floppy disk boot sectors and they don't protect you in the OS/2 session/window.

> 3) Can anyone recommend good software to use? I tried McAfee, but it
> cannot remove the FORM_A virus it found. This software should be OS/2
> software ideally, but if DOS software is better, and it can be run under
> OS/2 effectively, we can use that instead.

Dr. Solomon's has an OS/2 version of the Toolkit.

- --
CHEER UP FACE        OF SHAVE
THE WAR IS PAST      AT LAST
THE "H" IS OUT       Burma-Shave

------------------------------

Date: Thu, 13 Jul 95 15:01:05 -0400
From: Iolo Davidson
Subject: Natas virus (PC)

warrakkk@medio.mh.se "Mikael hrberg" writes:

> I have the Natas virus, but I just can't seem to get rid of it...
> Neither the latest Dr Solomon's Toolkit nor the latest F-prot can
> remove it. Well, that is, they both claim they can remove it, but
> none of them even FIND/DETECT the virus... :(

If they don't find it, I doubt that it is there.

> Now, then how do I know I have it? Simple. The GUARD program that
> comes with Dr Solomon's detects the virus, but does nothing about it.

VirusGuard is a memory resident program. It normally would warn you that some disk or program you were trying to copy or use was infected, without letting you use it. That is, you should get the warning before your computer's hard disk is infected. When it warns you that you are already infected it is probably finding the virus in memory.
VirusGuard is not meant to do anything but prevent you from copying or running viruses inadvertently, and warn you when you try. FindVirus is the program supplied to remove viruses.

> What should I do? I'm on the edge of switching OS to OS/2 :)

It would help a lot if you report what various anti-virus programs actually say when you believe you have a problem. I am the author of the original VirusGuard, and supported it up to version 4.50, but I can't figure out what is happening from what you said. What does Guard report exactly?

- --
CHEER UP FACE        OF SHAVE
THE WAR IS PAST      AT LAST
THE "H" IS OUT       Burma-Shave

------------------------------

Date: Thu, 13 Jul 95 15:15:47 -0400
From: Rick Horlick
Subject: Gomb virus questions (PC)

F-Prot is reporting an inactive strain of "Gomb" virus on two floppies from a single office, after finding AntiEXE with a different virus program (Virex's vpcscan) on the office computer's hard disk. I suspect there may be something to it, since Gomb is not analyzed by F-Prot (according to the most recent F-Prot virus list and DataFellows' WWW page), and because of the two floppies, and because Virex behaved differently than when it usually detects AntiEXE (which we just can't get rid of).

Can anyone tell me anything about Gomb? Are there any applications out there that understand and can clean out Gomb? Any help would be appreciated.

------------------------------

Date: Thu, 13 Jul 95 16:34:06 -0400
From: dfuller@panix.com (David Fuller)
Subject: NYB [genp] (PC)

I have recently come across this virus also, yet can find no documentation on it. Does anyone have any information?

David Fuller
dfuller@panix.com

------------------------------

Date: Thu, 13 Jul 95 20:40:38 -0400
From: ferguson@dma.org (Frank C. Ferguson)
Subject: Re: Invircible virus checker (PC)

cc (sparrow@alaska.net) wrote:
: We have been using invircible virus checker for some time.
:
: We like the way it works and it has caught viruses that none of my other
: software has.
:
: Does anyone know how to contact the author?? We have been trying to register
: it for months now and cannot contact anyone. We have called the phone numbers
: listed in the readme with no luck.
:
: I have contacted their support BBS and left many many messages; they have all
: been ignored.
:
: I really wish to contact the author, can someone help??
:

They have moved to their own site: ftp invircible.com

The author's E-Mail is netz@actcom.co.il and his name is Zvi Netiv.

Frank C. Ferguson
ferguson@dmapub.dma.org

------------------------------

Date: Thu, 13 Jul 95 21:14:12 -0400
From: Raul Quintanilla
Subject: Re: Is it a virus? (PC)

Vitaliy Razhanskiy wrote:

>Last f-prot version says that I have a "backform.a" in the command.com
>file (I have ms-dos 6.22). but nothing strange happens. None of my

Simply reboot your computer with a non-infected, write-protected floppy. If command.com is larger than "normal" then you have a virus.

Raul Quintanilla

------------------------------

Date: Fri, 14 Jul 95 03:37:39 +0000
From: heuman@mtnlake.com (R.S. (Bob) Heuman)
Subject: Re: Aniti Virus Program Suggestions? (PC)

Bob1@ibl.bm (Martin J Walsh) wrote:

>kaplan@usernomics.com (Dr. Robert Kaplan) wrote:
>>I was wondering what was considered the best configuration for anti
>>virus software (PC).
>>
>> 1. Is there an optimum program combination?
>> 2. Is there an advantage to registering and getting the regular
>> updates etc?

>I am currently investigating virus checkers and came across the following
>document, which I found gave a very detailed & comprehensive comparison of
>5 different NLM based PC virus checkers - Central Point Anti-Virus 2.5,
>InnocuLAN 3.0, LANdesk 2.1, Norton 1.0, Dr Solomon 6.69 & mentions McAfee
>Netshield 2.1 (though not fully assessed as released at time of study) -
>Feb'95.
This covers their ability in detecting 2000 known PC viruses, >their impact on machine performance, their ability to clean up from >existing virus infections, their ease of updating, their administration, >their speed in scanning, their support & pricing. >They recommended using Central-Point (as this got the top overall marking, >by a fair gap) + Dr Solomon's (as even though this came last, it got the >highest mark for detection). >The article was published in InfoWorld - Feb 13th, 1995 (Vol 17, Issue 07, >p84) is 83K (30+ pages) in size. I retreived it by use of InfoSeek (an >excellent search tool of WWW, newsgroups, computer periodicals, wires etc. >- - if you haven't used it), but it does cost a small fee. Hope this is of >some use. >If anyone has read this article & disagrees with anything stated, I'd be >interested in hearing it. The real problem with the article is that it IGNORED several excellent products, because they are non-US or the US agent was not involved. One example is F-PROT Professional. The NLM version is produced by Command Software of Jupiter, Fla, and it uses the F-PROT engine from Frisk in Iceland. The OS/2 LAN version of F-PROT Professional is produced by Data Fellows in Finland. There is no coverage of AVP from Moscow, Russia, or AVScan from Germany, just to name two other excellent AV products. The article, therefore, is extremely biased... and its conclusions are not the best advice, as a result. As far as updates, the simple rule is ALWAYS run the latest version. A typical update will include approximately: 150+ new viruses if it is monthly 300+ new viruses if it is bimonthly 450+ new viruses if it is quarterly With this degree of change, and the odds that if you are going to be hit it will be by either by a very new virus that is NOT detected yet or by an ancient virus that has circulated widely. The latest version defends you against the new viruses better. All should defend you against the ancient viruses. R.S. 
(Bob) Heuman
Willowdale, ON. Canada
==============================================================================
or An inquiring mind in an aging body... My opinions are my own... (I hope)
Copyright retained as per Canadian and International law...

------------------------------

Date: Fri, 14 Jul 95 06:39:18 -0400
From: Mark Johnson
Subject: Info on "Ripper" virus (PC)

I can't find any information on "Ripper" virus. Does anyone know anything
about it? I know it is a Boot/MBR virus but that's all I know. I know
McAfee 2.2.1 can find it but McAfee does not tell anything about damage or
triggers. Any information would help.

Thanks,
Johnson Sends

------------------------------

Date: Fri, 14 Jul 95 07:33:24 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Greencat Virus (PC)

ivory@netcom.com (Ivory Dragon) writes:

>+------------------------------------- 1575+--------------------------------
> Virus Name: 1575
> Aliases: 1577, 1591, Green Caterpillar
> V Status: Common
> Discovery: January, 1991
> Symptoms: .COM & .EXE growth; decrease in total system & available
>           memory; sluggishness of DIR commands; file date/time changes,
>           "green caterpillar" appears on display
> Origin: Taiwan
> Isolated: Ontario, Canada
> Eff Length: 1,575 Bytes
> Type Code: PRfAk - Parasitic Resident .COM & .EXE Infector
> Detection Method: ViruScan, AVTK, F-Prot, NAV, CPAV, VNet, Sweep, UTScan,
>                   VirexPC, VBuster, Panda, IBMAV, DrVirus, Vi-Spy, MSAV,
>                   PCRX,
>                   LProt, CPAV/N, Sweep/N, Innoc, NShld, NProt, AVTK/N,
>                   NAV/N
> Removal Instructions: CleanUp, or delete infected files

and of course, this is incorrect, or rather incomplete. VSUM describes
some of the variants (there are 10 1575 byte ones, and one 1989 byte), but
the descriptions of the differences are quite inaccurate. Also, the
disinfection information is *VERY* misleading.
Patty seems generally to look at just one particular (and rather bad)
disinfection program, and ignores the disinfection capabilities of other
programs. This used to cause problems in the past, as people incorrectly
assumed that this particular program was the best one available - but today
the shortcomings of VSUM are so well known that most people don't seem to
take it seriously any more...or at least I hope so.

- -frisk

------------------------------

Date: Fri, 14 Jul 95 07:57:17 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: 1014 & win95 (PC)

ssartor@TRENTU.CA (Sergio T. Sartor) writes:

> I just noticed this evening that I have been plagued by the 1014
>virus.

Hmmm..."1014" is not the official name of any virus, but the only one that
I know of that is 1014 bytes long is the "Screen" virus... If you have
that, F-PROT and AVP (and probably others) should be able to remove it...

- -frisk

------------------------------

Date: Fri, 14 Jul 95 07:58:26 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: A New virus? PKZ300B.EXE PKZ300B.ZIP (PC)

dmackder@uk.oracle.com (Danny Mackdermott) writes:

>>>>PKZ300B.EXE
>>>>PKZ300B.ZIP

yep...those are Trojans...also 2.06 that I have seen floating around, and
well...some others... The last "real" version is (I think) 2.04g...anything
claiming to be later should be treated with extreme caution.

- -frisk

------------------------------

Date: Fri, 14 Jul 95 08:04:03 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: AV Software running under Win95 (PC)

a65si@csiunx.it.csi.cuny.edu (carroll herb) writes:

>I am kind of curious about the stuff I hear concerning
>Anti-Virus software not being able to be effective
>in Win95.

In general this is a misunderstanding. There are certain problem areas, but
they may or may not cause problems for the various anti-virus products.
Problem areas for scanners are long file names and possibly MBR
disinfection.
TSR programs are more likely to have problems...in particular if the
interrupts they hooked are not called any more.

- -frisk

------------------------------

Date: Fri, 14 Jul 95 08:24:42 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Remover for WHISPER? (PC)

henryhy@aol.com (HenryhY) writes:

>Hi all,
> I'm just wondering if there is an anti-virus program that can remove the
>WHISPER virus.

most of them can...at least F-PROT and AVP, but I would expect every other
program to...after all, this is a fairly common "in the wild" virus.

- -frisk

------------------------------

Date: Fri, 14 Jul 95 08:24:49 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Will the BootSector Virus-option in the CMOS secure my PC ? (PC)

sdkkah@mvs.sas.com writes:

>Hi, world
>If I set a CMOS-option called BootSector Virus = Enabled,
>can I rest assured, that NO boot-sector virus will infect my PC ?

Depends....If this is something you just change in the CMOS a virus could
easily change it back, right ?

If you change this with a DIP switch, you are pretty safe.. but not
quite... What if the virus does not go through the BIOS, but accesses the
ports directly when infecting ? What if the CMOS setting only protects the
MBR on the hard disk, and you get infected with a DOS boot sector virus ?
Or if it protects the DOS boot sector too, and you get infected with Brain,
that only infects floppy boot sectors ?

so, the answer is NO...but it helps quite a bit....it will prevent most
past, present and future boot sector viruses from infecting your MBR at
least....

- -frisk

------------------------------

Date: Fri, 14 Jul 95 08:24:16 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Jerusalem.sunday.nam virus help (PC)

sdsmith1@ix.netcom.com (Stephen D Smith) writes:

>My office has come down with a virus called "jerusalem.sunday.nam"
>today.
>It seems to be a dropper, leaving jerusalem.westwood.a and/or
>jerusalem.sunday.a in various .EXE and/or .COM files, but not infecting
>the PC HD's.

Eh...no...you just have a scanner that does not identify viruses properly,
and just cannot determine which variant this is.

>We are currently using McAfee 2.21. (Please no flames about that, it's
>the best I could get the office to do.)
>Tomorrow I'll be trying F-Prot 2.17, Dr Solomon, and TBAV.

Good idea...that should solve the problem nicely...

------------------------------

Date: Fri, 14 Jul 95 08:24:27 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Natas virus (PC)

warrakkk@medio.mh.se (Mikael hrberg) writes:

>Help! *panic*
>I have the Natas virus, but I just can't seem to get rid of it...
>Neither the latest Dr Solomon's Toolkit nor the latest F-prot can
>remove it. Well, that is, they both claim they can remove it, but
>none of them even FIND/DETECT the virus... :(

uh...they do. I see 3 possibilities:

1) You have a false alarm (complain to S&S)
2) You have a brand new variant (send the AV producers a sample)
3) You forgot to boot from a clean diskette before scanning.

- -frisk

------------------------------

Date: Fri, 14 Jul 95 09:04:40 -0400
From: mus4dlw@cabell.vcu.edu (Daniel L. Wilson)
Subject: PLEASE HELP with NEWBUG! (PC)

Machine in question: Maximus 486DX4 100 mhz 16 mb RAM

While installing PCTools, the virus checker said that it had found the
newbug virus in memory and that it had cleaned and destroyed it, but every
time I run it, I get the same message. So far, I have not noticed any
effects of the virus, except my machine *occasionally* locks up after
prolonged use (probably not the virus) and I can not access 32bit file or
disk access with Windows For Workgroups, no matter what I try.

Questions: Does anyone know the possible ways I could have gotten it? What
does it do? HOW DO I GET RID OF IT!!!

Please help me. This computer is only 3 weeks old. Before it I had been
using a 286 For years!
I have waited forever for this machine, I really don't want it ruined.

Thank you in advance. Please e-mail responses, I don't get to the news
groups much.

Dan Wilson
wilson@indy.arclch.com

------------------------------

Date: Fri, 14 Jul 95 08:39:59 -0400
From: rogert@mindspring.com (Roger Thompson)
Subject: Re: NYB or ANTI EXEC virus (PC)

KTBG41A@prodigy.com (Dennis Boutsikaris) writes:

>It infected my boot drives on both computers-laptop & regular-and Norton
>ANTI VIRUS won't help.

You have to boot the system from a clean floppy, and then try your a-v
software.

Regards
Roger Thompson
Thompson Network Software
Developer of The Doctor Anti Virus System

------------------------------

Date: Fri, 14 Jul 95 11:58:22 -0400
From: Rick Horlick
Subject: Re: /\/\ Can't get that Stupid Stealth_C virus off!!
/\/\ (PC)

F-Prot is able to recognize a "circular virus" (in which the same or
different virus infects the COPY of the boot record), and to replace the
master boot record. This has been a problem several times in our
organization, associated with an AntiEXE virus, and F-Prot seems smart
enough about stealthy viruses to make it unnecessary to do the "fdisk
/MBR". Others have successfully used some disk utilities that permit
completely replacing the master boot rec. Anything is better than finding
a second virus in the boot sector, right after a (seemingly) successful
cleanup of the first. There are some dangers associated with replacing
MBR, I guess, but Datafellows have the right idea in pre-scanning the
back-up boot record and advising the AV user of the situation.

______________________________________________________________________
Rick Horlick, Lab Coord.                      rhorlick@mtholyoke.edu
Mt. Holyoke College                           Voice: (413) 538-2386
S. Hadley, MA 01075                           Fax:   (413) 538-2246

------------------------------

Date: Fri, 14 Jul 95 12:40:54 -0400
From: Martin Veasey
Subject: Re: HELP---Could an undetected virus affect hidden system files? (PC)

rchenier@writer.synapse.net (Ray Chenier) wrote:

> A couple of months ago, I went down to the junkie (boot and mbr),
> PS-MPC (or something like that), and ANTI-EXE. Compliments of my
> educational institution and my stupidity... I have learned a lot
> since. With clean bootable disks using latest Mcafee and TBAV I
> cleaned everything (I hope). Something strange I have noticed is the
> hidden system files (Dos 6.22) using CHKDSK show a size of 20+Mb.
> Could this be something which is lingering on?? Does not look
> normal... Any feedback appreciated Ray Chenier
> (rchenier@writer.synapse.net)

Sounds OK to me ... I bet you've got a Windows permanent swap file of
20MB or so?
Martin Veasey                          | INTERNET lives
e-mail : martin@cheam.demon.co.uk      | in Cheam, Surrey, England

------------------------------

Date: Fri, 14 Jul 95 13:10:28 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Stoned.Empire.Monkey Virus!!!! (PC)

reggie@community.net (reg vito) writes:

>Does anyone know about this virus?? How to get rid of it????
>Any suggestions of sites where I can find any info. Anything.

We have a special note dealing with this virus...see below. You can also
use a program called KillMonk to remove it, but the usual "FDISK /MBR" does
*NOT* work, and will make the disk inaccessible...

- -----------------------------------------------
Frisk Software International - Technical note #7

Monkey virus removal

The problem with removing the Monkey virus is that it changes the data
part of the partition sector. This means that if you attempt to remove it
after booting from the hard disk, the virus is active and able to hide by
using stealth techniques. If you boot from a diskette, the partition data
is invalid, and all the drives on the hard disk seem to be gone.

What you need to do is:

1) Boot from a clean diskette
2) Run F-PROT /HARD /DISINF (not F-PROT C:)
3) Disinfect
4) Reboot the machine - the hard disk should re-appear, and the machine
   should be clean.

------------------------------

Date: Fri, 14 Jul 95 14:03:29 -0400
From: asman@com.msu.edu (Stephen W. Asman)
Subject: Re: Help with 10b7 virus !!!! (PC)

Mike wrote:

>I need information on the 10b7 virus. All I know is that it infects .exe files
>and is not memory resident.
>I found 130 occurrences of it on my HDD and I need to know what files i am
>likely to have got it from.
>The only new software on my system has been packaged software.
>
>I would greatly appreciate any help at all in the matter as No-one seems to be
>able to tell me what the side effects, or long-term effects of the virus are.
>

I just found this same virus on an end user's machine this morning, and I
would like as much information as I can get.

- ---------------------------------------------
Stephen W. Asman                               | Insert short but
Microcomputer Hardware & Software Coordinator  | Profound phrase here
College of Osteopathic Medicine                |
asman@cranium.com.msu.edu                      |
Michigan State University

------------------------------

Date: Fri, 14 Jul 95 14:04:43 -0400
From: JimBogart@aol.com
Subject: Testing Antivirus Programs (PC)

I would like to obtain some samples of "neutered" viruses to use in
demonstrations of antivirus scanner accuracy. My reason for this is that
some business people look at antivirus products as "elephant powder". I
need to demonstrate to them that their commercial antivirus programs are
capable (or are not capable) of identifying some viruses.

To be clear on the subject, I might talk to a company which uses (only for
example) Central Point AV and has never had an infection which CP did not
handle. I might suggest that a switch to F-Prot or AVP or whatever would
be appropriate. I would like to be able to demonstrate (in a safe manner)
that there are some types of viruses that the "name brand" AV products
don't handle.

To put my request in context, I don't sell AV products, but I do provide
network support. I am trying to find a better way to get business owners
to upgrade their AV protection.

------------------------------

Date: Fri, 14 Jul 95 16:25:18 -0400
From: iolo@mist.demon.co.uk (Iolo Davidson)
Subject: Re: Form Virus (PC)

J.Berg@sheffield.ac.uk "J.Berg" writes:

> I found the form virus on my PC yesterday and removed it with the
> disinfect/query scan of f-prot version 2.17. It told me that the virus
> had been removed, and on further scanning didn't detect it any more. Is
> this all I have to do? Is it really gone?

The fun answer is, "It's behind you!"

The boring answer is, if you haven't also scanned and cleaned ALL your
floppy disks, you will get reinfected eventually.
I like the fun answer best.

- --
CHEER UP FACE          OF SHAVE
THE WAR IS PAST        AT LAST
THE "H" IS OUT         Burma-Shave

------------------------------

Date: Fri, 14 Jul 95 16:32:13 -0400
From: Iolo Davidson
Subject: fixboot (PC)

Captain.Starlight@Adelaide.Edu.Au "Dave Sainsbury" writes:

> I used Zvi Netiv's FIXBOOT. All disks are fixed, data apparently intact.
> They scan clean with McAfee, F_PROT and VET.
>
> As I was breathing a sigh of relief I heard rumour that FIXBOOT
> has been removed from the public domain following the accusation
> that it is a Trojan Horse.

There was a fuss about this in here a while back. Some of the tools in the
Invircible package have been found to delete files with certain names
without warning. It isn't really sinister, just sloppy programming, but a
number of system administrators are taking the safe option.

> Can any-one help restore my confidence?

If you aren't missing any files, you are OK. If you want to read the whole,
long dissertation, you can find it somewhere on:

ftp.informatik.uni-hamburg.de:/pub/virus

- --
CHEER UP FACE          OF SHAVE
THE WAR IS PAST        AT LAST
THE "H" IS OUT         Burma-Shave

------------------------------

Date: Fri, 14 Jul 95 18:14:23 -0400
From: cjkuo@alumni.caltech.edu (Chengi J. Kuo)
Subject: Re: Monkey_b Help??? (PC)

darsidmoon@aol.com (DarSidMoon) writes:

> I have Monkey_b on a disk and try to clean it with the new viruscanner
>from Mcafee v2.20. It cleaned off my hard drive, but i can't seem to get
>it off a floppy. If you can help please get back to me. Thanks a lot

We seem to have had a problem cleaning diskettes on PC-DOS on that
version. That's fixed now.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Fri, 14 Jul 95 18:26:49 -0400
From: cjkuo@alumni.caltech.edu (Chengi J. Kuo)
Subject: Re: NYB Virus (PC)

jcfrank@ix.netcom.com (Chris Franklin) writes:

> This is not an Advertisement or Solicitation of ANY KIND!!
>There is currently an uprising of the NYB Virus.
>This Virus is also
>Known as the "None of Your Business" Virus. This Virus is a Boot

NYB stood for "boot sector virus first received from New York." Anyway,
that's why it got that name. The CARO name is B1.

Since my arrival at McAfee earlier this year, I have made an effort to make
McAfee conform more toward CARO names. But I prefer not to go back and
change names.

Jimmy Kuo
cjkuo@mcafee.com

PS. There was a post by someone who, being cute, wanted to name a virus
Ebola.
1) There is already a virus called Ebola.
2) The CARO members have made a gentlemen's agreement not to name anything
   Ebola.
3) That virus was renamed to Greets.

------------------------------

Date: Fri, 14 Jul 95 20:10:47 -0400
From: cjkuo@alumni.caltech.edu (Chengi J. Kuo)
Subject: Re: MONKEY_B help!!!! (PC)

venturax@aol.com (VenturaX) writes:

> I have two computers and have been transferring the data between them by
>tape and floppy disks. I have been scanning with McAfee v.2.1.3 and
>nothing has come up.. I downloaded the new vshield and now it says i am
>infected with Monkey_B. I downloaded the scan and it said the same
>thing.. When I scan with nomem option it doesn't catch it so i assume it
>is a stealth virus. The only problem is when i boot from a dos disk,
>my computer doesn't recognize the hard drive and i can't scan it. The only

I know this is not intuitive, but because you can't access C: does not mean
you can't scan it. If you scan A:, it will automatically check your
harddisk exactly because of this situation. And it will remove it.

>disk that i have with scan on it is getting can't read errors when i try
>to scan.. I am assuming that monkey_b affects the disks too.. If you have
>any suggestions please get back to me via e-mail. Thanks a lot

Jimmy Kuo
cjkuo@mcafee.com

------------------------------

Date: Fri, 14 Jul 95 20:14:17 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New Bug virus - also called ANTIEXE (?)
(PC)

Jack Linder (JLINDER@ccmail.turner.com) writes:

> I'm trying to find out more about the New Bug virus. I'm told it is similar
> (a derivative?) to the ANTIEXE virus. Anyone have information on New Bug?

New Bug is an alternative name of one of the AntiEXE variants (AntiEXE.B,
I think). We have a CARObase entry describing it; you can get the entire
CARObase from

ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/carobase/carobase.zip

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev           Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Fri, 14 Jul 95 20:14:14 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Parity Boot B (PC)

Tamara Borng (BORNG@bwl.bwl.th-darmstadt.de) writes:

> I got the Parity Boot B virus on my computer.

Not surprising. This is the most widespread virus in Germany.

> I removed it with
> McAfee. Now I always get the message "Loading Bootstrap"
> before the message "Loading MS DOS". What does this mean?

It probably means that McAfee's SCAN has overwritten the MBR with a small
program which displays this message at boot time. Since the virus resides
in the MBR, this is a "generic" way to remove it.

> What does Parity Boot B do?

At random times it displays the message "PARITY CHECK" and halts the
computer. It is also stealth and can survive a warm reboot on some
machines.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev           Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.   Vogt-Koelln-Strasse 30, rm.
107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Fri, 14 Jul 95 20:15:37 -0400
From: bpb@stimpy.us.itd.umich.edu (Bruce Burrell)
Subject: Re: What to do if a virus is detected? (PC)

KingRAC (kingrac@aol.com) wrote:

> For years, I've recommended that when a virus is detected at my workplace,
> the PC should be turned off and left unused until assistance is available
> to remove the virus. Recently, I heard that when a virus has been
> detected the PC should NOT be turned off. Can anyone advise me on the
> correct approach and why one approach is better than the other?

That would depend on the properties of the virus:

1. If the virus does random acts of violence only when the computer is
   booted, then leaving it turned on would *appear* to be the better
   strategy.

2. If the virus executes a payload at certain times while the computer is
   running, then clearly it is better to turn it off.

I claim that it is better to turn it off. As long as you don't turn it
back on until you boot from a write-protected, uninfected floppy, and as
early as possible during startup you enter CMOS to make absolutely certain
that it is a genuine diskette boot, you're doing about the best you can.
You're going to want to do a clean boot eventually; why give a virus like
the one in case (2) a chance to make things worse?

Note that leaving it turned on runs the risk of inadvertently infecting a
diskette put in one of the floppy drives.

So turn it off. Take away the power cable and put a big note on it not to
use it until the appropriate guru fixes it.

-BPB

------------------------------

Date: Fri, 14 Jul 95 20:15:35 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: standard AV techniques for apps (PC)

Karsten Hilbert (med94ecz@studserv.uni-leipzig.de) writes:

> - - What standard code (technology/method) should be keyed into apps
> to make them less prone to virus attacks ? e.g.
> crc'ing, header-scanning,
> startup scan of the first say 5 instructions and the last 2 or so ?
> Any suggestions ?

Any of these techniques will make the applications less prone to virus
attacks. None of them will make the applications totally immune to virus
attacks.

> - - Does it make any sense to intercept int 13h/26(27) to prevent absolute
> disk writes to the boot sector to prevent some viruses from spreading ?

Not really. It is trivial to bypass, no known viruses use INT 26h for
replication (although some use it to cause damage), and DOS itself uses
INT 13h all the time, so such a "watchdog" will simply annoy the user.

> Those hints oughta be useful for numerous app-builders.

Believe it or not, most app-builders don't care about computer viruses and
know next to nothing about them.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev           Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Fri, 14 Jul 95 20:16:47 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: NEW (STEALTH) VIRUS found (PC)

erik lenhard (lenhard@rbg.informatik.th-darmstadt.de) writes:

> Assuming that my computer is infected by a new virus, which I would like to call
> EBOLA because it is very infectious but shows its symptoms relatively early,

Whatever it turns out to be, please don't call it "Ebola" since this is
likely to create confusion. First, there was a hoax about a computer virus
called Ebola which infects humans. Second, there used to be a computer
virus named like that but we (CARO) changed the name because of the hoax -
to avoid confusions.
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev           Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 70]
*****************************************
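Added example (not part of the digest, and not code from F-PROT, McAfee,
Dr Solomon's or any other product named in it). Frisk's technical note #7 on
Monkey says the virus changes the data part of the partition sector, so a
clean floppy boot shows no hard disk and "FDISK /MBR" leaves the disk
inaccessible; Rick Horlick's post discusses replacing the whole master boot
record, and Vesselin Bontchev's Parity Boot reply describes a generic MBR
rewrite. The Python below makes the partition-table point concrete: it parses
a 512-byte MBR image, reports why DOS could mount nothing from it, shows that
a code-only rewrite in the style of FDISK /MBR keeps a bad table, and restores
the table from a trusted copy. Every sector it works on is constructed inside
the script (the "damaged" table is just the clean one XORed with an arbitrary
key, not the real virus's layout or key); the 446-byte code area, the four
16-byte entries and the 0x55AA signature are the standard MBR format.

```python
"""MBR partition-table sanity check (added example, constructed data only)."""
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # bytes 0..445 hold boot code, then 4 x 16-byte entries
SIGNATURE = b"\x55\xaa"     # bytes 510..511 of a valid MBR
ENTRY_FORMAT = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, LBA start, sector count


def make_entry(boot_flag, ptype, lba_start, sectors):
    """Build one 16-byte partition entry (CHS fields left zero: constructed data)."""
    return struct.pack(ENTRY_FORMAT, boot_flag, b"\0\0\0", ptype, b"\0\0\0",
                       lba_start, sectors)


def make_mbr(boot_code, entries):
    """Assemble a 512-byte MBR from boot code and up to four entries."""
    code = boot_code.ljust(TABLE_OFFSET, b"\x00")[:TABLE_OFFSET]
    table = b"".join(entries).ljust(64, b"\x00")
    return code + table + SIGNATURE


def parse_table(sector):
    """Return the four entries as dicts without judging them."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR image must be exactly 512 bytes")
    entries = []
    for i in range(4):
        boot, _chs0, ptype, _chs1, start, size = struct.unpack_from(
            ENTRY_FORMAT, sector, TABLE_OFFSET + 16 * i)
        entries.append({"boot": boot, "type": ptype, "start": start, "size": size})
    return entries


def table_problems(sector):
    """List reasons no drive could be mounted from this MBR (empty list = sane)."""
    problems = []
    if sector[510:512] != SIGNATURE:
        problems.append("missing 55AA signature")
    entries = parse_table(sector)
    used = [e for e in entries if e["type"] != 0]
    if not used:
        problems.append("no partitions defined")
    if sum(1 for e in entries if e["boot"] == 0x80) > 1:
        problems.append("more than one active partition")
    for i, e in enumerate(entries):
        if e["boot"] not in (0x00, 0x80):
            problems.append(f"entry {i}: boot flag {e['boot']:#04x} is neither 00 nor 80")
        if e["type"] != 0 and (e["start"] == 0 or e["size"] == 0):
            problems.append(f"entry {i}: used entry with zero start or size")
    ranges = sorted((e["start"], e["start"] + e["size"]) for e in used)
    for (_s1, end1), (start2, _e2) in zip(ranges, ranges[1:]):
        if start2 < end1:
            problems.append(f"partitions overlap at LBA {start2}")
    return problems


def rewrite_code_only(sector, clean_code):
    """What FDISK /MBR does: new code in bytes 0..445, table and signature kept as found."""
    return clean_code.ljust(TABLE_OFFSET, b"\x00")[:TABLE_OFFSET] + sector[TABLE_OFFSET:]


def restore_table(sector, trusted_copy):
    """Keep the code already in `sector`; take table and signature from a trusted copy."""
    return sector[:TABLE_OFFSET] + trusted_copy[TABLE_OFFSET:]


def disinfect(sector, clean_code, trusted_copy):
    """Full repair: fresh code AND the table from a trusted copy (code alone is not enough)."""
    return rewrite_code_only(restore_table(sector, trusted_copy), clean_code)


# Constructed samples.  CLEAN_MBR: placeholder loader, an active FAT16 primary
# partition and an extended partition.  DAMAGED_MBR: a stand-in loader and the
# same table XORed with an arbitrary key, imitating "the data part changed".
CLEAN_CODE = b"\xeb\xfe" + b"\x90" * 444                     # jmp $ ; nop ... (placeholder)
CLEAN_MBR = make_mbr(CLEAN_CODE, [
    make_entry(0x80, 0x06, 63, 1_000_000),
    make_entry(0x00, 0x05, 1_000_063, 500_000),
])
FAKE_KEY = 0x5A                                              # arbitrary, not a real virus key
DAMAGED_MBR = (b"\xeb\xfe" + b"\xcc" * 444                   # stand-in loader, not virus code
               + bytes(b ^ FAKE_KEY for b in CLEAN_MBR[TABLE_OFFSET:510])
               + SIGNATURE)

if __name__ == "__main__":
    print("clean:          ", table_problems(CLEAN_MBR) or "table OK")
    print("damaged:        ", table_problems(DAMAGED_MBR))
    print("after FDISK/MBR:", table_problems(rewrite_code_only(DAMAGED_MBR, CLEAN_CODE)))
    print("after disinfect:", table_problems(disinfect(DAMAGED_MBR, CLEAN_CODE, CLEAN_MBR)) or "table OK")
```

Run stand-alone it prints the verdict for each sector: the damaged table fails
on its boot flags and overlapping entries, and still fails after the code-only
rewrite. Note that restore_table on its own leaves the stand-in loader in
place; disinfect replaces both the code and the table, which is what a proper
cleanup has to do, and the sanity check is what to run on the repaired sector
before rebooting from the hard disk.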