VIRUS-L Digest   Thursday, 10 Aug 1995    Volume 8 : Issue 71

Today's Topics:

Re: methods of scanning
Re: Illegal to write viruses?
Cross linked file
Re: physical damage to systems
Re: Virii: A simple question
Re: Virus Test Center
Re: Unix/Dos Partition Virus Problem (PC) (UNIX)
Re: Mischief virus on OS/2, it won't go away. (OS/2)
Re: Viruses & OS/2 (OS/2)
Re: Where is this virus hiding?? (PC)
Re: Aniti Virus Program Suggestions? (PC)
Re: D3 boot virus? Bangledeshi? (PC)
Re: What to do if a virus is detected? (PC)
Re: Crosslinked files (PC)
Re: Dummy "Virus" for Test Purposes (PC)
Re: Three tones or flip virus on PC (PC)
Isralie Boot (PC)
DA'BOYS virus (PC)
Re: Crosslinked files (PC)
Re: Info re FORM (PC)
Re: WELCOMEB/Butpboot caught (PC)
Re: Wanted Info on Junkie Virus (PC)
Re: /\/\ Can't get that Stupid Stealth_C virus off!! /\/\ (PC)
Re: MONKEY-A Information Sought (PC)
Protecting a SCSI Drive (PC)
Re: sblank/magic problems (PC)
Re: Scanners getting slower (benchmarks) (PC)
Re: NAV 3.0 - FORM Killing me!!! (PC)
Re: Monkey B virus (PC)
Re: EMM386 error #00 (PC)
Re: What to do if a virus is detected? (PC)
MONKEY_B virus (PC)
Re: Where can I get AVP 2.2? (PC)
Re: What is a virus .COV file? (PC)
Re: AV Software running under Win95 (PC)
Re: VIRUS 1575 (PC)
Re: /\/\ Can't get that Stupid Stealth_C virus off!! /\/\ (PC)
Re: Remover for WHISPER? (PC)
Re: Doom II Death, what I know. (PC)
Re: FORM_A virus on my MS-DOS system disks!?! (PC)
Re: Ripper virus sighting (PC)
Re: Jerusalem.sunday.nam virus help (PC)
Re: CARO Naming Convention (PC)
Re: NYB or ANTI EXEC virus (PC)
Re: Stoned.Empire.Monkey Virus!!!! (PC)
Re: Will the BootSector Virus-option in the CMOS secure my PC ? (PC)
Re: follow up... (ide-hard disk driver prog, PC). (PC)
Re: Virus "SHOO (PC)
Re: MONKEY_B help!!!! (PC)
"Editor" needed (PC)
Re: NYB Virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart.
Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 14 Jul 95 20:19:07 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: methods of scanning

Planar (Damien.Doligez@inria.fr) writes:

[about my algorithmic description of how to detect V2Px]

> Is there any good reason to do this instead of a search with a good
> regular expression ?

Yes - regular expressions do not easily support permutations. That is, you'll have to use 24 regular expressions for this particular virus - because the important instructions in the decryptor can be arranged in 24 different ways. There are viruses which are *much* more polymorphic; I gave a relatively easy example. (Gosh, if I had known, five years ago, that I'd call the polymorphism used in V2Px "easy"! It seemed something terribly sophisticated at the time - you know, death of all scanners and so on.)

> Are there any polymorphic viruses that cannot be
> detected with one or a few regular expressions ?

Yes - for instance the MtE-related viruses. Actually, there is nothing magic in the regular expressions.
Peter Radatti sells a Unix-based user-programmable scanner which has a *much* more sophisticated and powerful pattern matching language, but even it is helpless against such things as the MtE- (or TPE-, or...) based viruses.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Fri, 14 Jul 95 20:19:03 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Illegal to write viruses?

ScottS95 (scotts95@aol.com) writes:

> In the (US) state of Minnesota, it is a Class-C felony to knowingly write
> and/or disseminate any destructive software (be it a virus or a database
> that blows away products by competitors, or a time bomb in the payroll
> program.) Penalties are 2 years in the jug and/or $5000 fine with
> restitution possible as well.

Could you please send me the exact text of the law? AFAIK, distributing computer viruses is, alas, not illegal in the USA, if their recipients know that they are indeed viruses. Only infecting someone's machine WITHOUT THEIR AUTHORIZATION is illegal.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Fri, 14 Jul 95 23:50:49 -0400
From: bill.lambdin@woodybbs.com (Bill Lambdin)
Subject: Cross linked file

iolo@mist.demon.co.uk writes

>It could be a virus. With DIR II, all executables are cross
>linked (though you can't tell when the virus is stealthing).
>Some other viruses swap bits of the disk buffers at random as
>their payload, which will give you crosslinks when the buffers
>are being used to update the FAT.

Cross linked files can also occur when users turn off the computer while files are left open.

Bill

bill.lambdin@woodybbs.com                    9CCD47F3C765CA33
blambdin@aol.com          PGP fingerprints   C77D698B260CF808
- ---
 * CMPQwk 1.4 #1255 * Viruses often make my FAT go on a crash diet.

------------------------------

Date: Sat, 15 Jul 95 01:56:39 -0400
From: bpb@stimpy.us.itd.umich.edu (Bruce Burrell)
Subject: Re: physical damage to systems

Robert Pearlman (rp@esp.bellcore.com) wrote:

[snip]

> Is somebody kidding us? A big
> difference between biological virii and software virii is that the
> biological ones are not malicious, just trying to make a living and
> reproduce their kind, like the rest of us. Software virii are always
> malicious (to date).

Hmmmph. Most software viruses are *not* malicious, although some are. Most, like their biological counterpart, try only to spread. They are pernicious in that they consume resources without permission and require an unwelcome expenditure of effort to remove, and some cause unintentional damage. We should expend effort to control, remove and, to the best extent possible, prevent them. Except for the few, however, they are benign.

-BPB

------------------------------

Date: Sat, 15 Jul 95 12:25:11 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virii: A simple question

Chris Walker (walkerc@capitalnet.com) writes:

> Why is it not possible for a virus to infect various forms of computers?

But it *is* possible to write a virus which would be able to infect completely different computers. Such viruses do not exist yet; it is easy to write them; but there is no point doing so - such a virus would be bigger, clumsier, and more difficult to spread than *two* viruses - each written for the particular platform.
(BTW, viruses which can infect different platforms are called multi-platform viruses.) Different computers rarely share executable code, so there will be only a small chance for such a virus to spread from one platform to another. But it is definitely possible to do it.

> If they are written in a language that both computers can comply, then
> I see no reason why it cannot harm both brands?

Correct - except that using the same language is not always sufficient
- - some other parts of the environment are also important - like the file system used, etc.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Sat, 15 Jul 95 13:32:49 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus Test Center

Ricerca (ricerca@pangea.ohionet.org) writes:

> I am looking for information on the Computer Virus Catalog. What is the
> cost?

It's free.

> How can I order it?

By ftp.

> I believe it is published by the Virus
> Test Center in Hamburg, Germany.

Correct.

> Does anyone have their address,
> Internet address or fax number?

ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/catalog/

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Fri, 14 Jul 95 20:20:32 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Unix/Dos Partition Virus Problem (PC) (UNIX)

Ken O'Neil (koneil@ix.netcom.com) writes:

> I am running a system with a dos and SCO unix partition. My dos
> partition became infected with the Siglet and Cansu virus, and my boot
> sector became corrupted.

This is how MSAV/CPAV calls the V-Sign virus. This virus infects the MBR; not the OS Boot Sector. There is only one MBR on your hard disk and it doesn't matter what's in the partitions (DOS, Unix, etc.).

> My problem is this. When I activate my Unix partition and boot to dos
> by entering "dos" at my "BOOT:" prompt, the virus still seems to load
> because my base memory drops from 655360 to 654336.

This indeed sometimes indicates a virus but can also be caused by many other things - like memory managers, BIOSes, SCSI controllers, etc. The only certain way to tell whether you have the V-Sign virus or not is to run an anti-virus program which is able to detect it.

> If the virus is not on the boot sector of either partition, and I have
> restored my original Master Boot Record, then WHERE IS IT!

Then this particular virus is *not* on your hard disk.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Sat, 15 Jul 95 12:29:39 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Mischief virus on OS/2, it won't go away. (OS/2)

Kyle Barrow (etazura@ibm.net) writes:

> Unfortunately it's still here.
> I have run IBM Antivirus/2 and F-Prot and
> IBM Antivirus/Dos but they cannot recognise the virus.

The above (and your Subject: line) suggests that you are using OS/2.

> The symptoms of the virus are erratic mouse movements every 5 to 10 mins.
> The virus was accidentally downloaded while searching gopherspace using
> veronica. My host was: gopher.eunet.cz
> The path was: g2go4 70 sunsite.doc.ic.ac.uk /aminet/game/gag
> There seem to be 2 files associated with the virus, they are: mischief.read and
> mischief.lha
> I have reinstalled mouse.sys but the virus remains. The mischief.read file
> which I think installed the virus, states that the virus is a "display hack"
> using the input.device to cause mischief.

However, this suggests that you are using an Amiga. Could you please specify your environment more precisely? There *is* an Amiga (or Atari?) virus which causes erratic mouse behaviour but I am not aware of such a virus for OS/2. And, of course, a DOS or an OS/2 anti-virus program is not going to help you to remove an Amiga virus...

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Sat, 15 Jul 95 12:39:04 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Viruses & OS/2 (OS/2)

Keith Bennett (kbennett@cpcug.org) writes:

> 1) How vulnerable are OS/2 systems to DOS viruses?

This is too general a question. Some DOS viruses can run under OS/2 in a DOS window.

> Assuming an OS/2
> system's MBR or boot sector is infected, will the virus code remain
> active after OS/2 boots?

Usually - not. However, in some cases the virus can remain active.
For instance, one of our students has observed cases when a stealth MBR infector (Parity_Boot.B) successfully "stealths" its presence on the disk even after OS/2 has been loaded. (The virus is unable to infect floppies though - I don't know why.) This seems to happen when OS/2 can't recognize the hard disk controller and uses its generic disk driver (INT13something; don't recall the exact name).

> Do any of these viruses do damage as soon as they are loaded?

Yes, some do. A typical example is Michelangelo. Needless to say, such viruses will be able to cause their damage at boot time - regardless of which OS is loaded afterwards.

> If they
> just sit and wait until later, does OS/2 erase or nullify it when it boots
> because of its protective features (protected memory, inaccessibility of
> memory across process boundaries, etc.)?

OS/2 *never* erases the virus. However, in most (all?) cases it prevents the boot sector viruses from replicating further.

> 2) How helpful would DOS antivirus software be if run in a DOS window
> under OS/2?

Helpful enough. There might be some problems removing boot sector viruses because (AFAIK) OS/2 does not allow direct disk writes.

> Certainly it could only inspect its own RAM and not that of
> other processes.

Certainly.

> Would it be able to bypass the OS and access the disk
> directly?

No, but it is not needed.

> 3) Can anyone recommend good software to use? I tried McAfee, but it
> cannot remove the FORM_A virus it found. This software should be OS/2

McAfee's is the only shareware OS/2 anti-virus software I know - the others are commercial. If you can afford a commercial package, several companies sell one - for instance, S&S International (sell Dr. Solomon's Anti-Virus Toolkit for OS/2), IBM (sell IBM Antivirus/2), etc.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Fri, 14 Jul 95 20:20:26 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Where is this virus hiding?? (PC)

Ivory Dragon (ivory@netcom.com) writes:

> Based on the fact that the virus is active even without the hard drive
> being "present", it looks like this virus may have infiltrated your CMOS.

This is impossible. The rest of your "advice" can be safely ignored.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Fri, 14 Jul 95 20:20:35 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Aniti Virus Program Suggestions? (PC)

Martin J Walsh (Bob1@ibl.bm) writes:

> I am currently investigating virus checkers and came across the following
> document, which I found gave a very detailed & comprehensive comparison of

[snip happens]

> They recommended using Central-Point (as this got the top overall marking,

At this point you should have stopped reading and should have thrown away the document as incompetent. CPAV is one of the worst anti-virus programs around. It even fails to complete any serious test against a good virus collection. The only good thing in it is its user interface, and a "tester" who pays attention to this more than to the miserable anti-virus properties is incompetent.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Fri, 14 Jul 95 20:20:29 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: D3 boot virus? Bangledeshi? (PC)

Jason Wareham (jrwareha@puc.edu) writes:

> I have got this virus detected as the D3 Boot virus, my prog. will detect
> but not clean. I got it when I went to Bangladesh. PLEASE HELP!!!!!! I

If I remember correctly, this is how an old version of Dr. Solomon's Anti-Virus Toolkit calls one of the variants of the AntiEXE virus. The best solution is to obtain an update for it. If, for some reason, you can't do it, then consider getting one of the available good virus scanners like AVP or F-PROT. Both (and many others) can disinfect this particular virus. You can get them from e.g., ftp://oak.oakland.edu/SimTel/msdos/virus/

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Fri, 14 Jul 95 20:22:52 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: What to do if a virus is detected? (PC)

KingRAC (kingrac@aol.com) writes:

> For years, I've recommended that when a virus is detected at my workplace,
> the PC should be turned off and left unused until assistance is available
> to remove the virus. Recently, I heard that when a virus has been
> detected the PC should NOT be turned off. Can anyone advise me on the
> correct approach and why one approach is better than the other?

It doesn't really matter. Chances are that you have turned your PC on and off multiple times before discovering the virus, so turning it off one more time or not hardly matters.
The important thing is to seek the assistance of a competent person.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Fri, 14 Jul 95 20:37:01 -0400
From: bpb@stimpy.us.itd.umich.edu (Bruce Burrell)
Subject: Re: Crosslinked files (PC)

Kenneth Albanowski (kjahds@kjahds.com) wrote, and others responded similarly:

> Cross-linked files are usually caused by shutting off the machine, or
> rebooting it, before files have been completely written to disk.

Huh?!? Has anyone out there actually observed this phenomenon? I know that shutting off the machine can cause the CHKDSK message "xxx lost clusters found in yyy chains", but that's a different animal. Assuming that the system is uncorrupted at the time the machine is turned off, I believe that cross-linking is highly unlikely if not impossible. I offer a friendly challenge to any of the claimants that cross-linking can happen by turning off the machine to demonstrate it in a replicable fashion.

-BPB

------------------------------

Date: Fri, 14 Jul 95 20:52:07 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Dummy "Virus" for Test Purposes (PC)

JimBogart@aol.com (JimBogart@aol.com) writes:

> I would like to put one or more dummy "viruses" on a disk in order to verify
> that a TSR is properly hooked in to a networked workstation.

You can't. A scanner is designed to detect *real* viruses, not dummy ones. Any test conducted with "dummy" viruses tells you absolutely nothing about the ability of the scanner to detect a real virus.

> I have F-Prot
> installed but am not sure that Virstop is set up correctly.
> This by the way
> is running from C on the individual workstations rather than from the server.
> If I ask MEM what is in memory I see Virstop but its own self test F-Test.Com
> says that Virstop is not running.

Trust what Virstop tells you. After all, it's created by the author of Virstop and he would know better whether Virstop is loaded and active or not, right? Since you see that it is loaded, the only explanation is that it is not active. And indeed, loading the network shell disconnects many TSR programs. Run Virstop with the /REHOOK option and it will be re-activated.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Fri, 14 Jul 95 22:19:44 -0400
From: cjkuo@alumni.caltech.edu (Chengi J. Kuo)
Subject: Re: Three tones or flip virus on PC (PC)

"Mauricio A. Echeverr!a." writes:

>I have the three tones virus which I believe to be a flip variant on my PC.
>I have used McAfee 2.21e which called it a flip variant (hence my belief)
>and f-prot 2.17 which called it three tones. The computer is a 4Mb 25MHz 386
>compaq deskpro 3/25i with an 80mb internal hard disk and a 1.44m floppy. The
>virus boots up with DOS 6.22 and continues playing its tune even when windows
>is entered. As the name implies one of three depressing tunes is played
>monotonously in the background, starting at boot time. The virus certainly
>infects .com and .exe files. Infections also appeared in .386 and .ovl
>files though all others came up clean. It does not appear to be a boot
>infector, as neither program has reported infections there. Neither program
>was able to disinfect the virus infected files.
>Can anyone tell me how to
>get rid of it, and whether there are any hidden nasties like wiping the
>harddisk one time in 512 or anything, that should prevent use of the
>machine in the meantime? Many thanks in advance,

McAfee's Scan 9507 DAT file update can now remove it under the name of Three Tunes.

Jimmy Kuo
cjkuo@mcafee.com

------------------------------

Date: Fri, 14 Jul 95 22:58:03 -0400
From: Charles Barilleaux
Subject: Isralie Boot (PC)

Hi!

I ran McAfee's Virus Scan on a friend's computer, and it showed that there were traces of the "Isralie Boot" virus in his memory. I booted from a clean floppy, and scanned again, and it found *nothing* on the hard drive. He did have an old copy of vsafe in memory. How can I be sure he doesn't have a virus on his drive? Just what does the Isralie Boot do, anyway?

Thanks in advance,
Charles

- ----------------------------------------------------------------------------
Charles Barilleaux                         OS/2, Linux, Windows, NetWare
cbarilleaux@delphi.com                     PGP Public Key Available On Request
cbarilleaux@miavx1.acs.muohio.edu          Lake Charles, Louisiana
"If this has been a rotten day, do one thing to turn it around-- without using alcohol, potato chips, [caffeine,] or chocolate." --Lona O'Connor

------------------------------

Date: Fri, 14 Jul 95 23:00:18 -0400
From: bug3654@IMAP2.ASU.EDU
Subject: DA'BOYS virus (PC)

Last week I downloaded F-PROT 2.18a, ran it, and learned I had the DA'BOYS virus. I found out later that there was an outbreak at Arizona State University and that's where we picked it up. F-PROT 2.17 and MSAV (included with DOS 6.22) DO NOT DETECT this virus. I looked up the virus at the Data Fellows Ltd www site (http://www.datafellows.fi) and it described it as a boot sector infector that overwrites the DOS boot sector. I first tried disinfect. That made the computer unbootable from the c: drive (expectable). Booting from a clean floppy, I checked the c: directory and got a list of symbols and junk.
Running F-PROT 2.18a from a clean floppy boot no longer detects the virus, but there are still the strange symbols and smiley faces. After a long learning period and a lot of screwing around, I think I finally got rid of this thing with "FDISK /MBR" and "SYS A: C:" from a clean DOS 6.22 installation disk I have. Although Data Fellows explained what it is, it didn't explain what it does (I didn't notice any symptoms). I haven't been able to find anything on it anywhere else. I would really appreciate any information anyone might have on this virus and how to get rid of it properly. I have a few friends who might have this thing too.

Thanks,
Forest Brown

------------------------------

Date: Fri, 14 Jul 95 23:07:08 -0400
From: hwardlow@freeside.fc.net (Houston Wardlow)
Subject: Re: Crosslinked files (PC)

Kenneth Albanowski (kjahds@kjahds.com) wrote:

: > In my work environment, I've recently noticed the frequency with which
: > the machines I maintain have problems with crosslinked files. The problem
: > sometimes gets so bad that Norton Utilities can't unscramble the files.

Low voltage conditions (esp. outside of a 5% tolerance) can cause this as well. Bad news for data, good news for UPS vendors.

- -Houston

------------------------------

Date: Fri, 14 Jul 95 23:10:29 -0400
From: SLBENDER@aol.com
Subject: Re: Info re FORM (PC)

Keith Bennett @ Bennett Business Solutions, Inc. wrote about the FORM_A virus. I came across that one, from a malfunctioning computer I was upgrading. User was from a local college, what else. McAfee would not remove it. Try Dr. Solomon's Toolkit, version 7 if I recall. It's a DOS / Windows / NetWare package.

- -- Ray Chenier - Hidden system files of 20MB+

Whoa Dude; try 220K for Windows 95, 50K for DOS 6.2. Make a backup of valuable data. !!!

- - Steven L. Bender < slbender@aol.com >

------------------------------

Date: Fri, 14 Jul 95 23:28:21 -0400
From: cjkuo@alumni.caltech.edu (Chengi J. Kuo)
Subject: Re: WELCOMEB/Butpboot caught (PC)

"Kurt W. Miles" writes:

>Our corporate policy is to scan ALL (files, diskettes, CD-ROM, etc.)
>media received from external sources, as well as running vshield at all
>times (we do have a site license).

Good for you!

>The company I work for has just received some diskettes from India.
>McAfee's Scan (v2.2.0, Apr 95) and Vshield (v2.2.0, 13 Apr 95) identify
>the virus as the boot sector virus WELCOMEB. F-Prot 2.18a identifies it
>as a boot sector virus Butpboot. (BTW, the older version of McAfee
>identified it as a boot sector virus Butp.4196).

It's one and the same and the CARO name is WELCOMB.

>Obviously we caught this before anything was infected, and all the
>machines that came in contact with the infected diskettes have been
>booted from clean diskettes and checked, and found to be clean. The
>provider checked the disks before sending them using Norton AV (version
>unk, date unk), and apparently found nothing.

Must have been an old version of NAV. This virus was the last one I did for them in December.

>I could not find anything in the info files with the two scanners I
>have.

Just spreads. Has a message "BUPT" and "9146" in it.

>Can anyone provide some information on these for me? Disinfectant
>creators who may need more information may also contact me at the address
>below.

Scan can clean it.

Jimmy Kuo
cjkuo@mcafee.com

------------------------------

Date: Fri, 14 Jul 95 23:53:22 -0400
From: napoleon@enterprise.america.com (Craig Posey)
Subject: Re: Wanted Info on Junkie Virus (PC)

John Saxon (jsaxon@pcug.org.au) wrote:
: kanen@melbpc.org.au (Janice Kanen) wrote:
: >I am looking for any information on the Junkie Virus, particularly what it
: >does and any clean programs available. I have a short article from CIAC and
: >have looked at vsum with no luck.

: I have also had no luck finding info on this one. It currently infects
: several files on my new 75MHz Pentium system which I brought in So
: California.
: I found it using McAfee Viruscan Vrs 2.21 (the MS
: antivirus does not include Junkie).
: So far I have not been able to eliminate it (do not have a clean boot
: disk with McAfee S/W ). But am working on that one.
: So far I have not noted any adverse effects on my system - but it is
: definitely spread via the copy command to MBRs, floppy disks, etc.
: Unfortunately I think I may have already spread this to 3 or 4 friends
: via Floppy disks - so I'm feeling pretty guilty.

While it initially shows up on an infected machine in two places, to wit, in active memory and in the boot sector, it also infects .com files as a means of doing its damage. It is also a bugger to get rid of. Even a clean machine seems to become reinfected within days or weeks for no apparent reason. You definitely need to get a clean boot disk (you don't really need a clean copy of McAfee since it will scan itself) in order to rid Junkie from memory. Then run SCAN /ADL /CLEAN to rid your system of it.

Two other hints. Doing a warm boot (CTRL-ALT-DEL) will not clear Junkie out of memory. You must turn the machine physically off before you boot. Also, write protect the boot disk prior to its usage.

N

------------------------------

Date: Sat, 15 Jul 95 01:44:25 -0400
From: bpb@stimpy.us.itd.umich.edu (Bruce Burrell)
Subject: Re: /\/\ Can't get that Stupid Stealth_C virus off!! /\/\ (PC)

Mike Mahnken (beaumich@texas.net) wrote:

[snip]

> Don't know about floppies, but we had a system with both NYB and
> Stealth-C and used an undocumented fdisk option to remove them.
> fdisk /mbr
> This was not accepted by a DOS 5.0 system, but you want to boot with a
> clean floppy anyway, so make a clean 6.2+ boot floppy and include
> fdisk on it. Use this boot floppy to clean up the infected hard
> drive. I haven't found any documentation on the /mbr option to fdisk,

That's because it's undocumented.

> but the guy who told me about it said it writes a new master boot
> record.
> It taps the hard drive lightly (you have to watch quick!) and
> it's done. Nothing modified except the MBR, and MBR virus is gone.
> Don't know if it's universal, but it's gonna be the first thing I try
> for MBR infections from now on!

It's not universal, and I strongly suggest that you neither try it nor recommend it. If you use it with e.g., the Monkey virus, your hard drive will become inaccessible. If you have the misfortune of contracting One-half, you won't know how much of your hard drive still needs to be decrypted. Antivirus software is, sadly, a necessity in today's computing environment. Since reliable packages will only apply solutions when they are almost certain to be safe, it is much better to employ them instead of a procedure that is blind.

JUST SAY NO TO FDISK/MBR!

(Let me commend you for not stating that it will always work, and for tempering your suggestion with a caveat that you didn't know whether it would always work. I wish everyone who was uncertain would exercise such restraint.)

-BPB

------------------------------

Date: Sat, 15 Jul 95 01:48:53 -0400
From: bpb@stimpy.us.itd.umich.edu (Bruce Burrell)
Subject: Re: MONKEY-A Information Sought (PC)

Steve Gallipeau (galip@vnet.net) wrote:

> From my experience 'cleaning' machines, the Monkey-A virus can be
> easily cleaned with a good program like IBM AV/2. Basically it
> infects the BS and Partition Table

Fine so far.

> and creates up to 4 non-dos partitions.

Huh? It merely encrypts the current MBR and writes it to a new location.

> It is usually wiser to just fdisk /mbr, delete all partitions, recreate
> the partitions you want (usually just Primary), and reinstall your SW.

Fiddlesticks. Monkey doesn't do any harm to the data on the hard drive (assuming the first partition doesn't start on Cylinder 0, Head 0). It is wiser to use a quality antivirus program to remove it, then disinfect all floppies, and, if possible, set CMOS to boot from the hard drive first in the future.
-BPB

------------------------------

Date: Sat, 15 Jul 95 03:16:32 -0400
From: Bart Aronoff
Subject: Protecting a SCSI Drive (PC)

I've just got a new computer at work, with a 1 gig SCSI drive. Is there anything special I should do to prevent problems or disasters from boot sector viruses? On my other machine I kept a rescue disk from Norton's, and also a boot record image from TBAV.

Thanks,
Bart Aronoff -=- bart@pixi.com

------------------------------

Date: Sat, 15 Jul 95 04:23:47 -0400
From: cjkuo@alumni.caltech.edu (Chengi J. Kuo)
Subject: Re: sblank/magic problems (PC)

Graham Hannah writes:
>Hi Ho,
>We have had a rise in the occurrence of the s-blank or magic virus
>depending on whether you like f-prot or mcafee's name.
>(we are implementing shields rather than just scanners now :-)
>We can clean it off floppy disks using f-prot with no problem.
>But when we boot up clean onto an infected PC we can't see any
>partitions on the harddisk.
>f-prot doesn't see the drive so can't clean it, mcafee does find the
>infected disk but doesn't know how to clean it.

McAfee Scan's 9507 DAT update can now remove it. It has been renamed to Frankenstein.

Jimmy Kuo
cjkuo@mcafee.com

------------------------------

Date: Sat, 15 Jul 95 07:02:00 -0400
From: low@sja.pc.my
Subject: Re: Scanners getting slower (benchmarks) (PC)

> Eugen_Woiwod@mindlink.bc.ca (Eugen Woiwod) writes:
> low@sja.pc.my (peng-chiew low) writes:
> If you mean Anti-virus TSR's, almost all of em slow down the computer A LOT.

Not so with Norman Armour. It is a device driver that takes about 13k of memory. Have tried and can safely recommend it.

------------------------------

Date: Sat, 15 Jul 95 10:28:23 -0400
From: netz@actcom.co.il (Zvi Netiv)
Subject: Re: NAV 3.0 - FORM Killing me!!! (PC)

steve@vp-14.eushc.org (Owen Gee) writes:
:->My system has the FORM virus resident in memory.
:->Norton Anti-Virus 3.0 scans and finds the virus every time
:->I boot the system and it will not stop.
:->I've tried to bypass
:->Norton and cannot for some reason. Norton halts the system before
:->I can get to the c:> prompt and do anything.
>> Cannot boot from drive a: either. What must I do???

frisk@complex.is (Fridrik Skulason) wrote:
> change the CMOS setting so that you can boot from A:, do so, then clean the
> virus.

And if this doesn't work then try the following: Get yourself a copy of IV (invfree.zip, from one of the sites below). Boot from the hard drive and press F5 for bypassing the autoexec and config.sys (preventing NAV from hanging). Now run ResQdisk, press ^B (boot sector handling with DOS instead of int 13) and select SYS from the submenu. It will overwrite the infected boot sector with a good one. Reboot and forget the stupid thing. Form isn't a stealth virus and it's easily handled, even from the infected drive. :-)

Zvi

- -------------------------------------------------------------------------
Zvi Netiv, author InVircible Internet Web Page: http://invircible.com
NetZ Computing Ltd, Israel Voice: +972 3 532 4563 Fax +972 3 532 5325
email: netz@actcom.co.il netz@InVircible.com CompuServe 'GO InVircible'
Anonymous ftp: ftp.datasrv.co.il/pub/usr/netz/ ftp.InVircible.com
- -------------------------------------------------------------------------

------------------------------

Date: Sat, 15 Jul 95 10:28:26 -0400
From: netz@actcom.co.il (Zvi Netiv)
Subject: Re: Monkey B virus (PC)

dwbaker@ix.netcom.com (David Baker) wrote:
> Well, I'm sorry to say that will not work.
> Monkey B will not let you
> access the hard drive if boot up from a clean floppy disk. This is
> well documented. I encountered Monkey B at Indiana University East and
> the way we got rid of it was using the Norton's Antivirus.

Well, the next time you meet Monkey then you may wish to try XMONKEY. It's freeware, and it will clean up to eight (8) hard drives installed in a machine. A drive that was infected with Monkey and messed with fdisk/mbr can still be fully recovered with ResQdisk. Available from the sites below.

- -------------------------------------------------------------------------
Zvi Netiv, author InVircible Internet Web Page: http://invircible.com
NetZ Computing Ltd, Israel Voice: +972 3 532 4563 Fax +972 3 532 5325
email: netz@actcom.co.il netz@InVircible.com CompuServe 'GO InVircible'
Anonymous ftp: ftp.datasrv.co.il/pub/usr/netz/ ftp.InVircible.com
- -------------------------------------------------------------------------

------------------------------

Date: Sat, 15 Jul 95 10:28:29 -0400
From: netz@actcom.co.il (Zvi Netiv)
Subject: Re: EMM386 error #00 (PC)

ahui@chaph.usc.edu (Angela Hui) wrote:
> Recently, I got a problem with my computer. I am not sure it's
> a virus infection or hardware problem. Right now, every time I
> load EMM386 in my config.sys, the computer will complain the
> EMM386 privileged unrecoverable error#00 and ask me to reboot. Does
> it ring any bell? I also have problems using 32bit file access
> with Windows.

These symptoms are typical of the presence of a stealth boot infector. Stealth boot viruses usually manipulate interrupt 13h so that they can fool any attempt to read (or write) the real content of the MBR - the virus itself. 32 bit access drivers need to hook the int 13 handler for substituting it with their own. Some viruses take it in a way that the driver cannot find the original handler. This is why the Windows 32 bit access driver cannot load.
Get a copy of InVircible from ftp.invircible.com/invircible/invbfree.zip and explore your hard disk with ResQdisk before removing the virus. You'll get a better idea of how stealth boot viruses work. Install InVircible and reboot. IVinit will suggest removing the virus (if there is any). You'll notice that IV won't tell you the name of the virus. If it does matter to you then you can take your chances and look for a scanner that will identify the virus for you. Some viruses may have a destructive payload - Natas (bipartite) for example will trash the hard drive on booting with a 1:500 chance on every boot. :-/

Don't forget to process your floppies with FIXBOOT as some of them should be infected by now.

Good luck,

- -------------------------------------------------------------------------
Zvi Netiv, author InVircible Internet Web Page: http://invircible.com
NetZ Computing Ltd, Israel Voice: +972 3 532 4563 Fax +972 3 532 5325
email: netz@actcom.co.il netz@InVircible.com CompuServe 'GO InVircible'
Anonymous ftp: ftp.datasrv.co.il/pub/usr/netz/ ftp.InVircible.com
- -------------------------------------------------------------------------

------------------------------

Date: Sat, 15 Jul 95 10:28:32 -0400
From: netz@actcom.co.il (Zvi Netiv)
Subject: Re: What to do if a virus is detected? (PC)

kingrac@aol.com (KingRAC) wrote:
> For years, I've recommended that when a virus is detected at my workplace,
> the PC should be turned off and left unused until assistance is available
> to remove the virus. Recently, I heard that when a virus has been
> detected the PC should NOT be turned off. Can anyone advise me on the
> correct approach and why one approach is better than the other?

Whoever advised you that the computer should not be turned off is right. The following are guidelines on what to do in case virus activity is suspected.

Untrained users had better stop what they are doing and call for assistance, and leave their computer ON.
The last job's data should be saved to disk, or better to floppy, and then exit the application in an orderly manner.

Help-desk personnel and trained users: First, save to tape or to diskettes any important _data_ (not programs, as they may be already infected). In too many incidents, invaluable data was lost because of inadequate virus damage recovery procedures. Act as if the infected drive will be inaccessible the next time you try accessing it and back up your data accordingly.

DON'T: Don't use activity blockers or TSR scanners that hang the computer or halt the CPU when a virus is detected. You may be forced to reboot and may not find your data or drive anymore. Don't start running a scanner (or integrity checker) without having first checked with generic probes that it is safe to do so. Scanners and integrity checkers are incapable of protecting themselves from being piggybacked by a virus not contained in their database.

DO: Run generic probes that will give you a first assessment of the nature of the problem. Especially important is to check for possible piggybacking on a _local write-enabled drive_. This test is critical before you launch a virus scanner on your server files. Don't launch a virus scanner test on a file server without launching generic probes and testing for piggybacking first _even if virus activity is not suspected._

Only after having taken the above precautions may you proceed with standard virus detection procedures, on the local hard drive only, not on the server. Servers should be checked from a known-to-be-clean workstation, equipped with a hard drive. The hard drive is necessary for generic probing of virus activity.
Regards,

- -------------------------------------------------------------------------
Zvi Netiv, author InVircible Internet Web Page: http://invircible.com
NetZ Computing Ltd, Israel Voice: +972 3 532 4563 Fax +972 3 532 5325
email: netz@actcom.co.il netz@InVircible.com CompuServe 'GO InVircible'
Anonymous ftp: ftp.datasrv.co.il/pub/usr/netz/ ftp.InVircible.com
- -------------------------------------------------------------------------

------------------------------

Date: Sat, 15 Jul 95 10:33:03 -0400
From: ar618@freenet.carleton.ca (Gabriel Duong)
Subject: MONKEY_B virus (PC)

I have a MONKEY_B virus on the boot sector of my diskette. The latest McAfee Scan could not clean it up. Does anyone know how to get rid of that virus? Thanks.

------------------------------

Date: Sat, 15 Jul 95 12:17:10 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Where can I get AVP 2.2? (PC)

Fabiano Ralo Monteiro (monteiro@ime.usp.br) writes:
> Eugene Kaspersky, AVP's author, said that in a couple weeks (well, when he sai
> that a couple weeks is about NOW) he would develop an AVP 2.2 shareware version

It is called "AVPLite" and is already available in the latest cumulative update:
ftp://ftp.informatik.uni-hamburg.de/pub/virus/progs/avp/avp9507.zip

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany

------------------------------

Date: Sat, 15 Jul 95 12:19:29 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: What is a virus .COV file? (PC)

John Mears (zyhltaq@netcom.com) writes:
> I recently downloaded a posted zipfile from a binary group which, after
> decoding and decompressing, included a file entitled ANTHRAX.COV.
> McAfee's Virus Scan subsequently reported that this file did indeed have
> the Anthrax virus in it, although this .COV file was two bytes smaller
> than the size of the virus as listed in Virus Scan.
>
> Can anyone tell me what exactly IS a .COV file, and how does this relate

The file has been renamed from .COM to .COV so that people do not accidentally execute it - because it contains a virus. Some scanners do such renamings when they are unable to disinfect the infected file.

As to why the file is shorter than specified - I do not know. Either McAfee's information is incorrect (as usual), or the file has been compressed, or it has been somehow truncated.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany

------------------------------

Date: Sat, 15 Jul 95 12:51:34 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: AV Software running under Win95 (PC)

carroll herb (a65si@csiunx.it.csi.cuny.edu) writes:
> So, I'm assuming Win95 uses a method other than int21 to perform file
> access. Even so, why wouldn't anti-viral programs still be able to work?

The incompetent journalist who has started this whole fuss probably meant that MEMORY-RESIDENT scanners will not work. The reason for this is that such scanners intercept INT 21h and, whenever one of its functions is used to execute or access an executable file, the scanner scans this file for viruses. However, if under Win95 the operating system accesses the files without using INT 21h, then such a scanner won't be able to intercept any file accesses and therefore will not detect any viruses in the files being accessed. Of course, on-demand scanners will still work.

All this does not mean that the sky is falling.
It simply means that the memory-resident scanners for Win95 will have to be designed in a different way - as VxD drivers. And indeed, all companies I know to work on Win95-specific anti-virus software are developing the memory-resident scanner of their product as such a driver. So, don't worry, be happy - when Win'9x finally appears, the anti-virus companies will have anti-virus products which will work.

> Is my logic incorrect or are my facts
> incorrect? (Jeez, I hope not both :) )

You are applying correct logic to incorrect information. Not all of the current anti-virus programs will stop working under Win95 - only the memory-resident ones which rely on INT 21h interception.

> Also, I don't really see how this would affect scan signatures either.

Of course.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany

------------------------------

Date: Sat, 15 Jul 95 12:52:44 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: VIRUS 1575 (PC)

Karuna (9030210@zaphod.riv.csu.edu.au) writes:
> I recently encountered a virus known only as 1575 while scanning
> the hard disk. Could anyone out there furnish me more
> information on this virus and how to clean the virus.

This is the Green_Caterpillar virus. It is described in our Computer Virus Catalog. The FAQ of this newsgroup describes how to get our Computer Virus Catalog.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers. Vogt-Koelln-Strasse 30, rm.
107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany

------------------------------

Date: Sat, 15 Jul 95 12:56:08 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: /\/\ Can't get that Stupid Stealth_C virus off!! /\/\ (PC)

Mike Mahnken (beaumich@texas.net) writes:
> Don't know if it's universal, but it's gonna be the first thing I try
> for MBR infections from now on!

It is _*NOT*_ universal. In some cases it can damage some important information on your hard disk and make it inaccessible. Before using this command, ALWAYS try to access the hard disk first (e.g., "DIR C:"). If you cannot access the hard disk (e.g., "Invalid drive"), then you MUST NOT use the command FDISK/MBR.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany

------------------------------

Date: Sat, 15 Jul 95 12:57:19 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Remover for WHISPER? (PC)

HenryhY (henryhy@aol.com) writes:
> I'm just wondering if there is an anti-virus program that can remove the
> WHISPER virus.

Yes, there are several. I recommend F-PROT or AVP - both are excellent at virus removal.

> I found this virus in my PC when using McAfee 2.21 to scan the hard drive.
> This anti-virus program found the WHISPER virus but says there is
> currently no remover for this virus.

Use a better anti-virus program, then.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers. Vogt-Koelln-Strasse 30, rm.
107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany

------------------------------

Date: Sat, 15 Jul 95 13:00:41 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Doom II Death, what I know. (PC)

Chris Roung (croung@alpha.netaccess.on.ca) writes:
> There was an article about viruses in one of the latest Popular
> Mechanics.

Beware of "information" on the subject of computer viruses obtained from popular sources. It is usually highly inaccurate.

> There is a short paragraph at the end on the doomII death virus.

The CAROname of this virus is Tai-Pan.666.

> Recently a file infector virus called Doom II Death delivered
> fatal blows to computers running illegal copies of the popular game
> "Doom II."

Rubbish. The virus doesn't have any payload whatsoever. It only replicates.

> As for Shareware, whether via telecommunications or floppy
> disks, ascertain if the bulletin board or the physical disk has been duly
> certified by the Association of Shareware Professionals.

Rubbish. Exactly the virus you mentioned has been distributed on several CD-ROMs.

> MORAL OF THE STORY : Don't copy your friend's version of Doom II.

This alone ain't gonna help you. Better adopt a good anti-virus program.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany

------------------------------

Date: Sat, 15 Jul 95 13:02:57 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: FORM_A virus on my MS-DOS system disks!?! (PC)

Rob Vanderkam (rvdkam@focus.synapse.net) writes:
> I just found out that I had FORM_A on my system.
> Does anyone know what harm it does?

It is not intentionally destructive.
> Using McAfee for DOS, it said to reboot from clean
> system disks but they seemed to be infected. So I
> used McAfee for Windows and it cleaned my hard drive
> but said it couldn't clean my system disks! Anybody
> know if MS-DOS disks had this problem? I haven't used

There is no problem with the Form.A-infected MS-DOS system disks. The problem seems to be with the anti-virus software you are using. Get a better one. I recommend F-PROT or AVP, but many others can remove this virus without any problems.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany

------------------------------

Date: Sat, 15 Jul 95 13:07:47 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Ripper virus sighting (PC)

Barnard Wacher (barnardw@sfu.ca) writes:
> Here is some additional information I found from the IBM Watson Research
> Center:
> Ripper, a boot virus that originally appeared in the UK, but has

I'd suggest that IBM correct their information. Ripper is a Bulgarian virus.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany

------------------------------

Date: Sat, 15 Jul 95 13:11:14 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Jerusalem.sunday.nam virus help (PC)

Stephen D Smith (sdsmith1@ix.netcom.com) writes:
> My office has come down with a virus called "jerusalem.sunday.nam"
> today.
> It seems to be a dropper, leaving jerusalem.westwood.a and/or
> jerusalem.sunday.a in various .EXE and/or .COM files, but not infecting
> the PC HD's.

Nope; simply the scanner you are using is unable to identify the virus exactly and reports different names in the different files.

> We are currently using McAfee 2.21. (Please no flames about that, it's
> the best I could get the office to do.) McAfee says they cannot remove
> this particular virus.

Well, then you are stuck. You either need to convince your superiors to get a better anti-virus program, or to live with the virus, or to wait until McAfee fixes their program.

> Tomorrow I'll be trying F-Prot 2.17, Dr Solomon, and TBAV.

Either of the first two will do the job to remove the virus. TBAV has an excellent scanner but its disinfector is rather lousy.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany

------------------------------

Date: Sat, 15 Jul 95 13:24:35 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: CARO Naming Convention (PC)

Chris Scally (cscally@iol.ie) writes:
> It has occurred to me that if the CARO virus naming system, which was agreed
> at a CARO meeting in 1991, was used universally, the answer to this question
> would be straightforward. Instead, everyone is referring to viruses by
> different names, which simply adds to the confusion. To use a recent
> example, "AntiCMOS.B" is a CARO name, and is the name used by F-PROT. The
> same virus is called "Lixi" by Dr. Solomon's Toolkit, yet both Fridrik
> Skulason and Alan Solomon were members of the CARO Virus Naming Convention
> committee.

There are three problems with the CARO virus naming scheme:

1) The names keep changing.
Suppose that one day we discover a virus and call it Foo_Bar. The virus is 1000 bytes long. Later we discover a new variant of it - one which is 1100 bytes long. We call the new one Foo_Bar.1100 and have to rename the old one to Foo_Bar.1000. However, later yet another variant is discovered, which is again 1000 bytes long, but is different from the original variant. Thus, we have yet again to rename the original variant to Foo_Bar.1000.A and name the new one Foo_Bar.1000.B. Now, this can be acceptable for academic reasons, but the anti-virus producers have real products to support. Can you imagine the effort needed to change a virus name *everywhere* - in the scanner, in the resident scanner, in the on-line help, in the printed documentation... Do you know how much it costs to change the printed documentation?

2) There is no way CARO can force the anti-virus producers to use our naming scheme. For instance, CPAV/MSAV calls the V-Sign virus "Sigalit" (for no apparent reason) and there is nothing we can do about it.

3) Even if all scanners adopt the CARO virus naming scheme, there will still be misunderstandings. The reason is that, in order to determine the full CAROname of a virus, a scanner must identify this virus *exactly*. Very few scanners can do exact virus identification. Therefore, people who are using scanners which cannot identify viruses exactly will keep asking "What does the Foo_Bar virus do?" and we'll have to keep asking them "Do you mean Foo_Bar.1000.A, Foo_Bar.1000.B, Foo_Bar.1100 or some new Foo_Bar variant?".

> If there were no naming standards in place, such differences would be
> understandable, but with a standard in place, why do the virus software
> developers insist on different naming policies?

Because there is *no* standard in place. The CARO virus naming scheme is (we think) a pretty good one and we recommend it to all producers of virus-specific products - but there is no way we can force them to use it.
Only you - the users - can do this. Don't buy products which do not use the CARO virus naming scheme - this will force the anti-virus producers to adopt it.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany

------------------------------

Date: Sat, 15 Jul 95 13:26:51 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: NYB or ANTI EXEC virus (PC)

Dennis Boutsikaris (KTBG41A@prodigy.com) writes:
> I can't get rid of this thing.

All you need is a good anti-virus program. Try AVP or F-PROT.

> It infected my boot drives on both computers-laptop & regular-and Norton
> ANTI VIRUS won't help. I even reloaded original software onto the laptop
> and it still popped up.

That's because the virus is not in the files; it is in the MBR. Boot from a write-protected, virus-free system diskette, check that you can access the hard disk ("DIR C:"), and execute the command FDISK/MBR.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany

------------------------------

Date: Sat, 15 Jul 95 13:28:00 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Stoned.Empire.Monkey Virus!!!! (PC)

reg vito (reggie@community.net) writes:
> Does anyone know about this virus?? How to get rid of it????
> Any suggestions of sites where I can find any info. Anything.
All you need is ftp://oak.oakland.edu/SimTel/msdos/virus/killmnk3.zip

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany

------------------------------

Date: Sat, 15 Jul 95 13:30:32 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Will the BootSector Virus-option in the CMOS secure my PC ? (PC)

sdkkah@mvs.sas.com (sdkkah@mvs.sas.com) writes:
> If I set a CMOS-option called BootSector Virus = Enabled,
> can I rest assured, that NO boot-sector virus will infect my PC ?

No. However, it will stop the currently known master boot sector infectors.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany

------------------------------

Date: Sat, 15 Jul 95 13:56:20 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: follow up... (ide-hard disk driver prog, PC). (PC)

v942427@si.hhs.nl (v942427@si.hhs.nl) writes:
> Invircible told me something was messed up while the 'virus' was active
> in memory.... no other a-v package could tell me....
> Why? is iv the only one using some kinda low-level driver-bypassing
> super-access???

Yes, InVircible is the only anti-virus program I know which does *this* kind of low-level access (accessing the IDE drive via the ports). Other anti-virus programs (e.g., TBAV) use other kinds of low-level access.

> Why don't others implement it?

Because it is not portable (works only for IDE disks) and sometimes causes problems.
> It is handy for detecting
> stealth viruses, isn't it?

Yes, it is. You should only keep in mind that it is not a cure-all.

> B.T.W.1 I installed IV after I installed the driver....

Speaking of InVircible, make sure that you take a look at the paper
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/invircib.zip
It will give you an... uhhh... alternative view on the product.

> B.T.W.2 This is a very big harddisk-manufacturer, so many others
> probably have the same problem.

I know of at least two producers of such drivers. Can't recall the name of the second company but the first is OnTrack. The driver is used to access IDE drives larger than 512 Mb on machines whose BIOS does not support LBA translation. The driver is installed on the first physical track of the disk and "stealths" the MBR much like a virus. If such a system is infected by a virus, the result is usually an inaccessible hard disk - because the virus overwrites some vital parts of the driver. I asked OnTrack what the users whose disks have suffered this way should do but their answer was essentially "they're screwed" (i.e., "there is no universal solution; they should call us for assistance").

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany

------------------------------

Date: Sat, 15 Jul 95 13:58:48 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus "SHOO (PC)

Steven Liang (liangs@watserv.ucr.edu) writes:
> Is there any virus remover that can remove SHOO virus.

Yes, for instance AVP.
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany

------------------------------

Date: Sat, 15 Jul 95 14:03:21 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: MONKEY_B help!!!! (PC)

VenturaX (venturax@aol.com) writes:
> tape and floppy disks. I have been scanning with McAfee v.2.1.3 and
> nothing has come up.. I downloaded the new vshield and now it says I am
> infected with Monkey_B. I downloaded the scan and it said the same
> thing.. When I scan with nomem option it doesn't catch it so I assume it
> is a stealth virus.

Correct.

> The only problem is when I boot from a dos disk,
> my computer doesn't recognize the hard drive and I can't scan it.

This limitation is specific to the anti-virus software you are using. Most other anti-virus programs do not suffer from it. For this particular virus, the best solution is to get the file
ftp://oak.oakland.edu/SimTel/msdos/virus/killmnk3.zip
It will get rid of this particular virus even if the virus is active in memory.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany

------------------------------

Date: Sat, 15 Jul 95 14:03:18 -0400
From: 100554@mhafc.production.compuserve.com
Subject: "Editor" needed (PC)

Need editor to view contents in file to find signs of viruses (text st that is). Does anyone have suggestions of a good DOS program of this k Please e-mail if possible. Thanks.
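Editor's added example, not code from the digest and not from InVircible, KILLMNK, F-PROT or any other product named in it: a small Python model of the Monkey-style MBR infector that Burrell, Netiv and Bontchev argue about above. It shows why a clean-booted DOS cannot see the drive ("Invalid drive"), why Bontchev's "DIR C:" test has to come before FDISK /MBR, why FDISK /MBR run anyway leaves the drive just as inaccessible, and how Netiv's comparison of the INT 13h view against a raw read of the hardware exposes the stealth. The sector layout (boot code in bytes 0..445, four 16-byte partition entries at 446, 55AA signature at 510) is real; everything about the virus itself (a one-byte XOR key, the original MBR parked in sector 3, no partition table kept in the infected sector) and the stand-in boot and virus bytes are assumptions of the model, not a description of any real sample.

```python
# Model of a Monkey-style MBR infector: why a clean boot cannot see the drive,
# why FDISK /MBR then makes it no better, and how comparing the INT 13h view
# with the raw disk exposes the stealth. Added example, not code from the
# digest or from any product it names. The sector layout is real; the virus
# behaviour (original MBR XOR-encrypted with a one-byte key and parked in
# sector 3, no partition table kept in the infected sector) is an assumption.

SECTOR = 512
PT_OFF = 446      # partition table: four 16-byte entries
SIG_OFF = 510     # 0x55 0xAA boot signature
STASH_LBA = 3     # model assumption: where the virus parks the original MBR
KEY = 0x2E        # model assumption: one-byte XOR key
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"  # constructed stand-in
VIRUS_CODE = b"\xeb\x1c" + b"\x90" * 30                # constructed stand-in

def _pad(data, size):
    return data + b"\x00" * (size - len(data))

def xor(data, key):
    return bytes(b ^ key for b in data)

def make_clean_mbr():
    """Constructed clean MBR: boot code, one active FAT16 partition, signature."""
    entry = (bytes([0x80, 1, 1, 0, 0x06, 0xFE, 0x3F, 0x7F])
             + (63).to_bytes(4, "little") + (2097088).to_bytes(4, "little"))
    return _pad(CLEAN_BOOT_CODE, PT_OFF) + entry + b"\x00" * 48 + b"\x55\xaa"

class Disk:
    """Raw sector store: the 'via the ports' view the virus cannot intercept."""
    def __init__(self, sectors=None):
        self.sectors = sectors or [b"\x00" * SECTOR for _ in range(8)]
    def read(self, lba):
        return self.sectors[lba]
    def write(self, lba, data):
        assert len(data) == SECTOR
        self.sectors[lba] = data

class StealthedDisk:
    """INT 13h view while the virus is resident: a read of sector 0 is answered
    with the decrypted original, so DOS and scanners see a clean MBR."""
    def __init__(self, disk):
        self.disk = disk
    def read(self, lba):
        return xor(self.disk.read(STASH_LBA), KEY) if lba == 0 else self.disk.read(lba)

def infect(disk):
    disk.write(STASH_LBA, xor(disk.read(0), KEY))
    # Virus code fills the whole sector, partition-table bytes included; only
    # the 55AA signature survives so that the BIOS will still boot it.
    disk.write(0, (VIRUS_CODE * 20)[:SIG_OFF] + b"\x55\xaa")

def partition_table_ok(mbr):
    """What a clean-booted DOS needs before 'DIR C:' can work."""
    if mbr[SIG_OFF:] != b"\x55\xaa":
        return False
    usable = False
    for i in range(4):
        entry = mbr[PT_OFF + 16 * i: PT_OFF + 16 * (i + 1)]
        if entry[0] not in (0x00, 0x80):   # illegal status byte
            return False
        usable = usable or entry[4] != 0   # non-empty partition type
    return usable

def fdisk_mbr(disk):
    """What FDISK /MBR does: rewrite bytes 0..445 only, keep 446..511 as found."""
    disk.write(0, _pad(CLEAN_BOOT_CODE, PT_OFF) + disk.read(0)[PT_OFF:])

def disinfect(disk):
    """Virus-specific repair: restore the decrypted original, if it looks sane."""
    original = xor(disk.read(STASH_LBA), KEY)
    if not partition_table_ok(original):
        return False
    disk.write(0, original)
    return True

def stealth_active(view, disk):
    """InVircible-style check: does INT 13h agree with what the hardware holds?"""
    return view.read(0) != disk.read(0)

def run_scenario():
    disk = Disk()
    clean = make_clean_mbr()
    disk.write(0, clean)
    r = {"clean_drive_visible": partition_table_ok(disk.read(0))}
    infect(disk)
    resident = StealthedDisk(disk)
    r["stealth_hides_virus"] = resident.read(0) == clean
    r["stealth_detected"] = stealth_active(resident, disk)
    # Clean floppy boot: no hook, DOS reads the real sector 0 -> "Invalid drive".
    r["dir_c_after_clean_boot"] = partition_table_ok(disk.read(0))
    # Ignore the digest's rule and run FDISK /MBR anyway, on a copy of the disk.
    scratch = Disk(list(disk.sectors))
    fdisk_mbr(scratch)
    r["fdisk_mbr_restores_drive"] = partition_table_ok(scratch.read(0))
    r["fdisk_mbr_left_virus_table"] = scratch.read(0)[PT_OFF:SIG_OFF] == disk.read(0)[PT_OFF:SIG_OFF]
    # The virus-specific way: the original is still on the disk, encrypted.
    r["disinfect_ok"] = disinfect(disk)
    r["drive_back_after_disinfect"] = disk.read(0) == clean
    return r

if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:28} {v}")
```

Running it prints one line per check. The two that carry the argument are dir_c_after_clean_boot (False: with the hook gone, sector 0 holds virus code where the partition table should be) and fdisk_mbr_restores_drive (also False: FDISK /MBR rewrites only the boot code and never touches bytes 446..511, which is exactly where this kind of virus left its own bytes). disinfect() succeeds only because the encrypted original is still parked elsewhere on the disk, which is the knowledge a virus-specific remover has and a blind overwrite of sector 0 does not.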
------------------------------

Date: Sat, 15 Jul 95 14:07:50 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: NYB Virus (PC)

Chris Franklin (jcfrank@ix.netcom.com) writes:
> There is currently an uprising of the NYB Virus. This Virus is also
> Known as the "None of Your Business" Virus. This Virus is a Boot

:-))). Actually, the name "NYB" was invented by McAfee and means simply "New York Boot virus" - because this particular virus used to be extremely widespread in the New York area.

> Some Major Software Makers have been infected by this Virus and have
> unknowingly shipped infected Productivity Software. If You have

Which ones?

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers. Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 71]
*****************************************