VIRUS-L Digest   Wednesday, 16 Aug 1995    Volume 8 : Issue 72

Today's Topics:

Finding Info
Re: Virii: A simple question
Re: Virus from commercial software?
Re: Searching for a citation
Re: Software damaging hardware (claimed)
Re: Searching for a citation
Re: WindowsNT (NT)
Re: WindowsNT virus/anti-virus? (NT)
Re: OS/2 and possible virus (OS/2)
Re: OS/2 viruses (OS/2)
Re: Taipan-438 (PC)
Re: New integrity checker (PC)
Re: fixboot (PC)
Re: Trojans (PC)
Re: Virus that causes writes to A: to be temporary?! (PC)
Re: /poly option in McAfee (PC)
Re: Detecting Viruses 2 (PC)
Re: Help with 10b7 virus !!!! (PC)
Stealth_boot.c info needed (PC)
Re: Virus "SHOO (PC)
Re: Need help on possible virus (PC)
Form Virus running Win95 (PC)
Re: MONKEY-A Information Sought (PC)
AntiExe removed; survives clean boot!? (PC)
Can't access drives A & B (PC)
BOAT virus (dos systems) (PC)
Re: Form Virus (PC)
Khobar Virus (PC)
Re: Dr. Solomon's Anti-Virus Toolkit (PC DOS/Windows) (PC)
Boot 437 virus, how to detect and remove it? (PC)
June 12 Independence Day Virus and Aome Virus Inquiry (PC)
Re: Virus info kept in WWW at novell.com (the netmakers) (PC)
Re(2): Form Virus (PC)
RE: Natas virus (PC)
Re: Dr. Solomon's Anti-Virus Toolkit (PC)
Re: natas (PC)
Is this a known virus? (PC)
Khobar virus (PC)
WHich Anti-Virus Prog for PARITY Boot B ??? (PC)
Re: invircible? (PC)
Re: Suspicious virus NOT being deleted. HELP!! (PC)
Re: scan and f-prot (PC)
Re: Scanner Invokes Disk Killing Virus? (PC)
Re: Infected!! Anti-Cmos A (PC)
Re: Information re: "Generic Viruses" (PC)
Re: BackForm !!! (PC)
Re: Suspicious virus NOT being deleted. HELP!! (PC)
Re: Removing virus from a non-boot diskette (PC)
Strange Problem (LILO? VIRUS?) (more) (PC/Linux)
Norton AntiVirus (DOS/Windows) (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed.
Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Sun, 16 Jul 95 15:02:41 -0400
From: bug3654@IMAP2.ASU.EDU
Subject: Finding Info

This weekend I ran across a pretty handy little web site I thought comp.virus readers could use. The place is called DejaNews and it is a usenet search engine. It's great for finding information and past postings regarding a particular virus. Just type in the name of your virus and soon you can learn from the past misfortunes of others.

DejaNews
http://www.dejanews.com/

Forest Brown

------------------------------

Date: Sun, 16 Jul 95 22:19:12 -0400
From: maelliso@io.com (Michael Ellison)
Subject: Re: Virii: A simple question

walkerc@capitalnet.com (Chris Walker) says:

>Why is it not possible for a virus to infect various forms of computers?
>If they are written in a language that both computers can comply, then
>I see no reason why it cannot harm both brands?

It is, in fact, possible to do exactly as you describe. The reason it has not been done (at least not so far as viruses in the wild are concerned) is that viruses are generally written in machine language (o.k., assembly) so that they can attach themselves to _binary_ files such as .COM's, .EXE's, and bootsector/MBR code. These binary files ARE machine specific.
If, however, a virus were to attach itself to a C source file, and be coded in C itself (sticking to ANSI standards) then, if coded correctly, it could infect any machine with a compatible C compiler and source. Source code viruses, however, are not what one sees in the wild (yet? often?).

Cheers,
Michael A. Ellison

------------------------------

Date: Mon, 17 Jul 95 09:05:50 -0400
From: ajv@pcug.org.au (Ari Vennonen)
Subject: Re: Virus from commercial software?

krisu@clinet.fi (Kristofer Nurmia) writes:

>davidcho@csulb.edu (David Cho) writes:
>>Is it possible? I have never illegally copied software onto the hard
>>drive. Everything on my hard drive is from commercial
>>software diskettes.
>>Is it possible to get a virus from these commercial software companies?

>It's possible to get a virus from commercial software. The computers on
>which the software is copied may contain a virus, and when a copy is made
>the virus copies itself to the disks. It's even possible to get a virus from
>an empty formatted disk the same way.

It is true. Recently, Microsoft shipped commercial software with a virus on the installation disks. At the time, Microsoft were not aware that the disks contained the virus. So it can occur to anyone - shareware company or even multinationals.

_______________________________________________________________
Ari Vennonen                       Compuserve: 100236,2633
ajv@pcug.org.au                    ACS-Link: ajv@acslink.net.au

------------------------------

Date: Mon, 17 Jul 95 15:33:52 -0400
From: datadec@cs.UCR.EDU (Kevin Marcus)
Subject: Re: Searching for a citation

Cistron User Account wrote:

>I'm looking for the name of the person who said "computer viruses are
>an urban myth. Just like the story about alligators in the sewers of
>New York". Please mail any answers that can help me to my e-mail
>address ollie@cistron.nl. Thanks for your help.
>
>[Moderator's note: I _think_ that that was John Dvorak, in one of his
>PC Magazine columns, circa 1987 or 1988.]
I reckon that was Peter Norton, in 1988. Sometimes people make mistakes, eh?

- --
Kevin Marcus: http://cs.ucr.edu/~datadec
CS Dept, U/CA, Riverside: datadec@cs.ucr.edu
Virus-L archives: ftp://cs.ucr.edu/pub/virus-l

------------------------------

Date: Mon, 17 Jul 95 17:24:45 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Software damaging hardware (claimed)

A.Appleyard (A.APPLEYARD@fs2.mt.umist.ac.uk) writes:

> Daily Telegraph Magazine (Sat 17 June 1995) (one of various supplements that
> come on Saturdays with the Daily Telegraph (UK newspaper)), pp 24-30,
> anonymous article "Manhunt for Mr.Cyberpunk, how the world's most devious
> hacker [Kevin Mitnick] was run to ground", p26 left column:-

> "Tsutomu [Shinomura] has built software that can destroy an alien computer."
> says Brosl Hasslacher, a physicist at Los Alamos National Laboratory in New
> Mexico [in USA], "They are essentially viruses that can, for example, tell the
> computer to sit in one register until it melts the circuitry in the chip or
> command the hard drive to hit the same track 33,000 times - until it destroys
> the drive.". Many security wizards doubt such tools could work on anything but
> old-fashioned personal computers, and Shinomura, perhaps wary of giving away
> his secrets, would not comment. Fortunately these weapons - whatever their
> capabilities - were stored in a safe place.

Is Daily Telegraph the UK version of National Enquirer or what? :-) I mean, it requires a real talent to put so much nonsense in such a short paragraph...

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Mon, 17 Jul 95 17:27:10 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Searching for a citation

Cistron User Account (user@cistron.nl) writes:

> I'm looking for the name of the person who said "computer viruses are
> an urban myth. Just like the story about alligators in the sewers of
> New York". Please mail any answers that can help me to my e-mail
> address ollie@cistron.nl. Thanks for your help.

> [Moderator's note: I _think_ that that was John Dvorak, in one of his
> PC Magazine columns, circa 1987 or 1988.]

According to Dr. Alan Solomon, this was Peter Norton and he mentioned it in The New York Times.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Mon, 17 Jul 95 12:00:52 -0400
From: D.Phillips@open.ac.uk (Dave Phillips)
Subject: Re: WindowsNT (NT)

I'm using SweepNT from a UK company called Sophos. The UK phone number is 01235 559933; the cost is about £300 per year but that includes monthly updates and a very good 'free' help desk.

hope that helps

Dave

- --
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

------------------------------

Date: Mon, 17 Jul 95 17:28:20 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: WindowsNT virus/anti-virus? (NT)

T.M.Haddock (tmh2708@omega.uta.edu) writes:

> I see stuff on DOS/Win/OS2 virus/anti-virus but nothing about NT.

Simple; it is just Not There. :-)

> Are there any MS WindowsNT anti-virus programs and virus information?
Several anti-virus companies are working on versions of their products for this platform. There are no WinNT-specific viruses.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Mon, 17 Jul 95 17:29:37 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: OS/2 and possible virus (OS/2)

smckee@arlut.utexas.edu (smckee@arlut.utexas.edu) writes:

> I have had several occurrences of what appears to be a virus on my OS/2 based
> PC. The system will boot up and then the cursor begins rushing around the screen
> opening and closing items, rearranging my desktop, and even deleting or copying
> files. Any help out there?

Doesn't sound like a virus to me. More likely a hardware problem with your mouse or maybe an improper configuration of some device driver...

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Mon, 17 Jul 95 17:32:04 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: OS/2 viruses (OS/2)

Petteri Jarvinen (petteri@pjoy.fi) writes:

> >uh...there are already at least two OS/2 viruses...

> What kind of viruses are they?

Both are non-resident and infect the files in the current directory. The first is a silly overwriting virus; the second one is appending.

> Have they been found at large or at
> some VX BBS?

No, only on the VX BBSes. These viruses are so primitive that they are unlikely to spread in the wild.
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Sat, 15 Jul 95 14:19:10 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Taipan-438 (PC)

Nick Antone (tone@ix.netcom.com) writes:

> Can anyone fill me in on the Taipan-438 virus ?? What type it is,

Memory-resident EXE-file infector.

> what it does,

It just replicates.

> what triggers it,

Nothing.

> and if possible the sig.

There is no such thing as "the" sig. Many possible scan strings can be selected for this virus and their efficiency would depend on the scanner which is using them. Just get a good scanner which can detect and remove this virus and don't worry about any "sigs".

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Sat, 15 Jul 95 14:21:36 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New integrity checker (PC)

Venzi (venzi@cs.tu-berlin.de) writes:

> After trying out many integrity checkers, I didn't find any which
> would do what I need, so I decided to write my own one.

Unfortunately, writing a good integrity checker is a far from trivial task.

> I'm not saying that I wrote the best integrity checker, I didn't try
> all the checkers available, and, actually I just put all the useful
> features I found in some programs (and a few more) in mine.
Besides being "useful", an anti-virus program has to be *secure* and withstand virus attacks.

> I would be really happy if someone finds some time to test it with
> some real viruses (or simulate virus infections) to tell me how good
> it is (esp. the code check algorithm).

Hint: get the paper

ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/attacks.zip

and see some tricks used by computer viruses against this kind of anti-virus programs. I suspect that yours will be vulnerable to almost all of them.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Sat, 15 Jul 95 14:26:08 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: fixboot (PC)

Dave Sainsbury (Captain.Starlight@Adelaide.Edu.Au) writes:

> I used Zvi Netiv's FIXBOOT. All disks are fixed, data apparently intact.
> They scan clean with McAfee, F_PROT and VET.
> As I was breathing a sigh of relief I heard rumour that FIXBOOT
> has been removed from the public domain following the accusation
> that it is a Trojan Horse.
> Can any-one help restore my confidence?

The version of Zvi Netiv's FIXBOOT which was removed from the public ftp sites used to destroy a file named SOFIA in the current directory or a file named WRITEST in the root directory, if such files existed. It could also cause some other damage.

There are other products which can do the same (i.e., overwrite the boot sectors of the floppies with a known clean boot sector) and which do not do the nasty tricks that FIXBOOT did. You mentioned VET - it can do it, and Padgett Peterson's package FixUtils contains a program (FixFBR2) which can do it too.
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Sat, 15 Jul 95 14:28:24 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Trojans (PC)

DNA the Mysterious (limhl@teleview.com.sg) writes:

> This person I know is creating a lot of trojans using *.exe and *.com
> creators. These files usually utilize the delete, deltree, and format
> commands to do damage. Can Scan detect these?

No.

> I'm rather worried that I
> may get it.

Why? If you don't get programs from this person then you won't "get it". Also, you could rename the programs DELTREE and FORMAT to something else.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Sat, 15 Jul 95 14:33:59 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus that causes writes to A: to be temporary?! (PC)

Noam Weinstein (noam.weinstein@channel1.com) writes:

> While using a friend's computer yesterday, I discovered
> that copying or altering files on the A: 1.44 drive yielded
> temporarily perfect results, but after removing the disk
> and putting it back in, the contents were fully reverted
> to their original condition!

[snip happens]

> Does anybody have any idea why a disk drive would not be permanently
> updating the contents of a disk? Does it sound like something
> a virus could do?

No. It is caused by the fact that the Write wire is disconnected - or broken.
You get the illusion that the files on the floppy are updated because DOS keeps some of the information in its buffers and shows it to you, instead of actually reading it from the diskette. The diskette is essentially write-protected, but there is no WriteProtect signal, so no error occurs.

> (We did open up his machine several months ago to install a CD-ROM
> drive -- is it possible that a cable is slightly out of place?)

Yes.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Sat, 15 Jul 95 14:37:23 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: /poly option in McAfee (PC)

Gerrold Kuijpers (gkuijper@inter.nl.net) writes:

> The new versions of McAfee VShield require a new option to detect the
> polymorphic viruses: /POLY.
> I thank McAfee for making this clear to me, although I would have
> preferred to have read about it in a release note.

It is described in the file VIRUSCAN.TXT. :-)

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Sat, 15 Jul 95 15:09:22 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Detecting Viruses 2 (PC)

George (GRIG%BGEARN.BITNET@CUNYVM.CUNY.EDU) writes:

> The viruses. At least 60% of the people owning computers have ever had
> experiences with them.

89.73% of all statistics are made up. :-) Where did you get that number from?
> The boot-sector viruses infect the BootSector of HDD or FDD only when they
> are active in memory.

*All* viruses infect only when they are active in memory. Do you mean that the boot sector viruses are memory-resident?

> Now, do the following:
> 1. Boot from a clean diskette.
> 2. Type MEM /C and remember the amount of free memory or use MEM /C >MEMF.DAT
> 3. Reboot and boot from the HDD.
> 4. Type MEM /C (>MEMH.DAT) again and compare the two amounts (files).
> If the numbers differ, it is possible you have a virus.

Or you might not have one. On many configurations booting from a floppy and from the hard disk might result in different memory configurations without a virus being present. For instance, if DBLSPACE is used on the hard disk, it will be loaded by MS-DOS 6.x even if no CONFIG.SYS is present. Also, it is possible that you don't see any difference in the memory configurations and still have a virus - e.g., if the virus "hides" in the second part of the interrupt vector table.

> File infectors, as their name suggests, infect files. The infected files,
> most commonly are COM and EXE, although there are viruses infecting SYS, OVL,
> PRG, MNU files too.

...or BAT or OBJ. However, only COM, EXE, SYS, BAT, and OBJ files are properly infected by the currently existing viruses (OK, there is also one very special case with AVR files) - the files with other extensions are infected only by mistake and this often damages them.

> There are two types of file infecting viruses: resident
> and non-resident.

There are also temporary memory resident viruses (e.g., Anthrax) and even overlaid viruses (can't think of an example), but this is not important.

> The first type stays resident and infects all ran files or
> even those which were only opened (touched).

Not always. Many viruses infect only on file execution and not on file access. Those which infect on file access are called fast infectors.

> 3. Stelth - infecting files, and afterwards hiding (always resident).
The term is "stealth", BTW.

> 4. Viruses, which get to the free space of the file header or of
> the "program itself" (resident and not).

These are called "cavity viruses".

> 5. Viruses, which compress the file (resident and not).
> (for the first time I have heard about the last two from Wolfgang in Vir-L).

Historically, the very first file infector for the IBM PC - the Lehigh virus - was a cavity virus. Check my article in "Komputar za vas" from a few years ago. One example of a compressing virus is Cruncher - it has been found in the wild in Russia recently (although it is a Dutch virus).

> Now, do the following:
> 1. Boot from a clean diskette.
> 2. Type MEM /C and remember the amount of free memory or use MEM /C >MEMF.DAT
> 3. Reboot and boot from the HDD.
> 4. Type MEM /C (MEMH.DAT) again and compare the two amounts (files).

Just like with the boot sector viruses, this method is not very reliable (although worth trying). It might not detect a virus and it might find a difference without a virus being present.

> Detecting viruses of the first type:
> Detecting the first type of viruses is the easiest. There is no difference if
> you boot from an infected or not system. Just compare the sizes (dates) of the
> files and that's it.

I don't quite understand. If the files are infected with a direct action (i.e., not memory resident) virus then comparing their lengths after booting from the hard disk and from a clean floppy is not going to show any difference. Or do you mean comparing the sizes of a clean file and a copy of it which you suspect is infected?

> Now about those of the third type:
> Here, one should boot from a clean diskette and then (having run nothing)
> compare the sizes. The memory check should also be done.
> If you don't know the original file sizes, not everything is lost. If they
> differ when booting from HDD and clean FDD - diagnosis "stelth virus".

There is an even simpler approach.
Boot from the infected hard disk and copy an executable file to a file with a non-executable extension. Now boot from a clean floppy and compare the sizes of the two copies. If they differ (and if they didn't while you were in the infected environment) then you have a stealth virus.

> From the easiest, to the hardest:
> These are the viruses of the fourth and fifth type. Here size comparison
> will not help (maybe the date (time) of creation will be changed if the
> infector is not "self-respecting").
> Here the file CRC should be compared. For this purpose, a little program must
> be written, a program computing the CRC of a file.

Or, if you have a clean copy of the file, you can just COMPare it with the file you suspect to be infected.

> It may be done in several ways, easiest to sum the ASCII code of every
> symbol from the file.

That's also the most insecure way. It's trivial to write a virus which would infect files without changing their checksum computed by this algorithm. Check my paper about InVircible for more information.

> Booting from a clean diskette is preferable.

It is *mandatory*.

> If you are not sure, exactly which type of virus you deal with, admit you
> have a stelth one.

This is not quite correct. If you are not sure - ask for help.

> 3. Viruses infecting directories and FAT.
> If booting from a clean diskette, all infected files will appear as crosslinked
> (info by Wolfgang).

Didn't you know it?! Dir_II is such a virus and is very widespread in Bulgaria...

> I don't want one to think that the shown method works against all viruses.
> There is no universal method for detecting viruses.

Exactly.

> Of course, I haven't answered all questions (I haven't even tried), but I
> just show how one can EXACTLY TO KNOW IF HE HAS A VIRUS, and I don't want
> some to say that I have TOLD THAT ONE CAN CATCH ALL VIRUSES USING THIS METHOD,
> or that I've "HIT THE KEYS AND THE NET", as mr. Wolfgang does (v. 8, issue 57)
> or HOW ONE CAN BE SURE HE HAS NO VIRUSES.
:-). I just wanted to fill some of the empty spots...

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Sun, 16 Jul 95 01:24:46 -0400
From: swilmsn@interserv.com
Subject: Re: Help with 10b7 virus !!!! (PC)

> Mike writes:
> I need information on the 10b7 virus. All I know is that it infects .exe files
> and is not memory resident.
>
> I would greatly appreciate any help at all in the matter as no-one seems to be
> able to tell me what the side effects, or long term effects of the virus are.

I would also like to know more about the 10b7 virus. I have found 20 occurrences on machines at work using Microsoft Anti-Virus (DOS version). I then scanned the same disks with Microsoft AV (Windows version) and did not find any files infected with 10b7. These detections only occurred after I updated the virus definitions for MSAV and MWAV. Could these be false indications? Why wouldn't the detections be consistent?

Because of the inconsistencies in using the Microsoft Anti-Virus programs I also tried Norton Anti-Virus. This scan did not detect any files infected with 10b7. I do not believe the systems scanned were ever infected, but I would like to know why the indications were given by MSAV.

------------------------------

Date: Sun, 16 Jul 95 04:16:43 -0400
From: BOOTY@SDC.CSMC.EDU (C#Booty, Walter)
Subject: Stealth_boot.c info needed (PC)

Can someone post information about the Stealth_boot.c virus? Description, how it works, its symptoms, etc. The more info the better. Thanks in advance.
==>WB

------------------------------

Date: Sun, 16 Jul 95 05:29:42 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Virus "SHOO (PC)

liangs@watserv.ucr.edu (Steven Liang) writes:

>Is there any virus remover that can remove SHOO virus. Please E-Mail me. Thanks.

MacGyver (Shoo) is not a single virus, but rather a family of at least 9 variants (2824.A, 2824.B, 2803.A, 2803.B, 3160, 4112, 4480, 4693, 4645). Some programs can identify and remove some of them, but not others, so without further information it is not possible to answer the question, I'm afraid.

- -frisk

Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Sun, 16 Jul 95 07:15:48 -0400
From: tdoimea@mplscsc67.uswc.uswest.com (Tony Doimeadios)
Subject: Re: Need help on possible virus (PC)

trognmo@Direct.CA (Tor Rognmo) writes:

> As a publishing consultant on the Internet I've learned to practice
> 'safe computing'. This time though I suspect some new virus may be
> getting the better of me. I'm running Norton Anti-Virus version 3.0
> with the June '95 definitions installed as well as the latest
> Thunderbyte with all tsr's and utilities memory resident. But suddenly
> I'm experiencing the following inexplicable problems on my finely
> tuned 486 system:
>
> - - When I load Word Perfect 6.0 for Windows it gives me the error
> message 'not enough global memory to perform the requested operation'.
> When I click ok it allows me to run the program, but with some
> enormous bugs including: If I open any previously saved document, even
> a short one page memo, it displays it as a 300 - 400 page document
> which is empty.
> - - When I run Pagemaker 5.0 it randomly omits fonts from the font list.
> Sometimes it will suddenly omit all fonts starting on H (including
> helvetica) for example.
> - - When I try to perform OCR using Omnipage Direct in combination with
> any word processor, it scans the document and allows me to select text
> but then bombs out with a "cannot create object" error message at the
> end.
>
> When these problems occur and I do a memory check using the Norton
> Desktop for Windows utilities, it reports that around 34 percent of my
> memory is in use, and doesn't display anything abnormal. I have 8 MBs
> of RAM and have a permanent, 20 MB virtual memory swap file on my
> uncompressed host drive.
>
> Last week I worked on a customer's computer and helped them clean out
> a number of viruses, including stoned.b, monkey-a and cmos-a boot
> sector virus, which I had detected when I brought some disks back from
> the customer's computer. They are also reporting the same start up
> problem in Word Perfect 6.0. I therefore suspect that there is a link,
> and that some unknown virus may have been transferred.
>
> Any suggestions?
>
> Tor Rognmo
> Netquest Communications
> http://www.infoserve.net/netquest/
> 323-1873 Spyglass Place
> Vancouver, B.C. V5Z 4G6 CANADA
>
> Fax: (604) 737-6928   E-mail: netquest@unix.infoserve.net

I used to do tech support for a major computer manufacturer and I'd get problems like this daily. Try doing the following:

1) power off, wait one minute, then power on and hit F5 when you see STARTING MS-DOS (assuming you have dos 6.0+)
2) go to your temp directory and delete everything in there (cd\windows\temp del *.*)
3) scandisk c: /autofix /nosave /surface
4) defrag c: /f
5) fdisk /mbr about 15 to 20 times. Some viruses will resist the initial running of fdisk, but if you "overwhelm" it, it'll zap it. THEN POWER OFF! If you don't the virus (if present) will still be in memory and will reinfect your boot sector...

Sounds like you have a very fragmented HD, with possibly lots of cross-linked files... this screws windows up all the time. By you stating that you have a scanner, that reinforces it for me.
You're creating multi-megabyte files, moving them around, etc. Kills HD performance. If necessary, go into windows, kill your swap file, re-defrag your HD & then make another swap file. Major size: 16-(# of megs of RAM). If you have 8 megs of RAM, then make an 8 meg swap file. Make it permanent - it's faster and HD space is cheap. If this works, do steps 3 & 4 at LEAST weekly *and* prior to any scanning job.

- -Tony

------------------------------

Date: Sun, 16 Jul 95 10:06:20 -0400
From: lambert@onramp.net
Subject: Form Virus running Win95 (PC)

I have detected the Form virus using McAfee. However, under scan it indicates that the scan software is affected also. Have read all of these posts about concerns with Win95. Looks like all my floppies, even boot disk (old and new) are infected. I WAS able to create a clean boot from a laptop, and also have been able to remove the virus from floppies using the "Anti-Virus" under the Windows I am running on the laptop.

Scandisk under Win95 doesn't seem to have any "Clean" feature, or perhaps I cannot find it. Nothing under "virus" etc. in documentation. I'm afraid I don't know what to do next. I saw a recent post from J.Berg@sheffield.ac.uk who said he removed this virus using f-prot 2.17. Know where I can find f-prot 2.17? Also read about Norton AntiVirus for Win95 beta. Going to try to get that.

ANY SUGGESTIONS would be sincerely appreciated!!!

Elaine Lambert
lambert@onramp.net

------------------------------

Date: Sun, 16 Jul 95 13:33:41 +0000
From: heuman@mtnlake.com (R.S. (Bob) Heuman)
Subject: Re: MONKEY-A Information Sought (PC)

galip@vnet.net (Steve Gallipeau) wrote:

>roachl@cc.ims.disa.mil writes:
>>Does anyone know anything about the MONKEY-A virus? My PC was
>>recently infected with it, and I can't tell that any damage has been
>>done. I know it is a boot sector virus, and that it knows how to
>>disguise itself. What harm does it inflict?
>>I would appreciate any help on this one.

>From my experience 'cleaning' machines, the Monkey-A virus can be
>easily cleaned with a good program like IBM AV/2. Basically it
>infects the BS and Partition Table and creates up to 4 non-DOS
>partitions. It is usually wiser to just fdisk /mbr, delete all
>partitions, recreate the partitions you want (usually just Primary),
>and reinstall your SW.
>Steve

NO! Get Killmnk3.zip or use F-PROT and remove Monkey easily. Do NOT use
FDISK /MBR with any virus where, after you boot from drive A (cold boot),
you cannot go to drive C.

R.S. (Bob) Heuman
Willowdale, ON. Canada
==============================================================================
or An inquiring mind in an aging body... My opinions are my own... (I hope)
Copyright retained as per Canadian and International law...

------------------------------

Date: Sun, 16 Jul 95 12:43:51 -0400
From: Michael Ramey
Subject: AntiExe removed; survives clean boot!? (PC)

On Friday I cleaned up an 'AntiExe' virus infection. This virus appeared
to survive in memory even after a power-off cold boot from a
write-protected, known-clean floppy diskette! There were other strange
occurrences, which I will describe as best I can from memory.

The computer is a no-name laptop clone with AMIBIOS:

  Main Processor:     PENTIUM (tm) CPU
  Numeric Processor:  Present
  Floppy Drive A:     1.44 MB, 3-1/2"
  Floppy Drive B:     None
  Display Type:       VGA/PGA/EGA
  AMIBIOS Date:       06/06/92
  Base Memory Size:   640 KB
  Ext. Memory Size:   15360 KB
  Hard Disk C: Type:  47 (USER TYPE)  Cyl 692, Hd 16, WPcom 65535,
                      LZone 692, Sect 60, Size 324 MB
  Hard Disk D: Type:  None
  Serial port(s):     3F8,2F8
  Parallel Port(s):   378

This laptop is running MS-DOS 6.22; the clean-boot diskette I used for
cleanup is MS-DOS 6.20; could this cause the problem described below?

The infection appeared when a faculty member came into the computer lab
with a floppy diskette and used one of the Gateway computers.
Apparently he accidentally booted the Gateway with his diskette in the A:
drive. After he left, I noticed strange messages on the monitor; they
appeared to be from DiskSecure-2.42. Unfortunately, I did not document
these messages; I thought DiskSecure would clear the problem when I
rebooted; it did not! I did a 'clean boot' and used F-PROT 2.18a, which
found the AntiExe virus on the hard disk. I removed it using F-PROT
2.18a. This computer runs MS-DOS 6.20; the boot diskette was the same
version.

Later I reinfected this lab computer (and one other) with the same
diskette the instructor used when the infection first appeared. On all
subsequent reinfections, DiskSecure detected and cleared the infection! I
was unable to reproduce the behavior of the original infection.

The infected diskette had been used in the professor's laptop computer;
he had lots of infected diskettes. When the laptop was booted from its
hard disk, it would infect any diskette which was not write-protected
when it was referenced by DIR, CHKDSK, or SCANDISK.

To disinfect the laptop, I did a power-off clean boot (using an MS-DOS
6.20 diskette), and ran F-PROT 2.18a from a write-protected diskette.
F-PROT detected AntiExe in memory [Why?] and would not continue.

I used the infected laptop to make an infected boot disk (FORMAT A: /U
/S) and copied the most essential DOS programs to it. I used F-PROT on
another machine to disinfect this floppy, and then rebooted the laptop
from the floppy. F-PROT still found the AntiExe virus in memory [Why?],
but the laptop was not infective; it would _not_ infect floppy disks. (I
did get lots of erratic, unreproducible read and format errors on the A:
drive, which continued even after the successful disinfection.)

I connected a Colorado Trakker tape drive, installed the TAPE program,
backed up the entire hard disk to tape, and compared the tape to the hard
disk. I planned to try F-PROT first, and if necessary use FDISK /MBR.
Having convinced myself that the virus was not _active_ (since the laptop
was not infecting diskettes, even tho' F-PROT found the virus in memory),
and having a complete backup of the hard disk, I then ran 'F-PROT /NOMEM'
to skip the memory scan. F-PROT found AntiExe on the hard disk, and
removed it. After that, F-PROT found no virus on the laptop!

I was still unable to install DiskSecure on the laptop, because the A:
drive was very intermittent in its ability to read diskettes.

QUESTIONS:
- Why did AntiExe survive power-off boots from clean diskettes?
- Was this an appropriate disinfection procedure? Comments?

--Mike Ramey, University of Washington, Seattle WA USA

------------------------------

Date: Sun, 16 Jul 95 14:05:51 -0400
From: psterling@i2020.net
Subject: Can't access drives A & B (PC)

I am experiencing problems accessing my floppy drives and my CD drive. I
first thought this might be a hardware problem. When I run diagnostics my
DMA controller does fail, but it has been doing this for over 6 months
and everything has been working OK. Nothing else fails.

The reason I suspect that this is a virus and not a hardware problem is
that my son's computer started having the same problem about an hour
after my problem started. I have run virus checkers and found nothing. My
virus checkers are somewhat out of date so I downloaded two from the
Internet. McAfee found no problems; CPAV (which was a special free
edition that only worked for a few viruses) found nothing but found one
file that had its date information changed. I had just recently copied
this file from a shareware CD. I am not sure if this is a problem or not.

I am also experiencing problems with programs that were previously
working aborting, usually with runtime errors, or sometimes I get a
message that EMM386 has become unstable. I have run a complete diagnostic
(for over an hour) on my memory and it passed. My son's computer is not
experiencing any of these problems.
Also, in case this is a DMA controller problem, could someone tell me if
the DMA controller is on the motherboard or the I/O card. I have looked
in all the hardware manuals I have at home and while they discuss this
chip they don't tell me where it is.

Thanks

------------------------------

Date: Sun, 16 Jul 95 18:03:54 -0400
From: cristall@snefru.comm2000.it (Alessandro Cristallo)
Subject: BOAT virus (dos systems) (PC)

Hello!

I found here in Italy the "BOAT" virus on a HD DOS floppy. It had
infected the boot area (or FAT) and some executables inside. Scan 2.1.5
by McAfee was only able to signal the presence of the virus, but the
/CLEAN option said that currently there was no remover for this virus.

Can someone help me?

Thx!

Alex SKS

******************************************************************************
*                                                                            *
*              Alessandro Cristallo - Milano, Italy                          *
*                                                                            *
*              e-mail: cristall@snefru.comm2000.it                           *
******************************************************************************

------------------------------

Date: Sun, 16 Jul 95 19:06:40 -0400
From: pitway@cix.compulink.co.uk ("Tim Hetherington")
Subject: Re: Form Virus (PC)

> I found the Form virus on my PC yesterday and removed it with the
> disinfect/query scan of F-PROT version 2.17. It told me that the virus
> had been removed, and on further scanning didn't detect it any more.
> Is this all I have to do? Is it really gone?

Yes, that should have done the job. But make sure that *every* floppy
disk that may have been used in the machine is checked as well. Nine
times out of ten this virus reappears, and it is usually because you have
left an infected floppy disk in the machine and then booted up.

Alternatively, load up a virus guard TSR of some description on boot-up
for a few weeks. This will interrupt any reinfection attempt and warn
you.

Hope this helps.

Cheers
Tim...
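The check Tim recommends above (look at every floppy that may have been in the machine) is easy to script against disk images, and doing so also shows how a product reaches a "boot sector looks wrong" verdict by change detection rather than by a signature. The Python below is an added example written for this digest; it is not code from any poster or from any of the products named in this issue. The clean and suspect sectors are constructed inline, the baseline hash is assumed to come from a known-clean disk of the same DOS version and format, and the code does not model how any particular virus (Form included) hides the original sector.

```python
"""Boot-sector triage for 1.44 MB floppy images.

Constructed example: the sectors below are synthetic and the baseline hash
is assumed to have been taken from a known-clean disk of the same format.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_OFFSET = 0x3E          # FAT12 boot code starts after the extended BPB
SIGNATURE_OFFSET = 510

# Layout of the first 0x24 bytes: JMP, OEM name, then the BIOS Parameter Block.
BPB_STRUCT = struct.Struct("<3s8sHBHBHHBHHHII")
BPB_FIELDS = (
    "jump", "oem", "bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
    "fat_count", "root_entries", "total_sectors", "media_descriptor",
    "sectors_per_fat", "sectors_per_track", "heads", "hidden_sectors", "large_sectors",
)

# Geometry every 1.44 MB 3.5" DOS floppy carries in its BPB.
FLOPPY_1440 = {
    "bytes_per_sector": 512, "sectors_per_cluster": 1, "reserved_sectors": 1,
    "fat_count": 2, "root_entries": 224, "total_sectors": 2880,
    "media_descriptor": 0xF0, "sectors_per_fat": 9,
    "sectors_per_track": 18, "heads": 2,
}


def parse_boot_sector(sector: bytes) -> dict:
    """Decode the BPB, check the 0x55AA signature and hash the code area."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("a boot sector is exactly 512 bytes")
    info = dict(zip(BPB_FIELDS, BPB_STRUCT.unpack_from(sector, 0)))
    info["signature_ok"] = sector[SIGNATURE_OFFSET:] == b"\x55\xAA"
    info["code_sha256"] = hashlib.sha256(
        sector[BOOT_CODE_OFFSET:SIGNATURE_OFFSET]).hexdigest()
    return info


def triage(sector: bytes, baseline_code_sha256: str, expected=FLOPPY_1440) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    info = parse_boot_sector(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["jump"][0] not in (0xEB, 0xE9):
        findings.append("first byte is not a JMP opcode (0xEB/0xE9)")
    # A boot-sector infector has to keep the BPB plausible or DOS cannot
    # read the disk, so geometry that disagrees with the format is a red flag.
    for key, want in expected.items():
        if info[key] != want:
            findings.append(f"{key}={info[key]} but a 1.44 MB disk has {want}")
    # Change detection: the code area should be byte-identical to the clean
    # baseline for the same DOS version; any difference needs a closer look.
    if info["code_sha256"] != baseline_code_sha256:
        findings.append("boot code differs from the known-clean baseline")
    return findings


def make_sector(code: bytes, **overrides) -> bytes:
    """Build a synthetic 1.44 MB boot sector around the given code bytes."""
    geo = dict(FLOPPY_1440, **overrides)
    head = BPB_STRUCT.pack(
        b"\xEB\x3C\x90", b"MSDOS5.0",
        geo["bytes_per_sector"], geo["sectors_per_cluster"], geo["reserved_sectors"],
        geo["fat_count"], geo["root_entries"], geo["total_sectors"],
        geo["media_descriptor"], geo["sectors_per_fat"],
        geo["sectors_per_track"], geo["heads"], 0, 0)
    # Extended BPB: drive number, reserved, 0x29 marker, volume id, label, FS type.
    ext = b"\x00\x00\x29" + b"\x12\x34\x56\x78" + b"NO NAME    " + b"FAT12   "
    body = (head + ext + code).ljust(SIGNATURE_OFFSET, b"\x00")[:SIGNATURE_OFFSET]
    return body + b"\x55\xAA"


# Constructed stand-ins for a loader: placeholder bytes, not real boot code.
CLEAN_CODE = b"\x90" * 48
CLEAN_SECTOR = make_sector(CLEAN_CODE)
BASELINE = parse_boot_sector(CLEAN_SECTOR)["code_sha256"]
# Same BPB, different code area: the pattern a boot-sector infector leaves.
SUSPECT_SECTOR = make_sector(b"\xCC" * 48)


if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_SECTOR), ("suspect", SUSPECT_SECTOR)):
        print(name, triage(sec, BASELINE) or ["no findings"])
```

On a real floppy image the boot sector is simply the first 512 bytes of the file. A baseline mismatch is a change-detection hit in the same sense as the Certify/ViVerify style tools discussed elsewhere in this issue: it says only that the code area changed, not what changed it, which is why the posters here still reach for a scanner with a positive identification before cleaning.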
------------------------------

Date: Mon, 17 Jul 95 02:45:57 -0400
From: ngs@gargoyle.fca.vuw.ac.nz (Samuel Ng)
Subject: Khobar Virus (PC)

Hi all,

I've a friend who has this Khobar (or is it Kohbar?) virus on his
machine. I gave him a copy of McAfee (2.2.3) and F-Prot (2.17a); they
managed to find the virus but not clean it. Does anyone know how to kill
this virus? Apparently, it has already infected over 100 files on his
machine.

Thanks,
Samuel

--
----------------------------------------------------------
Samuel Ng                        ngs@gargoyle.fca.vuw.ac.nz
Victoria University of Wellington, New Zealand
*Hakuna Matata* -- The Lion King
----------------------------------------------------------

------------------------------

Date: Mon, 17 Jul 95 04:44:17 -0400
From: harley@europa.lif.icnet.uk (David Harley)
Subject: Re: Dr. Solomon's Anti-Virus Toolkit (PC DOS/Windows) (PC)

Rob Slade, Social Convener to the Net (roberts@mukluk.decus.ca) wrote:

: Dr. Solomon's Anti-Virus Toolkit (AVT) 7.10
:
: Summary:
:
: General Description:
:
: Menu driven (TOOLKIT) activity monitoring (VirusGUARD, GUARDMEM), change
: detection (ViVerify, Certify), scanning (FINDVIRU), disinfection and operation
: restricting (Author, NOFLOPPY, NOHARD) suite of programs. Also contains
: additional utilities (SHRED, TKUTIL, DEFERBAT, DEFERKEY).

Actually, NOFLOPPY and NOHARD seem to have been discontinued since 7.0,
and SHRED can only be run from the TOOLKIT front-end.

: The installation program will,
: at the user's discretion, also add the resident portion of the package to the
: AUTOEXEC.BAT file, however it does not affect the PATH statement....
: all virus checking must either start from within the \TOOLKIT

It's also worth noting that *upgrading* the package actually ignores the
previous settings for the GUARD TSR. It also overwrites the current
VIV1.BAT and VIV2.BAT, which is annoying if you've customized it.
: call for using the FINDVIRU program to check for infections before doing the
: installation (which is good) but don't say which disk it is on. (The file
: actually resides on the Toolkit DOS disk #2, so it is not intuitively
: obvious.)

Actually, the label for Disk 2 specifically mentions FindVirus (vs.
7.13). I agree, though, it's not particularly intuitive.

: The TKUTIL program can remove references to CPAV, MSAV and NAV in startup
: files. Normally I would deplore a hostile action against a competing
: antiviral product, but I'm not sure that principle applies here.

I'm not privy to S&S's thinking on this issue, but it seems to me that,
apart from the question of how effective these packages are, it probably
makes some sense to address possible incompatibilities between AV
packages, especially one which can be configured to be as paranoid as
the NAV behaviour blocker.

David Harley
ICRF

------------------------------

Date: Mon, 17 Jul 95 05:44:29 -0400
From: leon@ic.uva.nl (Leon Oninckx)
Subject: Boot 437 virus, how to detect and remove it? (PC)

I would like to know how to detect and how to remove the 'Boot 437'
virus, as we hear more and more complaints from users who have this
virus. Can someone help?

Thanks,
-Leon

--
| Leon Oninckx                    email : leon@ic.uva.nl
| University of Amsterdam
| Informatiseringscentrum
| Turfdraagsterpad 9              phone : +31-20-5252260
| NL-1012 XT Amsterdam            fax   : +31-20-5252084
| The Netherlands

------------------------------

Date: Sat, 15 Jul 95 11:50:37 +0800
From: "Jonathan Richie Yap"
Subject: June 12 Independence Day Virus and Aome Virus Inquiry (PC)

I would like to inquire about a certain strain of the June 12
Independence Day virus which can't be detected by Virus Data File V9506
of McAfee. It is supposedly sometimes detectable but most of the time
undetectable. Do you have information about it?

Also, does a 486DX4-100 pose any problem?
I recently upgraded my computer from a 386SX to a 486DX4-100 and recently
have been experiencing several problems, listed below:

a) While programming with Turbo C v2.00, my screen usually is littered
   with clutter and some letters/characters are replaced. It is quite
   similar to some virus before, but when I scanned it, no viruses were
   reported.

b) While typing in Microsoft Word v6.0 in Windows 3.1 (standard), my
   screen suddenly goes blank with just a blinking cursor left. No
   computer activity is detected within five minutes, causing me to
   reset the computer. This happens frequently.

Kindly advise me on this. Thank you for your time.

- Jonathan Richie Yap

+------------------------------------------------------------------+
| JONATHAN RICHIE YAP                                              |
| iTEC Vice-President                                              |
|                                                                  |
| CRC College of Arts and Sciences      Tel. nos: 634-2804 to 06   |
| Pearl Drive, Ortigas Complex                    633-7912 to 13   |
| Pasig, Metro Manila 1600              Fax. nos: 634-2816         |
| Philippines                                     242-1089/0787    |
|                                                                  |
| e-mail address: YAP_JRL@othello.crc.edu.ph                       |
+------------------------------------------------------------------+

------------------------------

Date: Mon, 17 Jul 95 11:59:40 -0400
From: Angus Rae
Subject: Re: Virus info kept in WWW at novell.com (the netmakers) (PC)

A.Appleyard (A.APPLEYARD@fs2.mt.umist.ac.uk) wrote:
: Novell (the net-makers) has these WWW pages which contain the word "virus".
: I don't know which of them are actually about viruses. Their WWW addresses are
: http://www.novell.com/ServSupp/texttids/netware/######
: where `######' must be replaced by the `END OF ADDR' listed hereinunder.
: (The first entry shows that even they believe the chronic stale error that
: there is a specific virus called Genb and another called Genp :-) !)

: 016528.tid GENP, GENB VIRUS INFO

Actually they just reprint data from a McAfee datasheet; the document
clearly states that GENB and GENP are non-specific generic boot and
generic MBR infectors.
(aka "I dunno what they are, guv.")

--
Angus G Rae
Biological User Support Team, Edinburgh University
Email: Angus.Rae@ed.ac.uk
Personal Page: http://www.ed.ac.uk/~angusr/
The above views are mine, and Edinburgh Uni can't have any of them.
"The night is young, and we have _umbrellas_ in our drinks!" The Tick

------------------------------

Date: Mon, 17 Jul 95 12:00:58 -0400
From: D.Phillips@open.ac.uk (Dave Phillips)
Subject: Re(2): Form Virus (PC)

Jol

It's probably gone. Form is an easy one to remove; the best way I have
found is booting from a clean DOS disk of the same DOS version as is on
your hard disk and then, at the A:\ prompt, typing SYS C:. That normally
does the job.

If I find it on a floppy I normally copy the files on the disk to my
clean PC's temp directory, format the floppy and put the files back.

Dave

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

------------------------------

Date: Mon, 17 Jul 95 12:16:30 -0400
From: gcluley@sands.co.uk
Subject: RE: Natas virus (PC)

"Mikael hrberg" writes:

> Help! *panic*

Firstly, the first rule of viruses: don't panic. :-)

> I have the Natas virus, but I just can't seem to get rid of it...
> Neither the latest Dr Solomon's Toolkit nor the latest F-prot can
> remove it. Well, that is, they both claim they can remove it, but
> none of them even FIND/DETECT the virus... :(

> Now, then how do I know I have it? Simple. The GUARD program that
> comes with Dr Solomon's detects the virus, but does nothing about it.

VirusGuard wouldn't do anything about it - it intercepts viruses, but
leaves repair to FindVirus.

> What should I do? I'm on the edge of switching OS to OS/2 :)

If VirusGuard is detecting Natas but FindVirus isn't, I would be
suspicious as to whether you really do have Natas. It sounds like a
false alarm - but for VirusGuard false alarms are very rare, so I think
it's something a little different.
I think you might be using an out-of-date version of VirusGuard (the
latest is 7.50) with a more recent driver file (GUARD.DRV). Maybe you
downloaded a more recent driver file from somewhere. It is important to
keep both the virus-finding engine and its driver in sync - otherwise we
might change something in the engine your version doesn't know about.

If I were you I would check that you really are running a kosher version
of VirusGuard. You can contact Dr Solomon's tech support in Sweden on:

Tel: +46 8/580 100 02
Fax: +46 8/580 100 05

Regards
Graham

---
Graham Cluley                      Email: gcluley@sands.co.uk
Senior Technology Consultant,      CompuServe Tech Support: GO DRSOLOMON
Dr Solomon's Anti-Virus Toolkit    UK Support: support@sands.co.uk
S&S International plc, UK          USA Tel: +1 617 273 7400
UK Tel: +44 (0)1296 318700         USA Support: 100443.3703@compuserve.com

------------------------------

Date: Mon, 17 Jul 95 12:52:20 -0400
From: gcluley@sands.co.uk
Subject: Re: Dr. Solomon's Anti-Virus Toolkit (PC)

Nigel Morgan writes:

> Sorry Peter, but I just have to contradict you here. I use Dr. Solly's
> Toolkit for DOS in my job as a P.C. engineer, and with the introduction
> of V7, the scan load speed when using a floppy is abysmal! To give you
> some idea, I timed the load & standard scan for a half-full 540MB E-IDE
> HDD and it took over 45 seconds just to load the FV386.EXE program after
> booting with a vanilla boot disk. V6.x was never this slow. This is due
> to the DOS extender program I feel sure.

> However, that doesn't mean that Dr. Solly's isn't a good checker 'cos it
> is, but it's now (as a result of the DOS/4GW extender needed,) much
> slower loading than before.

Sounds like the DOS extender to me. The DOS extender is not required if
you are not scanning compressed files (ZIP, ARJ, ARC, PKLite, LZEXE, ICE
etc), or using advanced heuristic analysis. So, if you're not using these
features, use the command line FINDVIRU /86.
This forces use of the 8086 version of FindVirus, without the DOS
extender.

You will find that FindVirus slows down when it detects a virus in order
to perform precise identification. As has been commented in this
newsgroup before, FindVirus performs very accurate virus identification.

>> I am not connected to Dr. Solomon in any way, I am just a satisfied
>> customer.
>
> So am I

I *am* connected to Dr Solomon's - and still a satisfied customer. :-)

Regards
Graham

--
Graham Cluley                      Email: gcluley@sands.co.uk
Senior Technology Consultant,      CompuServe Tech Support: GO DRSOLOMON
Dr Solomon's Anti-Virus Toolkit    UK Support: support@sands.co.uk
S&S International plc, UK          USA Tel: +1 617 273 7400
UK Tel: +44 (0)1296 318700         USA Support: 102372.1725@compuserve.com

------------------------------

Date: Mon, 17 Jul 95 12:52:17 -0400
From: gcluley@sands.co.uk
Subject: Re: natas (PC)

mksky@aol.com (MK sky) writes:

> need all the info I can get on the Natas virus. Have been struck, but
> getting conflicting results with McAfee antivirus. I'm about to go
> nuts!!!!!

Here's the info from Dr Solomon's Anti-Virus Toolkit:

Natas virus

Type: Memory-resident file, boot sector and partition sector virus
(multipartite).

Affects: Fast infector: COM and EXE files on execution or close (e.g.
when copying - both source and destination). COM files longer than 60692
or shorter than 1000 bytes and EXE files longer than 938040 bytes are not
affected. The hard disk's partition sector is infected when an infected
program is executed or when booted from an infected diskette. Floppies
are infected on read access (e.g. DIR command).

File Growth: 4744 bytes

Description: The virus in infected files is variably encrypted and
polymorphic. The virus demonstrates full stealth - when it is active in
memory, it conceals all changes in infected files and disks.
Unlike most full stealth viruses, Natas is able to survive archiving
(ARJ, LHArc, PKZip), backing up (BACKUP, PCBACKUP) and transfers of
infected files via modem (ZMODEM, XMODEM, etc.). It does not trigger
CHKDSK file system error reports.

When booted from an infected hard disk, with a probability of 1/512
(i.e. approximately once in every 512 boots) the virus triggers and
formats all hard disks in the system, thus destroying all data on them.
The virus can also trigger when being traced with a debugger. It contains
the encrypted strings Natas, BACK and MODEM.

Regards
Graham

---
Graham Cluley                      Email: gcluley@sands.co.uk
Senior Technology Consultant,      CompuServe Tech Support: GO DRSOLOMON
Dr Solomon's Anti-Virus Toolkit    UK Support: support@sands.co.uk
S&S International plc, UK          USA Tel: +1 617 273 7400
UK Tel: +44 (0)1296 318700         USA Support: 102372.1725@compuserve.com

------------------------------

Date: Mon, 17 Jul 95 16:09:29 -0400
From: bauer@acns.cc.fsu.edu (Chuck Bauer)
Subject: Is this a known virus? (PC)

I'm a computer support guy here at FSU. Today a user called with the
following problem. All of the .COM files on his PC are about (but not
exactly) 2048 bytes larger than they should be. Whenever he runs one of
them, he gets an ASCII graphic of a cannon firing, which drifts across
his screen. He ran MSAV and McAfee (2.1 I think) and they do not report a
virus on his system.

Has anyone else heard of this behavior? Any idea of a cause and/or cure?

Chuck

--
Chuck Bauer                       bauer@acns.fsu.edu
Florida State University          Academic Computing and Network Services
Microcomputer Group (644-2811)

------------------------------

Date: Mon, 17 Jul 95 16:51:07 -0400
From: ngs@gargoyle.fca.vuw.ac.nz (Samuel Ng)
Subject: Khobar virus (PC)

Hi all,

Is there a program that can clean the Khobar (or is it Kohbar) virus?
I've a friend who has this virus on his machine; I gave him McAfee
(2.2.3) and F-Prot (2.17a). They can find it, but not clean it.
He now has over 100 files infected.

Thanks,
Samuel

--
----------------------------------------------------------
Samuel Ng                        ngs@gargoyle.fca.vuw.ac.nz
Victoria University of Wellington, New Zealand
*Hakuna Matata* -- The Lion King
----------------------------------------------------------

------------------------------

Date: Mon, 17 Jul 95 17:33:13 -0400
From: kolbach@mediatel.lu (Tom Kolbach)
Subject: Which Anti-Virus Prog for PARITY Boot B ??? (PC)

Hey to everybody in this group,

I just wanted to know which anti-virus program would be best for
deleting or removing the mighty PARITY BOOT B virus? (Perhaps McAfee
just works fine?)

Thanks for your attention.

Tom Kolbach
Luxembourg
tom.kolbach@mediatel.lu

------------------------------

Date: Mon, 17 Jul 95 17:34:23 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: invircible? (PC)

SWolfeRPH (swolferph@aol.com) writes:

> i'd like some info on a comprehensive anti-virus software program/
> my nephew has suggested this one

Tell your nephew to take a look at the paper
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/invircib.zip
for an... uh... alternative view on the quality of this program.

> any others on shareware??

Certainly; there are lots. Take a look at
ftp://ftp.coast.net/SimTel/msdos/virus/ - there are many shareware and
freeware anti-virus programs there.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev                Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226          Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.          Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de            22527 Hamburg, Germany

------------------------------

Date: Mon, 17 Jul 95 17:40:09 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Suspicious virus NOT being deleted. HELP!! (PC)

Victor Pomar (vpomar@ix.netcom.com) writes:

> I have installed the latest version of F-PROT in my computer. Every time
> that I scan my two HD's, the following message shows up:
> Scans MBR of Hard Drive 1
> Scans MBR of Hard Drive 2
> Master Boot Sector: Possibly a variant of Stoned
[snip]
> Is there a way to get rid off of that suspicious virus?, I

It's not a "suspicious virus". It means that the MBR looks suspicious -
as if it is infected by a variant of the Stoned program which is unknown
to F-PROT. However, I think that in reality you do not have a virus - I
mean, not any more. It is possible that the MBR of your computer has
been infected with some variant of the Stoned virus. Then the virus has
been removed, but improperly, leaving parts of its body in the MBR. If
this is, indeed, the case, then it is not dangerous - the machine is not
infected.

Of course, there is also the possibility that it is infected by a new
virus (unknown to F-PROT) which remotely resembles Stoned. You might
want to double-check it with another scanner - for instance, AVP is an
excellent one.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev                Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226          Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.          Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de            22527 Hamburg, Germany

------------------------------

Date: Mon, 17 Jul 95 17:41:22 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: scan and f-prot (PC)

rclaessen@tschitschibabin.orgchemie.chemie.uni-tuebingen.de writes:

> where do i find the latest versions. please tell me the ftp site.

Usually - at ftp://ftp.coast.net/SimTel/msdos/virus/.
However, since you are from Germany, you might find it more convenient to
get most of the better anti-virus programs from
ftp://ftp.informatik.uni-hamburg.de/pub/virus/progs/.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev                Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226          Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.          Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de            22527 Hamburg, Germany

------------------------------

Date: Mon, 17 Jul 95 17:44:44 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Scanner Invokes Disk Killing Virus? (PC)

Dave Meyer (dmeyer@digex.net) writes:

> This is a new one for me..we've had two PCs suffer apparent hard disk failure this
> week after failing a virus-scanning routine! Is this possible that the virus (boot
> sector/FAT virus) is doing something like destroying the partition table when it
> detects that it is being scanned by a particular antivirus scanner?

Yes, several viruses activate their destructive payload when the user
attempts to run an anti-virus program while the virus is active in the
memory of the computer. That's why you must always boot from an
uninfected, write-protected system diskette before doing any virus
hunting.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev                Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226          Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.          Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de            22527 Hamburg, Germany

------------------------------

Date: Mon, 17 Jul 95 17:46:04 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Infected!! Anti-Cmos A (PC)

OVAL (dwkkwong@undergrad.math.uwaterloo.ca) writes:

> It seems like there is an outbreak in my city (Waterloo, Canada) of the
> Anti-CMOS A virus.
> Could anyone tell me more on that virus, such as
> what part of my machine will not be working properly, and is there
> any cleaner for this virus.

There is a CARObase entry describing this virus in
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/carobase/carobase.zip

Regarding the "cleaner", this virus does not preserve the original MBR of
the hard disks it infects, so the only way to remove it is to overwrite
it with a new copy of the MBR. The DOS program FDISK will do that when
started with the option /MBR. Many anti-virus programs are able to do the
same.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev                Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226          Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.          Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de            22527 Hamburg, Germany

------------------------------

Date: Mon, 17 Jul 95 17:48:25 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Information re: "Generic Viruses" (PC)

Larry_Pullen@mail.fws.gov writes:

> Please send me any information you may have on viruses called
> "Generic-**"

Impossible. As the name indicates, there is no such particular virus. It
is a "generic" report from the heuristic analyser of a popular anti-virus
program (CPAV, I think) which means "I think that this file or boot
sector is infected but I don't have the slightest idea with what".

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev                Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226          Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.          Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de            22527 Hamburg, Germany

------------------------------

Date: Mon, 17 Jul 95 17:53:18 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: BackForm !!! (PC)

WeiT (elec@phrouter.phy.pku.edu.cn) writes:

> I found a virus - BackForm in my lab, but I haven't any 'AV' which can
> disinfect it ( f-prot 2.18 can report it without disinfection ).

Then try AVP - another excellent disinfector.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev                Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226          Fachbereich Informatik - AGN
PGP 2.6.2i public key on the keyservers.          Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de            22527 Hamburg, Germany

------------------------------

Date: Mon, 17 Jul 95 18:30:14 -0400
From: wclib@ccnet.com (Walnut Creek Library)
Subject: Re: Suspicious virus NOT being deleted. HELP!! (PC)

Victor Pomar (vpomar@ix.netcom.com) wrote:
: I have installed the latest version of F-PROT in my computer. Every time
: that I scan my two HD's, the following message shows up:
: Scans MBR of Hard Drive 1
: Scans MBR of Hard Drive 2
: Master Boot Sector: Possibly a variant of Stoned
:                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
: At the end of the scanning, when the Results are shown, this is what I
: get:
: MBR's             : 2
: DOS boot Sector's : 2
: Infected          : 0
: Suspicios         : 1
: Disinfected       : 0
: My question:
: Is there a way to get rid off of that suspicious virus?, I
: thought that f-prot was capable of erasing viruses from the MBR. Am I
: doing something wrong? Is it Ok to have that suspicious virus there as
: long as the computer is, or seems, to be working without a problem??
: I would really appreciate your help.

Yes, there is a way to get rid of it: sledgehammer a new MBR record in...
BUT it may turn and bite you... F-prot is capable of removing SOME (quite
a few) MBR virii, once it can get a positive ID on them, which is
precisely what's missing here. If it is a virus, it's not a great idea to
leave it in place; if it's something else (e.g., a 3rd party
disk-partitioning scheme or security program), it likely belongs where it
is.
Removing even a known virus by sledgehammer can give you real headaches,
though. Stoned-B can be killed off that way with no particular
difficulties; Monkey (a Stoned variant), if removed in the same way, will
give you interesting times (in the sense of the old Chinese curse)
putting your partition table back together.

You haven't done anything wrong yet that you've mentioned in your
account, but you also haven't provided enough info for a determination of
whether or not you indeed have a viral infection... You might try some of
the other scanners as a shot at getting an ID on the beastie, or you
might try sending a dump of your MBR to someone who can read it; if
you're one of the first to be hit by a new Stoned variant, you may have
to use jury-rigged measures to remove it, pending the installation in
F-PROT (et al.) of a specific recognition string and flattening code.

Good luck.

Inconnu

--
***************************************************************************
*** This is a public access account provided by the Walnut Creek branch ***
*** of the Contra Costa County Library. Literally anyone can be using   ***
*** it to send this message. Their views are their own, and do not      ***
*** reflect those of the Contra Costa County Library.                   ***
***************************************************************************

------------------------------

Date: Mon, 17 Jul 95 20:25:53 -0400
From: jbunch@primenet.com (James R. Bunch)
Subject: Re: Removing virus from a non-boot diskette (PC)

G Martin (gmartin@freenet.columbus.oh.us) wrote:
: I have seen several postings on this list that have suggested using the
: DOS "SYS" command to remove boot sector viruses. But I have not yet seen
: a single one that says how to safely do this on a NON-boot diskette. I
: recently had to remove the FORM-A and STEALTH-C viruses from a couple
: hundred 1.44 MB diskettes, and had a problem with almost all of them that
: I used the SYS command on.
[snip]

I'd recommend using an AV product such as McAfee's scan, F-PROT, etc.
They have built-in capability to restore the corrupted boot sector, and
won't put in anything bogus or irrelevant. I've been working an Anti-Exe
infection this way, and it's working out 100% ok. (So far ;-))

- --
- -----------------------------
James R. Bunch           "A Byte is a terrible thing to waste ...
jbunch@primenet.com       ... a MByte 1048576 times worse"
PGP Key available via finger
PGP Key fingerprint = B5 31 10 77 BF B0 FD B2 10 54 CB E6 13 7C 26 58
- ------------------------------

------------------------------

Date: Mon, 17 Jul 95 20:30:44 -0400
From: "David J. Topper"
Subject: Strange Problem (LILO? VIRUS?) (more) (PC/Linux)

This is in follow up to my previous post. I just tried booting Linux and
got the following error ... even before loading Linux:

Loading Linux error 0x04
Loading linux error 0x04

This went on until I rebooted. When I did, I was able to boot but got the
following error before my login prompt:

hda: read_intr: error = 0x10
hda: read_intr: status = 0x59

(several times)

I hope this makes sense to someone who can shed some light on the problem.
I am beginning to suspect that it is a hardware problem and not a virus
... but I am not sure either way.

Thanks,
Dave Topper

------------------------------

Date: Mon, 17 Jul 95 15:13:04 -0500
From: "Rob Slade, the doting grandpa of Ryan Hoff"
Subject: Norton AntiVirus (DOS/Windows) (PC)

PCNRTNAV.RVW   950608

Comparison Review

Company and product:

Symantec/Peter Norton
10201 Torre Avenue
Cupertino, CA   95014
USA
408-253-9600
800-441-7234 Customer Service
408-252-3570
Fax: 503-334-7400
416-923-1033
Technical Support: 503-465-8450
BBS: 503-484-6669
Retrieval Fax: 503-984-2490

Norton AntiVirus 3

Summary: Manual and TSR virus scanning, as well as change detection.
Cost U$130, U$69/C$79 for annual update service

Rating (1-4, 1 = poor, 4 = very good)
"Friendliness"
      Installation          3
      Ease of use           2
      Help systems          2
Compatibility               3
Company
      Stability             3
      Support               2
Documentation               2
Hardware required           2
Performance                 2
Availability                4
Local Support               1

General Description:

The NAV.EXE program has the ability to scan memory, boot sectors and files
for the presence of known viral programs, and to "inoculate" programs to
detect change. It can also recover some damage to programs and boot
sectors.

                  Comparison of features and specifications

User Friendliness

Installation

The program is shipped on three 1.44M "read only" disks, therefore cannot
be infected at the user's site without active intervention. Network
installation assistance is provided in the installation program.

Ease of use

The program is "menu driven", but use without a mouse is not necessarily
intuitive, nor do all menus work consistently. Ten pages of the manual are
devoted to the use of the interface. The menus are, however, generally
clear and readable.

The "Advanced scan" and "Auto-inoculate" features of the system are simply
variations on checksumming and change detection, but are set up and
explained in a manner which appears to be unnecessarily confusing. The
options available in the "Options/Configuration" menu allow for a
considerable degree of customization, but reasons for choosing certain
options are not clearly explained in the initial installation section of
the manual. Some options do not appear to work: I did not choose to
"Disable scan Cancel *b*utton" (*b* being the letter used to access this
option), but the "cancel scan" option was disabled on my program anyway.

If a virus is detected in memory at the beginning of a scan, the program
will refuse to scan further. This is an advantage in that it prevents
infection by viri which infect each file as it is open, but there is no
"discretion" on this feature, and it activates even when boot sector viri
are found.
The program does not terminate, but will not perform (in terms of
scanning). No help is given at this point: the user is referred to a
section of the manual.

Help systems

The program contains an extensive help file. Personally, I did not find
the onscreen help to be very useful, generally having to go to the of the
manual if I could not figure out the operation from the menus.

Compatibility

Although not stated in the manual, many functions no longer work for CPUs
lower than a 286 level.

Company Stability

Symantec and Peter Norton have both been solid companies in their
respective environments. Symantec has also purchased Zortech, Certus and
Fifth Generation, all of which have been marketing antiviral software, and
recently merged with Central Point, which had been following a similar
pattern.

Company Support

The company appears to have removed both a technical support line and a
"Virus Newsline" for update information on new viral signatures.

The distribution of updated signature files has been problematic.
Initially they were available only from the Symantec BBS or on CompuServe,
where Symantec runs a support forum. Offers of space on other systems were
turned down. Subsequently, a Symantec representative stated that update
files could be distributed via BBSes, at the same time that other agents
were saying that this was a violation of copyright. At one point a demo
version of the program was stated to be available on "hundreds of bulletin
boards worldwide". This was later found to refer to the Symantec BBS and
CompuServe only. Most recently permission has been granted to distribute
the update files from ftp sites on the Internet. However, no announcements
of availability were made and the future of this distribution is
completely unknown.

It should be noted that although the initial program was promised to the
reviewer, it required eleven return phone calls to five different offices
to finally have it delivered over three months later.
Other shipping was similar, although most recently the package was the
fourth to arrive after a general call for review materials.

The series of acquisitions by both Symantec and Central Point means the
company has absorbed a significant group of antiviral software vendors.
This represents more than a dozen products which have been removed from
the market or had support withdrawn. The buyouts appear to have been done
solely to gain market share. Less than a month after the company had been
purchased, callers were being told that the product support for Fifth
Generation products had been discontinued, and were offered "upgrades" to
NAV. To date, only one of the technologies of the "orphaned" products has
been added to the Norton AntiVirus.

Documentation

The documentation is much improved from earlier versions, but still refers
only to program operation and has little general discussion of viral
programs.

Hardware Requirements

A 286 or above is required for many functions.

Performance

The TSR scanner is invoked from CONFIG.SYS. While it cannot prevent
infection of the system from a "boot sector" infected diskette, it does
not detect the presence of such a virus in memory, and it neither prevents
infection of diskettes, nor alerts the user to the use of an infected
diskette or the operation of infecting.

Repair of viral programs appeared to be effective on those few for which
this is an option. However, the major option tends to be deletion.

Local Support

Although local sales offices of Symantec/Peter Norton are widely
available, support is only provided through central technical support.

Support Requirements

In its current form, the product is suitable for novice users, but
installation and actions when a virus is found may require more expert
support.

General Notes

Statements from former employees indicate serious problems within the
Norton AntiVirus product development group, possibly with regard to
management.
Normally, this would simply fall within the realm of mere gossip, but the
almost complete lack of development of the product over the past year
tends to add credence to the rumour.

copyright Robert M. Slade 1991, 1993, 1995   PCNRTNAV.RVW   950608

======================
ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733  RSlade@cyberstore.ca
Why did the chicken cross the Moebius Strip?  To get to the other.. um.. er..
Author "Robert Slade's Guide to Computer Viruses" 0-387-94311-0/3-540-94311-0

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 72]
*****************************************
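The Walnut Creek Library reply in this issue suggests sending a dump of the master boot record to someone who can read it, and warns that writing a fresh MBR over a Monkey-infected one leaves the partition table to be rebuilt. Reading such a dump is mostly a matter of decoding the four 16-byte partition entries at offset 0x1BE and the 55AA boot signature. The script below is an added example written for this editorial note; it is not code from the digest or from any of the products discussed. The two MBR images it works on are constructed for the demonstration (one healthy single-partition DOS disk, one whose partition table has been wiped), and the partition type table covers only a handful of common DOS-era type codes.

```python
"""Decode a 512-byte MBR dump and flag a partition table that needs
reconstruction.  Added example; the MBR images are constructed, not real."""

import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE      # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid MBR

# A few common DOS-era partition type codes (public, well-documented values).
PARTITION_TYPES = {
    0x00: "empty",
    0x01: "FAT12",
    0x04: "FAT16 (<32 MB)",
    0x05: "extended",
    0x06: "FAT16",
    0x0B: "FAT32",
    0x83: "Linux",
}


def parse_partition_table(mbr):
    """Return the four partition entries as dicts.  Entry layout: boot flag,
    CHS start (3 bytes, skipped), type, CHS end (3 bytes, skipped),
    LBA start, sector count; all multi-byte fields little-endian."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR dump is exactly 512 bytes")
    entries = []
    for slot in range(4):
        off = PART_TABLE_OFFSET + 16 * slot
        boot, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({
            "slot": slot,
            "bootable": boot == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "0x%02X" % ptype),
            "start_lba": start,
            "sectors": count,
        })
    return entries


def assess_mbr(mbr):
    """What a reader of the dump checks first: the boot signature, which
    slots are in use, and whether the table is usable at all."""
    entries = parse_partition_table(mbr)
    used = [e for e in entries if e["type"] != 0x00]
    signature_ok = mbr[510:512] == BOOT_SIGNATURE
    findings = []
    if not signature_ok:
        findings.append("boot signature 55AA missing: sector is not a valid MBR")
    if not used:
        findings.append("partition table is empty: a bare MBR rewrite, or a "
                        "virus that relocated the table, leaves it like this; "
                        "rebuild the table before trusting the disk")
    for e in used:
        if e["start_lba"] == 0 or e["sectors"] == 0:
            findings.append("slot %d (%s) has a zero start or length"
                            % (e["slot"], e["type_name"]))
    if used and not any(e["bootable"] for e in used):
        findings.append("no partition is marked active; BIOS will not boot it")
    return {"signature_ok": signature_ok, "partitions": used,
            "findings": findings}


def build_sample_mbr(partitions, with_signature=True):
    """Constructed sample image: zeroed boot-code area, the given
    (bootable, type, start_lba, sectors) entries, optional 55AA."""
    sector = bytearray(MBR_SIZE)
    for slot, (bootable, ptype, start, count) in enumerate(partitions):
        off = PART_TABLE_OFFSET + 16 * slot
        struct.pack_into("<B3xB3xII", sector, off,
                         0x80 if bootable else 0x00, ptype, start, count)
    if with_signature:
        sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed images: a healthy one-partition DOS disk and a wiped table.
HEALTHY_MBR = build_sample_mbr([(True, 0x06, 63, 1000000)])
WIPED_TABLE_MBR = build_sample_mbr([])

if __name__ == "__main__":
    for name, image in (("healthy", HEALTHY_MBR), ("wiped", WIPED_TABLE_MBR)):
        report = assess_mbr(image)
        print(name, "- signature ok:", report["signature_ok"])
        for e in report["partitions"]:
            print("  slot %d %-14s start=%d sectors=%d active=%s"
                  % (e["slot"], e["type_name"], e["start_lba"],
                     e["sectors"], e["bootable"]))
        for f in report["findings"]:
            print("  !", f)
```

To use it on a real dump, read the first 512 bytes of the disk into `bytes` and pass them to `assess_mbr`; the boot-code area (bytes 0 to 0x1BD) is deliberately not interpreted here, since judging whether that code is original or viral is the job of a scanner with a positive identification, which is exactly the point the reply makes.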