
VIRUS-L Digest V10 #86

daemon@ATHENA.MIT.EDU (VIRUS-L/comp.virus Moderator)
Sat Aug 9 16:37:30 1997

Date: 	Sat, 09 Aug 1997 10:19:16 +0100
Reply-To: virus-l@Lehigh.EDU
From: "VIRUS-L/comp.virus Moderator" <moderator@virus-l.demon.co.uk>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>

VIRUS-L Digest  Saturday, 9 Aug 1997    Volume 10 : Issue 86

Today's Topics:

Re: Computer virus vs A.I.D.S.
Re: FIBER ANTI VIRUS VER 1.20d
Re: Several intellectual questions
Re: List of known viruses?
Re: PC virus to AppleII GS?
McAfee Anti-Virus - downloading of dat files
cc:Mail and AntiVirus Software
Antiviral Software Evaluation FAQ
virus alert policies
Re: FIBER ANTI VIRUS VER 1.20d
Re: Computer virus vs. A.I.D.S.
too big messages
Re: Can RTF files contain macro viruses? (MACRO)
Re: How to disinfect Word macro virus in PPT file? (MACRO)
Re: Word macro virus (WORD)
NPAD Virus Problem! (WORD)
Wazzu FAQ please? (WORD)
Re: About MSWord's alleged macro av (WORD)
Re: CAP Virus? (WORD)
Re: CAP Virus? (WORD)
Hybrid & ccMail (WORD)
Re: wm.cap virus on Mac (WORD)
Re: Word Macro Virus (WORD)
Word Macro-Virus NOP.A (WORD)
Re:Win NT 4.0, Explorer writes to a floppy when viewing contents (NT)
Re: Problem with McAfee AntiVirus and NT 4.0??? (NT)
Dr. Solomon's AVTK W95 v7.71 configuration info? (WIN95)
Re: Booting Dr. Solomon S.O.S. disk during install? (PC)
Re: Help!! How to remove the Stoned.Empire.Monkey virus (PC)
Re: FLASH prom Virus writing to write protected Floppy (PC)
Boot Sector Problems (PC)
Re: Floppy Format fails (PC)
Help Brutus.296 (PC)
Re: Floppy Format fails (PC)
IA3076.A virus (PC)
Virus payload (PC)
Re: Booting Dr. Solomon S.O.S. disk during install? (PC)
Need info on NCH.B, ZEU.X and NCEPT (PC)
Re: FLASH prom Virus writing to write protected Floppy (PC)
Is there anything I can do to fix this?! (PC)
DOOMSDAY721 (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is its gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on ftp.infospace.com/pub/virus-l (IP 206.129.166.107)
or upon request.)  Please sign submissions with your real name; clearly
faked or anonymous postings will not be accepted.  Some antivirus
documentation, and a full set of back-issues are also archived at
ftp.infospace.com, which is also the home of our FAQ (Frequently Asked
Questions) document.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: nick@virus-l.demon.co.uk.  (Beer recipes should still be sent to
Ken van Wyk at: krvw@mnsinc.com.)

VIRUS-L subscribers wanting help with list-processor commands should
send a message to listserv@lehigh.edu with the command "info virus-l"
in the body of the message (the listserv ignores Subject: lines).

All submissions should be sent to: VIRUS-L@lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Tue, 27 May 1997 06:58:25 -0700
From: Somebody <thosokaw@sfu.ca>
Subject: Re: Computer virus vs A.I.D.S.
X-Digest: Volume 10 : Issue 86

>> The Antibiotic created (by an honest scientist) searches the body and
>> finds 1010-1100.  But A.I.D.S. being the tremendous disease that it is,
>> it CHANGES ITS CODE RANDOMLY.  Today its code is 1010-1100
>> Tomorrow its code is 0011-0101.  How can the (honest scientist)
>> create a defense Mechanism to seek and destroy this chameleon-like
>> disease.  This is why none of the prior antibiotics were working.
>
>Since any genetic system has some parts that must not be altered in order
>to function properly, it is no big deal to identify any AIDS virus by
>its genetic code. The problem is to identify the cells infected by the
>virus.

Not that there's a special difference here.  There are virus scanners
that at one point in time identified some viruses by the decryptor
produced by the polymorphic engine.  That's roughly analogous to
looking at the protein coating of a cell to find elements of a virus,
retrovirus, whatever.

- --
Unknown

------------------------------

Date: Wed, 28 May 1997 10:16:11 -0600
From: George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Subject: Re: FIBER ANTI VIRUS VER 1.20d
X-Digest: Volume 10 : Issue 86

Francis Hor says...
>FIBER Anti Virus is a comprehensive tool kit designed to protect, detect
>and recover your PC from the computer viruses.

How, specifically, does the program work?  What advantages does it have
over other, more well-known anti-viruses?  I've never heard of it
before.

>While FIBER Anti Virus
>focuses heavily on numerous ways to prevent a virus infection, the package
>would not be complete without various cleaner programs to purge a system,
>in the unlikely event that a virus manages to slip through.

How does it handle Word Macro viruses?  Does it have Office97 support?
How does it handle encrypted documents?

Your web page states "Highest detection rate on known and unknown
viruses."  Please elaborate exactly who tested the detection rate and
found it to be so high.  Do you use an in-house virus-detection engine,
or have you licensed it from another anti-virus producer?

Also, you may wish to go over your web page with a spell checker and a
grammar checker.  While generally this isn't a big deal, keep in mind
that your web page is how people will get an opinion of your company.

- -
George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Club Secretary & Webmaster,
University of Alberta Karate Club
http://www.ualberta.ca/~gwenzel/

------------------------------

Date: Wed, 28 May 1997 19:07:42 +0000 (GMT)
From: Robert Michael Slade <rslade@vcn.bc.ca>
Subject: Re: Several intellectual questions
X-Digest: Volume 10 : Issue 86

Carey_Tyler_Schug@em.fcnbd.com wrote:

: another virus come along and put virus "a", maybe in sector 8 and itself
: in the boot sector?  How long could this go on?  Just as an intellectual

Yes, this is quite possible.  There are two scenarios: in the first,
the two viruses use different sectors, and co-exist quite happily.  In
the second scenario, the viruses use the same sector.  In this case the
second virus would overwrite the original boot sector with the body of
the first virus, so the disk would become unbootable.  However, as long
as the viruses did *not* use the same boot sector, a number of viruses
could infect one machine.

: exercise, has anybody ever figured out how many boot sector viruses, or
: boot sector plus partition sector viruses could coexist on one machine?

Theoretically, this could go on forever.  In practical terms, there
would be a limit to the number of sectors that could be successfully
used, but that number would vary from machine to machine.  (For
example, disks with different numbers of sectors would have a different
number of sectors in the partition gap.)  Viruses can also, at times,
partition sectors between or beyond existing tracks.  (This is strongly
dependent upon the available hardware.)

: Would their payloads be cumulative, or would the first or last take

The last infection would be the first to run, and so would take
precedence.  However, again depending upon the mechanism used by the
virus, a number of the payloads could be active.

: precedence?  Would any/some/most anti-virus programs find all of them in
: one pass, multiple passes, or fail to detect or disinfect from such a
: scenario?

All of the above.  Some antivirals would get them all, some would get
one, some would fail.  Some would be able to detect and disinfect, but
most would only disinfect a single infection per pass.

: 2. Shouldn't it be possible for a hardware manufacturer to produce a hard
: disk on which the boot sector is NOT writeable unless a certain jumper is
: set?  This jumper could be brought out to a pushbutton switch if desired,
: since it would need to be set to update the partition table.  That would

Yes, it is possible.  I have no idea why manufacturers don't do it.
(You can achieve a similar result with removable media drives, which
normally have a write protect switch.)

: program from booting from a floppy disk).  Greater intelligence in the
: controller could interpret the partition table and protect the partition
: boot sectors also.

A software version of an automated change detection/sector replacement
system is DISKSECURE.

: 3. Alternatively, such a jumper could be placed in the disk controller.

Yup.

: 4. A more elaborate scheme could include flash memory, allowing setting a
: software password and eliminating the mechanical switch.  This could be
: done on either the SCSI/IDE disk or the disk controller board.

Could be done, and wouldn't involve extra hardware.  However, I suspect
that there are weaknesses to such a system.  (Where do you store the
password? etc.)

: 5. It could also be put into the ROM BIOS, with a non-standard physical
: controller, so only a virus written for that specific physical controller
: could infect that machine.

True, but, if successful, everyone would want one, and then it would
become the standard controller, at which point you'd have to write a
different non-standard, and if successful ...

======================
roberts@decus.ca         rslade@vcn.bc.ca         slade@freenet.victoria.bc.ca
link to virus, book info at http://www.freenet.victoria.bc.ca/techrev/rms.html
Author "Robert Slade's Guide to Computer Viruses" 0-387-94663-2 (800-SPRINGER)

------------------------------

Date: Sun, 25 May 1997 17:11:48 +0300 (EET DST)
From: Marius Gheorghescu <gg7030@scs.ubbcluj.ro>
Subject: Re: List of known viruses?
X-Digest: Volume 10 : Issue 86

On Sun, 18 May 1997 07:49:22 +0000 (GMT)
"Chengi J. Kuo" <cjkuo@alumnae.caltech.edu> wrote:

> Michael McGinnis <paddy@montana.com> writes:
> >Does anyone know were I can obtain a recent downloadable list of CARO
> >virus names

What do you need a list of names for?
If you don't have the viruses or their specifications, that list is
useless; it is just a collection of (strange :)) words.

> The last time I saw such a list was a couple years ago.
>
> Currently, the best way to cross-reference names is via the VGREP
> project available from www.virusbtn.com (excellent program by Ian
> Whalley, ex-editor of Virus Bulletin).

But their virus collection isn't that big, that's a problem.

> And CARO has been concentrating on maintaining a consistent naming
> standard for macro viruses.

Hope you'll succeed now.
Because, in my opinion, until now CARO hasn't done too much in the DOS
virus naming area. Although most major antiviruses have representatives
in CARO, they do not use the same names for the same viruses.
F-Prot seems the only major antivirus that fully respects the CARO
name specifications, but it is poor at polymorphic viruses.
AVP names the variants as .a, .b, .a1, .b2 and so on, instead of
.A, .B, .AA, .AB, and does not intend to identify (sub)variants of some
major virus families.
DrSolomon screws up the names with all kinds of internal attributes
(i.e. .mp., .ow., .cav.) but, what's worse, it doesn't keep a single
distinguishable name for a virus family (let's take PS-MPC for example:
findviru reports viruses as MPCa, MPCb, ... and so on). And another
annoying thing is that attributes are not specified in a standard way;
for example, the attribute .dr. (dropper) may be encountered in the
following circumstances:
        virus.dr.1234.a
        virus.dr
        virus dr.1234.a
        virus dr
Those don't look like CARO names, as specified in '92 by the
representatives of the above antiviruses, what do you think, mmm?

Let's not talk about other (strange :) ) antiviruses, such as Sophos,
or AVAST, which name the viruses as virus-1234, or virus 1234, or (ex)
TBAV which (most times) identifies only families, and also has strange
names like virus {1}, the_same_virus {2} ...

The conclusion....(null)

:-)

 Marius

______________________________________________________________________________
Gheorghescu Marius <gg7030@scs.ubbcluj.ro>. Tel. +40 64 12 48 21 ('till July)
Babes Bolyai University of Cluj-Napoca, Romania. CSD Student || Virus Analyst.
   PGP Key fingerprint =  92 44 FF C7 04 81 CB 58  30 86 2E 33 BF B9 A5 09
  	    "Please note: my CARO name is [Marius.7030.GG]"
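
The cross-referencing problem described in the post above (the same virus reported as virus.dr.1234.a, virus dr.1234.a, virus-1234, virus {1} and so on) can be illustrated with a small name normaliser. This is an added example, not code from the post or from the VGREP project; the attribute tokens (dr, mp, ow, cav) are the ones the post lists, and the tokenising rules are an assumed, simplified grammar, not the CARO specification.

```python
# Added example: normalise vendor-specific virus names into a CARO-like
# Family.Size.Variant form so that names from different scanners can be
# compared.  Grammar is assumed and simplified; the attribute tokens come
# from the post above (Dr Solomon style .dr., .mp., .ow., .cav.).
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Internal attributes that vendors insert into names; assumed from the post.
ATTRIBUTE_TOKENS = {"dr", "mp", "ow", "cav"}


@dataclass(frozen=True)
class VirusName:
    family: str
    size: Optional[int]
    variant: Optional[str]
    attributes: FrozenSet[str] = frozenset()

    def caro(self) -> str:
        """CARO-style identity string: Family[.Size][.Variant]."""
        parts = [self.family]
        if self.size is not None:
            parts.append(str(self.size))
        if self.variant:
            parts.append(self.variant)
        return ".".join(parts)


def normalize(raw: str) -> VirusName:
    """Parse one vendor name into family, infective size, variant, attributes."""
    # TBAV-style "{1}" family indices carry no identity; keep them as a marker.
    text = re.sub(r"\{(\d+)\}", r" idx\1", raw.strip())
    # Separators: dots, whitespace, underscores, and a hyphen only when it
    # introduces a size ("virus-1234"), so "PS-MPC" stays one family token.
    tokens = [t for t in re.split(r"[.\s_]+|-(?=\d)", text) if t]
    if not tokens:
        raise ValueError("empty virus name")
    family = tokens[0][0].upper() + tokens[0][1:]
    size: Optional[int] = None
    variant: Optional[str] = None
    attributes = set()
    for t in tokens[1:]:
        low = t.lower()
        if t.isdigit() and size is None:
            size = int(t)                       # first number is the size
        elif low in ATTRIBUTE_TOKENS or (low.startswith("idx") and low[3:].isdigit()):
            attributes.add(low)                 # non-identifying qualifier
        elif t.isalnum() and len(t) <= 2 and not t.isdigit():
            variant = t.upper()                 # .a / .b / AVP-style .a1
        else:
            attributes.add(low)                 # anything else: keep, don't identify by it
    return VirusName(family, size, variant, frozenset(attributes))


def same_virus(a: str, b: str) -> bool:
    """True when two vendor names resolve to the same family/size/variant."""
    return normalize(a).caro() == normalize(b).caro()


if __name__ == "__main__":
    # Constructed names in the forms listed in the post; not real detections.
    for name in ["virus.dr.1234.a", "virus.dr", "virus dr.1234.a", "virus dr",
                 "virus-1234", "virus 1234", "virus {1}", "PS-MPC.mp.1234.b"]:
        n = normalize(name)
        print(f"{name:20} -> {n.caro():16} attributes={sorted(n.attributes)}")
```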

------------------------------

Date: Wed, 28 May 1997 09:02:53 -0700
From: Ronald Dailey <rcdailey@deltanet.com>
Subject: Re: PC virus to AppleII GS?
X-Digest: Volume 10 : Issue 86

In article <0003.01IJEQI2VNI28WXS06@csc.canterbury.ac.nz>,
ghostbit@sprynet.com (Bill Rowe) wrote:

>This wouldn't happen even if the PC virus were transferred to the Apple
>disk. Viruses are programs. The CPU must execute the virus code in order
>for the virus to do anything. It would be exceedingly unlikely for code
>designed to be executed on a PC to execute on an AppleII. This is why
>viruses (until the creation of macro viruses) are platform specific.

I wouldn't advise anyone to try running an executable written for an
Amiga (68000 code) on an Intel (80xxx) system.  I tried that once (a
crazy idea, I know) and it did something very strange, attempting
boot sector access (I had boot sector protection installed).  I doubt
that it was intended to do that, but that the code worked that way on
my PC (at least it worked to that extent, if no more).

Of course, I did have to deliberately load and execute the Amiga code
on the PC for this to happen.  If the code had not been in the form
of a file which the system recognized as executable, it would not
even have attempted to execute the code.  However, my point is that
you can't assume that code written for one platform won't do
something unexpected on another platform.  It probably won't anything
at all, but if it does do something, it could be bad news.

- -
  |Ronald Dailey  *  San Bernardino, CA  * rcdailey@deltanet.com|
  |Inland Computer Users * <I><C><U> * BBS:(909)381-0882 * 8-N-1|
  |Standard Disclaimer:  I speak and write for myself, alone.   |

------------------------------

Date: Wed, 28 May 1997 21:11:23 -0400
From: mal@bellatlantic.net
Subject: McAfee Anti-Virus - downloading of dat files
X-Digest: Volume 10 : Issue 86

Anyone have McAfee Anti-Virus Protection Program?

If so, I have been trying to download the new dat files and can't seem
to get it done correctly!!

Any help would be appreciated.  I need step-by-step instructions - I am
new to this computer stuff and all of the folders, etc.

PLEASE E-MAIL AN ANSWER WITH SIMPLE INSTRUCTIONS.

Thank you very much.

Elizabeth
- -
mailto:mal@bellatlantic.net

------------------------------

Date: Thu, 29 May 1997 10:19:20 -0700
From: Training Dept <traindpt@shore.net>
Subject: cc:Mail and AntiVirus Software
X-Digest: Volume 10 : Issue 86

Is anyone aware of any software that will scan cc:Mail attachments on
the server side of things.  I am aware of Trendware's ScanMail but that
seems to be a client "solution" to the problem.  I have the usual
problem of trying to "force" users to scan attachments etc.  We've had
some problems with Word macro viruses spreading pretty rapidly in the
past.  I'd rather attempt to prevent, or slow-down the spread without
relying on user compliance, etc.(if possible)

Any help would be greatly appreciated!

Thanks,

Frank White
Comp. Sys. Admin.
Greater Lyn Mental Health
(frankw@glmh.org)

------------------------------

Date: Thu, 29 May 1997 19:01:06 +0000 (GMT)
From: Robert Michael Slade <rslade@vcn.bc.ca>
Subject: Antiviral Software Evaluation FAQ
X-Digest: Volume 10 : Issue 86

Antiviral Software Evaluation FAQ

(maintained by Rob Slade)

(HTML release 1.01)
This list of questions is intended to provide a framework and
background information for review, evaluation and decisions regarding
antiviral protection software and systems. The latest version of this
file may be accessed online via the Web at Victoria Freenet. The
companion files Antiviral contacts listing (CONTACTS.LST) and Quick
reference antiviral review chart (QUICKREF.RVW) provide additional
related information. All three files are available in the Computer
Virus SIG of the Victoria (BC, Canada) Freenet
(telnet://guest@freenet.victoria.bc.ca and give the command "go
virus"). (This file is prepared from Chapter Six of "Robert Slade's
Guide to Computer Viruses".)

This document is *not* intended to be an introduction to the study of
computer viral programs. It is expected that you already know the
relevant concepts and terminology. For general background information
on computer viruses, please see the VIRUS-L/comp.virus FAQ
(ftp://ftp.cs.ucr.edu/pub/virus-l/vlfaq200.txt) which is also available
at the Victoria Freenet site.

This document is now maintained in minimal HTML format.

Table of Contents
1) Why can't I get 100% protection?
2) Why isn't there any one "best" antiviral?
3) What is an activity monitor?
3a) What are the strengths of activity monitors?
3b) What are the weaknesses of activity monitors?
3c) How should activity monitors be evaluated?
4) What is authentication/change-detection software?
4a) What are the strengths of change-detection software?
4b) What are the weaknesses of change-detection software?
4c) How should change-detection software be evaluated?
5) What is a scanner?
5a) What are the strengths of scanners?
5b) What are the weaknesses of scanners?
5c) How should scanners be evaluated?
6) What is resident software?
7) What is heuristic scanning?
8) What is a false negative?
9) What is a false positive?
10) How does disinfection work?
10a) What is "generic" disinfection?
10b) What is "heuristic generic" disinfection?
11) Can I get hardware antiviral protection?
12) Why can a "so-so" antiviral actually be harmful?
13) What aspects of an antiviral are important?
14) What aspects of an antiviral are *not* important?
15) What about "number of viruses detected"?
16) Why isn't disinfection very important?
17) Why should I support "free" software?
18) What about published reviews?
19) Where can I find published reviews?
20) Are virus simulators any help?

Questions and answers

[Moderator's note:  Rest snipped for posting volume reasons.  Please
refer to http://www.freenet.victoria.bc.ca/techrev/avrevfaq.html for
the full article.]

======================
roberts@decus.ca           rslade@vcn.bc.ca           rslade@vanisl.decus.ca
              Ceterum censeo CNA Financial Services delendam esse
  Please note the Peterson story - http://www.netmind.com/~padgett/trial.htm

------------------------------

Date: Thu, 29 May 1997 16:36:25 -0400
From: "J. David Stanton, Jr." <jstanton@coin.state.pa.us>
Subject: virus alert policies
X-Digest: Volume 10 : Issue 86

First, the almost obligatory newbie warning - I have been
lurking on VIRUS-L for only a month.

My organization has roughly 800 PCs, representing about 80%
of our total staff. We will soon have over 900 PCs. A
commercial AV software package is included, and enabled,
when these PCs are initially installed, and updates to the
packages are distributed every 3-6 months. Recently,
another individual within the IS bureau issued two virus
"alerts" through informal channels. The first was the Pen
Pal hoax, and the second warned about the AOL4FREE Trojan
horse and was based on CIAC Bulletin H-47 issued on April
16, 1997 (see:
http://ciac.llnl.gov/ciac/bulletins/h-47a.shtml ). Based on
these "alerts" IS management issued official warnings,
that, at least for Pen Pal, had to be corrected. These
incidents led me to consider developing a policy covering
virus alerts.

Does anyone in an IS role supporting hundreds of PCs have a
policy, or consistent practice, concerning virus alerts? If
so, what is your policy? What are your reasons for it? How
are alerts disseminated, and to whom?

Your answers to these questions, and any other information
on the subject would be greatly appreciated. Please respond
directly to me, and I will summarize for the list.


 J. David Stanton, Jr.  Chief, Div. of Systems Integration
 Pennsylvania Office of the Budget, Bureau of MIS

 mailto:jstanton@coin.state.pa.us
 (MIME, UUENCODE and BINHEX attachments OK)

------------------------------

Date: Thu, 29 May 1997 22:25:56 +0000 (GMT)
From: Patrick Noyens <patrick.noyens@ping.be>
Subject: Re: FIBER ANTI VIRUS VER 1.20d
X-Digest: Volume 10 : Issue 86

On 28 May 1997 04:22:51 -0000, Francis Hor <cwhoi@advantise.net>
wrote:

>FIBER ANTI VIRUS
>- ---------------------------
>FIBER Anti Virus is a comprehensive tool kit designed to protect, detect
[....]
>You can download from http://www.advantise.net/fiber

Has anyone tried this AV ?
Any good (or bad) experiences ?

-Patrick-
- ------------------------------------------------------------------------------
E-mail : patrick.noyens@ping.be
PGP-key available on request.
Key fingerprint =  01 31 60 FF C2 0F D4 A7  D2 83 64 FE 3E 3F 83 79

------------------------------

Date: Sat, 31 May 1997 04:32:17 -0400
From: Lt Stinger <ltstinger@aol.com>
Subject: Re: Computer virus vs. A.I.D.S.
X-Digest: Volume 10 : Issue 86

What happens when the person that can make a virus has it rewriting
Anti-virus programs to make viruses instead of destroying them?  It can
be done.  I don't know how, but viruses do replicate.  It can change
from one layout to the codes.
Later,

LTSTINGER@AOL.COM

------------------------------

Date: Fri, 30 May 1997 13:37:12 -0700
From: Yamandu Ploskonka <yama@adinet.com.uy>
Subject: too big messages
X-Digest: Volume 10 : Issue 86

On May 27, our list moderator wrote

> [Moderator's note:  Except in very rare cases, the digest does not get
> "too big"--I make sure it is smaller than the minimum message size the
> RFCs say SMTP-compliant gateways MUST pass.  If anyone's digests are being
> truncated, take it up with your local mail admin as s/he is most likely
> running a non-compliant mailer and should fix it.]

Or else someone might have modified some of the setup of your mail
software.  In Netscape 3.0, it's under

Options/Mail and News Preferences/Servers/maximum message size
or [Alt] [O] [M] (Servers tab) [S] to set a size,
or [Alt] [O] [M] (Servers tab) [o] to set to any size.
Personally I have this option set to 60 Kb, since I once subscribed to
a list prone to go amok and send 1 MB messages from time to time.  If a
message gets truncated, Netscape gives you a live link to ask for the
rest of the message, if you care to.

- -
   _______s  ---  s   Ploskonka, Rodo 604, Minas, URUGUAY
 /Have a   ( (~ 6) )   Rugby, Adventure education, ecology
( Jukumari  \     /   Uruguayan aquarium fish for  export
c__) grin  (m)\A/(m)      mailto:yama@adinet.com.uy

------------------------------

Date: Wed, 28 May 1997 19:13:12 +0000 (GMT)
From: Robert Michael Slade <rslade@vcn.bc.ca>
Subject: Re: Can RTF files contain macro viruses? (MACRO)
X-Digest: Volume 10 : Issue 86

: Graham Cluley (sandspm@cix.compulink.co.uk) wrote:
: : Yes, Rich Text Format (RTF) files don't contain macros.  So it's a very

Slawomir Marczynski (slawek@arcadia.tuniv.szczecin.pl) wrote:
: RTF files don't contain macros.     (True  - no viruses)

True--as far as it goes--but ever so slightly misleading.  A macro
virus can't be saved in a file that is using RTF format, but it *can*
save an infected file with any extension--including .RTF.  (Recall the
recent note about an infection in a .TXT file.)

======================
roberts@decus.ca         rslade@vcn.bc.ca         slade@freenet.victoria.bc.ca
link to virus, book info at http://www.freenet.victoria.bc.ca/techrev/rms.html
Author "Robert Slade's Guide to Computer Viruses" 0-387-94663-2 (800-SPRINGER)
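
Slade's point above is that the extension says nothing about the container: a macro-infected Word document can be saved under .RTF or .TXT. The following is an added example (not from the post or any product) of the check a mail gateway or scanner should make, classifying a file by its leading bytes instead of its name. The OLE2 compound-file header (used by Word 6/7/97 .DOC) and the `{\rtf` header are the published signatures; the sample buffers are constructed.

```python
# Added example: detect "RTF" or "TXT" files that are really OLE2 (binary Word)
# containers, which can carry macros regardless of extension.
# Sample buffers are constructed, not real documents.
import os

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # OLE2 / Compound File header
RTF_MAGIC = b"{\\rtf"                               # RTF text starts with {\rtf

# Extensions users tend to treat as macro-free; used to flag a mismatch.
MACRO_FREE_EXTENSIONS = {".rtf", ".txt"}


def sniff_format(data: bytes) -> str:
    """Return 'ole2', 'rtf' or 'other' from the first bytes of the file."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "other"


def assess(filename: str, data: bytes) -> dict:
    """Classify one file and say whether its extension misrepresents it."""
    ext = os.path.splitext(filename)[1].lower()
    fmt = sniff_format(data)
    # Only the binary Word container can hold WordBasic/VBA macro storage;
    # true RTF and plain text cannot.
    macro_capable = fmt == "ole2"
    return {
        "file": filename,
        "format": fmt,
        "macro_capable": macro_capable,
        "extension_mismatch": macro_capable and ext in MACRO_FREE_EXTENSIONS,
    }


# Constructed samples: two honest files and two Word binaries renamed.
SAMPLES = {
    "report.rtf": b"{\\rtf1\\ansi\\deff0 Hello from RTF}",
    "readme.txt": b"Just some plain text, nothing else.",
    "notes.rtf": OLE2_MAGIC + b"\x00" * 16 + b"\x3e\x00\x03\x00\xfe\xff",
    "memo.txt": OLE2_MAGIC + b"\x00" * 16 + b"\x3e\x00\x03\x00\xfe\xff",
}


def scan_samples(samples=SAMPLES):
    return [assess(name, data) for name, data in samples.items()]


def flagged(samples=SAMPLES):
    """Names of files whose extension hides a macro-capable container."""
    return sorted(r["file"] for r in scan_samples(samples) if r["extension_mismatch"])


if __name__ == "__main__":
    for r in scan_samples():
        print(f"{r['file']:12} {r['format']:5} macro_capable={r['macro_capable']} "
              f"mismatch={r['extension_mismatch']}")
    print("needs macro scanning despite extension:", flagged())
```

The same sniffing applies to any extension an attachment filter whitelists; matching on the container header is what lets a scanner catch the ".TXT infection" mentioned in the post.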

------------------------------

Date: Thu, 29 May 1997 20:22:41 +0000 (GMT)
From: Sten Westerback <justus@clinet.fi>
Subject: Re: How to disinfect Word macro virus in PPT file? (MACRO)
X-Digest: Volume 10 : Issue 86

In article <0015.01IJEQI2VNI28WXS06@csc.canterbury.ac.nz>, Tom Hall
<tom_hall@ctp.com> wrote:

>I have a powerpoint slide with a Word Macro virus....cannot get it
>out.......any way to disinfect it?

Way 1: select Word object, copy to clipboard, paste in Word, remove
virus macros from file, then replace object in PPT

Way 2: get Dr Solomon and have it disinfect the OLE objects for you...
just make sure you install the newest extra.drv too..

Way 3...x: any other antivirus toolkit may work for you...

- Sten

------------------------------

Date: Wed, 28 May 1997 09:33:16 -0500
From: Sue Wensel <swensel@brandegee.lm.com>
Subject: Re: Word macro virus (WORD)
X-Digest: Volume 10 : Issue 86

Andy Figueroa - figueroa@wpdiss1.wpafb.af.mil- wrote:

<snip>
> In fact, none of the users in our office have complained about
> normal.dot being write protected.  They just are not that kind of power
> user.  I also advocate extracting and scanning any documents, with an
> up-to-date scanner, that arrive by EMail.  A nuisance, but it works.

Unfortunately, in Word for the Macintosh, write-protecting your Normal
template will lead to the inability to add to your AutoCorrect
dictionary--something our office uses incessantly. The primary task of
the AutoCorrect dictionary is to allow "shorthand" typing; i.e., just
type an abbreviation that has been input and it pops out the whole
word.

> You chose your weapons and you take your chances.  I like the advantages
> of multiple weapons.  Thus I like having a write protected normal.dot in
> the arsenal along with all the licensed anti virus programs the AF makes
> available to me.  Add a knowledgeable user and you have a strong bulwark
> against virus/macro infections.

Our office is made up of power users, but I am slowly introducing them
to the power at their disposal.  Part of this is I have been asked to
discuss computer security issues from passwords to viruses with them.
I am open to any and all suggestions.


- -
swensel@brandegee.lm.com

------------------------------

Date: Wed, 28 May 1997 12:18:49 -0400
From: Bill Stamp <bstamp@guthrie.inet.com>
Subject: NPAD Virus Problem! (WORD)
X-Digest: Volume 10 : Issue 86

Very simply, we have an NPad Virus that has infected our Word 7.0
software such that the normal.dot, even once erased, keeps coming back
with the infection.

I've looked for explanations on how to remove it, but being a virus
neophyte, much of it is Greek to me.

Can someone point to an effective AV, or process?

------------------------------

Date: Wed, 28 May 1997 19:59:28 +0000 (GMT)
From: Richard Foxcroft <responses@softfox.demon.co.uk>
Subject: Wazzu FAQ please? (WORD)
X-Digest: Volume 10 : Issue 86

I  have read much advice about Word macros in general and Wazzu in
particular, which I have not remembered because I didn't need it at
the time - and one can't file everything!

Now that I do need it - for a friend's benefit, I'm relieved to say,
not my own, is there a good FAQ? Rather than asking questions that
have already been answered, you see?

Thanks,


Regards

Richard Foxcroft
Telford, Shropshire, England
richardf@enterprise.net

------------------------------

Date: Wed, 28 May 1997 14:30:56 -0500
From: Eric Peterson <erp@tellabs.com>
Subject: Re: About MSWord's alleged macro av (WORD)
X-Digest: Volume 10 : Issue 86

Vesselin Bontchev wrote:

> Eric Peterson <erp@tellabs.com> wrote:
...
> > Actually, based on recent experiences we have had with an unnamed virus,
> > call it VirusX, version 7.0 seems to work better that 7.0a, as long as 7.0
> > is loaded with the "scanprot.dot", and you do not need to use documents
> > that contain macros.
>
> No. Using ScanProt is a *very* bad idea. It gives you a false sense of
> security, can be bypassed easily, and many viruses "mate" with it,
> snatching macros from it and producing new variants. Don't use it. Get
> yourself a *real* anti-virus program.

I think that ScanProt is an "OK" tool; I don't agree (based on our
situation) that it is a *very* bad idea. It's true that it can give a
false sense of security, and it can be bypassed, but we are using it to
supplement our use of Norton AntiVirus, which does detect and repair
macro viruses (so far we have seen only Cap.A and Npad.A).

Some antivirus programs do not catch all macro viruses - Dr. Solomon
(being used by one division of our company) for example does not seem
to find "Cap.A" yet.

One thing that even *real* anti-virus programs do not seem to do yet is
to catch the opening of infected documents that are stored on a Unix
file server, which is where some or our development groups maintain
their files. ScanProt does offer some level of protection in this
arrangement. We also supplement this with weekly scans of these file
servers (scans work fine).

As for "mating" viruses and the production of new variants, I would be
interested in knowing more about this - how serious a problem is it?

...
> > As far as Word is concerned, I would also recommend enabling the option
> > to prompt the user when the normal template file has changed before it is
> > saved. This is available in all of the above mentioned versions of Word.
>
> Unfortunately, many of the existing viruses know about this option too
> and turn it off automatically.

I have read also some recommendations to make the "normal.dot" file
read-only, except that viruses can then remove this attribute. One
could take this one step further and use NT file permissions (even
change the owner) to block modification of this file.

If an opened file is read-only, do viruses also have the capability to
remove this attribute as well so that they can write (and infect) the
file?


Regards,
Eric Peterson

------------------------------

Date: Wed, 28 May 1997 21:59:13 +0000 (GMT)
From: John Elsbury <jelsbur@clear.co.nz>
Subject: Re: CAP Virus? (WORD)
X-Digest: Volume 10 : Issue 86

On 28 May 1997 04:23:20 -0000, Richard Desjardine
<rdesjard@golden.net> wrote:

>I was wondering if anyone could point me towards some information on this
>Word Macro Virus.

www.datafellows.com

>My Parent company has apparently encountered and sent
>me a warning saying that I would likely be receiving it via email, gee
>thanks, anyway I need to know what will kill it.

F-Macrow from www.commandcom.com or www.datafellows.com

>So if anyone knows...
>
>Thanks,
>Richard Desjardine

You're welcome.

------------------------------

Date: Thu, 29 May 1997 09:12:55 -0400
From: MikRoyer <mikroyer@aol.com>
Subject: Re: CAP Virus? (WORD)
X-Digest: Volume 10 : Issue 86

McAfee or F-Macrow will handle this, as most other Word macro viruses.
We've been seeing it also.

Mike Royer, Atlanta

------------------------------

Date: Thu, 29 May 1997 09:26:15 -0400
From: MikRoyer <mikroyer@aol.com>
Subject: Hybrid & ccMail (WORD)
X-Digest: Volume 10 : Issue 86

I had a user on ccMail 2.21 with messages that printed double-spaced.
After disinfecting several instances of Hybrid from her machine, ccMail
messages printed normally (single spaced).

I was wondering if anyone else had seen this, or something similar.


Mike

------------------------------

Date: Thu, 29 May 1997 20:15:52 +0000 (GMT)
From: Sten Westerback <justus@clinet.fi>
Subject: Re: wm.cap virus on Mac (WORD)
X-Digest: Volume 10 : Issue 86

In article <0024.01IJEQI2VNI28WXS06@csc.canterbury.ac.nz>, Rick
Boisvert <rick.boisvert@crc.doc.ca> wrote:

>Have found the Word virus "wm.cap" on my Macintosh.  Scanprot and SAM
>won't remove it, neither will Dr. Solomon's.
>
>Can anyone recommend software to clean this one?

Solomon sure will remove it IF you install the extra.drv found on their
site.

- Sten

------------------------------

Date: Fri, 30 May 1997 13:58:42 -0600
From: Ryan E Hope <Ryan.E.Hope@lmco.com>
Subject: Re: Word Macro Virus (WORD)
X-Digest: Volume 10 : Issue 86

(I've had to do some manual cut and paste to reconstruct the
conversation.  If I have misrepresented what anyone said, I
apologize.)

>> >It is also a very good idea to change the attribute on your file
>> >normal.dot to read-only. That will prevent any new macro virus from
>> >infecting your template. As long as your template is free of viruses,
>> >newly created documents will not contain the virus. You stop the spread.

<snip>

>> You do not STOP the spread, just slow it down a little bit maybe.  The
>> problem is that when you open an infected document, it infects the
>> normal.dot that is kept in memory.  Word will then infect all other
>> documents that are opened or created during the current session of
>> Word.  Albeit when you start Word the next time, normal.dot will not be
>> infected (until you inevitably open another infected document).

<snip>

>I agree with Ryan, in principle, but find that write protecting
>normal.dot for most users is a reasonable and effective part of a multi
>pronged approach to preventing the spread of macro viruses.

Perhaps the first message was not clear.  I was not advocating that you
should not write protect normal.dot.  I agree that it can make sense as
part of a virus management plan.  I just think that one should be aware
that this alone will not stop the spread of Word macro viruses.  If
that point is not clear, write protecting normal.dot can give a false
sense of security.

In essence we agree...

Ryan Hope
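Added example, not part of the thread above and not from any of the posters: the point of the exchange is that a read-only normal.dot on disk says nothing about the copy Word holds in memory, so the check worth automating is whether the template (or any document) on disk actually carries a macro project. The script parses the OLE2 compound-file directory that Word 97 documents use and reports the storages and streams ("Macros", "VBA", "_VBA_PROJECT") that only a VBA project creates. The input is a constructed minimal compound file built by build_sample(), not a real document, so it runs offline. It does not cover Word 6/95 WordBasic macros, which live inside the WordDocument stream rather than in a separate storage, and a hit only says a VBA project is present, not which virus it is; a legitimate template with user macros triggers it too.

```python
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN = 0xFFFFFFFE
FATSECT = 0xFFFFFFFD
FREESECT = 0xFFFFFFFF
NOSTREAM = 0xFFFFFFFF
TYPE_NAMES = {1: "storage", 2: "stream", 5: "root"}
# Directory names that only exist when a Word 97 VBA project is embedded.
VBA_MARKERS = {"Macros", "VBA", "_VBA_PROJECT"}


def parse_directory(data):
    """Return [(name, kind, first_sector, size)] for every allocated directory
    entry, following the FAT chain of directory sectors."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2 compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    difat = struct.unpack_from("<109I", data, 76)
    # The header DIFAT names the FAT sectors; its 109 slots cover files up to
    # roughly 7 MB, which is plenty for templates and documents.
    fat = []
    for fat_sector in difat[:num_fat]:
        off = (fat_sector + 1) * sector_size      # sector 0 starts right after the header
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, off))
    entries, sector, seen = [], first_dir, set()
    while sector != ENDOFCHAIN:
        if sector in seen or sector >= len(fat):
            raise ValueError("corrupt FAT chain for directory")
        seen.add(sector)
        off = (sector + 1) * sector_size
        for i in range(sector_size // 128):       # 128-byte directory entries
            e = data[off + i * 128: off + (i + 1) * 128]
            name_len, obj_type = struct.unpack_from("<HB", e, 64)
            if obj_type == 0:                     # unallocated slot
                continue
            name = e[:max(name_len - 2, 0)].decode("utf-16-le")   # drop the UTF-16 NUL
            start, size = struct.unpack_from("<II", e, 116)        # v3: 32-bit size
            entries.append((name, TYPE_NAMES.get(obj_type, "?"), start, size))
        sector = fat[sector]
    return entries


def has_vba_project(data):
    """True when the directory carries the Word 97 VBA project storages/streams."""
    return any(name in VBA_MARKERS for name, _kind, _start, _size in parse_directory(data))


def _entry(name, obj_type, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM,
           start=ENDOFCHAIN, size=0):
    raw = (name + "\0").encode("utf-16-le")
    e = bytearray(128)
    e[:len(raw)] = raw
    struct.pack_into("<HBB", e, 64, len(raw), obj_type, 1)   # name length, type, colour
    struct.pack_into("<III", e, 68, left, right, child)
    struct.pack_into("<IQ", e, 116, start, size)
    return bytes(e)


def build_sample(with_macros):
    """Constructed sample, not a real document: header, one FAT sector and two
    directory sectors (the directory chain 1 -> 2 is what the parser follows)."""
    hdr = bytearray(512)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)   # versions, byte order, shifts
    # dir sector count (v3: 0), FAT sectors, first dir sector, txn sig, mini cutoff,
    # first mini FAT, mini FAT count, first DIFAT sector, DIFAT count
    struct.pack_into("<9I", hdr, 40, 0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))
    fat = struct.pack("<128I", FATSECT, 2, ENDOFCHAIN, *([FREESECT] * 125))
    entries = [_entry("Root Entry", 5, child=1),
               _entry("WordDocument", 2, right=2 if with_macros else NOSTREAM, start=3, size=1024)]
    if with_macros:
        entries += [_entry("Macros", 1, child=3),
                    _entry("VBA", 1, child=4),
                    _entry("_VBA_PROJECT", 2, start=5, size=64)]
    entries += [bytes(128)] * (8 - len(entries))   # pad to two full directory sectors
    return bytes(hdr) + fat + b"".join(entries)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or []:
        with open(path, "rb") as fh:
            print(path, "VBA project present" if has_vba_project(fh.read()) else "no VBA project")
    print("sample with macros:", has_vba_project(build_sample(True)))
    print("sample without macros:", has_vba_project(build_sample(False)))
```

Run it against a copy of normal.dot taken after a clean boot, not against the live template, for the same reason the thread gives: what Word has in memory is not what the on-disk file shows.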

------------------------------

Date: Mon, 02 Jun 1997 10:41:40 +0200
From: Matthias Orphal <orphal@berlin.snafu.de>
Subject: Word Macro-Virus NOP.A (WORD)
X-Digest: Volume 10 : Issue 86

Hi, unfortunately I caught my first Word macro virus last week:

NOP.A   (according to F-Prot 2.27 / F-Macrow 1.04)

What kind of actions does this Virus start? I "only" remarked that it
infected my normal.dot, but nothing more. How dangerous is it?

Thanks for your attention.

Matthias

------------------------------

Date: Thu, 29 May 1997 12:53:45 -0400 (EDT)
From: Karahldata@aol.com
Subject: Re:Win NT 4.0, Explorer writes to a floppy when viewing contents (NT)
X-Digest: Volume 10 : Issue 86

JULIEN CHEVALLEY <JCHEVALLEY@racalrec.co.uk> wrote:

>We compared the size of the file on computers which exhibit the
>behaviour and others which don't and they are exactly the same (7440
>bytes).

This unfortunately proves nothing. If there is a virus present in
memory, it could return the uninfected image of the file. There could
also be changes of a file even if the size is the same.

If using Integrity Master, it would tell you if the files are *exactly*
the same (make sure you clean boot first); it will find changes due not
only to viruses.

Integrity Master is found at www.stiller.com.

Yours sincerely,
Karsten Ahlbeck, Karahldata
Swedish Integrity Master Agent
Karahldata@aol.com
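Added example, not from the poster above: the point being made is that an identical size proves nothing, because a change that keeps the length is invisible to a directory listing. An integrity checker records a hash of each file at baseline and compares it later, and reports same-size changes separately, since those are exactly what the size comparison misses. The paths and file contents below are constructed (a 7440-byte blob, echoing the size quoted in the post) so the script runs offline; on a real system the baseline is taken after a clean boot, as the post says, because a resident stealth virus can hand the clean image to whatever reads the file.

```python
import hashlib
import json


def snapshot(files):
    """files: {path: bytes}. Record size and SHA-256 for each file.
    On a real system the bytes are read from disk after a clean boot and the
    baseline is stored where the checked system cannot alter it (a write-protected
    floppy in 1997 terms)."""
    return {path: {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
            for path, data in files.items()}


def compare(baseline, files):
    """Diff a baseline against the current files. Same-size modifications are
    listed on their own: they are the changes a size check cannot see."""
    current = snapshot(files)
    report = {"modified": [], "same_size_modified": [], "added": [], "removed": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            report["removed"].append(path)
        elif path not in baseline:
            report["added"].append(path)
        elif current[path]["sha256"] != baseline[path]["sha256"]:
            same_size = current[path]["size"] == baseline[path]["size"]
            report["same_size_modified" if same_size else "modified"].append(path)
    return report


def save_baseline(baseline, path):
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


# Constructed sample data: hypothetical paths, synthetic contents.
ORIGINAL = bytes(range(256)) * 29 + b"\x00" * 16          # 7440 bytes
PATCHED = bytearray(ORIGINAL)
PATCHED[100] ^= 0xFF                                     # one byte flipped, length unchanged
PATCHED = bytes(PATCHED)
BASELINE = snapshot({"C:/WINNT/SYSTEM32/example.dll": ORIGINAL,
                     "C:/WINNT/other.exe": b"MZ" + bytes(62)})


def demo():
    """Re-check after one file was patched in place, one removed and one added."""
    return compare(BASELINE, {"C:/WINNT/SYSTEM32/example.dll": PATCHED,
                              "C:/WINNT/new.exe": b"MZ" + bytes(62)})


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```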

------------------------------

Date: Sun, 01 Jun 1997 09:47:56 +0000 (GMT)
From: Michael <mwt@gte.net>
Subject: Re: Problem with McAfee AntiVirus and NT 4.0??? (NT)
X-Digest: Volume 10 : Issue 86

Graham Cluley wrote:

> In-Reply-To: <01IIW5AN4ZVI8WVYUZ@csc.canterbury.ac.nz>
> "Joseph R. Demers" <jrdemers@pacific.mps.ohio-state.edu> writes:
> >       My friend and I have both recently purchased McAfee's
> > multiplatform antivirus program (version 3.0 released early
> > April) and we have both had problems with its virus shield
> > crashing our NT 4.0 (SP2) machines. Please, anyone else having
> > this problem, post. I want to make absolutely sure that it is
> > the culprit.
>
> It's not McAfee's fault.  There's a bug in Microsoft's SP2 for NT 4.0
> which causes this crash.  Microsoft admitted it was their mistake and
> have made a hotfix available.  I believe you can get it from their
> website.

McAfee also said they were working with Microsoft to make sure this
problem was fixed in SP3. SP3 is now out and McAfee still crashes with
the same problems. McAfee is now recommending that everyone NOT install
SP3 until this issue is resolved...

Michael

------------------------------

Date: Sun, 01 Jun 1997 06:20:04 +0000 (GMT)
From: Lucius Chiaraviglio <lucius1@ix.netcom.com>
Subject: Dr. Solomon's AVTK W95 v7.71 configuration info? (WIN95)
X-Digest: Volume 10 : Issue 86

	Where I work we have been subscribed to Dr. Solomon's Antivirus
Toolkit for Windows 95 since version 7.63.  One thing I have been
doing is to copy the configuration files (toolkit.ini in the Antivirus
Toolkit directory and tk_sched.sdf in the Windows 95 directory) from
one installation to the next to avoid having to re-enter all that
stuff.  (Note:  every installation of a new version seems to reset the
configuration files back to factory default, and I have taken to using
QuarterDeck CleanSweep to remove the old version so that it can
properly monitor the installation of the new one, since I figure I am
going to lose configuration information anyway.)  Unfortunately, now
that we have gotten our installation diskettes for version 7.71, the
Schedule Editor doesn't seem to accept settings from the tk_sched.sdf
file any more*, and it doesn't even have Open or Save As commands in
its File menu any more.  I gather from reading the new readme file
that it is probably storing its configuration information in the
Windows 95 Labyrinth of Unending Misery, -er, I mean the Registry, but
I couldn't find any Registry keys with the configuration information.

	*Note about an exception:  on a Windows 95 OSR2 computer,
putting tk_sched.sdf in C:\Windows DID transfer settings from version
7.68 to version 7.71 of the Toolkit.  It also created a file named
tk_sched.sdf_001; however, copying this file to the Windows directory
on a computer running Windows 95 with Service Pack 1 had no effect.
So far, no computer running Windows 95 non-OSR2 has had version 7.71
of the Toolkit accept information from tk_sched.sdf.

	Could someone familiar with Dr. Solomon's Antivirus Toolkit
7.71 for Windows 95 tell me where the Schedule Editor stores its
configuration information?  Also, I would like to know where WinGuard
now stores its configuration information (presumably the Registry,
but I didn't recognize any keys for this either).  Currently, I have
all of the relevant Toolkit settings written down on a piece of paper
(about a whole page, with some text crammed together), but I would
like to be able to back up this configuration information
electronically (fortunately, toolkit.ini still works for archiving
scanner settings).  This would be especially helpful given how often
Windows 95 fries itself (a frequency not too much less than that of
our receiving update diskettes for Dr. Solomon's Antivirus Toolkit).

	If you post an answer, please e-mail it also, or I might miss
it (I still haven't figured out the safe time for messages on this
server).

Lucius Chiaraviglio | lucius1@ix.netcom.com

------------------------------

Date: Tue, 27 May 1997 13:41 +0000
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Re: Booting Dr. Solomon S.O.S. disk during install? (PC)
X-Digest: Volume 10 : Issue 86

In-Reply-To: <01IJAIRE8S4M8WXA01@csc.canterbury.ac.nz>
Bijutsu <Bijutsu@worldnet.att.net> writes:

> Any ideas:
> I bought Dr. S Antivirus. It says to reboot the computer using the
> s.o.s. disk. The disk is 3.5" which is my b: drive. My bootable
> drive is the a: 5.25. Does anyone know if I can skip (or should I)
> the sos disk and just install the software.

We suggest people run the SOS disk just to ensure you have an
uninfected PC pre-installation.  You can always cold-boot from a clean
(virus-free), write-protected 5.25 inch disk of your own and then run
FindVirus manually:  FINDVIRU /ALLDRIVES

> Dr. Solomon has not answered my e-mail to them on this matter.

I'm sorry to hear that.  I wonder which email address you posted to?
Maybe you could send me details privately via my business email address
(details below) so I can investigate and make sure it doesn't happen
again?

Regards
Graham
- --
Graham Cluley                                 CompuServe: GO DRSOLOMON
Senior Technology Consultant,     UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.  US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com             UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com    USA Tel: 888-DRSOLOMON / 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Wed, 28 May 1997 08:49:34 +0000
From: Padgett 0sirius <padgett@goat.orl.mmc.com>
Subject: Re: Help!! How to remove the Stoned.Empire.Monkey virus (PC)
X-Digest: Volume 10 : Issue 86

In article <0035.01IJEQI2VNI28WXS06@csc.canterbury.ac.nz> LuvJuz
<DaJuzth@tmaks.dworld.goroun> writes:

>The system is a laptop 486 with 250mb and 8mb Norton detects it but is
>unable to clean it, 'cause the virus hides the partition when the
>machine is booted from a floppy, making the C drive invisible.

There are several ways. Could just get KillMonk from any SimTel archive,
or use any program that will save/restore the MBR, or even DEBUG - boot
infected & save, boot clean and restore (can do it with one 5 1/4"
floppy 8*). Key is that C: is invisible like you say, but not drive
80h.

 	  A. Padgett Peterson, P.E. Cybernetic Psychophysicist
		http://www.freivald.org/~padgett/index.html
		  http://www2.gdi.net/~padgett/index.html
to avoid antispam use mailto:padgett@gdi.net	PGP 4.5 Public Key Available
for evil to triumph, all that is necessary is for good (wo)men to do nothing
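Added example, not from Padgett's post: whichever route is taken (KillMonk, a save/restore utility, or DEBUG reading physical drive 80h through INT 13h), it pays to confirm that the sector saved while booted infected is a usable MBR before writing it back after the clean boot. The script parses the four 16-byte partition entries at offset 446 and the 0x55AA signature at offset 510, and refuses images with no usable entries, which is one on-disk form of the "C: invisible" symptom described above. The MBR images are constructed here, not dumped from a real drive, and the CHS fields are left zero because this check does not use them.

```python
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = 0xAA55
TABLE_OFFSET = 446
ENTRY_FORMAT = "<BBBBBBBBII"   # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
# Partition types a DOS-era box would normally carry (not exhaustive).
TYPE_NAMES = {0x01: "FAT12", 0x04: "FAT16 <32MB", 0x05: "Extended", 0x06: "FAT16", 0x0B: "FAT32"}


def parse_mbr(img):
    """Return the signature check and the non-empty partition entries of a 512-byte MBR image."""
    if len(img) != MBR_SIZE:
        raise ValueError("an MBR image is exactly 512 bytes")
    signature = struct.unpack_from("<H", img, 510)[0]
    partitions = []
    for i in range(4):
        fields = struct.unpack_from(ENTRY_FORMAT, img, TABLE_OFFSET + 16 * i)
        status, ptype, lba_start, sectors = fields[0], fields[4], fields[8], fields[9]
        if ptype == 0:
            continue                                  # empty slot
        partitions.append({"slot": i, "status": status, "bootable": status == 0x80,
                           "type": ptype, "type_name": TYPE_NAMES.get(ptype, "0x%02X" % ptype),
                           "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": signature == BOOT_SIGNATURE, "partitions": partitions}


def looks_restorable(img):
    """Sanity check before writing a saved MBR back: valid signature, at least one
    partition, every status byte legal (0x00 or 0x80), at most one active entry,
    and no entry that starts at sector 0 or has zero length."""
    info = parse_mbr(img)
    parts = info["partitions"]
    return (info["signature_ok"]
            and len(parts) >= 1
            and all(p["status"] in (0x00, 0x80) for p in parts)
            and sum(p["bootable"] for p in parts) <= 1
            and all(p["sectors"] > 0 and p["lba_start"] > 0 for p in parts))


def _entry(status, ptype, lba_start, sectors):
    # CHS fields left zero: DOS needs them on a real disk, but this check ignores them.
    return struct.pack(ENTRY_FORMAT, status, 0, 0, 0, ptype, 0, 0, 0, lba_start, sectors)


# Constructed images, not dumps of a real drive.
GOOD_MBR = (bytes(446) + _entry(0x80, 0x06, 63, 511937) + bytes(48)
            + struct.pack("<H", BOOT_SIGNATURE))                      # one active FAT16 partition
EMPTY_TABLE_MBR = bytes(446) + bytes(64) + struct.pack("<H", BOOT_SIGNATURE)   # signature, no partitions
NO_SIGNATURE = bytes(512)


if __name__ == "__main__":
    for label, img in (("good", GOOD_MBR), ("empty table", EMPTY_TABLE_MBR), ("no signature", NO_SIGNATURE)):
        print(label, looks_restorable(img), parse_mbr(img)["partitions"])
```

If the copy fails this check, the sector saved was not the real MBR, and restoring it would only replace one unbootable disk with another; save again from the infected boot and repeat.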

------------------------------

Date: Wed, 28 May 1997 13:51:50 +0000 (GMT)
From: William Carver <bcarver@spdmail.spd.dsccc.com>
Subject: Re: FLASH prom Virus writing to write protected Floppy (PC)
X-Digest: Volume 10 : Issue 86

Mark@relocate.demon.co.uk wrote:
: Can anyone tell me, Is it possible that a virus resident within a Flash
: Bios of a 80x86 PC can intercept or ignore the Write Protect line of the
: Floppy Disk Drive, and write to a Floppy Diskette.
:
: I understand this is not possible with uncorrupted BIOS's but I would be
: very interested to know if this is feasible with a virally infected
: BIOS.
:
: I have done tests with 20 clean diskettes which are write protected and
: ran them through a system with a suspected BIOS Virus written into the
: Flash prom and on every diskette the MBR had been changed Even when I
: have booted from this diskette (This includes a freshly opened Microsoft
: 6.2 Sealed Pack.)
:
: If anybody has information to support or contradict this theory, please
: post to this News Group and e-mail me.

I would suspect a bad WriteProtect sensor on the floppy drive.  It
should disable the write circuits so no write is possible, even if
commanded to by the BIOS.

- -
DSC Communications Corporation          E-mail: bcarver@spd.dsccc.com
1000 Coit Road Plano, Texas 75075
**** The opinions expressed are not those of DSC Communications, Inc ****

------------------------------

Date: Wed, 28 May 1997 12:39:06 -0400
From: Peter Gabriel <peg@acpub.duke.edu>
Subject: Boot Sector Problems (PC)
X-Digest: Volume 10 : Issue 86

I contracted a boot virus on my computer and cleaned it with McAfee
virus scan utility, but now my boot sector is screwed up.  The computer
stops at the A drive saying "non system disk or disk error" and will not
continue.  I've entered setup and changed the boot sequence, as well as
uninstalling the A drive.  That causes booting to stop at the C drive
giving the same error message -- "non system disk or disk error."  I
made a Win 95 start up disk, and that allows me to boot to a prompt,
but I don't know what to do from there.  I ran scandisk and it found no
errors on the C drive.  How can I repair the boot sector with the tools
on the startup disk?  Are there specific files that contain the boot
code that I can simply replace, or are there any applications that can
help me?  If possible, please e-mail me in addition to posting.  Thanks
in advance for any assistance!

			--Pete

------------------------------

Date: Wed, 28 May 1997 16:15:42 -0400
From: Daniel Brooks <sfkrsve2@scfn.thpl.lib.fl.us>
Subject: Re: Floppy Format fails (PC)
X-Digest: Volume 10 : Issue 86

On 28 May 1997, Warren Contreras wrote:

:)With several machines on a network (3) if you format the A: drive it
:)completes the format (format complete) then gets: 'general failure
:)reading drive a:' and if you select f for fail it says 'invalid media or
:)track 0 bad, disk unusable'
:)We have replaced the command.com and format.com from a known working
:)machine with the same dos version, scanned with McAfee and found no
:)virus, replaced with new floppy drive and same result, did an fdisk/mbr
:)and can not shake the problem.  Any others with this problem ?

Try reading the error message again. what does 'disk unusable' mean?
Try a new disk, the software is not wrong.

TTYL,
Daniel Brooks

| Daniel Brooks -- Email: d-brooks@usa.net                               |
| PGP key fingerprint - DB 10 E4 99 4C B5 86 11  3B 5A BC 56 34 37 57 18 |

------------------------------

Date: Wed, 28 May 1997 22:00:25 +0000 (GMT)
From: "L.B." <leeb@islc.net>
Subject: Help Brutus.296 (PC)
X-Digest: Volume 10 : Issue 86

I used the Antware Antivirus to scan my drive after noticing problems.
The result was 39 .com files infected with Brutus.296 and scanprot.dot
infected with WAZZU.R . I also scanned with Norton 2.0 for Win95 and it
showed nothing, as did the McAfee program. Any suggestions to get rid of
the problem other than dynamite?

My luck has finally run out as it took me 5 years to get dinged.


L.Bradley

leeb@islc.net

------------------------------

Date: Wed, 28 May 1997 23:42:48 +0000 (GMT)
From: John Gog <JohnGog@worldnet.att.net>
Subject: Re: Floppy Format fails (PC)
X-Digest: Volume 10 : Issue 86

In article <0034.01IJEQI2VNI28WXS06@csc.canterbury.ac.nz>, From Warren
Contreras <quest@teleport.com>, the following was written:
> With several machines on a network (3) if you format the A: drive it
> completes the format (format complete) then gets: 'general failure
> reading drive a:' and if you select f for fail it says 'invalid media
> or track 0 bad, disk unusable'

A common cause of this sort of thing is trying to format the wrong type
of media in the wrong type of drive, e.g. formatting a 1.44 floppy in a
720K drive.  Some machines will report an error at the beginning of the
format; some will show it at the end of the format; and some will
actually complete the format, but chkdsk will show oodles of bad
sectors (actually sectors that don't exist).

- -
 John Gog
 Advanced Systems Design
 Opinions expressed are my fault; advice is worth what it cost.

------------------------------

Date: Thu, 29 May 1997 14:22:56 +0000 (GMT)
From: "H.Feza Ertekin" <bursan@service.raksnet.com.tr>
Subject: IA3076.A virus (PC)
X-Digest: Volume 10 : Issue 86

I can't remove the IA3076.A virus from my computer. When I start my
computer with a clean system diskette, my computer halts. I found this
virus with McAfee VirScan and the 05/17/97 data file.

------------------------------

Date: Thu, 29 May 1997 11:04:12 -0400 (EDT)
From: Laszlo Marshall <laszlom@email.njin.net>
Subject: Virus payload (PC)
X-Digest: Volume 10 : Issue 86

To Whom it May Concern (hopefully Nick Fitzgerald):

First off, I would like to say that you guys are doing a great job, and
I always find your issues informative and helpful.  Keep up the
excellent work!

I know you're busy, but hopefully one of you can recognize my problem
and offer some advice.  I've been doing fine in the anti-viral field,
however one particular situation remains a dilemma every time it pops
up.  Someone will give me a hard drive to clean with a virus supposedly
on it.  After running McAfee and checking all the basics, I'll find a
subdirectory or two with filenames listed as strange characters such as
happy faces and other ASCII 'letters'.  File sizes have been
misreported by impossible sums, and these files cannot be removed from
the hard drive.  Usually this spreads until the disk has to be
reformatted.

No matter if the anti-viral package reports a virus or not, the payload
remains and seems to be irreversible.  Is there a way to stop this?  I
boot from a clean, write-protected disk, and have done this procedure
hundreds of times.  Why is this particular one appearing to be
unstoppable?

Thank you in advance for your help,
-Laszlo Marshall	laszlom@pilot.njin.net

[Moderator's note:  You don't mention the OS(es) involved, but if Win95
it sounds most likely munged long filenames, which in Win95 were
implemented in a messy, non-backwards compatible manner and thus can be
damaged by "old", non-Win95-aware utilities.  If what you are seeing
are not the remains of mangled LFNs (or not Win95) then file system
corruption is not totally unknown, and more often than not, *not* virus
related.  Several kinds of quite common corruption in FAT file systems
will cause increasing problems if not dealt with quickly once detected.
What you really need is a good data recovery expert to look at your
particular set of symptoms to work out the best solution, but there
are popular utilities capable of doing some of this for the non-expert
(and equally spectacularly getting lots of it wrong!).]

------------------------------

Date: Thu, 29 May 1997 20:19:55 +0000 (GMT)
From: Sten Westerback <justus@clinet.fi>
Subject: Re: Booting Dr. Solomon S.O.S. disk during install? (PC)
X-Digest: Volume 10 : Issue 86

In article <0036.01IJAIRE8S4M8WXA01@csc.canterbury.ac.nz>, Bijutsu
<Bijutsu@worldnet.att.net> wrote:

>Any ideas:
>I bought Dr. S Antivirus. It says to reboot the computer using the
>s.o.s. disk. The disk is 3.5" which is my b: drive. My bootable
>drive is the a: 5.25. Does anyone know if I can skip (or should I)
>the sos disk and just install the software. Dr. Solomon has not
>answered my e-mail to them on this matter.

Do yourself a favour and swap the diskette drives. One should have 3.5"
as A: nowadays.

Anyway, what they really want you to do is boot from an old
writeprotected DOS boot diskette that you are 99.9% sure doesn't
contain any Stealth viruses on it. But you most usually can install
directly...

- Sten

------------------------------

Date: Fri, 30 May 1997 09:57:00 -0400 (EDT)
From: "steve.davis@hrb.com"@icf.hrb.com
Subject: Need info on NCH.B, ZEU.X and NCEPT (PC)
X-Digest: Volume 10 : Issue 86

Can anyone give me information on the viruses listed in the subject.
I have checked the online libraries and encyclopedias and could not
find any information.

Thanks in advance.
-Steve
- -
/=====================================================================\
|   __    __    __                  HRB Systems                       |
|  (_    /     |  \                 State College, PA                 |
|  __).  \__.  |__/.                                                  |
| Steven  C.   Davis                steve.davis@hrb.com               |
|                                   s.davis@ieee.org                  |
| Microsoft Certified Professional  http://oak.kcsd.k12.pa.us/~sdavis |
\=====================================================================/

------------------------------

Date: Fri, 30 May 1997 15:10:12 +0000 (GMT)
From: Patrick Noyens <patrick.noyens@ping.be>
Subject: Re: FLASH prom Virus writing to write protected Floppy (PC)
X-Digest: Volume 10 : Issue 86

On 28 May 1997 04:23:39 -0000, Mark@relocate.demon.co.uk wrote:

>Can anyone tell me, Is it possible that a virus resident within a Flash
>Bios of a 80x86 PC can intercept or ignore the Write Protect line of the
>Floppy Disk Drive, and write to a Floppy Diskette.
>I understand this is not possible with uncorrupted BIOS's but I would be
>very interested to know if this is feasible with A Virually infected
>BIOS.

It's not possible, not even if your BIOS were "infected". (Today,
there is no known virus that can infect your Flash BIOS either.)
The write protection on a floppy disk is purely _mechanical_ (no
software at all involved).

>I have done tests with 20 clean diskettes which are write protected and
>ran them through a system with a suspected BIOS Virus written into the
>Flash prom and on every diskette the MBR had been changed Even when I
>have booted from this diskette (This includes a freshly opened Microsoft
>6.2 Sealed Pack.

The drive is probably broken, that is the only way to write to a
'write protected' floppy disk.

-Patrick-
- ------------------------------------------------------------------------------
E-mail : patrick.noyens@ping.be
PGP-key available on request.
Key fingerprint =  01 31 60 FF C2 0F D4 A7  D2 83 64 FE 3E 3F 83 79

------------------------------

Date: Sat, 31 May 1997 11:37:05 +0100
From: james <H.Micklem@ed.ac.uk>
Subject: Is there anything I can do to fix this?! (PC)
X-Digest: Volume 10 : Issue 86

Please can you help:

I just joined an underfunded organisation that has a Digital DEC pc 425
(Olivetti motherboard) which has been out of action for the last few
months, so I was trying to resuscitate it.  Apparently people who were
here before tried and failed.

When it's powered up, the Resident Diagnosis chugs through its stuff
ok:

"CPU (i486SX)           pass
Base memory             640kb
Extended memory         3328kb
Dedicated memory        128kb
Total memory            4096kb
Cache memory            pass
Parity circuitry        pass
Interrupt Controllers   pass
DMA Controllers         pass
Keyboard                pass
Parity Device           pass
CPU Protected Mode      pass
CMOS RAM                pass
Fixed disks             1 present
Floppy disks            1 present"

until it gives the message:

"System Configuration Error - RUN SETUP"

It keeps going nevertheless, (VirusGuard doesn't detect any viruses)
reaching the C:> prompt.  Type Win RTN, and on the way it gives
messages:
eg

"You need to run the Setup program again
C:\WINDOWS\system\vshare.386
A device file specified in the system.INI files is corrupted.  It may
be needed to run Windows in 386 enhanced mode"

"You need to run the Setup program again
C:\WINDOWS\system\ifsmgr.386"

"cannot find a device file that may be needed to run windows in 386
enhanced mode.  You need to run the Setup programme again.
vtcpip.386"

It crashes before reaching Windows.
[Before I started trying to fix the problem --eg by reinstalling
windows,--it did make it through to Windows, but when I tried to run
applications (eg Word 6), there were problems, especially with the A-
drive.]

However, the A:drive apparently reads well enough that I was able to
run SETUP successfully (ie a complete fresh install of Windows 3.1),
but afterwards, all the same problems as detailed here are still there.


I also tried using a recent version (7.71) of the Dr Solomon (Magic
Bullet/Toolkit) virus scanner:  if you put in the first Magic Bullet
disc in the A:drive and startup, it gives a message:

"Magic Bullet has detected the possible presence of a virus such as
EXEBUG or PURCYST!  These viruses alter your CMOS settings so that a
boot from C: occurs before booting from A:" or "CMOS reports that you
do not have an A:drive. This may indicate the presence of a virus such
as EXEBUG. Please enter a number that describes the type of drive you
have from the following list:
1.  360k        5.25
2.  1.2M        5.25
3.  720k        3.5
4.  1.44M       3.5
5.  2.88M       3.5 "

Having picked the right drive, it reports:

"Magic Bullet has now fixed your CMOS.  Power down and reboot this disk
again.  Then run FindVirus to check your hard disk"

_But_ doing this just leads to the same "...CMOS reports..... please
enter a number that describes the type of drive" message and so there's
no way out of that circle.


Running the fv86.exe  application on this first MagicBullet disc, I
scanned the c:drive, but no viruses were detected.  (Incidentally,
running mb_menu on this same disc, and telling it to scan the drives,
it always starts by scanning the A:drive first, and invariably this
led to a hang with the message:  "Bad Message.doc".  Message.doc is
one of the files on that MagicBullet disc.  I don't know what to make
of this, since the disc is completely write-protected?!)

The A:drive reads well enough that I was able to run SETUP
successfully, but afterwards, all the same problems as detailed above
were still there.  I also replaced the internal 6V lithium battery that
keeps the CMOS powered when the machine is switched off.

Does this all mean it's a hardware problem? (or perhaps in the cable to
the a:drive, though that seems less likely, since the machine used to
work fine)?

Does any of this sound familiar?  Any idea if it is indeed a hardware
problem, and if so, whereabouts?  Could it be repaired?  how much could
it cost to fix?

Please please let me know if you have any suggestions for the
diagnosis, or how to fix the problem.

Many thanks!

James

Please email replies to H.Micklem@ed.ac.uk <james>

------------------------------

Date: Sun, 01 Jun 1997 11:21:04 -0400
From: Dream Evul <dreamevul@aol.com>
Subject: DOOMSDAY721 (PC)
X-Digest: Volume 10 : Issue 86

I need help !!  how do I get rid of doomsday ??

------------------------------

End of VIRUS-L Digest [Volume 10 Issue 86]
******************************************

