
VIRUS-L Digest V10 #87

daemon@ATHENA.MIT.EDU (VIRUS-L/comp.virus Moderator)
Sun Aug 10 18:07:22 1997

Date: 	Sun, 10 Aug 1997 18:37:08 +0100
Reply-To: virus-l@Lehigh.EDU
From: "VIRUS-L/comp.virus Moderator" <moderator@virus-l.demon.co.uk>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>

VIRUS-L Digest    Sunday, 10 Aug 1997    Volume 10 : Issue 87

Today's Topics:

SBABR 3.02
Re: Several intellectual questions
List of Known Macro Viruses: May 1997
Re: "Dark Side" of cookies
Re: Several intellectual questions
AVP Weekly virus report for 06/04/97
AVP FREE Trial software available!
Re[2]: Several intellectual questions
Desktop vs. Server strategy - really a fight?
Removing viruses from MS-Mail/Exchange E-Mails
Mac viri - help please? (MAC)
Re: How to disinfect Word macro virus in PPT file? (MACRO)
Recovery of macro NPAD.a templated documents (WORD)
What does NOP.A do? (WORD)
Re: wm.cap virus on Mac (WORD)
Re: Macrolist (by Padgett) as a generic AV against macro viruses (WORD)
Re: CAP Virus? (WORD)
Re: Protection for Word97 NORMAL.DOT? (WORD)
Re: Word operation and Normal.dot (WORD)
Macro viruses and Word Viewer (WORD)
Re: dos viruses in win NT (NT)
Re: dos viruses in win NT (NT)
Interested in your Invircible experiences (PC)
Re: Floppy Format fails (PC)
Re: Floppy Format fails (PC)
Latest FILLER virus? - can someone help (PC)
Re: FLASH prom Virus writing to write protected Floppy (PC)
Boot Sector Write, Possible virus ???? (PC)
Re: Floppy Format fails (PC)
Re: Floppy Format fails (PC)
Has anyone heard of the algoritmico virus? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is its gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on ftp.infospace.com/pub/virus-l (IP 206.129.166.107)
or upon request.)  Please sign submissions with your real name; clearly
faked or anonymous postings will not be accepted.  Some antivirus
documentation, and a full set of back-issues are also archived at
ftp.infospace.com, which is also the home of our FAQ (Frequently Asked
Questions) document.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: nick@virus-l.demon.co.uk.  (Beer recipes should still be sent to
Ken van Wyk at: krvw@mnsinc.com.)

VIRUS-L subscribers wanting help with list-processor commands should
send a message to listserv@lehigh.edu with the command "info virus-l"
in the body of the message (the listserv ignores Subject: lines).

All submissions should be sent to: VIRUS-L@lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Tue,  3 Jun 97 2:52:43 ITA
From: N.Ferri@agora.stm.it
Subject: SBABR 3.02
X-Digest: Volume 10 : Issue 87

Hello, I'm pleased to announce:

                                  SBABR
                       System Boot Areas Antivirus
                               Version 3.02

SBABR is a fast Antivirus for DOS and Windows 95 based computers to
intercept and remove boot viruses that might infect your system, and an
anti-crash utility that will save hours of work in case of system failure.

SBABR makes backups of all your computer system areas and performs
several integrity tests in order to protect your machine.
At any subsequent boot up, SBABR performs its integrity tests: MBR,
Boot Sector, Track Zero, CMOS and Memory are carefully examined and any
boot virus that could have infected your system is detected.
The SBABR integrity tests are effective against known and unknown
Boot Sector/MBR viruses.

SBABR is not a TSR (Terminate and Stay Resident) application, so it won't
use system memory and won't create any conflict with TSR applications.

Here are, schematically, the main SBABR features:

Floppy Boot Sector    - Back up/Restore
Hard Disk Boot Sector - Back up/Restore
MBR (partition)       - Back up/Restore
CMOS data             - Back up/restore
Track Zero            - Back up/Restore
Automatic back up/restore of all the areas
Boot Sector and MBR Check (not TSR)
MBR Decryptors
Track Zero Check
Relocated MBR search
"Seek and erase" relocated MBR
Memory Check
CMOS Check
Automatic system check at every computer startup
Automatic back up/restore of modified areas at computer startup
Files back up
Hard Disk/Floppy Boot Sector and MBR viewer
Other functions like EZ Erase, Uninstall and more.

See the "Usage" chapter in SBABR.DOC for details.

SBABR and its tools can detect and remove boot viruses as well as clean
the traces of previous infections, restore a lost CMOS configuration,
refresh damaged system areas, draw samples of infected sectors (on either
the hard disk or floppy), back up system areas and important files,
replace a suspicious floppy boot sector, keep Memory and CMOS under control
and more.


WHERE TO DOWNLOAD SBABR
=======================

SBABR Homepages:
http://www.ulisse.it/~mailand/sbabr.htm
http://www.geocities.com/SiliconValley/Park/7438
                      ***
http://www.simtel.net/pub/simtelnet/msdos/virus/sbabr302.zip
ftp://ftp.simtel.net/pub/simtelnet/msdos/virus/sbabr302.zip
ftp://garbo.uwasa.fi/pc/virus/sbabr302.zip
ftp://ftp.elf.stuba.sk/pub/pc/avir/sbabr302.zip


                      ***

NEW IN VERSION 3.02
===================

-   All the SBABR utilities are now compiled as EXE files.
-   SbaWiper has been eliminated. Now the SbaWiper functions are built into
    SBABR (sbabr.exe)
-   Corrected a bug in SBABR that made the program display "press Y to
    retry, N to abort or H for help" when no help was available.
-   Added the possibility to shell to DOS from within SBABR
-   Now the Uninstall feature is also available in the shareware version.
-   Setup is now more dynamic and correctly updates the AUTOEXEC.BAT
-   After updating your backups, now SbaBoot asks you to insert your SBABR
    Floppy to also update the backups on the Rescue diskette.
-   After updating your backups, now SBABR asks you to insert your SBABR
    Floppy to also update the backups on the Rescue diskette.
-   You can now start SBABR in two different ways: any key to start
    normally, space bar to skip the System Check.
-   SBABR can now be installed on any hard drive on your system.
-   Registration has changed, now you can register online your copy.
-   Now SbaCopy handles large files with no problem.
-   Graphic intro screen and menu have been repainted (SBABR and SB).
-   The ASC files. Now all the PGP signatures are stored into PGPSIG.TXT

And more. Read WHATSNEW.TXT for a complete list.

=======================================================================
Nicola Ferri <n.ferri@agora.stm.it>
PGP Public Key available on servers, homepage or request
Fingerprint: C2 82 9F 4B 74 3B D4 6E  49 89 DF F4 D8 3E A2 91
Author of SBABR - System Boot Areas Antivirus -
=======================================================================
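
To make the "integrity tests" idea above concrete, here is an added example written for this digest; it is not SBABR's code and not from the SBABR author. It parses a 512-byte MBR image, stores one SHA-256 per area (boot code and partition table separately, so a legitimate repartition is reported differently from a rewritten boot code area), reports what changed at a later check, and restores the backed-up code while keeping the disk's current partition table. The MBR bytes, the partition entry and the "changed" code bytes are constructed placeholders, and all function names are mine.

```python
import hashlib
import struct

MBR_SIZE = 512
CODE_LEN = 446   # bytes 0..445: boot code, the area a boot/MBR virus overwrites
PT_OFF = 446     # bytes 446..509: four 16-byte partition entries
SIG_OFF = 510    # bytes 510..511: 0x55 0xAA boot signature


def pack_entry(bootable, ptype, lba_start, sectors):
    """Build one partition entry; the CHS fields are left zero (LBA-only layout)."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\0\0\0",
                       ptype, b"\0\0\0", lba_start, sectors)


def make_mbr(code, entries):
    """Assemble a 512-byte MBR image from boot code and up to four entries."""
    if len(code) > CODE_LEN or len(entries) > 4:
        raise ValueError("boot code or partition table too large")
    table = b"".join(entries).ljust(SIG_OFF - PT_OFF, b"\0")
    return code.ljust(CODE_LEN, b"\0") + table + b"\x55\xaa"


def parse_mbr(mbr):
    """Split an MBR image into code, raw table, decoded entries and signature flag."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    parts = []
    for i in range(4):
        flag, _, ptype, _, lba, n = struct.unpack_from("<B3sB3sII", mbr, PT_OFF + 16 * i)
        if ptype:  # type 0 marks an unused slot
            parts.append({"bootable": flag == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": n})
    return {"code": mbr[:CODE_LEN], "table": mbr[PT_OFF:SIG_OFF],
            "partitions": parts, "signature_ok": mbr[SIG_OFF:] == b"\x55\xaa"}


def baseline(mbr):
    """What a backup tool stores about a known-clean MBR: one hash per area."""
    p = parse_mbr(mbr)
    return {"code": hashlib.sha256(p["code"]).hexdigest(),
            "table": hashlib.sha256(p["table"]).hexdigest()}


def check_mbr(mbr, base):
    """Compare an MBR with its baseline; an empty list means nothing changed."""
    p = parse_mbr(mbr)
    findings = []
    if not p["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if hashlib.sha256(p["code"]).hexdigest() != base["code"]:
        findings.append("boot code changed")
    if hashlib.sha256(p["table"]).hexdigest() != base["table"]:
        findings.append("partition table changed")
    if sum(e["bootable"] for e in p["partitions"]) > 1:
        findings.append("more than one active partition")
    return findings


def restore_code(mbr, backup):
    """Put the backed-up boot code back but keep the disk's current partition table."""
    return backup[:CODE_LEN] + mbr[CODE_LEN:]


# Constructed sample data: a hypothetical disk with one bootable FAT16 partition.
# The code bytes are placeholders, not real boot code and not a real virus.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (CODE_LEN - 5)
CHANGED_CODE = b"\xeb\x3c\x90" + b"\x00" * (CODE_LEN - 3)
ENTRY = pack_entry(True, 0x06, 63, 204800)
CLEAN_MBR = make_mbr(CLEAN_CODE, [ENTRY])
BASE = baseline(CLEAN_MBR)
INFECTED_MBR = make_mbr(CHANGED_CODE, [ENTRY])

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASE))
    print("changed: ", check_mbr(INFECTED_MBR, BASE))
    print("restored:", check_mbr(restore_code(INFECTED_MBR, CLEAN_MBR), BASE))
```

Hashing the two areas separately is the point: a partition-table change after a deliberate repartition is expected and should only trigger a baseline refresh, while a change in the first 446 bytes is exactly what a boot-sector infector produces and is what the restore step undoes.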

------------------------------

Date: Tue, 03 Jun 1997 17:51:18 +0000
From: Fridrik Skulason <frisk@complex.is>
Subject: Re: Several intellectual questions
X-Digest: Volume 10 : Issue 87

In <0007.01IJAIRE8S4M8WXA01@csc.canterbury.ac.nz>
Carey_Tyler_Schug@em.fcnbd.com writes:

>I am almost 3 months behind reading this list, so perhaps these questions
>have been asked and answered.  My apologies, if so.
>
>1. As I understand it, boot sector viruses write the original boot sector
>to some other sector, and put themselves in the boot sector.

Actually, it's not quite that simple, but most of them do, yes.

>example, virus "a" put the original boot sector in sector 9.  Could
>another virus come along and put virus "a", maybe in sector 8 and itself
>in the boot sector?

Oh, yes...happens all the time.

> How long could this go on?

There is no specific limit other than available space on the disk.
However, sooner or later you will encounter a situation where two viruses
attempt to use the same sector for the "original" boot sector, and then
the machine will not boot normally, making it obvious that something
is wrong.

>2. Shouldn't it be possible for a hardware manufacturer to produce a hard
>disk on which the boot sector is NOT writeable unless a certain jumper is
>set?  This jumper could be brought out to a pushbutton switch if desired,
>since it would need to be set to update the partition table.

And do you really expect every single user to be able to know when to
press the button?  Do you have any idea how many tech support calls
AV producers get because people think they have a virus when they have
just enabled "virus protection" in the BIOS, and then attempt to install
a new OS...?

>4. A more elaborate scheme could include flash memory, allowing setting a
>software password and eliminating the mechanical switch.

And what is to prevent a virus from erasing that ?

>5. It could also be put into the ROM BIOS, with a non-standard physical
>controller, so only a virus written for that specific physical controller
>could infect that machine.

which would make the machine dangerously incompatible.


-
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Tue, 03 Jun 1997 18:16:10 +0200
From: Klaus Brunnstein <brunnstein@rz.informatik.uni-hamburg.d400.de>
Subject: List of Known Macro Viruses: May 1997
X-Digest: Volume 10 : Issue 87

                   =========================================
                                  SUMMARY:
                       Macro Virus List (PC + Macintosh)
                      according to VTC name specification
                     including (PC) In-The-Wild Indication
                   =========================================

                          Vesselin Bontchev @ FSI
                       +  Klaus Brunnstein, Uni-Hamburg
                       +  Joern Dierks, VTC Uni-Hamburg
                       +  Thomas Buck, VTC Uni-Hamburg
                          VTC = Virus Test Center
                          Status: May 31, 1997

            >>> Copyright (c) 1997 University of Hamburg, Germany <<<


The number of macro viruses has significantly grown in May 1997: with
37 new strains and 246 new macro viruses (almost all replicating on
Word documents). The number grew faster than in every previous month.
Strains with fastest growth include NPAD (+19), Bandung (+16),
Colors (+14), Twno (+14), Showoff (+13) and Rapi (+13) whereas the growth
has diminished in strains such as Wazzu (+10) and Concept (+8).

The "list of known macro viruses", dated May 31, 1997, reports in
detail about all known macro-related malware. Here are the essential
statistical data:


                                   Word   +   Other  =  Total    (New)
        --------------------------------------------------------------
        Number of Strains           196   +      15  =    211    ( 37)
        Number of Viruses           921   +      12  =    933    (246)
        Number of Trojans            22   +       7  =     29    (  3)
        Number of Generators         10   +       0  =     10    (  0)
        Number of Intendeds          22   +       1  =     23    (  4)
        Number of Jokes               0   +       1  =      1    (  0)
        --------------------------------------------------------------
        Remarks: (*)=(viruses+trojans+intendeds+jokes)


The following 37 new macro virus strains have been reported in April 1997:

   Anak.A, Ant.A-B:Tw, Attack.A, Beeper.A-B, Chaka.A, Chandigarh.A, Cult.A.int,
   CVCK1.C-H, Czech.A, Dakota.A,B:De, Dance.A, Defender.A, Demon.A, Divina.F,
   Doggie.E, Donos.A.int, Envader.A.int, Hark.A, Hyper.A,A1, Java.A, Killok.A-B, Lox.A,
   Mark.A-B:Tw, Minimorph.A, Noprint.A, Ordo.A, Orhey.A, Pesan.A, Quick.A, Randomic.A,
   Rellk.A:Tw, Strezz.A, Sunbeam.A, Trap.A-C:Tw, Varmint.A:Tw, Why.A.drp,Zoolog.A


The following 209 variants of previously reported macro viruses have been reported in April 1997:

   Alien.D-E, Appder.D-E, Bandung.Y-Z,AA-AO, CAP.J-M, Cebu.B, Colors.AP-AZ,BA-BB,
   Concept.AL-AS, Dzt.D, Epidemic.B-C:Tw, Friday.C:De, Gambler.A-D, Goldfish.B, Irish.K-P,
   Johnny.A2,B1-M1, JunkFace.B,C.int, Kompu.C, MDMA.N-R, Minimal.N-P, Muck E,
   NiceDay E-J, NJ-WMDLK1.H, NOP.K, Npad.AX-AZ,BA-BP, Nuclear.L-M, PayCheck.B-C,
   Pig.B-E:Tw, Rapi.M1,AD2-AI2, ShowOff.AQ-AZ,BA-BC, Slow.B,B.drp, Spiral.B, Switcher.A-B,
   Talon.I-K, Twno.K-X:Tw, TwoLines.E-I1, Wazzu.BU-BZ,CA-CD, WMVH1.B-:Tw


The following new viruses were found to replicate esp. under Word97:

   Appder.B-C, Bismark.B-D, Lunch.A-B, Minimal.A-B, Opim.A, Rapi.A2, Wazzu.X


The following new viruses replicate under MS Excel and Excel 97:

   LMV.D.trj, Tjoro.A


==============================================================================
AVAILABILITY
==============================================================================

 This list is published monthly (normally between the 3rd and 8th of a month)
 and can be downloaded via FTP from VTCs "new" WWW/FTP site:

 ftp://agn-www.informatik.uni-hamburg.de/pub/texts/macro/

 The filenames used are:
    MACROLST.yym        (long version)
    MACROL_S.yym        (short version)

 "yym" stands for:

    yy = Year,
    m  = Month ("1"..."9" for January...September and
                "A" = October, "B" = November, "C" = December.

Both lists are also available from VTCs "old" ftp site:

   ftp.informatik.uni-hamburg.de/pub/virus/macro/macrolst.*

==============================================================================

------------------------------

Date: Wed, 04 Jun 1997 13:09:25 -0400 (EDT)
From: Doug Muth <dmuth+130918060413091806@ot.com>
Subject: Re: "Dark Side" of cookies
X-Digest: Volume 10 : Issue 87

Hi Slawomir Marczynski! I'm a UNIX geek, spam hunter, and a virusfighter!
>For an example lets consider such a three-bytes long program
>
>   JMP xxxx:yyyy
>
>It can (in some circumstances) re-partion HD without any warning.
>(Obviously xxxx:yyyy must be a valid address in BIOS.)

	Never mind that, just do a JMP ffff:0 (5 bytes long), which will
reboot an MS-DOS system and cause a GPF under Windoze 3.1.  It will
probably cause something similar under Win 95.

<Doug Muth> ----- <http://www.ot.com/~dmuth> ---- Est sularus oth Mithas!
Co-author of the SPAM-L FAQ -=-=-= http://www.snowpoint.com/spam-lfaq.txt
Maintainer of Responsible ISPs -=-=-=-=- http://spam.abuse.net/goodsites/
Anti-virus software and utils -=-=-=-=-=-= http://www.ot.com/~dmuth/virus
Co-Founder of CAUCE ** Stop E-mail spam for good! ** http://www.cauce.org

------------------------------

Date: Wed, 04 Jun 1997 13:19:45 -0400 (EDT)
From: Doug Muth <dmuth+131940060413194006@ot.com>
Subject: Re: Several intellectual questions
X-Digest: Volume 10 : Issue 87

Hi Carey_Tyler_Schug@em.fcnbd.com! I'm a UNIX geek, spam hunter, and a
virusfighter!
>I am almost 3 months behind reading this list, so perhaps these questions
>have been asked and answered.  My apologies, if so.

	Join the club. :-)

>1. As I understand it, boot sector viruses write the original boot sector
>to some other sector, and put themselves in the boot sector.  Say for
>example, virus "a" put the original boot sector in sector 9.  Could
>another virus come along and put virus "a", maybe in sector 8 and itself
>in the boot sector?  How long could this go on?  Just as an intellectual

	Up to the point where one MBR infector places the "original" boot
sector into a sector already occupied.  This would probably cause an
endless loop.  If you don't have a backup of the original MBR, you could
be in for serious problems.

>exercise, has anybody ever figured out how many boot sector viruses, or
>boot sector plus partition sector viruses could coexist on one machine?

	Hmm..I think I'll try that sometime!  I've already gotten 5 file
infectors in one file.  Talk about a nasty surprise for someone!

>Would their payloads be cumulative, or would the first or last take
>precedence?

	Yep, they would all have an equal opportunity to cause damage.

>Would any/some/most anti-virus programs find all of them in
>one pass, multiple passes, or fail to detect or disinfect from such a
>scenario?

	Depends on the AV program.  If it stops scanning a file after one
infection, it would take multiple passes to disinfect.

>2. Shouldn't it be possible for a hardware manufacturer to produce a hard
>disk on which the boot sector is NOT writeable unless a certain jumper is
>set?  This jumper could be brought out to a pushbutton switch if desired,
>since it would need to be set to update the partition table.  That would
>be the ultimate boot sector innoculant, and (I think) for operating
>systems like NT prevent floppy infection from any viruses except ones
>written specifically to infect NT (by knowing NTFS, and infecting a
>program from booting from a floppy disk).  Greater intelligence in the
>controller could interpret the partition table and protect the partition
>boot sectors also.

	My experience is that protecting the MBR through the CMOS is more
trouble than it's worth.  Just keep a backup of your MBR on a bootable floppy.

>3. Alternatively, such a jumper could be placed in the disk controller.

	Ugh.

>4. A more elaborate scheme could include flash memory, allowing setting a
>software password and eliminating the mechanical switch.  This could be
[snip]
>5. It could also be put into the ROM BIOS, with a non-standard physical
>controller, so only a virus written for that specific physical controller
>could infect that machine.

	What's to stop said virus from loading the code from ROM into
memory and jump past the section that asks for the password?  How do you
think commercial software that asks for registration codes get cracked? :-)

	Regards,

<Doug Muth> ----- <http://www.ot.com/~dmuth> ---- Est sularus oth Mithas!
Co-author of the SPAM-L FAQ -=-=-= http://www.snowpoint.com/spam-lfaq.txt
Maintainer of Responsible ISPs -=-=-=-=- http://spam.abuse.net/goodsites/
Anti-virus software and utils -=-=-=-=-=-= http://www.ot.com/~dmuth/virus
Co-Founder of CAUCE ** Stop E-mail spam for good! ** http://www.cauce.org
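
Both replies above (Fridrik Skulason's and Doug Muth's) describe the same mechanism: each infector moves whatever is currently in sector 0 aside and installs itself there, so booting follows a chain of relocated sectors, and two infectors choosing the same "save" sector break the chain. The following is an added simulation written for this digest, not code from either poster and not modelled on any real virus: a disk is a dict from sector number to contents, `infect` performs the relocation, `boot` walks the chain, and `passes_to_clean` shows Doug's point that a scanner which strips one infection per pass needs as many passes as there are layers. All names and the sector numbers are constructed.

```python
# Constructed model of stacked boot-sector infections (not any real virus):
# a "disk" maps sector numbers to contents; sector 0 is the boot sector.
ORIGINAL = ("boot",)          # the genuine boot sector


def new_disk():
    return {0: ORIGINAL}


def infect(disk, name, save_sector):
    """Relocate whatever is now in sector 0 to save_sector and install a stub
    in sector 0 that chains to save_sector, as the posts describe."""
    disk[save_sector] = disk[0]
    disk[0] = ("stub", name, save_sector)


def boot(disk, max_hops=64):
    """Follow the chain from sector 0. Returns (status, sectors visited, infectors seen)."""
    sector, path, names = 0, [], []
    while len(path) < max_hops:
        if sector in path:
            return "loop", path, names         # a stub chains back onto a visited sector
        path.append(sector)
        entry = disk.get(sector)
        if entry is None:
            return "missing", path, names
        if entry[0] == "boot":
            return "ok", path, names           # reached the genuine boot sector
        _, name, sector = entry
        names.append(name)
    return "too deep", path, names


def disinfect_one_layer(disk):
    """What a scanner that stops after one infection does: peel the outermost
    stub off sector 0 by copying back the sector it chained to."""
    entry = disk[0]
    if entry[0] != "stub":
        return False
    disk[0] = disk[entry[2]]
    return True


def passes_to_clean(disk):
    """Number of single-layer passes needed, or None if the chain is unrecoverable."""
    if boot(disk)[0] != "ok":
        return None
    passes = 0
    while disinfect_one_layer(disk):
        passes += 1
    return passes


if __name__ == "__main__":
    d = new_disk()
    infect(d, "A", 9)     # A keeps the original in sector 9
    infect(d, "B", 8)     # B keeps A's stub in sector 8
    print(boot(d))        # ('ok', [0, 8, 9], ['B', 'A'])
    print(passes_to_clean(d), d[0])

    d = new_disk()
    infect(d, "A", 9)
    infect(d, "B", 9)     # same save sector: the original is overwritten by A's stub
    print(boot(d))        # ('loop', [0, 9], ['B', 'A'])
    print(passes_to_clean(d))
```

In the collision case sector 9 ends up holding A's stub, which chains to sector 9 itself, so the walk never reaches the original and no number of single-layer passes can recover it; only an external backup of sector 0 (the bootable-floppy backup Doug recommends) gets the machine booting again.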

------------------------------

Date: Wed, 04 Jun 1997 13:43:00 -0500 (EST)
From: keith.peer@command-bbs.com
Subject: AVP Weekly virus report for 06/04/97
X-Digest: Volume 10 : Issue 87

==========================================================
AntiViral Toolkit Pro weekly virus report for June 4, 1997
  New viruses added to AVP detection / Removal Database
==========================================================

You can download evaluations for AntiViral Toolkit Pro from:

http://www.command-hq.com
http://www.avp.ch

--------------------------------
Features of AntiViral Toolkit Pro
--------------------------------

Virus-Detection: AVP identifies over 10075 different
viruses and virus families, including Macro and Windows95
viruses, and Trojan programs. With its state-of-the-art
anti-polymorphic engine, AVP reliably detects complex
polymorphic viruses. AVP's Code Analyzer detects over 80% of
as-yet unidentified new viruses. Regular updates keep AVP one of
the most up-to-date antiviral suites available today.

Virus-Disinfection: AVP will remove known viruses and
repair, when possible, files and system sectors.

Code Analyzer-Heuristic Virus Scanning Engine: AVP's Code
Analyzer checks files and system sectors for the presence of
new, yet unidentified viruses. The Code Analyzer detects
80% of new, yet previously unknown viruses.

Unpacking Engine: AVP's Unpacking Engine allows "on-the-fly"
scanning of programs, which are runtime compressed with popular
utilities: Diet, ExePack, LzExe, PkLite,  ComPack,
Com2Com.  The same engine is also used for scanning programs
that were immunized by CPAV, F-XLOCK and FileShield  as
well as program encryptors, CryptCOM, CryptCOM-b, Dropper-a,
Dropper-b, Dropper-c, Dropper-d, EncrCom/Exe and Protect_4_0.

Extracting Engine: The Extracting Engine recursively scans
inside ARJ, ZIP, LHA, ICE, LZH, ZIP2EXE, RARSFX, ARJSFX, LHASFX,
compressed archive files.

------------------------------------------------------------
New viruses detection and removal added to AVP on 06/04/1997
------------------------------------------------------------
DOS:
DAN.WMA.Dumb.404, DeadWin.1088, Diamond.1096,
DieHard2.4000.d,e,f, Dir_II.1024.x,y, Drepo.2470, DrJohn.2000,
Druid.297, DSME.Demo.2509, DST.525, Dutch_Tiny.308, Eatrich.946,
Fbd.1000, Freemun.200, Friday13.540.b, Ganja.437, Getto.2000,
Grace.1346.b, Guevara.1918, HLLP.Frontier.9583, Indonga.2125,
KOV.Eddy.1422,1457,1463,1478,1542,1567, LG, LittBrother.429,
Niko.4293, NRLG.Galiza.1202, Trivial.Drunk.166, TPE.Girafe.e,
TPVO.Glacier.1196, VLAD.Fire.854

Intended: Druid.297, Dutch_Tiny.505, Small.58
Trojan: PressPower

==========================================
Virus Descriptions (C) Eugene V. Kaspersky

--------------------------------------------------------
Central Command Inc.                AntiViral Toolkit Pro
http://www.command-hq.com                   HS Anti-virus
info@command-hq.com                  sales@command-hq.com
Compuserve: 102404,3654                          GO AVPRO
Ph: 330-273-2820    Fax: 330-220-4129   BBS: 330-220-4036
--------------------------------------------------------

------------------------------

Date: Wed, 04 Jun 1997 13:52:00 -0500 (EST)
From: keith.peer@command-bbs.com
Subject: AVP FREE Trial software available!
X-Digest: Volume 10 : Issue 87

AntiViral Toolkit Pro 3.0 PRE-RELEASE editions are available for
immediate download! Special 30 day evaluation editions.
All functions enabled for the trial period. These versions will
expire on 07/01/97.

Pre-Release Evaluations
----------------------
AntiViral Toolkit Pro v3.0 for DOS - 05/26/97
AntiViral Toolkit Pro v3.0 for Windows 95/NT - 05/26/97
AntiViral Toolkit Pro v3.0 for Netware 3.xx/4.xx/Intranetware - 05/26/97
AntiViral Toolkit Pro v3.0 Cumulative Update - 06/04/97

Free shareware (Freeware)
------------------------
AntiViral Toolkit Pro Virus Encyclopedia 1997 edition
AntiViral Toolkit Pro Macro Killer (Word 6/7)

AntiViral Toolkit Pro can detect and remove thousands of computer
virus infections and trojan horse programs. AVP can virus scan
recursively, within ZIP, ARJ, RAR, LHA, LZH, ICE, ZIP2EXE, RARSFX,
ARJSFX, and LHASFX, archives. AVP can virus scan within PKLITE,
EXEPACK, DIET, LZEXE, runtime compressed programs, and also,
within CPAV and FX-LOCK antivirus immunizations. AVP can decrypt
and virus scan within Cryptcom enciphered programs.

You can download these products from:

http://www.command-hq.com

or call our Bulletin Board System at:

330-220-4129  Login: GUEST

Best Regards,
Keith Peer
Central Command
--------------------------------------------------------
Central Command Inc.                AntiViral Toolkit Pro
http://www.command-hq.com                   HS Anti-virus
info@command-hq.com                  sales@command-hq.com
Compuserve: 102404,3654                          GO AVPRO
Ph: 330-273-2820    Fax: 330-220-4129   BBS: 330-220-4036
--------------------------------------------------------

------------------------------

Date: Wed, 04 Jun 1997 15:44:48 -0600
From: Carey_Tyler_Schug@em.fcnbd.com
Subject: Re[2]: Several intellectual questions
X-Digest: Volume 10 : Issue 87

Reply to:  dmuth+131940060413194006@ot.com (Doug Muth) at INTERNET

>2. Shouldn't it be possible for a hardware manufacturer to produce a hard
>disk on which the boot sector is NOT writeable unless a certain jumper is
>set?  This jumper could be brought out to a pushbutton switch if desired,
>since it would need to be set to update the partition table.  That would
>be the ultimate boot sector innoculant, and (I think) for operating
>systems like NT prevent floppy infection from any viruses except ones
>written specifically to infect NT (by knowing NTFS, and infecting a
>program from booting from a floppy disk).  Greater intelligence in the
>controller could interpret the partition table and protect the partition
>boot sectors also.

        My experience is that protecting the MBR through the CMOS is more
trouble than it's worth.  Just keep a backup of your MBR on a bootable floppy.

>3. Alternatively, such a jumper could be placed in the disk controller.

        Ugh.

---> I am referring to hardware.  An extra switch or jumper on either the
drive or the controller which requires human intervention before it will
write to the MBR.  And if the controller or drive is smart enough to decode
the partition table, before writing to any partition boot sector.  I think
all disk controllers and drives have small processor chips in them anyway,
so it would just be a bit more programming for the processor chip there.
The ROM that contains this program is not available to your computer, so it
could not be circumvented by any virus.

>4. A more elaborate scheme could include flash memory, allowing setting a
>software password and eliminating the mechanical switch.  This could be
[snip]

----> No, flash memory in the disk controller.  You run a program on your
PC which asks for a password, then passes it to the controller, which puts
it into the flash memory.  From then on, any time you want to write to the
boot sector, you would have to provide that password again.  Of course, if
you forgot your password, you would have to get a new flash rom chip from
somewhere (it would assume that if the flashed value was zero, that there
was no password required).  To write to the boot sector, you (for instance)
try to write a record containing the password to the boot sector.  The
controller does not do the write, but if the next request is ALSO to write
the boot sector (or anytime until the next system reset), it will allow the
second write to proceed.  Possibly the controller would be preloaded with a
password which is the serial number of the board, so you could obtain the
password by looking at the controller.

>5. It could also be put into the ROM BIOS, with a non-standard physical
>controller, so only a virus written for that specific physical controller
>could infect that machine.

        What's to stop said virus from loading the code from ROM into
memory and jump past the section that asks for the password?  How do you
think commercial software that asks for registration codes get cracked? :-)

----> OK.  What address does it jump to in order to bypass the check?  Is
the virus smart enough to decode the device driver and figure out where the
post-check code is?  No?  Then it can't bypass the code except by being
specific to that controller.  OK, it isn't as good as I thought at first,
because a simple table could say 'for this controller' jump to here, and
one virus possibly could infect several of these boards.  Assuming the
virus writer had access to several of these special controller boards.  Of
course, the BIOS could be smart enough (like some viruses) to randomize
where it loads itself, then the virus would have to find the code (like
an anti-virus program) wherever it was.

---->That's cool.  The anti-virus protection would use virus techniques,
and a virus for it would use anti-virus techniques.  I like that.

---->However, going back to my #4 suggestion, I believe it would still be
100% secure against ever getting infected.

----> In the dim distant past, I had 100% protection the cheap way.  All
software was on my A: drive and all data on my B: drive (and actually, I
had 3 floppy drives at the time).  I was very careful about what I
installed on my a: drive, and even if I had gotten a virus, it could not
wipe out my system, since it would be write-protected by the time its
payload tried to deliver itself.  Except that almost every current software
package tries to store all of its data files and all of its .ini and other
changing parameter files in its own directory, this could be done today
with multiple hard drives.

        Regards,

----> Carey

------------------------------

Date: Wed, 04 Jun 1997 18:34:17 -0700
From: "Mike Reed (MCS NorCal)" <mreed@microsoft.com>
Subject: Desktop vs. Server strategy - really a fight?
X-Digest: Volume 10 : Issue 87

I'm working with a large Enterprise client who is installing an Exchange
server network for their messaging and collaborative software.  We're
discussing the antiviral solutions for NT servers (file/print), NT/Alpha
Exchange Servers and desktop protection.

It is firmly agreed that the desktop is the primary point of infection
and as such should be VXD protected with current signature files but
there is disagreement on where, if anywhere, a second line of defense
should be.  Primary concern is macro virii which are being mitigated in
part by a migration to Office97 and aggressive enduser training on
macros and native macro protection features (but not reliant solely on
the features built into Word97 and the associated products).  I've
stressed that the best protection is always a VXD on the desktop but the
issue that faces us now is the scanning of email in the Exchange system
and other systems on out to their internet connection.

There are several products that scan mail traversing gateways (especially
SMTP) and others that claim to scan the private and public stores (*.EDB
files for Exchange) as well.  There is a strong concern that such
products are going to become "legacyware" as desktop encryption becomes
a standard because the entire message, attachments and all will be
unreadable to scanners.

What, if anything, are the AV companies doing in this regard and what,
if anything can be done?  Is the industry moving to a point that the
only place protection can exist is on the desktop?  What options are
available as encryption becomes more and more common (what's available
now?)?

Thanks in advance (I'll get your replies in the digest unless you cc
me)!

______________________
Mike Reed (mreed@microsoft.com)
Consultant & Banyan Migration Program Manager
Microsoft Consulting Services, Northern California
950 Tower Lane			Work:	(415) 573-4996
Suite 900				Pager:	(800) SKY-PAGE
[#4852164]
Foster City, CA  94404		Email Paging:
4852164@skymail.com [80 character limit]

"Some people say that you shouldn't tempt fate and for them I would
not disagree - but I never learned nothing from playing it safe - I
say fate should not tempt me."  -- Mary Chapin Carpenter

------------------------------

Date: Thu, 05 Jun 1997 10:56:49 +0000 (GMT)
From: Nick Kitson <nkitson@pc.jaring.my>
Subject: Removing viruses from MS-Mail/Exchange E-Mails
X-Digest: Volume 10 : Issue 87

Does anybody know of any programs which will automate the process of
removing viruses from E-Mail attachments?  MS-Mail stores mail in a
compressed format in a file called MSMAIL.MMF.   I am looking for
either
(i) a virus scanner which is capable of scanning the MSMAIL.MMF file,
or
(ii) a program or macro which can work through the mail folders, open
every mail with an attachment, and save the attachment in a temp
directory.  A virus scanner can then be run on the files in the temp
directory.

We have a similar problem for MS-Exchange users with lots of
attachments.

Very grateful for any thoughts/help

Nick Kitson

[Moderator's note:  Perhaps discussion of this could be merged with
discussion of Mike Reed's "Desktop vs. Server strategy - really a
fight?".]

------------------------------

Date: Wed, 04 Jun 1997 15:48:53 -0400
From: Hologhost <hologhost@aol.com>
Subject: Mac viri - help please? (MAC)
X-Digest: Volume 10 : Issue 87

I have a Macintosh Performa 637CD, running System 7.5.5, and 36,864k total
memory.

A few days ago about 100 meg of my hard drive disappeared.  I have run
through my system with SAM 4.0, but it hasn't detected anything.  (I do
have the most recent viri detections updated.)

I know it's very possible these symptoms could be caused by something else
- what is making me suspicious is that I seem to have a flickering picture
up by my zipple  of a small, straight, wormlike object, with a smiley face
and a "W".  (I think - it's hard to be sure.)

If anyone knows anything about this, please email me.
Apple has advised initializing the HD, but I've been told that that won't
always get rid of the problem and I will lose a few files in the process.
(I'm afraid to back them up, since I don't know if they are infected.)

Thanks.
Body by Soloflex, brains by Mattel.

------------------------------

Date: Wed, 04 Jun 1997 13:17:56 +0000
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: How to disinfect Word macro virus in PPT file? (MACRO)
X-Digest: Volume 10 : Issue 87

Tom Hall <tom_hall@ctp.com> wrote:

> I have a powerpoint slide with a Word Macro virus....

I don't think that this is possible - even if you try to embed an
infected Word document in the slide, its macros will be stripped. What
makes you think that you have a virus?

Regards,
Vesselin
- -
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Tue, 03 Jun 1997 10:02:52 +0100
From: Simon Nee <S.P.Nee@lboro.ac.uk>
Subject: Recovery of macro NPAD.a templated documents (WORD)
X-Digest: Volume 10 : Issue 87

Does anyone know how to recover documents that have been templated by
the npad.a Word macro virus into their original form?
TIA


Simon Nee

------------------------------

Date: Tue, 03 Jun 1997 12:09:40 +0200
From: Matthias Orphal <orphal@berlin.snafu.de>
Subject: What does NOP.A do? (WORD)
X-Digest: Volume 10 : Issue 87

Hi, unfortunately last week I caught my first Word macro virus:
NOP.A   (according to F-Prot 2.27 / F-Macrow 1.04)
What kind of actions does this virus start? I "only" noticed that it
infected my normal.dot, but nothing more. How dangerous is it?
Thanks for your attention.

Matthias

------------------------------

Date: Wed, 04 Jun 1997 12:54:41 +0000
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: wm.cap virus on Mac (WORD)
X-Digest: Volume 10 : Issue 87

Rick Boisvert <rick.boisvert@crc.doc.ca> wrote:

> Have found the Word virus "wm.cap" on my Macintosh.  Scanprot and SAM
> won't remove it, neither will Dr. Solomon's.

> Can anyone recommend software to clean this one?

Get F-MACROW 1.04 (distributed with F-PROT 2.27) - it will remove it.

Regards,
Vesselin
- -
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

[Moderator's note:  Due to posting delays this is outdated.  There is a
newer version of F-MACROW with F-PROT v2.27a.]

------------------------------

Date: Wed, 04 Jun 1997 12:53:42 +0000
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Macrolist (by Padgett) as a generic AV against macro viruses (WORD)
X-Digest: Volume 10 : Issue 87

Patrick Noyens <patrick.noyens@ping.be> wrote:

> I was wondering if a macro virus could trigger its payload routine
> immediately upon opening an infected document in MSWord after
> Padgett's Macrolist has been correctly installed. (assuming MSWord has
> been started with an uninfected NORMAL.DOT)

Yes, it can, although it ain't easy.

> What precautions could/should one take ?

Use the Organizer (from a virus-free environment, of course) to inspect
the document for macros before opening it.

Regards,
Vesselin
- -
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Wed, 04 Jun 1997 12:59:21 +0000
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: CAP Virus? (WORD)
X-Digest: Volume 10 : Issue 87

Richard Desjardine <rdesjard@golden.net> wrote:

> I was wondering if anyone could point me towards some information on this
> Word Macro Virus.  My Parent company has apparently encountered and sent
> me a warning saying that I would likely be receiving it via email, gee
> thanks, anyway I need to know what will kill it.  So if anyone knows...

The virus is written by a 14-year old kid from Venezuela. It is not
intentionally destructive, although its infection method leads to the
removal of all user macros from the documents it infects. The virus is
language version independent (will work on any language version of Word)
and very robust to macro corruptions - it can work with most of its
macros missing. Due to the way it infects, it can consist of a variable
number of macros - from 2 to 15, although the original idea seems to
have been that it consists of either 10 or 15 macros.

Regards,
Vesselin
- -
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Wed, 04 Jun 1997 13:09:44 +0000
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Protection for Word97 NORMAL.DOT? (WORD)
X-Digest: Volume 10 : Issue 87

Thomas Premo <TPREMO@MAIL.NYSED.GOV> wrote:

> Can anyone explain how to verify that Microsoft's Virus Protection for
> the Normal.dot in Word97 is installed and working correctly

Open the VBA Editor (Alt-F11), make sure that the Project Explorer
window is visible (Ctrl-R) and double-click on Normal in it. If you are
asked for the password, then the protection is installed and working.

> I just need to come up with evaluation procedures before recommending
> it for production.

Let me give you a piece of advice - don't recommend it, or you'll be in
for a lot of trouble. What the "protection" essentially does, is to put
a password on the user's global template. This will stop any attempt to
copy macros to it. It has the following problems:

1) Even if a virus cannot infect the global template, it can still
infect other documents during the editing session in which an infected
document has been opened.

2) There are several viruses which do not even attempt to infect the
global template - they infect the files on the MRU list, use
direct-action infection methods, infect the Startup directory, and
whatnot.

3) Installing the protection will prevent any legitimate macro package
from installing itself in the global template.

4) Users will be likely to forget their passwords and bother your
support department.

5) People tend to look for and install virus protections *after* they
get infected. Microsoft's Office97 protection will have the effect of
"protecting" the virus if it has already infected the global template.

Do yourself a favor, and install a good anti-virus program instead.

Regards,
Vesselin
- -
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Wed, 04 Jun 1997 13:32:33 +0000
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Word operation and Normal.dot (WORD)
X-Digest: Volume 10 : Issue 87

Ryan_E_Hope@ccmail.orl.lmco.com wrote:

> Is it accurate to say that when Word starts, it makes a copy of
> normal.dot in memory?  Or does it just take settings, macros, etc.
> from Normal.dot and incorporate them into the Word environment?

The latter is the more correct way to put it, depending on your
definition of "incorporate". When Word starts, it opens all global
templates (Normal.dot and any templates in the Startup directory), reads
all macros, customizations, etc. from them and keeps these macros etc.
in memory, making them available to its environment. Changes to them
affect the environment during the editing session but not the image on
the disk until the respective global template is saved.

Regards,
Vesselin
- -
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Thu, 05 Jun 1997 19:51:21 +1000
From: "Brian J. Fillery" <bfillery@gil.com.au>
Subject: Macro viruses and Word Viewer (WORD)
X-Digest: Volume 10 : Issue 87

If I am using the Word Viewer to look at Word for Windows docs would I
be in danger of infecting anything with a Macro virus? I don't really
see how they could affect the Viewer but does anyone know?

Regards,  Brian.

Brian J. Fillery, (bfillery@gil.com.au)
Brisbane, Australia.

------------------------------

Date: Wed, 04 Jun 1997 13:07:28 -0400 (EDT)
From: Doug Muth <dmuth+130725060413072506@ot.com>
Subject: Re: dos viruses in win NT (NT)
X-Digest: Volume 10 : Issue 87

Hi David Harley! I'm a UNIX geek, spam hunter, and a virusfighter!
>: 	Another analogy is that doing an rm -f / under UNIX won't do
>: anything if you're not root.
>Hate to be picky (oh, yeah?) but I'd have thought that on most systems
>rm -f / could do a lot of damage, even run by an unprivileged user,
>not least to the directory subtree below their home directory and to
>spool files. It's a rare system that doesn't give directory execute
>permission and file write permission to unprivileged users outside the
>~ subtree on any file whatsoever.

	Ok, I see what you're getting at, and it was something I hadn't
thought of.

	I did a little experimenting on my own (not on / :-) and discovered
that rm -f <dir> won't do anything if you don't have write permission to
that directory, which a non-root user shouldn't have.  Doing an rm -rf /
however, will descend through the directory structure and delete any
files/directories that exist in directories where you have write access
which would mean anything in $HOME and anything you own in /tmp, assuming
that /tmp is set to 1777 as it should be.

	Lemme know if there's anything I missed, I'm getting confused
now. :-)

	Regards,

<Doug Muth> ----- <http://www.ot.com/~dmuth> ---- Est sularus oth Mithas!
Co-author of the SPAM-L FAQ -=-=-= http://www.snowpoint.com/spam-lfaq.txt
Maintainer of Responsible ISPs -=-=-=-=- http://spam.abuse.net/goodsites/
Anti-virus software and utils -=-=-=-=-=-= http://www.ot.com/~dmuth/virus
Co-Founder of CAUCE ** Stop E-mail spam for good! ** http://www.cauce.org
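The permission rules Doug describes above, as an added example that is not part of the original post: a small POSIX shell demonstration (paths are constructed under a mktemp directory) that deleting a file needs write permission on the containing directory rather than on the file, and that a 1777 /tmp carries the sticky bit. Run it as an unprivileged user; root bypasses the directory check.

```shell
# Added demonstration, not code from the original post. Everything here is
# built under a temporary directory created with mktemp.

# try_unlink FILE: attempt to delete FILE; print "removed" or "denied".
try_unlink() {
    rm -f -- "$1" 2>/dev/null || true
    if [ -e "$1" ]; then echo denied; else echo removed; fi
}

# demo_dir_perms: build one read-only and one writable directory, each
# holding a world-writable file, and report what rm -f does to each.
# Prints "<locked-result> <open-result>"; for an unprivileged user that is
# "denied removed", because the file's own mode is irrelevant to unlink.
demo_dir_perms() {
    base=$(mktemp -d) || return 1
    mkdir "$base/locked" "$base/open"
    : > "$base/locked/f"
    : > "$base/open/f"
    chmod 0666 "$base/locked/f" "$base/open/f"   # files writable by all
    chmod 0555 "$base/locked"                    # directory not writable
    locked=$(try_unlink "$base/locked/f")
    open=$(try_unlink "$base/open/f")
    chmod 0755 "$base/locked"                    # allow cleanup again
    rm -rf -- "$base"
    echo "$locked $open"
}

# sticky_bit_set DIR: succeed if DIR has the sticky bit (the "1" in 1777),
# which shows as "t" or "T" in the tenth column of ls -ld output.
sticky_bit_set() {
    case "$(ls -ld -- "$1" | cut -c10)" in
        t|T) return 0 ;;
        *)   return 1 ;;
    esac
}

# demo_sticky: check a constructed directory first at 1777, then at 0777.
# Prints "sticky plain".
demo_sticky() {
    d=$(mktemp -d) || return 1
    chmod 1777 "$d"
    a=$(sticky_bit_set "$d" && echo sticky || echo plain)
    chmod 0777 "$d"
    b=$(sticky_bit_set "$d" && echo sticky || echo plain)
    rmdir "$d"
    echo "$a $b"
}

# Stand-alone run: both demonstrations, plus the mode of the real /tmp.
demo_dir_perms
demo_sticky
if sticky_bit_set /tmp; then
    echo "/tmp has the sticky bit (only owners can remove their files)"
else
    echo "/tmp lacks the sticky bit (any user with write access can remove files)"
fi
```

The sticky bit is why "anything you own in /tmp" is the limit of what `rm -rf /` can take from a shared temp directory: without it, write access to the directory alone would let a user remove everyone else's files there.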

------------------------------

Date: Wed, 04 Jun 1997 22:31:04 +0100 (BST)
From: David Harley <harley@nagos.lif.icnet.uk>
Subject: Re: dos viruses in win NT (NT)
X-Digest: Volume 10 : Issue 87

Hi, Doug.

> 	I did a little experimenting on my own (not on / :-) and discovered
> that rm -f <dir> won't do anything if you don't have write permission to
> that directory, which a non-root user shouldn't have.

Have to admit, I did actually read your post as citing rm -rf, no doubt
because it's such a common attack. I'll stand by my response, though,
if only because it might clarify the issue slightly for the less-Unix
proficient. You're absolutely right of course: an unprivileged user
shouldn't have write permission to / or system critical directories,
and wouldn't on most professionally-run systems (I hope). I did have
in mind people administering their own workstations or PCs run as
single-user Unix boxes as well, though. And even pros slip up from time
to time (he said, looking slightly sheepish.....).

> Doing an rm -rf /
> however, will descend through the directory structure and delete any
> files/directories that exist in directories where you have write access
> which would mean anything in $HOME and anything you own in /tmp, assuming
> that /tmp is set to 1777 as it should be.
>
> 	Lemme know if there's anything I missed, I'm getting confused
> now. :-)

My normal state. B-)

I think we already covered mail. Files/directories/links shared between
group members isn't uncommon in academic environments. Can't think
of anything else, offhand.

- -
David Harley                     \   |   /                 alt.comp.virus FAQ
D.Harley@icrf.icnet.uk            \  |  /               & Anti-Virus Web Page
Support & Security Analyst         \ | /         Folk London On-Line gig-list
Imperial Cancer Research Fund   ____\|/____   http://webworlds.co.uk/dharley/

------------------------------

Date: Sun, 01 Jun 1997 22:40:58 +0000 (GMT)
From: Scott Keegan <scottk@s055.aone.net.au>
Subject: Interested in your Invircible experiences (PC)
X-Digest: Volume 10 : Issue 87

I know there was quite a bit of traffic about the Invircible product
some time ago, but I'm wondering what have been your experiences with
this product recently and what the general opinion of the anti-virus
community is on Invircible.

Any information would be greatly appreciated but please, no spam about
your own product.

Thanks,

Scott.

------------------------------

Date: Mon, 02 Jun 1997 09:18:58 +0300
From: Atro Tossavainen <atossava@kontti.helsinki.fi>
Subject: Re: Floppy Format fails (PC)
X-Digest: Volume 10 : Issue 87

Warren Contreras <quest@teleport.com> writes:

> With several machines on a network (3) if you format the A: drive it
> completes the format (format complete) then gets: 'general falure
> reading drive a:' and if you select f for fail it says 'invalid media or
> track 0 bad, disk unusable'

AFAIK I don't have any viruses, my disk drives are working all right,
and still this happens to me, too, rather often - except that it
doesn't even complete the format, it doesn't even start it! And I've
had it happen on several completely different computers, too.

I've kind of come to the conclusion that the problem is simply that
1.44 MB floppies tend to be abysmally bad. But since they tend to come
pre-formatted these days, the solution is simple: don't try to reformat
them.

- -
Atro Tossavainen		E-mail: Atro.Tossavainen@helsinki.fi
				http://www.helsinki.fi/~atossava/

------------------------------

Date: Mon, 02 Jun 1997 21:29:10 +0000 (GMT)
From: Mari Donkers <mdonkers@xs4all.nl>
Subject: Re: Floppy Format fails (PC)
X-Digest: Volume 10 : Issue 87

Warren Contreras <quest@teleport.com> wrote in article
<0034.01IJEQI2VNI28WXS06@csc.canterbury.ac.nz>...

> With several machines on a network (3) if you format the A: drive it
> completes the format (format complete) then gets: 'general falure
> reading drive a:' and if you select f for fail it says 'invalid media or
> track 0 bad, disk unusable'

I think I have once had this same problem when I was
trying to format a 720K diskette in a 1.44M drive.
A "format a: /f:720" helped me out.

Mari Donkers

------------------------------

Date: Tue, 03 Jun 1997 11:15:55 +0530 (IST)
From: Elyas <rashid@giasbma.vsnl.net.in>
Subject: Latest FILLER virus? - can someone help (PC)
X-Digest: Volume 10 : Issue 87

I've got this filler virus on my PC but my scanner does not detect/remove
it. Well, then how do I know it's there? - a friend of mine detected it
on my diskette using McAfee scan at his office (now he is unavailable -
not in town). I downloaded an evaluation version of McAfee's ScanPM (for
protected mode - standard ver doesn't run on my 16 MB RAM), it does not
detect any virus on my PC but does show some files as:-

read access to <DriveName>:<PathName>\<FileName> denied

these files do not appear with the dir command (not even with /A switch).
The filenames are of 2 characters starting with either black/white face
and any other character (like W , S , O etc.), they are found on the
directories :-

windows\media, some other windows directories, history direc of the
mie3.0 (within the NT's programfiles directory) etc.

thanks for any guidance you can give me
Elyas
elyas@poboxes.com

------------------------------

Date: Wed, 04 Jun 1997 12:49:31 +0000
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: FLASH prom Virus writing to write protected Floppy (PC)
X-Digest: Volume 10 : Issue 87

Mark@relocate.demon.co.uk wrote:

> Can anyone tell me, Is it possible that a virus resident within a Flash
> Bios of a 80x86 PC can intercept or ignore the Write Protect line of the
> Floppy Disk Drive, and write to a Floppy Diskette.

I don't think that what you wrote is what you mean. Intercepting and
ignoring the Write Protect error is trivial - and you don't have to have
a virus in the BIOS for that. However, you probably mean to ask whether
such a virus could write to write-protected diskettes - and the answer
is NO. The write protection is physical and electrical and no amount of
clever programming - in the BIOS or elsewhere - can get around it.

> I understand this is not possible with uncorrupted BIOS's but I would be
> very interested to know if this is feasible with a virally infected
> BIOS.

It is not.

> I have done tests with 20 clean diskettes which are write protected and
> ran them through a system with a suspected BIOS Virus written into the
> Flash prom

You can stop suspecting the poor system now. :-) There are no known
viruses that can write themselves in the BIOS (although there is one
that tries - unsuccessfully - to do so). Besides, such a virus would be
horribly non-portable and the chances that it would have infected your
system are virtually nil.

> and on every diskette the MBR had been changed

Diskettes don't have MBRs, so you obviously mean something else. Please
express yourself correctly. Also, you can do the following test. Write
protect a diskette, insert it in the drive, and try to copy a file to
it. If you can, this means that your floppy disk drive's write
protection is faulty and the drive has to be repaired. If you cannot,
then no virus can write to write protected diskettes either - regardless
of whether it resides in the BIOS or anywhere else. Read the FAQ for
more information on this subject.

Regards,
Vesselin
- -
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Wed, 04 Jun 1997 13:16:36 +0000 (GMT)
From: Jason Wells <wells@deakin.edu.au>
Subject: Boot Sector Write, Possible virus ???? (PC)
X-Digest: Volume 10 : Issue 87

I have attempted a clean install of Win 95, during the formatting of the
hard drive the following message appeared.
"Boot Sector Write, Possible Virus"
"Continue:Yes/No"
I continue but alas I am having a lot of problems.
Disks are getting corrupted, my hard drive won't boot and I can't seem to
fdisk /mbr to repair the boot sector.

Some one told me to get a clean copy of the master boot record of my type
of hard drive and reload it.

PS. All virus checkers used found no errors or viruses.

Can anyone give me some advice on what I have to do to rid the virus.
I know it is a virus because another HD got the same message after booting
from an infected disk.

Jason Wells.

[Moderator's note:  You have boot sector "protection" enabled in your
BIOS.  This is (normally) a good thing, to be encouraged.  The problem
here is you are doing one of the few things that legitimately wants to
write to your MBR--installing a new operating system.  Turn this
option off--this is safe for now because you say your AV doesn't detect
any viruses.  Install your Win95 upgrade, and when it is completely
finished installing, turn the MBR protection back on.]

------------------------------

Date: Wed, 04 Jun 1997 13:24:23 -0400 (EDT)
From: Doug Muth <dmuth+132410060413241006@ot.com>
Subject: Re: Floppy Format fails (PC)
X-Digest: Volume 10 : Issue 87

Hi Warren Contreras! I'm a UNIX geek, spam hunter, and a virusfighter!
>With several machines on a network (3) if you format the A: drive it
>completes the format (format complete) then gets: 'general falure
>reading drive a:' and if you select f for fail it says 'invalid media or
>track 0 bad, disk unusable'
>We have replaced the command.com and format.com from a known working
>machine with the same dos version, scanned with McAfee and found no
>virus, replaced with new floppy drive and same result, did an fdisk/mbr
>and can not shake the problem.  Any others with this problem ?

	If it happens with the same disk, I would say that track 0 is bad.
Spend $.50 (US) and buy a new disk.

	Regards,

<Doug Muth> ----- <http://www.ot.com/~dmuth> ---- Est sularus oth Mithas!
Co-author of the SPAM-L FAQ -=-=-= http://www.snowpoint.com/spam-lfaq.txt
Maintainer of Responsible ISPs -=-=-=-=- http://spam.abuse.net/goodsites/
Anti-virus software and utils -=-=-=-=-=-= http://www.ot.com/~dmuth/virus
Co-Founder of CAUCE ** Stop E-mail spam for good! ** http://www.cauce.org

------------------------------

Date: Wed, 04 Jun 1997 21:12:08 +0500
From: Richmann <richmann@videotron.ca>
Subject: Re: Floppy Format fails (PC)
X-Digest: Volume 10 : Issue 87

Did you check the disk reader alignment ?
- -
**********************************************************************
Richmann                                         Richmann@videotron.ca
 Was mich nicht umbringt, macht mich stärker
 That which does not kill me,  makes me stronger             Nietzsche

------------------------------

Date: Thu, 05 Jun 1997 09:03:08 +0000 (GMT)
From: Skadanks <skadanks@cyberearth.net>
Subject: Has anyone heard of the algoritmico virus? (PC)
X-Digest: Volume 10 : Issue 87

I recently downloaded a shareware version of anyware antivirus. I ran
it and it said that I have a virus called "algoritmico" in my xtgold
file in windows. I ran other virus programs and they found nothing.
I've read several virus databases and there's no mention of a virus by
this name. Has anyone heard of this or is the anyware antivirus
company trying to get me to purchase their software by setting up a
fake virus alert and having me "remove" it? Thanks in advance.

*******************************************
Think Twice About Spamming Me; E-Junk Mail Is Illegal-
"By US Code Title 47, Sec.227(a)(2)(B), a computer/modem/printer
meets the definition of a telephone fax machine.
By Sec.227(b)(1)(C), it is unlawful to send any unsolicited
advertisement to such equipment.
By Sec.227(b)(3)(C), a violation of the aforementioned Section is
punishable by action to recover actual monetary loss, or $500,
whichever is greater, for each violation."

------------------------------

End of VIRUS-L Digest [Volume 10 Issue 87]
******************************************

