[1665] in Virus_Discussion_List
VIRUS-L Digest V10 #88
daemon@ATHENA.MIT.EDU (VIRUS-L/comp.virus Moderator)
Mon Aug 11 20:57:20 1997
Date: Tue, 12 Aug 1997 00:29:26 +0100
Reply-To: virus-l@Lehigh.EDU
From: "VIRUS-L/comp.virus Moderator" <moderator@virus-l.demon.co.uk>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>
VIRUS-L Digest Tuesday, 12 Aug 1997 Volume 10 : Issue 88
Today's Topics:
Re: Several intellectual questions
Antivirus Software Reviews
AOL June 15th - hoax
Computer Virus Solutions in USA - Out of Business
Dr Solomon's FindVirus v7.72 available for download
REVIEW: PC-CILLIN II for Windows 95 and Internet, TouchStone 1996
Re: "Dark Side" of cookies
scn-302e.zip McAfee VirusScan for MS-DOS
Crypt News 43 abstracts
Number of viruses evolution?
Anti-Virus Software for HP-UX (UNIX)
AV for Word 97? (WORD)
Macro virus "weekend"? (WORD)
WM.Cap.A (WORD)
Re: POLL: Decrypting Password Protected DOC files (WORD)
Re: CAP Virus (WORD)
Printer Driver Macro Virus (WORD)
Windows 95/Excel 7.0 problem (XL)
McAfee & filenaming restrictions (NT)
Does TBAV NT have a file i/o monitor? (NT)
Elia-Shim Vs-Web (WIN95)
Help!! Anti-Virus for MS-Mail3.5
Best Anti-Virus Program for Win95?
f-prot 95 and network install (WIN95)
F-prot win3.1 and f-prot win95 (WIN)
Help! HD's get destroid, cause unknown! (PC)
Re: PC freezes at midnight--virus? (PC)
Stealthboot MBR problem...Help!!! (PC)
Boot Record infected with CLAUDIA!!! (PC)
Got the "Ripper" virus on a new HD and can`t load DOS! (PC)
Re: FLASH prom Virus writing to write protected Floppy (PC)
Re: Floppy Format fails (PC)
Re: PC freezes at midnight--virus? (PC)
Is it a Virus? (PC)
XHP2021 Virus only on startup ! (PC)
Re: Floppy Format fails (PC)
I've found new viruses? (PC)
New: antivirus for Bleah virus (PC)
Re: FLASH prom Virus writing to write protected Floppy (PC)
Vsign virus (PC)
Virus or system? (PC)
Re: Weed virus (PC)
McAfee ScanPM EMM386 error in Compaq LTE 5100 notebook (PC)
Monkey and Win95 (PC)
I need help fixing a CMOS virus (PC)
Thanks! (was: Logging Interrupts) (PC)
Sampo Mimic? (PC)
MS Excel Evolution-2001 virus: what is it? (PC)
HELP (evolution-2001) virus (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is its gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform--diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on ftp.infospace.com/pub/virus-l (IP 206.129.166.107)
or upon request.) Please sign submissions with your real name; clearly
faked or anonymous postings will not be accepted. Some antivirus
documentation, and a full set of back-issues are also archived at
ftp.infospace.com, which is also the home of our FAQ (Frequently Asked
Questions) document.
Administrative mail (e.g., comments or suggestions) should be sent to
me at: nick@virus-l.demon.co.uk. (Beer recipes should still be sent to
Ken van Wyk at: krvw@mnsinc.com.)
VIRUS-L subscribers wanting help with list-processor commands should
send a message to listserv@lehigh.edu with the command "info virus-l"
in the body of the message (the listserv ignores Subject: lines).
All submissions should be sent to: VIRUS-L@lehigh.edu.
Nick FitzGerald
----------------------------------------------------------------------
Date: Thu, 05 Jun 1997 12:40:56 -0400
From: "M. Miller" <mmiller@cam.org>
Subject: Re: Several intellectual questions
X-Digest: Volume 10 : Issue 88
Carey_Tyler_Schug@em.fcnbd.com wrote:
> I am almost 3 months behind reading this list, so perhaps these questions
> have been asked and answered. My apologies, if so.
No, it's very cool to read an intelligent post sometimes... :)
> 1. As I understand it, boot sector viruses write the original boot sector
> to some other sector, and put themselves in the boot sector. Say for
> example, virus "a" put the original boot sector in sector 9. Could
> another virus come along and put virus "a", maybe in sector 8 and itself
> in the boot sector? How long could this go on? Just as an intellectual
> exercise, has anybody ever figured out how many boot sector viruses, or
> boot sector plus partition sector viruses could coexist on one machine?
> Would their payloads be cumulative, or would the first or last take
> precedence? Would any/some/most anti-virus programs find all of them in
> one pass, multiple passes, or fail to detect or disinfect from such a
> scenario?
This is actually possible. But the majority of BSV and MBRV copy the
original boot sector to a sector that will probably never be used.
Sectors on the first cylinder (0, if my memory is good!), between the
partition code and the first partition are usually free. As the
majority of viruses are copied or a little modified, these
locations are practically all the same.
Will your computer hang if you are infected with more than one MBR
virus? Probably. This depends on the particularities of each virus.
Just imagine:
Virus S is a full stealth virus. When in control of your computer, it
redirects any attempt to read/write the MBR (now the virus) to the old
MBR saved somewhere.
Virus M is a multipartite virus. It can infect executable code in files
and/or in BS and MBRs. You run the infected FILE. You are already
infected with Virus S.
Virus M wants to read the MBR. Virus S stealths this to the old MBR.
Virus M reads the old MBR into some buffer. Virus M writes the old MBR to
some location, different from "S" old MBR location. Virus M copies itself
to the MBR. Virus S doesn't want its code to be removed/overwritten. "S"
stealths this to the old MBR location of... "S"!
Now, you start your computer:
Virus "S" loads in memory, redirects interrupts and calls int 19h (cold
reboot). Virus is in memory, computer now cold reboots. (You don't even
see this.) Computer wants to read MBR. Virus "S" stealth code redirects
this read to the old MBR location. Oops! Old MBR location is now the
virus "M".
Virus "M" now loads in memory, and if there are no problems with M's
code, the computer will probably boot... Because saved MBRs are not kept
in the same sector.
Well... you see... There are many factors to check for! (and I left out
many of them...)
Exercise to the reader ;)... What if location of old MBR of "S" = "M" ?
(Sorry if this is not very clear, but English is not my natural
language...)
> 2. Shouldn't it be possible for a hardware manufacturer to produce a hard
> disk on which the boot sector is NOT writeable unless a certain jumper is
> set? This jumper could be brought out to a pushbutton switch if desired,
Yes. All is possible.
> (snip..)
> program from booting from a floppy disk). Greater intelligence in the
> controller could interpret the partition table and protect the partition
> boot sectors also.
But the problem is the user. Just read comp.virus and especially
alt.comp.virus. Read all the MSGs about the user that thinks that he is
infected with a virus because his BIOS "Anti-Virus" (the one in your
CMOS Setup) rings the bell...
Oh! Did I mention that he was installing a new Operating Software?
Many people don't know when it is normal to rewrite a MBR.
(Note: this "Anti-Virus" feature can be bypassed by a virus...)
> 4. A more elaborate scheme could include flash memory, allowing setting a
> software password and eliminating the mechanical switch. This could be
> done on either the SCSI/IDE disk or the disk controller board.
If the password is not stored, but a hash of the password is used,
well... It could be cool... But how many users would like to have
another password? ;-)
- -
+----------------------------------------------+----= PGP FINGERPRINT =----+
| M. Miller <mmiller@cam.org> Montreal, Quebec | BD 4E 24 F1 40 8B FA 17 |
| PGP Key: finger -l mmiller@cam.org | 49 81 69 F2 5D 95 BB CA |
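
The double-infection sequence described in the post above, as an added example that is not part of the original message: a toy Python model in which sectors hold text labels instead of code. The save sectors 9 and 8 are assumptions (the post gives no sector numbers for "S" and "M"), as is the rule that "S" redirects only sector-0 accesses. It goes one step beyond the post by also running the case left as an exercise, where both viruses use the same save sector, and it reports what a scanner reads with "S" resident versus after a clean boot.

```python
"""Toy model of the "S" + "M" double MBR infection. Sectors hold text labels,
not code, and nothing here touches a real disk."""

MBR = 0  # sector holding the master boot record in this model


class Disk:
    """Raw sector store: what a scanner reads after booting from clean media."""

    def __init__(self):
        self.sectors = {MBR: "ORIGINAL"}

    def read(self, n):
        return self.sectors.get(n, "EMPTY")

    def write(self, n, data):
        self.sectors[n] = data


class StealthHook:
    """Disk access while "S" is resident: sector 0 is redirected to S's save sector."""

    def __init__(self, disk, save_sector):
        self.disk, self.save_sector = disk, save_sector

    def _map(self, n):
        return self.save_sector if n == MBR else n

    def read(self, n):
        return self.disk.read(self._map(n))

    def write(self, n, data):
        self.disk.write(self._map(n), data)


def infect(io, label, save_sector):
    """Order given in the post: copy the current MBR aside, then replace it."""
    io.write(save_sector, io.read(MBR))
    io.write(MBR, label)


def boot_chain(disk, s_save, m_save, limit=6):
    """Follow control from raw sector 0 until the original loader runs.

    Returns (labels executed in order, True if the original MBR was reached).
    Hitting the step limit models a machine that hangs at boot.
    """
    io, chain = disk, []
    code = disk.read(MBR)                   # the BIOS loads the real sector 0
    while len(chain) < limit:
        chain.append(code)
        if code == "S":
            io = StealthHook(disk, s_save)  # S goes resident, then re-reads "the MBR"
            code = io.read(MBR)
        elif code == "M":
            code = io.read(m_save)          # M hands over to the sector it saved
        else:
            return chain, code == "ORIGINAL"
    return chain, False


def scenario(s_save, m_save):
    """Infect with S, then with M while S is resident, and report the outcome."""
    disk = Disk()
    infect(disk, "S", s_save)                       # S arrives on a clean system
    infect(StealthHook(disk, s_save), "M", m_save)  # M's disk access goes through S
    chain, boots = boot_chain(disk, s_save, m_save)
    return {
        "chain": chain,
        "boots": boots,
        "scanner_live": StealthHook(disk, s_save).read(MBR),
        "scanner_clean_boot": disk.read(MBR),
        "original_survives": "ORIGINAL" in disk.sectors.values(),
    }


if __name__ == "__main__":
    # (9, 8): separate save sectors, as in the post; (9, 9): the reader exercise.
    for s_save, m_save in [(9, 8), (9, 9)]:
        print((s_save, m_save), scenario(s_save, m_save))
```

In both runs a scanner on the live system reads "M" from sector 0 while the raw sector holds "S", so only the clean-media view shows what is actually in the MBR.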
------------------------------
Date: Fri, 06 Jun 1997 21:11:48 -0800
From: Ken Dunham <kdunham@eoni.com>
Subject: Antivirus Software Reviews
X-Digest: Volume 10 : Issue 88
I'm the guide for the antivirus section of The Mining Company at
http://antivirus.miningco.com/. I've created a form for users like
yourself to send me input and reviews regarding your favoriate antivirus
software packages. It's my personal opinion that reviews by experts in
magazines, and by myself, are just one person's opinion--for what it's
worth.
I'd like to know what you think about your antivirus software
product(s). I've seen previous postings on how you agree/disagree with
reviews posted in popular magazines. Here's your chance to tell
everyone about the real strengths and weaknesses of the program(s) you
use.
Fill out the review form at:
http://antivirus.miningco.com/blreviews.htm
After I get several responses I'll put them together into a nice
readable HTML formatted page and put them on my site at
http://antivirus.miningco.com/. I expect that a page of reviews, from
people like yourself, will be available by the end of the month.
I look forward to receiving your comments.
Thankfully,
Ken Dunham
- -
http://eoni.com/~kdunham - My A-Z Computer Consultation Page
http://antivirus.miningco.com/ - My Mining Company Antivirus Page
kdunham@eoni.com A-Z Computer Consultation "We Do It All!"
------------------------------
Date: Mon, 09 Jun 1997 12:17:37 -0400 (EDT)
From: Karahldata@aol.com
Subject: AOL June 15th - hoax
X-Digest: Volume 10 : Issue 88
Lots of hoaxes, I know. Since it might interest a few among the
readers, here comes another, soon in time:
" ON JUNE 15TH @ AROUND 9PM, AOL HACKERS ARE HAVING A REVOLT JUST
LIKE THEY DID ON VALENTINE'S DAY...SO MAKE SURE U DON'T GO ON OR THEY'LL SEND
U A VIRUS TO SCREW UP UR AOL!!!!! SEND THIS TO EV'RY1 U KNOW...UNLESS U
DON'T LIKE THEM...."
Of course just "being on" can not bring you a virus ;-) Do like you always
are supposed to - scan before using!
Yours sincerely,
Karsten Ahlbeck, Karahldata
Swedish Integrity Master Agent
Karahldata@aol.com
------------------------------
Date: Tue, 10 Jun 1997 22:18:38 -0400
From: Gary Martin <fwin@ibm.net>
Subject: Computer Virus Solutions in USA - Out of Business
X-Digest: Volume 10 : Issue 88
Computer Virus Solutions in the USA is Out of Business
- -----------------------------------------------------
From: Gary Martin
E-mail: fwin@ibm.net
On 1/31/97, Computer Virus Solutions (in the USA) went out
of business. Our WWW.FWIN.COM web site has not been
active since then. Since January, 1997, we have continued
to receive a few orders for F/WIN anti-virus, the software
that we marketed. We are posting this message on this
newsgroup to let future customers know that F/WIN is no
longer available through us. F/WIN still is available through
its author, Stefan Kurtzhals, though. You can reach him at:
Stefan Kurtzhals
Dorrenberg 42
42899 Remscheid
Germany
E-Mail: kurtzhal@wrcs3.urz.uni-wuppertal.de
Fido: 2:2480/8849.2
Stefan is also using the business name Computer Virus
Solutions, but he is in Germany, not the USA. I wish to
make it clear that the primary reason I stopped marketing
F/WIN was to spend more time with my family. Computer
Virus Solutions was my side-business, not my main source
of income. I still think very highly of this product and
continue to recommend it to those who want high-quality
protection against the kinds of viruses that F/WIN
protects against.
I have set up a temporary e-mail address of fwin@ibm.net
for anyone who has questions about this. Please do not
e-mail me with virus related questions as I am no longer
in that business, and my knowledge on the issue is now
out-of-date. Thanks.
Gary Martin
Former owner Computer Virus Solutions (in the USA)
fwin@ibm.net
------------------------------
Date: Wed, 11 Jun 97 15:32 BST-1
From: Graham Cluley <sandspm@cix.compulink.co.uk>
Subject: Dr Solomon's FindVirus v7.72 available for download
X-Digest: Volume 10 : Issue 88
Dr Solomon's FindVirus v7.72 is now available for download and
evaluation via the web and ftp.
Here's what's new
1. We have redesigned our virus-finding engine. In the past FindVirus
required a file called FINDVIRU.DRV. This file is no longer required by
Dr Solomon's FindVirus.
FindVirus now requires three other files: FIND.DRV, NAMES.DRV, and
REPAIR.DRV
2. One of the benefits of this new virus-finding engine, is the
enhancement of our Advanced Heuristic Analysis technology to also detect
new macro viruses. Dr Solomon's can now detect new and unknown Word
macro viruses as well as traditional file viruses without the problem of
false alarms. To use this exciting new technology simply use the
/ANALYZE command line switch.
Macro viruses are becoming increasingly common - so we strongly recommend
users to try out this new technology. Our tests suggest that the
heuristics can pick up approximately 80% of new, unknown macro viruses.
If you detect a new virus with this technique please send a sample via
email to the Dr Solomon's virus labs at: vsample@uk.drsolomon.com
3. We are now making two different versions of FindVirus available for
evaluation: FindVirus and FindVirus "Lite".
The 'lite' version does not include support for scanning inside ZIP, LZH,
ARC, ARJ, PKLite, LZExe, ICE, DIET, CryptCOM and MS Compress compressed
files or Advanced Heuristic Analysis. The standard version does include
these features. You may prefer to download the 'lite' version if you are
in a hurry or want to do a virus clean-up.
4. This version of Dr Solomon's FindVirus detects over 12,000 viruses,
trojans and variants.
5. This version may be evaluated until July 31st 1997 - see README.TXT
for more information.
This version of Dr Solomon's FindVirus is for evaluation purposes only.
It is NOT free, shareware or public domain. The evaluation period for
this version ends 31 July 1997. At that point the evaluation period will
have expired, and the program will no longer run.
If you require longer to evaluate the product then we recommend that you
download a more recent version of the evaluation software from the
approved sites (see DISTRIB.TXT in the zip file), as this will be more
up-to-date and detect more viruses.
You can download the evaluation version of FindVirus v7.72 from:
----------------
DSAV772L.ZIP (the 'lite' version which doesn't support unzipping or
heuristics) -
USA:
* FTP: ftp://members.aol.com/gcluley/dsav772l.zip
Europe:
* FTP: ftp://ftp.drsolomon.com/pub/findvirus/dsav772l.zip
* HTTP: http://www.drsolomon.com
----------------
DSAV772.ZIP (the standard version which *does* support unzipping and
heuristics) -
USA:
* FTP: ftp://members.aol.com/pjevansssi/dsaveval.zip
Europe:
* FTP: ftp://ftp.drsolomon.com/pub/findvirus/dsav772.zip
* HTTP: http://www.drsolomon.com
----------------
You can also try:
CompuServe: GO DRSOLOMON
AOL: VIRUS, SAFETYONLINE
If you have any difficulties downloading our eval edition of FindVirus
please contact our webmaster directly: webmaster@uk.drsolomon.com
Regards
Graham
- --
Graham Cluley CompuServe: GO DRSOLOMON
Senior Technology Consultant, UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit. US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com USA Tel: 888-DRSOLOMON / 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!
------------------------------
Date: Thu, 12 Jun 1997 07:00:02 -0400
From: Michael Crestohl <mc@shore.net>
Subject: REVIEW: PC-CILLIN II for Windows 95 and Internet, TouchStone 1996
X-Digest: Volume 10 : Issue 88
CD-ROM REVIEW: PC-CILLIN II for Windows 95 and the Internet, TouchStone Corp.
In my opinion computer viruses (virii?) and those who perpetrate them
are literally electronic terrorists - whose motives are rooted in
twisted and perverted psychological disorders! Lately the Word macro
viruses are particularly insidious because they are transmitted inside
a document file which, once opened, will copy itself to the appropriate
macro directory. It is then free to do its dirty deeds and infect other
documents. A macro virus is easily written, quickly distributed on the
Net and particularly difficult to detect.
There are several virus detection and removal programs on the market
today. PC COMPUTING MAGAZINE compared four of them in the September 1996
edition and awarded PC-CILLIN 95 the only five-star rating, finding fault
only with the difficulty it exhibited scanning individual files.
PC-CILLIN works with both Windows 95 and 3x.
Since the PC COMPUTING article TouchStone has released PC-CILLIN II. One
of its major improvements is the ability to continuously update its virus
pattern and information database via the Internet. This feature is free
of charge for 90 days and if you wish to subscribe after that it'll cost
about $30 a year. PC-CILLIN II also features the MicroShield (TM) for
detecting and eliminating the Word macro viruses. The scan engine analyzes
the macros for "questionable" behavior and determines whether it is
malicious. If it is, it is passed to the clean engine which will clean it
and also save the infected Word document back into the .doc format. These
actions take place before Word is launched - so users will know if any of
their Word documents have been infected before starting the program.
PC-cillin looks for all kinds of viruses and if it finds one the Clean
Wizard will silently remove it without damaging the file.
PC-CILLIN II has good credentials - it's certified by the NCSA (National
Computer Security Ass'n). This means that PC-cillin was able to detect
100% of the viruses known to be "in the wild" (according to expert Joe
Wells' "wildlist") and at least 90% of all the viruses in the NCSA
library.
PC-CILLIN II also features an Internet virus "lab" that provides up-to-date
virus news and information. In addition for any virus that PC-CILLIN II
cannot remove there is the emergency virus removal service that allows
you to send the infested files to the experts at TouchStone who will provide
you with a response within three hours. There are other features ranging
from a Virus Watch to minimize the possibility of re-infection to TouchStone's
e.support which is a new tech support network.
I found that PC-Cillin II was easy to install and use. It scanned my
files quite quickly and found no viruses. The credentials mentioned
earlier give me the confidence to believe that there are really no files
containing viruses in my system.
%T PC-CILLIN II
%I Touchstone Software Corporation 1-800-531-0450
%C Huntington Beach California www.checkit.com
%D 1996
%O Estimated Street Price: $49.95
%G ISBN:0-927582-77-5
(C) 1997
Michael Crestohl
Cambridge Vermont, USA
mc@shore.net
DISCLAIMER: I have no interest, financial or otherwise, in the success or
failure of the book or materials reviewed herewith, nor have I received any
compensation (other than a review copy requested by me) from anyone who has.
All opinions expressed are strictly my own.
Other Internet and Aviation book/software reviews by me can be obtained
by anonymous FTP from: x2ftp.oulu.fi in the /pub/books/crestohl directory.
------------------------------
Date: Fri, 20 Jun 1997 00:09:52 -0400
From: David Green <green@mindspring.com>
Subject: Re: "Dark Side" of cookies
X-Digest: Volume 10 : Issue 88
Slawomir Marczynski wrote:
> Syko (Syko_Overlord@bigfoot.com) wrote:
> : I know one fact that would prevent any virus that could do any real
> : damage from inhabiting the cookie file: In netscape the size of each
> : cookie is limited to a few bytes; too small for any real virus. Also,
> False.
> For an example let's consider such a three-bytes long program
> JMP xxxx:yyyy
> It can (in some circumstances) re-partition HD without any warning.
> (Obviously xxxx:yyyy must be a valid address in BIOS.)
Yes, a simple JMP instruction can do a lot of harm. It would only take 5
bytes of data as well. But what is going to cause the cookie to get
executed as CODE? Indeed, if a website can cause your cookie file to get
executed, they must have the ability to have any program on your machine
executed. That capability just isn't built into browsers that currently
exist (Not Netscape or IE anyway). If this capability did exist, we'd
have a major problem on our hands.
- -
David Green, MIS
MindSpring Enterprises
Atlanta, Georgia
http://www.mindspring.com/
------------------------------
Date: Sun, 22 Jun 1997 20:41:37 +0300
From: Timo Salmi <{omit.No.Emailed.Advertisements.}ts@UWasa.Fi>
Subject: scn-302e.zip McAfee VirusScan for MS-DOS
X-Digest: Volume 10 : Issue 88
Sun 22-Jun-97: Acquired to Garbo the update
662874 Jun 16 03:02 ftp://garbo.uwasa.fi/pc/virus/scn-302e.zip
scn-302e.zip McAfee VirusScan for MS-DOS
All the best, Timo
.....................................................................
Prof. Timo Salmi Co-moderator of news:comp.archives.msdos.announce
Moderating at ftp:// & http://garbo.uwasa.fi archives 193.166.120.5
Department of Accounting and Business Finance ; University of Vaasa
mailto:ts@uwasa.fi <URL:http://uwasa.fi/~ts> ; FIN-65101, Finland
------------------------------
Date: Thu, 26 Jun 1997 15:37:07 -0500 (CDT)
From: Crypt Newsletter <crypt@sun.soci.niu.edu>
Subject: Crypt News 43 abstracts
X-Digest: Volume 10 : Issue 88
In Crypt Newsletter 43:
Science Applications: Pentagon Contracts, Inc. --
Conflicts of interest, snake oil salesmen, electronic
Pearl Harbor on the I-highway. Can you say
"corporate criminals" and "architects of fear"?
The electromagnetic pulse gun: chupacabra of cyberspace.
Info-warriors, assorted weirdos and hackers fabricate tales
of super-weapons and death rays. The emp gun stakes its
claim in the urban legend pantheon. Sandia scientists
laugh and scoff. Hearsay dissected piece by piece.
"I Had To Go Sick" -- Crypt Newsletter is pulled over on
the information highway. Dubbed a militant extremist
by Cyber Patrol Net-filtering software, Crypt News is
made into a CyberNOT. Discover with us the censorship
of the American Society of Criminology's Critical Criminology
Web site for displaying the . . . Unabomber Manifesto?
The USDA Web site hack: A petty act of revenge.
Computer virus horror movie in production in Hampton
Roads, Virginia.
Computer Virus Hysteria Awards 1997 -- the Winners, or
losers, depending on your point of view.
Crypt Newsletter
Pasadena, CA
http://www.soci.niu.edu/~crypt
http://www.soci.niu.edu/~crypt/other/crpt43.htm
------------------------------
Date: 25 Jun 1997 23:01:34 GMT
From: "Frederic Brunelle" <fbrunell@cirquedusoleil.com>
Subject: Number of viruses evolution?
X-Digest: Volume 10 : Issue 88
Would anybody have figures about number of viruses growth over the years?
I am actually looking for a chart on the evolution of the number of viruses
since 1986.
P.S. The list would be helpful with references!
Frederic Brunelle
North American Tour of
Cirque du Soleil
Computer & Telephony Coordinator
------------------------------
Date: Wed, 25 Jun 1997 19:23:48 -0400
From: gandt@tir.com
Subject: Anti-Virus Software for HP-UX (UNIX)
X-Digest: Volume 10 : Issue 88
I need anti-virus software for a HP-UX system. Non-root privileges are
a plus, but not necessary. Something that can run all the time (shield)
and a scanner to be run weekly for example.
------------------------------
Date: Fri, 06 Jun 1997 09:27:30 -0400
From: Page of Shields <ccorliss@black.clarku.edu>
Subject: AV for Word 97? (WORD)
X-Digest: Volume 10 : Issue 88
Has anything been released yet that can disinfect macros in Word 97?
- -
~Cyn~ @}---'---
ccorliss@black.clarku.edu ** "For she's been waiting to bloom" **
www.clarku.edu/~ccorliss ** **
------------------------------
Date: Sat, 14 Jun 1997 23:43:59 +0200
From: Wolfgang Scheide <scheide@Uni-Hohenheim.DE>
Subject: Macro virus "weekend"? (WORD)
X-Digest: Volume 10 : Issue 88
Does anyone have experience with a macro virus which can be found in the
WORD menu after infection as a macro named "weekend"?
The cillin II antivirus software of TouchStone knows it as the
"word.generic" virus. Since cillin II doesn't work on my pc I'm looking
for some advice.
Thanks
Wolfgang
------------------------------
Date: Wed, 25 Jun 1997 20:53:55 GMT
From: Rosemary Bianculli <r0e@ix.netcom.com>
Subject: WM.Cap.A (WORD)
X-Digest: Volume 10 : Issue 88
I've got an instance of what *seems* to be "WM.Cap.A" coming up in my
LAN. I'm working for a non-profit with a LAN held together by band-aids
and scotch tape; some of us have antivirus programs, most do not. It's
definitively shown up (according to Norton Antivirus, def. set June'97)
in one computer. This computer is running Windows 95. When she goes
to access one of her files in her user directory off of the network
drive, up comes the virus notification. The odd thing is, she can
still access "Tools/Macro" when she goes into Word 6.0 -- but I thought
this virus wouldn't allow that to happen?
Other odd things that *are* happening are file names that now begin with
"~$" that disappear after you open them in Word -- her user directory,
as well as others in my department, are showing these files (and the
five people in my department are all using different versions of Word,
including Word for DOS.) I don't know whether this has anything to do
with the above. I'm also running Win95, same antivirus, same definition
set -- I'm having the same thing happening with the disappearing "~$"
files, but *my* antivirus has not shown anything going on.
I apologize if this sounds a bit disjointed -- I'm not the MIS person
here (actually, I'm the Webmaster for our site -- we don't *have* an MIS
person at the moment) and I have a funny feeling our consultant might
not know how to fix this. Any thoughts or advice?? If you need more
information, please e-mail me! Many thanks!
Rosemary Bianculli
------------------------------
Date: Mon, 02 Jun 1997 21:23:58 +0100 (BST)
From: "Mr. Bonninga" <bonninga@argonet.co.uk>
Subject: Re: POLL: Decrypting Password Protected DOC files (WORD)
X-Digest: Volume 10 : Issue 88
In article <0025.01IJEQI2VNI28WXS06@csc.canterbury.ac.nz>, "Chengi J. Kuo"
<cjkuo@alumnae.caltech.edu> wrote:
> Assuming that an antivirus product will be able to detect a virus in a
> file, even if it's password protected, how would you users out there
> want/expect this mechanism to work?
>
> Please feel free to suggest other scenarios
> if these "development's side" views don't fit... (To me, this seems to
> encompass all possibilities, but hey...)
>
> 1) If the file is passworded and has a virus, remove virus, remove
> password.
>
> 2) If the file is passworded and has a virus, remove virus, leave
> password.
How about a really revolutionary option - let the user choose (eg by
parameter or on a file by file basis?)
- -
DISCLAIMER: Any views or comments are purely personal and should not be
taken to represent the views or opinions of any organisation with whom
we are associated.
------------------------------
Date: Mon, 09 Jun 1997 12:55:38 -0400
From: JLawsonbro <jlawsonbro@aol.com>
Subject: Re: CAP Virus (WORD)
X-Digest: Volume 10 : Issue 88
Try McAfee's web site Virus Library
Also try www.cybec.com.au - their downloads include a freeware Macro eater
called VetMacro.exe
It's updated regularly....
------------------------------
Date: Mon, 09 Jun 1997 14:26:38 -0400
From: Bob Buckland <RJBuckland@compuserve.com>
Subject: Printer Driver Macro Virus (WORD)
X-Digest: Volume 10 : Issue 88
Two different users reported on the Symantec antivirus
newsgroup 'symantec.support.win95.nortonantivirus.specificvirus'
that they have a macro virus that creates the following
printer driver entries with Word, and prevents printing.
Can anyone identify a macro virus that does this?
It was an unknown for Symantec. Here are the 2 printer
driver names reported to be added:
"Absolutely Bogus WPS Printer Dr" and
"Absolutely Bogus WPS Printer Driver<<
Thanks very much,
Bob Buckland ?:-) [alt.comp.antivi]
BusinessWare Consulting - California
------------------------------
Date: Fri, 13 Jun 1997 15:38:34 +0000 (GMT)
From: Bruce Politzer <bpolitz@cyberdrive.net>
Subject: Windows 95/Excel 7.0 problem (XL)
X-Digest: Volume 10 : Issue 88
I have run into a strange Excel 7.0/Windows 95 problem. The problem
only occurs when a given spreadsheet in a specific workbook is being
used.
Problem Description: The desktop and all child windows change their
behavior. When a shortcut is clicked the desktop selects an entire
group of shortcuts as though the mouse was clicked and dragged over
them, when in fact only a single click on one shortcut was done. If
inside a window the objects in the windows behave the same. Clicking
on a file in a folder causes all files in the folder from the
beginning of the list up to the one clicked on to be selected.
When in Excel and the problem arises it causes an entire group of
cells to be selected instead of just the one clicked on.
Could Excel be changing a desktop property that would cause this
behavior? Has anyone heard of a virus that could cause this?
Please send any ideas to bpolitz@cyberdrive.net.
Thanks,
Bruce
------------------------------
Date: Wed, 11 Jun 1997 15:43:07 +0000 (GMT)
From: Dave Rogers <Dave.Rogers@alderley.zeneca.com>
Subject: McAfee & filenaming restrictions (NT)
X-Digest: Volume 10 : Issue 88
I am using McAfee Netshield v2.53 in an NT environment, and have
encountered what may be a problem with long filenames. Is anyone aware
of any known issues with this product when scanning files which go
beyond the standard 8.3 syntax ?
Dave
------------------------------
Date: Sun, 15 Jun 1997 15:56:12 +0000 (GMT)
From: ajmoraal@pobox.com.xs4all.nl (Arjan Moraal)
Subject: Does TBAV NT have a file i/o monitor? (NT)
X-Digest: Volume 10 : Issue 88
I downloaded the evaluation version of TBAV 8.00 for Windows NT. From
the Win95 version I know that you can enable a file i/o monitor which
works when TBAV is minimized. I couldn't find it in the NT version.
Does anybody know whether or not the NT version has this feature?
Arjan
- --
Arjan Moraal, The Netherlands
------------------------------
Date: Mon, 09 Jun 1997 13:35:32 +0000 (GMT)
From: "m.stade" <stade02@ibm.net>
Subject: Elia-Shim Vs-Web (WIN95)
X-Digest: Volume 10 : Issue 88
Elia-Shim VS-Web (win95) kills your
desktop-links!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
The uninstall routine did not ! recognize its own install. As a result the
start of a lot of internet-utilities (ftp-explorer, fp-archie and more)
kills your desktop-links even if VS-Web is correctly deleted with its routine.
In other words VS-Web works as a virus itself. Try it and enjoy it!
------------------------------
Date: Mon, 09 Jun 1997 13:51:39 +0000 (GMT)
From: Mitsuyoshi Sugaya <m-sugaya@nri.co.jp>
Subject: Help!! Anti-Virus for MS-Mail3.5
X-Digest: Volume 10 : Issue 88
Does anybody know any commercial, shareware or free anti-virus software
for macro viruses included in MS-Mail (Microsoft Mail ver3.5) format?
Regards,
- -
m-sugaya@nri.co.jp
------------------------------
Date: Mon, 16 Jun 1997 00:18:40 +0000 (GMT)
From: kimpmc@worldnet.att.net (K. Mc)
Subject: Best Anti-Virus Program for Win95?
X-Digest: Volume 10 : Issue 88
I would like to purchase an anti-virus program for Win95, but I am looking for
the following:
A program which:
1) has frequent updates via the Internet (preferably free)
2) is very reliable
3) has an interface that is easy to use
4) will run with a minimum of conflicts with Win95 (without conflicts such as
freeze-ups and GPFs)
5) has a background scanner that uses a minimal amount of system resources
(can auto scan items such as e-mail, downloads, etc)
6) is reasonably priced
What is a good choice?
Thanks,
K. Mc
P.S. From doing some further research, I am especially interested in info. on
the effectiveness/problems with Dr. Solomon's Anti-Virus and Pc-Cillin II, but
if you have info. on other good anti-virus programs, I would like opinions on
those as well. Thanks!
------------------------------
Date: Tue, 17 Jun 1997 12:34:26 +0000
From: orain <herve.orain@univ-rennes1.fr>
Subject: f-prot 95 and network install (WIN95)
X-Digest: Volume 10 : Issue 88
I have the 2.26 professional version.
I have a problem with f-prot professional for win95.
I selected the network install and the option f-gatekeeper is active.
When I restart windows 95, I have the message:
F-prot DVP: failed to locate francais.tx0 find_language failed
and
DPVLOAD : error 7 loading driver
Can you help me
The file francais.tx0 is in the folder f-prot95
And if i choose a local install, it's work fine
------------------------------
Date: Tue, 17 Jun 1997 12:28:26 +0000
From: orain <herve.orain@univ-rennes1.fr>
Subject: F-prot win3.1 and f-prot win95 (WIN)
X-Digest: Volume 10 : Issue 88
I have a question about f-prot professional for win3.1 and f-prot
professional for win95. I have the 2.26 version.
With f-prot for win 3.1, with gatekeeper I have three possibilities:
nothing, rename and delete.
With f-prot for win95, with gatekeeper I have 4 possibilities: nothing,
rename, delete and disinfect.
Then with f-prot professional for win3.1, the user can't disinfect
automatically the file when the file is open.
With f-prot for win95, the file infected is automatically disinfected
when the file is open.
Thanks for your help
------------------------------
Date: Mon, 23 Jun 1997 11:00:24 +0200
From: Symbol <symbol@cs.utwente.nl>
Subject: Help! HD's get destroid, cause unknown! (PC)
X-Digest: Volume 10 : Issue 88
Sometime ago I started assembling pc's, and since then things have gone
wrong all the time. System will work for days, but suddenly win95 gets
very ill. DLL's get lost and win95 locks up. After a reboot the complete
win directory has disappeared almost completely. The rest of the HD is a
very big mess.
I tried all scanners known to me but none found a virus. So I installed
all software again after a complete format of the HD. In most cases I
have to repeat installing the software 4 to 5 times before the problems
stop. After that the systems work for weeks, but some crashed again.
Does anyone know what my problem is? If not a virus, other suggestions
are welcome as well.
Thank you,
Herman Harperink.
------------------------------
Date: Thu, 05 Jun 1997 17:06:40 -0700
From: Tony Austin <tony-ta@usa.net>
Subject: Re: PC freezes at midnight--virus? (PC)
X-Digest: Volume 10 : Issue 88
Chengi J. Kuo wrote:
> Dan Bradley (dbradle4@gmu.edu) wrote:
> > For several nights now, my computer has frozen up at exactly midnight.
> > All I can do is turn it off and then back on, but it freezes up again
> > after 1 minute in win95. This lasts for a half hour, then it's fine
> > again. I know I somehow or another got a virus, but of course,
> > antivirus on win95 doesn't recognize it. I'm no expert on this kinda
> > stuff, but does someone, ANYONE know about this virus or knows how I can
> > kill it with some shareware anti virus program??? thanks
>
> Are you running any games at midnight?
>
> There is a common virus that may crash machines at midnight if you're
> working (as opposed to idle).
>
> Boot clean and scan from that clean boot to verify.
Erm Tony here,
I don't know how good you are with computers so I'll tell you what he
means in real English terms!
First download your shareware trial version of a virus program. I
strongly recommend McAfee or Dr. Solomon. Use your favourite search
engine and go to the official site if you can find it. This way you get
the latest update.
Once you have done this DO NOT UNZIP IT or put it onto a floppy disk.
Then you should get a floppy disk that you can put in your drive. You
should have created one when you installed windows 95. If you did not
call your computer's technical support line and get them to send you
one. You could get a friend to make one but you can never be sure if
their computer has a virus or not. NEVER make a boot disk from a
computer that you suspect has a virus. Immediately push the write
protect tab to protect.
Once you have done this get a copy of PKUNZIP that is clean. You
shouldn't do this from your computer you have to make sure it is clean.
If tech support is giving you your disk then get them to put it on.
Otherwise use a friend. Get him to boot from your clean floppy and copy
it off his hard drive. This should be fairly safe.
Now you have a bootable disk with PKUNZIP on it. and PKUNZIP. The write
protect should be to protect. Use PKUNZIP to unzip the virus scanner on
your hard drive. Don't put the virus scanner on your floppy. Run the
scanner. If you have a virus then either clean or delete the files. If
you are AT ALL in doubt over what to do then call your computer's
technical support line. If it is still clean and you have no
alternatives left to try then you have three options:
1. Call Technical Support
2. When your computer reaches Midnight - put the clock back a couple of
hours.
3. Go to bed earlier - your wife is missing you!
I hope I have been of help. If you have any questions then email me at
tony-ta@usa.net
Tony Austin
mailto:tony-ta@usa.net
------------------------------
Date: Thu, 05 Jun 1997 20:04:51 +0000 (GMT)
From: Fred Warren <fwarren@spiritone.com>
Subject: Stealthboot MBR problem...Help!!! (PC)
X-Digest: Volume 10 : Issue 88
I am sorry to have to post this after reading that you should not
reformat or run FDISK when having a problem with a virus, because this
is exactly where I have come into the picture.
I have a friend with a virus problem. I have scanned the floppy they
got it from and it has the stealtboot (stelaboot) virus. I have
cleaned up the floppy.
Before they called me in, they reformatted the hard drive (without
removing the virus) and FDISKed it to try to get the drive going again.
When you run FDISK, it shows that there are no partitions. You create a
partition, reboot and still, no partitions.
The info on the drive is gone. What can I do to get back in control so
I can partition the drive, remove the virus and format the drive again?
Any help would be appreciated.
Thanks...
\|/
( ..)
+-oOO-()-OOo--------------------------------+
| Fredrick W. Warren fwarren@spiritone.com |
| Never attribute to malice, that which can |
| adequately be explained by mere stupidity |
------------------------------
Date: Thu, 05 Jun 1997 20:41:51 -0600
From: Ramon Marin Solis <rmarin@rtn.net.mx>
Subject: Boot Record infected with CLAUDIA!!! (PC)
X-Digest: Volume 10 : Issue 88
I have an NT Server 4.0 PC infected with the virus CLAUDIA,
I've already scanned with VirusScanNT 3.0.0 and it sends me this message:
CLAUDIA (No Remover Available) Boot Clean Failed
And All the floppies that I scan send the same Message!
Is there a product that can remove this Virus?
What does it do?
Thanks in advance.
[Moderator's note: First piece of advice for when you are cleaned up--
find out how to set the boot order for your server. It amazes me that
not all workstations are set up with "C: only" or "C:,A:", but anyone
who fails to do this for a server...]
------------------------------
Date: Sat, 07 Jun 1997 23:40:53 +0000 (GMT)
From: Richard Turner <returner@airmail.net>
Subject: Got the "Ripper" virus on a new HD and can`t load DOS! (PC)
X-Digest: Volume 10 : Issue 88
The virus apparently was on the Win95 Setup Disk 1.
When I first tried to load Win95 (OR DOS 6.2), it gave " FAT files
doesn`t match. Fix with Scandisk. Got error reading c:.
Now Scandisk finds no problems but shows 300 megs less than I should
have on HD.
Please HELP!!!!
Thanks!
------------------------------
Date: Mon, 02 Jun 1997 21:07:13 +0100 (BST)
From: "Mr. Bonninga" <bonninga@argonet.co.uk>
Subject: Re: FLASH prom Virus writing to write protected Floppy (PC)
X-Digest: Volume 10 : Issue 88
In article <0036.01IJEQI2VNI28WXS06@csc.canterbury.ac.nz>,
Mark@relocate.demon.co.uk wrote:
> Can anyone tell me, Is it possible that a virus resident within a Flash
> Bios of a 80x86 PC can intercept or ignore the Write Protect line of the
> Floppy Disk Drive, and write to a Floppy Diskette.
>
> I understand this is not possible with uncorrupted BIOS's but I would be
> very interested to know if this is feasible with a virally infected
> BIOS.
It may seem a silly question but . . . are you sure your floppy disk
drive is working properly? I am aware of two instances where write
protected floppy diskettes were written to. In both cases, the problem
was a hardware fault with the write protection detection in the drive
itself; viruses were not an issue in either case.
- -
DISCLAIMER: Any views or comments are purely personal and should not be
taken to represent the views or opinions of any organisation with whom
we are associated.
------------------------------
Date: Mon, 02 Jun 1997 21:15:17 +0100 (BST)
From: "Mr. Bonninga" <bonninga@argonet.co.uk>
Subject: Re: Floppy Format fails (PC)
X-Digest: Volume 10 : Issue 88
In article <0034.01IJEQI2VNI28WXS06@csc.canterbury.ac.nz>, Warren Contreras
<quest@teleport.com> wrote:
> With several machines on a network (3) if you format the A: drive it
> completes the format (format complete) then gets: 'general falure
> reading drive a:' and if you select f for fail it says 'invalid media or
> track 0 bad, disk unusable'
> We have replaced the command.com and format.com from a known working
> machine with the same dos version, scanned with McAfee and found no
> virus, replaced with new floppy drive and same result, did an fdisk/mbr
> and can not shake the problem. Any others with this problem ?
Check your diskettes - are they Double Density (720Kbyte) or High
Density (1.44Mbyte)? The former have one hole with the write protect
slider, the latter have two holes (one write protect and one
permanent). Some years ago our Compaq '386's would happily format a
Double Density diskette at 1.44Mbyte then refuse to let you read the
disk with exactly the symptoms you describe.
- -
DISCLAIMER: Any views or comments are purely personal and should not be
taken to represent the views or opinions of any organisation with whom
we are associated.
------------------------------
Date: Mon, 09 Jun 1997 03:53:50 -0400
From: Migamixer <migamixer@aol.com>
Subject: Re: PC freezes at midnight--virus? (PC)
X-Digest: Volume 10 : Issue 88
I recently got infected by the NYB (boot) virus that is supposed to
cause a crash at midnight if the HD is accessed at this time...
F-Prot has taken care of this infestation... I used Fprot to scan my
friend's system, and found 2 dropper files with that virus (this is the
system I suspected I got the virus from in the first place) but his
system was so infested with viruses that the NYB was no longer in the
boot sector and Fprot could not detect the one that a copy of PC cillin
kept running across (generic boot 408) but like I was originally saying
try F-prot... it's worked good for me
------------------------------
Date: Mon, 09 Jun 1997 16:07:10 +0000 (GMT)
From: Ron Nichols <ronkoNS@swbell.net>
Subject: Is it a Virus? (PC)
X-Digest: Volume 10 : Issue 88
I worked on a friend's computer about a month ago that appeared to have
a boot sector virus... CD-rom missing in win95 and 654, and change on a
clean boot chkdsk.
I ran McAfee Virus Deluxe and came up empty. Nothing detected. Went
back to version 2.25 and it turned up MonkeyB, but could not clean it.
As a result ended up doing the normal things like fdisk /[mumble], still no
CD-rom. At one point, I did get a chkdsk of 655,360 but still
exclamations on the hard disk controller in win95. Could not remove
the device and get it to come back without problems...
So I formatted and started over. With a known good bootable floppy and
real mode drivers on the floppy, I boot and get CD-rom support but
cannot install win95 due to the inability to write a \temp directory to
the hard drive... Had the ability to make directory for any directory
except for one that had temp in it i.e. \temp, \windows\temp.
My only solution to this was to low level format (ide HDD so pseudo)
and clear cmos, then all went fine, reinstalled and got his system up.
The problem is, he just called and IT'S BACK.
Has anybody run across this? If so, what is it?
Thanks for ANY help,
Ron Nichols
ronko@swbell.net
------------------------------
Date: Wed, 11 Jun 1997 22:06:05 +0000 (GMT)
From: Franck DENOYEL <franck.denoyel@asi.fr>
Subject: XHP2021 Virus only on startup ! (PC)
X-Digest: Volume 10 : Issue 88
When I start my computer, McAfee scans the 64 files and detects 1 virus:
XPH2021.
But when I rescan my computer during a dos session, this virus is
not detected.
What can I do?
------------------------------
Date: Thu, 12 Jun 1997 09:00:14 +0000 (GMT)
From: Crevan Murphy <throbing@hotmail.com>
Subject: Re: Floppy Format fails (PC)
X-Digest: Volume 10 : Issue 88
Check the controller! :-)
------------------------------
Date: Fri, 13 Jun 1997 17:26:16 +0000 (GMT)
From: Fredrik Wassberg <fredrik.wassberg@mbox200.swipnet.se>
Subject: I've found new viruses? (PC)
X-Digest: Volume 10 : Issue 88
Does anyone know something about these viruses called MTE.COFFEE,
SMASH and CY-428? McAfee, Symantec and Dr Solomon do not have these
viruses listed.
Regards Martin K
------------------------------
Date: Sat, 14 Jun 1997 01:51:19 +0200
From: Josep Lladonosa i Capell <jllado@arrakis.es>
Subject: New: antivirus for Bleah virus (PC)
X-Digest: Volume 10 : Issue 88
If your computer is infected with Bleah virus, clean it easily with:
http://www.arrakis.es/~jllado/nobleahe.htm
It's nobleah.exe (about 9kb). What it does:
- Checks memory.
- Stops it in memory.
- Prompts user to 'clean' hard disks and floppies selecting (A,B,C)
Regards...Josep
------------------------------
Date: Sun, 15 Jun 1997 19:16:46 +0000 (GMT)
From: Mari Donkers <mdonkers@xs4all.nl>
Subject: Re: FLASH prom Virus writing to write protected Floppy (PC)
X-Digest: Volume 10 : Issue 88
> Can anyone tell me, Is it possible that a virus resident within a Flash
> Bios of a 80x86 PC can intercept or ignore the Write Protect line of the
> Floppy Disk Drive, and write to a Floppy Diskette.
I think the "Write Protect Line" is just an indication (so that
the computer can detect write protect for error messages), but
that the actual protecting is done in hardware. That would make
it impossible (with correctly functioning hardware) to write
to a write protected floppy.
Mari
------------------------------
Date: Fri, 20 Jun 1997 09:06:20 -0700
From: Stan Paskoff <paskoff@pps.pubpol.duke.edu>
Subject: Vsign virus (PC)
X-Digest: Volume 10 : Issue 88
I have a user with the vsign virus. Both f-prot and McAfee report that
he has the vsign boot sector virus and McAfee reports that it is too
new and cannot be removed. He's also tried antivirus for DOS.
All software are the latest versions. Will he have to reformat his hard
drive and will that get rid of it? Thanks for any help.
- -
****************************************************************
* Stan Paskoff phone: (919) 613-7368 *
* Network Administrator fax: (919) 681-8288 *
* Duke University *
* Terry Sanford Institute of Public Policy *
* Box 90239 *
* 227 Sanford Institute Building *
* Durham, NC 27708-0239 *
------------------------------
Date: 20 Jun 1997 15:22:09 GMT
From: "Ken " <kenny9091@earthlink.net>
Subject: Virus or system? (PC)
X-Digest: Volume 10 : Issue 88
I have a problem that my McAfee anti-virus did not pick up if in fact it
is a virus. Bear with me, I do not have vast experience.
I'm running win95 on an Intel 100 MHz with 49mb of ram.
I recently added a new printer, an HP Deskjet870Cse replacing an HP560C and
it worked fine for two days.
Booting up yesterday morn I received a DOS window to start in safe mode. I
ignored it and rebooted and the desktop came up fine (not in safe mode). I
opened a Word document, altered it and when I tried to print it out I got
the wait "hour-glass" forever. Thinking that it was something with my
connection, I copied the document to a floppy and opened it on my wife's
computer (a win95, Intel 100mhz with 32 mb ram running with no problems).
She was printing out multiple copies of a different letter 5 minutes before
without a problem on the same printer (we use an "A/B" switch). After I
opened my non-printing document on her machine it also would not print with
the same symptoms. And now we both cannot print ANY Word document getting
the same long wait, non-printing symptoms.
And then this morning when I tried to boot up the first time I got a DOS
window saying that there was an error loading KERNEL, "reinstall windows".
I re-booted to get the DOS window showing the list. I selected "step by
step configuration" and hit "yes" to every question and got my normal
desktop!
I was thinking it might be a virus only because of the manner in which the
document seemed to affect my wife's machine.
Please email as I don't know how long the re-booting method will work and I
have a laptop to get my mail. I will post a summary of the responses.
Ken
kenny9091@earthlink.net
------------------------------
Date: Thu, 19 Jun 1997 18:54:58 GMT
From: aeb88@pipeline.com (Arthur E. Blossom)
Subject: Re: Weed virus (PC)
X-Digest: Volume 10 : Issue 88
Hil Hughes <lhugh02@emory.edu> wrote:
>What is the Weed virus? I do support for a college, and I'm sure we'll
>get this one (we've had all the others :) ) Is this real, and what does
>it do? If someone could email me, I'd appreciate it....thanks..
It was discovered by technical staff at ZDnet. It appears to be
just another non-memory resident com/exe DOS/Win file infector.
They are calling it HLL.5850 or Weed.5850.
Regards
- -
Arthur Blossom, IBM AntiVirus services
------------------------------
Date: 26 Jun 1997 21:11:33 +0800
From: keung@olisc.glink.net.hk (Tang Tat Keung)
Subject: McAfee ScanPM EMM386 error in Compaq LTE 5100 notebook (PC)
X-Digest: Volume 10 : Issue 88
As above subject said, I get EMM386 error when I run scanpm v3.0.2 in
my Compaq LTE 5100 notebook. Does anyone have this experience and how
can I solve it? I didn't get this error in other desktop PC such as
Compaq Deskpro, Prolinea.
Regards,
keung
keung@olisc.glink.net.hk
------------------------------
Date: Thu, 26 Jun 1997 20:48:06 GMT
From: Phreddy@nh.ultranet.com (Phreddy)
Subject: Monkey and Win95 (PC)
X-Digest: Volume 10 : Issue 88
I have a customer's pc that is showing signs of Monkey B on his C and
D hard drives. Fprot /hard doesn't clean it, neither does Scan
c:/clean/all. Fprot picks it up on both drives then says drive not
present while McAfee goes into an endless loop: boot off a clean
diskette, then the clean diskette must be infected, etc., when the
diskette is from a machine that was never exposed to the infected
machine before booting and was write-protected. Is the OS, Win95, a
contributing factor to the scanner's lack of ability to clean it?
If I couldn't get a program to clean it up I was wondering if backing
up the data to a tape (parallel port type) or ZIPping it via laplink
to another hard drive then FDISKing and repartitioning the drives
before restoring the data would be a good alternative to cleaning.
Would Monkey still infect the hard drive via a laplink or interlink
connection or does it only infect floppies? This is a pain, I've
never had this much trouble cleaning an infection before.
Thanks.
------------------------------
Date: Thu, 26 Jun 1997 19:25:45 -0700
From: Gordon Jones <gjones@ucr.campus.mci.net>
Subject: I need help fixing a CMOS virus (PC)
X-Digest: Volume 10 : Issue 88
I have a computer that will not let me boot it. I have been told I have a
CMOS virus. Is there any way to rewrite CMOS? Is there any way to
remove it? Please E-mail me if you have heard of this or if you have
suggestions for me to try.
- -
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
It all starts with counting. .. ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
------------------------------
Date: Wed, 18 Jun 1997 10:17:44 +0200
From: croes@imec.be (Kris Croes)
Subject: Thanks! (was: Logging Interrupts) (PC)
X-Digest: Volume 10 : Issue 88
Some time ago, I asked for a utility that I found in the early 90's,
that was capable to log DOS interrupts.
I want to thank all the nice people who answered, but none of them
pointed me to the utility I was searching for. So, I started looking
after it myself.
Well, I've found it!
It's called "intercep", was posted on 18-Dec-91 in comp.binaries.ibm.pc,
and can be found in volume16 of the archives, e.g. at
http://ftp.funet.fi/pub/archive/comp.binaries.ibm.pc/
Here is the cbip moderator's comment:
> intercep is a program which intercepts DOS calls and displays the
> calling location, request, and meaning of the call. I imagine it could
> be really useful for some programs, but it was not for any of the
> interactive programs I tried, since keyboard polling results in
> thousands of lines of calls to "is keyboard character ready?" completely
> swamping any useful data.
(don't worry, you can selectively disable the logging of some interrupts)
>
> Other than that it seemed to work just fine. I ran a few small
> non-interactive things and got a trace for each.
Best regards,
Kris
- -
Kris Croes - mailto:croes@imec.be - http://www.esat.kuleuven.ac.be/~croes/
"Due to budget cuts the light at the end of the tunnel has been turned off"
------------------------------
Date: 21 Jun 1997 09:45:45 GMT
From: "Jeremy Goldberg" <jeremy@jgoldberg.prestel.co.uk>
Subject: Sampo Mimic? (PC)
X-Digest: Volume 10 : Issue 88
Does anyone know of a virus (or similar) that will write the Sampo Virus to
floppies, or simulate the effect?
The machine in question says that unprotected floppies are infected with
the Sampo Virus - but programs which attempt to clean them either lock up
in repeatedly cleaning Sampo from the bootblock, or clean once then fail.
All disks examined (even those which were definitely clean beforehand) are
apparently infected, except for those which are write protected.
When examined afterwards on another machine no infection is found. The
virus checkers can't find any virus on the hard drive or in memory.
The checkers used were Dr. Solomon's, and McAfee for Windows 3.x, both
fairly recent.
Can anyone help?
------------------------------
Date: Fri, 06 Jun 1997 20:53:11 +0000 (GMT)
From: Phil Anzel <bai@bannerassoc.com>
Subject: MS Excel Evolution-2001 virus: what is it? (PC)
X-Digest: Volume 10 : Issue 88
I was scanning a disk with McAfee's NTSCAN and it reported that several
Microsoft Excel 5.0 spreadsheets had the EVOLUTION-2001 virus. The
McAfee site had no information on this virus, neither did the Dr
Solomon site. Anybody know what this virus is? I suspect that I am
getting false positives on this detection but would like to put this
issue to rest.
Thanks
Phil Anzel, Banner Associates Inc
------------------------------
Date: 26 Jun 1997 00:31:48 GMT
From: "Gilles Etourneau" <infotek@cam.org>
Subject: HELP (evolution-2001) virus (PC)
X-Digest: Volume 10 : Issue 88
I'm infected with a new virus; its name is EVOLUTION-2001.
I called the technical support of McAfee and they don't know how to
remove it without deleting my partition. They think the virus is in
the master boot record.
I did a few tests and the McAfee software can see the virus in the high
area of the memory (between 640 and 1024), 904kb to be exact. But
when I boot from a clean disk, McAfee doesn't see it anymore, even in
every file of the hard disk. So if there is no other way, is it
possible to delete and rebuild the master boot record without erasing
my 2 gig partition? (backup won't be easy)
- The latest versions of Fprot and Thunderbyte anti virus are useless; the
virus name is not in the virus list.
Gilles
[Moderator's note: What you describe are classic symptoms of a false
positive--a scanner tells you there is a virus in memory and then is
unable to find any other trace of it in your system. That two other
products fail to "detect" this "virus" is a good point for them, not a
negative, as you imply.]
------------------------------
End of VIRUS-L Digest [Volume 10 Issue 88]
******************************************