VIRUS-L Digest V10 #91
daemon@ATHENA.MIT.EDU (VIRUS-L/comp.virus Moderator)
Wed Aug 13 17:27:12 1997
Date: Wed, 13 Aug 1997 19:41:26 +0100
Reply-To: virus-l@Lehigh.EDU
From: "VIRUS-L/comp.virus Moderator" <moderator@virus-l.demon.co.uk>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>
VIRUS-L Digest Wednesday, 13 Aug 1997 Volume 10 : Issue 91
Today's Topics:
Re: What happened? (ADMIN)
Re: Several intellectual questions
"Kiss of Death"
Re: McAfee Antivirus for Exchange Server
Re: Computer virus vs A.I.D.S.
Re: Computer virus vs. A.I.D.S.
Re: Several intellectual questions
Pros and Cons of Server based virus checking
Re: Computer virus vs A.I.D.S.
Re: Dark side of cookies
Re: Several intellectual questions
Re: Several intellectual questions
Re: "Dark Side" of cookies
Re: Computer virus vs. A.I.D.S.
Re: Dark side of cookies
I suffer a goldfish virus!! (WORD)
Re: Word macro virus (WORD)
Re: About MSWord's alleged macro av (WORD)
Need help with Laroux.E cleaner (XL)
NetShield NT 3.00 hangs on files... (NT)
Re: Problem with McAfee AntiVirus and NT 4.0??? (NT)
McAfee or Norton AntiVirus (NT,WIN95)
Re: Filenames scrambled (WIN95)
Re: Problem with Dr Solomon (WIN95)
Re: Filenames scrambled (WIN95)
Little face in taskbar virus (WIN95)
Re: What's special about *.FON and *.ICO files? (WIN)
Re: What's special about *.FON and *.ICO files? (WIN)
Re: Invircible (PC)
Out of memory with McAfee (PC)
Re: Jaz Drives immune from BSIs? (PC)
IPX virus activity (PC)
Problem making McAfee Emergency Disk (PC)
Help with Stealth C (PC)
Burglar.1150 keeps recurring (PC)
Question Regarding Triple Level Bootstrap (PC)
Re: Help disinfecting TOS (PC)
PS-MPC Virus in Excel Temporary File (PC)
What is effect of Mona Lisa Virus? (PC)
Help: Nasty "MRHU Virus" that I can't get rid of (PC)
Re: Jaz Drives immune from BSIs? (PC)
Viruses and Drivespace??? (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is its gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform--diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on ftp.infospace.com/pub/virus-l (IP 206.129.166.107)
or upon request.) Please sign submissions with your real name; clearly
faked or anonymous postings will not be accepted. Some antivirus
documentation, and a full set of back-issues are also archived at
ftp.infospace.com, which is also the home of our FAQ (Frequently Asked
Questions) document.
Administrative mail (e.g., comments or suggestions) should be sent to
me at: nick@virus-l.demon.co.uk. (Beer recipes should still be sent to
Ken van Wyk at: krvw@mnsinc.com.)
VIRUS-L subscribers wanting help with list-processor commands should
send a message to listserv@lehigh.edu with the command "info virus-l"
in the body of the message (the listserv ignores Subject: lines).
All submissions should be sent to: VIRUS-L@lehigh.edu.
Nick FitzGerald
----------------------------------------------------------------------
Date: 28 Jul 1997 18:26:42 GMT
From: doren@slonet.org (Doren Rosenthal)
Subject: Re: What happened? (ADMIN)
X-Digest: Volume 10 : Issue 91
Nick FitzGerald (n.fitzgerald@csc.canterbury.ac.nz) wrote:
: For those with such a bent, I have updated my PGP key with my new
: addresses.
:
: -----BEGIN PGP PUBLIC KEY BLOCK-----
: Version: 2.6.i
:
: mQCNAjBlEuoAAAEEAOtCeFmSTxlIORUaSAQOp27CULdaUkdxB+5gJ8x6Fxj6lspL
: EfPRSFo3Hxk3U2hN7nR66F1akU9g5luuiL06vs0y+9jpq2NwiaDQ+k3kNkkBRse0
[snip]
Are all of us welcome to post binaries in your newsgroup Nick?
....... or just you?
[Moderator's note: I seldom post PGP-signed messages (I trim the PGP
headers and signature) as any regular reader of this list/group knows.
I do this to save volume going into the mailing list. In instances
where it seems critical that a signed message stay signed, I post it as
received. I signed my "hand-over" message to validate it. It seemed a
little silly not to include my updated public key at the same time. As
Doren is a well-known virus distributor and sly-marketeer of a product
totally devoid of any merit for the purpose for which it is widely
touted (mainly by Doren), it is not surprising that he is unaware of
"normal" proceedings in this list/group.]
------------------------------
Date: 31 Jul 1997 17:49:07 GMT
From: cjkuo@alumnae.caltech.edu (Chengi J. Kuo)
Subject: Re: Several intellectual questions
X-Digest: Volume 10 : Issue 91
Bruce Burrell <bpb@stimpy.us.itd.umich.edu> writes:
>Carey_Tyler_Schug@em.fcnbd.com wrote:
>> 1. As I understand it, boot sector viruses write the original boot sector
>> to some other sector, and put themselves in the boot sector.
>
>Most, but not all, do this. Some (e.g., AntiCMOS), do not move the MBR
>but contain similar code to do what the MBR code does normally.
>
>> Say for
>> example, virus "a" put the original boot sector in sector 9. Could
>> another virus come along and put virus "a", maybe in sector 8 and itself
>> in the boot sector? How long could this go on? Just as an intellectual
>> exercise, has anybody ever figured out how many boot sector viruses, or
>> boot sector plus partition sector viruses could coexist on one machine?
>
>I did this once in alt.comp.virus; I think I found some 12 or 14 that
>could coexist, with a little care in the order of infection.
>
>> Would their payloads be cumulative, or would the first or last take
>> precedence?
>
>"Yes."
>
>Depends on what the payloads are. Some would be cumulative; some would
>be first come, first served.
Yes. The "rewrite hard disk" payload would not allow any more payloads to
be served. :-)
>> Would any/some/most anti-virus programs find all of them in
>> one pass, multiple passes, or fail to detect or disinfect from such a
>> scenario?
>
>Some would get them all in one pass; DSAV removed 5 BSIs at once in our
>recent tests here at University of Michigan. Other products would
>require several passes; still others would fail miserably. I would
>expect that only the finest products could handle more than two BSIs at
>once, but that is just a guess.
Depends on how you use each product and what its settings are. For instance,
you would be able to unwind a multiply infected disk by removing the viruses.
Each removal of a virus surfaces the next one. Then, it's a matter of
how many layers you allow the scanner to do this. Each scanner must have
a cut-off because two viruses which use the same "extra" sector will cycle
back and forth in this scenario.
[Other suggestions offered]
>How big a market do you think there is for this? We already have
>BIOSes with MBR protection, and I suspect most folks won't be keen on
>paying a lot for this feature.
This is the biggest thing. There are lots of easy things people can do,
even today. But people don't do them as it is.
Jimmy
cjkuo@mcafee.com
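The layer-by-layer unwinding Jimmy describes, as an added example that is not part of the original digest or of any product mentioned in it: a toy model in Python in which each modelled virus moves whatever is in the boot sector to a "stash" sector and leaves its own marker behind, and the disinfector peels one layer per pass. Sector numbers, virus names and the MAX_LAYERS cut-off are constructed assumptions. The second scenario shows why the cut-off exists: when two viruses use the same stash sector the original boot code is overwritten, so restoring one layer just brings the other back.

```python
"""Toy model of layered boot-sector infections and the layer-by-layer
"unwinding" a disinfector performs.  Added example, not code from the
original digest or from any product named in it; sector numbers, virus
names and the MAX_LAYERS cut-off are constructed assumptions."""

from dataclasses import dataclass, field

BOOT = 0                        # sector number of the boot sector (assumed layout)
ORIGINAL = "clean-boot-code"    # stands in for the real boot code
MAX_LAYERS = 16                 # scanner's cut-off on how many layers it will peel


@dataclass(frozen=True)
class Infector:
    """A modelled virus: it copies whatever is in the boot sector to `stash`
    and leaves its own marker in the boot sector."""
    name: str
    stash: int


@dataclass
class Disk:
    sectors: dict = field(default_factory=lambda: {BOOT: ORIGINAL})

    def infect(self, v: Infector) -> None:
        self.sectors[v.stash] = self.sectors[BOOT]   # stash the previous layer
        self.sectors[BOOT] = f"virus:{v.name}"       # take over the boot sector


KNOWN: dict = {}   # name -> Infector: the scanner's "signature database"


def register(*viruses: Infector) -> None:
    for v in viruses:
        KNOWN[v.name] = v


def identify(contents: str):
    """Return the known Infector whose marker is in `contents`, else None."""
    if contents.startswith("virus:"):
        return KNOWN.get(contents.split(":", 1)[1])
    return None


def disinfect(disk: Disk, max_layers: int = MAX_LAYERS):
    """Peel infections one layer per pass.

    Returns (layers_peeled, status) where status is "clean" (boot sector
    restored), "cycle" (restoring a layer reproduced a state already seen,
    so the original cannot be recovered this way) or "cut-off" (max_layers
    reached while the boot sector was still infected)."""
    peeled = []
    seen = set()
    for _ in range(max_layers):
        v = identify(disk.sectors[BOOT])
        if v is None:
            return peeled, "clean"
        state = (v.name, disk.sectors.get(v.stash))
        if state in seen:
            return peeled, "cycle"
        seen.add(state)
        # Put back what this virus stashed; if that is itself a virus marker,
        # the next pass will see it in the boot sector.
        disk.sectors[BOOT] = disk.sectors[v.stash]
        peeled.append(v.name)
    return peeled, "cut-off"


def run_scenarios() -> dict:
    """Two constructed infections: distinct stash sectors unwind cleanly;
    a shared stash sector loses the original and cycles."""
    register(Infector("alpha", 9), Infector("beta", 8),
             Infector("gamma", 9), Infector("delta", 9))
    distinct = Disk()
    distinct.infect(KNOWN["alpha"])
    distinct.infect(KNOWN["beta"])
    shared = Disk()
    shared.infect(KNOWN["gamma"])
    shared.infect(KNOWN["delta"])      # overwrites the stashed original
    return {
        "distinct_stash": disinfect(distinct),
        "distinct_boot": distinct.sectors[BOOT],
        "shared_stash": disinfect(shared),
        "shared_boot": shared.sectors[BOOT],
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(key, value)
```

The cycle check compares (virus, stashed contents) pairs rather than counting passes, so a scanner built this way stops as soon as a restore reproduces a state it has already handled, and reports that the original boot sector is gone instead of looping until the cut-off.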
------------------------------
Date: Wed, 30 Jul 1997 14:07:20 -0600
From: Fabio Esquivel <fesq@sysde.co.cr>
Subject: "Kiss of Death"
X-Digest: Volume 10 : Issue 91
That's the message my Mail Server sent to my e-mail reader today when I
tried to read my pending e-mails... Besides, it asked me for my password again!
Does anyone know what that is?
My Mail Server is a Linux box (RedHat), kernel 2.0.27, if that helps.
--
Fabio Esquivel
Systems Programmer/Analyst
SYSDE, Financial Solutions
fesq@sysde.co.cr
http://www.sysde.co.cr
[Moderator's note: This was asked a couple of months back and the
nearest we got to an explanation was that some Unix TCP/IP stacks emit
this odd error message and it was suggested that this was (incorrectly)
being displayed by some client software like mail and telnet programs.
Any advance on this, in terms of *details* would be greatly
appreciated.]
------------------------------
Date: Wed, 30 Jul 1997 15:17:55 GMT
From: cr764@torfree.net (Kurt Wismer)
Subject: Re: McAfee Antivirus for Exchange Server
X-Digest: Volume 10 : Issue 91
Hanspeter Kurt (KHanspeter@eurac.edu) wrote:
: I've heard that McAfee now offers an anti-virus program for Exchange
: Server. Who can give me information about such a program?
probably mcafee themselves... why don't you go check out their website..
[Moderator's note: http://www.mcafee.com/]
------------------------------
Date: Wed, 30 Jul 1997 14:37:05 +0100
From: michael dalton <michael@demon.co.uk>
Subject: Re: Computer virus vs A.I.D.S.
X-Digest: Volume 10 : Issue 91
In article <0015.869990286.0610545.0@virus-l.demon.co.uk>, "Mark E.
Harper" <meharper@richmond.infi.net> writes
>"Paul M. Young" <paul@populus.net> wrote:
>
>>F74BM@CUNYVM.CUNY.EDU wrote:
><snip>
>>> Antibiotic made for humans works like this:
>>>
>>> Let's take A.I.D.S. for instance entering the body with a DNA code of
>>> 1010-1100. The Antibiotic created (by an honest scientist) searches
>>> the body and finds 1010-1100. But A.I.D.S. being the tremendous
>>> disease that it is, it CHANGES its CODE RANDOMLY. Today its code is
>>> 1010-1100; tomorrow its code is 0011-0101. How can the (honest
>>> scientist) create a defense mechanism to seek and destroy this
>>> chameleon-like disease? This is why none of the prior antibiotics
>>> were working.
>>
>> Kev, Kev, Kev, did you take bio 101 yet? Antibiotics don't work
>>against _any_ virus. By the way, what makes you believe that
>>antibiotics search for anything? The actions of antibiotics are
>>simply chemical reactions to other chemical processes.
>> I'd be happy to carry on this discussion on or off the
>>list, as the moderator chooses.
>
>Anti-virus software is designed to actively seek out and eliminate
>computer viruses. Antibiotic mechanisms are designed, either by
>evolution or by pharmacology, to eliminate disease organisms. Do
>antibiotics / antibodies search for anything? Drugs and T-cells and
>whatnot may not "search" for victims in a meaningful way. They may
>just sit there and wait for hapless bugs to run into them and be
>neutralized (for all I know). I suppose that the searching -- the
>seek-and-destroy part -- comes while the antigen is being developed.
>Developments can occur through natural selection, through drug
>research, or through software engineering. It doesn't really matter
>whether the agent is active in itself -- it is a part of a much
>larger, and very active process.
>
>I just thought that was neat.
One problem with a virus like AIDS is that for most of the time it
is hidden, or else inside T4 cells. Whilst it is there the body's
antibodies do not find it, and it is usually only after a few months
that antibodies appear and one becomes HIV +ve. Perhaps one way would
be to make the antibodies smaller, as most antibodies have a small
binding site, and a lot of baggage tagged on at the other end of the
molecule. The antibody binding fraction Fab can be cleaved from the
rest of the molecule with enzymes. In your view one could make
monoclonal antibodies, cleave them, put a marker or toxin on the loose
end and then use this to search and stick to a bit of antigen inside a
T4 cell. I think this is what you mean, but there are many problems
with this approach; there are not many antigenic sites on the HIV
virus, and they change/mutate very quickly.
michael dalton
------------------------------
Date: Tue, 29 Jul 1997 19:59:40 -0400 (EDT)
From: dmuth@ot.com (Doug Muth)
Subject: Re: Computer virus vs. A.I.D.S.
X-Digest: Volume 10 : Issue 91
Hi Laszlo Baranyai! I'm a UNIX geek, spam hunter, and a virus fighter!
>I suppose this is the way of future. Antivirus programs have to inhibit
>specific events (absolute disk access, formatting, leaving resident
>part).
They help, but TSR AV programs never take the place of a good scanner.
>We are not able to follow numerous virus developments, we only
>react when we experience the results. This is why TSR programs are nearer
>to antibiotics and they have the general method we need. They rarely
>scan for virus code, they'd rather check movements.
I would suggest an Integrity Checker as well.
Regards,
<Doug Muth> ----- <http://www.ot.com/~dmuth> ---- Est sularus oth Mithas!
Maintainer of the SPAM-L FAQ -=-=-=-=-=-= http://www.ot.com/~dmuth/spam-l
Maintainer of Anti-spam ISPs list -=-=-= http://spam.abuse.net/goodsites/
Anti-virus software and utils -=-=-=-=-=-= http://www.ot.com/~dmuth/virus
Co-Founder of CAUCE ** Stop E-mail spam for good! ** http://www.cauce.org
------------------------------
Date: Mon, 28 Jul 1997 22:55:54 +0300
From: Timo Salmi <ts@uwasa.fi{omit.No.Emailed.Advertisements}>
To: n.fitzgerald@csc.canterbury.ac.nz
Subject: fp-227a.zip Virus Protection system by Fridrik Skulason, great
Thank you for your contribution. This upload is now available as
1032636 Jul 25 02:27 ftp://garbo.uwasa.fi/pc/virus/fp-227a.zip
: Date: Fri, 25 Jul 1997 12:03:11 +0000 (GMT)
: From: frisk@complex.is (Fridrik Skulason)
: To: pc-up@uwasa.fi
: Subject: fp-227a.zip F-PROT anti-virus uploaded
:
: File name: fp-227a.zip
: One line description: Version 2.27a of the F-PROT anti-virus package
: Replaces: fp-227.zip
: Suggested Garbo directory:
: Uploader name & email: Fridrik Skulason (frisk@complex.is)
: Author or company: Frisk Software International
: Email address: sales@complex.is, support@complex.is
: Surface address: Postholf 7180, IS-127 Reykjavik, Iceland
: Special requirements: No
: Shareware payment required from private users: No
: Shareware payment required from corporates: Yes
: Distribution limitations: May not be distributed together with viruses
: Demo: No
: Nagware: No (well, I don't think so)
: Self-documenting: Mostly
: Garbo CD-ROM distribution allowed
: External documentation included: Yes, some .TXT files.
: Source included: No
: Size: 1.032.568 bytes
: 10 lines description:
:
: A minor update, handling several hundred new viruses, and a rewritten
: F-MACROW program.
..................................................................
Joni Yrjana, Computer Center, University of Vaasa, Finland
Archivist at ftp:// & http://garbo.uwasa.fi archives 193.166.120.5
mailto:joyr@uwasa.fi
------------------------------
Date: 29 Jul 1997 17:08:48 GMT
From: af380@chebucto.ns.ca (Norman L. DeForest)
Subject: Re: Several intellectual questions
X-Digest: Volume 10 : Issue 91
FIALISHIA OLOUGHLIN (FIALISHIA.C.OLOUGHLIN@LMCO.COM) wrote:
: Carey_Tyler_Schug@em.fcnbd.com wrote:
[snip]
: > 2. Shouldn't it be possible for a hardware manufacturer to produce a hard
: > disk on which the boot sector is NOT writeable unless a certain jumper is
: > set? This jumper could be brought out to a pushbutton switch if desired,
: > since it would need to be set to update the partition table.
:
: Have been a number of such ranging from hardware (C-Cure) to software
: (many BIOSes). None have ever caught on. Of course setting to boot from
: C first which most BIOSes contain today would stop all but the
: droppers.
A posting in another newsgroup mentioned that the DEC MicroVax 3200 had
a switch on the front of the case which could write-protect the drive.
It had the annoying property of being in exactly the right place to be
accidentally bumped and switched, bringing processes to a halt as they
needed hard disk access.
Perhaps failings such as these have hampered other attempts to market
hardware protection.
--
Norman De Forest http://www.chebucto.ns.ca/~af380/Profile.html
af380@chebucto.ns.ca [=||=] (A Speech Friendly Site)
..........................................................................
Spammers, see: http://www.chebucto.ns.ca/~af380/Profile.html#Contact
Any spam sent to me will be another item to be added to my ISP's new spam
filter and will reduce your overall subsequent coverage. <grin><laughter>
------------------------------
Date: Tue, 29 Jul 1997 11:23:20 +0100 (BST)
From: Clare Gill <Clare.Gill@ucd.ie>
Subject: Pros and Cons of Server based virus checking
X-Digest: Volume 10 : Issue 91
From your varied experiences what have been the advantages and
disadvantages of server based virus checking as opposed to
workstation based virus checking.
Which mechanism would you recommend ?
What products have you implemented in this regard ?
Here at University College Dublin we are examining the whole area of
desktop security and one area we need to examine is how best to
implement virus checking: server based (Novell Netware) or
workstation based (PCs, Macs). We are looking at Dr. Solomon's
Anti-Virus Toolkit in this regard.
Many thanks in advance.
Clare Gill
University College Dublin Computing Services
Belfield DUBLIN 4
Tel : +353-1-706 2007 Fax : +353-1-2837077
E-mail : Clare.Gill@ucd.ie
------------------------------
Date: Mon, 28 Jul 1997 16:42:13 +0200
From: invi@abanet.ch (Remo Inverardi)
Subject: Re: Computer virus vs A.I.D.S.
X-Digest: Volume 10 : Issue 91
> As others wrote correctly, antibiotics INHIBIT CHEMICAL reactions
> as virus infection, internal movements of virii (e.g. replication).
I always thought antibiotics will kill bacteria -- or does the word have
a slightly different meaning in German?
There were those AOL Virus Database CDs going around for some time ("AOL
-- antibiotics for your PC"). Everybody was laughing about them, because
(at least in the German language), antibiotics do not have any use in
fighting viruses.
yours,
Remo
------------------------------
Date: Mon, 28 Jul 1997 16:38:56 +0200
From: invi@abanet.ch (Remo Inverardi)
Subject: Re: Dark side of cookies
X-Digest: Volume 10 : Issue 91
> I think everyone has met a site asking us to fill in one or
> more form(s) so that we will be able to access information
> there. I looked into these HTMLs and there are LINKS TO
> EXECUTABLE FILES.
Don't worry about these links. They do *not* start files on your
local machine. Those links are running CGI-programs on the web
server you're requesting data from. Those CGI-programs (which can
have *any* extension) will return data to the web server, which in
turn returns the data to your browser.
yours,
Remo
------------------------------
Date: Mon, 28 Jul 97 13:05:13 EDT
From: "A. Padgett Peterson P.E. Information Security" <padgett@tccslr.dnet.lmco.com>
Subject: Re: Several intellectual questions
X-Digest: Volume 10 : Issue 91
>> 4. A more elaborate scheme could include flash memory, allowing setting a
>> software password and eliminating the mechanical switch. This could be
>> done on either the SCSI/IDE disk or the disk controller board.
>
>Whatever software can make, software can unmake.
<My suggestion 4 was still a hardware solution: The hardware (either
<the EIDE or SCSI controller board, or the drive itself) would recognize
<any write command to the boot sector.
Good basic idea but there is still a problem: *How* do you pass a password to the
drive? In yon olden daze, the drive/controller would "hardwire" a memory
segment in the region C000:0 to EFFF:F. The original allocation put video
BIOSes at C000:0 and hard disk controller BIOSes at C800:0 (remember
G C800:5 ?).
Problem is that this takes address space and with RAM cram this is a problem.
In addition 32BitDiskAccess is liable to remove it entirely. Now a BIOS password
that is available only from DOS might not be a bad idea but must be
considered.
Still the basic problem is that it does not offer any additional profits
in a cut-throat business.
Warmly,
Padgett
------------------------------
Date: 28 Jul 1997 11:35:34 -0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Several intellectual questions
X-Digest: Volume 10 : Issue 91
In <0012.869990286.0610545.0@virus-l.demon.co.uk>
Carey_Tyler_Schug@em.fcnbd.com writes:
>My suggestion 4 was still a hardware solution: The hardware (either
>the EIDE or SCSI controller board, or the drive itself) would recognize
>any write command to the boot sector.
The problem with that approach is that it relies on the user to determine
when writes to the boot sector should be allowed and when not.
What if the virus displays a polite message "Installation of this software
requires a slight modification to the boot sector. Please enable boot sector
writes before continuing." ? Alternatively, what if people just do a SYS
or FDISK that modifies the boot sectors, and panic because the program
triggers, making them think they have a virus ?
--
Fridrik Skulason Frisk Software International phone: +354-5-617273
Author of F-PROT E-mail: frisk@complex.is fax: +354-5-617274
------------------------------
Date: Sun, 27 Jul 1997 16:30:48 -0400 (EDT)
From: Kenneth Albanowski <kjahds@kjahds.com>
Subject: Re: "Dark Side" of cookies
X-Digest: Volume 10 : Issue 91
On Mon, 26 May 1997, Fridrik Skulason wrote:
> The smallest known DOS virus is somewhere around 22 bytes.
>
> Even if this was in a cookie, so what...it would not be executed.
Exactly. That is the most important point. I could include in this message
ASCII characters that are a virus if run on a PC, but the potential for
damage would be nil, as your mail program is not going to clip out a random
piece of text in the middle of a message and start executing it.
<pedant>
Well, a very buggy program might do that, so I suppose if you had exact
knowledge of the program, and were _very_ lucky, there is an off chance
you could coerce a specific version of a specific program, running on a
specific computer, to execute arbitrary code. In fact, many network
attacks are based on a closely related technique.
</pedant>
However, given the quality of most viruses, most people do not need to
worry about this, yet.
--
Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)
------------------------------
Date: 27 Jul 1997 17:20:13 GMT
From: tyetiser@ptdprolog.net.com (Tarkan Yetiser)
Subject: Re: Computer virus vs. A.I.D.S.
X-Digest: Volume 10 : Issue 91
In article <0013.869990286.0610545.0@virus-l.demon.co.uk>,
baranyai@elfiz2.kee.hu says...
> As others wrote correctly, antibiotics INHIBIT CHEMICAL reactions
> as virus infection, internal movements of virii (e.g. replication).
>
> I suppose this is the way of future. Antivirus programs have to inhibit
No, it's just science fiction;-) Since self-recognition is not trivial
with the computer programs, viruses cannot be stopped that easily. You
can bring in infected stuff to a computing environment and it can spread
like wildfire. Try a simple organ transplant and your body immediately
knows something ain't right, and gives the newly added part hell.
> specific events (absolute disk access, formating, leaving resident
> part). We are not able to follow numerous virus developments, we only
Viruses can be and are implemented very much like legit programs. You
cannot inhibit that without severely restricting good programs as well. A
better approach is to identify possible carriers (like Word docs), and
eliminate passing on viruses while sharing stuff. Another approach is to
curtail subversion of default commands as WordPerfect does. Another would
be to add early warning messages when auto-anything is about to happen
(though this might get annoying).
> react when we experience the results. This why TSR programs are nearer
> to antibiotics and they have the general method we need. They rarely
> scan for virus code, they'd rather check movements.
:-))
> As virus development started - at the very beginning - with modelling
> of bacteria growth, I think biology has got some interesting idea for
> us too.
If the immune system were anything like the AV solutions, we'd all be
dead by now:-) But then again, the computer virus problem is less
complicated and current "state of the art" AV can deal with it just fine.
I think instead looking for loose analogies, we should concentrate on
analyzing the elements in each domain, and coming up with suitable
solutions. Pseudo-science might get you a patent from a confused
examiner, but it sure won't help those who have an immediate need for an
effective solution.
--
Regards
Tarkan Yetiser
VDSARG
tyetiser@vdsarg.com
http://www.vdsarg.com
data != information != knowledge != perspective != wisdom
Perforin for WinWord finds and removes macro viruses.
------------------------------
Date: Sun, 27 Jul 1997 10:06:52 -0700
From: Jim Gillogly <jim@acm.org.delete_me>
Subject: Re: Dark side of cookies
X-Digest: Volume 10 : Issue 91
Laszlo Baranyai wrote:
> Well, I read some very useful trick. I made my cookie file
> (EMCOOKIE.DAT) readonly for instance.
>
> What do you think about this?
I think it doesn't work for some Web sites, which may refuse to
let you continue if they don't get confirmation that their write
was successful.
On my Linux box, I accept all cookies, but deleted my cookie file
and sym-linked it to /dev/null. This means they'll write successfully
into my bit bin, and if they try to read back a cookie they'll get a
successful read that says there's nothing there for 'em. No problems
with this strategy so far.
--
Jim Gillogly
Highday, 4 Wedmath S.R. 1997, 17:04
12.19.4.6.12, 5 Eb 10 Xul, Sixth Lord of Night
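Jim's /dev/null diversion written out as an added example (not the poster's own code): Python that replaces a cookie file with a symlink to /dev/null in a scratch directory, then performs the append a site's Set-Cookie would cause and the read-back the site would later request. The cookie file name and the Netscape-style cookie line are constructed. As in the post, anything already in the file is discarded, and because it relies on /dev/null it applies to Unix-like systems only.

```python
"""Divert a browser cookie file to /dev/null and observe what a site sees.
Added example, not code from the original digest; the file name and the
cookie line are constructed for illustration."""

import os
import tempfile

# A Netscape-format cookie line (constructed): domain, flag, path, secure,
# expiry, name, value.
SAMPLE_COOKIE = ".example.test\tTRUE\t/\tFALSE\t0\tsession\tabc123"


def divert_to_dev_null(cookie_path: str) -> None:
    """Replace the cookie file with a symlink to /dev/null.
    Any cookies already stored are discarded; that is the point."""
    if os.path.lexists(cookie_path):
        os.remove(cookie_path)
    os.symlink("/dev/null", cookie_path)


def write_cookie(cookie_path: str, line: str) -> bool:
    """Append one cookie line the way a browser would.
    Returns True if the write succeeded from the application's point of view."""
    try:
        with open(cookie_path, "a") as fh:
            fh.write(line + "\n")
        return True
    except OSError:
        return False


def read_cookies(cookie_path: str) -> list:
    """Return the non-empty lines the 'cookie file' currently holds."""
    with open(cookie_path) as fh:
        return [ln.rstrip("\n") for ln in fh if ln.strip()]


def demo() -> dict:
    """Run the whole exchange in a scratch directory and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cookies.txt")   # assumed file name
        # A pre-existing cookie, to show the diversion throws it away.
        write_cookie(path, SAMPLE_COOKIE)
        before = read_cookies(path)
        divert_to_dev_null(path)
        # The site "writes" a new cookie: the append succeeds...
        wrote = write_cookie(path, SAMPLE_COOKIE.replace("abc123", "xyz789"))
        # ...but the read-back it later requests finds nothing.
        after = read_cookies(path)
        return {
            "before": before,
            "write_succeeded": wrote,
            "after": after,
            "is_symlink": os.path.islink(path),
        }


if __name__ == "__main__":
    print(demo())
```

The contrast with the read-only-file approach discussed in the thread is in `write_succeeded`: here the append returns success, so a site that insists on a confirmed write is satisfied, while a read-only file would make that same append fail.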
------------------------------
Date: 31 Jul 1997 14:54:41 GMT
From: <squirrelming@hotmail.com>
Subject: I suffer a goldfish virus!! (WORD)
X-Digest: Volume 10 : Issue 91
I need for help!
I suffer from a goldfish virus. I don't know where I got it from. Perhaps
it came from the internet.
When I started Windows 95, it appeared on the screen. It opened a
window and showed "I'm goldfish feed me: " and had a space for you to
enter words. It made all the applications stop working.
I tried many words and phrases but nothing took any effect. I used
several anti-virus programs but it couldn't be detected. Then I restarted the
computer and it disappeared.
I worry it will appear again. Please give me any advice to solve this.
My E-mail address is tiggest@hotmail.com or squirrelming@hotmail.com
Thank!
Q
squirrelming
------------------------------
Date: Wed, 30 Jul 1997 04:56:36 +0100
From: a8604659@unet.univie.ac.at (Joerg Erdei)
Subject: Re: Word macro virus (WORD)
X-Digest: Volume 10 : Issue 91
FIALISHIA OLOUGHLIN <FIALISHIA.C.OLOUGHLIN@LMCO.COM> wrote:
> > An even faster way would be deleting the normal.dot file. (WORD will
> > create a default normal.dot next time you run it)
>
> This is one answer, write-protecting NORMAL (how do you do this on a
> MAC?) is another.
Quite simple on a Mac:
In the Word folder, highlight the document 'Normal', type command-I to
get the info box and activate the protect checkbox.
Joerg
--
eMail: a8604659@unet.univie.ac.at
[Moderator's note: I know Joerg knows this and was answering a
different question, but write-protecting your Normal template buys
marginally more than no protection. Do not think this helps the
situation.]
------------------------------
Date: Sun, 27 Jul 1997 16:42:29 -0400 (EDT)
From: Kenneth Albanowski <kjahds@kjahds.com>
Subject: Re: About MSWord's alleged macro av (WORD)
X-Digest: Volume 10 : Issue 91
On Wed, 28 May 1997, Padgett 0sirius wrote:
> Will venture that the current a-v practice of declaring a "new" variant
> every time a virus acquires a new macro (usually just by copying every
> macro found) is another dumb idea - rather like saying that every time
> an MBR virus infects a different OS, it becomes new. Must admit it is
> good for marketing numbers but that is about it - why MacroList just
> has a "Delete All" button. (There: have offended everyone 8*).
Surely the biological community has standard ways of referring to
lineages, to keep track of ancestors, and just where mutation A or
recessive trait B popped up. It seems something similar would be useful
for Word viruses. Ironically, these things do far better at "evolving"
than anything crafted intentionally by the virus writers.
A world in a jar, accidentally created by Microsoft... Nah, no-one would
believe it.
--
Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)
------------------------------
Date: Thu, 07 Aug 97 08:46:00 PDT
From: Michael D Noonan <Michael_D_Noonan@ccm.rr.intel.com>
Subject: Need help with Laroux.E cleaner (XL)
X-Digest: Volume 10 : Issue 91
Does anyone have a cleaner for Laroux.E? I have two files infected
with Laroux.E which when cleaned with any of the following causes the
file to corrupt. By "corrupt", I mean that the virus is cleaned,
however, you can no longer do anything but view/print the file. If you
try to edit it or save it, Excel will do one of the following: GPF
Excel, hang your machine, bluescreen if NT, request a module which
doesn't exist.
McAfee scanners I have tried:
DOS SCAN.EXE 3.0.2 3008 DATs
DOS SCAN.EXE 3.0.3 3008 DATs - BETA
VS95 3.0.2 3008 DATs
NTSCAN 3.0.2 3008 DATs
I was able to detect and clean the virus, without corruption, using
VS95 3.0.0 and 3008 DATs. So far this is the only combination of scan
engine and virus signature files which didn't corrupt the files. The
3008 DATs are the latest BETA DAT files. I tried 3007 and it didn't
make a difference.
I was only able to find details on the Laroux.D and Laroux.E variants
on the McAfee Virus Database. Does anyone have any other details on
Laroux.D or Laroux.E?
These new strains go around the PERSONAL.XLS and create either BINV.XLS
(Laroux.D) or PLDT.XLS (Laroux.E) to continue infection. Making
XLSTART directory or PERSONAL.XLS READ-ONLY doesn't prevent infection.
Michael Noonan
Intel Corporation
Intel Virus Response Team
mdnoonan@inside.intel.com
------------------------------
Date: 28 Jul 1997 15:19:13 GMT
From: "T. Carroll" <tcarroll@sun.science.wayne.edu>
Subject: NetShield NT 3.00 hangs on files... (NT)
X-Digest: Volume 10 : Issue 91
NetShield NT 3.00 with DAT 3007 (or for that matter any DAT files) on an
NT 4.00 Service Pack 3 system hangs on <EXPLORER.EXE> specifically
and in general on the NT system folder. The scheduler, running either in
automatic or manual start mode, hangs on these files, and even the
stand-alone SCAN hangs on these files. The trouble is only with our
regular servers; on our primary and back-up servers the program works
fine.
Any help would be appreciated.
Tom Carroll
And if you would contact my email address....
tcarroll@sun.science.wayne.edu
------------------------------
Date: 31 Jul 1997 18:03:44 GMT
From: cjkuo@alumnae.caltech.edu (Chengi J. Kuo)
Subject: Re: Problem with McAfee AntiVirus and NT 4.0??? (NT)
X-Digest: Volume 10 : Issue 91
Michael Burk <mburk1@tigger.cc.uic.edu> writes:
>"Joseph R. Demers" <jrdemers@pacific.mps.ohio-state.edu> wrote:
>> My friend and I have both recently purchased McAfee's multiplatform
>> antivirus program (version 3.0 released early April) and we have both
>> had problems with its virus shield crashing our NT 4.0 (SP2) machines.
>> Please, anyone else having this problem, post. I want to make absolutely
>> sure that it is the culprit.
>> What happens is that upon closing your A drive after viewing its
>> contents with explorer - bang. NT goes blue-screen-belly-up (BSBU).
>> Removing the virus shield from startup has so far ended this problem. I
>> have also had crashes accessing my CDROM, but this may be due to the
>> Autoplay Extender from PowerToys that I can_not_seem to uninstall. We
>> shall see, I removed Virus Shield from my start-up and the problems have
>> gone away.
It's been some time since this post and a lot of work has gone into the
NT product to settle out its stability issues. The current product is
now 3.0.2. I am told that this finally settles the problems.
But, maybe it's just the problem description, but VirusShield should not
be used on NT. VShield is for 95 or DOS or Win3. NT uses its on-demand
scanner or NetShield.
>We had a similar problem in our office, I do have some information to
>share. The problem is specifically between NT 4.0 WITH Service Pack 3
>and McAfee 3.0. One temporary fix around the problem is to remove
>Service Pack 3, until MS gets around to releasing SP 4. You should be
>able to remove it in the Add/Remove Programs
>
>Another issue to be aware of with NT and Mcafee, is when you install
>the program as Administrator, be sure to change the default action in
>the configuration manager from Continue Scanning, else a normal logged
>in user will be unable to clean and work with documents infected, I
>know specifically, the CAP.A virus.
>
>This is also my first time posting to this list, and I am very
>interested in working in virus research if anyone can give me
>suggestions as to what type of college classes/job experience (with the
>obvious exception of already working as one) to get into the field.
For a flavor of what a virus researcher needs to know, you can read
my paper on "What's NOT a Virus." That's what occupies your day.
The basic thing you need to know is how the PC works. And you need
as broad a training as you can get. The virus specific parts end up
being just how you make use of that varied background.
In order to work with boot viruses, you have to know about CMOS, PC
interrupts, partition tables, the PC boot up process, BPBs, diskette
architectures, and lots and lots of things. Any one thing missing from
your repertoire and you'll have a virus that you don't understand.
But most of all, this industry needs a curious sort. One who is willing
to search out the answer. And he needs to be able to devote himself as
a sacrifice for the users. All-nighters if the company has a problem that
needs resolution by the next morning.
Best wishes.
Jimmy
------------------------------
Date: Sat, 02 Aug 1997 04:09:19 GMT
From: aendalwaght@pas.com (Ali Endalwaght)
Subject: McAfee or Norton AntiVirus (NT,WIN95)
X-Digest: Volume 10 : Issue 91
Currently, I'm conducting research in order to determine which
anti-virus software works better in Windows 95 and Windows NT4.0:
McAfee or Norton AntiVirus. Any input is appreciated. Please state
your reason for choosing one over the other.
Thanks
Ali
------------------------------
Date: 31 Jul 1997 18:06:34 GMT
From: cjkuo@alumnae.caltech.edu (Chengi J. Kuo)
Subject: Re: Filenames scrambled (WIN95)
X-Digest: Volume 10 : Issue 91
tim <alpo@essex1.com> writes:
>I've run virus net, w/macro scan, no virus. scandisk had to run
>w/thorough scan three times until it was satisfied did a defrag
>using win95.
>One folder only-all file names scrambled [I don't have a file
>encryption prog.] Win 95 will not let me change the scram. file
>names, or using 'properties' see the file=it said 0 bytes-unknown for
>create-accessed= and can't copy or move files. Trying to view win95
>progs say can't locate file.
>Using DOS prog. disk managers I could change names, read 64k to 3M in
>size [the original files weren't any larger than 100k] and win explorer
>reads a different file size on similar file].. Dos reader will read
>some files but the scrambled file 'links to' another file in a
>different folder= these files that 'were' in the other folders have
>disappeared.
>- -----Is there a way to reverse this scramble, ?? deleting the folder
>might destroy other "linked to" files [some of the scrambled files
>appear to be 3Meg, don't know why]???-------
>
>Anyone have any idea what happened or how to recover scrambled file
>named files?
Please list some of the scrambled names. One person's scrambled name
may make perfect sense to another.
It could be SCANDISK/CHKDSK recovered files, files in your trash bin,
files in your TEMP directory,...
Jimmy
cjkuo@mcafee.com
------------------------------
Date: Sat, 02 Aug 1997 21:41:26 -0400
From: Minstrel <tengu@concentric.net>
Subject: Re: Problem with Dr Solomon (WIN95)
X-Digest: Volume 10 : Issue 91
Another problem I've found with Dr Solomon for any Windows platform is
that it is a bit of a resources hog. Even the anti-virus TSR for DOS
takes 10KB of conventional memory!
Now the thing is, the computer will hang if the TSR is loaded high. It
has to be loaded low in order for the computer to work properly.
Just a bit of advice
- -
Minstrel BlackWing
tengu@concentric.net
http://www.concentric.net/~tengu/
------------------------------
Date: 3 Aug 1997 00:31:54 GMT
From: JohnGog@bellsouth.net (John Gog)
Subject: Re: Filenames scrambled (WIN95)
X-Digest: Volume 10 : Issue 91
In article <0030.869990286.0610545.0@virus-l.demon.co.uk>, tim
<alpo@essex1.com> wrote:
> Anyone have any idea what happened or how to recover scrambled file
> named files?
Sounds like you've gotten a bunch of cross-linked files. Something
Norton Utilities MIGHT help you out, but, frankly, my luck with
cross-linked files has always been very poor. BTW, are you using OSR2
with the 32-bit FAT, or do you have a 16-bit FAT? Also, what did
scandisk report with its full scans? If it was turning up defective
sectors, you probably have a hard drive going bad.
Regards,
- -
John Gog
Advanced Systems Design
Opinions expressed are my fault; advice is worth what it cost.
Reviewer for NetCent Communications <http://www.netcent.com>
Using: OUI PRO 1.8 Beta 4 from <http://www.peaktopeak.com>
------------------------------
Date: Sun, 3 Aug 1997 12:22:45 +0300
From: <owner-virus-l@fidoii.cc.lehigh.edu>
Subject: Little face in taskbar virus (WIN95)
X-Digest: Volume 10 : Issue 91
I think I have found a new virus!
In my Windows 95 taskbar
between the time and language indication there is this little
icon like a yellow face and when I put the mouse over it says
"am I idle?". During periods of idleness in my PC the little Chinese
face changes and three zzz appear in the top left corner
Can anyone help and if he has heard this symptom before to tell me what I
can do about it?
Dimitris
Athens, Greece
[Moderator's note: An earlier thread (months ago) on this suggested
that this may be a "symptom" of running the Trend on-access (resident)
scanner. A few other products use the Trend engine and may also
display this effect. Definite confirmation or denial would help...]
------------------------------
Date: 29 Jul 1997 08:11:05 GMT
From: cjkuo@alumnae.caltech.edu (Chengi J. Kuo)
Subject: Re: What's special about *.FON and *.ICO files? (WIN)
X-Digest: Volume 10 : Issue 91
Ilia Levin <Ilia_Levin@p15.f520.n50.z2.fidonet.org> writes:
>"Chengi J. Kuo" <cjkuo@alumnae.caltech.edu> writes:
>[cut]
>>>Does anyone here have any idea WHY the *.ICO and *.FON files would be
>>>scanned? (Other than possible stupidity?) Is there *really* a way to
>>>spread viruses with them as carriers?
>>
>>Yes. (No.) Yes.
>>
>>That seems contradictory, doesn't it? Well, it's theoretically possible
>>that the files can be carriers.
>[cut]
>Really? ICO files can be infected? :-) I knew COM infectors inside JPEG
>files is a good custom of McAfee Scan, but ICO... Did you have an
>examples? ;-)
Sure, cut the piece of my answer that said that a user could rename any
file to any extension.
>Face facts: FON is a DLL-like file ('Can DLL be infect?' instead of
>'Can FON be infect?', eh?), ICO is a data file and CAN'T be infected
>(same for BMP, JPG, PCX, GIF, TIF, etc.). From the other hand any
>executable file can be infected and renamed with .ICO (and other)
>extention.
And DLL files have a standard EXE header. Direct infectors don't care
beyond that.
And files regardless of extension are infectable with the most basic
Trivials.
Neither of those are likely (like close to 1/infinity). So I answered
that it was stupid to include those extensions into the default for a scan.
Jimmy
cjkuo@mcafee.com
------------------------------
Date: 28 Jul 1997 11:38:55 -0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: What's special about *.FON and *.ICO files? (WIN)
X-Digest: Volume 10 : Issue 91
In <0033.869990286.0610545.0@virus-l.demon.co.uk> Ilia Levin
<Ilia_Levin@p15.f520.n50.z2.fidonet.org> writes:
>
>"Chengi J. Kuo" <cjkuo@alumnae.caltech.edu> writes:
>
>Really? ICO files can be infected? :-)
Well, they can contain viruses...and will re-infect if you rename them
to .EXE and run them...under normal circumstances, that will not happen,
though.
You see, .ICO and .FON files start with the bytes "MZ". Some viruses may
attempt to infect any file they encounter, starting with those bytes,
assuming they are .EXE files.
- -
Fridrik Skulason Frisk Software International phone: +354-5-617273
Author of F-PROT E-mail: frisk@complex.is fax: +354-5-617274
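The two points made in this thread (Kuo's: any file can be renamed to any extension; Skulason's: a header-driven infector only looks for the "MZ" bytes) reduce to one practical check, which is to classify a file by its content rather than by its name. The following is an added example and not code from either poster or from any product mentioned; the PROGRAM_EXTS set is an assumption about which extensions a scanner's defaults treat as program files, and the sample files are constructed in memory.

```python
import struct

MZ_HEADER_LEN = 0x40  # DOS EXE header through e_lfanew

# Assumed set of extensions a scanner's defaults treat as program files.  .FON
# is in it because, as the thread says, a .FON is a DLL-format file and an MZ
# header there is normal.
PROGRAM_EXTS = {"exe", "com", "dll", "sys", "drv", "ovl", "scr", "fon"}


def looks_like_exe(data: bytes) -> bool:
    """The only test a header-driven EXE infector makes: the file starts with 'MZ'."""
    return len(data) >= MZ_HEADER_LEN and data[:2] == b"MZ"


def mz_header(data: bytes) -> dict:
    """Fields an appending infector reads and rewrites: image size from e_cp/e_cblp,
    header size from e_cparhdr, entry point from e_cs:e_ip."""
    e_cblp, e_cp, e_crlc, e_cparhdr = struct.unpack_from("<4H", data, 2)
    e_ss, e_sp, e_csum, e_ip, e_cs = struct.unpack_from("<5H", data, 14)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    image_size = (e_cp - 1) * 512 + e_cblp if e_cblp else e_cp * 512
    return {"image_size": image_size, "header_bytes": e_cparhdr * 16,
            "entry": (e_cs, e_ip), "relocations": e_crlc, "e_lfanew": e_lfanew}


def classify(name: str, data: bytes) -> str:
    """Decide from content, not name, whether an EXE infector could use the file."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if not looks_like_exe(data):
        return "data"               # ICO/BMP/JPG bodies give an EXE infector nothing to hook
    if ext in PROGRAM_EXTS:
        return "program"            # EXE/DLL/FON: an MZ header is expected here
    return "renamed-program"        # MZ content behind a data extension: worth scanning


def triage(files: dict) -> dict:
    """Classify every (name, bytes) pair; only 'renamed-program' hits need a second look."""
    return {name: classify(name, data) for name, data in files.items()}


def _mz_stub(image_size: int = 1168) -> bytes:
    """Constructed header-only DOS EXE: e_cblp=0x90, e_cp=3 -> (3-1)*512+0x90 = 1168 bytes."""
    hdr = b"MZ" + struct.pack("<13H", 0x90, 3, 0, 4, 0, 0xFFFF, 0, 0xB8, 0, 0, 0, 0x40, 0)
    hdr = hdr.ljust(0x3C, b"\0") + struct.pack("<I", 0)
    return hdr.ljust(image_size, b"\0")


# Constructed sample set: one genuine icon, one font, one EXE, and one EXE renamed .ICO.
SAMPLE_FILES = {
    "readme.ico": b"\x00\x00\x01\x00\x01\x00" + bytes(1024),   # ICONDIR: reserved=0, type=1, count=1
    "arial.fon": _mz_stub(),
    "setup.exe": _mz_stub(),
    "logo.ico": _mz_stub(),
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_FILES).items():
        print(f"{name:12s} {verdict}")
```

The useful output is the "renamed-program" verdict: a genuine icon never trips it, a .FON with an MZ header is expected, and only MZ content hiding behind a data extension is reported. That is the case a default scan list that includes *.ICO is paying for, and, as Kuo says, it is rare.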
------------------------------
Date: Thu, 31 Jul 1997 08:44:45 -0600
From: gwenzel@gpu.srv.ualberta.ca (George Wenzel)
Subject: Re: Invircible (PC)
X-Digest: Volume 10 : Issue 91
Scott Keegan says...
>What can anyone tell me about the Invircible anti-virus product?
While I have not recently taken a look at it, it has a very bad track
record. Very few reviews have rated it highly, and those have been
criticized as being flawed.
Also, their support is quite lacking. I e-mailed Zvi Netiv (the
producer of InVircible) asking him questions about how part of
InVircible worked, and he responded by accusing me of harassing him
(I had only sent one e-mail). I have pointed out problems with
InVircible in the past, and NetZ Computing's general response has
been to complain to my university - Zvi Netiv has tried to get my
account cancelled because I have been critical of InVircible.
>I know that there was a lot of negative stuff floating around about
>this product a little while ago but what is the considered opinion on
>it now?
My opinion is that it is an overhyped product that is not worth the
money. There are far better options out there.
>Is it as effective as it is claimed to be?
Generally, no. The claims that have been made about it have been
generally considered to be untenable for _any_ anti-virus product.
>What sort of problems has anyone had in running in a network environment?
Take a look at some of the posts in alt.comp.virus. There are posts
there by people that have had InVircible running in a network
environment, and they have had several types of problems.
>Any information would be greatly appreciated, but please, no spam for
>some other product.
I am not a representative of any anti-virus products. I'm just your
average university student with an interest in viruses and anti-
viruses.
- -
George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Club Secretary & Webmaster,
University of Alberta Karate Club
http://www.ualberta.ca/~gwenzel/
------------------------------
Date: Wed, 30 Jul 1997 20:57:50 -0700
From: Frank Lindahl <Flindahl@pa.mother.com>
Subject: Out of memory with McAfee (PC)
X-Digest: Volume 10 : Issue 91
When I boot with a clean disk, and try to run McAfee, I get an
insufficient memory error. When I use MEM it tells me I have 526K of
memory for a DOS program. When in Windows, I try to run Microsoft
Anti-Virus for Windows, it does fine on my uncompressed partition, but
on my compressed partition, it comes back "Insufficient conventional
memory. Needed: 8192 byte(s)."
Any suggestion of a virus scanner that either only uses Windows memory
or a minimal amount of DOS would be sincerely appreciated.
------------------------------
Date: 30 Jul 1997 20:10:50 GMT
From: "Bruce P. Burrell" <bpb@ren.us.itd.umich.edu>
Subject: Re: Jaz Drives immune from BSIs? (PC)
X-Digest: Volume 10 : Issue 91
Roy L. Jacobs <rljacobs@pipeline.com> wrote:
> I back up my work only to a Jaz drive. (I do not back up to tape since
> it is almost impossible to verify the tape.) The drive appears not to
> have a Dos partition and has no MBR.
Are you sure? ZIP drives have an MBR, fwiw.
> Only work gets put on the drive
> consisting of mostly Word Perfect documents,some Word and tiff files.
> Is it fair to say (and excluding the macros issue in Word documents)
> that this drive is immune from virus infection, specifically BSI which
> could make the drive unreadable?
No. First of all, if software can write to the drive, so can a virus.
But let's assume that you are right and there is no MBR. If you
encounter a virus that is a DOS Boot Sector infector, then it might bite
you. Hard, since it probably thinks it is seeing a floppy. Of course,
if there IS an MBR, then a virus might attack the JAZ drive; it all
depends.
> The documents are critical. I would appreciate anyone's thoughts on this
> matter. (Norton antivirus 95 ver.2 is installed and always on and I run
> occasional scans with F-Prot.)
If the documents are critical, keep multiple copies on multiple disks,
tapes, or whatever. If you are satisfied with the level of protection
of the software you are using already, then fine; if not consider other
products.
-BPB
------------------------------
Date: 29 Jul 1997 17:59:59 GMT
From: "Brien K. Meehan" <meehanb@detroitedison.com>
Subject: IPX virus activity (PC)
X-Digest: Volume 10 : Issue 91
Is anyone aware of any virus that does anything with IPX? I don't
necessarily mean replicate via IPX, I mean anything - send a packet of
junk, put a network adapter into promiscuous mode - anything at all.
- -
brien k. meehan, network janitor
meehanb@detroitedison.com
(The opinion posted here is solely my position and does not represent the
opinion of Detroit Edison.)
------------------------------
Date: Tue, 29 Jul 1997 04:37:49 +0900
From: Kim kyung-ho <klaq21@chollian.dacom.co.kr>
Subject: Problem making McAfee Emergency Disk (PC)
X-Digest: Volume 10 : Issue 91
I tried to make an Emergency disk on a 3.5inch diskette preparing to get my
computer infected. But I couldn't because a 3.5inch diskette does not have
sufficient space for that. So the Edisk program didn't copy the names.dat file.
Edisk needs about 30 Kb more than the diskette space.
Is there any tip to make Edisk? Please let me know how!
Thanks in advance.
------------------------------
Date: Mon, 28 Jul 1997 17:29:55 GMT
From: sesnyder@mail.utexas.edu (Susan)
Subject: Help with Stealth C (PC)
X-Digest: Volume 10 : Issue 91
My computer contracted the Stealth C virus from an infected diskette.
I unfortunately did not have anti-virus software installed on my
computer, but I now have McAfee VirusScan. I booted from a clean
diskette, but I still receive messages that there are traces of the
virus in memory. My computer is not running as fast as it used to (I
am running a 166 with 32 RAM), so I believe that the virus is still
there.
Can anyone tell me how to rid the memory of the Stealth C virus?
------------------------------
Date: Mon, 28 Jul 1997 06:45:55 +0000 (GMT)
From: lbishop@aztec.asu.edu (LIS BISHOP)
Subject: Burglar.1150 keeps recurring (PC)
X-Digest: Volume 10 : Issue 91
Bear with me, I'll try and explain. I was having problems with
memory,so used McAfee and found Burglar .1150. Ran scan/clean, and
it worked. But just about every day, sometimes 2 or more times
a day, it comes back. I'll scan/clean, then go to, for instance, unzip
a file using xtree, and suddenly it jumps back to Quickmenu.(Yes, i
still like DOS :) Since it acts up I run Scan, and Burglar is back,
although 2 minutes before Scan found and cleaned it.
does anyone have any idea where this virus is hiding, and how I can
really get it out of my system?
Thanks-
Lis
- -
Lisbeth Bishop
------------------------------
Date: Mon, 28 Jul 1997 02:15:44 +0530
From: Sampath Kawiratne <dssk@sri.lanka.net>
Subject: Question Regarding Triple Level Bootstrap (PC)
X-Digest: Volume 10 : Issue 91
Could somebody please be kind enough to explain to me the boot sequence
when a PC is turned on. I have got a general idea about it but the how
and when the Master Boot Record is used in this sequence puzzles me.
Like for example will the MBR be used only when booting from the H/D or
will it be always used. I have listed my view of the triple boot
sequence below. Could somebody please be kind enough to point out
whatever shortcomings in it and also explain to me the use of the MBR
and the boot sector. An early reply would be very much appreciated as I
need this info for an assignment.
Thank you
Regard,
Sampath.
Triple Level Bootstrap on PC
1) ROM-BIOS loads a short loader program (INT 19h). This first level
program is general to any operating system and its job is as follows.
(a). Read the first physical sector of the FD (Boot sector) into
memory location 0000:7C00.
(b). (b.1) If the sector contains the word value AA55h (known as the
signature word) at offset 510 of the block, the sector is
assumed to contain valid code and the BIOS jumps to the
first byte of the block (at 0000:7C00).
(b.2) If the First FD sector doesn't have the correct signature
word the BIOS attempts to load the first sector from the
first HD (MBR) of the system into memory location
0000:7C00 and step (b.1) is repeated.
(c). If the valid signature isn't found in the HD then
(c.2) Others will simply wait for the user to insert a
floppy disk into the system.
2) The second level boot program is found in the boot sector of a disk.
It is Operating system specific and is about 300 bytes. This program
loads the system files msdos.sys and io.sys into RAM. These files have
the third boot strap program called SYSINT which is loaded into RAM at
location at 0070:0000 and control is passed to it.
3) Third level boot program, SYSINT is an intelligent loader and loads
the rest of the OS including the command interpreter COMMAND.COM .
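The first two levels of the sequence asked about above are a small amount of byte parsing, and writing them out answers the MBR question directly: a floppy's first sector is itself the volume boot sector, so the MBR is only read when the BIOS falls through to the hard disk. This is an added example and not code from the poster or from any BIOS or DOS source; it follows the poster's model (floppy first, then MBR, signature word at offset 510, one active partition), uses the standard FAT16 BPB field names, and the disk and floppy images are constructed in memory. It stops where level three would load IO.SYS.

```python
import struct

SECTOR = 512
BOOT_SIG = 0xAA55        # stored little-endian, so the sector ends in bytes 55 AA
PART_TABLE = 0x1BE       # four 16-byte partition entries, just before the signature
ACTIVE = 0x80            # boot-indicator byte of a bootable partition


def has_boot_signature(sector: bytes) -> bool:
    """Step (b.1): the BIOS only jumps to 0000:7C00 if offset 510 holds AA55h."""
    return len(sector) >= SECTOR and struct.unpack_from("<H", sector, 510)[0] == BOOT_SIG


def parse_partition_table(mbr: bytes) -> list:
    """Decode the MBR partition table: status, type, first LBA and length of each slot."""
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE + 16 * i)
        entries.append({"slot": i, "active": status == ACTIVE, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def parse_bpb(vbr: bytes) -> dict:
    """Decode the FAT12/16 BIOS Parameter Block a volume boot sector carries at offset 11."""
    (bps, spc, reserved, fats, root_entries, total16,
     media, spf, spt, heads, hidden, total32) = struct.unpack_from("<HBHBHHBHHHII", vbr, 11)
    return {"oem": vbr[3:11].decode("ascii", "replace").rstrip(),
            "bytes_per_sector": bps, "sectors_per_cluster": spc,
            "reserved_sectors": reserved, "fats": fats, "root_entries": root_entries,
            "total_sectors": total16 or total32, "media": media,
            "sectors_per_fat": spf, "sectors_per_track": spt, "heads": heads,
            "hidden_sectors": hidden}


def simulate_boot(disk: bytes, floppy: bytes = None) -> dict:
    """Walk the first two bootstrap levels over in-memory images.

    A floppy with a valid signature boots directly: its first sector is the
    volume boot sector, so the MBR is never touched.  Otherwise the MBR is
    loaded, the single active partition is located, and that partition's boot
    sector gets the same signature check before level three (IO.SYS) would run.
    """
    if floppy is not None and has_boot_signature(floppy):
        return {"ok": True, "stage": "floppy", "bpb": parse_bpb(floppy)}
    mbr = disk[:SECTOR]
    if not has_boot_signature(mbr):
        return {"ok": False, "stage": "mbr", "reason": "no AA55h signature at offset 510"}
    active = [e for e in parse_partition_table(mbr) if e["active"]]
    if len(active) != 1:
        return {"ok": False, "stage": "mbr",
                "reason": "expected one active partition, found %d" % len(active)}
    part = active[0]
    start = part["lba_start"] * SECTOR
    vbr = disk[start:start + SECTOR]
    if not has_boot_signature(vbr):
        return {"ok": False, "stage": "vbr", "partition": part,
                "reason": "partition boot sector has no AA55h signature"}
    return {"ok": True, "stage": "vbr", "partition": part, "bpb": parse_bpb(vbr)}


def _write_fat16_vbr(buf: bytearray, off: int, oem: bytes, hidden: int, total: int) -> None:
    """Constructed volume boot sector: JMP stub, OEM name, FAT16 BPB, signature, no code."""
    buf[off:off + 3] = b"\xEB\x3C\x90"
    buf[off + 3:off + 11] = oem.ljust(8)
    struct.pack_into("<HBHBHHBHHHII", buf, off + 11,
                     512, 4, 1, 2, 512, total, 0xF8, 1, 63, 16, hidden, 0)
    struct.pack_into("<H", buf, off + 510, BOOT_SIG)


def build_sample_disk(active_lba: int = 63, total_sectors: int = 128) -> bytearray:
    """Constructed hard-disk image: MBR with one active FAT16 partition at LBA 63."""
    disk = bytearray(SECTOR * total_sectors)
    struct.pack_into("<B3xB3xII", disk, PART_TABLE, ACTIVE, 0x06, active_lba, total_sectors - active_lba)
    struct.pack_into("<H", disk, 510, BOOT_SIG)
    _write_fat16_vbr(disk, active_lba * SECTOR, b"MSWIN4.1", active_lba, total_sectors - active_lba)
    return disk


def build_sample_floppy() -> bytearray:
    """Constructed bootable floppy: sector 0 is itself the volume boot sector."""
    fl = bytearray(SECTOR)
    _write_fat16_vbr(fl, 0, b"MSDOS5.0", 0, 2880)
    return fl


if __name__ == "__main__":
    print(simulate_boot(bytes(build_sample_disk())))
    print(simulate_boot(bytes(build_sample_disk()), floppy=bytes(build_sample_floppy())))
```

Zeroing the two signature bytes of the MBR is enough to make the BIOS refuse the disk, which is why a boot sector infector that corrupts the signature (or the partition table it overwrites with its own code) leaves the machine "unbootable" even though every file on the volume is untouched; the same two fields are the first thing to check on a drive a scanner reports as infected.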
------------------------------
Date: Fri, 1 Aug 1997 14:22:45 +0100
From: James MacDonald <trill@netbook.demon.co.uk>
Subject: Re: Help disinfecting TOS (PC)
X-Digest: Volume 10 : Issue 91
In article <0035.869990286.0610545.0@virus-l.demon.co.uk>,
MrShadow99@aol.com scribbled :
>I need help on removing a virus called TOS. It is a stealth I think.
>
>Here is what I found it does:
>
>- Randomly turns off Computer
Unless you are using a laptop, that's not possible!
>- When you close the Internet Explorer, it locks up your computer
IE is unstable software, and it always locks up my computer too. But I
use Netscape, as all sane people should.
>- Does not let you forward mail that you have read
This is a problem with your mail client.
>I got the main part of it erased, but when I start up the computer, two
>messages come up saying please re-install TOS and then the other says
>to find it as .INI file
Viruses don't do that, but software will. You installed some software
that conflicted with your computer. If you nuked a virus like that, then
your system would (hopefully) be unusable. I say hopefully, because if
you can just remove the virus 'like that' then it's not a good virus
(although there is no such thing as a good or bad one..)!
- -
Brought to you from my network, which consists of:
Voyager (a 202MHz StrongARM RiscPC)
Defiant (a 33MHz NeXT Station)
Enterprise (a 25MHz NeXT Cube - you will be assimilated!)
Lucifer (a 166MHz Pentium)
[Moderator's note: Desktops whose BIOSes support power management (and
with it turned on) can just as easily be turned off as laptops--after all,
it is not because they are laptops but because they support s/w power-
down that laptops can be turned off by programs. There is nothing to
stop a virus using an INI file to store part of its "works". In fact,
some macro viruses use this for storing counters and some DOS/Win
multipartites modify SYSTEM.INI to ensure that their Windows "resident"
part gets loaded. I don't know TOS, so cannot comment how much of this
applies to it, but most of what James writes off as impossible here has
already been done.]
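The moderator's point about SYSTEM.INI is the one an administrator can act on: if a multipartite has added its Windows-resident part to the load path, the evidence is a line in a plain text file. The following is an added example, not code from the moderator or from any product in this thread; it audits a SYSTEM.INI against an assumed Windows 95 baseline (shell=explorer.exe, a short allowlist of [386Enh] device= entries), and the sample file and the EXTRA.386 name in it are constructed for the example. It does not cover macro viruses that only stash counters in an INI file.

```python
# Win95-era defaults assumed for this example; a real baseline should be taken
# from a known-clean machine running the same Windows build.
EXPECTED = {
    ("boot", "shell"): "explorer.exe",
    ("boot", "drivers"): "mmsystem.dll",
}
# Assumed allowlist of [386Enh] device= entries; anything else is reported.
KNOWN_VXDS = {"*vmcpd", "*vcd", "vshare.386"}


def parse_ini(text: str) -> dict:
    """Minimal INI reader that keeps repeated keys (device= appears many times)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def audit_system_ini(text: str, expected=EXPECTED, known_vxds=KNOWN_VXDS) -> list:
    """Return one finding per line that departs from the baseline."""
    findings = []
    ini = parse_ini(text)
    allow = {v.lower() for v in known_vxds}
    for (section, key), want in expected.items():
        for k, v in ini.get(section, []):
            # compare the whole value: "shell=explorer.exe extra.exe" is the classic hijack
            if k == key and v.lower() != want:
                findings.append(f"[{section}] {key}={v} (expected {want})")
    for k, v in ini.get("386enh", []):
        if k == "device" and v.lower() not in allow:
            findings.append(f"[386Enh] device={v} not in allowlist")
    return findings


# Constructed sample, not from a real machine; EXTRA.386 is a placeholder name.
SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe
drivers=mmsystem.dll
[386Enh]
device=*vmcpd
device=vshare.386
device=C:\\WINDOWS\\SYSTEM\\EXTRA.386
"""

if __name__ == "__main__":
    for finding in audit_system_ini(SAMPLE_SYSTEM_INI):
        print(finding)
```

Run this from a clean boot (the file is read, never executed), and treat every finding as a lead rather than a verdict: legitimate drivers also add device= lines, so the allowlist has to be built from a known-good machine of the same build before the check means anything.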
------------------------------
Date: Fri, 1 Aug 1997 04:28:21 GMT
From: Stuart Rose <rose@clinphys.pmh.toronto.on.ca>
Subject: PS-MPC Virus in Excel Temporary File (PC)
X-Digest: Volume 10 : Issue 91
I have a user who uses Excel 7 of Office 95 fame. We are setup in our
department to run Office 95 from the server. We use McAfee VirusScan 95
(V2.0.8) to dynamically monitor viruses at the desktop.
At one point I was called in and shown a virus alert on his PC, where a
McAfee screen pointed to the PS-MPC.MAYBERRY.OPY.409 virus being
detected. It turns out this file is a temporary file created by Excel
with the original name of C:\WINDOWS\TEMP\~DF9301.TMP.
I have tried my best to track down what this virus is, what its
signature is, and anything else that would be helpful in diagnosing this
event. All major anti-virus sites make no direct reference to this virus
(although there is generic PS-MPC information).
In cleaning the file the first three bytes (CD 21 81) are zeroed and the
trailing 1227 bytes are stripped from the file.
After removing the offending file a new scan of the user's PC revealed
no further viruses. A scan of the server based Excel files shows no
viruses (nor has any other user of Excel reported a virus being found).
Can anyone help me by supplying the virus signature so I can tell why
McAfee is so unhappy?
I am not able to distribute the suspect file as it contains patient
information, and is therefore confidential in nature.
Thanks to all in advance,
Stuart Rose
- -
| Stuart Rose
* |> | Computer Systems Manager
__{_{ | Princess Margaret Hospital
i{_{{_{{_{ | Department of Clinical Physics
/|{_{{_{{_{ | 610 University Avenue, Toronto, Ontario, CANADA. M5G 2M9
(_|_|__|__|_' | mailto:rose@clinphys.pmh.toronto.on.ca
\########/ | Voice: 416-946-2000 x5068, Fax: 416-946-6566
^^^^^^^^^^^^^ | "All I ask is a tall ship and a star to steer her by
..."
------------------------------
Date: Sat, 02 Aug 1997 18:31:39 -0400
From: "Michael P. Di Fulvio" <w3inc@bellsouth.net>
Subject: What is effect of Mona Lisa Virus? (PC)
X-Digest: Volume 10 : Issue 91
A friend loaded and ran the mona.exe file. They have 'seen' no effect.
Since I run a virus check program, it detected the virus and I did not
run the .exe file but removed it quickly.
Can one of you explain what the virus does?
- -miked
------------------------------
Date: 5 Aug 1997 16:50:30 GMT
From: "ALOHA!" <ECHIANG@DIRECT.CA>
Subject: Help: Nasty "MRHU Virus" that I can't get rid of (PC)
X-Digest: Volume 10 : Issue 91
I got a very nasty virus called "MRHU Virus". It was detected by McAfee
3.0.2, but failed to clean it. It says that the virus infects the boot
record of my comp. I know that you could clean it by putting in a clean
boot disk. IT DIDN'T WORK ON MY COMP!!!
I am SCREWED..... The Mcafee doesn't have any remover.
PLEASE HELP!!!
thanx eric
------------------------------
Date: Sun, 03 Aug 1997 02:21:42 -0700
From: "Mark C. Hunt" <mhunt@icis.on.ca>
Subject: Re: Jaz Drives immune from BSIs? (PC)
X-Digest: Volume 10 : Issue 91
I use a jaz drive (at SCSI ID 0, 1 FAT partition) as my boot disk with
an Adaptec 1542CF SCSI controller and no other hard drives on the
system. Works fine. So I can safely say that it does have an MBR, and I
assume it could be infected as any other hard drive.
In the above configuration, I do not need to run the GUEST.EXE to access
the drive (unless I want to run the IOMEGA utilities).
If I add two SCSI hard drives (as SCSI ID 0 & 1) and change the Jaz ID
to 3, then the drive is not visible unless I run GUEST.EXE. From what
I gather, GUEST.EXE acts as an ASPI device driver for the drive (like
Adaptec's ASPIDISK.SYS). Once it is loaded, an MBR virus could infect it
too.
Now, I haven't been able to determine for sure how many primary
partition entries (beyond the one FAT partition entry on the disk) I
can have on the disk (1 or 4). The Jaz drive does have some problems
with partitioning and formatting utilities from what I have read (I think
this has to do with the "Z-tracks" the Jaz drives use to remap bad
tracks, and IOMEGA's implementation of certain "optional" SCSI API
commands).
Probably a bit more info than you wanted, but hope it helps. :-)
- Mark
------------------------------
Date: Wed, 06 Aug 1997 17:17:24 -0500
From: Juan Carlos Donoso <jdonoso@srv1.telconet.net>
Subject: Viruses and Drivespace??? (PC)
X-Digest: Volume 10 : Issue 91
Recently I had the idea to use Drivespace to double my Hard Disk
capacity, but a thought came to my mind.
My chances that a virus strikes my system and makes my HDD inaccessible,
by affecting my MBR and boot sector, are good. These chances will
definitely increase if I use Drivespace to compress my HDD
information???
I think this, because if a virus destroys the files needed by Drivespace
to load the disk, it will be inaccessible the same as it is when a virus
attacks my MBR.
So are the benefits of doubling my 1.2Gb. disk better than the damage a
virus can cause???
BTW, I still don't do the thing, so don't worry, I'll wait your answers.
Any comments or suggestions will be greatly appreciated.
- -
Juan Carlos Donoso
please mailto:jdonoso@srv1.telconet.net
Guayaquil, Ecuador
South America
------------------------------
End of VIRUS-L Digest [Volume 10 Issue 91]
******************************************