[1669] in Virus_Discussion_List
VIRUS-L Digest V10 #92
daemon@ATHENA.MIT.EDU (VIRUS-L/comp.virus Moderator)
Thu Aug 14 21:27:18 1997
Date: Thu, 14 Aug 1997 23:32:12 +0100
Reply-To: virus-l@Lehigh.EDU
From: "VIRUS-L/comp.virus Moderator" <moderator@virus-l.demon.co.uk>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>
VIRUS-L Digest Thursday, 14 Aug 1997 Volume 10 : Issue 92
Today's Topics:
Re: New virus - vir.zip (1/1)
Review of "Underground"
Re: Computer virus vs. A.I.D.S.
Re: List of known viruses?
"Terminal Games" by Perriman
Re: virus alert policies
Re: How to disinfect Word macro virus in PPT file? (MACRO)
Re: Can RTF files contain macro viruses? (MACRO)
EL MALDITO VIRUS WAZZU.GEN (WORD)
Re: About MSWord's alleged macro av (WORD)
Re: NPAD Virus Problem! (WORD)
Re: Word Macro-Virus NOP.A (WORD)
Re: NPAD Virus Problem! (WORD)
Re: Word Macro-Virus NOP.A (WORD)
Re: Macro viruses and Word Viewer (WORD)
Re: NPAD Virus Problem! (WORD)
Re: About MSWord's alleged macro av (WORD)
Re: wm.cap virus on Mac (WORD)
Re: Macro viruses and Word Viewer (WORD)
Re: What does NOP.A do? (WORD)
Re: Macro viruses and Word Viewer (WORD)
Re: POLL: Decrypting Password Protected DOC files (WORD)
HELP virus causing not to boot?? (PC)
INT 24 error - VIRUS?!?! (PC)
Re: IA3076.A virus (PC)
Re: Help Brutus.296 (PC)
Re: Boot Sector Problems (PC)
Re: Latest FILLER virus? - can someone help (PC)
Re: Floppy Format fails (PC)
Re: Is there anything I can do to fix this?! (PC)
Re: Floppy Format fails (PC)
Re: Interested in your Invircible experiences (PC)
Re: Virus payload (PC)
Re: Floppy Format fails (PC)
Pieck.4444 - Virus (PC)
Re: Booting Dr. Solomon S.O.S. disk during install? (PC)
Re: Need info on NCH.B, ZEU.X and NCEPT (PC)
Re: Latest FILLER virus? - can someone help (PC)
Damaged chkmem virus (PC)
Re: Floppy Format fails (PC)
Re: Boot Sector Problems (PC)
Re: I need help fixing a CMOS virus (PC)
Re: I need help fixing a CMOS virus (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is its gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform--diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on ftp.infospace.com/pub/virus-l (IP 206.129.166.107)
or upon request.) Please sign submissions with your real name; clearly
faked or anonymous postings will not be accepted. Some antivirus
documentation, and a full set of back-issues are also archived at
ftp.infospace.com, which is also the home of our FAQ (Frequently Asked
Questions) document.
Administrative mail (e.g., comments or suggestions) should be sent to
me at: nick@virus-l.demon.co.uk. (Beer recipes should still be sent to
Ken van Wyk at: krvw@mnsinc.com.)
VIRUS-L subscribers wanting help with list-processor commands should
send a message to listserv@lehigh.edu with the command "info virus-l"
in the body of the message (the listserv ignores Subject: lines).
All submissions should be sent to: VIRUS-L@lehigh.edu.
Nick FitzGerald
----------------------------------------------------------------------
Date: 6 Aug 1997 07:51:03 GMT
From: doren@slonet.org (Doren Rosenthal)
Subject: Re: New virus - vir.zip (1/1)
X-Digest: Volume 10 : Issue 92
[This is pointlessly cross-posted from alt.comp.virus. To satisfy
Doren's feverish, demented mind, I'm posting it anyway.]
Tarkan Yetiser (tyetiser@ptdprolog.net.com) wrote:
: In article <33e4d1b8.854320@news.dnc.net>,
: rling@dnc.antispam.net says...
: > I think most of us know where Doren is coming from when he said "All
: > are welcome to post this group". By limiting what people can post, you are
: > limiting in a sense who can post.
In a very real sense. The advantage of an unmoderated group is all are
welcome to post here. That can't be said of Nick's comp.virus. (Watch I'll
post this message to both groups). Nick recently posted a binary that he
felt he'd like to share. I posted test binaries here as part of an on-line
experiment that I feel was very informative.
A moderated group will censor whatever it is the moderator feels like. A
few binaries and Hot-Sex ads is a small price to pay for the freedom of
expression we all enjoy here.
So post whatever you like, all are welcome here. Binaries are welcome,
as are complaints about them. Read or ignore what you choose.
Doren Rosenthal
------------------------------
Date: Sun, 20 Jul 1997 17:48:32 -0400 (EDT)
From: "George Smith [CRYPTN]" <70743.1711@COMPUSERVE.COM>
Subject: Review of "Underground"
X-Digest: Volume 10 : Issue 92
Here's a copy of a review of "Underground." It will be in
Crypt News 44 and I'll have it on my Website shortly at
http://www.soci.niu.edu/~crypt/other/drey.htm
George
====================================
Suelette Dreyfus' "Underground" burns the mind
by George Smith, Crypt Newsletter
Crypt News reads so many bad books, reports and news pieces
on hacking and the computing underground that it's a real
pleasure to find a writer who brings genuine perception to
the subject. Suelette Dreyfus is such a writer, and
"Underground," published by the Australian imprint, Mandarin,
is such a book.
The hacker stereotypes perpetrated by the mainstream media include
descriptions which barely even fit any class of real homo sapiens
Crypt News has met. The constant regurgitation of idiot slogans
-- "Information wants to be free," "Hackers are just people who
want to find out how things work" -- insults the intelligence.
After all, have you ever met anyone who wouldn't want their
access to information to be free or who didn't admit to some
curiosity about how the world works? No -- of course not.
Dreyfus' "Underground" is utterly devoid of this manner of
patronizing garbage and the reader is the better for it.
"Underground" is, however, quite a tale of human frailty.
Its strength comes not from the feats of hacking it portrays --
and there are plenty of them -- but in the emotional and physical
cost to the players. It's painful to read about people like
Anthrax, an Australian 17-year old trapped in a dysfunctional
family. Anthrax's father is abusive and racist, so the son --
paradoxically -- winds up being a little too much like him for
comfort, delighting in victimizing complete strangers with mean
jokes and absorbing the anti-Semitic tracts of Louis Farrakhan.
For no discernible reason the hacker repetitively baits
an old man living in the United States with harassing telephone
calls. Anthrax spends months of his time engaged in completely
pointless, obsessed hacking of a sensitive U.S. military system.
Eventually, of course, Anthrax becomes entangled in the Australian
courts and his life collapses.
Equally harrowing is the story of Electron whose hacking pales
in comparison to his duel with mental illness. Crypt News
challenges the readers of "Underground" not to squirm at the
image of Electron, his face distorted into a fright mask of
rolling eyes and open mouth due to tardive dyskinesia,
a side-effect of being put on anti-schizophrenic medication.
Dreyfus expends a great deal of effort exploring what happens
when obsession becomes the only driving force behind her
subjects' hacking. In some instances, "Underground's"
characters degenerate into mental illness, others try to find
solace in drugs. This is not a book in which the hackers
declaim at any great length upon contorted philosophies in which
the hacker positions himself as someone whose function is a
betterment to society, a lubricant of information flow, or
a noble scourge of bureaucrats and tyrants. Mostly, they hack
because they're good at it, it affords a measure of recognition
and respect -- and it develops a grip upon them which goes beyond
anything definable by words.
Since this is the case, "Underground" won't be popular with
the goon squad contingent of the police corp and computer security
industry. Dreyfus' subjects aren't the kind that come neatly
packaged in the "throw-'em-in-jail-for-a-few-years-while-awaiting-trial"
phenomenon that's associated with America's Kevin Mitnick-types.
However, the state of these hackers -- sometimes destitute,
unemployable or in therapy -- at the end of their travails is
seemingly quite sufficient punishment.
Some things, however, never change. Apparently, much of Australia's
mainstream media is as dreadful at covering this type of story as
America's. Throughout "Underground," Dreyfus includes clippings
from Australian newspapers featuring fabrications and exaggeration
that bear almost no relationship to reality. Indeed, in one prosecution
conducted within the United Kingdom, the tabloid press whipped the
populace into a blood frenzy by suggesting a hacker under trial could
have affected the outcome of the Gulf War in his trips through U.S.
computers.
Those inclined to seek the unvarnished truth will find "Underground"
an excellent read. Before each chapter, Dreyfus presents a snippet
of lyric chosen from the music of Midnight Oil. It's an elegant
touch, but I'll suggest a lyric from another Australian band,
a bit more obscure, to describe the spirit of "Underground."
From Radio Birdman's second album: "Burned my eye, burned my mind, I
couldn't believe it . . . "
["Underground: Tales of Hacking, Madness and Obsession on the
Electronic Frontier" by Suelette Dreyfus with research by Julian
Assange, Mandarin, 475 pp. http://underground.org/book
or http://www.underground-book.com]
------------------------------
Date: Sat, 9 Aug 1997 19:12:02 -0400 (EDT)
From: Kenneth Albanowski <kjahds@kjahds.com>
Subject: Re: Computer virus vs. A.I.D.S.
X-Digest: Volume 10 : Issue 92
On Sat, 31 May 1997, Lt Stinger wrote:
> What happens when the person that can make a virus has it rewriting
> Anti-virus programs to make viruses instead of destroying them? It can
> be done. I don't know how but viruses do replicate. It can change
> from one lay out to the codes.
Many viruses can easily be spread by a careless virus scanner. This and
other reasons are why virus scanners are designed to be run without the
virus in memory whenever possible. If the virus isn't running, it can't
subvert the scanner.
--
Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)
------------------------------
Date: 11 Aug 1997 14:11:11 GMT
From: Fagerland@pki.uib.no (Snorre Fagerland)
Subject: Re: List of known viruses?
X-Digest: Volume 10 : Issue 92
: > Michael McGinnis <paddy@montana.com> writes:
: > >Does anyone know where I can obtain a recent downloadable list of CARO
: > >virus names
:
: Let's not talk about other (strange :) ) antiviruses, such as Sophos,
: or AVAST, which names the viruses as virus-1234, or virus 1234, or (ex)
: TBAV which (most times) identifies only families, and has also strange
: names like virus {1}, the_same_virus {2} ...
You could also try the AVID crossref database at
ftp.uib.no/pub/snorre/avid95.zip. It will list what the different
scanners call viruses - but you will need Win95 or NT.
Between Ian's VGREP and my AVID you'd get a reasonable overview.
AVID also gives you the opportunity to make your own databases, if that
would be of interest.
CARO doesn't really publish any good standardised naming anymore -
in AVID I try to follow at least what used to be their naming philosophy.
It is a little old by now - last update was in June - but a new version
is right around the corner.
Best regards,
Snorre Fagerland
Engineer
University of Bergen - Norway
fagerland@pki.uib.no
------------------------------
Date: Mon, 11 Aug 1997 11:00:21 -0500 (EST)
From: "Rob Slade, doting grandpa of Ryan & Trevor" <roberts@mukluk.hq.decus.ca>
Subject: "Terminal Games" by Perriman
X-Digest: Volume 10 : Issue 92
BKTERGAM.RVW 970327
"Terminal Games", Cole Perriman, 1994, 0-553-57243-1, U$5.99/C$7.99
%A Cole Perriman
%C 666 Fifth Ave., New York, NY 10103
%D 1994
%G 0-553-57243-1
%I Bantam Books
%O U$5.99/C$7.99 212-765-6500 http://www.bdd.com
%P 546
%T "Terminal Games"
First off, Cole Perriman is said to be the pseudonym of another writer. I
rather suspect that it is the pseudonym of at least two other writers, since
that is the easiest explanation of the rather dichotomous writing involved
here. In some places there is a very nice feel for technology, some other
passages demonstrate the usual flights of, well, fantasy.
The terminal games of the title revolve around an online service called
Insomnimania. The description of the technology fits an expansion of MUD
(multi-user domain) gaming: basically conversation between online users. The
addition of cartoon "virtual reality" is well within acceptable limits, and the
"bots" (automated response programs) are credible as well. The online
conversations are reasonably characteristic of what goes on in MUDs and IRC
(Internet Relay Chat), although all the users seem to be B1FF clones.
Everything is upper case, most of the conversation is trivial, and it is hard
to accept construction like "REEEEEEEL WURLD" as the kind of timesaving
abbreviation convention that professional businesspeople would use. I'm
pleased to see that at least one writer realizes that computer crackers and
phone phreaks do not come in the same package.
The business model for Insomnimania doesn't quite work. There is no mention of
networks: everybody is direct dial, even those (many) from across the country.
The two asocial nerds who run the place are unlikely to be the types to provide
a level of service necessary to keep such a tony (and well heeled) clientele
online. There also doesn't appear to be any reason for the business hours
shutdown of the service: this harks back to the early days of CompuServe and
the Source (remember them?) when hobbyist systems ran on the unused time of
business systems.
The psychology of the plot is a bit better. Real time chat, in whatever guise,
is extremely popular as a recreation. The denizens of Insomnimania seem to be
remarkably polite; there doesn't appear to be any flaming, spamming, or loud
activity by determinedly obnoxious newbies; but I've seen similar levels of
interaction on many different systems and technologies. The plot makes much of
an effect "pulling" users increasingly "into" the virtual world. I'm not quite
as comfortable with that. The book speaks of users "hearing" conversations
typed online: I have, myself, auditory memories of dialogues that were only
typed, but I suspect that the phenomenon has more to do with memory encoding
than personality disorder. The big surprise twist ending is a) not too hard to
figure in advance and b) a little too far out.
There is also a laughable description of a virus "zoo" in the book. Whether
the writer(s) know it or not, zoo is actually the term used to describe a
collection of sample computer viruses. A real zoo, though, is simply a pile of
disks, or a directory full of files. There is absolutely no need whatsoever to
keep viruses "alive" on running computers. In fact, a collection of obsolete
computers *couldn't* keep viruses alive, since very few of those old machines
had any viruses written for them. (Oh, and one more thing. If you do keep a
virus zoo, it isn't necessary to keep feeding the little beasts accounting
programs to keep them alive. They don't "consume" code.)
copyright Robert M. Slade, 1997 BKTERGAM.RVW 970327
======================
roberts@decus.ca rslade@vcn.bc.ca rslade@vanisl.decus.ca
"The only thing necessary for the triumph of evil is for good men to do
nothing." - Edmund Burke http://www2.gdi.net/~padgett/trial.htm
------------------------------
Date: Tue, 12 Aug 1997 08:00:11 GMT
From: ChekWARE@Cavalry.com (Martin Overton)
Subject: Re: virus alert policies
X-Digest: Volume 10 : Issue 92
On 9 Aug 1997 20:35:06 -0000, "J. David Stanton, Jr."
<jstanton@coin.state.pa.us> wrote:
>Does anyone in an IS role supporting hundreds of PCs have a
>policy, or consistent practice, concerning virus alerts? If
>so, what is your policy? What are your reasons for it? How
>are alerts disseminated, and to whom?
Yes, I do a lot of work for a large international company with over
40,000 staff worldwide and at least 15,000 PC's.
Your experiences with others passing these alerts around, either hoax
or trojans are not uncommon. These are the practices that I have
recommended, and the reasons for them.
1. Only security should send out alert messages, and only then if they
have a solution to the problem.
Why? Because then you have an official path of communication and a
single point of contact for further information. It is no good sending
out an alert which will panic the user community if you have nothing
to offer to either debunk it as a myth or to counter it.
2. That all information about these alerts found by concerned or
interested parties should be passed to the security contact above
only, and not passed on by them to other third parties.
Why? This shows that instead of clamping down on them that you value
their input into making their computing safer.
3. To Whom? Well to all department managers, technical support teams
so that they can distribute as required to their customer base on a
need to know basis.
Why? This again informs those that need to know without risking
panicking the rest of the company that are unlikely to see or care
about the perceived threat.
>Your answers to these questions, and any other information
>on the subject would be greatly appreciated. Please respond
>directly to me, and I will summarize for the list.
I have done so, but am posting here to help others in the same
predicament.
Hope this helps?
Regards,
Martin Overton - Author of ChekMate - ChekWARE@Cavalry.com
| ChekMate: a Generic Anti-Virus Utility for DOS, OS/2 and Win (3.x, |
| 95 and NT). Detects Known and UNKNOWN Viruses, incl Word Macro(s). |
| Cleans documents of macro viruses. Registered version can remove |
| Boot and Partition Sector viruses from memory and hard disk. |
+---------------------------------------------------------------------+
2.20 Now Available: Web site http://www.salig.demon.co.uk/cmindex.htm
------------------------------
Date: Mon, 11 Aug 1997 20:50:00 +0100
From: Dmitry Gryaznov <er86@dial.pipex.com>
Subject: Re: How to disinfect Word macro virus in PPT file? (MACRO)
X-Digest: Volume 10 : Issue 92
Vesselin Bontchev wrote:
> Tom Hall <tom_hall@ctp.com> wrote:
> > I have a powerpoint slide with a Word Macro virus....
>
> I don't think that this is possible - even if you try to embed an
> infected Word document in the slide, its macros will be stripped.
No, they won't.
> What
> makes you think that you have a virus?
A scanner?
--
Sincerely, | VirusLab, Dr.Solomon's Software Ltd.
Dmitry O. Gryaznov | Alton House, Office Park, Gatehouse Way,
Senior Research Consultant | Aylesbury, Bucks HP19 3XU, United Kingdom
E-mail: grdo@dial.pipex.com | Tel: +44 (0)1296 318700
WWW: http://www.drsolomon.com | Fax: +44 (0)1296 318734
------------------------------
Date: Tue, 12 Aug 1997 07:32:42 GMT
From: elsbury@ibm.net (John Elsbury)
Subject: Re: Can RTF files contain macro viruses? (MACRO)
X-Digest: Volume 10 : Issue 92
>: Graham Cluley (sandspm@cix.compulink.co.uk) wrote:
>: : Yes, Rich Text Format (RTF) files don't contain macros. So it's a very
>
>Slawomir Marczynski (slawek@arcadia.tuniv.szczecin.pl) wrote:
>: RTF files don't contain macros. (True - no viruses)
>
>True--as far as it goes--but ever so slightly misleading. A macro
>virus can't be saved in a file that is using RTF format, but it *can*
>save an infected file with any extension--including .RTF. (Recall the
>recent note about an infection in a .TXT file.)
<snip>
I have seen two files with an .RTF extension infected with WM.CAP.A -
the virus had fooled the user into thinking they had saved the
document successfully in .RTF format, whereas it was in fact still a
Word document (or perhaps more properly a template?).
I heard a rumour recently that the author of WM.CAP.A is now employed
by an antivirus outfit? Anybody know if this is true? Poacher turned
gamekeeper, indeed, if true...
John
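
Added example (not part of the original post or of the digest): a check
for the case described above, a file named .RTF (or .TXT) whose contents
are still a Word binary document. It assumes Word 6/95/97 documents are
OLE2 compound files that begin with the signature D0 CF 11 E0 A1 B1 1A E1
and that genuine RTF begins with {\rtf; the function names and the sample
files are constructed for illustration.

```python
import os
import tempfile

# Assumption: Word 6/95/97 .DOC/.DOT files are OLE2 compound files, which
# always start with this 8-byte signature. Genuine RTF starts with "{\rtf".
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
RTF_MAGIC = b"{\\rtf"

# Extensions users tend to treat as "cannot carry macros".
MACRO_FREE_EXTENSIONS = {".rtf", ".txt"}


def sniff_format(path):
    """Classify a file by its leading bytes, ignoring its name."""
    with open(path, "rb") as fh:
        head = fh.read(512)
    if head.startswith(OLE2_MAGIC):
        return "ole2"      # macro-capable container (Word document/template)
    if head.startswith(RTF_MAGIC):
        return "rtf"
    if not head:
        return "empty"
    if b"\x00" in head:
        return "binary"
    return "text"


def find_disguised(root):
    """Return sorted (relative path, format) pairs for files whose extension
    promises a macro-free format but whose content is an OLE2 container."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in MACRO_FREE_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                fmt = sniff_format(path)
            except OSError:
                continue   # unreadable file: skip rather than abort the scan
            if fmt == "ole2":
                findings.append((os.path.relpath(path, root), fmt))
    return sorted(findings)


def build_samples(root):
    """Write constructed sample files (headers only, no real documents)."""
    fake_word = OLE2_MAGIC + b"\x00" * 504
    samples = {
        "report.rtf": b"{\\rtf1\\ansi Quarterly report}",  # genuine RTF
        "memo.rtf": fake_word,        # "saved as RTF" but still Word format
        "MEMO2.RTF": fake_word,       # same, upper-case extension
        "notes.txt": b"plain text\r\n",
        "list.txt": fake_word,        # Word format under a .TXT name
        "letter.doc": fake_word,      # honest name, so not reported
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_samples(root)
        return find_disguised(root)


if __name__ == "__main__":
    for rel_path, fmt in demo():
        print(f"{rel_path}: extension says macro-free, content is {fmt}")
```

A hit only means the file is a macro-capable container under a misleading
name; it still has to go through a scanner to learn whether it is infected.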
------------------------------
Date: Fri, 08 Aug 1997 17:12:29 -0500
From: "Armando de Jesus Garcia Villegas" <garciav@infosel.net.mx>
Subject: EL MALDITO VIRUS WAZZU.GEN (WORD)
X-Digest: Volume 10 : Issue 92
como se quita este mugroso virus!
es un macrovirus y me esta dando muchos dolores de cabeza.
te agradecer cualquier ayuda al respecto
-------------------------------------------------------------------
How can I get rid of this "Dirty" Virus!
It is a macrovirus and it's giving me a headache.
I would be very grateful for any help with it.
[Moderator's note: Translation kindly provided by Ruben M. Arias
(Ruben@RALP.Satlink.net). Responses in Spanish by direct Email please.]
------------------------------
Date: 10 Aug 1997 13:57:42 -0000
From: bontchev@complex.is (Vesselin Bontchev)
Subject: Re: About MSWord's alleged macro av (WORD)
X-Digest: Volume 10 : Issue 92
Eric Peterson <erp@tellabs.com> wrote:
> Some antivirus programs do not catch all macro viruses - Dr. Solomon
> (being used by one division of our company) for example does not seem
> to find "Cap.A" yet.
Probably your version is not up-to-date; Dr Solomon's scanner catches
CAP.A just fine.
> One thing that even *real* anti-virus programs do not seem to do yet is
> to catch the opening of infected documents that are stored on a Unix
> file server,
Why not? Doesn't the Unix server look like a DOS drive to the
workstations? Then an on-access scanner installed on these workstations
should have no problem detecting viruses in the documents opened from
the server, and on-demand scanners should be able to scan the server
just like any other disk drive.
> As for "mating" viruses and the production of new variants, I would be
> interested in knowing more about this - how serious a problem is it?
It is quite serious. I don't have exact statistics, but dozens of new
macro virus variants have been produced by snatching macros from
legitimate macro packages. This happens most often with ScanProt -
because this is usually what the users install when they suspect a macro
virus.
> I have read also some recommendations to make the "normal.dot" file
> read-only, except that viruses can then remove this attribute. One
> could take this one step further and use NT file permissions (even
> change the owner) to block modification of this file.
This is unlikely to be much more effective than setting the ReadOnly
attribute. Don't forget that a virus always runs with the privileges of
the user who has executed it. Furthermore, macro viruses infect even if
the disk image of the global template is not infected. Finally, there
are several macro viruses which replicate successfully without even
trying to infect Normal.dot.
> If an opened file is read-only, do viruses also have the capability to
> remove this attribute as well so that they can write (and infect) the
> file?
No. However, they can remove the attribute when the file is closed.
Regards,
Vesselin
--
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44 E5 F7 C3 18 EA 2B AE 4E
------------------------------
Date: 10 Aug 1997 14:01:44 -0000
From: bontchev@complex.is (Vesselin Bontchev)
Subject: Re: NPAD Virus Problem! (WORD)
X-Digest: Volume 10 : Issue 92
Bill Stamp <bstamp@guthrie.inet.com> wrote:
> Very simply, we have an NPad Virus that has infected our Word 7.0
> software such that the normal.dot, even once erased, keeps coming back
> with the infection.
That simply means that the virus has also infected some documents and
keeps coming back from them.
> I've looked for explanations on how to remove, but being a virus
> neophyte, much of it is greek.
Then it would be best if you use an anti-virus program and let it do the
work.
> Can someone point to an effective AV, or process?
Our F-MACROW is quite good - but then, I am biased, of course. :-)
Regards,
Vesselin
--
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44 E5 F7 C3 18 EA 2B AE 4E
------------------------------
Date: 10 Aug 1997 14:05:03 -0000
From: bontchev@complex.is (Vesselin Bontchev)
Subject: Re: Word Macro-Virus NOP.A (WORD)
X-Digest: Volume 10 : Issue 92
Matthias Orphal <orphal@berlin.snafu.de> wrote:
> Hi, unfortunately I've caught last week my first Word-Macro-Virus:
> NOP.A (according to F-Prot 2.27 / F-Macrow 1.04)
It is one of the most widespread viruses in Germany.
> What kind of actions does this Virus start? I "only" remarked that it
> infected my normal.dot, but nothing more. How dangerous is it?
None - it just replicates. And, of course, converts the infected
documents to Templates, which is a major annoyance.
Regards,
Vesselin
--
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44 E5 F7 C3 18 EA 2B AE 4E
------------------------------
Date: Sun, 10 Aug 1997 15:43:54 -0500
From: Tom Mullin <atmullin@pnx.com>
Subject: Re: NPAD Virus Problem! (WORD)
X-Digest: Volume 10 : Issue 92
In my job as a network administrator, I have to fend off these puppies
all the time. See my article at:
http://www.pnx.com/atmullin/Articles.htm
under "Your Computer", "About Viruses". It is really aimed at the novice
user, but I do list resources at the end of it.
I have a day job and I'm not selling anything.
I just like to teach.
--
Tom Mullin
http://www.pnx.com/atmullin/
------------------------------
Date: Sun, 10 Aug 1997 15:52:29 -0500
From: Tom Mullin <atmullin@pnx.com>
Subject: Re: Word Macro-Virus NOP.A (WORD)
X-Digest: Volume 10 : Issue 92
Look at http://www.pnx.com/atmullin/Articles.htm under "Your
Computer","About Viruses" for a list of anti-virus sites that maintain
databases of viruses and what they can do to you.
--
Tom Mullin
http://www.pnx.com/atmullin/
------------------------------
Date: Mon, 11 Aug 1997 02:44:03 GMT
From: aeb88@pipeline.com (Arthur E. Blossom)
Subject: Re: Macro viruses and Word Viewer (WORD)
X-Digest: Volume 10 : Issue 92
"Brian J. Fillery" <bfillery@gil.com.au> wrote:
>If I am using the Word Viewer to look at Word for Windows docs would I
>be in danger of infecting anything with a Macro virus? I don't really
>see how they could affect the Viewer but does anyone know?
No because the viewer doesn't execute macros. However, the danger
exists if you click Open for Write as that will launch MS Word.
Arthur
--
Arthur E Blossom IBM AntiVirus services
--
------------------------------
Date: Mon, 11 Aug 1997 09:05:30 +0300
From: Zvi Netiv <netz@actcom.co.il>
Subject: Re: NPAD Virus Problem! (WORD)
X-Digest: Volume 10 : Issue 92
Bill Stamp <bstamp@guthrie.inet.com> wrote:
> Very simply, we have an NPad Virus that has infected our Word 7.0
> software such that the normal.dot, even once erased, keeps coming back
> with the infection.
>
> I've looked for explanations on how to remove, but being a virus
> neophyte, much of it is greek.
>
> Can someone point to an effective AV, or process?
The latest InVircible, just released, has multi layer protection
against Word macro malware.
The IV Macro Sweeper will clean affected docs and templates,
on demand.
The IV Interceptor provides real time protection, with option to
clean macros on-the-fly.
The IV Watchdog provides on-access alerting with optional
on-the-fly cleaning.
All modules are generic and work effectively against Word
macros, known and new.
Regards, Zvi
--------------------------------------------------------------------
NetZ Computing Ltd.Israel Producer of InVircible ResQdisk & ResQdata
Voice +972 3 938 6868, +972 52 494 017 (mobile) Fax +972 3 938 6869
www.invircible-av.com www.Second-Sight.co.uk www.invircible.com
ftp://ftp.netzcomp.com/private/netz/ Compuserve forum: go INVIRCIBLE
E-mail: netz@actcom.co.il netz@netzcomp.com Compuserve: 76702,3423
--------------------------------------------------------------------
------------------------------
Date: Mon, 11 Aug 1997 13:32:05 GMT
From: thomas.bjorseth@bi.no (Thomas Bjorseth)
Subject: Re: About MSWord's alleged macro av (WORD)
X-Digest: Volume 10 : Issue 92
On 9 Aug 1997 20:35:18 -0000, Eric Peterson <erp@tellabs.com> wrote:
<snip>
>I think that ScanProt is an "OK" tool; I don't agree (based on our
>situation) that it is a *very* bad idea. It's true that it can give a
>false sense of security, and it can be bypassed, but we are using it to
>supplement our use of Norton AntiVirus, which does detect and repair
>macro viruses (so far we have seen only Cap.A and Npad.A).
Saying that Scanprot is OK is the same as telling everyone that they
can download it and trust it to prevent macro viruses from infecting
their system. This is not true! Trust your commercial AV product and
remove Scanprot.
If you use one of the major AV products and keep it updated, there is
no need to use Scanprot. It doesn't detect anything but some of the
first simple macro viruses (Concept).
Telling a computer novice that Scanprot is sufficient is the same as
telling them to leave their door unlocked at night, because after all,
the door is closed so no one can get in...
>Some antivirus programs do not catch all macro viruses - Dr. Solomon
>(being used by one division of our company) for example does not seem
>to find "Cap.A" yet.
Are you _really_ sure that what you are telling is the truth? Download
the evaluation copy of DrSol and get a surprise...
<snip>
>I have read also some recommendations to make the "normal.dot" file
>read-only, except that viruses can then remove this attribute. One
>could take this one step further and use NT file permissions (even
>change the owner) to block modification of this file.
....but how many regular users out there use Win NT?
Write-protecting the Normal.dot will only slow down the process, not
stop it completely. To do that you need an AV product that can find
and remove viruses.
>If an opened file is read-only, do viruses also have the capability to
>remove this attribute as well so that they can write (and infect) the
>file?
If the file is read-only then the user won't be able to save the
changes either... The user has to save the document with a new name,
but (s)he'll save the virus as well. The original file will be clean,
but the newly saved copy will be infected.
The safest thing is to get an on access scanner that will find and
remove viruses before they can cause any damage.
Regards,
Thomas B
------------------------------
Date: Mon, 11 Aug 1997 23:46:29 +1000
From: William Jacomb <wjacomb@connexus.apana.org.au>
Subject: Re: wm.cap virus on Mac (WORD)
X-Digest: Volume 10 : Issue 92
Rick Boisvert <rick.boisvert@crc.doc.ca> wrote:
> Have found the Word virus "wm.cap" on my Macintosh. Scanprot and SAM
> won't remove it, neither will Dr. Solomon's.
I have used a number of viral scanners as a mac technician. The only one I
have found to consistently and reliably work is Virex. For most Word
Viruses it will not only clean but reconvert back into a standard word
document.
Also the technical support from Data Watch is superb as well as the updates.
If you need further help, please feel free to contact me.
Yours Aye
William Jacomb
------------------------------
Date: Mon, 11 Aug 1997 13:58:33 GMT
From: thomas.bjorseth@=nospam=bi.no (Thomas Bjorseth)
Subject: Re: Macro viruses and Word Viewer (WORD)
X-Digest: Volume 10 : Issue 92
On 10 Aug 1997 21:58:48 -0000, "Brian J. Fillery"
<bfillery@gil.com.au> wrote:
>If I am using the Word Viewer to look at Word for Windows docs would I
>be in danger of infecting anything with a Macro virus? I don't really
>see how they could affect the Viewer but does anyone know?
Word Viewer does not support macros, so you are safe. You will not be
infected from opening an infected document in Word Viewer.
Regards,
Thomas B
[Moderator's note: ...so long as you do not go on to open them in
Word. Word Viewer does not *remove* macros--it simply ignores them.]
------------------------------
Date: Mon, 11 Aug 1997 09:59:25 -0700
From: Frederic Marchal <frederic.marchal@fundp.ac.be>
Subject: Re: What does NOP.A do? (WORD)
X-Digest: Volume 10 : Issue 92
Matthias Orphal wrote:
> Hi, unfortunately I've caught last week my first Word-Macro-Virus:
> NOP.A (according to F-Prot 2.27 / F-Macrow 1.04)
> What kind of actions does this Virus start? I "only" remarked that it
> infected my normal.dot, but nothing more. How dangerous is it?
http://www.avp.ch/avpve/ will explain it better than I can.
Frederic
------------------------------
Date: Mon, 11 Aug 1997 21:31:46 GMT
From: jelsbur@clear.co.nz (John Elsbury)
Subject: Re: Macro viruses and Word Viewer (WORD)
X-Digest: Volume 10 : Issue 92
On 10 Aug 1997 21:58:48 -0000, "Brian J. Fillery"
<bfillery@gil.com.au> wrote:
>If I am using the Word Viewer to look at Word for Windows docs would I
>be in danger of infecting anything with a Macro virus? I don't really
>see how they could affect the Viewer but does anyone know?
The viewer itself operates like a dumbed-down version of Word - it
doesn't understand macros and has no NORMAL.DOT template to get
infected. You can therefore read WMV-infected documents safely. You
can even copy from it and paste into a new Word x document. I have
used this technique in the past to recover document contents when
they were infected. It's also a good way of "defragmenting" Word
documents.
There is a risk that you might not realise that an infected document
_is_ infected, and that you might send it on to somebody else
believing it is safe. You should consider getting hold of a good
on-access scanner, keeping it up to date, and using it all the time.
Hope this helps
John
------------------------------
Date: Mon, 11 Aug 1997 22:53:47 -0400
From: tyetiser@ptdprolog.net.com (Tarkan Yetiser)
Subject: Re: POLL: Decrypting Password Protected DOC files (WORD)
X-Digest: Volume 10 : Issue 92
In article <0015.871343516.064141.0@virus-l.demon.co.uk>,
bonninga@argonet.co.uk says...
> In article <0025.01IJEQI2VNI28WXS06@csc.canterbury.ac.nz>, "Chengi J. Kuo"
> <cjkuo@alumnae.caltech.edu> wrote:
> > Assuming that an antivirus product will be able to detect a virus in a
> > file, even if it's password protected, how would you users out there
> > want/expect this mechanism to work?
> >
> > Please feel free to suggest other scenarios
> > if these "development's side" views don't fit... (To me, this seems to
> > encompass all possibilities, but hey...)
> >
> > 1) If the file is passworded and has a virus, remove virus, remove
> > password.
> >
> > 2) If the file is passworded and has a virus, remove virus, leave
> > password.
>
> How about a really revolutionary option - let the user choose (eg by
> parameter or on a file by file basis?)
The revolution is over ;-) Perforin will scan and disinfect password-
protected Word 6/7 documents WITHOUT disturbing the password protection.
You will see on screen and in the log file the password it discovered.
It's not a good thing to remove passwords from user's documents willy-
nilly, and there's no need to force this to be the only option. It can be
done transparently. Just a matter of implementing it properly.
- -
Regards
Tarkan Yetiser
VDSARG
tyetiser@vdsarg.com
http://www.vdsarg.com
data != information != knowledge != perspective != wisdom
Perforin for WinWord finds and removes macro viruses.
..
------------------------------
Date: 9 Aug 1997 15:50:33 -0400
From: Jodi Ann Mastronardi <74543.1723@CompuServe.COM>
Subject: HELP virus causing not to boot?? (PC)
X-Digest: Volume 10 : Issue 92
Yesterday, my roommate turned on her computer, and it refused to
boot, coming up with an error that the Dynamic drive Overlay had
an error. We booted from a Windows 95 boot disk and an F-Prot
boot disk and got into the A:\ prompt. We were even able to scan
the MBR, and were told we had the ripper virus. But we can see
the hard drive to scan or clean it. Attempting to change
directories to C:\, we get a message that the drive does not
exist.
Is this being caused by the virus? Can anyone else us get the
computer to boot?
TIA
Jodi
------------------------------
Date: Sun, 10 Aug 1997 15:50:13 GMT
From: tbarnett@awod.com (WaReZ tHe bEEf)
Subject: INT 24 error - VIRUS?!?! (PC)
X-Digest: Volume 10 : Issue 92
I just reformatted my 2.1 gig drive, installed osr2, and copied all my
old files (no files were executed from the old drive) from the old
drive. Right after I copy the old stuff I reboot the PC and get a
'GENERAL FAILURE READING DRIVE C:' message. I hit 'R' to retry and get
an INT 24 error. The last time I ran FDISK on the drive it had 2
partitions on it, and I only had 1 to begin with, I'm going to install
virus shield before I copy the old stuff next time. I ran McAfee
(latest version) VirusScan on it and it came up with nothing.
------------------------------
Date: Sun, 10 Aug 1997 15:45:17 -0500
From: Tom Mullin <atmullin@pnx.com>
Subject: Re: IA3076.A virus (PC)
X-Digest: Volume 10 : Issue 92
Sometimes we have to use several brands of anti virus before we can get
a particular variety fixed.
See: http://www.pnx.com/atmullin/Articles.htm under "Your
Computer","About Viruses."
- -
Tom Mullin
http://www.pnx.com/atmullin/
------------------------------
Date: Sun, 10 Aug 1997 15:50:27 -0500
From: Tom Mullin <atmullin@pnx.com>
Subject: Re: Help Brutus.296 (PC)
X-Digest: Volume 10 : Issue 92
See: http://www.pnx.com/atmullin/Articles.htm under "Your
Computer","About Viruses."
I find that sometimes you have to throw several anti-virus programs at
a problem before you find one that works.
Try PC-Cillin on this one.
- -
Tom Mullin
http://www.pnx.com/atmullin/
------------------------------
Date: Sun, 10 Aug 1997 19:21:01 -0300
From: christopher_hume@bigfoot.com (Christopher Hume)
Subject: Re: Boot Sector Problems (PC)
X-Digest: Volume 10 : Issue 92
In article <0031.871134761.1113148.0@virus-l.demon.co.uk>,
peg@acpub.duke.edu says...
> I contracted a boot virus on my computer and cleaned it with McAfee
> virus scan utility, but now my boot sector is screwed up. The computer
> stops at the A drive saying "non system disk or disk error" and will not
> continue. I've entered setup and changed the boot sequence, as well as
> uninstalling the A drive. That causes booting to stop at the C drive
> giving the same error message -- "non system disk or disk error." I
> made a Win 95 start up disk, and that allows me to boot to a prompt,
Being able to boot to a prompt with a Win95 start-up disk is a good sign.
It sounds like McAfee did get rid of the virus.
> but I don't know what to do from there. I ran scandisk and it found no
> errors on the C drive.
Another good sign. No disk errors.
> How can I repair the boot sector with the tools
> on the startup disk? Are there specific files that contain the boot
> code that I can simply replace, or are there any applications that can
> help me? If possible, please e-mail me in addition to posting. Thanks
> in advance for any assistance!
There are some specific files in addition to the boot sector that are
required to boot. With your Win95 start-up disk in drive, change to the
drive that you put the disk in. Now type SYS C:
This should copy all necessary boot files to your hard drive (they are
among the files that are on the Win 95 start-up disk).
You should reboot your system. If everything works fine, your system
should now boot normally. I hope this helps.
As requested, also sent via e-mail.
Regards,
Christopher
------------------------------
Date: Sun, 10 Aug 1997 17:54:19 -0500
From: Tom Mullin <atmullin@pnx.nospam.com>
Subject: Re: Latest FILLER virus? - can someone help (PC)
X-Digest: Volume 10 : Issue 92
Look at the bottom of the article at
http://www.pnx.com/atmullin/virus.htm and get some more brands of
anti-virus programs.
No one anti-virus program does it all. That's why there are several
choices.
- -
Tom Mullin
http://www.pnx.com/atmullin/
------------------------------
Date: Sun, 10 Aug 1997 21:59:33 -0400
From: Stuart Carter <StuartC@BellSouth.Net+++>
Subject: Re: Floppy Format fails (PC)
X-Digest: Volume 10 : Issue 92
> > With several machines on a network (3) if you format the A: drive it
> > completes the format (format complete) then gets: 'general failure
> > reading drive a:' and if you select f for fail it says 'invalid media or
> > track 0 bad, disk unusable'
>
> AFAIK I don't have any viruses, my disk drives are working all right,
> and still this happens to me, too, rather often - except that it
> doesn't even complete the format, it doesn't even start it! And I've
> had it happen on several completely different computers, too.
>
> I've kind of come to the conclusion that the problem is simply that
> 1.44 MB floppies tend to be abysmally bad. But since they tend to come
> pre-formatted these days, the solution is simple: don't try to reformat
> them.
I agree. I bought several hundred generic disks last year. The failure
rate is very high. Name brand disks usually have max 3/10 bad to less
than 1/10 bad over one year. The several generic brands I bought went
from max 10/10 to 5/10.
I have gone to TDK and SONY for my disks and bought a tape drive for
even small backups.
Stuart
------------------------------
Date: Mon, 11 Aug 1997 02:05:53 GMT
From: genew@vip.net (Gene Wirchenko)
Subject: Re: Is there anything I can do to fix this?! (PC)
X-Digest: Volume 10 : Issue 92
james <H.Micklem@ed.ac.uk> wrote:
>I just joined an underfunded organisation that has a Digital DEC pc 425
>(Olivetti motherboard) which has been out of action for the last few
>months, so I was trying to resuscitate it. Apparently people who were
>here before tried and failed.
>
>When it's powered up, the Resident Diagnosis chugs through its stuff
>ok:
>
>"CPU (i486SX) pass
>Base memory 640kb
>Extended memory 3328kb
>Dedicated memory 128kb
>Total memory 4096kb
>Cache memory pass
>Parity circuitry pass
>Interrupt Controllers pass
>DMA Controllers pass
>Keyboard pass
>Parity Device pass
>CPU Protected Mode pass
>CMOS RAM pass
>Fixed disks 1 present
>Floppy disks 1 present"
>
>until it gives the message:
>
>"System Configuration Error - RUN SETUP"
<<snip>>
>"Magic Bullet has detected the possible presence of a virus such as
>EXEBUG or PURCYST! These viruses alter you CMOS settings so that a
>boot from C; occurs before booting from A:" or "CMOS resports that you
>do not have an A:drive. This may indicate the presence of a virus such
>as EXEBUG. Please enter a number that describes the type of drive you
>have from the following list:
<<snip>>
When was the CMOS battery last replaced? It may be dead. The
CMOS settings get corrected by Magic Bullet, but when the power is
dropped, they are lost.
This may not be the only thing wrong with the system, but it is
the first to nail.
>Many thanks!
You're welcome.
Sincerely,
Gene Wirchenko
C Pronunciation Guide:
y=x++; "wye equals ex plus plus semicolon"
x=x++; "ex equals ex doublecross semicolon"
------------------------------
Date: Sun, 10 Aug 1997 22:08:14 -0400
From: Randolph Scott <momola@interport.net>
Subject: Re: Floppy Format fails (PC)
X-Digest: Volume 10 : Issue 92
it also depends on what type of computer you have. compaqs are known to
have problems reading and writing to their floppy drives. i was doing
support at a company where roughly one out of every two compaqs had
problems with their floppys.
just a thought.
Randy
[Moderator's note: *Especially* true of desktop cases standing on their
side, regardless of brand.]
------------------------------
Date: Sun, 10 Aug 1997 22:01:52 -0600
From: gwenzel@gpu.srv.ualberta.ca (George Wenzel)
Subject: Re: Interested in your Invircible experiences (PC)
X-Digest: Volume 10 : Issue 92
Scott Keegan says...
>I know there was quite a bit of traffic about the Invircible product
>some time ago, but I'm wondering what have been your experiences with
>this product recently and what the general opinion of the anti-virus
>community is on Invircible.
I do NOT recommend InVircible to anybody looking for an anti-virus.
There are better products out there.
Aside from that, the producer of InVircible (Zvi Netiv) generally
will not answer questions about his product (at least, not from me).
He also attacks critics of InVircible by insulting them and
criticizing their credentials, rather than addressing the issues they
raise.
Mr. Netiv also often says that problems people raise about his product are
not problems at all - for example, InVircible has been found by many
people to false alarm when no virus is present. Zvi dismisses these
claims by saying that the reports aren't false alarms (when everybody
else seems to think they are).
>Any information would be greatly appreciated but please, no spam about
>your own product.
I don't have my own product, so no spam here. :-)
- -
George Wenzel <gwenzel@gpu.srv.ualberta.ca>
Club Secretary & Webmaster,
University of Alberta Karate Club
http://www.ualberta.ca/~gwenzel/
------------------------------
Date: Mon, 11 Aug 1997 09:05:33 +0300
From: Zvi Netiv <netz@actcom.co.il>
Subject: Re: Virus payload (PC)
X-Digest: Volume 10 : Issue 92
Laszlo Marshall <laszlom@email.njin.net> wrote:
> I know you're busy, but hopefully one of you can recognize my problem
> and offer some advice. I've been doing fine in the anti-viral field,
> however one particular situation remains a dilemma every time it pops
> up. Someone will give me a hard drive to clean with a virus supposedly
> on it. After running McAfee and checking all the basics, I'll find a
> subdirectory or two with filenames listed as strange characters such as
> happy faces and other ASCII 'letters'. File sizes have been
> misreported by impossible sums, and these files cannot be removed from
> the hard drive. Usually this spreads until the disk has to be
> reformatted.
As pointed to you by Nick, the irregular directories are most
likely corrupted long filename structures after being fiddled
with AV software, after clean booting with an incompatible
operating system.
Since one cannot predict under what OS the drive to clean was
running, then prepare a boot floppy with the latest OS,
currently OSR2 (Windows 95, FAT-32 capable). The higher OS are
compatible with former OS file systems, the other way round
is not always true.
> No matter if the anti-viral package reports a virus or not, the payload
> remains and seems to be irreversible. Is there a way to stop this? I
> boot from a clean, write-protected disk, and have done this procedure
> hundreds of times. Why is this particular one appearing to be
> unstoppable?
No virus "payload" involved, just self inflicted file system
damage, with the courtesy of the wrong operating system when
externally booting.
Regards, Zvi
- --------------------------------------------------------------------
NetZ Computing Ltd.Israel Producer of InVircible ResQdisk & ResQdata
Voice +972 3 938 6868, +972 52 494 017 (mobile) Fax +972 3 938 6869
www.invircible-av.com www.Second-Sight.co.uk www.invircible.com
ftp://ftp.netzcomp.com/private/netz/ Compuserve forum: go INVIRCIBLE
E-mail: netz@actcom.co.il netz@netzcomp.com Compuserve: 76702,3423
- --------------------------------------------------------------------
------------------------------
Date: Mon, 11 Aug 1997 07:45:15
From: padgett@goat.orl.mmc.com (Padgett 0sirius)
Subject: Re: Floppy Format fails (PC)
X-Digest: Volume 10 : Issue 92
>In article <0034.01IJEQI2VNI28WXS06@csc.canterbury.ac.nz>, From Warren
>Contreras <quest@teleport.com>, the following was written:
>> With several machines on a network (3) if you format the A: drive it
>> completes the format (format complete) then gets: 'general failure
>> reading drive a:' and if you select f for fail it says 'invalid media
>> or track 0 bad, disk unusable'
MS-DOS is incredibly stupid and with DOS 6.x it started checking for a "90"
(NOP) in the third byte. If not found, it reports exactly what you are
seeing.
The really weird part is that about that time, MASM stopped putting a "90"
after every short JMP. I had to change the code in FixFBR to correct this.
A. Padgett Peterson, P.E. Cybernetic Psychophysicist
http://www.freivald.org/~padgett/index.html
http://www2.gdi.net/~padgett/index.html
to avoid antispam use mailto:padgett@gdi.net PGP 4.5 Public Key Available
for evil to triumph, all that is necessary is for good (wo)men to do nothing
[Moderator's note: Another of life's mysteries resolved--thanks Padgett.
This explains why diskettes corrupted by Word writing part of a .DOC
into the DBS are not easily formatted in an (MS-)DOS/Win95 machine...
Someone should point this bug in this feature out to the Word developers
(and ask why they did not document this handy feature!).]
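The check Padgett describes, together with the moderator's case of .DOC data written over the DOS boot sector, as an added example that is not part of the original posts and is not FixFBR's code. The sample sectors are constructed, the function names are hypothetical, and accepting a leading E9 (near JMP) follows the documented FAT boot sector layout rather than anything stated in the post.

```python
import struct

SECTOR_SIZE = 512
# First eight bytes of an OLE2 compound file, the container used by Word 6/7 .DOC files.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def jump_field_status(sector: bytes) -> str:
    """Classify bytes 0-2 of a DOS boot sector (the jump field)."""
    b0, b2 = sector[0], sector[2]
    if b0 == 0xE9:
        return "ok-near-jmp"            # E9 lo hi: three-byte near JMP
    if b0 == 0xEB and b2 == 0x90:
        return "ok-short-jmp-nop"       # EB xx 90: short JMP followed by NOP
    if b0 == 0xEB:
        return "short-jmp-without-nop"  # the case described in the post
    return "no-jump"


def triage_boot_sector(sector: bytes) -> list:
    """Return the reasons a boot sector looks unusable to DOS (empty list = none found)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    findings = []
    status = jump_field_status(sector)
    if not status.startswith("ok"):
        findings.append(status)
    if sector.startswith(OLE2_MAGIC):
        findings.append("ole2-document-data-in-boot-sector")
    # BIOS parameter block: bytes per sector at offset 11, sectors per cluster at 13.
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 11)
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        findings.append("bad-bytes-per-sector")
    if sectors_per_cluster == 0 or sectors_per_cluster & (sectors_per_cluster - 1):
        findings.append("bad-sectors-per-cluster")  # must be a power of two
    if sector[510:512] != b"\x55\xAA":
        findings.append("missing-55aa-signature")
    return findings


def make_floppy_boot_sector(jump: bytes) -> bytes:
    """Constructed 1.44 MB boot sector (BPB only, no boot code) with a given jump field."""
    bpb = struct.pack("<3s8sHBHBHHBHHH", jump, b"MSDOS5.0",
                      512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    return bpb + bytes(SECTOR_SIZE - len(bpb) - 2) + b"\x55\xAA"


# Constructed samples, not taken from any real diskette.
SAMPLES = {
    "short JMP + NOP": make_floppy_boot_sector(b"\xEB\x3C\x90"),
    "short JMP, no NOP": make_floppy_boot_sector(b"\xEB\x3C\x00"),
    "start of a .DOC over the sector": OLE2_MAGIC + bytes(SECTOR_SIZE - len(OLE2_MAGIC)),
}

if __name__ == "__main__":
    for name, sector in SAMPLES.items():
        print(f"{name}: {triage_boot_sector(sector) or 'no findings'}")
```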
------------------------------
Date: Mon, 11 Aug 1997 13:58:03 +0200
From: Olaf Strehl <strehl@forst.uni-muenchen.de>
Subject: Pieck.4444 - Virus (PC)
X-Digest: Volume 10 : Issue 92
Does anybody know something about the Pieck.4444 virus?
It was detected by f-prot v.2.27 but there was no information about
this virus.
Olaf
- -
Institut fuer Holzforschung Muenchen
<Olaf Strehl> strehl@forst.uni-muenchen.de
------------------------------
Date: Mon, 11 Aug 1997 08:51:38 -0400
From: rich hawkins <rhawkins@advnet.net>
Subject: Re: Booting Dr. Solomon S.O.S. disk during install? (PC)
X-Digest: Volume 10 : Issue 92
try to setup in bios to boot from b if can't try changing the 5.25 to
the b make the 3.5 a:
or get to an clean comp with both drives copy the 3.5 to 5.25 don't
forget to boot from the 3.5 then copy sys file over
Rich Hawkins
------------------------------
Date: Mon, 11 Aug 1997 13:54:54 GMT
From: thomas.bjorseth@=nospam=bi.no (Thomas Bjorseth)
Subject: Re: Need info on NCH.B, ZEU.X and NCEPT (PC)
X-Digest: Volume 10 : Issue 92
On 9 Aug 1997 20:37:56 -0000, "steve.davis@hrb.com"@icf.hrb.com wrote:
>Can anyone give me information on the viruses listed in the subject.
>I have checked the online libraries and encyclopedias and could not
>find any information.
Sounds to me like you are using McAfee Scan to search for viruses. It
is a known problem that if you mix v.2.x scan engines with v3.x dat
files, you can "find" these viruses. The two first characters are
missing from the name. The second you mention should be COncept...
It is a false positive. You probably don't have a virus infection.
Check the version of your scanning engine and dat files and download
the correct version of the dat file. That should take care of your
problem.
Regards,
Thomas B
------------------------------
Date: Mon, 11 Aug 1997 11:49:12 -0700
From: Sam Fareri <tazmania@voicenet.com>
Subject: Re: Latest FILLER virus? - can someone help (PC)
X-Digest: Volume 10 : Issue 92
Elyas wrote:
> I've got this filler virus on my pc but my scanner does not detect/remove
> it. well, then how do I know its there? - a friend of mine detected it
> on my diskette using mcafee scan at his office (now he is unavailable -
<<snip>>
Try using "Thunder Byte Anti Virus" It works really well with my
computer. You can get it at http://www.download.com
Sam Fareri
------------------------------
Date: 11 Aug 1997 22:12:02 GMT
From: "j.t. MERKLEN" <john@club-internet.fr>
Subject: Damaged chkmem virus (PC)
X-Digest: Volume 10 : Issue 92
- - May I have information about a virus named DAMAGED CHKMEM.
Thank you.
J.Thiibaut MERKLEN
e-mail : john@club-internet.fr
------------------------------
Date: 11 Aug 1997 23:17:03 GMT
From: "RANDYAB" <randyab@microsoft.com>
Subject: Re: Floppy Format fails (PC)
X-Digest: Volume 10 : Issue 92
This problem is not uncommon if your machine has read a DMF (1.68MB)
floppy disk, and then try to format a 1.44mb disk. It doesn't happen on
all machines, or always on the same machines with different OS's (DOS,
WIN95, WINNT). I have seen it on several machines though, and a reboot
usually takes care of it.
Contrary to another post, I would recommend re-formatting factory
pre-formatted disks. If your floppy drive isn't aligned the same as the
drive that preformatted the disk, the data written can be difficult for
some machines to read. This tends to be especially true for laptops.
Finally, don't use the /q option. Allow the PC to do a full format when you
run into this type of problem. Format /f:1.44 might also be of help for
this problem.
Randy Abrams
- -
These views and opinions are my own and do not necessarily (or often)
represent the views and opinions of my employer.
[Moderator's note: Regarding not using "/q", to be sure you are really
writing to the whole diskette use the "/u"--unconditional--switch.]
------------------------------
Date: Mon, 11 Aug 1997 20:06:13 -0400
From: Peter Gabriel <peg@acpub.duke.edu>
Subject: Re: Boot Sector Problems (PC)
X-Digest: Volume 10 : Issue 92
I fixed it. Thanks to those who responded,
--Pete
------------------------------
Date: Tue, 12 Aug 1997 09:39:26 +0200
From: Hentrich <hentrich@frss01.fr.bosch.de>
Subject: Re: I need help fixing a CMOS virus (PC)
X-Digest: Volume 10 : Issue 92
Gordon Jones wrote:
> I have computer that will not let me boot it. I have been told I have a
> CMOS virus. Is there any way to rewrite CMOS?
Sure, go into your BIOS-Setup (press "del" or something like that at
startup) and select "reload with defaults".
> Is there any way to remove it?
The CMOS?
> Please E-mail me if you have heard of this or if you have
> suggestions for me to try.
In most cases the CMOS has a size of 64 bytes. Sometimes it has a size
of 256 bytes. The CMOS itself is a data area. There is no program that
can be executed in the CMOS because there is only 1 byte that can be
accessed at one time. Instructions for PC are mostly longer than 1
byte...
Reload your CMOS with the default settings of your BIOS.
There are a lot of possible reasons why your CMOS is killed.
1. Is the battery in your PC ok? Sometimes the battery is wrong and the
PC loses all the information stored in the CMOS. You can check this with
several programs.
2. It is possible that a virus erases the CMOS when the PC is running,
make a check with anti-virus-progs (2 different are better than only
one).
------------------------------
Date: Tue, 12 Aug 1997 07:51:10
From: padgett@goat.orl.mmc.com (Padgett 0sirius)
Subject: Re: I need help fixing a CMOS virus (PC)
X-Digest: Volume 10 : Issue 92
In article <0045.871343516.064141.0@virus-l.demon.co.uk> Gordon Jones
<gjones@ucr.campus.mci.net> writes:
>I have computer that will not let me boot it. I have been told I have a
>CMOS virus. Is there any way to rewrite CMOS? Is there any way to
>remove it? Please E-mail me if you have heard of this or if you have
>suggestions for me to try.
1) No virus executes from the CMOS
2) It is possible to corrupt the CMOS
3) You rewrite the CMOS by using the computer's SETUP, by using a program
which can set the CMOS (AMISETUP, SNOOPER), or by writing your own
program with INs and OUTs
Understand, the CMOS is just a "nonvolatile" RAM memory area on the clock
chip, nothing magical about it.
A. Padgett Peterson, P.E. Cybernetic Psychophysicist
http://www.freivald.org/~padgett/index.html
http://www2.gdi.net/~padgett/index.html
to avoid antispam use mailto:padgett@gdi.net PGP 4.5 Public Key Available
for evil to triumph, all that is necessary is for good (wo)men to do nothing
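Both replies above treat the CMOS as a small data area that can be corrupted and rewritten; the following added example (not code from either poster) checks a 64-byte CMOS dump for the conditions raised in this digest: a lost battery, a bad checksum, and a missing A: drive entry. It assumes the standard PC/AT layout (battery flag in bit 7 of byte 0x0D, floppy types in byte 0x10, 16-bit checksum of bytes 0x10-0x2D stored at 0x2E-0x2F); the dumps are constructed and the function names are hypothetical.

```python
CMOS_SIZE = 64
FLOPPY_TYPES = {0: "none", 1: "360 KB 5.25", 2: "1.2 MB 5.25",
                3: "720 KB 3.5", 4: "1.44 MB 3.5"}


def computed_checksum(dump: bytes) -> int:
    """16-bit sum of the configuration bytes 0x10..0x2D (standard AT layout)."""
    return sum(dump[0x10:0x2E]) & 0xFFFF


def stored_checksum(dump: bytes) -> int:
    """Checksum as recorded in the dump: high byte at 0x2E, low byte at 0x2F."""
    return (dump[0x2E] << 8) | dump[0x2F]


def inspect_cmos(dump: bytes) -> dict:
    """Summarise a CMOS dump and list anything that would explain a setup error."""
    if len(dump) < CMOS_SIZE:
        raise ValueError("expected at least 64 bytes of CMOS data")
    report = {
        "battery_ok": bool(dump[0x0D] & 0x80),   # valid-RAM bit in status register D
        "checksum_ok": computed_checksum(dump) == stored_checksum(dump),
        "drive_a": FLOPPY_TYPES.get(dump[0x10] >> 4, "unknown"),
        "drive_b": FLOPPY_TYPES.get(dump[0x10] & 0x0F, "unknown"),
        "findings": [],
    }
    if not report["battery_ok"]:
        report["findings"].append("battery-flag-lost")
    if not report["checksum_ok"]:
        report["findings"].append("checksum-mismatch")
    if report["drive_a"] == "none":
        # Matches the warning quoted earlier in this digest: CMOS says there is no A: drive.
        report["findings"].append("drive-a-reported-absent")
    return report


def make_cmos_dump(drive_a: int = 4, drive_b: int = 0) -> bytes:
    """Constructed dump with a good battery flag and a consistent checksum."""
    dump = bytearray(CMOS_SIZE)
    dump[0x0D] = 0x80
    dump[0x10] = (drive_a << 4) | drive_b
    checksum = computed_checksum(dump)
    dump[0x2E], dump[0x2F] = checksum >> 8, checksum & 0xFF
    return bytes(dump)


def make_dead_battery_dump() -> bytes:
    """Constructed dump of what is left after power loss: garbage and no valid-RAM bit."""
    dump = bytearray(b"\xFF" * CMOS_SIZE)
    dump[0x0D] = 0x00
    return bytes(dump)


if __name__ == "__main__":
    for name, dump in (("healthy", make_cmos_dump()),
                       ("no A: drive", make_cmos_dump(drive_a=0)),
                       ("dead battery", make_dead_battery_dump())):
        print(name, inspect_cmos(dump))
```

A dump that reports no A: drive while its checksum is still consistent was written deliberately by something, whether SETUP or other software, which is the distinction from the dead-battery case where the flag and checksum both fail.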
------------------------------
End of VIRUS-L Digest [Volume 10 Issue 92]
******************************************