VIRUS-L Digest V12 #19
daemon@ATHENA.MIT.EDU (VIRUS-L Moderator)
Sun Jun 27 07:07:21 1999
Date: Sun, 27 Jun 1999 22:33:44 +1200
Reply-To: virus-l@Lehigh.EDU
From: VIRUS-L Moderator <moderator@virus-l.demon.co.uk>
To: "Computer Virus Discussion List" <virus-l@Lehigh.EDU>
X-To: virus-l@lehigh.edu
VIRUS-L Digest Sunday, 27 Jun 1999 Volume 12 : Issue 19
Today's Topics:
Re: Norman Anti-Virus
Re: Warning e-mail re: Backdoor access to PBX's for Long Distance calls
Anyone able to verify this report?
RE: A Virus Wrapped in a Hoax?
Re: Warning e-mail re: Backdoor access to PBX's for Long Distance calls
java and PC-Cillin
RE: A Virus Wrapped in a Hoax?
macro identification (MACRO)
Re: Help requested with class.poppy message (WORD)
Re: W97M.Heathen.12288.A (WORD)
Re: virus in Quark? NT Server now toast. (WIN)
Re: InoculateIT PE - Free AV solution??? (WIN)
Re: PC-cillin and the Worm Virus? (WIN)
help: is this due to a virus? (WIN)
Re: InoculateIT PE - Free AV solution??? (WIN)
Re: need latest mcafee antivirus in dos (PC)
Re: remove of ANTICMOS available? (PC)
Trojan phucker c (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is its gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform--diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete posting guideline is available at
ftp://ftp.infospace.com/pub/virus-l/ or upon request.) Please sign
submissions with your real name; anonymous postings will not be
accepted. A FAQ (Frequently Asked Questions) document and all of the
back-issues are available from the URL above. The current FAQ
document is in a file called vlfaq200.txt.
Administrative mail (e.g., comments or suggestions) should be sent to
us at: moderator@virus-l.demon.co.uk. (Beer recipes should still be
sent to Ken van Wyk at: ken@para-protect.com.)
VIRUS-L subscribers wanting help with list-processor commands should
send a message to listserv@lehigh.edu with the command "help" in the
body of the message (the listserv ignores Subject: lines).
All submissions should be sent to: VIRUS-L@lehigh.edu.
Co-moderators: Bruce Burrell (BPB)
Nick FitzGerald (NCF)
----------------------------------------------------------------------
Date: Sat, 26 Jun 1999 12:11:55 GMT
From: kweiss@i-2000.com (Kenneth Weiss)
Subject: Re: Norman Anti-Virus
X-Digest: Volume 12 : Issue 19
On 26 Jun 1999 04:41:26 -0000, keith.schofield@virgin.net wrote:
>Anybody got any views on Norman as an Anti-Virus protection for servers
>and workstations? Or would I be better sticking to one of the more
>widely used products?
I'm using NVC 4.70 for Win9x. I find it to be quite good, if not a
bit pricey. The product actually is an excellent piece of anti-virus
software. Get a demo.
-- 
Ken Weiss <mailto:kweiss@i-2000.com>
URL: http://www.i2.i-2000.com/~kweiss/Ken's.html
(C)ompletely (D)efeated (A)ffront...help keep it that way.
------------------------------
Date: Sat, 26 Jun 1999 09:38:33 -0400
From: pete-weiss@psu.edu (Pete Weiss)
Subject: Re: Warning e-mail re: Backdoor access to PBX's for Long Distance calls
X-Digest: Volume 12 : Issue 19
First and foremost, it is a CHAIN letter. Second, there is generically useful
advice contained in it, but certainly not suitable for a chain letter -- don't
accept "commands" (or candy) from strangers. Third, why don't you set up a test
scenario and see if it applies to your PBX config? (This warning/hoax has been
around the 'net for a while -- the last I looked at it, it was reported that
there was some slim possibility under very specific configs that it was
possible.)
see also:
http://x40.deja.com/getdoc.xp?AN=324808549&CONTEXT=930404232.257228866&hitnum=0
http://www.bergen.com/biz/geb0329199903296.htm
http://www.urbanlegends.com/
------------------------------
Date: Sat, 26 Jun 1999 13:23:08 -0700
From: "Ken Dunham" <antivirus.guide@about.com>
Subject: Anyone able to verify this report?
X-Digest: Volume 12 : Issue 19
Greetings,
Has anyone seen this message - is it a hoax, or for real?
--quote---
Today while I was online an AOL Billing information error screen popped
up on my screen. It looked very legit. It said my billing cycle was up
and they needed more info.
It had numerous boxes for me to fill out. I.e.: Name, address, Town,
State. On one side and Credit Card Info on the other... Card, Number,
Expiration Date, Card holder name...
The upper right hand box was whited out; I could not X out of this. It
had a "Submit" box to click. When I did that (I had not filled out ANY
info), it gave me an error requesting my name. I called AOL. THIS IS
NOT AOL. IT LOOKS JUST LIKE "MEMBER SERVICE'S" INFO.
Do not ... DO NOT FILL ANYTHING IN. You must hit "CONTROL, ALT,
DELETE" AND GET OUT OF AOL AND RE-SIGN ON"... PLEASE INFORM ANY OF YOUR
OTHER BUDDIES ONLINE. I RECEIVED TWO OF THEM. PLEASE. IT'S SOMEONE
TRYING TO GET YOUR INFO. IT IS NOT AOL..................
And one more...
If you get a flashing IM, DO NOT reply or delete, but sign
off immediately and re-sign on! Then change your password immediately.
If you are unable to sign on, call AOL !!! The number is
1-800-827-6364----The Flashing IM is a password stealer. This has been
confirmed by AOL.
PLEASE FORWARD TO EVERYONE YOU KNOW!!
--end---
Ken
Free Antivirus Newsletter - http://antivirus.about.com/gi/pages/mmail.htm
ER Center & Downloads - http://antivirus.about.com/library/bldownld.htm
Virus Hoaxes - http://antivirus.about.com/msub2.htm
Recent Outbreaks - http://antivirus.about.com/msub14.htm
[Moderator's note: Sounds like a typical confused over-reaction to, or
hoax based upon, receipt and execution of an AOL password stealing
Trojan. Suggesting to forward it to "everyone you know" is of course
classic hoax material -- even AOL must realize there are a few non-AOL
users left on the net... NCF]
------------------------------
Date: Sat, 26 Jun 1999 02:41:39 -0400
From: "David Totzke" <dtotzke@home.com>
Subject: RE: A Virus Wrapped in a Hoax?
X-Digest: Volume 12 : Issue 19
>And your point? The account was a Hotmail one. They are closed for a
>variety of reasons. My comment was that it was closed -- any of those
>reasons was possible, *but* the server confirmed the address had
>existed. That is all I said.
"The Point" is that *you* created unnecessary traffic on the Internet as
well as unnecessary traffic on the mail server and *you* encouraged everyone
on this list to do the same. If the email address was placed there to
harass the owner of the address, *you* aided in the harassment and
encouraged others to do the same. Sure, the account was disabled by the
time you got to it, but others before *you* most likely contributed to its
closing.
Arrogance does not become a list moderator.
Regarding this vacuous proselytizing:
>: Yeah, you can recycle this, but it would be a courtesy to acknowledge
>: Chris Quirke (cquirke@iafrica.com) as the source ;-)
<snip> cont'd ad nauseam...
Recycled indeed. I have heard all the Microsoft bashing before and find it
tiresome. Go to http://www.cert.org/advisories/ and see how many of them
involve Microsoft programs. We are talking about problems that
simultaneously affected computers running SCO, SGI, Linux - both RedHat and
Caldera, and IBM's AIX, among others. It happens to everyone and no amount
of testing can possibly account for what some goof with a lot of time on his
hands will do when trying to compromise the system.
Such lengthy diatribes should be posted on a web page so that we may choose
to ignore them.
Get a grip...
Regards,
David R. Totzke
Senior Programmer/Analyst
EDS Systemhouse
------------------------------
Date: Sat, 26 Jun 1999 21:08:40 -0400 (EDT)
From: "Bruce P. Burrell" <bpb@umich.edu>
Subject: Re: Warning e-mail re: Backdoor access to PBX's for Long Distance calls
X-Digest: Volume 12 : Issue 19
In VIRUS-L Digest V12 #18, "David Smith" <David@xycorp.com> writes:
> Subject: Warning e-mail re: Backdoor access to PBX's for Long Distance calls
> X-Digest: Volume 12 : Issue 18
>
> ** Reply Requested by 6/26/1999 (Saturday) **
[Posted in private email as well]
> Just recently received an unsolicited e-mail message (see below) outlining
> a supposed backdoor access to PBX's allowing for long distance calls...
>
> Question 1 - is this message for real?? - or is it a bogus
It is real, sort of, but not worthy of forwarding willy-nilly. You
*might* be able to make an argument for sending it to PBX sysadmins, but
I'd guess that it would be a weak case.
[90# scam snipped]
For one take on it, see
<http://www.umich.edu/~virus-busters/hoaxes/phone.html>
-BPB
------------------------------
Date: Sun, 27 Jun 1999 11:05:22 +0100
From: "joe button" <joebutton@bigfoot.com>
Subject: java and PC-Cillin
X-Digest: Volume 12 : Issue 19
PC-Cillin seems to take AGES (several minutes) to scan Java class files. Is
there any way around this? I've tried telling it not to scan .CLA or .CLASS
files, but this doesn't seem to do anything. It's probably not a good idea
anyway, but a better one than unloading the monitor entirely, which is what I
tend to end up doing.
Cheers.
------------------------------
Date: Sun, 27 Jun 1999 18:12:21 +1200
From: "Nick FitzGerald" <nick@virus-l.demon.co.uk>
Subject: RE: A Virus Wrapped in a Hoax?
X-Digest: Volume 12 : Issue 19
David Totzke responded to some comments of mine thus:
> "The Point" is that *you* created unnecessary traffic on the Internet as
> well as unnecessary traffic on the mail server ...
Yep -- I am guilty of sending one very short Email message to that
address *and* of receiving the very short response from the mail server.
It must have been 5 KB all up.
But "unnecessary"? In order to answer the poster's question, it was
necessary (short of having direct admin access to the server or a good
buddy who did).
> ... and *you* encouraged everyone
> on this list to do the same. If the email address was placed there to
> harass the owner of the address, *you* aided in the harassment and
> encouraged others to do the same. Sure, the account was disabled by the
> time you got to it, but others before *you* most likely contributed to its
> closing.
Advice for next time you feel like posting:
Stop, read, re-read, *think*...
You see, you will find **no** evidence of me "encouraging" people to
mail that site. You will find **no** evidence of me encouraging
anyone at all to mail that site at all. You made the accusation twice.
Apologize or go down in the annals as a twat.
> Arrogance does not become a list moderator.
But it seems you find it acceptable in the people moderators have to
deal with?
> Regarding this vacuous proselytizing:
>
> >: Yeah, you can recycle this, but it would be a courtesy to acknowledge
> >: Chris Quirke (cquirke@iafrica.com) as the source ;-)
> <snip> cont'd ad nauseam...
>
> Recycled indeed. I have heard all the Microsoft bashing before and find it
> tiresome. Go to http://www.cert.org/advisories/ and see how many of them
> involve Microsoft programs. We are talking about problems that
> simultaneously affected computers running SCO, SGI, Linux - both RedHat and
> Caldera, and IBM's AIX, among others. It happens to everyone and no amount
> of testing can possibly account for what some goof with a lot of time on his
> hands will do when trying to compromise the system.
>
> Such lengthy diatribes should be posted on a web page so that we may choose
> to ignore them.
As moderator, I chose to post it as I thought it may raise some
interesting points of discussion -- radical idea in a discussion
list/group, but hey... If you have something worthwhile to add, either
in favour or contrary to Chris' "guidelines", please add it.
> Get a grip...
Ever consider trying some of your own advice on for size?
-- 
Nick FitzGerald,
Virus-L/comp.virus moderator.
------------------------------
Date: Sun, 27 Jun 1999 01:35:42 +0300
From: Uzi Paz <uzipaz@bgumail.bgu.ac.il>
Subject: macro identification (MACRO)
X-Digest: Volume 12 : Issue 19
I use MS-Word very little, and none of the other Office applications.
I have Word7 on Win95.
I sometimes receive a Word document via e-mail or on diskette, and as I
know, some of the recent Macro viruses spread very fast, so that AV
products may not be updated enough for identifying them. I guess that the
situation in this aspect will get worse.
I do not expect to get Word documents which contain Macros, so I prefer to
have some small application that checks if a Word document has a Macro in
it or not, without executing the macro. I know that Office97 has such
option but I do not wish to upgrade just for this feature.
I will appreciate any help.
Thanks,
Uzi
------------------------------
Date: Sat, 26 Jun 1999 03:36:43 GMT
From: raj007@my-deja.com
Subject: Re: Help requested with class.poppy message (WORD)
X-Digest: Volume 12 : Issue 19
You can cure and clean your Computer System from virus (Word) using
Protector Plus. It can automatically detect and remove this virus and
other thousands of viruses. Download fully functional and evaluation
copies from
http://www.pspl.com/download/download.htm
Write to us for any queries.
Raj http://www.pspl.com
------------------------------
Date: Fri, 25 Jun 1999 22:36:22 -0700
From: Dmitry Gryaznov <grdo@dial.pipex.com>
Subject: Re: W97M.Heathen.12288.A (WORD)
X-Digest: Volume 12 : Issue 19
Dave wrote:
> I work at a govt. facility that has been hit pretty hard by a macro virus
> called W97M.Heathen.12288.A. The only antivirus software that has any info
> on it that I have found is Norton's and Sophos.
>
> The sites are:
> http://www.sophos.com/downloads/ide/index.html#heathena
>
> http://www.symantec.com/avcenter/venc/data/w97m.heathen.12288.a.html
<<snip>>
Well, having in mind that the virus was discovered by my Virus Patrol
and that it was me who informed other AV people about it and that I work
for Network Associates, I am surprised you haven't found the following:
http://vil.mcafee.com/vil/vm10196.asp
You can easily get there from http://www.nai.com through Services / Virus
Info Library
-- 
Sincerely,
Dmitry O. Gryaznov
------------------------------
Date: 26 Jun 1999 07:36:15 GMT
From: harley@europa.lif.icnet.uk (David Harley)
Subject: Re: virus in Quark? NT Server now toast. (WIN)
X-Digest: Volume 12 : Issue 19
sherman_mohler@my-deja.com wrote:
: I was downloading a Quark file from a local University when my NT Server
: locked up so badly it was not possible to kill processes.
I can't say definitely that you don't have a virus. However, there is
no obvious indication of virus action here. You don't say whether what
you were downloading was a data file or a program file. Even if it was
the latter, you have to execute viral code, trojans etc. before they
can do -any- damage: simply downloading them won't. [He said, skipping
over the question of what constitutes 'downloading'.....]
: Does it sound like a virus
Not particularly.
: what can I do with NAV5 to help me at this point,
Not a lot unless it -is- a virus! Even then, if your system is hosed,
an anti-virus utility won't repair it.
: or do I need to
: reinstall the O.S. ?
Probably less hassle than any other route.
: p.s. I do NOT have a recovery disk for this machine I inherited (sucks).
Sounds to me like you have some work -and- reading to do.
-- 
David Harley
D_Harley@iname.com
------------------------------
Date: Sat, 26 Jun 1999 12:09:44 GMT
From: kweiss@i-2000.com (Kenneth Weiss)
Subject: Re: InoculateIT PE - Free AV solution??? (WIN)
X-Digest: Volume 12 : Issue 19
On 26 Jun 1999 04:42:12 -0000, scott@computeralt.com (Scott I. Remick)
wrote:
>Was wondering if anyone had any experience with InoculateIT Personal
>Edition or knew anything about it. People here are wondering if we
>should start using it instead of McAfee or NAV. I have my doubts and
>concerns, with it being free and all (and perhaps worth every penny spent
>on it). For example, how does it compare to other solutions? How is it
>free? What makes it different from CA's non-free AV solutions?
>Any info appreciated... thanks in advance.
The Virus Bulletin included it in their May 1999 100 awards for Win9x.
NAI and Symantec's products did not make the cut. Draw your own
conclusions.
-- 
Ken Weiss <mailto:kweiss@i-2000.com>
URL: http://www.i2.i-2000.com/~kweiss/Ken's.html
(C)ompletely (D)efeated (A)ffront...help keep it that way.
------------------------------
Date: Sat, 26 Jun 1999 21:47:34 -0400 (EDT)
From: "Bruce P. Burrell" <bpb@umich.edu>
Subject: Re: PC-cillin and the Worm Virus? (WIN)
X-Digest: Volume 12 : Issue 19
In VIRUS-L Digest V12 #18 "Labo Trend : Marc Blanchard"
<marc_blanchard@trendmicro.fr> wrote:
> >Does any know if PC-cellin OEM version is good enough to remove the Worm
> >Virus?
>
> Dear all,
>
> For Worm Virus, you should have an update PC-Cillin with Engine 2.062
> minimum and pattern file version 546 or more.
> You can check your engines/patterns files on <http://www.antivirus.com>
>
> For Happy99, here is the description :
[snip]
Ummm, isn't it more likely that the poster had ExploreZip in mind?
-BPB
------------------------------
Date: 27 Jun 1999 05:26:28 GMT
From: sr229492@aol.com (SR229492)
Subject: help: is this due to a virus? (WIN)
X-Digest: Volume 12 : Issue 19
Hi. While I was using the computer, something strange happened to my screen: all
the letters on screen break up. I have a picture of it at
http://members.aol.com/_ht_b/sr229492/myhomepage/index.html
Is this due to a virus or something else?
Thanks for your help.
------------------------------
Date: Sun, 27 Jun 1999 22:06:37 +1200
From: "Nick FitzGerald" <nick@virus-l.demon.co.uk>
Subject: Re: InoculateIT PE - Free AV solution??? (WIN)
X-Digest: Volume 12 : Issue 19
Kenneth Weiss replied to Scott I. Remick:
> The Virus Bulletin included it in their May 1999 100 awards for Win9x.
The version tested in that review was *not* the PE release but the
"corporate" product. The PE release is (essentially) the Australian
Vet product recently procured from Cybec whereas the corporate version
contains the iRiS detection engine. Thus, there is no guarantee that
the test results referred to apply to the PE version.
> NAI and Symantec's products did not make the cut. Draw your own
> conclusions.
Please do, but do so from *relevant* information...
-- 
Nick FitzGerald,
Virus-L/comp.virus moderator.
------------------------------
Date: Fri, 25 Jun 1999 22:40:03 -0700
From: Dmitry Gryaznov <grdo@dial.pipex.com>
Subject: Re: need latest mcafee antivirus in dos (PC)
X-Digest: Volume 12 : Issue 19
william wrote:
> may i know where to download latest version for mcafee antivirus in dos
> mode. thanks.
http://www.nai.com/download/
-- 
Sincerely,
Dmitry O. Gryaznov
------------------------------
Date: Sat, 26 Jun 1999 21:40:25 -0400 (EDT)
From: "Bruce P. Burrell" <bpb@umich.edu>
Subject: Re: remove of ANTICMOS available? (PC)
X-Digest: Volume 12 : Issue 19
In VIRUS-L Digest V12 #18, Baranyai Laszlo <baranyai@elfiz2.kee.hu> wrote:
> Detailed analysis made by Derek Karpinski is available online at
> http://www.virusbtn.com/VirusInformation/anticmos.html
>
> Suggested removal method (pasted from that site):
>
> "The virus does not store the original boot sector, making removal from
> the hard drives of machines formatted pre-DOS 3.31 problematic. For
> machines formatted with DOS 3.31 or later, boot from a write-protected
> system floppy and use the FDISK /Mumble command
[snip]
<Sigh>
Not a Flame of Mr. Baranyai -- I do, however, take issue with the
suggestion in the article he cites:
That may have been a reasonable enough suggestion back in the days when
DOS 3.31 was in vogue, but it is a Bad Idea nowadays. While it is safe
enough for *most* hard drives *if* the only problem is an AntiCMOS
infection, it can make matters a lot worse if there is more than one virus
in the Master Boot Record (not all that uncommon) or in other, non-virus
related cases.
See the alt.comp.virus FAQ for a list, if you're interested: Part 4,
Section 14.
Lest I be accused of dissing without suggesting a viable alternative:
merely boot from a clean, write-protected floppy and use any current
quality antivirus product from the DOS prompt. Will take care of
ANTICMOS, no problem -- and about 42,000 other viruses as well.
-BPB
------------------------------
Date: Mon, 28 Jun 1999 10:47:23 +0100
From: "astewart" <astewart@breathemail.net>
Subject: Trojan phucker c (PC)
X-Digest: Volume 12 : Issue 19
While installing the Settlers 3 game onto my system, PC-cillin 98 found the
file virus Trojan Phucker c in the s3.exe file. It was unable to remove it.
Does anyone know what this virus does, is it damaging, and how can I
remove it and keep the file intact?
------------------------------
End of VIRUS-L Digest [Volume 12 Issue 19]
******************************************