VIRUS-L Digest Thursday, 7 Oct 1993 Volume 6 : Issue 129 Today's Topics: Re: Virus scanning for Unix (UNIX) Protection of HP/UX service (UNIX) Re: boot viruses, without booting from an infected disk (PC) Re: Satan Bug virus (PC) Re: Removing the Form virus using MSDOS 5.0 SETUP (PC) Re: Tremor Virus and McAfee VIRUSCAN (PC) Re: Stoned virus.... (PC) Re: Stoned virus.... (PC) Re: Removing the Form virus using MSDOS 5.0 SETUP (PC) Tumbling Chars Virus (PC) Re: Pklite Pro (PC) Re: Stoned virus , need disinfector (PC) Re: The form virus vs. F-prot 2.09d (PC) Re: Bait files (PC) Re: Satan-Bug (PC) sUMsDos (PC) TBAV false alarm (PC) help with FAT lost (PC) A few questions... (PC) More troble with F-prot 2.09d and FORM (PC) LAN Virus Software (PC) Re: boot viruses, without booting from an infected disk (PC) Re: What is BAMBI MEETS GODZILLA?! (PC) Re: What is BAMBI MEETS GODZILLA?! (PC) Novell virus proofing (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu. Ken van Wyk ---------------------------------------------------------------------- Date: Fri, 01 Oct 93 17:13:02 +0000 From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Virus scanning for Unix (UNIX) Bert K. Mok (bmok@netcom.com) writes: > I need to implement virus protection on our Unix machines. Can > someone suggest a common mechanism for doing that? A coworker The question is a bit too general. Do you need to protect Unix machines from Unix viruses or do you want to detect PC viruses on a Unix file server? > suggested getting a Workstation to pre-scan software of files about to > be uploaded. Is this a good approach? What's the most bullet proof > approach to doing this? Right now our operator only scans the files > on the PC before the upload. The above technique suggests that you want to protect from PC viruses. In this case yes, the technique does make sense. There are very few Unix-based scanners for PC viruses and they are not as good as the existing PC-based scanners for PC viruses. > I just don't think that makes sense > because that doesn't guarantee the files don't contain "Virus for our > HP/UX". The above sentence suggests the opposite - that you are trying to protect from Unix viruses. Well, there are not many of them - I have seen only 3-4, only one of which has been reported in the wild. And none of the existing PC viruses is able to infect Unix executables. > A side question: How does a Virus on Unix do its damage? What virus on Unix? A PC virus on Unix? Well, it doesn't do any damage, because it doesn't run - usually it can be only stored on a Unix machine that acts as a file server for a network of PCs. One exception is if you have a PC emulator on Unix - but then the virus can run and cause damage only within the emulated environment - and even then there are some restrictions. Or do you mean a Unix virus running on Unix? Well, such virus can do anything that a normal program can - delete files if they are writable, steal passwords, if they are readable, infecting other files, if they are writable, and so on. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Sat, 02 Oct 93 10:44:05 -0400 From: WHMurray@DOCKMASTER.NCSC.MIL Subject: Protection of HP/UX service (UNIX) >I need to implement virus protection on our Unix machines. Can >someone suggest a common mechanism for doing that? A coworker >suggested getting a Workstation to pre-scan software of files about to >be uploaded. Is this a good approach? What's the most bullet proof >approach to doing this? Bert, your query is inconsistent. You request a mechanism that is both "common" and "bullet proof." That is an over constrained problem. There are no solutions in any real domain that are both common and bullet proof. Like a physician who does not prescribe for a patient that he has never seen, I do not prescribe for environments and applications that I do not fully understand. (Niether do I give to one client for free what I charge other clients for.) Honest people will respond to your question, and, taken collectively, they will inform you, but all of that information will not _solve_ your problem. That having been said, an effective, though perhaps not efficient, solution to your problem is to maintain rigorous separation between PC data (of any type or class) that is merely intended to be stored on your HP/UX and _programs_ that are intended to be executed there. (I suspect that you will not find that answer any more "real world" than I find your question.) William Hugh Murray, Executive Consultant, Information System Security 49 Locust Avenue, Suite 104; New Canaan, Connecticut 06840 1-0-ATT-0-700-WMURRAY; WHMurray at DOCKMASTER.NCSC.MIL ------------------------------ Date: Fri, 01 Oct 93 18:57:14 +0000 From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: boot viruses, without booting from an infected disk (PC) Nathaniel Schiffman (nathan@remus.rutgers.edu) writes: > I've seen cases where someone is using WordPefect, and they load in a file of f > an infected disk (or save a file to the disk) and the hard drive that > WordPerfect is on gets infected with the virus. Scary, eh? We used Vshield to Sorry, but the above is IMPOSSIBLE. The closest thing to the situation that you describe is if after accessing a floppy infected with a boot sector virus you run a scanner and it reports a virus in memory (NOT on the hard disk). This is just a mistake of the scanner and is called "ghost positive" (see the FAQ) - and of course, there is no any virus on your hard disk. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Fri, 01 Oct 93 16:32:53 +0000 From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Satan Bug virus (PC) Paul Bennett (bennett@keylime.cis.ufl.edu) writes: > Recently I have been getting reports of a virus F-prot209d refers to > as the Satan Bug virus locally. First, the latest version of F-Prot is 2.09f - available from our ftp site. Second, your case is almost certainly a false positive. > It may be coincidental, but both PC > class systems running Dos 6.0 had problems with keyboard charactors. > In one case, all keyboard entries were switched to upper case only. > In the other case, the "-" key was not recognized. In the second > case, pkzip 204g would not run either. Again, may be unrelated, as I This virus doesn't cause such effects. Actually, it carries no payload. It could cause damage unintentionally, but infecting some EXE files with internal overlay structure - just like Jerusalem can. > do not have any info on Satan Bug. Has anyone else run into this > virus before. The virus has been distributed initially in source on the virus exchange BBSes. Then it has been released in the wild, and nowadays we have several reports of infections by this virus. Speaking of the damage that the VX BBSes cause... The virus is a polymorphic resident EXE and COM fast infector with unusually large amount of do-nothing instructions in the decryptor. Keeps itself encrypted even in memory, which makes it a bit difficult to detect it there. Can be detected with a set of wildcard scan strings and a heuristic (to eliminate the false positives), but this is not for amateurs; you should better use a reliable scanner. The "Are you there?" call that the virus uses to determine its presence in memory is INT 21h/AH=0F9h - if it gets AX=0AC0Ah, it decides that it is already there and doesn't install itself in memory. Adds 100 to the year of the date of last update of the infected files. Doesn't infect COMMAND.COM (I think). Doesn't infect files smaller than 1024 bytes. The type of the infected files (COM/EXE) is determined by the "magic number" in the EXE header - but the virus only checks for 'MZ', not for 'ZM'. The virus removes the immunization modules appended to the files by CPAV. Also removes the data that SCAN /AV (or /AG, not sure) adds to the files. > So far, FP-209D has reported it in one gif file and a > couple of *.pcc files that were part of a game. While I grant the The virus does not infect such files. It is almost certainly a false positive. I encourage you to inform the author of F-Prot and to send him the files that cause the false positive. BTW, while writing this article, I noticed that SCAN 108 does NOT detect this virus reliably! Users shouldn't rely on it to detect all infected files and McAfee Ass. should look into the question. Also, while taling about false negatives, it has been brought to my attention that FindVirus 6.34 from Dr. Solomon's Anti-Virus ToolKit does not detect reliably Tremor - yet another polymorphic virus which is in the wild. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Fri, 01 Oct 93 15:50:12 +0000 From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Removing the Form virus using MSDOS 5.0 SETUP (PC) Ted Wong (tmw5@cornell.edu) writes: > I recently suffered an a attack of the Form virus on my machine, a TI > TravelMate. Form inserts itself in the boot sector of disks; in fact, the ^^^^^^^^^^^^^^^^^^^^^^^^^^^ Correct. In the DOS boot sector of the active partition. > infection was traced back to an accidental boot off of a non-system disk > (NB: always check the floppy drives before booting!). Indeed, this is, in practice, the source of all boot/master boot sector infections. The only exception is a multi-partite virus or a dropper. > The infection was reported by SCAN 102; however, CLEAN was unable to remove > it. The virus was subsequently removed by booting off the OEM distribution > of MSDOS 5.0 (NOT the retail upgrade), and reinstalling DOS. Version 102 is pretty old; you should upgrade to 108, which is the current one. I don't recall when CLEAN began to remove the Form virus correctly. It might be also that you have some variant, but unlikely. When CLEAN fails to remove a boot or a master boot virus, it is always worthwhile to tell it to remove the [GenB] or [GenP] "virus" respectively. This activates its generic algorithm for boot sector virus removal and in many cases succeeds - although the algorithm is by no means fool-proof and sometimes can take a looot of time. > My question is: would I have saved myself some time by using FDISK /MBR to > write out a new copy of the boot sector? The answer is: NO. FDISK/MBR rewrites the master boot record (MBR), while the Form virus resides in the DOS boot sector (DBS). The correct tool to use in this instance is SYS. > Or do I have the definitions of the > Master Boot Record and the boot sector mixed up? It seems that you know the difference (or at least that there is one), but have confused what exactly the Form virus infects. It infects the DBS, not the MBR. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Fri, 01 Oct 93 17:24:48 +0000 From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Tremor Virus and McAfee VIRUSCAN (PC) (FWF%GISA.UUCP@GERMANY.EU.NET) writes: > In Germany the "Tremor" virus is a widespread virus. Yes. A -very- widespread one. > McAfee VIRUSCAN 9.17 V 106 identified - not always - this virus > as "Tremor" with the following entry in VIRLIST.TXT: You shouldn't use the word "identify" together with McAfee's VIRUSCAN, unless preceded by the word "doesn't". :-) SCAN doesn't identify anything. It can just detect scan strings (and some classes of decryptors, using algorithmic approach) in files. > No other anti-virus product uses and knows a "Tremor2" virus. We had > a lot of questions, if this is a "special (?)" Tremor variant and what > are the diffences of Tremor and Tremor2. As I have said several times here - SCAN is essentially useless for virus identification. It doesn't use consistent virus names, the names often change from version to version, not all of them are listed in the documentation, many names listed in the documentation are never reported, some names listed in the documentation are misspelled, often two closely related virus variants are reported with two completely different names, and often two completely different viruses are reported with one and the same name. Infections by some viruses are reported with two different names, even if only one virus is present. Sometimes one and the same virus is reported under different names in COM and EXE files. SCAN is relatively good only in one thing - to decide whether some object (file or boot sector) is infected or not. In order to determine with what exactly it is infected, you should use another program that does this job better. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Fri, 01 Oct 93 16:37:53 +0000 From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Stoned virus.... (PC) Joseph Dunne (dunne@plains.NoDak.edu) writes: > I recently got the stoned virus on my boot sector. F-protect says it > cannot remove the virus. First, the name is F-Prot. Second, which version did you use? Third, there is no such thing as "the stoned virus" - there are dosens of variants and F-Prot usually identifies them quite exactly. What exactly did the program report? Maybe it has been "New or modfied variant of Stoned" or "Possibly a new variant of Stoned"? In this case, it is what the program says - a new virus variant (member of the Stoned family of viruses), which is unknown to the program - that's why it refuses to remove it. > Does anyone know of a way I can remove it > without re-formatting my hard drive? In most cases booting from an uninfected write-protected DOS 5.0 (or higher) system diskette and executing FDISK/MBR will remove a master boot sector infector like the Stoned variants. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Fri, 01 Oct 93 22:35:23 -0400 From: tsparan@eis.calstate.edu (Themistocles Sparangis) Subject: Re: Stoned virus.... (PC) You can use the McAffee virus clean and scan to remove stoned. It has always worked well with me. Themy Sparangis -- ------------------------------ Date: Fri, 01 Oct 93 22:48:49 -0400 From: eddy@hebron.connected.com (Eddy Simons) Subject: Re: Removing the Form virus using MSDOS 5.0 SETUP (PC) tmw5@cornell.edu (Ted Wong) writes: > My question is: would I have saved myself some time by using FDISK /MBR to > write out a new copy of the boot sector? Or do I have the definitions of the > Master Boot Record and the boot sector mixed up? > I see the Form virus atleast once a week. The easiest way to get rid of it is to boot off of a clean floppy and SYS the HD. (Make sure to use the same version of dos!) - -eddy@hebron.connected.com ------------------------------ Date: Fri, 01 Oct 93 23:02:15 -0400 From: gintis@econs.umass.edu (HERBERT GINTIS) Subject: Tumbling Chars Virus (PC) My wife, who is barely computer literate, told me to come quick, all the letters on the screen tumbled down. Sure enough, I came and there was a litter of broken characters on the bottom three lines of the screen! I rebooted and everything was okay. Is this some sort of virus? If so, it's cute unless it gets dangerous later! Any hints? Regards, Herbert Gintis Department of Economics University of Massachusetts gintis@econs.umass.edu ------------------------------ Date: Fri, 01 Oct 93 23:49:10 -0400 From: "Steve Bonds (007" Subject: Re: Pklite Pro (PC) SCHULTZ@ufrjmcp1.bitnet writes: > On F-Prot , Mr Skulason say that is possible search virus inside > PKLITE , DIET and others ExePacks like programs. > > Well on Documentation of PKlpro , Pkware guys said that is impossible > to unpack PKlited files compress with -e (*extra Compression*). > > My question is How F-prot and Scan manage this kind of thing ? PKLite files MUST be able to be decompressed no matter what kind of compression they use-- otherwise, how could the CPU understand the executable code? The trick is that *PKLite* is unable to uncompress files compressed with extra compression. There are third-party programs that will uncompress even these files. F-prot and SCAN uncompress the file into memory and then scan the uncompressed version. > BTW What Xuxa virus do ? I believe it is a variant of the "Surviv" family. A resident .COM file infector, reported to play music under the right circumstances. Most common antivirus utilities should disinfect it, though you would be much better off to delete any infected software and restore it from either the original disks or uninfected backups. -- Steve Bonds (aka 007) - -- 000 000 7777 | sbonds@jarthur.claremont.edu and Steve_Bonds@hmc.edu 0 0 0 0 7 |----------------------------------------------------------- 0 0 0 0 7 | Childhood is short... [Calvin & Hobbes] 000 000 7 | ...but immaturity is forever. ------------------------------ Date: Fri, 01 Oct 93 23:59:19 -0400 From: "Steve Bonds (007" Subject: Re: Stoned virus , need disinfector (PC) RZOTTO@NYX.UNI-KONSTANZ.DE (Otto Stolz) writes: >Before you start you have to plan your action along the following lines: >2. Collect all floppy disks that were used in any computers found > infected in step 1. It is essential that you really find all those > disks, so hunt them down in all conceivable and inconceivable > places: in cupbourds and drawers, in pockets and bags, don't over- > look even those that are abused as rulers or saucers! Just wanted to add a quick plug here. Using frisk's VIRSTOP with the /BOOT switch makes this much more effective. After checking all the disks you can find, just add VIRSTOP /BOOT to the startup of the computer and verify that it works with F-TEST. This will help prevent reinfection since VIRSTOP will pop up a message when the disk gets accessed. It should be noted that I have seen a very few problems with this switch. Under Windows, or other programs that interpret the critical error handler in strange ways, the warning message may cause the system to hang. Usually this is a sign that the disk was infected and hopefully the person using the computer will have the good sense to remove the disk before rebooting... In any case the user should be notified that if the system hangs during floppy access, the disk should be set aside for scanning. BTW, I don't work for frisk, even if I sound like it sometimes... :) Just a VERY satisfied customer. -- Steve Bonds (aka 007) - -- 000 000 7777 | sbonds@jarthur.claremont.edu and Steve_Bonds@hmc.edu 0 0 0 0 7 |----------------------------------------------------------- 0 0 0 0 7 | Childhood is short... [Calvin & Hobbes] 000 000 7 | ...but immaturity is forever. ------------------------------ Date: Sat, 02 Oct 93 02:53:09 -0400 From: vfreak@aol.com Subject: Re: The form virus vs. F-prot 2.09d (PC) >FDISK /MBR has no effect on the FORM that I can think of. FORM >is an operating-system-boot-record infector, not a master-boot >infector. If a machine is FORM-infected before an FDISK /MBR, >it'll still be infected afterwards... Correct. FDISK/MBR would only work on viruses that hide in the partition table. This includes Stoned, Michelangelo, etc. However; a SYS C: may get rid of FORM. However; Since Form is a resident virus, users should cold boot from a bootable diskette before trying this. I wouldn't like for the computer to be re-infected. Bill ------------------------------ Date: Sat, 02 Oct 93 06:46:48 -0400 From: frisk@complex.is (Fridrik Skulason) Subject: Re: Bait files (PC) vfreak@aol.com writes: >Bait files are usually small do nothing programs for viruses to attach to.. The problem with many bait files is that the viruses don't like them :-) Many viruses will infect practically every executable file...but there are viruses that will only infect thiles that contain large block of 0-bytes, start with a JMP instruction, are biggert (or smaller) than a particular number of bytes, or meet some other criteria, so there is no guarantee that any particular goat file will get infected if you get a virus. Even if it does get infected, so what ? If the virus is a stealth virus, the goat file will "look" the same as before infection. - -frisk ------------------------------ Date: Sat, 02 Oct 93 06:53:37 -0400 From: frisk@complex.is (Fridrik Skulason) Subject: Re: Satan-Bug (PC) padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) writes: >This is not a particularly interesting virus... There is one extremely interesting aspect to it - it was one of the viruses that were distributed by the (in)famous "government VX BBS", and it seems to have only been reported in the Washington area, in government offices in particular... - -frisk ------------------------------ Date: Sat, 02 Oct 93 10:37:19 -0400 From: Subject: sUMsDos (PC) Hello, please forgive if this message does not follow good format and such. I was directed by a batch of messages I recently downloaded from a local echo here in san leandro california,to you because I have recently contracted a number of viruses on program downloads from local BBS's If this is the right area for contributions then i will proceed by describing. The first virus seems to copy itself endlessly on exe files. and once on com files.the most distinguishing features are: a)When it finally activates (at 30 minute clock tick) a black window appears on the lower left corner of the screen b)the first instruction(from debug ip=100) is jmp 195 which is followed by the string "sUMsDos".which i suppose refers to the author in some way. anyway in the interest of brevity,the other virus was on an exe program that quickly moved my directory from sector 5 to 3 and changed my boot sector to constantly reboot itself(unendingly) with a beep and the message "HeHe your computer is now hooked..." I am very interested in knowing where these things come from and how I may be of help.I am hoping that maybe I have given some information that you can use. please send me mail if you have questions. and also is there anywhere that i can learn more about viruses? I have limited time on a school bbs echo,here so i will not be able to send a great deal of mail to and fro. but i am a new programmer,2 years actually but mostly tinkering until recently,and find the line of study you folks(?) pursue very interesting and challenging. also if you need me to send you the viruses that i have isolated please let me know and i will do so.they are no longer attached to files and are stand alone.the sUMsDos virus in particular is exactly 1808 byte long(710) anyway must go please write back jmuir@snldro.noca.fred.org ----------------- 37.43.06N, 122.08.30W Jason Muir College Student at International Corresponde, electronics Oakland, ca ------------------------------ Date: Sat, 02 Oct 93 12:24:38 -0400 From: al026@yfn.ysu.edu (Joe Norton) Subject: TBAV false alarm (PC) I just wanted to let Frans know that TBAV605 is flagging a copy of Timeset 6.0 as "Dropper of Bad_Taste".. I'm used to TBAV yelling that Timeset is suspicious, but this new version of TBAV is actually saying it's a virus. Timeset is packed using ICE v1.0 acording to UNP v3.11 if that helps any.. ------------------------------ Date: Sat, 02 Oct 93 18:24:58 +0000 From: hensel@garbo.uwasa.fi (Mike Hensel) Subject: help with FAT lost (PC) i have a problem with my hard disk, it generates errors such as 'sector not found' and 'file allocation table bad'. when i run chkdsk it reports a lot of lost clusters. also my monitor is flashing in a weird way. a friend of mine suggested it could be a virus. also i examined the boot sector with a program called norton utilities and i found a string 'IBM 20.0' in it what does this mean? if anyone can help me pls leave a message. Mike Hensel ------------------------------ Date: Mon, 04 Oct 93 05:10:24 -0400 From: patrickp@netcom.com (Patrick Pfadenhauer) Subject: A few questions... (PC) I was just wondering - If I use 4 anti-virus TSRs (PCRX, Virstop, VShield, and the TBAV one), will they conflict with eachother, or will it work out? Also, after D/Ling the Faerie virus, I renamed it to .CO!, then scanned it with SCAN.EXE. Then I fired up F-Prot to see what it would say, and it said that Faerie was in memory! The only three things I had done after downloading the virus was - PKUNZIPped it, renamed it from .COM to CO!, and scanned it with SCAN.EXE. Why did F-Prot find it in memory? I rebooted it, and everything seems fine now... - -- - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Patrick Pfadenhauer - patrickp@netcom.com - Costa Mesa, CA, USA - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- ------------------------------ Date: Mon, 04 Oct 93 11:38:12 -0400 From: doug@viper.ELP.CWRU.Edu (Douglas Bell) Subject: More troble with F-prot 2.09d and FORM (PC) Well, the FORM virus came back to our site on a buch of computers that were booting from the a: drive. I booted off of a clean diskette and disinfected the computers with f-prot. On 2 of the four infected computers, one is a zenith z386-20 and the other a compuadd 325, f-prot disinfected the boot sector, but reported errors when opening all of the files on the hard drive. I exited f-prot and found that I could see all of the files on the hard drive, copy and delete files on the hard drive, run norton 7.0 disk doctor on the hard drive, all without any problem. I rebooted the computer using the hard drive and found that f-prot would not report errors any more and the file system appeared intact. I booted from my write protected floppy disk again and every thing seemed hunky-dory except for f-prot which still could not read the files on the hard drive when it would scan the computer. ???? At this point I decided to stop playing around and I backed up the computer, repartitioned the hard drive and restored the data. F-prot still could not open the files on the hard drive if and only if I booted from my clean disk. Can anyone help me with this one? p.s. I'm using MS-DOS 5.0. ------------------------------ Date: Mon, 04 Oct 93 16:20:56 -0400 From: kenneth@halcyon.halcyon.com (Kenneth J. Walkky) Subject: LAN Virus Software (PC) I saw a post about LAN oriented software to protect against viruses. Did anybody save that? If so, could you send it to me? If not, what is the best thing to run on a LAN? ~r .signature - -- - ------------------------ kenneth@halcyon.com says: Kenneth J. Walkky "Just when I figured out the answers to life's Seattle, Washington, USA questions......they changed the questions!" ------------------------------ Date: Mon, 04 Oct 93 17:04:28 -0400 From: maven@kauri.vuw.ac.nz (Jim Baltaxe) Subject: Re: boot viruses, without booting from an infected disk (PC) nathan@remus.rutgers.edu (Nathaniel Schiffman) writes: >>James W. Kaiser, , reports: >I've seen cases where someone is using WordPefect, and they load in a file off >an infected disk (or save a file to the disk) and the hard drive that >WordPerfect is on gets infected with the virus. Scary, eh? We used Vshield to >stop that. Could you please provide more details about this. What tests did you run to verify that this actually happened and not a reboot from an infected floppy, or a previously infected machine which was noticed at the particular time? I cannot see why WP would read, much less, load and execute the floppy disk boot sector when trying to read a file on the floppy. Please enlighten me. - -- Jim Baltaxe - jim.baltaxe@vuw.ac.nz ******************** Are you man enough to change things? ********************* Contact: Wellington Men for Nonviolence or Manline Telephone Counselling Service - phone (04) 472 7982 ------------------------------ Date: Tue, 05 Oct 93 02:43:24 -0400 From: valentea@amdahl2.lat.oz.au (Anthony J Valente) Subject: Re: What is BAMBI MEETS GODZILLA?! (PC) ebingha@eis.calstate.edu (Eli S Bingham) writes: >Hello... > >Yesterday on the Netfind server at cs.colorado.edu I encountered a vt100 >animation called BAMBI MEETS GODZILLA which played during the Netfind >output...today I encountered it again while fingering a calstate >account...both times the animation appeared during a Finger of >(netfind uses finger as part of it's operation) a calstate >account...has anyone ever heard of this beast? It is most likely that this is NOT a virus at all.. What the person would have done it simply pipe the animation to his/her plan file so each time the person if fingured, it shows the animation. - Aj ------------------------------ Date: Tue, 05 Oct 93 03:43:31 -0400 From: carlr@netcom.com (Carl Robinson) Subject: Re: What is BAMBI MEETS GODZILLA?! (PC) There is a very short video called Bambi meets Godzilla in which Bambi is munching on some grass while some Disney-type sweet music is playing. Godzilla's giant foot suddenly comes out of the top of the screen and stomps him into the ground. That's all there was to it. It's pretty old now. It's probably the same one since the video was only about a minute long. - -- ______________________________________________________________________________ Carl Robinson carlr@netcom.com Voice: (510) 685-4983 Fax: (510) 825-5290 ------------------------------ Date: Tue, 05 Oct 93 09:19:29 -0400 From: KIDAJ.TRANSCOM@transcom.safb.af.mil (KIDA JOHN H) Subject: Novell virus proofing (PC) Looking for an FTP site or BBS which carries the REPORT / STUDY on Virus proofing NOVELL NETWORKS. There also was a report, which pointed out the weaknesses of NOVELL networks to virus infections. Any information would be appreciated ____________________________________ JOHN KIDA SR. Network Administration KIDAj@TRANSCOM.SAFB.AF.MIL ------------------------------ End of VIRUS-L Digest [Volume 6 Issue 129] ******************************************