home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Cream of the Crop 11
/
Cream of the Crop 11-1.iso
/
virus
/
12nav95.zip
/
VIRSPEC.TXT
< prev
next >
Wrap
Text File
|
1995-12-01
|
8KB
|
169 lines
VIRSPEC.TXT - Special Information Regarding Unique Viruses
AntiVirus Lab, SYMANTEC/Peter Norton Product Group
December 1, 1995
**************************************************************************
In instances where viruses employ new or previously unused technology, NAV
requires the use of various external files to effectivly detect and/or
repair infections. We have made these external files available for you to
download.
========================
Disappearing Hard Drives
========================
There are several viruses that appear to cause the hard drive to
"disappear" when booting from a clean floppy disk. This occurs when the
virus encrypts or moves the partition table (a vital part of the system
area). Everything appears to be fine as long as the virus is in memory
because the virus tells DOS where the partition table is, or acts as the
partition table itself. When you boot clean, DOS can't find the partition
table as the virus isn't around to give it directions. As a result, you
might receive a "Invalid drive specification" or similar error when
trying to access the drive.
When you boot clean to have NAV repair such an infection, the hard drive
will not appear in the drive list. Not to worry! NAV, with the default
options enabled, will bypass DOS and look directly at the hard drive and
check the system area for infection no matter what you scan. In effect,
scanning your floppy will scan memory, the floppy AND the system area of
the hard drive. If an infection is discovered, you will be alerted
appropriately.
Examples of viruses that work in this manner are Crazy Boot, Frankenstein,
Neuroquila and Stoned.Empire.Monkey.
==========
Crazy Boot
==========
The Crazy Boot virus is a MBR infector that behaves much like the
Stoned.Empire.Monkey virus. Due to the nature of this virus, once you
have started your computer from an uninfected diskette, you will no
longer see your fixed disk. Booting with the virus in memory will allow
you to see and access your hard disk, but Crazy Boot will continue to
spread at every opportunity.
If Norton AntiVirus finds the Crazy Boot virus on your computer, please
contact Technical Support department for instructions on how to remove the
virus. Please do not attempt to repair the virus without talking to
Technical Support first.
Requires external file for repair.
**************************************************************************
WARNING: Because of the unusual behavior of this virus, DO NOT reinoculate
the master boot record or use inoculation technology to repair the virus
and DO NOT attempt to repair your hard disk using Norton Disk Doctor or
any other disk repair utility.
**************************************************************************
==========
Neuroquila
==========
Neuroquila is a multipartite virus that behaves in some ways like the
Stoned.Empire.Monkey virus or Crazy Boot. In addition to infecting files,
it will infect and encrypt both the master boot record and boot sector.
Due to this encryption, once you have started your computer from an
uninfected diskette, you will no longer see your fixed disk. Booting with
the virus in memory will allow you to see and access your hard disk, but
Neuroquila will continue to spread at every opportunity.
If Norton AntiVirus detects the Neuroquila virus on your computer, please
contact Technical Support department for instructions on how to remove
the virus. Please do not attempt to repair the virus without talking to
Technical Support first.
Requires external file for complete detection and repair.
**************************************************************************
WARNING: Because of the unusual behavior of this virus, DO NOT reinoculate
the master boot record or use inoculation technology to repair the virus
and DO NOT attempt to repair your hard disk using Norton Disk Doctor or
any other disk repair utility.
**************************************************************************
==============
One Half Virus
==============
The One Half virus is a multipartite virus that exhibits both stealth and
polymorphic behavior. In addition to infecting files and master boot
records, the One Half virus will encrypt data on your hard disk.
To date, the One Half virus has been detected in parts of Europe,
specifically Russia and other Eastern bloc countries. The virus was also
detected in a U.S. government agency.
Starting November 1, 1994 the virus definitions file includes a definition
for detecting this virus.
If Norton AntiVirus finds the One Half virus on your computer, please
contact Technical Support department for instructions on how to remove the
virus. Please do not attempt to repair the virus without talking to
Technical Support first.
**************************************************************************
WARNING: Because of the unusual behavior of this virus, DO NOT reinoculate
the master boot record or use inoculation technology to repair the virus
and DO NOT attempt to repair your hard disk using Norton Disk Doctor or
any other disk repair utility.
**************************************************************************
===========
Viking.Dec3
===========
The Viking.Dec3 virus alters EXE files in such a way that NAV is not able
to completely repair them. However, we felt it was important to give you
as much of the repair as possible rather than none. NAV will repair the
COM files flawlessly, but the EXE repair requires some input from you.
In order to complete the EXE repair, we need your involvement. As a
result, we recommend that you replace files from backups where you can.
And where you can't, apply the following procedure. If you need help with
this repair, we encourage you to call our Technical Support.
After an EXE file is repaired by NAV, one must take the following
additional steps. Lines prefixed by the "greater than" sign represent
lines to be typed at the DOS prompt. Lines prefixed by a dash are typed
while running debug.
>rename filename.exe filename.bad
>debug filename.bad
-d 100 l 4
Verify that the first byte is E9 and the fourth byte is
C0. If yes, proceed. If no, quit (q) from debug.
-e 100 4d 5a ff 1
-w
-q
>rename filename.bad filename.exe
====================
MS Word Macro Family
====================
The Word Macro family of viruses uses the WordBasic macro language to
infect and, in some cases, implant binary viruses into host programs.
These macros reside within Word document templates and the documents
themselves. Most notably, this family of viruses is platform independant -
they will infect documents and templates on DOS, Windows, Mac and Windows
NT operating systems.
In order for NAV to detect these viruses, you must insure that your
scanning options include .DOC and .DOT extensions (or you have selected
the option to scan "All Files"). For more information on setting this option,
see Chapter 8 "Customizing Virus Checking" of your User's Guide. With that
in place, scan your system as usual.
Microsoft has provided a repair solution for the Concept virus. You can
obtain additional information regarding the virus and a repair for it from
the following locations:
- The Microsoft WWW site at http://www.microsoft.com/msoffice/prank.htm
- The Microsoft Network. Go word: wordprankfix
- The Word forums on CompuServe and America Online
- Customers can call Microsoft's Product Support Services at 206-462-9673
for Word for Windows, and 206-635-7200 for Word for the Macintosh.