VIRSPEC.TXT - Special Information Regarding Unique Viruses
AntiVirus Lab, SYMANTEC/Peter Norton Product Group
November 1, 1995
*******************************************************************************
In instances where viruses employ new or previously unused technology, NAV
requires the use of various external files to effectively detect and/or repair
infections. We have made these external files available for you to download.
The file is named REPAIR.ZIP and is available from wherever you downloaded this
file.
========================
External Files Available
========================
NAV requires external files to detect and/or repair the following viruses:
Annoying.4060
Bad_Head
Byway
CPW
Crazy Boot
Da'Boys
Die Hard
Emmie.2702
Emmie.2823
Emmie.3097
Fairz
Frankenstein
Neuroquila
Sat_Bug.Natas
Urkel
WinWord Macro Family (WinWord.Concept and WinWord.Nuclear)
========================
Disappearing Hard Drives
========================
There are several viruses that appear to cause the hard drive to "disappear"
when booting from a clean floppy disk. This occurs when the virus encrypts or
moves the partition table (a vital part of the system area). Everything
appears to be fine as long as the virus is in memory because the virus tells
DOS where the partition table is, or acts as the partition table itself. When
you boot clean, DOS can't find the partition table as the virus isn't around
to give it directions. As a result, you might receive an "Invalid drive
specification" or similar error when trying to access the drive.
When you boot clean to have NAV repair such an infection, the hard drive will
not appear in the drive list. Not to worry! NAV, with the default options
enabled, will bypass DOS and look directly at the hard drive and check the
system area for infection no matter what you scan. In effect, scanning your
floppy will scan memory, the floppy AND the system area of the hard drive. If
an infection is discovered, you will be alerted appropriately.
Examples of viruses that work in this manner are Crazy Boot, Frankenstein,
Neuroquila and Stoned.Empire.Monkey.
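The following is an added example, not part of the original Symantec text and
not NAV's code. It reads a 512-byte master boot record directly and reports
why a sector with a scrambled partition table gives DOS nothing to mount. The
sample sector and the XOR in scramble() are constructed for illustration and
do not reproduce any virus's actual scheme.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE      # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR


def parse_partition_table(sector: bytes):
    """Return (entries, problems) for one 512-byte master boot record."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    problems = []
    if sector[510:512] != SIGNATURE:
        problems.append("missing 55 AA signature")
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        if raw == bytes(16):
            continue  # unused slot
        boot_flag, ptype = raw[0], raw[4]
        lba_start, sectors = struct.unpack_from("<II", raw, 8)
        if boot_flag not in (0x00, 0x80):
            problems.append(f"entry {i}: boot flag {boot_flag:#04x} is not 00 or 80")
        if ptype == 0 or sectors == 0:
            problems.append(f"entry {i}: no type or zero length")
        entries.append({"index": i, "active": boot_flag == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": sectors})
    if not entries:
        problems.append("partition table is empty")
    return entries, problems


def build_sample_mbr() -> bytes:
    """Constructed sample: one active FAT16 partition (type 0x06), no boot code."""
    sector = bytearray(SECTOR_SIZE)
    sector[TABLE_OFFSET:TABLE_OFFSET + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\x0f\x3f\x20", 63, 65457)
    sector[510:512] = SIGNATURE
    return bytes(sector)


def scramble(sector: bytes, key: int = 0x5A) -> bytes:
    """Constructed stand-in for an encrypted MBR; not any real virus's scheme."""
    return bytes(b ^ key for b in sector)


if __name__ == "__main__":
    clean = build_sample_mbr()
    print(parse_partition_table(clean), parse_partition_table(scramble(clean))[1])
```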
==========
Crazy Boot
==========
The Crazy Boot virus is a MBR infector that behaves much like the
Stoned.Empire.Monkey virus. Due to the nature of this virus, once you have
started your computer from an uninfected diskette, you will no longer see your
fixed disk. Booting with the virus in memory will allow you to see and access
your hard disk, but Crazy Boot will continue to spread at every opportunity.
If Norton AntiVirus finds the Crazy Boot virus on your computer, please
contact the Technical Support department for instructions on how to remove the
virus. Please do not attempt to repair the virus without talking to Technical
Support first.
Requires external file for repair.
*******************************************************************************
WARNING: Because of the unusual behavior of this virus, DO NOT reinoculate the
master boot record or use inoculation technology to repair the virus and DO
NOT attempt to repair your hard disk using Norton Disk Doctor or any other
disk repair utility.
*******************************************************************************
==========
Neuroquila
==========
Neuroquila is a multipartite virus that behaves in some ways like the
Stoned.Empire.Monkey virus or Crazy Boot. In addition to infecting files, it
will infect and encrypt both the master boot record and boot sector. Due to
this encryption, once you have started your computer from an uninfected
diskette, you will no longer see your fixed disk. Booting with the virus in
memory will allow you to see and access your hard disk, but Neuroquila will
continue to spread at every opportunity.
If Norton AntiVirus detects the Neuroquila virus on your computer, please
contact the Technical Support department for instructions on how to remove
the virus. Please do not attempt to repair the virus without talking to
Technical Support first.
Requires external file for complete detection and repair.
*******************************************************************************
WARNING: Because of the unusual behavior of this virus, DO NOT reinoculate the
master boot record, boot sector or use inoculation technology to repair the
virus and DO NOT attempt to repair your hard disk using Norton Disk Doctor or
any other disk repair utility.
*******************************************************************************
==============
One Half Virus
==============
The One Half virus is a multipartite virus that exhibits both stealth and
polymorphic behavior. In addition to infecting files and master boot records,
the One Half virus will encrypt data on your hard disk.
To date, the One Half virus has been detected in parts of Europe, specifically
Russia and other Eastern bloc countries. The virus was also detected in a
U.S. government agency.
Starting November 1, 1994 the virus definitions file includes a definition
for detecting this virus.
If Norton AntiVirus finds the One Half virus on your computer, please contact
the Technical Support department for instructions on how to remove the virus.
Please do not attempt to repair the virus without talking to Technical Support
first.
*******************************************************************************
WARNING: Because of the unusual behavior of this virus, DO NOT reinoculate the
master boot record or use inoculation technology to repair the virus and DO
NOT attempt to repair your hard disk using Norton Disk Doctor or any other
disk repair utility.
*******************************************************************************
===========
Viking.Dec3
===========
The Viking.Dec3 virus alters EXE files in such a way that NAV is not able to
completely repair them. However, we felt it was important to give you as much
of the repair as possible rather than none. NAV will repair the COM files
flawlessly, but the EXE repair requires some input from you.
In order to complete the EXE repair, we need your involvement. As a result,
we recommend that you replace files from backups where you can. And where you
can't, apply the following procedure. If you need help with this repair, we
encourage you to call our Technical Support.
After an EXE file is repaired by NAV, one must take the following additional
steps. Lines prefixed by the "greater than" sign represent lines to be typed
at the DOS prompt. Lines prefixed by a dash are typed while running debug.
>rename filename.exe filename.bad
>debug filename.bad
-d 100 l 4
     Verify that the first byte is E9 and the fourth byte is
     C0. If yes, proceed. If no, quit (q) from debug.
-e 100 4d 5a ff 1
-w
-q
>rename filename.bad filename.exe
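The same check-and-patch as a script, added here as an example; it is not part
of the original Symantec text. DEBUG loads a non-EXE file at offset 100h, so
the bytes shown by "-d 100 l 4" are the first four bytes of the file. The
function names, the .bak copy and the sample files are assumptions made for
this example.

```python
import os
import shutil
import tempfile

EXPECTED_FIRST = 0xE9    # byte the procedure expects at debug offset 100
EXPECTED_FOURTH = 0xC0   # byte the procedure expects at debug offset 103
NEW_HEADER = bytes([0x4D, 0x5A, 0xFF, 0x01])  # values from "-e 100 4d 5a ff 1"


def needs_header_fix(header: bytes) -> bool:
    """Mirror the manual check made after "-d 100 l 4"."""
    return (len(header) >= 4 and header[0] == EXPECTED_FIRST
            and header[3] == EXPECTED_FOURTH)


def fix_exe_header(path: str) -> bool:
    """Patch the first four bytes in place, keeping a .bak copy (an addition)."""
    with open(path, "rb") as fh:
        header = fh.read(4)
    if not needs_header_fix(header):
        return False           # same as quitting debug without writing
    shutil.copy2(path, path + ".bak")
    with open(path, "r+b") as fh:
        fh.write(NEW_HEADER)   # file offset 0 is debug offset 100h
    return True


def demo() -> dict:
    """Run against two constructed files in a temporary directory."""
    samples = {
        "repaired.exe": bytes([0xE9, 0x10, 0x00, 0xC0]) + b"constructed body",
        "untouched.exe": b"MZ\x90\x00" + b"constructed body",
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            patched = fix_exe_header(path)
            with open(path, "rb") as fh:
                results[name] = (patched, fh.read(4))
    return results


if __name__ == "__main__":
    print(demo())
```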
====================
WinWord Macro Family
====================
The WinWord Macro family of viruses uses the WordBasic macro language to
infect and, in some cases, implant binary viruses into host programs. These
macros reside within Word document templates and the documents themselves.
Most notably, this family of viruses is platform independent - they will
infect documents and templates on DOS, Windows, Mac and Windows NT operating
systems.
The default NAV settings do not check non-binary files. In order for
NAV to detect these viruses, you must have the external detection file
(VIRSPWD.DAT) in your NAV directory and you must set your scanning options
to scan "All Files." For more information on setting this option, see Chapter
8 "Customizing Virus Checking" of your User's Guide. With that in place, scan
your system as usual.
Microsoft has provided a repair solution for the WinWord.Concept virus. You can
obtain additional information regarding the virus and a repair for it from the
following locations:
- The Microsoft WWW site at http://www.microsoft.com/msoffice/prank.htm
- The Microsoft Network. Go word: wordprankfix
- The Word forums on CompuServe and America Online
- Customers can call Microsoft's Product Support Services at 206-462-9673 for
Word for Windows, and 206-635-7200 for Word for the Macintosh.