home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Freelog 33
/
Freelog033.iso
/
Extra
/
Antivir
/
NavScan
/
VIRSPEC.TXT
< prev
Wrap
Text File
|
1996-01-31
|
8KB
|
170 lines
===============================================================================
VIRSPEC.TXT - Special Information Regarding Unique Computer Viruses
Symantec AntiVirus Research Center
February 1, 1996
===============================================================================
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
* IMPORTANT NOTICE - Norton Antivirus v3.0 *
* *
* If your version of Norton AntiVirus 3.0 for Windows and DOS is dated *
* before December 1, 1995, you will need to update it using the NAV Macro *
* Engine Update in order to protect against Word Macro Viruses. If you *
* have not updated your version, download the NAV Macro Engine Update from *
* the Symantec BBS, Symantec's FTP and Web site, CompuServe, America *
* Online, or Microsoft Network. The file is called UPDATEME.EXE and is *
* located where the monthly update files are normally found. Alternately, *
* you may call Customer Service at (800) 441-7234 to order a disk set. *
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
====================
MS Word Macro Family
====================
The Word Macro family of viruses uses the WordBasic macro language to
infect and, in some cases, implant binary viruses into host programs.
Currently, there are 5 known Macro viruses; Concept, Colors, DMV,
FormatC, and Nuclear. These macros reside within Word document
templates and the documents themselves. Most notably, this family of
viruses is platform independant - they will infect documents and
templates on DOS, Windows, Mac and Windows NT operating systems.
In order for NAV to detect these viruses, you must ensure that your
scanning options include .DOC and .DOT extensions. For more information
on setting this option, see Chapter 8 "Customizing Virus Checking" of your
User's Guide. With that in place, scan your system as usual.
========================
Disappearing Hard Drives
========================
There are several viruses that appear to cause the hard drive to
"disappear" when booting from a clean floppy disk. This occurs when the
virus encrypts or moves the partition table (a vital part of the system
area). Everything appears to be fine as long as the virus is in memory
because the virus tells DOS where the partition table is, or acts as the
partition table itself. When you boot clean, DOS can't find the partition
table as the virus isn't around to give it directions. As a result, you
might receive an "Invalid drive specification" or similar error when
trying to access the drive.
When you boot clean to have NAV repair such an infection, the hard drive
will not appear in the drive list. Not to worry! NAV, with the default
options enabled, will bypass DOS and look directly at the hard drive and
check the system area for infection no matter what you scan. In effect,
scanning your floppy will scan memory, the floppy AND the system area of
the hard drive. If an infection is discovered, you will be alerted
appropriately.
NOTE: If you have an IDE hard drive that is larger than 1024 cylinders,
you may need to include additional files on your rescue disk in order to
correctly repair it. Make sure that any overlay files or drivers for
your hard drive that are part of your normal system configuration are
included on your rescue disk.
Examples of viruses that work in this manner are Crazy Boot, Frankenstein,
Neuroquila and Stoned.Empire.Monkey.
==========
Crazy Boot
==========
The Crazy Boot virus is a MBR infector that behaves much like the
Stoned.Empire.Monkey virus. Due to the nature of this virus, once you
have started your computer from an uninfected diskette, you will no
longer see your fixed disk. Booting with the virus in memory will allow
you to see and access your hard disk, but Crazy Boot will continue to
spread at every opportunity.
If Norton AntiVirus finds the Crazy Boot virus on your computer, please
contact Technical Support department for instructions on how to remove the
virus. Please do not attempt to repair the virus without talking to
Technical Support first.
**************************************************************************
WARNING: Because of the unusual behavior of this virus, DO NOT reinoculate
the master boot record or use inoculation technology to repair the virus
and DO NOT attempt to repair your hard disk using Norton Disk Doctor or
any other disk repair utility.
**************************************************************************
==========
Neuroquila
==========
Neuroquila is a multipartite virus that behaves in some ways like the
Stoned.Empire.Monkey virus or Crazy Boot. In addition to infecting files,
it will infect and encrypt both the master boot record and boot sector.
Due to this encryption, once you have started your computer from an
uninfected diskette, you will no longer see your fixed disk. Booting with
the virus in memory will allow you to see and access your hard disk, but
Neuroquila will continue to spread at every opportunity.
If Norton AntiVirus detects the Neuroquila virus on your computer, please
contact Technical Support department for instructions on how to remove
the virus. Please do not attempt to repair the virus without talking to
Technical Support first.
**************************************************************************
WARNING: Because of the unusual behavior of this virus, DO NOT reinoculate
the master boot record or use inoculation technology to repair the virus
and DO NOT attempt to repair your hard disk using Norton Disk Doctor or
any other disk repair utility.
**************************************************************************
==============
One Half Virus
==============
The One Half virus is a multipartite virus that exhibits both stealth and
polymorphic behavior. In addition to infecting files and master boot
records, the One Half virus will encrypt data on your hard disk.
Starting November 1, 1994 the virus definitions file includes a definition
for detecting this virus.
If Norton AntiVirus finds the One Half virus on your computer, please
contact Technical Support department for instructions on how to remove the
virus. Please do not attempt to repair the virus without talking to
Technical Support first.
**************************************************************************
WARNING: Because of the unusual behavior of this virus, DO NOT reinoculate
the master boot record or use inoculation technology to repair the virus
and DO NOT attempt to repair your hard disk using Norton Disk Doctor or
any other disk repair utility.
**************************************************************************
===========
Viking.Dec3
===========
The Viking.Dec3 virus alters EXE files in such a way that NAV is not able
to completely repair them. However, we felt it was important to give you
as much of the repair as possible rather than none. NAV will repair the
COM files flawlessly, but the EXE repair requires some input from you.
In order to complete the EXE repair, we need your involvement. As a
result, we recommend that you replace files from backups where you can.
And where you can't, apply the following procedure. If you need help with
this repair, we encourage you to call our Technical Support.
After an EXE file is repaired by NAV, one must take the following
additional steps. Lines prefixed by the "greater than" sign represent
lines to be typed at the DOS prompt. Lines prefixed by a dash are typed
while running debug.
>rename filename.exe filename.bad
>debug filename.bad
-d 100 l 4
Verify that the first byte is E9 and the fourth byte is C0.
If yes, proceed. If no, quit (q) from debug.
-e 100 4d 5a ff 1
-w
-q
>rename filename.bad filename.exe