21A03.TXT - Description file for 21A03.DEF
AntiVirus Lab, SYMANTEC/Peter Norton Product Group
January 1, 1993
******************************************************************
Instructions for loading virus definitions, using Norton AntiVirus
2.1:
1) Run Virus Clinic by typing NAV at the DOS prompt.
2) If you are in DOS, press <Enter> to accept the Welcome screen.
3) Select "Cancel," or press <Esc> to bypass the "Scan Drives"
screen.
4) Select the "Definitions" menu.
5) Select "Load from File..."
6) If the name of the drive and directory to which you loaded the
definition file does not appear on the "Directory:" line, change to
the proper drive and directory name and press <Enter>. The name of
the definition file should appear in the "Files" window.
7) Select the definition file, select "OK," and press <Enter>.
8) After the definitions have loaded, press <Enter> to exit from the
"Load Definition File Results" screen.
9) Select "Exit" from the "Scan" menu.
10) Reboot your computer to activate the new definitions.
********************************************************************************
Monkey
Monkey is a memory resident infector of the Master Boot Record on
hard disks and of the boot sector on floppies. If Monkey is in memory,
any accesses to the boot record will be rerouted to a copy of the
original boot sector. Monkey replaces the partition table, so if the
hard disk is infected and you boot from a clean diskette, the drive is
invalid to DOS. Thus, this virus can only be seen in memory or on a
floppy disk. If you boot from a clean diskette, the hard disk will be
unknown to DOS. If you boot from the hard disk, you are infected.
Repair is not possible from within NAV because of this
complexity. If you encounter this virus, call Technical Support.
They can guide you through a repair process.
The virus is spread onto hard disks when a boot occurs from an infected
diskette. Diskettes are infected when the virus is resident in memory
and any access is made to the diskette.
The virus occupies one K at the top of memory (640K mark). Any memory
indicator will show the machine as having one K less than it should.
INT 01 and INT 13h are intercepted by the virus to accomplish its deeds.
Monkey does no intentional permanent damage and seems only designed to
spread. But the encryption and the inability of DOS to see the hard
drive when booted from a diskette are a major inconvenience. Damage may
occur on diskette formats other than DOS on 360K, 720K, 1.2M, and 1.44M
diskettes.
Monkey is prevalent in Canada at the time of this writing, especially
around Edmonton.
-----
ATAS (aka 384, 400)
Atas is a direct action infector of COM files. Atas infects one COM
file in the current directory per execution. Files will grow by 384
or 400 bytes depending on which strain is infecting your system. The
date and timestamp of the file will be changed to the time of infection.
Atas intercepts INT 21h in order to infect but returns the vector once
the infection is complete. Upon completion of the infection, a message
will appear on the screen. This message will either be "I like to
travel..." (ATAS-400) or "Ok." (ATAS-384). Both messages are encrypted
in the body of the virus and cannot be seen until appropriate portions
are decrypted. Because of the encryption, repair is not possible.
-----
No Frills
No Frills is a memory resident infector of COM and EXE files. Files
are infected if executed or copied. The resident portion of the virus
takes up approximately 2K of memory. Files grow by approximately 800
to 850 bytes but the date and timestamp will be unchanged. Infected
files are repairable by NAV. The only negative side-effect that could
be found was that the system would occasionally hang once infected.
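The ATAS and No Frills entries both describe infection by a fixed change in
file length (384 or 400 bytes for ATAS, with the date/time stamp reset; 800 to
850 bytes for No Frills, with the stamp untouched). The following is an added
example, not part of this Symantec file, showing how a baseline of size,
timestamp and SHA-256 per COM/EXE file can be compared against a later
snapshot to surface exactly those patterns. The GROWTH_PROFILES table is taken
from the figures above; the sample snapshots are constructed for the demo, and
take_snapshot() builds a real one from a directory.

```python
"""Baseline comparison for COM/EXE infections (added example, not part of
the Symantec file). A snapshot maps NAME -> (size, mtime, sha256)."""
import hashlib
import os

# File-growth profiles (bytes added) taken from the virus descriptions above.
GROWTH_PROFILES = {
    "ATAS": {384, 400},
    "No Frills": set(range(800, 851)),
}


def take_snapshot(directory: str) -> dict:
    """Record size, modification time and SHA-256 of every .COM/.EXE file."""
    snap = {}
    for name in os.listdir(directory):
        if not name.upper().endswith((".COM", ".EXE")):
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        snap[name.upper()] = (st.st_size, int(st.st_mtime), digest)
    return snap


def compare(baseline: dict, current: dict, profiles: dict = GROWTH_PROFILES) -> list:
    """Return one finding per file whose content differs from the baseline.

    A changed timestamp alone is ignored: the hash decides whether the file
    changed, and the size delta is then matched against the known profiles.
    """
    findings = []
    for name, (size, mtime, digest) in sorted(current.items()):
        if name not in baseline:
            findings.append({"file": name, "status": "new", "matches": []})
            continue
        old_size, old_mtime, old_digest = baseline[name]
        if digest == old_digest:
            continue  # content unchanged
        delta = size - old_size
        matches = [virus for virus, growth in profiles.items() if delta in growth]
        findings.append({
            "file": name,
            "status": "changed",
            "delta": delta,
            "mtime_changed": mtime != old_mtime,
            "matches": matches,
        })
    return findings


def sample_snapshots():
    """Constructed baseline/current pair for demonstration; not real file data."""
    baseline = {
        "EDIT.COM": (4200, 715_000_000, "a" * 64),
        "GAME.EXE": (51200, 715_000_000, "b" * 64),
        "UTIL.COM": (9000, 715_000_000, "c" * 64),
    }
    current = {
        # ATAS pattern: +384 bytes and the stamp moved to the infection time
        "EDIT.COM": (4584, 725_000_000, "d" * 64),
        # No Frills pattern: about 830 bytes added, date/time stamp untouched
        "GAME.EXE": (52030, 715_000_000, "e" * 64),
        # untouched file
        "UTIL.COM": (9000, 715_000_000, "c" * 64),
    }
    return baseline, current


if __name__ == "__main__":
    for finding in compare(*sample_snapshots()):
        print(finding)
```

A match in "matches" is only a hint: the note at the end of this file warns
that growth figures are easy for a virus writer to alter, so any changed
executable deserves a scan regardless of whether its delta matches a profile.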
-----
DiskInfect
DiskInfect is a memory resident infector of the Master Boot Record and
partition tables on hard disks and of the boot sector on floppies.
DiskInfect overwrites the OEM name on hard disks, though that causes no
actual damage. Repair of partition tables is provided. The boot sector
can be repaired with the FDISK /MBR command on hard disks or with the
SYS command for floppies.
The virus is spread onto hard disks when a boot occurs from an infected
diskette. Diskettes are infected when the virus is resident in memory
and any access is made to the diskette.
The virus occupies one K at the top of memory (640K mark). Any memory
indicator will show the machine as having one K less than it should.
INT 13h and INT 21h are intercepted by the virus to accomplish its deeds.
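Both Monkey and DiskInfect live in the Master Boot Record and disturb the
partition table, and Monkey in particular leaves a table DOS cannot use when
the disk is viewed from a clean boot. The following is an added example, not
part of this Symantec file, of a partition-table sanity check of the kind a
rescue diskette tool would run over a sector read from disk: it verifies the
0xAA55 signature, that each used entry has a legal boot indicator and non-zero
extent, that at most one entry is active, and that entries do not overlap. The
sector contents are constructed in memory; the "garbled" table is simply 64
bytes of junk standing in for a replaced table, not Monkey's actual layout.

```python
"""MBR partition-table sanity check (added example, not Symantec's code)."""
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446        # four 16-byte partition entries start here
ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510    # 0x55 0xAA in the last two bytes
ENTRY_FORMAT = "<B3xB3xII"  # boot flag, CHS start, type, CHS end, LBA start, sectors


def parse_partition_table(sector: bytes) -> list:
    """Return the four partition entries as dicts (CHS fields are skipped)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for slot in range(4):
        off = TABLE_OFFSET + slot * ENTRY_SIZE
        boot, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FORMAT, sector, off)
        entries.append({"slot": slot, "boot": boot, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(sector: bytes) -> list:
    """Return a list of findings; an empty list means the table looks sane."""
    findings = []
    signature = struct.unpack_from("<H", sector, SIGNATURE_OFFSET)[0]
    if signature != 0xAA55:
        findings.append(f"boot signature is {signature:#06x}, expected 0xaa55")
    used = [e for e in parse_partition_table(sector) if e["type"] != 0]
    if not used:
        findings.append("partition table has no used entries")
    active = 0
    for e in used:
        if e["boot"] not in (0x00, 0x80):
            findings.append(f"slot {e['slot']}: boot indicator {e['boot']:#04x} is not 0x00/0x80")
        if e["boot"] == 0x80:
            active += 1
        if e["lba_start"] == 0 or e["sectors"] == 0:
            findings.append(f"slot {e['slot']}: zero start sector or zero length")
    if active > 1:
        findings.append(f"{active} entries marked active, expected at most one")
    ranges = sorted((e["lba_start"], e["lba_start"] + e["sectors"]) for e in used)
    for (s1, e1), (s2, _) in zip(ranges, ranges[1:]):
        if s2 < e1:
            findings.append("partition extents overlap")
            break
    return findings


# Constructed sane table: one active FAT16 partition starting at sector 63.
GOOD_TABLE = struct.pack(ENTRY_FORMAT, 0x80, 0x06, 63, 204737) + bytes(48)
# Constructed junk standing in for a replaced table (not Monkey's real layout).
GARBLED_TABLE = bytes((0x41 + i) % 256 for i in range(64))


def build_sample_mbr(table: bytes = GOOD_TABLE) -> bytes:
    """Assemble a 512-byte sector with the given 64-byte table and a valid signature."""
    if len(table) != 4 * ENTRY_SIZE:
        raise ValueError("partition table must be 64 bytes")
    sector = bytearray(SECTOR_SIZE)
    sector[TABLE_OFFSET:TABLE_OFFSET + 64] = table
    sector[SIGNATURE_OFFSET:] = b"\x55\xAA"
    return bytes(sector)


if __name__ == "__main__":
    print("good  :", check_mbr(build_sample_mbr()))
    print("junk  :", check_mbr(build_sample_mbr(GARBLED_TABLE)))
```

A sector that fails this check is not proof of infection, but DOS relies on
exactly these fields, so a table that fails it is one DOS will not mount, which
is the symptom the Monkey entry describes when booting from a clean diskette.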
-----
Gnose (aka Irish-3, Necrose)
Gnose is a prepending virus. It infects COM files including COMMAND.COM.
For EXE files, it creates a companion COM program of 1164 bytes with the
hidden attribute turned on so the DOS DIR command will not list them,
making it seem invisible. For COM files, the first 1164 bytes are copied
to the end of the file, replaced by the viral code. On NOV 21 of any
year, the virus produces periodic beeps on the speaker (using INs & OUTs
to port 61h). NAV can detect and repair both the new hidden files as
well as the traditional prepended viral code. In repairing the spawned
hidden COM files, NAV truncates the files to 0 length. A separate step
must be taken to delete these files. Programs from The Norton Utilities,
The Norton Desktop for Windows, The Norton Desktop for DOS, or the DOS
ATTRIB program can all be used to locate and delete hidden files. After
NAV has repaired the system, all COM files of length 0 should be deleted.
We do not recommend deleting the files directly from NAV because it is
too difficult to determine if an affected COM file is one that has been
attached to or one that has been spawned and is only 1164 bytes. If all
files on the system can be retrieved from backup if necessary, then using
the delete function in NAV is appropriate.
The virus is improperly coded such that if you work with a
write-protected floppy diskette while the virus is in memory, you will
get a continual sequence of write protect error messages.
Gnose steals approximately 2.5K (2624) of memory from just below the
640K mark to remain resident in memory. INTs 1Ch, 21h, and 03h are
intercepted by the virus. INT 1Ch is the periodic timer tick interrupt
and is used to determine when to play its tunes. INT 21h is intercepted
for use in propagation. INT 03 is used by the virus, possibly to
hinder anti-virus analysis, as it is also the DEBUG breakpoint interrupt.
Finally, the virus does a self-residency check by issuing INT 21h with
AX=4BFDh. On return, if AX is 3238h, the virus is already in memory.
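The Gnose entry leaves the operator with a manual cleanup step after NAV has
run: find the 1164-byte hidden COM companions spawned next to EXE files, the
0-length COM files left behind by NAV's repair, and leave alone any 1164-byte
COM that is a genuine program. The following is an added example, not part of
this Symantec file, that applies those three rules to a directory listing. The
hidden attribute is read from st_file_attributes, which Python exposes only on
Windows; elsewhere it is reported as False and the EXE-twin rule does the work.
The sample listing is constructed for the demonstration.

```python
"""Sorting Gnose companion artifacts after a NAV repair (added example,
not Symantec's code). A listing is a list of (NAME, size, hidden) tuples."""
import os

COMPANION_SIZE = 1164          # size of the spawned COM given in the description
FILE_ATTRIBUTE_HIDDEN = 0x02   # DOS/Windows hidden attribute bit


def list_directory(directory: str) -> list:
    """Return (NAME, size, hidden) for each regular file in a directory."""
    listing = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        # st_file_attributes exists only on Windows; assume not hidden elsewhere
        hidden = bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)
        listing.append((name.upper(), st.st_size, hidden))
    return listing


def classify(listing: list) -> dict:
    """Split COM files into spawned companions, repair leftovers and doubtful cases."""
    names = {name for name, _, _ in listing}
    exe_stems = {name[:-4] for name in names if name.endswith(".EXE")}
    result = {"companions": [], "truncated": [], "check_manually": []}
    for name, size, hidden in sorted(listing):
        if not name.endswith(".COM"):
            continue
        stem = name[:-4]
        if size == 0:
            # NAV repair truncates spawned companions to 0 length; safe to delete
            result["truncated"].append(name)
        elif size == COMPANION_SIZE and stem in exe_stems:
            # a 1164-byte COM shadowing an EXE of the same name is a spawned file
            result["companions"].append(name)
        elif size == COMPANION_SIZE:
            # no EXE twin: could be a legitimate 1164-byte program, so do not delete blindly
            result["check_manually"].append(name)
    return result


def sample_listing() -> list:
    """Constructed directory listing for the demo; not from a real system."""
    return [
        ("GAME.EXE", 51200, False),
        ("GAME.COM", 1164, True),    # spawned companion beside GAME.EXE
        ("OLD.COM", 0, True),        # companion already truncated by NAV
        ("TINY.COM", 1164, False),   # no EXE twin: may be a real program
        ("EDIT.COM", 4200, False),   # ordinary COM, wrong size to be a companion
        ("README.TXT", 300, False),
    ]


if __name__ == "__main__":
    for bucket, files in classify(sample_listing()).items():
        print(f"{bucket:15s} {files}")
```

A COM file that Gnose has prepended to (grown by 1164 bytes) is not
distinguishable by size alone, which is exactly why the description leaves that
part to NAV's repair and reserves the manual step for the spawned files.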
-----
(Note: File size growth is given in approximate numbers. If a number is
enclosed in parentheses, that number would be the growth of one of the more
common variants. As it is too easy for a virus writer to alter this number
without changing the virus significantly, do not depend on the more precise
number. It is provided for your confidence should you encounter it, which
we hope never happens.)