===============================================================================
VIRSPEC.TXT - Special Information Regarding Unique Computer Viruses
Symantec AntiVirus Research Center
February 1, 1996
===============================================================================

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
* IMPORTANT NOTICE - Norton Antivirus v3.0 *
* *
* If your version of Norton AntiVirus 3.0 for Windows and DOS is dated *
* before December 1, 1995, you will need to update it using the NAV Macro *
* Engine Update in order to protect against Word Macro Viruses. If you *
* have not updated your version, download the NAV Macro Engine Update from *
* the Symantec BBS, Symantec's FTP and Web site, CompuServe, America *
* Online, or Microsoft Network. The file is called UPDATEME.EXE and is *
* located where the monthly update files are normally found. Alternately, *
* you may call Customer Service at (800) 441-7234 to order a disk set. *
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*


====================
MS Word Macro Family
====================

The Word Macro family of viruses uses the WordBasic macro language to
infect and, in some cases, implant binary viruses into host programs.
Currently, there are 5 known Macro viruses: Concept, Colors, DMV,
FormatC, and Nuclear. These macros reside within Word document
templates and the documents themselves. Most notably, this family of
viruses is platform independent - they will infect documents and
templates on DOS, Windows, Mac and Windows NT operating systems.

In order for NAV to detect these viruses, you must ensure that your
scanning options include the .DOC and .DOT extensions. For more information
on setting this option, see Chapter 8, "Customizing Virus Checking," of your
User's Guide. With that in place, scan your system as usual.


========================
Disappearing Hard Drives
========================
There are several viruses that appear to cause the hard drive to
"disappear" when booting from a clean floppy disk. This occurs when the
virus encrypts or moves the partition table (a vital part of the system
area). Everything appears to be fine as long as the virus is in memory
because the virus tells DOS where the partition table is, or acts as the
partition table itself. When you boot clean, DOS can't find the partition
table as the virus isn't around to give it directions. As a result, you
might receive an "Invalid drive specification" or similar error when
trying to access the drive.

When you boot clean to have NAV repair such an infection, the hard drive
will not appear in the drive list. Not to worry! NAV, with the default
options enabled, will bypass DOS and look directly at the hard drive and
check the system area for infection no matter what you scan. In effect,
scanning your floppy will scan memory, the floppy AND the system area of
the hard drive. If an infection is discovered, you will be alerted
appropriately.

NOTE: If you have an IDE hard drive that is larger than 1024 cylinders,
you may need to include additional files on your rescue disk in order to
correctly repair it. Make sure that any overlay files or drivers for
your hard drive that are part of your normal system configuration are
included on your rescue disk.

Examples of viruses that work in this manner are Crazy Boot, Frankenstein,
Neuroquila and Stoned.Empire.Monkey.

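To make concrete what a clean boot sees, here is an added example (not part of the Symantec document) that parses the four 16-byte partition entries at offset 1BEh of a 512-byte MBR image and reports the condition DOS hits when the table has been moved or encrypted. Both sample images are constructed in memory; no disk is read, and the virus's in-memory redirection is not modelled, only its absence.

```python
import struct

MBR_SIZE = 512
TABLE_OFFSET = 0x1BE      # four 16-byte partition entries start here
SIG_OFFSET = 0x1FE        # two-byte boot signature 55 AA
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_partition_table(mbr: bytes) -> list:
    """Return the non-empty partition entries found in the MBR's table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    entries = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        if ptype == 0:          # type 0 marks an unused slot
            continue
        entries.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def assess_mbr(mbr: bytes) -> str:
    """Classify what a clean boot (no virus in memory) finds in the sector."""
    if mbr[SIG_OFFSET:SIG_OFFSET + 2] != b"\x55\xAA":
        return "no-signature"   # the BIOS would not treat this sector as bootable
    if not parse_partition_table(mbr):
        return "no-partitions"  # DOS assigns no drive letter: the "disappeared" drive
    return "ok"


def make_mbr(entries) -> bytes:
    """Build a constructed 512-byte MBR from (status, type, lba_start, sectors) tuples."""
    buf = bytearray(MBR_SIZE)
    for i, entry in enumerate(entries):
        struct.pack_into(ENTRY_FMT, buf, TABLE_OFFSET + 16 * i, *entry)
    buf[SIG_OFFSET:SIG_OFFSET + 2] = b"\x55\xAA"
    return bytes(buf)


# Constructed samples (no real disk involved).
HEALTHY_MBR = make_mbr([(0x80, 0x06, 63, 1_048_513)])   # one bootable FAT16 partition
# The real table has been moved or encrypted elsewhere: the sector still carries
# a boot signature, but the table slots DOS reads are empty once the virus is
# not in memory to redirect them.
RELOCATED_TABLE_MBR = make_mbr([])
```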

==========
Crazy Boot
==========
The Crazy Boot virus is an MBR infector that behaves much like the
Stoned.Empire.Monkey virus. Due to the nature of this virus, once you
have started your computer from an uninfected diskette, you will no
longer see your fixed disk. Booting with the virus in memory will allow
you to see and access your hard disk, but Crazy Boot will continue to
spread at every opportunity.

If Norton AntiVirus finds the Crazy Boot virus on your computer, please
contact the Technical Support department for instructions on how to remove
the virus. Please do not attempt to repair the virus without talking to
Technical Support first.

**************************************************************************
WARNING: Because of the unusual behavior of this virus, DO NOT reinoculate
the master boot record or use inoculation technology to repair the virus
and DO NOT attempt to repair your hard disk using Norton Disk Doctor or
any other disk repair utility.
**************************************************************************


==========
Neuroquila
==========
Neuroquila is a multipartite virus that behaves in some ways like the
Stoned.Empire.Monkey virus or Crazy Boot. In addition to infecting files,
it will infect and encrypt both the master boot record and boot sector.
Due to this encryption, once you have started your computer from an
uninfected diskette, you will no longer see your fixed disk. Booting with
the virus in memory will allow you to see and access your hard disk, but
Neuroquila will continue to spread at every opportunity.

If Norton AntiVirus detects the Neuroquila virus on your computer, please
contact the Technical Support department for instructions on how to remove
the virus. Please do not attempt to repair the virus without talking to
Technical Support first.

**************************************************************************
WARNING: Because of the unusual behavior of this virus, DO NOT reinoculate
the master boot record or use inoculation technology to repair the virus
and DO NOT attempt to repair your hard disk using Norton Disk Doctor or
any other disk repair utility.
**************************************************************************


==============
One Half Virus
==============
The One Half virus is a multipartite virus that exhibits both stealth and
polymorphic behavior. In addition to infecting files and master boot
records, the One Half virus will encrypt data on your hard disk.

Starting November 1, 1994, the virus definitions file includes a definition
for detecting this virus.

If Norton AntiVirus finds the One Half virus on your computer, please
contact the Technical Support department for instructions on how to remove
the virus. Please do not attempt to repair the virus without talking to
Technical Support first.

**************************************************************************
WARNING: Because of the unusual behavior of this virus, DO NOT reinoculate
the master boot record or use inoculation technology to repair the virus
and DO NOT attempt to repair your hard disk using Norton Disk Doctor or
any other disk repair utility.
**************************************************************************


===========
Viking.Dec3
===========
The Viking.Dec3 virus alters EXE files in such a way that NAV is not able
to completely repair them. However, we felt it was important to give you
as much of the repair as possible rather than none. NAV will repair the
COM files flawlessly, but the EXE repair requires some input from you.

In order to complete the EXE repair, we need your involvement. As a
result, we recommend that you replace files from backups where you can.
Where you can't, apply the following procedure. If you need help with
this repair, we encourage you to call our Technical Support.

After an EXE file is repaired by NAV, take the following additional
steps. Lines prefixed by the "greater than" sign represent lines to be
typed at the DOS prompt. Lines prefixed by a dash are typed while
running DEBUG.

>rename filename.exe filename.bad
>debug filename.bad
-d 100 l 4

Verify that the first byte is E9 and the fourth byte is C0.
If yes, proceed. If no, quit (q) from DEBUG.

-e 100 4d 5a ff 1
-w
-q
>rename filename.bad filename.exe
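
The same repair, as an added example that is not Symantec's code: DEBUG loads a file at offset 100h, so "d 100 l 4" shows the first four bytes of the file and "e 100 4d 5a ff 1" overwrites them. The script below applies exactly that check (first byte E9, fourth byte C0) and that patch (4D 5A FF 01, i.e. the "MZ" signature followed by FF 01), refusing to touch a file that fails the check; the sample headers are constructed.

```python
from pathlib import Path

# What DEBUG's "d 100 l 4" must show before patching: first byte E9, fourth byte C0.
EXPECTED = {0: 0xE9, 3: 0xC0}
# What "e 100 4d 5a ff 1" writes at the start of the file: "MZ", then FF 01.
PATCH = bytes.fromhex("4d 5a ff 01")


def needs_header_repair(data: bytes) -> bool:
    """True when the file still carries the header NAV could not finish repairing."""
    return len(data) >= 4 and all(data[i] == v for i, v in EXPECTED.items())


def repair_header(data: bytes) -> bytes:
    """Return a copy with the first four bytes replaced; refuse if the check fails."""
    if not needs_header_repair(data):
        raise ValueError("bytes 1 and 4 are not E9/C0: leave the file alone (DEBUG 'q')")
    return PATCH + data[4:]


def repair_file(exe: Path) -> bool:
    """Mirror the DOS-prompt steps: rename to .BAD, patch, rename back."""
    bad = exe.with_suffix(".bad")
    exe.rename(bad)
    data = bad.read_bytes()
    if not needs_header_repair(data):
        bad.rename(exe)            # nothing changed; restore the original name
        return False
    bad.write_bytes(repair_header(data))
    bad.rename(exe)
    return True


# Constructed samples: a header NAV left as E9 xx xx C0, and an untouched MZ header.
SAMPLE_DAMAGED = bytes.fromhex("e9 12 34 c0") + bytes(28)
SAMPLE_CLEAN = b"MZ\x90\x00" + bytes(28)
```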