- Path: sparky!uunet!cs.utexas.edu!sdd.hp.com!mips!darwin.sura.net!jvnc.net!netnews.upenn.edu!netnews.cc.lehigh.edu!news
- From: Jim.Baltaxe@vuw.ac.nz (Jim Baltaxe)
- Newsgroups: comp.virus
- Subject: Frodo False Alarm (PC)
- Message-ID: <0007.9207302004.AA22651@barnabas.cert.org>
- Date: 29 Jul 92 00:00:11 GMT
- Sender: virus-l@lehigh.edu
- Lines: 26
- Approved: news@netnews.cc.lehigh.edu
-
- I just came across an interesting false positive reported by Virusafe
- v. 4.5, from XTree software running on a Toshiba laptop (386SX) under
- DOS 5.0 and an access control manager called Ironclad v. 2.0 from
- Silver Oak Systems.
-
- Virusafe reported the Frodo (4096) virus in memory but no infected
- files. F-Prot 204a did not report anything either in memory or on
- disk. Attempting to reboot from a known clean system disk failed
- because the ACM was active.
-
- Eventually we got an emergency boot disk for Ironclad which disabled
- the ACM. Then when we rebooted and rescanned with both Virusafe and
- F-Prot the system reported clean. EXE & COM files reported the same
- lengths with & without the "infected" system running.
-
- Unfortunately I am not very familiar with Ironclad so I cannot say
- exactly what it did (presumably packed/encrypted the disk?). Ironclad
- appears to be based on a hidden device driver which is unlikely to
- have been affected by the virus.
-
- Anybody come across this as well?
- - --
- Jim Baltaxe - jim.baltaxe@vuw.ac.nz
- Computing Services Centre - Victoria University of Wellington - New Zealand
- - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- Time is such a valuable commodity because they're not making it any more.
-