- Path: sparky!uunet!ukma!darwin.sura.net!jvnc.net!netnews.upenn.edu!netnews.cc.lehigh.edu!news
- From: cjkuo@ccmail.norton.com (Jimmy Kuo)
- Newsgroups: comp.virus
- Subject: Re: Autoexec deletion virus?? (PC)
- Message-ID: <0003.9211101922.AA06969@barnabas.cert.org>
- Date: 3 Nov 92 20:30:45 GMT
- Sender: virus-l@lehigh.edu
- Lines: 32
- Approved: news@netnews.cc.lehigh.edu
-
- ed street writes:
- >My mom recently purchased an IBM machine (PS/1) and is complaining
- >about her virus checker deleting her autoexec.bat file (she has the
- >standard virus checking program that came with the computer). This only
- >occurs when she gets an error message that says something similar to
- >"can't read autoexec.bat" and proceeds to delete it. This sounds to
- >me not like a virus problem, but a file problem.
-
- >So my question is does anyone know anything about this problem and if
- >I told her right? (the program also deletes a text file from where the
- >search program is located on her hard drive, so I am at a loss on
- >this. I know some programs delete files upon use (like workperfect and
- >others) but never have I heard of this happening.)
-
- We have encountered a direct action infector of C:\COMMAND.COM and
- C:\DOS\COMMAND.COM which renames C:\AUTOEXEC.BAT to C:\AUTOEXEC.BAK on
- Thursdays. Presently, we have dubbed this "Thursday Autoexec". We
- had only one single sighting of this in the wild.
-
- This is a COM appender virus which makes COMMAND.COM files grow by
- 452 bytes and spreads ONLY through COMMAND.COM! It's a minor miracle
- that this virus could spread (unless, "it gets lucky" [Dave Chess]).
- Question: Has your mother recently purchased software or otherwise
- obtained software that included its own copy of COMMAND.COM?
-
- You can verify an infected command.com by debugging and noting that
- it starts with: JMP [0104]
-
- If all the above is true, NAV 2.1 can detect and repair this virus.
-
- Jimmy Kuo cjkuo@ccmail.norton.com
- Norton AntiVirus Research
-
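The check described in the reply above, as an added example that is not part of the original post or of any Norton tool: it tests whether a COMMAND.COM image begins with the bytes DEBUG displays as `JMP [0104]` (8086 encoding `FF 26 04 01`) and reads the jump target stored at 0104h. The test that the target falls in the last 452 bytes is an assumption about how an appender would lay out its entry point, and the sample images are constructed filler.

```python
import struct
import sys

# Near indirect jump that DEBUG shows as "JMP [0104]":
# opcode FF /4, ModRM 26 (16-bit direct address), then address 0104h.
JMP_INDIRECT_0104 = bytes([0xFF, 0x26, 0x04, 0x01])
COM_LOAD_OFFSET = 0x100  # DOS loads a .COM image at offset 100h
GROWTH = 452             # growth in bytes reported in the post


def check_com_image(data: bytes) -> dict:
    """Check a COMMAND.COM image for the entry pattern named in the post."""
    result = {"starts_with_jmp": False, "target": None, "target_in_tail": False}
    if len(data) < 6 or not data.startswith(JMP_INDIRECT_0104):
        return result
    result["starts_with_jmp"] = True
    # The jump takes its destination from the word stored at 0104h,
    # which is file offset 4 (little-endian).
    (target,) = struct.unpack_from("<H", data, 4)
    result["target"] = target
    # Assumption: an appender's entry point lies in the appended 452 bytes.
    tail_start = COM_LOAD_OFFSET + len(data) - GROWTH
    tail_end = COM_LOAD_OFFSET + len(data)
    result["target_in_tail"] = (
        len(data) > GROWTH and tail_start <= target < tail_end
    )
    return result


def constructed_samples():
    """Constructed images made of filler bytes only, no real code."""
    clean = bytes([0xE9, 0x10, 0x00]) + bytes(997)  # starts with a direct JMP
    body = bytes(1000)
    entry = COM_LOAD_OFFSET + 6 + len(body)  # first byte of the appended tail
    flagged = (JMP_INDIRECT_0104 + struct.pack("<H", entry)
               + body + bytes(GROWTH))
    return clean, flagged


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(check_com_image(fh.read()))
    else:
        for name, image in zip(("clean", "flagged"), constructed_samples()):
            print(name, check_com_image(image))
```

A match on the first four bytes is an indicator to follow up with a scanner and a comparison against a known-good COMMAND.COM of the same DOS version, not proof of infection.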