21A04.TXT - Description file for 21A04.DEF
AntiVirus Lab, SYMANTEC/Peter Norton Product Group
February 1, 1993
******************************************************************
Instructions for loading virus definitions, using Norton AntiVirus
2.1:
1) Run Virus Clinic by typing NAV at the DOS prompt or clicking
on the NAV Icon from within Windows.
2) Select "Cancel," or press <Esc> to bypass the "Scan Drives"
Screen.
3) Select the "Definitions" menu.
4) Select "Load from File..."
5) If the name of the drive and directory to which you loaded the
definition file does not appear on the "Directory:" line, change to
the proper drive and directory. The name of the definition file
should appear in the "Files" window.
6) Select the definition file, click "OK," or press <Enter>.
7) After the definitions have loaded, press <Enter> to exit from the
"Load Definition File Results" screen.
8) Select "Exit" from the "Scan" menu.
9) Reboot your computer to activate the new definitions.
******************************************************************
Note for users who are not updated through Corporate Channels:
If you experience MtE problems, please download the patch file,
PTCH1A.ZIP, unzip the file, follow the instructions included
in the readme file, then load these definitions again.
******************************************************************
In our effort to move the industry toward common standards, we have chosen
to follow the naming conventions established by CARO, the Computer Anomaly
Research Organization. In future months, we will be slowly changing the
virus names in the NAV product to more closely resemble names established
by CARO.
In this update, the following name changes occur:
Old name               New name
--------               --------
Christmas in Japan     Japanese Christmas
Agiplan                Month 4-6
Manta                  VCS
Jerusalem-Related-2    Jerusalem-2
Manola                 Manuel
MFace                  Multiface
Newcom                 YD-44.Login
Smobla                 Vienna (Sicilian Mob 1a)
Pisselo                Pisello
Taiwan-3               Anticad 2
Rocko                  Rock Steady
UNK                    Kiss
Invol                  Involuntary
DiskInfect             Quox
Gnose                  Necros
-----
Exebug
Exebug is a memory resident infector of floppy diskette boot sectors
and hard disk master boot records. The original boot sector is stored
in encrypted form elsewhere on the disk, depending on the disk type,
and the disk boot sector is replaced by the viral boot sector, which
is not a legal MBR! It is a very complicated virus.
If you are infected with Exebug, all attempts to read the boot sector
will be redirected to the correct version of the boot sector. As a
result, your system will seem to be unaffected. The only way to detect
the virus when infected is by its memory signature.
Exebug steals 1K of memory from the 640K mark. Thus infected systems
will show 1K less memory available than normal. The virus will alter
the CMOS configuration of the system to report that there is no A:
drive. On some systems, this alteration causes the system to always
boot first from the C: drive. Thus, on those systems, the virus will
get into memory first. The virus, understanding that a user just
attempted to reboot, will then simulate the booting process from A:
but it will already be in memory.
Fortunately, the Exebug virus is only known to be in the wild in South
Africa and neighboring locations. If you discover that you are infected
by this virus, please call our Technical Support for instructions on how
to remove the virus.
Apart from these technical complications, the virus does not intentionally
damage the computer. Sector 7 of the hard disk boot track or a sector on
track 0 of floppies is used to store the original boot sector. Thus, it
might overwrite information.
-----
Kilroy
Kilroy is a very simple boot sector infector. It is from the book,
"The Little Black Book of Viruses." It is not believed to be in the wild.
However, as some people have the book and might be mischievously playing
with its instructions, we provide it to make sure those people do not
mistakenly put it into the wild. The virus displays "Kilroy was here!"
when booted from an infected diskette.
-----
Vienna-629
Vienna-629 is a strain of the Vienna family of viruses. It is a direct
action infector of COM files. On each execution of an infected file,
another COM file in the current directory is found and infected. Files
with the read-only bit set are not treated differently when the virus
selects a target. Not all COM files will be infected, as some may randomly
match the virus' self check against reinfection. Infected files will grow
by 629 bytes.
On random occasions, instead of a size increase, the virus will instead
destroy the file by overwriting the first 5 bytes with garbage. The
files which have grown by 629 bytes are repairable by NAV. Those files
which have been overwritten are not.
-----
Jerusalem (Pipi)
Jerusalem (Pipi) is another strain in the Jerusalem family of viruses.
It is a memory resident infector of COM and EXE files. For COM files, it
prepends itself into the file. In EXE files, it appends itself to the
file. The memory resident portion of the virus uses 2K of memory but
CHKDSK will not show any memory deficiency. Files are infected when
executed once the virus is in memory. Infected files grow by approximately
1550 (1552) bytes. Infected files will also have their file timestamps
altered to that of the time of infection.
The virus intercepts INT 21H and INT 1CH. INT 21H is the primary DOS
interrupt and is used by the virus to replicate. INT 1CH is the timer
tick interrupt and is used by the virus to determine when to display a
message on the screen.
This virus, like many of the memory resident types in the Jerusalem
family, has conflicts with the Novell network environment and may crash
such systems.
-----
Michelangelo 5/26
This virus is a third strain of the well known Michelangelo virus. It
has been slightly altered from the original Michelangelo virus. One of
the things that was altered was the activation date. This strain
activates on May 26th. Otherwise, it has all the same characteristics
as the other Michelangelo viruses.
-----
(Note: File size growth is given in approximate numbers. If a number is
enclosed in parentheses, that number would be the growth of one of the more
common variants. As it is too easy for a virus writer to alter this number
without changing the virus significantly, do not depend on the more precise
number. It is provided for your confidence should you encounter it, which
we hope never happens.)
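
An added example, not part of the original Symantec file: a baseline
integrity check that applies the growth figures given above for Vienna-629
and Jerusalem (Pipi), and also catches the Vienna-629 case where the first
5 bytes are overwritten with no size change. File names and file contents
are constructed filler data; the function names are hypothetical.

```python
import hashlib

# Growth figures quoted in this description file (approximate, per its note).
KNOWN_GROWTH = {
    "Vienna-629": (range(629, 630), (".COM",)),
    "Jerusalem (Pipi)": (range(1550, 1553), (".COM", ".EXE")),
}

def _sha(b: bytes) -> str:
    return hashlib.sha256(b).hexdigest()

def snapshot(data: bytes) -> dict:
    """Baseline record for one clean program file."""
    return {"size": len(data), "full": _sha(data), "tail": _sha(data[5:])}

def classify(name: str, base: dict, data: bytes) -> str:
    """Compare a file's current bytes with its clean baseline."""
    now = snapshot(data)
    if now["full"] == base["full"]:
        return "unchanged"
    growth = now["size"] - base["size"]
    ext = name.upper()[-4:]
    for virus, (sizes, exts) in KNOWN_GROWTH.items():
        if growth in sizes and ext in exts:
            return f"grew {growth} bytes, consistent with {virus}"
    if growth == 0 and now["tail"] == base["tail"]:
        # Only the first 5 bytes differ: the destructive Vienna-629 case,
        # which the text says NAV cannot repair.
        return "first 5 bytes overwritten, restore from backup"
    # Size is easy to alter, so any other change is still reported.
    return f"modified (size change {growth:+d}), investigate"

def audit(baseline: dict, current: dict) -> dict:
    """Classify every baselined file; files no longer present are reported."""
    return {n: classify(n, b, current[n]) if n in current else "missing"
            for n, b in baseline.items()}

# Constructed sample data: filler bytes only, no real program or virus code.
CLEAN = {"EDIT.COM": b"\xE9" + bytes(range(200)), "CALC.EXE": b"MZ" + bytes(300),
         "SORT.COM": bytes(range(100)), "MORE.COM": bytes(64)}
NOW = {"EDIT.COM": CLEAN["EDIT.COM"] + bytes(629),
       "CALC.EXE": CLEAN["CALC.EXE"] + bytes(1552),
       "SORT.COM": b"\xAA\xBB\xCC\xDD\xEE" + CLEAN["SORT.COM"][5:],
       "MORE.COM": CLEAN["MORE.COM"]}
BASELINE = {n: snapshot(d) for n, d in CLEAN.items()}

if __name__ == "__main__":
    for name, verdict in audit(BASELINE, NOW).items():
        print(f"{name:10} {verdict}")
```

The baseline must be taken from a system known to be clean, because a
memory resident virus can alter what a running system reports.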