zimmerma@lan.informatik.tu-muenchen.dbp.de (Kai Zimmermann) (10/04/89)
Hello,
Interferon detected the following resources in one program on my
harddisk one day after I copied some files from a floppy onto the harddisk:

Type  ID    Size
CODE  256   422
nVIR  1     428
nVIR  2     8
nVir  3     416
nVIR  6     66
nVIR  7     2106

I then removed these resources instantly. What surprises me is
the fact that the infected application was used after it was
infected. But it seems that the virus didn't spread because
neither Interferon nor I can find any nVir-resources on the disk.

My questions are:
1. Is this behavior common (e.g. is there a threshold (time, nr. of
program starts) that prevented the virus from spreading)?
2. Did the virus really not spread or did it just hide itself (maybe
in the normal code resources of other programs)?

Any help would be appreciated, Kai

=========================================================================
| Kai Zimmermann          zimmerma@lan.informatik.tu-muenchen.dbp.de    |
|                         ...!uunet!unido!tumult!zimmerma               |
=========================================================================

henry@chinet.chi.il.us (Henry C. Schmitt) (10/07/89)
In article <827@tuminfo1.lan.informatik.tu-muenchen.dbp.de> zimmerma@lan.informatik.tu-muenchen.dbp.de (Kai Zimmermann) writes:
>Hello,
>Interferon detected the following resources in one program on my
>harddisk one day after I copied some files from a floppy onto the harddisk:
>Type ID Size
>CODE 256 422
>nVIR 1 428
>nVIR 2 8
>nVir 3 416
>nVIR 6 66
>nVIR 7 2106

These numbers indicate you have nVIR strain B.

>I then removed these resources instantly. What surprises me is
>the fact that the infected application was used after it was
>infected. But it seems that the virus didn't spread because
>neither Interferon nor I can find any nVir-resources on the disk.

Look for the following in your System file:

Type  ID    Size B
----  ----  ------
INIT  32    416
nVIR  0     2
nVIR  1     428
nVIR  4     422
nVIR  5     8
nVIR  6     66
nVIR  7     2106

>My questions are:
>1. Is this behavior common (e.g. is there a threshold (time, nr. of
>program starts) that prevented the virus from spreading)?
>2. Did the virus really not spread or did it just hide itself (maybe
>in the normal code resources of other programs)?
>

Good questions, to the best of my knowledge nVIR spreads to the System
as soon as the first infected application is run, then after reboot
spreads to any application run. Were you using any sort of virus
blocking INIT (e.g. Vaccine, GateKeeper)?

>Any help would be appreciated, Kai
>
>=========================================================================
>| Kai Zimmermann zimmerma@lan.informatik.tu-muenchen.dbp.de |
>| ...!uunet!unido!tumult!zimmerma |
>=========================================================================

My best advice is to pick up a copy of Disinfectant (available many
places) which is a free virus detector/remover written by John Norstad
of Northwestern University here in Chicago.

Henry C. Schmitt
Author of Virus Encyclopedia
Latest Version dated 6/9/89
Watch for an update, coming soon!
--
  H3nry C. Schmitt     | CompuServe: 72275,1456 (Rarely)
                       | GEnie: H.Schmitt (Occasionally)
 Royal Inn of Yoruba   | UUCP: Henry@chinet.chi.il.us (Best Bet)

siegel@endor.harvard.edu (Rich Siegel) (10/08/89)
In article <827@tuminfo1.lan.informatik.tu-muenchen.dbp.de> zimmerma@lan.informatik.tu-muenchen.dbp.de (Kai Zimmermann) writes:
>I then removed these resources instantly. What surprises me is
>the fact that the infected application was used after it was
>infected. But it seems that the virus didn't spread because
>neither Interferon nor I can find any nVir-resources on the disk.
>My questions are:
>1. Is this behavior common (e.g. is there a threshold (time, nr. of
>program starts) that prevented the virus from spreading)?
>2. Did the virus really not spread or did it just hide itself (maybe
>in the normal code resources of other programs)?

It turns out that programs written using THINK C are incapable of
*spreading* nVIR (and possibly others). They can be infected, but
they don't seem to pass the infection along to other programs.

R.

~~~~~~~~~~~~~~~
Rich Siegel
Staff Software Developer
Symantec Corporation, Language Products Group
Internet: siegel@endor.harvard.edu
UUCP: ..harvard!endor!siegel

"There is no personal problem which cannot be solved by sufficient
application of high explosives."
~~~~~~~~~~~~~~~

ralph@cbnewsj.ATT.COM (Ralph Brandi) (10/10/89)
In article <2795@husc6.harvard.edu> siegel@endor.UUCP (Rich Siegel) writes:
> It turns out that programs written using THINK C are incapable
>of *spreading* nVIR (and possibly others). They can be infected, but
>they don't seem to pass the infection along to other programs.

Is this a bug, or a feature? :-) :-)
--
Ralph Brandi ralph@lzfme.att.com att!lzfme!ralph

Work flows toward the competent until they are submerged.