padgett%tccslr.dnet@mmc.com (Padgett Peterson) (05/21/91)
It is possible that there is a bug in some of the 7x versions (inc. 77) of the McAfee SCAN utility that may cause it to miss some infected overlays. A JERUSALEM infection was encountered in which the .EXE was properly diagnosed but an infected .OVL was missed despite being checked as part of the default. Use of the /A swich resulted in the infected .OVL being detected. Since the .EXE will always be infected also, there is no real danger, however, if an infection occurs that may also infect .OVL files (see the VIRLIST.TXT file iside the SCANxx.ZIP file), a rescan using the /A switch following a CLEAN activity is recommended. I do not know if this is particular to the Jerusalem-related viruses or if others are affected also. We have reported this to McAfee associates and a fix or explination should be forthcoming. Incidently, the infection appears to be the original sUMsDos version. Warmly, Padgett
mcafee@netcom.com (Aryeh Goretsky) (05/22/91)
padgett%tccslr.dnet@mmc.com (Padgett Peterson) writes: >A JERUSALEM infection was encountered in which the .EXE was properly >diagnosed but an infected .OVL was missed despite being checked as >part of the default. Use of the /A swich resulted in the infected .OVL >being detected. Since the .EXE will always be infected also, there is >no real danger, however, if an infection occurs that may also infect >.OVL files (see the VIRLIST.TXT file iside the SCANxx.ZIP file), a >rescan using the /A switch following a CLEAN activity is recommended. This has been verified and will be fixed in the next release of VIRUSCAN. Since the Jerusalem (and sundry variants) infects overlays in addition to .COM and .EXE files, it's always a good idea to run SCAN (and CLEAN) with the /A option, or use the /E option and list the extensions you would like to add. > I do not know if this is particular to the Jerusalem-related >viruses or if others are affected also. It's particular to the Jerusalem-related virus string. > We have reported this to McAfee associates and a fix or >explination should be forthcoming. Incidently, the infection appears >to be the original sUMsDos version. The next release (incorporating the fix) is scheduled for mid-June but will probably be released earlier because of this. Aryeh Goretsky McAfee Associates Technical Support "Just 10 minutes from Great America" - -- McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com 4423 Cheeney Street | FAX (408) 970-9727 | (Aryeh Goretsky) Santa Clara, California | BBS (408) 988-4004 | 95054-0253 USA | v.32 (408) 988-5190 | mrs@netcom.com ViruScan/CleanUp/VShield | HST (408) 988-5138 | (Morgan Schweers)
padgett%tccslr.dnet@mmc.com (Padgett Peterson) (05/23/91)
>From: mcafee@netcom.com (Aryeh Goretsky) > Since the Jerusalem (and sundry variants) infects overlays >in addition to .COM and .EXE files, it's always a good idea to run >SCAN (and CLEAN) with the /A option, or use the /E option and list the >extensions you would like to add. Have done some more checking & v74B-earlier operate correctly, 75, 77 (& I assume 76) are the ones that need the /A switch, something shared with CLEAN and NETSCAN. BTW, I tried using /E OVL and it still did not pick it up, only the /A (or, I would assume, an /EXT) seem reliable. What I tell people is when an infection is confirmed (the parent .EXEs are picked up just fine) or no other explination is reached, always use the /A switch & take a coffee break. Warmly, Padgett