zlsiial@cs.man.ac.uk (05/09/91)
Some utility on my PC (running MS DOS 3.3) has been creating several hundred hidden files. All had a filename of an existing COM or EXE file, but with the corresponding extension ._OM or ._XE, and all were 77 bytes long. The files are all deleted -- sorry not to have saved a copy -- and no available virus scanning utility reports any odd files anywhere. Has anyone seen this elsewhere?

A. V. Le Blanc
Manchester Computing Centre
University of Manchester
ZLSIIAL@uk.ac.mcc.cms
EATER@MICF.NIST.GOV (Chuck Eater) (05/11/91)
> Some utility on my PC (running MS DOS 3.3) has been creating several
> hundred hidden files. All had a filename of an existing COM or EXE
> file, but with the corresponding extension ._OM or ._XE, and all were
> 77 bytes long. The files are all deleted -- sorry not to have saved a
> copy -- and no available virus scanning utility reports any odd files
> anywhere. Has anyone seen this elsewhere?

These files sound like the checksum files created by the auto-inoculate feature of the Norton Antivirus package. They are 77 bytes in length and are created with the system and hidden file attributes.

--chuck
------------------------------------------------------------------------
Charles L. Eater, National Institute of Standards & Technology (NIST)
Snail : Administration A738, Gaithersburg, MD 20899
Email : eater@nbsmicf eater@micf.nist.gov (129.6.16.4)
Phone : (301) 975-4065
------------------------------------------------------------------------
In-Reply-To: note of 05/10/91 12:36
p1@arkham.wimsey.bc.ca (Rob Slade) (05/11/91)
zlsiial@cs.man.ac.uk writes:
> Some utility on my PC (running MS DOS 3.3) has been creating several
> hundred hidden files. All had a filename of an existing COM or EXE

If it was hidden .COM files for each .EXE, then it would indicate the new type of viral programs which Patricia Hoffman refers to as "spawning". However, since the hidden files do not have executable filenames, it might be similar to the Norton Antivirus change detection scheme. NAV does not store all the checksum information for "inoculated" files in one file, but in one hidden file for each inoculated program. The checksum files have filenames related to the program files, but one character in the extension is altered.

Sorry not to have more details, but I can't find the specifics in the manual. (Thinks: what are READ.ME files for? Sure enough.) Yes, in the READ.ME file, you will find (at about line 125) a description of the checksum files it creates. For .COM it is ._OM, for .EXE, ._XE, for .SYS, ._YS etc.

=============
Vancouver      p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for  Robert_Slade@mtsg.sfu.ca | computer, don't
Research into  (SUZY) INtegrity         | turn it on."
User           Canada V7K 2G6           | Richards' 2nd Law
Security                                | of Data Security
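The naming scheme described in the replies above (.COM to ._OM, .EXE to ._XE, .SYS to ._YS, each file 77 bytes), as an added example that is not part of any poster's message: it pairs each checksum-style file in a directory listing with its program and flags the ones that do not fit. The function names and the sample listing are constructed for illustration, and the hidden/system attributes are not checked because the listing carries only names and sizes.

```python
# Added example (not from the thread): triage a directory listing for the
# per-program checksum files the replies describe. Names are hypothetical.
SIDECAR_SIZE = 77  # size reported in the thread

def sidecar_name(program):
    """FOO.COM -> FOO._OM: first extension character replaced by '_'."""
    stem, dot, ext = program.upper().rpartition(".")
    if not dot or not ext:
        return None  # no extension, so no sidecar name under this scheme
    return f"{stem}._{ext[1:]}"

def triage(listing):
    """listing: iterable of (filename, size_in_bytes).
    Returns {sidecar_candidate: verdict} for every '._xx' file."""
    sizes = {name.upper(): size for name, size in listing}
    owners = {}  # expected sidecar name -> program files that map to it
    for name in sizes:
        ext = name.rpartition(".")[2]
        expected = sidecar_name(name)
        if expected and not ext.startswith("_"):
            owners.setdefault(expected, []).append(name)
    verdicts = {}
    for name, size in sizes.items():
        stem, dot, ext = name.rpartition(".")
        if not dot or not ext.startswith("_"):
            continue  # not a checksum-style filename
        matched = sorted(owners.get(name, []))
        if not matched:
            verdicts[name] = "orphan: no matching program file"
        elif size != SIDECAR_SIZE:
            verdicts[name] = f"size {size}, expected {SIDECAR_SIZE}"
        else:
            verdicts[name] = "matches " + ", ".join(matched)
    return verdicts

# Constructed sample listing (names and sizes invented for illustration).
SAMPLE = [
    ("COMMAND.COM", 25307), ("COMMAND._OM", 77),
    ("FORMAT.EXE", 11616), ("FORMAT._XE", 77),
    ("OLD._XE", 77),          # program removed, checksum file left behind
    ("CHKDSK.COM", 9850), ("CHKDSK._OM", 120),  # wrong length
    ("README.TXT", 500),
]

if __name__ == "__main__":
    for name, verdict in sorted(triage(SAMPLE).items()):
        print(f"{name:12} {verdict}")
```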
f18@clark.edu (Torry V Schreiner) (05/12/91)
zlsiial@cs.man.ac.uk writes:
>Some utility on my PC (running MS DOS 3.3) has been creating several
>hundred hidden files. All had a filename of an existing COM or EXE
>file, but with the corresponding extension ._OM or ._XE, and all were
>77 bytes long. The files are all deleted -- sorry not to have saved a
>copy -- and no available virus scanning utility reports any odd files
>anywhere. Has anyone seen this elsewhere?

Norton's AntiVirus made all of those files. They were checksums (or something like that) of those .EXE and .COM files. If you look there should be ._VL files too. You just killed Norton's protection scheme. Hope you aren't still using that.
n054gi@tamuts.tamu.edu (Apurva Shah) (05/13/91)
It is very likely that the files that were created having the _xe and _om extensions contained the headers of the respective EXE and COM files. These files are then used by some virus detection program to look for changes in the header of the original files. The assumption of course being that the infecting virus would have to change the header of the original file. To sum up these files are absolutely harmless! and erasing them also is no cause for concern.

Since this is the first time I am posting in this news group, let me introduce myself. My name is Apurva Shah and I am a student from India. At present I am doing my Masters in Computer Science at the Texas A&M University. I have been working with PC based viruses for about two years. I was heading the anti-virus cell for V.M.C.I., which is a computer class in Bombay and have also authored the first public domain Indian anti-virus software called the NASSCOM Vaccine set.

The NASSCOM vaccine set is a bunch of generic vaccines and anti-virus programs. I have a copy of the set with me, but would like to know how I may put it up on some interested bulletin board so that others may use this software. Any help in this direction would be appreciated.

Regards
Apurva Shah