csg020@cck.coventry.ac.uk (***CURTIS***) (03/13/91)
Hello all.

I have a little problem with my 386 PC. A few days ago I had the Jerusalem B virus on my machine (it's going ripe round here). I got rid of it but somehow it kept coming back.... (I know about the memory resident thingies etc etc) In the end I got rid of it.

Yesterday, I ran my virus checker from hard disk. It came up with the warning "Virus checker Infected. Do not use". So I ran the write-protected version I had on floppy. No viruses found.

Next I copied the virus checker from floppy to HD and ran it. It, again, said it had been infected. On further investigation I found that whatever I had was appending itself onto the end of the file, around 10-15K worth. However, the virus only appends to a file once.

Has anyone out there got a good virus killer (shareware of course!) that they could arc and mail me?? Or any suggestions as to what to do (I don't particularly want to HDWIPE the hard disk as I have only just recovered from doing the last one!) I do not think the boot sector is infected, which was my first thought.

Cheers for any help,

--
Flesh : ***CURTIS***      E-mail : csg020%uk.ac.cov.cck@uk.ac.earn-relay
Voice : (0203) 599500     Quote  : What a great day, watch some bastard spoil it!

frisk@rhi.hi.is (Fridrik Skulason) (03/27/91)
csg020@cck.coventry.ac.uk (***CURTIS***) writes:
>Hello all.
>
> I have a little problem with my 386 PC. A few days ago I had the Jerusalem B virus on my machine (it's going ripe round here). I got rid of it but somehow it kept coming back.... (I know about the memory resident thingies etc etc) In the end I got rid of it.

Hm...maybe I should have replied directly by mail, but there are a few points which might be of interest to other readers of the newsgroup, so...

You do not say which scanner you used, but at least I know it is not my own, as it will display a different message when infected. :-)

The reason it "kept coming back.." might be that some program with an extension other than .COM or .EXE was infected, and the scanner only scanned "normal" executable files, not overlay files, for example. Another possibility is that you have an infected file which has been compressed (PKLITE or LZEXE) after being infected, as most scanners will not be able to detect viruses in compressed files. When something like this happens, it is generally advisable to scan all files, just to make sure.

>Yesterday, I ran my virus checker from hard disk. It came up with the warning "Virus checker Infected. Do not use"

Three possibilities here -

  A: The file had been infected and disinfected, but the disinfection might leave 1-15 extra bytes at the end.
  B: The virus had damaged the file when infecting it - which happens in <5% of Jerusalem infections - Disinfection may not be able to detect the damage in all cases.
  C: The file is just normally infected.

>So I ran the write-protected version I had on floppy, No viruses found.

This might indicate a hidden virus (overlay, or packed as I mentioned), and just a damaged scanner.

>Next I copied the virus checker from floppy to HD and ran it.

This clearly indicates you have an active virus in memory at that point - and an infected scanner.
As the scanner did not detect any virus, there are two possibilities:

  A: A new virus - or a lousy scanner :-)
  B: A "stealth" virus, which the scanner will not find in the files, unless you boot from a "clean" system diskette before scanning.

However - it is very unlikely this is a "stealth" virus, as the virus scanner would then probably not have been able to detect any changes to itself.

>It, again, said it had been infected. On further investigation I found that whatever I had was appending itself onto the end of the file, around 10-15K worth. However, the virus only appends to a file once.

If you see the file increase happen, you don't have a "stealth" virus, but this is a bit strange as 10-15K in one chunk does not indicate a Jerusalem is involved - actually there are very few viruses in that range, and I suspect a new one - the 40th this month :-(

I would strongly suggest sending a sample to the anti-virus people active on comp.virus.

>Has anyone out there got a good virus killer (shareware of course!) that they could arc and mail me??

Well, I have one - I wrote it :-) but I am not sure what is causing your problems - if it is a new virus, my scanner will not be of much help, until I have updated it. If your scanner is just unable to detect the virus, you might try a different scanner, but "10-15K" might indicate a new virus.

-frisk

Fridrik Skulason      University of Iceland  |
Technical Editor of the Virus Bulletin (UK)  |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801  |
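
The checks discussed in this thread (a scanner copy that grows once it is on the hard disk, a few stray bytes left behind by disinfection, and infected files with extensions other than .COM or .EXE), as an added example that is not part of either post: Python code that compares every file on a suspect tree with a known-clean copy, such as the write-protected floppy, and reports size growth. The function names, verdict labels and sample files are assumptions constructed for illustration.

```python
import os
import tempfile

RESIDUE_MAX = 15  # per the reply above: disinfection may leave 1-15 extra bytes

def classify(clean: bytes, suspect: bytes):
    """Return (verdict, growth_in_bytes) for a suspect file vs. its clean copy."""
    growth = len(suspect) - len(clean)
    if suspect == clean:
        return "identical", 0
    if suspect.startswith(clean) and growth <= RESIDUE_MAX:
        return "trailing-residue", growth   # original intact plus a few stray bytes
    if growth > 0:
        return "grown", growth              # something was added to the file
    return "altered", growth                # same size or smaller, contents differ

def compare_trees(clean_root, suspect_root):
    """Check every clean file, whatever its extension, against the suspect tree."""
    report = {}
    for dirpath, _dirs, files in os.walk(clean_root):
        for name in files:
            clean_path = os.path.join(dirpath, name)
            rel = os.path.relpath(clean_path, clean_root)
            suspect_path = os.path.join(suspect_root, rel)
            if not os.path.isfile(suspect_path):
                report[rel] = ("missing", 0)
                continue
            with open(clean_path, "rb") as c, open(suspect_path, "rb") as s:
                report[rel] = classify(c.read(), s.read())
    return report

def demo():
    """Constructed sample data only: filler bytes, no real programs or virus code."""
    base = b"MZ" + bytes(range(256)) * 4
    samples = {                      # name: (clean copy, suspect copy)
        "SCAN.EXE":   (base, base + b"\x00" * 12000),
        "TOOL.COM":   (base, base + b"\x00" * 7),
        "EDITOR.OVL": (base, b"XX" + base[2:] + b"\x00" * 1800),
        "README.TXT": (b"hello\r\n", b"hello\r\n")}
    with tempfile.TemporaryDirectory() as tmp:
        for side in (0, 1):
            os.mkdir(os.path.join(tmp, str(side)))
            for name, pair in samples.items():
                with open(os.path.join(tmp, str(side), name), "wb") as f:
                    f.write(pair[side])
        return compare_trees(os.path.join(tmp, "0"), os.path.join(tmp, "1"))

if __name__ == "__main__":
    for name, (verdict, growth) in sorted(demo().items()):
        print(f"{name:12} {verdict:16} {growth:+d}")
```

As the reply points out, a comparison like this is only trustworthy when it is run after booting from a clean system diskette, since a memory-resident or "stealth" virus can interfere with what the check sees.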