rtravsky@CORRAL.UWyo.Edu (Richard W Travsky) (02/01/91)
This Wednesday I visited our Law school to check on a problem with the pong virus in their computer lab (three machines, not a big lab). Each machine had a 5.25" drive and a 20 meg hard disk. I scanned the machines, booting off a tabbed write-protected floppy in the A: drive. I ran McAfee's Scan (version 4.5V6-B), said everything was ok. Out of curiosity, I also ran F-FCHK and F-BOOT from the F-PROT package (version 1.13).

A funny thing happened: when F-FCHK came across the file INSTALL.EXE from the PCPANEL package (something to do with redirecting printer output) I got an error message saying it couldn't write to the A: drive (the familiar "abort, retry, fail"). I ran it again, same result. I ran it on another machine, same result when it came across that file. This is a bit weird. Didn't happen using Scan. Why should scanning a file provoke a write attempt?

I realize these are not the latest versions of the packages, but I feel that to be irrelevant. Anyone have any ideas?

+-----------------+ Richard Travsky
|                 | Division of Information Technology
|                 | University of Wyoming
|                 | Bitnet: RTRAVSKY @ UWYO
|                 | Internet: RTRAVSKY @ CORRAL.UWYO.EDU
|      U W        | (307) 766 - 3663 / 3668
|       *         | "Wyoming is the capital of Denver." - a tourist
+-----------------+ "One of those square states." - another tourist
Home state of Dick Cheney, Secretary of Defense of these here UNITED STATES!
frisk@rhi.hi.is (Fridrik Skulason) (02/01/91)
> ...when F-FCHK came across the file INSTALL.EXE from the PCPANEL package
> (something to do with redirecting printer output) I got an error message
> saying it couldn't write to the A: drive

The reason is that INSTALL.EXE is packed, using the LZEXE program. If it had been infected before it was packed, normal scanning would not find the virus. I added the ability to scan LZEXE-packed files to F-PROT, but the routine for scanning LZEXE-packed files has two problems - it is a bit slow, as it is written in C - I have not had the time to rewrite it in assembly language. The other problem, which is the cause of the above difficulties, is that F-FCHK will write a temporary file to the current drive. If the current drive is A: and the floppy disk is write-protected, this error may occur.

I am planning to rewrite this in version 2.0 - doing the unpacking in memory.

-frisk
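The two points frisk makes (a signature hidden inside a packed executable is invisible to a plain byte scan, and unpacking in memory avoids writing a temporary file to the current drive) can be modelled in a few lines. This is an added illustration, not F-PROT code: zlib stands in for the LZEXE decompressor, and the container layout (MZ magic, a constructed "TOYPACK" marker, then the compressed image) and the signature bytes are invented here.

```python
"""Toy model of scanning a packed executable for a virus signature.
Constructed example; zlib replaces the real LZEXE decompressor and the
packed-file layout is invented, so this only shows the principle."""
import zlib

MZ_MAGIC = b"MZ"
PACK_MARKER = b"TOYPACK"  # constructed stand-in for LZEXE's header marker

# Constructed signatures: byte patterns a scanner looks for in clean code.
SIGNATURES = {
    "demo-virus-A": b"\xeb\x1f\x90VIRUS-A-DEMO",
}


def pack(plain: bytes) -> bytes:
    """Constructed packer: MZ magic, marker, then the compressed image."""
    return MZ_MAGIC + PACK_MARKER + zlib.compress(plain)


def is_packed(image: bytes) -> bool:
    """Detect our toy packer by its header marker."""
    return image.startswith(MZ_MAGIC + PACK_MARKER)


def unpack_in_memory(image: bytes) -> bytes:
    """Unpack entirely in RAM: nothing is written to any drive, so a
    write-protected A: (or read-only media of any kind) cannot cause an
    "abort, retry, fail" during a scan."""
    return zlib.decompress(image[len(MZ_MAGIC) + len(PACK_MARKER):])


def scan_bytes(image: bytes) -> list:
    """Plain signature scan over a byte image."""
    return [name for name, sig in SIGNATURES.items() if sig in image]


def scan_file(image: bytes) -> dict:
    """Scan the raw bytes; if the file is packed, also scan the unpacked
    image. The raw scan misses anything compressed by the packer."""
    result = {"raw": scan_bytes(image), "unpacked": []}
    if is_packed(image):
        result["unpacked"] = scan_bytes(unpack_in_memory(image))
    return result


# Constructed program image that was "infected before it was packed".
INFECTED_PLAIN = (b"MZ" + b"\x00" * 64 + b"program code "
                  + SIGNATURES["demo-virus-A"] + b" more code")
PACKED_INFECTED = pack(INFECTED_PLAIN)

if __name__ == "__main__":
    print("unpacked file:", scan_file(INFECTED_PLAIN))
    print("packed file:  ", scan_file(PACKED_INFECTED))
```

Running it shows the raw scan of the packed image finds nothing while the in-memory unpack reveals the signature, which is exactly why a scanner that ignores packers gives a false clean result.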