AZX@NIHCU.BITNET (10/11/90)
There may be no need for yet another translation of the German text, but I offer this as possibly the easiest for Americans to understand. It was written by a group of computer-literate graduate students here at the National Institutes of Health and then edited by myself.

Help against camouflage virus:

The infamous 4096 virus, alias Frodo, which loads itself into main memory and makes itself invisible to most currently-used utilities (see the German publication: Computerwoche of 8/10/90, p. 10), has an Achilles' heel: precisely its own invisibility. Copying an infected program may, if done correctly, lead to a virus-free program.

To accomplish this, the virus must be resident in main memory. Choose a name for the destination file that does not have an executable file suffix; that is, avoid .COM, .EXE, .OVL, and .SYS extensions. When the copy is made, the virus will actually delete its own virus code from the copied file in its usual attempt to hide itself. The destination file will therefore consist of the original program file before infection.

The best way to make the copy is by using a compression program like PKARC. It is still unclear if the same method will work with DOS's COPY or XCOPY programs. Once the copy is made, the infected programs have to be deleted, the system must be rebooted from a guaranteed 'clean' disk, and the copied files need to be decompressed (or renamed) back to their original file names.

Virus experts caution against the approach outlined above: this method is more tricky than it appears. It is recommended only to those experienced computer users who understand their machines at the machine code level. The preferred method is to use a professionally-written antivirus program designed to handle this virus, like those of Solomon (Findviru), McAfee (Scan), or Skulason (F-Fehler). EPG International's Turbo Anti Virus is also supposed to be able to remove this virus.

Two additional tips:

1. Signature programs and virus scanners should only be started from a guaranteed clean disk, and only after the PC has been booted from a clean disk.

2. When the virus becomes active it does not print the message 'Frodo lives' owing to a programming error in the virus. Instead, the computer will just crash.

-------------------------------------------------------------------------
Andrew Mitz        || Animal research saves lives.
NIH Animal Center  ||
AZX@NIHCU          ||
-------------------------------------------------------------------------
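An added illustration of why the procedure above works, not part of the original post: a toy Python model in which the resident virus is a filter sitting between programs and the disk. The class names, the inert VIRUS_BODY placeholder, and the rule that files written under an executable name are infected again are assumptions made for this example; no real virus code is involved.

```python
# Toy model (constructed for illustration): a "disk" is a dict of name -> bytes,
# and the resident virus is a filter between programs and that disk.
EXEC_EXTS = (".COM", ".EXE", ".OVL", ".SYS")  # suffixes the article says to avoid
VIRUS_BODY = b"<VIRUS-PLACEHOLDER>"           # inert stand-in, not real virus code

def is_executable_name(name):
    """True if the file name carries one of the executable suffixes."""
    return name.upper().endswith(EXEC_EXTS)

class CleanDos:
    """File access after booting from a clean disk: bytes pass through untouched."""
    def __init__(self, disk):
        self.disk = disk
    def read(self, name):
        return self.disk[name]
    def write(self, name, data):
        self.disk[name] = data

class StealthResidentDos(CleanDos):
    """File access while the stealth virus is resident (assumed behaviour)."""
    def read(self, name):
        data = self.disk[name]
        # Stealth: hide the appended body from whatever program is reading.
        if data.endswith(VIRUS_BODY):
            return data[:-len(VIRUS_BODY)]
        return data
    def write(self, name, data):
        # Assumption: files written under an executable name are infected again.
        if is_executable_name(name) and not data.endswith(VIRUS_BODY):
            data += VIRUS_BODY
        self.disk[name] = data

def copy_file(dos, src, dst):
    """What a copy or archive utility does: read through DOS, write through DOS."""
    dos.write(dst, dos.read(src))

def recover(disk, infected_name, temp_name):
    """The article's procedure: copy while resident, delete, clean boot, rename."""
    copy_file(StealthResidentDos(disk), infected_name, temp_name)
    del disk[infected_name]                 # delete the infected program
    clean = CleanDos(disk)                  # models the reboot from a clean disk
    clean.write(infected_name, clean.read(temp_name))
    del disk[temp_name]
    return disk[infected_name]
```

In this model a copy made to an executable name while the virus is resident looks clean when read back through the virus but is infected on disk, which is why the destination suffix and the clean reboot both matter.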