DAVID@BGUVM.BITNET (David de Leeuw) (07/26/90)
Michael Greve <GREVE@wharton.upenn.edu> writes:

>Subject: We've been hit!!! Help! (4096 VIRUS) (PC)
>
> This afternoon we discovered that two of the machines in our lab have
> the 4096 virus on them. One of the people in our office was installing
> new software on the hard drives of the lab machines. The machines are
> protected with disk manager. The install was going fine until she
> reached one certain machine. When she tried booting off her disk
> manager disk, it started the booting process then wouldn't read the
> disk. When she tried booting without the bootdisk it came back with
> "Insert system disk into drive and press any key to continue". The
> machine will no longer work. This happened with two machines. When
> she tried to check her disk on a machine in the consulting office
> it ruined that one. At that point I ran SCANV62 on the disks she
> had been using that day and sure enough every executable file has
> 4096 on it. We think that since the disk she was using was just created
> on a clean machine (we assume) that she picked it up on a lab machine.
> Either way we now have three machines that no longer boot up.
>
> I've created a fresh, clean boot disk and tried booting up with it.
> All three get to the A prompt but only one will recognize the C: drive.
> On that one, every .exe or .com file was infected.
> Does anybody have any info on what we can do? How can we get these
> machines working again and how can we get rid of this virus? What's
> the best way to handle this? Can anybody give me any info on this
> virus? Does it normally cause the machine to no longer boot? Any
> help would be greatly appreciated. How come diskmanager didn't
> stop this virus? I don't know disk manager that well!
> Thank you for any assistance.
>
>Michael Greve
>University of Pa.
>The Wharton School
>greve@wharton.upenn.edu

Dear Michael,

Here are answers based on my struggles with 4096.

1. Disk Manager will do nothing to protect against viruses. DM is a disk initializer, partitioner etc. but is not a watchdog for any attacks.

2. The boot sector does get attacked by 4096. (John McAfee's Virlist says it does not.)

3. All executables and COMs get infected; my suspicion is that a file checker which is infected spreads the virus to all files, even those not run.

4. Backing up after you noticed the virus to reformat the disk is useless because the restore brings the virus back.

5. We used two antiviruses. Ran them a number of times. TNTVIRUS got stuck on one of the computers because of a weird hidden directory and could not get to the subdirectories. Unvirus ran alright. TNTVIRUS is a very smart program. Both protect against a wide range of viruses including this 4096 (1000 Years, Frodo, IDF etc.)

   TNTVIRUS: (For U.S.A.) PepCo, New Jersey, phone 201-9455751, fax 201-9459029
   [yesterday's newspaper here states that the City of New York decided to use this program for its 1400 PCs after testing 14 anti-virus checkers]

   UNVIRUS 10: PF1, 114 Derech P.Tikva, Tel Aviv, Israel, phone 972-3-5617175, 972-3-5622930
   (Unvirus 9 was freeware, not completely effective against 4096..)

   These antiviruses cleaned up the files from antiviruses without causing any damage to executables.

6. Restoring the boot sector: Prepare a DOS diskette from an absolutely clean computer and copy SYS.COM to it. WRITE-PROTECT it! (take care that the DOS version is compatible with the DOS on the hard disk) Boot from A: and run SYS C:. Now immediately run antiviruses from diskette again on the hard disk. Also copy COMMAND.COM from the diskette to C: to make sure. The SYS program did not work at first in a few cases. Running SYS and antiviruses a few times we got it to work.

7. It is very likely the disk will be reinfested a number of times. Likely most diskettes around will be infected too and so bring back the virus. Another source might be the ZIP, ARC, LZH etc. compressed files with executables in them. Most antiviruses won't see those programs. Apparently some can be run from SHEZ to check archives as well. [On the other hand: storing infrequently used executables in an archive will protect them against future attacks!]

8. Protecting against attack. We installed the BOOTCHEK program. (Shareware in the US, Freeware abroad) available from SIMTEL20 and TRICKLE. This will prevent any changes in the boot at startup of the computer. It also checks itself and, as the first program run (after COMMAND.COM), will warn you immediately if the virus struck again. BOOTCHEK is not a resident program, does not take memory and does the job very well.

9. Be very careful not to spread the virus further. Check all the diskettes with UNVIRUS and/or TNTVIRUS (or other antiviruses). Our computers which are fairly public (a number of users) got attacked repeatedly. My home computer stayed clean all the way.

Success,

David de Leeuw
Ben Gurion University of the Negev
Beer Sheva, Israel
[and lots of disclaimers apply ...]
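The approach behind items 3, 6 and 8 above, an offline integrity baseline of the boot sector and every .exe/.com that is re-checked after a cold boot from a write-protected diskette, as an added example written for this post (not BOOTCHEK's or any poster's code). It assumes the boot sector has been dumped to a file named bootsect.bin next to the executables, since a script cannot read a raw drive here; the sample disk in demo() is constructed.

```python
import hashlib, json, tempfile
from pathlib import Path

WATCHED = {".exe", ".com"}
BOOT_IMAGE = "bootsect.bin"  # assumed name of a boot-sector dump saved beside the files


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(root: Path) -> dict:
    """Hash and size of every .exe/.com under root, plus the boot-sector image."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and (p.suffix.lower() in WATCHED or p.name == BOOT_IMAGE):
            out[p.relative_to(root).as_posix()] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return out


def save_baseline(root: Path, baseline: Path) -> None:
    # Keep the baseline on a write-protected diskette, never on the disk being checked.
    baseline.write_text(json.dumps(collect(root), indent=1))


def verify(root: Path, baseline: Path) -> dict:
    """Diff the disk against the baseline; 'changed' maps each path to its size delta in bytes."""
    old, now = json.loads(baseline.read_text()), collect(root)
    return {
        "changed": {k: now[k]["size"] - old[k]["size"]
                    for k in old if k in now and now[k]["sha256"] != old[k]["sha256"]},
        "new": sorted(k for k in now if k not in old),
        "missing": sorted(k for k in old if k not in now),
    }


def demo() -> dict:
    root = Path(tempfile.mkdtemp())  # constructed sample disk: two executables and a boot image
    (root / BOOT_IMAGE).write_bytes(b"\xeb\x3c\x90CONSTRUCTED BOOT".ljust(512, b"\0"))
    (root / "COMMAND.COM").write_bytes(b"constructed command.com image")
    (root / "SCAN.EXE").write_bytes(b"MZ constructed scanner image")
    baseline = root / "baseline.json"
    save_baseline(root, baseline)
    # What the next check sees: one file grew by 4096 bytes (the length the virus is
    # named for), the boot image was rewritten, and an unknown program appeared.
    with (root / "COMMAND.COM").open("ab") as f:
        f.write(b"\0" * 4096)
    (root / BOOT_IMAGE).write_bytes(b"\xeb\x3c\x90REWRITTEN BOOT".ljust(512, b"\0"))
    (root / "NEW.COM").write_bytes(b"constructed newcomer")
    return verify(root, baseline)
```

A checker like this only means something when the machine was cold-booted from a known-clean, write-protected diskette first; run from an infected system it would itself open every executable, which is exactly how item 3 says the infection spreads.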
CHESS@YKTVMV.BITNET (David.M.Chess) (07/28/90)
David de Leeuw <DAVID@BGUVM.BITNET>:

> 2. The boot-sector does get attacked by 4096.

Interesting! What have you seen the 4096 do to the boot sector? The only boot-sector effect that I know of so far is that some of the broken/garbled/not_working code seems to be designed to write the "Frodo Lives!" display program to (some) boot sector. But I've never seen a 4096 sample in which enough of that code was intact to even figure out just what it was supposed to do. Any more information you have would be very nice!

> 3. All executables and coms get infected, my suspicion is that a file checker
> which is infected spreads the virus to all files, even those not run.

Yep; if the virus is active in memory, executables get infected when they are opened/closed. Since virus checkers open/close just about all executables, running a checker that does not scan memory for 4096-like viruses before scanning files can cause the infection to spread in a hurry. It's best to scan only after cold booting from a known-clean floppy (so you know the virus isn't in memory), with a known-clean scanner. That's not always feasible, of course...

DC
IBM T. J. Watson Research Center