Alan_J_Roberts@SUN.COM (10/22/89)
A number of disturbing reports about scanning systems infected with the Dark Avenger virus have just been substantiated by Kevin Harrington at U.C. Davis and Morgan Schweers in Glen Cove N.Y. It seems that the virus infects any and every executable file that is opened for read or write. Thus, if a system is scanned by VIRUSCAN or IBM's VIRSCAN, the virus begins an uncontrollable infection of the system, resulting in corruption of virtually everything in the system. This turns what might have been a modest disinfection task into a total nightmare.

VIRUSCAN version 45 has corrected this problem by checking for the active virus in memory before attempting to do a system scan. Dave Chess and Art Gilbert at IBM have been made aware of the problem (according to John McAfee) and a fix for their VIRSCAN program should be forthcoming.

If you are using either of these products please get the fixed version before scanning any system suspected of harboring this virus. If you are unable to do this, then scan only a floppy diskette first. This will risk only the files on your floppy. If you have a "clean" system master, then of course re-boot first to start from a clean system. The problem most infected installations have, however, is finding a guaranteed clean system disk, so proceed cautiously. The safest thing, again, is to use the updated versions of these programs.

Alan Roberts
Alan_J_Roberts@Sun.COM (10/22/89)
ViruScan (version 43 and below) and Virscan (IBM's scanning program) SHOULD NOT BE USED if a Dark Avenger infection is suspected. These programs cause an uncontrollable spread of the virus when they are used. The virus infects every executable file when the files are opened. Both of these programs open ALL executables, thus the virus saturates the system when it is scanned. VIRUSCAN version 45 has fixed this problem, and IBM will, presumably, issue a new Virscan version shortly.

Kevin Harrington of U.C. Davis and Morgan Schweers of Glen Cove, NY have reported that scanning systems infected with this virus has turned what would have been a moderate disinfection task into a monumental problem.

If anyone does have this virus, the M-DAV disinfector on HomeBase will remove it and repair the damage. The board number is 408 988 4004.

Alan