Virus-L/comp.virus FAQ: Specific Virus and Antivirus Software Questions...

===================================================================
= Section G.   Specific Virus and Antivirus Software Questions... =
===================================================================

G1)  I was infected by the Jerusalem virus and disinfected the infected
     files with my favorite antivirus program.  However, WordPerfect
     and some other programs still refuse to work.  Why?

The Jerusalem virus and WordPerfect 4.2 program combination is an
example of a virus and program that cannot be completely disinfected by
an antivirus tool.  In some cases such as this, the virus will destroy
code by overwriting it instead of appending itself to the file.  The
only solution is to re-install the programs from clean (non-infected)
backups or distribution media (see D10 and E8).


G2)  Is my disk infected with the Stoned virus?

Of course the answer to this, and many similar questions, is to obtain a
good virus detector.  There are many to choose from, including ones that
will scan diskettes automatically as you use them.  As Stoned is a boot
sector infector, remember to check all diskettes, even non-system or
"data" diskettes (see E1).

It is possible, if you have an urgent need to check a system when you
don't have any antivirus tools, to run CHKDSK or MEM and note down the
values reported (see C1) and then to boot from a known clean system
diskette and compare the results returned by CHKDSK or MEM.  If the
total amount of conventional memory reported is different between the
two boots then you may have a viral problem but this information alone
cannot tell us if it is Stoned.  If you cannot see the PC's hard disk
(usually the C: drive) then it is even more likely you have a virus
problem, though definitely not Stoned.  If you have a "disk editor" type
program, looking at the boot sector of a suspect floppy, or the MBR of
the suspect hard drive may be helpful.  If you have Stoned, the first
byte will indicate the characteristic far jump of the virus (hex: EA)
instead of the more common short jump (hex: EB) of the boot loader.
Even if that is the first byte, you could be looking at a perfectly good
disk that has been "inoculated" against the virus *or* is infected with
some other virus which makes similar changes, or at a diskette that
seems safe but contains a totally different type of virus.


G3)  I was told that the Stoned virus displays the text "Your PC is now
     Stoned" at boot time.  I have been infected by this virus several
     times, but have never seen the message.  Why?

The "original" Stoned message was ".Your PC is now Stoned!", where the
"." represents the "bell" character (ASCII 7 or "PC speaker beep").  The
message is displayed with a probability of 1 in 8 *only* when a PC is
booted from an infected *diskette*.  When booting from an infected hard
disk, Stoned never displays this message.

Further, versions of Stoned with no message whatsoever or only the
leading bell character have become very common.  These versions of
Stoned are likely to go unnoticed by all but the most observant, even
when regularly booting from infected diskettes.

Contrary to some reports, the Stoned virus does *not* display the
message "LEGALISE MARIJUANA", although such a string is quite clearly
visible in the boot sectors of diskettes and MBR's of hard disks
infected with the "original" version of Stoned.


G4)  I was infected by both Stoned and Michelangelo.  Why has my
     computer become unbootable?  And why, each time I run my favorite
     scanner, does it find one of the viruses and say that it is
     removed, but when I run it again, it says that the virus is still
     there?

These two viruses store the original Master Boot Record at one and the
same place on the hard disk.  They do not recognize each other, and
therefore a computer can become infected with both of them at the same
time.

The first of these viruses that infects the computer will overwrite the
Master Boot Record with its body and store the original MBR at a certain
place on the disk.  So far, this is normal for a boot-record virus.  But
if now the other virus infects the computer too, it will replace the MBR
(which now contains the virus that has come first) with its own body,
and store what it believes is the original MBR (but in fact is the body
of the first virus) *at the same place* on the hard disk, thus
*overwriting* the original MBR.  When this happens, the contents of the
original MBR are lost.  Therefore the disk becomes non-bootable.

When a virus removal program inspects such a hard disk, it will see the
*second* virus in the MBR and will try to remove it by overwriting it
with the contents of the sector where this virus normally stores the
original MBR.  However, now this sector contains the body of the *first*
virus.  Therefore, the virus removal program will install the first
virus in trying to remove the second.  In all probability it will not
wipe out the sector where the (infected) MBR has been stored.

When the program is run again, it will find the *first* virus in the
MBR.  By trying to remove it, the program will get the contents of the
sector where this virus normally stores the original MBR, and will move
it over the current (infected) MBR.  Unfortunately, this sector still
contains the body of the *first* virus.  Therefore, the body of this
virus will be re-installed over the MBR ad infinitum.

There is no easy solution to this problem, since the contents of the
original MBR are lost.  The only solution for the antivirus program is
to detect that there is a problem, and to overwrite the contents of the
MBR with a valid MBR program, which the antivirus program has to provide
itself.  If your favorite antivirus program is not that smart, consider
replacing it with a better one, or try using the boot sector
disinfection procedure described elsewhere (see C3).

In general, infection of the same file or area by multiple viruses is
possible and vital areas of the original may be lost.  This can make it
difficult or impossible for virus disinfection tools to be effective,
and replacement of the lost file/area will be necessary.
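
As an added illustration (not part of the FAQ, and not code from either virus or any product), the following Python models the sequence of sector copies G4 describes: the disk, the two viruses and the removal tools are constructed stand-ins, and the labels and function names are assumptions made for the model.

```python
# Constructed model of the G4 scenario (no real virus code).  A disk is a
# dict of sector labels to contents, and both viruses stash the sector they
# displace in the same "save" sector, exactly as the FAQ describes.
MBR, SAVE = "mbr", "save_sector"
ORIGINAL_MBR = "original MBR (valid partition table)"  # constructed label
GENERIC_MBR = "generic MBR written by antivirus"       # constructed label

def new_disk():
    return {MBR: ORIGINAL_MBR, SAVE: "unused"}

def infect(disk, virus):
    """Boot-record virus behaviour from G4: copy whatever is in the MBR to
    the save sector (overwriting what was there), then take over the MBR."""
    disk[SAVE] = disk[MBR]
    disk[MBR] = virus

def naive_disinfect(disk):
    """A removal tool that copies the save sector back over the MBR and
    leaves the save sector untouched.  Returns the new MBR contents."""
    disk[MBR] = disk[SAVE]
    return disk[MBR]

def smart_disinfect(disk, known_viruses):
    """A tool that checks whether the 'saved original' is itself a known
    virus body; if so it writes its own generic MBR instead, and it wipes
    the save sector either way.  Returns the new MBR contents."""
    saved = disk[SAVE]
    disk[MBR] = GENERIC_MBR if saved in known_viruses else saved
    disk[SAVE] = "wiped"
    return disk[MBR]

def double_infection_trace(rounds=3):
    """Infect with Stoned, then Michelangelo, then run the naive tool
    'rounds' times.  Returns (MBR contents after each run, save sector)."""
    disk = new_disk()
    infect(disk, "Stoned")
    infect(disk, "Michelangelo")
    return [naive_disinfect(disk) for _ in range(rounds)], disk[SAVE]
```

Running the trace shows the first virus reappearing in the MBR on every pass, with the original MBR nowhere left on the disk, which is why the tool has to supply a generic MBR of its own.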


G5)  My scanner finds the Filler and/or Israeli Boot virus in memory,
     but after I boot from a clean floppy it reports no viruses.  Am I
     infected?

This is almost certainly a "false positive" (see C5).  One particular,
popular antivirus product (usually its TSR scanner/monitor VSAFE) leaves
its scan strings in memory in an unencoded form, and is well-known for
causing false positives on Filler and Israeli Boot.  Your other scanner
sees the first's scan strings (at least those for Filler and/or Israeli
Boot) and reports a virus in memory.  When you boot from a floppy you
(probably) are not loading the resident scanner, so it doesn't have a
chance to "booby-trap" your other scanner.  To fix this problem, try
adding "REM " to the beginning of the line in your AUTOEXEC.BAT or
CONFIG.SYS file that loads the suspect TSR, and see if the problem
disappears.


G6)  I was infected with Flip and now a large part of my hard disk
     seems to have disappeared.  What has happened?

Flip has a logic error, probably based on its author only knowing about
hard disk partitioning schemes under DOS 3.x (where partitions could not
exceed 32MB in size).

Part of Flip's infection routine decrements by six the "total number of
sectors" field in the BIOS Parameter Block (BPB--a table of critical
disk geometry data) in the DOS boot sector of the boot partition.  For
partitions of 32MB and under this field is meaningful, but in larger
partitions, this field is set to zero and a field in the "extended BPB"
contains the "big number of sectors" for that partition instead.  Not
knowing about larger partitions, Flip renders the large partitions it
meets a shade under 32MB.  The fix for this is to use a disk sector
editor to set the word at offset 13h of the affected DOS boot sector to
"00 00" (if the situation above applies, those two bytes will currently
read "FA FF", i.e. zero minus six stored low byte first).  If you don't
understand these instructions, do *not* attempt to follow them; seek the
help of a more technically knowledgeable person.
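
The two inspection steps above, the first-byte check from G2 and the BPB "total sectors" check from G6, as an added Python example that is not part of the FAQ.  The sectors are constructed in the code (no real virus or disk data); the first-byte check applies to any boot sector or MBR, while the BPB fields only mean something in a DOS boot sector.  Function names and the sample sizes are assumptions.

```python
import struct

# Constructed sample sectors (not real virus code): only the bytes that the
# checks below read are meaningful; everything else is zero padding.
def build_sector(first_byte, total_sectors, big_total_sectors):
    """Build a 512-byte sector with a given first byte, the BPB 'total
    sectors' word at offset 13h, the extended-BPB 'big total sectors' dword
    at offset 20h, and the 55 AA boot signature at the end."""
    sec = bytearray(512)
    sec[0] = first_byte
    struct.pack_into("<H", sec, 0x13, total_sectors)
    struct.pack_into("<I", sec, 0x20, big_total_sectors)
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)

def jump_kind(sector):
    """Classify the first byte as G2 describes: EB is the usual short jump
    of a boot loader, EA the far jump characteristic of Stoned."""
    names = {0xEB: "short jump (EB)", 0xEA: "far jump (EA)", 0xE9: "near jump (E9)"}
    return names.get(sector[0], "other (%02X)" % sector[0])

def has_boot_signature(sector):
    return sector[510:512] == b"\x55\xAA"

def bpb_total_sectors(sector):
    """Return (total sectors word at 13h, big total sectors dword at 20h)."""
    (total,) = struct.unpack_from("<H", sector, 0x13)
    (big,) = struct.unpack_from("<I", sector, 0x20)
    return total, big

def flip_damage(sector):
    """G6: on a partition over 32MB the word at 13h must be zero and the
    dword at 20h holds the real count.  Flip subtracts six from 13h, turning
    zero into FFFAh (bytes FA FF), so DOS sees a partition just under 32MB."""
    total, big = bpb_total_sectors(sector)
    return big != 0 and total == 0xFFFA

def repair_flip(sector):
    """The fix G6 describes: write 00 00 at offset 13h.  Returns a copy."""
    fixed = bytearray(sector)
    struct.pack_into("<H", fixed, 0x13, 0)
    return bytes(fixed)

def inspect(sector):
    """Summarise all three checks for one sector."""
    return {"jump": jump_kind(sector), "signature": has_boot_signature(sector),
            "flip_damage": flip_damage(sector)}

# Constructed examples: a healthy 100MB partition (204800 sectors of 512
# bytes), the same sector after Flip's decrement, and a far-jump first byte.
CLEAN = build_sector(0xEB, 0, 204800)
FLIPPED = build_sector(0xEB, (0 - 6) & 0xFFFF, 204800)
FAR_JUMP = build_sector(0xEA, 0, 204800)
```

Remember the caveat from G2: a far-jump first byte alone is not proof of Stoned, so treat `jump_kind` as a reason to run a proper scanner, not as a verdict.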


G7)  What does the GenB and/or the GenP virus do?

There is no such thing as *the* GenB or GenP virus.  It is a heuristic
used by a very popular scanner to detect boot sector viruses and means
"There is something very suspicious in the boot sector (GenB) or in the
MBR (GenP), and I am pretty sure that it is a virus, however, I have no
idea which particular virus it might be".  You should run a scanner
which has better recognition and identification capabilities (see B15),
if you want to know which particular virus you have.  One advantage of
the GenB/GenP report is that you can often use the disinfection utility
from the same producer to remove the virus, even if no other scanner can
remove it.  When told to remove the GenB/GenP "virus", the utility scans
the disk for something that looks like a saved copy of the original boot
sector or MBR and will put it back in place, thus removing the virus, or
it writes a good generic MBR if there is an apparently valid partition
table in the virus MBR.


G8)  How do I "boot from a clean floppy"?

"Put it in the A: drive and turn the power on."

The facetious answer aside, the real question here is usually more one
of "How do I ensure I have a clean boot floppy?"

As with so many issues concerning viruses, the important thing is to be
prepared *in advance*.  As with backups, a current, clean boot disk
should be a standard part of every personal computer system, as there
are other occasions than when facing a real or suspected virus infection
where being able to boot your computer to a "known good" state is
useful or desirable (e.g. you accidentally delete your disk-compression
driver from your hard disk).  As with backups, a current, clean boot
disk is one of the standard parts of a personal computer system most
commonly missing.

The important thing in preparing a clean boot diskette, especially where
it has to be used with a (suspected) virus infection, is that it must
*not* run a single byte of code from your hard disk.  This means your
boot floppy must contain all the basic operating system files, device
drivers and configuration commands necessary to make your system
minimally usable.  This diskette must be prepared on a system that is,
itself, guaranteed "clean" and it should be write-protected immediately
after it is completed.  Aside from a basic, minimal operating system,
your emergency boot diskette should contain the utilities necessary to
install your OS to a hard disk *and* basic diagnostic or "fix it"
programs and your favorite antivirus tools.  Depending upon disk space
considerations, you may need additional diskettes to hold all these
utilities.  For example, if you use DOS it is a good idea to copy the
following utility programs to your emergency boot disk (if your version
of DOS includes them): FDISK, CHKDSK and/or SCANDISK, FORMAT, SYS, MEM,
UNFORMAT, UNDELETE, MSD.

When it comes to rebooting your computer from a clean system disk, it is
most important that you perform a "cold start".  On a PC, this means
pressing the reset button or turning the power off and on again, *not* by
pressing Ctrl-Alt-Del.  Regardless of the machine type, if you are
unsure, use the power off then power on method just described.  It is
even more important that your machine is correctly configured to try
booting from the floppy first.  Most contemporary BIOSes have an option
to select the boot order (A: then C: or C: then A:)--this must be set to
A: then C: for this procedure, though normally we strongly recommend
that you set this option to C: then A:.

As systems change from time to time, you may occasionally need to update
this most critical of diskettes so it will still boot your system to a
usable state.  As you may have recently contracted a new virus that
bypasses your current antivirus precautions, this update process can put
you at risk of infecting your "clean" emergency boot diskette.  Because
of this, it is prudent to have two such diskettes.  With system changes
you would update these in a "leap frog" manner.  This means your
previous emergency boot diskette might still bring your machine up to a
minimally useful state (such that you may still be able to make repairs)
should your updated emergency boot diskette be infected by a previously
unknown virus.

Unfortunately, this isn't the whole story either!  A PC virus known as
EXE_Bug can fake out the boot process by setting the PC's CMOS to look
as if there are no floppy drives in the machine.  Most BIOSes don't
even try to boot from a floppy in this case, and go straight to the hard
disk, loading the virus from the MBR.  When EXE_Bug first loads into
memory, it checks to see if there is a diskette in the first floppy
drive, and if there is, it loads the boot sector from the diskette and
lets the floppy boot as normal.  Most people don't notice the subtly
different boot time and drive access order involved in this, so they
think they have booted clean, when in fact the virus is active in
memory!  To circumvent this possibility, you have to check the PC's CMOS
settings before letting the floppy boot proceed, make sure that your PC
"knows" it has a floppy drive, *and*, with some PCs, make sure that the
boot order option is set to "A: then C:".  This presents a chicken-and-egg
situation on some machines, as you may have to boot DOS on the
machine to be able to run the utility program that lets you change its
CMOS settings.

Remember, if you changed your BIOS's boot order option, set it back to
C: then A: after disinfecting your PC.


G9)  My PC diagnostic utility lists "Cascade" amongst the hardware
      interrupts (IRQs).  Does this mean I have the Cascade virus?

No!  This is quite normal on AT-style (286 and better) PCs (and on a few
8086 (XT) class machines).  The original IBM PC design had one
Programmable Interrupt Controller (PIC) to handle hardware interrupts
generated when devices like disk controllers, serial and parallel ports,
LAN adaptors, etc have to be serviced.  While developing the AT, IBM
decided that the eight Interrupt ReQuest (IRQ) lines the original PIC
supported were probably insufficient for likely future expansion needs,
so they added a second PIC.  The two PICs had to cooperate, so both
didn't interrupt the CPU concurrently.  This was achieved by having the
second PIC use an IRQ to signal the first PIC when it has an IRQ to
service.  IRQs 2 and 9 were used for this and are commonly called the
"cascade" IRQ, as they allow the second PIC to cascade an IRQ down to
the first PIC.


G10) Occasionally the text "welcome datacomp" appears in my Mac
     documents without me typing it.  Is this a virus?

Most likely not.  This phenomenon has been reported for a particular
make/model of third-party Macintosh-compatible keyboard.  It appears to
be a practical joke, coded into the keyboard's ROM, that causes the
keyboard to output that text (as if it was typed) after a period of
keyboard inactivity.  The only practical fix is to replace the keyboard.
This is, in effect, a hardware (technically "firmware") Trojan Horse--
the keyboard has features or functions that are not advertised and that
will be performed without the owner's or user's wish or permission.


G11) How good are the antivirus tools included with MS-DOS 6?

While this FAQ sheet avoids answering specific questions about
particular antivirus software (partly because the ground tends to move
very quickly!), the antivirus tools included with MS-DOS 6 are very
widely distributed and accessible.  We will not give a wide-ranging
answer here, but will point out that Microsoft Corporation does not use
MSAV but a competitor's product.  We suggest that anyone considering
using the antivirus tools supplied with MS-DOS 6 as a significant part
of their virus defense should read the review available by anonymous FTP
from (amongst others) ftp.informatik.uni-hamburg.de (IP = 134.100.4.42)
as /pub/virus/texts/viruses/msaveval.zip.


G12) When I do a "DIR | MORE", I see two files with random names that
     are not there when I just use "DIR".  On my friend's system they
     cannot be seen.  Do I have a virus?

No.  DOS's default commandline interpreter (COMMAND.COM) creates two
temporary files with unique names for every pipe character ("|") used on
the command line.  Starting with DOS version 5.0, these files are
created in the directory pointed to by the TEMP environment variable,
not in the current directory as they were in earlier DOS versions.  If
your TEMP setting is invalid or you have an earlier version of DOS you
will see these files in the current directory when you pipe the output
of a DIR command through MORE (or any other filter). If you don't see
these files in the current directory's listing, performing the command
"DIR | MORE" on the directory specified by the TEMP variable will reveal
them.

Generally, you would be better to use "DIR /P" instead of "DIR | MORE",
as this avoids the creation of the temporary files.  If you use an
alternative commandline interpreter, none of the above may apply.


G13) What is the ChipAway virus?  (Or ChipAwayVirus?)

The ChipAway virus is not a virus at all.  In fact, it is a poorly
chosen name for a good idea.  Many PCs have an advanced BIOS feature
that, when activated, prevents any writes to the MBR through BIOS disk
routines.  If active, this feature can cause problems if you install non-
DOS operating systems (like OS/2, Windows 95 or Windows NT), as their
installation routines typically need to write to the MBR, but for
general purpose computers, it is a good idea to turn on these options,
if they exist.

Unfortunately, one of the earliest and most widely available
implementations of this idea prints a message on screen at each system
startup to the effect "ChipAwayVirus installed".  This is supposed to
calm the owner's nerves, making them confident that their BIOS antivirus
system is working for them.  For fairly obvious reasons, it tends to
have the opposite effect!

[End of Virus-L/comp.virus FAQ sheet]