21A03.TXT - Description file for 21A03.DEF
AntiVirus Lab, SYMANTEC/Peter Norton Product Group
January 1, 1993

******************************************************************

Instructions for loading virus definitions, using Norton AntiVirus 2.1:

 1) Run Virus Clinic by typing NAV at the DOS prompt.
 2) If you are in DOS, press to accept the Welcome screen.
 3) Select "Cancel," or press to bypass the "Scan Drives" Screen.
 4) Select the "Definitions" menu.
 5) Select "Load from File..."
 6) If the name of the drive and directory to which you loaded the
    definition file does not appear on the "Directory:" line, change to
    the proper drive and directory name and press . The name of the
    definition file should appear in the "Files" window.
 7) Select the definition file, select "OK," and press .
 8) After the definitions have loaded, press to exit from the "Load
    Definition File Results" screen.
 9) Select "Exit" from the "Scan" menu.
10) Reboot your computer to activate the new definitions.

********************************************************************************

Monkey

Monkey is a memory resident infector of the Master Boot Record on hard disks and of the boot sector on floppies. If Monkey is in memory, any accesses to the boot record will be rerouted to a copy of the original boot sector. Monkey replaces the partition table, thus invalidating the hard drive if it is infected and a boot up occurred from a clean diskette. Thus, this virus can only be seen in memory or on a floppy disk. If you boot from a clean diskette, the hard disk will be unknown to DOS. If you boot from the hard disk, you are infected. Repair is not possible from within NAV because of this complexity. If you encounter this virus, call Technical Support. They can guide you through a repair process.

The virus is spread onto hard disks when a boot occurs from an infected diskette. Diskettes are infected when the virus is resident in memory and any access is made to the diskette.
The virus occupies one K at the top of memory (640K mark). Any memory indicator will show the machine as having one K less than it should. INT 01 and INT 13h are intercepted by the virus to accomplish its deeds. Monkey does no intentional permanent damage and seems only designed to spread. But the encryption and the inability for DOS to see the hard drive if booted from a diskette is a major inconvenience. Damage may occur on diskette formats other than DOS on 360K, 720K, 1.2M, and 1.44M diskettes.

Monkey is prevalent in Canada at the time of this writing, especially around Edmonton.

-----

ATAS (aka 384, 400)

Atas is a direct action infector of COM files. Atas infects one COM file in the current directory per execution. Files will grow by 384 or 400 bytes depending on which strain is infecting your system. The date and timestamp of the file will be changed to the time of infection. Atas intercepts INT 21h in order to infect but returns the vector once the infection is complete.

Upon completion of the infection, a message will appear on the screen. This message will either be "I like to travel..." (ATAS-400) or "Ok." (ATAS-384). Both messages are encrypted in the body of the virus and cannot be seen until appropriate portions are decrypted. Because of the encryption, repair is not possible.

-----

No Frills

No Frills is a memory resident infector of COM and EXE files. Files are infected if executed or copied. The resident portion of the virus takes up approximately 2K of memory. Files grow by approximately 800 to 850 bytes but the date and timestamp will be unchanged. Infected files are repairable by NAV. The only negative side-effect that could be found was that the system would occasionally hang once infected.

-----

DiskInfect

DiskInfect is a memory resident infector of the Master Boot Record and partition tables on hard disks and of the boot sector on floppies. DiskInfect overwrites the OEM name on hard disks, though that causes no actual damage.
Repair of partition tables is provided. The boot sector can be repaired with the FDISK /MBR command on hard disks or with the SYS command for floppies.

The virus is spread onto hard disks when a boot occurs from an infected diskette. Diskettes are infected when the virus is resident in memory and any access is made to the diskette. The virus occupies one K at the top of memory (640K mark). Any memory indicator will show the machine as having one K less than it should. INT 13h and INT 21h are intercepted by the virus to accomplish its deeds.

-----

Gnose (aka Irish-3, Necrose)

Gnose is a prepending virus. It infects COM files including COMMAND.COM. For EXE files, it creates a companion COM program of 1164 bytes with the hidden attribute turned on so the DOS DIR command will not list them, making it seem invisible. For COM files, the first 1164 bytes are copied to the end of the file, replaced by the viral code. On NOV 21 of any year, the virus produces periodic beeps on the speaker (using INs & OUTs to port 61h).

NAV can detect and repair both the new hidden files as well as the traditional prepended viral code. In repairing the spawned hidden COM files, NAV truncates the files to 0 length. A separate step must be taken to delete these files. Programs from The Norton Utilities, The Norton Desktop for Windows, The Norton Desktop for DOS, or the DOS ATTRIB program can all be used to locate and delete hidden files. After NAV has repaired the system, all COM files of length 0 should be deleted. We do not recommend deleting the files directly from NAV because it is too difficult to determine whether an affected COM file is one that has been attached to or one that has been spawned and is only 1164 bytes. If all files on the system can be retrieved from backup if necessary, then using the delete function in NAV is appropriate.
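As an added illustration of the clean-up logic described above (this is not part of the original Symantec file), the following Python triage sorts a DOS directory listing into the buckets the text distinguishes. DirEntry, gnose_triage and the sample listing are constructed here; the 1164-byte companion size and the 0-length truncation after repair come from the description.

```python
from dataclasses import dataclass

# Sizes stated in the description: Gnose spawns a hidden 1164-byte companion
# COM beside each EXE, and NAV truncates a repaired companion to 0 bytes.
GNOSE_COMPANION_SIZE = 1164


@dataclass(frozen=True)
class DirEntry:
    name: str     # DOS 8.3 name, e.g. "WP.EXE"
    size: int     # length in bytes
    hidden: bool  # DOS hidden attribute set (DIR would not list it)


def gnose_triage(entries):
    """Sort the COM files of one directory into clean-up buckets.

    leftover: 0-byte COM files (companions NAV already truncated); delete them.
    spawned:  hidden, exactly 1164 bytes, with a same-name EXE; an unrepaired companion.
    review:   exactly 1164 bytes with no EXE sibling, or hidden beside an EXE but of
              another size; the text warns these cannot be told apart from a small
              legitimate COM or a COM the virus was prepended to, so check by hand.
    """
    by_name = {e.name.upper(): e for e in entries}
    exe_bases = {n[:-4] for n in by_name if n.endswith(".EXE")}
    buckets = {"leftover": [], "spawned": [], "review": []}
    for name, entry in sorted(by_name.items()):
        if not name.endswith(".COM"):
            continue
        has_exe = name[:-4] in exe_bases
        if entry.size == 0:
            buckets["leftover"].append(name)
        elif entry.size == GNOSE_COMPANION_SIZE and entry.hidden and has_exe:
            buckets["spawned"].append(name)
        elif entry.size == GNOSE_COMPANION_SIZE or (entry.hidden and has_exe):
            buckets["review"].append(name)
    return buckets


# Constructed sample listing (not real data): a repaired WP companion,
# an untouched spawn beside EDIT.EXE, an ambiguous orphan, and normal files.
SAMPLE_DIR = [
    DirEntry("WP.EXE", 245760, False),
    DirEntry("WP.COM", 0, True),            # NAV truncated it; still hidden
    DirEntry("EDIT.EXE", 40320, False),
    DirEntry("EDIT.COM", 1164, True),       # companion NAV has not repaired yet
    DirEntry("OLD.COM", 1164, False),       # no OLD.EXE: could be a small legit COM
    DirEntry("COMMAND.COM", 47845, False),  # ordinary COM, size constructed
    DirEntry("README.TXT", 812, False),
]

if __name__ == "__main__":
    for bucket, names in gnose_triage(SAMPLE_DIR).items():
        print(f"{bucket:9}: {', '.join(names) or '-'}")
```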
The virus is improperly coded such that if you work with a write-protected floppy diskette while the virus is in memory, you will get a continual sequence of write protect error messages.

Gnose steals approximately 2.5K (2624) of memory from just below the 640K mark to remain resident in memory. INTs 1Ch, 21h, and 03h are intercepted by the virus. INT 1Ch is the periodic timer tick interrupt and is used to determine when to play its tunes. INT 21h is intercepted for use in propagation. And INT 03 is used by the virus possibly to encumber the anti-virus evaluator, as it is also the DEBUG interrupt. Finally, the virus does a self-residency check by issuing AX=4BFDh, INT 21h. On return, if AX is 3238h, then the virus is already in memory.

-----

(Note: File size growth is given in approximate numbers. If a number is enclosed in parentheses, that number would be the growth of one of the more common variants. As it is too easy for a virus writer to alter this number without changing the virus significantly, do not depend on the more precise number. It is provided for your confidence should you encounter it, which we hope never happens.)