15a12.TXT - Description file for 15a12.DEF

SYMANTEC/Peter Norton Product Group
August 01, 1992

********************************************************************

THIS FILE CONTAINS DEFINITIONS FOR NORTON ANTI-VIRUS (NAV) VERSION 1.5
DATED 8/5/91 OR LATER ONLY. DO NOT USE WITH EARLIER VERSIONS OF NAV 1.5
OR WITH NAV 1.0.

Instructions to Load the Definitions File:

 1) Run Virus Clinic by typing NAV at the DOS prompt.
 2) Press to accept the Welcome screen.
 3) Press to bypass the Scan Drive dialog box.
 4) If you have NAV in Advanced Mode:
    a) Press to pull down the Options menu.
    b) Press to select the Scan Options command.
    c) Press to change to Basic Mode.
    d) Press to leave the Scan Options dialog box.
 5) Press to pull down the Definitions menu.
 6) Press to select the Load Virus Definitions command.
 7) Type C:\NAV\15a12.DEF to specify which file to load (this assumes
    that 15a12.DEF resides in the NAV directory of the C: drive;
    change the file specification to match the location of your
    15a12.DEF file).
 8) Press to pull down the Definitions menu.
 9) Press to select the List Virus Names command.
10) If you had NAV in Advanced Mode:
    a) Press to pull down the Options menu.
    b) Press to select the Scan Options command.
    c) Press to return to Advanced Mode (at this point, Auto-Inoculate
       will be turned on; if you had it off or want it off, press ).
    d) Press to leave the Scan Options dialog box.
    e) Press to pull down the Scan menu.
    f) Press to select the Drive command.
    g) Select the drive on which NAV resides.
    h) At this point, if you get an alert from virus intercept saying
       NAV_.SYS has changed or may contain an unknown virus (which
       probably won't happen), press to Reinoculate this file, and
       then press to cancel the scan.
    i) Press to leave the Scan Results screen.
11) Press to pull down the Exit menu.
12) Press to select Yes.
13) Reboot your computer to activate the new definitions.

********************************************************************

Overview:

BigV

BigV is a memory resident virus targeting Boot Sectors. Big V becomes
memory resident on boot. It infects the hard disk if it is not already
infected, and then infects floppies when they are formatted, and
possibly at other times. The virus occupies about 2K while in memory,
and 2 sectors on the hard disk and floppy. On infection, it may damage
the FAT or files near the front of the disk by overwriting them with
the 2 sectors of viral code. Big V hooks INT 13 indirectly through
IO.SYS. Intermittently, it displays a large V on the screen and hangs
the system. Repair is available for hard disks. Floppies cannot be
repaired.

Welcome

Welcome is a memory resident virus targeting both COM and EXE files.
Welcome hooks INT 21 when it becomes memory resident, and infects
files as they are executed. Infected files increase in size by
1350-1400 bytes depending on the variant. Welcome is of the APPENDING
type; thus, the viral code is located at the end of the file. Infected
EXE files are repairable; however, infected COM files are not.

Unwelcome (aka Scream2)

Unwelcome is an encrypting, memory resident virus targeting both EXE
and COM files, including COMMAND.COM. While memory resident, the virus
infects files as they are executed. COM files increase in size by 700
(692) bytes, and EXE files increase in size by 1000 (932) bytes.

Fish Boot

Fish Boot is a memory resident virus targeting the Partition Table
Sector and the Boot Sector. It seems to infect only hard disks and
floppies; however, there may be a dropper for the virus. Fish Boot
occupies three sectors toward the end of the disk. Two of the sectors
contain viral code and data, and the third sector is the original Boot
Sector. When the virus is memory resident, it has hooked INT 13 and
INT 10. It displays the following message on the upper right side of
the screen:

    "Hello! I am FISH, please don't kill me Congratulate 80th year of
    the Republic of China Building, Fish will help to kill stone
    Written by Fish in NTIT. TAIWAN 80.10.18"

Also, the system seems to slow down, especially screen writes. It is
not confirmed whether this virus does anything destructive. Fish Boot
can be repaired by NAV.

PSQR-1364

PSQR-1364 is a variant of the Jerusalem Family. It is a memory
resident virus targeting EXE files. The virus has an internal counter.
At some point, when the counter gets to zero, possibly on Friday the
13th, the virus will activate. On activation, it trashes the current
logical drive. On drives with multiple partitions, chances are only
the current partition is destroyed. If the current drive is a floppy,
it may be trashed. PSQR-1364 seems to infect files when they are
executed, or when they are opened. So, if a file is copied while the
virus is in memory, chances are it will get infected. Unfortunately,
repair is not possible on files infected by this virus, since the
virus overwrites a portion of the original file.

(Note: File size growth is given in approximate numbers. If a number
is enclosed in parentheses, that number would be the growth of one of
the more common variants. As it is too easy for a virus writer to
alter this number without changing the virus significantly, do not
depend on the more precise number. It is provided for your confidence
should you encounter it, which we hope never happens.)
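
The growth figures above can be used as a triage hint when comparing a saved listing of executable sizes against the current one. The following is an added example, not part of the original file and not NAV's own logic; the function names, the 16-byte slack and the sample listings are assumptions constructed for illustration.

```python
import os

# Approximate growth ranges in bytes, as quoted in the descriptions above.
GROWTH_PROFILES = [
    ("Welcome", (".COM", ".EXE"), 1350, 1400),
    ("Unwelcome", (".COM",), 692, 700),
    ("Unwelcome", (".EXE",), 932, 1000),
]
EXECUTABLE_EXTS = (".COM", ".EXE")


def classify_growth(name, delta, slack=16):
    """Return virus names whose quoted growth range, widened by slack, fits delta.

    The slack is an assumed tolerance: the note above warns that the exact
    number is easy for a virus writer to change.
    """
    ext = os.path.splitext(name)[1].upper()
    return sorted({virus for virus, exts, low, high in GROWTH_PROFILES
                   if ext in exts and low - slack <= delta <= high + slack})


def compare_to_baseline(baseline, current, slack=16):
    """Compare {filename: size} maps and report every executable that grew.

    An executable that grows by an amount matching no profile is still
    reported, because COM and EXE files do not normally change size.
    """
    findings = []
    for name, old_size in sorted(baseline.items()):
        new_size = current.get(name)
        if new_size is None:
            continue  # file removed since the baseline; not a growth finding
        delta = new_size - old_size
        if delta <= 0 or os.path.splitext(name)[1].upper() not in EXECUTABLE_EXTS:
            continue
        matches = classify_growth(name, delta, slack) or ["unexplained growth"]
        findings.append((name, delta, matches))
    return findings


# Constructed sample listings (file names and sizes are made up).
BASELINE = {"COMMAND.COM": 47845, "CHKDSK.EXE": 16200, "MORE.COM": 2618,
            "README.TXT": 900, "SORT.EXE": 6938}
CURRENT = {"COMMAND.COM": 48537, "CHKDSK.EXE": 17576, "MORE.COM": 2623,
           "README.TXT": 1000, "SORT.EXE": 6938}

if __name__ == "__main__":
    for name, delta, matches in compare_to_baseline(BASELINE, CURRENT):
        print(f"{name}: +{delta} bytes -> {', '.join(matches)}")
```

A match is only a pointer to which description to read first, and size comparison says nothing about the boot sector viruses (BigV, Fish Boot), which do not change file sizes.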