FORWARDED MAIL FROM DR. NEMETH

From: Brian Buhrow (buhrow@lothlorien.nfbcal.org)
Date: Sun Jan 21 1996 - 18:34:41 PST


(fwd)
To: skyclub-l@io.org, support-list@blazie.com
Mime-Version: 1.0

I thought this message should have wide distribution.
My Tactic disk also had a virus and I was able to use the /clean option of
scan v229e to disinfect the disk.

Irwin Hott ishott@freenet.columbus.oh.us
---------- Forwarded message ----------
Date: Fri, 12 Jan 1996 23:48:32 -0800
From: Robert Englebretson <6500reng@UCSBUXA.UCSB.EDU>
To: Multiple recipients of list BLIND-L <BLIND-L@UAFSYSB.UARK.EDU>
Subject: ALERT!: virus on Tactic disk?

Howdy,

This message is intended for subscribers of Tactic magazine, who receive the
magazine on disk. I have been a Tactic subscriber for several years, and it
is a great magazine. It has also been nice to receive it on disk. However,
I received my copy in the mail today and have discovered that the disk I
received is infected with the Antiexe Virus. See below for more information
on the Antiexe Virus and how to eliminate it. I know for a fact (and have
verified) that my system is not infected, and the only disk I have which is
infected is the disk containing the Fall 1995 issue of Tactic. Depending on
how Clovernook copies the disks, this could mean that all copies are
infected. If you have the Fall 1995 issue, and are comfortable using
antivirus programs, please verify that it is in fact the Tactic disk that's
infected. If you haven't yet received the Fall issue, it might be a good
idea to wait until further notice to read it. I am trying to give this
message widest possible distribution, so that people can be informed and take
precautions before too much time goes by. I have also sent a copy to Deborah
Kendrick, editor of Tactic, so she will hopefully contact Clovernook so that
they can inform all disk subscribers of the virus and how to deal with it.
Please don't panic! I have taken every precaution I can think of to ensure
that this is not a false alarm, and I sincerely apologize if I have
overlooked something. On the (unfortunately large) chance that I am right
and Tactic is infected, I think it's important to let people know.

Here are more details on my experience. I received the disk in the mail
today, and, as with any disk I receive in the mail, I scanned it for viruses
before looking at it any further. (As I have learned from past experiences,
this is a very good precaution--one which everyone should take if you value
your computer and your data.) I was using a recent version of McAfee, but
any good *recent antivirus program should do (e.g. F-Prot, recent version of
Norton, etc.). McAfee reported that my memory was clean, but the boot sector
of the Tactic disk was infected with the Antiexe Virus. At this point, I
scanned my hard-disk and a couple other floppies, but Tactic was the only one
infected.

Here's info on the Antiexe Virus that I gleaned from various web resources.
This virus appeared sometime in late 1994, and is believed to have originated
in Russia. It infects the boot sector of floppies, and the master boot
record of hard disks. Its main function seems to be to corrupt .exe files
that are 200-256k in size (no one seems real sure which specific file was
originally the target.) Antiexe is a stealth virus--in other words it will
only do serious damage on the occurrence of a specific event; in this case,
if you press CTRL-break while Antiexe is performing a disk access, the virus
will overwrite the eight sectors on each head and track of the drive starting
at sector four. Besides this one event, the virus will cause no permanent
damage--just temporarily reduce system performance and memory slightly until
it is removed. The virus resides on the boot sector of floppies, and will
infect the master boot record of your hard drive if you accidentally boot
from the floppy, and (as I found out through a little experiment) if you even
do a directory of the disk. Once the master boot record of your hard drive
is infected, the virus will spread to the boot sector of any floppy that is
not write-protected.

Here are some tips on diagnosing and eliminating the Antiexe Virus. If you
are not very comfortable with computers or these kinds of things, it might be
best for you to find someone who is, so that nothing goes seriously wrong.
First, it is *very important that you boot your system from a floppy that you
*know to be virus free. Second, run a program to check for viruses. (If you
don't have one, you can download a demo of McAfee antivirus from their FTP
site: ftp.mcafee.com. You want the file scn-229e.zip in the /pub/antivirus
directory.) If the virus scanner indicates that your hard drive is infected
with Antiexe, you can disinfect it with an antivirus program (F-Prot was
recommended for this), or you can disinfect it simply by running the DOS
command fdisk with the /mbr switch. (*Warning: issuing this command could
do some serious damage if you haven't booted from a clean floppy, and also if
your hard drive is infected with other MBR viruses.) If your hard drive is
not infected, but a floppy disk is, you can disinfect the floppy by running a
program like F-Prot, or by putting the DOS system on it--from your *clean
hard-drive issue the command sys a: to do this.

This is all the info I have right now--maybe someone out there knows more
about this. Again, I apologize if this is a false alarm (for a lot of
people's sake I almost hope it is), but I have taken every precaution I can
think of to make sure that it was the Tactic disk. In any case, this should
be a reminder for all of us of the precautions we should be taking before
inserting disks that we receive from other sources into our systems. I also
hope that organizations like Clovernook who send out things on disk will take
better care that their systems aren't infected.

Feel free to contact me if you need more information or have questions about
what I have written.

                         Robert Englebretson
                         (6500reng@ucsbuxa.ucsb.edu)
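
Added example, not part of the original message or of any tool it names: a check a disk duplicator could run on a known-clean system, comparing the boot sector of each outgoing floppy image with the master's and reporting where they differ. The image names and sample bytes are constructed, and the 0x3E boundary between parameter block and boot code assumes a DOS 4.0+ FAT12 layout.

```python
import hashlib

SECTOR = 512
BPB_END = 0x3E   # assumed layout: jump, OEM name and BPB occupy 0x00-0x3D
SIG_OFF = 0x1FE  # boot signature bytes 0x55 0xAA

def boot_sector(image: bytes) -> bytes:
    """Return the first sector of a raw floppy image."""
    if len(image) < SECTOR:
        raise ValueError("image shorter than one sector")
    return image[:SECTOR]

def compare_to_master(master: bytes, copy: bytes) -> dict:
    """Byte-compare a copy's boot sector with the master's and classify the change."""
    m, c = boot_sector(master), boot_sector(copy)
    changed = [i for i in range(SECTOR) if m[i] != c[i]]
    return {
        "sha256": hashlib.sha256(c).hexdigest(),
        "matches_master": not changed,
        "signature_ok": c[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa",
        "bpb_changed": any(i < BPB_END for i in changed),
        "code_changed": any(BPB_END <= i < SIG_OFF for i in changed),
        "changed_range": (changed[0], changed[-1]) if changed else None,
    }

def audit_batch(master: bytes, copies: dict) -> list:
    """Names of images whose boot sector differs from the master's."""
    return sorted(name for name, img in copies.items()
                  if not compare_to_master(master, img)["matches_master"])

def _sample_image() -> bytes:
    """Constructed three-sector image with a minimal, plausible boot sector."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x3c\x90"                 # jump to boot code at 0x3E
    bs[3:11] = b"MSDOS5.0"                    # OEM name
    bs[11:13] = (512).to_bytes(2, "little")   # bytes per sector
    bs[SIG_OFF:SIG_OFF + 2] = b"\x55\xaa"
    return bytes(bs) + bytes(2 * SECTOR)

MASTER = _sample_image()
CLEAN = _sample_image()
# Constructed "modified" copy: 16 bytes of the boot-code area overwritten.
TAMPERED = MASTER[:0x40] + b"\xcc" * 16 + MASTER[0x50:]

if __name__ == "__main__":
    batch = {"disk_001.img": CLEAN, "disk_002.img": TAMPERED}
    for name in audit_batch(MASTER, batch):
        print(name, compare_to_master(MASTER, batch[name]))
```

A mismatch only shows that the boot sector changed after mastering; identifying what changed it is still the job of a virus scanner.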




This archive was generated by hypermail 2b29 : Sun Dec 02 2012 - 01:30:03 PST