_______________________________________________________
            The Computer Incident Advisory Capability
_____________________________________________________

                       Information Bulletin

               November 17 Virus on MS DOS Computers

March 15, 1993 1000 PST                                      Number D-10
__________________________________________________________________________

NAME:          November 17 virus
ALIASES:       NOV 17, 855
PLATFORM:      MS DOS computers
DAMAGE:        On November 17 will destroy hard disk contents
SYMPTOMS:      Files grow by 855, 768, 880, or 800 bytes
DETECTION/
ERADICATION:   FPROT 207, Scan V102, Novi
__________________________________________________________________________

Critical Facts about the November 17 virus

The November 17 virus is a simple file infector virus which has recently
been discovered to be fairly widespread. This virus will overwrite the hard
disk on November 17 of any year.

Infection Mechanism

This virus is a file infector virus (see CIAC bulletins A-20, A-27, A-29,
B-35, and 3 bulletins from Fiscal Year 1989 for information on similar file
infector viruses). Upon execution of a virus-infected program, NOV 17 will
become memory resident at the top of memory and occupy 896 bytes of memory.
Once resident, it will infect any .COM or .EXE program when the file
attributes are set or read, when the file is opened for READ, and upon
loading and execution. Therefore, if the virus is resident in memory and a
disk containing clean executables is copied, the .EXE and .COM files on that
source disk will become infected unless the disk is write-protected. The
virus can easily be transferred via LANs any time an executable file is
opened or executed over the LAN. This virus will not infect files with the
filename SCAN.EXE or CLEAN.EXE, and it will not infect files that have the
system attribute bit set. It does not affect data files.

Potential Damage

On November 17 of any year this virus will overwrite portions of the C:
drive or the current drive, depending on the variant.
On any other day of the year this virus will simply replicate. Some variants
will cause this overwrite process to occur on days after November 17 as
well.

Detection and Eradication

Many recent versions of antivirus products will detect this virus. Another
method of direct detection is to search .COM and .EXE files for the string
"SCAN.CLEAN.COMEXE", which can be found within the virus code of every
infection.

Until March of 1993, there had been no reports of this virus in the United
States. Because of this, some anti-virus products do not detect its presence
by name. Some products, such as Data Physician Plus!, do detect when they
themselves become infected, at which point a message such as "A virus has
been detected, would you like to continue?" may appear on the screen. This
message means that the antivirus product's self-check mechanism has detected
a modification to itself; at this point CIAC recommends that you check the
machine with a different antivirus product, or call CIAC for additional
information on virus handling.

Virus Variants

There are four known variants of this virus; each increases file lengths by
a different amount and takes up a different amount of resident memory. The
variants increase the lengths of infected files by 768, 800, 880, and 855
bytes.

The 768 variant is almost identical to the original virus but takes up 800
bytes of memory; it was discovered in May of 1992.

The variant which adds 800 bytes to files takes up 832 bytes of memory, was
discovered in March of 1993, and activates November 17-30 of any year.

The 880 variant, which uses 928 bytes of memory and was first seen in
November 1992, will activate on any date from November 17 through December
31 of any year.

The 855 variant, also called Nov17B and first seen in September of 1992,
causes infected .EXE files to hang the system when executed.

Due to the nature of this virus's infection mechanism, it is sometimes not
possible to remove the infection from a host program.
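The string search described under Detection and Eradication, written out as an added example; this script is not part of the CIAC bulletin and not a CIAC tool. It walks a directory tree, reads every .COM and .EXE file and reports those containing the bulletin's signature string, and it also checks whether the growth of a file against a known clean size matches one of the four documented variant lengths. The sample files it builds (CLEAN.COM, EDIT.EXE, README.TXT, UTIL\PKZIP.COM) and their contents are constructed for the demonstration.

```python
"""Search .COM/.EXE files for the November 17 virus signature string.

Added example, not code from the CIAC bulletin.  The signature string and
the four growth figures are the ones the bulletin documents; everything
else (file names, contents, directory layout) is constructed here.
"""
import os
import tempfile
from typing import List, Optional

SIGNATURE = b"SCAN.CLEAN.COMEXE"        # present in the code of every infection (per bulletin)
TARGET_EXTS = (".com", ".exe")          # the only file types the virus infects
VARIANT_GROWTH = (768, 800, 855, 880)   # bytes added to a host by each known variant


def is_infected(path: str) -> bool:
    """True if the file body contains the NOV 17 signature string."""
    with open(path, "rb") as fh:
        return SIGNATURE in fh.read()


def scan_tree(root: str) -> List[str]:
    """Sorted full paths of .COM/.EXE files under root carrying the signature.

    Data files are skipped on purpose: the bulletin says the virus does not
    touch them, and a signature database or this script's own source would
    otherwise be reported as infected.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(TARGET_EXTS):
                full = os.path.join(dirpath, name)
                if is_infected(full):
                    hits.append(full)
    return sorted(hits)


def growth_matches_variant(clean_size: int, current_size: int) -> Optional[int]:
    """Compare a file's current size with a known clean size (from install
    media or a backup) and return the matching variant growth, or None."""
    delta = current_size - clean_size
    return delta if delta in VARIANT_GROWTH else None


def build_sample_tree(root: str) -> None:
    """Construct a small sample tree (all contents are made up for the demo):
    a clean .COM, an infected .EXE, a text file that merely mentions the
    signature, and an infected .COM in a subdirectory."""
    os.makedirs(os.path.join(root, "UTIL"), exist_ok=True)
    with open(os.path.join(root, "CLEAN.COM"), "wb") as fh:
        fh.write(b"\xb4\x4c\xcd\x21" + b"\x90" * 100)       # INT 21h exit stub + padding
    with open(os.path.join(root, "EDIT.EXE"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 200 + SIGNATURE + b"\x00" * 64)
    with open(os.path.join(root, "README.TXT"), "wb") as fh:
        fh.write(b"Search for " + SIGNATURE + b" to find the virus.\r\n")
    with open(os.path.join(root, "UTIL", "PKZIP.COM"), "wb") as fh:
        fh.write(b"\xe9\x00\x00" + SIGNATURE + b"\x00" * 32)


def demo() -> List[str]:
    """Build the sample tree in a temporary directory and return the base
    names of the files the scan flags, in scan order."""
    root = tempfile.mkdtemp(prefix="nov17_")
    build_sample_tree(root)
    return [os.path.basename(p) for p in scan_tree(root)]


if __name__ == "__main__":
    for name in demo():
        print("INFECTED:", name)
    print("growth 855 ->", growth_matches_variant(1000, 1855))
```

Because the resident virus infects a .COM or .EXE file as soon as it is opened for read, a scan of this kind should only be run after booting from a clean, write-protected system disk; run with the virus in memory, the scanner's own file opens would spread the infection to every file it examines.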
CIAC recommends that if this virus is discovered, a copy be kept and then
all infected files be deleted and restored from backup.

For additional information or assistance, please contact CIAC at
(510) 422-8193 / FTS or send e-mail to ciac@llnl.gov. FAX messages to
(510) 423-8002 / FTS.

Previous CIAC bulletins and other information are available via anonymous
ftp from irbis.llnl.gov (IP address 128.115.19.60).

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body containing
the line: send first-contacts.

Neither the United States Government nor the University of California nor
any of their employees makes any warranty, expressed or implied, or assumes
any legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference herein to
any specific commercial product, process, or service by trade name,
trademark, manufacturer, or otherwise does not necessarily constitute or
imply its endorsement, recommendation, or favoring by the United States
Government or the University of California. The views and opinions of
authors expressed herein do not necessarily state or reflect those of the
United States Government or the University of California, and shall not be
used for advertising or product endorsement purposes.