VIRSPEC.TXT - Special information regarding unique viruses
AntiVirus Lab, SYMANTEC/Peter Norton Product Group
August 1, 1995
**************************************************************************
This text file contains information about viruses that cause unique
problems and require special handling.


========================
Disappearing Hard Drives
========================
There are several viruses that appear to cause the hard drive to 
"disappear" when booting from a clean floppy disk. This occurs when the 
virus encrypts or moves the partition table (a vital part of the system 
area). Everything appears to be fine as long as the virus is in memory 
because the virus tells DOS where the partition table is, or acts as the 
partition table itself. When you boot clean, DOS can't find the partition 
table as the virus isn't around to give it directions. As a result, you 
might receive an "Invalid drive specification" or similar error when 
trying to access the drive.

When you boot clean to have NAV repair such an infection, the hard drive 
will not appear in the drive list. Not to worry! NAV, with the default 
options enabled, will bypass DOS and look directly at the hard drive and 
check the system area for infection no matter what you scan. In effect, 
scanning your floppy will scan memory, the floppy AND the system area of 
the hard drive. If an infection is discovered, you will be alerted 
appropriately.

Examples of viruses that work in this manner are Crazy Boot, Frankenstein 
and Stoned.Empire.Monkey.


==============
One Half Virus
==============
The One Half virus is a multipartite virus that exhibits both stealth and
polymorphic behavior.  In addition to infecting files and master boot
records, the One Half virus will encrypt data on your hard disk.

To date, the One Half virus has been detected in parts of Europe,
specifically Russia and other Eastern bloc countries.  The virus was also
detected in a U.S. government agency.

Starting November 1, 1994 the virus definitions file includes a
definition for detecting this virus.

If Norton AntiVirus finds the One Half virus on your computer, please
contact the Technical Support department for instructions on how to
remove the virus.  Please do not attempt to repair the virus without
talking to Technical Support first.

**************************************************************************
WARNING: Because of the unusual behavior of this virus, DO NOT reinoculate
the master boot record or use inoculation technology to repair the virus
and DO NOT attempt to repair your hard disk using Norton Disk Doctor or
any other disk repair utility.
**************************************************************************


==========
Crazy Boot
==========
The Crazy Boot virus is an MBR infector that behaves much like the Monkey
virus.  Due to the nature of this virus, once you have started your
computer from an uninfected diskette, you will no longer see your fixed
disk.  Booting with the virus in memory will allow you to see and access
your hard disk, but Crazy Boot will continue to spread at every
opportunity.

If Norton AntiVirus finds the Crazy Boot virus on your computer, please
contact the Technical Support department for instructions on how to
remove the virus.  Please do not attempt to repair the virus without
talking to Technical Support first.

**************************************************************************
WARNING: Because of the unusual behavior of this virus, DO NOT reinoculate
the master boot record or use inoculation technology to repair the virus
and DO NOT attempt to repair your hard disk using Norton Disk Doctor or
any other disk repair utility.
**************************************************************************


===========
Viking.Dec3
===========
The Viking.Dec3 virus alters EXE files in such a way that NAV is not able
to completely repair them.  However, we felt it was important to give you
as much of the repair as possible rather than none.  NAV will repair the
COM files flawlessly, but the EXE repair requires some input from you.

In order to complete the EXE repair, we need your involvement.  As a
result, we recommend that you replace files from backups where you can.
And where you can't, apply the following procedure.  If you need help
with this repair, we encourage you to call our Technical Support.

After an EXE file is repaired by NAV, one must take the following
additional steps.  Lines prefixed by the "greater than" sign represent
lines to be typed at the DOS prompt.  Lines prefixed by a dash are typed
while running debug.

		>rename filename.exe filename.bad
		>debug filename.bad
		-d 100 l 4
		Verify that the first byte is E9 and the fourth byte is
		C0.  If yes, proceed.  If no, quit (q) from debug.
		-e 100 4d 5a ff 1
		-w
		-q
		>rename filename.bad filename.exe
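
The same check-and-patch as the debug steps above, written as an added
Python example (not part of the original Symantec text or of NAV).  Debug
loads a non-EXE file at offset 100, so "100" above is the first byte of
the file; the function names and the sample files are constructed for
illustration.

```python
import os
import tempfile

EXPECTED_FIRST = 0xE9   # first byte the procedure says to verify
EXPECTED_FOURTH = 0xC0  # fourth byte the procedure says to verify
PATCH = bytes([0x4D, 0x5A, 0xFF, 0x01])  # bytes entered by "-e 100 4d 5a ff 1"


def needs_header_fix(header: bytes) -> bool:
    """Return True only if the first four bytes pass the page's check."""
    return (len(header) >= 4
            and header[0] == EXPECTED_FIRST
            and header[3] == EXPECTED_FOURTH)


def fix_exe_header(path: str) -> bool:
    """Patch the first four bytes in place; if the check fails, return
    False and leave the file untouched (the "quit from debug" case)."""
    with open(path, "r+b") as f:
        if not needs_header_fix(f.read(4)):
            return False
        f.seek(0)
        f.write(PATCH)  # overwrites 4 bytes; the rest of the file is kept
    return True


def demo() -> tuple:
    """Run the fix on two constructed sample files and return the results."""
    samples = [bytes([0xE9, 0x12, 0x34, 0xC0]) + b"rest of file",  # passes check
               b"MZ\x90\x00" + b"rest of file"]                    # fails check
    results = []
    for data in samples:
        fd, path = tempfile.mkstemp(suffix=".bad")
        try:
            with os.fdopen(fd, "wb") as f:
                f.write(data)
            changed = fix_exe_header(path)
            with open(path, "rb") as f:
                results.append((changed, f.read()))
        finally:
            os.remove(path)
    return tuple(results)


if __name__ == "__main__":
    for changed, content in demo():
        print(changed, content[:4].hex(" "))
```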
