
Neuroquila Virus in BEYOND.ZIP file?


Dr. Dennis Bogdan

Feb 26, 1996, 3:00:00 AM
to drbo...@lm.com
Subject:*VIRUS ALERT*-BEYOND.ZIP

Please be aware of a possible VIRUS in the Dark-Forces Custom
Patch, BEYOND.ZIP (esp the MAKE_GOB.EXE file).
Further verifications welcome (send to drbo...@lm.com).

Details are as follows:
(Note: NAV95 detection is reproducible!)

**********************************************************************
Virus Information - NORTON ANTI-VIRUS95 (Definitions Date - 02/09/96)
**********************************************************************
***VIRUS ALERT!!*** (02/26/96db)

Re: BEYOND.ZIP FILE (355kb,dated 2/7/96db)
(esp MAKE_GOB.EXE FILE)(5088size,dated 03/19/95 20:32)
(associated with Patch: "BEYOND DARK FORCES version 1.0",
released "20 December 1995")
(associated with "Ed Mundy at DGV...@Prodigy.com or
Reru...@aol.com")

Background: DownLoaded from following "DarkForces WebPage" (Feb 7(?),1996)
(http://www2.best.com/~dalton/DarkForces/patches.html)
(also noted on http://www2.best.com/~dalton/DarkForces/new.html)

NAV95 note: "This compressed file is infected. Norton AntiVirus cannot
repair or delete compressed files."

Virus name: Neuroquila (1)
Aliases:
Infects: .EXE files
Likelihood: Common
Length: 4644 bytes

Characteristics

Memory resident   Yes     Triggered event   Yes
Size stealth      Yes     Encrypting        Yes
Full stealth      Yes     Polymorphic       Yes

Comments:
Please see VIRSPEC.TXT (dated September 1 or later) for specific
removal instructions (see below). If you have any questions or
problems, please contact Technical Support

***VIRSPEC.TXT NOTE***
VIRSPEC.TXT - Special Information Regarding Unique Computer Viruses
Symantec AntiVirus Research Center
February 9, 1996
==========
Neuroquila
==========
Neuroquila is a multipartite virus that behaves in some ways like the
Stoned.Empire.Monkey virus or Crazy Boot. In addition to infecting files,
it will infect and encrypt both the master boot record and boot sector.
Due to this encryption, once you have started your computer from an
uninfected diskette, you will no longer see your fixed disk. Booting with
the virus in memory will allow you to see and access your hard disk, but
Neuroquila will continue to spread at every opportunity.

If Norton AntiVirus detects the Neuroquila virus on your computer, please
contact Technical Support department for instructions on how to remove
the virus. Please do not attempt to repair the virus without talking to
Technical Support first.

**************************************************************************
WARNING: Because of the unusual behavior of this virus, DO NOT reinoculate
the master boot record or use inoculation technology to repair the virus
and DO NOT attempt to repair your hard disk using Norton Disk Doctor or
any other disk repair utility.
**************************************************************************

--
==================================================
| Dr.Dennis Bogdan | Computer DataPro Consulting |
| drbo...@lm.com | http://www.lm.com/~drbogdan |
==================================================

Fridrik Skulason

Feb 27, 1996, 3:00:00 AM
In <313288...@lm.com> "Dr. Dennis Bogdan" <drbo...@lm.com> writes:

>Subject:*VIRUS ALERT*-BEYOND.ZIP

>Please be aware of a possible VIRUS in the Dark-Forces Custom

also beware of false alarms in certain AV programs.

Have you run any decent scanner to confirm this report ?

-frisk

--
Fridrik Skulason Frisk Software International phone: +354-5-617273
Author of F-PROT E-mail: fr...@complex.is fax: +354-5-617274

Dr. Dennis Bogdan

Feb 27, 1996, 3:00:00 AM
to Fridrik Skulason, Reru...@aol.com

Fridrik (and others who may be interested),
Headlines: Unfortunately, a "True" Positive Result.
Several items since the original posting:
1. Norton AntiVirus95 (most recent updates) gave a (True) Positive Result.
2. McAfee VirusScan95 (most recent available) gave NO result. (This is not
surprising since this scanner, apparently, does NOT analyze *within*
compressed ZIP files as does the Norton AntiVirus95.)
3. Ed (Reru...@aol.com), the original poster of the suspected file has
e-mailed me with confirmation of the virus. Apparently, the virus was
detected several weeks ago (by Pala...@aol.com) and withdrawn
forthwith from the Dalton DownLoad WebPage
(http://www2.best.com/~dalton/DarkForces). Ed further noted that he
picked up the virus from another file (GOBBER.ZIP) which contains the
same virus. Finally, a virus-free version (named, BEYOND21.ZIP) of
the infected file (BEYOND.ZIP) will be issued soon at the Dalton
WebPage site.

This virus "discovery" is a first-time experience for me. If there are
better AV-Scanners for Windows95 available than the ones I've used,
please let me know. Further, if you are aware of how best to remove
the Neuroquila (1) virus from a PC, please post or e-mail me. The removal
remedy may not apply to me since all kinds of "bells" went off with the
NAV95 program when I tried to unzip the infected file and I believe I
stopped processing in time. However, I'd be interested in the best remedy
just in case. (Symantec, apparently, doesn't have AntiVirus-Technical
Support on the Internet according to a reply to my recent e-mail inquiry.)
(I should also note that the uncompressed infected file was transferred
off the HD to a Floppy Diskette and safely isolated from the PC, I hope.)

Dennis

Graham Cluley

Mar 2, 1996, 3:00:00 AM
> This virus "discovery" is a first-time experience for me. If there are
> better AV-Scanners for Windows95 available than the ones I've used,
> please let me know.

Dr Solomon's Anti-Virus Toolkit for Windows 95. You can read some
independent comparative reviews of our Win95 version (and other
platforms) which include tests of the Win95 AV products you mentioned at
http://www.drsolomon.com

Dr Solomon's for Win95 can scan recursively inside ZIP, ZIP2EXE, LZH,
ARC, ARJ, PKLite, LZExe, ICE, Diet, CryptCOM, MS Expand compressed files
without writing a single byte to the hard disk. This feature is also
included in our DOS, Windows 3.x, Windows NT, OS/2, Novell NetWare and
Unix versions.

Regards
Graham
---
Graham Cluley CompuServe: GO DRSOLOMON
Senior Technology Consultant, UK Support: sup...@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit. US Support: sup...@us.drsolomon.com
Email: gcl...@uk.drsolomon.com UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com USA Tel: +1 617-273-7400
NEW:Evaluate Dr Solomon's FindVirus 7.57! Download it from our webpage
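
Added example, not part of any post in this thread and not any vendor's code: a sketch of the capability the replies above turn on, scanning inside a ZIP (including a ZIP nested in a ZIP) entirely in memory, with nothing written to disk. Matching on the SHA-256 of a known-bad file is an assumption standing in for a real detection engine (a hash list would not catch a polymorphic virus), and the sample archive, its contents and the helper names are constructed for illustration.

```python
import hashlib
import io
import zipfile

MAX_MEMBER_BYTES = 16 * 1024 * 1024  # refuse oversized members (zip-bomb guard)
MAX_DEPTH = 4                        # limit on archive-in-archive nesting

def scan_zip_bytes(data, bad_hashes, prefix="", depth=0):
    """Return [(member_path, verdict)]; members are only ever read into memory."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.file_size > MAX_MEMBER_BYTES:
                hits.append((path, "too-large"))  # report it, do not inflate it
                continue
            content = zf.read(info)  # decompressed into RAM, CRC-checked
            if hashlib.sha256(content).hexdigest() in bad_hashes:
                hits.append((path, "match"))
            # A scanner that stops at the outer container misses this case.
            if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(content)):
                hits += scan_zip_bytes(content, bad_hashes, path + "!/", depth + 1)
    return hits

def make_zip(members):
    """Build a ZIP in memory from {name: bytes} (helper for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    # Constructed placeholder bytes, not a real sample; file names echo the thread.
    flagged = b"MZ constructed placeholder bytes, not a real sample"
    bad_hashes = {hashlib.sha256(flagged).hexdigest()}
    inner = make_zip({"MAKE_GOB.EXE": flagged, "README.TXT": b"notes"})
    outer = make_zip({"BEYOND.ZIP": inner, "INFO.TXT": b"hello"})
    return scan_zip_bytes(outer, bad_hashes)

if __name__ == "__main__":
    for path, verdict in demo():
        print(verdict, path)
```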
