A gal I work with had the luck to "catch" the NYB from a floppy - not a boot
floppy, just a data floppy. She had McAfee on her computer, which spotted the
virus, but she hadn't made a rescue disk (she's a newbie and didn't know about
rescue disks) and was unable to clean the virus without it. The virus "hid" her
drive D so she wasn't able to load Norton. She ended up downloading the Norton
from their website so she could clean the virus off. Everything's fine now.
She didn't lose any data and after she got the virus cleaned, she was able to
use her CD-ROM drive again.
Sherry
Kyle wrote:
> A friend of mine inherited a computer recently and she gave a floppy to a
> business associate of hers. He told her that it had a virus on it. I checked
> her system out and found that it had McAfee on it. I ran scan95 (old
> version) and it found NYB. I hard booted with my boot disk from McAfee 4.0.2
> (positively clean and write protected) and booted up her computer. No C:
> drive. Invalid drive it says. I run bootscan a: from the floppy and it says
> NYB is in memory! and tells me to boot from a clean boot disk.?!?!?! I
> booted with an old MS-DOS 5 disk and it says no C:...invalid drive again.
>
> Is it possible that this, or any virus for that matter, has moved into her
> CMOS? I checked a few web sites and some say that removal of NYB is fairly
> straight forward and some say not. Fdisk /mbr seems very drastic. Will it
> work? I am assuming that all data will be wiped. I'm stumped. How can I
> clean a disk's MBR when the OS can't even see the disk? Booting with any
> floppy says C: is an invalid drive. If I remove her hard drive and put it
> into my system as a slave will it show up?
>
> From what I understand about Boot Virii they are only "caught" by booting
> from an infected floppy. Am I wrong about this?
>
> Please email me with what it is I am missing or what I need to do.
>
> Kyle
> gunr...@lcc.net
In article <7eds12$9...@atlas.lcc.net>, k...@nospam.com says...
In order to successfully remove a boot sector virus like NYB from your
computer you need to boot from a clean, write protected, startup diskette
and run the DOS version of a good up-to-date anti-virus program like AVP
(http://www.avp.com) or F-Prot for DOS (http://www.complex.is) from
floppy diskette.
Be sure to include EMM386.EXE & HIMEM.SYS on your boot diskette along
with a CONFIG.SYS that contains the following lines:
DEVICE=HIMEM.SYS
DEVICE=EMM386.EXE /noems
DOS=HIGH,UMB
FILES=20
BUFFERS=4
Instructions for using AVP & F-Prot from floppy.
AVP (http://www.avp.com): unzip the archive to a clean floppy and write
protect it. After booting the infected machine from your clean startup
diskette put the disk containing AVP into the floppy drive and type:
AVPLITE C: /-
F-Prot (http://www.complex.is): copy the files F-PROT.EXE, ENGLISH.TX0 &
*.DEF to a clean floppy and write protect it. After booting the infected
machine from your clean startup diskette put the disk containing F-Prot
into the drive and type: F-PROT /HARD /DISINF
Here is a description of NYB from Data Fellows F-Secure Anti-Virus
(http://www.datafellows.com).
Name: NYB
Alias: B1, Stoned.I
Type: Resident Stealth Boot MBR
The NYB virus is a reasonably simple diskette and Master Boot Record
infector. It is only able to infect a hard disk when you try to boot the
machine from an infected diskette. At this time B1 infects the Main Boot
Record, and after that it will go resident to high DOS memory during
every boot-up from the hard disk.
Once NYB gets resident in memory, it will infect practically all
non-write-protected diskettes used in the machine. NYB will allocate 1kB of
DOS base memory. NYB is a stealth virus, so the changes made to MBR are
not visible as long as the virus is resident.
Every time a floppy disk is accessed, there is a 1/512 chance that the
virus activates. Virus then sends the floppy drive head repeatedly from
track 0 sector 0 to track 255, sector 62. On standard floppy drives, such
areas do not exist.
On some floppy drives there is no validity checking on these values, and
so the floppy head might get hit against the stopper again and again.
This might cause some physical damage to the floppy drive, but only if
the routine is allowed to continue for some time. We've yet to see an
actual case where this would have caused real damage to the floppy drive.
There is also another activation routine, which went unnoticed by virus
researchers for a long time. The virus will crash the machine, if the
hard disk is written to when the hour and minute fields of the system
clock are zero (i.e. right after midnight). Thanks to Paul Talbot
(pt...@aol.com) for pointing this out.
NYB has no text strings. While infecting, it will corrupt some diskettes
seriously.
NYB is very common all over the world.
F-PROT used to detect NYB as B1, but the virus was renamed in February
1996 (F-PROT 2.22).
[Analysis: Mikko Hypponen, Data Fellows]
--
Cheers-
Jeff Setaro
jase...@sprynet.com
http://home.sprynet.com/~jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99
>I run bootscan a: from the floppy and it says
>NYB is in memory! and tells me to boot from a clean boot disk.?!?!?!
This is curious, but not necessarily inexplicable. Have you checked the
CMOS settings to ensure that you truly are booting from the diskette ?
>I
>booted with an old MS-DOS 5 disk and it says no C:...invalid drive again.
Same problem as above
>
>Is it possible that this, or any virus for that matter, has moved into her
>CMOS?
No.
>I checked a few web sites and some say that removal of NYB is fairly
>straight forward and some say not. Fdisk /mbr seems very drastic.
Just say NO to Fdisk/Mumble
> Will it
>work?
Why do you want to use FDISK - which is *not* an AV suite - to do the work
of your AntiVirus suite? Why not let McAfee 4.02 do the job correctly?
>I am assuming that all data will be wiped. I'm stumped. How can I
>clean a disk's MBR when the OS can't even see the disk?
Ignore what DOS can and cannot see, just use McAfee or another
*reputable* AV suite (i.e. NOT Invircible) to disinfect the machine.
> Booting with any
>floppy says C: is an invalid drive. If I remove her hard drive and put it
>into my system as a slave will it show up?
Why make problems for yourself?
>
>From what I understand about Boot Virii they are only "caught" by booting
>from an infected floppy. Am I wrong about this?
Only partly wrong. You don't need to go as far as booting to get
infected, just getting as far as the "Invalid System Disk" message will
do.
>
>Please email me with what it is I am missing or what I need to do.
>
Firstly, you must check the CMOS settings to ensure that A: is the
*primary* boot source, then follow the instructions for using your
McAfee 4.02 rescue disk set. I do not know the command line syntax for
McAfee, but you should be able to instruct it to disinfect all hard
drives. Ignore the fact that DOS will not show them to you.
--
Read the *competent* AV reviews from:
http://www.virusbtn.com/ http://www.westcoast.com/
http://www.uta.fi/laitokset/virus/
or http://agn-www.informatik.uni-hamburg.de/vtc/en9810.htm
> A friend of mine inherited a computer recently and she gave a floppy to a
> business associate of hers. He told her that it had a virus on it. I checked
> her system out and found that it had McAfee on it. I ran scan95 (old
> version) and it found NYB. I hard booted with my boot disk from McAfee 4.0.2
> (positively clean and write protected) and booted up her computer. No C:
> drive. Invalid drive it says. I run bootscan a: from the floppy and it says
> NYB is in memory! and tells me to boot from a clean boot disk.?!?!?! I
> booted with an old MS-DOS 5 disk and it says no C:...invalid drive again.
what version of dos were you using when it told you the virus was in
memory? i'm guessing one of the ones that comes with win9x... that would
be a ghost positive which is pretty normal for some scanners in that kind
of environment...
if you're absolutely sure your boot disk is clean (ie. it's write
protected, it was clean when you write protected it, and the write protect
detect mechanism in your friend's drive isn't broken) then just turn off
the memory scanning part...
> Is it possible that this, or any virus for that matter, has moved into her
> CMOS?
no, for two reasons... first is that there's not nearly enough room in
cmos for it, and second the computer wouldn't boot at all if it did (cmos
normally holds configuration information needed for the computer to boot
properly)..
> I checked a few web sites and some say that removal of NYB is fairly
> straight forward and some say not.
it is fairly straight forward when you don't have to deal with ghost
positives (did you get any ghost positives when you booted from that dos
5 disk?)
as for the missing c: drive, that suggests the possibility of a secondary
infection (i don't recall ever hearing anything about nyb doing things
with the partition table but other viruses do)...
> Fdisk /mbr seems very drastic. Will it
and will do very bad things if you can't find c: after a clean boot...
> work? I am assuming that all data will be wiped.
no, the data won't be wiped, you'll be left with a completely valid mbr
that thinks a completely invalid partition table is accurate and so you
won't be able to access your partitions...
> I'm stumped. How can I
> clean a disk's MBR when the OS can't even see the disk?
it doesn't need to see the logical drive to clean the virus, the virus
doesn't reside inside the logical drive in the first place... the av
product will read the mbr, not the logical drive (the physical disk it can
still see) find the virus and remove it...
> Booting with any
> floppy says C: is an invalid drive. If I remove her hard drive and put it
> into my system as a slave will it show up?
if you set up a partition for it in your partition table... but this isn't
necessary... the message you're getting is just telling you that it can't
find the partition (the partition/logical drive/c: drive is where files
are stored) and that's just because the partition table in the mbr is not
valid, there is a valid one somewhere or the computer wouldn't be able to
boot from the hard disk at all... an anti-virus product should be able to
remove the virus(es) and put the correct partition table back where it
belongs...
> From what I understand about Boot Virii they are only "caught" by booting
> from an infected floppy. Am I wrong about this?
well, there are dropper programs that will insert the virus into the
system, and there are multipartite viruses which can also infect
executables and be spread that way, but generally you are correct...
(nyb isn't multipartite, by the way, just so i don't confuse you with that
term)
> Please email me with what it is I am missing or what I need to do.
posted and mailed, hope this helps...
--
"when the truth walks away everybody stays
cause the truth about the world is that crime does pay
so if you walk away who is going to stay
cause i'd like to make the world be a better place"
Rich.
--
Homebuilt LAN - The Resource Center for the Networked Home User
http://www.homebuilt-lan.com
f...@homebuilt-lan.com
First off I would like to thank the people that responded positively. I
appreciate the time and effort that you took to try and help.
**RANT**
I would also like to tell all of the people that took the time to email me
and tell me what I did wrong about...how to post, how to phrase my question
to get a response, about the proper way to request an answer, and my
improper grammar..without ever addressing my problem with NYB!!! to take a
floppy and stick it were the sun don't shine!!! Your vast knowledge of
Usenet FAQ and etiquette was very impressive but it didn't help. It's no
surprise that my friends that are new to the internet have such a low
opinion of the "knowledgeable users" that they seek help from. While it is
true that many users should make a more extensive effort to find the
solution themselves, responding as you did was a complete waste of your time
and more importantly....mine! The people that this applies to know exactly
who I am speaking to . The rest of you that frequent this group probably
know also.
**PROBLEM SOLVED**
This morning I was playing around with the computer and I went into BIOS and
I changed the boot order from C: then A: to A: then C:. I didn't even know
that a computer would boot to a floppy using this configuration so I had not
noticed this the other day and that was the problem. NYB was able to load
into memory and it apparently hid the hard drive. When I said that the OS
was reporting C: as an invalid drive I meant that it did not recognize ANY
hard drive in the system. Running Bootscan C: /Boot or Bootscan C: /Clean
produced only the VIRUS IN MEMORY! warning without cleaning or even finding
the hard drive's MBR. Same thing with F-Prot. After I changed it, my boot disk
came up clean and I was able to clean the MBR of the hard drive. I looked at
every NYB description that I could find on the internet and I never saw
anything mentioning this.
> A friend of mine inherited a computer recently and she gave a floppy to a
> business associate of hers. He told her that it had a virus on it. I checked
> her system out and found that it had McAfee on it. I ran scan95 (old
> version) and it found NYB. I hard booted with my boot disk from McAfee 4.0.2
> (positively clean and write protected) and booted up her computer. No C:
> drive. Invalid drive it says. I run bootscan a: from the floppy and it says
> NYB is in memory! and tells me to boot from a clean boot disk.?!?!?! I
> booted with an old MS-DOS 5 disk and it says no C:...invalid drive again.
Your friend's computer could be running Windows 98 (or Win 95) with the FAT-32
file system. This could be the reason for not being able to see the drive
when booted from floppy.
> Is it possible that this, or any virus for that matter, has moved into her
> CMOS? I checked a few web sites and some say that removal of NYB is fairly
> straight forward and some say not. Fdisk /mbr seems very drastic. Will it
> work? I am assuming that all data will be wiped.
Far simpler and most effective in removing boot/MBR infections is
InVircible. Download the program from a site in my signature, install to the
affected drive, reboot and follow the instructions on screen. There is no
need to boot clean in order to remove boot viruses with InVircible.
> I'm stumped. How can I
> clean a disk's MBR when the OS can't even see the disk? Booting with any
> floppy says C: is an invalid drive. If I remove her hard drive and put it
> into my system as a slave will it show up?
It depends on the file system on your boot drive and the affected one. If
the latter has FAT-32 and the OS of your boot drive is prior to Win95/OSR2
(which supports FAT-32) then you won't see your friend's drive on your
computer either.
In any case, it won't be necessary to move the drive if you use InVircible
to rid it of NYB or whatever.
> From what I understand about Boot Virii they are only "caught" by booting
> from an infected floppy. Am I wrong about this?
You are right. Process your friend's floppies with FIXBOOT, also provided in
the InVircible package, to prevent reinfection.
> Please email me with what it is I am missing or what I need to do.
Copy was sent by e-mail.
> Kyle
> gunr...@lcc.net
Regards, Zvi
---------------------------------------------------------------------
NetZ Computing Ltd. Israel Developer & Producer of InVircible & ResQ
Download, Support: http://www.InVircible.com Sup...@invircible.com
US Mirror: http://www.NetZComp.com Personal e-mail:z...@invircible.com
Voice +972 3 938 6868, +972 52 494 017 (cellular) Fax +972 3 938 6869
---------------------------------------------------------------------
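Two points made earlier in this thread come down to the same 64 bytes: kurt's explanation that FDISK /MBR rewrites the bootstrap code but hands back whatever partition table it finds (so it cannot bring back a C: drive the table no longer describes), and Zvi's point that a boot floppy made from a DOS older than Win95 OSR2 will not see a FAT-32 partition at all. The Python below is an added example for this thread, not code from any poster nor from McAfee, AVP, F-Prot or InVircible, and it does not model NYB itself. It parses a 512-byte MBR, lists which entries a DOS kernel with or without FAT-32 support would give a drive letter to, and applies an FDISK /MBR-style rewrite that replaces the bootstrap code while keeping the table bytes exactly as found. The sector images, the placeholder boot-code bytes and the simplified rewrite model are constructed for illustration; the real FDISK /MBR has extra behaviour (for example when the signature bytes are missing) that is deliberately not modelled here.

```python
# Added example for this thread (not any poster's or product's code).
# Models the MBR layout: 446 bytes of bootstrap code, four 16-byte
# partition entries at offset 446, and the 55AA signature at 510.
# Every sector image below is constructed; none is real boot code or NYB.
import struct

SECTOR_SIZE = 512
CODE_LEN = 446                 # bootstrap code: bytes 0..445
TABLE_OFF = 446                # partition table: bytes 446..509
SIGNATURE = b"\x55\xaa"        # boot signature: bytes 510..511

# Partition types a DOS-family kernel mounts as a drive letter.
# (LBA variants such as 0x0E are left out to keep the model short.)
FAT12_16_TYPES = {0x01, 0x04, 0x06}   # understood by every DOS since 3.x
FAT32_TYPES = {0x0B, 0x0C}            # added in Win95 OSR2; unknown to older DOS


def parse_partition_table(sector: bytes) -> list:
    """Return the four partition entries of an MBR as dicts."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFF + 16 * i: TABLE_OFF + 16 * (i + 1)]
        status, _chs_first, ptype, _chs_last, lba_first, count = struct.unpack("<B3sB3sII", raw)
        entries.append({"status": status, "type": ptype, "lba_first": lba_first, "sectors": count})
    return entries


def has_signature(sector: bytes) -> bool:
    return sector[510:512] == SIGNATURE


def visible_drives(sector: bytes, fat32_capable: bool) -> list:
    """Indexes of entries a DOS kernel would assign a drive letter to.

    An entry counts only if its type is known to that DOS, its status byte
    is 0x00 or 0x80, and it has a non-zero start and length.  fat32_capable
    False models a boot floppy made from MS-DOS 5/6 or the original Win95."""
    known = FAT12_16_TYPES | (FAT32_TYPES if fat32_capable else set())
    return [i for i, e in enumerate(parse_partition_table(sector))
            if e["type"] in known and e["status"] in (0x00, 0x80)
            and e["lba_first"] > 0 and e["sectors"] > 0]


def rewrite_boot_code(sector: bytes, new_code: bytes) -> bytes:
    """Simplified model of FDISK /MBR: replace the bootstrap code, keep the
    64 table bytes exactly as found, write the signature.  It does not
    recover an original MBR a virus may have stashed elsewhere, and a table
    that was garbage before is still garbage afterwards."""
    if len(new_code) > CODE_LEN:
        raise ValueError("boot code must fit in 446 bytes")
    return new_code.ljust(CODE_LEN, b"\x00") + sector[TABLE_OFF:510] + SIGNATURE


def make_entry(status: int, ptype: int, lba_first: int, sectors: int) -> bytes:
    """Build one partition entry; CHS fields are zeroed (LBA fields suffice here)."""
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_first, sectors)


def make_mbr(boot_code: bytes, table: bytes) -> bytes:
    return boot_code.ljust(CODE_LEN, b"\x00") + table.ljust(64, b"\x00") + SIGNATURE


# Constructed sample images (placeholder bytes, not real loaders, not NYB).
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"   # stands in for a clean loader
FOREIGN_CODE = b"\xeb\xfe"                         # stands in for "something else"
FAT16_TABLE = make_entry(0x80, 0x06, 63, 2_000_000)
FAT32_TABLE = make_entry(0x80, 0x0B, 63, 8_000_000)
GARBAGE_TABLE = bytes(range(0x41, 0x41 + 64))      # text where a table should be

MBR_FOREIGN_CODE_GOOD_TABLE = make_mbr(FOREIGN_CODE, FAT16_TABLE)
MBR_FOREIGN_CODE_BAD_TABLE = make_mbr(FOREIGN_CODE, GARBAGE_TABLE)
MBR_FAT32 = make_mbr(CLEAN_CODE, FAT32_TABLE)


def scenario_summary() -> dict:
    """Run the cases the thread discusses and return what DOS would see."""
    fixed_good = rewrite_boot_code(MBR_FOREIGN_CODE_GOOD_TABLE, CLEAN_CODE)
    fixed_bad = rewrite_boot_code(MBR_FOREIGN_CODE_BAD_TABLE, CLEAN_CODE)
    return {
        "good_table_before": visible_drives(MBR_FOREIGN_CODE_GOOD_TABLE, True),
        "good_table_after_rewrite": visible_drives(fixed_good, True),
        "bad_table_before": visible_drives(MBR_FOREIGN_CODE_BAD_TABLE, True),
        "bad_table_after_rewrite": visible_drives(fixed_bad, True),
        "fat32_from_old_dos": visible_drives(MBR_FAT32, False),
        "fat32_from_osr2_dos": visible_drives(MBR_FAT32, True),
        "rewrite_kept_table": fixed_bad[TABLE_OFF:510] == GARBAGE_TABLE,
    }


if __name__ == "__main__":
    for name, result in scenario_summary().items():
        print(f"{name:26} {result}")
```

The two "bad table" rows are kurt's case: the rewrite hands back a perfectly valid-looking MBR that still points at nothing DOS can mount, so it is not a repair, and it has overwritten whatever the virus left in the code area that an AV product might have used to put things right. The two FAT-32 rows are Zvi's case: the table is fine, the boot floppy's DOS simply does not know type 0x0B. Neither situation is fixed by guessing; the first thing to check, as Kyle found, is that the machine really booted from the clean floppy at all.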
>> A friend of mine inherited a computer recently and she gave a floppy to a
>> business associate of hers. He told her that it had a virus on it. I checked
>> her system out and found that it had McAfee on it. I ran scan95 (old
>> version) and it found NYB. I hard booted with my boot disk from McAfee 4.0.2
I had an NYB infection a few months ago. McAfee could detect it but not
remove it. AVP sorted it without problem.
>> Is it possible that this, or any virus for that matter, has moved into her
>> CMOS?
>
>no, for two reasons... first is that there's not nearly enough room in
>cmos for it,
> and second the computer wouldn't boot at all if it did (cmos
>normally holds configuration information needed for the computer to boot
>properly)..
I think that's wrong. NYB is a pretty small thing. There might well be
enough space at the end of a BIOS flash chip for a virus that size. Not
that NYB has code to invade a BIOS...
>> Fdisk /mbr seems very drastic. Will it
>
>and will do very bad things if you can't find c: after a clean boot...
>
>> work? I am assuming that all data will be wiped.
>
>no, the data won't be wiped, you'll be left with a completely valid mbr
>that thinks a completely invalid partition table is accurate and so you
>won't be able to access your partitions...
Really ?
>> I'm stumped. How can I
>> clean a disk's MBR when the OS can't even see the disk?
>
>it doesn't need to see the logical drive to clean the virus, the virus
>doesn't reside inside the logical drive in the first place... the av
>product will read the mbr, not the logical drive (the physical disk it can
>still see) find the virus and remove it...
McAfee would only see NYB on disk 0 for me. NYB was in fact infecting
disks 0, 1, 2 and 3 !
Cheers, J/.
--
John Beardmore
nyb is rather old, i suspect that mcafee can actually remove it (in fact
i've heard of it being successfully used to that end in the past)...
perhaps you weren't using it properly...
> >> Is it possible that this, or any virus for that matter, has moved into her
> >> CMOS?
> >
> >no, for two reasons... first is that there's not nearly enough room in
> >cmos for it,
> > and second the computer wouldn't boot at all if it did (cmos
> >normally holds configuration information needed for the computer to boot
> >properly)..
>
> I think that's wrong. NYB is a pretty small thing. There might well be
> enough space at the end of a BIOS flash chip for a virus that size. Not
> that NYB has code to invade a BIOS...
hello? the question was cmos, not flash bios...
> >> Fdisk /mbr seems very drastic. Will it
> >
> >and will do very bad things if you can't find c: after a clean boot...
> >
> >> work? I am assuming that all data will be wiped.
> >
> >no, the data won't be wiped, you'll be left with a completely valid mbr
> >that thinks a completely invalid partition table is accurate and so you
> >won't be able to access your partitions...
>
> Really ?
if the person is booting clean and can't access c: (which is the only
heuristic i have that would make me mention that) it means the data in
what is supposed to be the partition table is not actually a partition
table... thing is, my recollection is that nyb leaves a valid partition
table in the sector so fdisk is an even worse idea because there seems
to be more going on there than meets the eye... unfortunately i think
some of the original has been lost to snippage...
> >> I'm stumped. How can I
> >> clean a disk's MBR when the OS can't even see the disk?
> >
> >it doesn't need to see the logical drive to clean the virus, the virus
> >doesn't reside inside the logical drive in the first place... the av
> >product will read the mbr, not the logical drive (the physical disk it can
> >still see) find the virus and remove it...
>
> McAfee would only see NYB on disk 0 for me. NYB was in fact infecting
> disks 0, 1, 2 and 3 !
nyb can only spread from disk 0... i agree that mcafee should be dealing
with all the physical disks though...
--
"when the truth walks away everybody stays
cause the truth about the world is that crime does pay
so if you walk away who is gonna stay
>> In article <Pine.GSO.3.95.990407100403.29157A-100000@cougar>, kurt
>> wismer <a340...@cdf.toronto.edu> writes
>> >On Tue, 6 Apr 1999, Kyle wrote:
>>
>> >> A friend of mine inherited a computer recently and she gave a floppy to a
>> >> business associate of hers. He told her that it had a virus on it. I checked
>> >> her system out and found that it had McAfee on it. I ran scan95 (old
>> >> version) and it found NYB. I hard booted with my boot disk from McAfee 4.0.2
>>
>> I had an NYB infection a few months ago. McAfee could detect it but not
>> remove it. AVP sorted it without problem.
>
>nyb is rather old, i suspect that mcafee can actually remove it (in fact
>i've heard of it being successfully used to that end in the past)...
>perhaps you weren't using it properly...
Perhaps it just won't do it on NTFS disks ? I'm not a total novice so I
doubt I'd have made any absurdly simple mistakes.
>> >> Is it possible that this, or any virus for that matter, has moved into her
>> >> CMOS?
>> >
>> >no, for two reasons... first is that there's not nearly enough room in
>> >cmos for it,
>> > and second the computer wouldn't boot at all if it did (cmos
>> >normally holds configuration information needed for the computer to boot
>> >properly)..
>>
>> I think that's wrong. NYB is a pretty small thing. There might well be
>> enough space at the end of a BIOS flash chip for a virus that size. Not
>> that NYB has code to invade a BIOS...
>
>hello? the question was cmos, not flash bios...
Fair enough, though as NYB fits in less than a single sector... How big
is CMOS memory normally ? And how much is used ?
>nyb can only spread from disk 0... i agree that mcafee should be dealing
>with all the physical disks though...
Yes. AVP did.
mcafee has in the past claimed to have av software for every major
platform available,
including nt... perhaps you weren't using the right version...
seriously, when people have difficulty removing an old but otherwise
ordinary virus with a major anti-virus product, usually the culprit is
human error...
(who inherits a computer with nt on it and leaves nt on it?)
> >> >> Is it possible that this, or any virus for that matter, has moved into her
> >> >> CMOS?
> >> >
> >> >no, for two reasons... first is that there's not nearly enough room in
> >> >cmos for it,
> >> > and second the computer wouldn't boot at all if it did (cmos
> >> >normally holds configuration information needed for the computer to boot
> >> >properly)..
> >>
> >> I think that's wrong. NYB is a pretty small thing. There might well be
> >> enough space at the end of a BIOS flash chip for a virus that size. Not
> >> that NYB has code to invade a BIOS...
> >
> >hello? the question was cmos, not flash bios...
>
> Fair enough, though as NYB fits in less than a single sector... How big
> is CMOS memory normally ? And how much is used ?
it may be big enough to hold the smallest variant of trivial but it
wouldn't matter as there is also no mechanism whereby the contents of
cmos can be executed...
John Beardmore wrote:
> In article <371A9864...@utoronto.ca>, kurt wismer
> <kurt....@utoronto.ca> writes
> >John Beardmore wrote:
>
> >> In article <Pine.GSO.3.95.990407100403.29157A-100000@cougar>, kurt
> >> wismer <a340...@cdf.toronto.edu> writes
> >> >On Tue, 6 Apr 1999, Kyle wrote:
> >>
> >> >> A friend of mine inherited a computer recently and she gave a floppy to a
> >> >> business associate of hers. He told her that it had a virus on it. I checked
> >> >> her system out and found that it had McAfee on it. I ran scan95 (old
> >> >> version) and it found NYB. I hard booted with my boot disk from McAfee 4.0.2
> >>
> >> I had an NYB infection a few months ago. McAfee could detect it but not
> >> remove it. AVP sorted it without problem.
> >
> >nyb is rather old, i suspect that mcafee can actually remove it (in fact
> >i've heard of it being successfully used to that end in the past)...
> >perhaps you weren't using it properly...
>
> Perhaps it just won't do it on NTFS disks ? I'm not a total novice so I
> doubt I'd have made any absurdly simple mistakes.
>
> >> >> Is it possible that this, or any virus for that matter, has moved into her
> >> >> CMOS?
> >> >
> >> >no, for two reasons... first is that there's not nearly enough room in
> >> >cmos for it,
> >> > and second the computer wouldn't boot at all if it did (cmos
> >> >normally holds configuration information needed for the computer to boot
> >> >properly)..
> >>
> >> I think that's wrong. NYB is a pretty small thing. There might well be
> >> enough space at the end of a BIOS flash chip for a virus that size. Not
> >> that NYB has code to invade a BIOS...
> >
> >hello? the question was cmos, not flash bios...
>
> Fair enough, though as NYB fits in less than a single sector... How big
> is CMOS memory normally ? And how much is used ?
>
Bad advice, though it will work sometimes. See the FAQ, Part 4, Section 14
for a discussion of why this is ill-advised.
They always come out near the full moon....
JUST SAY NO TO FDISK/MBR !!
-BPB
I had an infection and it was cleaned yesterday.
>mcafee has in the past claimed to have av software for every major
>platform available,
>including nt... perhaps you weren't using the right version...
I think I was.
>seriously, when people have difficulty removing an old but otherwise
>ordinary virus with a major anti-virus product, usually the culprit is
>human error...
Maybe, but it may be the human who documented the product !
>(who inherits a computer with nt on it and leaves nt on it?)
??