news RemoveThis @absamail.co.za wrote:
> Hi,
> I've had Russian_Flag.A virus in my several [old ] PCs, and in many
> fd0s. I thought F-PROT had solved the problem, but it kept on
> returning unexpectedly, when I use DOS [for transporting linux
> and Oberon-S3 orginated files] for printing.
>
> Only now, on closer analysis did I noticed the message:
> "Unable to remove the virus. ",
> which I had apparently just been skipping over previously !
Russian_flag is an old boot/MBR infector. It activates on August 20 and
displays the russian flag, from which it draws its name. RF uses int 13 stealth
and relocates the uninfected MBR to logical sector 8 (0/0/9 CHS). F-Prot for
DOS detects Russian-flag only when inactive, i.e. from clean boot, and misses it
totally otherwise (which may explain part of your findings).
> How/why can this particular copy of the virus not be removable,
> when F-PROT ANTIVIRUS v3.14e removed many from fd0s & hdx1s
> previously [ Always Russian_Flag.A virus ] ?
The way F-Prot removes this particular virus is by restoring the uninfected MBR
from logical sector 8. A possible reason for which F-Prot cannot clean a
particular instance is because it does not find the relocated MBR where it
expects it to be. Such condition could be created by mirroring the boot drive,
rather than by spontaneous infection. The only way to contract this virus is by
attempting to boot of an infected floppy.
> Equally confusing is that when I set:
> find virus in "Local hard disk[s]", it finds the virus on /dev/hda1 [DOS C:]
> and finds that /dev/hdc1 [DOS D:] is OK.
> But when I set C: & D: individually as the 'check for virus' devices, it
> passes both without finding any virus. The logs below show results.
You gave quite many details, but fail providing the important ones.
Like
under what conditions your tests were conducted (e.g. external boot from floppy
or self boot of the hard drive? Under what OS?). A possible reason for the
ambiguous results could be self boot from an infected drive (and a blind
F-Prot). Moreover, Russian_flag only affects the PHYSICAL boot drive (drive 128
in BIOS notation). Logical drives (C, D, etc.) have nothing to do with that,
although F-Prot is supposed to check the MBR unless you used the /NOBOOT switch.
Removal/cleaning:
For the 101th time: Antivirus programs are NOT to be used for the removal of
boot infectors. They may sometimes work, but in many instances you risk losing
access to the drive and its content, especially if running under W2K or XP.
If running under Win 9x/Me, get yourself a DOS boot floppy, preferably made
under Windows 98 (
www.invircible.com/iv_tools.php#makeresq ) and boot from.
From the A: prompt, run FDISK /STATUS You should see a list of allocated
partitions and logical drives. Continue with the next step only if the "status"
command yields sensible data (that you know to be correct). Run then FDISK /MBR
and the virus should be gone.
Lastly, since Russian_flag reappears on your drives, that means that you may
have [an] infected boot floppy[ies]. Get
www.invircible.com/iv_tools.php#fixboot and process your floppies with.
> Thanks for any information explaining these strange results.
Not strange at all.
Regards, Zvi
--
NetZ Computing Ltd. ISRAEL
www.invircible.com www.ivi.co.il (Hebrew)
InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities
FAQ
Profile
Private Messages
Log in
