On Wed, 26 Jun 2002 11:22:07 -0500, Samuel W. Heywood wrote:

> On Wed, 26 Jun 2002 14:43:17 +0300 (EEST), Cristian Burneci wrote:

>> For those who at a certain moment would have to clean a Klez.H
>> infected computer, the information at the following URL is of great help:
>> http:[EMAIL PROTECTED]
>> The disinfection tool works very well.
>> Also, I've noticed the fact that the Klez version I've disinfected, uses
>> to create RAR archives containing itself and spread them all over the
>> place. These may remain unscanned by the antivirus. Take care.

> F-PROT for DOS most certainly will detect KLEZ.H in a RAR archive.
> If your virus scanner cannot detect a KLEZ.H in a RAR archive then
> you should consider upgrading to F-PROT for DOS.

> As an experiment I copied from my trashbox an email message containing
> a KLEZ.H to a directory C:\VIRUS. I renamed the file CRAP.MES. Then
> I archived it by using RAR.EXE to produce a file named CRAPBOX.RAR.
> CRAP.MES was the only file in the archive. Next, I deleted CRAP.MES
> from the directory C:\VIRUS. CRAPBOX.RAR remained as the only file in
> the directory C:\VIRUS. Then I scanned the directory for viruses by
> using F-PROT for DOS.

> Here are my results of virus scanning:

> - --------
> Virus scanning report - 26. June 2002 10:57
>
> F-PROT 3.12a
> SIGN.DEF created 24. June 2002
> SIGN2.DEF created 24. June 2002
> MACRO.DEF created 11. June 2002
>
> Search: c:\virus
> Action: Disinfect/Query
> Files: Attempt to identify files
> Switches: /ARCHIVE /PACKED /REPORT=c:\virus\report.xxx
>
> No viruses found in memory.
> No viruses were found in MBRs or hard disk boot sectors.
>
> C:\VIRUS\CRAPBOX.RAR->CRAP.MES->Uqde.exe Infection: W32/Klez.H@mm
> Virus-infected files in archives cannot be disinfected.
>
> Results of virus scanning:
>
> Files: 2
> MBRs: 1
> Boot sectors: 1
> Objects scanned: 6
> Infected: 1
> Suspicious: 0
> Disinfected: 0
> Deleted: 0
> Renamed: 0
>
> Time: 0:01
> - ------

And here are my results of a similar test but with the KLEZ.H
infected file itself extracted from the saved .CNM and then
placed into a .RAR

________
Virus scanning report - 26. June 2002 19:10

F-PROT 3.12
SIGN.DEF created 14. June 2002
SIGN2.DEF created 14. June 2002
MACRO.DEF created 11. June 2002

Search: c:\1temp
Action: Report only
Files: "Dumb" scan of all files
Switches: /ARCHIVE /PACKED /BEEP

No viruses found in memory.
No viruses were found in MBRs or hard disk boot sectors.

C:\1TEMP\KLEZARCH.RAR->rhwd.bat Infection: W32/Klez.H@mm

Results of virus scanning:

Files: 1
MBRs: 2
Boot sectors: 11
Objects scanned: 15
Infected: 1
Suspicious: 0
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 0:01
__________

-- 
Glenn
http://arachne.cz/
http://www.delorie.com/listserv/mime/
http://www.angelfire.com/id/glenndoom/download.htm
http://www.thispagecannotbedisplayed.com/
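
An added example, not part of the original messages and not F-PROT's own code: a small parser for the report format quoted in the thread. It splits each detection line's `->` chain into the on-disk container and its nested members, and lists the detections that remain inside archives. The sample reports are constructed by trimming the two reports above; `Detection` and `parse_report` are hypothetical names.

```python
import re
from dataclasses import dataclass

# Constructed samples: the two reports from the thread, trimmed to the
# lines this parser reads.
REPORT_A = r"""Switches: /ARCHIVE /PACKED /REPORT=c:\virus\report.xxx
C:\VIRUS\CRAPBOX.RAR->CRAP.MES->Uqde.exe Infection: W32/Klez.H@mm
Virus-infected files in archives cannot be disinfected.
Infected: 1
Disinfected: 0
"""
REPORT_B = r"""Switches: /ARCHIVE /PACKED /BEEP
C:\1TEMP\KLEZARCH.RAR->rhwd.bat Infection: W32/Klez.H@mm
Infected: 1
Disinfected: 0
"""

HIT = re.compile(r"^(?P<path>\S.*?)\s+Infection:\s+(?P<name>\S+)\s*$")
COUNT = re.compile(r"^(Infected|Disinfected):\s+(\d+)\s*$")

@dataclass
class Detection:
    container: str   # file on disk that has to be quarantined or deleted
    chain: list      # members nested inside the container, outermost first
    malware: str     # detection name as printed in the report

def parse_report(text):
    """Return (detections, summary counts, detections left inside archives)."""
    hits, counts = [], {}
    for line in text.splitlines():
        m = HIT.match(line)
        if m:
            parts = m["path"].split("->")
            hits.append(Detection(parts[0], parts[1:], m["name"]))
            continue
        m = COUNT.match(line)
        if m:
            counts[m[1]] = int(m[2])
    # A truncated or edited report shows up as a count mismatch.
    if counts.get("Infected") != len(hits):
        raise ValueError("Infected count does not match detection lines")
    # The report states that files in archives cannot be disinfected, so
    # every detection with a non-empty chain is still present on disk.
    pending = [h for h in hits if h.chain]
    return hits, counts, pending

if __name__ == "__main__":
    for report in (REPORT_A, REPORT_B):
        for hit in parse_report(report)[2]:
            print(hit.container, "contains", " -> ".join(hit.chain), hit.malware)
```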
