nv-l

Re: virus on Netview NT 5.1.2 CD?

2000-03-10 12:25:43
Subject: Re: virus on Netview NT 5.1.2 CD?
From: James_Shanks AT tivoli DOT com
To: nv-l AT lists.tivoli DOT com
Date: Fri, 10 Mar 2000 12:25:43 -0500
Well, OK, but my take on this is still the same -- that even this virus only
affects executable code and that's not what those files were.    I don't know
exactly how or where those catalogs are used but if they are called by a running
routine, I would expect an access violation or Dr. Watson sooner or later if
they aren't there.    You may have to re-install 5.1.2 to get them back.

I can tell you that  I can find no record of anything like this having been
reported before, and 5.1.2 is now old hat.  We released 5.1.3 to manufacturing
this week and it will be shipping next week.


James Shanks
Tivoli (NetView for UNIX and NT) L3 Support



Kenneth Viola <kviola AT cpcug DOT org> on 03/10/2000 12:14:52 PM

Please respond to IBM NetView Discussion <nv-l AT tkg DOT com>

To:   IBM NetView Discussion <nv-l AT tkg DOT com>
cc:    (bcc: James Shanks/Tivoli Systems)
Subject:  Re: [NV-L] virus on Netview NT 5.1.2 CD?




James,

The following is all I know currently on this. I have not contacted McAfee
yet, but will next week as I'm currently in travel. Hopefully, there is no
call for alarm, but it does need further investigation.

Information from McAfee's readme on this release shows:

W32/         File-infector or boot-sector
               virus. Runs in 32-bit Windows
               environments (Windows 95,
               Windows 98 or Windows NT)

.CMP.        Companion file. This designates a
               companion file that the virus
               adds to an existing executable
               file. McAfee software deletes the
               companion file to prevent later
               infections

.MP.         Multi-partite
               virus. A McAfee designation

.GR          Generic detection and removal.
               Native routines in McAfee software
               detect and remove this virus without
               using specific code strings.

WINDOWS PORTABLE EXECUTABLE FILE VIRUSES (9)
--------------------------------------------
W32/AZACO.CMP.GR

3/7/00    1:15 PM   Scan Started   Administrator   Scan CDROM
3/7/00    1:15 PM   Scan Error     Administrator   Error occured while scanning boot sector of F.
3/7/00    1:19 PM   Infected       Administrator   F:\intel\nvfiles\filtered.cat W32/Azaco.cmp.GR (Removable)
3/7/00    1:22 PM   Scan Summary   Administrator   Scan Summary
3/7/00    1:22 PM   Scan Summary   Administrator        Boot sectors scanned   : 1
3/7/00    1:22 PM   Scan Summary   Administrator        Boot sectors infected  : 0
3/7/00    1:22 PM   Scan Summary   Administrator        Boot sectors cleaned   : 0
3/7/00    1:22 PM   Scan Summary   Administrator        Files scanned          : 5787
3/7/00    1:22 PM   Scan Summary   Administrator        Files infected         : 1
3/7/00    1:22 PM   Scan Summary   Administrator        Files cleaned          : 0
3/7/00    1:22 PM   Scan Summary   Administrator        Files deleted          : 0
3/7/00    1:22 PM   Scan Summary   Administrator        Files moved            : 0
3/7/00    1:22 PM   Scan Complete  Administrator   Scan CDROM

Regards,

Ken Viola
kviola AT cpcug DOT org


On Fri, 10 Mar 2000 James_Shanks AT tivoli DOT com wrote:

>
>
> Well, it is highly likely that this is a fluke and you should take it up with
> VirusScan.  Even before looking, I can tell you that all the build machines run
> Norton AntiVirus regularly.
>
> I just updated my Norton anti-virus to the latest defs, which are dated
> 03/01/2000 and it found no viruses on a scan of that same CD.  I check the virus
> list, but did not find one labelled W32/Azaco.cmp.GR though I did see one
> labeled W32.Azaco.8192.A.  I have no idea if they are the same or not.   But
> W32.Azaco.8192.A. infects only EXE files and is very rare.  What does
> W32/Azaco.cmp.GR infect?  The files you have identified are read-only message
> catalogs and contain no executable code.
>
> James Shanks
> Tivoli (NetView for UNIX and NT) L3 Support
>
>
>
> Viola Kenneth <Kenneth.Viola AT irs DOT gov> on 03/10/2000 11:07:12 AM
>
> Please respond to IBM NetView Discussion <nv-l AT tkg DOT com>
>
> To:   "'nv-l AT tkg DOT com'" <nv-l AT tkg DOT com>
> cc:   "'kviola AT cpcug DOT org'" <kviola AT cpcug DOT org> (bcc: James Shanks/Tivoli Systems)
> Subject:  [NV-L] virus on Netview NT 5.1.2 CD?
>
>
>
>
> Greetings all,
>
> I found a virus using VirusScan NT (Network Associates) scan engine 4.0.02
> with virus definition file version 4.0.4067 dated March 1, 2000. It is
> identified as W32/Azaco.cmp.GR and appears to infect file:
> \usr\ov\nls\c\filtered.cat. The virus is also on the CD in file:
> intel\nvfiles\filtered.cat.
>
> Does anyone know if this is a serious virus or if it's being reported by
> VirusScan in error? The virus could not be removed automatically by
> VirusScan  so I removed the read attribute and deleted it manually. Is this
> an important file for Netview operation?
>
> Does IBM know about this?
>
> Please help.
>
> Regards,
>
> Ken Viola
> IRS NMC staff
> kviola AT cpcug DOT org
>
>

_________________________________________________________________________

NV-L List information (unsubscribing, policies, posting, digest version,
searchable archives): http://www.tkg.com/nv-l

