THE WELCH COMPANY
440 Davis Court #1602
San Francisco, CA 94111-2496
415 781 5700
rodwelch@pacbell.net


S U M M A R Y


DIARY: August 3, 1992 09:30 AM Monday; Rod Welch

Fix virus on CPU #3 and #5.

1...Summary/Objective
...Norton Antivirus Procedure



CONTACTS 

SUBJECTS
Property Management, Computer #3
Virus, 920802
Lotus V. 2.4, 920728
Anti-virus, Norton
Virus Protection

0707 -
0707 -    ..
0708 - Summary/Objective
0709 -
070901 - Follow up ref SDS 6 0000.
070902 -
070903 - Confirmed discovery yesterday that CPU #3 was infected by virus from
070904 - installing a new version of Lotus 123. ref SDS 6 6O5Y  Work today
070905 - seems to have cleared the problem.  Notified Lotus development to
070906 - take corrective action.
070908 -  ..
070909 - Had to restore programs from backup tapes, and re-format previously
070910 - used backup tapes.  It appears our interim backup tape for past 45
070911 - days is dead.
070912 -
070913 -      [On 030618 similar problem with Microsoft. ref SDS 7 0001
070914 -
070915 -      [On 030818 SDS software discovered improper materials.
070916 -      ref SDS 8 0001
070917 -
070918 -
070919 -
070920 -
070921 -
070923 -  ..
0710 -
0711 -
0712 - Discovery and Correction
0713 -
071301 - As a result of difficulties and investigation yesterday, ref SDS 6
071302 - 0001, purchased Norton Antivirus 2.0 from Egghead.  I advised Egghead
071303 - that I suspect the Lotus program purchased yesterday on 920728,
071304 - ref SDS 1 0001, may have infected my computers with a virus, and they
071305 - requested confirmation following tests with Norton Antivirus.
071307 -  ..
071308 - Called TMS.  Dick Tull walked me through application.  Norton reported
071309 - immediately the following virus in main memory:
071310 -
071311 -                         keypress
071313 -  ..
071314 - The Keypress virus had infected 25 executable files on c:, including
071315 - e.exe, s.com, sf.exe, dd.exe, command.com, smartdrv.exe, the macro
071316 - assembler programs, the Everex tape drive program files, Norton
071317 - ds.exe, etc., and himem.sys on H.
071319 -  ..
071320 - Once installed, it appears to infect any subsequent program that is
071321 - run.
071323 -  ..
071324 - Had to boot the system from a: in order for Norton to clear the virus
071325 - from main memory.  This took several tries.  It appears the work files
071326 - are not affected.  Norton tested all 22000 files on drives c: - h: and
071327 - it only found the 26 corrupt files, all executables.
071328 -
071330 -    ..
071331 -   Norton Antivirus Procedure
071332 -
071333 -   Had to boot from a: - fortunately we had a boot disk for DOS 5.0
071334 -
071335 -   Entered:  A>nav
071336 -
071337 -       This opens a menu, from which we selected the drives to scan,
071338 -       using the space bar; and then select "scan."  It is already
071339 -       set up in the Norton menu system.
071341 -     ..
071342 -    This reports the files found to be infected, then
071344 -     ..
071345 -    Use Tab key to access the right menu and select "Repair."
071347 -     ..
071348 -    When this completes, we get a choice to delete the inoculation
071349 -    files, which are evidently reports on the files that were
071350 -    disinfected.  Dick recommended we skip this step and return to
071351 -    DOS.
071353 -     ..
071354 -    Installed Norton Antivirus on c: drive and set up to check the
071355 -    system each time it is turned on.
071356 -
071357 -        After this was installed, I disconnected the entries in
071358 -        config.sys and autoexec.bat.  It takes 7K of RAM and does not
071359 -        load high.  We can run it periodically (when we purchase a new
071360 -        program or load anything foreign onto the system), rather than
071361 -        every time the system is booted.
071362 -
071363 -
071364 -
071366 -  ..
0714 -
0715 -
0716 - CPU #7 Passed Antivirus Test
0717 -
071701 - Ran Norton Antivirus on CPU #7, and it reported no virus present.
071702 - Curiously the Lotus install.exe program which contains the Keypress
071703 - virus is not reported on CPU #7.  Maybe this is because I installed
071704 - the thing with Laplink, but I don't think so.  Lotus is installed on
071705 - CPU #3 in the Wysiwyg mode, but is installed on CPU #7 in conventional
071706 - mode.  This difference indicates it was installed from the program
071707 - disks, and that suggests the virus does not execute on every install.
071709 -  ..
071710 - Another curiosity is that os2 is refusing access to e.exe.  This
071711 - typically indicates a problem with the refused program, yet Norton
071712 - passes e.exe.
071714 -  ..
071715 - In any event, will reconstruct e.exe after restoring the old
071716 - development code backed up on July 26, 1992.
071717 -
071718 -
071719 -
071721 -  ..
0718 -
0719 -
0720 - CPU #5 Virus found
0721 -
072101 - Norton reports a strain of Keypress was found in 20 files on the C
072102 - drive.
072104 -  ..
072105 - These files were repaired, then deleted and replaced by files from CPU
072106 - #3, after it was repaired.
072107 -
072108 -
072110 -  ..
0722 -
0723 -
0724 - Lotus 123 v. 2.4 Seems Infected
0725 -
072501 - After CPU #3 was cleared of the virus, we tested the Lotus program
072502 - disk #1 purchased from Egghead on Jul 28, and installed Jul 31, ref
072503 - SDS 1 and 2.
072505 -  ..
072506 - Norton reported the install.exe program file contained the Keypress
072507 - virus.
072509 -  ..
072510 - This is actually somewhat good news because it indicates that the
072511 - problem arose after Jul 31 (which generally coincides with the record
072512 - of problems), and therefore our full file backup of the main system,
072513 - made on Jul 26, 1992, can be used to restore the infected program
072514 - files.
072515 -
072516 -      [On 030618 similar problem with Microsoft. ref SDS 7 0001
072518 -       ..
072519 -      [On 030818 SDS software discovered improper materials.
072520 -      ref SDS 8 0001
072521 -
072522 -
072523 -
072525 -  ..
0726 -
0727 -
0728 - Recovery
0729 -
072901 - It is my general understanding that Norton Antivirus completely
072902 - recovers any defects caused by the virus.  Nominally after Norton
072903 - is completed, the issue is over.
072905 -  ..
072906 - However, there remain some slight differences in the file size for
072907 - affected files on CPU #3 and CPU #7.  This indicates that Norton
072908 - eliminated some of the extra size that was initially recognized as
072909 - indicating a virus was present, but did not restore it to the
072910 - pre-virus condition.  Additionally, the dates of the files are not
072911 - restored. I think there is some benefit to having the program files in
072912 - their original condition, and so will restore from the Jul 26, 1992
072913 - full file backup.
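The file-size differences noted above are the symptom a defender can check for systematically: an infected executable grows, and a repair tool may shrink it back without restoring the exact original bytes or its timestamp. The script below is an added example, not part of the diary or of Norton Antivirus; it inventories executables under a directory taken from a clean full backup and compares them byte-for-byte against the live system, classifying each file as ok, grown, changed, missing, or new. All file names and contents in the demo are constructed sample data (the names mirror those mentioned on this page, but the bytes are not real program code).

```python
"""Added example: compare executables on a possibly infected tree against an
inventory taken from a known-clean backup. A hash comparison catches both the
'grew by N bytes' case and the 'repaired to the right size but not the
original bytes' case that a size check alone would miss.
File names, paths and contents below are constructed sample data."""
import hashlib
import os
import tempfile
from pathlib import Path

# DOS-era executable types mentioned on this page (.exe, .com, and himem.sys)
EXECUTABLE_SUFFIXES = {".exe", ".com", ".sys"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large executables need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root: Path) -> dict:
    """Map relative path -> (size, sha256) for every executable under root."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in EXECUTABLE_SUFFIXES:
                rel = str(p.relative_to(root)).replace(os.sep, "/")
                result[rel] = (p.stat().st_size, sha256_of(p))
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Classify each executable relative to the clean baseline:
    'ok'      - identical bytes
    'grown'   - larger than the baseline copy (typical of a file infector)
    'changed' - same or smaller size but different bytes (e.g. repaired, not restored)
    'missing' - present in the backup, absent on the live system
    'new'     - on the live system but not in the backup (worth a look)"""
    report = {}
    for rel, (size, digest) in baseline.items():
        if rel not in current:
            report[rel] = "missing"
            continue
        cur_size, cur_digest = current[rel]
        if cur_digest == digest:
            report[rel] = "ok"
        elif cur_size > size:
            report[rel] = "grown"
        else:
            report[rel] = "changed"
    for rel in current:
        if rel not in baseline:
            report[rel] = "new"
    return report


def demo() -> dict:
    """Build a constructed clean backup and a constructed live tree, then compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        live = Path(tmp) / "live"
        for d in (backup, live):
            (d / "dos").mkdir(parents=True)
        # Constructed sample contents; these are not real program bytes.
        clean = {
            "command.com": b"CLEAN-COMMAND",
            "e.exe": b"CLEAN-EDITOR",
            "dos/himem.sys": b"CLEAN-HIMEM",
            "s.com": b"CLEAN-S",
        }
        for rel, data in clean.items():
            (backup / rel).write_bytes(data)
        # Live system: command.com still carries appended bytes (grown),
        # e.exe was "repaired" to the original size but not the original bytes,
        # s.com is untouched, himem.sys is gone, and a new tool appeared.
        (live / "command.com").write_bytes(clean["command.com"] + b"XXXX")
        (live / "e.exe").write_bytes(b"CLEAN-EDITOX")
        (live / "s.com").write_bytes(clean["s.com"])
        (live / "dos" / "nav.exe").write_bytes(b"NEW-TOOL")
        return compare(inventory(backup), inventory(live))


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:8s} {rel}")
```

The comparison deliberately keys on the hash rather than the size: the diary's own observation that repaired files on CPU #3 and CPU #7 still differ in size is exactly the "changed" class here, and only a restore from the clean Jul 26 backup, not a repair, brings a file back to "ok".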
072915 -  ..
072916 - It appears the last full file backup was Jul 31, 1992.  Possibly the
072917 - interim backups prior to that date can be re-used.
072919 -  ..
072920 - Egghead and/or Lotus should investigate and advise us of their
072921 - opinion on the viability of using any part of this interim backup.
072923 -  ..
072924 - After CPU #3 is restored, will re-build e.exe and install again on
072925 - CPU #7.  Actually this is likely the problem.  Even though the virus
072926 - is not found in e.exe itself, the fact it was constructed by an
072927 - infected macro assembler may have altered it enough to cause denied
072928 - access by os2.
072929 -
072931 -  ..
072932 - Will run Norton on CPU #5 to clear it of the virus, and install the
072933 - software from CPU #3 via Laplink.
072934 -
072936 -  ..
0730 -
0731 -
0732 - Notice to Vendor
0733 -
073301 - Gave formal notice to Egghead of this record and requested their
073302 - assistance and information in effecting full recovery.
073304 -  ..
073305 - Returned the defective Lotus 123 program for replacement.
073306 -
073307 -
073308 -
073309 -