- Newsgroups: comp.sys.novell
- Path: sparky!uunet!wupost!cs.utexas.edu!hellgate.utah.edu!fcom.cc.utah.edu!calvin.saff.utah.edu!SKLEPZI
- From: SKLEPZI@SSB1.SAFF.UTAH.EDU (Steven Klepzig)
- Subject: Re: Viruses in Novell installation.
- Message-ID: <SKLEPZI.23.0@SSB1.SAFF.UTAH.EDU>
- Lines: 66
- Sender: news@fcom.cc.utah.edu
- Organization: University of Utah
- References: <haverkam.99.725624816@uni-duesseldorf.de>
- Date: Tue, 29 Dec 92 15:21:10 GMT
-
- In article <haverkam.99.725624816@uni-duesseldorf.de> haverkam@uni-duesseldorf.de (Wilhelm Haverkamp) writes:
- >In 1991 the system administrator of a small company in Duesseldorf area
- >detected the VACSINA virus and the 1701/1704 virus. His Novell version was
- >SFT 286, V. 2.15. The system administrator believes that his network was
- >infected by a demonstration disc given to him by another person.
- >Unfortunately he used for demonstration purposes one of his network PCs.
- >The system administrator is arguing that he had needed about 36 hours to
- >run COMPSURF and some more hours to restore the program files. Now his
- >company wants compensation from the person who gave them the
- >demonstration disc.
- >The demonstration took place in the late afternoon, the viruses were found
- >the next morning. The owner of the demonstration disc had taken the disc
- >with him after the demonstration was finished.
- >By using a pretence the system administrator asked that person 2 days later
- >to send him the demonstration disc again. The viruses were found on the
- >disc, too.
-
- My questions are:
- 1. Why did the sysadmin COMPSURF the server?
- 2. Is there definite proof that the virii came from the demonstration disk?
- 3. What was infected by the virii? Why were executables left unprotected
- from infection by network users? Or was the demo run from a supervisor
- login? If so, why?
- 4. If the network was previously infected, perhaps the demo disk was infected
- from the server. Why couldn't the person with the demo disk ask for
- compensation from the company?
- 5. How were the virii found? What prompted the search?
-
- >My questions are:
- >
- >- Who has experience with the above-mentioned
- > viruses in Novell networks with SFT 286, V. 2.15?
-
- Nope. I don't have any. The closest I've come is discovering Michelangelo
- on ONE computer - before the "deadline".
-
- >- What would have been an adequate reaction of the
- > system administrator when he detected VACSINA and
- > 1701/1704 viruses? In my opinion the "number of passes
- > for the sequential test" (which takes much time)
- > within COMPSURF could have been restricted to 1; do you agree?
-
- I don't see a reason right off for ANY compsurf at all. The infected files
- could possibly be disinfected by F-PROT or CLEAN or ...; at most they could/
- should be deleted and restored from the original diskettes. If (big IF)
- NET$OS.EXE was infected (how did it get infected?) then perhaps just a regen/
- reload of NET$OS.EXE. I think that compsurf is a drastic and quite radical
- fix for the problem. It should be the extremely last thing done, IMO.
-
- >- The owner of the disc is arguing that his disc was free of
- > viruses when he took it to the demonstration. He says
- > that perhaps by other events the viruses came into the
- > network; later on the owner of the network could have
- > infected the disc by himself.
- > Is there a reliable method to find out at what time
- > the disc was infected? My opinion is that the date information
- > in the directory of the disc could have been manipulated.
-
- I doubt that the date/time of infection could be fixed with any certainty.
- I don't remember the particulars on these virii but most non-trivial virii
- do manipulate any/all information possible to hide themselves. However, I
- suggest that you post your questions to comp.virus and see what is said on
- that group.
-
- HTH...
- Steven Klepzig (sklepzi@ssb1.saff.utah.edu)
-
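The point raised in the thread above, that the date/time shown in a directory listing is no evidence of when a file was infected, is easy to demonstrate. The following is an added example, not code from the original posts: it writes a few constructed stand-ins for program files to a temporary directory, records a known-good baseline of content hashes and modification times, "infects" one file by appending a constructed payload while putting the original timestamp back (a trick many file infectors used so that a `DIR` listing looked unchanged), and then audits the tree both ways. The file names, the payload and the `infect_preserving_timestamp` helper are all assumptions made for the demonstration.

```python
"""Directory timestamps vs. content hashes as evidence of infection.

Constructed example, not from the original thread: fake executables are
written to a temp directory, a baseline of SHA-256 hashes and mtimes is
recorded, one file is "infected" with the original timestamp restored,
and an audit shows which signal actually catches the change.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-ins for program files (names are hypothetical).
SAMPLE_FILES = {
    "LOGIN.EXE": b"MZ" + b"\x90" * 64,
    "WP.EXE": b"MZ" + b"\x00" * 128,
    "SYSCON.EXE": b"MZ" + b"\xcc" * 32,
}
# Hypothetical infection payload, constructed for the demo.
PAYLOAD = b"VIRUS-BODY-CONSTRUCTED"


def sha256_of(path: Path) -> str:
    """Content hash of one file."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash and mtime for every file under root (the known-good state)."""
    return {
        p.name: {"sha256": sha256_of(p), "mtime_ns": p.stat().st_mtime_ns}
        for p in sorted(root.iterdir())
        if p.is_file()
    }


def infect_preserving_timestamp(path: Path, payload: bytes) -> None:
    """Append a payload, then put the old timestamps back so that a
    directory listing still shows the original date and time."""
    st = path.stat()
    with path.open("ab") as f:
        f.write(payload)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def audit(root: Path, baseline: dict) -> dict:
    """Compare the current tree against the baseline using both signals."""
    mtime_changed, hash_changed = set(), set()
    for name, rec in baseline.items():
        p = root / name
        if p.stat().st_mtime_ns != rec["mtime_ns"]:
            mtime_changed.add(name)
        if sha256_of(p) != rec["sha256"]:
            hash_changed.add(name)
    return {"mtime_changed": mtime_changed, "hash_changed": hash_changed}


def demo() -> dict:
    """Run the whole scenario in a temporary directory and return the audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in SAMPLE_FILES.items():
            (root / name).write_bytes(body)
        baseline = build_baseline(root)
        infect_preserving_timestamp(root / "WP.EXE", PAYLOAD)
        return audit(root, baseline)


if __name__ == "__main__":
    result = demo()
    print("changed by timestamp:", sorted(result["mtime_changed"]))  # []
    print("changed by hash:     ", sorted(result["hash_changed"]))   # ['WP.EXE']
```

The timestamp check reports nothing while the hash check flags the infected file, which is why a baseline of hashes (or restoring from the original diskettes, as the reply suggests) is the practical answer; nothing in the directory entry can tell you when the infection happened.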