echo: virus_info
to: ALL
from: RICHARD ST. JOHN
date: 1996-12-30 09:17:00
subject: Not A Virus [2/8]

***>>> CONTINUED FROM PREVIOUS MESSAGE <<<***
        0E0 41 50 00 72 00 6F 00 67-00 72 00 0F 00 20 61 00 AP.r.o.g.r... a.
        0F0 6D 00 20 00 46 00 69 00-6C 00 00 00 65 00 73 00 m. .F.i.l...e.s.
        100 50 52 4F 47 52 41 7E 31-20 20 20 11 00 00 00 00 PROGRA~1   .....
        110 00 00 00 00 00 00 CC 80-17 1F 81 1E 00 00 00 00 ................
        180 41 45 00 78 00 63 00 68-00 61 00 0F 00 15 6E 00 AE.x.c.h.a....n.
        190 67 00 65 00 00 00 FF FF-FF FF 00 00 FF FF FF FF g.e.............
        1A0 45 58 43 48 41 4E 47 45-20 20 20 10 00 78 BC 81 EXCHANGE   ..x..
        1B0 17 1F 17 1F 00 00 BC 81-17 1F 38 16 00 00 00 00 ..........8.....
        1C0 43 4F 4D 4D 41 4E 44 20-43 4F 4D 20 00 00 00 00 COMMAND COM ....
        1D0 00 00 6E 20 00 00 40 4E-EB 1E 3D 42 C6 6A 01 00 ..n ..@N..=B.j..
                Here is the output of DiskEdit as it interprets the above
                information:
        Name     .Ext        Size  Date      Time      Cluster  Arc R/O Sys Hid Dir Vol
        -------------------------------------------------------------------------------
        AP                7536741  3-12-80   12:03 am        0      R/O Sys Hid     Vol
        PROGRA~1                0  8-23-95    4:06 pm     7809      R/O         Dir
        AE             4294967295  15-31-7    7:63 pm        0      R/O Sys Hid     Vol
        EXCHANGE                0  8-23-95    4:13 pm     5688                  Dir
        COMMAND  COM        92870  7-11-95    9:50 am    16957  Arc
                This behavior by Windows 95 is often misinterpreted by
                unsuspecting users as a virus which creates HUGE illegal files
                onto their drives, or as a virus which corrupts file entries.
                All it actually is, is people looking at absolutely correct
                information with inappropriate tools.
        2.2 Windows 95 writes to diskette OEM fields
                With Windows 95, when you insert a diskette into the drive, it
                will write to the diskette OEM Name field (see Appendix B). I
                believe this is done for volume change detection. If the
                diskette is not write-protected, Windows 95 will write 4
                random characters plus the 3 letters "IHC".
                This activity has sometimes been interpreted as a virus
                constantly writing to diskettes. After all, the user has done
                nothing of note to cause a write to the diskette.
                [Curiosity item: IHC and 4 spaces makes one believe that at
                one point, "OGACIHC" was the string being written in this
                location. "Chicago" was Microsoft's codename for Windows 4.0
                which was later renamed to Windows 95.]
        2.3 I didn't have a label for my harddisk, but now I do
                Every disk is allowed to have a label. One can assign a label
                to a disk by using the LABEL command supplied with DOS. When
                the LABEL command is used, it creates a directory entry with
                the volume label bit enabled.
                The first entry with a label bit in the root directory is
                interpreted to be the label of the disk.
                If we look at Appendix A, you will note that if the label bit
                is set, all other fields are ignored. Windows 95 uses this
                trick for its LongFileName entries.
                If you did not initially give your disk a label, the first
                LongFileName will then satisfy the LABEL criteria. And your
                disk will now bear a weird looking LABEL name.
        2.4 Windows 95 says you have a boot sector virus
                Windows 95 has a dialogue box which will show up on certain
                occasions. It is true most of the time that if the box shows
                up, you do indeed have a virus. However, the mechanism behind
                this determination is that the INT 13h vector has been changed.
                Again, the most likely thing is indeed that a boot sector virus
                was responsible for this change. However, installation of
                certain security related software may also result in the
                report of this message.
        2.5 SUHDLOG.DAT
                SUHDLOG.DAT is a file found on Windows 95 systems. It contains
                images of the master boot record (partition sector) and boot
                sectors of your hard disks. Therefore, if a boot sector virus
                had once gotten on the machine, it will be saved in the file
                SUHDLOG.DAT. Depending on the technology used by the scanner
                involved, scanning the file might produce a warning of a boot
                virus in the file.
                Why is this not a virus? After all, it does indicate that a
                boot virus had at one point been on the machine.
                If this occurs, it means a virus was once on the machine. It
                does not mean that the file is infected by a boot sector virus.
                After all, a boot sector virus is being reported in a file.
                But do boot clean and check the system. Also, delete the file.
3.0 Windows
        3.1 386SPART.PAR
                This is a hidden file to mark the swap space used by Windows
                3.x. Swap space allows an operating system (or normal
                executable) to write things that are not currently being used,
***>>> CONTINUED NEXT MESSAGE <<<***
--- GEcho 1.20/Pro
---------------
* Origin: Slings & Arrows BBS St. Louis, Mo. (1:100/205.0)

SOURCE: echomail via exec-pc
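
The directory dump from section 2.1, decoded the way a long-filename-aware tool reads it and checked against the "Size" values DiskEdit printed; this is an added example, not part of the original message. The LFN slot layout (13 UCS-2 characters, checksum at offset 13) and the checksum routine are taken from the VFAT on-disk format rather than from this page, and the function names are hypothetical.

```python
import struct

# Constructed input: the five 32-byte directory entries transcribed from the
# hex dump in section 2.1 (offsets 0E0, 100, 180, 1A0, 1C0), 16 bytes per row.
DUMP = bytes.fromhex("""
41 50 00 72 00 6F 00 67 00 72 00 0F 00 20 61 00
6D 00 20 00 46 00 69 00 6C 00 00 00 65 00 73 00
50 52 4F 47 52 41 7E 31 20 20 20 11 00 00 00 00
00 00 00 00 00 00 CC 80 17 1F 81 1E 00 00 00 00
41 45 00 78 00 63 00 68 00 61 00 0F 00 15 6E 00
67 00 65 00 00 00 FF FF FF FF 00 00 FF FF FF FF
45 58 43 48 41 4E 47 45 20 20 20 10 00 78 BC 81
17 1F 17 1F 00 00 BC 81 17 1F 38 16 00 00 00 00
43 4F 4D 4D 41 4E 44 20 43 4F 4D 20 00 00 00 00
00 00 6E 20 00 00 40 4E EB 1E 3D 42 C6 6A 01 00
""")
LFN_ATTR = 0x0F  # R/O + Hid + Sys + Vol together mark a long-name slot

def lfn_checksum(short11):
    """Checksum of the 11-byte 8.3 name, stored at offset 13 of each LFN slot."""
    s = 0
    for c in short11:
        s = (((s & 1) << 7) + (s >> 1) + c) & 0xFF  # rotate right, add byte
    return s

def legacy_size(entry):
    """'Size' as a pre-VFAT tool reads it: bytes 28-31, whatever the attribute."""
    return struct.unpack_from("<I", entry, 28)[0]

def parse(raw):
    """Return (long_name, short_name, cluster, size, checksum_ok) per file."""
    out, parts, sums = [], [], []
    for off in range(0, len(raw), 32):
        e = raw[off:off + 32]
        if e[11] == LFN_ATTR:  # long-name slot: 13 UCS-2 chars in three runs
            chars = (e[1:11] + e[14:26] + e[28:32]).decode("utf-16-le")
            parts.insert(0, chars.split("\x00")[0])  # slots are stored last-first
            sums.append(e[13])
            continue
        base, ext = e[0:8].decode("ascii").rstrip(), e[8:11].decode("ascii").rstrip()
        cluster, size = struct.unpack_from("<HI", e, 26)
        ok = all(s == lfn_checksum(e[0:11]) for s in sums)  # slots belong to e?
        out.append(("".join(parts) or None, base + ("." + ext if ext else ""),
                    cluster, size, ok))
        parts, sums = [], []
    return out
```

A slot whose checksum does not match the short entry that follows it is an orphaned or damaged long name; the two slots in this dump both match.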
