
d-10.ciac-november-17-virus

Posted Sep 23, 1999


tags | virus
SHA-256 | 2a051e86f0593c2fdf0ac5ee2efc9fed8f2b9acdddde1100d16b84b6b258cd4c

        _______________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________
Information Bulletin

November 17 Virus on MS DOS Computers

March 15, 1993 1000 PST Number D-10
__________________________________________________________________________
NAME: November 17 virus
ALIASES: NOV 17, 855
PLATFORM: MS DOS Computers
DAMAGE: On November 17 will destroy hard disk contents
SYMPTOMS: Files grow by 855, 768, 880, or 800 bytes
DETECTION/
ERADICATION: FPROT 207, Scan V102, Novi
__________________________________________________________________________
Critical Facts about the November 17 virus

The November 17 virus is a simplistic file infector virus which has
recently been discovered to be fairly widespread. This virus will
overwrite the hard disk on November 17 of any year.

Infection Mechanism

This virus is a file infector virus (see CIAC bulletins A-20, A-27,
A-29, B-35, and 3 bulletins from Fiscal Year 1989 for information on
similar file infector viruses). Upon execution of a virus-infected
program, NOV 17 will become memory resident at the top of memory and
inhabit 896 bytes of memory.

Once resident, it will infect any .COM and .EXE programs when the file
attributes are set or read, when the file is opened for READ, and upon
loading and execution. Therefore, if the virus is resident in memory,
and a new disk with clean executables is copied, the original disk's
.EXE and .COM files will become infected if the disk is not
write-protected. It can easily be transferred via LANs anytime an
executable file is opened or executed over the LAN. This virus will
not infect files with a filename of SCAN.EXE or CLEAN.EXE, and it will
not infect files that have the system bit set. It does not affect
data files.

Potential Damage

On November 17 of any year this virus will overwrite portions of the
C: drive or current drive, depending on the variant. On any other day
of the year this virus will simply replicate. Some variants will
cause this overwrite process to occur on days after November 17.

Detection and Eradication

Many recent versions of antivirus products will detect this virus.
Another method of direct detection is to search for the string
"SCAN.CLEAN.COMEXE", which can be found within the virus code of every
infection.
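
The string search described above, as an added example (not part of the
CIAC bulletin): it streams each .COM/.EXE file under a directory and reports
the offset of the marker, including when the marker falls across two reads.
The function names, chunk size and sample files are assumptions made for
illustration.

```python
import os
import tempfile

# Marker string the bulletin says is present in every infection.
SIGNATURE = b"SCAN.CLEAN.COMEXE"
TARGET_EXTS = {".com", ".exe"}  # file types the bulletin says get infected

def find_signature(path, signature=SIGNATURE, chunk_size=65536):
    """Stream the file; return the offset of the first match, or -1."""
    overlap = len(signature) - 1
    tail, base = b"", 0  # base = file offset of the first byte of `window`
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                return -1
            window = tail + block
            hit = window.find(signature)
            if hit != -1:
                return base + hit
            # Carry len(signature)-1 bytes forward to catch a marker split across reads.
            tail = window[-overlap:] if overlap else b""
            base += len(window) - len(tail)

def scan_tree(root):
    """Return [(path, offset)] for .COM/.EXE files under root with the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in TARGET_EXTS:
                continue
            path = os.path.join(dirpath, name)
            offset = find_signature(path)
            if offset != -1:
                hits.append((path, offset))
    return hits

def demo():
    # Constructed sample files: harmless filler bytes plus the marker text.
    samples = {"PLAIN.COM": b"\x90" * 300,
               "MARKED.EXE": b"MZ" + b"\x00" * 98 + SIGNATURE + b"\x00" * 20,
               "NOTES.TXT": SIGNATURE}  # data file, not scanned
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return [(os.path.basename(p), off) for p, off in scan_tree(d)]
```

Because a resident copy infects files as they are opened for READ, a sweep
like this belongs on a known-clean system reading a copy or a write-protected
disk. A hit is a lead to confirm with an antivirus product.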

Until March of 1993, there had been no reports of this virus in the
United States. Because of this fact, some anti-virus products do not
detect the presence of it by name. Some products, such as Data
Physician Plus!, do detect when they themselves become infected, at
which point a message such as "A virus has been detected, would you
like to continue?" may appear on the screen. This message means that
the antivirus product's self-check mechanism has detected a
modification to itself, and at this point CIAC recommends that you
check the machine with a different antivirus product, or call CIAC for
additional information on virus handling.

Virus Variants

There are four known variants of this virus; each increases file lengths
by a different amount and takes up a different amount of resident
memory. The variants increase file lengths of infected files by 768,
800, 880, and 855 bytes. The 768 variant is almost identical to the
original virus but takes up 800 bytes of memory; it was discovered in
May of 1992. The variant which adds 800 bytes to files takes up 832
bytes of memory, was discovered in March of 1993, and activates
November 17-30 of any year. The 880 variant, which uses 928 bytes of
memory and was first seen in November 1992, will activate on any date
from November 17-December 31 of any year. The 855 variant, also called
Nov17B, first seen in September of 1992, causes infected .EXE files to
hang the system when executed.

Due to the nature of this virus's infection mechanism, it is sometimes
not possible to remove the infection from a host program. CIAC
recommends that if this virus is discovered a copy be kept and then
all infected files be deleted and restored from backup.


For additional information or assistance, please contact CIAC at
(510) 422-8193 / FTS or send E-mail to ciac@llnl.gov. FAX
messages to (510) 423-8002 / FTS.

Previous CIAC bulletins and other information are available via anonymous
ftp from irbis.llnl.gov (IP address 128.115.19.60).

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum
of Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained by sending email to docserver@first.org
with an empty subject line and a message body containing the line:
send first-contacts.

Neither the United States Government nor the University of California
nor any of their employees, makes any warranty, expressed or implied,
or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government nor the University of California, and shall not be used for
advertising or product endorsement purposes.