
Ravage virus?

  • 07-01-2000 9:57am
    #1
    Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭


    A girl in work here just had her HD deleted by the Ravage virus. The virus information site for Sophos says that this virus writes itself to cylinder 0, head 0, sector 1. When you boot the PC it displays the message "RaVage is now deleting your system" (and unlike the jokey ones this one means it). So, anyone got any ideas on how to

    a: detect the ******* before it kicks in
    b: remove it as Sophos can't/won't - I have no choice but to use Sophos, company standard.


Comments

  • Registered Users, Registered Users 2 Posts: 1,643 ✭✭✭Jak


    Well, below are the basic details of the virus (not that this is any help)... It's not too recent either... have you been upgrading Sophos at all?

    J.


    Type: Boot sector virus.

    Infects: The boot sector of floppy disks; and the partition sector of hard disks if the PC is booted from an infected floppy disk.

    File Growth: -

    Description:

    On hard disks, the virus infects the partition sector, re-locating the original partition sector to cylinder 0, head 0, sector 14. Additional virus code is stored on cylinder 0, head 0, sector 15.
    On floppy disks, the virus infects the boot sector, re-locating the original boot sector to the end of the root directory (cylinder 0, head 1, sector 15, for 1.44Mb floppy disks). Additional virus code is stored on the following sector.
    The virus uses 1Kb of DOS memory, although CHKDSK/MEM will not report any memory missing. The virus intercepts INT_13h (disk I/O) and INT_21h (DOS services).

    The virus uses stealth to conceal itself when memory resident.
    The virus detects the presence of the file SYSTEM\IOSUBSYS\HSFLOP.PDR in the WINDOWS folder (this file is responsible for floppy disk access in Windows 95) and, if found, deletes it. The effect of this is to enable the virus to infect floppy disks on PCs running Windows 95 (otherwise Windows 95's direct disk access prevents floppy disks from becoming infected).
    The virus has a payload. If the file named RAV*.* is executed, the virus checks the CMOS clock and (with probability of 1/256) displays the following message, in green (this text is stored at the end of the main body of the virus, in reverse order of letters):

    RAVage is wiping data! RP&muRPhy
    Then the virus writes 14 sectors of rubbish to every cylinder of the hard disk, in an infinite loop. This makes any disk completely unusable.

    Copyright © 1989-1998 Dr Solomon's Software Limited. All Rights Reserved.
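
An added example (not part of the thread and not Sophos or Dr Solomon's code): a Python check of a raw hard disk image for the track-0 layout given in the description above, namely a partition sector relocated to cylinder 0, head 0, sector 14, extra data in sector 15, and the payload text stored in reverse. Because the description says the virus is stealthed while memory resident, this assumes the image was read after booting from known-clean, write-protected media; the function names and sample images are constructed, and the sector 14/15 tests are heuristics that assume those sectors are otherwise unused.

```python
SECTOR = 512
# Payload text as quoted in the description; stored on disk with letters reversed.
MESSAGE = b"RAVage is wiping data! RP&muRPhy"

def chs00(image: bytes, n: int) -> bytes:
    """Sector n (1-based) of cylinder 0, head 0, i.e. LBA n - 1."""
    return image[(n - 1) * SECTOR:n * SECTOR]

def looks_like_partition_sector(sec: bytes) -> bool:
    """0x55AA signature plus at least one plausible partition table entry."""
    if len(sec) != SECTOR or sec[510:512] != b"\x55\xaa":
        return False
    entries = [sec[446 + 16 * i:462 + 16 * i] for i in range(4)]
    # Boot flag must be 0x00 or 0x80; a used entry has a non-zero type byte.
    return (all(e[0] in (0x00, 0x80) for e in entries)
            and any(e[4] != 0 for e in entries))

def check_track0(image: bytes) -> list:
    """Return findings for the first 15 sectors of a raw hard disk image."""
    findings = []
    head = image[:15 * SECTOR]
    if MESSAGE[::-1] in head or MESSAGE in head:
        findings.append("payload text found in sectors 1-15")
    s1, s14, s15 = chs00(image, 1), chs00(image, 14), chs00(image, 15)
    if looks_like_partition_sector(s14) and s14 != s1:
        findings.append("sector 14 holds a different partition sector than sector 1")
    if any(s15):
        findings.append("sector 15 is not empty")
    return findings

def make_mbr(code: bytes) -> bytes:
    """Constructed sample: filler 'code', one FAT16 entry, 0x55AA signature."""
    entry = (bytes([0x80, 1, 1, 0, 0x06, 15, 63, 100])
             + (63).to_bytes(4, "little") + (100000).to_bytes(4, "little"))
    return code.ljust(446, b"\x00") + entry + bytes(48) + b"\x55\xaa"

def sample_images():
    """Constructed images: a clean layout and the relocated layout described above."""
    original = make_mbr(b"\xfa\x33\xc0")          # stand-in for normal boot code
    clean = bytearray(63 * SECTOR)
    clean[:SECTOR] = original
    moved = bytearray(clean)
    moved[:SECTOR] = make_mbr(b"\x90" * 64)       # inert filler, not virus code
    moved[13 * SECTOR:14 * SECTOR] = original     # original relocated to sector 14
    moved[14 * SECTOR:14 * SECTOR + len(MESSAGE)] = MESSAGE[::-1]  # sector 15
    return bytes(clean), bytes(moved)
```

A disk with a boot manager or drive overlay may legitimately use these sectors, so treat the sector 14/15 findings as a prompt to inspect rather than as proof.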


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    Yep, that's the one (though there is another version as far as I can remember). We're on version 3.29 of Sophos with every IDE file listed on their webpage. I think it sees the virus as a password protected file and turns up an error because it can't look inside password files. <maybe>


  • Registered Users, Registered Users 2 Posts: 4,471 ✭✭✭elexes


    Sounds like a nice virus. Hmmmmm. Where can I get it ... off to deep thought ... com1131@pat.itcarlow.ie, that's my addy by the way.


This discussion has been closed.