November_17th

Classification

Category :

Malware

Type :

Virus

Aliases :

November_17th, Int83, BigMouse, November, 800

Summary

The November_17th virus family has several members:

Variant:November_17th.584

Size:584

This virus seems to be one of the earliest versions of November 17, as it only infects COM files. The virus will attempt to infect all COM programs that are executed, with the following exceptions:

o File is smaller than 16 bytes or larger than 63,488 bytes.

Every Wednesday between 1PM and 5PM, the virus will attempt to erase the CMOS (if present). Every time a key is pressed, a series of descending notes will be produced by the speaker.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Variant:November_17th.690

Size:690

This variant attempts to infect any COM or EXE which is executed with the following exceptions:

o COM files bigger than 61,440 bytes or smaller than 16 bytes

o EXE programs whose declared length is different from its physical length (e.g. Programs with internal overlays)

o EXE programs which allocate less than 10 paragraphs (Bait programs).

On the 8th of July, the virus will attempt to overwrite the first 8 sectors of the current drive. Network drives are not affected. Due to an error in the virus, the computer may crash after the payload has been activated.

Variant:November_17th.706

Size:706

This virus will attempt to infect all COM and EXE programs that are executed with the following exceptions:

o COM files bigger than 61440 bytes or smaller than 16 bytes

o EXE programs whose declared length is different from its physical length (e.g. Programs with internal overlays)

o EXE programs that allocate less than 10 paragraphs of memory (e.g. Bait programs)

On the first of any month, the virus will attempt to overwrite the first 11 sectors of the current drive. Due to an error in the virus code, the only drives to be affected are A:, B: and drives E: to Z:. Network drives will not be affected.

Variant:November_17th.768

Size:768

This variant will attempt to infect all COM and EXE files that are executed with the following exceptions:

o McAfee's SCAN and CLEAN programs

o Any COM file bigger than 60,000 bytes

o EXE programs that allocate less than 20 paragraphs of memory (Bait programs)

If the current date is between the 17th and 30th of November, the virus overwrites the first 8 sectors of the current drive, making the disk unbootable.

Variant:November_17th.800.A

Size:800

Any file that is opened, executed or has its attributes changed is liable for infection, with some exceptions:

o McAfee's SCAN and CLEAN will not be infected.

o System files are not infected.

o COM files larger than 60,000 bytes will not be infected.

o EXE programs whose declared length is different from its physical length (Programs with internal overlays)

o EXE programs which allocate less than 20 paragraphs of memory (Bait programs)

The virus will overwrite the first 8 sectors of the current drive on any day between the 17th and 30th of November. Network drives will not be affected.

The following text strings can be found at the end of all infected files:

SCAN.CLEAN.COMEXE

Variant:November_17th.855.A

Size:855

This particular variant of November 17 is probably one of the most common viruses in Italy.

Any file that is opened, executed or has its attributes changed is liable for infection, with some exceptions:

o McAfee's SCAN and CLEAN will not be infected.

o COM files larger than 60,000 bytes will not be infected.

o EXE programs whose declared length is different from its physical length (Programs with internal overlays)

o EXE programs which allocate less than 20 paragraphs of memory (Bait programs)

The virus will overwrite the first 8 sectors of the current drive on any day between the 17th and 30th of November after 500 keypresses. Network drives will not be affected.

The following text strings can be found at the end of all infected files:

SCAN.CLEAN.COMEXE

Variant:November_17th.880

Size:880

Any file that is opened, executed or has its attributes changed is liable for infection, with some exceptions:

o McAfee's SCAN and CLEAN will not be infected.

o COM files larger than 60,000 bytes will not be infected.

o EXE programs whose declared length is different from its physical length (Programs with internal overlays)

o EXE programs which allocate less than 30 paragraphs of memory (Bait programs)

The virus will overwrite the first 4 sectors of the current drive on any day between the 17th and 31st of October after 100 keypresses. Network drives will not be affected.

Certain instructions have been reordered in this virus, probably to prevent detection by existing signatures for other November 17 variants.

The following text strings can be found at the end of all infected files:

SCAN.CLEAN.COMEXEAMZ
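
A triage check for the trailing text strings listed above for the 800.A, 855.A and 880 variants, added here as an example (it is not F-Secure's code). Assumptions: the function and table names are hypothetical, each '.' in the printed string may be a literal period or a non-printable byte, and the marker lies within the last 880 bytes of the file (the largest variant size listed).

```python
import re
import sys

# Marker as printed on the page. Assumption: each '.' may be a literal period
# or a non-printable byte shown as a dot, so any single byte is accepted there.
MARKER = re.compile(rb"SCAN.CLEAN.COMEXE(AMZ)?", re.DOTALL)

# Largest variant size listed on the page; the marker sits in the appended
# virus body, so only this many trailing bytes are searched (assumption).
TAIL_WINDOW = 880

CANDIDATES = {
    False: ["November_17th.800.A", "November_17th.855.A"],
    True: ["November_17th.880"],  # marker carries the extra "AMZ" suffix
}


def check_tail(data: bytes):
    """Return (offset, marker, candidate variants), or None if no marker."""
    start = max(0, len(data) - TAIL_WINDOW)
    m = MARKER.search(data, start)
    if m is None:
        return None
    return m.start(), m.group(0), CANDIDATES[m.group(1) is not None]


def constructed_samples():
    """Constructed byte strings, not real samples: filler plus a marker."""
    host = b"\x90" * 64
    return {
        "clean": host,
        "short_marker": host + b"\x00" * 700 + b"SCAN.CLEAN.COMEXE",
        "long_marker": host + b"\x00" * 700 + b"SCAN\x00CLEAN\x00COMEXEAMZ",
        "marker_in_host": b"SCAN.CLEAN.COMEXE" + b"\x00" * 4000,
    }


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hit = check_tail(fh.read())
        print(path, "no marker" if hit is None else hit)
    if len(sys.argv) == 1:
        for name, blob in constructed_samples().items():
            print(name, check_tail(blob))
```

A hit is a lead for a full scan rather than a verdict, since the same text could appear in an unrelated file.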