Summary

| Affected operating systems | Windows |
|---|---|
| Detected by | All Sophos products |
Action

Please follow the instructions for disinfecting PE executables.
Windows 95/98/Me
Use DOS SWEEP with the -DIPE switch. You can use it from the DOS folder on the Sophos CD, or download an emergency version, double-click it to extract it, then copy the files into a C:\Sophtemp directory on your computer.
You must disinfect this virus in DOS, not in a 'DOS window'.
- In Windows 95/98
  - Restart the computer in MS-DOS mode. Note: starting a Command Prompt (a DOS window) is not enough.
  - Go to the Start menu and select Shut Down. Choose the option 'Restart the computer in DOS mode'. This disables the virus and provides a safe environment for disinfection.
- In Windows Me
  - This version of Windows does not allow you to exit directly into MS-DOS mode. You need to create a startup disk and boot from that.
  - Go to Start|Settings|Control Panel. Click 'Add/Remove Programs', select the 'Startup Disk' tab and click the 'Create Disk' button.
  - When you have created the startup disk, write-protect it and boot from it. This disables the virus and provides a safe environment for disinfection.
Go to the directory containing DOS SWEEP:
- for the Sophos CD (where D: is your CD drive) type
  D:
  CD DOS
- for the Sophtemp directory type
  C:
  CD \
  CD SOPHTEMP
Then type
SWEEP C: -PB -F -DIPE -P=VIRLOGC.TXT
Repeat for other hard drives: SWEEP D: -PB -F -DIPE -P=VIRLOGD.TXT
All other files must be deleted. Some of these were dropped by the virus and need not be restored; others should be recovered from backups.
SWEEP C: -PB -REMOVEF -P=REMVLOGC.TXT
Repeat for other hard drives: SWEEP D: -PB -REMOVEF -P=REMVLOGD.TXT
Use the log files to identify any deleted files which should be restored from a clean backup or the original media.
After disinfection you must restart the computer in Windows and run a scan to check that all is well.
You should purge System Restore on Windows Me.
Other platforms
Please read the instructions for removing PE executable viruses.
More Information
W95/Dupator becomes active in memory by infecting the Windows system file kernel32.dll. The virus searches for kernel32.dll in the Windows system folder and copies the file into the Windows folder.
Once the file is copied, the virus infects the file and replaces the pointer to the exported kernel32 function GetFileAttributes with the pointer to a function located inside the virus body.
The next time Windows is restarted, the operating system loads the infected version of kernel32.dll and the virus becomes active in memory. The virus intercepts calls to the GetFileAttributes function and uses the function argument to get the filenames of the files to infect.
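A defensive check for the export-pointer change described above, as an added example rather than Sophos code: it reads the export table of a known-clean kernel32.dll (for instance from the original media) and of a suspect copy, and lists the exports whose pointers differ. The function names, the constructed test image from build_sample and the ANSI export name GetFileAttributesA used with it are assumptions for illustration; only PE32 images are handled.

```python
import struct

def export_rvas(pe):
    """Map each exported name to its function RVA (PE32 images only)."""
    e = struct.unpack_from("<I", pe, 0x3C)[0]                 # e_lfanew
    if pe[:2] != b"MZ" or pe[e:e + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size, magic = (struct.unpack_from("<H", pe, e + o)[0] for o in (6, 20, 24))
    if magic != 0x10B:
        raise ValueError("not a PE32 image")
    # (VirtualAddress, SizeOfRawData, PointerToRawData) of every section
    secs = [struct.unpack_from("<III", pe, e + 24 + opt_size + 40 * i + 12) for i in range(nsec)]
    def off(rva):                                             # RVA -> file offset
        for va, size, raw in secs:
            if va <= rva < va + size:
                return raw + rva - va
        raise ValueError("RVA 0x%x is outside every section" % rva)

    exp = off(struct.unpack_from("<I", pe, e + 24 + 96)[0])   # export directory
    n_names, funcs, names, ords = struct.unpack_from("<IIII", pe, exp + 24)
    result = {}
    for i in range(n_names):
        start = off(struct.unpack_from("<I", pe, off(names) + 4 * i)[0])
        index = struct.unpack_from("<H", pe, off(ords) + 2 * i)[0]
        name = pe[start:pe.index(b"\0", start)].decode("ascii")
        result[name] = struct.unpack_from("<I", pe, off(funcs) + 4 * index)[0]
    return result

def hooked_exports(reference, suspect):
    """Names whose export pointer differs from the known-clean reference image."""
    ref, sus = export_rvas(reference), export_rvas(suspect)
    return sorted(n for n in ref if sus.get(n) != ref[n])

def build_sample(rvas):
    """Constructed image (not a real kernel32.dll): one section holding an export table."""
    base, n, keys = 0x200, len(rvas), sorted(rvas)
    funcs = base + 40                      # tables follow the 40-byte export directory
    nameptrs, ords, strs = funcs + 4 * n, funcs + 8 * n, funcs + 10 * n
    blob, ptrs = b"", []
    for k in keys:
        ptrs.append(strs + len(blob))
        blob += k.encode() + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n, funcs, nameptrs, ords)
    body += struct.pack("<%dI%dI%dH" % (n, n, n), *[rvas[k] for k in keys], *ptrs, *range(n)) + blob
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    hdr += (struct.pack("<H", 0x10B).ljust(96, b"\0") + struct.pack("<II", base, len(body))).ljust(224, b"\0")
    hdr += b".edata\0\0" + struct.pack("<IIII", len(body), base, len(body), base).ljust(32, b"\0")
    return hdr.ljust(base, b"\0") + body
```

On a real system, pass the bytes of the reference and suspect files to hooked_exports; any name it returns has a pointer that no longer matches the clean image.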
