Cruel.A

Type: Virus
SubType: File Infector
Discovery Date: 01/01/1999
Length:
Minimum DAT: 4002 (12/02/1998)
Updated DAT: 4002 (12/02/1998)
Minimum Engine: 5.1.00
Description Added: 08/10/1999
Description Modified: 08/10/1999 12:00 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

The Cruel.A virus was first reported as originating "In the Wild" in Hungary in September 1996. It went worldwide quickly thereafter and was officially listed in the October 1996 WildList. While still reported occasionally, this virus does not often present itself anymore.

Upon booting from an infected diskette, Cruel.A installs itself to memory and to the hard drive boot record.

Cruel.A does not employ read-stealth characteristics. If the user attempts to view the hard drive's boot record, the sector actually present on disk is what the user is shown, that is, the infected boot record. The virus saves a copy of the original uninfected boot record to a variable location that is based on drive geometry.
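Because the virus is not read-stealth, the infected boot record can be read back and compared with a known-good copy. The following script is an added example, not part of this description, that parses a 512-byte master boot record and flags a changed boot-code area, a missing 0x55AA signature or an unexpected number of bootable partitions; the sample sectors, the baseline hash and the boot-code bytes are constructed for illustration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, four partition entries and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected a 512-byte sector")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        # status, (CHS start skipped), type, (CHS end skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {"code": sector[:446], "partitions": entries,
            "signature_ok": sector[510:] == BOOT_SIGNATURE}


def check_boot_record(sector: bytes, baseline_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the record matches the baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if hashlib.sha256(mbr["code"]).hexdigest() != baseline_code_sha256:
        findings.append("boot code differs from recorded baseline")
    bootable = [p for p in mbr["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable, expected 1")
    return findings


def make_sample_mbr(code: bytes) -> bytes:
    """Constructed sample sector: one bootable FAT16 (type 0x06) primary partition."""
    code = code.ljust(446, b"\x00")[:446]
    entry = struct.pack("<B3xB3xII", 0x80, 0x06, 63, 1_000_000)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


# Constructed stand-ins: a clean boot-code stub and a sector with replaced boot code.
CLEAN_MBR = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
INFECTED_MBR = make_sample_mbr(b"\xeb\x1c\x90CONSTRUCTED-SAMPLE")
# Baseline recorded from the clean sector; a real deployment stores this off-host.
BASELINE = hashlib.sha256(CLEAN_MBR[:446]).hexdigest()

if __name__ == "__main__":
    print("clean:", check_boot_record(CLEAN_MBR, BASELINE))
    print("infected:", check_boot_record(INFECTED_MBR, BASELINE))
```

Hashing only the 446-byte code area lets the check ignore legitimate partition-table edits while still catching a rewritten loader.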

As its payload, Cruel.A modifies the CMOS settings. Depending on the make and manufacturer of the BIOS, it is possible the virus could modify drive type, time, date, or the power-on password.

Cruel.A infects boot sectors on diskettes and the boot record on hard drives. Upon loading into memory, this virus reduces the top of DOS memory by 2K. As an example, on a computer running DOS 6.20 (where 640K of conventional memory is available and various other drivers are already loaded), the memory reduction results in 587,664 bytes shown as available rather than 589,712. Please note that different computers may display different amounts of available conventional memory, depending on configuration.

Upon booting an infected computer where DOS is the operating system, the virus loads and stays resident in memory. Like most memory-resident boot viruses running under DOS, Cruel.A intercepts calls to Int13h, redirecting the call to its own code. When the virus is in memory - when it is able to intercept calls to Int13h - virtually any diskette access will result in its infection.

Upon booting an infected computer where Windows 95 is the operating system, the virus will load itself into memory. However, because Windows 95 uses a specialized 32-bit filesystem driver, the virus is unable to replicate to other diskettes, even under a Windows DOS box. The short reason for this is Windows 95's specialized 32-bit disk driver. Once Windows 95 completes startup (more accurately, once VMM32.SYS loads), calls to Int13h are not made in the same fashion as under DOS; thus, while the virus still resides in the hard drive's boot record, it is unable to replicate.

The following points should be noted:

1) After a Windows 95 system has been infected, upon restarting Windows 95 the user may see the following Performance Warning:

In reality, the message indicates a change to the Int13h address - at least the Int13h address that was last being pointed to, as recorded by Windows 95. The message would appear when there is a change to the Int13h address, regardless of whether there was truly a physical change to the boot record or not.

The message can be indicative of a virus; however, there are other valid reasons why it might appear (disk compression software, disk encryption software, etc.). The performance warning message box will appear only once. On the next system restart, the message will not appear. If you see the message and did not expect to, it is best to investigate the reason behind it immediately.

2) The Windows 95 32-bit disk driver can be disabled. In doing so, the system is placed in "DOS compatibility mode". Once in DOS compatibility mode, calls to Int13h are made again. This means, in theory, that the virus may once again have the ability to replicate. In the case of Cruel.A, the virus will in fact replicate in DOS compatibility mode (but only while Windows 95 is in compatibility mode).

Symptoms

Method of Infection

Removal

All Users:
Script, Batch, Macro and non-memory-resident:
Use current engine and DAT files for detection and removal.

PE, Trojan, Internet Worm and memory-resident:
Use the specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and run the command line scanner:

SCANPM /ADL /CLEAN /ALL

Additional Windows ME/XP removal considerations


Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates:

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool; visit this link for more information.

It is very common for macro viruses to disable options within Office applications; for example, in Word the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are enabled again.

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Cruel.1024
