Melissa guy, did this?!?


RP8
April 7th, 1999, 03:42 PM
On one of my fellow co-worker's machines I noticed this about 2 weeks ago, but it didn't strike my eye until today when I ran by it. We have had NO problems with the Melissa virus in our office (just Happy99, that's all). The employee who uses this machine swears up and down he didn't do it through regedit.exe. There was an OEM number entered, but I took that part out in the paint program. Has anyone had this happen to them, or know what the hell happened? We also did a full system scan on the machine with the 3/26/99 Norton Defs and that came up empty. Check the picture below, I'm clueless here...


http://kcc.kcpag.com/davidsmith.jpg

Thanks guys!

Darren Wilson
April 7th, 1999, 08:05 PM
Send a copy of the registry to Symantec for scrutinisation, although I think your friend is pulling your leg. It is easy to write a registry script to change certain keys without the person knowing (especially if they are naive about PCs) :)

Let us all know what Symantec have to say about it.

RP8
April 7th, 1999, 10:26 PM
Darren, I really don't believe the employee at that station knows how to do that. I caught him today trying to install pkzip.exe. And he couldn't get it through his head that it doesn't install - it runs... and also I noticed this 2 weeks ago!!! Before this VicodinES ever caught media coverage. I remember seeing the Diet Mt. Dew thing, but didn't remember what the top line was, but when I saw it today my eyes lit up. So I REALLY REALLY don't think it was him, or anyone in the office. We are running off a Novell Network (NetWare 4 - I think) with all systems having Internet access. We've had no other cases in our office, but we do have 30 more offices country wide - I'll have to check with them... Strange!!!


I've just found a virus on a website written by TNN, another name above. The address is:
http://users.skynet.be/somnus/virshop.html


I found CB I think mentioned in this story on a news site. The URL is http://www.techweb.com/wire/story/TWB19990209S0015


It seems that VicodinES and CB author Word97 Macro viruses and TNN altered the CIH virus for "better" results.

Should I send them the system.dat and user.dat - Symantec that is???

Thanks!!!




[This message has been edited by RP8 (edited April 07, 1999).]

RP8
April 8th, 1999, 10:44 AM
I talked to Symantec this morning. The guy on the phone went and tried to see what virus that was, but couldn't find the name of it; he was sure it was an older one though. He also said that it had probably been detected by Norton at some time but just didn't remove or change back the registry entries for the Name: and Company: fields. So all is well, I went ahead and got the 3/31/99 Updates and am doing a full scan on it as we speak. Wonderful huh?!?!

By the way, do any of you know what virus that is??

[This message has been edited by RP8 (edited April 08, 1999).]