McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Flip-2343

• Omicron

Characteristics

The Flip is a file infecting virus. It infects .COM, .EXE, and .OVL files, including COMMAND.COM, as well as alter the MBR and boot sector of hard disks.

Flip can only be passed between systems on infected .EXE files. Infected .COM files, and altered floppy boot sectors do not transfer the virus.

The first time an .EXE file infected with the Flip virus is executed, it becomes memory resident in high memory. At this time, the copy of COMMAND.COM located in the C: drive root directory is infected. The system's hard disk MBR and boot sector are also slightly modified. If the infected file was executed from a floppy, COMMAND.COM on the floppy is infected, though the size change is noticeable.

Once Flip becomes memory resident, any .COM or .EXE files executed becomes infected. If a file is executed which uses an .OVL file, the .OVL file also becomes infected.

Additional Comments:
The Flip, or Flip-2343, virus was discovered in West Germany in July 1990. It is a generic file infector, and will infect .COM, .EXE, and overlay files. This virus will also infect COMMAND.COM, as well as alter the master boot sector (partition table) and boot sector of hard disks. It is important to note that the Flip virus is not infective from .COM files or boot sectors. The first time an .EXE program infected with the Flip virus is executed, it installs itself memory resident in high memory. System memory as reported by the CHKDSK command as well as free memory will have decreased by 3,064 bytes. At this time, the copy of COMMAND.COM located in the C: drive root directory will be infected, though no file length change will be apparent with the virus in memory. The system's hard disk master boot sector and boot sector will also be slightly modified. If the infected program was executed from a floppy, COMMAND.COM on the floppy will be infected, though the size change will be noticeable. After Flip becomes memory resident, any .COM or .EXE files executed will become infected. Infected programs will show a file length increase of 2,343 bytes. If a program is executed which uses an overlay file, the overlay file will also become infected. Systems infected with Flip may experience file allocation errors resulting in file linkage errors. Some data files may become corrupted. On the second of any month, systems which were booted from an infected hard disk and have an EGA or VGA capable display adapter may experience the display on the system monitor being horizontally "flipped" between 16:00 and 16:59. Systems with hard disks which have been allocated with partitions greater than 32 megabytes in size may experience corruption of the hard disk logical partitioning. When this occurs, a partition larger than 32 megabytes may be altered to be slightly less than 32 megabytes in size. Flip can only be passed between systems on infected .EXE files. Infected .COM files, and altered floppy boot sectors do not transfer the virus. Known variant(s) of Flip are:

Symptoms

On the second of any month, systems which were booted from an infected hard disk and have an EGA or VGA capable display adapter may experience the display on the system monitor being horizontally "flipped" for 1 hour.

Systems with hard disks which have been allocated with partitions greater than 32 megabytes in size may experience corruption of the hard disk logical partitioning. When this occurs, a partition larger than 32 megabytes may be altered to be slightly less than 32 megabytes in size.

Systems infected with Flip may experience file allocation errors resulting in file linkage errors. Some data files may become corrupted.

System memory decreases by 3,064 bytes. Infected files have a file length increase of 2,343 bytes.

Method of Infection

The only way to infect a computer with a file infecting virus is to execute an infected file on the computer. The infected file may come from a multitude of sources including: floppy diskettes, downloads through an online service, network, etc. Once the infected file is executed, the virus may activate.

Removal

All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

Additional Windows ME/XP removal considerations

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

Variants

Variants

• Flip-2153
• Flip-2153B
• Flip-2153C
• Flip-2343B
• Prism
• Raistlin

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Flip-2343

• Omicron

Characteristics

Characteristics -

The Flip is a file infecting virus. It infects .COM, .EXE, and .OVL files, including COMMAND.COM, as well as alter the MBR and boot sector of hard disks.

Flip can only be passed between systems on infected .EXE files. Infected .COM files, and altered floppy boot sectors do not transfer the virus.

The first time an .EXE file infected with the Flip virus is executed, it becomes memory resident in high memory. At this time, the copy of COMMAND.COM located in the C: drive root directory is infected. The system's hard disk MBR and boot sector are also slightly modified. If the infected file was executed from a floppy, COMMAND.COM on the floppy is infected, though the size change is noticeable.

Once Flip becomes memory resident, any .COM or .EXE files executed becomes infected. If a file is executed which uses an .OVL file, the .OVL file also becomes infected.

Additional Comments:
The Flip, or Flip-2343, virus was discovered in West Germany in July 1990. It is a generic file infector, and will infect .COM, .EXE, and overlay files. This virus will also infect COMMAND.COM, as well as alter the master boot sector (partition table) and boot sector of hard disks. It is important to note that the Flip virus is not infective from .COM files or boot sectors. The first time an .EXE program infected with the Flip virus is executed, it installs itself memory resident in high memory. System memory as reported by the CHKDSK command as well as free memory will have decreased by 3,064 bytes. At this time, the copy of COMMAND.COM located in the C: drive root directory will be infected, though no file length change will be apparent with the virus in memory. The system's hard disk master boot sector and boot sector will also be slightly modified. If the infected program was executed from a floppy, COMMAND.COM on the floppy will be infected, though the size change will be noticeable. After Flip becomes memory resident, any .COM or .EXE files executed will become infected. Infected programs will show a file length increase of 2,343 bytes. If a program is executed which uses an overlay file, the overlay file will also become infected. Systems infected with Flip may experience file allocation errors resulting in file linkage errors. Some data files may become corrupted. On the second of any month, systems which were booted from an infected hard disk and have an EGA or VGA capable display adapter may experience the display on the system monitor being horizontally "flipped" between 16:00 and 16:59. Systems with hard disks which have been allocated with partitions greater than 32 megabytes in size may experience corruption of the hard disk logical partitioning. When this occurs, a partition larger than 32 megabytes may be altered to be slightly less than 32 megabytes in size. Flip can only be passed between systems on infected .EXE files. Infected .COM files, and altered floppy boot sectors do not transfer the virus. Known variant(s) of Flip are:

Symptoms

Symptoms -

On the second of any month, systems which were booted from an infected hard disk and have an EGA or VGA capable display adapter may experience the display on the system monitor being horizontally "flipped" for 1 hour.

Systems with hard disks which have been allocated with partitions greater than 32 megabytes in size may experience corruption of the hard disk logical partitioning. When this occurs, a partition larger than 32 megabytes may be altered to be slightly less than 32 megabytes in size.

Systems infected with Flip may experience file allocation errors resulting in file linkage errors. Some data files may become corrupted.

System memory decreases by 3,064 bytes. Infected files have a file length increase of 2,343 bytes.

Method of Infection

Method of Infection -

The only way to infect a computer with a file infecting virus is to execute an infected file on the computer. The infected file may come from a multitude of sources including: floppy diskettes, downloads through an online service, network, etc. Once the infected file is executed, the virus may activate.

Removal -

Removal -

All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

Additional Windows ME/XP removal considerations

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

Variants

Variants -

• Flip-2153
• Flip-2153B
• Flip-2153C
• Flip-2343B
• Prism
• Raistlin