Summary
The November_17th virus family has several members:
Variant:November_17th.584
Size:584
This virus seems to one of the earliest versions of November 17 as it only infects COM files. The virus will attempt to infect all COM programs that are executed with the following exceptions:
o File is smaller than 16 bytes or larger than 63,488 bytes.
Every Wednesday between 1PM and 5PM, the virus will attempt to erase the CMOS (if present). Every time a key is pressed, a series of descending notes will be produced by the speaker.
Removal
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First, check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Technical Details
Variant:November_17th.690
Size:690
This variant attempts to infect any COM or EXE which is executed with the following exceptions:
o COM files bigger than 61,440 bytes or smaller than 16 bytes o EXE programs whose declared length is different from it's physical
length (e.g. Programs with internal overlays)
o EXE programs which allocate less than 10 paragraphs (Bait programs).
On the 8th of July, the virus will attempt to overwrite the first 8 sectors of the current drive. Network drives are not affected. Due to an error in the virus the computer may crash after the payload has benn activated.
Variant:November_17th.706
Size:706
This virus will attempt to infect all COM and EXE programs that are executed with the following exceptions:
o COM files bigger than 61440 bytes or smaller than 16 bytes o EXE programs whose declared length is different from it's physical
length (e.g. Programs with internal overlays)
o EXE programs that allocate less than 10 paragraphs of memory (e.g. Bait
programs)
On the first of any month the first will attempt to overwrite the first 11 sectors of the current drive. Due to an error in the virus code, the only drives to be affected are A:, B: and drives E: to Z:. Network drives will not be affected.
Variant:November_17th.768
Size:768
This variant will attempt to infect all COM and EXE files that are executed with the following exceptions:
o McAfee's SCAN and CLEAN programs o Any COM file bigger than 60,000 bytes o EXE programs that allocate less than 20 paragraphs of memory (Bait
programs)
If the current date is between the 17th and 30th of November the virus overwites the first 8 sectors of the current drive, making the disk unbootable.
Variant:November_17th.800.A
Size:800
Any file that is opened, executed or has is attributes changed is liable for infection with some exceptions:
o McAfee's SCAN and CLEAN will not be infected. o System files are not infected. o COM files larger than 60,000 bytes will not be infected. o EXE programs whose declared length is different from it's physicial
length (Programs with internal overlays)
o EXE programs which allocate less than 20 paragraphs of memory (Bait
programs)
The virus will overwrite the first 8 sectors of the current drive on any day between the 17th and 30th of November. Network drives will not be affected.
The following text strings can be found at the end of all infected files:
SCAN.CLEAN.COMEXE
Variant:November_17th.855.A
Size:855
This particular variant of November 17 is probably one of the most common viruses in Italy.
Any file that is opened, executed or has is attributes changed is liable for infection with some exceptions:
o McAfee's SCAN and CLEAN will not be infected. o COM files larger than 60,000 bytes will not be infected. o EXE programs whose declared length is different from it's physicial
length (Programs with internal overlays)
o EXE programs which allocate less than 20 paragraphs of memory (Bait
programs)
The virus will overwrite the first 8 sectors of the current drive on any day between the 17th and 30th of November after 500 keypresses. Network drives will not be affected.
The following text strings can be found at the end of all infected files:
SCAN.CLEAN.COMEXE
Variant:November_17th.880
Size:880
Any file that is opened, executed or has is attributes changed is liable for infection with some exceptions:
o McAfee's SCAN and CLEAN will not be infected. o COM files larger than 60,000 bytes will not be infected. o EXE programs whose declared length is different from it's physicial
length (Programs with internal overlays)
o EXE programs which allocate less than 30 paragraphs of memory (Bait
programs)
The virus will overwrite the first 4 sectors of the current drive on any day between the 17th and 31st of October after 100 keypresses. Network drives will not be affected.
Certain instructions have been reordered in this virus probably to prevent detection by existing signatures for other November 17 variants.
The following text strings can be found at the end of all infected files:
SCAN.CLEAN.COMEXEAMZ
Protect your devices from malware with F‑Secure Total
Protecting your devices from malicious software is essential for maintaining online security. F‑Secure Total makes this easy, helping you to secure your devices in a brilliantly simple way.
Award‑winning antivirus and malware protection
Online browsing, banking, and shopping protection
24/7 online identity and data breach monitoring
Unlimited VPN service to safeguard your privacy
Password manager with private data protection
Choose how many devices you want to protect to get started.
Free customer support
Cancel anytime
The trial does not obligate you to buy the product
After 30 days your subscription will renew automatically for one year at €69.99.
)
)
More Support
Community
Ask questions in our Community.
User guides
Check the user guide for instructions.
Contact Support
Chat with with or call an agent.
Submit a Sample
Submit a file or URL for analysis.