Return-Path: <[email protected]>
Received: from csmes.ncsl.nist.gov (MACBETH.NCSL.NIST.GOV) by csrc.ncsl.nist.gov (4.1/NIST)
id AA17641; Tue, 28 Jul 92 14:50:39 EDT
Posted-Date: Tue, 28 Jul 1992 14:20:48 -0400
Received-Date: Tue, 28 Jul 92 14:50:39 EDT
Errors-To: [email protected]
Received: from hooch.CC.Lehigh.EDU by csmes.ncsl.nist.gov (4.1/NIST(rbj/dougm))
id AA09970; Tue, 28 Jul 92 14:46:01 EDT
Received: from (localhost) by hooch.CC.Lehigh.EDU with SMTP id AA18682
(5.65c/IDA-1.4.4 for [email protected]); Tue, 28 Jul 1992 14:20:48 -0400
Date: Tue, 28 Jul 1992 14:20:48 -0400
Message-Id: <[email protected]>
Comment: Virus Discussion List
Originator: [email protected]
Errors-To: [email protected]
Reply-To: <[email protected]>
Sender: [email protected]
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: Kenneth R. van Wyk <[email protected]>
To: Multiple recipients of list <[email protected]>
Subject: VIRUS-L Digest V5 #133
Status: RO
VIRUS-L Digest Tuesday, 28 Jul 1992 Volume 5 : Issue 133
Today's Topics:
Strange Identification with SCAN91 (PC)
Best VirusDetection Software for the PC??? (PC)
Re: Bugsres-2 (PC)
Re: Virus discovered in file from WUARCHIVE.WUSTL.EDU (PC)
Virus Question re printer, floppy problems (PC)
Re: WARNING - Virus Creation Laboratory (PC)
Common misconception (was: Re: VET as good as Viruscan? (PC))
Stoned and Michaelangelo (PC)
Re: Virus discovered in file from WUARCHIVE.WUSTL.EDU (PC)
Re: Scream information? (PC)
Re: Virus discovered in file from WUARCHIVE.WUSTL.EDU (PC)
Re: F-PROT, Telecom, false positive ?? (PC)
Re: GIF viewer crashes system (was Re: an amazing problem...) (PC)
Info on Intel's NLM? (PC)
Re: VET as good as Viruscan? (PC)
Re: McAfee GENP/GENY identification (PC)
Re: How do I reverse the effect(s) of Stoned ? (PC)
UK Computer Crime Unit
Computer Virus Catalog update
Jerusalem virus part 2 (CVP)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name. Send contributions to
[email protected].
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<[email protected]>.
Ken van Wyk
----------------------------------------------------------------------
Date: Fri, 24 Jul 92 07:27:23 +0000
>From:
[email protected] (Lt Sajid Rahim)
Subject: Strange Identification with SCAN91 (PC)
I find it very strange to see that SCAN identifies Saturday the
14th virus as Armagedom. Having disassembled the code for both
viruses, I find no particular relationship between the two.
Anybody care to comment?
Sincerely
Sajid
- ---------------------------------------------------------------------
- -- Sajid Rahim, Dept of Computer Science, Rhodes University, --
- -- Grahamstown, South Africa. Internet :
[email protected] --
- ---------------------------------------------------------------------
------------------------------
Date: Sat, 25 Jul 92 07:30:12 +0000
>From:
[email protected] (Hari Seldon)
Subject: Best VirusDetection Software for the PC??? (PC)
I am new to this group, and I get kinda paranoid after reading all the
potentias of programs, not being able to detect.. I have the latest
version of McAfee s3t apparently it isn't very good. Does anybody
have any suggestions, on which, orn of programs would be the best??
And if possible, list FTP sites where I can ac clean versions of these
programs?? I haven't really had a problem, yet. I donh outside
contact, except the downloaded files, from ftp sites, and the
occasional bulletin board.. Thanx for any advice...
Seldon
------------------------------
Date: Mon, 27 Jul 92 17:45:24 -0400
>From: "William Walker C60223 x4570" <
[email protected]>
Subject: Re: Bugsres-2 (PC)
>From: Behrend AArea <
[email protected]>
> Hi. I am a computer operator at Penn State Erie, and I have a
> student's disk that I ran through F-Prot 2.04. It detected a virus
> named BUGSRES-2 JOKE PROGRAM. Looking through the Virus information
> section of F-Prot, I could not find a description of this virus.
> F-Prot also did not disinfect it. I was wondering if anyone had an
> idea of this virus, as in what it does, how to disinfect, etc.
BUGRES.COM (or whatever it may have been renamed) is a "Resident
Screen-Eating Utility." It loads TSR, and when activated (the version
I have is activated by ALT-B) a number of character-graphic "bugs"
wander about the screen and "eat" characters in their path, and
continue wandering about the screen until you press a key, which
restores the original screen. It is essentially a cute screen saver.
> Any e-mail responses to
[email protected] will be greatly appreciated.
I'm sending this to VIRUS-L as well as
[email protected], since others
may also be wondering about this.
Bill Walker (
[email protected] ) | "History is made at night.
OAO Corporation | Character is what you are in
Arnold Engineering Development Center | the dark."
M.S. 120 | -- Lord John Whorfin,
Arnold Air Force Base, TN 37389-9998 | "Buckaroo Banzai"
------------------------------
Date: Mon, 27 Jul 92 22:10:54 +0000
>From:
[email protected] (William L. Hadley)
Subject: Re: Virus discovered in file from WUARCHIVE.WUSTL.EDU (PC)
[email protected] (System Manager) writes:
>Today I downloaded a file from WUARCHIVE.WUSTL.EDU (one of the
>mirroring ftp sites). Filename is
>/mirrors/garbo.uwasa.fi/screen/grabsc11.zip When I tried to run
>GRABSCRN.COM from this zip file, Norton Antivirus TSR reported that
>the file is infected with Wonder-2 virus. F-PROT did not report a
>virus. I sent mail to the person who maintains garbo.uwasa.fi and
>received an answer that he is out of town till July 27. This means,
>the file will not be tested/removed from garbo until then. Has anyone
>downloaded this file before ? What happened ?
I downloaded this file, but was unable to find any infection in GRABSCRN.COM
or in the .EXE file (RAW2GIF.EXE). I scanned it with NAV 2.0 and McAfee's
SCAN v93. I then downloaded F-PROT 2.04a and VIRX 2.3 from WUARCHIVE and
tried them...still couldn't find the virus. From the information I have on
the Wonder (and Wonder-2) virus, it only infects .EXE files (that was why
I played with RAW2GIF.EXE). I then tried the two executable files with NAV
resident in memory...it still didn't detect it. Then I looked closely at
them with the Norton Utilities DISKEDIT program. About the only similarity I
can find with these files and the WONDER virus is that they were both written
in Borland C++.
What version of NAV are you running? Do you have any other TSRs loaded?
It could be that GRABSCRN combined with something else you have loaded in
memory may be causing a false alarm. Hope this helps!
Bill Hadley
PS. I downloaded GRABSC11.ZIP from WUARCHIVE too...so I was playing with the
same file that you downloaded.
- --
William L. Hadley | User Support Center Specialist
The MITRE Corporation | Internet:
[email protected]
7525 Colshire Drive, MS W130 | UUCP: linus!mitre.org!wlhadley
McLean, Virginia 22102-3481 | My opinions! Do you hear? MINE!!!!
------------------------------
Date: Mon, 27 Jul 92 17:00:16 -0700
>From:
[email protected] ()
Subject: Virus Question re printer, floppy problems (PC)
Is there any virus that can cause an IBM-compatible to be blind to the
printer (it thinks that an online printer is offline) and to the
changing of floppies (showing previous floppy contents after replacing
a floppy with another with different contents).
Any comment is appreciated. Thanks a lot.
- -Tuan
------------------------------
Date: Mon, 27 Jul 92 18:23:42 +0100
>From:
[email protected] (Tim Martin; FSO; Soil Sciences)
Subject: Re: WARNING - Virus Creation Laboratory (PC)
[email protected] (Neal Miller) writes:
> Oh for crying out loud... Just what we need... A
>Virus-Construction Kit for beginners... I hope that McAfee gets their
>hands on this package ASAP, if not sooner. Here's an idea... Could
The package has already been forwarded to Frisk, McAfee, etc.
I will not send it to anyone else, so don't bother asking. :)
>someone conceivably write a virus that will seek out and destroy such
>a V.C.L. based on unique strings within the program? Just an idea...
Technically, yes. Ethically, morally, no. An idea, yes, a good one,
no. A virus designed to destroy other viruses might easily become
more of a problem than the viruses it seeks to destroy. Depending on
how one defines "virus", one might argue a case for "good" viruses,
but that debate doesn't include viruses designed to seek out and
destroy one another. Playing "core wars" in real cyberspace is not a
good idea. :)
Tim
-------------------------------------------------------------
Tim Martin *
Spatial Information Systems * These opinions are my own:
University of Alberta * My employer has none!
[email protected] *
-------------------------------------------------------------
------------------------------
Date: Tue, 28 Jul 92 02:36:31 +0000
>From:
[email protected] (McAfee Associates)
Subject: Common misconception (was: Re: VET as good as Viruscan? (PC))
[email protected] (Anthony Naggs) writes:
<message deleted>
>Oh, while I am being rude about McAfee, any suggestions as to what
>will happen to Viruscan if the "big one" hits LA?
This is a quite common misconception that I would like to clear up.
McAfee Associates is located in Santa Clara, a city at the southern
end of the San Francisco Bay. We are some 330 miles (530km) north of
Los Angeles, about the distance from London to Luxembourg or Perth to
Rawlinna.
Any geologic activity (flooding, earthquakes, giant radioactive ants
from the bowels of the earth, etc.) affecting Los Angeles is not going
to have any physical impact on the northern portion of California.
In case of an earthquake or other event that leaves us stranded
without power for several days, we do have enough laptops to keep the
programmers working although we will have to shut down our technical
support, customer support, order processing, and other non-essential
(well, lower priority, perhaps) services. Of course, given that our
communication links (fax, telephone, BBS, internet, postal mail) will
be down anyway until the restoration of services, these may not have
as much impact as you thought.
Oh, we do also have a network of agents both domestic (inside the U.S.
and Canada) and international, so anyone could contact them for
support, etc., but the home office would be down for a day or two
(during the October, 1990 earthquake, we were "disconnected from the
electronic world" for about 36 hours).
Regards,
Aryeh Goretsky
McAfee Associates Technical Support
- --
- - - -
McAfee Associates | Voice (408) 988-3832 |
[email protected] (business)
3350 Scott Blvd, Bldg 14 | FAX (408) 970-9727 | ObQuote: "Log... from Blammo"
Santa Clara, California | |
95054-3107 USA | BBS (408) 988-4004 | CompuServe ID: 76702,1714
ViruScan/CleanUp/VShield | USR Courier DS 14.4Kb| or GO VIRUSFORUM
------------------------------
Date: 28 Jul 92 06:43:33 +0000
>From:
[email protected]
Subject: Stoned and Michaelangelo (PC)
Hello All,
I had two odd infections occur in my office in the last 2 days.
Two computers both appeared to have Michaelangelo when run through
Vi-Spy, but appeared to have Stoned when run through SCAN. Neither
detector took notice of both. Any idea or similar experience ?
- J. Schiffman
The Wharton School
Univ. of Pennsylvania
Phila., Pa
[email protected]
------------------------------
Date: Tue, 28 Jul 92 04:09:03 -0400
>From: G J Scobie <
[email protected]>
Subject: Re: Virus discovered in file from WUARCHIVE.WUSTL.EDU (PC)
> From: System Manager <
[email protected]>
>
> Today I downloaded a file from WUARCHIVE.WUSTL.EDU (one of the
> mirroring ftp sites). Filename is
> /mirrors/garbo.uwasa.fi/screen/grabsc11.zip When I tried to run
> GRABSCRN.COM from this zip file, Norton Antivirus TSR reported that
> the file is infected with Wonder-2 virus. F-PROT did not report a
> virus. I sent mail to the person who maintains garbo.uwasa.fi and
> received an answer that he is out of town till July 27. This means,
> the file will not be tested/removed from garbo until then. Has anyone
> downloaded this file before ? What happened ?
Hi there,
Just for your info I have downloaded the above file this morning and
F-PROT 2.04 and Bates v3.37 report the unzipped files as being clean.
I received two copies of this digest in my mail this morning - can't
get too much of a good thing I suppose :-)
Cheers
Garry Scobie
EUCS LAN Support
Edinburgh University Computing Service
Scotland
------------------------------
Date: 28 Jul 92 08:43:59 +0000
>From:
[email protected] (Fridrik Skulason)
Subject: Re: Scream information? (PC)
[email protected] (Nancy DeCourville) writes:
>Any information on a virus called Scream would be appreciated.
I know of one Scream virus - or "Screaming Fist" as it is also called.
There are at least five variants of it, 692, 696, 711 and 838 bytes
long (and one with a variable length). I have not yet written a
disinfector for the 838 byte variant, but I can handle the others.
As for the effects of the virus, I am not sure - I have only analysed
them minimally.
- -frisk
------------------------------
Date: 28 Jul 92 09:13:14 +0000
>From:
[email protected] (Fridrik Skulason)
Subject: Re: Virus discovered in file from WUARCHIVE.WUSTL.EDU (PC)
[email protected] (System Manager) writes:
>Today I downloaded a file from WUARCHIVE.WUSTL.EDU (one of the
>mirroring ftp sites). Filename is
>/mirrors/garbo.uwasa.fi/screen/grabsc11.zip When I tried to run
>GRABSCRN.COM from this zip file, Norton Antivirus TSR reported that
>the file is infected with Wonder-2 virus. F-PROT did not report a
>virus.
Ignore this - it is a false alarm. In fact, ignore everything NAV
says about the Wonder virus. The virus is written in C or Pascal, and
it seems they are just "detecting" a part of the run-time library.
- -frisk
------------------------------
Date: 28 Jul 92 09:07:26 +0000
>From:
[email protected] (Fridrik Skulason)
Subject: Re: F-PROT, Telecom, false positive ?? (PC)
RXB%
[email protected] writes:
>Situation - After receiving ftp'd *.zip files, I downloaded them
>from my mainframe VM session to my PC using Attachmate's Extra for
>Windows 3.22, under Windows 3.1. Then I ended my mainframe session and
>exited Windows. After unzipping the files onto a floppy, I scanned them
>using SCANv93, then Central Point Antivirus 1.2, and then F-PROT 204a.
>Central Point's VSAFE is loaded into memory as a tsr, the others are
>not. F-PROT gave a message indicating that the Telecom virus
>search pattern was found in memory
This is CPAV's fault - they leave the signature in memory. No other
major anti-virus producer has a similar compatibility problem with the
rest of the industry. In fact, even the CPAV manual says you should not
use other anti-virus programs with CPAV. The reason is simple - they
are responsible for too many false alarms. As it is generally a good
idea to use multiple scanners, the solution is quite simple - don't
use CPAV....combine a few other scanners - they all work
Of course anybody is free to use CPAV, but if you do, please don't use
any other scanner (including my own) on the same machine - you will
get problems.
>Is F-PROT the only one of the 3 that can scan *.zip files, not yet
>unzipped?
Uh - F-PROT can *not* scan .ZIP files....It can scan compressed
executables (PKLITE/DIET/ICE/LZEXE/EXEPACK), but not archives....
- -frisk
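Both false alarms in this digest (NAV reporting Wonder-2 in a clean C program, and F-PROT finding the Telecom search pattern that CPAV's VSAFE left in memory) come from the same weakness of raw byte-signature scanning. The following is an added example, not code from the digest or from any of the products discussed in it; every byte string, file image and signature in it is constructed for illustration. It shows a toy scanner, a "goodware" check that rejects a signature drawn from a compiler's run-time library, and a resident scanner that keeps its signature table XOR-encoded so that another product sweeping memory does not find the raw pattern.

```python
"""Signature false alarms: toy scanner, goodware check, encoded in-memory table.

Added example, not part of the digest or of any product discussed in it.
Every byte string below is constructed for illustration.
"""
from typing import Dict, List, Optional

# Constructed stand-in for a compiler run-time library prologue. Any program
# built with the same compiler carries these bytes, so a signature taken from
# here fires on clean software (the NAV/Wonder situation in the digest).
RUNTIME_LIBRARY_PROLOGUE = b"\x55\x8b\xec\x83\xec\x10\x56\x57\x1e\x06"

# Constructed bytes that only the (fictional) virus body contains.
VIRUS_ONLY_BYTES = b"TOY-VIRUS-MARK"

# Constructed clean programs built with that compiler (names from the digest,
# contents invented).
CLEAN_CORPUS: Dict[str, bytes] = {
    "GRABSCRN.COM": b"\xe9\x20\x00" + RUNTIME_LIBRARY_PROLOGUE + b"screen grabber body",
    "RAW2GIF.EXE": b"MZ" + bytes(30) + RUNTIME_LIBRARY_PROLOGUE + b"raw to gif body",
}

# Constructed infected sample: same prologue, virus body appended at the end.
INFECTED_SAMPLE = b"MZ" + bytes(30) + RUNTIME_LIBRARY_PROLOGUE + b"host body" + VIRUS_ONLY_BYTES


def scan(image: bytes, signatures: Dict[str, bytes]) -> List[str]:
    """Name every signature whose raw bytes occur anywhere in image."""
    return [name for name, sig in signatures.items() if sig in image]


def validate_signature(sig: bytes, clean_corpus: Dict[str, bytes]) -> List[str]:
    """Goodware check: list the clean files a proposed signature would match.

    An empty list means the signature is specific enough to ship.
    """
    return [name for name, image in clean_corpus.items() if sig in image]


def xor_encode(data: bytes, key: int) -> bytes:
    """Reversible byte-wise XOR; used to keep raw signatures out of memory."""
    return bytes(b ^ key for b in data)


class ResidentScanner:
    """A TSR-style scanner whose signature table sits in memory.

    With key=None the table is stored as raw bytes, so a second scanner that
    sweeps memory finds the pattern and reports the virus "in memory" (the
    Telecom/CPAV situation). With a key, only the encoded form is resident.
    """

    def __init__(self, signatures: Dict[str, bytes], key: Optional[int] = None):
        self.key = key
        self.table = {
            name: (sig if key is None else xor_encode(sig, key))
            for name, sig in signatures.items()
        }

    def memory_image(self) -> bytes:
        """What another product sees when it scans this scanner's memory."""
        return b"TSR-HEADER" + b"".join(self.table.values()) + b"TSR-TAIL"

    def scan(self, image: bytes) -> List[str]:
        """Decode each table entry on the fly and match it against image."""
        return [
            name
            for name, stored in self.table.items()
            if (stored if self.key is None else xor_encode(stored, self.key)) in image
        ]


if __name__ == "__main__":
    naive = {"Toy-Wonder": RUNTIME_LIBRARY_PROLOGUE}
    good = {"Toy-Wonder": VIRUS_ONLY_BYTES}
    print("naive signature on clean file:", scan(CLEAN_CORPUS["GRABSCRN.COM"], naive))
    print("goodware check, naive:", validate_signature(RUNTIME_LIBRARY_PROLOGUE, CLEAN_CORPUS))
    print("goodware check, specific:", validate_signature(VIRUS_ONLY_BYTES, CLEAN_CORPUS))
    plain, encoded = ResidentScanner(good), ResidentScanner(good, key=0x5A)
    print("raw table visible in memory:", scan(plain.memory_image(), good))
    print("encoded table visible in memory:", scan(encoded.memory_image(), good))
```

The goodware check is the step that would have caught the Wonder signature before release: a pattern that matches any file in a known-clean corpus is not a virus signature, whatever sample it was cut from. The encoded table is the fix for the in-memory problem Frisk describes; the raw pattern only ever exists transiently during a comparison, never as a resident byte string that another scanner can stumble over.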
------------------------------
Date: Tue, 28 Jul 92 12:32:39 +0000
>From:
[email protected] (Henrik St|rner)
Subject: Re: GIF viewer crashes system (was Re: an amazing problem...) (PC)
[after downloading a GIF viewer, the system crashed and now reports a
'drive c write protected' when booting]
You are running Stacker, and this message DOES come from stacker. When
a system crashes, that has a Stacker drive mounted, some allocation
errors can occur on the Stacker drive. If these cannot be fixed
automatically when booting, Stacker write protects the drive that has
the error. Note that drive C in your case is NOT the physical drive C,
but rather the drive that Stacker has compressed. Your physical C:
drive is called D:.
Solution: Run SCHECK to repair the Stacker drive, possibly also CHKDSK
/F. Reboot, and you should be running fine.
- --
Henrik Storner (
[email protected])
Dept. of Computer Science
Univ. of Copenhagen, Denmark.
------------------------------
Date: Tue, 28 Jul 92 08:50:41 -0400
>From:
[email protected]
Subject: Info on Intel's NLM? (PC)
In the next several weeks we will be looking at INTEL's NLM for our
servers. I've heard that it is a borderline product, but no
specifics. I would appreciate any information that any one would have
on this product.
Thanks Bruce
------------------------------
Date: Tue, 28 Jul 92 13:08:17 +0000
>From:
[email protected] (Lachlan Cranswick)
Subject: Re: VET as good as Viruscan? (PC)
[email protected] (Anthony Naggs) writes:
>David H. Ivens (
[email protected]) asks:
>> I have evaluated VET anti-virus software (Australia) and it seems a very
>> good alternative to the expensive Viruscan.
>>
>> Has anyone had problems with this software?
>>
>> We do not get a lot of viruses and are considering a site licence for VET.
>I haven't used VET, but I have talked to Roger Riordan (the author) at
>a couple of conferences and he certainly knows his stuff, both on
>viruses loose on Australia and effective techniques for anti-virus
>software. Better still for you he is also in Victoria and will
>provide good quality and timely support, two things which you may have
>problems with for Viruscan (esp being so far from LA).
We have a site licence for V give it to site staff to nice how you can
legitimately? give copies to site staff to install on their home
computers so any viruses they get from their
We are not on the cutting edge of pirate software etc that is a major
source of viruses so I do not encourage people to use the memory
resident parts of VET unless they expect nasty file viruses. The
memory resident part of VET can cause clashes and erratic behaviour
with some programs. If you read the manual you are prepared for it,
but just having VET.COM installed makes
VET is also very good at repairing the damage that a virus can cause
to a hard-disk.
Just having a site licence for an anti-viral program makes people aware
of the damage they can cause and makes them cautious - and thus we do not
have many infections (1 or 2 a year).
Another advantage of having a program installed on all PC's is that
people no longer blame viruses when their computers play up and
instead look for other software or hardware causes. Not too long ago,
it used to be very hard to convince PC users that their problem was
not virus related because of all the virus paranoia.
- --
Lachlan Cranswick - CSIRO _--_|\
[email protected]
Division of Mineral Products / \ +61 3 647 0367
PO Box 124, Port Melbourne 3207 \_.--._/
AUSTRALIA v
------------------------------
Date: Tue, 28 Jul 92 09:18:03 -0400
>From:
[email protected]
Subject: Re: McAfee GENP/GENY identification (PC)
In reference to Padgett's comments on McAfee's GENP / GENY virus
identification.
I must agree when you have several thousand PC's to keep CLEAN it's
almost imperative that you know what you're up against. This type
of identification process makes keeping any kind of useful stats very
difficult.
We ran into some factory sealed diskettes that were infected. Can you
imagine trying to talk to the service rep. "We know you're infected with
a virus, but we don't know what it is."
Bruce
------------------------------
Date: Tue, 28 Jul 92 13:11:45 +0000
>From:
[email protected] (Lachlan Cranswick)
Subject: Re: How do I reverse the effect(s) of Stoned ? (PC)
[email protected] (Bruno Berstel) writes:
>In brief : I got Stoned and now my hard disk has name D:. How can I correct
> this ?
>I have bought a modem to some unknown fellow; he gave me a floppy with
>Kermit on it. Well, not just Kermit. Stoned/Marijuana too. Since I'm
>new to the PC world (yes : another Unix/Mac baby -- in fact I grew up
>with MULTICS !), I didn't run no scanner on the infected disk. I woke
>up the day after with my hard disk named D:. Stop me here if there is
>no relation.
>>From what (I understand among what) I have been told by my scanner,
>Stoned sleeps in the boot sector of floppies and attacks hardies, but
>doesn't settle down on them. Of course I've erased it from the floppy
but the evil had been done. Not knowing what to do I "temporarily"
>notified to all my software that the hard disk was named D:.
Try the VET anti-viral program, unlike other programs it is very
good at repairing the damage this virus causes as well as cleaning
the virus off the hard-disk. Stoned is quite happy to exist on
a hard-disk which it slowly corrupts. Other anti-viral
programs can wipe the data on the hard-disk by not repairing
the damage Stoned has caused.
- --
Lachlan Cranswick - CSIRO _--_|\
[email protected]
Division of Mineral Products / \ +61 3 647 0367
PO Box 124, Port Melbourne 3207 \_.--._/
AUSTRALIA v
------------------------------
Date: Thu, 23 Jul 92 20:56:21 -0400
>From: Anthony Naggs <
[email protected]>
Subject: UK Computer Crime Unit
Over the last 3 months I've had reasonable access to the net and I
have been gradually collecting back issues of virus-l. I just came
across some mention in December 1990 of the UK Computer Crime Unit.
As there appeared to be little follow up I thought you may like to
know the situation, (as I understand it).
First there is no "UK" unit, in London the Metropolitan Police ("New
Scotland Yard") has a CCU of four officers and some clerks. In the
various police districts there are officers who are trained to have
some familiarity with computers. They will investigate reports, with
the assistance of technical people at the complaining company, other
experts or may refer (some politics in this one) to the CCU in London.
The CCU held a meeting in March 1991 of around 30 people,
optimistically called the National Computer Virus Strategy Group. The
main result was the report forms mentioned below. I hope that the CCU
workload will soon reduce, so that they will be able to arrange a
second meeting later this year.
Most incidents reported and investigated are computer assisted frauds
or cracking. The CCU is not well equipped to investigate virus
incidents, and would call on experts, such as myself, to give
technical assistance. The CCU has a scheme for reporting virus
incidents, if there is interest I'll post a copy of the forms to Ken
to make available for FTP.
The current purpose of the scheme is to gauge the number of incidents
& financial losses accruing. This will allow a case to be made to
the appropriate government agencies, (the Home Office and the
Department of Trade & Industry), for funding to expand the CCU and
support it in properly investigating these incidents. So if you want
to help them to do this you should report all UK virus incidents.
The CCU telephone number is 071 230 1176, virus related matters are
normally handled by Detective Constable Noel Bonczoszek. Ye olde
postal method: Computer Crimes Unit (CCU), 2 Richbell Place, LONDON
WC1X 8CD
No they don't read VIRUS-L/comp.virus, basically because with such a
small staff and a high work load they don't have the time to browse
and pick out the useful/interesting bits.
I can forward email to the CCU, though this would be a strictly
unofficial arrangement.
DISCLAIMER: This message is not an official statement, and any inaccuracies
or misrepresentation in this information is solely due to my
fallibility and misunderstanding.
Regards, Anthony Naggs
Internet:
[email protected] or
[email protected]
Janet:
[email protected] ( cbs%uk.ac.brighton.vms::amn )
or
[email protected] ( cbs%uk.ac.city::xa329 )
------------------------------
Date: 24 Jul 92 20:05:00 +0100
>From: <
[email protected]>
Subject: Computer Virus Catalog update
Computer Virus Catalog summer update available from VTC Hamburg:
FTP site: ftp.informatik.uni-hamburg.de
Address: 134.100.4.42
Login: anonymous
Password: your_name
Directory: pub/virus/texts/catalog
(other entries contain info on virus documents,
the CARO naming scheme, and info on CCC).
The following new files (in ASCII, will be zipped later) are available:
Index.792 (26 kB): Survey of all 243 classified viruses/
trojans and strains.
AmigaVir.792 (17 kB): Survey of all 64 classified AmigaVirs;
+Incognito,Traveller,2001.
MacVir.792 (27 kB): Survey of all 34 classified MacVirs;
+CODE252,INIT1984,MBDF-A,T4-A,T4-B.
MsDosVir.792 (88 kB): Survey of all 124 classified MsDosVirs;
+Akuku,Amoeba,Anthrax,Armagedon,BFD,
Groove,Hafenstrasse-2/-3,Halloween,Joshi,
Leningrad-543,Mummy 1.2,P-Check,Peach,
Seventh Son,SillyWilly Trojan/Virus,
VCS 1.0 Manta,VCS 1.1a,VCS 1.3 RUF,
XPEH-4016=CHREN-4016.
If you have no ftp access, please contact the author or Vesselin Bontchev
who will send the requested files (both on travel until mid-August).
With next CVC edition, a machine readable version will be available,
for direct retrieval, based on dBase III. To assist in retrieval, a
Clipper program will be downloadable (free-of-charge) from the server.
Generally, any critical and constructive remarks will be welcomed.
CVC editors: Klaus Brunnstein + Vesselin Bontchev,
Virus Test Center, University Hamburg, Germany
(July 24, 1992)
------------------------------
Date: 23 Jul 92 16:50:00 -0700
>From: Robert Slade <
[email protected]>
Subject: Jerusalem virus part 2 (CVP)
HISVIR4.CVP 920714
The "Jerusalem" virus - part 2
The history of the Jerusalem virus is every bit as convoluted as its
functionality and family. The naming alone is a fairly bizarre tale.
As mentioned before, it was originally called the Israeli virus.
Although considered unfair by some, it was fairly natural as the
virus had both been discovered and reported from Israel. (Although
the virus was reported to slow down systems that were infected, it
seems to have been the "continual growth" of EXE files which led to
the detection of the virus.) In an effort to avoid anti-semitism, it
was referred to by its "infective length" of 1813 bytes. For COM
files. For EXE files it was 1808 bytes. Sometimes. It varies
because of the requirement that the header of an EXE file is
divisible by 16. (All quite clear?)
One of the early infections was found to be in an office belonging to
the Israeli Defence Forces. This fact was reported in an Associated
Press article, and, of course, made much of. It also gave rise to
another alias, the I.D.F. virus.
When the virus was first discovered, it was strongly felt that it had
been circulating prior to November of 1987. The "payload" of file
deletion on Friday the 13th gave rise to conjecture as to why the
logic bomb had not "gone off" on Friday, November 13th, 1987.
(Subsequent analysis has shown that the virus will activate the
payload only if the year is not 1987.) The next following "Friday
the 13th" was May 13th, 1988. Since the last day that Palestine
existed as a nation was May 13th, 1948 it was felt that this might
have been an act of political terrorism. This led to another alias,
the PLO virus. (The fact that Israel celebrates its holidays
according to the Jewish calendar, and that the independence
celebrations were slated for three weeks before May 13th in 1988 were
disregarded. The internal structure of the virus, and the existence
of the sURIV viral programs seems to indicate that any political
correspondence is merely coincidence.)
Yet another alias is "sUMsDos", based upon text found in the virus
code itself. This was, on occasion, corrupted to "sumDOS".
The name "Jerusalem" has gained ascendancy, possibly due to the
McAfee SCAN program identification. (He certainly must be
responsible for the "B" designation for the "original" version.) Of
course, the great number of variants have not helped any. Because a
number of the variants are very closely based upon each other's code,
the signatures for one variant will often match another, thus
generating even more naming confusion. This confusion is not unique
to the Jerusalem family, of course, and is an ongoing concern in the
virus research community.
copyright Robert M. Slade, 1992 HISVIR4.CVP 920714
=============
Vancouver
[email protected] | "The client interface
Institute for
[email protected] | is the boundary of
Research into
[email protected] | trustworthiness."
User
[email protected] | - Tony Buckland, UBC
Security Canada V7K 2G6 |
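The column above notes that Jerusalem was first noticed through the "continual growth" of EXE files, and gives its infective lengths as 1813 bytes for COM files and 1808 bytes for EXE files, the latter varying because the EXE header must be a multiple of 16. The following is an added example, not from the digest or from Robert Slade's column: a size-based integrity check of the kind an administrator of the period could have run between two directory listings. The two byte counts are taken from the text; the assumption that the EXE variation comes from padding the host to the next 16-byte paragraph before the 1808-byte body is appended is mine, and the snapshot data is constructed.

```python
"""Size-growth integrity check modelled on how Jerusalem was first noticed.

Added example, not from the digest. The 1813 (COM) and 1808 (EXE) figures are
from the column above; the padding model for EXE files is an assumption.
"""
from typing import Dict, List, Tuple

COM_GROWTH = 1813   # infective length for COM files (from the text)
EXE_BODY = 1808     # bytes appended to EXE files (from the text)
PARAGRAPH = 16      # EXE headers are sized in 16-byte paragraphs

# Constructed directory snapshots: name -> size in bytes, taken on three days.
# REPORT.EXE grows twice by the pattern; SETUP.EXE grows by an unrelated
# amount (a legitimate update); NOTES.TXT is not executable.
SNAPSHOTS: List[Dict[str, int]] = [
    {"EDIT.COM": 4000, "REPORT.EXE": 10002, "SETUP.EXE": 8000, "NOTES.TXT": 512},
    {"EDIT.COM": 5813, "REPORT.EXE": 11824, "SETUP.EXE": 8000, "NOTES.TXT": 512},
    {"EDIT.COM": 5813, "REPORT.EXE": 13632, "SETUP.EXE": 9000, "NOTES.TXT": 600},
]


def expected_exe_growth(host_size: int) -> int:
    """Assumed model: pad the host to a 16-byte boundary, then append 1808 bytes.

    This yields 1808 when the host is already aligned and up to 1823 otherwise,
    which is the 'sometimes' in the column's description.
    """
    padding = (-host_size) % PARAGRAPH
    return padding + EXE_BODY


def growth_matches(name: str, old_size: int, new_size: int) -> bool:
    """True if the size change fits the per-file-type infective length."""
    delta = new_size - old_size
    upper = name.upper()
    if upper.endswith(".COM"):
        return delta == COM_GROWTH
    if upper.endswith(".EXE"):
        return delta == expected_exe_growth(old_size)
    return False


def compare_snapshots(before: Dict[str, int], after: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """Return (name, old, new) for each executable whose growth fits the pattern."""
    hits = []
    for name, old in before.items():
        new = after.get(name)
        if new is not None and new > old and growth_matches(name, old, new):
            hits.append((name, old, new))
    return hits


def repeated_growth(history: List[Dict[str, int]]) -> Dict[str, int]:
    """Count, per file, how many consecutive snapshots show pattern-matching growth.

    A count above 1 on an EXE file is the 'continual growth' that gave the
    original Jerusalem away.
    """
    counts: Dict[str, int] = {}
    for before, after in zip(history, history[1:]):
        for name, _, _ in compare_snapshots(before, after):
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for i in range(len(SNAPSHOTS) - 1):
        print(f"snapshot {i} -> {i + 1}:", compare_snapshots(SNAPSHOTS[i], SNAPSHOTS[i + 1]))
    print("growth events per file:", repeated_growth(SNAPSHOTS))
```

Size alone is a weak integrity signal: it only catches appending infectors that do not conceal the change, and a legitimate update can by chance grow a file by a matching amount. A real integrity checker records a content hash per file alongside the size, so that any modification is visible regardless of how many bytes it adds; the size pattern then serves to name a likely culprit, not to decide whether a file changed.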
------------------------------
End of VIRUS-L Digest [Volume 5 Issue 133]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253