Date: Fri, 7 Aug 1992 09:12:01 -0400
Message-Id: <[email protected]>
Comment: Virus Discussion List
Originator: [email protected]
Errors-To: [email protected]
Reply-To: <[email protected]>
Sender: [email protected]
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: Kenneth R. van Wyk <[email protected]>
To: Multiple recipients of list <[email protected]>
Subject: VIRUS-L Digest V5 #136
VIRUS-L Digest   Thursday,  6 Aug 1992    Volume 5 : Issue 136

Today's Topics:

Re: Stoned and Michaelangelo (PC)
Re: McAfee Products (PC)
victor charlie (PC)
F-Prot and Stoned (No-Int) Virus (PC)
Watchdog conflict with sprint (PC)
Write Protect Drive C: (PC)
DRAGON VIRUS found!!! (PC)
Virus discovered in file from WUARCHIVE.WUSTL.EDU (PC)
Stoned and Michaelangelo (PC)
Re: McAfee GENP/GENY identification (PC)
Integrity Master Forwarded from Fidonet (PC)
Re: write protect on C: (PC)
Problem with SHARE and VSHIELD (PC)
MS-DOS 6.0 with Anti-Virus ? (PC)
BIOS level MBR protection (PC)
YASAS (yet another stupid article story)
Re: Virus BBS List?
Re: Jerusalem virus (CVP)
Jerusalem part 3 (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name.  Send contributions to [email protected].
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<[email protected]>.

  Ken van Wyk

----------------------------------------------------------------------

Date:    Wed, 29 Jul 92 20:08:56 +0000
From:    [email protected] (Robert Slade)
Subject: Re: Stoned and Michaelangelo (PC)

This really isn't very odd, since Michelangelo is a "version" of
Stoned.  I have seen SCAN report Michelangelo as Stoned at times.
Which version of SCAN are you running?

It is, of course, possible that this is a modification of Michelangelo
or Stoned which is similar enough to the original to be "found", but
identified differently by different scanners.

Overall, though, I'd go with the Vi_Spy id.

=============
Vancouver      [email protected]         | "Remember, by the
Institute for  [email protected]      |  rules of the game, I
Research into  [email protected]         |  *must* lie.  *Now* do
User           [email protected]         |  you believe me?"
Security       Canada V7K 2G6           |    Margaret Atwood

------------------------------

Date:    Wed, 29 Jul 92 06:18:00 -0400
From:    [email protected] (James Roy)
Subject: Re: McAfee Products (PC)

TO: [email protected] (Fridrik Skulason)

FS>Well, if you define "scanner" as using only simple signature search,
FS>this is correct - such a scanner will only detect viruses it knows or
FS>variants of it.  However, some "scanners" now include the ability to
FS>find non-specific virus-like code, and this approach does enable the
FS>scanner to find around 90-95% of NEW viruses.

Agreed that scanners are becoming more sophisticated.  The 5-10% is
still somewhat disturbing.

I had sent a message to you earlier wondering if you had given thought
to increasing your penetration of Canadian Federal Government market by
having an agent here.  Did you receive the message?
---
. OLX 2.1 . Proofread carefully to see if you any words out.

------------------------------

Date:    Wed, 29 Jul 92 06:11:00 -0400
From:    [email protected] (James Roy)
Subject: victor charlie (PC)

MEB>Subject: victor charlie (PC)

MEB>Has anyone ever used Victor Charlie and have any opinions?  We are
MEB>thinking of using it opposed to McAfee's Scan and Clean.

I am a distributor of Victor Charlie in Canada.

It takes a radically different approach to virus control than McAfee's
products.  It is a generic product which looks for virus activity and
can detect all viruses even those previously unknown.

It has a range of utilities the most useful of which are:

 - a quick (3 second) routine which runs bait files and checks key
 files and areas to detect active viruses.  Once detected the signature
 of the virus is captured in real time and a reboot is forced to purge
 it from memory.  Because of this feature you do not have to depend on
 updates from the developer nor risk extensive damage to your files due
 to a virus unknown to the version of the scanner you have;

 - an audit routine that allows you to record encrypted checksums of
 all your executable files and later run a comparison.  This will
 detect all changes to files and allow you to track down elusive
 viruses;

 - a low level AI routine to learn from each new virus detected and
 develop methods for detecting viruses within that "family" of viruses.

VC is a highly secure product designed to foil viruses which may be
specifically written to attack it.

It currently does not use a TSR due to the vulnerability of TSR virus
monitors to such targeted viruses.  VC's checks are easily put into your
applications menu or batch files which allow it to be run automatically
(and silently) frequently during your computing day.

It is, one might say, a scanner in reverse.  Rather than relying on
scanning new files for viruses which the scanner knows about, VC is run
after a new application is run to see if any viruses have gone active.

VC does have a scanner which it updates itself.  One can use it for
scanning new files but it is primarily used for tracking down a
virus once detected by the method described above.

Given the stealth viruses and polymorphic viruses which are out there,
scanners are becoming more and more limited in their effectiveness.

VC retails for $139 and requires no updating.

It is distributed in the States by Computer Security Associates at
(803)-796-1935 and in Canada by Lannatec Associates Inc, 166 Anna
Avenue, Ottawa, Ont. K1Z 7V2 tel (613)-724-5978.
---
. OLX 2.1 . I'm in shape ... round's a shape isn't it?

------------------------------

Date:    Thu, 30 Jul 92 16:44:46 +0000
From:    [email protected] (Michael Ciarfello)
Subject: F-Prot and Stoned (No-Int) Virus (PC)

We are evaluating F-Prot.  I saved a copy of the No-Int Stoned virus
on a floppy disk for later testing.  When using F-Prot on the disk, it
says it can not clean the virus because it can not locate the original
boot-sector.

The No-Int Stoned virus is about the only virus that gives us trouble
around here.  Does anyone have any experience with cleaning up Stoned
with F-Prot?

We have a program to restore the boot-sector of the hard disk from a
good copy of it, but it doesn't work to restore floppy disks.

----------------------------------------------------------------------------
Michael Ciarfello                         Internet:  [email protected]
State Univ. of NY at Albany               Bitnet:    mike@albnyvms
Student Computer Consultant/Computer Science Major

------------------------------

Date:    30 Jul 92 23:15:44 -0000
From:    [email protected] (Mr. Christopher C.J. Martin)
Subject: Watchdog conflict with sprint (PC)

Borland's word processor sprint writes to a swap file every few seconds
and watchdog interrupts each attempt to write and will not allow you to
continue.

Has anyone come across this problem?

Must I chain up my watchdog?

Chris Martin

[email protected]

------------------------------

Date:    Thu, 30 Jul 92 22:06:26 -0400
From:    [email protected] (TEMPO BBS Operations Manager)
Subject: Write Protect Drive C: (PC)

This is for [email protected].......

As to your problem about your c: drive being write protected,  I have
encountered this before myself.  The problem would appear to be with your
compression system Stacker.

Apparently, if you have stacker set up to swap C: and D: at boot up so that
c: is the stacked drive, and the contents of config.sys get messed up, then
you will not be able to write to your boot drive C:.  The only way that I
found to correct this was to reformat the hard drive.

Anyone else have any ideas??

-----------------------------------------------------------------------------
Brian C. Boorman  [email protected]
-----------------------------------------------------------------------------

------------------------------

Date:    Fri, 31 Jul 92 15:16:53 +0000
From:    [email protected] (Lt Sajid Rahim)
Subject: DRAGON VIRUS found!!! (PC)

I have just found a new virus which has been named appropriately
DRAGON since it contains a whole poem by the fantasy writer Anne
McCaffrey. The text is encrypted and it is as follows :

    Gone Away, Gone Ahead.
    Echo Away, dies unanswered.
    ....
    ...
    .... McCaffrey
         Dragon Riders of Pern.

I have yet to ascertain as to what its course of action is. I will
keep the group updated with the full disassembly report.

Sincerely

Sajid

--
---------------------------------------------------------------------
--   Sajid Rahim, Dept of Computer Science, Rhodes University,     --
--   Grahamstown, South Africa. Internet : [email protected] --
---------------------------------------------------------------------

------------------------------

Date:    Fri, 31 Jul 92 18:38:57 -0400
From:    Jimmy Kuo <[email protected]>
Subject: Virus discovered in file from WUARCHIVE.WUSTL.EDU (PC)

[email protected] (System Manager) writes:

>>Today I downloaded a file from WUARCHIVE.WUSTL.EDU (one of the
>>mirroring ftp sites). Filename is
>>/mirrors/garbo.uwasa.fi/screen/grabsc11.zip When I tried to run
>>GRABSCRN.COM from this zip file, Norton Antivirus TSR reported that
>>the file is infected with Wonder-2 virus.  F-PROT did not report a
>>virus.

to which Fridrik replies:

>Ignore this - it is a false alarm.  In fact, ignore everything NAV
>says about the Wonder virus.  The virus is written in C or Pascal, and
>it seems they are just "detecting" a part of the run-time library.

I want to thank Fridrik for answering this so the discussion can be cleared
up.  This posting is to fill in all the details.

The Wonder-2 false-id situation existed for the original June update.
Upon hearing of the false-id situation, a subsequent update was released
which does not have the problem in it.  The original June update would be
20A04.DEF or 15A09.DEF (depending on whether you're using 2.0 or 1.5).
Loading any updates beyond 04 for 2.0 or 09 for 1.5 will remove this
problem from your system.  We are about to release (or have already released
by the time this posting is made) the August update set which are 20A07 and
15A12, respectively.

Jimmy Kuo                                       [email protected]
Norton AntiVirus Research

------------------------------

Date:    Fri, 31 Jul 92 06:14:00 -0400
From:    [email protected]
Subject: Stoned and Michaelangelo (PC)

TO: [email protected]

SC>        I had two odd infections occur in my office in the last 2 days.
SC>Two computers both appeared to have Michaelangelo when run through
SC>Vi-Spy, but appeared to have Stoned when run through SCAN. Neither
SC>detector took notice of both. Any idea or similar experience?

The Michaelangelo (actually spelled Michelangelo) is simply a hacked
version of the Stoned virus (which has 18 or more offspring according
to Patricia Hoffman's VSUMX205).

Either your two different scanners are picking up different pieces of
code, VI-Spy recognizing a part of the code which is found in
Michelangelo and SCAN (which version?) picking up code which is found
in both Stoned and Michelangelo, or what you may have is a new variant
which is neither one but still detectable by scanners looking either
for the Stoned or Michelangelo.  The virus hacker was not too skillful,
as with just a little more work, he or she might have made it
invisible to both scanners.

Some scanning software also uses some heuristic techniques to find
families of viruses and this is what may be happening here.

Scanning is a very imperfect art as viruses can be hacked to fool
scanners.
---
. OLX 2.1 . The first myth of management is that it exists.

------------------------------

Date:    Fri, 31 Jul 92 06:05:00 -0400
From:    [email protected]
Subject: Re: McAfee GENP/GENY identification (PC)

TO: [email protected]

OB>In reference to Padgett's comments on McAfee's GENP / GENY virus
OB>identification.

OB>I must agree when you have several thousand PC's to keep CLEAN it's
OB>almost imperative that you know what you're coming against.  This type
OB>of identification process makes keeping any kind of useful stats very
OB>difficult.

I certainly agree that IDEALLY one would like to identify the exact
virus and be able to read up about it and also have a utility to clean it
out of the system.

However, in practice, there are too many viruses coming out for any
anti-virus company to keep up, you risk not getting updates in time even
if available, cleaning is not 100%, new polymorphic viruses are
self-mutating and as they improve will become invisible to scanners and
other heuristic techniques.

Rather than look for the perfect scanner, one should accept their
limitations and only use them as gross filters for incoming software.

Generic protection virus control is essential in a modern computing
environment.  There are a number of products in this category including
TSR virus monitors and integrity checkers.

Our firm distributes Victor Charlie which can deal with all known and
unknown viruses.

Generic products do not identify the virus, they just detect it and
purge it from the system.
---
. OLX 2.1 . Jim Roy - Tel. (613) 724-5978 Fax 729-8109

------------------------------

Date:    Sun, 02 Aug 92 06:32:27 +0100
From:    [email protected]
Subject: Integrity Master Forwarded from Fidonet (PC)

Msg #: 88    Area: SHAREWARE       Sent: 27 Jul 92  22:37:00
From: Wolfgang Stiller
  To: All
Topic: New Shareware anti-virus

Stiller Research announces release of Integrity Master(tm) version 1.23a

Integrity Master is ASP shareware providing complete, easy to use, data
integrity for your PC plus virus protection.  It can also be used to
provide file change management and security on your PC.  As well as
scanning for known viruses, it detects unknown viruses and unlike other
products will detect files which have been damaged but not infected by a
virus.  INTEGRITY MASTER PROTECTS YOU AGAINST ALL THREATS TO YOUR DATA
AND PROGRAMS NOT JUST VIRUSES!

This upgrade provides the following new features since version 1.22:

1) We added a new option to do nothing but scan programs in the current
  directory for known viruses.

2) The COMMANDS menu now contains an "uninstall" option to remove
  integrity data files from the directories on the current disk.  This
  allows you to easily remove protection from a disk.

3) We added three new command line options to scan files and system sectors
  for known viruses.  These parameters are:

 "/VA"  Check ALL files on a disk (not just executables).
 "/VO"  One time quick screening of programs on current disk.
 "/VR"  One time quick screening of programs in current directory.

 (REMINDER: Scanning by itself is not sufficient protection against
viruses!)

4) 35 new viruses and variants are identified by name.

To save space I'm listing just the executables included within the archive:

PKUNZIP (R)    FAST!    Extract Utility    Version 1.1    03-15-90
Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
PKUNZIP Reg. U.S. Pat. and Tm. Off.

Searching ZIP: I-M123.ZIP

Length  Method   Size  Ratio   Date    Time   CRC-32  Attr  Name
 -----  ------   ----- -----   ----    ----   ------  ----  ----
  2183  Implode   2151   2%  07-14-92  01:23  3da7f740 --w  GENVIR.EXE
102867  Stored  102867   0%  07-14-92  01:23  92f8d173 --w  IM.EXE
  3616  Implode   1899  48%  07-14-92  01:23  c8ad2af0 --w  IMCHECK.EXE
 60912  Stored   60912   0%  07-14-92  01:23  d2aac559 --w  SETUPIM.EXE
  1118  Implode   1011  10%  07-14-92  01:23  515b8205 --w  IMVIEW.COM

Integrity Master V1.23a was released on July 14th via SDN and also the
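
The "audit routine" described in the Victor Charlie post above (record keyed checksums of every executable, compare later) and the change detection Integrity Master advertises both rest on the same idea: a baseline taken while the disk is known-good, then a comparison that reports modified, new and missing programs. The following is an added illustration, not code from either product; it uses HMAC-SHA256 as the "encrypted checksum" (the key must be kept where a resident virus cannot read it, e.g. on a write-protected floppy), restricts itself to DOS-era executable extensions, and builds a throwaway directory tree with constructed files to show what an appending infection, a deletion and a newly dropped .COM look like to the audit.

```python
"""Integrity audit sketch: keyed digests of executables, taken once and re-checked later."""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

# DOS-era program file types; a checker of this kind ignores plain data files.
EXEC_SUFFIXES = {".exe", ".com", ".sys", ".ovl"}


def keyed_digest(path: Path, key: bytes) -> str:
    """HMAC-SHA256 over the file contents.

    A plain CRC (or an unkeyed hash) can be recomputed by anything that can
    read the file, so a virus aware of the checker could patch the stored
    value.  With a secret key the stored digest is useless without the key.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def take_baseline(root: Path, key: bytes) -> dict:
    """Walk the tree and record digest and size for every executable file."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"hmac": keyed_digest(p, key), "size": p.stat().st_size}
    return baseline


def audit(root: Path, key: bytes, baseline: dict) -> dict:
    """Compare the current tree against the baseline.

    Returns sorted lists of relative paths: 'modified' (digest changed, which
    covers both infection and silent corruption), 'new' (program that was not
    there at baseline time) and 'missing' (program that has disappeared).
    """
    current = take_baseline(root, key)
    modified = sorted(r for r in baseline
                      if r in current and current[r]["hmac"] != baseline[r]["hmac"])
    new = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    return {"modified": modified, "new": new, "missing": missing}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate an appending
    file infection of one program, deletion of another and a new .COM file."""
    key = os.urandom(32)  # in practice kept off the audited disk
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "DOS").mkdir()
        # constructed stand-ins for real programs (bytes are arbitrary)
        (root / "DOS" / "FORMAT.COM").write_bytes(b"\xe9\x10\x00" + b"\x90" * 200)
        (root / "EDIT.EXE").write_bytes(b"MZ" + bytes(510))
        (root / "README.TXT").write_bytes(b"not a program")  # ignored by the audit
        baseline = take_baseline(root, key)

        # Simulated changes between baseline and audit:
        with (root / "EDIT.EXE").open("ab") as f:   # bytes appended to a program
            f.write(b"\xcd\x21" * 100)              # (constructed, meaningless tail)
        (root / "DOS" / "FORMAT.COM").unlink()      # a program removed
        (root / "DOS" / "NEW.COM").write_bytes(b"\xc3")  # a program that appeared
        return audit(root, key, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s}: {paths}")
```

The baseline itself must also live off the audited disk (or be covered by the key), otherwise a program that can alter EDIT.EXE can alter the record of EDIT.EXE just as easily.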

------------------------------

Date:    Mon, 03 Aug 92 11:52:00 +1200
From:    "Mark Aitchison, U of Canty; Physics" <[email protected]>
Subject: Re: write protect on C: (PC)

[email protected] (Steven W. Smith) writes:
>>yesterday i downloaded a piece of software called NakedEye -- a p.d. gif
>>viewer -- when i tried to run it, the screen blanked and the system crashed,
>>but when i rebooted i got an error "drive c write protected" -- i am using
>>dos 5.0 and as far as i know (and as far as my manual says) you cannot write
>>protect a drive. although i am also running stacker and 4dos...
>
>   I've experienced the same thing using DR DOS 6.0 with disk
> compression. It was not virus-related in any way.  It's very likely
> that CHKDSK/F will put everything back in order.  I think that it's a
> nice feature to add the write protect if you subtly munge your disk,
> but it would be nice to clue the user in about using CHKDSK/F to clean
> up.

Yep, Stacker does exactly this when the disk is messed up, but you need a
special program (supplied with Stacker) to properly fix it, or you can copy
everything off to diskette while you can, then reformat the disk (not low
level, just clear the partition and re-install Stacker and your backed-up
software).  But don't trust the present copy of the files on the disk!
Hopefully you have a backup of everything.

Stacker and DRDOS's SuperStore do the same thing; it's just with SuperStore that
DRDOS's CHKDSK/F does the appropriate fixing (not very well, perhaps, but
consider that PKZIPFIX can't work miracles either).

So the message didn't come from a virus but I suspect the gif viewer has a bug!
The method of testing unknown programs - whether you are worried about a virus
or a bug - is to keep your valuable hard disk safe - ideally have a machine
somewhere you can practice on, or unplug your hard disk, or change the
partition table at the very least.

Mark Aitchison.

------------------------------

Date:    Mon, 03 Aug 92 11:11:34 -0400
From:    "Werner Ente 3-AUG-1992 15:55:13.39" <[email protected]>
Subject: Problem with SHARE and VSHIELD (PC)

Hi,

I am using Ms-Dos 5.0 (German-Version) and VSHIELD. When I start the SHARE
program and redirect the VSHIELD output to a file I get the following
result.

==================================
C:\>share
SHARE installiert

C:\>copy     autoexec.bat    nul
       1 Datei(en) kopiert

C:\>vshield                > nul
VSHIELD 4.9V91 Copyright 1989-92 by McAfee Associates.  (408) 988-3832
VSHIELD 4.9V91 is now installed.

C:\>copy     autoexec.bat    nul
Unzulässige SHARE-Operation

C:\>
==================================

This example works with different filenames too.
Has anyone an idea as to where this problem comes from? Is it a Microsoft
or a McAfee problem, or only my special problem?

Werner

.............
Werner Ente                      [email protected]
Institut für Weltwirtschaft      0431/8814277
Kiel, Germany

------------------------------

Date:    Tue, 04 Aug 92 10:00:46 -0400
From:    [email protected] (A. Padgett Peterson)
Subject: MS-DOS 6.0 with Anti-Virus ? (PC)

I see in the new PC-Week that MS-DOS 6.0 is scheduled to contain anti-
virus software from Central Point. Makes sense since MS & CP have been
working together for some time now & CP has a number of utilities in
MS-DOS 5.0.

Too bad that they have chosen the one product that is notorious for
leaving viral signatures scattered in memory, though hopefully that will
be fixed by the time 6.0 comes out, else MS support lines are liable to
be swamped with calls.

This is interesting in that back at the start of the year once again I sent
Microsoft copies of my BIOS stuff and suggested that the best place for it
would be in FORMAT, SYS, and FDISK. I received a nice letter back stating
that "it was not in MicroSoft's business plan..." be interesting to see
what actually ships...

                       Warmly (95 before the thunderstorms, 75 after),

                                               Padgett

------------------------------

Date:    Tue, 04 Aug 92 14:11:25 -0600
From:    [email protected] (Kevin Hemsley)
Subject: BIOS level MBR protection (PC)

Thuna Technologies has a BIOS upgrade called MR. BIOS(TM) which includes
an "Anti-Virus Feature" which when enabled, will trap writes to the Master
Boot Record.  Additionally, as with other BIOS manufacturers, the boot
sequence can be set to boot from C: first, or optionally, a screen
prompt which requests an explicit selection of the boot drive.

Vendors may be slow, but they are learning!

--
Kevin Hemsley                             | The cute message that used to
Information & Technical Security          | be here was destroyed by a
Idaho National Engineering Laboratory     | nasty .sig virus!
(208) 526-9322                            |
[email protected]                              | Please control your .sigs.

------------------------------

Date:    Sat, 01 Aug 92 13:18:54 -0700
From:    [email protected] (Robert Slade)
Subject: YASAS (yet another stupid article story)

Number 37 in the series, "Accuracy in the media":

        The Vancouver Sun, Saturday, August 1, 1992,
             "Ocean", p. A6 (continued from "Deep Dark Secrets", p. A1)

   "If that weren't enough, the computer software meant to help guide
   ROPOS developed a virus.  To the shock of the scientists watching the
   first nerve-wracking descent, the system suddenly froze and "Your
   system is stoned" flashed on the control room consoles."

Editors, The Sun
Fax: 732-2323

Gentlemen:

I am writing to correct some errors in your article "Deep Dark Secrets" (p. A1
and A6, Saturday, August 1, 1992).  I was quite interested in the article, and
would normally never dare to question the facts therein: oceanography is not my
field.

However, your mention of the virus in the computer needs some correction.
First of all, the "software meant to help guide ROPOS" did not "develop" the
virus.  (It was, in fact, written by a high school student in New Zealand about
four years ago.)  The virus would have been carried to the computer on a floppy
disk, probably unknowingly, by one of the people concerned with the project.
Secondly, the system did not suddenly "freeze", at least not because of the
virus.  This virus, most often referred to as "Stoned" because of the message,
does not stop systems.  (It will, with certain types of disks, overwrite the
pointers to some files.)  In all instances that I am aware of, the computer
would continue to function without interference to any programs.  Thirdly, the
message was "Your PC is now Stoned" (not "system") and it did not "flash" on
the screen.  If the message appeared at all, it was displayed when the computer
was turned on or "rebooted", and then only if a floppy disk, itself infected
with the virus, was in the A: drive of the computer at the time.

Why do I bring up these points at all?  They do not have anything to do with
the oceanographic studies.  However, the expedition could have lost valuable
data.  The tragedy would be that the virus infection could easily have been
prevented.  Unfortunately, media attention to computer viral programs is so
sparse (and so often inaccurate) that the general run of computer users have no
idea as to the danger, nor what steps to take to combat the problem.  At the
current time, a business with 200 PCs can expect to be hit by at least one new
virus infection every month, and the problem is growing rapidly.  The rapid
growth is primarily due to the fact that most computer users take no
precautions against viral programs, and those precautions are often
insufficient or directed against the wrong type of problem.

Hopefully, at some point accurate information about computer viral programs can
be promoted, and the threat will diminish almost to nothing.

Robert Slade
Vancouver Institute for Research into User Security

==============
Vancouver      [email protected]         | "It says 'Hit any
Institute for  [email protected]      | key to continue.'
Research into  [email protected]         | I can't find the
User           [email protected]         | 'Any' key on my
Security       Canada V7K 2G6           | keyboard."

------------------------------

Date:    Mon, 03 Aug 92 11:32:11 +0000
From:    m13079@mwunix (Mary Anne Walters)
Subject: Re: Virus BBS List?

[email protected] (Brian C) writes:
>Could someone please e-mail me a list of virus related bbs?

How about posting it?
--
--Mary Anne
"What we have once enjoyed and deeply loved we can never lose, for all
that we love deeply becomes a part of us."  Helen Keller
                                                [for Alexander]

------------------------------

Date:    Thu, 30 Jul 92 14:06:23 -0400
From:    Y. Radai <[email protected]>
Subject: Re: Jerusalem virus (CVP)

Robert Slade writes:
>A few things are common to pretty much all of the Jerusalem family.
                               .....
>Programs run after the program is resident in memory are infected by
>addition of the virus code to the end of the file, with a redirecting
>jump added to the beginning of the program.

This is accurate for infection of EXE files, but not for COM files.
For these the code is *prepended* to the file (at least in the case of
the original Jerusalem virus).

>The history of the Jerusalem virus is every bit as convoluted as its
>functionality and family.  The naming alone is a fairly bizarre tale.
>As mentioned before, it was originally called the Israeli virus.
>Although considered unfair by some, it was fairly natural as the
>virus had both been discovered and reported from Israel.  ....
>                        ....  In an effort to avoid anti-semitism, it
>was referred to by its "infective length" of 1813 bytes.  For COM
>files.  ....

I agree with almost everything here, but I think it's a bit presumptuous
to conclude that the reason for the name "1813" had anything to
do with avoiding anti-semitism.  To the best of my knowledge, this
name was first given to it by Alan Solomon, who at that time (1988)
gave a numeric name, based on the size of the added code, to *all*
file viruses.

>One of the early infections was found to be in an office belonging to
>the Israeli Defence Forces.  This fact was reported in an Associated
>Press article, and, of course, made much of.  It also gave rise to
>another alias, the I.D.F. virus.

I think you're confusing the Jerusalem with another virus here.  The
above story and name fit the Frodo (= 4096) virus.  To the best of my
knowledge, they do not fit the Jerusalem.

                                    Y. Radai
                                    Hebrew Univ. of Jerusalem, Israel
                                    [email protected]
                                    [email protected]
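
The exchange above describes how Jerusalem-style infection of EXE files works: the virus body is appended and the program's entry point is redirected to it. Scanners that look for "non-specific virus-like code" (as Fridrik's earlier comment puts it) exploit exactly that shape: in a clean MZ executable the header's CS:IP normally points near the front of the load image, whereas an appended body that must run first sits in the last kilobyte or two. The following added example, not code from any product or author on this page, parses the DOS MZ header fields (e_cblp, e_cp, e_cparhdr, e_ip, e_cs), resolves where the entry point falls in the file, and flags entry points that lie at the very end of, or outside, the declared image. It builds its own constructed sample executables; the 1813-byte tail is a nod to the infective length quoted above, not real virus code. Packed or overlay-bearing programs legitimately start execution late in the image, so this is a triage heuristic to be confirmed by an integrity check or a signature scanner, not a verdict.

```python
"""Entry-point heuristic for DOS MZ executables (appending-infector triage)."""
import struct
from dataclasses import dataclass


@dataclass
class MzInfo:
    image_size: int    # bytes DOS will load, from e_cp / e_cblp
    header_size: int   # e_cparhdr * 16
    entry_offset: int  # file offset of the first instruction (CS:IP resolved)
    file_size: int


def parse_mz(data: bytes) -> MzInfo:
    """Decode the fixed part of the MZ header (offsets 0x00-0x17)."""
    if len(data) < 0x18 or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    (e_cblp, e_cp, _e_crlc, e_cparhdr, _minalloc, _maxalloc,
     _ss, _sp, _csum, e_ip, e_cs) = struct.unpack_from("<11H", data, 2)
    # e_cp counts 512-byte pages including a partial last page; e_cblp is the
    # number of bytes used in that last page (0 means the page is full).
    image_size = e_cp * 512 - ((512 - e_cblp) if e_cblp else 0)
    header_size = e_cparhdr * 16
    # CS is relative to the start of the load module, which follows the header.
    entry_offset = header_size + e_cs * 16 + e_ip
    return MzInfo(image_size, header_size, entry_offset, len(data))


def assess(data: bytes, tail_bytes: int = 2048) -> dict:
    """Return the parsed header plus a list of human-readable findings."""
    info = parse_mz(data)
    findings = []
    if info.image_size > info.file_size:
        findings.append("header declares more bytes than the file holds (truncated/corrupt)")
    if info.entry_offset >= info.image_size:
        findings.append("entry point lies outside the declared load image")
    elif info.image_size - info.entry_offset <= tail_bytes:
        findings.append(f"entry point within last {tail_bytes} bytes of image: "
                        "typical of appending infectors (or of packers/overlays)")
    return {"info": info, "findings": findings}


def build_mz(code: bytes, entry_ip: int, entry_cs: int = 0, header_paras: int = 2) -> bytes:
    """Construct a minimal MZ file around `code` for demonstration purposes."""
    header_size = header_paras * 16
    total = header_size + len(code)
    e_cp, e_cblp = divmod(total, 512)
    if e_cblp:
        e_cp += 1
    hdr = b"MZ" + struct.pack("<11H", e_cblp, e_cp, 0, header_paras,
                              0, 0xFFFF, 0, 0x100, 0, entry_ip, entry_cs)
    return hdr.ljust(header_size, b"\0") + code


# Constructed samples.  STUB is "mov ah,4Ch / int 21h" (terminate program);
# the padding stands in for a 4 KiB program body.
STUB = b"\xb4\x4c\xcd\x21"
CLEAN_CODE = STUB + bytes(4092)
APPENDED = b"\x90" * 1813          # inert filler, sized like the page's "1813" figure
CLEAN_EXE = build_mz(CLEAN_CODE, entry_ip=0)
SUSPECT_EXE = build_mz(CLEAN_CODE + APPENDED, entry_ip=len(CLEAN_CODE))


def demo() -> dict:
    """Run the heuristic over both samples; returns {name: findings}."""
    return {name: assess(blob)["findings"]
            for name, blob in (("CLEAN_EXE", CLEAN_EXE), ("SUSPECT_EXE", SUSPECT_EXE))}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["no findings"])
```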

------------------------------

Date:    Fri, 31 Jul 92 17:37:49 +0000
From:    [email protected] (Robert Slade)
Subject: Jerusalem part 3 (CVP)

HISVIR5.CVP   920714

                  The "Jerusalem" virus - part 3

Although it is difficult to be absolutely certain about
pronouncements as to the provenance and family history of viral
programs, it is almost certain that the Jerusalem virus is, in fact,
two viral programs combined.  Among the Jerusalem "family" are three
"sURIV" variants (again, named for text in the code).  It is fairly
easy to see where "virus" 1, 2 and 3 come from.  sURIV 1.01 is a COM
file infector, COM being the easier file structure and therefore the
easier programs to infect.  sURIV 2 is an EXE only infector, and is
considerably longer and more complex code.  sURIV 3 infects both
types of program files, and has considerable duplication of code: it
is, in fact, simply the first two versions "stuck" together.

(Although the code in the sURIV programs and the "1813" version of
Jerusalem is not absolutely identical, all the same features are
present.  The date of the "payload" is April 1 in the sURIV variants.
There is also a "year" condition: some of the payload of the sURIV
variants is not supposed to "go off" until after 1988.)

Perhaps this explains the "popularity" of the Jerusalem virus as a
"template" for variants.  The code is reasonably straightforward and,
for those with some familiarity with assembly programming, an
excellent "primer" for the writing of viral programs affecting both
COM and EXE files.  (There is, of course, the fact that Jerusalem is
both "early" and "successful".  There are many copies of Jerusalem
"in the wild", and it may be simply availability that has made it so
widely copied.  Its "value" as a teaching tool may simply be an
unfortunate coincidence.)

Of course, not every virus writer who used the Jerusalem as a
template showed the same good taste and imagination in what they did
with it.  Not all of them even fixed the obvious flaws in the
original.  The "variations" tend to be quite simplistic: there are a
number of "Thursday the 12th", "Saturday the 14th" and "Sunday the
15th" programs.  (Some of the "copy cat" virus authors added errors
of their own.  One of the "Sunday" variants is supposed to delete
files on the "seventh" day of the week.  Unfortunately, or perhaps
fortunately for those of us in the user community, nobody ever
bothered to tell the author that computers start counting from zero
and Sunday is actually the "zeroth" day of the week.  The file
deletions never actually happen.)

copyright Robert M. Slade, 1992   HISVIR5.CVP   920714

==============
Vancouver      [email protected]         | "It says 'Hit any
Institute for  [email protected]      | key to continue.'
Research into  [email protected]         | I can't find the
User           [email protected]         | 'Any' key on my
Security       Canada V7K 2G6           | keyboard."

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 136]
******************************************