[comp.sys.ibm.pc] Jerusalem B virus found

HJW2@PSUVM.BITNET (12/08/89)

                   How I got Jerusalem virus in my computer
                         A user's nightmare came true

            (88 lines long, anything longer than that would be VIRUS...)


To make a short story long, let me go back to some day in late September....

     I was playing with my computer, as usual, and my wife was doing her work
in the kitchen, as usual.  I was using PC Tools to copy some of my files from
the hard disk to a floppy, and when I went back to the root directory in C:, I saw
an empty file that was new and weird to me.  It looked like this in PC Tools:

     Filename      File length   Attribute    Date

     gEgEgEgE.gEg       0          .SR.     11/07/14

Since I have deleted countless files using PC Tools, I tried the same way to
select that file and delete it.  To my surprise, PC Tools responded "File not
Found".  So I said to myself: "It must be the problem of zero length." and
tried to write something to it so I could delete it, and you know, it didn't
work that way.  And the strange thing was that whenever I changed its
attribute by using the Edit/View function, it didn't work as it was supposed to.

     So I kept that file and forgot it until someone on campus (or the Wall Street
Journal) brought up the issue of October 13th and the computer virus attack.  I
went to 12 Willard to get a scanv4 disk and used it to scan my hard disk
at least 13 times and did not spot a virus.  I was still nervous about the
virus attack, so I got another virus protection program (Flushot, in case it
matters) and checked the hard disk again and again and again until my wife
reminded me to do homework.  I survived the virus hit in October.

     Before the first snow in November, about three weeks ago, I booted up the
machine as usual and pressed the turbo switch when I noticed the slow speed of
the computer checking my Intel Aboveboard memory.  The computer suddenly went nuts
for the first time since I bought it a year ago.  There was nothing on the
screen, the keyboard didn't respond, and the speaker beeped.  I powered off
and on again and the computer prompted me "8237 Error" and refused to work.  I
was nervous but not afraid.  Since I have played around with computers for a
while, I tore down my machine to check what might be the source of the error.  I
didn't find anything suspicious but the BIOS and DMA.  I went to a local computer
store and had my BIOS replaced and the computer worked again.  So I gave them
$35 for the Phoenix BIOS that worked wonders on my computer.

     But the honeymoon was soon over.  One day when I was using my primitive word
processor PFS:Professional Write, the computer hung on me without any warning.  I
lost the file I was editing and had to reboot again using the reset button, not
Ctrl+Alt+Del.  And after that, it hung from time to time whenever I changed
from editing a document to print or to spell check.  After a few days, I found out
I could not use turbo mode anymore; I had to stay in normal mode.  When I pressed
the turbo button to boost speed, it hung.

     Since I had just replaced the BIOS, I suspected the problem was in the DMA.  So I
brought my computer back to that local store after Thanksgiving and they said
that I needed a new motherboard because they could not fix the motherboard problem.
Because they were asking ONLY $200 for a new 12MHz 286 motherboard, I decided
to get it replaced.  Everything worked fine with the new board until I tried
to run Harvard Graphics; it hung again.  The same thing happened with Minitab and
the new PFS:Professional Write v2.0.  I questioned the store about the
compatibility of that kind of motherboard and got pissed off.  They claimed
that their motherboard had been running thousands of programs and had never
encountered an incompatibility problem.  So I tested everything I could, changing
to faster memory, changing to a different BIOS, changing the video board, and even
swapping hard disks.  I could not find the problem until one day I used
MAPMEM to see memory usage and saw an unknown program occupying about 1732k of
memory above the configuration and DOS command entries, and I realized that something
weird was going on.

     I immediately (well, the next day) got the virus detection disk from the office
and started checking my hard disk.  Boy, was I astonished!  I saw a warning
line as soon as I issued the SCAN command: SCAN file has been damaged....
In the next few minutes, I saw 50 of my command files were infected by the
Jerusalem B virus.  I used PC Tools to erase all infected files and got a map
of my hard disk to see if everything was OK.  But I saw some sectors marked
"unremovable" where they should have been "usable" space.  And I realized that the
only way to get rid of the virus would be reformatting my entire hard disk.
So I did.  I am glad I had a backup for every program I had on the hard
disk.

     Now that all the viruses are gone, except one that I keep on a floppy as a
memento or for future research use, I have started thinking about where I got this little
virus.  There are only two places: PCLIB at Penn State or that computer store.
I cannot think of any other sources except these two.  The weird file with 0
bytes that could not be removed came from some file in PCLIB, but I had checked every file
before October 13 and found no virus.  After that date, I have not downloaded
anything.  On the other hand, every weird thing started after I replaced the BIOS
and used testing software from the computer store.  It's also possible that
the virus is attached to some file that the store has.  I will post the problem in
netnews and let some experts answer this question.  If anything
interesting comes out, I will summarize and post it.

-------
                                                    GOOD   BYE !
                                                   _____    ___
H. WU       HJW2@PSUVM.BITNET                       _|_    |___|
            DEPARTMENT OF BUSINESS LOGISTICS       |_|_|   |___|
            THE PENNSYLVANIA STATE UNIVERSITY     _|_|_|_  |___|
                                                   |   |   _/ |__|
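The check that would have caught this long before the motherboard was swapped is a file-integrity baseline: a file infector like Jerusalem B has to modify the executables it spreads through, so recording the size and hash of every .COM/.EXE on a known-clean system and rechecking later flags the change without any virus signature. The script below is an added example, not code from the post above nor from SCAN, Flushot, PC Tools or MAPMEM; the file names, file contents and the size of the simulated appended payload are constructed for the demonstration.

```python
"""Baseline-and-recheck integrity check for DOS-style executables.

Added example, not code from the original post. A file infector modifies
existing .COM/.EXE files; recording each file's size and SHA-256 digest on
a known-clean system and rechecking later flags any executable that has
changed, without needing a signature for the particular virus. The
directory layout, file contents and payload size below are constructed.
"""
import hashlib
import json
import os
import tempfile

EXEC_SUFFIXES = (".com", ".exe")


def fingerprint(path):
    """Return (size, sha256 hex digest) for one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return os.path.getsize(path), h.hexdigest()


def build_baseline(root):
    """Walk `root` and fingerprint every executable; keys are paths relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXEC_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root)
                size, digest = fingerprint(full)
                baseline[rel] = {"size": size, "sha256": digest}
    return baseline


def recheck(root, baseline):
    """Compare the current tree with a stored baseline.

    Returns a dict of findings keyed by relative path. An infector that
    appends its body shows up as 'grown'; one that patches in place shows
    as 'modified'; missing and newly appeared executables are reported too.
    """
    findings = {}
    current = build_baseline(root)
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings[rel] = "missing"
        elif new["sha256"] != old["sha256"]:
            if new["size"] > old["size"]:
                findings[rel] = "grown by %d bytes" % (new["size"] - old["size"])
            else:
                findings[rel] = "modified"
    for rel in current:
        if rel not in baseline:
            findings[rel] = "new executable"
    return findings


def demo():
    """Constructed scenario: clean baseline, then one .COM file gets a payload appended."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for a DOS root directory; contents are arbitrary bytes.
        for name, body in (("COMMAND.COM", b"\xe9\x10\x00" + b"\x90" * 300),
                           ("PCTOOLS.EXE", b"MZ" + b"\x00" * 500),
                           ("README.TXT", b"not an executable")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)
        # Round-trip through JSON, as a real baseline kept on a clean floppy would be.
        stored = json.loads(json.dumps(baseline))

        # Simulate a file infector appending its body to one executable.
        with open(os.path.join(root, "COMMAND.COM"), "ab") as f:
            f.write(b"X" * 1813)  # constructed payload size, for illustration only

        return sorted(stored), recheck(root, stored)


if __name__ == "__main__":
    tracked, findings = demo()
    print("tracked:", tracked)
    for rel, what in sorted(findings.items()):
        print("%-14s %s" % (rel, what))
```

The baseline is only trustworthy if it was taken on a clean system and stored where the infector cannot reach it (a write-protected floppy, in 1989 terms), and the recheck must be run from a clean boot, since a resident virus can hide the modification from any program it loads underneath.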

poffen@molehill (Russ Poffenberger) (12/12/89)

In article <89342.011130HJW2@PSUVM.BITNET> HJW2@PSUVM.BITNET writes:
>
>                   How I got Jerusalem virus in my computer
>                         A user's nightmare came true
>
>            (88 lines long, anything longer that would be VIRUS...)
>
>
>To make a short story long, let me go back to some day in late September....
<stuff deleted>

To be safe in the future, keep a bootable copy of your OS on floppy. Whenever
you suspect something funny, boot off the floppy and see if the problem goes
away. This could save a lot of headaches by not assuming bad hardware and
spending a lot of money.


Russ Poffenberger               DOMAIN: poffen@sj.ate.slb.com
Schlumberger Technologies       UUCP:   {uunet,decwrl,amdahl}!sjsca4!poffen
1601 Technology Drive           CIS:    72401,276
San Jose, Ca. 95110
(408)437-5254