[comp.sys.ibm.pc] virus program/infection warning

hirayama@suvax1.UUCP (Pat Hirayama) (12/27/87)

Odds are that this notice may have been posted on the net already.  Nevertheless,
it is better safe than sorry.  I found this floating around on a local
BBS here in Seattle and thought that it might be best to send it out to all
of you out in net-land.

Isn't it fascinating that a notice posted onto BITNET from Bethlehem PA could
find its way off the BITNET, onto the Pacific NW IBM-PC User's Group
BBS in Seattle, then back onto the net again (this time USENET, though)?

-----(begin bulletin)-----

                    Virus Invades Lehigh University 
        
Last week, some of our student consultants discovered a virus program 
that's been spreading rapidly throughout Lehigh University.  I thought 
I'd take a few minutes and warn as many of you as possible about this 
program since it has the chance of spreading much farther than just our 
University.  We have no idea where the virus started, but some users have 
told me that other universities have recently had similar problems. 
        
The virus: the virus itself is contained in the stack space of COMMAND.COM. 
When a PC is booted from an infected disk, all a user need do to spread 
the virus is to access another disk via TYPE, COPY, DIR, etc.  If the 
other disk contains COMMAND.COM, the virus code is copied to the other 
disk.  Then, a counter is incremented on the parent.  When this counter 
reaches a value of 4, any and every disk in the PC is erased thoroughly. 
The boot tracks are nulled, as are the FAT tables, etc.  All Norton's 
horses couldn't put it back together again...  :-)  This affects both floppy 
and hard disks.  Meanwhile, the four children that were created go on 
to tell four friends, and then they tell four friends, and so on, and so on. 
 
Detection: while this virus appears to be very well written, the author 
did leave behind a couple footprints.  First, the write date of the 
COMMAND.COM changes.  Second, if there's a write protect tab on an 
uninfected disk, you will get a WRITE PROTECT ERROR...  So, boot up from 
a suspected virus'd disk and access a write protected disk - if an 
error comes up, then you're sure.  Note that the length of command.com 
does not get altered. 
        
I urge anyone who comes in contact with publicly accessible (sp?) disks 
to periodically check their own disks.  Also, exercise safe computing - 
always wear a write protect tab.  :-) 
        
This is not a joke.  A large percentage of our public site disks has 
been gonged by this virus in the last couple days. 
        
Kenneth R. van Wyk, User Services Senior Consultant,  
Lehigh University Computing Center   (215)-758-4988 
<LUKEN@LEHIIBM1.BITNET>  <LUKEN@VAX1.CC.LEHIGH.EDU> 
{RISKS-FORUM Digest  Monday, 30 November 1987  Volume 5 : Issue 67} 

-----(end bulletin)-----

					- Pat Hirayama
					- Seattle University

"No matter how large and standardized the marketplace is, IBM can redefine it."
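The two footprints the bulletin gives (the write date of COMMAND.COM changes, its length does not) amount to a baseline-and-compare integrity check, and they also show why a length-only check is useless against an in-place patch. The script below is an added example and is not part of the original post or of the Lehigh bulletin: it snapshots size, modification time and a SHA-256 digest for a list of files, reports which fields changed, and runs against a constructed 1 KiB stand-in named COMMAND.COM in a temporary directory that is patched in place the way the bulletin describes (same length, different bytes). The `patch_in_place` helper and the forced timestamp bump are assumptions made so the demo is deterministic on filesystems with coarse timestamps.

```python
"""Baseline-and-compare integrity check for files such as COMMAND.COM.

Added example, not from the original Usenet post or the Lehigh bulletin.
The 'infection' is a constructed in-place byte overwrite that keeps the
file length, so a size-only check stays silent while mtime and hash move.
"""
import hashlib
import os
import tempfile

FIELDS = ("size", "mtime_ns", "sha256")


def fingerprint(path):
    """Record the three things worth comparing: length, write time, content hash."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": digest}


def snapshot(paths):
    """Baseline for a set of files (e.g. every COMMAND.COM on a set of disks)."""
    return {p: fingerprint(p) for p in paths}


def compare(baseline, current):
    """Return {path: [changed fields]} for every file that differs or vanished."""
    findings = {}
    for path, base in baseline.items():
        cur = current.get(path)
        if cur is None:
            findings[path] = ["missing"]
            continue
        changed = [k for k in FIELDS if base[k] != cur[k]]
        if changed:
            findings[path] = changed
    return findings


def patch_in_place(path, offset, payload):
    """Hypothetical stand-in for the virus: overwrite bytes, length unchanged."""
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(payload)


def demo():
    """Build a constructed COMMAND.COM, baseline it, patch it, report the diff."""
    with tempfile.TemporaryDirectory() as d:
        cmd = os.path.join(d, "COMMAND.COM")
        with open(cmd, "wb") as f:
            f.write(b"\x00" * 1024)  # constructed 1 KiB file, not a real COMMAND.COM
        base = snapshot([cmd])

        patch_in_place(cmd, 512, b"VIRUS")  # same length, different content
        # A real write updates mtime by itself; it is forced forward by two
        # seconds here so the demo is deterministic on coarse-timestamp
        # filesystems where the baseline and the patch could share a tick.
        later = base[cmd]["mtime_ns"] + 2_000_000_000
        os.utime(cmd, ns=(later, later))

        return compare(base, snapshot([cmd]))[cmd]


if __name__ == "__main__":
    # Expected: ['mtime_ns', 'sha256'] -- size is unchanged, as the bulletin says.
    print(demo())
```

Two points the bulletin's advice does not state but this makes visible: a hash catches the patch even if an attacker later restores the original timestamp, and the baseline only has value if it was taken from a known-clean disk, which is why the bulletin's write-protect-tab trick (an infected host provokes a WRITE PROTECT ERROR when it tries to copy itself) is a useful independent check.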