dave@sun.soe.clarkson.edu (Dave Goldblatt) (03/31/88)
I just pulled this from my bulletin board...
---------------------------cut here--------------------------
TO: All
FROM: Wes Brzozowski
SUBJECT: New Trojan Virus
There's a new virus program that's been seen on the West Coast, that's a
lot nastier than the COMMAND.COM virus. This one doesn't need COMMAND.COM
to carry it. It inserts itself into the boot record of diskettes, and
takes 3 unused clusters, which it then marks as "bad" in the FAT. As
such, it doesn't show up in any DOS file. Booting up from such an
infected diskette will cause all subsequent diskettes to be infected. The
original program that carries the thing is no longer needed, and in fact,
no one seems to know what the original program is, so it could be here.

I've been given a deactivated copy of the virus for study, so I know that
this piece of trash really exists. It appears to only go for diskettes
(only infects the A & B drives), not hard drives. I haven't gotten far
enough to find out what nastiness it will eventually do. It seems that it
will change the volume labels of the diskettes to "(c) Brain". The boot
record contains a message to beware of this virus, and gives an address
(in Pakistan, no less!!) to write to for protection. This seems like a
joke, but there's always an outside chance that someone is trying to do
some extortion. An infected diskette will show three bad clusters if you
run a CHKDSK on it. (So says the person who made the virus available; I
have no intention of actually activating it to check this out.)

In any case, if you happen to see this weird volume label, or start
seeing bad clusters in your diskettes, or (most likely) both, let us all
know about it. We may be able to find the source of this virus, which
would be a great service to everyone. By the way, this virus looks for
two "inoculation bytes" in two normally unused bytes in the boot record.
It presently looks like setting these to the proper value will make the
virus ignore your diskettes. I'll give more details on these after I've
gone completely through the code and am absolutely sure I know what I'm
talking about. Until then, please keep your eyes open. Take care.
Wes B.
---
* Origin: * N I T E W I N G * 607_687_3470 * Owego,NY * (Opus 1:260/410)
SEEN-BY: 260/10 313 314 320 322 325 330 335 345 350 360 410
--
Internet: dave@sun.soe.clarkson.edu or: dave@clutx.clarkson.edu
BITNET: dave@CLUTX.Bitnet uucp: {rpics, gould}!clutx!dave
Matrix: Dave Goldblatt @ 1:260/360 ICBM: Why do you want to know? :-)
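The two indicators Wes describes, clusters marked "bad" in the FAT and a volume label of "(c) Brain", can both be read straight out of a diskette image without booting it, which is the check a cautious admin would want instead of running CHKDSK on a live machine. The script below is an added example, not code from the original post; it builds a constructed 360K FAT12 image in memory (sample data, not a real infected disk), then parses the BIOS parameter block, walks the 12-bit FAT to count clusters flagged 0xFF7, and reads the volume-label entry from the root directory. The post does not give the location or values of the "inoculation bytes", so the example does not check those.

```python
import struct

BRAIN_LABEL = "(c) Brain"   # volume label reported in the post
FAT12_BAD = 0xFF7           # FAT12 value marking a cluster as "bad"

def fat12_get(fat, n):
    """Read the 12-bit FAT entry for cluster n (entries are packed 1.5 bytes each)."""
    off = n + n // 2
    val = fat[off] | (fat[off + 1] << 8)
    return val & 0x0FFF if n % 2 == 0 else val >> 4

def fat12_set(fat, n, value):
    """Write the 12-bit FAT entry for cluster n without disturbing its neighbour."""
    off = n + n // 2
    if n % 2 == 0:
        fat[off] = value & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((value >> 8) & 0x0F)
    else:
        fat[off] = (fat[off] & 0x0F) | ((value << 4) & 0xF0)
        fat[off + 1] = (value >> 4) & 0xFF

def build_sample_image(bad_clusters=(), label="NO NAME"):
    """Constructed 360K FAT12 floppy image (sample data, not a real diskette)."""
    bps, spc, reserved, nfats, root_entries, total, spf = 512, 2, 1, 2, 112, 720, 2
    img = bytearray(total * bps)
    img[0:3] = b"\xEB\x3C\x90"          # jump + NOP as on a DOS boot sector
    img[3:11] = b"SAMPLE  "             # OEM name
    struct.pack_into("<HBHBHHBH", img, 11, bps, spc, reserved, nfats,
                     root_entries, total, 0xFD, spf)
    img[510:512] = b"\x55\xAA"          # boot signature
    fat = bytearray(spf * bps)
    fat[0:3] = b"\xFD\xFF\xFF"          # media descriptor + end-of-chain marker
    for n in bad_clusters:              # clusters the caller wants flagged bad
        fat12_set(fat, n, FAT12_BAD)
    for i in range(nfats):              # both FAT copies
        start = (reserved + i * spf) * bps
        img[start:start + len(fat)] = fat
    root = (reserved + nfats * spf) * bps
    img[root:root + 11] = label.encode("ascii").ljust(11)
    img[root + 11] = 0x08               # attribute: volume label
    return bytes(img)

def inspect_image(img):
    """Return bad-cluster count and volume label, plus a verdict on the two indicators."""
    bps, spc, reserved, nfats, root_entries, total, _media, spf = \
        struct.unpack_from("<HBHBHHBH", img, 11)
    fat_off = reserved * bps
    fat = img[fat_off:fat_off + spf * bps]
    root_off = (reserved + nfats * spf) * bps
    root_sectors = (root_entries * 32 + bps - 1) // bps
    clusters = (total - reserved - nfats * spf - root_sectors) // spc
    # data clusters are numbered from 2
    bad = sum(1 for n in range(2, clusters + 2) if fat12_get(fat, n) == FAT12_BAD)
    label = None
    for i in range(root_entries):
        e = img[root_off + i * 32:root_off + i * 32 + 32]
        if e[0] == 0x00:                # end of used entries
            break
        if e[0] == 0xE5:                # deleted entry
            continue
        attr = e[11]
        if attr & 0x08 and attr != 0x0F:   # volume label, not a long-name entry
            label = e[:11].decode("ascii", "replace").rstrip()
            break
    return {"bad_clusters": bad,
            "volume_label": label,
            "brain_label": label == BRAIN_LABEL,
            "suspicious": label == BRAIN_LABEL or bad > 0}

if __name__ == "__main__":
    clean = build_sample_image()
    marked = build_sample_image(bad_clusters=(2, 3, 4), label=BRAIN_LABEL)
    print("clean :", inspect_image(clean))
    print("marked:", inspect_image(marked))
```

Bad clusters on their own are not proof of anything, since a genuinely worn diskette will show them too; the combination with the volume label, as Wes says, is the stronger signal. To check a real diskette, read it to a file with a raw sector copy and pass the bytes to `inspect_image`.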