haverlan@boulder.Colorado.EDU (HAVERLAND MARC BRADLEY) (02/07/90)
I seem to be experiencing a virus on my machine and three other machines that have exchanged files. I have not experienced this before, and am not very familiar with this class of problem. If anyone would like to tell me what they know about viruses, any information would be most appreciated. I will post a summary if requested.

The following is a description of what this thing looks like and acts like, as far as I have been able to tell in one night.

o It only affects .com and .exe files.
o Infected .exe files seem to run fine, but infected .com files hang.
o A clean .com file will run fine until an infected .exe is run. Any subsequent execution of any .com file will infect that particular file.
o Infected .com files seem to be 1813 bytes longer than uninfected ones.
o The beginning of infected .com files is affected, and various locations in infected .exe files are affected.
o The following seems to be a reliable signature:

      e9 92 00 73 55 4d 73 44 6f 63   (Hex ASCII)
      .  .  .  s  U  M  s  D  o  s    (ASCII)

o This is only the first part of the changes made to the beginning of .com files. There is more, but searching for this seems reliable.
o This shows up at the beginning of infected .com files, and sometimes at approximately offset 1555.
o Using the Norton Utility TS (TextSearch) and searching for the string sUMsDos seems to be a reliable check.

Has anyone experienced this? What exactly do virus detectors do? Can they clean up infected files, or do they just check them out? Any suggestions, comments, or education on this subject would be appreciated.

Thanks,
Marc Haverland
haverlan@tramp.colorado.edu
303-650-1100
303-266-6990
tima@polari.UUCP (tim anderson) (02/07/90)
This virus was found once before at Computervision/Prime. It was on one of the computers that was used for everyone to copy files at the last international users conference in Boston. Needless to say, anyone that copied files at Computervision's international users conference received a little more than they bargained for! You have found the cure that we used: search for that sUMsDOs string (or however it is spelt...) and blow away those files.
tima@polari.UUCP (tim anderson) (02/07/90)
I almost forgot, part of the virus infects the operating system, so make sure you boot up with a clean version of command.com and the other important boot up type files...
greenber@utoday.UUCP (Ross M. Greenberg) (02/09/90)
Looks like you have the so-called "PLO" or "Israeli/Friday 13th/Black Hole" virus. Not too serious. It doesn't cause much damage, except some EXE's will no longer be executable -- on Friday the 13th, it erases any file you try to run on an infected machine.

Best bet: reboot on a clean, write-protected floppy. Look for "sUMsDos" as you've found, delete the file and replace from your backups. Running an infected program infects your machine until you power down...

Ross M. Greenberg
Author, FLU_SHOT+
--
Ross M. Greenberg, Technology Editor, UNIX Today!   greenber@utoday.UUCP
594 Third Avenue, New York, New York, 10016
Voice:(212)-889-6431  BIX: greenber  MCI: greenber  CIS: 72461,3212
To subscribe, send mail to circ@utoday.UUCP with "Subject: Request"
greenber@utoday.UUCP (Ross M. Greenberg) (02/09/90)
In article <1248@polari.UUCP> tima@polari (tim anderson) writes:
>I almost forgot, part of the virus infects the operating system,
>so make sure you boot up with a clean version of command.com and
>the other important boot up type files...

Nope. Not this virus. In fact, it makes specific checks so it does not infect COMMAND.COM.

Ross M. Greenberg
Author, FLU_SHOT+