A.C.G.Saunders@newcastle.ac.uk (Aidan Saunders) (05/20/91)
Following the recent infections at Oxford University (see article from A.Appleyard - 16/5/91) I've been trying to find scanners to detect these viruses. (I understand there are two forms of this: one boot sector version, one file version.)

Having checked the documentation of the F-PROT (1.14) & McAfee SCAN (v77) packages, I don't find any reference to these. So:

1) How can Spanish Telecom be detected?
2) Which virus detection/removal packages can deal with Spanish Telecom?
3) What signature strings can be added to programs such as F-PROT & SCAN that allow user-defined signatures?

Any help would be appreciated! If you mail responses to me, I'll summarise.

Many thanks,
Aidan Saunders
--
----------------------------------------------
ARPA :: a.c.g.saunders@newcastle.ac.uk
UUCP :: ...!ukc!newcastle.ac.uk!a.c.g.saunders
----------------------------------------------
frisk@rhi.hi.is (Fridrik Skulason) (05/22/91)
A.C.G.Saunders@newcastle.ac.uk (Aidan Saunders) writes:

>Having checked the documentation of the F-PROT (1.14) & McAfee SCAN (v77)
>packages, I don't find any reference to these. So:

F-PROT 1.14 is a bit outdated - the current version (1.15A) will detect the virus without problems, as will 1.16 which will be released around June 1st. In the meantime, you can detect the virus on boot sectors by adding the following line to SIGN.TXT 1.14:

Telecom 1DuoWjeMGmqkUXUlq+wl5ajj5XOOM54Z06tFd8NGJAbqkOJjl9Rwj8DFTmdKy4W4BX

Detecting infected programs is a slightly larger problem - as the virus does not seem to be able to infect files. Don't misunderstand me, it is clearly intended to - but testing, as well as a study at Oxford where the virus has been spreading recently, has only revealed spreading by boot sector infections. The following string can be used to detect the original .COM file I have, but it is not 100% certain to detect all instances of the virus - I have heard of a different variant, but not yet received a sample.

Telecom xyJnWmtj2mDuGkjAVFHRl0AeAK9nxtmS74gBbEAG8K9NJdMLZplgBhZEkK

If you want hex patterns for some other program, the following patterns are the Virus Bulletin patterns:

Telecom Boot:     8A 0E EC 00 BE 70 00 03 F1 8A 4C 02 8A 74 03 C3
Telecom Program1: 8B 1D B2 00 83 FB 00 74 18 BF 55 00 B2
Telecom Program2: 83 ED 09 BE 20 01 03 F5 FC B6

Regarding disinfection - F-DISINF 1.15A can remove the infection from boot sectors - this was thoroughly tested as I managed somehow to infect one of my own computers by accident with the virus. I have not yet added code to "clean" infected files, as I have not been able to generate them - if anyone has been able to get Spanish Telecom to infect files, I would very much like to hear about it.

-frisk

Fridrik Skulason      Technical Editor of the Virus Bulletin (UK)
(author of F-PROT)    E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801
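The Virus Bulletin patterns in the reply above are plain hex byte strings, so a minimal pattern scanner for boot sectors and program files can be built directly around them. The Python below is an added example and is not code from the post, from F-PROT or from the Virus Bulletin. The 512-byte "sector" it scans is constructed here (NOP filler, the 55 AA boot signature and the Telecom Boot pattern copied in at an arbitrary offset) and is not a virus sample; the two SIGN.TXT lines are in F-PROT's own encoded format rather than raw hex and are therefore not used.

```python
"""Search raw bytes (a boot sector or a program file) for the Virus
Bulletin hex patterns quoted in the reply above.  Added example; the
sample sector built here is constructed filler, not a real sample."""

from typing import Dict, List, Tuple

# The three Virus Bulletin search patterns exactly as given in the post.
VB_PATTERNS: Dict[str, str] = {
    "Telecom Boot":     "8A 0E EC 00 BE 70 00 03 F1 8A 4C 02 8A 74 03 C3",
    "Telecom Program1": "8B 1D B2 00 83 FB 00 74 18 BF 55 00 B2",
    "Telecom Program2": "83 ED 09 BE 20 01 03 F5 FC B6",
}


def parse_hex_pattern(text: str) -> bytes:
    """Turn 'AA BB CC' into b'\\xaa\\xbb\\xcc'."""
    return bytes.fromhex(text.replace(" ", ""))


def scan_bytes(data: bytes, patterns: Dict[str, str] = VB_PATTERNS) -> List[Tuple[str, int]]:
    """Return (pattern name, byte offset) for every occurrence in data.

    Every occurrence is reported, not only the first, because a pattern
    found more than once (or in more than one file) is itself useful
    evidence when deciding whether a hit is a false positive."""
    hits: List[Tuple[str, int]] = []
    for name, text in patterns.items():
        needle = parse_hex_pattern(text)
        start = 0
        while True:
            idx = data.find(needle, start)
            if idx < 0:
                break
            hits.append((name, idx))
            start = idx + 1
    return hits


def scan_file(path: str, sector_size: int = 512) -> List[Tuple[str, int, int]]:
    """Scan a file or raw disk image; also report the sector number of each
    hit so a boot-sector match (sector 0) can be told from a file match."""
    with open(path, "rb") as f:
        data = f.read()
    return [(name, off, off // sector_size) for name, off in scan_bytes(data)]


def build_sample_sector() -> bytes:
    """Constructed 512-byte pseudo boot sector: NOP filler, the Telecom Boot
    pattern at offset 0x40 and the usual 55 AA signature at the end."""
    sector = bytearray(b"\x90" * 510 + b"\x55\xAA")
    needle = parse_hex_pattern(VB_PATTERNS["Telecom Boot"])
    sector[0x40:0x40 + len(needle)] = needle
    return bytes(sector)


if __name__ == "__main__":
    for name, off in scan_bytes(build_sample_sector()):
        print(f"{name} at offset 0x{off:04X}")
```

Two practical caveats apply: a boot sector must be read from the raw device (or from a sector-level image), since reading through the file system never returns sector 0; and patterns of 10 to 16 bytes are short enough that a hit in an arbitrary program is only an indication to be confirmed against a full scanner such as the F-PROT versions named in the reply, not a verdict on its own.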