[comp.virus] Yankee Doodle virus

Alan_J_Roberts@cup.portal.com (02/06/90)

This is a forward from John McAfee:
=================================================================

	O. Fadel points out that Clean-Up overwrites files infected
with the Yankee Doodle virus and then deletes them rather than
removing the virus and repairing the program.  This is pointed out
clearly in the documentation.  Clean-Up V57 currently repairs
infections from 17 of the most common viruses (Yankee Doodle is by no
means a common virus - at least based on our reporting statistics) and
will identify and overwrite the remainder.  Each version of Clean-Up
will add more viruses to the list that we can repair - the remainder
we will still identify and overwrite.  Our priorities for inclusion in
the "repair" list are based on the frequency of virus reports.  We
hope to have all viruses included in the repair list by May 15.
Yankee Doodle is scheduled for mid-April.
	Mr. Fadel asks why the Clean-Up delete function for less
common viruses is any better than the DOS delete function and why
anyone would bother to include it.  The answer is that the DOS delete
function, to the best of my memory, cannot search and identify an
infected file.  Neither does it do an overwrite.  (We overwrite with
C3H - the return function - so that a careless undelete will never
return the virus to your system).
	If Yankee Doodle is indeed a larger problem than we thought,
then we can re-arrange its priority and move it from the delete list
to the repair list for the next version.  I welcome suggestions.

John McAfee
408 988 3832 (Voice)
408 988 4004 (BBS)
408 970 9727 (FAX)

JIMS@SERVAX.BITNET (Jim Schenk) (04/12/91)

Hello,

Does anyone out there have information on the Yankee Doodle virus?  F-PROT
1.14 reports some files infected with "Yankee (TP-44)".  I would like to
know:

   1.  What does the TP-44 mean?

   2.  How does it spread?  I know it is memory resident, but once
in memory, does it attack .EXE and .COM files when they are executed, or
search the disk and randomly attach itself to executable files?

   3.  What are the symptoms?  (Note: this particular strain does NOT play
Yankee Doodle on the speaker when I set the system clock to 5:00, nor when
I reboot, as some Y.D. strains are reported to do.)

F-PROT has been quite effective in getting rid of the virus, but I would
like to know more about it.

Thanks,

Jim Schenk
University Computer Services
Florida International University

Bitnet:         jims@servax
Internet:       jims@servax.fiu.edu

walker@AEDC-VAX.AF.MIL (William Walker C60223 x4570) (04/27/91)

Hello, people.  Glad to be part of this discussion.

Jim Schenk (JIMS@SERVAX.BITNET) writes:
> Does anyone out there have information on the Yankee Doodle virus?

A little bit: Yankee Doodle is a variant of a virus called Vacsina,
both of which, along with Yankee Doodle-B, belong to the "TP" family
of about 48 viruses (last time I checked).  The second to the last
byte of an infected file is believed to be the "version number" of the
virus.  In the most common Yankee Doodle virus, this number is 2C hex,
or 44 decimal, therefore the name "TP-44."  The viruses from about 25
(19 hex) earlier are called Vacsina, while the later ones are called
Yankee Doodle.

I'm not 100% sure when the infection takes place, but I believe that
it occurs when a .COM or .EXE file is run.  As for playing "Yankee
Doodle" on the speaker, TP-44 does indeed play it.  I know because
I've just removed that version from a machine here.  However, when you
test it, don't set the clock exactly at 5:00, set it for 4:59, because
it starts a few seconds early.  Also, be sure that the time is 4:59 PM
(not AM), or 16:59.

For additional information, the best source (besides this forum) is
the VIRUSSUM document by Patricia M. Hoffman, which is available on
many BBSs and FTP servers which have anti-virus software.  Oh, by the
way, some versions of Yankee Doodle hunt down some other
viruses, such as Ping and Cascade.  Who knows, with this kind of
in-fighting, maybe they'll wipe each other out completely!  ;-)

Bill Walker
OAO Corporation
Arnold Engineering Development Center
M.S. 100
Arnold Air Force Base, TN  37389-9998
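As an added example (not code from either poster), here is a Python sketch of the two mechanics described in this thread: Bill Walker's reading of the TP version byte (second-to-last byte of the file, 2C hex = 44 decimal, hence "TP-44") and John McAfee's overwrite-with-C3H-then-delete step from Clean-Up. It assumes a scanner has already flagged the file as TP-family (this code does no detection), takes the Vacsina/Yankee Doodle split at version 25 as Walker estimates, and uses a constructed byte string rather than a real infected file.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

RET_OPCODE = 0xC3     # x86 RET (C3H), the fill byte McAfee says Clean-Up writes before deleting
VACSINA_BELOW = 25    # assumed split point: "about 25 (19 hex)" and earlier are Vacsina


def tp_version(data: bytes) -> Optional[int]:
    """Second-to-last byte of a flagged file, believed to hold the TP version number."""
    if len(data) < 2:
        return None
    return data[-2]


def tp_name(version: int) -> str:
    """Map a TP version number to a report label, e.g. 'Yankee Doodle (TP-44)'."""
    family = "Vacsina" if version < VACSINA_BELOW else "Yankee Doodle"
    return f"{family} (TP-{version})"


def overwrite_and_delete(path: Path) -> int:
    """Fill the whole file with RET opcodes, force it to disk, then delete it.

    A careless undelete then recovers only a file of RET instructions, not the
    original code. Returns the number of bytes overwritten.
    """
    size = path.stat().st_size
    with open(path, "r+b") as fh:
        fh.write(bytes([RET_OPCODE]) * size)
        fh.flush()
        os.fsync(fh.fileno())
    path.unlink()
    return size


def demo() -> tuple:
    """Label and wipe a constructed stand-in for a flagged .COM file (not real virus code)."""
    # constructed sample: 64 arbitrary bytes, then 0x2C (44) as the second-to-last byte
    sample = bytes(range(64)) + b"\x2C\x00"
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "FLAGGED.COM"
        target.write_bytes(sample)
        label = tp_name(tp_version(target.read_bytes()))
        wiped = overwrite_and_delete(target)
        return label, wiped, target.exists()   # ('Yankee Doodle (TP-44)', 66, False)
```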