[comp.virus] New virus

Alan_J_Roberts@Sun.COM (09/21/89)

    Well, it's happening again.  We've just received a new virus from
Randy Dean at the U.C. Davis bookstore.  The virus infects COM and EXE
files, including COMMAND.COM, increases the size of infected files by
1800 bytes, and infects through the DOS COPY command, as well as
program loads.  The virus contains the words "The Dark Avenger,
copyright 1988, 1989" and the message "This program was written in
the city of Sofia.  Eddie lives....  Somewhere in Time!".  The virus
bears no resemblance to the Jerusalem despite the similarity in sizes.
ViruScan V38 identifies the virus.

   By the way, I'd also like to respond to the comments about ViruScan
and John McAfee.  If I had written a shareware program that was being
distributed by some other company for money, I would be pretty ticked
off.  John has the right to determine who can sell it and who can't,
as I see it.

[Ed. Has V38 been sent out to the VIRUS-L/comp.virus archive sites?]

Alan_J_Roberts@Sun.COM (11/11/89)

     A new COM infector was submitted to the HomeBase board this
evening by Jean Luz of Lisbon, Portugal.  The virus is in many
respects similar to the Vienna virus - the size increase is 648 bytes,
and instead of overwriting every eighth file (on the average) with the
re-boot sequence, it overwrites with the characters "AIDS", thus
crippling those applications.  This virus should not be confused with
the original AIDS virus (very dissimilar).  Aside from the mentioned
similarities with Vienna, the virus appears to be written from
scratch.  The 648 length seems to be a chance result.  No effects of
the virus have been observed other than the above mentioned.  The
virus has been in Portugal at least two months according to the
submitter.  Alan

P.S.  The following presumably straight-faced request was posted on
HomeBase by John McAfee.  Thought it might be of interest to Virus-L
readers:

To: All Users
From: John McAfee
Subject: Reported Possible Virus

    I received an unusual call from a Mr. Fred Hankel of Fargo, North
Dakota this morning.  Mr. Hankel was highly agitated and after hearing his
long and involved story, I was moved to pass on this condensed summary to
all who might be interested:  Mr. Hankel reports, and I have no grounds for
doubting, that a computer virus invaded his system from a bingo game he
purchased in mid-October.  The virus activated at 11:00 A.M. yesterday and
promptly melted his power supply and mother board.  As he reached for the
power switch to turn off the machine, the virus blasted a perfectly circular
hole in the front panel of his AT clone and left a three foot oval scorch
mark on the back wall of his den.  I had not heard of this virus before
and felt that an alert might be in order.  Anyone experiencing similar
symptoms should contact us immediately.
Thank you.

[Ed. Sounds (to me) like paranoia strikes deep.  I trust that everyone
will have the good sense to take this report with a large grain of
salt...]

Alan_J_Roberts@Sun.COM (11/12/89)

    Yet another virus has been reported and sampled in the Seattle
area.  The virus is a COM, EXE and Overlay infector that increases the
size of infected files by 1644 bytes.  It activates on Sundays and
displays the message: "Today is Sunday!  Why do you work so hard?  All
work and no play make you a dull boy."  File allocation table damage
has been reported in two instances, although we could not duplicate
the FAT problem on our test systems.
    McAfee is planning to put SCAN49 out on Tuesday.  49 will detect
this Sunday virus, the Lisbon Virus and Yuval Tal's Do Nothing virus
(He sounds pretty haggard over the phone and begins to snarl if the
words "new virus" are mentioned).
Alan

TomZ@DDN1.DCA.MIL (11/16/89)

Comment: About that "virus" reported to John McAfee [Virus-L Digest V2
#239] by Fred Hankel of Fargo, North Dakota, that

>> ... promptly melted his power supply and mother board ... [and]
>> ... blasted a perfectly circular
>> hole in the front panel of his AT clone and left a three foot oval scorch
>> mark on the back wall of his den.

Er, doesn't anyone recognize a *L*I*G*H*T*N*I*N*G* strike?  The effects
Mr. Hankel reported are classic, only the assumption of a computer
virus is paranoia.

Maybe McAfee should submit this to the RISKS forum.
/s/:
Tom Zmudzinski             |      "The above does not constitute a policy
DCS Data Systems           |       statement from DCS Data Systems or its
McLean, Virginia           |       parent organization" - Zmudzinski
---------------------------+---------------------------------------------
(703) 285-5459             |      "But it does from Me!" - GOD

NYYUVAL@WEIZMANN.BITNET (Yuval Tal) (06/05/90)

I've just received a copy of a virus called "Armagedon the GREEK".
Has anyone ever seen this virus? SCAN 62 did not identify this virus,
so I consider this as a new virus. I've checked it a bit and from what
I found out, at a certain time, the virus sends a special command to
your ports which a Hayes compatible modem can understand!

Greek fellows: What does the phone number 081-141 mean?

I'll make a larger report after I finish disassembling this virus!

-Yuval Tal

+--------------------------------------------------------------------------+
| BitNet:   NYYUVAL@WEIZMANN       Domain: NYYUVAL@WEIZMANN.WEIZMANN.AC.IL |
| InterNet: NYYUVAL%WEIZMANN.BITNET@CUNYVM.CUNY.EDU                        |
+----------------------+---------------------------------------------------+
| Yuval Tal            | Voice:   +972-8-474592  (In Israel: 08-474592)    |
| P.O Box 1462         | BBS:     +972-8-471026 * 20:00-7:00 * 1200 * N81  |
| Rehovot, Israel      | FidoNet: 2:403/143                                |
+----------------------+---------------------------------------------------+
|  "Always look on the bright side of life" *whistle*  -  Monty Python     |
+--------------------------------------------------------------------------+

RY15@DKAUNI2.BITNET (Christoph Fischer) (07/04/90)

I just received a new virus from a friend, the first analysis shows the
following facts:
   Resident virus that infects COM and EXE files!
   It is an appending virus that modifies the EXE header.
   Infection trigger INT 21 subfunction 4Bh (load and execute)
   Infection length 688 bytes.
   Processes R/O and hidden files correctly and restores time and date
      stamp as well as attributes after infection.
   Contains a new way of detecting R/O floppy disks
   Fools debuggers to prevent reverse engineering.
   Selfdetection in memory is not sufficient. (So you might have several
      copies of the virus TSR active)
   Payload: starting with June 1990 it hooks INT 08 and after a random
      time it starts to toggle the screen blanking bit every 7 minutes
      5 cycles. This will only work on MDA, Hercules, CGA but not on
      EGA and VGA. The effect will be a screen flicker that might be
      confused with a bad contact in the CRT system.

*****************************************************************
* Christoph Fischer                                             *
* Micro-BIT Virus Team / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-37 64 22           *
* E-Mail: RY15 at DKAUNI2.BITNET    >>>> NEW NODEID <<<<<       *
*****************************************************************

CHESS@YKTVMV.BITNET (David.M.Chess) (07/09/90)

>   Fools debuggers to prevent reverse engineering.

One small nit, just in case this list is being read by someone
in the media!   *8)  The virus contains some code that's designed
to cause a branch to a nasty place in BIOS if one single-steps
through a particular early part of the virus.   But anyone
skillful enough to use a debugger is almost certainly skillful
enough to detect what the virus is trying to do, and prevent it.
A more accurate description, to avoid giving the virus more
credit than it deserves, might be:

  Contains easily-avoidable code that's intended to
    make analysis more difficult, but in fact has no
    particular effect.

DC

public@alva.tut.fi (Public Domain PC-software) (12/22/90)

I found a new virus on a PC at the beginning of December, but it has
been around here at least since the end of June. I've named that virus
the 2480 virus, because that is its size.
2480 Virus spreads only (I think) if the year is set to 1988 or earlier.
If it is later than 1988, infected files will occasionally display
the logo of European Crackin' Crew (Does anyone know anything about that
group??) when the user executes an infected program.
2480 Virus adds 2480 bytes to the end of every .COM file it decides to
infect. It doesn't infect files very quickly and it seems that infection
happens only at a certain time. It will also change the last modification
time to the time when infection happened, but the files' dates remain
unchanged. 2480 Virus is not memory resident and it can easily be noticed
because the European Crackin' Crew's logo is at the end of every
infected .COM file.
This virus is not detected by ViruScan V72, but I've sent a copy
of it to Mr. John McAfee and Fridrik Skulason, so hopefully ViruScan V73
and F-Prot 1.14 will find this virus :-)

Tapio Keihanen
Mesiheinankatu 2 B 6
33340 Tampere
Finland

PS. I'm sorry for my POOR English...
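Both appending infectors described above (Christoph Fischer's 688-byte COM/EXE infector that rewrites the EXE header, and Tapio Keihanen's 2480 virus that appends to .COM files and leaves a logo string at the end) lend themselves to the same offline checks: compare the image size an MZ header declares with the real file size, look for a known trailing text signature in COM files, and compare every file's length against a recorded clean baseline. The script below is an added example, not code from either post or from ViruScan/F-Prot; the sample files, the DEMO_TAIL_SIGNATURE string (a stand-in, not the real logo) and all function names are constructed for the demonstration.

```python
import struct

PAGE = 512
# Constructed stand-in for the text logo said to sit at the end of infected
# .COM files; the real crew logo is not reproduced here (demo assumption).
DEMO_TAIL_SIGNATURE = b"DEMO-CRACKIN-CREW-LOGO"


def make_mz(total_len):
    """Construct a minimal MZ file of total_len bytes whose header matches its size."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    e_cp = (total_len + PAGE - 1) // PAGE      # 512-byte pages in the file
    e_cblp = total_len % PAGE                   # bytes used in the last page (0 = full)
    struct.pack_into("<HH", hdr, 2, e_cblp, e_cp)
    struct.pack_into("<H", hdr, 8, 4)           # e_cparhdr: 4 paragraphs = 0x40 header
    return bytes(hdr) + b"\x90" * (total_len - len(hdr))


def mz_declared_size(data):
    """Image size the MZ header claims, or None if the data is not an MZ executable."""
    if len(data) < 0x40 or data[:2] not in (b"MZ", b"ZM"):
        return None
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)
    return e_cp * PAGE if e_cblp == 0 else (e_cp - 1) * PAGE + e_cblp


def exe_trailing_bytes(data):
    """Bytes past the declared image: a legitimate overlay, or appended code."""
    declared = mz_declared_size(data)
    if declared is None:
        raise ValueError("not an MZ executable")
    return len(data) - declared


def com_tail_has_signature(data, signature=DEMO_TAIL_SIGNATURE, window=2480):
    """Look for a known text signature inside the last `window` bytes of a COM file."""
    return signature in data[-window:]


def check_file(name, data, baseline_sizes):
    """Return findings for one file; baseline_sizes maps name -> known clean length."""
    findings = []
    if data[:2] in (b"MZ", b"ZM"):
        extra = exe_trailing_bytes(data)
        if extra:
            findings.append(f"{extra} bytes beyond the image declared in the MZ header")
    elif name.upper().endswith(".COM") and com_tail_has_signature(data):
        findings.append("known trailing signature present")
    baseline = baseline_sizes.get(name)
    if baseline is not None and len(data) != baseline:
        findings.append(f"size changed by {len(data) - baseline:+d} bytes since baseline")
    return findings


def demo_samples():
    """Constructed files: clean originals and three infection styles."""
    clean_exe = make_mz(1024)
    clean_com = b"\xB4\x4C\xCD\x21" + b"\x90" * 60      # mov ah,4Ch / int 21h, padded
    return {
        "clean_exe": clean_exe,
        # 688 bytes appended, header left alone: the header itself gives it away
        "exe_appended_lazy": clean_exe + b"\xCC" * 688,
        # 688 bytes appended and the header rewritten to cover them: only the baseline tells
        "exe_appended_fixed": make_mz(1024 + 688),
        "clean_com": clean_com,
        # 2480 bytes appended, ending in the (demo) logo string
        "com_appended": clean_com
        + b"\xCC" * (2480 - len(DEMO_TAIL_SIGNATURE))
        + DEMO_TAIL_SIGNATURE,
    }


if __name__ == "__main__":
    s = demo_samples()
    baseline = {"PROG.EXE": len(s["clean_exe"]), "PROG.COM": len(s["clean_com"])}
    for label, key, fname in [("lazy EXE infection", "exe_appended_lazy", "PROG.EXE"),
                              ("header-fixing EXE infection", "exe_appended_fixed", "PROG.EXE"),
                              ("COM infection", "com_appended", "PROG.COM")]:
        print(label, "->", check_file(fname, s[key], baseline))
```

Two caveats apply when running this over a real disk: many legitimate programs carry overlay data after the image the MZ header declares, so a non-zero trailing count means "look closer", not "infected"; and the baseline comparison only works if the clean lengths were recorded before the infection and stored somewhere the virus cannot reach, which is the reason the header-rewriting case in the sample is invisible to everything except the baseline.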

S008@HECMTL01.BITNET (02/26/91)

Here is some information about a new virus (that I named "SCUD").
This virus modifies the boot record or the master boot of the hard
disk depending on the stage of infection.

Randomly, when you try to access a diskette (dir or other commands), if it is
not write-protected, it changes the boot record of the diskette and, most of
the time, it changes the media descriptor byte, so you're not able to
correctly access this disk anymore.

One way to recover the data is to put a clean boot record on the diskette.

Hakim Belmaachi
Computer Analyst
Ecole des Hautes Etudes Commerciales
5255 Decelles, Montreal
Quebec,  H3T 1V6

Tel. (514) 340-6067
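The damage described above, a rewritten diskette boot record with a wrong media descriptor byte, is something a sanity check on the BIOS Parameter Block can flag, and the recovery the post suggests (writing a clean boot record back) can be verified the same way. The script below is an added example, not code from the post; it builds a constructed 1.44 MB FAT12 image in memory, checks the media descriptor against the legal set (F0h and F8h-FFh) and against FAT[0] (where DOS stores a copy of the media byte at format time), simulates only the single-byte change the post describes, and then restores a clean boot sector. All function names and the sample layout are assumptions made for the demo.

```python
import struct

SECTOR = 512
VALID_MEDIA = {0xF0} | set(range(0xF8, 0x100))   # legal DOS media descriptor bytes
BPB_FORMAT = "<HBHBHHBHHH"                        # BPB fields starting at offset 0x0B
BPB_NAMES = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors", "fats",
             "root_entries", "total_sectors", "media", "sectors_per_fat",
             "sectors_per_track", "heads")


def make_boot_sector():
    """Constructed 1.44 MB FAT12 boot sector with a valid BPB (no real boot code)."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x3C\x90"        # jump over the BPB
    bs[3:11] = b"MSDOS5.0"           # OEM name
    struct.pack_into(BPB_FORMAT, bs, 0x0B,
                     512,    # bytes per sector
                     1,      # sectors per cluster
                     1,      # reserved sectors (boot sector only)
                     2,      # number of FATs
                     224,    # root directory entries
                     2880,   # total sectors
                     0xF0,   # media descriptor: 3.5" 1.44 MB
                     9,      # sectors per FAT
                     18,     # sectors per track
                     2)      # heads
    bs[0x1FE:0x200] = b"\x55\xAA"    # boot signature
    return bytes(bs)


def make_image():
    """Boot sector followed by two 9-sector FATs whose first byte is the media byte."""
    fat = bytearray(9 * SECTOR)
    fat[0:3] = b"\xF0\xFF\xFF"       # FAT[0] = media byte, FAT[1] = end-of-chain marker
    return make_boot_sector() + bytes(fat) * 2


def parse_bpb(sector):
    return dict(zip(BPB_NAMES, struct.unpack_from(BPB_FORMAT, sector, 0x0B)))


def check_boot_sector(image):
    """Return a list of findings; an empty list means the boot record looks sane."""
    findings = []
    bs = image[:SECTOR]
    if bs[0x1FE:0x200] != b"\x55\xAA":
        findings.append("boot signature 55AA missing")
    bpb = parse_bpb(bs)
    if bpb["media"] not in VALID_MEDIA:
        findings.append(f"media descriptor {bpb['media']:#04x} is not a legal value")
    if bpb["bytes_per_sector"] != SECTOR or bpb["fats"] == 0 or bpb["sectors_per_fat"] == 0:
        findings.append("BPB geometry fields are implausible")
    fat_off = bpb["reserved_sectors"] * bpb["bytes_per_sector"]
    if fat_off < len(image):
        fat0 = image[fat_off]
        if fat0 != bpb["media"]:
            findings.append(f"BPB media {bpb['media']:#04x} disagrees with FAT[0] {fat0:#04x}")
    return findings


def simulate_media_byte_corruption(image, new_media):
    """Mimic the effect the post describes: only the media descriptor byte changes."""
    img = bytearray(image)
    img[0x15] = new_media
    return bytes(img)


def restore_boot_record(image, clean_boot_sector):
    """The recovery the post suggests: write a clean boot record over sector 0."""
    return clean_boot_sector + image[SECTOR:]


if __name__ == "__main__":
    disk = make_image()
    print("clean:", check_boot_sector(disk))
    damaged = simulate_media_byte_corruption(disk, 0x12)
    print("damaged:", check_boot_sector(damaged))
    print("restored:", check_boot_sector(restore_boot_record(damaged, make_boot_sector())))
```

The clean boot record must come from a diskette of the same format, since the BPB it carries describes the geometry; if the FAT[0] comparison still fails after the restore, the virus changed more than the media byte and the FAT needs attention as well.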

martin@cs.UAlberta.CA (Tim Martin; FSO; Soil Sciences) (04/11/91)

Has anyone else found a DOS boot sector virus that gives an eight line
message about the USA being the real "evil empire" in the "impending
war with Iraq"?  It is on several of our more public computers at U of
Alberta, and we are wondering whether it was locally written.

The virus is a "new stoned" variant, according to the F-DISINF and
F-SYSCHK programs.

Please notify myself, and also Peter Johnston.  Peter is at
usergold@mts.ucs.ualberta.ca.

Thanks,

Tim Martin
Soil Science
U of Alberta
tmartin@vm.ucs.ualberta.ca
martin@menaik.cs.ualberta.ca