rtravsky@CORRAL.UWyo.Edu (Richard W Travsky) (01/07/91)
This appeared in a recent Info-Ibmpc digest. Figured I'd pass it on. I have not seen any mention of this in recent virus-l postings so hopefully I'm not passing on old news. Then again, I hope I'm not also spreading panic!

Date: Tue, 1 Jan 91 10:58:09 -0500
From: David Kirschbaum <kirsch@usasoc.soc.mil>
Subject: Reported QEMM virus

Received from the Fido Dr. Debug Echo, 1 Jan 91.

David Kirschbaum
Toad Hall

FROM: Richard Crain    Area # 23 ( Dr. Debug )
TO: ALL
SUBJECT: Virus

I have found what appears to be a virus on the factory supplied disk from Quarterdeck on the QEMM386 V5.1 diskette in the Optimize.com and install.exe programs. These 2 programs contain a HEX signature of EAF0FF00F0 which indicates the possible presence of the 648 virus. This virus is supposed to infect overlay programs, which I have had MAJOR problems with lately. In the last 18 hours, every program that I have used that uses overlays has had its CRC change, or worse yet, totally crash on invocation locking the system. Further, it has been only the EXE files that have changed.

Also, in doing a byte by byte compare of a corrupted file with a good version on backup (tape) I find an absolute pattern of corruption in the files. These changes are the substitution of a HEX 00 00 at locations 68B8, 68BC, 78B8, 78BC, 88B8, 88BC, Etc.....

This problem started yesterday (again) after running the Optimize program that comes with Qemm386 V5.1. This problem occurred before causing me to panic and wipe out my hard disk, secure erase, reformat, and reload without doing serious research as to the cause, I ASSUMED that a new program that I had just added was the cause. This time, I have found what I believe to be the true cause with some advice from Chris Anderson.

Further, Quarterdeck has been notified and the original disk is being returned to them for replacement and analysis. Also, the disk was never written onto by me at any time, the diskette was copied and the copy underwent the registration process.
The HEX string to look for is EAF0FF00F0

--- msged 1.99S ZTC
 * Origin: DinoPoint 2 (1:104/114.2)

mrh@camcon.co.uk (Mark Hughes) (01/09/91)
rtravsky@CORRAL.UWyo.Edu (Richard W Travsky) writes:

>This appeared in a recent Info-Ibmpc digest. Figured I'd pass it on.
> ...deleted...
>From: David Kirschbaum <kirsch@usasoc.soc.mil>
>Subject: Reported QEMM virus
>Received from the Fido Dr. Debug Echo, 1 Jan 91.
>David Kirschbaum
>Toad Hall
>FROM: Richard Crain Area # 23 ( Dr. Debug )
>TO: ALL
>SUBJECT: Virus
>I have found what appears to be a virus on the factory supplied disk
>from Quarterdeck on the QEMM386 V5.1 diskette in the Optimize.com and
>install.exe programs. These 2 programs contain a HEX signature of
>EAF0FF00F0 which indicates the possible presence of the 648 virus.

I have checked my QEMM v5.0 master disks and find this signature also occurs in the same named files, but which are obviously much older. They are dated 9 March 90 on my disk. I have been using QEMM v5.0 for a good few months (can't remember exactly when I bought it) and have had no reason to suspect virus infection of my system. The age of QEMM v5.0 without apparent virus report is interesting.

In addition, McAfee's scan program 5.1v67 fails to complain about QEMM v5.0 or v5.1 despite manual inspection showing that the signature does appear as reported above. A "Vienna/648" virus is described in the McAfee documentation.

This is all fairly re-assuring to me, but it is possible that this is a dormant virus just waking up. It needs further investigation (by Quarterdeck I guess), but caution rather than panic seems appropriate.

Hope this adds to the investigation.

[Ed. Please see followup below!]

Mark
--
Mark Hughes (Compware & CCL)
Eml: mrh@camcon.co.uk or mrh@camcon.uucp
Tel: +44 (0) 223 420024
Fax: +44 (0) 223 423373
Tlx: 81481 (CCL G)
Cambridge Consultants Ltd.
The Science Park, Milton Road,
Cambridge, CB4 2JB, UK.
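
The two checks described in this thread (searching a file for the hex string EAF0FF00F0, and a byte-by-byte compare of a changed file against a backup copy) as an added Python example that is not part of the original posts. The function names and the sample image are constructed for illustration; only the hex string and the six offsets come from the thread.

```python
from collections import Counter

SIGNATURE = bytes.fromhex("EAF0FF00F0")  # hex string quoted in the thread
# Offsets listed in the first post (the post's "Etc....." is not expanded here).
REPORTED_OFFSETS = (0x68B8, 0x68BC, 0x78B8, 0x78BC, 0x88B8, 0x88BC)

def find_signature(data, sig=SIGNATURE):
    """Return every offset at which sig occurs, overlapping matches included."""
    hits, pos = [], data.find(sig)
    while pos != -1:
        hits.append(pos)
        pos = data.find(sig, pos + 1)
    return hits

def diff_runs(good, bad):
    """Byte-by-byte compare; return (start, length) for each run of differing bytes."""
    if len(good) != len(bad):
        raise ValueError("sizes differ: report that before comparing contents")
    runs, start = [], None
    for i, (a, b) in enumerate(zip(good, bad)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(good) - start))
    return runs

def spacing(runs):
    """Count gaps between consecutive run starts; repeated gaps mean a regular pattern."""
    starts = [s for s, _ in runs]
    return Counter(b - a for a, b in zip(starts, starts[1:]))

def make_sample():
    """Constructed data: a filler 'backup' image and a copy with 00 00 at the offsets."""
    good = bytearray(b"\xAA" * 0x9000)
    good[0x120:0x125] = SIGNATURE  # constructed placement, not from the thread
    bad = bytearray(good)
    for off in REPORTED_OFFSETS:
        bad[off:off + 2] = b"\x00\x00"
    return bytes(good), bytes(bad)

if __name__ == "__main__":
    good, bad = make_sample()
    print("signature at:", [hex(o) for o in find_signature(bad)])
    runs = diff_runs(good, bad)
    print("changed runs:", [(hex(s), n) for s, n in runs])
    print("gaps between runs:", {hex(g): c for g, c in spacing(runs).items()})
```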