[comp.virus] new boot sector virus

Alan_J_Roberts@cup.portal.com (07/30/90)

This is a forward from Aryeh Goretsky of the Computer Virus
Industry Association:
================================================================

	John McAfee has authorized me to begin posting selected CVIA
Membership Alerts to VIRUS-L/VALERT-L.  Ken van Wyk has asked John if
he would provide more information to VIRUS-L subscribers about
infection occurrences by new virus strains.  Membership Alerts appear
to be the best way to do this.  All Alerts will be posted to Virus-l
provided the report originator does not specify membership restricted
distribution.  Accordingly, the following Alert is submitted:

July 27, 1990
CVIA Membership Alert
Originating Member: Microsoft Corporation
Alert Type: New Virus in Public Domain
Library Entry: AIRCOP
Entry Type: Boot Sector Virus

	CVIA member Microsoft Corporation has reported a public domain
U.S. infection by a new boot sector virus.  The virus has been
submitted to the library and is currently under analysis.  The
virus replicates in the normal boot sector fashion by booting from
an infected floppy.  Non-write-protected diskettes that are
inserted into an infected system become infected at the time that
the diskette is first referenced.
	The virus randomly displays the following message:

		Red State, Germ Offensive.
		AIRCOP

	Potential data damage has not yet been determined.  Early
analysis, however, indicates some small similarity to both the
Joshi and Marti Brothers boot viruses that have been reported at
multiple sites in the U.S.
	A detector will be made available to liaison staff on Monday,
July 30.

John McAfee

CCMH@MVS.MCGILL.CA (Michael Head) (11/27/90)

We have found an unknown boot sector virus on "COMBASE" and
"SVGA-UTILITY" software shipped in PACKARD-BELL PACKMATE-III and 386sx
computers.  The diskettes are in sealed envelopes.  The seal bears
characters which appear to be Chinese.
 The disks were not intended to be booted and will produce the
standard error message "NON-SYSTEM DISK etc." if accidentally booted;
however, the hard disk, if present, will have been infected.
 The symptoms are varied.  Some infected systems play a few notes with
every DOS command issued.  On others there are no notes but there is a
lot of I/O on write-protected disks (one has the feeling it is trying
to burn its way onto the disk).  Still others (my quarantined
Taiwanese AT) will not boot at all after being infected.
 Now for the bad news.  SCANV67c does not report anything.  F-PROT113
also doesn't find a known virus but reports the boot sector is an
unusual DOS boot sector and there may be an unknown virus.  (Thanks,
Fridrik, it sure is lonely trying to convince yourself you're the first
one to ever see a brand new virus.)

       Michael Head
 ______________________________________________________________________
   e:mail - ccmh@mvs.mcgill.ca   |    McGill Computing Center
   bitnet - ccmh@mcgillvs.bitnet |    805 Sherbrooke St. West
   voice  - (514) 398-3707       |    Montreal,Quebec
                                 |    Canada    H3A 2K6

frisk@rhi.hi.is (Fridrik Skulason) (12/03/90)

CCMH@MVS.MCGILL.CA (Michael Head) writes:
>We have found an unknown boot sector virus on "COMBASE" and
>"SVGA-UTILITY" software shipped in PACKARD-BELL PACKMATE-III and 386sx
>computers.  The diskettes are in sealed envelopes.  The seal bears
>characters which appear to be Chinese.

The diskettes are probably from Taiwan, a country which is
practically flooded by viruses; a friend of mine ordered a machine
from a company there and received it infected with three different
viruses.

Also, every company in Iceland which imports machines from Taiwan has
at least once received infected machines or floppies.

> Now for the bad news.  SCANV67c does not report anything.  F-PROT113
>also doesn't find a known virus but reports the boot sector is an
>unusual DOS boot sector and there may be an unknown virus.  (Thanks,
>Fridrik, it sure is lonely trying to convince yourself you're the first
>one to ever see a brand new virus.)

Well, I am glad the routine I added in version 1.13 to analyze boot
sectors for suspicious code turned out to be useful - I am working on
improvements for version 1.14.

-frisk

Fridrik Skulason      University of Iceland  |
Technical Editor of the Virus Bulletin (UK)  |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801  |
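Neither the CVIA alert nor Fridrik's reply describes how F-PROT 1.13 decides that a boot sector is "unusual", so the following is an added example of my own, not F-PROT's routine and not code from any poster in this thread. It shows the kind of structural sanity check a scanner can run on a 512-byte DOS boot sector to flag one that does not look like a normal DOS boot sector: boot signature present, initial JMP present and landing past the BIOS Parameter Block, BPB field values plausible, and (a weak indicator only) some readable message text in the boot code. It assumes the classic DOS 3.x BPB layout at offsets 0x0B..0x1B and boot code starting no earlier than 0x1E; the two sample sectors are constructed for this example and are not captured from any real disk or from the virus discussed above.

```python
"""Structural sanity check for a DOS boot sector (added example, not F-PROT's code).

Assumptions: the classic DOS 3.x BIOS Parameter Block (BPB) at offsets
0x0B..0x1B, an initial JMP opcode, and boot code starting at 0x1E or
later (DOS 2.x used 0x1E, DOS 3.3 used 0x3E). Both sample sectors below
are constructed for this example, not captured from any real disk.
"""
import struct
from typing import List, Optional

SECTOR_SIZE = 512
BPB_OFFSET = 0x0B
BPB_FORMAT = "<HBHBHHBHHH"      # ten fields, 17 bytes, offsets 0x0B..0x1B
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "num_fats", "root_entries", "total_sectors", "media_descriptor",
              "sectors_per_fat", "sectors_per_track", "heads")
MIN_CODE_OFFSET = 0x1E
VALID_MEDIA = {0xF0} | set(range(0xF8, 0x100))


def parse_bpb(sector: bytes) -> dict:
    """Decode the BPB fields into a name -> value dictionary."""
    return dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sector, BPB_OFFSET)))


def jump_target(sector: bytes) -> Optional[int]:
    """Offset reached by the initial JMP, or None if the sector does not start with one."""
    if sector[0] == 0xEB:                                   # JMP SHORT rel8
        return 2 + struct.unpack_from("<b", sector, 1)[0]
    if sector[0] == 0xE9:                                   # JMP NEAR rel16
        return 3 + struct.unpack_from("<h", sector, 1)[0]
    return None


def longest_printable_run(data: bytes) -> int:
    """Length of the longest run of printable ASCII bytes (a proxy for message text)."""
    best = run = 0
    for b in data:
        run = run + 1 if 0x20 <= b < 0x7F else 0
        best = max(best, run)
    return best


def analyze_boot_sector(sector: bytes) -> List[str]:
    """Return findings as 'tag: detail' strings; an empty list means nothing unusual."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        return [f"bad-size: {len(sector)} bytes, expected {SECTOR_SIZE}"]
    if sector[510:512] != b"\x55\xAA":
        findings.append("no-signature: 55AA boot signature missing")
    target = jump_target(sector)
    if target is None:
        findings.append(f"no-jmp: first byte is 0x{sector[0]:02X}, not a JMP")
    elif not MIN_CODE_OFFSET <= target < SECTOR_SIZE:
        findings.append(f"bad-jmp: initial JMP lands at 0x{target:02X}")
    bpb = parse_bpb(sector)
    if bpb["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        findings.append(f"bad-bytes-per-sector: {bpb['bytes_per_sector']}")
    spc = bpb["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):                         # must be a power of two
        findings.append(f"bad-cluster-size: {spc} sectors per cluster")
    if bpb["reserved_sectors"] == 0:
        findings.append("bad-reserved: reserved sector count is zero")
    if bpb["num_fats"] not in (1, 2):
        findings.append(f"bad-fat-count: {bpb['num_fats']} FATs")
    if bpb["media_descriptor"] not in VALID_MEDIA:
        findings.append(f"bad-media: descriptor 0x{bpb['media_descriptor']:02X}")
    if bpb["sectors_per_fat"] == 0 or bpb["sectors_per_track"] == 0 or bpb["heads"] == 0:
        findings.append("bad-geometry: zero sectors-per-FAT, sectors-per-track or heads")
    # Weak indicator only: DOS boot code normally carries a readable error message.
    if longest_printable_run(sector[MIN_CODE_OFFSET:510]) < 16:
        findings.append("no-text: no readable message text in the boot code (weak indicator)")
    return findings


def build_normal_sector() -> bytes:
    """Constructed sample: a plausible DOS 3.3 360K floppy boot sector."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xEB\x3C\x90"                      # JMP SHORT 0x3E ; NOP
    sec[3:11] = b"MSDOS3.3"                         # OEM name
    struct.pack_into(BPB_FORMAT, sec, BPB_OFFSET,
                     512, 2, 1, 2, 112, 720, 0xFD, 2, 9, 2)
    sec[0x3E:0x41] = b"\xFA\xFC\xF4"                # stand-in for boot code: CLI CLD HLT
    msg = b"Non-System disk or disk error\r\nReplace and press any key when ready\r\n"
    sec[0x100:0x100 + len(msg)] = msg
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def build_suspicious_sector() -> bytes:
    """Constructed sample: signature intact, but no JMP, BPB overwritten with NOPs, no text."""
    sec = bytearray(SECTOR_SIZE)
    sec[0] = 0xFA                                   # CLI where a JMP is expected
    sec[BPB_OFFSET:BPB_OFFSET + 17] = b"\x90" * 17  # BPB bytes replaced by code
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


if __name__ == "__main__":
    for name, sec in (("normal", build_normal_sector()),
                      ("suspicious", build_suspicious_sector())):
        findings = analyze_boot_sector(sec)
        print(f"{name}: {'looks like a normal DOS boot sector' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

To run it against a real diskette image, read the first 512 bytes of the image file and pass them to analyze_boot_sector. The BPB and JMP checks are the strong part of this heuristic; the message-text check is deliberately reported as a weak indicator, because OEM boot sectors without an error string exist and a boot virus that copies the original BPB intact will pass the structural checks, which is why a heuristic like this supplements rather than replaces signature scanning.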