padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (10/30/90)
Connie <warren@mdcbbs.com> writes
>>Subject: Cascade virus? (PC)
>>All of the files in my comm directory deleted themselves in one fell
>>swoop. I was able to unerase them and run the comm program again.
>>This time beautiful graphics began scrolling by. It was geometric,
>>scrolled upward...
>> FYI, the interrupt looks like this:
>>IRQ 02 0c28:0219 [Cascade] DOS System Area

This does not sound like the CASCADE virus (letters fall vertically to the bottom of the screen). Also, CASCADE is a descriptive name applied to that virus, not one that is found in the code (incidentally, QAPLUS reports that IRQ 2 on my 386 is assigned to CASCADE also and I am reasonably sure that it is not infected).

Other than the graphics, the symptoms sound like a variant of the Jerusalem & would recommend running the latest version of SCAN (v67C) to check.

BTW, I was not aware that Norton's SYSINFO (SI) would return interrupt identification - is this something new in 5.0? (I have 4.5)

************

Paul Evans <PEvans@HMC_VAX.claremont.edu> writes:
>>I had an infinite number of directories.

I have seen this happen twice on older machines and have yet to find a good explanation other than once repaired the problem did not reoccur & did not seem to be a virus. What happens is that a subdirectory is created that points at the root directory storage area creating an endless loop. Since they point at the same area, no disk space is actually used. The downside is that deleting anything in the sub affects the root. All that is necessary is to use Norton or something to remove the errant subdirectory (but NOT its files).

***********

Lately, I have been receiving a number of requests for live viruses from readers. All have been & will continue to be refused since there is no way to verify credentials on the net and I will not send any infectious code over a public network anyway. Period.

Similarly, information disseminated openly MUST be, to a degree, censored. Most of the researchers I know share the view that we are not going to point out a virus writer's mistakes to them for correction in the next version. I will say that EVERY memory resident virus seen so far is easily detectable if you understand the basics of DOS (and this includes the "stealthy" 4096, Joshi, and Whale ALL of which are detectable in memory by the same 1331 byte .COM file {mostly ASCII text messages} I wrote three years ago in response to a BRAIN outbreak) and, if the virus is not memory resident, is even easier to find.

Padgett

(Do any schools still teach Logic or Boolean Algebra ?)
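The directory loop described in the post can be found mechanically by reading the start-cluster field of each 32-byte FAT directory entry. The sketch below is an added example, not code from the post or from any tool it names. It assumes each directory's raw bytes are already available in a dict keyed by start cluster (it does not follow FAT chains), it assumes cluster 0 stands for the root directory area, and it goes slightly beyond the post by also flagging entries that point back at any ancestor directory. All names and sample data are constructed for illustration.

```python
import struct

ATTR_DIR = 0x10      # directory attribute bit in a FAT directory entry
ATTR_VOLUME = 0x08   # volume label bit; such entries are never subdirectories
ENTRY = "<11sB14xHI" # name+ext, attribute, 14 skipped bytes, start cluster, size

def entry(name, attr, cluster):
    """Build one constructed 32-byte directory entry (sample data only)."""
    return struct.pack(ENTRY, name.ljust(11).encode("ascii"), attr, cluster, 0)

def subdirs(raw):
    """Yield (name, start_cluster) for each live subdirectory entry in raw bytes."""
    for off in range(0, len(raw) - 31, 32):
        name, attr, cluster, _size = struct.unpack_from(ENTRY, raw, off)
        if name[0] == 0x00:          # end-of-directory marker
            break
        if name[0] in (0xE5, 0x2E):  # deleted entry, or the "." / ".." entries
            continue
        if attr & ATTR_DIR and not attr & ATTR_VOLUME:
            yield name.decode("ascii", "replace").rstrip(), cluster

def find_loops(dirs, cluster=0, path="\\", ancestors=()):
    """Return [(path, target_cluster)] for entries pointing at the root or an ancestor."""
    found = []
    chain = ancestors + (cluster,)
    for name, child in subdirs(dirs.get(cluster, b"")):
        child_path = path + name
        if child in chain:
            found.append((child_path, child))  # report it, never descend into it
        else:
            found += find_loops(dirs, child, child_path + "\\", chain)
    return found

# Constructed sample volume: \LOOP points at the root area (cluster 0),
# and \COMM\DATA\BACK points back at its grandparent \COMM (cluster 2).
SAMPLE = {
    0: entry("COMM", ATTR_DIR, 2) + entry("README  TXT", 0x20, 5)
       + entry("LOOP", ATTR_DIR, 0),
    2: entry(".", ATTR_DIR, 2) + entry("..", ATTR_DIR, 0) + entry("DATA", ATTR_DIR, 3),
    3: entry(".", ATTR_DIR, 3) + entry("..", ATTR_DIR, 2) + entry("BACK", ATTR_DIR, 2),
}

if __name__ == "__main__":
    for loop_path, target in find_loops(SAMPLE):
        print(f"{loop_path} -> cluster {target} (loops back)")
```

Only the flagged directory entry is the fault; the files seen through it are the target directory's own files, which is why removing the entry but not its files is the repair.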