[comp.virus] New Virus - The Saddam Virus

NYEVENBA@WEIZMANN.BITNET (Baruch Even) (10/03/90)

Hello all,

There is a new virus in Israel; it was discovered on a BBS, in a file
named SCAN.COM in a package SCANV68.ZIP, so please inform McAfee not to
publish a SCAN ver. numbered 68.

Some info that was posted over the BBS net follows.

[Ed. As this information looks (to me) to be somewhat sketchy, I urge
readers to regard it as unconfirmed until/unless more information can
be found.  If anyone does have any _first hand_ information on this, I
would appreciate a call or an e-note.  (krvw@cert.sei.cmu.edu or
(412) 268-7090)]

   From : Gady Guy

   Attention all computer users.
The file SCANV68.ZIP as downloaded from 'On-Line Today' includes one SCAN.COM
file of size about 63Kb. This file, when run, immediately terminates, as it
includes nothing but one INT 20 (termination) and 60Kb of junk.
But it is also infected by a virus that has a very limited ability:
it hooks interrupt 21H (DOS function call) and hooks ONE .COM file in the
current directory every time INT 21 is called. It puts itself in high memory
without changing the high mem counter, so that any big program hangs the system.
Command.com will not work when infected, so that infection will cause the system
to hang on BOOT. It has a very bad BUG when hooking INT 21H which causes
Command.com to misinterpret commands, so that any DEL will cause deletion of the
whole directory (I repeat: It is only a BUG!!!).

Its main symptom is typing a message onto the screen every 8th INT 21H request:
HEY SADAM
LEAVE QUEIT BEFORE I COME

Its size is about 700 bytes.
It is also very badly programmed, probably by someone who has very little
command of assembly language.

There's nothing to it to avoid it:
When you get a new COM program, run it in an EMPTY directory eight times.

C:> MKDIR EMPTY
C:> CD EMPTY
C:EMPTY> COPY \PROCOMM\SCAN.COM
    $One file(s) copied ...
C:EMPTY> SCAN
    $Does NOTHING.
C:EMPTY> SCAN
C:EMPTY> SCAN
C:EMPTY> SCAN
C:EMPTY> SCAN
HEY SADAM
LEAVE QUEIT BEFORE I COME
C:EMPTY>


   Ah hah!!!

C:EMPTY> DEL *.*
Are you sure (yes/no): Y
C:EMPTY>

 Now BOOT!!! Further use of DOS might damage the directory.

+-------------------------------------------------------+
| Baruch Even                                           |
|                                                       |
| BitNet   -  NYEVENBA@WEIZMANN.BITNET                  |
| InterNet -  nyevenba%weizmann.bitnet@cunyvm.cuny.edu  |
|                                                       |
|   Enjoy The Silence - Depeche Mode                    |
+-------------------------------------------------------+

NYEVENBA@WEIZMANN.BITNET (Baruch Even) (10/06/90)

Here are the specifications of the NEW virus 'The Saddam Virus'. The virus
was found a few days ago on a BBS in Israel and was probably written by
the one who wrote the original Stupid Virus.  The virus was found in a
file named SCAN.COM in a package named SCANV68.ZIP, so please let
McAfee know about this virus so he won't release a version with this number,
for the sake of the Israeli users.  The virus isn't widespread (I
hope); it was downloadable just for a few days and then deleted by the
SysOp of the BBS. The virus also probably wasn't spread out of Israel.

BTW: Please skip over my English mistakes

==============================================================================

Entry...............: The Saddam Virus
Alias(es)...........:   ---
Virus strain........: The Stupid Virus
Virus detected when.: 1-October-1989
              where.: BBS in Israel
Classifications.....: COM file infecting virus/extending, resident.
Length of virus.....: 917 - 924 bytes, depending on the size of the name of
                              the infected file.
- --------------------- Preconditions -----------------------------------
Operating system(s).: MS-DOS
Version/release.....: 2.0 or higher
Computer model(s)...: IBM PC,XT,AT and compatibles
- --------------------- Attributes --------------------------------------
Identification......: Memory: INT 6Bh points to original INT 21h.
                               (see Particularities [4])
                      .COM files: The encrypted string.
                              To decrypt the string add 6 to each char;
                              the terminating char is 24h before adding 6.
                              The name of the infected file is stored
                              by the virus.
Type of infection...: System: The virus copies itself to high memory by the
                              following calculation:
                              [0:413]*40h-867h
                              The virus does not lower the amount of memory
                              that is written in [0:413], nor does it make DOS
                              think the area is used, so big programs will make
                              the system hang.
                      .COM files: Extends .COM files. Adds about 918 bytes to
                              the end of the file.
                      .EXE files: Not infected.
Infection trigger...: every call to INT 21h
Interrupts hooked...: 21h, 6Bh.
Damage..............: Prints the string:
                              HEY SADAM
                              LEAVE QUEIT BEFORE I COME
Damage trigger......: Counts the number of times INT 21H was requested
                              and on every eighth time will print the string.
Particularities.....: 1. Many programs load themselves into this area and
                         erase the virus from memory.
                      2. The virus uses INT 6BH as a replacement for the original
                         INT 21H.
                      3. The virus infects just files in the current directory.
                      4. If the disk is write protected you'll see the message
                              from DOS about the write protection
                              when the virus tries to spread.
- --------------------- Agents ------------------------------------------
Countermeasures.....: F-Prot 1.13 RESIDENT PART ONLY:
                              identifies the virus as The Stupid Virus
                              and doesn't let the program get into memory.
- --------------------- Acknowledgement ---------------------------------
Classification by...: Baruch Even (NYEVENBA@WEIZMANN.BITNET)
Documentation by....: Baruch Even (NYEVENBA@WEIZMANN.BITNET)
Date................: October 5, 1990

+-------------------------------------------------------+
| Baruch Even                                           |
|                                                       |
| BitNet   -  NYEVENBA@WEIZMANN.BITNET                  |
| InterNet -  nyevenba%weizmann.bitnet@cunyvm.cuny.edu  |
|                                                       |
|   Enjoy The Silence - Depeche Mode                    |
+-------------------------------------------------------+
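As an added example (not part of Baruch Even's posting or the Virus Test Center template), the two identification rules from the description above turned into a small scanner: the .COM rule (decrypt by adding 6 to each byte until the stored 24h terminator) and the memory rule ([0:413]*40h-867h). Assumptions: the stored form is plaintext minus 6 per byte, the two printed lines are separated by CR LF, and the sample .COM image is constructed here.

```python
from typing import Optional, Tuple

# Plaintext the virus prints (spelling as in the posting). DOS AH=09h string
# output ends at '$' (24h), which matches the terminator the description gives.
PLAINTEXT = "HEY SADAM\r\nLEAVE QUEIT BEFORE I COME"  # CR LF is an assumption
TERMINATOR = 0x24  # stored terminator byte, tested before the +6 step


def encode(text: str) -> bytes:
    """Stored (encrypted) form as assumed here: each byte minus 6, then 24h.
    Only used to construct the sample; the posting states decryption is +6."""
    return bytes((b - 6) & 0xFF for b in text.encode("ascii")) + bytes([TERMINATOR])


def decode_at(buf: bytes, offset: int, limit: int = 256) -> Optional[str]:
    """Decrypt from offset by adding 6 per byte until a stored 24h byte appears."""
    out = bytearray()
    for b in buf[offset:offset + limit]:
        if b == TERMINATOR:
            return out.decode("latin-1")
        out.append((b + 6) & 0xFF)
    return None  # no terminator within the window: not this pattern


def scan_com(buf: bytes) -> Optional[Tuple[int, str]]:
    """Find the encrypted 'HEY SADAM' prefix in a .COM image and decode the
    whole message; returns (offset, decrypted text) or None if absent."""
    sig = encode("HEY SADAM")[:-1]  # prefix only, without the terminator
    pos = buf.find(sig)
    if pos < 0:
        return None
    text = decode_at(buf, pos)
    return (pos, text) if text else None


def resident_segment(kb_at_0413: int) -> int:
    """Segment the virus copies itself to, per the description: [0:413]*40h-867h.
    [0:413] is the BIOS data area word holding conventional memory size in KB."""
    return kb_at_0413 * 0x40 - 0x867


# Constructed sample .COM image: INT 20h stub, NOP padding, encrypted message.
SAMPLE_COM = b"\xCD\x20" + b"\x90" * 40 + encode(PLAINTEXT) + b"\x00" * 8

if __name__ == "__main__":
    print(scan_com(SAMPLE_COM))
    print(hex(resident_segment(640)))
```

The scanner only catches images that store the string exactly as the description states; a variant with a different key or terminator would need the memory check (INT 6Bh pointing at the original INT 21h handler) instead.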