NYEVENBA@WEIZMANN.BITNET (Baruch Even) (10/03/90)
Hello all,

There is a new virus in Israel. It was discovered on a BBS, in a file named SCAN.COM in a package SCANV68.ZIP, so please inform McAfee not to publish a SCAN version numbered 68. Some info that was posted over the BBS net follows.

[Ed. As this information looks (to me) to be somewhat sketchy, I urge readers to regard it as unconfirmed until/unless more information can be found. If anyone does have any _first hand_ information on this, I would appreciate a call or an e-note. (krvw@cert.sei.cmu.edu or (412) 268-7090)]

From : Gady Guy

Attention all computer users.

The file SCANV68.ZIP as downloaded from 'On-Line Today' includes one SCAN.COM file of size about 63Kb. This file, when run, immediately terminates, as it includes nothing but one INT 20 (termination) and 60Kb of junk.

But it is also infected by a virus that has a very limited ability: it hooks interrupt 21H (DOS function call) and hooks ONE .COM file in the current directory every time INT 21 is called. It puts itself in high memory without changing the high mem counter, so that any big program hangs the system. Command.com will not work when infected, so that infection will cause the system to hang on BOOT.

It has a very bad BUG when hooking INT 21H which causes Command.com to misinterpret commands, so that any DEL will cause deletion of the whole directory (I repeat: It is only a BUG!!!).

Its main symptom is typing a message onto the screen every 8th INT 21H request:

HEY SADAM LEAVE QUEIT BEFORE I COME

Its size is about 700 bytes. It is also very badly programmed, probably by someone who has very little control of assembly language.

Avoiding it is easy: When you get a new COM program, run it in an EMPTY directory eight times.

C:> MKDIR EMPTY
C:> CD EMPTY
C:EMPTY> COPY \PROCOMM\SCAN.COM
$One file(s) copied ...
C:EMPTY> SCAN
$Does NOTHING.
C:EMPTY> SCAN
C:EMPTY> SCAN
C:EMPTY> SCAN
C:EMPTY> SCAN
HEY SADAM LEAVE QUEIT BEFORE I COME
C:EMPTY> Ah hah!!!
C:EMPTY> DEL *.*
Are you sure (yes/no): Y
C:EMPTY>

Now BOOT!!! Further use of DOS might cause damage to the directory.

+-------------------------------------------------------+
| Baruch Even                                           |
|                                                       |
| BitNet - NYEVENBA@WEIZMANN.BITNET                     |
| InterNet - nyevenba%weizmann.bitnet@cunyvm.cuny.edu   |
|                                                       |
| Enjoy The Silence - Depeche Mode                      |
+-------------------------------------------------------+
NYEVENBA@WEIZMANN.BITNET (Baruch Even) (10/06/90)
Here are the specifications of the NEW virus 'The Saddam Virus'.

The virus was found a few days ago on a BBS in Israel and was probably written by the one who wrote the original Stupid Virus. The virus was found in a file named SCAN.COM in a package named SCANV68.ZIP, so please let McAfee know about this virus so he won't release a version with this number, for the sake of the Israeli users.

The virus isn't widespread (I hope). It was downloadable just for a few days and then deleted by the SysOp of the BBS. The virus also probably wasn't spread outside of Israel.

BTW: Please skip over my English mistakes.

==============================================================================
Entry...............: The Saddam Virus
Alias(es)...........: ---
Virus strain........: The Stupid Virus
Virus detected when.: 1-October-1989
              where.: BBS in Israel
Classifications.....: COM file infecting virus/extending, resident.
Length of virus.....: 917 - 924 bytes, depending on the size of the name of the infected file.
--------------------- Preconditions -----------------------------------
Operating system(s).: MS-DOS
Version/release.....: 2.0 or higher
Computer model(s)...: IBM PC, XT, AT and compatibles
--------------------- Attributes --------------------------------------
Identification......: Memory: INT 6Bh points to original INT 21h. (see Particularities [4])
                      .COM files: The encrypted string. To decrypt the string add 6 to each char; the terminating char is 24h before adding 6. The name of the infected file is stored by the virus.
Type of infection...: System: The virus copies itself to high memory by the following calculation: [0:413]*40h-867h. The virus does not lower the amount of memory that is written in [0:413], nor make DOS think the area is used, so big programs will make the system hang.
                      .COM files: Extends .COM files. Adds about 918 bytes to the end of the file.
                      .EXE files: Not infected.
Infection trigger...: every call to INT 21h
Interrupts hooked...: 21h, 6Bh.
Damage..............: Prints the string: HEY SADAM LEAVE QUEIT BEFORE I COME
Damage trigger......: Counts the number of times INT 21H was requested and on every eighth time will print the string.
Particularities.....: 1. Many programs load themselves into this area and erase the virus from memory.
                      2. The virus uses INT 6BH as a replacement for the original INT 21H.
                      3. The virus infects just files in the current directory.
                      4. If the disk is write-protected you'll see the message from DOS about the write protection when the virus tries to spread.
--------------------- Agents ------------------------------------------
Countermeasures.....: F-Prot 1.13 RESIDENT PART ONLY: identifies the virus as The Stupid Virus and doesn't let the program get into memory.
--------------------- Acknowledgement ---------------------------------
Classification by...: Baruch Even (NYEVENBA@WEIZMANN.BITNET)
Documentation by....: Baruch Even (NYEVENBA@WEIZMANN.BITNET)
Date................: October 5, 1990
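A static check for the identification string described in the specification entry above, offered as an added example that is not from either post; it gives an offline alternative to the "run it eight times in an empty directory" test in the earlier post. It assumes, as the entry states, that the stored terminator is 24h (unshifted) and that every other stored byte is the message character minus 6; both sample files are constructed here, not real specimens.

```python
# Added example, not from the posts: a static signature check for the
# Saddam virus string, built from the specification entry above.
from typing import Optional, Tuple

MESSAGE = b"HEY SADAM LEAVE QUEIT BEFORE I COME"
TERMINATOR = 0x24    # DOS '$' terminator; stored unshifted, per the spec (assumption)
SHIFT = 6            # the virus adds 6 to each stored byte when decrypting
GROWTH = (917, 924)  # infection length range given in the spec


def encode_message(text: bytes) -> bytes:
    """Stored (encrypted) form: each byte minus 6, then the '$' terminator."""
    return bytes((b - SHIFT) & 0xFF for b in text) + bytes([TERMINATOR])


def decode_message(stored: bytes) -> bytes:
    """Emulate the virus's own loop: add 6 to each byte until the stored '$'."""
    out = bytearray()
    for b in stored:
        if b == TERMINATOR:
            break
        out.append((b + SHIFT) & 0xFF)
    return bytes(out)


def scan_com(data: bytes, original_size: Optional[int] = None) -> dict:
    """Report whether the stored signature is present, where, and what it decodes to.

    If the pre-infection size is known, also check that the growth matches the spec.
    """
    sig = encode_message(MESSAGE)
    off = data.find(sig)
    if off < 0:
        return {"infected": False}
    result = {"infected": True, "offset": off,
              "decoded": decode_message(data[off:]).decode("ascii")}
    if original_size is not None:
        growth = len(data) - original_size
        result["growth_ok"] = GROWTH[0] <= growth <= GROWTH[1]
    return result


def build_samples() -> Tuple[bytes, bytes]:
    """Constructed samples: the described SCAN.COM (INT 20h + junk) and an infected copy."""
    clean = b"\xcd\x20" + b"\x00" * (60 * 1024)   # INT 20h, then ~60 KB of junk
    body = bytearray(b"\x90" * 400)               # constructed filler, not real virus code
    body += encode_message(MESSAGE)
    body += b"\x90" * (918 - len(body))           # pad to the ~918-byte growth in the spec
    return clean, clean + bytes(body)
```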