76304.1407@CompuServe.COM (Ray Glath) (07/16/90)
July 13, 1990

*** First Documented sighting of the "4096" virus in the U.S.A. ***

The 4k (a.k.a. 4096, IDF, Israeli Defense Forces, Frodo, 100 Years, Stealth) virus has turned up in the Dallas TX area.

A computer dealer about 50 miles south of Dallas TX noticed a few unexplainable system crashes over the last 2 weeks. Upon investigation, he found that EXE file sizes were increased by 4 - 5k bytes. He copied a sample off to diskette, and sent it to RG Software Systems, Inc. for examination. A quick check using our Vi-Spy product found the 4k virus.

This dealer is now undergoing an intensive operation to locate and remove all occurrences of the 4k using Vi-Spy. Thus far he has found his demo systems infected; several customers' systems infected; and believes that some demo disks that he has shipped have carried the virus.

In addition to clearing up the problem in his own shop, he's contacting his customers and has taken the very unusual and commendable position of "going public" through an interview with Tom Steinert-Threlkeld of the Dallas Morning News, to let others in the Dallas area know of the problem. The story is in the Monday, July 16 edition of the paper.

The dealer believes he received the infection from a local software consultant who believes he got it from a local private BBS. (This consultant utilizes "many" private BBS'es and works for several companies in the Dallas area.)

At this stage, we do not know how widespread the infection is; however, due to the "Stealth" logic this virus employs to avoid detection, and the extremely prolific nature of its infection logic (infects any EXE or COM file OPENED, AND it infects COMMAND.COM), it can go a long way before becoming noticed. Once a system is infected, this virus gives no obvious signs of its presence. Only an experienced and very perceptive user may notice its activity, and then probably only by accident.

Since there is no direct trigger, the system crashes seem to be occurring only after massive infection whereby many program files have been expanded by 4 - 5k bytes and disk resources are used up.

[Ed. After posting this message, Ray called me back to inform me that the virus does indeed have a trigger - on or after September 22, 1990 - - at which time it will crash the system and/or delete the boot sector, while attempting to display a message, "Frodo lives".]

Upon examination at RG, we've determined this virus matches the sample we have in our Lab, which we had received from colleagues in Europe.

Raymond M. Glath
President
RG Software Systems, Inc.
2300 Computer Ave. A-7
Willow Grove, PA 19090
(215) 659-5300
Compuserve 76304,1407
76304.1407@CompuServe.COM (Ray Glath) (07/21/90)
> Date: Mon, 16 Jul 90 15:44:31 -0700
> From: Alan_J_Roberts@cup.portal.com
> Subject: 4096 virus information (PC)
>
> The following is a forward from John McAfee:
> ========================================================================
> Raymond Glath's posting about the 4096 in Dallas implied that
> this was the first documented case of the 4096 here in the States.
> Far from it.

I reported the first DOCUMENTED sighting of this virus in the U.S. because a retail computer dealer... James Rich of James Rich Computers in Corsicana TX... was willing to stand up and admit to having the infection in an effort to slow its spread in the Dallas area.

Prior to my posting, no one had reported this virus' appearance in the U.S. on Virus-L, and the emergence of this virus in the U.S. IS a significant event that needs attention. What is of PRIME IMPORTANCE is that all of us in the virus research community know when we've got a new problem to deal with, and one of the reasons for Virus-L's existence is to provide a vehicle for this type of information.

As recently as July 2nd, Dave Chess from IBM asked if anyone had any reports on the 4k virus since he'd been hearing rumors about its spread, especially in Israel. A response from Y. Radai stated that the 4k has been creating problems in Israel for about a year. John McAfee offered no response to the query from Dave Chess. And now he tells us:

> The 4096 was first detected at Washington University
> in St. Louis nearly 6 months ago and since then has been reported
> at over 100 sites involving many thousands of computers. Some well
> publicized incidents of recent infections include the entire
> Monterrey <sic> PC User's group (through an infected distribution
> diskette), 13 Burger King franchises in Scotts Valley, CA and Santa
> Cruz, numerous IRS offices in Seattle and one of the nation's
> largest banks based in Houston.

I have spoken with several people at the Northern California Burger King Corporate group that supports franchises. They were not aware of any virus problem at the franchise sites in their area. For a final resolution on this, I am awaiting a return call from the Operational V. P. in that office.

I also spoke with Mr. Tim Thompson of the "End User Support Group" at the IRS in Seattle. Mr. Thompson was unaware of ANY virus problems at the IRS offices other than some Mac viruses last year and his own personal experience with the Disk Killer virus several months ago, which he eliminated before it spread to other systems. By the way, it seems the IRS has ONE office in Seattle.

What gives here ?????

Ray Glath

ps: According to a recent conversation with my colleagues in Europe, the 4k virus has been causing problems in the U.K. for about the last 2 months...

pps: This is a heavily revised posting. Ken van Wyk censored my original response, which has been sent to John McAfee as private mail.

[Ed. Ray asked me to check for the record - a quick grep through the v-l archives turned up one previous report of a 4096 infection, at Weizmann Univ. in Israel.]
RADAI1@HBUNOS.BITNET (Y. Radai) (07/24/90)
>[Ed. Ray asked me to check for the record - a quick grep through the
>v-l archives turned up one previous report of a 4096 infection, at
>Weizmann Univ. in Israel.]

Just for the record, the first report in Virus-L of a sighting of the 4096 (albeit not explicitly by that name) was in Vol. 2, Issue 214:

>Date: Thu, 05 Oct 89 14:33:43 +0200
>From: Y. Radai <RADAI1%HBUNOS.BITNET@VMA.CC.CMU.EDU>
>Subject: Two new PC viruses
>
> Two new viruses have been discovered in Israel. One of them is
>called the Alabama virus. ....
>
> I have less information about the other virus (not even a name for
>it). It adds 4096 to all infected files (both EXE and COM, incl.
>COMMAND.COM). But when you perform DIR you don't see the increase in
>file size since the virus shows you the *original* (uninfected) sizes.
>Like the Alabama and MIX1, it does not use the usual TSR function. It
>also uses INs and OUTs to confuse single-step utilities.

As for the debate between Ray Glath and John McAfee over whether the recent Dallas sighting was the first documented case in the U.S., I don't have any evidence either way. But IMHO it was very incautious of Ray to make such an extreme claim without proof, and one of the most obvious sources of counter-evidence would have been John McAfee. Perhaps the problem is that Ray is using the word "documented" in a very peculiar way. At one point he seems to imply that a virus sighting hasn't been documented unless it has been reported on Virus-L. Whatever his definition is, he should have stated it in his original posting.

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI1@HBUNOS.BITNET
RADAI@HUJIVMS.BITNET
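An added, defender-side illustration (not code from this thread, from RG Software or from any of the posters) of the point both Glath's and Radai's messages make: a resident virus that reports the original file size to DIR defeats a size comparison made on the running system, while a baseline of content hashes taken from a clean boot and checked against the raw bytes still exposes the 4096-byte growth. The three program files, the "stealth DIR" view and the growth itself are all constructed in memory; nothing here models the virus beyond appending placeholder bytes.

```python
import hashlib

GROWTH = 4096  # the file-size increase both Glath and Radai report

def fingerprint(data: bytes) -> dict:
    """Size and SHA-256 of a program image, recorded from a clean boot."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}

def take_baseline(files: dict) -> dict:
    """Baseline inventory: name -> fingerprint, taken while the system is known clean."""
    return {name: fingerprint(data) for name, data in files.items()}

def stealth_dir_listing(files: dict, baseline: dict, infected: set) -> dict:
    """Constructed model of DIR on an infected system: the resident virus
    hands back the *original* size for every file it has infected."""
    return {name: (baseline[name]["size"] if name in infected else len(data))
            for name, data in files.items()}

def check_by_dir_size(listing: dict, baseline: dict) -> list:
    """Naive check made on the running system: DIR sizes vs. baseline sizes."""
    return sorted(n for n, size in listing.items() if size != baseline[n]["size"])

def check_by_hash(files: dict, baseline: dict) -> list:
    """Offline check (clean boot, raw bytes): content hash vs. baseline hash.
    Returns (name, size delta) for every file whose contents changed."""
    suspects = []
    for name, data in files.items():
        fp = fingerprint(data)
        if fp["sha256"] != baseline[name]["sha256"]:
            suspects.append((name, fp["size"] - baseline[name]["size"]))
    return sorted(suspects)

# Constructed sample "disk": three program files of known content.
CLEAN = {"COMMAND.COM": b"\xb8\x00\x4c" * 300, "EDIT.COM": b"\x90" * 1000, "WP.EXE": b"MZ" + b"\x00" * 2000}

def simulate_growth(files: dict, targets: set) -> dict:
    """Model only the size effect: append GROWTH placeholder bytes to each target."""
    return {n: (d + b"\x00" * GROWTH if n in targets else d) for n, d in files.items()}

def demo():
    baseline = take_baseline(CLEAN)
    infected = {"COMMAND.COM", "WP.EXE"}
    disk = simulate_growth(CLEAN, infected)
    listing = stealth_dir_listing(disk, baseline, infected)
    return check_by_dir_size(listing, baseline), check_by_hash(disk, baseline)

if __name__ == "__main__":
    naive, offline = demo()
    print("DIR-size check flagged:", naive)   # [] : the stealth view hides the growth
    print("hash check flagged:", offline)     # [('COMMAND.COM', 4096), ('WP.EXE', 4096)]
```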