[comp.virus] Three possibly new viruses lost !!!!

RY15@DKAUNI11.BITNET (Christoph Fischer) (05/31/90)

Hi,
  we were contacted during the last week by 3 persons / institutions
reporting the following symptoms:
 #1: (large company) on one of their PCs (used by several people) they
     suddenly found all of their COM files in the root directory being
     replaced by 204 byte long text files (the names were still the old
     ones, e.g. COMMAND.COM). The text is a French translation of an
     Edgar Allan Poe poem. (4 lines)
 #2: (mid-size industrial company) they ran Lotus and all of a sudden
     the printer started and printed the last lines of McAfee's scan
     message (This program may not be used in .....) in reverse order
     (right to left). And it played a tune, possibly Yankee Doodle Dandy.
 #3: (reporting person did not disclose company) A small ambulance car
     drawn with block graphic characters moved across the screen and played
     a siren sound on the speaker.

In all three cases the victims destroyed the sabotage code, be it a virus or
trojan, by using a low level format. In case #3 they even found out that it
was a virus of 799 bytes length, but did not keep a sample.

A low level format might get rid of the virus on a particular machine, but
if one can't search for the cause of these effects there is a high probability
that these things reappear and cause malfunctions again. Also, such a virus or
trojan may not only affect executable code; it might also affect data files.
Only a disassembly and expert investigation can reveal such doings.

Anyone who has seen or heard of the above described effects should contact me.
Thanks in advance
   Christoph Fischer

*****************************************************************
* Christoph Fischer                                             *
* Micro-BIT Virus Team / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-37 64 22           *
* E-Mail: RY15 at DKAUNI11.BITNET                               *
*****************************************************************