[comp.virus] Bogus SCAN.EXE

C51@TAUNOS.BITNET (Ami Ziv) (05/25/90)

Shalom,
Here's a posting we must all take into consideration.
As to the copy of SCAN which I promised to distribute, I take it directly
from Simtel or indirectly through Trickle. Hopefully, these sources are still
safe.
Still, you can never know nowadays...
                    Ran

 ----------------------------Original message----------------------------
Date:         Mon, 14 May 90 22:10:05 +0300
From:         Yuval Tal <NYYUVAL@WEIZMANN.BITNET>
Subject:      Bogus SCAN.EXE

A file called SCAN.ZIP has been uploaded to one of the BBSs here,
in Israel. I noticed that the file was very small (about 7K of ZIP)
and the description said that it can detect 103 viruses. I, of course,
downloaded this file and checked it right away. This program seems
to be identical to SCAN.EXE from first look except for two things:
1. The bogus SCAN was not written in C - its write_to_screen routine
is much faster than the real SCAN's one. 2. The screen is cleared
before the bogus SCAN.EXE activates itself. The bogus SCAN size is
28720 bytes long - much smaller than the original one. The version of
this bogus SCAN is 9.4V65. When you execute SCAN C: for instance, it
seems to work fine - it scans the memory (much faster than usual,
though - false check) and starts checking the files (also, much faster).
The reason for the quick files scan is that the files are actually
being replaced with a 14 bytes text file which contains the message:
"Next time...". Note that this file came as a stand alone file without
all the documentation and validation program. Also note that all
the messages from the real SCAN have been copied to the bogus SCAN. Just
from looking at the messages, you can't tell if it's a real SCAN or a
bogus one (you can always check the version number, though).

I do not think that this file will not leave Israel but I would like
to warn everyone, anyway.

-Yuval Tal (NYYUVAL@WEIZMANN.BITNET)
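
The indicators reported in the message above (a 28720-byte SCAN.EXE, and files replaced by a 14-byte "Next time..." text) written as a damage-triage check over a directory tree. This is an added example, not part of the original posts; the function names are hypothetical, and matching only the message prefix of the 14 bytes is an assumption, since the post does not say what the remaining 2 bytes are.

```python
import os

# Indicators taken from the post; everything else here is an assumption.
MESSAGE = b"Next time..."      # text the post says replaces each file
OVERWRITTEN_SIZE = 14          # post: "14 bytes text file"
BOGUS_SCAN_SIZE = 28720        # post: size of the bogus SCAN.EXE


def is_overwritten(path):
    """True if the file matches the 14-byte replacement described in the post."""
    try:
        if os.path.getsize(path) != OVERWRITTEN_SIZE:
            return False
        with open(path, "rb") as fh:
            data = fh.read(OVERWRITTEN_SIZE)
    except OSError:
        return False  # unreadable entries are skipped, not reported
    # The post does not say what the 2 bytes after the message are
    # (CR/LF is likely), so only the prefix is compared.
    return data.startswith(MESSAGE)


def is_bogus_scan(path):
    """True if a file named SCAN.EXE has the size reported for the bogus copy."""
    name = os.path.basename(path).upper()
    try:
        return name == "SCAN.EXE" and os.path.getsize(path) == BOGUS_SCAN_SIZE
    except OSError:
        return False


def triage(root):
    """Walk root and return (overwritten_files, bogus_scan_copies), sorted."""
    overwritten, bogus = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_bogus_scan(path):
                bogus.append(path)
            elif is_overwritten(path):
                overwritten.append(path)
    return sorted(overwritten), sorted(bogus)
```

A size match alone does not prove a SCAN.EXE is the bogus copy; treat a hit as a reason to compare the file against a copy from a trusted source.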