[comp.virus] Israeli virus strains vs. Novell?

RZOTTO%DKNKURZ1.BITNET@CUNYVM.CUNY.EDU (02/22/90)

Good evening,

recently, a user of a Novell Network consulted me about my (ancient,
even obsolete, yet popular) VIRCHECK program, which had rendered his
network hanging.  He declared that Novell uses Int 21, Function E0,
for its internal gearings -- the very same function the "Friday 13th"
virus uses for its signalling.  My VIRCHECK will check for the
presence of TSR "Friday 13th" by invoking this function and looking at
the answer.

Now I conjecture that
** the "Friday 13th" will cause Novell Networks to hang every time an
   infected program is invoked;
** so will probably other Israeli strains do (Y.R. forgive me: I don't
   know any other, widely recognized, term for them :-) ;
** IMMUNE and similar virus-watchers will probably suspect Novell
   of being a virus, and alert the user about it;
** VIRCHECK and similar virus-checkers will cause Novell to hang,
   as well.

Has anybody any experiences to share with us, in this respect?
(I, for my part, have no Novell running to test my conjectures.)

Best wishes
            Otto Stolz

LISTVIR@USACHVM1.BITNET (Gonzalo M. Rojas Costa) (03/02/90)

Hi...

   Otto Stolz (RZOTTO%DKNKURZ1.BITNET@CUNYVM.CUNY.EDU) writes:

>> ** the "Friday 13th" will cause Novell Networks to hang every time an
>>    infected program is invoked;

      Yes. Novell Networks use function E0 of int 21h for the print
spooler. For that reason, if I execute an infected program, the server
and the stations hang. (On the server, before it hangs, the LAN
manager prints a message that there was an attempt to change an
interrupt vector).

>> ** so will probably other Israeli strains do.

      I tested versions B and B-2 of the Jerusalem virus and the two
versions produce the same effect (they hang the stations and server).

>> IMMUNE and similar virus-watchers will probably suspect Novell of
>> being a virus, and alert the user about it;
>> VIRCHECK and similar virus-checkers will cause Novell to hang,
>> as well.

      I didn't test IMMUNE on a Novell Network. But any program that
tries to detect the Jerusalem Virus through function E0 int 21h hangs
the computers on a Novell Network.

      In a Novell Network or other LAN you can use John McAfee's
NETSCAN to search for infected programs. (This program is on SIMTEL20 in
the directory PD:<MSDOS.TROJAN-PRO>).

Disclaimer: The views expressed are my own! I do not speak for, nor do
            I represent any other person or company.

Gonzalo M. Rojas Costa
BITNET: LISTVIR@USACHVM1
ARPA: LISTVIR%USACHVM1.BITNET@CUNYVM.CUNY.EDU
Owner of ASSMPC-L
Antiviral Research Group
Technical Support Unit
Universidad de Santiago de Chile