RZOTTO%DKNKURZ1.BITNET@CUNYVM.CUNY.EDU (02/22/90)
Good evening,

recently, a user of a Novell Network consulted me about my (ancient, even obsolete, yet popular) VIRCHECK program, which had rendered his network hanging. He declared that Novell uses Int 21, Function E0, for its internal gearings -- the very same function the "Friday 13th" virus uses for its signalling. My VIRCHECK will check for the presence of TSR "Friday 13th" by invoking this function and looking at the answer.

Now I conjecture that
** the "Friday 13th" will cause Novell Networks to hang every time an infected program is invoked;
** so will probably other Israeli strains do (Y.R. forgive me: I don't know any other, widely recognized, term for them :-) ;
** IMMUNE and similar virus-watchers will probably suspect Novell of being a virus, and alert the user about it;
** VIRCHECK and similar virus-checkers will cause Novell to hang, as well.

Has anybody any experiences to share with us, in this respect? (I, for my part, have no Novell running to test my conjectures.)

Best wishes
Otto Stolz
LISTVIR@USACHVM1.BITNET (Gonzalo M. Rojas Costa) (03/02/90)
Hi...

Otto Stolz (RZOTTO%DKNKURZ1.BITNET@CUNYVM.CUNY.EDU) writes:

>> ** the "Friday 13th" will cause Novell Networks to hang every time an
>> infected program is invoked;

Yes. Novell Networks use function E0 of int 21h for the print spooler. For that reason, if I execute an infected program, the server and the stations hang. (On the server, before it hangs, the LAN manager prints a message that there was an attempt to change an interrupt vector.)

>> ** so will probably other Israeli strains do.

I tested versions B and B-2 of the Jerusalem virus and the two versions produce the same effect (they hang the stations and server).

>> IMMUNE and similar virus-watchers will probably suspect Novell of
>> being a virus, and alert the user about it;
>> VIRCHECK and similar virus-checkers will cause Novell to hang,
>> as well.

I didn't test IMMUNE on a Novell Network. But any program that tries to detect the Jerusalem Virus through function E0 int 21h hangs the computers on a Novell Network.

In a Novell Network or other LAN you can use John McAfee's NETSCAN to search for infected programs. (This program is on SIMTEL20 in the directory PD:<MSDOS.TROJAN-PRO>).

Disclaimer: The views expressed are my own! I do not speak for, nor do I represent any other person or company.

Gonzalo M. Rojas Costa
BITNET: LISTVIR@USACHVM1
ARPA: LISTVIR%USACHVM1.BITNET@CUNYVM.CUNY.EDU
Owner of ASSMPC-L
Antiviral Research Group
Technical Support Unit
Universidad de Santiago de Chile