IA96@PACE.BITNET (IA96000) (12/13/89)
At 03:00 yesterday another version of EAGLE.EXE was discovered and forwarded to SWE for analysis. Here are the results. See back issues of VIRUS-L and/or VALERT-L for original symptoms.

This new version has changed slightly:

1) Contains Jerusalem-D virus. Active and spreads!

2) Seeks out and overwrites the following files and locations:

   a) COMMAND.COM   (ascii 246 used to overwrite)
   b) BOTH FAT's    (ascii 246 used to overwrite)
   c) BOOT SECTOR   (ascii 246 used to overwrite)
   d) EAGLSCAN.EXE  (string "F**K YOU" used to overwrite)
   e) SCAN.EXE      (string "F**K YOU" used to overwrite)
   f) VIRUSCAN.EXE  (same as last two above used to overwrite)

3) There seems to be a built in timer. Once the file has been loaded it remains dormant for twenty minutes. During this time the VIRUS can be detected by SCAN.EXE if you use the /M switch. Once the timer has run down, the trojan takes over and does its dirty deed.

4) Unlike previous versions, it DOES NOT matter if the disk is a DOS system disk or not. If a file is not found, it just continues on down the list. Previously COMMAND.COM had to be in the root to trigger the trojan.

5) SWE reports that they feel this WAS NOT written by the same author(s) as the first two versions. First, this new version appears to be written in Pascal. Second, SCAN.EXE will identify the file. It has not been encrypted or compressed like the previous versions.

Since SCAN.EXE will detect the virus, and since SWE is closing for their vacation period, they feel there is NO rush to update EAGLSCAN at this time. They said it will be done when they get back.

One important point needs to be repeated! SCAN.EXE will identify the virus, in memory when you use the /M switch. It will also detect the virus in a file. It has no way of knowing if the file also contains a trojan (understandable, it wasn't designed to) so be wary if you decide to experiment with this new version of EAGLE.EXE!!!!

Thanks to Harriman, New York for sending it for evaluation.
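
Added example (not part of the original post and not SWE's code): a Python triage check that reports whether the boot sector and both FATs of a raw disk image carry the ASCII 246 (0xF6) overwrite described in item 2. The function names, the 98% threshold and the 360K fallback geometry are assumptions of this example, and the sample image is constructed.

```python
import struct

FILL = 0xF6          # "ascii 246", the overwrite byte named in the post
SECTOR = 512
# Assumed fallback layout (360K floppy) for when the BPB itself has been wiped.
DEFAULT_GEOMETRY = {"reserved": 1, "fats": 2, "sectors_per_fat": 2}

def is_wiped(region: bytes, threshold: float = 0.98) -> bool:
    """True when nearly every byte of the region is the fill byte."""
    return bool(region) and region.count(FILL) / len(region) >= threshold

def read_geometry(boot: bytes) -> dict:
    """Take the FAT layout from the BPB if the boot sector still looks valid."""
    if len(boot) >= SECTOR and boot[510:512] == b"\x55\xaa":
        bps, = struct.unpack_from("<H", boot, 11)            # bytes per sector
        reserved, fats = struct.unpack_from("<HB", boot, 14)
        spf, = struct.unpack_from("<H", boot, 22)            # sectors per FAT
        if bps == SECTOR and fats and spf:
            return {"reserved": reserved, "fats": fats, "sectors_per_fat": spf}
    return dict(DEFAULT_GEOMETRY)

def triage_image(image: bytes) -> dict:
    """Report which system areas listed in the post are 0xF6-filled."""
    # Caveat: DOS FORMAT also leaves 0xF6 in unused data sectors, so only the
    # boot sector and FATs are checked; a valid disk never has 0xF6 runs there.
    geo = read_geometry(image[:SECTOR])
    findings = {"boot_sector": is_wiped(image[:SECTOR])}
    size = geo["sectors_per_fat"] * SECTOR
    for n in range(geo["fats"]):
        start = (geo["reserved"] + n * geo["sectors_per_fat"]) * SECTOR
        findings[f"fat_{n + 1}"] = is_wiped(image[start:start + size])
    return findings

def make_sample(wiped: bool) -> bytes:
    """Constructed test input: boot sector, two FATs, then 0xF6 filler sectors."""
    boot = bytearray(SECTOR)
    struct.pack_into("<H", boot, 11, SECTOR)
    struct.pack_into("<HB", boot, 14, 1, 2)
    struct.pack_into("<H", boot, 22, 2)
    boot[510:512] = b"\x55\xaa"
    fat = b"\xfd\xff\xff" + bytes(2 * SECTOR - 3)   # media byte + end markers
    head = bytes(boot) + fat + fat
    if wiped:
        head = bytes([FILL]) * len(head)
    return head + bytes([FILL]) * (4 * SECTOR)

if __name__ == "__main__":
    print(triage_image(make_sample(wiped=True)))
```

The same `is_wiped` check applies to a copy of COMMAND.COM read as bytes.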