[comp.virus] Jerusalem B virus found

HJW2@PSUVM.PSU.EDU (12/10/89)

FOR THOSE WHO RESPONDED TO MY PREVIOUS VIRUS POSTING, I HAVE THIS STORY
FOR YOU:
                   How I got Jerusalem virus in my computer

                         A user's nightmare came true

            (88 lines long, anything longer than that would be VIRUS...)

To make a short story long, let me go back to some day in late
September....

     I was playing with my computer, as usual, and my wife was doing
her work in the kitchen, as usual.  I was using PC Tools to copy some
of my files from the hard disk to a floppy, and when I went back to the
root directory on C:, I saw an empty file that was new and weird to me.
It looked like this in PC Tools:

     Filename      File length   Attribute    Date

     gEgEgEgE.gEg       0          .SR.     11/07/14

Since I have deleted countless files using PC Tools, I tried the same
way to select that file and delete it.  To my surprise, PC Tools
responded "File not Found".  So I said to myself: "It must be the
problem of zero length," and tried to write something on it so I could
delete it, and, you know, it didn't work that way.  And the strange
thing was that whenever I changed its attribute by using the Edit/View
function, it didn't work as it was supposed to.

     So I kept that file and forgot about it until someone on campus (or
the Wall Street Journal) brought up the issue of October 13th and the
computer virus attack.  I went to 12 Willard to get a scanv4 disk and
used it to scan my hard disk at least 13 times and did not spot a virus.
I was still nervous about the virus attack, so I got another virus
protection program (Flushot, in case it matters) and checked the hard
disk again and again and again until my wife reminded me to do my
homework.  I survived the virus hit in October.

     Before the first snow in November, about three weeks ago, I booted
up the machine as usual and pressed the turbo switch when I noticed the
slow speed of the computer checking my Intel Aboveboard memory.  The
computer suddenly went nuts for the first time since I bought it a
year ago.  There was nothing on the screen, the keyboard didn't
respond, and the speaker beeped.  I powered off and on again and the
computer prompted me "8237 Error" and refused to work.  I was nervous
but not afraid.  Since I have played around with computers for a
while, I tore down my machine to check what might be the source of
error.  I didn't find anything suspicious but BIOS and DMA.  I went to
a local computer store and had my BIOS replaced and the computer
worked again.  So I gave them $35 for the Phoenix BIOS that worked
wonders on my computer.

     But the honeymoon was soon over.  One day when I was using my
primitive word processor PFS:Professional Write, the computer hung on me
without any warning.  I lost the whole file I was editing and had to
reboot again using the reset button, not ctrl+alt+del.  And after that,
it hung from time to time whenever I changed from editing a document to
print or to spell check.  After a few days, I found out I could not use
turbo mode anymore; I had to stay in normal mode.  When I pressed the
turbo button to boost speed, it hung.

     Since I had just replaced the BIOS, I suspected the problem was in
the DMA.  So I brought my computer back to that local store after
Thanksgiving and they said that I needed a new motherboard because they
could not fix the motherboard problem.  Because they were asking ONLY
$200 for a new
12MHz 286 motherboard, I decided to get it replaced.  Everything
worked fine with the new board until I tried to run Harvard Graphics,
it hung again.  Same thing happened to Minitab and the new
PFS:Professional Write v2.0.  I questioned the store about the
compatibility of that kind of motherboard and got pissed off.  They
claimed that their motherboard had been running thousands of software
packages and had never encountered an incompatibility problem.  So I
tested everything I could, changing to faster memories, changing to
different BIOSes, changing the video board, and even swapping hard
disks.  I could not find the problem until one day I used MAPMEM to
see memory usage and saw an unknown program occupying about 1732k of
memory above the configuration and DOS command, and I realized that
something weird was going on.

     I immediately (well, the next day) got the virus detection disk
from the office and started checking my hard disk.  Boy, was I
astonished!  I saw a warning line as soon as I issued the SCAN command:
SCAN file has been damaged....  In the next few minutes, I saw 50 of my
command files were infected by the Jerusalem B virus.  I used PC Tools
to erase all the infected files and got a map of my hard disk to see if
everything was ok.  But I saw some sectors marked "unremovable" where
they should have been "usable" space.  And I realized that the only way
to get rid of the virus would be reformatting my entire hard disk.  So
I did.  I am glad I have a backup for every program I have on the hard
disk.

     Now that all the viruses are gone except one that I keep on a
floppy as a memento or for future research use, I have started thinking
about where I got this little virus.  There are only two places: PCLIB
at Penn State or that computer store.  I cannot think of any other
sources except these two.  The weird zero-byte, unremovable file came
from some file in PCLIB, but I had checked every file before October 13
and found no virus.  After that date, I have not downloaded anything.
On the other hand, every weird thing started after I replaced the BIOS
and used testing software from the computer store.  It's also possible
that the virus is attached to some file that the store has.  I will
keep tracking down the suspicious source of this virus and if anything
interesting comes out, I will summarize and post it.

                                                    GOOD   BYE !
                                                   _____    ___
H. WU       HJW2@PSUVM.BITNET                       _|_    |___|
            DEPARTMENT OF BUSINESS LOGISTICS       |_|_|   |___|
            THE PENNSYLVANIA STATE UNIVERSITY     _|_|_|_  |___|
                                                   |   |   _/ |__|