[comp.virus] Eagle Virus Detection Utility and Final Report

IA96@PACE.BITNET (IA96000) (11/21/89)

Final report on virus contained in file EAGLE.EXE:

1) It DOES contain a form of Jerusalem B. It WILL spread to other
   files once EAGLE.EXE has been loaded into memory.

2) If the system being run has a '286 or higher processor and if
   COMMAND.COM is found in the root directory, the program will
   DESTROY the boot and FAT tables on the disk. No question about
   this folks! It overwrites the sectors with the ASCII 246
   character.

3) When EAGLE.EXE is loaded, ONLY the Jerusalem B virus is spread
   to other files. The trojan part of the program is part of
   EAGLE.EXE, not part of the virus itself.

4) Viruscan (SCAN.EXE) WILL NOT detect any viruses in the EAGLE.EXE
   file. This appears to be because EAGLE.EXE has been compressed
   and a DOS loader has been added to the head of the file, and is
   not the fault of Viruscan.

5) Once EAGLE.EXE has been run, SCAN will detect the Jerusalem B
   virus in memory when SCAN's "M" command line switch is used.

6) A write protect tab WILL stop the destruction of the Boot and FAT
   on a floppy. Numerous methods have been tried to stop the destruction
   of the Boot and FAT on a hard disk and none appear to be effective.

7) After considerable study it has been determined that the EAGLE.EXE
   program was written in (take a guess) a version of compiled Basic.

8) We have no way to know that the author intended for the program to
   contain the Jerusalem virus. It is quite possible this IS the case
   since the specific compression program used would not allow the
   program to load, if the virus had infected the file AFTER it had
   been compressed.

To recap:

   The program name is EAGLE.EXE and contains the Jerusalem virus.
   It was uploaded to a BBS with a description line saying it would
   produce a VGA animation of an EAGLE in flight. If COMMAND.COM
   is present in the root directory of the default drive and if
   the processor is a '286 or higher (including a '486) EAGLE.EXE
   will write over the Boot and both FAT areas with the ASCII 246
   character.

Detection:

   The good people at SWE have written a small program named
EAGLSCAN.EXE which will probe any file with an extension of .EXE
to determine if it is the EAGLE.EXE program renamed. I do not know
the particulars of the program but I have tested it, and it is very
fast! It will, if you desire, scan one .EXE file or all .EXE files
on your disk. If a file is found to be EAGLE.EXE renamed or has the
exact same identification strings, it will be flagged and you will
be notified.

If you would like a copy of EAGLSCAN.EXE please send a formatted
5.25 inch, 360k disk to the following address with return postage,
(stamps are fine) and you will receive the program along with a
commented dis-assembly of the EAGLE.EXE file. Please enclose a
return address label for the disk mailer.

                                       SWE
                                       132 Heathcote Road
                                       Elmont, New York 11003

EAGLSCAN IS NOT Shareware, nor is it in the public domain. The
authors have consented to supply anyone who reads Virus-L with
a copy free of charge (except for postage which you must supply).

That is about it for now. As far as I am concerned we have found
everything we need to know. EAGLE.EXE contains both a virus and
a very nasty trojan horse if the conditions are right!

For whatever it is worth, my opinion is that you should send for
a copy of EAGLSCAN. It does not cost you anything except for postage
and it might come in handy!
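
Added example, not part of the original post and not EAGLSCAN's code (its particulars are not given above): a content-based scan showing why a signature for the virus body misses a compressed file (point 4) while identification strings of the packed file itself still match after a rename. Both signature strings, the file names, and the use of zlib as a stand-in for the unnamed compressor are assumptions, and every sample file is constructed and harmless.

```python
import os, tempfile, zlib

MZ_MAGIC = b"MZ"  # magic at the start of a DOS .EXE
INNER_SIGNATURE = b"CONSTRUCTED-VIRUS-BODY-MARKER"    # constructed: generic virus signature
CONTAINER_SIGNATURE = b"CONSTRUCTED-EAGLE-ID-STRING"  # constructed: string in the packed file

def contains(path, needle, chunk_size=4096):
    """Stream a file; keep an overlap so a match split across reads is found."""
    tail = b""
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            window = tail + chunk
            if needle in window:
                return True
            tail = window[-(len(needle) - 1):] if len(needle) > 1 else b""
    return False

def is_dos_exe(path):
    with open(path, "rb") as fh:
        return fh.read(2) == MZ_MAGIC

def scan_tree(root, needle):
    """Names of .EXE files under root whose content (not name) holds needle."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.upper().endswith(".EXE") and is_dos_exe(path) and contains(path, needle):
                hits.append(name)
    return sorted(hits)

def build_samples(root):
    """Write harmless constructed files; zlib stands in for the unnamed compressor."""
    body = b"program code " * 50 + INNER_SIGNATURE + b" more code" * 50
    samples = {
        "GAME.EXE": MZ_MAGIC + b"clean program " * 100,
        "UNPACKED.EXE": MZ_MAGIC + body,
        "BIRD.EXE": MZ_MAGIC + b"loader " + CONTAINER_SIGNATURE + zlib.compress(body),
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_samples(root)
        return scan_tree(root, INNER_SIGNATURE), scan_tree(root, CONTAINER_SIGNATURE)

if __name__ == "__main__":
    print(demo())
```

The inner-signature scan reports only the uncompressed sample, while the container-string scan reports the packed sample even though it is stored under a different name.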