IA96@PACE.BITNET (IA96000) (11/21/89)
Final report on virus contained in file EAGLE.EXE: 1) It DOES contain a form of Jerusalem B. It WILL spread to other files once EAGLE.EXE has been loaded into memory. 2) If the system being run has a '286 or higher processor and if COMMAND.COM is found in the root directory, the program will DESTROY the boot and FAT tables on the disk. No question about this folks! It overwrites the sectors with the ASCII 246 character. 3) When EAGLE.EXE is loaded, ONLY the Jerusalem B virus is spread to other files. The trojan part of the program is part of EAGLE.EXE, not part of the virus itself. 4) Viruscan (SCAN.EXE) WILL NOT detect any viruses in the EAGLE.EXE file. This appears to be because EAGLE.EXE has been compressed and a DOS loader has been added to the head of the file and is not the fault of Viruscan. 5) Once EAGLE.EXE has been run,SCAN will detect the Jerusalem B virus in memory when SCAN's "M" command line switch is used. 6) A write protect tab WILL stop the destruction of the Boot and FAT on a floppy. Numerous methods have been tried to stop the destruction of the Boot and FAT on a hard disk and none appear to be effective. 7) After considerable study it has been determined that the EAGLE.EXE program was written in (take a guess) a version of compiled Basic. 8) We have no way to know that author intended for the program to contain the Jerusalem virus. It is quite possible this IS the case since the specific compression program used would not allow the program to load, if the virus had infected the file AFTER it had been compressed. To recap: The program name is EAGLE.EXE and contains the Jerusalem virus. It was uploaded to a BBS with a description line saying it would produce a VGA animation of an EAGLE in flight. If COMMAND.COM is present in the root directory of the default drive and if the processor is a '286 or higher (including a '486) EAGLE.EXE will write over the Boot and both FAT areas with the ASCII 246 character. Detection: The good people at SWE have written a small program named EAGLSCAN.EXE which will probe any file with an extension of .EXE to determine if it is the EAGLE.EXE program renamed. I do not know the particulars of the program but I have tested it, and it is very fast! It will if you desire scan one .EXE file or all .EXE files on your disk. If a file is found be EAGLE.EXE renamed or has the exact same identification strings, it will be flagged and you will be notified. If you would like a copy of EAGLSCAN.EXE please send a formatted 5.25 inch, 360k disk to the following address with return postage, (stamps are fine) and you will receive the program along with a commented dis-assembly of the EAGLE.EXE file. Please enclose a return address label for the disk mailer. SWE 132 Heathcote Road Elmont, New York 11003 EAGLSCAN IS NOT Shareware, nor is it in the public domain. The authors have consented to supply anyone who reads Virus-L with a copy free of charge (except for postage which you must supply). That is about it for now. As far as I am concerned we have found everything we need to know. EAGLE.EXE contains both a virus and a very nasty trojan horse if the conditions are right! For whatever it is worth, my opinion is that you should send for a copy of EAGLSCAN. It does not cost you anything except for postage and it might come in handy!