shaynes@lynx.northeastern.edu (10/25/89)
After running Scan 1.1V45 on my hard drive I detected the Jerusalem Virus Version B on one of my files. The file that I detected the virus on had not appeared in earlier runs of Scan.

The infected file is UNVIRUS.EXE. The archive I got it out of was UNVIRUS.ARC. I downloaded this file from the SIMTEL20 PD archives. I immediately deleted the file. I have never had a reason to the program (and I would think that running the program on itself would have adverse effects).

[Ed. Could someone at SIMTEL20 please check into this and confirm or deny it? Thanks!]

+-----------------------------------------------------------------------------+
| PA_HAYNES@VAXE.COE.NORTHEASTERN.EDU | Sean A. Haynes |Student Northeastern |
| SHAYNES@LYNX.NORTHEASTERN.EDU       | 46 Udine St.   |University, Boston   |
| PA_HAYNES@NUHUB.BITNET              | Arlington, MA  |MA 02115             |
|                                     | (617) 648-8390 |(617) 437-5422       |
+-----------------------------------------------------------------------------+
jwright@atanasoff.cs.iastate.edu (Jim Wright) (10/26/89)
In article <0010.8910251154.AA23552@ge.sei.cmu.edu> shaynes@lynx.northeastern.edu writes:
| After running Scan 1.1V45 on my hard drive I detected the Jerusalem Virus
| Version B on one of my files. The file that I detected the virus on had
| not appeared in earlier runs of Scan.
|
| The infected file is UNVIRUS.EXE. The archive I got it out of was
| UNVIRUS.ARC. I downloaded this file from the SIMTEL20 PD archives. I
| immediately deleted the file. I have never had a reason to the
| program (and I would think that running the program on itself would
| have adverse effects).

I uploaded unvirus.arc to SIMTEL20, after it was sent directly to me by the author. I will assert there is no virus in that file. Of course, for the program to be able to deal with the Jerusalem-B virus, it must first identify it. Apparently scanv is setting off false alarms based on the identification code present in unvirus. Scanv previously had problems with false alarms with one of the author's own programs.

Unvirus.arc is an old version that was removed from distribution at the request of the author. No problems, but a newer version has been released. Please get unvir6.arc from any of the IBMPC anti-viral archives. Unvir6.arc also replaces the file immune.arc.

Now, as for scanv. The author said previously that he regularly changes the methods he uses to identify viruses, thus hopefully discouraging crackers from releasing minor modifications of existing viruses. It seems that this incarnation of scanv is triggered by what it sees in unvirus. I tested both scanv45 and scanv42. 45 choked on it, 42 gave no false alarms.

One more curious point. Scanv45 insisted that Jerusalem-B was present in memory! How to explain this? I *never* executed the unvirus program, so even if it did have a virus it couldn't load itself. No other file set off any alarms. Where did it come from? Well, when I unarchived unvirus.arc or unvir6.arc, the archiving program used more memory than scanv. Since MS-DOS doesn't clear memory after programs execute, there was still an image of unvirus left where the archiver had been working. Scanv45 barfed on this! To verify this, I unarchived unvir6.arc, then ran DBASE III+, then ran scanv45. This time no virus found in memory.

So in summary, replace unvirus.arc with the current release unvir6.arc. Apparently scanv45 sets off a false alarm with unvirus (either version). Neither author should be faulted for this. But everyone should be made aware of it. And don't put blind faith in any one program!!

--
Jim Wright
jwright@atanasoff.cs.iastate.edu (ignore the Reply-To: line)
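
The two false alarms described in the post above, modelled as an added example that is not part of the original thread and is not code from scanv or unvirus. The byte pattern, the memory model and all names are constructed assumptions; the pattern is a placeholder, not a real virus signature.

```python
# Constructed placeholder pattern; NOT a real virus signature.
SIGNATURE = bytes.fromhex("deadbeef0badf00dcafe")


def scan(buf: bytes) -> bool:
    """Naive string scanner: flags any buffer that contains the pattern."""
    return SIGNATURE in buf


class DosLikeMemory:
    """Flat RAM that is not zeroed when a program exits (the behaviour the post describes)."""

    def __init__(self, size: int):
        self.ram = bytearray(size)

    def run(self, image: bytes, base: int = 0) -> None:
        """Load a program's image and data at base; nothing is cleared afterwards."""
        self.ram[base:base + len(image)] = image


def build_remover() -> bytes:
    """Constructed stand-in for a removal tool that embeds the pattern it searches for."""
    return b"MZ" + b"\x90" * 64 + b"ID:" + SIGNATURE + b"\x00" * 32


def demo() -> dict:
    mem = DosLikeMemory(4096)
    remover = build_remover()
    results = {"file_flagged": scan(remover)}  # clean tool, flagged anyway

    # The archiver's working buffer holds a copy of the file it just unpacked.
    mem.run(b"ARCHIVER" + b"\x00" * 200 + remover)
    # The scanner is smaller than the archiver, so the tail of the buffer survives.
    mem.run(b"SCANNER" + b"\x01" * 100)
    results["memory_flagged_after_unarchive"] = scan(bytes(mem.ram))

    # A larger program run in between overwrites the residue (the DBASE III+ check).
    mem.run(b"BIGAPP" + b"\x02" * 1000)
    mem.run(b"SCANNER" + b"\x01" * 100)
    results["memory_flagged_after_big_program"] = scan(bytes(mem.ram))
    return results


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name}: {flagged}")
```
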