flanders@grebyn.com (Dennis Flanders) (10/25/89)
I am a new user on VIRUS-L. I am a communication engineer on the FTS2000 project at Boeing Computer Services and we run a large client/server data network. It now serves over 800 PCs, Sun Workstations and is served by several host machines from mainframes to micros.

I said all that to say this: In the process of "de lousing" our network for Columbus Day and Friday the 13th, using a program called VScan, we discovered seven programs that showed as possible infected programs or carrier programs. In disassembling them only one proved to be dangerous. The others contained code sequences to totally lock the keyboard and triggered warnings. It may have had the infection passed on by another virus as the first three bytes in the .com file were 909090h. The following bytes (I believe 19) simply blitzed track 0.

The infected file was a brief program (217 bytes) called KEYLOCK.COM which comes with a set of utilities distributed by PC Magazine. We could find no infected distribution disks. Only versions found on two PCs were found to contain this bomb.

Curiously enough, a couple of programs (i.e. NORTON.COM) popped a warning due to 1Fh found in the Seconds field of the directory. We also found several programs with a value >60 (i.e. 62) in the same location. All but one turned out to be harmless; we are still looking at the one.

+-------------------------------------------------+----------------------+
|Dennis M. Flanders                               |                      |
|AT&T Mail: !DFLANDERS                            | If at first you      |
|MCI Mail: DFLANDERS                              | don't succeed get    |
|INTERNET: flanders@grebyn.com                    | a bigger hammer!     |
|CompuServe: 73507,1771                           |                      |
+-------------------------------------------------+----------------------+
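The directory seconds-field check mentioned in the post, as an added example that is not part of the original message and is not VScan's code: it walks standard 32-byte FAT directory entries and flags files whose 5-bit seconds field (stored in 2-second units) holds a value above 29, so a raw 1Fh decodes to 62 seconds. The function names and the sample directory are constructed for illustration.

```python
import struct

ENTRY_SIZE = 32  # size of one FAT12/FAT16 directory entry

def make_entry(name, ext, hour, minute, raw_seconds, size):
    """Build a constructed 32-byte directory entry for the demo."""
    time_word = (hour << 11) | (minute << 5) | raw_seconds
    date_word = ((1989 - 1980) << 9) | (10 << 5) | 13  # 1989-10-13
    return struct.pack("<8s3sB10sHHHI", name.ljust(8).encode("ascii"),
                       ext.ljust(3).encode("ascii"), 0x20, b"\0" * 10,
                       time_word, date_word, 2, size)

def scan_directory(raw):
    """Return (filename, seconds) for entries whose seconds value is impossible."""
    hits = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = raw[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:          # end-of-directory marker
            break
        if entry[0] == 0xE5:          # deleted entry
            continue
        if entry[11] & 0x18:          # volume label or subdirectory
            continue
        (time_word,) = struct.unpack_from("<H", entry, 22)
        raw_seconds = time_word & 0x1F    # low 5 bits, 2-second units
        if raw_seconds > 29:              # 30 -> 60 s, 31 (1Fh) -> 62 s
            name = entry[0:8].decode("ascii").rstrip()
            ext = entry[8:11].decode("ascii").rstrip()
            hits.append((f"{name}.{ext}", raw_seconds * 2))
    return hits

# Constructed sample directory (not data from the post).
SAMPLE_DIR = b"".join([
    make_entry("SAMPLE1", "COM", 12, 0, 15, 1024),   # 12:00:30, normal
    make_entry("NORTON", "COM", 9, 30, 0x1F, 4096),  # seconds field = 1Fh
    make_entry("TOOL", "EXE", 8, 15, 30, 8192),      # decodes to 60 s
]) + b"\0" * ENTRY_SIZE                              # end marker

if __name__ == "__main__":
    for fname, secs in scan_directory(SAMPLE_DIR):
        print(f"{fname}: timestamp seconds = {secs} (not a valid clock value)")
```

A hit only means the timestamp was written by something other than the normal DOS clock path; as the post notes, most flagged files turn out to be harmless and need inspection before any conclusion.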