[comp.virus] New PC Virus

Alan_J_Roberts@Sun.COM (08/29/89)

    A new PC virus has been turned over to the CVIA by RAP Systems of
San Bruno, CA.  RAP Systems discovered the virus at one of their
Northern California client sites on August 17.  The virus infects COM
and EXE files (with the exception of COMMAND.COM) and increases their
size by exactly 2500 bytes.  The virus seems to have an activation
date of Friday 13, and when activated, it destroys both executable and
data files in a seemingly random fashion.
    Of interest is the fact that the infected client was also infected
with the Jerusalem Virus version B.  Both viruses appeared able to
infect the same files.
    The virus has been temporarily dubbed the RAP virus.  More info.
will be reported as we take it apart.
Alan

Alan_J_Roberts@SUN.COM (10/03/89)

    A new PC virus was submitted to the CVIA from Keith Peterson (who
maintains the SIMTEL20 MSDOS archives).  This virus replicates in COM files
and has the unusual capability of infecting generic COM files internally -
without changing the real size of the file (unlike the zero-bug virus which
maintains an "apparent" constant infected file size).  Small COM files are
infected externally, and the file sizes, for all files under 10K, change to
13952 bytes - another unusual characteristic.  The virus displays a full
screen graphic with the word "AIDS" occupying the bottom half of the
screen.  The top half contains a long rambling message from the author
informing the user of how stupid he has been for using public domain
software.
    SCANV40 has been updated to identify the virus.  It is not yet known
how destructive the virus may be (all tests have been done with a disabled
hard disk).  More info forthcoming.  ViruScan identifies the virus as the
AIDS Virus.  Thanks to Keith Peterson for his quick identification of
the virus and for his timely response.
Alan
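
The size behaviour reported in the two posts above, turned into a baseline comparison for executables. This is an added example, not part of the original posts and not code from the CVIA or ViruScan. It assumes a size-and-hash manifest taken before infection, reads "under 10K" as 10240 bytes, and uses hypothetical function names and constructed sample data. The hash comparison covers the internal-infection case, where size alone shows nothing.

```python
import hashlib

RAP_GROWTH = 2500            # growth of COM/EXE files, first post
AIDS_FIXED_SIZE = 13952      # size small COM files change to, second post
SMALL_COM_LIMIT = 10 * 1024  # "under 10K" read as 10240 bytes (assumption)

def manifest(files):
    """Map name -> (size, SHA-256) for a dict of name -> file bytes."""
    return {n: (len(d), hashlib.sha256(d).hexdigest()) for n, d in files.items()}

def classify(name, old, new):
    """Compare one baseline entry with the current one; None means unchanged."""
    ext = name.rsplit(".", 1)[-1].upper()
    if ext not in ("COM", "EXE") or old == new:
        return None
    (old_size, _), (new_size, _) = old, new
    if new_size - old_size == RAP_GROWTH:
        return "grew by exactly 2500 bytes"
    if ext == "COM" and old_size < SMALL_COM_LIMIT and new_size == AIDS_FIXED_SIZE:
        return "small COM file now 13952 bytes"
    if new_size == old_size:
        return "content changed, size unchanged"
    return "modified"

def audit(baseline, current):
    """Return {name: finding} for executables present in both manifests."""
    findings = {}
    for name, old in baseline.items():
        if name in current:
            result = classify(name, old, current[name])
            if result:
                findings[name] = result
    return findings

def demo():
    # Constructed sample data: byte strings standing in for files on disk.
    before = {"EDIT.EXE": b"A" * 40000, "TOOL.COM": b"B" * 3000,
              "BIG.COM": b"C" * 20000, "NOTES.TXT": b"D" * 100}
    after = {"EDIT.EXE": b"A" * 40000 + b"X" * 2500,   # +2500 bytes
             "TOOL.COM": b"Y" * 13952,                 # small COM, new fixed size
             "BIG.COM": b"C" * 19000 + b"Z" * 1000,    # same size, new content
             "NOTES.TXT": b"E" * 100}                  # not an executable, skipped
    return audit(manifest(before), manifest(after))

if __name__ == "__main__":
    for name, finding in sorted(demo().items()):
        print(f"{name}: {finding}")
```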