[comp.virus] PLO virus

pfafman@marlin.nosc.mil (David F. Pfafman) (07/18/89)

In my travels I ran across several systems which were infected quite
heavily with a virus that flushot 1.6 identified as the PLO virus (aka
the Jerusalem or Israeli virus).  It appeared that the infected files
grew by about 1.8K each time they were infected.  Some files had been
infected 40 or more times.  It did not appear that the virus infected
either the command.com or the two system files; however, it did attack
any other executable .com or .exe file.  I also noticed that the virus
seems to go TSR and conflicts a small section of video memory on highly
infected machines.  Using PC Tools I was able to search for the
ASCII string "sumsdos" which seems to be in all of the infections.

The suggested solution for right now was to boot the system off of a
write-protected floppy disk, then delete all of the files that the
infection was found in.  Just as an added precaution, when the infected
files had all been erased, the hard drive was optimized, which would
overwrite any sections of the disk where any of the deleted files had
resided.  With any luck this will inhibit the recurrence of the virus.

Does anyone out there have any experience dealing with the PLO virus?
As always with the unknown, I'm a little concerned that I might have
missed something.  Has anyone taken the time to un-assemble the PLO
virus to determine exactly what it does?  I would also like to know what
other people have used as a prescribed procedure for dealing with this
virus and if there is a program out there that will cut out the infected
code.

Dave Pfafman (Computer Resource Center NOSC)

Responses can be addressed to pfafman@nosc.mil

Thank you in advance for taking the time to respond.
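
The string search described in the post, as an added example that is not part of the original message: a Python sketch that walks a directory tree and reports every .com/.exe file containing the "sumsdos" string, with the number of copies found. Assumptions: the match is case-insensitive (the post does not give the casing inside the files), the copy count is only a rough hint of repeat infection, and the sample file names and contents are constructed.

```python
import os
import tempfile

MARKER = b"sumsdos"              # ASCII string reported in the post
TARGET_EXTS = (".com", ".exe")   # file types the post says were attacked

def count_marker(data: bytes) -> int:
    """Case-insensitive count of the marker string in a file image."""
    return data.lower().count(MARKER)

def scan_tree(root: str) -> dict:
    """Return {path: marker_count} for .com/.exe files holding the marker."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(TARGET_EXTS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:   # whole-file read: no chunk-boundary misses
                    found = count_marker(fh.read())
            except OSError:
                continue                       # unreadable file: skip, keep scanning
            if found:
                hits[path] = found
    return hits

def build_sample_tree(root: str) -> None:
    """Write constructed sample files (not real infected binaries)."""
    samples = {
        "CLEAN.COM": b"\x90" * 64,
        "ONCE.COM": b"\xe9\x00\x00" + b"sUMsDos" + b"\x00" * 32,
        "MANY.EXE": b"MZ" + (b"\x00" * 16 + b"SUMSDOS") * 3,
        "NOTES.TXT": b"mentions sumsdos but is not an executable",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

def demo() -> dict:
    """Scan the constructed tree; keys are file names, values are counts."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {os.path.basename(p): n for p, n in scan_tree(root).items()}

if __name__ == "__main__":
    for name, copies in sorted(demo().items()):
        print(f"{name}: marker found {copies} time(s)")
```

A hit is an indicator for follow-up, not proof of infection: any executable that happens to contain the string, such as a scanner that embeds it as a signature, will also match.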