LBA002%PRIME-A.TEES-POLY.AC.UK@ibm1.cc.lehigh.edu (06/22/89)
A new virus?

The first issue of Virus Bulletin (a newsletter specialising in viruses) announces Fu Manchu. This new virus is said to insert obscene comments into printed documents after the keying of 4 names:- Botha, Reagan, Waldheim & Thatcher.

Any sightings (or suggestions for new names, or the text of the obscene comments?)

Rgds,
Iain Noble

PS

I've discovered that GateKeeper won't work on our ancient 128/512k Macs to stop reinfection with the dose of nVirB we have going around. Am I right? If I am, any helpful suggestions?

davidf%CS.HW.AC.UK@ibm1.cc.lehigh.edu (David.J.Ferbrache) (06/22/89)
Please find enclosed a brief description of the Fu Manchu virus:

Fu Manchu
Parasitic virus - resident

Type description: The virus occurs attached to the beginning of a COM file, or the end of an EXE file. It is a rewritten version of the Jerusalem virus, and most of what is said for that virus applies here with the following changes:

a. The code to delete programs, slow down the machine, and display the black 'window' has been removed, as has the dead area at the end of the virus and some sections of unused code.

b. The marker is now 'rEMHOr' (six bytes), and the preceding 'sU' is now 'sAX' (Sax Rohmer - creator of Fu Manchu).

c. COM files now increase in length by 2086 bytes & EXE files 2080 bytes. EXE files are now only infected once.

d. One in sixteen times on infection a timer is installed which runs for a random number of half-hours (maximum 7.5 hours). At the end of this time the message 'The world will hear from me again!' is displayed in the centre of the screen and the machine reboots. This message is also displayed every time Ctrl-Alt-Del is pressed on an infected machine, but the virus does not survive the reboot.

e. There is further code which activates on or after the first of August 1989. This monitors the keyboard buffer, and makes derogatory additions to the names of politicians (Thatcher, Reagan, Botha & Waldheim), censors out two four-letter words, and to 'Fu Manchu ' adds 'virus 3/10/88 - latest in the new fun line!' All these additions go into the keyboard buffer, so their effect is not restricted to the VDU. All messages are encrypted.

> PS
>
> I've discovered that GateKeeper won't work on our ancient 128/512k Macs
> to stop reinfection with the dose of nVirB we have going around. Am I right?
> If I am any helpful suggestions?

Hmm, the documentation for GateKeeper says that it should operate on Macs with 128K ROM or better, including Mac 512Ke, Plus, SE, II etc. If this does not apply to your Macs then I suspect that Vaccine is the only alternative (or possibly one of the watch INITs if you only require notice of possible infection without the comprehensive error checking applied to resource writes by Vaccine).

Sorry I can't be of more help

- ------------------------------------------------------------------------------
Dave Ferbrache                 Internet  <davidf@cs.hw.ac.uk>
Dept of computer science       Janet     <davidf@uk.ac.hw.cs>
Heriot-Watt University         UUCP      ..!mcvax!hwcs!davidf
79 Grassmarket                 Telephone +44 31-225-6465 ext 553
Edinburgh, United Kingdom      Facsimile +44 31-220-4277
EH1 2HJ                        BIX/CIX   dferbrache
- ------------------------------------------------------------------------------

rdavis@AI.MIT.EDU (Russell K. Davis) (07/02/89)
This virus was found by Joe Hurst in the United Kingdom and he should have finished disassembling it by now (but I have not spoken to him for a while).