LBA002%PRIME-A.TEES-POLY.AC.UK@ibm1.cc.lehigh.edu (06/22/89)
A new virus? The first issue of Virus Bulletin (a newsletter specialising in viruses) announces Fu Manchu. This new virus is said to insert obscene comments into printed documents after the keying of 4 names:- Botha, Reagan, Waldheim & Thatcher. Any sitings (or suggestions for new names, or the text of the obscene comments?) Rgds, Iain Noble PS I've discovered that GateKeeper won't work on our ancient 128/512k Macs to stop reinfection with the dose of nVirB we have going around. Am I right? If I am any helpful suggestions?
davidf%CS.HW.AC.UK@ibm1.cc.lehigh.edu (David.J.Ferbrache) (06/22/89)
Please find enclosed a brief description of the Fu Manchu virus:
Fu Manchu
Parasitic virus - resident
Type description:
The virus occurs attached to the beginning of a COM file, or the end of
an EXE file. It is a rewritten version of the Jerusalem virus, and
most of what is said for that virus applies here with the following
changes:
a. The code to delete programs, slow down the machine, and display
the black 'window' has been removed, as has the dead area at
the end of the virus and some sections of unused code.
b. The marker is now 'rEMHOr' (six bytes), and the preceeding 'sU'
is now 'sAX' (Sax Rohmer - creator of Fu Manchu).
c. COM files now increase in length by 2086 bytes & EXE files 2080
bytes. EXE files are now only infected once.
d. One in sixteen times on infection a timer is installed which
runs for a random number of half-hours (maximum 7.5 hours). At
the end of this time the message 'The world will hear from me
again!' is displayed in the centre of the screen and the
machine reboots. This message is also displayed every time
Ctrl-Alt-Del is pressed on an infected machine, but the virus
does not survive the reboot.
e. There is further code which activates on or after the first of
August 1989. This monitors the keyboard buffer, and makes
derogatory additions to the names of politicians (Thatcher,
Reagan, Botha & Waldheim), censors out two four-letter words,
and to 'Fu Manchu ' adds 'virus 3/10/88 - latest in the new fun
line!' All these additions go into the keyboard buffer, so
their effect is not restricted to the VDU. All messages are
encryted.
> PS
>
> I've discovered that GateKeeper won't work on our ancient 128/512k Macs
> to stop reinfection with the dose of nVirB we have going around. Am I right?
> If I am any helpful suggestions?
Hmm, the documentation for gatekeeper says that it should operate on
Mac with 128K Rom or better, including Mac 512Ke, Plus, SE, II etc. If this
does not apply to your Macs then I suspect that vaccine is the only
alternative (or possibly one of the watch inits if you only require
notice of possible infection without the comprehensive error checking applied
to resource writes by vaccine).
Sorry I can't be of more help
- ------------------------------------------------------------------------------
Dave Ferbrache Internet <davidf@cs.hw.ac.uk>
Dept of computer science Janet <davidf@uk.ac.hw.cs>
Heriot-Watt University UUCP ..!mcvax!hwcs!davidf
79 Grassmarket Telephone +44 31-225-6465 ext 553
Edinburgh, United Kingdom Facsimile +44 31-220-4277
EH1 2HJ BIX/CIX dferbrache
- ------------------------------------------------------------------------------rdavis@AI.MIT.EDU (Russell K. Davis) (07/02/89)
This virus was found by Joe Hurst in the united Kingdom and he shoukld have finished disassembling it by now (but I have not spoken to him for a while)