[comp.virus] Traceback virus

davidf@CS.HW.AC.UK (David.J.Ferbrache) (06/30/89)

There has been a new virus for the IBM PC detected in the UK; this
virus is known as the Traceback virus. The following description is
from material supplied by the British Computer Virus Research Centre.

                     Traceback

Category: Memory resident, Non-overwriting .COM/.EXE infector

Characteristic file extension: 3066 bytes

Description:

When an infected binary is executed, the virus installs itself in memory;
thereafter any program executed will be infected by the virus. This is the
indirect infection mode.

Additionally each time the virus is executed, if the date is after 5th Dec
1988, it will infect one .com or .exe file in the current directory, failing
which it will search the entire directory structure commencing at the root for
a candidate. The search process will terminate if an infected file is
encountered prior to infection taking place.

The name Traceback derives from the fact that each infected copy of the
virus contains the directory path of the file causing the infection. It is
thus possible to trace an infection back through a number of files.

Symptoms:

If the date is after the 28th Dec 1988 the virus will produce a screen
display similar to the Cascade virus (i.e. letters will detach from their
position on the screen and fall downwards until striking another letter).
This display occurs one hour after infection. During the display sequence
any keystrokes will cause a system lockup. Following the character descent
the user may restore each character to its original position. Each time
the user types a keystroke one character will be restored to its
original position (depressions of the same key twice are ignored). The
screen display will nevertheless restore itself after 1 minute. The
cascade and restore are repeated at one hour intervals.


-------------------------------------------------------------------------------
Dave Ferbrache                            Internet   <davidf@cs.hw.ac.uk>
Dept of computer science                  Janet      <davidf@uk.ac.hw.cs>
Heriot-Watt University                    UUCP       ..!mcvax!hwcs!davidf
79 Grassmarket                            Telephone  +44 31-225-6465 ext 553
Edinburgh, United Kingdom                 Facsimile  +44 31-220-4277
EH1 2HJ                                   BIX/CIX    dferbrache
-------------------------------------------------------------------------------
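
The trace-back property described above can be used during clean-up to find where an infection entered a machine. The following is an added example, not part of the original post or the BCVRC material: it assumes a scanner has already produced, for each infected file, the source path recorded in it (how that path is read out of a file is not covered by the post), and all paths shown are constructed sample data.

```python
# Added example: rebuild infection chains from (infected file -> recorded
# source path) pairs. The pairs in SAMPLE are constructed, not real findings.
from typing import Dict, List, Optional


def norm(path: str) -> str:
    """DOS paths are case-insensitive: normalise separators and case."""
    return path.replace("/", "\\").strip().upper()


def trace_back(infected: Dict[str, Optional[str]], start: str) -> List[str]:
    """Follow recorded source paths from `start` to the earliest known carrier.

    The walk ends when the source is unknown (None), is not among the
    scanned files (e.g. it lived on removable media), or a loop is found.
    """
    table = {norm(k): (norm(v) if v else None) for k, v in infected.items()}
    chain: List[str] = []
    seen = set()
    cur: Optional[str] = norm(start)
    while cur is not None and cur not in seen:
        chain.append(cur)
        seen.add(cur)
        if cur not in table:
            break  # source lies outside the scanned set: end of the trail
        cur = table[cur]
    return chain


def origins(infected: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Group infected files by the earliest carrier their trail leads to."""
    groups: Dict[str, List[str]] = {}
    for f in infected:
        root = trace_back(infected, f)[-1]
        groups.setdefault(root, []).append(norm(f))
    return {root: sorted(files) for root, files in groups.items()}


# Constructed sample: four infected files on C:, trail leading to a floppy.
SAMPLE = {
    r"C:\DOS\FORMAT.COM": r"C:\UTIL\EDIT.EXE",
    r"C:\UTIL\EDIT.EXE": r"c:\games\chess.exe",
    r"C:\GAMES\CHESS.EXE": r"A:\CHESS.EXE",
    r"C:\WP\WP.EXE": r"C:\GAMES\CHESS.EXE",
}

if __name__ == "__main__":
    for root, files in origins(SAMPLE).items():
        print(root, "->", files)
```

A trail that ends at a path outside the scanned set points at media or a directory that still needs to be examined.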