odawa@lll-winken.llnl.gov (Michael Odawa) (06/24/89)
My colleague Derrick Shadel asked if I would post this note:

-----

I would like to add some information to the excellent analysis Y. Radai reported regarding the Israeli virus and its effect on WordPerfect 4.2.

We would first like to concur that this is really a strain of the Israeli virus which infects many other programs besides WordPerfect. Thus the term "WordPerfect Virus" would not be an appropriate appellation for this agent, and indeed would only add to the confusion. Since that name also unfairly characterizes our product, we would appreciate it not being used. Thank you.

Second, we have obtained a copy of the virus through the good offices of Lance Nakata of Stanford University, and can confirm Radai's description of how the infector interacts with our product.

When the Israeli virus infects an .EXE file, it reads the length field of the header. WP 4.2, like a large class of similar programs, has some additional information appended to the "normal" .EXE data. This information includes the overlays and some text messages used during the operation of the program. This is why the .EXE length was not increased and why the virus was inserted into the middle of the program. It was actually added to the end of the normal part of the EXE and overwrote a portion of the overlays that are appended.

When WP 4.2 starts up it searches for the .EXE so it can open and use the overlays and text messages that are part of that file. In the process of infecting the .EXE, data areas were changed that WP 4.2 uses to determine if the correct .EXE was found (we do this because it might be someone's old WP 4.1 .EXE that was found). This results in the error message about WP.EXE not being found.

I hope this helps you to better understand why WP 4.2 reacts differently when it is infected with the Israeli virus.

With WP 5.0 the overlays and text messages are kept in a separate file called WP.FIL. Since the .FIL and .EXE are separate, the floppy with the .EXE can be write protected without adversely affecting the way WordPerfect runs.

I hope this information is helpful to those who have investigated this problem. We appreciate your work, and hope that together we can find a way to free ourselves of these malicious and destructive viruses.

Derrick Shadel
WordPerfect Corp.

-----
forwarded by:
Michael Odawa
Software Development Council
odawa@well.uucp
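
Added example, not part of the original post and not WordPerfect's code: an integrity check for the situation described above, where data appended after the header-declared end of an .EXE is overwritten while the file length stays the same. The function names and the sample bytes are constructed for illustration; only the MZ header length fields (bytes in last page, page count) are real format details.

```python
import hashlib
import struct

PAGE = 512  # the MZ header counts the load image in 512-byte pages


def mz_image_size(data: bytes) -> int:
    """Length of the load image as declared by the MZ header fields."""
    if len(data) < 6 or data[:2] != b"MZ":
        raise ValueError("not a DOS MZ executable")
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)  # bytes in last page, page count
    if e_cp == 0 or e_cblp >= PAGE:
        raise ValueError("implausible MZ length fields")
    # e_cblp == 0 means the last page is completely used.
    return e_cp * PAGE if e_cblp == 0 else (e_cp - 1) * PAGE + e_cblp


def baseline(data: bytes) -> dict:
    """Record what to compare against later, taken from a known-clean copy."""
    declared = mz_image_size(data)
    return {"declared": declared, "file_size": len(data),
            "overlay_sha256": hashlib.sha256(data[declared:]).hexdigest()}


def compare(base: dict, data: bytes) -> dict:
    """Compare a current copy with the baseline; the overlay is hashed from
    the baseline's offset so a rewritten header cannot hide the change."""
    tail = data[base["declared"]:]
    return {"size_changed": len(data) != base["file_size"],
            "header_length_changed": mz_image_size(data) != base["declared"],
            "overlay_changed": hashlib.sha256(tail).hexdigest() != base["overlay_sha256"]}


def make_sample(image_len: int, overlay: bytes) -> bytes:
    """Constructed test input: MZ length fields, zero padding, then overlay."""
    header = b"MZ" + struct.pack("<HH", image_len % PAGE, -(-image_len // PAGE))
    return header.ljust(image_len, b"\0") + overlay


# Constructed samples: a 1000-byte image followed by 600 bytes of overlay, and
# a same-length copy whose first 200 overlay bytes were overwritten in place.
CLEAN = make_sample(1000, b"OVERLAY!" * 75)
ALTERED = CLEAN[:1000] + b"\xcc" * 200 + CLEAN[1200:]

if __name__ == "__main__":
    base = baseline(CLEAN)
    print(base["declared"], base["file_size"] - base["declared"])
    print(compare(base, ALTERED))
```

A check that looks only at file size passes the altered sample; hashing the region past the declared image end is what shows the damage.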