VIRUS-L Digest Monday, 21 Aug 1989 Volume 2 : Issue 178 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Basic Virus Questions (PC) NEW VIRUS DICOVERED AND DISASSEMBLED Fixing Disinfectors/Virus Finders --------------------------------------------------------------------------- Date: 18 Aug 89 10:52:00 -0400 From: "Andrew R. D'Uva" Subject: Basic Virus Questions (PC) After hearing quite a bit about viruses, particularly the Internet 'Worm' of November, 1988, I have a few questions concerning prevention of virus infiltration on IBM PCs/clones using MS-DOS 3.3x or 4.01. 1) Is the possibility of virus infection limited to executable programs (.com or .exe extensions)? Or can an operating system be infected from reading a document file or graphic image? 2) Are there generic "symptoms" to watch for which would indicate a virus? 3) Any suggestions on guidelines for handling system archiving procedures so that an infected system can be "cleaned up"? Thanks for the help. Andrew D'Uva Jnet---> ADUVA@GUVAX Internet---> ADUVA@GUVAX.GEORGETOWN.EDU ------------------------------ Date: Fri, 18 Aug 89 19:07:11 -0500 From: Christoph Fischer Subject: NEW VIRUS DICOVERED AND DISASSEMBLED We just finished to disassemble a new virus, it was sent to us by the university of Cologne. We haven't found any clue that this virus showed up before. Here are the facts we found: 0. It works on PC/MS-DOS ver. 2.0 or higher 1. It infects COM files increasing them by 1206 to 1221 bytes (placing the viruscode on a pragraph start) 2. It infects EXE files in two passes: After the first pass the EXE file is 132 bytes longer; after the second pass its size increased by an aditional 1206 to 1221 bytes (see 1.) 3. The virus installs a TSR in memory wich will infect executable files upon loading them (INT 21 subfunction 4B00) using 8208 bytes of memory 4. The only "function" we found, was an audible alarm(BELL character) whenever another file was successfully infected. 5. It infects COM files that are bigger than 04B6h bytes and smaller than F593h bytes and start with a JMP (E9h) 6. It infects EXE files if they are smaller than FDB3 bytes (no lower limit) 7. It opens a file named "VACSINA. " without checking the return value. At the end it closes this file without ever touching it. The facts 4 and 7 make us belive it is a "Beta-Test" virus that might have escaped prematurely by accident. The word VACSINA is really odd beause of its spelling. All languages I checked (12) spell it VACC... only Norwegians write VAKSINE. Has anybod an idea? We produced an desinfectant and a guardian. The PC room at Cologne (28 PCs) was also infected by DOS62 (Vienna)| We call the virus VACSINA because of the unique filename it uses| Chris & Tobi & Rainer ***************************************************************** * TORSTEN BOERSTLER AND CHRISTOPH FISCHER AND RAINER STOBER * * Micro-BIT Virus Team / University of Karlsruhe / West-Germany * * D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067 * * E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET * ***************************************************************** ------------------------------ Date: Fri, 18 Aug 00 19:89:35 +0000 From: utoday!greenber@uunet.UU.NET (Ross M. Greenberg) Subject: Fixing Disinfectors/Virus Finders To Mr. McAfee: (Hi John!) Simply do what I do: encrypt the string you're looking for yourself, then decrypt it when you first run the program. Works like a champ here.... Sheesh! Do i have to tell my competition everything? :-) Ross ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253