[198] in Public-Access_Computer_Systems_Forum
Virus Warning
daemon@ATHENA.MIT.EDU (LBA002%PRIME-A.TEES-POLY.AC.UK@RIC)
Fri May 8 09:14:31 1992
Date: Fri, 8 May 1992 08:11:51 CDT
Reply-To: Public-Access Computer Systems Forum <PACS-L%UHUPVM1.BITNET@RICEVM1.RICE.EDU>
From: LBA002%PRIME-A.TEES-POLY.AC.UK@RICEVM1.RICE.EDU
To: Multiple recipients of list PACS-L <PACS-L@UHUPVM1.BITNET>
----------------------------Original message----------------------------
******************************************************************
Here's a recent warning of a new virus folks - take care!
******************************************************************
Date: Mon, 4 May 1992 10:55:40 EDT
Original-Sender: Virus Alert List <VALERT-L@BITNET.LEHIIBM1>
From: WVANDERC@BITNET.BENTLEY
Subject: New Virus (PC)
Comments: To: valert-l@ibm1.cc.lehigh.edu
To: Multiple recipients of list VALERT-L <VALERT-L@BITNET.LEHIIBM1>
Sender: VALERT-L@EDU.Lehigh.CC.IBM1
VIRUS ALERT
I have found what I believe to be a new virus, new in that 7 major
anti-virus packages including a Beta copy of McAfee's version 90 could
not find or identify the virus. F-PROT found it using the Heuristic
scan but could not identify it.

The virus is a file infector and infects both .COM and .EXE files. It
does not seem to affect .SYS or overlay files. File size shows a 1K
increase when infected but the time and date stamps do not change.

The international company that called me in to remove the infection
first realized they had a problem when WINDOWS would not load. The
virus spread through their 150 node network within 36 hours, mostly
due to someone with supervisor privileges scanning with the virus in
memory. We could not identify the source of the virus but the
stations first affected do extensive file transfers via modem with
multiple European sites.

We identified the following as a valid search string for the new virus:

5A 5B 07 1F C3 1E 52 2E

Unfortunately the virus obtained the name "JOES DEMISE". We have not
yet disassembled the virus so that the trigger and action are not yet
known. Copies have been shipped off to both Fridrik Skulason and to
McAfee for analysis. Because it sometimes damages .EXE files when it
infects them, the first indication of infection is .EXE files that
suddenly won't run. I'll post more information as it becomes
available.

Bill VanderClock
WVANDERC@BENTLEY
-----------------------------------------------------------------------------
Iain Noble |
LBA002@tees.ac.uk | Post: Main Site Library,
JANET: LBA002@uk.ac.tees | Teesside Polytechnic,
EARN/BITNET: LBA002%tees.ac.uk@UKACRL | Middlesbrough
INTERNET: LBA002%tees.ac.uk@cunyvm.cuny.edu | Cleveland, TS1 3BA, UK
UUCP: LBA002%tees.ac.uk@ukcnet.uucp | Phone: +44 642 342121
-----------------------------------------------------------------------------
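
The search string quoted in the alert can be checked for with a short byte-pattern scan. The following is an added example, not part of the original posting or of any anti-virus product; the function names and the sample files are assumptions made for illustration. It reads each .COM/.EXE file in chunks and carries over the last few bytes so a match split across two reads is still found.

```python
import os
import tempfile

# Search string quoted in the alert; everything else here is illustrative.
SIGNATURE = bytes.fromhex("5A 5B 07 1F C3 1E 52 2E")
TARGET_EXTENSIONS = (".com", ".exe")  # file types the alert reports as infected

def find_signature(path, signature=SIGNATURE, chunk_size=64 * 1024):
    """Return the file offset of the first match, or -1 if absent."""
    overlap = len(signature) - 1
    tail, base = b"", 0  # base = file offset of window[0]
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            window = tail + chunk
            hit = window.find(signature)
            if hit != -1:
                return base + hit
            # Keep the last len(signature)-1 bytes for the next read.
            tail = window[-overlap:] if overlap else b""
            base += len(window) - len(tail)
    return -1

def scan_tree(root):
    """Return sorted (relative path, offset) pairs for matching .COM/.EXE files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(TARGET_EXTENSIONS):
                path = os.path.join(dirpath, name)
                offset = find_signature(path)
                if offset != -1:
                    hits.append((os.path.relpath(path, root), offset))
    return sorted(hits)

def demo():
    """Scan a constructed directory: filler bytes only, no virus code."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "CLEAN.EXE": b"MZ" + b"\x90" * 300,
            "MARKED.COM": b"\x90" * 100 + SIGNATURE + b"\x90" * 20,
            "NOTES.TXT": SIGNATURE,  # skipped: not a .COM/.EXE file
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_tree(root)
```

A hit only means the eight bytes are present in the file; the alert notes that the virus had not yet been disassembled, so a match is a reason to examine the file, not an identification.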