[449] in Public-Access_Computer_Systems_Forum


Virus Warning

daemon@ATHENA.MIT.EDU (LBA002@PRIME-A.TEES-POLY.AC.UK)
Tue Jun 9 10:28:33 1992

Date:         Tue, 9 Jun 1992 09:22:33 CDT
Reply-To: Public-Access Computer Systems Forum <PACS-L%UHUPVM1.BITNET@RICEVM1.RICE.EDU>
From: LBA002@PRIME-A.TEES-POLY.AC.UK
To: Multiple recipients of list PACS-L <PACS-L%UHUPVM1.BITNET@RICEVM1.RICE.EDU>

----------------------------Original message----------------------------
Here's a warning of a new PC virus from the VALERT-L list.
*********************************************************
From: ISOCEPT (REMOTE-MAIL-SERVER) on ANODE sent: 92-06-05.23:41:40.Fri


Mail from:  JNT-Mail on 05/06/92 at 19:38:31
Via: UK.AC.NSFNET-RELAY ; Fri, 05 Jun 92 19:38:27 BST
Received: from IBM1.CC.Lehigh.EDU by sun3.nsfnet-relay.ac.uk with Internet SMTP
          id <sg.12118-0@sun3.nsfnet-relay.ac.uk>;
          Fri, 5 Jun 1992 19:32:40 +0100
Received: from LEHIIBM1.BITNET by IBM1.CC.Lehigh.EDU (IBM VM SMTP R1.2.2MX)
          with BSMTP id 2207; Fri, 05 Jun 92 14:30:36 EDT
Received: from LEHIIBM1.BITNET by LEHIIBM1.BITNET (Mailer R2.08) with BSMTP
          id 6591; Fri, 05 Jun 92 14:30:31 EDT
Date: Fri, 5 Jun 1992 14:24:58 EDT
Original-Sender: Virus Alert List <VALERT-L@BITNET.LEHIIBM1>
From: Vedat Gunay <vgunay@edu.peachnet.wga.sun>
Subject: Virus Discovery (PC)
Comments: To: valert-l@ibm1.cc.lehigh.edu
To: Multiple recipients of list VALERT-L <VALERT-L@BITNET.LEHIIBM1>
Sender: VALERT-L@EDU.Lehigh.CC.IBM1

Unknown MS-DOS Based Virus found on the West Georgia College Campus

The virus infects COM and EXE files.

It is not detected by:

        McAfee Scan v8.3B86
        F-Prot v2.03A Quick Scan or Secure Scan
        Virusafe 2.43

It is detected by:

        F-Prot v2.03A Heuristic Scan which reports

                "This program seems to contain a memory-resident virus,
                 which infects other programs when they are executed."

Infected files have larger file sizes.  The problem was first detected when
certain applications no longer ran. Windows 3.0 dies with a memory protection
error before the program finishes loading.  Once the virus is in memory it
attaches itself to any programs that are executed.  Most programs, however,
still run correctly after the virus has attached itself.

The F-Prot scan of memory does not initially detect the virus if it is
already resident, but during a heuristic scan the following message may
appear:
                "Alert!  An active "stealth" virus has been found in
                 memory.  You should reboot the computer from a "clean"
                 system diskette."

It has either lain dormant on our campus and just activated itself (which I
do not believe is the case), or it spreads very fast!  If users have write
permission on fileservers in locations where EXE and COM files exist, the
virus can spread through the network.

At the moment we are deleting any files that are suspect and replacing them
with clean copies.  We still do not have a name, or any way to disinfect.

Any information regarding what we might have, and how we can get rid of it
would be greatly appreciated.
---------------------------------------------------------------------------
Scott W. Hughes
shughes@sun.wga.peachnet.edu
West Georgia College
Computer Center
(404) 836-6604
-----------------------------------------------------------------------------
Iain Noble                                   |
LBA002@tees.ac.uk                            |  Post:  Main Site Library,
JANET: LBA002@uk.ac.tees                     |         Teesside Polytechnic,
EARN/BITNET: LBA002%tees.ac.uk@UKACRL        |         Middlesbrough
INTERNET: LBA002%tees.ac.uk@cunyvm.cuny.edu  |         Cleveland, TS1 3BA, UK
UUCP: LBA002%tees.ac.uk@ukcnet.uucp          |  Phone: +44 642 342121
-----------------------------------------------------------------------------
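
The report above notes that infected COM and EXE files grow in size and that suspect files are being replaced with clean copies. The following is an added example, not part of the original message: a sketch that compares a suspect directory tree against a known-clean copy and lists the COM/EXE files that grew, changed, appeared or went missing. The function names, directory layout and sample files are assumptions constructed for illustration; in line with the F-Prot alert quoted above, such a comparison belongs on a machine booted from a clean system diskette.

```python
import hashlib
import os
import tempfile

EXECUTABLE_EXTS = {".com", ".exe"}  # file types the report says are infected

def snapshot(root):
    """Map relative path -> (size, sha256) for each COM/EXE file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    data = fh.read()
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                manifest[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return manifest

def compare(baseline, current):
    """Return sorted (path, status, size_delta) for files that differ from baseline."""
    findings = []
    for rel, (size, digest) in current.items():
        if rel not in baseline:
            findings.append((rel, "new", size))
        elif digest != baseline[rel][1]:
            old_size = baseline[rel][0]
            status = "grew" if size > old_size else "modified"
            findings.append((rel, status, size - old_size))
    for rel in baseline.keys() - current.keys():
        findings.append((rel, "missing", -baseline[rel][0]))
    return sorted(findings)

def demo():
    """Constructed sample: clean tree vs. a copy whose EXE has 1024 bytes appended."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = os.path.join(tmp, "clean"), os.path.join(tmp, "suspect")
        for root, extra in ((clean, b""), (suspect, b"X" * 1024)):
            os.makedirs(os.path.join(root, "DOS"))
            files = {"DOS/EDIT.EXE": b"MZ" + bytes(200) + extra,
                     "DOS/FORMAT.COM": bytes(300),
                     "README.TXT": b"notes" + extra}  # not COM/EXE, so ignored
            for rel, data in files.items():
                with open(os.path.join(root, rel), "wb") as fh:
                    fh.write(data)
        return compare(snapshot(clean), snapshot(suspect))

if __name__ == "__main__":
    print(demo())
```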
