From lehigh.edu!virus-l Tue Jul 28 16:07:57 1992
Date: Tue, 28 Jul 1992 15:39:12 -0400
Message-Id: <9207281750.AA19608@barnabas.cert.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@cert.org
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
To: Multiple recipients of list
Subject: VIRUS-L Digest V5 #133
Status: R

VIRUS-L Digest   Tuesday, 28 Jul 1992    Volume 5 : Issue 133

Today's Topics:

    Strange Identification with SCAN91 (PC)
    Best VirusDetection Software for the PC??? (PC)
    Re: Bugsres-2 (PC)
    Re: Virus discovered in file from WUARCHIVE.WUSTL.EDU (PC)
    Virus Question re printer, floppy problems (PC)
    Re: WARNING - Virus Creation Laboratory (PC)
    Common misconception (was: Re: VET as good as Viruscan? (PC))
    Stoned and Michaelangelo (PC)
    Re: Virus discovered in file from WUARCHIVE.WUSTL.EDU (PC)
    Re: Scream information? (PC)
    Re: Virus discovered in file from WUARCHIVE.WUSTL.EDU (PC)
    Re: F-PROT, Telecom, false positive ?? (PC)
    Re: GIF viewer crashes system (was Re: an amazing problem...) (PC)
    Info on Intel's NLM? (PC)
    Re: VET as good as Viruscan? (PC)
    Re: McAfee GENP/GENY identification (PC)
    Re: How do I reverse the effect(s) of Stoned ? (PC)
    UK Computer Crime Unit
    Computer Virus Catalog update
    Jerusalem virus part 2 (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information
on accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.
A FAQ (Frequently Asked Questions) document and all of the back-issues
are available by anonymous FTP on cert.org (192.88.209.5).
Administrative mail (comments, suggestions, and so forth) should be
sent to me at: .

Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 24 Jul 92 07:27:23 +0000
From: g89r4255@hippo.ru.ac.za (Lt Sajid Rahim)
Subject: Strange Identification with SCAN91 (PC)

I find it very strange to see that SCAN identifies Saturday the 14th
virus as Armagedom. Having disassembled the code for both viruses, I
find no particular relationship between the two. Anybody care to
comment?

Sincerely
Sajid
---------------------------------------------------------------------
-- Sajid Rahim, Dept of Computer Science, Rhodes University,       --
-- Grahamstown, South Africa. Internet : g89r4255@hippo.ru.ac.za   --
---------------------------------------------------------------------

------------------------------

Date: Sat, 25 Jul 92 07:30:12 +0000
From: seldon@milton.u.washington.edu (Hari Seldon)
Subject: Best VirusDetection Software for the PC??? (PC)

I am new to this group, and I get kinda paranoid after reading all the
potentias of programs, not being able to detect.. I have the latest
version of McAfee s3t apparently it isn't very good. Does anybody have
any suggestions, on which, orn of programs would be the best?? And if
possible, list FTP sites where I can ac clean versions of these
programs?? I haven't really had a problem, yet. I donh outside
contact, except the downloaded files, from ftp sites, and the
occasetinn board..

Thanx for any advice...

Seldon

------------------------------

Date: Mon, 27 Jul 92 17:45:24 -0400
From: "William Walker C60223 x4570"
Subject: Re: Bugsres-2 (PC)

From: Behrend AArea
> Hi. I am a computer operator at Penn State Erie, and I have a
> student's disk that I ran through F-Prot 2.04. It detected a virus
> named BUGSRES-2 JOKE PROGRAM.
> Looking through the Virus information
> section of F-Prot, I could not find a description of this virus.
> F-Prot also did not disinfect it. I was wondering if anyone had an
> idea of this virus, as in what it does, how to disinfect, etc.

BUGRES.COM (or whatever it may have been renamed) is a "Resident
Screen-Eating Utility." It loads TSR, and when activated (the version I
have is activated by ALT-B) a number of character-graphic "bugs" wander
about the screen and "eat" characters in their path, and continue
wandering about the screen until you press a key, which restores the
original screen. It is essentially a cute screen saver.

> Any e-mail responses to opa@psuvm.psu.edu will be greatly appreciated.

I'm sending this to VIRUS-L as well as opa@psuvm.psu.edu, since others
may also be wondering about this.

Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) |  "History is made at night.
OAO Corporation                        |   Character is what you are in
Arnold Engineering Development Center  |   the dark."
M.S. 120                               |         -- Lord John Whorfin,
Arnold Air Force Base, TN 37389-9998   |            "Buckaroo Banzai"

------------------------------

Date: Mon, 27 Jul 92 22:10:54 +0000
From: wlhadley@mwunix.mitre.org (William L. Hadley)
Subject: Re: Virus discovered in file from WUARCHIVE.WUSTL.EDU (PC)

system@SCFE.NWC.NAVY.MIL (System Manager) writes:

>Today I downloaded a file from WUARCHIVE.WUSTL.EDU (one of the
>mirroring ftp sites). Filename is
>/mirrors/garbo.uwasa.fi/screen/grabsc11.zip When I tried to run
>GRABSCRN.COM from this zip file, Norton Antivirus TSR reported that
>the file is infected with Wonder-2 virus. F-PROT did not report a
>virus. I sent mail to the person who maintains garbo.uwasa.fi and
>received an answer that he is out of town till July 27. This means,
>the file will not be tested/removed from garbo until then. Has anyone
>downloaded this file before ? What happened ?

I downloaded this file, but was unable to find any infection in
GRABSCRN.COM or in the .EXE file (RAW2GIF.EXE).
I scanned it with NAV 2.0 and McAfee's SCAN v93. I then downloaded
F-PROT 2.04a and VIRX 2.3 from WUARCHIVE and tried them...still
couldn't find the virus. From the information I have on the Wonder (and
Wonder-2) virus, it only infects .EXE files (that was why I played with
RAW2GIF.EXE). I then tried the two executable files with NAV resident
in memory...it still didn't detect it. Then I looked closely at them
with the Norton Utilities DISKEDIT program. About the only similarity I
can find with these files and the WONDER virus is that they were both
written in Borland C++.

What version of NAV are you running? Do you have any other TSRs loaded?
It could be that GRABSCRN combined with something else you have loaded
in memory may be causing a false alarm.

Hope this helps!

Bill Hadley

PS. I downloaded GRABSC11.ZIP from WUARCHIVE too...so I was playing
with the same file that you downloaded.

--
William L. Hadley            | User Support Center Specialist
The MITRE Corporation        | Internet: wlhadley@mitre.org
7525 Colshire Drive, MS W130 | UUCP: linus!mitre.org!wlhadley
McLean, Virginia 22102-3481  | My opinions! Do you hear? MINE!!!!

------------------------------

Date: Mon, 27 Jul 92 17:00:16 -0700
From: txl@dbs42.elsegundoca.ncr.com ()
Subject: Virus Question re printer, floppy problems (PC)

Is there any virus that can cause an IBM-compatible to be blind to the
printer (it thinks that an online printer is offline) and to the
changing of floppies (showing previous floppy contents after replacing
a floppy with another with different contents). Any comment is
appreciated. Thanks a lot.

-Tuan

------------------------------

Date: Mon, 27 Jul 92 18:23:42 +0100
From: martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences)
Subject: Re: WARNING - Virus Creation Laboratory (PC)

millernw@craft.camp.clarkson.edu (Neal Miller) writes:

>      Oh for crying out loud... Just what we need... A
>Virus-Construction Kit for beginners...
>I hope that McAfee gets their
>hands on this package ASAP, if not sooner. Here's an idea... Could

The package has already been forwarded to Frisk, McAfee, etc. I will
not send it to anyone else, so don't bother asking. :)

>someone conceivably write a virus that will seek out and destroy such
>a V.C.L. based on unique strings within the program? Just an idea...

Technically, yes. Ethically, morally, no. An idea, yes, a good one, no.
A virus designed to destroy other viruses might easily become more of a
problem than the viruses it seeks to destroy. Depending on how one
defines "virus", one might argue a case for "good" viruses, but that
debate doesn't include viruses designed to seek out and destroy one
another. Playing "core wars" in real cyberspace is not a good idea. :)

Tim
-------------------------------------------------------------
Tim Martin                    *
Spatial Information Systems   * These opinions are my own:
University of Alberta         * My employer has none!
martin@cs.ualberta.ca         *
-------------------------------------------------------------

------------------------------

Date: Tue, 28 Jul 92 02:36:31 +0000
From: mcafee@netcom.com (McAfee Associates)
Subject: Common misconception (was: Re: VET as good as Viruscan? (PC))

AMN@vms.brighton.ac.uk (Anthony Naggs) writes:

>Oh, while I am being rude about McAfee, any suggestions as to what
>will happen to Viruscan if the "big one" hits LA?

This is a quite common misconception that I would like to clear up.
McAfee Associates is located in Santa Clara, a city at the southern end
of the San Francisco Bay. We are some 330 miles (530km) north of Los
Angeles, about the distance from London to Luxembourg or Perth to
Rawlinna. Any geologic activity (flooding, earthquakes, giant
radioactive ants from the bowels of the earth, etc.) affecting Los
Angeles is not going to have any physical impact on the northern
portion of California.
In case of an earthquake or other event that leaves us stranded without
power for several days, we do have enough laptops to keep the
programmers working although we will have to shut down our technical
support, customer support, order processing, and other non-essential
(well, lower priority, perhaps) services. Of course, given that our
communication links (fax, telephone, BBS, internet, postal mail) will
be down as way until the restoration of services, these may not have as
much impact as you thought.

Oh, we do also have a network of agents both domestic (inside the U.S.
and Canada) and international, so anyone could contact them for
support, etc., but the home office would be down for a day or two
(during the October, 1990 earthquake, we were "disconnected from the
electronic world" for about 36 hours).

Regards,

Aryeh Goretsky
McAfee Associates Technical Support

--
McAfee Associates         | Voice (408) 988-3832 | mcafee@netcom.com (business)
3350 Scott Blvd, Bldg 14  | FAX   (408) 970-9727 | ObQuote: "Log... from Blammo"
Santa Clara, California   |                      |
95054-3107 USA            | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
ViruScan/CleanUp/VShield  | USR Courier DS 14.4Kb| or GO VIRUSFORUM

------------------------------

Date: 28 Jul 92 06:43:33 +0000
From: schiffman@wilma.wharton.upenn.edu
Subject: Stoned and Michaelangelo (PC)

Hello All,

I had two odd infections occur in my office in the last 2 days. Two
computers both appeared to have Michaelangelo when run through Vi-Spy,
but appeared to have Stoned when run through SCAN. Neither detector
took notice of both. Any idea or similar experience ?

- J. Schiffman
The Wharton School
Univ. of Pennsylvania
Phila., Pa
Schiffman@Wharton.upenn.edu

------------------------------

Date: Tue, 28 Jul 92 04:09:03 -0400
From: G J Scobie
Subject: Re: Virus discovered in file from WUARCHIVE.WUSTL.EDU (PC)

> From: System Manager
>
> Today I downloaded a file from WUARCHIVE.WUSTL.EDU (one of the
> mirroring ftp sites).
> Filename is
> /mirrors/garbo.uwasa.fi/screen/grabsc11.zip When I tried to run
> GRABSCRN.COM from this zip file, Norton Antivirus TSR reported that
> the file is infected with Wonder-2 virus. F-PROT did not report a
> virus. I sent mail to the person who maintains garbo.uwasa.fi and
> received an answer that he is out of town till July 27. This means,
> the file will not be tested/removed from garbo until then. Has anyone
> downloaded this file before ? What happened ?

Hi there,

Just for your info I have downloaded the above file this morning and
F-PROT 2.04 and Bates v3.37 report the unzipped files as being clean.

I received two copies of this digest in my mail this morning - can't
get too much of a good thing I suppose :-)

Cheers

Garry Scobie
EUCS LAN Support
Edinburgh University Computing Service
Scotland

------------------------------

Date: 28 Jul 92 08:43:59 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Scream information? (PC)

ndecour@spartan.ac.BrockU.CA (Nancy DeCourville) writes:

>Any information on a virus called Scream would be appreciated.

I know of one Scream virus - or "Screaming Fist" as it is also called.
There are at least five variants of it, 692, 696, 711 and 838 bytes
long (and one with a variable length). I have not yet written a
disinfector for the 838 byte variant, but I can handle the others.

As for the effects of the virus, I am not sure - I have only analysed
them minimally.

-frisk

------------------------------

Date: 28 Jul 92 09:13:14 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Virus discovered in file from WUARCHIVE.WUSTL.EDU (PC)

system@SCFE.NWC.NAVY.MIL (System Manager) writes:

>Today I downloaded a file from WUARCHIVE.WUSTL.EDU (one of the
>mirroring ftp sites). Filename is
>/mirrors/garbo.uwasa.fi/screen/grabsc11.zip When I tried to run
>GRABSCRN.COM from this zip file, Norton Antivirus TSR reported that
>the file is infected with Wonder-2 virus. F-PROT did not report a
>virus.
Ignore this - it is a false alarm. In fact, ignore everything NAV says
about the Wonder virus. The virus is written in C or Pascal, and it
seems they are just "detecting" a part of the run-time library.

-frisk

------------------------------

Date: 28 Jul 92 09:07:26 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: F-PROT, Telecom, false positive ?? (PC)

RXB%FDACFSAN.BITNET@VTVM2.CC.VT.EDU writes:

>Situation - After receiving ftp'd *.zip files, I downloaded them
>from my mainframe VM session to my PC using Attachmate's Extra for
>Windows 3.22, under Windows 3.1. Then I ended my mainframe session and
>exited Windows. After unzipping the files onto a floppy, I scanned them
>using SCANv93, then Central Point Antivirus 1.2, and then F-PROT 204a.
>Central Point's VSAFE is loaded into memory as a tsr, the others are
>not. F-PROT gave a message indicating that the Telecom virus
>search pattern was found in memory

This is CPAV's fault - they leave the signature in memory. No other
major anti-virus producer has a similar compatibility problem with the
rest of the industry. In fact, even the CPAV manual says you should not
use other anti-virus programs with CPAV. The reason is simple - they
are responsible for too many false alarms.

As it is generally a good idea to use multiple scanners, the solution
is quite simple - don't use CPAV....combine a few other scanners - they
all work. Of course anybody is free to use CPAV, but if you do, please
don't use any other scanner (including my own) on the same machine -
you will get problems.

>Is F-PROT the only one of the 3 that can scan *.zip files, not yet
>unzipped?

Uh - F-PROT can *not* scan .ZIP files....It can scan compressed
executables (PKLITE/DIET/ICE/LZEXE/EXEPACK), but not archives....

-frisk

------------------------------

Date: Tue, 28 Jul 92 12:32:39 +0000
From: storner@diku.dk (Henrik St|rner)
Subject: Re: GIF viewer crashes system (was Re: an amazing problem...) (PC)

[after downloading a GIF viewer, the system crashed and now reports a
'drive c write protected' when booting]

You are running Stacker, and this message DOES come from Stacker. When
a system crashes that has a Stacker drive mounted, some allocation
errors can occur on the Stacker drive. If these cannot be fixed
automatically when booting, Stacker write protects the drive that has
the error.

Note that drive C in Your case is NOT the physical drive C, but rather
the drive that Stacker has compressed. Your physical C: drive is called
D:.

Solution: Run SCHECK to repair the Stacker drive, possibly also
CHKDSK /F. Reboot, and You should be running fine.

--
Henrik Storner (storner@diku.dk)
Dept. of Computer Science
Univ. of Copenhagen, Denmark.

------------------------------

Date: Tue, 28 Jul 92 08:50:41 -0400
From: OB77665@IBMH1.ORL.MMC.COM
Subject: Info on Intel's NLM? (PC)

In the next several weeks we will be looking at INTEL's NLM for our
servers. I've heard that it is a borderline product, but no specifics.
I would appreciate any information that anyone would have on this
product.

Thanks
Bruce

------------------------------

Date: Tue, 28 Jul 92 13:08:17 +0000
From: lachlan@dmp.csiro.au (Lachlan Cranswick)
Subject: Re: VET as good as Viruscan? (PC)

AMN@vms.brighton.ac.uk (Anthony Naggs) writes:

>David H. Ivens (D.Ivens@deakin.OZ.AU) asks:
>> I have evaluated VET anti-virus software (Australia) and it seems a very
>> good alternative to the expensive Viruscan.
>>
>> Has anyone had problems with this software?
>>
>> We do not get a lot of viruses and are considering a site licence for VET.

>I haven't used VET, but I have talked to Roger Riordan (the author) at
>a couple of conferences and he certainly knows his stuff, both on
>viruses loose on Australia and effective techniques for anti-virus
>software.
>Better still for you he is also in Victoria and will
>provide good quality and timely support, two things which you may have
>problems with for Viruscan (esp being so far from LA).

We have a site licence for V give it to site staff to nice how you can
legitimately? give copies to site staff to install on their home
computers so any viruses they get from their

We are not on the cutting edge of pirate software etc that is a major
source of viruses so I do not encourage people to use the memory
resident parts of VET unless they expect nasty file viruses. The memory
resident part of VET can cause clashes and erratic behaviour with some
programs. If you read the manual you are prepared for it, but just
having VET.COM installed makes

VET is also very good at repairing the damage that a virus can cause to
a hard-disk.

Just having a site licence for an anti-viral program makes people aware
of the damage they can cause and makes them cautious - and thus we do
not have many infections (1 or 2 a year).

Another advantage of having a program installed on all PC's is that
people no longer blame viruses when their computers play up and instead
look for other software or hardware causes. Not too long ago, it used
to be very hard to convince PC users that their problem was not virus
related because of all the virus paranoia.

--
Lachlan Cranswick - CSIRO         _--_|\      lachlan@dmp.CSIRO.AU
Division of Mineral Products     /      \     +61 3 647 0367
PO Box 124, Port Melbourne 3207  \_.--._/
AUSTRALIA                              v

------------------------------

Date: Tue, 28 Jul 92 09:18:03 -0400
From: OB77665@IBMH1.ORL.MMC.COM
Subject: Re: McAfee GENP/GENY identification (PC)

In reference to Padgett's comments on McAfee's GENP / GENY virus
identification. I must agree when you have several thousand PC's to
keep CLEAN it's almost imperative that you know what you're coming up
against. This type of identification process makes keeping any kind of
useful stats very difficult. We ran into some factory sealed diskettes
that were infected.
Can you imagine trying to talk to the service rep. "We know you're
infected with a virus, but we don't know what it is."

Bruce

------------------------------

Date: Tue, 28 Jul 92 13:11:45 +0000
From: lachlan@dmp.csiro.au (Lachlan Cranswick)
Subject: Re: How do I reverse the effect(s) of Stoned ? (PC)

berstel@lacim.uqam.ca (Bruno Berstel) writes:

>In brief : I got Stoned and now my hard disk has name D:. How can I correct
> this ?

>I have bought a modem to some unknown fellow; he gave me a floppy with
>Kermit on it. Well, not just Kermit. Stoned/Marijuana too. Since I'm
>new to the PC world (yes : another Unix/Mac baby -- in fact I grew up
>with MULTICS !), I didn't run no scanner on the infected disk. I woke
>up the day after with my hard disk named D:. Stop me here if there is
>no relation.

>From what (I understand among what) I have been told by my scanner,
>Stoned sleeps in the boot sector of floppies and attacks hardies, but
>doesn't settle down on them. Of course I've erased it from the floppy
>but the evil had been done. Not knowing what to do I "temporarily"
>notified to all my software that the hard disk was named D:.

Try the VET anti-viral program, unlike other programs it is very good
at repairing the damage this virus causes as well as cleaning the virus
off the hard-disk. Stoned is quite happy to exist on a hard-disk which
it slowly corrupts. Other anti-viral programs can wipe the data on the
hard-disk by not repairing the damage Stoned has caused.

--
Lachlan Cranswick - CSIRO         _--_|\      lachlan@dmp.CSIRO.AU
Division of Mineral Products     /      \     +61 3 647 0367
PO Box 124, Port Melbourne 3207  \_.--._/
AUSTRALIA                              v

------------------------------

Date: Thu, 23 Jul 92 20:56:21 -0400
From: Anthony Naggs
Subject: UK Computer Crime Unit

Over the last 3 months I've had reasonable access to the net and I have
been gradually collecting back issues of virus-l. I just came across
some mention in December 1990 of the UK Computer Crime Unit.
As there appeared to be little follow up I thought you may like to know
the situation, (as I understand it).

First there is no "UK" unit, in London the Metropolitan Police ("New
Scotland Yard") has a CCU of four officers and some clerks. In the
various police districts there are officers who are trained to have
some familiarity with computers. They will investigate reports, with
the assistance of technical people at the complaining company, other
experts or may refer (some politics in this one) to the CCU in London.

The CCU held a meeting in March 1991 of around 30 people, optimistically
called the National Computer Virus Strategy Group. The main result was
the report forms mentioned below. I hope that the CCU workload will
soon reduce, so that they will be able to arrange a second meeting
later this year.

Most incidents reported and investigated are computer assisted frauds
or cracking. The CCU is not well equipped to investigate virus
incidents, and would call on experts, such as myself, to give technical
assistance.

The CCU has a scheme for reporting virus incidents, if there is
interest I'll post a copy of the forms to Ken to make available for
FTP. The current purpose of the scheme is to gauge the number of
incidents & financial losses accruing. This will allow a case to be
made to the appropriate government agencies, (the Home Office and the
Department of Trade & Industry), for funding to expand the CCU and
support it in properly investigating these incidents. So if you want
to help them to do this you should report all UK virus incidents.

The CCU telephone number is 071 230 1176, virus related matters are
normally handled by Detective Constable Noel Bonczoszek.

Ye olde postal method:
  Computer Crimes Unit (CCU),
  2 Richbell Place,
  LONDON WC1X 8CD

No they don't read VIRUS-L/comp.virus, basically because with such a
small staff and a high work load they don't have the time to browse and
pick out the useful/interesting bits.
I can forward email to the CCU, though this would be a strictly
unofficial arrangement.

DISCLAIMER: This message is not an official statement, and any
inaccuracies or misrepresentation in this information is solely due to
my fallibility and misunderstanding.

Regards,
Anthony Naggs

Internet: amn@vms.brighton.ac.uk or xa329@city.ac.uk
Janet:    amn@uk.ac.brighton.vms ( cbs%uk.ac.brighton.vms::amn )
          or xa329@uk.ac.city ( cbs%uk.ac.city::xa329 )

------------------------------

Date: 24 Jul 92 20:05:00 +0100
From:
Subject: Computer Virus Catalog update

Computer Virus Catalog summer update available from VTC Hamburg:

  FTP site:  ftp.informatik.uni-hamburg.de
  Address:   134.100.4.42
  Login:     anonymous
  Password:  your_name
  Directory: pub/virus/texts/catalog

(other entries contain info on virus documents, the CARO naming scheme,
and info on CCC).

The following new files (in ASCII, will be zipped later) are available:

  Index.792    (26 kB): Survey of all 243 classified viruses/trojans
                        and strains.
  AmigaVir.792 (17 kB): Survey of all 64 classified AmigaVirs;
                        +Incognito, Traveller, 2001.
  MacVir.792   (27 kB): Survey of all 34 classified MacVirs;
                        +CODE252, INIT1984, MBDF-A, T4-A, T4-B.
  MsDosVir.792 (88 kB): Survey of all 124 classified MsDosVirs;
                        +Akuku, Amoeba, Anthrax, Armagedon, BFD, Groove,
                        Hafenstrasse-2/-3, Halloween, Joshi,
                        Leningrad-543, Mummy 1.2, P-Check, Peach,
                        Seventh Son, SillyWilly Trojan/Virus,
                        VCS 1.0 Manta, VCS 1.1a, VCS 1.3 RUF,
                        XPEH-4016=CHREN-4016.

If you have no ftp access, please contact the author or Vesselin
Bontchev who will send the requested files (both on travel until
mid-August).

With next CVC edition, a machine readable version will be available,
for direct retrieval, based on dBase III. To assist in retrieval, a
Clipper program will be downloadable (free-of-charge) from the server.

Generally, any critical and constructive remarks will be welcomed.
CVC editors: Klaus Brunnstein + Vesselin Bontchev,
Virus Test Center, University Hamburg, Germany (July 24, 1992)

------------------------------

Date: 23 Jul 92 16:50:00 -0700
From: Robert Slade
Subject: Jerusalem virus part 2 (CVP)

HISVIR4.CVP   920714

                     The "Jerusalem" virus - part 2

The history of the Jerusalem virus is every bit as convoluted as its
functionality and family. The naming alone is a fairly bizarre tale.

As mentioned before, it was originally called the Israeli virus.
Although considered unfair by some, it was fairly natural as the virus
had both been discovered and reported from Israel. (Although the virus
was reported to slow down systems that were infected, it seems to have
been the "continual growth" of EXE files which led to the detection of
the virus.) In an effort to avoid anti-semitism, it was referred to by
its "infective length" of 1813 bytes. For COM files. For EXE files it
was 1808 bytes. Sometimes. It varies because of the requirement that
the header of an EXE file is divisible by 16. (All quite clear?)

One of the early infections was found to be in an office belonging to
the Israeli Defence Forces. This fact was reported in an Associated
Press article, and, of course, made much of. It also gave rise to
another alias, the I.D.F. virus.

When the virus was first discovered, it was strongly felt that it had
been circulating prior to November of 1987. The "payload" of file
deletion on Friday the 13th gave rise to conjecture as to why the logic
bomb had not "gone off" on Friday, November 13th, 1987. (Subsequent
analysis has shown that the virus will activate the payload only if the
year is not 1987.) The next following "Friday the 13th" was May 13th,
1988. Since the last day that Palestine existed as a nation was May
13th, 1948 it was felt that this might have been an act of political
terrorism. This led to another alias, the PLO virus.
(The fact that Israel celebrates its holidays according to the Jewish
calendar, and that the independence celebrations were slated for three
weeks before May 13th in 1988 were disregarded. The internal structure
of the virus, and the existence of the sURIV viral programs seems to
indicate that any political correspondence is merely coincidence.)

Yet another alias is "sUMsDos", based upon text found in the virus code
itself. This was, on occasion, corrupted to "sumDOS".

The name "Jerusalem" has gained ascendancy, possibly due to the McAfee
SCAN program identification. (He certainly must be responsible for the
"B" designation for the "original" version.) Of course, the great
number of variants have not helped any. Because a number of the
variants are very closely based upon each other's code, the signatures
for one variant will often match another, thus generating even more
naming confusion. This confusion is not unique to the Jerusalem family,
of course, and is an ongoing concern in the virus research community.

copyright Robert M. Slade, 1992   HISVIR4.CVP   920714

=============
Vancouver      ROBERTS@decus.ca         | "The client interface
Institute for  Robert_Slade@sfu.ca      |  is the boundary of
Research into  rslade@cue.bc.ca         |  trustworthiness."
User           p1@CyberStore.ca         |         - Tony Buckland, UBC
Security       Canada V7K 2G6           |

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 133]
******************************************
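Added example, not part of the digest: Robert Slade's Jerusalem note above observes that the virus was noticed through the "continual growth" of EXE files, and that its EXE infective length varies because the MZ header is measured in 16-byte paragraphs. The checker below shows both points from the defender's side: it parses the MZ header, compares the size the header declares with the real file size, compares the file against a known-good size baseline, and reports how much of any growth is paragraph-alignment padding. The file names, the baseline and the sample images are constructed for the example.

```python
"""Integrity check for DOS MZ (.EXE) files (constructed example)."""
import struct

# Classic 28-byte MZ header: "MZ" signature followed by 13 little-endian words.
MZ_HEADER = struct.Struct("<2s" + "H" * 13)


def parse_mz(data: bytes) -> dict:
    """Return the size-related fields of an MZ header, or raise ValueError."""
    if len(data) < MZ_HEADER.size:
        raise ValueError("file too short for an MZ header")
    fields = MZ_HEADER.unpack_from(data)
    sig, e_cblp, e_cp, e_cparhdr = fields[0], fields[1], fields[2], fields[4]
    if sig not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    # e_cp counts 512-byte pages; e_cblp is the number of bytes used in the
    # last page, with 0 meaning the last page is full.
    declared = e_cp * 512 - ((512 - e_cblp) if e_cblp else 0)
    return {"header_bytes": e_cparhdr * 16, "declared_size": declared}


def paragraph_padding(size: int) -> int:
    """Bytes needed to bring `size` up to the next 16-byte paragraph boundary."""
    return (-size) % 16


def check_exe(name: str, data: bytes, baseline: dict) -> list:
    """Return findings for one executable; an empty list means nothing odd."""
    findings = []
    hdr = parse_mz(data)
    actual = len(data)
    if actual > hdr["declared_size"]:
        findings.append(f"{name}: {actual - hdr['declared_size']} bytes beyond "
                        f"the size declared in the MZ header (appended data)")
    elif actual < hdr["declared_size"]:
        findings.append(f"{name}: truncated ({actual} < {hdr['declared_size']})")
    known = baseline.get(name)
    if known is not None and actual != known:
        # Anything placed on the next paragraph boundary after the old end of
        # file carries paragraph_padding(known) bytes of alignment padding,
        # which is why growth of an EXE is not a single constant.
        findings.append(f"{name}: size changed by {actual - known:+d} bytes since "
                        f"baseline ({paragraph_padding(known)} of them would be "
                        f"paragraph alignment padding)")
    return findings


def build_exe(code: bytes, header_paragraphs: int = 2) -> bytes:
    """Construct a minimal, self-consistent MZ image around `code` (sample data)."""
    header_len = header_paragraphs * 16
    total = header_len + len(code)
    e_cp, e_cblp = divmod(total, 512)
    if e_cblp:
        e_cp += 1  # a partial last page still counts as a page
    # Fields: e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc, e_ss,
    # e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno
    header = MZ_HEADER.pack(b"MZ", e_cblp, e_cp, 0, header_paragraphs, 0, 0xFFFF,
                            0, 0x100, 0, 0, 0, 0x1C, 0)
    return header.ljust(header_len, b"\0") + code


# Constructed sample: a clean image (a DOS "exit" stub plus NOP filler), then
# the same image with 1808 bytes of zero filler appended on the next paragraph
# boundary so the checker has some growth to report.
CLEAN = build_exe(b"\xB4\x4C\xCD\x21" + b"\x90" * 600)   # mov ah,4Ch / int 21h
GROWN = CLEAN + b"\0" * (paragraph_padding(len(CLEAN)) + 1808)
BASELINE = {"DEMO.EXE": len(CLEAN)}  # sizes recorded while the files were known good

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("grown", GROWN)):
        print(label, check_exe("DEMO.EXE", image, BASELINE) or "OK")
```

A real deployment would record the baseline sizes (or better, hashes) from trusted media and re-run the check on every PC; the header-versus-file-size comparison needs no baseline at all and also catches the overlay/appended-data case on a file seen for the first time.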