From lehigh.edu!virus-l Sat Aug 8 09:58:19 1992
Date: Fri, 7 Aug 1992 09:12:01 -0400
Message-Id: <9208061608.AA27094@barnabas.cert.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@cert.org
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From:
To: Multiple recipients of list
Subject: VIRUS-L Digest V5 #136
Status: R

VIRUS-L Digest             Thursday, 6 Aug 1992        Volume 5 : Issue 136

Today's Topics:

Re: Stoned and Michaelangelo (PC)
Re: McAfee Products (PC)
victor charlie (PC)
F-Prot and Stoned (No-Int) Virus (PC)
Watchdog conflict with sprint (PC)
Write Protect Drive C: (PC)
DRAGON VIRUS found!!! (PC)
Virus discovered in file from WUARCHIVE.WUSTL.EDU (PC)
Stoned and Michaelangelo (PC)
Re: McAfee GENP/GENY identification (PC)
Integrity Master Forwarded from Fidonet (PC)
Re: write protect on C: (PC)
Problem with SHARE and VSHIELD (PC)
MS-DOS 6.0 with Anti-Virus ? (PC)
BIOS level MBR protection (PC)
YASAS (yet another stupid article story)
Re: Virus BBS List?
Re: Jerusalem virus (CVP)
Jerusalem part 3 (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .
Ken van Wyk

----------------------------------------------------------------------

Date: Wed, 29 Jul 92 20:08:56 +0000
From: rslade@sfu.ca (Robert Slade)
Subject: Re: Stoned and Michaelangelo (PC)

This really isn't very odd, since Michelangelo is a "version" of Stoned. I have seen SCAN report Michelangelo as Stoned at times. Which version of SCAN are you running?

It is, of course, possible that this is a modification of Michelangelo or Stoned which is similar enough to the original to be "found", but identified differently by different scanners. Overall, though, I'd go with the Vi_Spy id.

=============
Vancouver      ROBERTS@decus.ca    | "Remember, by the
Institute for  Robert_Slade@sfu.ca | rules of the game, I
Research into  rslade@cue.bc.ca    | *must* lie. *Now* do
User           p1@CyberStore.ca    | you believe me?"
Security       Canada V7K 2G6      | Margaret Atwood

------------------------------

Date: Wed, 29 Jul 92 06:18:00 -0400
From: james.roy@synapse.isis.org (James Roy)
Subject: Re: McAfee Products (PC)

TO: frisk@complex.is (Fridrik Skulason)

FS>Well, if you define "scanner" as using only simple signature search,
FS>this is correct - such a scanner will only detect viruses it knows or
FS>variants of it. However, some "scanners" now include the ability to
FS>find non-specific virus-like code, and this approach does enable the
FS>scanner to find around 90-95% of NEW viruses.

Agreed that scanners are becoming more sophisticated. The 5-10% is still somewhat disturbing.

I had sent a message to you earlier wondering if you had given thought to increasing your penetration of the Canadian Federal Government market by having an agent here. Did you receive the message?

- ---
 . OLX 2.1 . Proofread carefully to see if you any words out.

------------------------------

Date: Wed, 29 Jul 92 06:11:00 -0400
From: james.roy@synapse.isis.org (James Roy)
Subject: victor charlie (PC)

MEB>Subject: victor charlie (PC)
MEB>Has anyone ever used Victor Charlie and have any opinions? We are
MEB>thinking of using it opposed to McAfee's Scan and Clean.

I am a distributor of Victor Charlie in Canada. It takes a radically different approach to virus control than McAfee's products. It is a generic product which looks for virus activity and can detect all viruses, even those previously unknown. It has a range of utilities, the most useful of which are:

- a quick (3 second) routine which runs bait files and checks key files and areas to detect active viruses. Once detected, the signature of the virus is captured in real time and a reboot is forced to purge it from memory. Because of this feature you do not have to depend on updates from the developer nor risk extensive damage to your files due to a virus unknown to the version of the scanner you have;

- an audit routine that allows you to record encrypted checksums of all your executable files and later run a comparison. This will detect all changes to files and allow you to track down elusive viruses;

- a low level AI routine to learn from each new virus detected and develop methods for detecting viruses within that "family" of viruses.

VC is a highly secure product designed to foil viruses which may be specifically written to attack it. It currently does not use a TSR due to the vulnerability of TSR virus monitors to such targeted viruses. VC's checks are easily put into your applications menu or batch files, which allows it to be run automatically (and silently) frequently during your computing day.

It is, one might say, a scanner in reverse. Rather than relying on scanning new files for viruses which the scanner knows about, VC is run after a new application is run to see if any viruses have gone active.

VC does have a scanner which it updates itself. One can use it for scanning new files, but it is primarily used for tracking down a virus once detected by the method described above.
Given the stealth viruses and polymorphic viruses which are out there, scanners are becoming more and more limited in their effectiveness.

VC retails for $139 and requires no updating. It is distributed in the States by Computer Security Associates at (803)-796-1935 and in Canada by Lannatec Associates Inc, 166 Anna Avenue, Ottawa, Ont. K1Z 7V2, tel (613)-724-5978.

- ---
 . OLX 2.1 . I'm in shape ... round's a shape isn't it?

------------------------------

Date: Thu, 30 Jul 92 16:44:46 +0000
From: mike@csc.albany.edu (Michael Ciarfello)
Subject: F-Prot and Stoned (No-Int) Virus (PC)

We are evaluating F-Prot. I saved a copy of the No-Int Stoned virus on a floppy disk for later testing. When using F-Prot on the disk, it says it cannot clean the virus because it cannot locate the original boot sector.

The No-Int Stoned virus is about the only virus that gives us trouble around here. Does anyone have any experience with cleaning up Stoned with F-Prot? We have a program to restore the boot sector of the hard disk from a good copy of it, but it doesn't work to restore floppy disks.

- ----------------------------------------------------------------------------
Michael Ciarfello                          Internet: mike@uacsc1.albany.edu
State Univ. of NY at Albany                Bitnet:   mike@albnyvms
Student Computer Consultant/Computer Science Major

------------------------------

Date: 30 Jul 92 23:15:44 -0000
From: cjmartin@ccu1.aukuni.ac.nz (Mr. Christopher C.J. Martin)
Subject: Watchdog conflict with sprint (PC)

Borland's word processor Sprint writes to a swap file every few seconds, and Watchdog interrupts each attempt to write and will not allow you to continue. Has anyone come across this problem? Must I chain up my Watchdog?

Chris Martin
cj.martin@aukuni.ac.nz

------------------------------

Date: Thu, 30 Jul 92 22:06:26 -0400
From: BOORMABC@snyalfva.cc.alfredtech.edu (TEMPO BBS Operations Manager)
Subject: Write Protect Drive C: (PC)

This is for glratt@rice.edu.......
As to your problem about your C: drive being write protected, I have encountered this before myself. The problem would appear to be with your compression system, Stacker. Apparently, if you have Stacker set up to swap C: and D: at boot up so that C: is the stacked drive, and the contents of config.sys get messed up, then you will not be able to write to your boot drive C:. The only way that I found to correct this was to reformat the hard drive. Anyone else have any ideas??

- -----------------------------------------------------------------------------
Brian C. Boorman
boormabc@snyalfva.cc.alfredtech.edu
- -----------------------------------------------------------------------------

------------------------------

Date: Fri, 31 Jul 92 15:16:53 +0000
From: g89r4255@hippo.ru.ac.za (Lt Sajid Rahim)
Subject: DRAGON VIRUS found!!! (PC)

I have just found a new virus which has been named, appropriately, DRAGON since it contains a whole poem by the fantasy writer Anne McCaffrey. The text is encrypted and it is as follows:

    Gone Away, Gone Ahead.
    Echo Away, dies unanswered.
    ....
    ...
    ....
    McCaffrey
    Dragon Riders of Pern.

I have yet to ascertain what its course of action is. I will keep the group updated with the full disassembly report.

Sincerely
Sajid

- --
- ---------------------------------------------------------------------
- -- Sajid Rahim, Dept of Computer Science, Rhodes University,       --
- -- Grahamstown, South Africa. Internet : g89r4255@hippo.ru.ac.za   --
- ---------------------------------------------------------------------

------------------------------

Date: Fri, 31 Jul 92 18:38:57 -0400
From: Jimmy Kuo
Subject: Virus discovered in file from WUARCHIVE.WUSTL.EDU (PC)

system@SCFE.NWC.NAVY.MIL (System Manager) writes:

>>Today I downloaded a file from WUARCHIVE.WUSTL.EDU (one of the
>>mirroring ftp sites). Filename is
>>/mirrors/garbo.uwasa.fi/screen/grabsc11.zip When I tried to run
>>GRABSCRN.COM from this zip file, Norton Antivirus TSR reported that
>>the file is infected with Wonder-2 virus. F-PROT did not report a
>>virus.

to which Fridrik replies:

>Ignore this - it is a false alarm. In fact, ignore everything NAV
>says about the Wonder virus. The virus is written in C or Pascal, and
>it seems they are just "detecting" a part of the run-time library.

I want to thank Fridrik for answering this so the discussion can be cleared up. This posting is to fill in all the details.

The Wonder-2 false-id situation existed for the original June update. Upon hearing of the false-id situation, a subsequent update was released which does not have the problem in it. The original June update would be 20A04.DEF or 15A09.DEF (depending on whether you're using 2.0 or 1.5). Loading any updates beyond 04 for 2.0 or 09 for 1.5 will remove this problem from your system. We are about to release (or have already released by the time this posting is made) the August update set, which are 20A07 and 15A12, respectively.

Jimmy Kuo                                  cjkuo@ccmail.norton.com
Norton AntiVirus Research

------------------------------

Date: Fri, 31 Jul 92 06:14:00 -0400
From: james.roy@synapse.isis.org
Subject: Stoned and Michaelangelo (PC)

TO: schiffman@wilma.wharton.upenn.edu

SC> I had two odd infections occur in my office in the last 2 days.
SC>Two computers both appeared to have Michaelangelo when run through
SC>Vi-Spy, but appeared to have Stoned when run through SCAN. Neither
SC>detector took notice of both. Any idea or similar experience ?

The Michaelangelo (actually spelled Michelangelo) is simply a hacked version of the Stoned virus (which has 18 or more offspring according to Patricia Hoffman's VSUMX205). Either your two different scanners are picking up different pieces of code: Vi-Spy recognizing a part of the code which is found in Michelangelo, and SCAN (which version?) picking up code which is found in both Stoned and Michelangelo. Or what you may have is a new variant which is neither one but still detectable by scanners looking for either the Stoned or Michelangelo. The virus hacker was not too skillful, as with just a little more work he or she might have made it invisible to both scanners. Some scanning software also uses some heuristic techniques to find families of viruses, and this is what may be happening here. Scanning is a very imperfect art as viruses can be hacked to fool scanners.

- ---
 . OLX 2.1 . The first myth of management is that it exists.

------------------------------

Date: Fri, 31 Jul 92 06:05:00 -0400
From: james.roy@synapse.isis.org
Subject: Re: McAfee GENP/GENY identification (PC)

TO: OB77665@IBMH1.ORL.MMC.COM

OB>In reference to Padgett's comments on McAfee's GENP / GENY virus
OB>identification.

OB>I must agree when you have several thousand PC's to keep CLEAN it's
OB>almost imperative that you know what you're coming against. This type
OB>of identification process makes keeping any kind of useful stats very
OB>difficult.

I certainly agree that IDEALLY one would like to identify the exact virus and be able to read up about it and also have a utility to clean it out of the system. However, in practice, there are too many viruses coming out for any anti-virus company to keep up, you risk not getting updates in time even if available, cleaning is not 100%, new polymorphic viruses are self-mutating and as they improve will become invisible to scanners and other heuristic techniques. Rather than look for the perfect scanner, one should accept their limitations and only use them as gross filters for incoming software. Generic protection virus control is essential in a modern computing environment. There are a number of products in this category, including TSR virus monitors and integrity checkers. Our firm distributes Victor Charlie, which can deal with all known and unknown viruses.
Generic products do not identify the virus, they just detect it and purge it from the system.

- ---
 . OLX 2.1 . Jim Roy - Tel. (613) 724-5978 Fax 729-8109

------------------------------

Date: Sun, 02 Aug 92 06:32:27 +0100
From: scott@sklib.USask.ca
Subject: Integrity Master Forwarded from Fidonet (PC)

sg #: 88                     Area: SHAREWARE
Sent: 27 Jul 92 22:37:00
From: Wolfgang Stiller
To: All
Topic: New Shareware anti-virus

Stiller Research announces release of Integrity Master(tm) version 1.23a

Integrity Master is ASP shareware providing complete, easy to use, data integrity for your PC plus virus protection. It can also be used to provide file change management and security on your PC. As well as scanning for known viruses, it detects unknown viruses and, unlike other products, will detect files which have been damaged but not infected by a virus.

INTEGRITY MASTER PROTECTS YOU AGAINST ALL THREATS TO YOUR DATA AND PROGRAMS NOT JUST VIRUSES!

This upgrade provides the following new features since version 1.22:

1) We added a new option to do nothing but scan programs in the current directory for known viruses.

2) The COMMANDS menu now contains an "uninstall" option to remove integrity data files from the directories on the current disk. This allows you to easily remove protection from a disk.

3) We added three new command line options to scan files and system sectors for known viruses. These parameters are:
   "/VA" Check ALL files on a disk (not just executables).
   "/VO" One time quick screening of programs on current disk.
   "/VR" One time quick screening of programs in current directory.
   (REMINDER: Scanning by itself is not sufficient protection against viruses!)

4) 35 new viruses and variants are identified by name.

To save space I'm listing just the executables included within the archive:

PKUNZIP (R)    FAST!    Extract Utility    Version 1.1    03-15-90
Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
PKUNZIP Reg. U.S. Pat. and Tm. Off.
Searching ZIP: I-M123.ZIP

 Length  Method    Size  Ratio    Date    Time   CRC-32   Attr  Name
 ------  ------    ----  -----    ----    ----   ------   ----  ----
   2183  Implode   2151    2%   07-14-92  01:23  3da7f740  --w  GENVIR.EXE
 102867  Stored  102867    0%   07-14-92  01:23  92f8d173  --w  IM.EXE
   3616  Implode   1899   48%   07-14-92  01:23  c8ad2af0  --w  IMCHECK.EXE
  60912  Stored   60912    0%   07-14-92  01:23  d2aac559  --w  SETUPIM.EXE
   1118  Implode   1011   10%   07-14-92  01:23  515b8205  --w  IMVIEW.COM

Integrity Master V1.23a was released on July 14th via SDN and also the

------------------------------

Date: Mon, 03 Aug 92 11:52:00 +1200
From: "Mark Aitchison, U of Canty; Physics"
Subject: Re: write protect on C: (PC)

smith_s@gc.bitnet (Steven W. Smith) writes:
>>yesterday i downloaded a piece of software called NakedEye -- a p.d. gif
>>viewer -- when i tried to run it, the screen blanked and the system crashed,
>>but when i rebooted i got an error "drive c write protected" -- i am using
>>dos 5.0 and as far as i know (and as far as my manual says) you cannot write
>>protect a drive. although i am also running stacker and 4dos...
>
>   I've experienced the same thing using DR DOS 6.0 with disk
> compression. It was not virus-related in any way. It's very likely
> that CHKDSK/F will put everything back in order. I think that it's a
> nice feature to add the write protect if you subtly munge your disk,
> but it would be nice to clue the user in about using CHKDSK/F to clean
> up.

Yep, Stacker does exactly this when the disk is messed up, but you need a special program (supplied with Stacker) to properly fix it, or you can copy everything off to diskette while you can, then reformat the disk (not low level, just clear the partition and re-install Stacker and your backed-up software). But don't trust the present copy of the files on the disk! Hopefully you have a backup of everything.
Stacker and DRDOS's SuperStore do the same thing; it's just with SuperStore that DRDOS's CHKDSK/F does the appropriate fixing (not very well, perhaps, but consider that PKZIPFIX can't work miracles either).

So the message didn't come from a virus, but I suspect the gif viewer has a bug! The method of testing unknown programs - whether you are worried about a virus or a bug - is to keep your valuable hard disk safe - ideally have a machine somewhere you can practice on, or unplug your hard disk, or change the partition table at the very least.

Mark Aitchison.

------------------------------

Date: Mon, 03 Aug 92 11:11:34 -0400
From: "Werner Ente 3-AUG-1992 15:55:13.39"
Subject: Problem with SHARE and VSHIELD (PC)

Hi,

I am using MS-DOS 5.0 (German version) and VSHIELD. When I start the SHARE program and redirect the VSHIELD output to a file I get the following result.

==================================
C:\>share
SHARE installiert                         [SHARE installed]

C:\>copy autoexec.bat nul
        1 Datei(en) kopiert               [1 file(s) copied]

C:\>vshield > nul
VSHIELD 4.9V91 Copyright 1989-92 by McAfee Associates. (408) 988-3832
VSHIELD 4.9V91 is now installed.

C:\>copy autoexec.bat nul
Unzulässige SHARE-Operation               [Invalid SHARE operation]

C:\>
==================================

This example works with different filenames too. Has anyone an idea where this problem comes from? Is it a Microsoft or a McAfee or only my special problem?

Werner

..............
Werner Ente                        Wente@ifw.uni-kiel.dbp.de
Institut für Weltwirtschaft        0431/8814277
Kiel, Germany

------------------------------

Date: Tue, 04 Aug 92 10:00:46 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: MS-DOS 6.0 with Anti-Virus ? (PC)

I see in the new PC-Week that MS-DOS 6.0 is scheduled to contain anti-virus software from Central Point. Makes sense since MS & CP have been working together for some time now & CP has a number of utilities in MS-DOS 5.0.
Too bad that they have chosen the one product that is notorious for leaving viral signatures scattered in memory, though hopefully that will be fixed by the time 6.0 comes out, else MS support lines are liable to be swamped with calls.

This is interesting in that back at the start of the year once again I sent Microsoft copies of my BIOS stuff and suggested that the best place for it would be in FORMAT, SYS, and FDISK. I received a nice letter back stating that "it was not in MicroSoft's business plan..." Be interesting to see what actually ships...

Warmly (95 before the thunderstorms, 75 after),

Padgett

------------------------------

Date: Tue, 04 Aug 92 14:11:25 -0600
From: kev@inel.gov (Kevin Hemsley)
Subject: BIOS level MBR protection (PC)

Thuna Technologies has a BIOS upgrade called MR. BIOS(TM) which includes an "Anti-Virus Feature" which, when enabled, will trap writes to the Master Boot Record. Additionally, as with other BIOS manufacturers, the boot sequence can be set to boot from C: first, or optionally, a screen prompt which requests an explicit selection of the boot drive.

Vendors may be slow, but they are learning!

- --
Kevin Hemsley                          | The cute message that used to
Information & Technical Security       | be here was destroyed by a
Idaho National Engineering Laboratory  | nasty .sig virus!
(208) 526-9322                         |
kev@inel.gov                           | Please control your .sigs.

------------------------------

Date: Sat, 01 Aug 92 13:18:54 -0700
From: rslade@sfu.ca (Robert Slade)
Subject: YASAS (yet another stupid article story)

Number 37 in the series, "Accuracy in the media":

The Vancouver Sun, Saturday, August 1, 1992, "Ocean", p. A6 (continued from "Deep Dark Secrets", p. A1)

"If that weren't enough, the computer software meant to help guide ROPOS developed a virus. To the shock of the scientists watching the first nerve-wracking descent, the system suddenly froze and "Your system is stoned" flashed on the control room consoles."
Editors, The Sun
Fax: 732-2323

Gentlemen:

I am writing to correct some errors in your article "Deep Dark Secrets" (p. A1 and A6, Saturday, August 1, 1992). I was quite interested in the article, and would normally never dare to question the facts therein: oceanography is not my field. However, your mention of the virus in the computer needs some correction.

First of all, the "software meant to help guide ROPOS" did not "develop" the virus. (It was, in fact, written by a high school student in New Zealand about four years ago.) The virus would have been carried to the computer on a floppy disk, probably unknowingly, by one of the people concerned with the project.

Secondly, the system did not suddenly "freeze", at least not because of the virus. This virus, most often referred to as "Stoned" because of the message, does not stop systems. (It will, with certain types of disks, overwrite the pointers to some files.) In all instances that I am aware of, the computer would continue to function without interference to any programs.

Thirdly, the message was "Your PC is now Stoned" (not "system") and it did not "flash" on the screen. If the message appeared at all, it was displayed when the computer was turned on or "rebooted", and then only if a floppy disk, itself infected with the virus, was in the A: drive of the computer at the time.

Why do I bring up these points at all? They do not have anything to do with the oceanographic studies. However, the expedition could have lost valuable data. The tragedy would be that the virus infection could easily have been prevented. Unfortunately, media attention to computer viral programs is so sparse (and so often inaccurate) that the general run of computer users have no idea as to the danger, nor what steps to take to combat the problem. At the current time, a business with 200 PCs can expect to be hit by at least one new virus infection every month, and the problem is growing rapidly.
The rapid growth is primarily due to the fact that most computer users take no precautions against viral programs, and those precautions are often insufficient or directed against the wrong type of problem. Hopefully, at some point accurate information about computer viral programs can be promoted, and the threat will diminish almost to nothing.

Robert Slade
Vancouver Institute for Research into User Security

==============
Vancouver      ROBERTS@decus.ca    | "It says 'Hit any
Institute for  Robert_Slade@sfu.ca | key to continue.'
Research into  rslade@cue.bc.ca    | I can't find the
User           p1@CyberStore.ca    | 'Any' key on my
Security       Canada V7K 2G6      | keyboard."

------------------------------

Date: Mon, 03 Aug 92 11:32:11 +0000
From: m13079@mwunix (Mary Anne Walters)
Subject: Re: Virus BBS List?

brianc@eskimo.celestial.com (Brian C) writes:

>Could someone please e-mail me a list of virus related bbs?

How about posting it?

- --
- --Mary Anne
"What we have once enjoyed and deeply loved we can never lose, for all that we love deeply becomes a part of us." Helen Keller [for Alexander]

------------------------------

Date: Thu, 30 Jul 92 14:06:23 -0400
From: Y. Radai
Subject: Re: Jerusalem virus (CVP)

Robert Slade writes:

>A few things are common to pretty much all of the Jerusalem family.
  .....
>Programs run after the program is resident in memory are infected by
>addition of the virus code to the end of the file, with a redirecting
>jump added to the beginning of the program.

This is accurate for infection of EXE files, but not for COM files. For these the code is *prepended* to the file (at least in the case of the original Jerusalem virus).

>The history of the Jerusalem virus is every bit as convoluted as its
>functionality and family. The naming alone is a fairly bizarre tale.
>As mentioned before, it was originally called the Israeli virus.
>Although considered unfair by some, it was fairly natural as the
>virus had both been discovered and reported from Israel. ....
> .... In an effort to avoid anti-semitism, it
>was referred to by its "infective length" of 1813 bytes. For COM
>files. ....

I agree with almost everything here, but I think it's a bit presumptuous to conclude that the reason for the name "1813" had anything to do with avoiding anti-semitism. To the best of my knowledge, this name was first given to it by Alan Solomon, who at that time (1988) gave a numeric name, based on the size of the added code, to *all* file viruses.

>One of the early infections was found to be in an office belonging to
>the Israeli Defence Forces. This fact was reported in an Associated
>Press article, and, of course, made much of. It also gave rise to
>another alias, the I.D.F. virus.

I think you're confusing the Jerusalem with another virus here. The above story and name fit the Frodo (= 4096) virus. To the best of my knowledge, they do not fit the Jerusalem.

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL

------------------------------

Date: Fri, 31 Jul 92 17:37:49 +0000
From: rslade@sfu.ca (Robert Slade)
Subject: Jerusalem part 3 (CVP)

HISVIR5.CVP   920714

                   The "Jerusalem" virus - part 3

Although it is difficult to be absolutely certain about pronouncements as to the provenance and family history of viral programs, it is almost certain that the Jerusalem virus is, in fact, two viral programs combined. Among the Jerusalem "family" are three "sURIV" variants (again, named for text in the code.) It is fairly easy to see where "virus" 1, 2 and 3 come from. sURIV 1.01 is a COM file infector, COM being the easier file structure and therefore the easier programs to infect. sURIV 2 is an EXE only infector, and is considerably longer and more complex code. sURIV 3 infects both types of program files, and has considerable duplication of code: it is, in fact, simply the first two versions "stuck" together.
(Although the code in the sURIV programs and the "1813" version of Jerusalem is not absolutely identical, all the same features are present. The date of the "payload" is April 1 in the sURIV variants. There is also a "year" condition: some of the payload of the sURIV variants is not supposed to "go off" until after 1988.)

Perhaps this explains the "popularity" of the Jerusalem virus as a "template" for variants. The code is reasonably straightforward and, for those with some familiarity with assembly programming, an excellent "primer" for the writing of viral programs affecting both COM and EXE files. (There is, of course, the fact that Jerusalem is both "early" and "successful". There are many copies of Jerusalem "in the wild", and it may be simply availability that has made it so widely copied. Its "value" as a teaching tool may simply be an unfortunate coincidence.)

Of course, not every virus writer who used the Jerusalem as a template showed the same good taste and imagination in what they did with it. Not all of them even fixed the obvious flaws in the original. The "variations" tend to be quite simplistic: there are a number of "Thursday the 12th", "Saturday the 14th" and "Sunday the 15th" programs. (Some of the "copy cat" virus authors added errors of their own. One of the "Sunday" variants is supposed to delete files on the "seventh" day of the week. Unfortunately, or perhaps fortunately for those of us in the user community, nobody ever bothered to tell the author that computers start counting from zero and Sunday is actually the "zeroth" day of the week. The file deletions never actually happen.)

copyright Robert M. Slade, 1992   HISVIR5.CVP   920714

==============
Vancouver      ROBERTS@decus.ca    | "It says 'Hit any
Institute for  Robert_Slade@sfu.ca | key to continue.'
Research into  rslade@cue.bc.ca    | I can't find the
User           p1@CyberStore.ca    | 'Any' key on my
Security       Canada V7K 2G6      | keyboard."
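The two points the CVP post above and Radai's reply turn on, and the checksum audit that the Victor Charlie and Integrity Master posts earlier in this digest describe, in runnable form. This is an added example and not code from the digest, from Robert Slade, or from any of the products mentioned: it records a size-plus-checksum baseline of a few executables, then runs the comparison against a simulated Jerusalem-style change in which the added code is prepended to a .COM and appended to an .EXE, as Radai states, and it counts how often the "Sunday" variant's day-of-week trigger would fire under the DOS convention (Sunday = 0) versus the author's "seventh day" test. The file images, the 1813 bytes of filler, and the names PROG.COM and TOOL.EXE are constructed here; nothing in it is virus code, and the EXE header handling is a minimal model of the file growth only, not of what Jerusalem itself patches.

```python
"""Integrity audit of executables versus a simulated Jerusalem-style change,
plus the "Sunday" variant's day-of-week trigger check. Added example for this
digest; the file images and filler bytes are constructed, not virus code."""
from __future__ import annotations

import hashlib
import struct
from datetime import date, timedelta

INFECTIVE_LENGTH = 1813              # the "1813" COM infective length named on the page
FILLER = b"\xcc" * INFECTIVE_LENGTH  # stand-in for the added code (constructed, inert)
HEADER_SIZE = 32                     # size of the minimal MZ header built below


def constructed_com() -> bytes:
    """Constructed .COM image: raw code, no header (contents are arbitrary)."""
    return b"\xb4\x4c\xcd\x21" + b"\x90" * 60          # mov ah,4Ch / int 21h, then NOPs


def mz_header(total_size: int, e_ip: int = 0) -> bytes:
    """Minimal 32-byte MZ header whose page fields describe total_size."""
    pages, last = (total_size + 511) // 512, total_size % 512
    # e_magic, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc,
    # e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno, then 4 bytes of padding
    return struct.pack("<2s13H4x", b"MZ", last, pages, 0, HEADER_SIZE // 16, 0, 0xFFFF,
                       0, 0x100, 0, e_ip, 0, HEADER_SIZE, 0)


def constructed_exe() -> bytes:
    """Constructed .EXE image: MZ header followed by an arbitrary code body."""
    body = b"\xb4\x4c\xcd\x21" + b"\x90" * 100
    return mz_header(HEADER_SIZE + len(body)) + body


def simulate_jerusalem(name: str, image: bytes) -> bytes:
    """Model only the file growth Radai describes: prepend to .COM, append to .EXE.
    (Hypothetical model: the real virus patches more of the EXE header than this.)"""
    if name.lower().endswith(".com"):
        return FILLER + image                          # COM: added code goes in front
    body = image[HEADER_SIZE:] + FILLER                # EXE: added code goes on the end ...
    entry = len(image) - HEADER_SIZE                   # ... and the entry point moves to it
    return mz_header(HEADER_SIZE + len(body), e_ip=entry) + body


def baseline(files: dict[str, bytes]) -> dict[str, tuple[int, str]]:
    """The 'audit' step: record size and checksum of every executable."""
    return {n: (len(d), hashlib.sha256(d).hexdigest()) for n, d in files.items()}


def audit(base: dict[str, tuple[int, str]], files: dict[str, bytes]) -> dict[str, int]:
    """Compare against the baseline; return {name: size delta} for each changed file."""
    changed: dict[str, int] = {}
    for name, data in files.items():
        size, digest = base[name]
        if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            changed[name] = len(data) - size
    return changed


def dos_day_of_week(d: date) -> int:
    """DOS INT 21h/AH=2Ah convention: Sunday is 0, Saturday is 6."""
    return (d.weekday() + 1) % 7       # Python counts Monday as 0


def trigger_days(year: int, weekday_code: int) -> int:
    """Count the days in `year` on which `day_of_week == weekday_code` would fire."""
    d, count = date(year, 1, 1), 0
    while d.year == year:
        count += dos_day_of_week(d) == weekday_code
        d += timedelta(days=1)
    return count


if __name__ == "__main__":
    clean = {"PROG.COM": constructed_com(), "TOOL.EXE": constructed_exe()}
    base = baseline(clean)
    later = {n: simulate_jerusalem(n, img) for n, img in clean.items()}
    print(audit(base, later))                            # {'PROG.COM': 1813, 'TOOL.EXE': 1813}
    print(trigger_days(1992, 7), trigger_days(1992, 0))  # 0 (never fires) and 52
```

Run as a script it shows both results. The audit reports a growth of 1813 bytes in each file whether the code was placed in front of the image or behind it, which is the property a size-based name such as Solomon's "1813" relies on, and which a signature scanner that knows nothing about the new code would miss. The trigger count is 0 for the variant's `== 7` test, since the DOS day-of-week value never reaches 7, and 52 for the corrected `== 0` test in 1992.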
------------------------------

End of VIRUS-L Digest [Volume 5 Issue 136]
******************************************