------------------------------------------------------------------------
Echo Flag : Permanent: N   Export: N   Personal Read: N
BBS: ICEBER   Conference: VIRUS   Imported: 5/15/1992
To: ALL   Num: 1650   Date: 5/11/1992
From: NEMROD KEDEM   Re: 0   Time: 1:42 am
Subj: New Virus - Emmie !!!   Prvt: N   Read: N

!!! New Virus !!! New Virus !!! New Virus !!! New Virus !!! New Virus !!!

McAfee News, Dated 11-May-1992

A new virus named "EMMIE" was discovered by one of our users. After a
short analysis of the virus we came up with the following information:

The virus is a .COM file infector, including COMMAND.COM. It infects
.COM files larger than 2702. It uses the STEALTH technique and as such,
it hides itself when using the DIR command. The infected files will be
longer by at least 2702 bytes. The virus probably originated in Israel.

When the virus is active in memory, running CHKDSK on an infected disk
will report "allocation errors" of all infected files. When the virus is
not resident, no errors will be reported.

The following strings may be found inside the virus code:

  "My name is Emmie, I am Eddie`s sister."
  "It`ll tire you too much."

The virus uses a new approach to infect files. It does not change the
beginning of the infected file, but changes a JMP instruction within the
file. The virus is attached to the end of the infected file and JMPs to
the original address it changed. This way of infection eliminates any
chance of Generic file recovery. Generic recovery utilities will restore
the file to its original size, but the file will differ in 2-3 bytes and
will cause the cleaned program to JMP beyond its end.

The virus is not detected by any virus scanner, but a simple HEX Search
string may be used with McAfee's ViruSCAN program. Use the following to
install this virus string in ViruSCAN:

  1. Create a file named SCAN.EXT
  2. Add the line:
     "04 07 C3 E8 57 00 B8 01 35 E8 7C FD" Emmie Virus
     to it.
  3. Run SCAN.EXE /A /M /EXT SCAN.EXT

All infected files should be erased, for there is no anti-virus for this
one yet. Stealth virus removers do not help in this case.

A sample of this virus was sent to McAfee for analysis and the next
version of SCAN will be able to detect it without the use of an external
data file.

No current anti-virus software can detect this virus, and so-called
Generic virus removers may permanently damage the cleaned file.

Rudy's Place Callers may freely download U-EMMIE.ZIP from Rudy's Place
BBS, and use it to detect and remove this virus. Everyone may Freq the
above name from 2:403/138 at 14400 V32b/V42b.

Nemrod Kedem,
Authorized Agent of McAfee Associates.

--- Freddie lives ...
 * Origin: Hard disks never die... (2:403/138.0)
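
Added example, not part of the original message and not McAfee's code: a small Python equivalent of the external-signature scan described in steps 1-3, which parses the signature line as quoted in the message and reports where it occurs in .COM files. The function names are hypothetical, the line format is assumed to be only what the message shows, and the sample files are constructed filler bytes, not virus code.

```python
import re
import tempfile
from pathlib import Path

# Signature line exactly as given in the message for SCAN.EXT.
EXT_LINE = '"04 07 C3 E8 57 00 B8 01 35 E8 7C FD" Emmie Virus'


def parse_ext_line(line):
    """Split a '"<hex bytes>" <name>' line into (pattern_bytes, name)."""
    m = re.fullmatch(r'\s*"([0-9A-Fa-f ]+)"\s+(.+?)\s*', line)
    if not m:
        raise ValueError(f"unrecognised signature line: {line!r}")
    return bytes.fromhex(m.group(1)), m.group(2)


def scan_file(path, pattern):
    """Return every offset at which pattern occurs in the file."""
    data = Path(path).read_bytes()
    hits, pos = [], data.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = data.find(pattern, pos + 1)
    return hits


def scan_tree(root, line=EXT_LINE):
    """Scan *.COM files under root.

    Returns {relative_path: [(offset, bytes_from_end_of_file), ...]}.
    The message says the virus body is appended to the end of the host,
    so a hit close to the end of the file is the expected placement.
    """
    pattern, _name = parse_ext_line(line)
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.upper() == ".COM":
            size = path.stat().st_size
            hits = scan_file(path, pattern)
            if hits:
                rel = str(path.relative_to(root))
                report[rel] = [(off, size - off) for off in hits]
    return report


if __name__ == "__main__":
    # Constructed sample files: one clean, one with the signature planted.
    pattern, name = parse_ext_line(EXT_LINE)
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "CLEAN.COM").write_bytes(b"\x90" * 4000)
        Path(tmp, "HIT.COM").write_bytes(b"\x90" * 4000 + pattern + b"\x00" * 2690)
        for fname, hits in scan_tree(tmp).items():
            print(fname, name, hits)
```

Because the message says the virus hides itself while resident, a scan like this is only meaningful when run against the disk from a clean boot.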