VIRUS-L Digest Wednesday, 19 Jul 1989 Volume 2 : Issue 154 Today's Topics: PLO virus FluShot+ informative message (PC) VIRUSCAN program (PC) Re: VIRUSCAN Availability (PC) Request for info on a/v program (PC) --------------------------------------------------------------------------- Date: 17 Jul 89 21:19:58 +0000 From: pfafman@marlin.nosc.mil (David F. Pfafman) Subject: PLO virus In my travels I ran across several systems which were infected quite heavily with a virus that flushot 1.6 identified as the PLO virus (aka the Jerusalem or israeli virus). It appeared that the infected files grew by about 1.8K each time they were infected. Some files had been infected 40 or more times. It did not appear that the virus infected either the command.com or the two system files, however it did attack anyother executable .com or .exe file. I also noticed that the virus seems to go TSR and conflicts a small section of video memory on highly infected machines. Using PC tools I was able to search for the ascii string "sumsdos" which seems to be in all of the infections. The suggested solution for right now was to boot the system off of a write protected floppy disk then delete all of the files that the infection was found in. Just as an added precaution when the infected files had all been erased, the hard drive was optimized which would overwrite any sections of the disk where any of the deleted files had resided. With any luck this will inhibit the reoccurance of the virus. Does anyone out there have any experience dealing with the PLO virus? As always with the unknown I'm alittle concerned that I might have missed something. Has anyone taken the time to un-assemble the PLO virus to determine eaxctly what it does? I would also like to know what other people have used as a prescribed procedure for dealing with this virus and if there is a program out there that will cutout the infected code. Dave Pfafman (Computer Resource Center NOSC) Responses can be addressed to pfafman@nosc.mil Thank-you in advance for taking the time to respond. ------------------------------ Date: Mon, 17 Jul 00 19:89:43 +0000 From: utoday!greenber@uunet.uu.net Subject: FluShot+ informative message (PC) With regard to FLU_SHOT+'s message on "An attempt is being made to infect your system with the Cascade Virus": FLU_SHOT+ looks for attempts by a program to use the "new" interrupts viruses like the Cascade (1701) virus use. It assumes that any such program is probably a virus, although in reality it might be another anti-virus program. Sorry for the confusion, but I figured better safe than sorry. Ross M. Greenberg Author, FLU_SHOT+ ------------------------------ Date: Tue, 18 Jul 89 09:49:14 -0700 From: rogers@marlin.nosc.mil (Rollo D. Rogers) Subject: VIRUSCAN program (PC) howdy, I would like to submit the following as an update to my previous article concerning a prob. scanning multiple disks on Drive A:, while running DOS 2.11. Recently i experimented with VIRUSCAN by scanning multiple diskettes in Drive B: with the same DOS version. The scan.exe program worked just FINE. REgards, RollO~~ ------------------------------ Date: 19 Jul 89 08:44:18 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Re: VIRUSCAN Availability (PC) The new version of viruscan is now available through the anti-viral archives. Note that this version is called SCANV26.ARC, and replaces the old versions of VIRUSCAN.ARC. Check an archive site near you. (You do save those listings of archive sites, don't you? :-) Jim Wright jwright@atanasoff.cs.iastate.edu ------------------------------ Date: Tue, 18 Jul 89 11:38:57 -0700 From: wew%naucse.UUCP@arizona.edu (Bill Wilson) Subject: Request for info on a/v program (PC) Can anyone suggest some good virus checkers for MSDOS. PD preferable, non-tsr. Do not have access to FPT but can Bitnet of call a BBS. ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253