VIRUS-L Digest              Friday, 24 Mar 1989         Volume 2 : Issue 71

Today's Topics:
April 1st - Israeli virus strains
Request by Roman Olynyk--Manufacturer's Guidelines
TV Viruses
Russian Virus? (MS DOS)
Alameda Virus = Yale Virus

---------------------------------------------------------------------------

From: David.J.Ferbrache
Date: Thu, 23 Mar 89 13:13:37 GMT
Subject: April 1st - Israeli virus strains

Hello, just a quick note regarding April 1st IBM viruses,

As I suspect many of you will be aware there are two variants of the
Friday 13th Israeli virus which have as their target date April 1st,
these are:

    sURIV 1.01 which infects only .COM files
    sURIV 2.01 which infects only .EXE files

They display the message "APRIL 1st HA HA you have a virus" on this
date on execution of an infected .COM file or .EXE file. The virus
causes a lockup immediately in the case of the .EXE variant or after
execution of a further .COM file in the case of the .COM variant.

The .EXE variant also has a lockup 1 hour after execution of an
infected .EXE file when the default date (1-1-80) remains unchanged.

This is based on Y.Radai's report on the Israeli viruses appearing in
VIRUS-L on 2 May 1988, hopefully he will provide further details.

The above variants seem less well known than the MsDos (1808/1813)
Friday 13th virus, however judging by their infection characteristics
I see no reason why they should not spread rapidly if released, unlike
the sURIV 3.00 variant of Friday 13th whose 30 second delay prior to
the insertion of the timer tick delay loop would make it easily
identifiable and considerably less dangerous.

I would be interested in any reports of these two strains, especially
those in the UK and/or continental Europe.

Dave Ferbrache                    Personal mail to:
Dept of computer science          Internet
Heriot-Watt University            Janet
79 Grassmarket                    UUCP ..!mcvax!hwcs!davidf
Edinburgh,UK. EH1 2HJ             Tel (UK) 031-225-6465 ext 553

------------------------------

Date: Thu, 23 Mar 89 12:29:10 MST
From: Chris McDonald ASQNC-TWS-R 678-4176
Subject: Request by Roman Olynyk--Manufacturer's Guidelines

I have subscribed to Computer World for several years, and I do not
specifically recall ever seeing the specific guidelines which Roman
mentioned. I do have a copy of something which is very close which
appeared in the Computers and Security Journal, April 1988. That
edition, which is devoted exclusively to computer viruses, has a list
of 14 "suggestions" to commercial companies in advising them how to
reduce the viral risks. A footnote adds that in later issues of the
journal additional measures would be listed. The same edition also
provides a product evaluation of 18 virus protection products. The
entire edition is still one of the best primers in my opinion on
viruses. Articles by Fred Cohen, William Murray, Joseph Highland are
particularly good.

Might it be the source, rather than Computer World?

Chris McDonald
White Sands Missile Range

------------------------------

Date: THU MAR 23, 1989 15.55.31 EST
From: "David A. Bader"
Subject: TV Viruses

I just saw the latest episode of Star Trek: The Next Generation
episode: Contagion. The Enterprise encounters a device that transmits
alien code into their own. Systems in the ship start to break down,
and anything that reads this code gets infected (e.g. Data, Romulan
ship, etc.) Anyway, because this code is foreign to the software being
run, these ill effects occur and no one knows what to do. Their
solution (as Data purges his systems): clear ALL memory and re-load
all data from uninfected archives. Is this one way to educate the
public on viruses?

------------------------------

Date: Thu, 23 Mar 89 19:13:39 CST
From: "Mark S. Zinzow"
Subject: Russian Virus? (MS DOS)

A Virus was discovered today in a research lab here at the University
of Illinois at Urbana-Champaign. I've never heard of this one before,
so I'm hoping maybe someone who has could fill me in.

It infects COMMAND.COM without changing its size. It can be recognized
by looking for the following string in that file:

    $You have just activated a Russian Virus...THANK You! .........^M^J$

The virus likes to go off during a disk I/O operation and will do
something like complain about a write protect error on a hard disk and
display the above message after every subsequent keypress.

It may just be a simple hack to command.com as a prank; I have not had
time to play with it to learn more.

- -------Electronic Mail----------------------------U.S. Mail--------------------
ARPA: markz@vmd.cso.uiuc.edu         Mark S. Zinzow, Research Programmer
BITNET: MARKZ@UIUCVMD.BITNET         University of Illinois at Urbana-Champaign
CSNET: markz%uiucvmd@uiuc.csnet      Computing Services Office
 "Oh drat these computers, they are  150 Digital Computer Laboratory
 so naughty and complex I could      1304 West Springfield Ave.
 just pinch them!"  Marvin Martian   Urbana, IL 61801-2987
USENET/uucp: {uunet,convex,att}!uiucuxc!uiucuxe!zinzow
Phone: (217) 244-1289  Office: CSOB 110  \033markz%uiucvmd

------------------------------

Date: Thu, 23-Mar-89 19:32:13 PST
From: portal!cup.portal.com!Gary_F_Tom@Sun.COM
Subject: Alameda Virus = Yale Virus

In VIRUS-L 2.62, David M. Chess asked about the "Alameda Virus" -

> John McAfee's article in the Feb 15 issue of Datamation, "The Virus
> Cure" (good article, poor title) lists a boot-sector virus that he
> calls the "Alameda Virus". I've never heard that name before, and it
> isn't on Dave Ferbrache's February list. It does sound sort of like
> the "Yale" boot virus (which McAfee doesn't list under that name);
> does anyone know if the two are in fact the same?

I relayed David's question to John McAfee, and here is John's response:

! 03/14/89 22:34:46
! From: JOHN MCAFEE
!
! The Alameda and Yale virus are in fact the same. It was first
! discovered at Merritt College, Oakland, in April of 1977, but garnered
! little publicity at the time. A major outbreak occurred at Alameda
! College (Alameda, CA) in February of 1988 which was widely publicised
! on the West Coast - hence its name. By all rights, however, it should
! be called the Merritt virus.
!
! Thanks for the comments on the article. I had nothing to do with the
! title. It was submitted to Datamation with the title - 'A cursory
! overview of the more obvious issues of virus replication - with a
! brief description of generic methods of virus protection, and
! including an outline of the more common viruses. By John McAfee'. I
! guess Datamation didn't care for it.

- ----------------------------
Gary F. Tom
Tandem Computers Inc.            Internet:
19333 Vallco Parkway Loc 3-22    UUCP: sun!portal!cup.portal.com!garyt
Cupertino, CA 95014              Phone: (408) 725-6395

------------------------------

End of VIRUS-L Digest
*********************
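
Added example, not part of the digest or of any poster's message: a Python sketch of the string check described in "Russian Virus? (MS DOS)", which reports where the message sits in a COMMAND.COM image and extracts the surrounding '$'-terminated DOS string. The function names and the sample images are constructed for illustration, and only the readable fragment of the reported string is matched because the digest copy may not be byte-exact.

```python
import re

# Recognisable fragment of the message quoted in the report. The run of dots
# and the spacing in the digest copy may not be byte-exact, so they are left out.
SIGNATURE = b"You have just activated a Russian Virus"


def dos_string_at(data: bytes, hit: int) -> bytes:
    """Return the '$'-terminated DOS string that contains offset `hit`."""
    start = data.rfind(b"$", 0, hit) + 1   # 0 when no earlier '$' exists
    end = data.find(b"$", hit)
    return data[start:end if end != -1 else len(data)]


def scan_image(data: bytes, expected_size=None) -> dict:
    """Scan a COMMAND.COM image for the signature, ignoring letter case."""
    pattern = re.escape(SIGNATURE)
    hits = [m.start() for m in re.finditer(pattern, data, re.IGNORECASE)]
    return {
        "infected": bool(hits),
        "offsets": hits,
        "messages": [dos_string_at(data, h) for h in hits],
        # The report says the file size does not change, so a matching size
        # is recorded but never treated as evidence that the file is clean.
        "size_matches": None if expected_size is None
        else len(data) == expected_size,
    }


def scan_file(path: str, expected_size=None) -> dict:
    """Read a file from disk and scan it."""
    with open(path, "rb") as fh:
        return scan_image(fh.read(), expected_size)


# Constructed sample images (not real COMMAND.COM contents).
CLEAN = b"\x90" * 64 + b"Bad command or file name\r\n$" + b"\x00" * 100
_MSG = b"You have just activated a Russian Virus...THANK You!\r\n$"
# Same length as CLEAN: the message overwrites padding, the file does not grow.
PATCHED = CLEAN[:91] + _MSG + CLEAN[91 + len(_MSG):]

if __name__ == "__main__":
    for name, image in (("clean", CLEAN), ("patched", PATCHED)):
        print(name, scan_image(image, expected_size=len(CLEAN)))
```

On the constructed pair the size check passes for both images while only the patched one is flagged, which is why the content match carries the verdict.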