Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!wuarchive!gem.mps.ohio-state.edu!usc!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: consp21@bingvaxu.cc.binghamton.edu (Ken Hoover)
Newsgroups: comp.virus
Subject: IBM Virus (from EXPERT-L list) (PC)
Message-ID: <0004.8909261721.AA06193@ge.sei.cmu.edu>
Date: 22 Sep 89 00:38:00 GMT
Sender: Virus Discussion List 
Lines: 105
Approved: krvw@sei.cmu.edu

[Ed. This message was forwarded from the BITNET mailing list, EXPERT-L.]

Original-Date:         Mon, 18 Sep 89 17:38:00 EDT
Original-From:         Sanjay Hiranandani 

On Friday morning at 8:00 AM, I came into the Sibley facility, sat
down at IBM #18, and invoked Foxbase.  Instead of the familiar welcome
screen, the machine hung.  Other pieces of software throughout the
facility had recently quit working for no apparent reason.  Gregg said
"I think there might be a virus here," (or words to that effect); from
that time to now, Gregg and I have spent most of our waking hours
trying to figure this out.  This comes at a specially bad time for
Gregg because he's in the middle of training new operators and so on.

    Here is a brief summary of what is now known about the virus:

    1.  Approximately seven of the Sibley facility's IBM PS/2s have
been found to be infected with a highly contagious IBM virus "time
bomb".  Gregg and I have developed a reliable test for the program and
will soon complete its eradication from the facility.  Some users'
personal applications and disks, however, are probably infected.

     2.  The DMPC program (disk manager) which is intended to restrict
users from copying or deleting our software, is effective in
protecting programs from being corrupted -- but only for those
programs for which DMPC has been properly configured to monitor.

     3.  The virus rewrites *.EXE and *.COM files with many changes
including the virus code itself.  In most cases, these changes are
tolerated by the program and it continues to work.  In the case of Word
Perfect (WP.EXE) and Foxbase (FOXPLUS.EXE), the changes make the program
completely nonfunctional.  In other programs, small differences are
noticed: small rectangles of the screen display may get misplaced, for
example.

     4.  An infected *.EXE file can be recognized by the hex string
10078419C5, a five-byte string which apparently takes over the 21st
through 25th bytes near the beginning of the file.  This is not the
only change, but it is a consistent one.  Infected copies of WP.EXE,
FOXPLUS.EXE, APL.EXE, ED.EXE, NU.EXE, etc., etc., all had this same
string in the exact same location.  No uninfected software had this
string anywhere.  Uninfected IBMs had no sign of this string anywhere
on their hard disks.

     5.  This same string also occurs in what appears to be the virus
code itself, which is written to the "slack area" of *.EXE files
between the end-of-file and the end of the file's actual allocated
disk space.  Often, maybe always, the end-of-file marker is
overwritten.  Secondly, a certain fixed distance after the occurrence
of 10078419C5 is the ASCII text "COMMAND.COM", a further clue for
identifying this virus.

     6.  Files modified by the virus show NO SIGN AT ALL of any change
to the DOS directory command.  The number of bytes and the date and time
of last modification are unchanged, when in fact a file is infected.

     7.  When a file is fragmented on the disk, individual fragments may
become separately infected.

     8.  Setting a file's attributes to "read-only" or "hidden" does NOT
protect it.

     9.  Setting the write protect tab on a diskette appears to
protect diskettes in the 3.5" drives at Sibley.  Executing a program
from a locked 3.5" diskette on an infected machine generates a "Write
protect error writing drive A" message.  The program on the diskette
remains uninfected.

     10.  When an infected machine's internal clock-calendar is
changed to register a date of 10-13-89 (Friday the 13th), all *.EXE
and *.COM files will DELETE themselves when a user tries to execute
them (for example, if a user types WP, for WordPerfect, the WP.EXE
file would be deleted, and the message "Bad command or file name"
would be displayed on the screen).  This condition applies when the
system date is 10-13-89, but not 10-12-89 or 10-14-89 (we speculate
that it may apply to every Friday the 13th, but this has not been
tested).  Attempts to execute a program from an unlocked diskette will
cause the deletion of the program, regardless of whether it was
previously infected.  The virus deletes programs in a normal fashion,
and these files are probably recoverable.  Of course, all these
recoverable files are infected anyway, and not really worth recovering
(unless the virus begins to kill data files as well).

     11.  When the system date is 10-13-89, the virus attempts to
delete DMPC-protected software (the warning bleep sounds), but fails.
Such programs continue to work even on machines heavily infected with
non-DMPC protected software.

     12.  After working all day Friday fighting this virus, I spoke
with my girlfriend, who had heard something on National Public Radio
about a virus which becomes active on October 13.  In the meantime,
Gregg heard a rumor about an October 12th virus.  From a friend in
Michigan, I heard about an October 12th virus which supposedly would
attach itself to *.COM files and disable the hard disk by overwriting
track 0.  I don't know whether these other reports are of the same
exact virus (with a few wrong facts), or whether there is some
national "collective action" to write lots of different viruses which
all spring into view on the same day or so.  (I incline toward the
first view, Gregg toward the second).

     Please let me know if I can be of any further assistance in
getting rid of this thing.

                     Larry Kestenbaum, Sibley PTOP
                     Gregg Cirielli, Sibley FTOP
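A file-signature check for the indicators given in items 4 and 5 above, added here as an example; it is not code from the original post or from the Sibley facility. It assumes the "21st through 25th bytes" are counted from 1 (so the string sits at zero-based offset 20), and the sample buffers are constructed, not real infected files.

```python
"""Check executable images for the indicators described in the post."""
from pathlib import Path

SIGNATURE = bytes.fromhex("10078419C5")  # five-byte string from item 4
FIXED_OFFSET = 20                        # 21st byte, zero-based (assumption)
MARKER = b"COMMAND.COM"                  # ASCII text from item 5


def check_image(data: bytes) -> dict:
    """Return indicator findings for one .EXE/.COM image held in memory.

    Item 6 says size and timestamp are unchanged on infected files, so
    this check deliberately ignores directory metadata and looks only at
    file contents.
    """
    header_sig = data[FIXED_OFFSET:FIXED_OFFSET + len(SIGNATURE)] == SIGNATURE
    # every occurrence of the signature, including copies in the slack
    # area past the original end of file (item 5)
    offsets = []
    pos = data.find(SIGNATURE)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(SIGNATURE, pos + 1)
    # distance from the last signature hit to a following "COMMAND.COM";
    # the post says the distance is fixed but does not give it
    marker_distance = None
    if offsets:
        m = data.find(MARKER, offsets[-1])
        if m != -1:
            marker_distance = m - offsets[-1]
    suspect = header_sig or (bool(offsets) and marker_distance is not None)
    return {"header_sig": header_sig, "sig_offsets": offsets,
            "marker_distance": marker_distance, "suspect": suspect}


def scan_tree(root: str) -> dict:
    """Run check_image over every *.EXE / *.COM file under root."""
    results = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in (".exe", ".com"):
            results[str(p)] = check_image(p.read_bytes())
    return results


# constructed sample images (not real files): a clean one, and one with the
# signature at offset 20, a second copy in the slack area, then the marker
CLEAN = b"MZ" + bytes(60) + b"program body"
INFECTED = (b"MZ" + bytes(18) + SIGNATURE + bytes(40) + b"body"
            + SIGNATURE + bytes(8) + MARKER)
```

Running `scan_tree` over a drive lists, per file, whether the header bytes match, where every copy of the signature sits, and how far the "COMMAND.COM" text follows it.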