Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!uwm.edu!uakari.primate.wisc.edu!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: CJH@CORNELLA.cit.cornell.edu (Chris Haller)
Newsgroups: comp.virus
Subject: Re: IBM Virus (from EXPERT-L list) (PC)
Message-ID: <0010.8909271119.AA09775@ge.sei.cmu.edu>
Date: 26 Sep 89 20:16:10 GMT
Sender: Virus Discussion List 
Lines: 46
Approved: krvw@sei.cmu.edu

>From:    Ken Hoover 
>Subject: IBM Virus (from EXPERT-L list) (PC)
>
>Original-Date:         Mon, 18 Sep 89 17:38:00 EDT
>Original-From:         Sanjay Hiranandani 
>
 [text omitted]

Oh well, I was considering writing to VIRUS-L about this anyway, and
this posting precipitates a response.  Here is the current situation
about the virus that showed up at Sibley Hall at Cornell University.

John McAfee's VIRUSCAN v36 identified this virus as Jerusalem B, and
its appearance and behavior correspond with this identification, AS
FAR AS I KNOW.  (Would some kind soul please send me a type
description of "Jerusalem B" so I can verify the identification more
completely?  I think this is the version of the Israeli that attacks
both .COM and .EXE files on both floppy and hard disks, that was
modified (probably in the U.S.) to be less obtrusive, and that
WordPerfect and FoxBase catch in the act because they detect its
alteration of their file.) We are using UNVIRUS, which we retrieved
from the archive at Kansas State, to clean up.

Incidentally, we find VIRUSCAN and SCANRES very useful and intend to
ask Mr. McAfee about site licensing arrangements for Cornell
University.  (That's why we haven't sent in our shareware fees yet!
Most of us on the staff here won't use software without paying for it,
except preliminarily.)  However, do not let this kind of endorsement
of one person's (or group's) efforts deter those of you who are
writing other protective software.  No single program, indeed no
single way of addressing the problem, will be sufficient to protect a
diverse computing community like this from the threat of viruses.
This semester we may recommend SCANRES, but we are counting on there
still being a lot of people using FLU_SHOT+ here, and next semester we
may recommend something else, or a newer version of FLU_SHOT, or a
program that checks CRC polynomials to detect altered files or disk
sectors.  The idea is that in a large and diverse community like a
major university, a virus may get started locally but it won't get
very far before it sets off an alarm on someone's system.  If everyone
using PC's were using the same kind of protection, a virus written to
evade that particular protection would spread farther.  This is not a
new idea, it's one I learned from reading this list!  Thank you all.

-Chris Haller, Research and Analysis Systems, Cornell University
BITNET:   Internet: 
Acknowledge-To: