Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!wuarchive!gem.mps.ohio-state.edu!usc!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: consp21@bingvaxu.cc.binghamton.edu (Ken Hoover)
Newsgroups: comp.virus
Subject: IBM Virus (from EXPERT-L list) (PC)
Message-ID: <0004.8909261721.AA06193@ge.sei.cmu.edu>
Date: 22 Sep 89 00:38:00 GMT
Sender: Virus Discussion List
Lines: 105
Approved: krvw@sei.cmu.edu

[Ed. This message was forwarded from the BITNET mailing list, EXPERT-L.]

Original-Date: Mon, 18 Sep 89 17:38:00 EDT
Original-From: Sanjay Hiranandani

On Friday morning at 8:00 AM, I came into the Sibley facility, sat down at IBM #18, and invoked Foxbase. Instead of the familiar welcome screen, the machine hung. Other pieces of software throughout the facility had recently quit working for no apparent reason. Gregg said "I think there might be a virus here," (or words to that effect); from that time to now, Gregg and I have spent most of our waking hours trying to figure this out. This comes at an especially bad time for Gregg because he's in the middle of training new operators and so on.

Here is a brief summary of what is now known about the virus:

1. Approximately seven of the Sibley facility's IBM PS/2's have been found to be infected with a highly contagious IBM virus "time bomb". Gregg and I have developed a reliable test for the program and will soon complete its eradication from the facility. Some users' personal applications and disks, however, are probably infected.

2. The DMPC program (disk manager), which is intended to restrict users from copying or deleting our software, is effective in protecting programs from being corrupted -- but only for those programs for which DMPC has been properly configured to monitor.

3. The virus rewrites *.EXE and *.COM files with many changes including the virus code itself. In most cases, these changes are tolerated by the program and it continues to work. In the case of Word Perfect (WP.EXE) and Foxbase (FOXPLUS.EXE), the changes make the program completely nonfunctional. In other programs, small differences are noticed: small rectangles of the screen display may get misplaced, for example.

4. An infected *.EXE file can be recognized by the hex string 10078419C5, a five byte string which apparently takes over the 21st through 25th bytes near the beginning of the file. This is not the only change, but it is a consistent one. Infected copies of WP.EXE, FOXPLUS.EXE, APL.EXE, ED.EXE, NU.EXE, etc., etc., all had this same string in the exact same location. No uninfected software had this string anywhere. Uninfected IBM's had no sign of this string anywhere on their hard disks.

5. This same string also occurs in what appears to be the virus code itself, which is written to the "slack area" of *.EXE files between the end-of-file and the end of the file's actual allocated disk space. Often, maybe always, the end-of-file marker is overwritten. Secondly, a certain fixed distance after the occurrence of 10078419C5 is the ASCII text "COMMAND.COM", a further clue for identifying this virus.

6. Files modified by the virus show NO SIGN AT ALL of any change to the DOS directory command. The number of bytes and the date and time of last modification are unchanged, when in fact a file is infected.

7. When a file is fragmented on the disk, individual fragments may become separately infected.

8. Setting a file's attributes to "read-only" or "hidden" does NOT protect it.

9. Setting the write protect tab on a diskette appears to protect diskettes in the 3.5" drives at Sibley. Executing a program from a locked 3.5" diskette on an infected machine generates a "Write protect error writing drive A" message. The program on the diskette remains uninfected.

10. When an infected machine's internal clock-calendar is changed to register a date of 10-13-89 (Friday the 13th), all *.EXE and *.COM files will DELETE themselves when a user tries to execute them (for example, if a user types WP, for WordPerfect, the WP.EXE file would be deleted, and the message "Bad command or file name" would be displayed on the screen). This condition applies when the system date is 10-13-89, but not 10-12-89 or 10-14-89 (we speculate that it may apply to every Friday the 13th, but this has not been tested). Attempts to execute a program from an unlocked diskette will cause the deletion of the program, regardless of whether it was previously infected. The virus deletes programs in a normal fashion, and these files are probably recoverable. Of course, all these recoverable files are infected anyway, and not really worth recovering (unless the virus begins to kill data files as well).

11. When the system date is 10-13-89, the virus attempts to delete DMPC-protected software (the warning bleep sounds), but fails. Such programs continue to work even on machines heavily infected with non-DMPC protected software.

12. After working all day Friday fighting this virus, I spoke with my girlfriend, who had heard something on National Public Radio about a virus which becomes active on October 13. In the meantime, Gregg heard a rumor about an October 12th virus. From a friend in Michigan, I heard about an October 12th virus which supposedly would attach itself to *.COM files and disable the hard disk by overwriting track 0. I don't know whether these other reports are of the same exact virus (with a few wrong facts), or whether there is some national "collective action" to write lots of different viruses which all spring into view on the same day or so. (I incline toward the first view, Gregg toward the second).

Please let me know if I can be of any further assistance in getting rid of this thing.

Larry Kestenbaum, Sibley PTOP
Gregg Cirielli, Sibley FTOP
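The detection test implied by points 4 through 6 of the post, written out as an added example (not code from the post or from the Sibley facility): check for the five-byte marker at the 21st through 25th bytes (assumed to be a 1-based count, so offset 20, which falls inside the MZ header's initial IP/CS fields) and for "COMMAND.COM" somewhere after it, since the post does not give the exact distance. The sample file images are constructed, not real infected binaries.

```python
"""Scanner for the infection marker described in the post: hex 10 07 84 19 C5
at the 21st..25th bytes of an *.EXE, with "COMMAND.COM" a fixed distance later.
Added example; not code from the original post."""
import os

SIGNATURE = bytes.fromhex("10078419C5")
SIG_OFFSET = 20          # 21st byte, assuming the post counts from 1 (0x14)
COMPANION = b"COMMAND.COM"


def check_image(data: bytes) -> dict:
    """Classify one in-memory *.EXE image.

    Returns the same keys for every input so results can be tabulated:
      signature - the five marker bytes sit at offset 20
      companion - "COMMAND.COM" appears after the marker
      verdict   - "infected", "suspect" or "clean"
    """
    has_sig = data[SIG_OFFSET:SIG_OFFSET + len(SIGNATURE)] == SIGNATURE
    # The post says the text sits a fixed distance after the marker but does
    # not state that distance, so only require it to appear later in the file.
    has_companion = has_sig and COMPANION in data[SIG_OFFSET + len(SIGNATURE):]
    if has_sig and has_companion:
        verdict = "infected"
    elif has_sig:
        verdict = "suspect"      # marker without the text: inspect by hand
    else:
        verdict = "clean"
    return {"signature": has_sig, "companion": has_companion, "verdict": verdict}


def scan_tree(root: str) -> dict:
    """Check every *.EXE under root (the marker is only described for EXEs).

    Size and timestamps are preserved by this virus (point 6), so content,
    not directory metadata, must be read. Code written past end-of-file into
    cluster slack (point 5) is not visible through normal file reads; only a
    raw sector read of the disk would show that part."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".exe"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    results[path] = check_image(fh.read())["verdict"]
    return results


# Constructed sample images: a minimal MZ header, one clean and one with the
# marker patched in at offset 20 followed later by the companion text.
CLEAN_EXE = b"MZ" + bytes(18) + b"\x00\x00\x00\x00\x1c" + bytes(64)
INFECTED_EXE = b"MZ" + bytes(18) + SIGNATURE + bytes(40) + COMPANION + bytes(8)
```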