Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!uwm.edu!uakari.primate.wisc.edu!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: CJH@CORNELLA.cit.cornell.edu (Chris Haller)
Newsgroups: comp.virus
Subject: Re: IBM Virus (from EXPERT-L list) (PC)
Message-ID: <0010.8909271119.AA09775@ge.sei.cmu.edu>
Date: 26 Sep 89 20:16:10 GMT
Sender: Virus Discussion List
Lines: 46
Approved: krvw@sei.cmu.edu

>From: Ken Hoover
>Subject: IBM Virus (from EXPERT-L list) (PC)
>
>Original-Date: Mon, 18 Sep 89 17:38:00 EDT
>Original-From: Sanjay Hiranandani
> [text omitted]

Oh well, I was considering writing to VIRUS-L about this anyway, and this posting precipitates a response.

Here is the current situation about the virus that showed up at Sibley Hall at Cornell University. John McAfee's VIRUSCAN v36 identified this virus as Jerusalem B, and its appearance and behavior correspond with this identification, AS FAR AS I KNOW. (Would some kind soul please send me a type description of "Jerusalem B" so I can verify the identification more completely? I think this is the version of the Israeli that attacks both .COM and .EXE files on both floppy and hard disks, that was modified (probably in the U.S.) to be less obtrusive, and that WordPerfect and FoxBase catch in the act because they detect its alteration of their file.) We are using UNVIRUS, which we retrieved from the archive at Kansas State, to clean up.

Incidentally, we find VIRUSCAN and SCANRES very useful and intend to ask Mr. McAfee about site licensing arrangements for Cornell University. (That's why we haven't sent in our shareware fees yet! Most of us on the staff here won't use software without paying for it, except preliminarily.)

However, do not let this kind of endorsement of one person's (or group's) efforts deter those of you who are writing other protective software. No single program, indeed no single way of addressing the problem, will be sufficient to protect a diverse computing community like this from the threat of viruses. This semester we may recommend SCANRES, but we are counting on there still being a lot of people using FLU_SHOT+ here, and next semester we may recommend something else, or a newer version of FLU_SHOT, or a program that checks CRC polynomials to detect altered files or disk sectors.

The idea is that in a large and diverse community like a major university, a virus may get started locally but it won't get very far before it sets off an alarm on someone's system. If everyone using PC's were using the same kind of protection, a virus written to evade that particular protection would spread farther.

This is not a new idea, it's one I learned from reading this list! Thank you all.

- -Chris Haller, Research and Analysis Systems, Cornell University
BITNET:
Internet:
Acknowledge-To: