Path: utzoo!mnetor!uunet!pyrdc!gmu90x!dolqci!bruce
From: bruce@dolqci.UUCP (Bruce Limber)
Newsgroups: comp.misc
Subject: Re: Trojan Horse a Myth?
Message-ID: <698@dolqci.UUCP>
Date: 14 Dec 87 15:58:07 GMT
Reply-To: bruce@dolqci.UUCP (Bruce Limber)
Organization: Dept. of Labor, Unemployment Insurance
Lines: 53
Keywords: VIRUS
Summary: herewith, the requested VIRUS ALERT

The following warning is excerpted from comp.risks:


  Subj:	VIRUS WARNING
  Date: Mon, 23 Nov 87 08:05:57 EST
  From: "Kenneth R. van Wyk" <@vms.cis.pittsburgh.edu:LUKEN@LEHIIBM1.BITNET>
       
                >>>>>>>>>> VIRUS PROGRAM WARNING <<<<<<<<<<

  Last week, some of our student consultants discovered a virus program
  that's been spreading rapidly throughout Lehigh University.  I thought
  I'd take a few minutes and warn as many of you as possible about this
  program since it has the chance of spreading much farther than just our
  University.  We have no idea where the virus started, but some users
  have told me that other universities have recently had similar probems.
       
  The virus: the virus itself is contained in the stack space of COMMAND.COM.
  When a pc is booted from an infected disk, all a user need do to spread
  the virus is to access another disk via TYPE, COPY, DIR, etc.  If the
  other disk contains COMMAND.COM, the virus code is copied to the other
  disk.  Then, a counter is incremented on the parent.  When this counter
  reaches a value of 4, any and every disk in the PC is erased thoroughly.
  The boot tracks are nulled, as are the FAT tables, etc.  All Norton's
  horses couldn't put it back together again...  :-)  This affects both
  floppy and hard disks.  Meanwhile, the four children that were created go
  on to tell four friends, and then they tell four friends, and so on, and
  so on.
       
  Detection: while this virus appears to be very well written, the author
  did leave behind a couple footprints.  First, the write date of the
  command.com changes.  Second, if there's a write protect tab on an
  uninfected disk, you will get a WRITE PROTECT ERROR...  So, boot up from
  a suspected virus'd disk and access a write protected disk - if an
  error comes up, then you're sure.  Note that the length of command.com
  does not get altered.
       
  I urge anyone who comes in contact with publicly accessible (sp?) disks
  to periodically check their own disks.  Also, exercise safe computing -
  always wear a write protect tab.  :-)
       
  This is not a joke.  A large percentage of our public site disks have
  been gonged by this virus in the last couple days.
       
  Kenneth R. van Wyk, User Services Senior Consultant, 
  Lehigh University Computing Center   (215)-758-4988
    
  
  [end of quoted material.]

-- 
Bruce Limber (NEW ADDRESS:  uunet!vrdxhq!dolqci!bruce)    (202) 535-0640

He who slings mud, loses ground.