Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!unmvax!ncar!tank!eecae!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: LUCKSMITH%ALISUVAX.BITNET@IBM1.CC.Lehigh.Edu
Newsgroups: comp.virus
Subject: Response to query from A.Berman, Yale,8-14-89 (PC)
Message-ID: <0002.8908161554.AA18203@ge.sei.cmu.edu>
Date: 15 Aug 89 21:51:00 GMT
Sender: Virus Discussion List
Lines: 28
Approved: krvw@sei.cmu.edu

The unknown virus that Andrew Berman referred to in his submission of 14 Aug 89 sounds very much like one encountered here within the last 90 days. Various names exist for it, including Friday the 13th, Israeli, Jerusalem, Black Box and others.

The virus is a TSR type that infects .COM and .EXE files, replicating itself into the files (once only for .COM and repeatedly for .EXE). (It will infect and replicate itself in ANY executable, no matter the extension... check especially .OVL and .SYS) The virus under certain circumstances will delete files from the disk on Friday the 13th.

Norton Utilities is capable of identifying the infected files by searching for the hexadecimal string E9 92 00 73 55 4D 73 44. Those eight bytes invariably occurred in the virus found here.

A system can only be certified clean of the virus if the system is cold-booted from a clean system and the source files to be used are checked and found to be clean before they are used. This virus is very contagious... during the cleanup and check phase we infected FluShot+ more than once.

There is an article by Yisrael Radai, Hebrew Univ. of Jerusalem, on the "original" Israeli PC virus in the April 1989 issue of Computers and Security (UK publication, Elsevier Science Pub., Ltd. Vol. 8, No. 2) and a paper by Jim Goodwin on Israeli viruses, available from the moderator of this forum.

Based on our recent experience, good luck, and happy cleaning.

David Rehbein, Thompson@alisuvax.bitnet
Marsha Luckett-Smithson, LuckSmith@alisuvax.bitnet
Ames Laboratory USDOE, Iowa State University
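
The byte-string search described in the post, as an added example that is not part of the original message: it checks every file under a directory regardless of extension for the eight bytes quoted above, reading in chunks and carrying over the last seven bytes so that a match split across a chunk boundary is still found. The function names and the sample files are constructed for illustration; a hit shows only that the bytes are present at that offset.

```python
import os
import tempfile

# The eight bytes quoted in the post as the Norton Utilities search string.
SIGNATURE = bytes.fromhex("E9 92 00 73 55 4D 73 44")

def find_signature(path, signature=SIGNATURE, chunk_size=64 * 1024):
    """Return every file offset at which `signature` occurs in `path`."""
    hits, tail, base = [], b"", 0   # base = file offset of window[0]
    keep = len(signature) - 1       # bytes carried over between chunks
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            window = tail + chunk   # catches matches straddling two chunks
            pos = window.find(signature)
            while pos != -1:
                hits.append(base + pos)
                pos = window.find(signature, pos + 1)
            tail = window[max(0, len(window) - keep):]
            base += len(window) - len(tail)
    return hits

def scan_tree(root):
    """Scan every regular file under `root`, whatever its extension.

    Returns (hits_by_path, unreadable); an unreadable file is unchecked,
    not clean, so it is reported rather than silently skipped.
    """
    hits_by_path, unreadable = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = find_signature(path)
            except OSError:
                unreadable.append(path)
                continue
            if hits:
                hits_by_path[path] = hits
    return hits_by_path, unreadable

if __name__ == "__main__":
    # Constructed sample files: filler bytes plus the search string only.
    with tempfile.TemporaryDirectory() as root:
        samples = {"CLEAN.COM": b"\x90" * 64,
                   "DRIVER.SYS": b"\x00" * 13 + SIGNATURE + b"\x00" * 20}
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        found, unreadable = scan_tree(root)
        for path, offsets in sorted(found.items()):
            print(f"{os.path.basename(path)}: search string at {offsets}")
        print(f"{len(unreadable)} file(s) could not be read")
```

Run the scan from a known-clean boot, as the post requires, since a resident copy of the virus can infect the scanning tool itself.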