Path: utzoo!yunexus!lethe!torsqnt!jarvis.csri.toronto.edu!mailrus!wuarchive!udel!haven!mimsy!tank!eecae!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: frisk@rhi.hi.is (Fridrik Skulason)
Newsgroups: comp.virus
Subject: Sunday virus (PC)
Message-ID: <0012.8911161543.AA03334@ge.sei.cmu.edu>
Date: 14 Nov 89 22:44:50 GMT
Article-I.D.: ge.0012.8911161543.AA03334
Sender: Virus Discussion List
Lines: 24
Approved: krvw@sei.cmu.edu

The "Sunday" virus reported here recently seems to be little more than a
variant of the Israeli/Jerusalem virus. There are some differences - the
length of Israeli/Jerusalem is 1808 bytes, but "Sunday" is only 1631 bytes
long. Jerusalem defines INT 21 subfunction E0 to check if it is installed,
but Sunday uses subfunction FF.

It is, however, so similar to the original virus, that the only
modification I had to make to my virus removal program to cover "Sunday"
was to change one line in the "remove_israeli_or_fu_manchu" procedure:

        if (virlen == 1808)

to

        if (virlen == 1808 || virlen == 1631)

No other changes needed, not even new signature strings.

This means that we only have 39 different viruses to worry about, not 40. :-)

Anyhow - it is always getting harder and harder to determine what is a new
virus and what is just a variant. Viruses like "Ghost" and "Mix1" that
combine parts of two viruses are not making that job easier...!

-frisk