Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!cs.utexas.edu!uwm.edu!ux1.cso.uiuc.edu!tank!eecae!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: IA88@PACE.BITNET (IA88000)
Newsgroups: comp.virus
Subject: EAGLE.EXE 2nd Version Discovered (PC)
Message-ID: <0014.8911271233.AA05551@ge.sei.cmu.edu>
Date: 26 Nov 89 14:46:00 GMT
Sender: Virus Discussion List
Lines: 82
Approved: krvw@sei.cmu.edu

I should have known better than to think my last report was the final report on this subject.

Over the past several days a NEW version of EAGLE.EXE was discovered in Washington and Wichita. This new version contains the same "trojan", i.e., if COMMAND.COM is found in the ROOT directory, AND if the system has a '286, '386, or '486 CPU, EAGLE.EXE will proceed to overwrite the Boot sector and both FAT's as well as several other sectors with an ASCII 246.

The major difference is that the new version of EAGLE.EXE has a new strain of the AIDS virus, which is alive, well and infectious. EAGLE.EXE was again compressed, which stops "SCAN.EXE" from recognizing the virus contained in the file.

Here is all we know about the two versions of EAGLE.EXE:

EAGLE.EXE - Version 1 contains the Jerusalem B virus and a very nasty trojan which will check for COMMAND.COM in the root and if it is found and if the CPU is a '286 or higher, EAGLE.EXE Ver. 1 will overwrite the Boot sector and both FAT's with ASCII 246.

EAGLE.EXE - Version 2 - Same as above except it contains a new strain of the AIDS virus.

Both programs were written in Quick Basic and compiled using BASCOM. Both programs are compiled and compressed in such a way as to prevent a normal scanning utility from detecting the viruses in these files.

A floppy disk can be protected from the trojan by a write protect tab.

Both of the viruses are currently active. The trojan part of each IS NOT part of the virus.

Now for the good news:

EAGLSCAN which was made available by the people at SWE has been modified to detect both versions of EAGLE.EXE and is currently being made available to VIRUS-L readers, FREE of CHARGE, by simply sending a formatted 5.25 inch 360k disk with a return address label and RETURN POSTAGE (stamps ok) to the following address:

    SWE
    132 Heathcote Road
    Elmont, New York 11003

You will receive the latest version of EAGLSCAN, which can detect and warn you if either version of EAGLE.EXE is present.

There is no charge for the program, but PLEASE....include postage (stamps ok)! The people at SWE have gone out of their way to help in this matter and it is only fair to include postage. Of the three hundred requests received so far, twenty three of them did not include return postage. SWE has decided to return these disks, via Parcel Post, so those who did not send postage will receive the program, as soon as the US Mail service gets around to delivering their Parcel Post shipments.

In answer to some of the people who have sent mail, neither version of EAGLE.EXE will be available or uploaded to Homebase. The announcement that it would be made available to McAfee Associates was premature to say the least. I am not privy to why this decision was made.

It would appear your ONLY source for a program which can detect either version of EAGLE.EXE is the above address. The latest version of SCAN from McAfee was tested again on both versions of EAGLE.EXE and was not able to detect a virus in either file.

To those who already sent disks to SWE, I have been informed that every disk sent, (except for the ones without postage) is now on its way back to you, via US mail. SWE finished up the disks early this AM and all were deposited with the US mail service.

If you desire to receive a free copy of EAGLSCAN, please be sure your formatted disk, return disk mailer and return postage (stamps ok) arrive at SWE, NO LATER than December 15th.
SWE will be closing for the holidays December 18th, and will process all disks received as of 12/15.

Thanks must be passed along to the two people in Washington and Kansas who sent the new versions of EAGLE.EXE for examination.

That is about it for now.