Path: utzoo!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!uwm.edu!ux1.cso.uiuc.edu!tank!eecae!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: Tim_G_Curry@cup.portal.com
Newsgroups: comp.virus
Subject: EAGLE.EXE Trojan (PC)
Message-ID: <0009.8911281214.AA07608@ge.sei.cmu.edu>
Date: 27 Nov 89 20:00:11 GMT
Sender: Virus Discussion List
Lines: 22
Approved: krvw@sei.cmu.edu

The Jerusalem and AIDS viruses reported inside AXE'd files are similar to dozens of other AXE'd viruses reported on Bulletin Boards in the past 5 months. Viruses discovered compressed in such files have included 1701, 1704, AIDS, Jerusalem (over 20 samples), Vienna, 3066, Alabama, Dark Avenger, Yankee Doodle, Vacsina, Fu Manchu and Datacrime I.

I'm not sure that developing identifiers for these AXE'd files is the appropriate thing to do, since there are a virtually unlimited number of hosts that may be included inside compressed files. Also, each version of AXE will produce different strings for the same executable target. So far, files like EAGLE.EXE have been treated as trojans (even though they may contain replicating code) since the compressed file itself cannot replicate.

Any string that identifies the virus in the compressed form will not identify it in the free form, and each virus has an uncountable number of potential compressed identification strings, since each compressed infected host will be different. A thorny problem if we try to tackle it. I don't believe we should treat EAGLE any differently than GUNSHIP, BADGIRL or the dozens of other compressed files that contain previously well known viruses.

Tim Grant Curry
ICVI BBS Co-ordinator
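
The signature problem described in the post above, as an added example that is not part of the original post: a fixed search string matches the free form of a file but none of its compressed forms, and every host/packer combination yields a different compressed file. Assumptions: zlib compression levels stand in for different AXE versions, and the marker string and host bytes are constructed, harmless sample data.

```python
import hashlib
import zlib

# Constructed, harmless marker standing in for a scanner's search string.
SIGNATURE = b"CONSTRUCTED-SIGNATURE-0123456789"

# Constructed "hosts": different program bytes carrying the same marker.
HOSTS = [
    (b"host program A bytes " * 40) + SIGNATURE + (b"tail A " * 40),
    (b"another host, B, code " * 40) + SIGNATURE + (b"tail B " * 40),
]

# Assumption: each zlib level plays the role of one version of the packer.
LEVELS = [1, 6, 9]


def pack(host: bytes, level: int) -> bytes:
    """Stand-in packer (zlib, not AXE)."""
    return zlib.compress(host, level)


def scan(data: bytes) -> bool:
    """Plain string scan, as run against a file exactly as stored on disk."""
    return SIGNATURE in data


def scan_with_unpack(data: bytes) -> bool:
    """Scan the stored bytes, then the free (decompressed) form if there is one."""
    if scan(data):
        return True
    try:
        return scan(zlib.decompress(data))
    except zlib.error:
        return False  # not a stream this stand-in unpacker understands


def packed_forms() -> list:
    """Every host packed by every 'packer version'."""
    return [pack(host, level) for host in HOSTS for level in LEVELS]


def distinct_packed_ids() -> set:
    """One identifier per distinct compressed file (here a SHA-256 digest)."""
    return {hashlib.sha256(p).hexdigest() for p in packed_forms()}


if __name__ == "__main__":
    print("free-form hits:  ", [scan(h) for h in HOSTS])
    print("packed-form hits:", [scan(p) for p in packed_forms()])
    print("unpack-then-scan:", [scan_with_unpack(p) for p in packed_forms()])
    print("identifiers needed for packed forms:", len(distinct_packed_ids()))
```

One search string covers every file once it is unpacked, while identifying the packed files directly needs one identifier per host and packer version.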