Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!brutus.cs.uiuc.edu!wuarchive!psuvax1!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: HJW2@PSUVM.PSU.EDU
Newsgroups: comp.virus
Subject: Jerusalem B virus found (long story)
Message-ID: <0006.8912111157.AA07688@ge.sei.cmu.edu>
Date: 9 Dec 89 18:27:57 GMT
Sender: Virus Discussion List
Lines: 109
Approved: krvw@sei.cmu.edu

FOR THOSE WHO RESPONDED TO MY PREVIOUS VIRUS POSTING, I HAVE THIS STORY FOR YOU:

How I got the Jerusalem virus in my computer
A user's nightmare came true
(88 lines long, anything longer than that would be VIRUS...)

To make a short story long, let me go back to some day in late September....

I was playing with my computer, as usual, and my wife was doing her work in the kitchen, as usual. I was using PC Tools to copy some of my files from the hard disk to a floppy, and when I went back to the root directory of C:, I saw an empty file that was new and weird to me. It looked like this in PC Tools:

    Filename        File length   Attribute   Date
    gEgEgEgE.gEg    0             .SR.        11/07/14

Since I have deleted countless files using PC Tools, I tried the same way to select that file and delete it. To my surprise, PC Tools responded "File not Found". So I said to myself: "It must be the problem of zero length," and tried to write something to it so I could delete it, and, you know, it didn't work that way either. The strange thing was that whenever I changed its attribute using the Edit/View function, it didn't work as it was supposed to. So I kept that file and forgot about it until someone on campus (or the Wall Street Journal) brought up the issue of October 13th and the computer virus attack. I went to 12 Willard to get a scanv4 disk and used it to scan my hard disk at least 13 times, and did not spot a virus.

I was still nervous about the virus attack, so I got another virus protection program (Flushot, in case it matters) and checked the hard disk again and again and again until my wife reminded me to do homework. I survived the virus hit in October.

Before the first snow in November, about three weeks ago, I booted up the machine as usual and pressed the turbo switch when I noticed how slowly the computer was checking my Intel Aboveboard memory. The computer suddenly went nuts for the first time since I bought it a year ago. There was nothing on the screen, the keyboard didn't respond, and the speaker beeped. I powered it off and on again, and the computer prompted me "8237 Error" and refused to work. I was nervous but not afraid. Since I have played around with computers for a while, I tore down my machine to check what might be the source of the error. I didn't find anything suspicious but the BIOS and DMA. I went to a local computer store and had my BIOS replaced, and the computer worked again. So I gave them $35 for the Phoenix BIOS that worked wonders on my computer.

But the honeymoon was soon over. One day when I was using my primitive word processor, PFS:Professional Write, the computer hung on me without any warning. I lost the whole file I was editing and had to reboot using the reset button, not Ctrl+Alt+Del. After that, it hung from time to time whenever I changed from editing a document to printing or to spell checking. After a few days, I found out I could not use turbo mode anymore; I had to stay in normal mode. When I pressed the turbo button to boost speed, it hung. Since I had just replaced the BIOS, I suspected the problem was in the DMA. So I brought my computer back to that local store after Thanksgiving, and they said that I needed a new motherboard because they could not fix the motherboard problem. Because they were asking ONLY $200 for a new 12MHz 286 motherboard, I decided to get it replaced. Everything worked fine with the new board until I tried to run Harvard Graphics; it hung again.

The same thing happened with Minitab and the new PFS:Professional Write v2.0. I questioned the store about the compatibility of that kind of motherboard and got pissed off. They claimed that their motherboard had run thousands of programs and had never encountered a compatibility problem. So I tested everything I could: changing to faster memory, changing to a different BIOS, changing the video board, and even swapping hard disks. I could not find the problem until one day I used MAPMEM to see memory usage and saw an unknown program occupying about 1732k of memory above the configuration and DOS command, and I realized that something weird was going on. I immediately (well, the next day) got the virus detection disk from the office and started checking my hard disk. Boy, was I astonished! I saw a warning line as soon as I issued the SCAN command: "SCAN file has been damaged...." In the next few minutes, I saw that 50 of my command files were infected by the Jerusalem B virus. I used PC Tools to erase all the infected files and got a map of my hard disk to see if everything was OK. But I saw some sectors marked "unremovable" where they should have been "usable" space. And I realized that the only way to get rid of the virus would be to reformat my entire hard disk. So I did. I am glad I have a backup of every program I had on the hard disk.

Now that all the viruses are gone, except one that I keep on a floppy as a memento or for future research use, I have started thinking about where I got this little virus. There are only two places: PCLIB at Penn State or that computer store. I cannot think of any other sources except these two. The weird 0-byte, unremovable file came from some file in PCLIB, but I had checked every file before October 13 and found no virus. After that date, I have not downloaded anything. On the other hand, every weird thing started after I replaced the BIOS and used testing software from the computer store. It's also possible that the virus is attached to some file that the store has.

I will keep tracking down the suspicious source of this virus, and if anything interesting comes out, I will summarize and post it.

GOOD BYE!

 _____   ___      H. WU                HJW2@PSUVM.BITNET
 _|_    |___|     DEPARTMENT OF BUSINESS LOGISTICS
|_|_|   |___|     THE PENNSYLVANIA STATE UNIVERSITY
_|_|_|_ |___|
| |  _/ |__|