Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!uwm.edu!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: RY15@DKAUNI2.BITNET (Christoph Fischer)
Newsgroups: comp.virus
Subject: new virus (PC)
Message-ID: <0002.9007051920.AA04382@ubu.cert.sei.cmu.edu>
Date: 3 Jul 90 21:12:00 GMT
Sender: Virus Discussion List
Lines: 24
Approved: krvw@sei.cmu.edu

I just received a new virus from a friend; the first analysis shows the
following facts:

Resident virus that infects COM and EXE files!
It is an appending virus that modifies the EXE header.
Infection trigger INT 21 subfunction 4Bh (load and execute)
Infection length 688 bytes.
Processes R/O and hidden files correctly and restores time and date stamp
as well as attributes after infection.
Contains a new way of detecting R/O floppy disks
Fools debuggers to prevent reverse engineering.
Self-detection in memory is not sufficient. (So you might have several
copies of the virus TSR active)
Payload: starting with June 1990 it hooks INT 08 and after a random time
it starts to toggle the screen blanking bit every 7 minutes 5 cycles.
This will only work on MDA, Hercules, CGA but not on EGA and VGA.
The effect will be a screen flicker that might be confused with a bad
contact in the CRT system.

*****************************************************************
* Christoph Fischer                                             *
* Micro-BIT Virus Team / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-37 64 22           *
* E-Mail: RY15 at DKAUNI2.BITNET          >>>> NEW NODEID <<<<< *
*****************************************************************