Path: utzoo!attcan!uunet!lll-winken!elroy.jpl.nasa.gov!sdd.hp.com!samsung!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: lexw@idca.tds.PHILIPS.nl (Lex Wassenberg)
Newsgroups: comp.virus
Subject: Re: new virus 1022 (PC)
Message-ID: <0008.9007111143.AA09571@ubu.cert.sei.cmu.edu>
Date: 10 Jul 90 14:45:25 GMT
Sender: Virus Discussion List
Lines: 64
Approved: krvw@sei.cmu.edu

ddavidso@mqccsunc.mqcc.mq.OZ.AU (Dean Davidson) writes:
>New Virus "1022"
>
>Symptoms:
>Only infects .EXE files, adding 1022 bytes to them
>Infects files even if they are r/o
>Changes the date on the files it infects to the current system date.
>It appears that after running the first infected .EXE it starts
>up a TSR that carries out further infection
>
>Detection:
>running STRINGS on an infected file reveals :
>
>This message is dedicated to $
>all fellow PC users on Earth $
> Towards A Better Tomorrow $
>And A Better Place To Live In $
> 03/03/90 KV KL MAL
>
>[There is no CR/LF after the $ character - I added this
>so that the message is readable]
>
>Also detection might be done by looking at the date/time change
>on the infected files
>
>To scan all your files (until a version of SCAN is produced which
> detects this virus):
>GREP -d+ dedicated *.EXE
>[The GREP I used is the one that comes with Turbo Pascal]
>[I chose "dedicated" for the search string as it is the most
> unique word in the message]

Is the text you mentioned contained in straight ASCII in the virus
itself? In that case, if you own a virus scanner which is modifiable
(that is, it works with a .dat file that contains the fingerprints of
viruses) you could easily adapt the scanner so that it will recognize
the virus. For example, use as fingerprint the first line: "This
message is dedicated to". That would be:

54686973206D6573736167652069732064656469636174656420746F

But you could just as easily pick one of the other lines (or all of
them).

Now that we are talking fingerprints: Does anybody own a list of known
fingerprints of (the most common) viruses? If so, could you please
mail it to me, or better: post it on the net.

Thanks in advance.

 ________________
/ / ___ _____/    Lex Wassenberg, Philips TDS
/ / /__ \/ ___/   Apeldoorn, The Netherlands
/ / ___/ /__      lexw@idca.tds.philips.nl
/ / /____/\___/
/ /____________/  It's said that only 10 people on the whole world understood
/_______________/ Einstein. I'm so brilliant that nobody understands me at all.

Disclaimer: Since nobody understands me, I speak only for myself.

[Ed. The danger in looking for ASCII strings, of course, is that you
could get a lot of false alarms. This digest, for example, would be
identified as containing the virus, since it contains the string "This
message is dedicated to". Perhaps searching for the string _and_ some
identifiable code would be more robust? Just a thought...]
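
An added example, not part of the original posts: a small scanner that uses the hex fingerprint above and cuts down the false alarms the editor describes. No code bytes are given in this thread, so it cross-checks structure instead: an EXE header, a file longer than 1022 bytes, and a '$' after the string with no CR/LF around it. MAX_GAP and both sample inputs are constructed assumptions.

```python
"""Scan files for the "1022" message string, with structural cross-checks."""
import sys
from pathlib import Path

# Fingerprint from the post: ASCII "This message is dedicated to".
FINGERPRINT = bytes.fromhex(
    "54686973206D6573736167652069732064656469636174656420746F")
ADDED_BYTES = 1022  # growth of an infected .EXE, per the report
MAX_GAP = 8         # assumption: '$' follows the text within a few bytes

# Constructed inputs (not real virus bytes): an EXE-like blob and digest text.
SAMPLE_EXE = (b"MZ" + bytes(2000) + FINGERPRINT +
              b" $all fellow PC users on Earth $")
SAMPLE_DIGEST = b">This message is dedicated to $\n>all fellow PC users $\n"

def dollar_terminated(data: bytes, end: int) -> bool:
    """True if '$' follows the string with no CR/LF before or right after."""
    gap = data[end:end + MAX_GAP + 1]
    idx = gap.find(b"$")
    if idx < 0 or any(c in b"\r\n" for c in gap[:idx]):
        return False
    after = data[end + idx + 1:end + idx + 2]
    return after not in (b"\r", b"\n")

def classify(data: bytes) -> str:
    """Return 'clean', 'string-only' (likely false alarm) or 'suspect'."""
    pos = data.find(FINGERPRINT)
    if pos < 0:
        return "clean"
    # The report says only .EXE files are hit and each grows by 1022 bytes.
    is_exe = data[:2] in (b"MZ", b"ZM") and len(data) > ADDED_BYTES
    while pos >= 0:
        if is_exe and dollar_terminated(data, pos + len(FINGERPRINT)):
            return "suspect"
        pos = data.find(FINGERPRINT, pos + 1)
    return "string-only"

def scan(paths):
    """Yield (path, verdict) for every file that is not clean."""
    for path in map(Path, paths):
        verdict = classify(path.read_bytes())
        if verdict != "clean":
            yield path, verdict

if __name__ == "__main__":
    for path, verdict in scan(sys.argv[1:]):
        print(f"{verdict:12} {path}")
```

A saved copy of this digest comes back as "string-only" rather than "suspect", which is the distinction the editor's note asks for.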