Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: cc_davidson@vaxa.mqcc.mq.oz.au
Newsgroups: comp.virus
Subject: Re: new virus 1022 (PC)
Message-ID: <0002.9007162008.AA15127@ubu.cert.sei.cmu.edu>
Date: 13 Jul 90 13:43:36 GMT
Sender: Virus Discussion List
Lines: 41
Approved: krvw@sei.cmu.edu

lexw@idca.tds.PHILIPS.nl (Lex Wassenberg) writes:
>ddavidso@mqccsunc.mqcc.mq.OZ.AU (Dean Davidson) writes:
>>
>>Detection:
>>running STRINGS on an infected file reveals :
>>
>>This message is dedicated to $
>> *** deleted stuff ***
>>GREP -d+ dedicated *.EXE
>>[The GREP I used is the one that comes with Turbo Pascal]
>>[I chose "dedicated" for the search string as it is the most
>> unique word in the message]
>
>Is the text you mentioned contained in straight ASCII in the virus
>itself? In that case, If you own a virus scanner which is modifiable

To clear up a point: It is a DUMB virus - the strings are in ASCII not
encrypted in any way.

'dedicated' is NOT a good signature as the editor points out. It can
appear in many files - it was but a quick and dirty way to check.
Using GREP, the context in which the string appears becomes apparent
and thus you know if you have an infected file or not.

BTW the program STRINGS is something I have had for years - it goes
searching through any specified file and reports all the ASCII text it
can find - a very useful utility.

By now John McAfee should have a copy of 1022 so expect to see a
forthcoming version of SCAN being able to detect 1022.

There is also an Australian scanning product, NBY, put out by a local
anti-virus guru - Claude Almer. His latest version of NBY (Version
122) already detects 1022.

If you wish to get a copy and don't mind the cost of the phone call
you can call his BBS on 61 2 482 1716
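
The STRINGS-then-check-the-context approach described in the post above, as an added example that is not part of the original post: it extracts printable ASCII runs from a file image and separates a hit on the single word "dedicated" from a hit on the whole phrase quoted in the thread. The function names and both sample buffers are constructed for illustration and contain no real program or virus bytes.

```python
import re

def ascii_strings(data: bytes, min_len: int = 4):
    """Yield (offset, text) for each run of printable ASCII, like STRINGS."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group().decode("ascii")

def scan(data: bytes, word: str = "dedicated",
         phrase: str = "This message is dedicated to"):
    """Return every string containing `word`, with its offset and context.

    `strong` is True only when the full phrase from the thread is present.
    A word-only hit is a lead for a human to inspect, not a verdict.
    """
    hits = []
    for offset, text in ascii_strings(data):
        if word in text:
            hits.append({"offset": offset,
                         "context": text,
                         "strong": phrase in text})
    return hits

# Constructed sample: filler bytes around the message text quoted in the thread.
SAMPLE_SUSPECT = (b"MZ\x90\x00\x03\x00" + b"\x00" * 8 +
                  b"This message is dedicated to $" + b"\x00\xcd\x21")

# Constructed sample: an innocent file that happens to contain the word.
SAMPLE_BENIGN = (b"MZ\x90\x00\x01\x02" +
                 b"Requires a dedicated printer port" + b"\x00\x00")

def report(name: str, data: bytes) -> None:
    """Print each hit with enough context to judge it by eye."""
    for hit in scan(data):
        label = "phrase match" if hit["strong"] else "word only, check context"
        print(f"{name} @0x{hit['offset']:04x} [{label}]: {hit['context']!r}")

if __name__ == "__main__":
    report("suspect.exe", SAMPLE_SUSPECT)
    report("benign.exe", SAMPLE_BENIGN)
```
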