Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!know!samsung!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: 76304.1407@CompuServe.COM (Ray Glath)
Newsgroups: comp.virus
Subject: First Documented sighting of the "4096" virus in the U.S.A. (PC)
Message-ID: <0005.9007162008.AA15127@ubu.cert.sei.cmu.edu>
Date: 15 Jul 90 20:03:07 GMT
Sender: Virus Discussion List
Lines: 57
Approved: krvw@sei.cmu.edu

July 13, 1990

*** First Documented sighting of the "4096" virus in the U.S.A. ***

The 4k (a.k.a. 4096, IDF, Israeli Defense Forces, Frodo, 100 Years, Stealth) virus has turned up in the Dallas TX area.

A computer dealer about 50 miles south of Dallas TX noticed a few unexplainable system crashes over the last 2 weeks. Upon investigation, he found that EXE file sizes were increased by 4 - 5k bytes. He copied a sample off to diskette, and sent it to RG Software Systems, Inc. for examination. A quick check using our Vi-Spy product found the 4k virus.

This dealer is now undergoing an intensive operation to locate and remove all occurrences of the 4k using Vi-Spy. Thus far he has found his demo systems infected; several customers' systems infected; and believes that some demo disks that he has shipped have carried the virus.

In addition to clearing up the problem in his own shop, he's contacting his customers and has taken the very unusual and commendable position of "going public" through an interview with Tom Steinert-Threlkeld of the Dallas Morning News, to let others in the Dallas area know of the problem. The story is in the Monday, July 16 edition of the paper.

The dealer believes he received the infection from a local software consultant who believes he got it from a local private BBS. (This consultant utilizes "many" private BBSes and works for several companies in the Dallas area.)

At this stage, we do not know how widespread the infection is; however, due to the "Stealth" logic this virus employs to avoid detection, and the extremely prolific nature of its infection logic (infects any EXE or COM file OPENED, AND it infects COMMAND.COM), it can go a long way before becoming noticed.

Once a system is infected, this virus gives no obvious signs of its presence. Only an experienced and very perceptive user may notice its activity, and then probably only by accident. Since there is no direct trigger, the system crashes seem to be occurring only after massive infection, whereby many program files have been expanded by 4 - 5k bytes and disk resources are used up.

[Ed. After posting this message, Ray called me back to inform me that the virus does indeed have a trigger, on or after September 22, 1990, at which time it will crash the system and/or delete the boot sector, while attempting to display a message, "Frodo lives".]

Upon examination at RG, we've determined this virus matches the sample we have in our Lab, which we had received from colleagues in Europe.

Raymond M. Glath
President
RG Software Systems, Inc.
2300 Computer Ave. A-7
Willow Grove, PA 19090
(215) 659-5300
Compuserve 76304,1407
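The dealer above spotted the infection because EXE files had grown by 4 - 5k bytes. The following added example (not part of the original post, and not RG Software's Vi-Spy) shows the defender-side check that turns that observation into a repeatable test: record the size and SHA-256 of every .EXE/.COM program file, then compare a later snapshot against the baseline and flag files that grew by roughly 4096 bytes or changed content at all. The sample directory, file names and the 4096-byte padding appended to one file are constructed for the demonstration; no viral code is involved. Because a resident stealth virus can hide the size change from programs running on the infected system, a check like this is only trustworthy when both snapshots are taken after booting from a known-clean, write-protected diskette.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Program files the 4096 virus is reported to infect (EXE, COM, COMMAND.COM).
PROGRAM_EXTENSIONS = (".exe", ".com")

# Reported growth per infected file was "4 - 5k bytes"; treat that band as suspicious.
GROWTH_MIN = 4096
GROWTH_MAX = 5120


def snapshot_programs(root: str) -> Dict[str, Tuple[int, str]]:
    """Record (size, sha256) for every .EXE/.COM file under root, keyed by relative path."""
    baseline: Dict[str, Tuple[int, str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(PROGRAM_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root)
            baseline[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return baseline


def compare_snapshots(before: Dict[str, Tuple[int, str]],
                      after: Dict[str, Tuple[int, str]]) -> List[Tuple[str, str]]:
    """Return (path, finding) pairs for program files that grew by ~4k, changed, or appeared."""
    findings: List[Tuple[str, str]] = []
    for rel, (size_after, digest_after) in after.items():
        if rel not in before:
            findings.append((rel, "new program file"))
            continue
        size_before, digest_before = before[rel]
        delta = size_after - size_before
        if GROWTH_MIN <= delta <= GROWTH_MAX:
            findings.append((rel, f"grew by {delta} bytes"))
        elif digest_after != digest_before:
            # Any other change (shrinkage, same-size rewrite) is still worth a look.
            findings.append((rel, "content changed"))
    for rel in before:
        if rel not in after:
            findings.append((rel, "program file missing"))
    return sorted(findings)


def demo() -> List[Tuple[str, str]]:
    """Build a constructed program directory, take a baseline, tamper with one file, re-check."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample program files (placeholder bytes, not real executables).
        samples = {
            "COMMAND.COM": b"\x90" * 2000,
            "EDIT.EXE": b"MZ" + b"\x00" * 3000,
            "README.TXT": b"not a program file",  # ignored by the scan
        }
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)

        before = snapshot_programs(root)

        # Constructed tampering for the test: append 4096 bytes of padding to one program.
        with open(os.path.join(root, "EDIT.EXE"), "ab") as fh:
            fh.write(b"\x00" * 4096)

        after = snapshot_programs(root)
        return compare_snapshots(before, after)


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{path}: {finding}")
```

The baseline should be stored off the machine being checked (for example on the clean boot diskette), since a program that rewrites files on open can just as easily alter a baseline file it can reach.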