Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: RADAI1@HBUNOS.BITNET (Y. Radai)
Newsgroups: comp.virus
Subject: Re: First Documented sighting of the "4096" virus in the U.S.A. (PC
Message-ID: <0003.9007251512.AA25047@ubu.cert.sei.cmu.edu>
Date: 24 Jul 90 11:05:37 GMT
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
Lines: 36
Approved: krvw@sei.cmu.edu

>[Ed. Ray asked me to check for the record - a quick grep through the
>v-l archives turned up one previous report of a 4096 infection, at
>Weizmann Univ. in Israel.]

Just for the record, the first report in Virus-L of a sighting of the
4096 (albeit not explicitly by that name) was in Vol. 2, Issue 214:

>Date:    Thu, 05 Oct 89 14:33:43 +0200
>From:    Y. Radai <RADAI1%HBUNOS.BITNET@VMA.CC.CMU.EDU>
>Subject: Two new PC viruses
>
>  Two new viruses have been discovered in Israel.  One of them is
>called the Alabama virus.  ....
>
>  I have less information about the other virus (not even a name for
>it).  It adds 4096 to all infected files (both EXE amd COM, incl.
>COMMAND.COM).  But when you perform DIR you don't see the increase in
>file size since the virus shows you the *original* (uninfected) sizes.
>Like the Alabama and MIX1, it does not use the usual TSR function.  It
>also uses INs and OUTs to confuse single-step utilities.

  As for the debate between Ray Glath and John McAfee over whether the
recent Dallas sighting was the first documented case in the U.S., I
don't have any evidence either way.  But IMHO it was very incautious
of Ray to make such an extreme claim without proof, and one of the
most obvious sources of counter-evidence would have been John McAfee.
  Perhaps the problem is that Ray is using the word "documented" in a
very peculiar way.  At one point he seems to imply that a virus sight-
ing hasn't been documented unless it has been reported on Virus-L.
Whatever his definition is, he should have stated it in his original
posting.

                                     Y. Radai
                                     Hebrew Univ. of Jerusalem, Israel
                                     RADAI1@HBUNOS.BITNET
                                     RADAI@HUJIVMS.BITNET