Path: utzoo!attcan!uunet!cs.utexas.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: CHESS@YKTVMV.BITNET (David.M.Chess)
Newsgroups: comp.virus
Subject: Re: We have been hit!!! (Help) (4096) (PC)
Message-ID: <0004.9007301317.AA00380@ubu.cert.sei.cmu.edu>
Date: 27 Jul 90 20:09:01 GMT
Sender: Virus Discussion List
Lines: 25
Approved: krvw@sei.cmu.edu

David de Leeuw:

> 2. The boot-sector does get attacked by 4096.

Interesting! What have you seen the 4096 do to the boot sector?
The only boot-sector effect that I know of so far is that some of
the broken/garbled/not_working code seems to be designed to write
the "Frodo Lives!" display program to (some) boot sector. But I've
never seen a 4096 sample in which enough of that code was intact
to even figure out just what it was supposed to do. Any more
information you have would be very nice!

> 3. All executables and coms get infected, my suspicion is that a file checker
> which is infected spreads the virus to all files, even those not run.

Yep; if the virus is active in memory, executables get infected
when they are opened/closed. Since virus checkers open/close just
about all executables, running a checker that does not scan memory
for 4096-like viruses before scanning files can cause the infection
to spread in a hurry. It's best to scan only after cold booting
from a known-clean floppy (so you know the virus isn't in memory),
with a known-clean scanner. That's not always feasible, of course...

DC
IBM T. J. Watson Research Center