Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!zaphod.mps.ohio-state.edu!ub!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: NYEVENBA@WEIZMANN.BITNET (Baruch Even)
Newsgroups: comp.virus
Subject: NEW VIRUS - The Saddam Virus (PC)
Message-ID: <0014.9010041806.AA01362@ubu.cert.sei.cmu.edu>
Date: 3 Oct 90 16:39:47 GMT
Sender: Virus Discussion List
Lines: 76
Approved: krvw@sei.cmu.edu

Hello all,

There is a new virus in Israel. It was discovered on a BBS, in a file
named SCAN.COM in a package SCANV68.ZIP, so please inform McAfee not to
publish a SCAN ver. numbered 68. Some info that was posted over BBS's
net follows.

[Ed. As this information looks (to me) to be somewhat sketchy, I urge
readers to regard it as unconfirmed until/unless more information can
be found. If anyone does have any _first hand_ information on this, I
would appreciate a call or an e-note. (krvw@cert.sei.cmu.edu or (412)
268-7090)]

From : Gady Guy

Attention all computer users.

The file SCANV68.ZIP as downloaded from 'On-Line Today' includes one
SCAN.COM file of size about 63Kb. This file when run immediately
terminates, as it includes nothing but one INT 20 (termination) and
60Kb of junk.

But, it is also infected by a virus that has a very limited ability:
it hooks interrupt 21H (DOS function call) and hooks ONE .COM file in
the current directory every time INT 21 is called.

It puts itself in high memory without changing the high mem counter, so
that any big program hangs the system. Command.com will not work when
infected, so that infection will cause the system to hang on BOOT.

It has a very bad BUG when hooking INT 21H which causes Command.com to
misinterpret commands, so that any DEL will cause deletion of the whole
directory (I repeat: It is only a BUG!!!).

Its main symptom is typing a message onto the screen every 8th INT 21H
request:

HEY SADAM LEAVE QUEIT BEFORE I COME

Its size is about 700 bytes.
It is also very badly programmed, probably by someone who has very
little control of assembly language.

There's nothing to avoiding it: When you get a new COM program, run it
in an EMPTY directory eight times.

C:> MKDIR EMPTY
C:> CD EMPTY
C:EMPTY> COPY \PROCOMM\SCAN.COM     $One file(s) copied ...
C:EMPTY> SCAN                       $Does NOTHING.
C:EMPTY> SCAN
C:EMPTY> SCAN
C:EMPTY> SCAN
C:EMPTY> SCAN
HEY SADAM LEAVE QUEIT BEFORE I COME
C:EMPTY> Ah hah!!!
Continue? [Y/n/=]: LEAVE QUEIT BEFORE I COME
C:EMPTY> Ah hah!!!
C:EMPTY> DEL *.*
Are you sure (yes/no): Y
C:EMPTY> Now BOOT!!!

Further use of DOS might cause damage to directory.

+-------------------------------------------------------+
| Baruch Even                                           |
|                                                       |
| BitNet   - NYEVENBA@WEIZMANN.BITNET                   |
| InterNet - nyevenba%weizmann.bitnet@cunyvm.cuny.edu   |
|                                                       |
| Enjoy The Silence - Depeche Mode                      |
+-------------------------------------------------------+
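
The file shape reported above (a .COM image that is one INT 20 followed by about 60Kb of junk) can be checked statically before anything is run. The following is an added example, not part of the original post and not any scanner's code: it follows leading JMPs from the entry point and flags an image that terminates at once while carrying a large unexecuted body. The function names, the 1024-byte threshold and the sample byte strings are hypothetical and constructed here; the check covers only that file shape and does not detect the virus code itself.

```python
import struct

COM_LOAD = 0x100   # DOS loads a .COM image at offset 100h of its segment
MAX_HOPS = 8       # bound on chained JMPs so a crafted loop cannot hang the check
TERMINATORS = [    # byte patterns that end the program at once
    (b"\xCD\x20", "INT 20h"),
    (b"\xC3", "RET to PSP:0000"),
    (b"\xB4\x4C\xCD\x21", "MOV AH,4Ch / INT 21h"),
    (b"\xB8\x00\x4C\xCD\x21", "MOV AX,4C00h / INT 21h"),
]

def follow_entry(image: bytes):
    """Follow leading JMP rel8/rel16; return (file offset reached, bytes executed)."""
    off = used = 0
    for _ in range(MAX_HOPS):
        if image[off:off + 1] == b"\xEB" and off + 2 <= len(image):
            size, rel = 2, struct.unpack_from("<b", image, off + 1)[0]
        elif image[off:off + 1] == b"\xE9" and off + 3 <= len(image):
            size, rel = 3, struct.unpack_from("<h", image, off + 1)[0]
        else:
            break
        # IP arithmetic is 16-bit, so the target wraps inside the 64 KiB segment
        target = ((COM_LOAD + off + size + rel) & 0xFFFF) - COM_LOAD
        if not 0 <= target < len(image):
            break                      # jump leaves the file image: stop here
        off, used = target, used + size
    return off, used

def triage(image: bytes, min_unreached: int = 1024) -> dict:
    """Flag an image whose entry path terminates at once but leaves a large body."""
    off, used = follow_entry(image)
    for pattern, name in TERMINATORS:
        if image.startswith(pattern, off):
            unreached = len(image) - used - len(pattern)
            return {"terminator": name, "unreached": unreached,
                    "suspicious": unreached >= min_unreached}
    return {"terminator": None, "unreached": 0, "suspicious": False}

# Constructed samples (not the real SCAN.COM): INT 20h followed by 60 KiB of
# filler, and an ordinary stub that prints a string before exiting.
FAKE_SCAN = b"\xCD\x20" + bytes(range(256)) * 240
PRINTS_THEN_EXITS = b"\xB4\x09\xBA\x09\x01\xCD\x21\xCD\x20" + b"hi$"

if __name__ == "__main__":
    for label, img in (("fake scan", FAKE_SCAN), ("normal", PRINTS_THEN_EXITS)):
        print(label, len(img), triage(img))
```

A flagged file is only a reason to keep it away from a working system until it has been examined; a genuine program can also start with a jump over embedded data.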