Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!zaphod.mps.ohio-state.edu!maverick.ksu.ksu.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: NYEVENBA@WEIZMANN.BITNET (Baruch Even)
Newsgroups: comp.virus
Subject: New Virus - The Saddam Virus (PC) (INFO)
Message-ID: <0002.9010101940.AA05706@ubu.cert.sei.cmu.edu>
Date: 5 Oct 90 17:23:42 GMT
Sender: Virus Discussion List
Lines: 75
Approved: krvw@sei.cmu.edu

Here are specifications of the NEW virus 'The Saddam Virus'

The virus was found a few days ago on a BBS in Israel and was probably
written by the one who wrote the original Stupid Virus.

The virus was found in a file named SCAN.COM in a package named
SCANV68.ZIP, so please let McAfee know about this virus so he won't
release a version with this number, for the sake of the Israeli users.

The virus isn't widespread (I hope). It was downloadable for just a few
days and then deleted by the SysOp of the BBS. The virus also probably
wasn't spread out of Israel.

BTW: Please skip over my English mistakes

==============================================================================
Entry...............: The Saddam Virus
Alias(es)...........: ---
Virus strain........: The Stupid Virus
Virus detected when.: 1-October-1989
              where.: BBS in Israel
Classifications.....: COM file infecting virus/extending, resident.
Length of virus.....: 917 - 924 bytes, depending on the size of the name
                      of the infected file.
--------------------- Preconditions -----------------------------------
Operating system(s).: MS-DOS
Version/release.....: 2.0 or higher
Computer model(s)...: IBM PC,XT,AT and compatibles
--------------------- Attributes --------------------------------------
Identification......: Memory: INT 6Bh points to original INT 21h.
                              (see Particularities [4])
                      .COM files: The encrypted string. To decrypt the
                              string add 6 to each char; the terminating
                              char is 24h before adding 6.
                              The name of the infected file is stored
                              by the virus.
Type of infection...: System: The virus copies itself to high memory by
                              the following calculation:
                              [0:413]*40h-867h
                              The virus does not lower the amount of
                              memory that is written in [0:413], nor
                              does it make DOS think the area is used,
                              so big programs will make the system hang.
                      .COM files: Extends .COM files. Adds about 918
                              bytes to the end of the file.
                      .EXE files: Not infected.
Infection trigger...: Every call to INT 21h
Interrupts hooked...: 21h, 6Bh.
Damage..............: Prints the string:
                      HEY SADAM
                      LEAVE QUEIT BEFORE I COME
Damage trigger......: Counts the number of times INT 21H was requested
                      and on every eighth time will print the string.
Particularities.....: 1. Many programs load themselves to this area and
                         erase the virus from the memory.
                      2. The virus uses INT 6BH as a replacement for the
                         original INT 21H.
                      3. The virus infects only files in the current
                         directory.
                      4. If the disk is write protected you'll see the
                         message from DOS about the write protection
                         when the virus tries to spread.
--------------------- Agents ------------------------------------------
Countermeasures.....: F-Prot 1.13 RESIDENT PART ONLY: identifies the
                      virus as The Stupid Virus and doesn't let the
                      program get into memory.
--------------------- Acknowledgement ---------------------------------
Classification by...: Baruch Even (NYEVENBA@WEIZMANN.BITNET)
Documentation by....: Baruch Even (NYEVENBA@WEIZMANN.BITNET)
Date................: October 5, 1990

+-------------------------------------------------------+
| Baruch Even                                           |
|                                                       |
| BitNet   - NYEVENBA@WEIZMANN.BITNET                   |
| InterNet - nyevenba%weizmann.bitnet@cunyvm.cuny.edu   |
|                                                       |
| Enjoy The Silence - Depeche Mode                      |
+-------------------------------------------------------+
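
The Identification and Type of infection fields above, turned into a small
detection aid. This is an added example, not part of the original post and
not code from F-Prot or any other scanner: it looks in a .COM image for a
24h-terminated run of bytes that becomes printable text when 6 is added to
each byte, and evaluates the [0:413]*40h-867h calculation. Function names,
the sample image and the reading of the result as a segment value are
assumptions.

```python
# Added example. KEY, TERMINATOR and MESSAGE come from the post; the sample
# image and all function names are constructed for illustration.
KEY = 6            # decoding adds 6 to each stored byte
TERMINATOR = 0x24  # stored terminator, compared before adding 6
MESSAGE = b"HEY SADAM LEAVE QUEIT BEFORE I COME"  # text as quoted in the post

def decode(stored: bytes) -> bytes:
    """Add KEY to each byte, stopping at the unshifted terminator."""
    out = bytearray()
    for b in stored:
        if b == TERMINATOR:
            break
        out.append((b + KEY) & 0xFF)
    return bytes(out)

def encode(plain: bytes) -> bytes:
    """Inverse of decode(); used only to build the constructed sample."""
    return bytes((b - KEY) & 0xFF for b in plain) + bytes([TERMINATOR])

def scan(image: bytes, min_len: int = 12) -> list:
    """Return (offset, text) for terminator-ended runs that decode to printable ASCII."""
    hits = []
    for end, b in enumerate(image):
        if b != TERMINATOR:
            continue
        start = end
        while (start > 0 and image[start - 1] != TERMINATOR
               and 0x20 <= image[start - 1] + KEY <= 0x7E):
            start -= 1  # walk back while the preceding byte still decodes to text
        if end - start >= min_len:
            hits.append((start, decode(image[start:end]).decode("ascii")))
    return hits

def resident_segment(base_kb: int) -> int:
    """[0:413]*40h-867h; [0:413] is the BIOS base-memory size in KB (result assumed to be a segment)."""
    return base_kb * 0x40 - 0x867

def is_suspect(image: bytes) -> bool:
    """True when a decoded run contains the keyword from the quoted message."""
    return any("SADAM" in text for _, text in scan(image))

if __name__ == "__main__":
    sample = b"\x90" * 32 + encode(MESSAGE) + b"\xcd\x20"  # constructed, not a real infected file
    for off, text in scan(sample):
        print(f"offset {off:#06x}: {text}")
    print(f"resident segment on a 640 KB machine: {resident_segment(640):04X}h")
```

The exact bytes of the message inside the virus (spacing, line breaks) are
not given in the post, so the keyword match is looser than a full-string
signature on purpose.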