From: padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson)
Newsgroups: comp.virus
Subject: V&S (PC)
Message-ID: <0013.9011081829.AA17940@ubu.cert.sei.cmu.edu>
Date: 9 Nov 90 07:27:09 GMT
Sender: Virus Discussion List
Lines: 57
Approved: krvw@sei.cmu.edu

>From: Dave Goodwin
>We've recently picked up the DARK AVENGER virus on some of our
>systems, and I'd like to see if anyone can detail the activity this
>one engages in.

It has been a while since I looked at this one but there are at least
two strains: one which is a normal TSR detectable with MAPMEM, and the
other is in upper memory detectable with CHKDSK. It is quite nasty and
fast-spreading. After a certain delay (xx files infected) it will start
corrupting files by writing a copy of a low disk sector into random
locations on the disk. It does not use any "stealth" mechanisms nor
does it affect the boot sector or partition table. Infected files grow
by ca. 1800 bytes.

>From: Michael_Kessler.Hum@mailgate.sfsu.edu
> although anyone
>knowing how to get to the shell from a software package can of course
>bypass the protection.

Some time ago I "fixed" COMMAND.COM so that a batch shell could not be
aborted. All that is necessary is to find the "Terminate Batch Job
(Y/N)?" string, back up to the INT 21 call that prints it, and then
change the preceding branch (JN if I remember right) to a JMP. It is a
touch more difficult to remove the "system" feature from software
packages, but possible.

>2. To avoid infecting the network should a student use outside
>software on various stations, we recommend that all stations be turned
>off after use so that nothing stays in memory (Jerusalem B survives
>warm reboots).

This seems to be a common mythconception about the Jerusalem but good
practise nonetheless.
I suspect a direct invocation of INT 19 with POST would have the same
effect (but haven't tried it).

>3. Administrative and academic usage will be kept on separate servers.
>We had one network utility which required an open directory that was
>shared between the two sides, and I think that this is how the
>infection migrated.

Have seen this happen more than once & can be very nasty. Separate
directories are essential. Network administrators need special training
& tools. (editorial)

>4. Until the infection, WordPerfect was in a single open directory.
>Now it is in a read-only directory, but linked to its SETUP files in
>an open directory. The common wisdom around here is that write
>protected files can get infected, but files in read-only directories
>will not be infected.

It is not well documented, but if the directory files in SETUP
(sft-F1,6) are left blank, WP will work in the current default
directory. Typically, we just point the DOCUMENTS entry this way, but
any of the others should also work. This will give you more freedom in
location.

Padgett
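The post's observation that infected files grow by ca. 1800 bytes is the kind of symptom a file-integrity baseline catches, which was the standard defence of the period alongside the MAPMEM/CHKDSK memory checks Padgett mentions. The following is an added example, not code from the post or from any tool it names: it fingerprints executables by size and SHA-256, compares a saved baseline against the current state and flags modified files whose growth is in the 1800-byte range (the 50-byte tolerance, the file names and the contents are constructed assumptions).

```python
import hashlib
import tempfile
from pathlib import Path

EXEC_SUFFIXES = {".com", ".exe", ".ovl", ".sys"}
# The post gives "ca. 1800 bytes"; the 50-byte tolerance is an assumption.
DARK_AVENGER_GROWTH = 1800
GROWTH_TOLERANCE = 50


def fingerprint(path: Path) -> tuple:
    """Return (size, sha256 hex) of a file; size alone is not enough."""
    data = path.read_bytes()
    return len(data), hashlib.sha256(data).hexdigest()


def build_baseline(root: Path) -> dict:
    """Fingerprint every executable-like file below root, keyed by relative name."""
    return {str(p.relative_to(root)): fingerprint(p)
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES}


def compare(baseline: dict, current: dict) -> list:
    """Report missing, new and modified files; flag growth in the virus's range."""
    findings = []
    for name, (old_size, old_hash) in baseline.items():
        if name not in current:
            findings.append({"file": name, "status": "missing"})
            continue
        new_size, new_hash = current[name]
        if new_hash == old_hash:
            continue                       # unchanged, even if size coincides
        delta = new_size - old_size
        findings.append({"file": name, "status": "modified", "delta": delta,
                         "dark_avenger_sized":
                         abs(delta - DARK_AVENGER_GROWTH) <= GROWTH_TOLERANCE})
    for name in sorted(current.keys() - baseline.keys()):
        findings.append({"file": name, "status": "new"})
    return findings


def demo() -> list:
    """Constructed scenario: baseline a directory, then grow one file by 1800 bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "COMMAND.COM").write_bytes(b"\x90" * 4000)      # constructed stand-in
        (root / "WP.EXE").write_bytes(b"MZ" + b"\x00" * 6000)  # constructed stand-in
        (root / "README.TXT").write_bytes(b"not an executable")
        before = build_baseline(root)
        with (root / "COMMAND.COM").open("ab") as f:
            f.write(b"\xcc" * DARK_AVENGER_GROWTH)             # simulated appended bytes
        return compare(before, build_baseline(root))
```

In practice the baseline is written once from known-clean media and stored off the machine, since a resident infector can alter files between runs.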