Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!tut.cis.ohio-state.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw From: frisk@rhi.hi.is (Fridrik Skulason) Newsgroups: comp.virus Subject: Re: Sunday virus description? (PC) Message-ID: <0002.9012041357.AA13652@ubu.cert.sei.cmu.edu> Date: 29 Nov 90 17:17:55 GMT Sender: Virus Discussion List Lines: 26 Approved: krvw@sei.cmu.edu p0.f7.n391.z1.fidonet.org!David.Hobbs@uafhp.uark.edu (David Hobbs) writes: >Can anyone explain what the Sunday virus is? It seems to be going >around (the town I live in). What does McAfee's clean really do? >Does it make the infected program reusable? The Sunday virus is one of many Jerusalem variants - modified somewhat, but still closely related to Jerusalem, New Jerusalem, Suriv 3, Anarkia, A-204, Payday and all the other viruses in the Jerusalem family. The problem with CLEAN, (as well as my own, and all other disinfection programs) is thal all the above viruses may corrupt the file they infect, making disinfection impossible. This only happens, however, if the true length of an .EXE file does not match the information stored in the header. Worse still, occasionally (I only know of a fandful of examples), this corruption cannot be detected by the disinfection software. Therefore, it is safer not to disinfect, but to replace with originals, when you are dealing with a Jerusalem-family virus. The disinfection works in 99%+ of cases, restoring the program almost to its original state, although the checksum in the header is usually wrong afterwards. - -frisk Brought to you by Super Global Mega Corp .com