Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: rtravsky@CORRAL.UWyo.Edu (Richard W Travsky)
Newsgroups: comp.virus
Subject: QEMM Virus? (PC)
Message-ID: <0011.9101072020.AA02845@ubu.cert.sei.cmu.edu>
Date: 7 Jan 91 15:13:28 GMT
Sender: Virus Discussion List
Lines: 51
Approved: krvw@sei.cmu.edu

This appeared in a recent Info-Ibmpc digest. Figured I'd pass it on. I have not seen any mention of this in recent virus-l postings so hopefully I'm not passing on old news. Then again, I hope I'm not also spreading panic!

Date: Tue, 1 Jan 91 10:58:09 -0500
From: David Kirschbaum
Subject: Reported QEMM virus

Received from the Fido Dr. Debug Echo, 1 Jan 91.

David Kirschbaum
Toad Hall

FROM: Richard Crain
Area # 23 ( Dr. Debug )
TO: ALL
SUBJECT: Virus

I have found what appears to be a virus on the factory supplied disk from Quarterdeck on the QEMM386 V5.1 diskette in the Optimize.com and install.exe programs. These 2 programs contain a HEX signature of EAF0FF00F0 which indicates the possible presence of the 648 virus. This virus is supposed to infect overlay programs, which I have had MAJOR problems with lately. In the last 18 hours, every program that I have used that uses overlays has had its CRC change, or worse yet, totally crash on invocation locking the system. Further, it has been only the EXE files that have changed.

Also, in doing a byte by byte compare of a corrupted file with a good version on backup (tape) I find an absolute pattern of corruption in the files. These changes are the substitution of a HEX 00 00 at locations 68B8, 68BC, 78B8, 78BC, 88B8, 88BC, Etc.....

This problem started yesterday (again) after running the Optimize program that comes with Qemm386 V5.1.
This problem occurred before, causing me to panic and wipe out my hard disk, secure erase, reformat, and reload without doing serious research as to the cause. I ASSUMED that a new program that I had just added was the cause. This time, I have found what I believe to be the true cause with some advice from Chris Anderson.

Further, Quarterdeck has been notified and the original disk is being returned to them for replacement and analysis. Also, the disk was never written onto by me at any time; the diskette was copied and the copy underwent the registration process.

The HEX string to look for is EAF0FF00F0

- --- msged 1.99S ZTC
 * Origin: DinoPoint 2 (1:104/114.2)
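
The two checks described in the post above (searching a file for the hex string EAF0FF00F0, and comparing a suspect file byte by byte against a known-good backup), as an added Python example that is not part of the original post. The function names and both sample buffers are constructed for illustration; treating "HEX 00 00" as two zero bytes at each listed offset is an assumption.

```python
from __future__ import annotations

# EAF0FF00F0 is the hex string quoted in the post. These five bytes are the
# x86 encoding of JMP FAR F000:FFF0, so a hit is an indicator to investigate.
SIGNATURE = bytes.fromhex("EAF0FF00F0")
REPORTED = (0x68B8, 0x68BC, 0x78B8, 0x78BC, 0x88B8, 0x88BC)  # offsets from the post

def find_signature(data: bytes, sig: bytes = SIGNATURE) -> list[int]:
    """Return every offset at which sig occurs, overlapping matches included."""
    hits, pos = [], data.find(sig)
    while pos != -1:
        hits.append(pos)
        pos = data.find(sig, pos + 1)
    return hits

def diff_runs(good: bytes, suspect: bytes) -> list[tuple[int, bytes, bytes]]:
    """Byte-by-byte compare: one (offset, good, suspect) tuple per differing run."""
    runs, i, n = [], 0, min(len(good), len(suspect))
    while i < n:
        if good[i] == suspect[i]:
            i += 1
            continue
        start = i
        while i < n and good[i] != suspect[i]:
            i += 1
        runs.append((start, good[start:i], suspect[start:i]))
    return runs

def common_stride(offsets: list[int]) -> int | None:
    """Gap between every second offset if it is constant, else None."""
    gaps = {b - a for a, b in zip(offsets, offsets[2:])}
    return gaps.pop() if len(gaps) == 1 else None

def build_constructed_pair() -> tuple[bytes, bytes]:
    """Constructed stand-ins for the backup copy and the corrupted copy."""
    good = bytes((i % 251) + 1 for i in range(0x9000))  # filler, never 0x00
    bad = bytearray(good)
    for off in REPORTED:
        bad[off:off + 2] = b"\x00\x00"  # assumption: "HEX 00 00" means two zero bytes
    return good, bytes(bad)

if __name__ == "__main__":
    sample = b"\x90" * 0x120 + SIGNATURE + b"\x90" * 16  # constructed buffer
    print("signature at:", [hex(o) for o in find_signature(sample)])
    good, bad = build_constructed_pair()
    runs = diff_runs(good, bad)
    for off, g, s in runs:
        print(f"{off:#06x}: backup={g.hex()} suspect={s.hex()}")
    print("stride:", hex(common_stride([off for off, _, _ in runs])))
```

The compare covers only the common length of the two files, so a size difference between the backup and the suspect copy has to be checked separately.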