Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!thunder.mcrcim.mcgill.edu!snorkelwacker.mit.edu!usc!zaphod.mps.ohio-state.edu!wuarchive!psuvax1!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: csas400@vax1.mankato.msus.edu
Newsgroups: comp.virus
Subject: New virus 1586? (PC)
Message-ID: <0009.9101241627.AA14372@ubu.cert.sei.cmu.edu>
Date: 23 Jan 91 09:41:00 GMT
Sender: Virus Discussion List
Lines: 40
Approved: krvw@sei.cmu.edu

Hello,

I'm new to this group and I'm not familiar with the protocols in
announcing the discovery(sic.) of a new virus...but here goes anyway.

Virus attributes:

1. IBM pc/xt/at/ps2
2. Changes files date/time.
3. Changes files size.

       filename       noVir      Vir   Difference
       command.com    37637    39223   1586
       simcity.exe   191845   193431   1586
       share.exe      10301    11879   1578

4. Hooks to following interrupts:

       22H   Terminate      xxxx:0147
       24H   Critical err   xxxx:05Bf
       2EH   Execute cmd    xxxx:02B8
       FFH   User def.      0002:F000

5. Due to the interrupts it attaches to during any program termination,
   disk error, or DOS command the virus finds the first *.com or *.exe
   file in the directory not attacked and attaches itself and also
   checks to see if it's active in memory if not it installs itself.
6. Attaches to .com and .exe (.bin not tested)
7. Can be identified in executables with following hex codes.

       0E B0 00 E6 20 B8 24 35 CD 21   (taken from virus)

If someone (reputable [ie. has written vir.pro. programs before]) would
like to tackle this hobby of killing and detection of this virus I'll
send you a copy. Better yet if someone has already done so TELL ME WHERE
TO FIND IT. I'm desperate for a solution; deletion is (to me) not a good
solution.

Jeffrey E. Hundstad
AS/400 System Administrator
Mankato State University
j3gum@vax1.Mankato.MSUS.EDU
CSAS400@vax1.Mankato.MSUS.EDU
vax1.Mankato.MSUS.EDU (134.29.1.1)
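
The two indicators given in the post (the quoted byte pattern and the 1586/1578-byte growth of .com/.exe files) turned into a detection check, as an added Python example that is not part of the original post. The function names, the `clean_sizes` baseline of known-good sizes and the sample files built in `demo()` are assumptions constructed for illustration.

```python
import os
import tempfile

SIGNATURE = bytes.fromhex("0E B0 00 E6 20 B8 24 35 CD 21")  # quoted in the post
REPORTED_GROWTH = {1578, 1586}   # size increases listed in the post's table
TARGET_EXTS = (".com", ".exe")   # file types the post says are attacked


def find_signature(path, chunk_size=64 * 1024):
    """Return the offset of the first SIGNATURE match in the file, or None."""
    keep = len(SIGNATURE) - 1        # bytes carried over between reads
    tail, base = b"", 0              # base = file offset of window[0]
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            window = tail + chunk
            hit = window.find(SIGNATURE)
            if hit != -1:
                return base + hit
            tail = window[-keep:]    # a match may straddle two reads
            base += len(window) - len(tail)
    return None


def scan_tree(root, clean_sizes=None):
    """List .com/.exe files holding SIGNATURE or grown by a reported amount."""
    clean_sizes = clean_sizes or {}  # assumed baseline: {lowercase name: clean size}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(TARGET_EXTS):
                continue
            path = os.path.join(dirpath, name)
            known = clean_sizes.get(name.lower())
            growth = None if known is None else os.path.getsize(path) - known
            offset = find_signature(path)
            if offset is not None or growth in REPORTED_GROWTH:
                findings.append({"file": name, "offset": offset, "growth": growth})
    return findings


def demo():
    # Constructed sample files: filler bytes with the post's sizes, not real binaries.
    appended = b"\x90" * 100 + SIGNATURE + b"\x90" * 1476   # 1586 bytes
    samples = {"COMMAND.COM": b"\x00" * 37637 + appended, "SHARE.EXE": b"\x00" * 10301}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_tree(root, {"command.com": 37637, "share.exe": 10301})
```

A hit on the size delta alone is only a lead, since the post also notes the file date/time changes; the byte-pattern offset is the stronger indicator.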