Path: utzoo!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: frisk@rhi.hi.is (Fridrik Skulason)
Newsgroups: comp.virus
Subject: Re: Plastique/Taiwan 3/Anticad 2 (confused!) (PC)
Message-ID: <0012.9103131701.AA15339@ubu.cert.sei.cmu.edu>
Date: 13 Mar 91 09:23:29 GMT
Sender: Virus Discussion List
Lines: 45
Approved: krvw@sei.cmu.edu

ccx020@cck.coventry.ac.uk (James Nash) writes:

>Fridrik's F-PROT calls it Plastique
>McAfee's SCAN calls it Taiwan 3 (as does AVSEARCH)
>Solomon's FINDVIRUS calls it Anticad 2

Don't forget the anti-virus programs which call it 'Invader' ..... :-)

Anyhow - it is like this. This is a group of several viruses from Taiwan,
created by disassembling the Jerusalem virus, modifying it and releasing it
again. There are at least 6 viruses in the family:

        one 2576 bytes long
        one 2900 bytes long - the one you have.
        one 3012 bytes long
        three 4096 bytes long

In addition, the (non-working) HM2 virus may be related, and a variant
around 3000 bytes long has also been reported.

Some of the variants contain the text "Plastique", either in plain text or
encrypted - they also produce "explosion" sounds occasionally.

All the viruses are targeted against the AutoCAD program - when a program
named ACAD.EXE is run or sometimes when Ctrl-Alt-Del is pressed, the viruses
will activate, overwriting data on floppy disks and hard disks, as well as
garbling the contents of the CMOS. This behaviour produced the 'AntiCAD'
name.

The three 4096 byte variants also contain code for infecting the boot sector.

The "Taiwan" name should IMHO not be used, as there is already a family of 4
viruses which have been called Taiwan-1, Taiwan-2, Taiwan-3 and Taiwan-4, but
they are not related to the family discussed above.

-frisk

Fridrik Skulason      University of Iceland  |
Technical Editor of the Virus Bulletin (UK)  |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801  |