Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!wuarchive!rex!ukma!widener!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson)
Newsgroups: comp.virus
Subject: EMPIRE virus (contd)
Message-ID: <0010.9104162011.AA07133@ubu.cert.sei.cmu.edu>
Date: 15 Apr 91 12:36:15 GMT
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
Lines: 11
Approved: krvw@sei.cmu.edu

Since the last posting (Virus-L and Valert-L), yet another strain of
the EMPIRE virus has appeared. For the moment it would seem that the
University of Alberta (Canada) is the only victem. The second strain
has the same charactoristics except that this one is encrypts each
infection differently.

For the moment, the best detection is by the intitial JMP which is the
same in both strains and is the viruses signature to itself. "EA 9F 01
C0 07" - jmp 07C0:019F, this will pick up both.
                                      Warmly,
                                                Padgett