Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!sdd.hp.com!spool.mu.edu!news.cs.indiana.edu!nstn.ns.ca!cs.dal.ca!ug.cs.dal.ca!gauthier
From: gauthier@ug.cs.dal.ca (Paul Gauthier)
Newsgroups: comp.sys.ibm.pc.misc
Subject: Re: "Yankee Doodle virus"
Keywords: virus
Message-ID: <1991May2.211457.14393@cs.dal.ca>
Date: 2 May 91 21:14:57 GMT
Article-I.D.: cs.1991May2.211457.14393
References: <673197135@mars.cs.duke.edu>
Sender: news@cs.dal.ca (USENET News)
Organization: Math, Stats & CS, Dalhousie University, Halifax, NS, Canada
Lines: 29
Nntp-Posting-Host: ug.cs.dal.ca

In article <673197135@mars.cs.duke.edu> lhb@duke.cs.duke.edu (Pete Boyd) writes:
>Recently we learned that a PC on campus had been infected with
>the "Yankee Doodle" virus. The PC was scanned with the
>McAfee Associate's virus detection software and was confirmed
>to be infected.
>

The Yankee Doodle was also seen around these parts a few months ago
on our school PCs and some others which I know of. We cleaned it up and
it never re-infected, so we have no idea where it came from. It appears
to infect EXEs and COMs when they are accessed by the system (COPY,
executed, etc) but I'm not sure of the exact method.

I'd recommend regular runnings of the SCANning program for a few
weeks at least to make sure it doesn't creep back in from floppies or
backups. Also, be sure to run the program so that it scans ALL files,
not just EXE and COM because YankeeDoodle knows how to infect EXEs which
are stored on disk with other extensions.

One software package we had used ".UTL" files to store various
modules in, but they were really just EXE files renamed to UTL and then
named back again whenever the main program wanted to call a sub-program.
This is how we re-infected ourselves a few times. We cleaned out all the
EXE and COMs but missed those files and the virus came back that way.

PG
--
============================================================================
Paul Gauthier                                 | gauthier@ug.cs.dal.ca
President, Cerebral Computer Technologies     | tyrant@dalac.bitnet
Phone: (902)462-8217 Fax: (send email first)  | tyrant@ac.dal.ca
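
Added example, not part of the original post: a Python sketch of the check the post argues for, listing files that are DOS EXEs by content (MZ header) but carry another extension, such as the renamed ".UTL" modules, so they can be included in a scan. The function names and sample files are hypothetical and constructed here; COM files have no signature, so only renamed EXEs can be found this way.

```python
import os
import struct
import tempfile

EXEC_EXTS = {".exe", ".com"}   # what an extension-only scan would cover
MZ_MAGICS = (b"MZ", b"ZM")     # DOS EXE signature; DOS also accepts "ZM"

def looks_like_dos_exe(path):
    """True if the file begins with a plausible DOS MZ header."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        hdr = f.read(28)       # fixed part of the MZ header
    if len(hdr) < 28 or hdr[:2] not in MZ_MAGICS:
        return False
    # Offsets 2..9: bytes on last page, 512-byte pages, relocs, header paragraphs
    last_page, pages, _relocs, hdr_paras = struct.unpack_from("<4H", hdr, 2)
    # Sanity checks reject text files that merely start with "MZ".
    return pages >= 1 and last_page <= 512 and 28 <= hdr_paras * 16 <= size

def find_disguised_exes(root):
    """Paths under root that are EXE by content but not by extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            try:
                if ext not in EXEC_EXTS and looks_like_dos_exe(path):
                    hits.append(path)
            except OSError:
                continue       # unreadable file: skip it and keep going
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample data: a renamed EXE, a normal EXE, a text file."""
    mz = struct.pack("<2s13H", b"MZ", 0x90, 3, 0, 4, *([0] * 9)) + b"\0" * 64
    samples = {"MODULE.UTL": mz, "MAIN.EXE": mz,
               "README.TXT": b"MZ marks a DOS executable header.\r\n"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path in find_disguised_exes(tmp):
            print("EXE content under another extension:", path)
```

The resulting list only identifies candidates; the files still need to be checked by the virus scanner itself.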