Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!wuarchive!uunet!lll-winken!iggy.GW.Vitalink.COM!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw From: walker@AEDC-VAX.AF.MIL (William Walker C60223 x4570) Newsgroups: comp.virus Subject: Yankee Doodle virus (PC) Message-ID: <0012.9104291313.AA23337@ubu.cert.sei.cmu.edu> Date: 27 Apr 91 16:59:00 GMT Sender: Virus Discussion List Lines: 34 Approved: krvw@sei.cmu.edu Hello, people. Glad to be part of this discussion. Jim Schank (JIMS@SERVAX.BITNET) write: > Does anyone out there have information on the Yankee Doodle virus? A little bit: Yankee Doodle is a variant of a virus called Vacsina, both of which, along with Yankee Doodle-B, belong to the "TP" family of about 48 viruses (last time I checked). The second to the last byte of an infected file is believed to be the "version number" of the virus. In the most common Yankee Doodle virus, this number is 2C hex, or 44 decimal, therefore the name "TP-44." The viruses from about 25 (19 hex) earlier are called Vacsina, while the later ones are called Yankee Doodle. I'm not 100% sure when the infection takes place, but I believe that it occurs when a .COM or .EXE file is run. As for playing "Yankee Doodle" on the speaker, TP-44 does indeed play it. I know because I've just removed that version from a machine here. However, when you test it, don't set the clock exactly at 5:00, set it for 4:59, because it starts a few seconds early. Also, be sure that the time is 4:59 PM (not AM), or 16:59. For additional information, the best source (besides this forum) is the VIRUSSUM document by Patricia M. Hoffman, which is available on many BBSs and FTP servers which have anti-virus software. Oh, by the way, some versions of Yankee Doodle hunt down other some other viruses, such as Ping and Cascade. Who knows, with this kind of in-fighting, maybe they'll wipe each other out completely! ;-) Bill Walker OAO Corporation Arnold Engineering Development Center M.S. 100 Arnold Air Force Base, TN 37389-9998