Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!wuarchive!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: mrs@netcom.com (Morgan Schweers)
Newsgroups: comp.virus
Subject: Re: Tequila virus (PC)
Message-ID: <0005.9105211425.AA07798@ubu.cert.sei.cmu.edu>
Date: 21 May 91 01:19:00 GMT
Sender: Virus Discussion List
Lines: 43
Approved: krvw@sei.cmu.edu

Some time ago microsoft!c-rossgr@uunet.uu.net whispered:
>>From: "David.M.Chess"
>
>>Has this been around for awhile? Just in the last week or so, I've
>>heard of it from a couple of different, widely separated, places in
>>Europe, and I hadn't heard of it before. Does anyone have a good....
>
>By the look of things, it's a flip flop virus: an infected program
>infects the partition record, infected partition records infect
>programs. Additionally, it looks a lot like a combo of 1260 and v101:
>it is impossible to get a scan string for it.
>
>

Greetings,

*Chuckle* It's a variant of the Flip virus, actually. A bit of
pseudo-encryption code was added, and a bit of infection code was
removed, but otherwise it's mostly flip-like. Mr. McAfee gave me a
scan string quickly after I handed it to him, and it'll be in the
upcoming release of Scan as well. (Clean, of course, will remove it.)
It's *VERY* rarely 'impossible' to find a scan string for something.

It's been suggested that pirated copies of Golden Axe by Sega have
been spreading its infection on the other side of the pond.

A side note, regarding the Flip, it patches COMMAND.COM (under DOS
3.3, at least) to fix the DIR command to hide the filesize increase.
It modifies two bytes, to chain to itself. This is important, as if
these bytes are not fixed the COMMAND.COM will crash after being
cleaned. I haven't checked to see if the Tequila virus does this as
well, but I would guess that it does.

Dave Chess mentioned to me that the Tequila displays a low resolution
Mandelbrot set upon activation. I haven't confirmed it, but I plan to.
(Anybody want GIF copies when I do? *chuckle*)

                                        -- Morgan Schweers
- --
"Any opinions are not the express opinions of McAfee Associates. I
just pattern, in game of life." (Do not meddle in the affairs of
cats, for they are subtle and will piss on your computer.)
-- mrs@netcom.com