Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: dougmc@ccwf.cc.utexas.edu (doug d'glaren)
Newsgroups: comp.virus
Subject: new virus ? (PC)
Message-ID: <0011.9105281939.AA08091@ubu.cert.sei.cmu.edu>
Date: 28 May 91 19:04:28 GMT
Sender: Virus Discussion List
Lines: 45
Approved: krvw@sei.cmu.edu

I just finished cleaning up my hard disk after getting a virus from a local BBS, and I've told them about it, and they've removed the offending program, and everything is fixed, but some questions remain.

I know some things about virii, mostly from what I've read in various text files on the subject and anti-virus program's doc files, so I was able to figure out what was going on and get rid of it, and I had backups of most of the files that were damaged so I came out ok, but I would like to know if anybody else has had problems with this virus.

First of all, SCAN77 does not recognize this virus. So I am led to believe that it is rather new. If only SCAN77 did recognize it, it would have saved me a lot of aggravation! I now use a disk monitoring program when checking new programs, but hindsight is always 20-20 ...

Well, here's some characteristics of this virus:

I got it from a program called DI.Exe, which is a small directory making program. When this program ran, it ran drives A and B (I noticed this, but paid it no mind! Once again, hindsight ...) It was, I later learned, looking for files to infect. What it did was copy a copy of the virus to every EXE file it could find. When these programs were run, they again tried to copy the virus. The virus apparently does NOT go TSR, but infected EXE files seem to only have about 24k to run in, (An infected MEM.Exe file said maximum executable file size was about 24k) so most of my EXE programs wouldn't work after that, complaining about lack of memory. DI.EXE ran fine, of course.

These EXE files grew by about 3k, the exact amount varying from file to file. The virus did not seem to care if a file was read only or not. It also created hidden system files in every subdirectory, named just A, B, C, D, E etc. I don't know what their purpose was, but as the infection progressed, I saw higher and higher letters. Perhaps a countdown of some sort? I don't know. The virus did not appear to do anything else other than infecting EXE files which propagated it.

The virus contains this string which I used to search for it (it doesn't appear to be self encrypting or anything funky like that ...)

43 83 FB 0A 72 ED 2B DB EB E9 C3 2E FF 06 FD 00 2E FF 2E FF 00

In the scanning program that I made I looked for the text string of Alt-114, Alt-237, ... 043 219 235 233 195 046 (you get the idea ...)

Does anybody know anything about this particular virus? I would like to know a little more about it. Besides the sysop of the BBS isn't convinced that it was a virus, and I'd like to know it's not just me.

dougmc@ccwf.cc.utexas.edu aka Doug McLaren
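
The signature search described in the post, as an added example that is not part of the original message: a Python scanner that looks for the quoted 21-byte string in .EXE files and lists one-letter, extensionless file names like the ones the post reports. The function names and the chunked read with overlap are assumptions, and the DOS hidden/system attributes are not checked.

```python
import os

# Byte string quoted in the post, used there as a search signature.
SIGNATURE = bytes.fromhex(
    "43 83 FB 0A 72 ED 2B DB EB E9 C3 2E FF 06 FD 00 2E FF 2E FF 00"
)

def find_signature(path, sig=SIGNATURE, chunk_size=64 * 1024):
    """Return the file offset of the first match, or -1 if absent."""
    overlap = len(sig) - 1  # bytes carried over so a match can span two reads
    tail, base = b"", 0     # base = file offset of buf[0]
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return -1
            buf = tail + chunk
            hit = buf.find(sig)
            if hit != -1:
                return base + hit
            tail = buf[-overlap:] if overlap else b""
            base += len(buf) - len(tail)

def scan_tree(root):
    """Return ({exe_path: offset}, [marker_paths]) for everything under root."""
    hits, markers = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            # Assumption: any one-letter, extensionless name counts as a marker;
            # the DOS hidden/system attributes are not portable, so not checked.
            if len(name) == 1 and name.isalpha():
                markers.append(path)
            elif name.lower().endswith(".exe"):
                try:
                    offset = find_signature(path)
                except OSError:
                    continue  # unreadable file: skip it
                if offset != -1:
                    hits[path] = offset
    return hits, markers

if __name__ == "__main__":
    import sys
    found, marks = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for p, off in found.items():
        print(f"{p}: signature at offset {off:#x}")
    for p in marks:
        print(f"{p}: single-letter file")
```

A match only shows that the file contains the quoted bytes; a one-letter file name on its own is a weak indicator and is listed for review, not treated as proof.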