Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: frisk@rhi.hi.is (Fridrik Skulason)
Newsgroups: comp.virus
Subject: New viruses (PC)
Message-ID: <0012.9001031142.AA02943@ge.sei.cmu.edu>
Date: 3 Jan 90 10:54:39 GMT
Sender: Virus Discussion List
Lines: 67
Approved: krvw@sei.cmu.edu

Several new PC viruses have appeared recently. This short note contains a preliminary description of some of them, including the new viruses in the package from Poland.

I have updated my anti-virus programs to detect, stop and remove the viruses listed below (as well as the other 40 PC viruses known), and unless somebody sends me a new virus today, I will start sending the programs out tomorrow or the day after that.

The Amstrad virus

This virus is rather interesting. It is a direct-action virus, that will add 847 bytes to the front of any .COM file it finds in the current directory. The virus is very primitive, because the virus code is only around 334 bytes long, which makes this the shortest PC virus known today. The rest contains zeros and the string:

    "Hello, John Mcafee,please uprade me.Bests regards,Jean Luz."

One note: I feel the name "Amstrad" is totally inappropriate, since the virus seems to have nothing to do with Amstrad computers whatsoever.

The Payday virus

This is not a new virus, just a YAVJV (Yet Another Variant of the Jerusalem Virus). It seems to be very close (or perhaps identical) to Jerusalem-B.

Musician

One of the viruses from Poland. As reported earlier, it is the same virus as the "Oropax" virus reported several months ago in W-Germany.

Perfume (alias 765 or "4711")

A .COM infecting virus of German origin, that will sometimes ask the user a question and not run the infected file unless the answer is "4711", which is the name of a perfume. This virus will look for COMMAND.COM and infect it unless it is already infected. Infected files grow by 765 bytes. In the most common variant of the virus, the questions have been overwritten with garbage.

W13

This is a rather primitive .COM infecting virus. Two variants are known, the first one is 534 bytes long, but the second (with some bugs corrected) is only 507 bytes long. The virus is of the "Direct Action" type and does nothing interesting.

Vcomm

An .EXE infecting virus that came from Poland. It is not very well written, but easy to study, since the commented source code was included. When an infected program is run, it will infect one .EXE file in the current directory. Infected programs are first padded so their length becomes a multiple of 512 bytes. Then the virus adds 637 bytes to the end of the file. It will also install a resident part that will intercept any disk write and change it into a disk read.

December 24th

An Icelandic variant of the Icelandic-2 virus. It will infect one out of every ten .EXE files run. Infected files grow by 848-863 bytes. If an infected file is run on December 24th it will stop any other program run later, displaying the message "Gledileg jol" ("Merry Christmas") instead. The virus also contains a number of minor changes and extra NOP instructions.
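
The size figures quoted in the post can be used to triage a file-size baseline, as in the following added example (not part of the original post and not the author's anti-virus programs). The function names and the sample sizes are constructed for illustration; it assumes that W13 growth equals the stated virus length and that Vcomm adds no padding to a file whose length is already a multiple of 512.

```python
# Added example: map file-size growth against a known-good baseline to the
# viruses whose size figures are given in the post. A match is a lead for
# further inspection, not a confirmed identification.

# .COM growth in bytes, as quoted in the post (W13: assumed equal to virus length).
COM_GROWTH = {
    847: "Amstrad",
    765: "Perfume",
    534: "W13 (first variant)",
    507: "W13 (second variant)",
}

def vcomm_infected_size(original):
    """Expected size after Vcomm: pad to a multiple of 512, then append 637."""
    padded = -(-original // 512) * 512  # assumption: aligned files get no padding
    return padded + 637

def candidates(name, baseline, current):
    """Return the viruses from the post whose size rule fits this change."""
    ext = name.upper().rsplit(".", 1)[-1]
    growth = current - baseline
    hits = []
    if ext == "COM" and growth in COM_GROWTH:
        hits.append(COM_GROWTH[growth])
    if ext == "EXE":
        if current == vcomm_infected_size(baseline):
            hits.append("Vcomm")
        if 848 <= growth <= 863:  # range quoted for December 24th
            hits.append("December 24th")
    return hits

def triage(baseline, current):
    """Report every file whose size changed, with candidate names if any fit."""
    report = {}
    for name, size in current.items():
        if name in baseline and size != baseline[name]:
            hits = candidates(name, baseline[name], size)
            report[name] = hits or ["unexplained size change"]
    return report

# Constructed sample data: sizes recorded earlier vs. sizes seen now.
BASELINE = {"COMMAND.COM": 25307, "EDIT.COM": 4000, "CALC.EXE": 10000,
            "GAME.EXE": 10020, "NOTES.EXE": 2048, "TOOL.COM": 1200}
CURRENT = {"COMMAND.COM": 26072, "EDIT.COM": 4847, "CALC.EXE": 10877,
           "GAME.EXE": 10877, "NOTES.EXE": 2048, "TOOL.COM": 1210}

if __name__ == "__main__":
    for fname, names in sorted(triage(BASELINE, CURRENT).items()):
        print(f"{fname}: {', '.join(names)}")
```

GAME.EXE in the sample shows why size alone is ambiguous: a 10020-byte file padded to 10240 plus 637 bytes grows by 857, which also falls inside the 848-863 range.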