WARNING !!!! (fwd)

Rob Harper Rob.Harper at CONVEX.CSC.FI
Thu Oct 3 09:27:22 EST 1991


Not to scare anyboby but to keep you informed, here is a clip from
RED-UG the Trickle mailing list. Be careful out there.

*************************** CLIP CLIP *************************
Forwarded message:
> From RED-UG at HEARN.BITNET Thu Oct  3 12:27:21 1991
> Resent-Date: Thu, 3 Oct 1991 12:28 EET
> Date: Thu, 3 Oct 91 11:13:03 CET
> From: Cezar Cichocki <CEZAR at PLEARN.BITNET>
> Subject: WARNING !!!!
> Sender: Red File Server Users Group on Provided Software 
> <RED-UG at HEARN.BITNET>
>  
>                 !!!!!!!!! WARNING !!!!!!!!!
> Text was originaly sent from J McAfee. It is big true, this virus is
> very destructive and there is a big problem to catch it.
> I suggest to stop send trickle files originally sent from eastern Europe.
> cezar.
> ==========================================================================
>  
> Date:    Fri, 27 Sep 91 05:55:41 +0000
> From:    mcafee at netcom.com (McAfee Associates)
> Subject: New Virus Warning (PC)
>  
>               V I R U S   W A R N I N G
>  
>         A new, fast moving, and very destructive virus has been
> reported from multiple countries in Eastern Europe.  The virus uses
> a completely new technique for infecting and replicating and it
> cannot be easily identified or removed with existing anti-virus
> removers.
>  
> The virus infects by first placing itself in the last cluster of
> host disks.  It then modifies the directory entries for all
> executable files in the system so that the directory chains point
> to the virus.  Then it encrypts the original pointers for the
> executable files and places the encrypted pointers in unused space
> within the directory area.  The result of this is that
> whenever a program is executed, the virus is loaded into memory.
> The virus, in turn, loads the program for execution.  Programs
> themselves are not modified.
>  
> A disruptive characteristic of this virus is that if an infected
> system is booted from a clean floppy, none of the executable files
> can be copied from the system.  Neither can they be backed up.  If
> the system is not booted from a clean floppy, then the files can
> be copied and backed up, but the virus will copied along with the
> programs.  It's a catch 22 situation.  Additionally, if an infected
> system is booted from a clean floppy, and then a CHKDSK /F
> is run, then all executable files in the system will be destroyed.
>  
>  
> The virus is also a stealth virus.  While it is active in memory
> it is difficult to detect.
>  
> The Virus has been named DIR-2.  It has been reported at numerous
> sites in Bulgaria, Poland, Yugoslavia and Hungary.  We received our
> copy for analysis from Tamas Szalay in Budapest.
>  
> The virus spreads more rapidly than any virus yet discovered.
> Vesselin Bontchev in Bulgaria reports that it has become the most
> reported virus in his country within the past few weeks.
>  
> We are currently re-writing our SCAN and CLEAN programs to deal
> with this virus, as are most other anti-virus suppliers.  A beta
> version of both programs will be available September 26th.  Anyone
> reporting symptoms similar to the above described, please
> contact us.
>  
> Thank you,
>  
> John McAfee
> - --
> McAfee Associates      | Voice (408) 988-3832 | mcafee at netcom.com  (business)
> 4423 Cheeney Street    | FAX   (408) 970-9727 | aryehg at darkside.com(personal)
> Santa Clara, California  | BBS   (408) 988-4004 |
> 95054-0253  USA          | v.32  (408) 988-5190 | CompuServe ID: 76702,1714
> ViruScan/CleanUp/VShield | HST   (408) 988-5138 | or GO VIRUSFORUM
> 




More information about the Bio-soft mailing list