V.I.R.U.S. Weekly - January 21, 1994

A weekly digest of virus and related news, V.I.R.U.S. Weekly BBS feed and
newsletter is prepared by the Vancouver Institute for Research into User
Security.  For those without online service feeds, both V.I.R.U.S. Weekly and
Monthly are available in hardcopy.  For more information contact Robert Slade
or CyberStore.
copyright 1993, Robert M. Slade

Other columns this week:

8    3.4 Weird behaviour

9    F-Prot Professional


The McAfee suite version 111 is out on the nets.


South African Peace (MS-DOS)
A very simple direct action overwriting COM and EXE infector.  On December 5th
it will attempt to restrict access to the C: drive.  By report, this is only
effective with DOS 5 or higher.  It will also attempt to delete the change
detection image file for MSAV, and if the seconds field is greater than 30 a
message will be displayed.  The file creation date on infected files is
changed to 00-17-90 and the file length is increased by 484 bytes.  (It is also
reported that after all files are infected the virus changes to increase
infected lengths by 777 bytes.)  A reported signature is "5E 81 EE 06 01 E9 03
01 43 4F 4D 4D 41 4E".

This COM and EXE infector is reported to be self-encrypting, but will increase
files by 937 bytes and change the file creation date seconds field to 58 as an
infection marker.  The virus is reported to attempt to use the PATH to find
infectable files but may fail.  As a payload, it will zero out the drive type
parameter in the CMOS table, thus causing an apparent loss of the drive.  A
reported signature is "B9 CC 01 BB ?? ?? 2E 81 07 ?? ?? 83 C3 02".  The virus
code was published in the Crypt Newsletter #20.

Blood Sugar (MS-DOS)
A simple direct action COM infector that increases the size of all files in the
current directory by 416 bytes when run.  A reported signature is "5E 81 C6 1E
00 89 F3 81 EB 23 00 8A 27 8A".

Dementia Pracecox (MS-DOS)
A simple direct action COM infector which will increase the size of all files
in the current directory by 512 bytes without change to the file creation date
and time.  A reported signature is "5D 81 ED 12 01 8B F5 81 C6 38 01 8B DD 81".

Atomic (MS-DOS)
This memory resident companion virus creates hidden 425 byte files.  If the
infection is run on the 14th of the month, the spawned files increase to 456
bytes due to the addition of a text string "Atomix v1.00 by Mnemonix".  A
reported signature is "B8 ED FE CD 21 A3 03 01 0E 8F 06 6F 01 BA".


Lambdin lambasted
I spoke too soon about the amicable resolution to Bill Lambdin's problems with
the Lambdin Accuracy Test postings.  The private virus discussion group
immediately took the opportunity to poke holes in his test procedure.  C'mon,
guys, he's doing it.  And you're not ...  

LAT late
Bill is, however, holding off on the January test to see if any of the
complaints are constructive.  The next version of LAT will be released February
13th.  Give it to your Valentine ... 

Vancouver      ROBERTS@decus.ca         | "If you do buy a
Institute for  Robert_Slade@sfu.ca      |  computer, don't
Research into  rslade@cue.bc.ca         |  turn it on."
User           p1@CyberStore.ca         | Richards' 2nd Law
Security       Canada V7K 2G6           | of Data Security