V.I.R.U.S. Weekly - January 28, 1994

A weekly digest of virus and related news, V.I.R.U.S. Weekly BBS feed and
newsletter is prepared by the Vancouver Institute for Research into User
Security.  For those without online service feeds, both V.I.R.U.S. Weekly and
Monthly are available in hardcopy.  For more information contact Robert Slade
or CyberStore.
copyright 1993, Robert M. Slade

Other columns this week:

8    The SETI virus

9    FREEZE!! by Command Software


False positive mode (MS-DOS)
A number of reports have turned up regarding SCAN 109 giving a false positive
alert for a 1008-B dropper in the MODE.COM program which is a part of MS-DOS. 
Apparently this is only with 3.3 versions of DOS, and possibly only OEM
versions at that.  The false report is only triggered if the "scan all files"
(/A) switch is used (rather oddly, since MODE.COM is a program and should be
scanned in any case).  It is not known whether this is still the case in
version 111 of SCAN.


Nichols (MS-DOS)
This boot sector and MBR infector may contain the text "Nichols" and "Apache"
in the code.  A signature is said to be "EB 23 ?@23 FA 33 C0 8E D0" for the
TBAV program.  (?@23 means there are 23 variable bytes.)  No payload is
reported for this virus.

1364/Addict9 (MS-DOS)
This memory resident COM and EXE infector increases file size by 1364 bytes
without changing the date or time.  It is reported to examine BIOS data and to
increment a counter when a new machine has been infected.  After 255, a payload
will overwrite the beginning tracks of the hard disk which, for most users,
means loss of all data.  A signature is reported to be "2E A1 6C 05 2E 0B 06 6E
05 58 75 07 9C 2E".  F-Prot 2.10C identifies the virus reported as 1364, but as

Trivial 43 (MS-DOS)
This direct action COM infector actually copies itself to all files with a .C*
extension.  Possibly it is because of this that, upon execution, it copies
seeming garbage (actually itself) to the screen and hangs the system.  A
signature is reported to be "B4 4E 33 C9 BA 25 01 CD 21 B8 02 3D BA 9E".

This multipartite virus will go memory resident from its MBR form.  It is
likely that this will be the case with COM and EXE infections as well but this
was not tested in the report seen.  Infected files are increased in size by 347
bytes with no change to date or time.  A signature is reported to be "E8 03 00
?3 5D 0E 16 58 59 33 C8 75 37 B8 01 02".  It is possible that this virus does
not work on 8088/8086 machines.

Sonik Youth (MS-DOS)
This non-resident EXE infector with increase file length by 854 to 866 bytes,
160 of them being added at the beginning.  When the virus is executed one new
file with be infected in the current directory.  The following text strings are
reported to be visible and unexcrypted in the viral code: "My mother used to
say", "You're the boy that can enjoy invisibility", "The pleasure is
everlasting", "Sonik Youth originally released 29 April '92".  After a time EXE
files may be deleted when the virus is run.

Jackel5a (MS-DOS)
This file infector is so buggy it hardly deserves the name of virus at all.  In
the report that we have, it was unable to infect anything except FORMAT.COM. 
It does, however, attempt to disable at least four antiviral programs,
including the resident and change detection modules of CPAV/MSAV.

Vancouver      ROBERTS@decus.ca         | "virtual information"
Institute for  Robert_Slade@sfu.ca      |   - technical description of
Research into  rslade@cue.bc.ca         |     marketing info disguised
User           p1@CyberStore.ca         |     as technical description
Security       Canada V7K 2G6           |            - Greg Rose