***************** MS/DOS Virus Warning *******************

Last week, some of our student consultants discovered a virus program that's been spreading rapidly throughout Lehigh University. I thought I'd take a few minutes and warn as many of you as possible about this program since it has the chance of spreading much farther than just our University. We have no idea where the virus started, but some users have told me that other universities have recently had similar problems.

The virus: the virus itself is contained in the stack space of COMMAND.COM. When a pc is booted from an infected disk, all a user need do to spread the virus is to access another disk via TYPE, COPY, DIR, etc. If the other disk contains COMMAND.COM, the virus code is copied to the other disk. Then, a counter is incremented on the parent. When this counter reaches a value of 4, any and every disk in the PC is erased thoroughly. The boot tracks are nulled, as are the FAT tables, etc. All Norton's horses couldn't put it back together again... :-) This affects both floppy and hard disks. Meanwhile, the four children that were created go on to tell four friends, and then they tell four friends, and so on, and so on.

Detection: while this virus appears to be very well written, the author did leave behind a couple footprints. First, the write date of the command.com changes. Second, if there's a write protect tab on an uninfected disk, you will get a WRITE PROTECT ERROR... So, boot up from a suspected virus'd disk and access a write protected disk - if an error comes up, then you're sure. Note that the length of command.com does not get altered.

I urge anyone who comes in contact with publicly accessible (sp?) disks to periodically check their own disks. Also, exercise safe computing - always wear a write protect tab. :-)

This is not a joke. A large percentage of our public site disks has been gonged by this virus in the last couple days.

Kenneth R. van Wyk
User Services Senior Consultant
Lehigh University Computing Center
(215)-758-4988

===============================================================================

[ The following is translated from an article that appeared in "Maariv" (one of Israel's most popular daily newspapers) on 8-Jan-1988. I translated it myself, so I apologize for the poor style. My own comments appear in brackets '[]' within the translated text - author ]

###############################################################################

THE 'COMPUTER AIDS' VIRUS CONTINUES TO RUN WILD: 'BEWARE OF FRIDAY THE 13-TH OF MAY'

The Hebrew University [in Jerusalem] published the warning yesterday, as on the above date the virus may destroy any information found in the computer memory or on the disks. Immunization programs are spread to locate the virus and exterminate it.

by Tal Shahaf

The computer virus that got the nickname "the Israeli Virus" continues to run wild. The Hebrew University in Jerusalem spread the warning yesterday: Don't use your computer on Friday, the 13-th of May this year! On this day the virus was programmed to wake up from its hibernation - and destroy any information found in the computer memory or on the disks. For this reason, it also got the nickname "time bomb". Moreover, every 13-th of each month, the virus will cause a significant slow-down in the computer's response.

Evidence was received by Maariv yesterday for the existence of the virus in many other places in addition to the Hebrew University in Jerusalem. It was also reported to be detected in one of the I.D.F. [Israeli Defense Forces] units using personal computers. Other messages mentioned some commercial companies where the virus had been detected.

An owner of a software house from Tel-Aviv, who asked to stay anonymous, said that the malfunctions were detected in software kits that were bought with the computers and were installed by the selling company.
Eli Shapira, an owner of a computer store from Haifa, tells of infected software kits that reached him from people in the area. The virus also infected a computer in his store, and possibly spread to customers who had bought software kits. According to him there was a thorough disinfection activity that cleared the computer and the diskettes in the store.

Computer experts warn that the virus may now be in any software and in any computer, including those purchased in computer stores. Currently, the Hebrew University spreads immunization programs that enable detecting the virus in the computer memory and exterminating it.

A new problem popped up though: A mutation of the virus may show up, a few times as dangerous as the current virus. It all depends on the source of the virus and whether the person responsible for it is some computer wizard who did it for fun or some psychopath who does not control his moves.

"THE ISRAELI VIRUS" SPREADS AT THE RATE OF AIDS

The immunization programs fit only the virus from Jerusalem. A stop to the phenomenon of unauthorized software copying is expected.

by Tal Shahaf

The model that best fits the spreading of the computerized virus is the AIDS virus, so claim computer staff. The resemblance is in all dimensions. The spreading rate of the virus is amazing. A single infected diskette is sufficient for infecting thousands of personal computers. It is passed by diskettes going between computers, and also by telephone communication between computers.

Yesterday it was found out that the virus was much more widely spread than was thought. For this reason, users are warned not to accept diskettes from an unknown source. First precaution: not to use diskettes without the "computerized condom": a little sticker that prevents any damage to the information on the diskette.

The computer community is grateful for the stopping of the process of unauthorized copying of software that reached incredible use lately.
Exactly like AIDS, that generated the safe sex phenomenon, the computerized virus is about to generate the phenomenon of decent use only of software.

The phenomenon of growing infected software was discovered yesterday as a side effect only. The real damage is the hidden time bomb: Every 13-th of each month, the virus will cause significant slow down in the computer response, and on the 13-th of May this year it will erase all the information in the computer.

Yuval Rahavi, the computer expert from Jerusalem who discovered the vicious virus, explains that it is a small and sophisticated computer program. When the computer is turned on, the program is loaded into the computer memory, and from then on, any program invoked is contaminated. When the virus identifies a new program, it joins it without disturbing its activity. From then on, any use of this software, or transferring it to another user, means spreading the virus.

The temporary solution to the problem is the immunization programs written by Rahavi. One is used to detect the virus and the other for prevention. It is loaded into the computer memory before any other software. If the virus then attempts to reside in the memory, the program will give appropriate warning.

People from the Hebrew University distributed information that described the virus to all the computer users at the universities, together with copies of the immunization programs.

Ofer Ahituv, an owner of a software house, thinks the source for the virus is in one of the software houses which became involved with his programmers. According to him, all his software kits will now be distributed carrying a label specifying they were checked and found clean of any virus.

The possibility of a new virus, which is more dangerous, scares computer people. Such a virus may harm the information, erase it slowly in such a way it is not felt.
This way, accountants may find out all their clients' accounting data has been erased, banks will lose their customers' data, stores - their cash register data. The immunization programs are good for fighting the current virus. If a new virus pops up - these immunizations will be worthless.

Ezra Ben-Kohav, chairman of the computer organization I.O.I.P. [Israeli Organization for Information Processing] told Maariv yesterday: "There is no law that defined such action as crime. If the author is caught, there will be nothing to blame him/her for."

Arie Bender gives the following message: A search team was established in the Hebrew University, which includes Hilel Bar-Dayan, Amiram Ofir, Eli Peled and Elisha Ben-Ezra. People in the university asked yesterday to make clear there was no information or suspicion about the creators of the virus, including students of the Talpiot program [a special program for young students that combines army studying].

THIS IS HOW TO PROTECT YOUR COMPUTER

Yossi Gil, one of the computer people who discovered the virus, suggests several defense activities for the computer users who receive a new diskette and want to check it.

1. During the check activate the computer without a hard disk, that may be infected by the virus.
2. Use diskettes that carry no important information/programs.
3. Invoke the checked software with a diskette protected by a sticker.
4. Invoke the software again with a diskette without a sticker.
5. Compare the two diskettes using a compare program. If no differences are found, you may assume the checked diskette is free of the virus.
6. Another rule which is always important: Prepare a copy of any important diskette, and specify the date when the copy was done. If the virus attacks your computer, you will be able to restore the damaged programs from these copies.
(by Tal Shahaf)

THE VIRUS REACHED HAIFA

The "Israeli virus" was detected, after causing much damage, also in the educational center of the ministry of education in Rotenberg building on the Carmel [mountain in Haifa]. There is a computer project going on at this site, in which tens of students participate. The center manager, Gideon Goldstein, and the project people Michael Hazan and Gadi Kats, said that 6 weeks ago there was a virus discovered, which destroyed 15 thousand dollars' worth of software and 2 disks in which 7000 hours of work had been invested, in an irrecoverable way.

(by Reuven Ben-Zvi)

PANIC AMONG OWNERS OF PERSONAL COMPUTERS

The Israeli virus panic moved from within the campus and spread out also to the computer consumers in Jerusalem. In many stores there were customers reporting symptoms in their home computers, that matched those which had been found in the P.C. systems in the university. "This morning we ran into and heard about a few cases", said Emanuel Marinsky, manager of computer services lab, "It raises panic".

(by Arie Bender)

###############################################################################
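
Added example (not part of the original warning or of the Maariv article): a Python sketch of the compare step in Yossi Gil's procedure, which also covers the Lehigh footprints (write date changes, length of COMMAND.COM does not). It goes beyond both by hashing file contents, so an in-place change is reported even when length and write date match; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each relative file path under root to (size, mtime, sha256)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            st = os.stat(path)
            result[os.path.relpath(path, root)] = (st.st_size, int(st.st_mtime), digest)
    return result


def compare_disks(reference_root, test_root):
    """Return (path, finding) pairs for files that differ between two copies."""
    ref, test = snapshot(reference_root), snapshot(test_root)
    findings = []
    for rel in sorted(set(ref) | set(test)):
        if rel not in ref or rel not in test:
            findings.append((rel, "missing-or-added"))
        elif ref[rel][2] != test[rel][2]:
            # A size check alone would miss a change that keeps the length.
            same = ref[rel][0] == test[rel][0]
            findings.append((rel, "content-changed" + ("-same-length" if same else "")))
        elif ref[rel][1] != test[rel][1]:
            findings.append((rel, "write-date-changed"))
    return findings


def demo():
    """Constructed sample: a protected copy and a copy altered in place."""
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as test:
        original = b"A" * 64 + b"\x00" * 32   # constructed stand-in bytes
        altered = b"A" * 64 + b"\x01" * 32    # same length, different bytes
        for root, data in ((ref, original), (test, altered)):
            path = os.path.join(root, "COMMAND.COM")
            with open(path, "wb") as fh:
                fh.write(data)
            os.utime(path, (1_000_000, 1_000_000))  # identical write dates
        return compare_disks(ref, test)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: {finding}")
```

Point `compare_disks` at the mounted write-protected copy and the unprotected copy after running the software under test from each; an empty result corresponds to "no differences are found" in step 5.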