This text is found at FidoNet. It is of such importance that I think you all should read it, if you use a IBM PC or clone! 73 de SM0JMN@SM0RZZ ----------------------------------------------------------------------------- (Text 469) 88-03-24 21.21 Jacques Daguerre Mottagare : European Sysop's Conf Kommentar till All ˇrende : Virus -------------- ˇChanged: 24 Mar 88 21:36:21 by Jacques Daguerre¸ You will find below information on Lehigh virus for your own interest. May be you alrady have seen this... I'm also putting another msg (to follow) on a more complex virus. If you are interested in those matters ,I have a couple of files downloaded from Eric Newhouse BBS in LA that gives information on Viruses (or Virii), trojans and some programms to cure. they are : DIRTYD8A.ARC Last edition of the Dirty Dozen Feb. 1988 VIRUS!.ARC 5 different articles on viruses from which Lehigh-Virus NOVIRUS.ARC Virri detector (checks lenght/date of COMMAND.COM with C source code FLUSHOT3.ARC One SysOp cure for the virus menace Innoculate COMMAND.COM ,IBMBIO.COM and IBMSYS.COM against virii. STOP1.ARC Trojan Stop Deluxe Version 1.1 CONDOM.ARC Antivirus protection for systems files. VACCINE.ARC Detects virii that change file length or date. CHK4BOMB.ARC Look for ASCII Strings in Executable programms and checks for suspect I/O accesses. TROJAN!.ARC Information on Trojan horses. ------------------------------------------------------------------------------ ************* WARNING: MS-DOS COMMAND.COM "virus" program will *************** ************* reformat both your hard/floppy disks!!! *************** ------------------------------------------------------------------------------ This came from BITNET... Last week, some of our student consultants discovered a virus program that's been spreading rapidly throughout Lehigh University. I thought I'd take a few minutes and warn as many of you as possible about this program since it has the chance of spreading much farther than just our University. We have no idea where the virus started, but some users have told me that other universities have recently had similar probems. The virus: the virus itself is contained within the stack space of COMMAND.COM. When a pc is booted from an infected disk, all a user need do to spread the virus is to access another disk via TYPE, COPY, DIR, etc. If the other disk contains COMMAND.COM, the virus code is copied to the other disk. Then, a counter is incremented on the parent. When this counter reaches a value of 4, any and every disk in the PC is erased thoroughly. The boot tracks are nulled, as are the FAT tables, etc. All Norton's horses couldn't put it back together again... :-) This affects both floppy and hard disks. Meanwhile, the four children that were created go on to tell four friends, and then they tell four friends, and so on, and so on. Detection: while this virus appears to be very well written, the author did leave behind a couple footprints. First, the write date of the command.com changes. Second, if there's a write protect tab on an uninfected disk, you will get a WRITE PROTECT ERROR... So, boot up from a suspected virus'd disk and access a write protected disk - if an error comes up, then you're sure. Note that the length of command.com does not get altered. I urge anyone who comes in contact with publicly accessible disks to periodically check their own disks. Also, exercise safe computing - always wear a write protect tab. :-) This is not a joke!!! A large percentage of our public site disks have been gonged by this virus in the last couple days. Kenneth R. van Wyk User Services Senior Consultant Lehigh University Computing Center (215)-758-4988 (Text 469 (6525) av Jacques Daguerre) /EX