Path: sparky!uunet!spool.mu.edu!howland.reston.ans.net!zaphod.mps.ohio-state.edu!cis.ohio-state.edu!news.sei.cmu.edu!cert!netnews.upenn.edu!netnews.cc.lehigh.edu!news
From: glarwill@educ.ucalgary.ca (Glen Larwill)
Newsgroups: comp.virus
Subject: New Virus? (PC)
Message-ID: <0011.9301121242.AA22066@barnabas.cert.org>
Date: 7 Jan 93 07:53:02 GMT
Sender: virus-l@lehigh.edu
Lines: 30
Approved: news@netnews.cc.lehigh.edu

I run a BBS in Calgary, Alberta, Canada. Today, one of my users
claimed he had a virus on his system and was having some "trouble".
He didn't specify what was going on with his system. I asked him to
send me a copy of one of the files he had that were infected. He
uploaded two files. The smallest one appears to be a dropper program.
It contains 80h bytes of a program (non-virus) that sends a few escape
sequences to PRN:. F-Prot (2.06a) in Secure Scan mode shows the
smaller file as a possible variant of SVC, and doesn't find anything
in the larger file. In Quick Scan mode, it says they are both Dark
Avenger viruses. McAfee's VScan99 doesn't find anything wrong with
either of these files.

I haven't completely disassembled the smaller file yet, but I have found
that it installs itself in upper memory (using about 2100 bytes).
It hooks interrupt 21H and watches for Load and Exec, Create File,
Close File, Open File, Get and Set File Attribs calls to Int 21. It
also contains the following text...

"JERICHO.Eurystheus.Calgary AB".

I have not disassembled the larger file yet, but it contains the following
text
"JERICHO by Eurystheus<FoG>.Calgary" in the same location. It seems that
these are two slightly different versions of the same virus.

If this is a new virus, what is the safest way to send these files via the
Internet, and whom do I send them to?

Glen Larwill, glarwill@educ.ucalgary.ca
Sysop of The Interlink, Fidonet 1:134/93
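A small static triage helper, added here as an example and not part of Glen's post or the files he describes: it looks for the two marker strings quoted above and for Int 21h calls preceded by the DOS get-vector (35h), set-vector (25h) and terminate-and-stay-resident (31h) functions, the idiom a resident Int 21h hook typically uses, and produces a hash and summary a sysop could forward with a sample. The sample bytes are constructed for the demonstration, not taken from the real files.

```python
import hashlib
import re

# Marker strings quoted in the post. All sample bytes below are constructed.
MARKERS = (b"JERICHO.Eurystheus.Calgary AB", b"JERICHO by Eurystheus<FoG>.Calgary")

# DOS Int 21h functions relevant to a resident hook: 35h get vector,
# 25h set vector, 31h terminate-and-stay-resident.
HOOK_FUNCS = {0x35: "get vector", 0x25: "set vector", 0x31: "TSR"}


def int21_calls(data: bytes, window: int = 8):
    """Return (offset, AH) for each INT 21h (bytes CD 21) found in data.

    AH is taken from the nearest preceding MOV AH,imm8 (B4 xx) or
    MOV AX,imm16 (B8 lo hi) within `window` bytes, else None.
    Heuristic only: opcode bytes can collide with data, so treat as a lead.
    """
    calls = []
    for m in re.finditer(rb"\xcd\x21", data):
        pre = data[max(0, m.start() - window):m.start()]
        ah = None
        for i in range(len(pre) - 2, -1, -1):   # scan backwards, nearest wins
            if pre[i] == 0xB4:
                ah = pre[i + 1]
                break
            if pre[i] == 0xB8 and i + 2 < len(pre):
                ah = pre[i + 2]
                break
        calls.append((m.start(), ah))
    return calls


def triage(data: bytes) -> dict:
    """Static summary a sysop could attach when forwarding a sample."""
    calls = int21_calls(data)
    funcs = {ah for _, ah in calls if ah is not None}
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "markers": [(data.find(s), s.decode()) for s in MARKERS if s in data],
        "int21_calls": len(calls),
        "hook_funcs": sorted(HOOK_FUNCS[f] for f in funcs if f in HOOK_FUNCS),
        "resident_hook_suspected": 0x25 in funcs and 0x31 in funcs,
    }


# Constructed stand-in for the dropper: get/set vector, go TSR, marker string.
SAMPLE = (b"\x90" * 4 + b"\xb4\x35\xcd\x21" + b"\xb4\x25\xcd\x21"
          + b"\xb4\x31\xcd\x21" + MARKERS[0] + b"\x00")

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against a real suspect file by passing its bytes to `triage()`; a hit on the markers or on the set-vector/TSR pair is a reason to quarantine and forward, not a verdict on its own.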