****************************************************************************
                  >C O M P U T E R   U N D E R G R O U N D<
                                >D I G E S T<
              ***  Volume 2, Issue #2.19 (December 31, 1990)   **
****************************************************************************

MODERATORS:   Jim Thomas / Gordon Meyer  (TK0JUT2@NIU.bitnet)
ARCHIVISTS:   Bob Krause / Alex Smith / Bob Kusumoto
RESIDENT RAPMASTER:  Brendan Kehoe

USENET readers can currently receive CuD as alt.society.cu-digest.

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may be reprinted as long as the source is
cited.  Some authors, however, do copyright their material, and those
authors should be contacted for reprint permission.  It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified. Readers are encouraged to submit reasoned articles relating to
the Computer Underground.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
DISCLAIMER: The views represented herein do not necessarily represent the
            views of the moderators. Contributors assume all
            responsibility for assuring that articles submitted do not
            violate copyright protections.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

------------------------------

From: Bob Mahoney (Sysop, PC-Exec)
Subject: Z-modem Virus Alert
Date: December 5, 1990

********************************************************************
***  CuD #2.19: File 7 of 7: Z-Modem Virus Alert                 ***
********************************************************************

%The following was downloaded from Bob Mahoney's BBS%

                 * * * * *  W A R N I N G ! ! !  * * * * *

On December 3rd, 1990 a group called RABID National Development Corp.
released a hacked version of Chuck Forsberg's DSZ Z-Modem Protocol dated
12-03-90.  This is really the 11-19-90 version with the dates edited and a
virus added to the program.

                  *** THIS VIRUS IS DESTRUCTIVE!!! ***

I obtained the virused version early this week and worked quickly to
provide this program to you.  The information I provide here may not be all
there is to know about the virus, but it is sufficient to determine that
the virus is not what you want to have.

RABID Virus Information

Preliminary testing has revealed these facts about the virus:

  * The virus is not memory resident.
  * The virus infects .COM files only, including COMMAND.COM.  (There was
    one report that it infected an .EXE file and several text files but
    this could not be confirmed or duplicated.)
  * Infected files increase in size by 5,302 bytes.
  * The virus infects other .COM files at execution time.
  * The virus will activate on 12-25-90 (Christmas) or any date thereafter.
  * When activated the boot sector, FATs and root directory will be
    overwritten with garbage.  Recovery is impossible unless you use a
    program such as PcTools Mirror to make backup copies of the system
    areas.

As far as programming goes the virus is poorly written, but it does
accomplish what it was designed to do.  The actual virus code is about
1,300 bytes with a 4,000 byte ANSI screen that is supposed to be displayed
upon activation.  I say "supposed to" because on every test I performed the
screen displayed as a bunch of video garbage.  This occurs when loading the
screen data starting at the wrong location.

The virus has been passed along to John McAfee and he will have a fix in
his next release.  However, this release is not due until February and that
is too late for those infected already.  The information has also been
passed along to Chuck Forsberg and he is aware of the situation.

VirusFix Instructions

The operation of VirusFix is simple.  To scan entire disk(s), just specify
the disk(s) you wish to scan.

Examples:

     VIRUSFIX C:
     VIRUSFIX C: D:
     VIRUSFIX A:

To scan a single directory, specify the directory to scan.

Examples:

VirusFix will notify you if the RABID virus is found and ask if you wish to
remove the virus.  Every file that I infected and removed the virus from
has worked properly so VirusFix should work with most files.  If you remove
a virus from a file and it doesn't work, delete the file and replace it
with an uninfected copy.

If you suspect a file other than .COM files is infected, use a text search
program and search for the string "RABID" in the suspect file.

If you have questions or comments about VirusFix or need help with removing
a virus from a file I can be reached through the following sources:

     CompuServe - User ID: 76645,3446
     Home Phone - (313) 937-xxxx

********************************************************************

                           **END OF CuD #2.19**
         -> END OF VOLUME 2 -- VOLUME 3 BEGINS NEXT ISSUE <-
********************************************************************
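
Added example (not part of the original alert, and not VirusFix's code): the
two indicators the alert gives, the string "RABID" and a file growth of
5,302 bytes, checked over a directory tree.  The baseline size manifest and
the sample files are constructed assumptions.

```python
import os
import tempfile

SIGNATURE = b"RABID"   # string the alert says to search for
GROWTH = 5302          # size increase the alert reports for infected files

def contains_signature(path, chunk_size=65536):
    """Stream the file, catching a match that straddles two chunks."""
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return False
            if SIGNATURE in tail + chunk:
                return True
            tail = chunk[-(len(SIGNATURE) - 1):]

def scan(root, baseline=None):
    """Return {relative path: [reasons]}. baseline maps relative path to a
    known-good size in bytes (hypothetical manifest kept from a clean state)."""
    baseline = baseline or {}
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = []
            if contains_signature(path):
                reasons.append("signature")
            known = baseline.get(rel)
            if known is not None and os.path.getsize(path) - known == GROWTH:
                reasons.append("size+5302")
            if reasons:
                findings[rel] = reasons
    return findings

def demo():
    """Scan constructed sample files written to a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "CLEAN.COM": b"\x90" * 100,
            "GREW.COM": b"\x90" * (100 + GROWTH),
            "MARKED.TXT": b"x" * 65534 + SIGNATURE + b"y" * 10,  # spans chunks
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan(root, {"CLEAN.COM": 100, "GREW.COM": 100})

if __name__ == "__main__":
    print(demo())
```

A hit on either indicator is a lead to check by hand: any file that merely
mentions the string, this alert included, will match the signature test.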