|
NCSA Virus Report #62
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
???????????????????????????????
? VIRUS REPORT ?
? Fu Manchu ?
???????????????????????????????
Synonyms: 2080, 2086
Date of Origin: March 10, 1988.
Place of Origin: written by Sax Rohmer.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects COM, EXE, overlay files.
OnScreen Symptoms: You may see the message "You will hear from me again!"
Increase in Size of Infected Files: 2086 bytes for COM files, 2080 bytes
for EXE files.
Nature of Damage: Affects system run-time operation. Corrupts COM and
EXE files. Some versions corrupt overlay, SYS, and BIN files.
Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan.
Removed by: CleanUp, Scan/D, or F-Prot.
Derived from: Jerusalem.
Scan Code: encrypted. You may be able to find the marker "sAXrEMHOr" in
infected files. You can also search at offset 1EEH for FC B4 E1 CD 21 80
FC E1 73 16.
The virus occurs attached to the beginning of a COM file, or the end
of an EXE file. It is a rewritten ("improved") version of the Jerusalem
virus, and most of what is said for that virus applies here with the
following changes:
* The code to delete programs, slow down the machine, and display the
black window has been removed, as has the dead area at the end of the
virus and some sections of unused code.
* The marker is now 'rEMHOr' (six bytes), and the preceeding 'sU' is
now 'sAX' (Sax Rohmer - creator of Fu Manchu).
* COM files now increase in length by 2086 bytes & EXE files 2080
bytes. EXE files are now only infected once.
* One in sixteen times on infection a timer is installed which runs for
a random number of half-hours (maximum 7.5 hours). At the end of this
time the message "The world will hear from me again!" is displayed in
the center of the screen and the machine reboots. This message is
also displayed every time Ctrl-Alt-Del is pressed on an infected
machine, but the virus does not survive the reboot.
* There is further code which activates on or after the first of August
1989. This monitors the keyboard buffer, and makes derogatory
additions to the names of politicians (Thatcher, Reagan, Botha &
Waldheim), censors out two four-letter words, and to "Fu Manchu" adds
"virus 3/10/88 - latest in the new fun line!" All these additions go
into the keyboard buffer, so their effect is not restricted to the
monitor. All messages are encrypted.
Some versions of this virus can infect overlay, SYS, and BIN files.
It is still rare in the U.S.
??????????????????????????????????????????????????????????????????????
? This document was adapted from the book "Computer Viruses", ?
? which is copyright and distributed by the National Computer ?
? Security Association. It contains information compiled from ?
? many sources. To the best of our knowledge, all information ?
? presented here is accurate. ?
? ?
? Please send any updates or corrections to the NCSA, Suite 309, ?
? 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS ?
? and upload the information: (202) 364-1304. Or call us voice at ?
? (202) 364-8252. This version was produced May 22, 1990. ?
? ?
? The NCSA is a non-profit organization dedicated to improving ?
? computer security. Membership in the association is just $45 per ?
? year. Copies of the book "Computer Viruses", which provides ?
? detailed information on over 145 viruses, can be obtained from ?
? the NCSA. Member price: $44; non-member price: $55. ?
? ?
? The document is copyright © 1990 NCSA. ?
? ?
? This document may be distributed in any format, providing ?
? this message is not removed or altered. ?
??????????????????????????????????????????????????????????????????????
|
|
