[ The following is translated from an article that appeared in "Maariv" (one
of Israel's most popular daily newspapers) on 8-Jan-1988. I translated it
myself, so I apologize for the poor style. My own comments appear in brackets
'[]' within the translated text - Nitsan ]
################################################################################
THE 'COMPUTER AIDS' VIRUS CONTINUES TO RUN WILD:
'BEWARE OF FRIDAY THE 13-TH OF MAY'
The Hebrew University [in Jerusalem] published the warning
yesterday, as on the above date the virus may destroy any
information found in the computer memory or on the disks.
Immunization programs are spread to locate the virus and
exterminate it.
by Tal Shahaf
The computer virus that got the nickname "the Israeli Virus" continues to run
wild. The Hebrew University in Jerusalem spread the warning yesterday: Don't
use your computer on Friday, the 13-th of May this year! On this day the virus
was programmed to wake up from its hibernation - and destroy any information
found in the computer memory or on the disks. For this reason, it also
got the nickname "time bomb". Moreover, every 13-th of each month, the virus
will cause a significant slow-down in the computer's response.
Evidence was received by Maariv yesterday of the existence of the virus in
many other places in addition to the Hebrew University in Jerusalem. It was
also reported to be detected in one of the I.D.F. [Israeli Defense Forces]
units using personal computers. Other messages mentioned some commercial
companies where the virus had been detected. An owner of a software house from
Tel-Aviv, who asked to stay anonymous, said that the malfunctions were detected
in software kits that were bought with the computers and were installed by the
selling company.
Eli Shapira, an owner of a computer store from Haifa, tells about infected
software kits that reached him from people in the area. The virus also
infected a computer in his store, and possibly spread to customers who had
bought software kits. According to him there was a thorough disinfection
activity that cleared the computer and the diskettes in the store.
Computer experts warn that the virus may now be in any software and in any
computer, including those purchased in computer stores.
Currently, the Hebrew University spreads immunization programs that enable
detecting the virus in the computer memory and exterminating it. A new problem
popped up though: A mutation of the virus may show up, a few times as dangerous
as the current virus. It all depends on the source of the virus and whether
the person responsible for it is some computer wizard who did it for fun or
some psychopath who does not control his moves.
"THE ISRAELI VIRUS" SPREADS AT THE RATE OF AIDS
The immunization programs fit only the virus from Jerusalem.
Stopping of unauthorized software copying phenomenon is expected.
by Tal Shahaf
The model that best fits the spreading of the computerized virus is the
AIDS virus, so claim computer staff. The resemblance is in all dimensions. The
spreading rate of the virus is amazing. A single infected diskette is
sufficient for infecting thousands of personal computers. It is passed by
diskettes going between computers, and also by telephone communication between
computers. Yesterday it was found out that the virus was much wider spread than
what was thought.
For this reason, users are warned not to receive diskettes from unknown
sources. First precaution: not to use diskettes without the "computerized
condom": a little sticker that prevents any damage to the information on the
diskette.
The computer community is grateful for stopping the process of unauthorized
copying of software that reached incredible use lately. Exactly like AIDS, that
generated the safe sex phenomenon, the computerized virus is about to generate
the phenomenon of decent use only of software.
The phenomenon of growing infected software was discovered yesterday as a side
effect only. The real damage is the time bomb hidden: Every 13-th of each
month, the virus will cause a significant slow-down in the computer response, and
on the 13-th of May this year it will erase all the information in the computer.
Yuval Rahavi, the computer expert from Jerusalem who discovered the vicious
virus, explains that it is a small and sophisticated computer program. When
the computer is turned on, the program is loaded into the computer memory, and
from now on, any program invoked is contaminated. When the virus identifies a new
program, it joins it without disturbing its activity. From now on, any use of
this software, or transferring it to another user, means spreading the virus.
The temporary solution to the problem is the immunization programs written by
Rahavi. One is used to detect the virus and the other for prevention. It is
loaded into the computer memory before any other software. If the virus then
attempts to reside in the memory, the program will give appropriate warning.
People from the Hebrew University distributed information that described the
virus for all the computer users at the universities, joined with copies of the
immunization programs.
Ofer Ahituv, an owner of a software house, thinks the source for the virus is
in one of the software houses which became involved with his programmers.
According to him, all his software kits will now be distributed carrying a label
specifying they were checked and found clean of any virus.
The possibility of a new virus, which is more dangerous, scares computer people.
Such a virus may harm the information, erase it slowly in such a way it is not
felt. This way, accountants may find out all their clients' accounting data has
been erased, banks will lose their customers' data, stores - their cash register
data.
The immunization programs are good for fighting the current virus. If a new
virus pops up - these immunizations will be worthless.
Ezra Ben-Kohav, chairman of the computer organization I.O.I.P. [Israeli
Organization for Information Processing] told Maariv yesterday: "There is no
law that defined such action as crime. If the author is caught, there will be
nothing to blame him/her for."
Arie Bender gives the following message: A search team was established in the
Hebrew University, which includes Hilel Bar-Dayan, Amiram Ofir, Eli Peled and
Elisha Ben-Ezra. People in the university asked yesterday to make clear there
was no information or suspicion about the creators of the virus, including
students of the Talpiot program [a special program for young students that
combines army studying].
THIS IS HOW TO PROTECT YOUR COMPUTER
Yossi Gil, one of the computer people who discovered the virus, suggests several
defense activities for the computer users who receive a new diskette and want
to check it.
1. During the check activate the computer without a hard disk, that may be
infected by the virus.
2. Use diskettes that carry no important information/programs.
3. Invoke the checked software with a diskette protected by a sticker.
4. Invoke the software again with a diskette without a sticker.
5. Compare the two diskettes using a compare program. If no differences are
found, you may assume the checked diskette is free of the virus.
6. Another rule which is always important: Prepare a copy of any important
diskette, and specify the date when the copy was done. If the virus attacks
your computer, you will be able to restore the damaged programs from these
copies. (by Tal Shahaf)
THE VIRUS REACHED HAIFA
The "Israeli virus" was also detected, after causing much damage, in the
educational center of the ministry of education in the Rotenberg building on the
Carmel [mountain in Haifa]. There is a computer project going on at this site, in
which tens of students participate. The center manager, Gideon Goldstein, and
the project people Michael Hazan and Gadi Kats, said that 6 weeks ago a virus
was discovered, which destroyed 15 thousand dollars' worth of software and 2
disks in which 7000 hours of work had been invested, in an irrecoverable way.
(by Reuven Ben-Zvi)
PANIC AMONG OWNERS OF PERSONAL COMPUTERS
The Israeli virus panic moved from within the campus and spread out also to the
computer consumers in Jerusalem. In many stores there were customers reporting
symptoms in their home computers, that matched those which had been found in
the P.C. systems in the university. "This morning we ran into and heard about a
few cases", said Emanuel Marinsky, manager of computer services lab, "It raises
panic". (by Arie Bender)
################################################################################
[ The following is a local reply to the original note from one of our
engineering group ]
<<< SYS$COMMON:[NOTES$LIBRARY]ADVISORY.NOTE;1 >>>
-< Local Advisory Subjects >-
================================================================================
Note 48.1 P.C. Virus Warning 1 of 1
TAVENG::MONTY "LEG has it now - FCS '91" 25 lines 10-JAN-1988 10:25
-< Important notice about PC virus >-
--------------------------------------------------------------------------------
The PC belonging to the Local Engineering group has been infected by
one of the flavors of viruses commonly doing the rounds.
NOTE : We work in a "safe environment" (AID-less) and only use public
domain or bought programs. So if our PC got infected, I'm pretty sure
everyone else's PC is infected.
I suspect SOMEONE (no finger pointing yet) used an infected diskette on
our PC and thus infected our hard disk.
a. Anyone using a PC should check that it is not infected.
The signs are that after any utility is run, disc space
disappears.
b. Anyone who has used the LEG machine over the last fortnight
or has received a field test diskette, should NOT pass the
diskette to any customer [unless you don't like the
customer ;-) ].
To paraphrase the adverts "PLEASE PRACTICE SAFE COMPUTING", don't
accept diskettes or programs from strangers !!!!!
....... Monty
The following is copied from the "Help" of the CDC
of the Hebrew University in Jerusalem:
--------------------------------------------------------------------------------
The Israeli PC Virus
====================
A very contagious "virus" is spreading on IBM and similar personal computers
in Israel, for the time being mainly in Jerusalem. By a "virus" is meant a
program which not only does deliberate damage (like "Trojan horse") but also
propagation may take place by means of diskettes, electronic mail, or networks.
The present virus, which we shall call the Israeli virus (even though we are
not yet sure whether it began in Israel), has the following effects: (1) It
causes EXE files to grow in size by 1808 bytes each time they are executed,
until they can no longer be loaded into memory or until there is no longer
room on the disk (hard disk or diskette). (It also affects COM files, although
the increase in size takes place only once.) (2) It inserts delays so that
execution is very slow on certain days, namely on Fridays and on the 13th of
each month. (3) Worst of all, any disk which contains an infected file will be
wiped out entirely on any 13th of the month which falls on a Friday (the next
such date being May 13!) Of course, whenever an infected file is copied to
another disk and executed there, it can begin to infect executable files on
that disk also.
Fortunately, an antidote and a "vaccine" have been developed for this particular
virus. It is available in the form of two programs which we call ANTIVIR and
IMMUNIZ, the first of which cures infected files, while the second prevents
future infection. (These are slightly modified versions of programs written by
Yuval Rakavy and Omri Mann of the Computer Science Dept.)
The program ANTIVIR scans a disk for infected files, reports on any such file
which it finds (incl. the number of times it has been executed), and fixes each
of them by removing the portions which were added by the virus. Actually, there
are several variations on this action, depending on the parameters. This will be
clear from the following examples:
ANTIVIR C:\             reports on and fixes all infected files on drive C (the
                        root directory and all subdirectories).
ANTIVIR C:\ABC          does the same except that it affects only the directory
                        C:\ABC and its subdirectories.
ANTIVIR A:filename.ext  checks and fixes a single file on drive A.
ANTIVIR -N .....        checks the specified drive or file and displays a
                        message for each file which is infected; however, it
                        does not fix any files.
Notes:
(1) ANTIVIR requires temporary file space on the disk on which it is activated;
hence if the disk is full or nearly full, you will have to move some of the
files to another disk temporarily.
(2) Files that contain overlays are not fixed correctly, but they are reported.
To fix such files, you must restore them from a backup copy.
(3) The present version does not give an appropriate message when it fixes a
COM file; it says that the virus exists but forgets to mention that it has
been fixed.
The other program, IMMUNIZ, is a RAM-resident program which prevents the virus
from causing any future damage, and displays a message whenever the virus
attempts to infect a program. It is recommended that you place the file
IMMUNIZ.EXE in your root directory and that you insert the line IMMUNIZ near
the beginning of your AUTOEXEC.BAT file so that it will be performed before
any other programs are executed.
These two programs, ANTIVIR.EXE and IMMUNIZ.EXE, as well as other files
described below, have been stored on the CDC mainframe, from which they may be
downloaded to your PC by any file transfer software. For details, see the
description at the end of this document.
How the virus works: When you execute an infected EXE or COM file the first time
after booting, the virus steals interrupt 21h and inserts its own code. After
this has been done, whenever any EXE file is executed, the virus code is copied
to the end of the file. The situation with COM files is similar, except that the
code is added to the beginning of the file and this can occur only once. The
effects of this infection are the delays on certain dates which were mentioned
above, and the destruction of the contents of the disk on Friday the 13th by
means of a format command directly to the controller. Note that this virus
infects even read-only files and that it does not change the date and time of
the file which it enlarges.
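
Added example (not part of the original advisory, and not the code of ANTIVIR or
IMMUNIZ): since the virus leaves file dates and read-only attributes untouched, a
baseline check has to compare sizes and content hashes, which is also what the
two-diskette comparison in the newspaper article amounts to. The Python code
below assumes a modern host; the names snapshot, compare and demo and the sample
files are constructed for illustration.

```python
import hashlib
import os
import tempfile

GROWTH = 1808                 # bytes added per infection, per the advisory
EXTS = {".exe", ".com"}       # file types the advisory says are affected

def snapshot(root):
    """Map each EXE/COM file under root to (size, mtime_ns, sha256)."""
    state = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            st = os.stat(path)
            state[os.path.relpath(path, root)] = (st.st_size, st.st_mtime_ns, digest)
    return state

def compare(before, after):
    """List files whose content changed, judged by hash, never by timestamp."""
    findings = []
    for rel, (size0, mtime0, hash0) in sorted(before.items()):
        if rel not in after:
            findings.append({"file": rel, "status": "missing"})
            continue
        size1, mtime1, hash1 = after[rel]
        if hash1 == hash0:
            continue
        growth = size1 - size0
        # Growth in whole multiples of 1808 bytes matches the described symptom.
        steps = growth // GROWTH if growth > 0 and growth % GROWTH == 0 else 0
        findings.append({"file": rel, "status": "modified", "growth": growth,
                         "mtime_preserved": mtime1 == mtime0, "steps_of_1808": steps})
    return findings

def demo():
    """Constructed sample: pad one file by 2 x 1808 bytes, keep its timestamp."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"EDIT.EXE": b"MZ" + bytes(510), "MORE.COM": bytes(64), "READ.TXT": b"x"}
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        before = snapshot(root)
        target = os.path.join(root, "EDIT.EXE")
        st = os.stat(target)
        with open(target, "ab") as fh:
            fh.write(bytes(2 * GROWTH))       # inert zero padding only
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # date unchanged
        return compare(before, snapshot(root))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Keep the baseline snapshot on write-protected media, since a baseline stored on the checked disk can be altered along with the files.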
We emphasize that these two programs are specific to this particular virus. They
will not help with any other virus; in particular, the author of the virus will
probably try to improve it so as to make the above two programs ineffective at
some time in the future, even if this causes damage to him as well.
Remark: This virus is not the same as that which was discovered at Lehigh
University in the U.S. in November. That virus infects only COMMAND.COM files
and destroys the contents of disks (both hard disks and floppies) after it has
propagated itself four times to other disks.
General Precautions
-------------------
In addition to using the above programs which are specific to the above virus,
there are some general precautions which you can take to protect your files:
(1) When you obtain a new program, make a copy of it for use and save the
original for backup purposes only.
(2) Make periodic backups of all your important data files. (While it is
ordinarily less essential, you can also make backups of executable files
which you have created, but only if you are certain that they are not
already infected.)
(3) Take care when executing a program which comes from someone else. Remember
that he may communicate the virus even though he has not yet noticed any
strange behavior on his own disk.
(4) Whenever you use a diskette which you do not have to write on, put a
write-protect tab on it.
(5) There are software equivalents of write-protect tabs for hard disks. One
such program is known as PROTECT and is available to NOS users (see below).
It works as a toggle, i.e. the first time it is executed, it turns the
protection on; the next time it turns the protection off. (To reduce the
possibility of someone's tampering with this program, it is suggested that
you change the name PROTECT to something else and to turn on the "hidden"
attribute (see below) of the file.) Activate this program especially when
you test new software (which is not supposed to perform any writing) on
your hard disk. (If the software is supposed to perform writing, test it on
a diskette instead.)
(6) There is software which hides files, i.e. which prevents their names from
appearing when DIR is performed. Some of them can also hide subdirectories
from the DIR and TREE commands. One of the better programs of this sort is
called ATTRIBC (see below).
Note: While these measures will work against most trouble makers, they are not
guaranteed to work against all of them. For example, the Israeli virus infects
read-only and hidden files just like ordinary files, and the software write
protection described above can also be circumvented.
How to obtain useful anti-virus programs via NOS
------------------------------------------------
One way of obtaining these programs is by means of a file transfer program such
as CONNECT or KERMIT. After activating such a program, get into terminal mode,
log in, perform the NOS command GET,file[,file2,...]/UN=MICRO and then transfer
each of these files to your PC (in BINARY mode except for the one case described
below). The files which are relevant to this document are as follows:
Host file       Micro file    Transfer
name UN=MICRO   name (DOS)    mode       Description
-------------   -----------   --------   ---------------------------------------
ANTIVIR         ANTIVIR.EXE   Binary     Reports on and fixes infected files
IMMUNIZ         IMMUNIZ.EXE   Binary     Prevents future infection
PROTECT         PROTECT.COM   Binary     Write-protect for hard disks
ATTRIBE         ATTRIBC.EXE   Binary     Displays or changes attributes of files
ATTRIBD         ATTRIBC.DOC   Ascii      Description of use of ATTRIBC
It is also possible to obtain these programs by bringing a formatted diskette to
the advisor in the Taylor Bldg. between 10:00 A.M. and 1:00 P.M.
Note: The micro file names shown are the standard ones. As mentioned above, it
is suggested that you change the name of at least PROTECT.COM to some other
name.
Acknowledgements
----------------
This guide was prepared by Yisrael Radai, much of it based on information
supplied by Amiram Ofir of the Computer Science Dept.