textfiles/virus/NCSA/ncsa002.txt

                    <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
                    <20>        VIRUS REPORT         <20>
                    <20>          405 Virus          <20>
                    <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>

Host Machine: PC compatibles.

Host Files: Overwriting, non-resident. Infects
     COM (and possibly EXE) files.

Increase in Size of Infected Files: If file is
     shorter than 405 bytes, it is replaced with the 405 byte virus. If
     longer than 405 bytes, the first 405 bytes are overwritten.

Nature of Damage: Overwrites COM files.

Detected by: ScanV46+, F-Prot, IBM Scan.

Removed by: Scan/D, F-Prot, or delete the infected files.

Scan Code: B8 00 00 26 A2 49 02 26 A2 4B 02
     26 A2 8B 02 50 B4 19 CD 21 26 A2 49 02 B4 47 04 01. You can
     search at offset 00AH for 26 A2 49 02 26 A2 4B 02 26 A2.

     This virus overwrites the first 405 bytes of a COM file in the
current directory. If the length of the file to be infected is less than
405 bytes, the length is increased to 405.  Due to coding errors, the
virus unsuccessfully attempts to infect in other than the current
directory. The virus is not able to recognize an infected file. Thus it
will re-infect a file again and again. However, because it overwrites
the first 405 bytes, the infected files do not grow in size. It is
similar to the Virus 1.1 published in Ralf Burger's book.


<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD>  This document was adapted from the book "Computer Viruses",       <20>
<EFBFBD>  which is copyright and distributed by the National Computer       <20>
<EFBFBD>  Security Association. It contains information compiled from       <20>
<EFBFBD>  many sources. To the best of our knowledge, all information       <20>
<EFBFBD>  presented here is accurate.                                       <20>
<EFBFBD>                                                                    <20>
<EFBFBD>  Please send any updates or corrections to the NCSA, Suite 309,    <20>
<EFBFBD>  4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS  <20>
<EFBFBD>  and upload the information: (202) 364-1304. Or call us voice at   <20>
<EFBFBD>  (202) 364-8252. This version was produced May 22, 1990.           <20>
<EFBFBD>                                                                    <20>
<EFBFBD>  The NCSA is a non-profit organization dedicated to improving      <20>
<EFBFBD>  computer security. Membership in the association is just $45 per  <20>
<EFBFBD>  year. Copies of the book "Computer Viruses", which provides       <20>
<EFBFBD>  detailed information on over 145 viruses, can be obtained from    <20>
<EFBFBD>  the NCSA. Member price: $44; non-member price: $55.               <20>
<EFBFBD>                                                                    <20>
<EFBFBD>            The document is copyright (c) 1990 NCSA.                <20>
<EFBFBD>                                                                    <20>
<EFBFBD>  This document may be distributed in any format, providing         <20>
<EFBFBD>  this message is not removed or altered.                           <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253