textfiles/virus/NCSA/ncsa034.txt

                    <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
                    <20>        VIRUS REPORT         <20>
                    <20>        Cascade Virus        <20>
                    <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>

Synonyms: 1701, Falling Letters, Falling Tears, Fall virus, Autumn
Leaves.

Date of Origin: late 1987.

Place of Origin: Switzerland?

Host Machine: The 1701 version will infect both true IBM PC's and PC
compatibles; the 1704 version will only affect PC compatibles. This is
the only difference between the two versions.

Host Files: Remains resident. Infects COM files. Uses self-encryption.

OnScreen Symptoms: If the system month is between September and
December, and the system year is either 1980 or 1988, and the monitor is
either CGA or VGA, the cascade display will be activated at random
intervals.

Increase in Size of Infected Files: 1701 or 1704 bytes (two different
versions).

Nature of Damage: Affects system run-time operation. Corrupts program or
overlay files.

Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan.

Removed by: M-1704, CleanUp, or F-Prot. You may also follow the
instructions for removing the Jerusalem virus.

Derived from: A NumLock utility Trojan horse.

Scan Code: Uses self-encryption.   FA 8B EC E8 00 00 5B 81 EB 31 01 2E F6
87 2A 01 01 74 0F 8D B7 4D 01 BC 82 06 31 34 31 24 46 4C 75 F8. You can
also search at offset 01BH for 31 34 31 24 46 4C 75 F8.

     This virus was adapted from a Trojan utility which was claimed to
turn of the Num Lock light and mode. The Trojan caused characters on CGA
screens to "fall" to the bottom of the screen. In late 1987 this Trojan
was turned into a memory resident COM virus, and reported by Rudolf
Rindler of Switzerland.

     Two version of the virus exist.

*   The 1701 version increases the size of COM files by 1,701 bytes, and
    infect both machines containing an IBM copyright notice in the ROM
    and clones.

*   The 1704 version increases the size of COM files by 1,704 bytes, and
    infects only clones.

     The virus occurs attached to the end of a COM file.  The first three
bytes of the program are stored in the virus, and replaced by a branch to
the beginning of the virus. It becomes memory-resident when the first
infected program is run, and it will then infect every COM file run (even
if the file has an EXE extension).

     The virus is unique in several ways:

*   The virus is encrypted (apart from the first 35 bytes) using an
    algorithm that includes the length of the host program, so every
    sample looks different.

*   The mechanics of its activation are complex, being based on
    randomizations, machine types, monitor type, presence or absence of
    clock cards, and time of year.  The virus activates on any machine
    with a CGA or VGA monitor, in the months of September, October,
    November or December, in the year 1980 or 1988 (systems without clock
    cards will often have a date set to 1980).

*   Occasionally, 1701 triggers a "hailstorm".  The characters on the
    screen behave as if the were pinned to the screen, and someone is
    removing the pins one at a time <197> it looks a bit like a hailstorm,
    and has appropriate sound effects.  In fact, it is a purely
    audio-visual effect - nothing is happening to your data. But over
   -reaction at this point -- turning the machine off -- may result in
    lost clusters and file damage.

     To remove the virus, either run M-1704 or follow the instructions
offered for the Jerusalem virus.


<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD>  This document was adapted from the book "Computer Viruses",       <20>
<EFBFBD>  which is copyright and distributed by the National Computer       <20>
<EFBFBD>  Security Association. It contains information compiled from       <20>
<EFBFBD>  many sources. To the best of our knowledge, all information       <20>
<EFBFBD>  presented here is accurate.                                       <20>
<EFBFBD>                                                                    <20>
<EFBFBD>  Please send any updates or corrections to the NCSA, Suite 309,    <20>
<EFBFBD>  4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS  <20>
<EFBFBD>  and upload the information: (202) 364-1304. Or call us voice at   <20>
<EFBFBD>  (202) 364-8252. This version was produced May 22, 1990.           <20>
<EFBFBD>                                                                    <20>
<EFBFBD>  The NCSA is a non-profit organization dedicated to improving      <20>
<EFBFBD>  computer security. Membership in the association is just $45 per  <20>
<EFBFBD>  year. Copies of the book "Computer Viruses", which provides       <20>
<EFBFBD>  detailed information on over 145 viruses, can be obtained from    <20>
<EFBFBD>  the NCSA. Member price: $44; non-member price: $55.               <20>
<EFBFBD>                                                                    <20>
<EFBFBD>            The document is copyright (c) 1990 NCSA.                <20>
<EFBFBD>                                                                    <20>
<EFBFBD>  This document may be distributed in any format, providing         <20>
<EFBFBD>  this message is not removed or altered.                           <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253