textfiles/virus/NCSA/ncsa062.txt
2021-04-15 13:31:59 -05:00


┌─────────────────────────────┐
│        VIRUS REPORT         │
│          Fu Manchu          │
└─────────────────────────────┘
Synonyms: 2080, 2086
Date of Origin: March 10, 1988.
Place of Origin: written by Sax Rohmer.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects COM, EXE, overlay files.
OnScreen Symptoms: You may see the message "You will hear from me again!"
Increase in Size of Infected Files: 2086 bytes for COM files, 2080 bytes
for EXE files.
Nature of Damage: Affects system run-time operation. Corrupts COM and
EXE files. Some versions corrupt overlay, SYS, and BIN files.
Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan.
Removed by: CleanUp, Scan/D, or F-Prot.
Derived from: Jerusalem.
Scan Code: encrypted. You may be able to find the marker "sAXrEMHOr" in
infected files. You can also search at offset 1EEH for FC B4 E1 CD 21 80
FC E1 73 16.
The virus occurs attached to the beginning of a COM file, or the end
of an EXE file. It is a rewritten ("improved") version of the Jerusalem
virus, and most of what is said for that virus applies here with the
following changes:
* The code to delete programs, slow down the machine, and display the
black window has been removed, as has the dead area at the end of the
virus and some sections of unused code.
* The marker is now 'rEMHOr' (six bytes), and the preceding 'sU' is
now 'sAX' (Sax Rohmer - creator of Fu Manchu).
* COM files now increase in length by 2086 bytes & EXE files 2080
bytes. EXE files are now only infected once.
* One in sixteen times on infection a timer is installed which runs for
a random number of half-hours (maximum 7.5 hours). At the end of this
time the message "The world will hear from me again!" is displayed in
the center of the screen and the machine reboots. This message is
also displayed every time Ctrl-Alt-Del is pressed on an infected
machine, but the virus does not survive the reboot.
* There is further code which activates on or after the first of August
1989. This monitors the keyboard buffer, and makes derogatory
additions to the names of politicians (Thatcher, Reagan, Botha &
Waldheim), censors out two four-letter words, and to "Fu Manchu" adds
"virus 3/10/88 - latest in the new fun line!" All these additions go
into the keyboard buffer, so their effect is not restricted to the
monitor. All messages are encrypted.
Some versions of this virus can infect overlay, SYS, and BIN files.
It is still rare in the U.S.
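
Added example, not part of the NCSA report: a Python check for the two indicators given in the Scan Code entry above. It assumes offset 1EEH is counted from the start of the file, which fits a COM file where the virus sits at the beginning; because the report places the virus at the end of EXE files, the code also searches the whole image. All function and variable names are this example's own, and the sample buffers are constructed filler.

```python
from dataclasses import dataclass

# Indicators quoted in the report's "Scan Code" entry.
MARKER = b"sAXrEMHOr"
SIGNATURE = bytes.fromhex("FC B4 E1 CD 21 80 FC E1 73 16")
SIG_OFFSET = 0x1EE  # assumption: counted from the start of the file
EXE_GROWTH = 2080   # size increase the report gives for EXE files

@dataclass
class ScanResult:
    sig_at_offset: bool   # signature exactly at file offset 1EEh
    sig_offsets: list     # every offset where the signature occurs
    marker_offsets: list  # every offset where the marker occurs

    @property
    def suspicious(self):
        return bool(self.sig_offsets or self.marker_offsets)

def find_all(data, pattern):
    """Return every offset at which pattern occurs in data."""
    hits, pos = [], data.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = data.find(pattern, pos + 1)
    return hits

def scan_bytes(data):
    """Check one file image against both indicators."""
    window = data[SIG_OFFSET:SIG_OFFSET + len(SIGNATURE)]
    return ScanResult(window == SIGNATURE, find_all(data, SIGNATURE),
                      find_all(data, MARKER))

def scan_file(path):
    """Scan a file on disk (opened read-only)."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())

def make_sample(sig_at, size=4096):
    """Constructed test image: zero filler plus the two indicators."""
    buf = bytearray(size)
    buf[sig_at:sig_at + len(SIGNATURE)] = SIGNATURE
    buf[-len(MARKER):] = MARKER
    return bytes(buf)

# Constructed samples; the EXE layout (signature 1EEh into the last
# 2080 bytes) is an assumption made for this example.
COM_LIKE = make_sample(SIG_OFFSET)
EXE_LIKE = make_sample(4096 - EXE_GROWTH + SIG_OFFSET)
CLEAN = bytes(4096)
```

On the EXE-style sample the fixed-offset check alone reports nothing, so a scan that relies only on offset 1EEH would miss it; the whole-file search is what flags it.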
╔══════════════════════════════════════════════════════════════════╗
║ This document was adapted from the book "Computer Viruses",      ║
║ which is copyright and distributed by the National Computer      ║
║ Security Association. It contains information compiled from      ║
║ many sources. To the best of our knowledge, all information      ║
║ presented here is accurate.                                      ║
║                                                                  ║
║ Please send any updates or corrections to the NCSA, Suite 309,   ║
║ 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS ║
║ and upload the information: (202) 364-1304. Or call us voice at  ║
║ (202) 364-8252. This version was produced May 22, 1990.          ║
║                                                                  ║
║ The NCSA is a non-profit organization dedicated to improving     ║
║ computer security. Membership in the association is just $45 per ║
║ year. Copies of the book "Computer Viruses", which provides      ║
║ detailed information on over 145 viruses, can be obtained from   ║
║ the NCSA. Member price: $44; non-member price: $55.              ║
║                                                                  ║
║ The document is copyright (c) 1990 NCSA.                         ║
║                                                                  ║
║ This document may be distributed in any format, providing        ║
║ this message is not removed or altered.                          ║
╚══════════════════════════════════════════════════════════════════╝

Downloaded From P-80 International Information Systems 304-744-2253