ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ VIRUS REPORT ³ ³ Fu Manchu ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Synonyms: 2080, 2086 Date of Origin: March 10, 1988. Place of Origin: written by Sax Rohmer. Host Machine: PC compatibles. Host Files: Remains resident. Infects COM, EXE, overlay files. OnScreen Symptoms: You may see the message "You will hear from me again!" Increase in Size of Infected Files: 2086 bytes for COM files, 2080 bytes for EXE files. Nature of Damage: Affects system run-time operation. Corrupts COM and EXE files. Some versions corrupt overlay, SYS, and BIN files. Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan. Removed by: CleanUp, Scan/D, or F-Prot. Derived from: Jerusalem. Scan Code: encrypted. You may be able to find the marker "sAXrEMHOr" in infected files. You can also search at offset 1EEH for FC B4 E1 CD 21 80 FC E1 73 16. The virus occurs attached to the beginning of a COM file, or the end of an EXE file. It is a rewritten ("improved") version of the Jerusalem virus, and most of what is said for that virus applies here with the following changes: * The code to delete programs, slow down the machine, and display the black window has been removed, as has the dead area at the end of the virus and some sections of unused code. * The marker is now 'rEMHOr' (six bytes), and the preceeding 'sU' is now 'sAX' (Sax Rohmer - creator of Fu Manchu). * COM files now increase in length by 2086 bytes & EXE files 2080 bytes. EXE files are now only infected once. * One in sixteen times on infection a timer is installed which runs for a random number of half-hours (maximum 7.5 hours). At the end of this time the message "The world will hear from me again!" is displayed in the center of the screen and the machine reboots. This message is also displayed every time Ctrl-Alt-Del is pressed on an infected machine, but the virus does not survive the reboot. * There is further code which activates on or after the first of August 1989. This monitors the keyboard buffer, and makes derogatory additions to the names of politicians (Thatcher, Reagan, Botha & Waldheim), censors out two four-letter words, and to "Fu Manchu" adds "virus 3/10/88 - latest in the new fun line!" All these additions go into the keyboard buffer, so their effect is not restricted to the monitor. All messages are encrypted. Some versions of this virus can infect overlay, SYS, and BIN files. It is still rare in the U.S. ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» º This document was adapted from the book "Computer Viruses", º º which is copyright and distributed by the National Computer º º Security Association. It contains information compiled from º º many sources. To the best of our knowledge, all information º º presented here is accurate. º º º º Please send any updates or corrections to the NCSA, Suite 309, º º 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS º º and upload the information: (202) 364-1304. Or call us voice at º º (202) 364-8252. This version was produced May 22, 1990. º º º º The NCSA is a non-profit organization dedicated to improving º º computer security. Membership in the association is just $45 per º º year. Copies of the book "Computer Viruses", which provides º º detailed information on over 145 viruses, can be obtained from º º the NCSA. Member price: $44; non-member price: $55. º º º º The document is copyright (c) 1990 NCSA. º º º º This document may be distributed in any format, providing º º this message is not removed or altered. º ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ  Downloaded From P-80 International Information Systems 304-744-2253