ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ VIRUS REPORT ³ ³ 3066 ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Synonyms: Traceback. Host Machine: PC compatibles. Host Files: Remains resident. Infects COM, EXE files. OnScreen Symptoms: Cascading display one hour after activation, lasting one minute, followed by restoration of screen to condition prior to cascade. Increase in Size of Infected Files: 3066 bytes. Nature of Damage: Corrupts COM and EXE files. Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan. Removed by: M-3066, VirClean, F-Prot, or delete any infected files. Derived from: Traceback II/2930. Scan Code: E8 71 06 E8 28 06 B4 19 CD 21 89 B4 51 01 81 84 51 01 84 08 8C 8C 53 01. You can also search at 108H for 89 B4 51 01 81 84 51 01 84 08. After an infected program is run, Traceback becomes memory resident, infecting every COM or EXE that is run. Additionally, if the system date is after December 5, 1988, it will attempt to infect one additional COM or EXE file in the current directory. If no uninfected file are available in the current directory, it searches the entire disk, starting at the root directory, looking for a victim. This search terminates if it encounters an infected file before finding a candidate non-infected file. This virus derives its name from two characteristics: * Infected files contain the directory path of the file causing the infection within the viral code. Consequently, it is possible to "trace back" the infection through a number of files. * When Traceback succeeds in infecting a program, it attempts to update a counter in the program from which Traceback was activated in that session. Because Traceback takes over disk error handling while trying to update the original infected program, the user will be unaware that an error occurred if Traceback can't update its counter. The primary symptom of the Traceback virus having infected the system is that it will produce a screen display with a cascading effect similar to the Cascade/1701/1704 virus. The cascading display occurs one hour after system memory is infected, and lasts one minute, after which the display is restored. Any keystroke during this interval will hang up the system. The cascade/restore sequence is repeated at one hour intervals. See also 2930. ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» º This document was adapted from the book "Computer Viruses", º º which is copyright and distributed by the National Computer º º Security Association. It contains information compiled from º º many sources. To the best of our knowledge, all information º º presented here is accurate. º º º º Please send any updates or corrections to the NCSA, Suite 309, º º 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS º º and upload the information: (202) 364-1304. Or call us voice at º º (202) 364-8252. This version was produced May 22, 1990. º º º º The NCSA is a non-profit organization dedicated to improving º º computer security. Membership in the association is just $45 per º º year. Copies of the book "Computer Viruses", which provides º º detailed information on over 145 viruses, can be obtained from º º the NCSA. Member price: $44; non-member price: $55. º º º º The document is copyright (c) 1990 NCSA. º º º º This document may be distributed in any format, providing º º this message is not removed or altered. º ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ  Downloaded From P-80 International Information Systems 304-744-2253 .