frisk@rhi.hi.is (Fridrik Skulason) (08/30/90)
Yesterday I wrote that F-PROT was able to handle the removal of a previously unknown 10000 byte virus. This turned out to be somewhat incorrect, as this was not a single virus, but a combination of two viruses:

    Plastique 5.21     4096 bytes
    Jerusalem          1808+5 bytes
    Plastique 5.21     4096 bytes
                       =======
                       10000+5 bytes

This 10000 byte block somehow managed to replicate as if it was a single virus. It seems that the following sequence of events must have happened:

A program is infected with Plastique, which adds 4096 bytes in front of the .COM file. It is then infected by Jerusalem, which adds 1808 bytes in front of the Plastique virus, and appends a 5-byte signature to the end. The next time Plastique sees the program, it will reinfect it, because it does not find its signature at the beginning of the file.

Now, when the program is executed, it will not be infected again by Jerusalem, as it appears to be already infected (signature at end of file), nor will it be infected by Plastique (signature at beginning of file).

Rather remarkable....

-frisk
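The layering described in the post, modelled from the disinfector's side as an added example (not part of the original post and not F-PROT's code). The marker bytes, filler blocks and function names are constructed placeholders, not the real viruses' signatures or code; only the lengths come from the post.

```python
# Toy layout model: each "virus" is a filler block of the length given in the post.
P_LEN, J_LEN = 4096, 1808
P_MARK = b"PM"     # constructed stand-in for Plastique's marker at file start
J_SIG = b"JSIG5"   # constructed stand-in for Jerusalem's 5-byte end signature

def plastique_marked(data):
    # Plastique's "already infected" test looks only at the start of the file.
    return data.startswith(P_MARK)

def jerusalem_marked(data):
    # Jerusalem's "already infected" test looks only at the end of the file.
    return data.endswith(J_SIG)

def add_plastique(data):
    if plastique_marked(data):
        return data
    return P_MARK + b"P" * (P_LEN - len(P_MARK)) + data

def add_jerusalem(data):
    if jerusalem_marked(data):
        return data
    return b"J" * J_LEN + data + J_SIG

def build_composite(host):
    # Sequence from the post: Plastique, then Jerusalem, then Plastique again.
    return add_plastique(add_jerusalem(add_plastique(host)))

def strip_layers(data):
    # A remover has to peel from the outside in and re-check after every
    # layer: removing one block exposes the marker of the block beneath it.
    removed = []
    while True:
        if plastique_marked(data):
            data = data[P_LEN:]
            removed.append("Plastique")
        elif jerusalem_marked(data):
            data = data[J_LEN:-len(J_SIG)]
            removed.append("Jerusalem")
        else:
            return data, removed

if __name__ == "__main__":
    host = b"\x90" * 100                   # constructed stand-in for a .COM file
    composite = build_composite(host)
    print(len(composite) - len(host))      # growth of the file in bytes
    print(strip_layers(composite)[1])      # layers in the order they come off
```

A remover that stops after the first matching layer would leave the Jerusalem block and the inner Plastique block in place, which is why the loop re-tests both markers after each removal.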