padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (08/09/90)
Otto Stolz was kind enough to forward to me a hex dump of the 453 virus and the following information is now available:

1) Appender class, does not become resident.
2) Signature: The virus looks for 9090h as the last two bytes in a file, virus assumes infected if found & skips file.
3) Replication: Virus looks only for uninfected .COM files in current default directory.
4) Trigger: None
5) Bomb: None
6) Evasion: None
7) Comments: Very crude structure with much unnecessary PUSHing & POPing. Several places are noticed where more complex instructions could be used more efficiently. All calls are functions of Interrupt 21h. No trigger or bomb is present though numerous NOPs and extraneous JMPs provide plenty of space for addition.
8) Note: The apparent string "TUQ.RPVS" is simply a sequence of PUSH instructions rendered as ASCII.
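
The following is an added example, not part of the original post: a Python triage check that lists .COM files in a single directory whose last two bytes are the 9090h marker from item 2, plus a decoder that maps each character of the string in item 8 to its 8086 opcode byte. The function names and sample files are constructed for illustration.

```python
import os
import tempfile

MARKER = b"\x90\x90"  # 9090h: the self-recognition marker described in the post

# 8086 one-byte opcodes 50h-57h are PUSH r16; 2Eh is the CS: segment-override prefix.
PUSH_REGS = ["AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI"]

def has_marker(path):
    """True if the file's last two bytes are 90h 90h."""
    if os.path.getsize(path) < len(MARKER):
        return False  # too short to carry the marker
    with open(path, "rb") as f:
        f.seek(-len(MARKER), os.SEEK_END)
        return f.read() == MARKER

def scan_directory(directory):
    """Sorted names of .COM files in one directory (no recursion) ending in the marker."""
    hits = []
    for entry in os.scandir(directory):
        if entry.is_file() and entry.name.upper().endswith(".COM") and has_marker(entry.path):
            hits.append(entry.name)
    return sorted(hits)

def decode_ascii_as_opcodes(text):
    """Map each ASCII byte to the 8086 instruction it encodes, where known."""
    out = []
    for b in text.encode("ascii"):
        if 0x50 <= b <= 0x57:
            out.append(f"{b:02X} PUSH {PUSH_REGS[b - 0x50]}")
        elif b == 0x2E:
            out.append(f"{b:02X} CS: prefix")
        else:
            out.append(f"{b:02X} (not decoded)")
    return out

def demo():
    # Constructed sample files; none contain virus code.
    with tempfile.TemporaryDirectory() as d:
        samples = {"CLEAN.COM": b"\xB4\x4C\xCD\x21", "MARKED.COM": b"\xB4\x4C\xCD\x21\x90\x90",
                   "TINY.COM": b"\x90", "NOTES.TXT": b"text\x90\x90"}
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return scan_directory(d)

if __name__ == "__main__":
    print(demo())
    print(decode_ascii_as_opcodes("TUQ.RPVS"))
```

Two trailing NOP bytes can end an unrelated file, so a hit from the marker check is a lead for disassembly, not a verdict.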