CHESS@YKTVMV.BITNET (David.M.Chess) (08/01/90)
> First sighting of Slow (PC) virus reported in Australia.
Coincidentally, we just got a report from Australia as well.
Does anyone know offhand why the virus is called "slow"?
I don't see any code that slows the machine down all that
much. I probably just missed it...
Some findings about "Slow"; based on code analysis, not
on any testing:
- Self-garbling, like the 17xx family et al., but with a
reasonably large invariant part. Data areas are stored
under a second level of XOR-garble, for some reason.
- Much of the code is taken from the 1813 (Jerusalem) virus,
but Slow is better at telling EXE-format from COM-format
files, and doesn't have the EXE-reinfecting bug.
- Like the 1813, it goes resident when the first infected
program is run, and infects anything executed thereafter.
- Only "damage" seems to be that, on some Fridays after 1990,
something like every other file-close will cause the file's
timestamp to be set to zero. Sort of odd!
- The virus has a five-byte self-id string that infected files
will end with. It will rarely -change- this self-id; it
stores both the current one, and one previous one, to avoid
too much re-infection. This is no doubt to avoid
"inoculators" (which were never very interesting to start with).
- Like the 1813, it sets the CRC in the header of infected EXE
files to 1984; but it never uses the fact. Either the author
wanted to make Slow-infected files immune to the 1813, or
(more likely) he just didn't understand the 1813's code
well enough to know that the setting-to-1984 wasn't needed.
Any information about the "Slow" that adds to, or contradicts,
the above would be appreciated!
DC
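
A triage sketch for the two file-level markers described in the post above, added here as an example and not part of the original post or any scanner's code. It assumes the "CRC" is the checksum word at offset 0x12 of the DOS EXE header and, since the post gives "1984" without a base, accepts both the hex and decimal readings; the trailing self-id bytes are not given in the post, so the samples use placeholders. A hit is only a hint, since the post notes the 1813 sets the same header value.

```python
import struct
from collections import defaultdict

MZ_SIGNATURES = (b"MZ", b"ZM")  # DOS accepts either as the EXE signature
HEADER_SIZE = 0x1C              # fixed part of the DOS EXE header
CSUM_OFFSET = 0x12              # little-endian checksum word
# Assumption: the post writes "1984" without a base, so both readings count.
MARKERS = {0x1984, 1984}
ID_LEN = 5                      # length of the trailing self-id per the post


def classify(data: bytes) -> str:
    """Decide EXE vs COM from the content, never from the file extension."""
    if len(data) >= HEADER_SIZE and data[:2] in MZ_SIGNATURES:
        return "EXE"
    return "COM"


def has_checksum_marker(data: bytes) -> bool:
    """True when an EXE header carries the checksum value named in the post."""
    if classify(data) != "EXE":
        return False
    (csum,) = struct.unpack_from("<H", data, CSUM_OFFSET)
    return csum in MARKERS


def shared_tails(samples: dict) -> dict:
    """Group file names by their last ID_LEN bytes; keep tails seen twice or more."""
    groups = defaultdict(list)
    for name, data in samples.items():
        if len(data) >= ID_LEN:
            groups[data[-ID_LEN:]].append(name)
    return {tail: sorted(names) for tail, names in groups.items() if len(names) > 1}


def make_exe(csum: int, tail: bytes) -> bytes:
    """Constructed sample: zeroed EXE header with a chosen checksum and tail."""
    header = bytearray(HEADER_SIZE)
    header[:2] = b"MZ"
    struct.pack_into("<H", header, CSUM_OFFSET, csum)
    return bytes(header) + b"\x90" * 16 + tail


# Constructed samples; the tail bytes are placeholders, not the real self-id.
SAMPLES = {
    "A.EXE": make_exe(0x1984, b"PLACE"),
    "B.EXE": make_exe(0x0000, b"other"),
    "C.COM": b"\xe9\x10\x00" + b"\x90" * 16 + b"PLACE",
    "D.COM": make_exe(0x1984, b"zzzzz"),  # EXE content under a COM name
}
```

Because the post says the self-id changes only rarely and that the current and previous values are both kept, files from one infection would be expected to fall into one or two tail groups.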