[comp.virus] Troubles with CLEAN

RZOTTO@DKNKURZ1.BITNET (Otto Stolz) (07/20/90)

Hello folks,

the adventures of Martin Zejma are a vivid example of the shortcomings
dis-infector programs inevitably tend to exhibit.  I think I have
expressed my views towards these programs before, but now the time has
come to re-phrase them.

What does a dis-infector do? It is not so important to remove the viral
code from the program file; rather, the invocation of this code must be
suppressed. This code is usually invoked by a JMP instruction right
at the program start: this instruction will have to be replaced with
the original content of the respective bytes. (In the general case,
the virus will have replaced some part of the original program with part
of its own code, at least with one JMP or CALL instruction, and this
changed code will have to be restored by the dis-infector.)

Luckily, the dis-infector will find the information needed to restore the
original content of the changed locations somewhere in the viral code,
as the virus itself restores the original program in main storage
before invoking it, in order to hide the virus' existence from the user.

Now, if the dis-infector hits on a hitherto unknown variant of the
virus, it may take the wrong bytes from the viral code, put them in
place of the said JMP or CALL instruction, and in due course it will
destroy the program instead of repairing it.
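To make the repair step and its failure mode concrete, here is an added toy model (not code from the original post or from any real dis-infector). It models a DOS .COM-style image whose first three bytes have been overwritten with a JMP to an appended viral body that keeps the original three bytes somewhere inside it. The two "variant" layouts, their marker strings, the saved-bytes offsets and the sample bytes are all constructed for the demonstration. The strict repair routine refuses to act on an entry point that is not a JMP or on a body whose marker it does not know; the naive routine assumes one layout for everything and, exactly as described above, writes the wrong bytes over the program entry when it meets the other variant. A CRC check against a known-good value is shown as the caveat a practitioner would add: a repaired file should be verified against a trusted hash or backup before it is trusted.

```python
import zlib

# Constructed clean host program (8 bytes): MOV AH,9 / MOV DX,0100 / INT 21 / RET.
CLEAN_HOST = b"\xb4\x09\xba\x00\x01\xcd\x21\xc3"
CLEAN_CRC = zlib.crc32(CLEAN_HOST)  # "known-good" value a defender would keep on file

# Constructed viral-body layouts.  Each body starts with a marker the scanner
# keys on; the variants differ in where the saved original 3 bytes are kept.
VARIANT_LAYOUTS = {
    b"VAR-A": 5,   # saved bytes follow the 5-byte marker directly
    b"VAR-B": 8,   # variant B inserts 3 filler bytes before the saved bytes
}

# Constructed infected images.  Entry point is E9 05 00 (JMP rel16 to offset 8),
# the rest of the host is untouched, and the body is appended after it.
JMP_TO_BODY = b"\xe9\x05\x00"
INFECTED_A = JMP_TO_BODY + CLEAN_HOST[3:] + b"VAR-A" + b"\xb4\x09\xba" + b"\xc3"
INFECTED_B = JMP_TO_BODY + CLEAN_HOST[3:] + b"VAR-B" + b"\x90\x90\x90" + b"\xb4\x09\xba" + b"\xc3"
INFECTED_C = JMP_TO_BODY + CLEAN_HOST[3:] + b"VAR-C" + b"\xb4\x09\xba" + b"\xc3"  # unknown variant


def _split_image(image: bytes):
    """Return (body_start, body) after checking the entry point is a JMP rel16."""
    if len(image) < 3 or image[0] != 0xE9:
        raise ValueError("entry point is not a JMP rel16; refusing to repair")
    rel = int.from_bytes(image[1:3], "little", signed=True)
    body_start = 3 + rel
    if not 3 <= body_start < len(image):
        raise ValueError("JMP target outside the image; refusing to repair")
    return body_start, image[body_start:]


def disinfect_strict(image: bytes, layouts=VARIANT_LAYOUTS) -> bytes:
    """Restore the entry bytes only when the variant is positively identified."""
    body_start, body = _split_image(image)
    marker = next((m for m in layouts if body.startswith(m)), None)
    if marker is None:
        raise ValueError("unknown variant; refusing to guess where the original bytes are")
    off = layouts[marker]
    saved = body[off:off + 3]
    if len(saved) != 3:
        raise ValueError("viral body too short to hold the saved entry bytes")
    # Put the original 3 bytes back and cut the appended body off.
    return saved + image[3:body_start]


def disinfect_naive(image: bytes) -> bytes:
    """The mistake described in the post: assume every body uses variant A's layout."""
    body_start, body = _split_image(image)
    saved = body[5:8]          # correct for VAR-A only
    return saved + image[3:body_start]


def repair_is_verified(repaired: bytes, expected_crc: int = CLEAN_CRC) -> bool:
    """Compare the repaired file against a trusted checksum before accepting it."""
    return zlib.crc32(repaired) == expected_crc


if __name__ == "__main__":
    for name, img in (("A", INFECTED_A), ("B", INFECTED_B)):
        strict = disinfect_strict(img)
        naive = disinfect_naive(img)
        print(f"variant {name}: strict ok={repair_is_verified(strict)} "
              f"naive ok={repair_is_verified(naive)}")
    try:
        disinfect_strict(INFECTED_C)
    except ValueError as exc:
        print("variant C:", exc)
```

Run stand-alone, the script reports that the strict routine restores both known variants, that the naive routine silently corrupts the program for variant B (its entry becomes the three filler bytes), and that the unknown variant C is refused rather than guessed at.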

I conjecture that the Vienna variant of the 1704 is unknown to McAfee
and his team, and hence this sort of thing happened.
Martin Zejma: I think it would be a good idea to send a copy of the
virus you experienced to McAfee Associates (and also to Frisk).

But even this will not mend the basic problem! Next week (month, or
year), some kind soul will send a new 1704 variant (or whatever variant)
on its way that will fool the dis-infectors again :-(

Best wishes
            Otto Stolz