RZOTTO@DKNKURZ1.BITNET (Otto Stolz) (07/20/90)
Hello folks,

the adventures of Martin Zejma are a vivid example of the shortcomings dis-infector programs inevitably tend to exhibit. I think I have expressed my views towards these programs before, but now the time has come to re-phrase them.

What does a dis-infector do? It is not so important to remove the viral code from the program file; rather, the invocation of this code must be suppressed. This code is usually invoked by a JMP instruction right at the program start: this instruction will have to be replaced with the original content of the respective bytes. (In the general case, the virus will have replaced some part of the original program with part of its own code, at least with one JMP or CALL instruction; and this changed code will have to be restored by the dis-infector.)

Luckily, the dis-infector will find the information to restore the original content of the changed locations somewhere in the viral code, as the virus will restore the original program in main storage before it invokes it, to hide the virus' existence from the user.

Now, if the dis-infector hits on a hitherto unknown variant of the virus, it may take the wrong bytes from the viral code, put them in place of the said JMP or CALL instruction, and in due course it will destroy the program instead of repairing it. I conjecture that the Vienna variant of the 1704 is unknown to McAfee and his team, and hence this sort of thing happened.

Martin Zejma: I think it would be a good idea to send a copy of the virus you experienced to McAfee Associates (and also to Frisk). But even this will not mend the basic problem: next week (month, or year), some kind soul will send a new 1704-variant (or whatever-variant) on its way that will fool the dis-infectors again :-(

Best wishes
Otto Stolz
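The mechanism Otto describes above (entry JMP patched in, original bytes kept inside the viral body, dis-infector copying them back from an assumed offset) can be simulated in a few dozen lines. The following Python is an added example, not code from Otto Stolz or from any real dis-infector; the two "variants" VIRA and VIRB, their markers and the offsets at which they keep the saved host bytes are constructed for illustration and do not describe the real 1704 or Vienna layouts. It shows a dis-infector that hard-codes one variant's layout quietly corrupting a file infected by the other, and a variant-checking dis-infector that refuses instead of guessing.

```python
import struct

# Constructed layouts for two hypothetical variants of an appending virus.
# Both overwrite the host's first three bytes with a near JMP (E9 rel16) to
# the appended body and keep the overwritten bytes inside that body, but at
# different offsets from the body start. These markers/offsets are assumptions.
VARIANTS = {
    b"VIRA": 4,   # body: 4-byte marker, then the 3 saved host bytes
    b"VIRB": 12,  # body: 4-byte marker, 8 bytes of other code, then the saved bytes
}
JMP_LEN = 3       # E9 xx xx


def jmp_near(from_offset: int, to_offset: int) -> bytes:
    """Encode an 8086 near JMP (E9 rel16) as it would sit in a .COM file."""
    rel = to_offset - (from_offset + JMP_LEN)
    return b"\xE9" + struct.pack("<h", rel)


def infect(host: bytes, marker: bytes, filler: bytes = b"\x90" * 16) -> bytes:
    """Infect a .COM-style host the way an appending virus does (simulation)."""
    saved_offset = VARIANTS[marker]
    body = bytearray(marker)
    body += b"\xCC" * (saved_offset - len(marker))  # variant-specific code before the saved bytes
    body += host[:JMP_LEN]                          # original bytes, kept so the virus can restore them in memory
    body += filler                                  # rest of the viral code (constructed)
    return jmp_near(0, len(host)) + host[JMP_LEN:] + bytes(body)


def body_offset(image: bytes) -> int:
    """Follow the entry JMP to the start of the viral body."""
    if image[0] != 0xE9:
        raise ValueError("no entry JMP; not an infected image of this kind")
    rel = struct.unpack("<h", image[1:JMP_LEN])[0]
    return JMP_LEN + rel


def disinfect_naive(image: bytes) -> bytes:
    """Dis-infector that silently assumes every sample has the VIRA layout.

    On a VIRB-infected file this copies three bytes of viral code over the
    host's entry point, producing a 'repaired' program that no longer works.
    """
    start = body_offset(image)
    off = start + VARIANTS[b"VIRA"]
    saved = image[off:off + JMP_LEN]
    return saved + image[JMP_LEN:start]


def disinfect_checked(image: bytes):
    """Identify the variant by its marker first; return None for unknown layouts.

    Refusing is the safer failure: the file stays infected but intact, and the
    sample can be sent to the vendor rather than being destroyed.
    """
    start = body_offset(image)
    marker = image[start:start + 4]
    if marker not in VARIANTS:
        return None
    off = start + VARIANTS[marker]
    return image[off:off + JMP_LEN] + image[JMP_LEN:start]


# Constructed 14-byte "host program" (a DOS print-and-return stub).
HOST = b"\xB4\x09\xBA\x0E\x01\xCD\x21\xC3Hello$"

if __name__ == "__main__":
    a = infect(HOST, b"VIRA")
    b = infect(HOST, b"VIRB")
    print("naive on A restores host:", disinfect_naive(a) == HOST)
    print("naive on B restores host:", disinfect_naive(b) == HOST)
    print("checked on B restores host:", disinfect_checked(b) == HOST)
```

The naive routine is not wrong for the variant it was written against; it only goes wrong because it cannot tell that it is looking at something else. Any real dis-infector should therefore identify the exact variant (and, where possible, sanity-check the restored bytes, e.g. by comparing a restored copy against what the virus itself reconstructs in memory) before writing anything back to the file.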