T762102@DM0LRZ01.BITNET (02/25/90)
Hi! Since this was not mentioned yet (I hope; I receive the digests with some delay), I would like to point out how the 1554 virus recognizes which files are infected by it.

For .COM files: if the contents of the word at offset 02 in the file is 12Eh, then the file is infected. This means that the contents of the bytes at offset 02 and 03 are 2Eh and 01h respectively. Offsets are counted from 0, i.e. the first byte of the file is at offset 0.

For .EXE files: if the contents of the word at offset 02 in the file is equal to the negated contents of the word at offset 12h, then the file is infected.

Unfortunately, this does not give us a method for file vaccination, since the contents of the bytes mentioned above are used. For .COM files, the byte at offset 02 is usually (not always!) the third byte of a JMP instruction. For .EXE files the situation is easier --- the word at offset 12h contains the so-called checksum, which is never used and can be modified.

Vesselin Bontchev
LISTVIR@USACHVM1.BITNET (Gonzalo M. Rojas Costa) (03/02/90)
Hi... Vesselin Bontchev (T762102@DM0LRZ01.BITNET) writes:

>> For .COM files:
>> If the contents of the word at offset 02 in the file is 12Eh,
>> then the file is infected.

No. The file isn't infected if the contents of the word at offset 02 in the file is 12Eh. (I.e. if I have an infected program, it always has the word 12Eh at offset 02, because this word is part of an instruction of the virus.)

>> For .EXE files:
>> If the contents of the word at offset 02 in the file is equal
>> to the negated contents of the word at offset 12h, then the file is
>> infected.

No. If the contents of the word at offset 02 (number of bytes contained in the last page) is equal to the negated contents of the word at offset 12h (negative sum of all the words in the file), then the program ISN'T INFECTED. (In the process of infection, the virus negates the number of bytes contained in the last page of the EXE program, and it puts this value at offset 12h of the header, i.e. as the negative sum of all the words in the file.)

>> Unfortunately, this does not give us a method for file vaccination,
>> since the contents of the bytes mentioned above is used. For .COM
>> files, the byte at offset 02 is usually (not always!) the third
>> byte of a JMP instruction. For .EXE files the situation is
>> easier --- the word at offset 12h contains the so-called checksum,
>> which is never used and can be modified.

I completely agree with you.

Disclaimer: The views expressed are my own! I do not speak for, nor do I represent any other person or company.

Gonzalo M. Rojas Costa
BITNET: LISTVIR@USACHVM1
ARPA: LISTVIR%USACHVM1.BITNET@CUNYVM.CUNY.EDU
Owner of ASSMPC-L ("Assembly for the IBM-PC")
Antiviral Research Group
Technical Support Unit
Universidad de Santiago de Chile
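The header test both messages discuss (word at offset 02 equal to 12Eh for .COM; word at offset 02 equal to the two's-complement negation of the word at 12h for .EXE), written up as a small Python checker. This is an added example, not code from either poster; the sample headers are constructed here, and the .EXE/.COM distinction is made by the MZ magic rather than by file extension.

```python
import struct

# Constructed sample headers (not real files): a .COM whose word at
# offset 02 is 012Eh, and a clean one where it is not.
COM_MARKED = bytes([0xE9, 0x10, 0x2E, 0x01]) + b"\x90" * 16
COM_CLEAN = bytes([0xE9, 0x10, 0x00, 0x00]) + b"\x90" * 16


def exe_header(last_page_bytes: int, checksum: int) -> bytes:
    """Build a minimal 28-byte MZ header with the two words of interest set."""
    hdr = bytearray(0x1C)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x02, last_page_bytes)  # bytes in last page
    struct.pack_into("<H", hdr, 0x12, checksum)         # "checksum" word
    return bytes(hdr)


# .EXE header whose word at 12h is the negation of the word at 02, and one
# whose checksum word is simply zero (the common case for real linkers).
EXE_MARKED = exe_header(0x0123, (-0x0123) & 0xFFFF)
EXE_CLEAN = exe_header(0x0123, 0x0000)


def word_at(data: bytes, offset: int) -> int:
    """Little-endian 16-bit word at the given file offset (offsets from 0)."""
    return struct.unpack_from("<H", data, offset)[0]


def has_1554_marker(data: bytes) -> bool:
    """Return True if the header satisfies the 1554 self-recognition test.

    Files shorter than 14h bytes cannot carry the .EXE relation and are
    treated as unmarked. Note that an .EXE whose words at 02 and 12h are
    both zero satisfies the relation trivially (0 == -0 mod 2^16), so a
    match on such a file says nothing by itself.
    """
    if len(data) < 0x14:
        return False
    if data[:2] in (b"MZ", b"ZM"):
        return word_at(data, 0x02) == (-word_at(data, 0x12)) & 0xFFFF
    return word_at(data, 0x02) == 0x012E


def scan_file(path: str) -> bool:
    """Read just the header of a file on disk and apply the marker test."""
    with open(path, "rb") as fh:
        return has_1554_marker(fh.read(0x1C))
```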