[comp.virus] The 4096 virus

T762102@DM0LRZ01.BITNET (02/05/90)

In issue #27 John McAfee (Alan_J_Roberts@cup.portal.com) writes:

>        The virus is memory resident and infects COMMAND.COM, EXE
>files and COM files.  The virus initially places the machine in
>single-step mode and then issues an interrupt 21, sub-function 52 to
>determine the real address of the interrupt 21 code within DOS.
>Thereafter, it issues a long jump to that location to avoid any
>interrupt trapping antivirals that may be resident.  Thus the
>infection process, after the virus becomes resident, is transparent.
>        The strangest part of the virus is that it is also able to
>trap all other disk reads and writes, and whenever an infected file is
>accessed by any program, the virus performs a disinfection of the
>program on the fly.  Thus checksumming techniques, file length checks,
>and other file modification detectors cannot perceive the infection on
>the disk.  Even searching the disk for the specific virus code will
>fail, since the code is removed from the file during the read request.

I was sure that someday one of the virus writers out there would
have the same idea! The latest versions of the Bulgarian TP viruses
perform in exactly the same way! (The 4096 virus, however, is not known
in Bulgaria.) I purposely didn't discuss these techniques in depth, but
I see now that this was useless --- someone had already reinvented
them. Too sad...

By the way, I have some general questions about viruses:

        (1). Which of the known viruses will run under OS/2? I mean
             exactly OS/2, not its DOS 3.3 compatibility box.
        (2). Does anybody know anything about a VAX/VMS virus which,
             when activated, slows down the data exchange with the
             terminals (to something like 3 bps)? There were some rumors
             about such a virus in Bulgaria, but I've never seen a
             working copy.
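The stealth behaviour quoted above, modelled in Python as an added example (not code from the post, from McAfee, or from any real virus): a resident hook strips the appended code on every read, so a checksummer that goes through DOS sees the clean file and the original length, while a cross-view comparison against the raw disk (what a clean-boot read would return) exposes the mismatch. All class and function names are assumed; the marker bytes and program bytes are constructed.

```python
import hashlib

MARKER = b"<<INFECTED>>"  # constructed stand-in for the appended virus code

class RawDisk:
    """Bytes actually stored on disk: what a read from a clean boot would see."""
    def __init__(self):
        self.files = {}
    def write(self, name, data):
        self.files[name] = data
    def read(self, name):
        return self.files[name]

class StealthHookedDos:
    """Toy model of the resident hook the post describes: an infected file is
    handed back to any caller with the appended code stripped, so length and
    content checks made through DOS see the original file."""
    def __init__(self, disk):
        self.disk = disk
    def infect(self, name):  # appends the marker once, as the infection would
        data = self.disk.read(name)
        if MARKER not in data:
            self.disk.write(name, data + MARKER)
    def read(self, name):  # "disinfection on the fly" during the read request
        data = self.disk.read(name)
        return data.split(MARKER)[0] if MARKER in data else data

def checksum(data):
    return hashlib.sha256(data).hexdigest()

def naive_integrity_check(dos, name, baseline):
    """Checksummer that trusts the resident OS to return the file's real bytes."""
    return checksum(dos.read(name)) == baseline

def cross_view_check(dos, disk, name):
    """Compare the hooked view with the raw view; a difference means something
    resident is rewriting read results, whatever the checksum says."""
    hooked, raw = dos.read(name), disk.read(name)
    return {"size_mismatch": len(hooked) != len(raw),
            "hash_mismatch": checksum(hooked) != checksum(raw)}

def demo():
    disk = RawDisk()
    disk.write("PROG.COM", b"\xb4\x4c\xcd\x21" * 4)  # constructed clean program
    dos = StealthHookedDos(disk)
    baseline = checksum(dos.read("PROG.COM"))  # baseline taken while clean
    dos.infect("PROG.COM")
    return naive_integrity_check(dos, "PROG.COM", baseline), cross_view_check(dos, disk, "PROG.COM")
```

The naive check passes after infection because it never sees the appended bytes; only the comparison of the two views reveals that the file on disk is longer than what DOS reports.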