frisk@rhi.hi.is (Fridrik Skulason) (02/05/90)
David Chess has just informed me of an interesting fact I missed in my earlier note dealing with the 1260 virus. If the encryption module is removed, what is left is just a variant of the old and well-known "Vienna" virus. This variant is clearly derived from the version published in "Computer Viruses: A high-tech disease". The book is then responsible for three viruses, because Lisbon and GhostBalls were also based on that disassembly. I have now disassembled the virus and a detailed description of it will appear in the March issue of the Virus Bulletin. My F-PROT package has been modified, and now it can detect and disinfect "1260" and other viruses that use encryption methods with permutations of the decoding instructions. This new version (1.08) will be uploaded to SIMTEL tomorrow. The bugs found in 1.07 have also been fixed: One program (F-OSCHK) contained a message in Icelandic, and another (F-DLOCK) interfered with CHKDSK and some other programs. Those of you who have asked me for a copy of F-PROT and not yet received a reply - I will send you a copy of version 1.08 - sorry about the delay. Version 1.08 will also contain code to identify and remove the "new" Bulgarian viruses. - ------------------------------------------------------------------------------ frisk - Fridrik Skulason University of Iceland, Computing Services. Technical Editor, Virus Bulletin.