[comp.virus] More about the 1260 virus

frisk@rhi.hi.is (Fridrik Skulason) (02/05/90)

David Chess has just informed me of an interesting fact I missed in my
earlier note dealing with the 1260 virus.  If the encryption module is
removed, what is left is just a variant of the old and well-known
"Vienna" virus.

This variant is clearly derived from the version published in
"Computer Viruses: A high-tech disease".  The book is then responsible
for three viruses, because Lisbon and GhostBalls were also based on
that disassembly.

I have now disassembled the virus and a detailed description of it
will appear in the March issue of the Virus Bulletin.

My F-PROT package has been modified, and now it can detect and
disinfect "1260" and other viruses that use encryption methods with
permutations of the decoding instructions.

This new version (1.08) will be uploaded to SIMTEL tomorrow.  The bugs
found in 1.07 have also been fixed: One program (F-OSCHK) contained a
message in Icelandic, and another (F-DLOCK) interfered with CHKDSK and
some other programs.

Those of you who have asked me for a copy of F-PROT and not yet
received a reply - I will send you a copy of version 1.08 - sorry
about the delay.

Version 1.08 will also contain code to identify and remove the "new"
Bulgarian viruses.

------------------------------------------------------------------------------
frisk - Fridrik Skulason   University of Iceland, Computing Services.
                           Technical Editor, Virus Bulletin.