RY15%DKAUNI11.BITNET@IBM1.CC.Lehigh.Edu (Christoph Fischer) (11/15/89)
Hi,

we just completed our virus catalog entry for the VACSINA virus and checked with some friends. One of them, David M. Chess, pointed out that we overlooked a fact. Well, it is a very important fact: VACSINA contains an update facility.

The last 4 bytes of an infected file contain F4 7A 05 00. The F4 7A is the VACSINA id and 05 00 is the version number (lo byte first), so we have version 0005 of VACSINA. If the virus finds anything less than 0005 it will reconstruct the original file and then it will infect with the new version of VACSINA. Now we understand why the author left so much space in the head of the virus.

Also the 3 bytes used for the 'VACSINA-TSR is in memory' flag contain a 05, so future versions of VACSINA will know if an older version of VACSINA installed its TSR.

If anybody has virus-infected files that show F4 7A 06 00 or higher, please post a note.

Thanks to David again!

Chris

*****************************************************************
* Torsten Boerstler and Christoph Fischer and Rainer Stober     *
* Micro-BIT Virus Team / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067   *
* E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET    *
*****************************************************************
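
The trailer check described in the post, as an added example (not code from the post or from the Micro-BIT team): it reads the last 4 bytes of a file, looks for the F4 7A id and decodes the version word lo byte first. The function names, triage labels and sample byte strings are this example's own assumptions.

```python
import os
import struct
import sys

VACSINA_ID = b"\xF4\x7A"  # id bytes quoted in the post
KNOWN_VERSION = 0x0005    # version the post describes


def parse_trailer(tail: bytes):
    """Return the version word if `tail` ends with the VACSINA trailer, else None."""
    if len(tail) < 4 or tail[-4:-2] != VACSINA_ID:
        return None
    return struct.unpack("<H", tail[-2:])[0]  # lo byte first


def classify(version):
    """Map a parsed version to a triage label (labels are this example's own)."""
    if version is None:
        return "no-marker"
    if version < KNOWN_VERSION:
        return "older-version"
    if version == KNOWN_VERSION:
        return "version-0005"
    return "newer-version-report"  # F4 7A 06 00 or higher


def check_file(path):
    """Read only the last 4 bytes of a file and classify them."""
    if os.path.getsize(path) < 4:
        return "no-marker"
    with open(path, "rb") as fh:
        fh.seek(-4, os.SEEK_END)
        return classify(parse_trailer(fh.read(4)))


# Constructed sample file tails (not taken from real infected files).
SAMPLES = {
    "v5": b"\x90\x90\xF4\x7A\x05\x00",
    "v6": b"\x90\x90\xF4\x7A\x06\x00",
    "clean": b"MZ\x00\x00\x00\x00",
    "short": b"\x7A\x05",
}

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, check_file(path))
    if len(sys.argv) == 1:
        for name, tail in SAMPLES.items():
            print(name, classify(parse_trailer(tail)))
```

A hit is a triage hint only: a two-byte id can appear at that offset in an uninfected file by chance, so flagged files still need a closer look.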