David.M..Chess.CHESS@YKTVMV (11/15/89)
I've been looking through a couple of new PC viruses (thanks
to John M. and Fridrik S. for the samples), and thought I'd
write down a couple of things:
- The 867-long COM-infector that only infects on even-numbered
days and sometimes messes up one's typing has been called
"Typo" and "Fumble" here. To either add to or subtract
from the confusion, I'd suggest calling it the "867" until
a good reason not to comes along...
- The 648-long COM-infector that Alan Roberts reported above
is in fact Vienna-derived. It's functionally identical
to the Vienna, except that it overwrites the occasional
victim with "@AIDS" instead of the Vienna's 5-byte reboot
program. The code has been messed with considerably; the
author seems to have taken a sample of the Vienna, and
asked, for every instruction, "how can I change this to
do exactly the same thing using a different set of bytes?".
In many places the code is identical; in others, it has
been tightened up, or expanded with NOOPS, or tiny and
non-functional changes in register usage have been made.
The perpetrator was clearly interested in fooling any
virus scanner looking for Vienna identification strings
(to use Joe Hirst's phrase).
DC
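
Added example, not part of the original post: a sketch of why an exact identification-string search misses a variant that was re-encoded and padded with NOPs, next to a matcher that tolerates both changes. The byte strings, the host prefix and the function names are constructed for illustration and are not taken from the Vienna or the 648-byte sample.

```python
# Constructed byte strings for illustration; not taken from Vienna or any real sample.
NOP = 0x90

# Reference sequence: mov ax,bx / mov ah,40h / int 21h
ORIGINAL = bytes.fromhex("89d8b440cd21")
# Same behaviour, different bytes: alternate encoding of mov ax,bx plus NOP padding
VARIANT = bytes.fromhex("8bc390b44090cd21")

# Each pattern element lists equivalent encodings of one instruction.
# Alternatives within an element must not be prefixes of one another.
PATTERN = [
    (b"\x89\xd8", b"\x8b\xc3"),  # mov ax,bx in either direction-bit form
    (b"\xb4\x40",),              # mov ah,40h
    (b"\xcd\x21",),              # int 21h
]

def exact_scan(data, signature):
    """Classic identification-string search: offset of signature, or -1."""
    return data.find(signature)

def match_at(data, pos, pattern):
    for i, alternatives in enumerate(pattern):
        # Skip NOP filler only at instruction boundaries, never inside an
        # element, because 0x90 can also be a legitimate operand byte.
        while i > 0 and pos < len(data) and data[pos] == NOP:
            pos += 1
        for alt in alternatives:
            if data.startswith(alt, pos):
                pos += len(alt)
                break
        else:
            return False
    return True

def tolerant_scan(data, pattern):
    """Offset of the first match allowing NOP padding and alternate encodings, or -1."""
    for start in range(len(data)):
        if match_at(data, start, pattern):
            return start
    return -1

HOST = b"\xeb\x01\x00"  # constructed 3-byte host prefix
if __name__ == "__main__":
    for name, body in (("original", ORIGINAL), ("variant", VARIANT)):
        image = HOST + body
        print(name, exact_scan(image, ORIGINAL), tolerant_scan(image, PATTERN))
```

The exact search finds only the reference sequence; the tolerant matcher reports the same offset for both, since it compares instructions rather than one fixed run of bytes.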