frisk@rhi.hi.is (Fridrik Skulason) (11/15/89)
The "Lisbon" virus reported recently is nothing but a variant of the Vienna virus. The major difference is that the virus seems to have been created from the disassembly in Ralf Burger's book "Computer Viruses..." and assembled using a different assembler than the one used to create the original virus. The "Lisbon" virus contains the patches added in the book to make the virus a little less harmful than the original, just like the "Ghost" virus I reported recently.

The reason I say that the virus has been created using a different assembler is that in many cases different forms of the same instructions are used. It is a rather little-known fact that many x86 instructions have two different forms, in particular the XOR instructions. For example, the "XOR AX,AX" instruction can be represented as either 31 C0 or 33 C0. The Microsoft assembler will generate one of the forms, but DEBUG the other one. I don't know about TASM and other assemblers, I use MASM and DEBUG for everything :-)

Since Lisbon contains the form not used by the original virus, it was obviously not created by patching Vienna. Still, this small difference was enough to confuse both the scanning programs from IBM and McAfee, but not my own....... :-)

There are a few differences in the code, but they are trivial.

--frisk
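Added example, not part of the original post and not the code of any scanner named in it: a signature matcher that treats the two encodings of a register-to-register instruction as equal, so a reassembled variant still matches. The function names are hypothetical and the byte strings are constructed for illustration; they are not taken from Vienna or Lisbon.

```python
from typing import List, Optional

# Opcodes whose bit 1 is the direction bit: ADD OR ADC SBB AND SUB XOR CMP
# (0x00..0x3B, low three bits 0..3) and MOV (0x88..0x8B).
DIRECTIONAL = {base + i for base in range(0x00, 0x40, 8) for i in range(4)}
DIRECTIONAL |= {0x88, 0x89, 0x8A, 0x8B}

def alternate(insn: bytes) -> Optional[bytes]:
    """Other encoding of a 2-byte reg,reg instruction, or None if there is none."""
    if len(insn) != 2 or insn[0] not in DIRECTIONAL or insn[1] >> 6 != 0b11:
        return None  # not register-direct (mod != 11b), or not a directional opcode
    reg, rm = (insn[1] >> 3) & 7, insn[1] & 7
    # Flip the direction bit and swap the reg and rm fields: same operation.
    return bytes([insn[0] ^ 0x02, 0xC0 | (rm << 3) | reg])

def find(signature: List[bytes], data: bytes) -> int:
    """Offset of the first match, accepting either encoding per instruction; -1 if none."""
    choices = [{insn, alternate(insn) or insn} for insn in signature]
    total = sum(len(insn) for insn in signature)
    for start in range(len(data) - total + 1):
        pos = start
        for insn, allowed in zip(signature, choices):
            if data[pos:pos + len(insn)] not in allowed:
                break
            pos += len(insn)
        else:
            return start
    return -1

# Constructed signature, one entry per instruction:
#   XOR AX,AX (31 C0) / MOV DS,AX (8E D8) / MOV AX,BX (89 D8)
SIG = [b"\x31\xC0", b"\x8E\xD8", b"\x89\xD8"]
# Constructed sample: the same three instructions in the other encoding where
# one exists (33 C0, 8B C3), surrounded by unrelated bytes.
REASSEMBLED = b"\x90\x90" + b"\x33\xC0\x8E\xD8\x8B\xC3" + b"\xC3"

if __name__ == "__main__":
    print("exact byte search:", REASSEMBLED.find(b"".join(SIG)))   # no match
    print("encoding-aware search:", find(SIG, REASSEMBLED))        # match
```

The matcher relies on the signature being supplied as a list of whole instructions; it does not disassemble the scanned data, so it only absorbs same-length encoding differences like the one described in the post.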