frisk@rhi.hi.is (Fridrik Skulason) (09/19/89)
I just finished examining the Typo virus. This virus is rather new - it
was first detected in Israel this summer. It creates errors in printouts
by (sometimes) replacing some characters or digits.
(By the way - a surprisingly large number of viruses seem to have
originated in Israel. First to arrive were the two versions of the
April 1. virus (sURIV 1.0 and sURIV 2.0) that later were merged into
one virus (sURIV 3.0), which evolved into the well-known Jerusalem
virus (sUMsDos) variant. That virus was then used as a basis for the
"Fu Manchu" virus.
Later the two boot sector viruses, Typo and SWAP, arrived.
Finally, just a few days ago a new virus, MIX1, was reported.)
Anyhow - as has been reported before (Y. Radai and others), the Typo virus
is closely related to the Ping-Pong or "Italian" virus, which is one of
the most common viruses around.
In fact, the viruses are so similar that some anti-virus programs even
identified Typo as the Italian virus. This is not so surprising, since the
boot sectors are almost identical. Almost - but not quite. The differences
between the boot sectors are:
- Some local variables have been moved. For example, the word
  containing the location of the original boot sector is now located
  two bytes earlier than before.
- The signature (two bytes that the virus uses to see if a diskette
  has already been infected) has been changed.
- The activation times have been changed. Ping-Pong had an "activation
  window" (a second or so long) every half hour. Typo will become
  active 112.5 seconds after power-on, and will stay active most of
  the time.
The major differences between the two viruses are in the other part of the
virus code, which is not stored in the boot sector, but in the cluster the
viruses mark as "bad" in the FAT.
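Since both viruses park the rest of their code in a cluster they mark as "bad", one quick triage check is to list every bad-marked cluster on a diskette. The Python below is an added example (not part of this post, nor of any of the anti-virus programs mentioned): it parses a FAT12 floppy image and returns those clusters; the image layout and the cluster number 2740 are constructed here purely for illustration.

```python
import struct

BAD_CLUSTER = 0xFF7  # FAT12 marker for a cluster that must never be allocated
BPB_FMT = "<HBHBHHBH"  # bytes/sector, sectors/cluster, reserved, FATs, root entries, total, media, sectors/FAT

def fat12_entry(fat, n):
    """Decode the 12-bit entry for cluster n (two entries are packed into 3 bytes)."""
    off = n + n // 2
    val = fat[off] | (fat[off + 1] << 8)
    return val >> 4 if n & 1 else val & 0x0FFF

def set_fat12_entry(fat, n, value):
    """Encode a 12-bit entry into a bytearray FAT (only used to build the sample)."""
    off = n + n // 2
    if n & 1:
        fat[off] = (fat[off] & 0x0F) | ((value << 4) & 0xF0)
        fat[off + 1] = (value >> 4) & 0xFF
    else:
        fat[off] = value & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((value >> 8) & 0x0F)

def bad_clusters(img):
    """Return every data cluster that the first FAT copy marks as bad."""
    bps, spc, reserved, nfats, root_entries, total, _media, spf = \
        struct.unpack_from(BPB_FMT, img, 11)
    fat = img[reserved * bps:(reserved + spf) * bps]
    data_sectors = total - reserved - nfats * spf - (root_entries * 32) // bps
    last = 1 + data_sectors // spc          # data clusters are numbered from 2
    return [n for n in range(2, last + 1) if fat12_entry(fat, n) == BAD_CLUSTER]

def build_sample_image(bad=(2740,)):
    """Constructed 1.44 MB FAT12 floppy image, empty apart from the given bad marks."""
    img = bytearray(512 * 2880)
    img[0:3] = b"\xEB\x3C\x90"            # jump over the BPB, as a real boot sector has
    struct.pack_into(BPB_FMT, img, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    img[510:512] = b"\x55\xAA"            # boot sector signature
    fat = bytearray(9 * 512)
    set_fat12_entry(fat, 0, 0xFF0)        # media descriptor entry
    set_fat12_entry(fat, 1, 0xFFF)        # end-of-chain marker
    for n in bad:
        set_fat12_entry(fat, n, BAD_CLUSTER)
    for copy in range(2):                 # both FAT copies carry the same table
        img[512 + copy * len(fat):512 + (copy + 1) * len(fat)] = fat
    return bytes(img)
```

A clean diskette normally yields an empty list; a hit is only a lead, since genuinely defective media also carry bad-cluster marks, so confirm by inspecting the boot sector itself.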
Of course, there are quite a few interesting things the viruses have in
common.
- Typo contains the same "bug" as Ping-Pong does, that prevents it
  from working on '286 and '386 machines.
- It is possible to remove Typo with some programs designed to
  remove Ping-Pong.
- Since the signature is stored in the same place on both viruses, it is
  possible to inoculate diskettes against one of them, but not both.
Fridrik Skulason University of Iceland
frisk@rhi.hi.is
Guvf yvar vagragvbanyyl yrsg oynax .................