Alan_J_Roberts@Sun.COM (08/11/89)
I just caught David Chess's posting about the Datacrime-2 virus. He's absolutely correct about the ease of bypassing the virus's de-garbling code. Not that I had a chance to find out for myself. As I was psyching myself up to the disassembly challenge, John McAfee sent me two very good and well-commented disassemblies, one of which, I believe, was from David Chess himself. It's not very satisfying to settle for someone else's disassembly, no matter how well done, but it's even harder to do your own when at least two are in front of your face.

Which leads me to a question. Why do three or four dozen people (at least) disassemble every new virus that pops up? I'm not complaining in the least. Just wondering if some of us are redundant. Should we maybe draw straws to see who gets to do the next one, and the rest of us go see a movie or something instead? I don't know.

But back to the Datacrime-2. Even though, as I was shown, you can set a breakpoint at 124H, it is still unnerving not to be able to single-step a virus. I like to take my time -- do one instruction and contemplate it. Savor the meaning of a single branch instruction; the simplicity of an XOR; the power of a multiply. To be forced to submit to the brutal pace of two to three hundred operations per millisecond -- even for a short loop -- is not my idea of a good time.

And as to Dave's comment about adding 90 seconds to his disassembly time, he can only speak for himself. When MY debugger kicked out to DOS, I spent at least a half hour trying to figure out which virus had infected my debugger, and how I could have been so stupid as to let it happen. I spent the next half hour complaining about the bug in Codeview, and the half hour after that I watched a 1963 Andy Griffith Show on television to try and calm down. So I'm not so sure the virus designer was just showing off. He/she/it nearly off'd one of us.

Alan Roberts