[comp.virus] more on West German boot virus

RY15@DKAUNI11.BITNET (Christoph Fischer) (07/03/89)

During the weekend we disassembled the virus and solved the
mystery about the continuous booting:
At both locations we were called to, the virus had patched
a jump to the BIOS warm-boot routine into the COMMAND.COM,
which will yield an endless booting process, since when the system
comes up the first thing it does is start COMMAND.COM.
The virus patches itself into a program if any of the low-order bits
of the system time (seconds) are non-zero. If all are zero, it patches this
far jump to the BIOS into the program. So our case happens only in
one out of eight cases. For two locations this makes 1 in 64 cases. :-)
The code of the virus seems to be identical to what is described as
DOS62 or Vienna. Since we do not have either of the original viruses,
we cannot tell for sure whether it is an original or a mutant.
Anyhow, the code seems to be somewhat awkward in some places,
which could be a sign of a patched version.
Bye
       Chris & Tobi
*****************************************************************
* Torsten Boerstler and Christoph Fischer                       *
* Micro-BIT Virus Team / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067   *
* E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET    *
*****************************************************************
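The effect described in the posting above (a .COM file whose entry point has been overwritten with a far jump into the BIOS, so that the machine reboots as soon as COMMAND.COM starts) can be recognised with a trivial scan of the first five bytes of a file. The following is an added example, written for this page and not code from the Micro-BIT team or from the virus itself. It assumes that the jump target is F000:FFF0, the 8086 reset vector where the BIOS boot entry lives, and it models the time test from the posting as "the low three bits of the seconds field are all zero"; both assumptions are marked in the code, and the sample files are constructed inline.

```python
"""
Added example (not from the original posting): recognise a .COM file whose entry
point has been replaced by a far jump to the BIOS reset entry, and model the
seconds-field test the posting describes.

Assumptions (labelled, not stated on the page):
  * the jump target is F000:FFF0, the 8086 reset vector;
  * the time test is (seconds & 7) == 0, i.e. the low three bits are zero.
"""
import struct

FAR_JMP_OPCODE = 0xEA           # 8086 "JMP ptr16:16" (5 bytes: opcode, offset, segment)
BIOS_RESET = (0xF000, 0xFFF0)   # ASSUMED target: BIOS reset vector as segment:offset


def decode_far_jump(code: bytes):
    """Return (segment, offset) if `code` starts with a 5-byte far jump, else None."""
    if len(code) < 5 or code[0] != FAR_JMP_OPCODE:
        return None
    # Operand order in the instruction is offset first, then segment, little-endian.
    offset, segment = struct.unpack("<HH", code[1:5])
    return (segment, offset)


def is_reset_jump(code: bytes) -> bool:
    """True if the entry point is a far jump to the (assumed) BIOS reset vector."""
    return decode_far_jump(code) == BIOS_RESET


def patches_reset_jump(seconds: int) -> bool:
    """Model of the posting's time test: all low-order bits of the seconds field zero."""
    return (seconds & 0x7) == 0


def scan_com(name: str, data: bytes) -> dict:
    """Classify one .COM image by what its first instruction does."""
    target = decode_far_jump(data)
    return {
        "file": name,
        "far_jump_at_entry": target is not None,
        "target": None if target is None else f"{target[0]:04X}:{target[1]:04X}",
        "reboots_on_start": target == BIOS_RESET,
    }


# Constructed sample images (not real files from the incident).
SAMPLES = {
    # mov ah,9 / mov dx,0100h / int 21h / ret  -- an ordinary tiny .COM program
    "clean.com": b"\xB4\x09\xBA\x00\x01\xCD\x21\xC3",
    # jmp F000:FFF0 followed by filler -- the patched case the posting describes
    "patched.com": b"\xEA\xF0\xFF\x00\xF0" + b"\x90" * 11,
    # jmp 1000:0100 -- a far jump that is NOT to the reset vector
    "other_jump.com": b"\xEA\x00\x01\x00\x10" + b"\x90" * 3,
}


def scan_all(samples=SAMPLES):
    """Scan every sample and return the per-file verdicts in dictionary order."""
    return [scan_com(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for verdict in scan_all():
        print(verdict)
    hits = sum(patches_reset_jump(s) for s in range(60))
    print(f"seconds values 0..59 for which the model patches the reset jump: {hits}")
```

Only a file whose very first instruction is the far jump to the reset vector is reported as rebooting on start; a far jump elsewhere is reported but not flagged. With a 0..59 seconds field, the modelled test fires for 8 of the 60 values.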