[comp.virus] Update on boot virus in Germany

RY15@DKAUNI11.BITNET (Christoph Fischer) (06/30/89)

CONTINUOUS BOOT VIRUS UPDATE
  Finally we received a copy of the virus that appeared at two places
in West-Germany.
1. Both viruses are identical
2. It infects COM files
3. It is a direct virus (no TSR)
4. Its size is 648 bytes (like the DOS62 virus). (The first value we
   announced was 50 bytes, the value phoned to us by the panicking owner
   of the infected PC. We assumed part of the virus was hiding out in
   uninitialized DATA sections.)
5. It continuously boots over and over again
6. It overwrites the first 5 bytes with a JMP (3 bytes) and
   byte 4 with BAh and byte 5 with B8h.
7. The JMP points to the beginning of the virus, which starts with
PUSH CX  MOV DX,<comfilesize+648>

Maybe someone has encountered this apparently hacked version of
DOS62.
We'll present more after disassembly of the virus.
Have a nice weekend
       Chris
*****************************************************************
* Torsten Boerstler and Christoph Fischer                       *
* Micro-BIT Virus Team / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067   *
* E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET    *
*****************************************************************
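
Added example (not part of the original post or the authors' code): a Python check that tests a COM file image for the markers listed in items 4, 6 and 7. It assumes the 3-byte JMP is the near form (opcode E9h) and that the 648 bytes are appended to the host file; the function names and the sample images are constructed for illustration.

```python
import struct

VIRUS_LEN = 648      # size reported in the post (item 4)
COM_LOAD = 0x100     # DOS loads a COM image at offset 100h

def check_com_image(data: bytes) -> dict:
    """Test a COM file image for the markers listed in the post."""
    r = {"jmp_header": False, "marker_bytes": False, "entry_prologue": False,
         "entry_at_tail": False, "entry_offset": None}
    if len(data) < 5:
        return r
    # Item 6: bytes 4 and 5 (file offsets 3 and 4) are BAh and B8h.
    r["marker_bytes"] = data[3] == 0xBA and data[4] == 0xB8
    # Assumption: the 3-byte JMP is the near form, opcode E9h + rel16.
    if data[0] != 0xE9:
        return r
    r["jmp_header"] = True
    rel = struct.unpack_from("<H", data, 1)[0]
    target_ip = (COM_LOAD + 3 + rel) & 0xFFFF   # IP wraps inside the segment
    off = target_ip - COM_LOAD                  # back to a file offset
    if not 0 <= off <= len(data) - 2:
        return r                                # jump lands outside the file
    r["entry_offset"] = off
    # Item 7: the target starts with PUSH CX (51h), MOV DX,imm16 (BAh).
    r["entry_prologue"] = data[off] == 0x51 and data[off + 1] == 0xBA
    # Assumption: the 648 bytes are appended, so the target is 648 from the end.
    r["entry_at_tail"] = off == len(data) - VIRUS_LEN
    return r

def is_suspect(data: bytes) -> bool:
    """True when the header JMP, the two marker bytes and the prologue all match."""
    r = check_com_image(data)
    return r["jmp_header"] and r["marker_bytes"] and r["entry_prologue"]

def build_samples():
    """Constructed, inert test images (filler bytes only, no virus code)."""
    host_len = 200
    header = b"\xE9" + struct.pack("<H", host_len - 3) + b"\xBA\xB8"
    tail = b"\x51\xBA" + struct.pack("<H", host_len + VIRUS_LEN)
    tail += b"\x00" * (VIRUS_LEN - len(tail))
    marked = header + b"\x90" * (host_len - 5) + tail
    clean = b"\xE9\x10\x00" + b"\x90" * 100     # ordinary JMP, no markers
    return marked, clean

if __name__ == "__main__":
    for name, img in zip(("marked", "clean"), build_samples()):
        print(name, is_suspect(img), check_com_image(img))
```

The entry_at_tail flag is reported separately and is not part of the verdict, since it rests on the appended-layout assumption rather than on anything the post states.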