RY15@DKAUNI11.BITNET (Christoph Fischer) (06/30/89)
CONTINUOUS BOOT VIRUS UPDATE

Finally we received a copy of the virus that appeared at two places in West-Germany.

1. Both viruses are identical
2. It infects COM files
3. It is a direct virus (no TSR)
4. Its size is 648 bytes (like the DOS62 virus)
   (the first value we announced was 50 bytes, the value phoned to us by the panicking owner of the infected PC. We assumed part of the virus hiding out in uninitialized DATA sections.)
5. It continuously boots over and over again
6. It overwrites the first 5 bytes with a JMP (3 bytes) and byte 4 with BAh and byte 5 with B8h.
7. The JMP points to the beginning of the virus, which starts with
       PUSH CX
       MOV DX,<comfilesize+648>

Maybe someone has encountered this apparently hacked version of DOS62. We'll present more after disassembly of the virus.

Have a nice weekend
Chris

*****************************************************************
* Torsten Boerstler and Christoph Fischer                       *
* Micro-BIT Virus Team / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067   *
* E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET    *
*****************************************************************
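The traits in points 4, 6 and 7 can be turned into a file check. The following is an added example, not code from the original post or its authors. It assumes the 3-byte JMP is the near form (opcode E9h) and that the 648 bytes sit at the end of the file; check_com, suspicious and make_sample are hypothetical names, and the sample image is constructed filler, not virus code.

```python
import struct

VIRUS_SIZE = 648        # size reported in the post
MARKER = b"\xBA\xB8"    # bytes 4 and 5 of an infected file, per the post
ENTRY = b"\x51\xBA"     # PUSH CX ; MOV DX,imm16 (standard 8086 opcodes)


def check_com(data: bytes) -> dict:
    """Compare a COM image against the traits listed in the post."""
    result = {"header": False, "entry": False, "appended": False}
    # Point 6: 3-byte JMP (assumed E9h near jump), then BAh and B8h.
    if len(data) < 5 or data[0] != 0xE9 or data[3:5] != MARKER:
        return result
    result["header"] = True
    # E9h takes a 16-bit displacement relative to the next instruction (offset 3).
    rel = struct.unpack_from("<H", data, 1)[0]
    target = (3 + rel) & 0xFFFF
    # Point 7: the jump target starts with PUSH CX / MOV DX,...
    if target + len(ENTRY) <= len(data):
        result["entry"] = data[target:target + len(ENTRY)] == ENTRY
    # Point 4 plus the assumption that the 648 bytes are appended to the host.
    result["appended"] = target == len(data) - VIRUS_SIZE
    return result


def suspicious(data: bytes) -> bool:
    """True only when every trait from the post matches."""
    return all(check_com(data).values())


def make_sample(host_len: int = 100, infected: bool = True) -> bytes:
    """Constructed test image: NOP-filled host, optionally followed by 648
    filler bytes that carry only the two entry opcodes."""
    host = bytearray(b"\x90" * host_len)
    if not infected:
        return bytes(host)
    body = bytearray(VIRUS_SIZE)    # zero filler, no real code
    body[0:2] = ENTRY
    host[0:5] = b"\xE9" + struct.pack("<H", host_len - 3) + MARKER
    return bytes(host + body)


if __name__ == "__main__":
    print(check_com(make_sample()))
    print(check_com(make_sample(infected=False)))
```

A match on the header alone is weak evidence, since a legitimate COM file can begin with a near JMP; the entry and size checks are what narrow it down.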