Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!ucbvax!decwrl!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: RY15@DKAUNI11.BITNET (Christoph Fischer)
Newsgroups: comp.virus
Subject: Update on boot virus in Germany (PC)
Message-ID: <0004.y8907031143.AA09258@ge.sei.cmu.edu>
Date: 30 Jun 89 00:00:00 GMT
Sender: Virus Discussion List
Reply-To: VIRUS-L@IBM1.CC.Lehigh.EDU
Lines: 27
Approved: krvw@sei.cmu.edu

CONTINUOUS BOOT VIRUS UPDATE

Finally we received a copy of the virus that appeared at two places in West-Germany.

1. Both viruses are identical
2. It infects COM files
3. It is a direct virus (no TSR)
4. Its size is 648 bytes (like the DOS62 virus)
   (the first value we announced was 50 bytes, the value phoned to us by the
   panicking owner of the infected PC. We assumed part of the virus was hiding
   out in uninitialized DATA sections.)
5. It continuously boots over and over again
6. It overwrites the first 5 bytes with a JMP (3 Bytes) and byte 4 with BAh
   and byte 5 with B8h.
7. The JMP points to the beginning of the virus which starts with
   PUSH CX MOV DX,
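The header layout in items 6 and 7 can be turned into a triage check for COM files. The following is an added example, not code from the original post; it assumes the 3-byte JMP is the near-jump opcode E9 and that the MOV DX takes an immediate (opcode BAh), and the sample images are constructed for illustration.

```python
import struct

JMP_NEAR = 0xE9        # assumption: the 3-byte JMP is "E9 rel16"
MARKER = b"\xBA\xB8"   # bytes 4 and 5 as stated in the post
PUSH_CX = 0x51         # opcode for PUSH CX
MOV_DX_IMM = 0xBA      # assumption: MOV DX is the immediate form

def check_com_image(data: bytes) -> dict:
    """Run the three header checks on the raw bytes of one COM file."""
    res = {"jmp": False, "marker": False, "entry": False,
           "target": None, "suspicious": False}
    if len(data) < 5:
        return res
    res["jmp"] = data[0] == JMP_NEAR
    res["marker"] = data[3:5] == MARKER
    if res["jmp"]:
        rel16 = struct.unpack_from("<H", data, 1)[0]
        # A COM image loads at offset 0x100, so IP after the JMP is 0x103.
        # The addition wraps inside the 64 KiB segment.
        target = ((0x103 + rel16) & 0xFFFF) - 0x100
        res["target"] = target
        # Only inspect the entry point if it lies inside the file.
        if 0 <= target < len(data) - 1:
            res["entry"] = (data[target] == PUSH_CX
                            and data[target + 1] == MOV_DX_IMM)
    res["suspicious"] = res["jmp"] and res["marker"] and res["entry"]
    return res

# Constructed samples (not taken from any real file).
_host = b"\x90" * 200                      # NOP-filled stand-in program
_stub = bytes([PUSH_CX, MOV_DX_IMM, 0, 0])  # only the two opcodes matter
SAMPLE_MATCH = (bytes([JMP_NEAR]) + struct.pack("<H", 200 - 3)
                + MARKER + _host[5:] + _stub)
SAMPLE_CLEAN = b"\xB4\x4C\xCD\x21" + b"\x90" * 16   # MOV AH,4Ch / INT 21h
SAMPLE_JMP_ONLY = b"\xE9\x10\x00" + b"\x90" * 32    # JMP first, no marker

if __name__ == "__main__":
    for name, img in [("match", SAMPLE_MATCH), ("clean", SAMPLE_CLEAN),
                      ("jmp-only", SAMPLE_JMP_ONLY)]:
        print(name, check_com_image(img))
```

Many legitimate COM programs also begin with a JMP, so the marker bytes and the entry-point opcodes are what narrow the match; a hit is a reason to inspect the file, not a verdict.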