Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!ucbvax!decwrl!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: RY15@DKAUNI11.BITNET (Christoph Fischer)
Newsgroups: comp.virus
Subject: more on West German boot virus
Message-ID: <0007.y8907031857.AA11952@ge.sei.cmu.edu>
Date: 3 Jul 89 00:00:00 GMT
Sender: Virus Discussion List
Reply-To: VIRUS-L@IBM1.CC.Lehigh.EDU
Lines: 23
Approved: krvw@sei.cmu.edu

DURING THE WEEKEND WE DISASSEMBLED THE VIRUS AND SOLVED THE MYSTERY ABOUT THE CONTINUOUS BOOTING: AT BOTH LOCATIONS WE WERE CALLED TO, THE VIRUS HAD PATCHED A JUMP TO THE BIOS WARMBOOT ROUTINE INTO THE COMMAND.COM, WHICH WILL YIELD AN ENDLESS BOOTING PROCESS SINCE WHEN THE SYSTEM COMES UP THE FIRST THING IT DOES IS STARTING COMMAND.COM.

THE VIRUS PATCHES ITSELF INTO A PROGRAM IF ANY OF THE LOW-ORDER BITS OF SYSTEM TIME (SECONDS) ARE NON-ZERO. IF ALL ARE ZERO IT PATCHES THIS FAR JUMP TO THE BIOS INTO THE PROGRAM. SO OUR CASE HAPPENS ONLY IN ONE OUT OF EIGHT CASES. FOR TWO LOCATIONS THIS MAKES 1 IN 64 CASES. :-)

THE CODE OF THE VIRUS SEEMS TO BE IDENTICAL TO WHAT IS DESCRIBED AS DOS62 OR VIENNA. SINCE WE DO NOT HAVE EITHER OF THE ORIGINAL VIRUSES WE CANNOT TELL FOR SURE WHETHER IT IS AN ORIGINAL OR A MUTANT. ANYHOW THE CODE SEEMS TO BE SOMEWHAT AWKWARD IN SOME PLACES, WHICH COULD BE A SIGN FOR A PATCHED VERSION.

BYE CHRIS & TOBI

*****************************************************************
* Torsten Boerstler and Christoph Fischer                       *
* Micro-BIT Virus Team / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067   *
* E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET    *
*****************************************************************
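The post describes two things a defender can check for: the time-based trigger (the far jump is written only when the low-order bits of the seconds value are all zero) and the resulting far jump into the ROM BIOS at the start of COMMAND.COM. The following scanner is an added example written for this page, not code from the Micro-BIT team; it assumes the classic warm-boot entry FFFF:0000 as the sample target and treats any far JMP whose segment is F000h or above as a jump into ROM, since the post does not give the exact address.

```python
"""Heuristic check for a .COM image patched with a far JMP into ROM BIOS.

Added example, not from the original post. Assumptions: the 5-byte far jump
is opcode EAh followed by a 16-bit offset and 16-bit segment (little-endian),
and any segment >= F000h counts as ROM BIOS (the classic warm-boot entries are
FFFF:0000 and F000:FFF0).
"""
import struct

FAR_JMP_OPCODE = 0xEA
ROM_SEGMENT_MIN = 0xF000   # assumption: F000h-FFFFh is the ROM BIOS range


def patches_jump_this_second(seconds: int) -> bool:
    """Per the post: the far jump is written only when the three low-order
    bits of the system-time seconds value are all zero (about 1 case in 8)."""
    return (seconds & 0b111) == 0


def find_rom_far_jumps(image: bytes) -> list:
    """Return (file_offset, segment, offset) for every far JMP into ROM."""
    hits = []
    for i in range(len(image) - 4):          # need 5 bytes: EA off16 seg16
        if image[i] != FAR_JMP_OPCODE:
            continue
        off, seg = struct.unpack_from("<HH", image, i + 1)
        if seg >= ROM_SEGMENT_MIN:
            hits.append((i, seg, off))
    return hits


def looks_patched(image: bytes) -> bool:
    """A .COM program starts executing at its first byte, so a ROM far jump
    at offset 0 means the program reboots the machine instead of running,
    which is exactly the endless-reboot loop the post describes."""
    return any(pos == 0 for pos, _, _ in find_rom_far_jumps(image))


# Constructed sample images (not real COMMAND.COM bytes):
CLEAN = bytes([0xB4, 0x4C, 0xCD, 0x21])                    # MOV AH,4Ch / INT 21h
PATCHED = bytes([0xEA, 0x00, 0x00, 0xFF, 0xFF]) + CLEAN    # JMP FFFF:0000, then original code

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("patched", PATCHED)):
        print(name, find_rom_far_jumps(img), "patched" if looks_patched(img) else "ok")
```

Running the scanner over the first bytes of every .COM file on a suspect disk gives a quick triage signal; the trigger function shows why only roughly one infection in eight produced the reboot symptom.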