Path: utzoo!utgpu!watmath!att!dptg!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Newsgroups: comp.virus
Subject: Typo Virus (PC)
Message-ID: <0002.8908081126.AA21881@ge.sei.cmu.edu>
Date: 5 Aug 89 23:55:21 GMT
Sender: Virus Discussion List <VIRUS-L@IBM1.CC.Lehigh.EDU>
Lines: 18
Approved: krvw@sei.cmu.edu


    I just began an analysis of the Typo virus and, as with all new
reported viruses, I ran McAfee's ViruScan against it as a first step.
Imagine my surprise when it identified it as the Ping Pong virus!
After tearing it apart, it turned out to be 90% original Ping Pong.
Someone has taken the Ping Pong Carrier mechanism and modified the
code that displays the bouncing dot to effect the typographical errors
reported by Y Radai.  I gave the disassembly to John and I believe
Scan version 33 discriminates between the two viruses.  John also just
gave me a copy of the new Datacrime-2 virus, which is a strange beast.
The encryption at the front of the virus is very different from the
1701/4 encryption method.  Included in the decryption code is a
routine to prevent looking at the code through debug, Codeview or
other single step utility.  I'll report back when I've ripped the
beast apart, meanwhile I gave John sufficient info to update ViruScan
so it can identify it (I think it's also included in V33).

Alan