Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!tut.cis.ohio-state.edu!bloom-beacon!usc!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: CHESS@YKTVMV.BITNET (David M. Chess)
Newsgroups: comp.virus
Subject: Re: DataCrime II - tiny clarification (PC)
Message-ID: <0001.8908141126.AA08231@ge.sei.cmu.edu>
Date: 11 Aug 89 00:00:00 GMT
Sender: Virus Discussion List
Lines: 29
Approved: krvw@sei.cmu.edu

Not to prolong the technical discussion too long, but...

Kelly Goen and Alan Roberts are both completely correct (or, actually, I'll assume they are, not knowing myself!); CodeView probably does get confused by the odd things the virus does. I always use good old DEBUG for initial examination of viruses, because I know exactly what it's doing! (CodeView is much more powerful, but for that reason also more complex.) I didn't get thrown out to DOS at any point, but I *did* notice that the virus was doing some bizarre self-alteration, decided that it was trying to avoid being single-stepped, and then confirmed that by experiment. (If you single-step through it, it degarbles to garbage, rather than to the actual virus code.) So I never got to observe the effect that Kelly and Alan saw! (So I don't think anything I said was "fallacious"; we were just talking about different effects.)

Alan asks a good question about disassemblies. I think it's probably a Good Thing if at least two or three people do independent disassemblies of each virus, just to make it less likely that something subtle will be missed. I know my disassemblies (except the ones I've spent lots of time on) always contain sections marked with vaguenesses like "Does something subtle with the EXE file header here". At some point, I guess, some time does start to be wasted by duplication of effort; hard to say where, though. I probably tend to lean towards "the more the merrier"!

DC