Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!zaphod.mps.ohio-state.edu!sunybcs!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: frisk@rhi.hi.is (Fridrik Skulason)
Newsgroups: comp.virus
Subject: Re: new virus 1022 (PC)
Message-ID: <0010.9007241234.AA23686@ubu.cert.sei.cmu.edu>
Date: 24 Jul 90 10:20:59 GMT
Sender: Virus Discussion List
Lines: 30
Approved: krvw@sei.cmu.edu

RZOTTO@DKNKURZ1.BITNET (Otto Stolz) writes:

>> Only infects .EXE files, adding 1022 bytes to them
>Is this figure accurate?
>
>I think that EXE files can only grow by multiples of 16.
>Am I mistaken?

I just finished writing the routine to disinfect the Fellowship virus
(called 1022 above). The virus code itself is in fact 1019 bytes, at
least in the version I have. Actually, files may grow by less than 1019
bytes, as the virus may overwrite the last few bytes of the programs it
infects, making 100% disinfection impossible. A 1022-byte version may
exist, however.

About .EXE infections in general...many viruses first pad the programs
they infect with 1-15 bytes of garbage, so their length becomes a
multiple of 16 bytes. The virus code is then added, but as it is of a
fixed length, the length of the infected file MOD 16 will be constant
for a given virus. This padding is done to ensure the virus starts on a
paragraph boundary, making it possible to set the initial IP value to a
fixed number. A disinfection program may be able to remove the virus,
but probably not those extra 1-15 bytes.

Other viruses just append the virus code to the file, and set the
initial IP value to a number that depends on the length of the original
file MOD 16.

-- 
Fridrik Skulason      University of Iceland  |
Technical Editor of the Virus Bulletin (UK)  | Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801  |
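The two .EXE growth patterns the post describes (pad the host to a 16-byte paragraph boundary and then append a fixed-size body, versus append directly and let the initial IP absorb the host length MOD 16) can be modelled from a scanner writer's point of view. The following is an added example, not code from the post or from any disinfection tool; it builds a constructed, minimal MZ header, computes the paragraph padding and the constant length-MOD-16 residue, derives the entry-point file offset from the header's CS:IP, and checks whether a file carries data beyond the length its MZ header declares. The sample bytes (SAMPLE_HOST, CONSTRUCTED_SUSPECT, the 1019-byte filler standing in for appended code) are constructed here; the function names are my own. Note the caveat, stated in the code, that the header-vs-actual size check only catches appended data when the header was not updated to cover it, and that legitimate programs also carry overlays, so a mismatch is a reason to inspect a file, not proof of infection.

```python
"""Model of .EXE (MZ) length behaviour under paragraph-aligned appending.

Added example (not from the original comp.virus post). All sample
headers and file contents below are constructed for illustration.
"""
import struct

PARAGRAPH = 16          # x86 real-mode segments address 16-byte paragraphs
MZ_HEADER_FMT = "<2sHHHHHHHHHHHHH"   # e_magic + 13 WORD fields = 28 bytes


def padded_length(host_len: int) -> int:
    """Host length after padding up to the next paragraph boundary."""
    return (host_len + PARAGRAPH - 1) // PARAGRAPH * PARAGRAPH


def padding_bytes(host_len: int) -> int:
    """How many garbage bytes (0-15) a paragraph-aligning appender adds."""
    return padded_length(host_len) - host_len


def aligned_append_length(host_len: int, body_len: int) -> int:
    """Strategy (a): pad to a paragraph, then append a fixed-size body."""
    return padded_length(host_len) + body_len


def constant_residue(sizes, body_len: int) -> bool:
    """True if every size has the residue MOD 16 that strategy (a) leaves.

    Because the padded host is a multiple of 16, the infected length
    MOD 16 equals body_len MOD 16 for every host, whatever its size.
    """
    return all(s % PARAGRAPH == body_len % PARAGRAPH for s in sizes)


def direct_append_ip(host_len: int) -> int:
    """Strategy (b): no padding, so CS points at the last paragraph boundary
    before the appended code and IP must absorb host_len MOD 16."""
    return host_len % PARAGRAPH


def build_mz_header(declared_size: int, header_paragraphs: int = 2,
                    ip: int = 0, cs: int = 0) -> bytes:
    """Construct a minimal MZ header declaring `declared_size` bytes
    (e_cp whole 512-byte pages plus e_cblp bytes in the last page)."""
    pages, last = divmod(declared_size, 512)
    if last:
        pages += 1
    hdr = struct.pack(MZ_HEADER_FMT, b"MZ", last, pages, 0, header_paragraphs,
                      0, 0xFFFF, 0, 0, 0, ip, cs, 0x1C, 0)
    # e_cparhdr counts paragraphs, so pad the 28-byte struct to that size.
    return hdr.ljust(header_paragraphs * PARAGRAPH, b"\0")


def mz_declared_size(data: bytes) -> int:
    """Size of the image according to the header: (e_cp-1)*512 + e_cblp,
    or e_cp*512 when e_cblp is zero."""
    fields = struct.unpack_from(MZ_HEADER_FMT, data)
    if fields[0] != b"MZ":
        raise ValueError("not an MZ executable")
    e_cblp, e_cp = fields[1], fields[2]
    return e_cp * 512 if e_cblp == 0 else (e_cp - 1) * 512 + e_cblp


def entry_file_offset(data: bytes) -> int:
    """File offset of the initial CS:IP: header paragraphs + CS*16 + IP."""
    fields = struct.unpack_from(MZ_HEADER_FMT, data)
    e_cparhdr, e_ip, e_cs = fields[4], fields[10], fields[11]
    return e_cparhdr * PARAGRAPH + e_cs * PARAGRAPH + e_ip


def overlay_length(data: bytes) -> int:
    """Bytes present beyond the header-declared image (0 if none).

    Caveat: this only reveals appended data when the header was not
    updated to cover it, and legitimate programs use overlays too, so a
    positive value is a reason to inspect, not proof of infection.
    """
    return max(0, len(data) - mz_declared_size(data))


# Constructed sample: 32-byte header + 100-byte load module = 132 bytes.
SAMPLE_HOST = build_mz_header(132) + b"\x90" * 100
# Constructed suspect: host padded to a paragraph, then 1019 filler bytes
# standing in for an appended body of the size the post reports.
CONSTRUCTED_SUSPECT = (SAMPLE_HOST + b"\0" * padding_bytes(len(SAMPLE_HOST))
                       + b"\xCC" * 1019)

if __name__ == "__main__":
    hosts = (1, 500, 1000, 4097)
    print("padding per host:", [padding_bytes(h) for h in hosts])
    print("residue constant:", constant_residue(
        [aligned_append_length(h, 1019) for h in hosts], 1019))
    print("overlay bytes in suspect:", overlay_length(CONSTRUCTED_SUSPECT))
```

The residue check is the practical takeaway: if a scanner sees a cluster of .EXE files whose lengths all share one value MOD 16 that differs from their clean counterparts, the post's explanation tells you why, and the padding bytes it mentions are exactly what a disinfector cannot recover, because nothing records how many of the trailing bytes were garbage.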