Path: utzoo!attcan!uunet!wuarchive!usc!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: CHESS@YKTVMV.BITNET (David.M.Chess)
Newsgroups: comp.virus
Subject: "Slow" virus (PC)
Message-ID: <0002.9008021208.AA05484@ubu.cert.sei.cmu.edu>
Date: 1 Aug 90 14:02:04 GMT
Sender: Virus Discussion List
Lines: 35
Approved: krvw@sei.cmu.edu

> First sighting of Slow (PC) virus reported in Australia.

Coincidentally, we just got a report from Australia as well.

Does anyone know offhand why the virus is called "slow"? I don't see any code that slows the machine down all that much. I probably just missed it...

Some findings about "Slow"; based on code analysis, not on any testing:

- Self-garbling, like the 17xx family et al., but with a reasonably large invariant part. Data areas are stored under a second level of XOR-garble, for some reason.

- Much of the code is taken from the 1813 (Jerusalem) virus, but Slow is better at telling EXE-format from COM-format files, and doesn't have the EXE-reinfecting bug.

- Like the 1813, it goes resident when the first infected program is run, and infects anything executed thereafter.

- Only "damage" seems to be that, on some Fridays after 1990, something like every other file-close will cause the file's timestamp to be set to zero. Sort of odd!

- The virus has a five-byte self-id string that infected files will end with. It will rarely -change- this self-id; it stores both the current one, and one previous one, to avoid too much re-infection. This is no doubt to avoid "inoculators" (which were never very interesting to start with).

- Like the 1813, it sets the CRC in the header of infected EXE files to 1984; but it never uses the fact. Either the author wanted to make Slow-infected files immune to the 1813, or (more likely) he just didn't understand the 1813's code well enough to know that the setting-to-1984 wasn't needed.

Any information about the "Slow" that adds to, or contradicts, the above would be appreciated!

DC
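The post notes that Slow, like the 1813, writes 1984 into the checksum field of the EXE header. The following added example (not from the post or its author) shows how a defender can turn that observation into a quick triage check: it parses the MZ header and flags files whose checksum field holds 1984. The field offset (0x12) comes from the documented MZ header layout, not from the post; the sample headers are constructed inline.

```python
import struct

# MZ (DOS EXE) header layout, from the documented format (not from the post):
# the 16-bit little-endian checksum field lives at offset 0x12.
MZ_MAGIC = b"MZ"
E_CSUM_OFFSET = 0x12
MARKER_1984 = 1984  # value the post says Slow and the 1813 store in the checksum field


def exe_checksum_field(data: bytes):
    """Return the header checksum field of an MZ executable, or None if not MZ."""
    if len(data) < 0x1C or data[:2] != MZ_MAGIC:
        return None
    return struct.unpack_from("<H", data, E_CSUM_OFFSET)[0]


def has_1984_marker(data: bytes) -> bool:
    """True when the checksum field holds 1984, the marker described in the post.

    This is a weak indicator: the field is normally unused, so a linker could in
    principle emit this value. Treat a hit as a reason to look closer, not proof.
    """
    return exe_checksum_field(data) == MARKER_1984


def make_mz_header(csum: int) -> bytes:
    """Build a minimal constructed 28-byte MZ header (sample input, not a real file)."""
    hdr = bytearray(0x1C)
    hdr[:2] = MZ_MAGIC
    struct.pack_into("<H", hdr, 0x08, 2)      # e_cparhdr: header size in paragraphs
    struct.pack_into("<H", hdr, 0x12, csum)   # e_csum: the field the virus overwrites
    struct.pack_into("<H", hdr, 0x18, 0x1C)   # e_lfarlc: relocation table offset
    return bytes(hdr)


def scan_samples(samples: dict) -> list:
    """Return the names of samples whose header carries the 1984 marker."""
    return [name for name, data in samples.items() if has_1984_marker(data)]


if __name__ == "__main__":
    samples = {
        "clean.exe": make_mz_header(0),
        "suspect.exe": make_mz_header(1984),
        "notes.txt": b"plain text, not an executable",
    }
    print(scan_samples(samples))  # ['suspect.exe']
```

Because the marker is shared with the 1813, a hit only says "Jerusalem-family header"; distinguishing Slow would need its self-id trailer, which the post does not give.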