Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!bcm!dimacs.rutgers.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: 8326442@AWIWUW11.BITNET (Martin Zejma)
Newsgroups: comp.virus
Subject: discovering 170x infection path (PC)
Message-ID: <0011.9101092021.AA06041@ubu.cert.sei.cmu.edu>
Date: 9 Jan 91 17:26:16 GMT
Sender: Virus Discussion List
Lines: 34
Approved: krvw@sei.cmu.edu

Hello hunters!

During autumn I worked out a TurboPascal 5.5 (without OOP, so just 5.0) program that tries to show the infection path of a group of infections with the 1701/1704 Virus, found with (no brackets) (170X) when using SCAN.

The virus stores
1) the 32-bit system clock from 0040:006C or something like that --> (you get the TIME when the virus gets resident)
2) the jump instruction to the eof from the previous infection (so you get the length of the previous infected file while being resident)
3) all the original interrupt vectors, so you can separate different environments while infections occurred
4) the original length of the current infected file

All that stuff is quite simply programmed.

Now I want to know: IS this interesting enough to be posted in the VIRUS-L archives???

Please send opinions (to me directly or to the list, I'm a maniac reader), especially the moderator of this fabulous list, Mr Ken van Wyk.

Thanks for wasting your time

Martin

+-----------------------------------------------------------------------+
|  Martin Zejma                             8326442 @ AWIWUW11.BITNET   |
|                                                                       |
|  Wirtschaftsuniversitaet Wien --- Univ. of Economics Vienna/Austria   |
+-----------------------------------------------------------------------+
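One way to rebuild an infection path from the four stored fields the post lists, as an added Python example (not the author's Turbo Pascal program). It assumes the fields have already been extracted into records; the field names, the sample values, and the reading of the stored jump as a 3-byte near JMP whose target equals the previous host's original length are assumptions.

```python
from collections import defaultdict

TICK_HZ = 1193182 / 65536  # BIOS timer ticks per second (about 18.2)

def jump_target(jmp):
    """Assumption: the stored jump is a near JMP (E9 rel16) at offset 0 of a
    .COM file, so its target equals the host's original length."""
    if len(jmp) != 3 or jmp[0] != 0xE9:
        return None
    return (int.from_bytes(jmp[1:], "little") + 3) & 0xFFFF

def ticks_to_time(ticks):
    """Convert the tick count since midnight (0040:006C) to HH:MM:SS."""
    secs = int(ticks / TICK_HZ)
    return "%02d:%02d:%02d" % (secs // 3600, secs // 60 % 60, secs % 60)

def infection_paths(records):
    """Return [(resident_time, [file names in infection order]), ...]."""
    sessions = defaultdict(list)
    for r in records:  # same clock value and vectors: same resident session
        sessions[(r["ticks"], r["vectors"])].append(r)
    paths = []
    for key in sorted(sessions):
        group = sessions[key]
        by_len = {r["orig_len"]: r["name"] for r in group}
        succ, heads = {}, []
        for r in group:
            pred = by_len.get(jump_target(r["prev_jmp"]))
            if pred is None or pred == r["name"]:
                heads.append(r["name"])  # previous infection not in this group
            else:
                succ[pred] = r["name"]   # pred was infected just before r
        for name in heads:
            chain, seen = [], set()
            while name is not None and name not in seen:  # seen guards loops
                chain.append(name)
                seen.add(name)
                name = succ.get(name)
            paths.append((ticks_to_time(key[0]), chain))
    return paths

# Constructed sample records (hypothetical field names, not real samples)
SAMPLE = [
    {"name": "C.COM", "ticks": 655440, "vectors": "aa", "orig_len": 800, "prev_jmp": bytes.fromhex("e9450d")},
    {"name": "A.COM", "ticks": 655440, "vectors": "aa", "orig_len": 1200, "prev_jmp": bytes.fromhex("e98513")},
    {"name": "B.COM", "ticks": 655440, "vectors": "aa", "orig_len": 3400, "prev_jmp": bytes.fromhex("e9ad04")},
    {"name": "D.COM", "ticks": 950385, "vectors": "bb", "orig_len": 2048, "prev_jmp": bytes.fromhex("e91d03")},
    {"name": "E.COM", "ticks": 950385, "vectors": "bb", "orig_len": 999, "prev_jmp": bytes.fromhex("e9fd07")},
]
```

Two hosts with the same original length in one session make a link ambiguous; this example keeps the last one seen.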