Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!nstn.ns.ca!news.cs.indiana.edu!samsung!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: frisk@rhi.hi.is (Fridrik Skulason)
Newsgroups: comp.virus
Subject: Re: New virus 1586? (PC)
Message-ID: <0009.9101281420.AA16983@ubu.cert.sei.cmu.edu>
Date: 26 Jan 91 08:48:08 GMT
Sender: Virus Discussion List
Lines: 43
Approved: krvw@sei.cmu.edu

csas400@vax1.mankato.msus.edu writes:

> 3. Changes file size.
>
>   filename        noVir     Vir      Difference
>   command.com     37637     39223    1586
>   simcity.exe     191845    193431   1586
>   share.exe       10301     11879    1578

From this information it is clear the length of the virus is not 1586 bytes, nor 1578, but rather 1575 bytes. The reason is as follows. In almost all cases, a variable length increase means the virus first pads the program to make the length a multiple of 16 bytes, before appending the virus. Assuming this is the case, we get

                  before padding   after padding   after infection   difference
  command.com     37637            37648           39223             1575
  simcity.exe     191845           191856          193431            1575
  share.exe       10301            10304           11879             1575

A side effect is that disinfectors may not be able to restore infected files 100% - they may contain 1-15 garbage bytes at the end, after the virus has been removed. This will not affect the operation of the program in any way, unless it does a check of its own integrity.

> If someone (reputable [ie. has written vir.pro. programs before]) would like
> to tackle this hobby of killing and detection of this virus I'll send you a
> copy.

Well - I would be happy to add detection/removal of this virus to my F-PROT program - assuming it does not use any really complex encryption, it should not take more than a couple of hours to have the disinfector ready. But be careful who you send the virus to - there are not more than 10-12 people I would send it to.
-frisk

-- 
Fridrik Skulason      University of Iceland      |
Technical Editor of the Virus Bulletin (UK)      | Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801      |
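The paragraph-alignment reasoning frisk applies by hand above, as an added example (not code from the original post or from F-PROT): given several (clean, infected) size pairs for an appending infector, try candidate alignments and keep the smallest one under which every sample yields the same appended length. The sample sizes are the three quoted in the post; the function names and the list of candidate alignments are my own assumptions, and the example goes slightly beyond the post by not presupposing 16 but testing for it.

```python
# Infer the true body length of an appending file infector from
# (clean size, infected size) pairs, following the observation in the post
# that many infectors first pad the host to an alignment boundary (16 bytes,
# one x86 paragraph) before appending their own code.
# Added example; the three size pairs are the ones quoted in the post.

SAMPLES = {  # host file -> (clean size, infected size), from the post
    "command.com": (37637, 39223),
    "simcity.exe": (191845, 193431),
    "share.exe": (10301, 11879),
}

# Candidate alignments to test, smallest first (assumption: powers of two
# up to a 512-byte sector are the realistic choices for a DOS infector).
CANDIDATE_ALIGNMENTS = (1, 2, 4, 8, 16, 32, 64, 128, 256, 512)


def pad_to(size, align):
    """Round size up to the next multiple of align (no change if aligned)."""
    return -(-size // align) * align


def infer_virus_length(samples, alignments=CANDIDATE_ALIGNMENTS):
    """Return (alignment, virus_length) for the smallest alignment under which
    infected - pad_to(clean, alignment) is identical for every sample.
    Returns None if no candidate alignment makes the samples agree, which
    would suggest a different infection strategy (e.g. variable-length stub)."""
    for align in alignments:
        lengths = {infected - pad_to(clean, align)
                   for clean, infected in samples.values()}
        if len(lengths) == 1:
            return align, lengths.pop()
    return None


def leftover_after_disinfection(clean_size, align=16):
    """Padding bytes a disinfector that only truncates the virus body would
    leave behind at the end of the host (0..align-1), as frisk warns."""
    return pad_to(clean_size, align) - clean_size


if __name__ == "__main__":
    result = infer_virus_length(SAMPLES)
    print("alignment, virus length:", result)
    for name, (clean, _) in SAMPLES.items():
        print(f"{name}: {leftover_after_disinfection(clean)} garbage bytes "
              f"remain after a truncating disinfection")
```

Alignment 1 fails because the raw differences disagree (1586, 1586, 1578); 2, 4 and 8 also fail; 16 is the first alignment at which all three samples give 1575, matching the table in the post. The leftover count (11, 11 and 3 bytes for the three hosts) is what an exact-restore disinfector would have to recover from elsewhere, for instance from a copy of the original length stored in the virus body, if the virus keeps one.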