Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!zaphod.mps.ohio-state.edu!mips!pacbell.com!att!news.cs.indiana.edu!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: mrs@netcom.com (Morgan Schweers)
Newsgroups: comp.virus
Subject: Re: Tequila virus (PC)
Message-ID: <0002.9105291438.AA09086@ubu.cert.sei.cmu.edu>
Date: 29 May 91 08:01:56 GMT
Sender: Virus Discussion List
Lines: 55
Approved: krvw@sei.cmu.edu

Greetings,
    Some time ago microsoft!c-rossgr@uunet.uu.net happily mumbled:
>>From: mrs@netcom.com (Morgan Schweers)
>>
>> *Chuckle* It's a variant of the Flip virus, actually. A bit of
>>pseudo-encryption code was added, and a bit of infection code was
>>removed, but otherwise it's mostly Flip-like.
>
>Interesting phrase, "pseudo-encryption". What, exactly, does it mean?

    There aren't any viruses which use anything that could be considered
'real' encryption (yeah, yeah, I know, 'define real'... We'll take it to
sci.philosophy.meta, okay?)  However, what I meant by 'pseudo-encryption'
is a situation in which the METHOD is different each time.  For example,
the Tequila uses XOR *OR* ADDitive encryption.  This is more than one form
of encryption, so in referring to the entire group I call it
pseudo-encryption.  The same with the Whale, etc.  It could also be called
variable encryption if you wish.

>Sorry: I don't count "wild card" strings as a search pattern. There's
>too much chance for false positives. But, true, if you don't mind the
>occasional false positive, I guess you could state that a search
>string was available for Tequila.

    Odd that you would claim that... I could have sworn... Oh, never mind.
Actually, if you are using five bytes to search for the virus, and someone
else is using 15 (interspersed with a few wildcards), is it automatically
to be assumed that the wildcarded one is going to be less specific?  Do you
have any statistics behind it?  The most important thing is the person
putting together a string.

    One has to realize that if one is going to use wildcards, one has to
use more bytes to detect than one normally would.  (For verification
purposes.)  There is also a second trick, used by some.  When the file is
detected as almost certainly being a virus, the decryption method is used
on a portion of the file.  That portion is compared against a standard,
known block of code.  If a match ISN'T made, the file is ignored.

>> Dave Chess mentioned to me that the Tequila displays a low-resolution
>>Mandelbrot set upon activation. I haven't confirmed it, but I plan to.
>>(Anybody want GIF copies when I do? *chuckle*)
>
>Sorry: I'll wait for the sequel: Tequila Part II: The Resolution
>Improves!

    Yupyup.  I figure the sequel will come around January...  You know
what I mean...  A new year's resolution increase...  *duck*

-- 
Morgan Schweers
- -- My company has nothing to do with this.  So there.  Besides, most
people here *HATE* bad puns!  -- mrs@netcom.com
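The two detection ideas in the post above, a wildcard search string backed by a "decrypt a portion and compare it against a known block" verification step, as an added example in Python that is not part of the original post. The search string, the key and method positions, the known block and the sample buffers are all constructed for illustration and are not Tequila's real bytes.

```python
WILD = None  # wildcard slot in a search string: any byte matches here

# Constructed 15-byte wildcard search string: fixed bytes with three
# wildcard slots where per-infection values (method, offset, key) would sit.
SEARCH_STRING = [0xB8, WILD, 0x00, 0x8E, 0xD8, 0xBE, WILD, 0x01,
                 0x8A, 0x04, 0x34, WILD, 0x88, 0x04, 0x46]
METHOD_POS = 1   # constructed: 0 = XOR, 1 = ADD, read from the match
KEY_POS = 11     # constructed: single-byte key, read from the match
BODY_AFTER = 15  # constructed: encoded body starts right after the string
# Constructed "standard, known block" a decoded body must reproduce.
KNOWN_BLOCK = b"TEQUILA-SAMPLE-BODY!"

def find_wildcard(buf, pattern):
    """Return every offset where pattern matches buf (None = any byte)."""
    hits = []
    for i in range(len(buf) - len(pattern) + 1):
        if all(p is None or buf[i + j] == p for j, p in enumerate(pattern)):
            hits.append(i)
    return hits

def decrypt(block, method, key):
    """Undo the two variable encodings: XOR with key, or ADD of key."""
    if method == 0:
        return bytes(b ^ key for b in block)
    return bytes((b - key) & 0xFF for b in block)

def verify(buf, off):
    """Second trick: decode the block after the hit, compare to KNOWN_BLOCK."""
    method = buf[off + METHOD_POS]
    key = buf[off + KEY_POS]
    start = off + BODY_AFTER
    block = buf[start:start + len(KNOWN_BLOCK)]
    if len(block) < len(KNOWN_BLOCK) or method not in (0, 1):
        return False
    return decrypt(block, method, key) == KNOWN_BLOCK

def scan(buf):
    """Return (raw wildcard hits, hits that survived verification)."""
    hits = find_wildcard(buf, SEARCH_STRING)
    return hits, [h for h in hits if verify(buf, h)]

def make_sample(method, key, body=KNOWN_BLOCK):
    """Construct a test buffer that matches the search string at offset 7."""
    head = [b if b is not None else 0 for b in SEARCH_STRING]
    head[METHOD_POS] = method
    head[KEY_POS] = key
    enc = bytes(b ^ key for b in body) if method == 0 else bytes((b + key) & 0xFF for b in body)
    return b"\x90" * 7 + bytes(head) + enc + b"\x00" * 4
```

A buffer whose body decodes to something other than the known block still matches the wildcard string but is dropped by `verify`, which is exactly the false-positive case the post argues about.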