Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: frisk@rhi.hi.is (Fridrik Skulason)
Newsgroups: comp.virus
Subject: Wildcards (Was: Re: Tequila virus) (PC)
Message-ID: <0008.9105301427.AA10625@ubu.cert.sei.cmu.edu>
Date: 29 May 91 21:21:02 GMT
Sender: Virus Discussion List
Lines: 38
Approved: krvw@sei.cmu.edu

David Chess wrote:

> Any sort of less-than-virus-length scan string is somewhat prone to
> false alarms, but ones with wildcards, if properly chosen, aren't
> necessarily any worse than ones without...

Ross Greenberg wrote:

> We'll have to agree to disagree on this one, Dave.

Well, I tend to agree with David - I use wildcards in 15% or so of my
search patterns - but only in the following cases:

1) When the pattern contains a reference to an address outside it.
   Example:

        MOV AX,CS:[some_address_elsewhere]

   or

        JNE a_fairly_long_distance

2) When the pattern contains an instruction which depends on the
   assembler used. Example:

        XOR AX,AX       ; 31 C0
        XOR AX,AX       ; 33 C0

   I have some variants of viruses where the only difference is due to
   this.

Variable-length wildcards are in my opinion an absolute no-no...I never
use them.

For the viruses using the most complex types of encryption (Whale,
Tequila, V2P2 and Adolph) I use an algorithmic approach, not a search
string. I also try to avoid search patterns for viruses written entirely
in a high-level language.

-frisk
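The two cases frisk lists (an address operand the pattern cannot pin down, and an opcode that differs between assemblers) map directly onto a fixed-position wildcard scanner. The following is an added example written for this page, not frisk's scanner or anything from F-PROT; the pattern syntax (`??` for any byte, `{31,33}` for a short list of alternatives) and the sample byte strings are constructed for illustration and are not real virus code. It also makes David Chess's point measurable: the chance that a random byte string matches a pattern depends only on how many byte values each position admits, so a pattern with a few single-byte wildcards is about as selective as a shorter exact pattern with the same number of fixed bytes. Variable-length wildcards are deliberately not supported, in keeping with the post.

```python
"""Fixed-position wildcard signature scanner (added example, not the poster's code).

Pattern syntax (assumed for this example):
  'A1'       exactly this byte
  '??'       any single byte (fixed-position wildcard)
  '{31,33}'  any of the listed byte values, e.g. both encodings of XOR AX,AX
Each token is exactly one byte wide, so pattern length is fixed and a match
is checked byte-for-byte at each candidate offset.
"""

ANY = frozenset(range(256))


def parse_pattern(text: str) -> list[frozenset[int]]:
    """Turn a search string into a list of allowed-byte sets, one per position."""
    allowed = []
    for tok in text.split():
        if tok == "??":
            allowed.append(ANY)
        elif tok.startswith("{") and tok.endswith("}"):
            allowed.append(frozenset(int(v, 16) for v in tok[1:-1].split(",")))
        elif len(tok) == 2:
            allowed.append(frozenset([int(tok, 16)]))
        else:
            # Anything else (e.g. a '*' variable-length wildcard) is rejected.
            raise ValueError(f"unsupported pattern token {tok!r}")
    return allowed


def scan(buf: bytes, pattern: list[frozenset[int]]) -> list[int]:
    """Return every offset in buf at which the whole pattern matches."""
    n = len(pattern)
    return [
        off
        for off in range(len(buf) - n + 1)
        if all(buf[off + i] in allowed for i, allowed in enumerate(pattern))
    ]


def fixed_bytes(pattern: list[frozenset[int]]) -> int:
    """Number of positions that admit exactly one byte value."""
    return sum(1 for allowed in pattern if len(allowed) == 1)


def random_match_probability(pattern: list[frozenset[int]]) -> float:
    """Probability that uniformly random bytes match the pattern at one offset.

    Each position contributes len(allowed)/256; an exact byte costs 1/256, a
    '??' costs nothing, a two-way alternative costs 2/256.
    """
    p = 1.0
    for allowed in pattern:
        p *= len(allowed) / 256
    return p


# Constructed sample fragments (not real virus code): the same three
# instructions with a different data address, a different assembler's
# encoding of XOR AX,AX, and a different jump distance.
#   MOV AX,CS:[addr]   2E A1 lo hi
#   XOR AX,AX          31 C0  (one assembler)  or  33 C0 (another)
#   JNE rel8           75 xx
VARIANT_A = bytes.fromhex("90 90 2E A1 34 12 31 C0 75 10 CD 21")
VARIANT_B = bytes.fromhex("90 90 2E A1 78 56 33 C0 75 20 CD 21")
# Innocent code that shares the prefix but has MOV AX,AX (89 C0) instead.
CLEAN = bytes.fromhex("2E A1 34 12 89 C0 75 10 CD 21")

EXACT_A = "2E A1 34 12 31 C0 75 10"            # catches variant A only
WILDCARD = "2E A1 ?? ?? {31,33} C0 75 ??"      # catches both, rejects CLEAN
EXACT_SHORT = "2E A1 31 C0 75"                 # same number of fixed bytes... almost

if __name__ == "__main__":
    for name, text in (("exact", EXACT_A), ("wildcard", WILDCARD)):
        pat = parse_pattern(text)
        print(f"{name:9s} A={scan(VARIANT_A, pat)} B={scan(VARIANT_B, pat)} "
              f"clean={scan(CLEAN, pat)} fixed={fixed_bytes(pat)} "
              f"p(random)={random_match_probability(pat):.3g}")
    print(f"5-byte exact p(random)={random_match_probability(parse_pattern(EXACT_SHORT)):.3g}")
```

Running the script shows the exact eight-byte string matching only variant A, while the wildcard string matches both variants at offset 2 and still rejects the clean fragment. The wildcard pattern has four fixed bytes plus one two-way alternative, so its random-match probability is 2/256^5, twice that of a five-byte exact pattern (1/256^5) and far below an unconstrained short string; whether that is acceptable is exactly the trade-off the thread is arguing about.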