Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!zaphod.mps.ohio-state.edu!mips!pacbell.com!iggy.GW.Vitalink.COM!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: microsoft!c-rossgr@uunet.uu.net
Newsgroups: comp.virus
Subject: Re: Tequila virus (PC)
Message-ID: <0009.9105311330.AA00359@ubu.cert.sei.cmu.edu>
Date: 30 May 91 21:20:01 GMT
Sender: Virus Discussion List
Lines: 37
Approved: krvw@sei.cmu.edu

>From: mrs@netcom.com (Morgan Schweers)
>                                  However, what I meant by
>'pseudo-encryption' is a situation in which the METHOD is different
>each time. For example, the Tequila uses XOR *OR* ADDitive
>encryption. This is more than one form of encryption, so in referring
>to the entire group I call it pseudo-encryption. The same with the
>Whale, etc. It could also be called variable encryption if you wish.

Hmmm. Interesting definition. I use "variable encoding" to indicate
that something in the virus is designed to thwart scanners: variable
"NOP" type instructions, that kinda stuff. I use "encryption" to
indicate that the code has been mangled in some form, regardless of
how many methods a given program uses. That would make Tequila a
"variable encoding encrypted" virus, I guess. Pain in the butt, in
any case.

>    Actually, if you are using five bytes to search for the virus,
>and someone else is using 15 (interspersed with a few wildcards), is
>it automatically to be assumed that the wildcarded one is going to be
>less specific? Do you have any statistics behind it?

That is too obviously backwards to require stats and is not what I
was implying. Of course having 16 bytes with no wild cards *should*
be more specific than 16 bytes with wildcards.

>    There is also a second trick, used by some. When the file is
>detected as almost certainly being a virus, the decryption method is
>used on a portion of the file. That portion is compared against a
>standard, known block of code. If a match ISN'T made, the file is
>ignored.

Yeah, we use that for 1260 and Caspar and a coupla others. Another
pain in the butt, frankly. Maybe I'm just getting burned out in the
anti-virus arena and would rather be scuba-diving...

Ross
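The two scanner techniques discussed in the thread, a wildcarded search string that tolerates a variable "NOP-type" byte in the decryptor, followed by the "second trick" of decrypting a portion of the hit with the key and method recovered from the stub and comparing it against a known block of the virus body, as an added illustration that is not part of the original post. The stub layout, the XOR/ADD method byte, the known body and all sample files below are constructed for the example; they are not Tequila's, Caspar's or 1260's actual code, and the scanner is a toy, not anyone's product.

```python
"""Toy scanner: wildcarded signature plus verify-by-decrypting.

Everything here is constructed for illustration. The decryptor stub
layout is hypothetical and does not describe any real virus:

    [0x55] [method] [key] [filler] [0xE8 0x00 0x00]  <encrypted body>

'filler' stands in for a variable NOP-type instruction, so the search
string wildcards it. 'method' selects XOR or ADDitive encryption, the
two forms the thread attributes to Tequila.
"""
from typing import List, Optional, Sequence, Tuple

METHOD_XOR, METHOD_ADD = 0x00, 0x01
STUB_LEN = 7

# Constructed "known block of code" the verifier compares against.
KNOWN_BODY = b"TOY-VIRUS-BODY: constructed sample, not real viral code".ljust(64, b".")

# 7-byte search string; None is a wildcard covering method, key and filler.
STUB_SIG: Sequence[Optional[int]] = [0x55, None, None, None, 0xE8, 0x00, 0x00]


def encode_body(body: bytes, method: int, key: int) -> bytes:
    """Apply the toy virus's encryption (XOR or byte-wise ADD mod 256)."""
    if method == METHOD_XOR:
        return bytes(b ^ key for b in body)
    return bytes((b + key) & 0xFF for b in body)


def decode_body(data: bytes, method: int, key: int) -> bytes:
    """Inverse of encode_body, as a scanner would run it on a suspect file."""
    if method == METHOD_XOR:
        return bytes(b ^ key for b in data)
    return bytes((b - key) & 0xFF for b in data)


def build_sample(method: int, key: int, filler: int = 0x90) -> bytes:
    """Constructed 'infected' fragment: stub followed by the encrypted body."""
    stub = bytes([0x55, method, key, filler, 0xE8, 0x00, 0x00])
    return stub + encode_body(KNOWN_BODY, method, key)


def find_signature(data: bytes, sig: Sequence[Optional[int]]) -> List[int]:
    """Return every offset where the wildcarded search string matches."""
    hits = []
    for i in range(len(data) - len(sig) + 1):
        if all(s is None or data[i + j] == s for j, s in enumerate(sig)):
            hits.append(i)
    return hits


def verify_by_decrypting(data: bytes, off: int, check_len: int = 32) -> bool:
    """The 'second trick': pull method and key out of the stub at 'off',
    decrypt the following bytes and compare with the known body.
    A signature hit whose decrypted body does not match is ignored."""
    method, key = data[off + 1], data[off + 2]
    if method not in (METHOD_XOR, METHOD_ADD):
        return False
    body = data[off + STUB_LEN: off + STUB_LEN + check_len]
    if len(body) < check_len:
        return False
    return decode_body(body, method, key) == KNOWN_BODY[:check_len]


def scan(data: bytes) -> Tuple[str, Optional[int]]:
    """Report the first signature hit that survives decryption, else clean."""
    for off in find_signature(data, STUB_SIG):
        if verify_by_decrypting(data, off):
            return ("infected", off)
    return ("clean", None)


if __name__ == "__main__":
    host = b"MZ" + b"\x00" * 200            # constructed host-file prefix
    print(scan(host + build_sample(METHOD_XOR, 0x5A, 0x90)))
    print(scan(host + build_sample(METHOD_ADD, 0x33, 0x40)))
    # Same stub bytes, random body: signature hits, verification rejects.
    print(scan(bytes([0x55, METHOD_XOR, 0x11, 0x90, 0xE8, 0, 0]) + bytes(range(64))))
```

The verification step is what lets the short, wildcarded search string stay cheap without raising the false-positive rate: the signature only nominates candidates, and a candidate is reported only if the body decrypts to the known block under the method and key the stub itself carries.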