Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)
Newsgroups: comp.virus
Subject: Re: virus detection by scanners ? (PC)
Message-ID: <0001.9106202012.AA20764@ubu.cert.sei.cmu.edu>
Date: 19 Jun 91 15:53:28 GMT
Sender: Virus Discussion List
Lines: 27
Approved: krvw@sei.cmu.edu

I'm somewhat suspicious of any code with the following instructions:

E80000  CALL (next instruction)
        (except that some linkers produce that for a near call to an
        unsatisfied external, and it could be required for
        ROM/position-independent code that needs to access data)
3134    XOR [SI],SI
        (except that that is ASCII '14')

There doesn't appear to be much else fixed in there except

B*8206  MOV ??,0682

which could also be changed if you have a spare byte, which you can get
in your last try.  (Details omitted -- let's not make it TOO easy.)

I hope some virus scanners have a signature for 1701 in the encrypted
portion.

- --
2165888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
a_rubin@dsg4.dse.beckman.com (work)
My opinions are my own, and do not represent those of my employer.
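
Added example, not part of the original post: a scanner heuristic that treats each of the three byte patterns above as a weak signal on its own (for the reasons the post gives) and reports a hit only when all three occur close together. The WINDOW distance, the reading of B*8206 as opcodes B8..BF, and the sample buffers are assumptions made for this illustration.

```python
import re

CALL_NEXT = b"\xE8\x00\x00"                       # E80000  CALL (next instruction)
XOR_SI = b"\x31\x34"                              # 3134    XOR [SI],SI (also ASCII '14')
MOV_0682 = re.compile(rb"[\xB8-\xBF]\x82\x06")    # B*8206  MOV r16,0682 (assumed B8..BF)
WINDOW = 48  # assumed: bytes after the CALL in which the other two must appear


def scan(buf: bytes, window: int = WINDOW):
    """Return offsets of CALL-next where both other patterns follow within `window`.

    A lone CALL-next can be linker output or position-independent code, and a
    lone 31 34 can be the text '14', so no single pattern produces a hit.
    """
    hits = []
    pos = buf.find(CALL_NEXT)
    while pos != -1:
        start = pos + len(CALL_NEXT)
        region = buf[start:start + window]
        if XOR_SI in region and MOV_0682.search(region):
            hits.append(pos)
        pos = buf.find(CALL_NEXT, pos + 1)
    return hits


# Constructed buffers (NOP filler around the patterns; not bytes from any real sample).
NOP = b"\x90"
SAMPLE_ALL_THREE = NOP * 4 + CALL_NEXT + NOP * 3 + b"\xBE\x82\x06" + NOP * 2 + XOR_SI + NOP * 4
SAMPLE_CALL_ONLY = NOP * 4 + CALL_NEXT + NOP * 20      # e.g. an unresolved near call
SAMPLE_TEXT_14 = b"Invoice 14 of 1991\r\n"             # ASCII '14' is 31 34
SAMPLE_TOO_FAR = CALL_NEXT + NOP * 100 + b"\xB9\x82\x06" + XOR_SI

if __name__ == "__main__":
    for name in ("SAMPLE_ALL_THREE", "SAMPLE_CALL_ONLY", "SAMPLE_TEXT_14", "SAMPLE_TOO_FAR"):
        print(name, scan(globals()[name]))
```

As the post notes, the MOV immediate can be changed, so a rule like this is only a heuristic for unencrypted stub code and does not replace a signature taken from the decrypted body.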