Path: utzoo!attcan!uunet!lll-winken!lll-tis!helios.ee.lbl.gov!pasteur!ucbvax!pro-carolina.cts.COM!delton
From: delton@pro-carolina.cts.COM (Don Elton)
Newsgroups: comp.sys.apple
Subject: finding the virus code I mentioned earlier
Message-ID: <8807240816.AA21449@crash.cts.com>
Date: 24 Jul 88 04:22:47 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Reply-To: pnet01!pro-simasd!pro-carolina!delton@nosc.mil
Organization: The Internet
Lines: 21

Files infected by the prodos based virus I mentioned earlier start with
the following code sequence:

         jmp relocate
relocate jsr $ff58
         tsx
         etc etc etc

This means that you can use a block editor with a hex search feature and
look for the string 20 58 FF BA BD to identify blocks containing the virus
relocator code.

UUCP: [ ihnp4 sdcsvax nosc ] !crash!pro-carolina!delton
ARPA: crash!pro-carolina!delton@nosc.mil
INET: delton@pro-carolina.cts.com

Pro-Carolina: 803-776-3936 (300-2400 baud, login as 'register')
US Mail: 3207 Berkeley Forest Drive, Columbia, SC 29209-4111
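
The hex search described in the post, run over a raw disk image instead of a block editor. This is an added example, not part of the original post: the names `scan_image` and `build_sample_image` are hypothetical, the image is assumed to be in ProDOS block order with 512-byte blocks, and the "file start" flag is a heuristic based on the post's statement that infected files begin with `jmp relocate`.

```python
import sys

# Byte string given in the post: JSR $FF58 (20 58 FF), TSX (BA), then BD.
SIGNATURE = bytes.fromhex("2058FFBABD")
BLOCK_SIZE = 512   # ProDOS block size in bytes
JMP_ABS = 0x4C     # 6502 opcode for JMP absolute (3-byte instruction)


def scan_image(image: bytes):
    """Return [(block, offset, file_start_pattern)] for every signature hit.

    The whole image is searched at once, so a hit that straddles two
    physically adjacent blocks is still found and is reported under the
    block where it begins.
    """
    hits = []
    pos = image.find(SIGNATURE)
    while pos != -1:
        block, offset = divmod(pos, BLOCK_SIZE)
        # Post: infected files *start* with "jmp relocate" followed directly
        # by the relocator, i.e. a 3-byte JMP and then the signature.
        file_start = offset == 3 and image[pos - 3] == JMP_ABS
        hits.append((block, offset, file_start))
        pos = image.find(SIGNATURE, pos + 1)
    return hits


def build_sample_image() -> bytes:
    """Constructed 4-block test image (not a real disk or real virus code)."""
    image = bytearray(4 * BLOCK_SIZE)
    # Block 1: JMP $2003 (load address $2000 is an assumption) + signature.
    image[BLOCK_SIZE:BLOCK_SIZE + 8] = bytes([JMP_ABS, 0x03, 0x20]) + SIGNATURE
    # Block 2, offset 0x140: same bytes in mid-block, not at a file start.
    start = 2 * BLOCK_SIZE + 0x140
    image[start:start + 5] = SIGNATURE
    return bytes(image)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_image()
    for block, offset, file_start in scan_image(data):
        note = "matches file-start layout" if file_start else "inspect manually"
        print(f"block {block} (${block:04X}) offset ${offset:03X}: {note}")
```

Five bytes is a short signature, so a hit marks a block for inspection with the block editor rather than confirming infection.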