Path: utzoo!censor!geac!torsqnt!jarvis.csri.toronto.edu!cs.utexas.edu!yale!think!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: T762102@DM0LRZ01.BITNET
Newsgroups: comp.virus
Subject: How the 1554 virus recognizes infected files (PC)
Message-ID: <0011.9002261315.AA04379@ge.sei.cmu.edu>
Date: 25 Feb 90 12:37:00 GMT
Sender: Virus Discussion List
Lines: 27
Approved: krvw@sei.cmu.edu

Hi!

Since this was not mentioned yet (I hope, I receive the digests with
some delay), I would like to point out how the 1554 virus recognizes
which files are infected by it.

For .COM files: If the contents of the word at offset 02 in the file is
12Eh, then the file is infected. This means that the contents of the
bytes at offset 02 and 03 are 2Eh and 01h respectively. Offsets are
counted from 0, i.e. the first byte of the file is at offset 0.

For .EXE files: If the contents of the word at offset 02 in the file is
equal to the negated contents of the word at offset 12h, then the file
is infected.

Unfortunately, this does not give us a method for file vaccination,
since the contents of the bytes mentioned above are used. For .COM
files, the byte at offset 02 is usually (not always!) the third byte of
a JMP instruction. For .EXE files the situation is easier --- the word
at offset 12h contains the so-called checksum, which is never used and
can be modified.

Vesselin Bontchev
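The two marker tests described in the post, written out as a small checker (this is an added example, not code from the post or from any scanner of the time). It reads the little-endian words at the offsets the post names and, for .EXE files, also shows the inoculation the post says is possible: writing the negated value of the word at offset 02h into the unused MZ checksum word at offset 12h. The MZ-signature check and the sample headers are my own assumptions and constructed inputs; they are not part of the virus's test.

```python
import struct

# Infection marker as described in the post:
#   .COM: the 16-bit word at file offset 02h equals 12Eh (bytes 2Eh, 01h)
#   .EXE: the word at offset 02h equals the two's-complement negation
#         (mod 2^16) of the word at offset 12h (the MZ checksum field)
COM_MARKER = 0x012E


def _word(data: bytes, offset: int) -> int:
    """Little-endian 16-bit word at the given file offset."""
    return struct.unpack_from("<H", data, offset)[0]


def com_is_marked(data: bytes) -> bool:
    """True if a .COM image carries the 1554 marker (word at 02h == 12Eh)."""
    if len(data) < 4:
        return False
    return _word(data, 2) == COM_MARKER


def exe_is_marked(data: bytes) -> bool:
    """True if an .EXE image carries the 1554 marker (word@02h == -word@12h mod 2^16).

    Requiring the 'MZ' signature first is an added sanity check (assumption),
    not something the post says the virus does.  Note that a header whose
    word@02h and word@12h are both 0 satisfies the rule as stated, so a
    checker (or the virus) would treat such a file as already marked.
    """
    if len(data) < 0x14 or data[:2] != b"MZ":
        return False
    return _word(data, 2) == (-_word(data, 0x12)) & 0xFFFF


def exe_vaccinate(data: bytes) -> bytes:
    """Copy of an .EXE with the unused checksum word (12h) set so the marker test passes.

    This is the .EXE inoculation the post describes; no executed byte changes.
    """
    if len(data) < 0x14 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    out = bytearray(data)
    struct.pack_into("<H", out, 0x12, (-_word(data, 2)) & 0xFFFF)
    return bytes(out)


def is_marked(name: str, data: bytes) -> bool:
    """Dispatch on extension, as the virus distinguishes .COM from .EXE targets."""
    lower = name.lower()
    if lower.endswith(".com"):
        return com_is_marked(data)
    if lower.endswith(".exe"):
        return exe_is_marked(data)
    return False


def build_exe_header(bytes_in_last_page: int, checksum: int) -> bytes:
    """Constructed 64-byte MZ header with only the two relevant fields set (sample input)."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<H", hdr, 2, bytes_in_last_page)   # word at 02h
    struct.pack_into("<H", hdr, 0x12, checksum)           # word at 12h
    return bytes(hdr)


# Constructed samples; none of these is a real program or a real infected file.
SAMPLE_COM_CLEAN = b"\xE9\x10\x00\x90" + b"\x90" * 12     # word@02h = 9000h
SAMPLE_COM_MARKED = b"\xE9\x00\x2E\x01" + b"\x90" * 12    # word@02h = 012Eh
SAMPLE_EXE_CLEAN = build_exe_header(0x0100, 0x0000)      # 0100h != -0000h
SAMPLE_EXE_MARKED = build_exe_header(0x0100, 0xFF00)     # 0100h == -FF00h mod 2^16


if __name__ == "__main__":
    for name, data in [("A.COM", SAMPLE_COM_CLEAN), ("B.COM", SAMPLE_COM_MARKED),
                       ("C.EXE", SAMPLE_EXE_CLEAN), ("D.EXE", SAMPLE_EXE_MARKED)]:
        print(f"{name}: marker {'present' if is_marked(name, data) else 'absent'}")
    print("vaccinated C.EXE marked:", exe_is_marked(exe_vaccinate(SAMPLE_EXE_CLEAN)))
```

The checker only answers whether the marker is present; as the post notes, the marker bytes in a .COM file are real code, so a matching value in a clean file is possible and the result is a hint, not proof of infection.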