BBS: Inland Empire Archive
Date: 11-01-92 (11:02) Number: 2
From: JAMES VAHN Refer#: 400
To: MARK BUTLER Recvd: NO
Subj: Postit Conf: (2) Quik_Bas
JV> OPEN "virus.com" FOR OUTPUT AS #1
JV> FOR t = 1 TO 12: READ a: PRINT #1, CHR$(a); : NEXT
JV> CLOSE : DATA 205,20,14,1,207,232,0,0,91,129,235,169
205,32, shucks... see below for the lame excuse..
JV> Completely harmless despite the name. Run this Basic file to
JV> generate virus.com, then run McAfee's SCAN on the drive. You
JV> will find yourself 'infected'- and without using postit.
JV> Even harder to eyeball this one, eh?
MB> SCAN reports that 'virus.com' contains the "Fish" virus. If
MB> 'virus.com' is actually executed SCAN will report that the
MB> "Fish" virus is active in memory even after a warmboot.
MB> Tell us all about this latest "whoopee cushion" of yours
MB> here James. Just how did you deduce that it would trip SCAN
MB> off to the presence of the 'Fish' virus? What is this code
MB> =actually= doing (assuming it was 'harmless' as you said)
This is REALLY off-topic, but it should be explained I suppose..
SCAN and all the others use Search Strings to locate 'Known'
viruses. That is simply SCAN's FISH virus search string...
Other virus scanners use other strings and won't detect this
demo. That is also why false detections are made.
If you tried to execute VIRUS.COM, you loaded it into memory. A
warm boot does not erase memory.
A debug dump of those 12 bytes:
-nvirus.com
-l
-u100 10b
0D24:0100 CD20 INT 20
0D24:0102 0E PUSH CS
0D24:0103 01CF ADD DI,CX
0D24:0105 E80000 CALL 0108
0D24:0108 5B POP BX
0D24:0109 81EBA93D SUB BX,3DA9
-q
BTW- I blew it.
JV> CLOSE : DATA 205,20,14,1,207,232,0,0,91,129,235,169
                     ^^
That should be 32, like:
DATA 205,32,14,1,207,232,0,0,91,129,235,169
SCAN uses a search string of 10 characters. JUST IN CASE someone
ACTUALLY executed this thing, I inserted INT 20h to simply return
to DOS- making it "Harmless". Ahem...
Well, I forgot to convert the 20h to a decimal 32 and it actually
calls INT 14h and continues executing the string doing who-knows-what.
It depends on what else was in memory at the time. My sincere
apologies for this error. If you archived that message, please
correct it.
* SLMR 2.1a *
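
Added example, not part of the original post: a minimal search-string scanner of the kind the message describes, run over the posted and corrected byte sequences. It assumes the 10-byte string is the last 10 of the 12 DATA values (the first two being the author's own INT instruction); the function names and the padded sample are hypothetical.

```python
# Added example: naive search-string scanning, as described in the post.
# Byte values come from the DATA lines in the post; all names are hypothetical.

POSTED    = bytes([205, 20, 14, 1, 207, 232, 0, 0, 91, 129, 235, 169])
CORRECTED = bytes([205, 32, 14, 1, 207, 232, 0, 0, 91, 129, 235, 169])

# Assumption: the scanner's 10-byte string is everything after the leading
# two-byte INT instruction that the author says he inserted himself.
SEARCH_STRINGS = {"Fish": CORRECTED[2:]}


def scan(data: bytes) -> list[tuple[str, int]]:
    """Return (name, offset) for every search string found anywhere in data."""
    hits = []
    for name, pattern in SEARCH_STRINGS.items():
        offset = data.find(pattern)
        while offset != -1:
            hits.append((name, offset))
            offset = data.find(pattern, offset + 1)
    return hits


def leading_interrupt(data: bytes):
    """If data starts with the INT opcode (0xCD), return the interrupt number."""
    if len(data) >= 2 and data[0] == 0xCD:
        return data[1]
    return None


def report(label: str, data: bytes) -> str:
    """Summarise what the scanner says versus what the first instruction is."""
    hits = ", ".join(f"{n}@{o}" for n, o in scan(data)) or "clean"
    intno = leading_interrupt(data)
    first = f"INT {intno:02X}h" if intno is not None else "not an INT"
    return f"{label}: scan={hits}; first instruction={first}"


if __name__ == "__main__":
    # Constructed sample: the same 10 bytes embedded in unrelated data.
    padded = b"plain text " + CORRECTED[2:] + b" more text"
    for label, data in [("posted", POSTED), ("corrected", CORRECTED),
                        ("padded", padded), ("unrelated", b"\xCD\x20hello")]:
        print(report(label, data))
```

The scanner flags the posted, corrected and padded inputs identically, because it only matches bytes; only the decoded first instruction separates decimal 20 (INT 14h) from decimal 32 (INT 20h).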