Postit

 BBS: Inland Empire Archive
Date: 11-01-92 (11:02)             Number: 2
From: JAMES VAHN                   Refer#: 400
  To: MARK BUTLER                   Recvd: NO  
Subj: Postit                         Conf: (2) Quik_Bas

JV> OPEN "virus.com" FOR OUTPUT AS #1
JV> FOR t = 1 TO 12: READ a: PRINT #1, CHR$(a); : NEXT
JV> CLOSE : DATA 205,20,14,1,207,232,0,0,91,129,235,169
                 205,32, shucks...  see below for the lame excuse..
JV> Completely harmless despite the name.  Run this Basic file to
JV> generate virus.com, then run McAfee's SCAN on the drive. You
JV> will find yourself 'infected'- and without using postit.
JV> Even harder to eyeball this one, eh?

MB>  SCAN reports that 'virus.com' contains the "Fish" virus. If
MB>  'virus.com' is actually executed SCAN will report that the
MB>  "Fish" virus is active in memory even after a warmboot.

MB>  Tell us all about this latest "whoopee cushion" of yours
MB>  here James. Just how did you deduce that it would trip SCAN
MB>  off to the presence of the 'Fish' virus? What is this code
MB>  =actually= doing (assuming it was 'harmless' as you said)

This is REALLY off-topic, but it should be explained I suppose..

SCAN and all the others use Search Strings to locate 'Known'
viruses.  That is simply SCAN's FISH virus search string...
Other virus scanners use other strings and won't detect this
demo.  That is also why false detections are made.

If you tried to execute VIRUS.COM, you loaded it into memory.  A
warm boot does not erase memory.

A debug dump of those 12 bytes:

-nvirus.com
-l
-u100 10b
0D24:0100 CD20          INT     20
0D24:0102 0E            PUSH    CS
0D24:0103 01CF          ADD     DI,CX
0D24:0105 E80000        CALL    0108
0D24:0108 5B            POP     BX
0D24:0109 81EBA93D      SUB     BX,3DA9
-q

BTW-  I blew it.

   JV> CLOSE : DATA 205,20,14,1,207,232,0,0,91,129,235,169
                        ^^
               That should be 32, like:

DATA 205,32,14,1,207,232,0,0,91,129,235,169

SCAN uses a search string of 10 characters.  JUST IN CASE someone
ACTUALLY executed this thing, I inserted INT 20h to simply return
to DOS- making it "Harmless".  Ahem...

Well, I forgot to convert the 20h to a decimal 32 and it actually
calls INT 14h and continues executing the string doing who-knows-what.
It depends on what else was in memory at the time.  My sincere
apologies for this error.  If you archived that message, please
correct it.


 * SLMR 2.1a *
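
An added example (not part of the original message, and not how any particular scanner is implemented): a minimal search-string matcher run over the two DATA lines from the post, showing that the string match is identical for both while the instruction at the entry point differs. It assumes the 10-byte search string is the part that follows the two-byte INT prefix; `scan`, `first_instruction` and `triage` are hypothetical names.

```python
# Added illustration; not code from the original post or from any scanner.
# Byte values come from the two DATA lines in the message above.
POSTED = bytes([205, 20, 14, 1, 207, 232, 0, 0, 91, 129, 235, 169])     # as first posted
CORRECTED = bytes([205, 32, 14, 1, 207, 232, 0, 0, 91, 129, 235, 169])  # after the fix

# Assumption: the 10-byte search string is what follows the 2-byte prefix.
SEARCH_STRINGS = {"Fish (demo string)": CORRECTED[2:]}

COM_LOAD_OFFSET = 0x100  # DOS loads a .COM image at offset 100h


def scan(data: bytes) -> list[tuple[str, int]]:
    """Return (name, in-memory offset) for every search string found in data."""
    hits = []
    for name, pattern in SEARCH_STRINGS.items():
        pos = data.find(pattern)
        while pos != -1:
            hits.append((name, COM_LOAD_OFFSET + pos))
            pos = data.find(pattern, pos + 1)
    return hits


def first_instruction(data: bytes) -> str:
    """Decode only the case that matters here: INT nn (opcode CDh) at entry."""
    if len(data) >= 2 and data[0] == 0xCD:
        return f"INT {data[1]:02X}h"
    return "other"


def triage(data: bytes) -> dict:
    """Pair the string match with what the entry point actually does."""
    entry = first_instruction(data)
    return {
        "hits": scan(data),
        "entry": entry,
        # INT 20h terminates a .COM program, so nothing after it runs.
        "exits_at_entry": entry == "INT 20h",
    }


if __name__ == "__main__":
    for label, image in (("posted", POSTED), ("corrected", CORRECTED)):
        print(label, triage(image))
```

Both images produce the same hit at offset 102h; only the corrected one begins with INT 20h, which is the difference the string match alone cannot see.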