Code Cipher Nesting
category: residue [glöplog]
Hi All,
Stumbled upon an old DOS virus from 1990: The Whale. It was 10 years ahead, according to how cleverly it was coded.
Now, I'm asking our praised reverser, Sauron. This 1990 DOS-based virus was not fully analyzed by any virus researchers at the time. Because it uses tampering, it's stealth, it can mutate, it encrypts.... but the one thing I don't know is code cipher nesting.
Our praised reverser, Sauron, what is "code cipher nesting".
Thank You.
EDIT:
It is very difficult to analyze this virus, because all 9Kb of its code are full of program traps hampering tracing, disassembling and analysis of the virus. If the virus listing is to be printed, you should check a dozen special programming methods (dynamic de/enciphering, dummies, use of conveyor, code cipher nesting and so on). As a file is infected, the encrypted virus body is written to it, so a decipher has to check 30 variants. That is, you have to use 30 masks to find the virus in the file.
The virus also contains the strings: "THE WHALE", "5HS5IF", "5IF5HS". It hooks INT 9, 21h.
I know it may sound a bit simple (but might be a good way to sandbox) - DOSBox on a live Linux distro with your flavor of debugger? I've played with some virii but I'm no expert; that might catch some of the hooks, though.