------------------------------------------------------------------------
Echo Flag : Permanent: N   Export: N   Personal Read: Y

 BBS: ICEBER          Conference: VIRUS    Imported: 5/15/1992
  To: ALL             Num: 1683            Date: 5/11/1992
From: NEMROD KEDEM    Re: 0                Time: 1:12 pm
Subj: Emmie Virus - more...   Prvt: N      Read: N

Hello, All.

After continuing with the analysis of Emmie virus we came up with a
simple way to check if Emmie virus is present in memory.

Emmie uses INT 21 service 0FACEh to check its presence in memory.
If this function returns AX=0CEFAh and BX=000Ch then the virus is
resident.

The following DEBUG script will create a 93-byte COM file that can
check if Emmie virus is present in memory:

---------------------------------------------------------
N CHKEMMIE.COM
E 0100 EB 33 45 6D 6D 69 65 20 76 69 72 75 73 20 69 73
E 0110 20 24 72 65 73 69 64 65 6E 74 20 69 6E 20 6D 65
E 0120 6D 6F 72 79 21 07 24 4E 4F 54 20 72 65 73 69 64
E 0130 65 6E 74 2E 24 BA 02 01 B4 09 CD 21 B8 CE FA BB
E 0140 00 00 CD 21 3D FA CE 75 07 83 FB 0C 75 02 EB 05
E 0150 BA 27 01 EB 03 BA 12 01 B4 09 CD 21 C3
RCX
005D
W
Q
---------------------------------------------------------

If you have downloaded this script file, remove any captured
communications header and then enter

    DEBUG < filename

where filename is the name of this script file.

BTW - This COM file cannot be infected by Emmie, for it is only
93 bytes and Emmie infects files larger than 2702 bytes.

Good luck.

Nemrod Kedem,
Authorized Agent of McAfee Associates.

---
 * Origin: Hard disks never die... (2:403/138.0)
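
Added example, not part of Nemrod Kedem's message: a Python script that replays the E lines of the DEBUG script above into a byte image, so the hex can be audited before it is fed to DEBUG. It checks the image length against RCX and reads out the INT 21h query value, the expected AX/BX reply and the three messages. The offsets 013Ch, 0144h and 014Bh come from a manual decode of the bytes, and the function names are this example's own.

```python
# Input: the DEBUG script from the post above, copied verbatim.
SCRIPT = """\
N CHKEMMIE.COM
E 0100 EB 33 45 6D 6D 69 65 20 76 69 72 75 73 20 69 73
E 0110 20 24 72 65 73 69 64 65 6E 74 20 69 6E 20 6D 65
E 0120 6D 6F 72 79 21 07 24 4E 4F 54 20 72 65 73 69 64
E 0130 65 6E 74 2E 24 BA 02 01 B4 09 CD 21 B8 CE FA BB
E 0140 00 00 CD 21 3D FA CE 75 07 83 FB 0C 75 02 EB 05
E 0150 BA 27 01 EB 03 BA 12 01 B4 09 CD 21 C3
RCX
005D
W
Q
"""
BASE = 0x100  # COM programs load at offset 100h

def build_image(script):
    """Replay the E commands into a byte image; return (image, rcx_length)."""
    mem, rcx, lines = {}, None, script.splitlines()
    for i, line in enumerate(lines):
        tok = line.upper().split()
        if tok[:1] == ["E"]:
            addr = int(tok[1], 16)
            mem.update((addr + n, int(b, 16)) for n, b in enumerate(tok[2:]))
        elif tok[:1] == ["RCX"]:
            rcx = int(lines[i + 1], 16)  # DEBUG reads the new value from the next line
    end = max(mem) + 1
    if sorted(mem) != list(range(BASE, end)):
        raise ValueError("E lines leave gaps or do not start at 100h")
    return bytes(mem[a] for a in range(BASE, end)), rcx

def dos_string(image, addr):
    """Read a '$'-terminated string, as printed by INT 21h AH=09h."""
    return image[addr - BASE:image.index(b"$", addr - BASE)]

def imm16(image, addr):
    """Little-endian 16-bit immediate after the one-byte opcode at addr."""
    return int.from_bytes(image[addr - BASE + 1:addr - BASE + 3], "little")

def audit(script=SCRIPT):
    image, rcx = build_image(script)
    return {"size": len(image), "rcx": rcx,
            "query_ax": imm16(image, 0x13C),   # B8 iw    = mov ax, imm16
            "expect_ax": imm16(image, 0x144),  # 3D iw    = cmp ax, imm16
            "expect_bx": image[0x14B - BASE],  # 83 FB ib = cmp bx, imm8
            "banner": dos_string(image, 0x102), "if_absent": dos_string(image, 0x127),
            "if_resident": dos_string(image, 0x112)}

if __name__ == "__main__":
    print(audit())
```

The decoded values match the message: the program queries INT 21h with AX=0FACEh and reports the virus resident only when AX=0CEFAh and BX=000Ch come back.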