Jump to content

Talk:Whale (computer virus)

Page contents not supported in other languages.
From Wikipedia, the free encyclopedia
Whale (computer virus) needs to be Wikified!
So here's what needs to be done:
Check if the article is a copyright violation or meets deletion criteria. ✔ check
    Suggestion: Do a quick Google or Yahoo! search with a sentence from the article.
Check if another article already exists on this subject. ✔ check
    Suggestion: Use the Wikipedia search to see what comes up.
Add Wikipedia markup. ✔ check
    Suggestion: Read up on m:Help:Editing.
Format the article. ✔ check
    Suggestion: Read up on Guide to Layout and Manual of Style.
Remove the {{wikify}} tag (if there is one). ✔ check
Join the Wikification effort!How to use this template


...Could someone please clarify what exactly the virus does? ~Mandy! (For best results, use twice daily.) 01:44, 6 May 2007 (UTC) [reply]


I just added a stub tag. --Flashflash; 07:20, 18 December 2008 (UTC)
[reply]

What it does in response to questions on this page / Claims made by the article

[edit]

It infects files and little else.

Anyway I suppose at the time, if you looked at antivirus databases, you'd find something about "complicated stealth techniques" or maybe "non-functioning" depending on the AV company. I always took it to mean that none of them had bothered analyzing it or couldn't understand what it was doing, and just throwing it in their detection lists and not actually detecting it was a safe bet.

IIRC from my own disassembly of it (wouldn't run on my machine) it didn't really have any polymorphic code, it just picked a decryptor from a bunch of pre-written ones. The system slowdown was due to it putting the machine in debug trace mode almost constantly to prevent debuggers from getting into it, and hooking the keyboard interrupt and re-checking the interrupt vectors for trace and breakpoint (01h / 03h) on every keypress to determine whether anything had hooked one, whereupon it would immediately try to reboot the system which is the exact opposite of stealth. It used the standard technique of cutting off an MCB towards the upper end of memory by flagging the previous as the last in the chain so it wouldn't show up as used memory, but half the viruses in existence were doing that. It looks like there might have been a bug in the trace interrupt handler that could cause it to chain the handler to itself during the interrupt, which probably built up over time until it was executing the handler hundreds of times per instruction executed, and the handler wasn't very efficient so there's some more slowdown. That's as far as I care to look, it wasn't all that interesting except for the cryptic message about it doing something special with another virus but that part was never written apparently so nothing special there either. It had some payload that only applied to some obscure patch in IBM-DOS I couldn't be bothered to look up the meaning of and didn't have a machine that it would do anything to. A Shortfall Of Gravitas (talk) 11:10, 17 April 2024 (UTC)[reply]