Talk:DoublePulsar

Zero Day Vulnerability
This malware uses a fault (of which their are many) when emulating MS DOS. In Virtual mode (as apposed to real), the monitor cannot spot self-modifying code allowing a TSR to hook into the real (ring-0) kernal vectors. The action of reading a 16-bit number from address $ffff works on an 8086, 80186 and 80386 BUT crashes in 80286. To emulate MS DOS programs, the monitor has to emulate how different cores reacted. The length of ignore.dll in Wannacry and analysis of this file shows that the file itself and the 16K NTWINKR.exe file it downloads are identical. — Preceding unsigned comment added by 81.99.74.135 (talk) 21:11, 13 June 2017 (UTC)