From: SDS::"virus-l@lehigh.edu" 8-SEP-1992 15:35:35.85 To: 3338$SPAN::HENDEE CC: Subj: VIRUS-L Digest V5 #147 Received: from CS2.CC.Lehigh.EDU by Sdsc.Edu (sds.sdsc.edu STMG) via INTERNET; Tue, 8 Sep 92 18:47:36 GMT Received: from (localhost) by CS2.CC.Lehigh.EDU with SMTP id AA08062 (5.65c/IDA-1.4.4 for ); Tue, 8 Sep 1992 13:41:43 -0400 Date: Tue, 8 Sep 1992 13:41:43 -0400 Message-Id: <9209081605.AA21066@barnabas.cert.org> Comment: Virus Discussion List Originator: virus-l@lehigh.edu Errors-To: krvw@cert.org Reply-To: Sender: virus-l@lehigh.edu Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas From: Kenneth R. van Wyk To: Multiple recipients of list Subject: VIRUS-L Digest V5 #147 VIRUS-L Digest Tuesday, 8 Sep 1992 Volume 5 : Issue 147 Today's Topics: Public Domain TSR Virus Checker (PC) Re: Network Virus protection. Help. (PC) re: Info on "Invol" virus (PC) Re: Bug in F-PROT? (PC) Re: Bug in F-PROT? (PC) Padgett Peterson's DISKSECURE upadate (PC) re: BIOS Virus Protection (PC) F-Prot 2.05 on NetWare.... (PC) Re: Auto-detecting virus (PC) Re: F-PROT reports Bugsres 3 Jokes program? (PC) Re: F-Prot & SuperStor (PC) is there a SCAN95? (PC) Netware and viruses - some new results (PC) Stoned/Azusa haunting (PC) 15xx problems (PC) Windows virus? exists? (PC) Re: F-PROT reports Bugsres 3 Jokes program? (PC) Auto-detecting virus (PC) re: 62 seconds (was: F-Prot & SuperStor) (PC) Re: Bugs on my Atari (Atari) Re: Virus Armour Re: Fingerprinting files (c) Brain - part 4 (CVP) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: . Ken van Wyk ---------------------------------------------------------------------- Date: Thu, 03 Sep 92 08:42:17 +0000 From: dafj@vaxc.aud.auc.dk (Flemming Holm Jensen) Subject: Public Domain TSR Virus Checker (PC) I'm looking for a Public Domain Virus-checker (and remover if possible). It must be a TSR-version. I'm running DOS 5.0, on 386 PC's. I have FTP-access. Anyone who knows about such a program, and where to get it. Thanks in advance Flemming Jensen University of Aalborg, DENMARK dafj@aud.auc.dk ------------------------------ Date: Wed, 02 Sep 92 22:18:00 -0000 From: Jonny_Bergdahl@f1.n9.z9.virnet.bad.se (Jonny Bergdahl) Subject: Re: Network Virus protection. Help. (PC) > that we should consider. Are there any virus protection packages that > are NLM's and are they reasonably priced? Based on discussions on McAfee has recently released NetShield, a NLM version of SCAN. It is very reasonably priced as well, and finds more virus than Intels NLM. But note that it will not protect against locally infected bootsectors, since the server would never know that an infection has occured, so another protection level will have to be installed for better security. Jonny Bergdahl, NewAge productions, Sweden ------------------------------ Date: Thu, 03 Sep 92 07:03:23 -0400 From: "David M. Chess" Subject: re: Info on "Invol" virus (PC) A few more notes on INVOL, since Tarkan brings it up: - - It's only sometimes resident. In particular, when in a device driver it functions as a resident EXE infector, but when in an EXE file it functions as a non-resident SYS infector. So if you run an infected EXE, it looks around for SYS files to infect, but doesn't go resident. When you boot with an infected SYS file in CONFIG.SYS, it goes resident and infects EXE files that are executed. - - The sample that I have triggers on the 19th of the month (13h). I guess there are date-variants? - - The silly message doesn't always appear twice in infected SYS files; there's some "filler" space that gets filled with random junk, sometimes from the virus itself (sometimes not). - - There are actually about 24 bytes that always occur in the degarbler, and always in the same order; there are just single NOPs between them at times. If you support variable-length don't-cares in your scanner, it's not hard to do a signature for even the EXE form. - - The virus will try any device driver at all that's mentioned in CONFIG.SYS, I think (I captured it in TD.SYS). I'm not entirely certain what the "vansi" strings are doing in the virus; it looks as though the code is supposed to create a vansi.sys device driver to infect if no other sys was found to infect, but I've never actually gotten the virus to behave that way! (If a mysterious new vansi.sys device driver, or one by any other name for that matter, suddenly appears in your CONFIG.SYS, it's probably worth investigating...) - - In general, I wouldn't expect this virus to be a real winner; it activates much too often, and much too severely, to survive (people will know they have it, and be unwilling to just live with it). DC ------------------------------ Date: Thu, 03 Sep 92 15:33:32 +0000 From: dcleek@csd4.csd.uwm.edu (Dick Cleek) Subject: Re: Bug in F-PROT? (PC) fprot 2.05 thinks a couple of menu.com files are infected with CREW. However, that happens o:x w/ Secure or Heuristics and 2.04 finds no problem. Unfortunately, Virstop also detects CREW and halts. I've notified Frisk, but unfortunately he's off on vacation. - -- ......... ......................... ....................... : |_|\/\/ : Dick Cleek dcleek@csd4.csd.uwm.edu :.centers.: Univ.of Wisconsin Centers dcleek@uwcmail.uwc.edu ------------------------------ Date: Thu, 03 Sep 92 16:10:08 +0000 From: gerald@vmars.tuwien.ac.at (Gerald Pfeifer (Prak Gusti)) Subject: Re: Bug in F-PROT? (PC) Kevin_Haney@nihcr31.bitnet writes: >I was using F-PROT 2.04c from a bootable DOS 5.0 diskette. After >booting from the A: drive, I wanted to scan another diskette in the A: >drive. F-PROT produced unintelligible messages, such as "cotaaly >tanmcyng, ico staro%Nnurta...". Another user here reported the same >phenomenon. Does anyone have an explanation and/or fix for this >problem? With Frisk being on holidays, I think I might answer the question as well: It's not a bug, it's a feature!! :-) But seriously: As stated somewhere in F-Prot's documentation, F-Prot needs to (re)load parts of it now and then. (I think every text appearing on screen is stored in one of two datafiles - one for the user interface and the other one for virus descriptions). Frisk is well aware of the kind of problems you've got, but - if I remember correctly - does not plan to change it anytime soon. I hope I put it right and Frisk won't kill me when reading this! Gerald, sign of the mouse .............................................................................. . Gerald Pfeifer (Jerry) Technical University Vienna, Austria . . gerald@kongo.vmars.tuwien.ac.at . .............................................................................. . Sorry, I'm not a native speaker (flames to /dev/null) . .............................................................................. ------------------------------ Date: Thu, 03 Sep 92 13:14:15 -0400 From: HAYES@urvax.urich.edu Subject: Padgett Peterson's DISKSECURE upadate (PC) Hi. Just received directly from Padgett Peterson an update for his DISKSECURE program. The archive (.ZIP) name is DS115.ZIP, and will be available for FTPO processing. Site: urvax.urich.edu, [141.166.36.6] (VAX/VMS using Multinet) Directory: [anonymous.msdos.antivirus] FTP to urvax.urich.edu with username anonymous and your email address as password. You are in the [anonymous] directory when you connect. cd msdos.antivirus, and remember to use binary mode for the zip files. Best, Claude. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET) University of Richmond hayes@urvax.urich.edu (Bitnet or Internet) Richmond, VA 23173 ------------------------------ Date: Thu, 03 Sep 92 13:31:20 -0400 From: "David M. Chess" Subject: re: BIOS Virus Protection (PC) > From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) > > A major development seems to have quietly slipped in that > should make it possible for effective *free* reduction of risk to PC > users who have purchased their machines in the last year. > ... > In the process my 1989 vintage AMI BIOS (AMI, Phoenix, & Award > are the three major clone BIOS manufacturers) was replaced with an AMI > dated 5 May, 1991 and referred to as the "New" BIOS. In the "Advanced > Setup Menu" is an entry for "System Boot Up Sequence" which may be > selected as A:,C: (original flavor) or C:,A:... This is true of some of the latest PS/2 systems as well; you can set it up to try the disks in just about any order. If you really want to try A: first (in case C: contains a CONFIG.SYS that hangs the machine, for instance), there's a baroque key-sequence that you can do during boot to make that happen (or to get into the menu that lets you change the order; I forget which). I don't know any more details of it, I'm afraid, or even which models have it. But it's certainly catching on; good thing! - - -- - David M. Chess \ High Integrity Computing Lab \ The devil finds work for idle MIPS. IBM Watson Research \ ------------------------------ Date: Thu, 03 Sep 92 20:44:49 +0000 From: gary@sci34hub.sci.com (Gary Heston) Subject: F-Prot 2.05 on NetWare.... (PC) Greetings, all.... I've run into a *very* strange interaction problem. When using F-Prot 2.05 to scan a group of servers, it works it's way through five servers running NetWare 3.11 without any problem. When it gets to the last server, which is the one it's being run from and which has NetWare 2.15c installed, it scans merrily along until it hits the \public\ms_dos\v500 directory, then locks up *solidly*. I can't even toggle the numlock LED, or do a warm boot. It's red switch time. However, it'll scan a DOS 5 system without any problems at all. I tried changing the command line to remove the /all file selection switch, with the result that it locks up on a *different* file. Actions are identical if run interactively (I've got a user set up on each server to attach the other five and kick off F-Prot automatically upon login; I run this each morning), scanning all files or executables. It's consistent about which files it crashes on; scanning all files it doesn't like DOSSHELL.HLP, and locks *every* time. If checking executables only, it dies on another file. Has anyone else seen this? I've been running 2.04a for weeks without a glitch, and have dropped back to it until I can figure out what's going on. It still runs fine. My copy of FP-205 was retrieved from uunet, FWIW. Puzzled; Gary - -- Gary Heston SCI Systems, Inc. gary@sci34hub.sci.com site admin The Chairman of the Board and the CFO speak for SCI. I'm neither. The most dangerous person in the world is Jessica Fletcher. Everywhere she goes, people die. ------------------------------ Date: Thu, 03 Sep 92 20:09:43 -0400 From: Anthony Naggs Subject: Re: Auto-detecting virus (PC) Denis Beauregard, , says: > I would like to write a program that will check if it is per se > holder of a virus. The method I have in view : > > Compile the program. > Compute the checksum of the program. > Put the checksum in the program. > When starting the program : Stop the program if the checksum has been altered. This is the most common method used by programmers to fight viruses. I have lost count of the number of articles here and in magazines that try something similar. > Advantages : > 1- User can not modify the program to remove the copyright notice > (whic I can code anyway) Yes. > 2- Virus modifying hte program would be catched immediately so that > my programs will be reputed for being virus-safe No. For two reasons: 1. Any virus attached to your program can operate before your program does the checksum. So your program can only say "program changed", after the virus has done what it wishes. 2. The increasing number of "stealth" viruses are able to hide by making their changes invisible. So when an infected program is run the virus becomes a TSR and stops you, or your program, seeing the changes made by the virus. > Also, I never saw a self-protected program. Even an anti-virus program > has as instructions : use the included diskette if infection is known. > I think this is because DOS can be infected, but I feel these programs > are not self-immunated (but I can be wrong). A number of programs, including most anti-virus programs, include checks similar to yours. The problems, especially with "stealth" viruses, mean that this feature is often not mentioned, and is not relied upon. Yours, Anthony Naggs Software/Electronics Engineer P O Box 1080, Peacehaven (and virus researcher) East Sussex BN10 8PZ Phone: +44 273 589701 Great Britain Email: (c/o Univ of Brighton) amn@vms.brighton.ac.uk or xa329@city.ac.uk ------------------------------ Date: Thu, 03 Sep 92 20:11:22 -0400 From: Anthony Naggs Subject: Re: F-PROT reports Bugsres 3 Jokes program? (PC) Dana E. Keil, , asks: > I just obtained F-PROT. Running a scan with it reports that a file > named bugres.com is infected with a virus named "bugsres 3 jokes > program". I can find no mention of this virus anywhere in F-PROT > documentation (nor elsewhere). Can anyone enlighten me about it? F-PROT means exactly what it says, it has found "bugsres 3 joke program". This is not a virus, although Frisk should give information about the message in his documentation. There are a series of joke programs known as "Bugsres", when run they don't appear to do anything, but sometime later they generate a video effect of a number of little bugs messing about on the screen. Most commonly such programs are run, 'for fun', on a computer without the owner's permission. F-PROT, and other anti-virus software, therefore recognise these programs due to the concern that a virus might be causing these effects. Hope this helps, Anthony Naggs Software/Electronics Engineer P O Box 1080, Peacehaven (and virus researcher) East Sussex BN10 8PZ Phone: +44 273 589701 Great Britain Email: (c/o Univ of Brighton) amn@vms.brighton.ac.uk or xa329@city.ac.uk ------------------------------ Date: Thu, 03 Sep 92 20:13:08 -0400 From: Anthony Naggs Subject: Re: F-Prot & SuperStor (PC) Andy Clark, , asks: > Has anyone used F-Prot's F-Driver.SYS with SuperStor from DR-DOS6. > > I tried to install this but got the message INT 13h modified.... > > I am sure that I do not have a virus, and am assuming the INT 13h is > used for disk access (which superstor would need to modify to redirect > disk accesses to itself) I am not familiar with SuperStor, but i would indeed expect it to modify Int 13h. So you should make sure that SuperStor does this before F-Prot is loaded. I would expect SuperStor to be a device driver, in which case you would just move the line, in CONFIG.SYS, "device=f-driver.sys" below the line loading the SuperStor software. > Second: IBM PC question. > Can anyone advise me whether there is a virus that modifies the > seconds field in a files time value to 62. I seem to recall that there > is a virus which does this. There are several viruses that do this, and some virus protection software may even do this to all your files so that such viruses think that they are already infected. > If there is then how do I remove it? what does it do etc. Try running F-PROT, this should recognise most viruses that do this. I hope this is of assistance, Anthony Naggs Software/Electronics Engineer P O Box 1080, Peacehaven (and virus researcher) East Sussex BN10 8PZ Phone: +44 273 589701 Great Britain Email: (c/o Univ of Brighton) amn@vms.brighton.ac.uk or xa329@city.ac.uk ------------------------------ Date: Sun, 30 Aug 92 09:26:00 -0400 From: Felix.Lafontaine@f23.n367.z1.FIDONET.ORG (Felix Lafontaine) Subject: is there a SCAN95? (PC) HH> From: HAYES@urvax.urich.edu HH> On a local BBS, a file called SCAN95.ZIP was uploaded, with the HH> it was fetched from McAfee Associates BBS - as well as some HH> files. The upload was reported to me by the SYSOP of the HH> What are these files (beside SCAN their names escape me)? HH> versions? Up- dates? HH> the net, At this moment the latest McAFee software are version 95B or C, depends if it clean or scan. Not remember know but you can check with them at 1-408-988-4004 (BBS) - -- Internet: Felix.Lafontaine@f23.n367.z1.FIDONET.ORG UUCP: ...!myrddin!tct!psycho!367!23!Felix.Lafontaine Note:psycho is a free gateway between Usenet & Fidonet. For info write to root@psycho.fidonet.org. ------------------------------ Date: Sun, 30 Aug 92 09:18:00 -0400 From: Felix.Lafontaine@f23.n367.z1.FIDONET.ORG (Felix Lafontaine) Subject: Netware and viruses - some new results (PC) JJ> From: JFORD@seebeck.ua.edu JJ> Newsgroups: comp.virus JJ> >At QUT, we have set up an experimental network to test viruses JJ> >networked environments, and the first results have just come JJ> >Test 1: Exhaustive test of netware preotection setting on JJ> files and JJ> >directories against common viruses. Thats sound well, but most of the commons virus have an erradicated status, so what about new viruses, like MTE bases viruses. - -- Internet: Felix.Lafontaine@f23.n367.z1.FIDONET.ORG UUCP: ...!myrddin!tct!psycho!367!23!Felix.Lafontaine Note:psycho is a free gateway between Usenet & Fidonet. For info write to root@psycho.fidonet.org. ------------------------------ Date: Sun, 30 Aug 92 09:28:00 -0400 From: Felix.Lafontaine@f23.n367.z1.FIDONET.ORG (Felix Lafontaine) Subject: Stoned/Azusa haunting (PC) DT> scan a: - 1 virus found [azusa] DT> clean a: [azusa] - 1 virus removed [azusa] DT> Anyone know if these two virii mutate when they're together? Do you boot from a clean floppie. Both are Memory resident - -- Internet: Felix.Lafontaine@f23.n367.z1.FIDONET.ORG UUCP: ...!myrddin!tct!psycho!367!23!Felix.Lafontaine Note:psycho is a free gateway between Usenet & Fidonet. For info write to root@psycho.fidonet.org. ------------------------------ Date: Sun, 30 Aug 92 09:24:00 -0400 From: Felix.Lafontaine@f23.n367.z1.FIDONET.ORG (Felix Lafontaine) Subject: 15xx problems (PC) HB> From: howard@maccs.dcss.mcmaster.ca (Howard Betel) HB> My brother recently asked me to disinfect his computer as scan HB> verifying I ran clean to remove the virus. Then I installed HB> (both wer v89) Thinking everything was now clean we started HB> more work. Vshield then caught 15xx again and notified me. I HB> clean again thinking that somehow I missed something. Sure HB> little while later another file seemed to be infected. I then HB> again with the all parameter. It picked up an infected file in HB> the subdirectories. When I ran scan again with that file name HB> file with a name something like '.xxxxx.exe' I can't remember HB> deleted HB> recently found out that 15xx mutates. After telling my brother HB> been freezing randomly on boot up (right after vshield finishes HB> of the HB> floppies are infected? Fisrt thing you have to do get a new scan/clean version. Version 89 is out of date. The latest software for antivirus are available in ftp sites like urvax.urich.edu Second, you must boot your sistem from a clean/write protect floppie to avoid the virus if it in TSR. After you boot you can scan your computer and clean it. - -- Internet: Felix.Lafontaine@f23.n367.z1.FIDONET.ORG UUCP: ...!myrddin!tct!psycho!367!23!Felix.Lafontaine Note:psycho is a free gateway between Usenet & Fidonet. For info write to root@psycho.fidonet.org. ------------------------------ Date: 04 Sep 92 05:57:15 +0000 From: alan@saturn.cs.swin.OZ.AU (Alan Christiansen) Subject: Windows virus? exists? (PC) I was just wondering. Are there any viruses that are windows specific. ie they infect windows programs only? infect windows OS. have sysmptoms only when windows runs etc. Alan ------------------------------ Date: Fri, 04 Sep 92 09:06:55 -0400 From: sgr4211@ggr.co.uk Subject: Re: F-PROT reports Bugsres 3 Jokes program? (PC) Dana E. Keil writes: > I just obtained F-PROT. Running a scan with it reports that a file > named bugres.com is infected with a virus named "bugsres 3 jokes > program". I can find no mention of this virus anywhere in F-PROT > documentation (nor elsewhere). Can anyone enlighten me about it? Yes. The file BUGSRES.COM is not *infected* with the "bugsres 3 joke program" - BUGSRES.COM *is* the joke program F-Prot has spotted. It's a terminate-and-stay-resident (TSR) program that can be installed so that it is "triggered" on a certain keystroke (eg, the 50th time the user hits the "A" key). When this event occurs, several simplistic "ants" race around the screen "eating" the characters on the display. A certain key combination restores the original screen. (Can't remember all the details - something like both shift keys together, I think - try running it with "/Help" or other such switches and you should get a brief summary) F-Prot presumably reports this beacause it could cause panic if someone installs it on someone else's PC as a "joke", as the victim may think they have been hit by a virus. Paradoxically, you have been caused concern *because* of the warning :-) Steve Richards. ------------------------------ Date: Fri, 04 Sep 92 11:50:51 -0400 From: "David M. Chess" Subject: Auto-detecting virus (PC) >From: beaurega@ireq.hydro.qc.ca (Denis Beauregard) > >I would like to write a program that will check if it is per se >holder of a virus. The method I have in view : > >Compile the program. >Compute the checksum of the program. >Put the checksum in the program. >When starting the program : Stop the program if the checksum has >been altered. All self-respecting anti-virus programs do exactly this (or some equivalent check). The reason that most advise you to reboot anyway if there's a virus active is just caution; trying to clean up with an unkilled virus active in memory can be messy and, while it will often work, they don't want you to take the chance. Remember that (unless you do something other than just normal DOS calls to read yourself), this doesn't work against stealthed viruses, because you'll see a clean image of yourself. If your program is big (so many are these days!) it can slow down loading considerably on slow machines. If that's a concern, you don't really have to checksum every byte of yourself (at least if viruses are your main worry). But you do have to check the important ones! *8) Virtually any reasonably good check-code will do; unless your programs become *extremely* popular, no virus author will target them specifically. DC ------------------------------ Date: Fri, 04 Sep 92 11:53:39 -0400 From: "David M. Chess" Subject: re: 62 seconds (was: F-Prot & SuperStor) (PC) >From: Andrew_Clark.sdb-e@rx.xerox.com > >Second: IBM PC question. >Can anyone advise me whether there is a virus that modifies the >seconds field in a files time value to 62. >If there is then how do I remove it? what does it do etc. There are quite a few viruses that do this; how to remove it and what it does depends on which one you have. Get ahold of a good scanner and see what it says... DC ------------------------------ Date: 03 Sep 92 20:51:20 +0000 From: a_rubin%dsg4.dse.beckman.com (Arthur Rubin) Subject: Re: Bugs on my Atari (Atari) cmontoya%carina.unm.edu@lynx.unm.edu (Red Dragon) writes: >I know I'm the not the only person with an old Atari. I just had a >bunch of bugs appear on my screen and eat up the screen and trash my >disk. Help please. I was just going to help a friend with an Amiga >virus and this happens! BTW, can PC viruses infect my Atari? I was >using a DOS disk when this happened. PC viruses cannot infect a non-IBM-architecture machine unless it is running a PC simulator/emulator. That program, in addition, sounds like a joke program I've heard of. Are you SURE your disk is damaged? - -- Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea 216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal) My opinions are my own, and do not represent those of my employer. My interaction with our news system is unstable; please mail anything important. ------------------------------ Date: Thu, 03 Sep 92 20:16:47 -0400 From: Anthony Naggs Subject: Re: Virus Armour Suresh Thennarangam, , raises some questions: > In the Jan 1992 issue of Virus Bulletin,column Virus Anlysis, > James Beckett writes: > > <> Designers realized some time ago that the efficiency of micro-processors > <> can be increased by using the spare bus time to pre-fetch the next few > <> bytes of instructions. This has the curious corollary that if the > <> memory is modified a very short distance in front of the current > <> instruction, the processor never sees the change, as it has already > <> read the relevant bytes ........ > > While this seems somewhat plausible I wonder if Intel's chip designers > didn't make the 80x86 processors smart enough to detect memory changes > in the vicinity of the current instruction and reload the pre-fetch > queue in response. No they don't. This would make the processor much more complicated, as it would have to monitor and understand all DMA accesses (including DRAM refresh cycles, disk data transfers, ..). And you are asking it throw away instructions that are already partly executed, and restart them from their original start conditions. Cache memory, on the other hand, uses techniques such as "bus snooping" to ensure that the cache contents are not used if they vary from the real memory. It should be noted that the more recent CPUs of most families use pipelining, (starting to execute several instructions before earlier ones are complete), to help give their increase in speed. > Well, if not then this is a hazard for programs that modify themselves > during runtime. For most purposes, self modifying programs went out of fashion with the Commodore PET, around 1979. (The PET did indeed use a considerable quantity of self modifying code, too get the maximum speed of operation). The only use I have made of self-modifying code was for a magazine article in 1989, to identify through software the different members of the 80x86 family. This indeed relied in the effect of the CPU pre-fetch in one of its tests. Yours, Anthony Naggs Software/Electronics Engineer P O Box 1080, Peacehaven (and virus researcher) East Sussex BN10 8PZ Phone: +44 273 589701 Great Britain Email: (c/o Univ of Brighton) amn@vms.brighton.ac.uk or xa329@city.ac.uk ------------------------------ Date: Thu, 03 Sep 92 08:31:28 -0400 From: Brian Seborg Subject: Re: Fingerprinting files Suresh, Your observation that fingerprinting files is the most proven me best way of virus detection is for the most part true. Some tricks have to be pulled to ensure that you bypass stealth viruses, but other than that, it is the best way. You raise a very good question regarding self-modifying exe files (e.g. setver.exe that comes with DOS 5.0). There are several ways to handle these. First, one can put them on an exception list and ignore them. This is not a good idea for programs which are executed every time the PC is turned on (again setver.exe comes to mind), but may be appropriate for files which change due to their being programs under development (such as would be seen in some directories of a programmers machine). The second way to deal with this is to note the modifi- cation and query the user as to whether this should be allowed. This works well for power users, but is prone to error for the general user who may not un understand what is going on on his PC, and could, therefore, make the wrong decision. The third way is to note where the change occurred, and what type of change occurred. Whereas it may be okay for a program to make a change to its data area, it is probably not okay to see a change in the program entry point. Fourth and finally, you can raise the flag to industry to stop this technique of self-modifyable executables. It is irresponsible to have self- modifying executables in today's computer environment. Just when we think we are getting a handle on the virus problem, along comes a suit of programs which modify themselves. Not the best idea in my book, regardless of the fact that it provides a neat solution to some other problems such as making sure that data-files are located in the right directory, and the need to execute files from the same directory where their data files are contained to run properly. Hope this answers the question. :-) Brian Seborg ------------------------------ Date: Thu, 03 Sep 92 16:17:01 -0700 From: rslade@sfu.ca Subject: (c) Brain - part 4 (CVP) HISVIR9.CVP 920810 (c) Brain - part 4 Technically, the Brain family, although old, has a number of interesting points. Brain itself is the first known MS-DOS virus, aside from those written by Fred Cohen for his thesis. In opposition to his, Brain is a boot sector infector. One wonders, given the fact that the two earliest viral programs (for the Apple II family) were "system" viri, whether there was not some influence from these earlier, and similar, programs. Brain is the first example of "stealth" technology. Not, perhaps, as fully armoured as other, later, programs, but impressive nonetheless. The intercepting and redirection of the system interrupts had to be limited in order for the virus to determine, itself, whether or not a target was infected. The Den Zuk and Ohio variants use the trapping technology which can be used to have a virus survive a warm boot. Although they do not survive, the fact that the key sequence is trapped, and that another piece of programming (in this case, the onscreen display) is substituted for the reboot code proves the point. The virus could be made to survive and to "fake" a reboot. (The recovery of the system would likely require a lot of programming and code. This has been pointed out before, and the "recovery mode" of Windows 3.1 probably proves it.) Den Zuk and Ohio are also "virus hunting viri". This possibility has long been discussed, and these examples prove it can be done. They also indicate that it is not a good idea: Den Zuk and Ohio are far more dangerous than Brain ever was. The Solomon and Skulason analyses are fascinating for tracking the trail of a virus "mutation" through the same, and different, authors. The evolution of programming sophistication, the hesitation to alter the length of text strings, even while they are being replaced, and the retention and addition of bugs form an engrossing pattern to follow. copyright Robert M. Slade, 1992 HISVIR9.CVP 920810 ============== Vancouver ROBERTS@decus.ca | "My son, beware ... of the Institute for Robert_Slade@sfu.ca | making of books there is Research into rslade@cue.bc.ca | no end, and much study is User p1@CyberStore.ca | a weariness of the flesh." Security Canada V7K 2G6 | Ecclesiastes 12:12 ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 147] ******************************************