Return-Path: <
[email protected]>
Received: from csmes.ncsl.nist.gov (MACBETH.NCSL.NIST.GOV) by csrc.ncsl.nist.gov (4.1/NIST)
id AA05045; Tue, 8 Sep 92 14:27:46 EDT
Posted-Date: Tue, 8 Sep 1992 14:08:03 -0400
Received-Date: Tue, 8 Sep 92 14:27:46 EDT
Errors-To:
[email protected]
Received: from CS2.CC.Lehigh.EDU by csmes.ncsl.nist.gov (4.1/NIST(rbj/dougm))
id AA22570; Tue, 8 Sep 92 14:21:17 EDT
Received: from (localhost) by CS2.CC.Lehigh.EDU with SMTP id AA14192
(5.65c/IDA-1.4.4); Tue, 8 Sep 1992 14:08:03 -0400
Date: Tue, 8 Sep 1992 14:08:03 -0400
Message-Id: <
[email protected]>
Comment: Virus Discussion List
Originator:
[email protected]
Errors-To:
[email protected]
Reply-To: <
[email protected]>
Sender:
[email protected]
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: Kenneth R. van Wyk <
[email protected]>
To: Multiple recipients of list <
[email protected]>
Subject: VIRUS-L Digest V5 #147
Status: R
VIRUS-L Digest Tuesday, 8 Sep 1992 Volume 5 : Issue 147
Today's Topics:
Public Domain TSR Virus Checker (PC)
Re: Network Virus protection. Help. (PC)
re: Info on "Invol" virus (PC)
Re: Bug in F-PROT? (PC)
Re: Bug in F-PROT? (PC)
Padgett Peterson's DISKSECURE upadate (PC)
re: BIOS Virus Protection (PC)
F-Prot 2.05 on NetWare.... (PC)
Re: Auto-detecting virus (PC)
Re: F-PROT reports Bugsres 3 Jokes program? (PC)
Re: F-Prot & SuperStor (PC)
is there a SCAN95? (PC)
Netware and viruses - some new results (PC)
Stoned/Azusa haunting (PC)
15xx problems (PC)
Windows virus? exists? (PC)
Re: F-PROT reports Bugsres 3 Jokes program? (PC)
Auto-detecting virus (PC)
re: 62 seconds (was: F-Prot & SuperStor) (PC)
Re: Bugs on my Atari (Atari)
Re: Virus Armour
Re: Fingerprinting files
(c) Brain - part 4 (CVP)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name. Send contributions to
[email protected].
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<
[email protected]>.
Ken van Wyk
----------------------------------------------------------------------
Date: Thu, 03 Sep 92 08:42:17 +0000
>From:
[email protected] (Flemming Holm Jensen)
Subject: Public Domain TSR Virus Checker (PC)
I'm looking for a Public Domain Virus-checker (and remover if
possible). It must be a TSR-version.
I'm running DOS 5.0, on 386 PC's. I have FTP-access.
Anyone who knows about such a program, and where to get it.
Thanks in advance
Flemming Jensen
University of Aalborg, DENMARK
[email protected]
------------------------------
Date: Wed, 02 Sep 92 22:18:00 -0000
>From:
[email protected] (Jonny Bergdahl)
Subject: Re: Network Virus protection. Help. (PC)
> that we should consider. Are there any virus protection packages that
> are NLM's and are they reasonably priced? Based on discussions on
McAfee has recently released NetShield, a NLM version of SCAN. It is
very reasonably priced as well, and finds more virus than Intels NLM.
But note that it will not protect against locally infected
bootsectors, since the server would never know that an infection has
occured, so another protection level will have to be installed for
better security.
Jonny Bergdahl, NewAge productions, Sweden
------------------------------
Date: Thu, 03 Sep 92 07:03:23 -0400
>From: "David M. Chess" <
[email protected]>
Subject: re: Info on "Invol" virus (PC)
A few more notes on INVOL, since Tarkan brings it up:
- - It's only sometimes resident. In particular, when in a device
driver it functions as a resident EXE infector, but when in
an EXE file it functions as a non-resident SYS infector. So
if you run an infected EXE, it looks around for SYS files to
infect, but doesn't go resident. When you boot with an
infected SYS file in CONFIG.SYS, it goes resident and infects
EXE files that are executed.
- - The sample that I have triggers on the 19th of the month (13h).
I guess there are date-variants?
- - The silly message doesn't always appear twice in infected SYS
files; there's some "filler" space that gets filled with random
junk, sometimes from the virus itself (sometimes not).
- - There are actually about 24 bytes that always occur in the
degarbler, and always in the same order; there are just
single NOPs between them at times. If you support
variable-length don't-cares in your scanner, it's
not hard to do a signature for even the EXE form.
- - The virus will try any device driver at all that's mentioned
in CONFIG.SYS, I think (I captured it in TD.SYS). I'm not
entirely certain what the "vansi" strings are doing in the virus;
it looks as though the code is supposed to create a vansi.sys
device driver to infect if no other sys was found to infect,
but I've never actually gotten the virus to behave that way!
(If a mysterious new vansi.sys device driver, or one by any
other name for that matter, suddenly appears in your CONFIG.SYS,
it's probably worth investigating...)
- - In general, I wouldn't expect this virus to be a real winner;
it activates much too often, and much too severely, to survive
(people will know they have it, and be unwilling to just live
with it).
DC
------------------------------
Date: Thu, 03 Sep 92 15:33:32 +0000
>From:
[email protected] (Dick Cleek)
Subject: Re: Bug in F-PROT? (PC)
fprot 2.05 thinks a couple of menu.com files are infected with CREW.
However, that happens only w/Quickscan, not w/ Secure or Heuristics and
2.04 finds no problem. Unfortunately, Virstop also detects CREW and halts.
I've notified Frisk, but unfortunately he's off on vacation.
- --
........ ......................... .......................
: |_|\/\/ : Dick Cleek
[email protected]
:.centers.: Univ.of Wisconsin Centers
[email protected]
------------------------------
Date: Thu, 03 Sep 92 16:10:08 +0000
>From:
[email protected] (Gerald Pfeifer (Prak Gusti))
Subject: Re: Bug in F-PROT? (PC)
[email protected] writes:
>I was using F-PROT 2.04c from a bootable DOS 5.0 diskette. After
>booting from the A: drive, I wanted to scan another diskette in the A:
>drive. F-PROT produced unintelligible messages, such as "cotaaly
>tanmcyng, ico staro%Nnurta...". Another user here reported the same
>phenomenon. Does anyone have an explanation and/or fix for this
>problem?
With Frisk being on holidays, I think I might answer the question as
well:
It's not a bug, it's a feature!! :-)
But seriously: As stated somewhere in F-Prot's documentation, F-Prot
needs to (re)load parts of it now and then. (I think every text
appearing on screen is stored in one of two datafiles - one for the
user interface and the other one for virus descriptions).
Frisk is well aware of the kind of problems you've got, but - if I remember
correctly - does not plan to change it anytime soon.
I hope I put it right and Frisk won't kill me when reading this!
Gerald, sign of the mouse
.............................................................................
Gerald Pfeifer (Jerry) Technical University Vienna, Austria .
[email protected] .
.............................................................................
Sorry, I'm not a native speaker (flames to /dev/null) .
.............................................................................
------------------------------
Date: Thu, 03 Sep 92 13:14:15 -0400
>From:
[email protected]
Subject: Padgett Peterson's DISKSECURE upadate (PC)
Hi.
Just received directly from Padgett Peterson an update for his
DISKSECURE program. The archive (.ZIP) name is DS115.ZIP, and will be
available for FTPO processing.
Site: urvax.urich.edu, [141.166.36.6] (VAX/VMS using Multinet)
Directory: [anonymous.msdos.antivirus]
FTP to urvax.urich.edu with username anonymous and your email address
as password. You are in the [anonymous] directory when you connect.
cd msdos.antivirus, and remember to use binary mode for the zip files.
Best, Claude.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET)
University of Richmond
[email protected] (Bitnet or Internet)
Richmond, VA 23173
------------------------------
Date: Thu, 03 Sep 92 13:31:20 -0400
>From: "David M. Chess" <
[email protected]>
Subject: re: BIOS Virus Protection (PC)
> From:
[email protected] (A. Padgett Peterson)
>
> A major development seems to have quietly slipped in that
> should make it possible for effective *free* reduction of risk to PC
> users who have purchased their machines in the last year.
> ...
> In the process my 1989 vintage AMI BIOS (AMI, Phoenix, & Award
> are the three major clone BIOS manufacturers) was replaced with an AMI
> dated 5 May, 1991 and referred to as the "New" BIOS. In the "Advanced
> Setup Menu" is an entry for "System Boot Up Sequence" which may be
> selected as A:,C: (original flavor) or C:,A:...
This is true of some of the latest PS/2 systems as well; you can set
it up to try the disks in just about any order. If you really want to
try A: first (in case C: contains a CONFIG.SYS that hangs the machine,
for instance), there's a baroque key-sequence that you can do during
boot to make that happen (or to get into the menu that lets you change
the order; I forget which).
I don't know any more details of it, I'm afraid, or even which models
have it. But it's certainly catching on; good thing!
- - -- -
David M. Chess \
High Integrity Computing Lab \ The devil finds work for idle MIPS.
IBM Watson Research \
------------------------------
Date: Thu, 03 Sep 92 20:44:49 +0000
>From:
[email protected] (Gary Heston)
Subject: F-Prot 2.05 on NetWare.... (PC)
Greetings, all....
I've run into a *very* strange interaction problem. When using
F-Prot 2.05 to scan a group of servers, it works it's way through five
servers running NetWare 3.11 without any problem. When it gets to the
last server, which is the one it's being run from and which has
NetWare 2.15c installed, it scans merrily along until it hits the
\public\ms_dos\v500 directory, then locks up *solidly*. I can't even
toggle the numlock LED, or do a warm boot. It's red switch time.
However, it'll scan a DOS 5 system without any problems at all. I
tried changing the command line to remove the /all file selection
switch, with the result that it locks up on a *different* file.
Actions are identical if run interactively (I've got a user set up on
each server to attach the other five and kick off F-Prot automatically
upon login; I run this each morning), scanning all files or
executables. It's consistent about which files it crashes on; scanning
all files it doesn't like DOSSHELL.HLP, and locks *every* time. If
checking executables only, it dies on another file.
Has anyone else seen this? I've been running 2.04a for weeks without
a glitch, and have dropped back to it until I can figure out what's
going on. It still runs fine.
My copy of FP-205 was retrieved from uunet, FWIW.
Puzzled;
Gary
- --
Gary Heston SCI Systems, Inc.
[email protected] site admin
The Chairman of the Board and the CFO speak for SCI. I'm neither.
The most dangerous person in the world is Jessica Fletcher.
Everywhere she goes, people die.
------------------------------
Date: Thu, 03 Sep 92 20:09:43 -0400
>From: Anthony Naggs <
[email protected]>
Subject: Re: Auto-detecting virus (PC)
Denis Beauregard, <
[email protected]>, says:
> I would like to write a program that will check if it is per se
> holder of a virus. The method I have in view :
>
> Compile the program.
> Compute the checksum of the program.
> Put the checksum in the program.
> When starting the program : Stop the program if the checksum has been altered.
This is the most common method used by programmers to fight viruses.
I have lost count of the number of articles here and in magazines that try
something similar.
> Advantages :
> 1- User can not modify the program to remove the copyright notice
> (whic I can code anyway)
Yes.
> 2- Virus modifying hte program would be catched immediately so that
> my programs will be reputed for being virus-safe
No. For two reasons:
1. Any virus attached to your program can operate before your program does
the checksum. So your program can only say "program changed", after the
virus has done what it wishes.
2. The increasing number of "stealth" viruses are able to hide by making
their changes invisible. So when an infected program is run the virus
becomes a TSR and stops you, or your program, seeing the changes made by
the virus.
> Also, I never saw a self-protected program. Even an anti-virus program
> has as instructions : use the included diskette if infection is known.
> I think this is because DOS can be infected, but I feel these programs
> are not self-immunated (but I can be wrong).
A number of programs, including most anti-virus programs, include checks
similar to yours. The problems, especially with "stealth" viruses, mean
that this feature is often not mentioned, and is not relied upon.
Yours,
Anthony Naggs
Software/Electronics Engineer P O Box 1080, Peacehaven
(and virus researcher) East Sussex BN10 8PZ
Phone: +44 273 589701 Great Britain
Email: (c/o Univ of Brighton)
[email protected] or
[email protected]
------------------------------
Date: Thu, 03 Sep 92 20:11:22 -0400
>From: Anthony Naggs <
[email protected]>
Subject: Re: F-PROT reports Bugsres 3 Jokes program? (PC)
Dana E. Keil, <
[email protected]>, asks:
> I just obtained F-PROT. Running a scan with it reports that a file
> named bugres.com is infected with a virus named "bugsres 3 jokes
> program". I can find no mention of this virus anywhere in F-PROT
> documentation (nor elsewhere). Can anyone enlighten me about it?
F-PROT means exactly what it says, it has found "bugsres 3 joke
program". This is not a virus, although Frisk should give information
about the message in his documentation.
There are a series of joke programs known as "Bugsres", when run they
don't appear to do anything, but sometime later they generate a video
effect of a number of little bugs messing about on the screen. Most
commonly such programs are run, 'for fun', on a computer without the
owner's permission. F-PROT, and other anti-virus software, therefore
recognise these programs due to the concern that a virus might be
causing these effects.
Hope this helps,
Anthony Naggs
Software/Electronics Engineer P O Box 1080, Peacehaven
(and virus researcher) East Sussex BN10 8PZ
Phone: +44 273 589701 Great Britain
Email: (c/o Univ of Brighton)
[email protected] or
[email protected]
------------------------------
Date: Thu, 03 Sep 92 20:13:08 -0400
>From: Anthony Naggs <
[email protected]>
Subject: Re: F-Prot & SuperStor (PC)
Andy Clark, <
[email protected]>, asks:
> Has anyone used F-Prot's F-Driver.SYS with SuperStor from DR-DOS6.
>
> I tried to install this but got the message INT 13h modified....
>
> I am sure that I do not have a virus, and am assuming the INT 13h is
> used for disk access (which superstor would need to modify to redirect
> disk accesses to itself)
I am not familiar with SuperStor, but i would indeed expect it to
modify Int 13h. So you should make sure that SuperStor does this
before F-Prot is loaded. I would expect SuperStor to be a device
driver, in which case you would just move the line, in CONFIG.SYS,
"device=f-driver.sys" below the line loading the SuperStor software.
> Second: IBM PC question.
> Can anyone advise me whether there is a virus that modifies the
> seconds field in a files time value to 62. I seem to recall that there
> is a virus which does this.
There are several viruses that do this, and some virus protection
software may even do this to all your files so that such viruses think
that they are already infected.
> If there is then how do I remove it? what does it do etc.
Try running F-PROT, this should recognise most viruses that do this.
I hope this is of assistance,
Anthony Naggs
Software/Electronics Engineer P O Box 1080, Peacehaven
(and virus researcher) East Sussex BN10 8PZ
Phone: +44 273 589701 Great Britain
Email: (c/o Univ of Brighton)
[email protected] or
[email protected]
------------------------------
Date: Sun, 30 Aug 92 09:26:00 -0400
>From:
[email protected] (Felix Lafontaine)
Subject: is there a SCAN95? (PC)
HH> From:
[email protected]
HH> On a local BBS, a file called SCAN95.ZIP was uploaded, with the
HH> it was fetched from McAfee Associates BBS - as well as some
HH> files. The upload was reported to me by the SYSOP of the
HH> What are these files (beside SCAN their names escape me)?
HH> versions? Up- dates?
HH> the net,
At this moment the latest McAFee software are version 95B or C,
depends if it clean or scan. Not remember know but you can check
with them at 1-408-988-4004 (BBS)
- --
Internet:
[email protected]
UUCP: ...!myrddin!tct!psycho!367!23!Felix.Lafontaine
Note:psycho is a free gateway between Usenet & Fidonet. For info write to
[email protected].
------------------------------
Date: Sun, 30 Aug 92 09:18:00 -0400
>From:
[email protected] (Felix Lafontaine)
Subject: Netware and viruses - some new results (PC)
JJ> From:
[email protected]
JJ> Newsgroups: comp.virus
JJ> >At QUT, we have set up an experimental network to test viruses
JJ> >networked environments, and the first results have just come
JJ> >Test 1: Exhaustive test of netware preotection setting on
JJ> files and
JJ> >directories against common viruses.
Thats sound well, but most of the commons virus have an
erradicated status, so what about new viruses, like MTE bases
viruses.
- --
Internet:
[email protected]
UUCP: ...!myrddin!tct!psycho!367!23!Felix.Lafontaine
Note:psycho is a free gateway between Usenet & Fidonet. For info write to
[email protected].
------------------------------
Date: Sun, 30 Aug 92 09:28:00 -0400
>From:
[email protected] (Felix Lafontaine)
Subject: Stoned/Azusa haunting (PC)
DT> scan a: - 1 virus found [azusa]
DT> clean a: [azusa] - 1 virus removed [azusa]
DT> Anyone know if these two virii mutate when they're together?
Do you boot from a clean floppie. Both are Memory resident
- --
Internet:
[email protected]
UUCP: ...!myrddin!tct!psycho!367!23!Felix.Lafontaine
Note:psycho is a free gateway between Usenet & Fidonet. For info write to
[email protected].
------------------------------
Date: Sun, 30 Aug 92 09:24:00 -0400
>From:
[email protected] (Felix Lafontaine)
Subject: 15xx problems (PC)
HB> From:
[email protected] (Howard Betel)
HB> My brother recently asked me to disinfect his computer as scan
HB> verifying I ran clean to remove the virus. Then I installed
HB> (both wer v89) Thinking everything was now clean we started
HB> more work. Vshield then caught 15xx again and notified me. I
HB> clean again thinking that somehow I missed something. Sure
HB> little while later another file seemed to be infected. I then
HB> again with the all parameter. It picked up an infected file in
HB> the subdirectories. When I ran scan again with that file name
HB> file with a name something like '.xxxxx.exe' I can't remember
HB> deleted
HB> recently found out that 15xx mutates. After telling my brother
HB> been freezing randomly on boot up (right after vshield finishes
HB> of the
HB> floppies are infected?
Fisrt thing you have to do get a new scan/clean version. Version 89
is out of date. The latest software for antivirus are available in
ftp sites like urvax.urich.edu
Second, you must boot your sistem from a clean/write protect floppie
to avoid the virus if it in TSR. After you boot you can scan your
computer and clean it.
- --
Internet:
[email protected]
UUCP: ...!myrddin!tct!psycho!367!23!Felix.Lafontaine
Note:psycho is a free gateway between Usenet & Fidonet. For info write to
[email protected].
------------------------------
Date: 04 Sep 92 05:57:15 +0000
>From:
[email protected] (Alan Christiansen)
Subject: Windows virus? exists? (PC)
I was just wondering. Are there any viruses that are windows
specific.
ie they infect windows programs only? infect windows OS. have
sysmptoms only when windows runs etc.
Alan
------------------------------
Date: Fri, 04 Sep 92 09:06:55 -0400
>From:
[email protected]
Subject: Re: F-PROT reports Bugsres 3 Jokes program? (PC)
Dana E. Keil writes:
> I just obtained F-PROT. Running a scan with it reports that a file
> named bugres.com is infected with a virus named "bugsres 3 jokes
> program". I can find no mention of this virus anywhere in F-PROT
> documentation (nor elsewhere). Can anyone enlighten me about it?
Yes. The file BUGSRES.COM is not *infected* with the "bugsres 3 joke
program" - BUGSRES.COM *is* the joke program F-Prot has spotted.
It's a terminate-and-stay-resident (TSR) program that can be installed
so that it is "triggered" on a certain keystroke (eg, the 50th time the
user hits the "A" key). When this event occurs, several simplistic
"ants" race around the screen "eating" the characters on the display. A
certain key combination restores the original screen. (Can't remember
all the details - something like both shift keys together, I think - try
running it with "/Help" or other such switches and you should get a
brief summary)
F-Prot presumably reports this beacause it could cause panic if someone
installs it on someone else's PC as a "joke", as the victim may think
they have been hit by a virus. Paradoxically, you have been caused
concern *because* of the warning :-)
Steve Richards.
------------------------------
Date: Fri, 04 Sep 92 11:50:51 -0400
>From: "David M. Chess" <
[email protected]>
Subject: Auto-detecting virus (PC)
>From:
[email protected] (Denis Beauregard)
>
>I would like to write a program that will check if it is per se
>holder of a virus. The method I have in view :
>
>Compile the program.
>Compute the checksum of the program.
>Put the checksum in the program.
>When starting the program : Stop the program if the checksum has
>been altered.
All self-respecting anti-virus programs do exactly this (or some
equivalent check). The reason that most advise you to reboot anyway
if there's a virus active is just caution; trying to clean up with an
unkilled virus active in memory can be messy and, while it will often
work, they don't want you to take the chance.
Remember that (unless you do something other than just normal DOS
calls to read yourself), this doesn't work against stealthed viruses,
because you'll see a clean image of yourself. If your program is big
(so many are these days!) it can slow down loading considerably on
slow machines. If that's a concern, you don't really have to checksum
every byte of yourself (at least if viruses are your main worry). But
you do have to check the important ones! *8)
Virtually any reasonably good check-code will do; unless your programs
become *extremely* popular, no virus author will target them
specifically.
DC
------------------------------
Date: Fri, 04 Sep 92 11:53:39 -0400
>From: "David M. Chess" <
[email protected]>
Subject: re: 62 seconds (was: F-Prot & SuperStor) (PC)
>From:
[email protected]
>
>Second: IBM PC question.
>Can anyone advise me whether there is a virus that modifies the
>seconds field in a files time value to 62.
>If there is then how do I remove it? what does it do etc.
There are quite a few viruses that do this; how to remove it
and what it does depends on which one you have. Get ahold of
a good scanner and see what it says...
DC
------------------------------
Date: 03 Sep 92 20:51:20 +0000
>From: a_rubin%dsg4.dse.beckman.com (Arthur Rubin)
Subject: Re: Bugs on my Atari (Atari)
cmontoya%
[email protected] (Red Dragon) writes:
>I know I'm the not the only person with an old Atari. I just had a
>bunch of bugs appear on my screen and eat up the screen and trash my
>disk. Help please. I was just going to help a friend with an Amiga
>virus and this happens! BTW, can PC viruses infect my Atari? I was
>using a DOS disk when this happened.
PC viruses cannot infect a non-IBM-architecture machine unless it is
running a PC simulator/emulator. That program, in addition, sounds
like a joke program I've heard of. Are you SURE your disk is damaged?
- --
Arthur L. Rubin:
[email protected] (work) Beckman Instruments/Brea
[email protected] [email protected] [email protected] (personal)
My opinions are my own, and do not represent those of my employer.
My interaction with our news system is unstable; please mail anything important.
------------------------------
Date: Thu, 03 Sep 92 20:16:47 -0400
>From: Anthony Naggs <
[email protected]>
Subject: Re: Virus Armour
Suresh Thennarangam, <
[email protected]>, raises some questions:
> In the Jan 1992 issue of Virus Bulletin,column Virus Anlysis,
> James Beckett writes:
>
> <> Designers realized some time ago that the efficiency of micro-processors
> <> can be increased by using the spare bus time to pre-fetch the next few
> <> bytes of instructions. This has the curious corollary that if the
> <> memory is modified a very short distance in front of the current
> <> instruction, the processor never sees the change, as it has already
> <> read the relevant bytes ........
>
> While this seems somewhat plausible I wonder if Intel's chip designers
> didn't make the 80x86 processors smart enough to detect memory changes
> in the vicinity of the current instruction and reload the pre-fetch
> queue in response.
No they don't. This would make the processor much more complicated, as it
would have to monitor and understand all DMA accesses (including DRAM refresh
cycles, disk data transfers, ..). And you are asking it throw away
instructions that are already partly executed, and restart them from
their original start conditions.
Cache memory, on the other hand, uses techniques such as "bus snooping" to
ensure that the cache contents are not used if they vary from the real
memory. It should be noted that the more recent CPUs of most families use
pipelining, (starting to execute several instructions before earlier ones are
complete), to help give their increase in speed.
> Well, if not then this is a hazard for programs that modify themselves
> during runtime.
For most purposes, self modifying programs went out of fashion with the
Commodore PET, around 1979. (The PET did indeed use a considerable quantity
of self modifying code, too get the maximum speed of operation).
The only use I have made of self-modifying code was for a magazine article in
1989, to identify through software the different members of the 80x86 family.
This indeed relied in the effect of the CPU pre-fetch in one of its tests.
Yours, Anthony Naggs
Software/Electronics Engineer P O Box 1080, Peacehaven
(and virus researcher) East Sussex BN10 8PZ
Phone: +44 273 589701 Great Britain
Email: (c/o Univ of Brighton)
[email protected] or
[email protected]
------------------------------
Date: Thu, 03 Sep 92 08:31:28 -0400
>From: Brian Seborg <
[email protected]>
Subject: Re: Fingerprinting files
Suresh,
Your observation that fingerprinting files is the most proven me best
way of virus detection is for the most part true. Some tricks have to
be pulled to ensure that you bypass stealth viruses, but other than
that, it is the best way. You raise a very good question regarding
self-modifying exe files (e.g. setver.exe that comes with DOS 5.0).
There are several ways to handle these. First, one can put them on an
exception list and ignore them. This is not a good idea for programs
which are executed every time the PC is turned on (again setver.exe
comes to mind), but may be appropriate for files which change due to
their being programs under development (such as would be seen in some
directories of a programmers machine). The second way to deal with
this is to note the modifi- cation and query the user as to whether
this should be allowed. This works well for power users, but is prone
to error for the general user who may not un understand what is going
on on his PC, and could, therefore, make the wrong decision. The
third way is to note where the change occurred, and what type of
change occurred. Whereas it may be okay for a program to make a
change to its data area, it is probably not okay to see a change in
the program entry point. Fourth and finally, you can raise the flag
to industry to stop this technique of self-modifyable executables. It
is irresponsible to have self- modifying executables in today's
computer environment. Just when we think we are getting a handle on
the virus problem, along comes a suit of programs which modify
themselves. Not the best idea in my book, regardless of the fact that
it provides a neat solution to some other problems such as making sure
that data-files are located in the right directory, and the need to
execute files from the same directory where their data files are
contained to run properly. Hope this answers the question.
:-) Brian Seborg
------------------------------
Date: Thu, 03 Sep 92 16:17:01 -0700
>From:
[email protected]
Subject: (c) Brain - part 4 (CVP)
HISVIR9.CVP 920810
(c) Brain - part 4
Technically, the Brain family, although old, has a number of
interesting points.
Brain itself is the first known MS-DOS virus, aside from those
written by Fred Cohen for his thesis. In opposition to his, Brain
is a boot sector infector. One wonders, given the fact that the two
earliest viral programs (for the Apple II family) were "system"
viri, whether there was not some influence from these earlier, and
similar, programs.
Brain is the first example of "stealth" technology. Not, perhaps,
as fully armoured as other, later, programs, but impressive
nonetheless. The intercepting and redirection of the system
interrupts had to be limited in order for the virus to determine,
itself, whether or not a target was infected.
The Den Zuk and Ohio variants use the trapping technology which can
be used to have a virus survive a warm boot. Although they do not
survive, the fact that the <Ctrl><Alt><Del> key sequence is trapped,
and that another piece of programming (in this case, the onscreen
display) is substituted for the reboot code proves the point. The
virus could be made to survive and to "fake" a reboot. (The
recovery of the system would likely require a lot of programming and
code. This has been pointed out before, and the "recovery mode" of
Windows 3.1 probably proves it.)
Den Zuk and Ohio are also "virus hunting viri". This possibility
has long been discussed, and these examples prove it can be done.
They also indicate that it is not a good idea: Den Zuk and Ohio are
far more dangerous than Brain ever was.
The Solomon and Skulason analyses are fascinating for tracking the
trail of a virus "mutation" through the same, and different,
authors. The evolution of programming sophistication, the
hesitation to alter the length of text strings, even while they are
being replaced, and the retention and addition of bugs form an
engrossing pattern to follow.
copyright Robert M. Slade, 1992 HISVIR9.CVP 920810
==============
Vancouver
[email protected] | "My son, beware ... of the
Institute for
[email protected] | making of books there is
Research into
[email protected] | no end, and much study is
User
[email protected] | a weariness of the flesh."
Security Canada V7K 2G6 | Ecclesiastes 12:12
------------------------------
End of VIRUS-L Digest [Volume 5 Issue 147]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253
