[comp.sys.ibm.pc] FIGHTING THE VIRUS

mcgraw@sunspot.UUCP (Robert McGraw) (03/01/88)

Here is a suggestion in fighting the common virus.

1. make a test directory and keep a copy of COMMAND.COM plus (optional) any
other .exe, .com programs that you know to be free of the virus, i.e.
programs from the original diskettes.
 
2. write a simple test program and make it into a .com and store two
copies in the test directory you created above (obviously under
different names). You know these do not have the virus.
 
3. create a .BAT file that will:
 
	a.	execute one of your test programs
	b.	run a DIFF on the COMMAND.COM in your root directory and your
		test directory, run a DIFF on your two test programs in your
		test directory, and run a DIFF on your other .exe/.com programs
		that you have in the test directory.
 
4. run the above .BAT file at bootup, shutdown, and/or after you have
downloaded a file from a BBS and executed the program.          

If any differences are indicated your disk might have a cold. I am not
sure if certain .exe/.com programs might get changed when you
run a reconfigure on the software package so you will have to keep
this in mind. 

This system will catch a COMMAND.COM that gets modified but does not change
size, and it checks .exe/.com files that get modified when executed.

I use the DIFF in the MKS package and it is fast. I am sure there are
DIFF programs in the PD if you don't have one.
 
This is a quick but dirty way of checking for the bugs that
have been going around. The good point to this system is that you know
the programs you are checking against are free of the virus since you
copied them from the original diskette. If you really feel insecure you
could make a known difference in your test program to check that your
DIFF program is working correctly. OH WELL..
-- 
-Robert P. McGraw, Jr.	National Solar Observatory SPO
 USPS Mail:		Box 62, Sunspot, NM 88349 USA
 Phone:			(505)434-1390, FTS: 571-0232
 Internet:		rmcgraw@noao.arizona.edu
 SPAN/HEPNET:		DRACO::RMCGRAW		[DRACO=5356]
 UUCP:			{arizona,decvax,hao,ihnp4},noao!sunspot!rmcgraw

mollusk@squid.UUCP (03/02/88)

From squid!mollusk Wed Mar 02 21:00 CDT 1988 remote from occrsh
Subject: re: FIGHTING THE VIRUS

* Send replies to address in signature below, unless you're so hungry for
* human contact that bounced mail is better than no mail

>3. create a  .BAT file that will:
>
>        a.      execute one of your test programs
>        b.      run a DIFF on the COMMAND.COM in your root directory
>and your test directory, run a DIFF on your two test programs in your
>test directory, run a
>diff on your other .exe/.com programs that you have in the test directory.

Naw, too much work. Much easier, possibly more effective:

 Strip the crc check code out of something reasonable, and make a program
 that crc checks all the executables and device drivers, and stores the
 results in a table, which is checked every time the program is run. Maybe
 the first thing it should do, the very first time it is run, is to crc
 itself, and write that number into itself, then check it every time after
 that. The program should be distributed in SOURCE form ONLY! Ya gotta be
 shy a few marbles to run any exe from an anonymous source like a
 newsgroup, these days. It would be an IDEAL place to spread a virus; too
 many trusting users out there. If you didn't compile it, don't run it!

 Here's something to start with; if someone makes something good out of
 this, please send me a copy.

/*** ***/

#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#if defined(__MSDOS__) || defined(MSDOS)
#include <io.h>          /* open/read/close prototypes on MS-DOS compilers */
#else
#include <unistd.h>
#endif
#ifndef O_BINARY
#define O_BINARY 0       /* only MS-DOS needs binary mode; a no-op elsewhere */
#endif

/* crc table and routine taken from BENCODE/BDECODE */

/* crc and the table entries must be unsigned: a signed table entry would
   sign-extend into the high bits and corrupt the next >> 8 step */
#define CRC(crc, c)      crc = ((crc) >> 8) ^ crctab[((crc) ^ (c)) & 0xff]
/* generated using the CRC-16 polynomial x^16 + x^15 + x^2 + 1 = 0120001 */
unsigned short crctab[256] = {
  0x0000, 0xc0c1, 0xc181, 0x0140, 0xc301, 0x03c0, 0x0280, 0xc241,
  0xc601, 0x06c0, 0x0780, 0xc741, 0x0500, 0xc5c1, 0xc481, 0x0440,
  0xcc01, 0x0cc0, 0x0d80, 0xcd41, 0x0f00, 0xcfc1, 0xce81, 0x0e40,
  0x0a00, 0xcac1, 0xcb81, 0x0b40, 0xc901, 0x09c0, 0x0880, 0xc841,
  0xd801, 0x18c0, 0x1980, 0xd941, 0x1b00, 0xdbc1, 0xda81, 0x1a40,
  0x1e00, 0xdec1, 0xdf81, 0x1f40, 0xdd01, 0x1dc0, 0x1c80, 0xdc41,
  0x1400, 0xd4c1, 0xd581, 0x1540, 0xd701, 0x17c0, 0x1680, 0xd641,
  0xd201, 0x12c0, 0x1380, 0xd341, 0x1100, 0xd1c1, 0xd081, 0x1040,
  0xf001, 0x30c0, 0x3180, 0xf141, 0x3300, 0xf3c1, 0xf281, 0x3240,
  0x3600, 0xf6c1, 0xf781, 0x3740, 0xf501, 0x35c0, 0x3480, 0xf441,
  0x3c00, 0xfcc1, 0xfd81, 0x3d40, 0xff01, 0x3fc0, 0x3e80, 0xfe41,
  0xfa01, 0x3ac0, 0x3b80, 0xfb41, 0x3900, 0xf9c1, 0xf881, 0x3840,
  0x2800, 0xe8c1, 0xe981, 0x2940, 0xeb01, 0x2bc0, 0x2a80, 0xea41,
  0xee01, 0x2ec0, 0x2f80, 0xef41, 0x2d00, 0xedc1, 0xec81, 0x2c40,
  0xe401, 0x24c0, 0x2580, 0xe541, 0x2700, 0xe7c1, 0xe681, 0x2640,
  0x2200, 0xe2c1, 0xe381, 0x2340, 0xe101, 0x21c0, 0x2080, 0xe041,
  0xa001, 0x60c0, 0x6180, 0xa141, 0x6300, 0xa3c1, 0xa281, 0x6240,
  0x6600, 0xa6c1, 0xa781, 0x6740, 0xa501, 0x65c0, 0x6480, 0xa441,
  0x6c00, 0xacc1, 0xad81, 0x6d40, 0xaf01, 0x6fc0, 0x6e80, 0xae41,
  0xaa01, 0x6ac0, 0x6b80, 0xab41, 0x6900, 0xa9c1, 0xa881, 0x6840,
  0x7800, 0xb8c1, 0xb981, 0x7940, 0xbb01, 0x7bc0, 0x7a80, 0xba41,
  0xbe01, 0x7ec0, 0x7f80, 0xbf41, 0x7d00, 0xbdc1, 0xbc81, 0x7c40,
  0xb401, 0x74c0, 0x7580, 0xb541, 0x7700, 0xb7c1, 0xb681, 0x7640,
  0x7200, 0xb2c1, 0xb381, 0x7340, 0xb101, 0x71c0, 0x7080, 0xb041,
  0x5000, 0x90c1, 0x9181, 0x5140, 0x9301, 0x53c0, 0x5280, 0x9241,
  0x9601, 0x56c0, 0x5780, 0x9741, 0x5500, 0x95c1, 0x9481, 0x5440,
  0x9c01, 0x5cc0, 0x5d80, 0x9d41, 0x5f00, 0x9fc1, 0x9e81, 0x5e40,
  0x5a00, 0x9ac1, 0x9b81, 0x5b40, 0x9901, 0x59c0, 0x5880, 0x9841,
  0x8801, 0x48c0, 0x4980, 0x8941, 0x4b00, 0x8bc1, 0x8a81, 0x4a40,
  0x4e00, 0x8ec1, 0x8f81, 0x4f40, 0x8d01, 0x4dc0, 0x4c80, 0x8c41,
  0x4400, 0x84c1, 0x8581, 0x4540, 0x8701, 0x47c0, 0x4680, 0x8641,
  0x8201, 0x42c0, 0x4380, 0x8341, 0x4100, 0x81c1, 0x8081, 0x4040
};

int main( int argc, char *argv[] )
{
  unsigned char buff[4096] ;
  unsigned int crc = 0 ;
  int Handle, cnt, x ;

  if( argc != 2 )
  {
    puts( "Filename?" ) ;
    exit( 0 ) ;
  }
                                  /*  vvv---------MSDOS nonsense */
  Handle = open( argv[1], O_RDONLY | O_BINARY ) ;
  if( -1 == Handle )
  {
    perror( argv[1] ) ;
    exit( 1 ) ;
  }

  /* read() returns 0 at end of file and -1 on error; stop on either */
  while( (cnt = read( Handle, buff, sizeof buff )) > 0 )
  {
    for( x=0; x<cnt; ++x )
      CRC( crc, buff[x] ) ;
  }
  if( -1 == cnt )
  {
    perror( argv[1] ) ;
    close( Handle ) ;
    exit( 1 ) ;
  }
  close( Handle ) ;

  printf( "%-12s %x\n", argv[1], crc & 0xffff ) ;
  return 0 ;
}

/*** ***/

 /\_______ __________________________
(_)\avid   ihnp4!occrsh!squid!mollusk  If I'm not dead, then what am I do-
  | )----- 1:19/1  vox=<405> 848-8868  ing here? And if I'm dead, then why
  |/rexler POB 1214, Bethany OK 73008  do I have to go to the bathroom?
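The "crc itself, and write that number into itself" step above can be done without a separately stored value: with this CRC-16 (reflected polynomial 0xA001, initial value 0) appending the CRC low byte first makes the CRC over the whole sealed image come out 0, so a later run only has to test for a zero residue. This is an added example, not code from the thread; the bitwise `crc16_arc` reproduces the table above (byte 0x01 gives 0xC0C1, the table's second entry), and `seal_image`, `check_sealed` and the image bytes are constructed here.

```c
#include <stdio.h>
#include <string.h>

/* CRC-16, poly x^16+x^15+x^2+1 in reflected form (0xA001), init 0, no final
 * XOR: the bitwise equivalent of the table-driven CRC() macro posted above. */
unsigned crc16_arc(const unsigned char *p, size_t n)
{
    unsigned crc = 0;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc & 1) ? (crc >> 1) ^ 0xA001 : crc >> 1;
    }
    return crc & 0xFFFF;
}

/* Append the image's CRC, low byte first.  Feeding those two bytes back
 * through the CRC clears the register, so the sealed image has residue 0.
 * buf must have 2 spare bytes; returns the new length. */
size_t seal_image(unsigned char *buf, size_t len)
{
    unsigned crc = crc16_arc(buf, len);
    buf[len]     = (unsigned char)(crc & 0xFF);
    buf[len + 1] = (unsigned char)(crc >> 8);
    return len + 2;
}

/* 1 if the sealed image is unchanged (residue 0), 0 if any byte differs. */
int check_sealed(const unsigned char *buf, size_t len)
{
    return len >= 2 && crc16_arc(buf, len) == 0;
}

int main(void)
{
    /* constructed stand-in for a program image; not a real executable */
    unsigned char image[64] = "MZ example program image";
    size_t n = seal_image(image, strlen((char *)image));
    printf("sealed:   %s\n", check_sealed(image, n) ? "OK" : "CHANGED");
    image[3] ^= 0x01;               /* simulate a one-bit modification */
    printf("modified: %s\n", check_sealed(image, n) ? "OK" : "CHANGED");
    return 0;
}
```

A CRC is not a keyed check: a change that knows the scheme can recompute the two trailing bytes, so the baseline table (or the sealed checker itself) still needs to live somewhere the checked system cannot write.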

hst@mhres.mh.nl (Klaas Hemstra) (03/02/88)

In article <571@sunspot.UUCP> mcgraw@noao.UUCP (Robert McGraw) writes:
>Here is a suggestion in fighting the common virus.
>
>1. make a test directory and keep a copy of COMMAND.COM plus (optional)any
>other .exe, .com programs that you know to be free of the virus i.e.
>programs from the original disketts.
> 

etc. stuff deleted.


>-Robert P. McGraw, Jr.	National Solar Observatory SPO
> USPS Mail:		Box 62, Sunspot, NM 88349 USA
> Phone:			(505)434-1390, FTS: 571-0232
> Internet:		rmcgraw@noao.arizona.edu
> SPAN/HEPNET:		DRACO::RMCGRAW		[DRACO=5356]
> UUCP:			{arizona,decvax,hao,ihnp4},noao!sunspot!rmcgraw

A very good idea. Especially if the copy of COMMAND.COM does not have the .COM
extension, etc.

But how about the two hidden DOS files (IBMBIO.COM & IBMDOS.COM) ?
Shouldn't you protect these files too ?

My opinion is YES.
That would make things a little less simple but still possible without too much
trouble. You have to make your own diff program for that, or have a diff
program that also reads hidden files, etc.



-- 
Klaas Hemstra  (hst@mh.nl)                   |    /  / ,~~~  ~~/~~
uucp: ..{uunet!}mcvax!mh.nl!hst              |   /--/  `-,    /  ___  |_/ |__|
Multihouse N.V., Gouda, the Netherlands      |  /  / ___/    /   ---  | \ |  | 

campbell@maynard.BSW.COM (Larry Campbell) (03/03/88)

In article <571@sunspot.UUCP> mcgraw@noao.UUCP (Robert McGraw) writes:
>Here is a suggestion in fighting the common virus.

Here is a better suggestion, which takes much less work and is more
airtight.

Never run free software on your machine, unless it came in source form,
and you inspected it before compiling it.

I wouldn't touch binaries with a ten-foot pole.
-- 
Larry Campbell                                The Boston Software Works, Inc.
Internet: campbell@maynard.bsw.com          120 Fulton Street, Boston MA 02109
uucp: {husc6,mirror,think}!maynard!campbell         +1 617 367 6846