[comp.virus] "Six Bytes"

padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (03/29/91)

>From:    frisk@rhi.hi.is (Fridrik Skulason)
>Subject: Re: Integrity Checking, programs & system

>I don't mean to be insulting, but I have said it before, and I will
>say it again: The six-byte check is no substitute for a full system
>integrity check!  Although it will detect most viruses, it will NOT
>detect them all, in particular it will miss some "stealth" viruses,
>like the "Number of the Beast".

I did not think I ever said that it was. In fact in my New York paper
specific mention was made that it did not detect the 512 (Number of
the Beast). It will also not detect the Alabama, Icelandic, EDV, or
any virus that does not go resident. What was said was that it will
detect all currently "common" viruses (though to detect the
Jerusalem/Sunday or 1701/1704 variants, knowledge of the system is
required). Also, though I usually tell people that intelligent use of
CHKDSK will perform essentially the same function. Sure, a lot more
can be done, but my purpose was to defuse some of the "undetectable
viruses" hysteria that was surrounding the last crop of "stealth"
(FLIP, 4096, WHALE, JOSHI) viruses when they are really easy to spot
(also BRAIN {the first "stealth"}, YALE, STONED, DATALOCK, AZUSA,
MUSICBUG, etc).

Point is that most of the postings I see here asking for assistance
are not from experts with some new research virus that can exploit an
obscure hole in a specific system (or does the INT13 understand both
DOS 3.X and 4.X buffer chains ?), but real people needing real help
now.

CHKDSK or Int 12/Int 21 fn 48 values are also an easy way for someone
a continent away and without any software tools that don't come with
DOS to describe what is happening, something I have done several times
on the telephone. 655360 "total bytes memory" should be engraved in
every technician's mind.

I will admit to tailoring most of my postings to be educational for
the participant who is reasonably PC-lucid but has not had the
opportunity to spend years of in depth study on undocumented
interrupts. For this reason, my public comments have been slanted
toward what can be done in five minutes with DEBUG and be stated as
easily. Private conversations with people in trouble have gone into
much greater depth but I have found that the simple techniques are
effective most of the time.

Possibly, my last posting on removal of AZUSA was too technical but
did not know another way to phrase it. "Send all your money and a
plane ticket" seems a bit commercial and enough people had asked that
I felt it might be useful.

>However, my main point is this - it is possible to make a program
>integrity check which will detect infection by all "stealth" viruses
>known today, and (I hope) tomorrow's viruses as well.

I agree completely, such a program is not only feasible, but
relatively simple.  Readers who have been following our discussions
will recall one statement I have been making for sometime: an
effective defense MUST start at the BIOS level, something that has
nothing to do with the "six bytes". Such a program's major difficulty
will be to handle every oddball O/S, partitioning scheme, and
non-compliant application around.

One of my detectors went off on a MicroSoft WORD for Windows ver 1.1
installation disk. For some reason the disk was formatted with IBM 3.3
as used by COMPAQ (figure that one out). To get the COMPAQ logo into
the boot record, the information was one byte too long to follow the
MicroSoft specification so the code appeared to start one byte back in
a "reserved" area. BONG !

>I cannot go into details, but I do have a working program which is
>able to do this - more details next month.

Is this why the "insulting" of the "six bytes" ? I admit to being
surprised that someone with your well-deserved reputation and many
contributions would feel it necessary to harp on admitted flaws in
something that is not a commercial product but merely a technique some
people find useful.

				Bemusedly,
						Padgett

mrs@netcom.com (Morgan Schweers) (03/31/91)

Greetings,
    Actually, an extremely simple method of generic 'virus detection'
for viruses which infect on execute (or open) is to create a program
that records the FREE DISK SPACE, then opens a file named 'TEST.COM'
and fills it with 8192 copies of 'INT 20h', then spawns out to execute
it.  The free disk space is loaded again, and compared against the
original minus 16384.  (8192*2 bytes of code.)  This should
successfully handle all cluster-sizes, etc.  If the values aren't
equal then there is Something Wrong(tm).

    Admittedly, it won't work on all viruses, but it sure will handle
the large majority of them.  Another useful trick is to have your
CONFIG.SYS SHELL your COMMAND.COM from a different filename, and load
it over to a RAMDISK in your AUTOEXEC.BAT...  Then (of course) set
COMSPEC=<ramdisk>:\COMMAND.COM...  It speeds up your system, too!
<Grin> (It helps against some of the Stealth viruses, but only a
little...)

    There are dozens of little precautions you can take to protect
your system from viruses.  None of them will work in all cases (the
most difficult being the direct action viruses...  Stopping them
easily is *ANNOYING*) but they do provide a modicum of security.

    I'll point out that Padgett Peterson has a reasonably correct idea
in stating that the place to start from *IS* from the boot sector, or
the partition table.  It's a cleaner environment down there, and can
be checked *MUCH* easier.

    A total system checkout is feasible, as frisk has suggested.  If
you have a memory resident virus, it *CAN* be detected.  Period.  For
it to work *WELL*, you have to know your system.  If you don't know
what's on your computer, it's tough for an AV product to accurately
tell you what's *NOT SUPPOSED* to be there.

    In relation to that, I'll put in my two cents about the six
bytes...  For a technician helping out a non-PC-literate user, it's
probably a good thing.  For a technician helping out a user with lots
of specialized drivers, and/or unusual partitioning stuff, etc., it
can lead one down the wrong path entirely, if used as the FIRST check
on a system.

                                                        --  Morgan Schweers

P.S.  It sounds strange, I suppose, but if you're the type of person
      who takes precautions about possible 'new' virus infections,
      then you're a lot less likely to be the kind of person who GETS
      new virus infections.

+------------
"The views expressed within are the opinion of the author only.  Nobody
 could possibly be crazy enough to support these views.  My memory may be
 faulty, or could even have a parity error..."
                                        --  mrs@netcom.com, ms@gnu.ai.mit.edu
-------------+
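A model of the free-space bait check described in the post above, added here as an example and not code from either poster: it simulates FAT cluster arithmetic to show why a bait of exactly 8192 INT 20h instructions (16384 bytes) makes any growth of the file during execution visible on every power-of-two cluster size up to 16 KiB, and where the fixed "original minus 16384" baseline stops holding. Cluster sizes, the starting free-space figure and the growth lengths are constructed assumptions.

```python
# Added example: cluster-level model of the TEST.COM free-space check.
# Nothing here executes a bait file; it only reproduces the bookkeeping
# a FAT-style file system does when the bait is created and then grows.

BAIT_BYTES = 8192 * len(b"\xcd\x20")   # 8192 copies of INT 20h = 16384 bytes


def clusters_for(size: int, cluster: int) -> int:
    """Clusters a FAT-style volume allocates for a file of `size` bytes."""
    return -(-size // cluster)          # ceiling division


def free_after_run(free_before: int, cluster: int, appended: int) -> int:
    """Free space after TEST.COM is created and run, if something added
    `appended` bytes to it during execution (0 models a clean run)."""
    return free_before - clusters_for(BAIT_BYTES + appended, cluster) * cluster


def something_wrong(free_before: int, free_after: int) -> bool:
    """The check as posted: free space must equal the original minus
    16384 bytes; any other value means Something Wrong(tm)."""
    return free_after != free_before - BAIT_BYTES


def detects(cluster: int, appended: int) -> bool:
    """Would the posted check flag `appended` bytes of growth on a volume
    with this cluster size? (Starting free space is a constructed value.)"""
    free_before = 10_000_000
    return something_wrong(free_before, free_after_run(free_before, cluster, appended))


def smallest_growth_detected(cluster: int, bait: int = BAIT_BYTES) -> int:
    """Smallest growth that forces an extra cluster. A bait that exactly
    fills its clusters (16384 on any power-of-two cluster <= 16 KiB)
    exposes a single appended byte; an odd-sized bait leaves slack."""
    return clusters_for(bait, cluster) * cluster - bait + 1


def clean_baseline_holds(cluster: int) -> bool:
    """False when a clean run already differs from 'minus 16384', i.e. the
    cluster is larger than the bait and the baseline needs adjusting."""
    return not detects(cluster, 0)


if __name__ == "__main__":
    for cluster in (512, 2048, 4096, 8192, 16384, 32768):
        print(cluster, smallest_growth_detected(cluster), clean_baseline_holds(cluster))
```

The model also makes the posted caveat concrete: an infection that does not lengthen the bait (appended == 0) leaves free space unchanged and passes the check.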