padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) (03/30/91)
[Ed. This is the beginning of Padgett Peterson's paper, "Six Bytes for
Virus Detection in the MS-DOS Environment". The complete paper is
available by anonymous FTP on cert.sei.cmu.edu in pub/virus-l/docs
under the filename six.bytes.padgett.]
WARNING: The method depicted in this paper will not detect every conceivable
virus; to do so would take far more than six bytes. What it will
do is detect all currently "common" viruses for a knowledgeable user;
however, CHKDSK can do the same thing if intelligently applied. A
short .COM file following these principles will make a good "first
check" before using a scanner to determine whether something unknown
might be resident.
Some viruses revealed immediately include Brain, Yale, Datalock,
Stoned, 4096, Fish-6, Flip, Whale, Joshi, MusicBug, and Azusa.
TSR viruses such as the Jerusalem, Sunday, and 1701/1704 variants
will also be revealed if the user is knowledgeable about the system.
Padgett Peterson, 3/29/91
Six Bytes for Virus Detection
in the
MS-DOS Environment
A. Padgett Peterson, P.E.
Orlando, Florida
Introduction
Considering the size of the population (over fifty million MS-DOS
platforms at last estimate), at the macro level the 240+ known viruses
represent a relatively small statistic. At the micro level, however, they
can be devastating.
With the growth in size of fixed disks and applications, backups are
often obsolete or incomplete where proper discipline has not
been established. Unfortunately, this seems to include the majority
of non-power users.
Since the number of known viruses appears to be doubling each
year, the threat is not diminishing, yet the most accepted utilities,
John McAfee's SCAN & CLEAN, rely on detection of known infections.
While there are some products that actually perform integrity
management of a system (Certus International CERTUS, Enigma-Logic
VIRUS-SAFE and PC-SAFE, Fischer International PC-WATCHDOG, Dr. Panda
BEARTRAP), most are oriented to file protection rather than system
protection.
To adequately protect a machine that possesses no native
integrity management requires a layered approach of user management,
files/applications management, and systems management. We have a good
handle on the first two but the question of systems integrity,
something so pervasive in mainframes that it is taken for granted,
does not currently exist for the PC.
Until recently, there was not a large enough population of both
successful and unsuccessful viruses to draw any inferences
about their viability in the general population. At the close of
1990, however, certain characteristics of "successful" viruses, those
listed as "common" in Patricia Hoffman's Virus Summary, have become
clear:
1: Become resident in memory following infection
2: Allocate memory to themselves
3: Redirect part of the operating system (not necessarily interrupts)
Each of these elements is easily detected, often in more than
one way, yet few people or programs bother to look. Some years ago,
this author wrote three simple assembly language programs, each
about 1k bytes long. The first tests file integrity, the second tests
disk integrity, and the third tests system integrity. Taken together
these still detect every "common" virus, not because they "know" all
viruses but because they "know" an uninfected system. There is
nothing magical involved, merely a knowledge of how the architecture
operates.
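The "know an uninfected system" idea above, reduced to its comparison logic, as an added illustration that is not the paper's own six-byte routine: a snapshot of the reported conventional memory and a few interrupt vectors is compared against a baseline taken while the machine was known clean. The helper names, the fields chosen and every sample value (memory sizes, segment:offset pairs) are constructed for this example.

```python
# Added illustration of the "know an uninfected system" approach: compare a
# few facts about the running system against a baseline recorded when the
# machine was known clean. This is NOT the paper's own six-byte routine; the
# fields, the helper names and all sample values are constructed for this example.

def snapshot(total_kb, vectors):
    """A minimal system snapshot.

    total_kb : conventional memory the BIOS reports (INT 12h; the figure
               CHKDSK prints as total bytes memory, divided by 1024)
    vectors  : {int_number: (segment, offset)} copied from the interrupt
               vector table for the interrupts of interest
    """
    return {"total_kb": total_kb, "vectors": dict(vectors)}

def check_system(baseline, current):
    """Return a list of findings; an empty list means nothing changed."""
    findings = []

    # Characteristics 1 and 2: a virus that goes resident and reserves memory
    # for itself usually lowers the top-of-memory figure (e.g. 640 KB -> 638 KB).
    lost_kb = baseline["total_kb"] - current["total_kb"]
    if lost_kb > 0:
        findings.append(f"conventional memory dropped by {lost_kb} KB")

    # Characteristic 3: redirecting part of the OS shows up as a changed
    # interrupt vector. One KB is 64 paragraphs, so the segment at the
    # reported top of memory is total_kb * 64; a vector pointing at or above
    # that (but below the A000h video area) lands in memory hidden from DOS.
    top_seg = current["total_kb"] * 64
    for intno, (seg, off) in sorted(current["vectors"].items()):
        base = baseline["vectors"].get(intno)
        if base == (seg, off):
            continue
        was = f"{base[0]:04X}:{base[1]:04X}" if base else "unrecorded"
        note = f"INT {intno:02X}h vector changed from {was} to {seg:04X}:{off:04X}"
        if top_seg <= seg < 0xA000:
            note += " (points into memory above the reported top)"
        findings.append(note)
    return findings

# Constructed sample: a clean baseline and a later snapshot in which 2 KB has
# vanished and INT 13h now points just above the new top of memory.
CLEAN = snapshot(640, {0x13: (0xF000, 0xEC59), 0x21: (0x0116, 0x1095)})
LATER = snapshot(638, {0x13: (0x9F80, 0x0000), 0x21: (0x0116, 0x1095)})

if __name__ == "__main__":
    for line in check_system(CLEAN, LATER):
        print(line)
```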
This paper does not address those viruses that attach themselves
specifically to programs or files; rather, it considers those that
attack elements of the operating system. That these
infections may later attack programs or files is incidental. What
follows is a description of the third of these routines.