[comp.virus] Integrity Checking, programs & system

padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (03/22/91)

Note: 44 was the first posting received since 39. Apologies if something
      was missed in the middle.

>From:    ***CURTIS*** <csg020@cck.coventry.ac.uk>
>Subject: Unknown virus help! (PC)

>Yesterday, I ran my virus checker from hard disk. It came up with the
>warning "Virus checker Infected. Do not use" So I ran the
>write-protected version I had on floppy, No viruses found.

Many times virus removal programs will pad the end of a program to an
even boundary following disinfection since the original program size
has been lost. This is usually noticed on .EXE files. If this happens
to a quality anti-virus program, the internal validation routine will
detect the change and flag the user such as Mr. Curtis noticed. I suspect
that he will find that the file on his hard disk is now a few bytes longer
than the original and if DEBUG (yes you can, rename) is used to remove the
"extra" bytes, the program will execute normally.
- -----------------------------------------------------------------------

>From:    CAH0@gte.com (Chuck Hoffman)
>Subject: Preformatted disks, flopticals, etc.

>Why can't the disks be formatted?  Is the problem related to software or
>hardware, or both?

I was told this by people at both Brier and Insite. At the time I did not
ask why but suspect that a consumer drive may not be able to properly detect
"weak" sectors or that tracking correction information may be hard-coded at
the factory. In the case of fixed disks, I have heard it both ways & suspect
that it may depend on the drive/manufacturer (rumor has it that Packard-Bell
is shipping a "special" version of Ontrack's DISK MANAGER {ver 4.01 ?} to
customers reporting the MusicBug).

The point I was trying to make was that a physically sound disk
NEVER has to be "low-level formatted" just because a virus attacked it,
but is often used as a substitute for proper training.

- ----------------------------------------------------------------------------
From:    "Mark Aitchison, U of Canty; Physics" <PHYS169@csc.canterbury.ac.nz>
Subject: Re: PC MS-DOS vs BIOS protection (PC)

HOORAH ! An intelligent discussion (not that I agree with all of the concepts
but at least Mr. Aitchison has done his homework).

>If DOS became the sort of standard that CPM or (better)
>Unix is, where all manner of incompatible hardware run the same o/s,
>then viruses would have a tough time spreading.

Unix is a very good platform but the O/S diversity requires that most
imported files (from Ultrix to Sun say) must be recompiled from the
source code to run properly. Few of the 80+ million DOS users have
this kind of expertise available. The stability and ease of use that has
made the IBM-PC so popular is also favorable for malicious software.
(I live in Florida because I like the climate. Insects also like the climate.
I do not support changing the climate to eliminate the bugs but do have
very fine mesh window screens.)

>So a good anti-virus approach is going to consider the whole system:
>hardware, BIOS, DOS, applications and end-user education. That, I
>think, is a good idea, but you soon end up with something that looks
>nothing like the present PC (or Mac or whatever).

Not necessarily, at least not from the user or software level. I do
not think that users would have a problem with a screen that popped up
during installation or modification, and informed the user that something
was going to happen and did he/she/it mind so long as it was not constant.

For some time I have been using such a package and when installing a new
program from 'leventy floppies received (and scanned) from a trusted vendor,
just turn off the directory the installation is to be into from checking
for the duration.

Similarly, following a modification to WordStar, the next invocation pops a
screen before loading informing me that it has changed and do I want the
signature updated ? A single keystroke returns everything to normalcy & I
would be more disturbed if the screen did not appear.

Admittedly, this is not a "normal" DOS function, but can be added
without affecting performance or functionality. {am running everything
including Prodigy from Windows on the 386KS (kitchen sink) with 120k of
TSRs loaded high (QEMM/DOS 5.00) and 636k "free" (trade and service marks
mentioned). Testing done by wife, son, and assorted cats}.

Point is that it can be layered on to DOS effectively and transparently,
without "expert" help, but needs more than just a simple program, (some
assembly required).

Would love to continue this discussion at your place, I hear New Zealand
is beautiful.

- --------------------------------------------------------------------
Not sure if this is from Stan Pickthall or Robert Slade - app

>  SCAN does have an "internal" self check, but if a
>"stealth" virus is active in memory, it will defeat any kind of
>integrity check.

NO ! It will not defeat "any kind of integrity check" though "stealth"
will defeat SCAN's if the /nomem switch is in use (wish we had italics). While
the "stealth" seen so far will defeat a program integrity check, it will NOT
defeat a system integrity check (the six bytes). The fact that few anti-virus
programs bother to check system integrity first does not mean that it can't
be done or even that it is difficult. Even CHKDSK will reveal most "successful"
anomalies when resident and "stealth" MUST be resident to work.

						Padgett
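A small sketch of the signature-database behaviour Padgett describes above (enroll a file, flag a change such as the disinfection padding from the first reply, update the signature on request, switch a directory off during an install), written as an added example for this thread and not taken from any poster's package; the `IntegrityDB` class, `pad_to_paragraph` and the file bytes are all constructed.

```python
import hashlib


class IntegrityDB:
    """Hypothetical program-integrity database: path -> (size, SHA-256)."""

    def __init__(self):
        self.sigs = {}         # enrolled signatures
        self.excluded = set()  # directories switched off while installing

    @staticmethod
    def signature(data: bytes):
        return len(data), hashlib.sha256(data).hexdigest()

    def enroll(self, path, data):
        """Record a file's signature, or update it after a wanted change."""
        self.sigs[path] = self.signature(data)

    def exclude_dir(self, directory):
        self.excluded.add(directory.upper().rstrip("/") + "/")

    def include_dir(self, directory):
        self.excluded.discard(directory.upper().rstrip("/") + "/")

    def check(self, path, data):
        """Return 'ok', 'skipped', 'unknown', or a description of the change."""
        if any(path.upper().startswith(d) for d in self.excluded):
            return "skipped"
        if path not in self.sigs:
            return "unknown"
        old_size, old_digest = self.sigs[path]
        size, digest = self.signature(data)
        if (size, digest) == (old_size, old_digest):
            return "ok"
        if size != old_size:   # the few extra bytes a disinfector leaves behind
            return f"changed: {old_size} -> {size} bytes ({size - old_size:+d})"
        return "changed: same size, different contents"


def pad_to_paragraph(image: bytes) -> bytes:
    """Mimic a disinfector padding an .EXE up to the next 16-byte boundary."""
    return image + b"\x00" * (-len(image) % 16)


def demo():
    db = IntegrityDB()
    ws = b"MZ" + bytes(range(256)) * 4 + b"WS"      # constructed 1028-byte stand-in for WS.EXE
    db.enroll("C:/WS/WS.EXE", ws)
    results = [db.check("C:/WS/WS.EXE", ws)]                 # untouched -> ok
    padded = pad_to_paragraph(ws)                             # 1028 -> 1040 bytes
    results.append(db.check("C:/WS/WS.EXE", padded))          # flagged, +12 bytes
    db.enroll("C:/WS/WS.EXE", padded)                         # user answers "update signature"
    results.append(db.check("C:/WS/WS.EXE", padded))          # ok again
    db.exclude_dir("C:/INSTALL")                              # checking off for the install
    results.append(db.check("C:/INSTALL/SETUP.EXE", b"MZ"))   # skipped
    db.include_dir("C:/INSTALL")
    results.append(db.check("C:/INSTALL/SETUP.EXE", b"MZ"))   # unknown: never enrolled
    return results
```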

frisk@rhi.hi.is (Fridrik Skulason) (03/27/91)

padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) writes:
>>  SCAN does have an "internal" self check, but if a "stealth" virus is
>>active in memory, it will defeat any kind of integrity check.
>
>NO ! It will not defeat "any kind of integrity check" though "stealth"
>will defeat SCAN's if the /nomem switch is in use (wish we had italics) While
>the "stealth" seen so far will defeat a program integrity check, it will NOT
>defeat a system integrity check (the six bytes).

I don't mean to be insulting, but I have said it before, and I will
say it again: The six-byte check is no substitute for a full system
integrity check!  Although it will detect most viruses, it will NOT
detect them all, in particular it will miss some "stealth" viruses,
like the "Number of the Beast".

The method will also miss viruses like Saddam, Do-Nothing, Micro-128
and all non-resident viruses.  Worse, it will "detect" all TSR
programs, even programs like PRINT.COM.

However, my main point is this - it is possible to make a program
integrity check which will detect infection by all "stealth" viruses
known today, and (I hope) tomorrow's viruses as well.

I cannot go into details, but I do have a working program which is
able to do this - more details next month.

- -frisk