[comp.virus] Virus questions

boone@athena.cs.uga.edu (Roggie Boone) (02/06/91)

I have 4 questions regarding computer viruses.  I am rather new to the
study of computer viruses and the texts that I have read have not answered
these questions for me.

1)  I have seen the SCAN software (McAfee) scan a computer's memory for
    viruses and noticed that it only scanned the base 640K of RAM.  Do
    viruses typically not infect or use extended/expanded memory?  Are there
    virus scanning packages that will scan the additional memory?  I raise
    this question, because it seems I read somewhere that some computers
    with certain memory management drivers may not erase the contents of
    extended memory on a warm boot, and hence may not erase any virus that
    may be sitting in extended memory. (My memory isn't too good on this
    topic).

2)  Are there anti-virus packages (for PC or any computer) that use
    artificial intelligence techniques to protect the system, or is such
    an effort overkill?

3)  Not meaning to plant ideas, but I was talking with a faculty member
    in the dept. where I work, and the question arose as to whether a virus
    could be transmitted to an orbiting satellite and cause the same havoc
    that viruses cause us PC users.  Is this possible?

4)  I have also noticed that SCAN, for instance, scans basically the .EXE,
    .COM, .SYS, .OVL files in a directory.  Do viruses not infect .TXT or
    .DOC files or maybe C (Pascal, Basic) source code?

I hope these questions have not recently been asked (I'm a new subscriber
to this group).  Thanks for any info about any or all of these questions.

Roggie Boone    (boone@athena.cs.uga.edu)
Research Tech. III
University of Georgia

ms@pogo.ai.mit.edu (Morgan Schweers) (02/09/91)

Greetings,
    In regards to the question about viruses loading themselves
high...  No viruses as yet have the capability to place themselves
high in memory.  To understand why, look at it like this...  First you
would need a memory manager.  You can't assume that every system you
infect will have one, so you need to carry it around with you.  Then
you need a load-high routine (much less difficult).  For Some Reason
(tm) viruses don't successfully load high.  It may be due to the
oft-used technique of determining their own location and modifying
themselves thereby.  This may not be supported by the memory managers
I've tested viruses under.  I just received a new environment, and
will be testing to see if this is susceptible.

    If anyone has experience with a virus which successfully loaded
high, I would *VERY* much like to know!

                                                  --  Morgan Schweers

   P.S.  No, viruses do not infect non-executable code on PC's.
   P.P.S.  What sort of AI techniques were you thinking of?

frisk@rhi.hi.is (Fridrik Skulason) (02/10/91)

Roggie Boone wrote:

>I have 4 questions regarding computer viruses.

>1)  I have seen the SCAN software (McAfee) scan a computer's memory for
>    viruses and noticed that it only scanned the base 640K of RAM.  Do
>    viruses typically not infect or use extended/expanded memory?

There are no viruses which use or infect extended/expanded memory.  A
virus could theoretically place a part of itself there, but it would
also have to change something in the lowest 640K, in order to load and
execute this code.

There is one virus, however, which locates itself between 640K and 1Meg.

>    Are there virus scanning packages that will scan the additional memory?

No - there is no need to do so (yet).

>    I raise this question, because it seems I read somewhere that some
>    computers with certain memory management drivers may not erase the
>    contents of extended memory on a warm boot, and hence may not erase any
>    virus that may be sitting in extended memory. (My memory isn't too good
>    on this topic).

So what?  The virus code would be "dead", as it could never be activated.
Just having it in memory will not do any harm whatsoever, as it is not active.

>2)  Are there anti-virus packages (for PC or any computer) that use
>    artificial intelligence techniques to protect the system, or is such
>    an effort overkill?

Several packages claim to use AI methods - none do.  The closest thing to AI
in anti-virus products are the sets of rules some packages use to search
for previously unknown viruses.

>3)  Not meaning to plant ideas, but I was talking with a faculty member
>    in the dept. where I work, and the question arose as to whether a virus
>    could be transmitted to an orbiting satellite and cause the same havoc
>    that viruses cause us PC users.  Is this possible?

A Trojan, yes - it could be sent to the satellite, just as any other
software "update". A virus?  Well, why bother making the program
replicate inside the satellite, when a simple Trojan will do the job?

>4)  I have also noticed that SCAN, for instance, scans basically the .EXE,
>    .COM, .SYS, .OVL files in a directory.  Do viruses not infect .TXT or
>    .DOC files or maybe C (Pascal, Basic) source code?

Known viruses may either:

		infect EXE and/or COM files. (unconfirmed reports of
		SYS-infecting viruses)  The one or two BAT viruses are
		not a serious threat.
or
		Infect any file which is loaded/executed by INT 21/4B.
		That is, programs and overlays.

The latter group typically includes COM/EXE/APP/OVL/OVR/OV1/BIN and a
few other extensions. A file which cannot be executed/loaded as
overlay cannot be infected.

A virus could infect source or object code, but no such viruses exist.
DOC and TXT files cannot be infected.

millerje@holst.tmc.edu (jeffrey scott miller) (02/11/91)

While I am by no means a virus expert, I hope these answers help...

boone@athena.cs.uga.edu (Roggie Boone) writes:
>I have 4 questions regarding computer viruses.  I am rather new to the
>study of computer viruses and the texts that I have read have not answered
>these questions for me.
>
>1)  I have seen the SCAN software (McAfee) scan a computer's memory for
>    viruses and noticed that it only scanned the base 640K of RAM.  Do
>    viruses typically not infect or use extended/expanded memory?  Are there
>    virus scanning packages that will scan the additional memory?  I raise
>    this question, because it seems I read somewhere that some computers
>    with certain memory management drivers may not erase the contents of
>    extended memory on a warm boot, and hence may not erase any virus that
>    may be sitting in extended memory. (My memory isn't too good on this
>    topic).

It would seem to be a waste for any virus to affect EMS, as not all pc
users have exp/ext memory, while ALL users (I hope!) have 1 MB.
Furthermore, I would assume that any hi memory managers would be able
to detect a change in high memory, as they usually intercept the
vectors.

>2)  Are there anti-virus packages (for PC or any computer) that use
>    artificial intelligence techniques to protect the system, or is such
>    an effort overkill?

Artificial intelligence?  For what purpose?  99% of scanning for
viruses just requires looking for a "search string".  The only way AI
might help is to see if there is more disk activity than normal, but
how do you define "more disk activity"?

>3)  Not meaning to plant ideas, but I was talking with a faculty member
>    in the dept. where I work, and the question arose as to whether a virus
>    could be transmitted to an orbiting satellite and cause the same havoc
>    that viruses cause us PC users.  Is this possible?

Anything is possible... whether it's likely or not is another
story...

>4)  I have also noticed that SCAN, for instance, scans basically the .EXE,
>    .COM, .SYS, .OVL files in a directory.  Do viruses not infect .TXT or
>    .DOC files or maybe C (Pascal, Basic) source code?

True.  Viruses cannot infect text files, as they are never executed.
Viruses CAN look to see if a certain filetype is being accessed (i.e.
DBF), but since there is no executable code in a text file, there is
no way a virus can "latch" onto the file.

 _____________________________________________________________________________
|                                                                             |
|  "NUKE THE UNBORN GAY WHALES!"       |  Jeff Miller                         |
|             - graffiti               |  millerje@handel.CS.ColoState.Edu    |
|_____________________________________________________________________________|
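
Added example, not part of any post in this thread: a minimal search-string scanner in Python illustrating two points raised above, that scanning is mostly a matter of looking for a search string and that only files DOS can execute or load as overlays are candidates. The signature names and bytes, the sample file names and the function names are constructed for illustration and are not taken from SCAN or any real product.

```python
import tempfile
from pathlib import Path

# Extensions the thread names as executed or loaded as overlays (INT 21/4B).
SCAN_EXTENSIONS = {".com", ".exe", ".sys", ".app", ".ovl", ".ovr", ".ov1", ".bin"}

# Constructed, harmless search strings (not real signatures); None = wildcard byte.
SIGNATURES = {
    "Demo-A": [0xDE, 0xAD, None, 0xBE, 0xEF],
    "Demo-B": list(b"CORPUS"),
}

def find_signature(data, pattern):
    """Return the first offset where pattern matches data, or -1."""
    for i in range(len(data) - len(pattern) + 1):
        if all(p is None or data[i + j] == p for j, p in enumerate(pattern)):
            return i
    return -1

def is_scan_target(filename):
    return Path(filename).suffix.lower() in SCAN_EXTENSIONS

def scan_tree(root):
    """Return sorted (relative path, signature name, offset) hits."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or not is_scan_target(path.name):
            continue  # text and data files are never executed, so skipped
        data = path.read_bytes()
        for name, pattern in SIGNATURES.items():
            offset = find_signature(data, pattern)
            if offset >= 0:
                hits.append((path.relative_to(root).as_posix(), name, offset))
    return sorted(hits)

def demo():
    """Scan a constructed sample tree; only GAME.EXE should be reported."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "CLEAN.COM": b"\x90" * 32,
            "GAME.EXE": b"MZ" + b"\x00" * 10 + b"\xde\xad\x01\xbe\xef",
            "NOTES.TXT": b"CORPUS is present, but this file is never executed",
        }
        for name, content in samples.items():
            (Path(root) / name).write_bytes(content)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

NOTES.TXT contains the Demo-B string but is not reported, because the extension filter excludes it before any matching is done.
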

campbell@dev8n.mdcbbs.com (Tim Campbell) (02/13/91)

boone@athena.cs.uga.edu (Roggie Boone) writes:
> I have 4 questions regarding computer viruses.  I am rather new to the
> study of computer viruses and the texts that I have read have not answered
> these questions for me.

> 2)  Are there anti-virus packages (for PC or any computer) that use
>     artificial intelligence techniques to protect the system, or is such
>     an effort overkill?

Depends on your idea of AI.  Some say any program that is user
friendly, say by not giving you menu choices that you aren't allowed
to perform at the moment constitutes an "expert system" - a form of AI.
If you're referring to something extravagant that tries to figure out
what some program is up to, by searching a large AI database then your
latter answer is probably correct - it's overkill.  You'll be wasting
more memory, disk, and cpu than it's worth.

> 3)  Not meaning to plant ideas, but I was talking with a faculty member
>     in the dept. where I work, and the question arose as to whether a virus
>     could be transmitted to an orbiting satellite and cause the same havoc
>     that viruses cause us PC users.  Is this possible?

A virus must be able to "execute" somehow.  If a satellite is just
relaying "data", then no (unless of course some type of "trojan horse"
was planted already in the satellite's program to be "triggered" by
some data - but this would not truly be a "virus".)

> 4)  I have also noticed that SCAN, for instance, scans basically the .EXE,
>     .COM, .SYS, .OVL files in a directory.  Do viruses not infect .TXT or
>     .DOC files or maybe C (Pascal, Basic) source code?

Similarly to number 3 above, the program must be able to "execute".
All these files do that.  ".doc" and ".txt" files don't execute - so
hooking some viral instructions on could be done, but would accomplish
little except to probably corrupt the affected file.

Here's an interesting angle... It is technically possible to write a
virus out of ".bat" file instructions to propagate itself to other
".bat" files.  I've never seen or even heard of such a thing.  It
would be relatively easy to detect and remove, and it would be
blatantly obvious to find out everything about it (what it does, how
it spreads, etc.) so to make such a virus would probably be an
exercise in futility.  But the point is simply that it is "possible"
by virtue of the fact that the ".bat" file is executable.  You can
carry this a step farther.  If it is possible to infect a ".bat" file,
then it is also possible to infect interpreter "basic" programs,
"dBase" programs, and practically every other "interpretive" language
-- even a spreadsheet macro could be infected.  (although I'm not
fluent in macros so I'm uncertain about the ability of the macro to
"propagate" itself to other spreadsheets - the language in use imposes
restrictions upon what a virus can get away with.)

This brings us to your final question about source code.  Yes, a virus
can alter them.  But they can't execute unless they're compiled.  So a
virus here can't propagate without some intervening action.  In most
languages the virus would be obvious to anybody examining the source
code, but I can think of at least one way to plant a virus that would
almost NEVER be detected without a lot of thought (to someone browsing
the source) - so the dangerous possibility does exist.

 -----------------------------------------------------------------------------
	  In real life:  Tim Campbell - Electronic Data Systems Corp.
     Usenet:  campbell@dev8.mdcbbs.com   @ McDonnell Douglas M&E - Cypress, CA
       also:  tcampbel@einstein.eds.com  @ EDS - Troy, MI
    Prodigy:  MPTX77A
 CompuServe:  71631,654
 P.S.  If anyone asks, just remember, you never saw any of this -- in fact, I
       wasn't even here.