padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (11/27/90)
>From: Herbert Lin <HLIN@NAS.BITNET>

>In a recent msg, someone said that a "stealth" virus could evade
>checksum and CRC checks. Can anyone tell me how this is done?

Basically, "stealth" viruses go resident in memory and trap the interrupts used by DOS. Then, whenever a file is requested, the virus checks to see if the file is infected. If so, the virus code is stripped off and the original file is presented. Nothing magic is done to defeat checksums. Of course, the fact that the virus goes resident is detectable, usually just by recording the CHKDSK memory return.

- --------------------------

In issue 184 and in a VALERT-L posting I wrote concerning the DataLock/920 PC virus:

>Each time an .EXE file is executed, it
>will increase in size by 920 bytes. The virus will only infect a file
>once but will infect any .EXE executed.

I must apologise for the poor English. This virus will only infect an EXE ONCE (an algorithm is used to place a signature in the file header), adding 920 bytes to the file. No "stealth" mechanisms are used.

- ---------------------------------------------

>From: William C Tom <wct1@unix.cis.pitt.edu>

>*AND*, more importantly, how can I get rid of "Stoned" ?? Is there
>a virus-killer program available ?

McAfee's CLEAN will work, or you can copy the original partition table on a hard disk back to sector 1 (I believe it is stored in sector 7) using DEBUG. On a floppy, simple replacement of the boot sector will render the virus harmless, though some data/executables may be corrupted. (How fast can you press two keys and change floppies?)

- -----------------------------------------------------------

>From: p0.f7.n391.z1.fidonet.org!David.Hobbs@uafhp.uark.edu (David Hobbs)
>Subject: Sunday virus description? (PC)

The SUNDAY virus is a JERUSALEM derivative that goes resident as a 20xx byte unnamed TSR. On Sundays the virus will print a message and delete (undeletable with several utilities) programs executed. A mistake in the code in one variant keeps it from ever triggering, but all infect both .COM (once) and .EXE (each time run) programs.

- ------------------------------------------------------------

Again, Patricia Hoffman's VSUM (currently VSUM9011.ZIP) should be required reading for VIRUS-L participants.
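
The reply on "stealth" and checksums above, modelled as an added example (not part of the original post): a size/CRC32 checker reading through a filtered view misses a change that the same checker sees on the raw data, while a drop in reported free memory still gives the resident code away. All names, sizes and byte strings are constructed assumptions; the raw read stands for any read path that does not pass through the resident code.

```python
import zlib

# Constructed sample data: stand-ins for two program files and an appended tail.
CLEAN_A = b"MZ" + bytes(range(100))
CLEAN_B = b"MZ" + bytes(range(100, 250))
TAIL = b"T" * 512          # constructed; length and content are assumptions
RESIDENT_BYTES = 2048      # constructed size of the resident code


class ResidentView:
    """Read path while the resident code is active: a modified file is
    returned with the appended tail stripped, as the post describes."""
    def __init__(self, raw_read):
        self.raw_read = raw_read

    def read(self, name):
        data = self.raw_read(name)
        return data[:-len(TAIL)] if data.endswith(TAIL) else data


def snapshot(read, names):
    """Record (size, CRC32) per file through the given read path."""
    return {n: (len(read(n)), zlib.crc32(read(n))) for n in names}


def changed_files(read, names, baseline):
    """Names whose current (size, CRC32) differs from the baseline."""
    return sorted(n for n in names if snapshot(read, [n])[n] != baseline[n])


def memory_alarm(baseline_free, current_free):
    """Flag any drop in reported free memory against the recorded value."""
    return current_free < baseline_free


def run_demo():
    names = ["A.EXE", "B.EXE"]
    disk = {"A.EXE": CLEAN_A, "B.EXE": CLEAN_B}
    baseline = snapshot(disk.__getitem__, names)   # taken while the system is clean
    baseline_free = 655360 - 40000                 # constructed free-memory figure
    disk["B.EXE"] = CLEAN_B + TAIL                 # file is modified on disk
    via_resident = changed_files(ResidentView(disk.__getitem__).read, names, baseline)
    via_raw = changed_files(disk.__getitem__, names, baseline)
    alarm = memory_alarm(baseline_free, baseline_free - RESIDENT_BYTES)
    return via_resident, via_raw, alarm


if __name__ == "__main__":
    print(run_demo())
```
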