DKAZEM@NAS.BITNET (Don Kazem) (10/26/90)
I have a couple of questions:

Is there any way to obtain the signatures of all known viruses?

What is the correct definition of an encrypted virus?

Thanks.

Don Kazem
DKAZEM@NAS.BITNET
National Academy of Sciences
Washington, DC
frisk@rhi.hi.is (Fridrik Skulason) (10/30/90)
DKAZEM@NAS.BITNET (Don Kazem) writes:

>I have a couple of questions:
>
>Is there any way to obtain the signatures of all known viruses?

Depends on what you mean by "signature", as the term has two different meanings:

A: The signature the virus itself uses to mark files or boot sectors as
   infected. Example: the Jerusalem 'SuMsdos' signature at the end of .COM files.

B: The signature string used by a virus scanning program to check if a virus
   is present.

Now if you mean (A), the answer is yes, apart from the fact that several
viruses ('405' for example) do not check if files are infected, and therefore
they have no signature.

If (B), the answer is also yes, except that it is not possible to provide any
string at all for some of the latest viruses. The Phoenix family (Phoenix,
Proud, 1226 and Evil) from Bulgaria is one example, the Whale is another.

In either case, no 100% complete lists are available, simply because no virus
researcher has a copy of all known or reported viruses. Even the best virus
collections only contain 250-270 variants.

>What is the correct definition of an encrypted virus?

Encrypted viruses - my favourite subject at the moment (I just wrote a 4-page
article about them for the Virus Bulletin) - are a bit hard to define.

We have viruses, like 'Brain', where only a single text string or so is
encrypted.

We have the following viruses, where the first part of the virus code performs
a decryption of the rest:

    Pretoria:       simple XOR operation with a fixed value
    July 13th:      simple XOR with a fixed value
    Slow:           simple XOR with a fixed value
    Cascade:        complex XOR
    Datacrime II:   complex XOR - slightly self-modifying
    800:            simple XOR
    Syslock/Macho:  complex XOR
    1260/Casper:    complex XOR, self-modifying
    Suomi:          simple XOR, self-modifying
    Phoenix family: simple XOR, self-modifying

In addition to the above viruses, Mark Washburn, the author of '1260'
(according to the list by Patricia Hoffman), has also written some other
encrypted 'research' viruses: V2P2, V2P6 and V2P6Z.

And finally we have the Whale, where most of the code is devoted to
implementing multiple layers of encryption. [And the rest is devoted to
driving virus-researchers insane.... :-( ]

Without doubt a formal definition could be written to cover the encrypted
viruses, but I'll leave that to somebody else...

-frisk

--
Fridrik Skulason      University of Iceland      |
Technical Editor of the Virus Bulletin (UK)      |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801      |
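An added illustration, not part of the thread and not code from any of the viruses frisk lists, of the scanner-side point behind the "simple XOR with a fixed value" entries: a raw byte string lifted from one encrypted sample fails on a sample that used a different key, but because the key is fixed per sample a scanner can recover it by known-plaintext search and still match a scan string in the decrypted body. Every byte here is constructed for the demo (`SCAN_STRING`, `_PLAIN_BODY`, the `DECRYPTOR(...)` stub and the key values are all assumptions), and the functions `xor_fixed`, `make_sample`, `naive_scan` and `recover_xor_key` are hypothetical names of mine.

```python
"""
Added example (not from the original thread): why a body encrypted with one
fixed XOR byte still yields to scan-string detection, and why a raw string
taken from a single sample does not generalise.  All bytes are constructed.
"""
from typing import Optional

# Constructed "known plaintext": a fragment the scanner expects to see in the
# decrypted body.  Stands in for a real scan string; it is not one.
SCAN_STRING = b"CONSTRUCTED-BODY-FRAGMENT"

# Constructed plaintext body: filler, the fragment above, more filler.
_PLAIN_BODY = b"\x90" * 16 + SCAN_STRING + b"\xcc" * 12


def xor_fixed(data: bytes, key: int) -> bytes:
    """XOR every byte with a single fixed key (the 'simple XOR' case)."""
    return bytes(b ^ key for b in data)


def make_sample(key: int) -> bytes:
    """Constructed sample layout (an assumption): a clear-text 'decryptor'
    stub carrying the key, followed by the body XORed with that key.  A
    fixed-key decryptor has to store the key somewhere in the clear."""
    decryptor_stub = b"DECRYPTOR(" + bytes([key]) + b")"
    return decryptor_stub + xor_fixed(_PLAIN_BODY, key)


def naive_scan(sample: bytes, raw_string: bytes) -> bool:
    """Scanner that looks for a raw byte string copied out of one encrypted
    sample.  Works only for samples encrypted with the same key."""
    return raw_string in sample


def recover_xor_key(sample: bytes, scan_string: bytes) -> Optional[int]:
    """Known-plaintext key search: try all 256 single-byte keys and return
    the one under which scan_string appears in the decrypted bytes, or None.
    This is why a fixed-key XOR layer does not defeat scan strings."""
    for key in range(256):
        if scan_string in xor_fixed(sample, key):
            return key
    return None


if __name__ == "__main__":
    sample_a = make_sample(0x5A)   # constructed key
    sample_b = make_sample(0xA7)   # constructed key
    raw_from_a = xor_fixed(SCAN_STRING, 0x5A)   # string "lifted" from sample_a
    print("raw string hits sample_a:", naive_scan(sample_a, raw_from_a))
    print("raw string hits sample_b:", naive_scan(sample_b, raw_from_a))
    print("key recovered for sample_a:", hex(recover_xor_key(sample_a, SCAN_STRING)))
    print("key recovered for sample_b:", hex(recover_xor_key(sample_b, SCAN_STRING)))
```

The 256-key loop is the whole cost of handling the fixed-key case, which is why frisk can still offer scan strings for Pretoria, July 13th or Slow. The entries marked "self-modifying" (1260/Casper, Suomi, the Phoenix family) are the ones where this stops working: there the decryptor stub itself changes between infections, so neither the stub nor any single decrypted fragment gives a stable string, matching the thread's remark that no string at all can be supplied for them.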