MMCCUNE@sctnve.BITNET (10/01/90)
Here is a program that will detect stealth-type viruses in memory. It works on the 4096 and Fish-6. It should work on the Mother Fish (Whale) also, since it uses the same method of redirecting the interrupts. I wrote it for the shareware A86, but it should assemble with MASM, TASM or WASM with minor modifications.

        ADD [BX+SI],AL              ; each of these assembles to 00 00
        ADD [BX+SI],AL              ; (six zero bytes ahead of the code proper)
        ADD [BX+SI],AL
        MOV AX,3521h                ; DOS Get Interrupt Vector, AL = 21h
        INT 21h                     ; returns the INT 21h handler address in ES:BX
        ES: CMP B[BX],0EAh          ; is the first byte of the handler a far JMP (0EAh)?
        JE FOUND
        MOV AH,9h                   ; DOS Print String
        LEA DX,NOT_FOUND_MESSAGE
        INT 21h
        INT 20h                     ; terminate
NOT_FOUND_MESSAGE: DB 'Stealth Virus not found in memory$'
FOUND:  MOV AH,9h
        LEA DX,FOUND_MESSAGE
        INT 21h
        INT 20h
FOUND_MESSAGE: DB ' Stealth Virus active in memory $'

This program will not become infected by the 4096, although the Fish-6 and Mother Fish (Whale) will attack it easily (the 4096 thinks the file is already infected). Any comments and suggestions are appreciated. This program is free to use by all private individuals (others, please ask me first). I can be reached on the Interlink and Fidonet virus conferences (as well as Virus-L). My Bitnet address is MMCCUNE@SCTNVE. My next posting will include a stealth virus remover...<MM>.
CHESS@YKTVMV.BITNET (David.M.Chess) (10/11/90)
Um, how thoroughly have you tested that? From looking at the code, it appears that it will only work if the current INT21 vector points at the virus's far-JMP. That won't be true, I don't think, if any INT21-hooking programs have been run since the virus installed itself (or, for viruses like the 4096 that find the "real" DOS entry point in various ways, if any INT21-hooking programs have been installed at all). INT21-hooking programs are very common (NDOSEDIT and so on); if they stop your detector from working, you might want to include that as a caveat when distributing it... DC
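As an added illustration of the check in the first post and of the hooking-order caveat raised in the reply (example code, not from either poster), here is a small Python model of the real-mode interrupt vector table; the segment:offset values, handler bytes and the later TSR are all constructed samples.

```python
# Constructed 8086 memory model; all segment:offset values and handler
# bytes below are made-up samples, not real DOS or virus addresses.
IVT_ENTRY = 0x21
FAR_JMP = 0xEA  # opcode of JMP ptr16:16, the byte the posted program tests for

def linear(seg, off):
    """Real-mode segment:offset to a 20-bit linear address."""
    return ((seg << 4) + off) & 0xFFFFF

def read_vector(mem, intno):
    """Same result as INT 21h/AH=35h: the (seg, off) stored at 0000:intno*4."""
    base = intno * 4
    off = mem[base] | (mem[base + 1] << 8)
    seg = mem[base + 2] | (mem[base + 3] << 8)
    return seg, off

def install_hook(mem, intno, seg, off, handler):
    """Place handler bytes at seg:off and point the vector there (like AH=25h)."""
    start = linear(seg, off)
    mem[start:start + len(handler)] = handler
    base = intno * 4
    mem[base:base + 4] = bytes([off & 0xFF, off >> 8, seg & 0xFF, seg >> 8])

def stealth_check(mem):
    """The posted test: is the first byte at the INT 21h vector 0EAh?"""
    seg, off = read_vector(mem, IVT_ENTRY)
    return mem[linear(seg, off)] == FAR_JMP

def build_scenario(hook_after_virus):
    mem = bytearray(0x100000)
    # Sample resident DOS handler: a lone IRET (CFh)
    install_hook(mem, IVT_ENTRY, 0x0116, 0x1090, bytes([0xCF]))
    dos_seg, dos_off = read_vector(mem, IVT_ENTRY)
    # Sample stealth-style handler: begins with a far JMP to the saved DOS vector
    jmp = bytes([FAR_JMP, dos_off & 0xFF, dos_off >> 8, dos_seg & 0xFF, dos_seg >> 8])
    install_hook(mem, IVT_ENTRY, 0x9F00, 0x0000, jmp)
    if hook_after_virus:
        # Sample TSR loaded later: its handler starts with PUSHF (9Ch), so the
        # vector no longer points at the 0EAh byte and the check misses
        install_hook(mem, IVT_ENTRY, 0x2000, 0x0100, bytes([0x9C]))
    return mem

if __name__ == "__main__":
    print("virus only:", stealth_check(build_scenario(False)))    # True
    print("virus then TSR:", stealth_check(build_scenario(True)))  # False
```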