RADAI1@HBUNOS.BITNET (Y. Radai) (07/30/90)
David de Leeuw writes:
>2. The boot-sector does get attacked by 4096. (John McAfee's Virlist says
>it does not.)

McAfee's Virlist indicates that the 4096 does not *infect* the boot sector, and that is correct. It also indicates that it does not corrupt or overwrite the boot sector. As far as I know, that too is correct. True, the 4096 contains a routine which *tries* to modify the boot sector in order to display the FRODO LIVES message on subsequent boots, but I haven't heard of a version which actually *succeeds* in doing this. If you have a version which really does this, please let us know.

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI1@HBUNOS.BITNET
RADAI@HUJIVMS.BITNET
padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (08/03/90)
I have been surprised to see the excitement caused by this virus. Admittedly, it uses some "stealth" techniques to hide itself, but the "stealth" itself should be detectable in memory. Certainly a thorough virus checking routine will not rely on DOS to provide accurate information.

Next, despite rumors of CMOS and Modem viruses, to be able to become resident in an XT class machine, some memory MUST be used somewhere and this is detectable. Thus there are (at the moment) three checkpoints: either available memory has been reduced, interrupts are being vectored into never-never land (virus hiding in unassigned memory - note: this may not be obvious from the interrupt table), or crashes will occur often as the virus is overwritten.

While I have not yet seen the 4096 (a copy is coming but not yet arrived), I feel certain that it is detectable reasonably easily in memory - if not directly then by its process of hiding. As soon as I determine an easy way to detect it, the answer will be posted. In the meantime, booting from a write-protected floppy and running a clean SCAN of version 53 or later is known to be effective.
CHESS@YKTVMV.BITNET (David.M.Chess) (08/09/90)
Padgett Peterson <padgett%tccslr.dnet@uvs1.orl.mmc.com>:
> I have been surprised to see the excitement caused by this virus.
> Admittedly, it uses some "stealth" techniques to hide itself, but
> the "stealth" itself should be detectable in memory.

Yep, the 4096 is easily detectable in memory. I think the main cause for worry has been the feeling that there are lots of people out there who don't use virus scanners, and whose main hope of noticing an infection is noticing file lengths (or contents) changing, or programs malfunctioning. A "stealth" style virus with few bugs will tend to be less noticeable by those means than a non-stealthy one. I definitely agree, though, that for users who have a good virus-scanning program, the 4096 is no more worrisome than a comparable non-stealthy virus would be.

DC

P.S. Detecting a virus in memory is a little more prone to false alarms than detecting one in files, because after an infected system has been cleaned up the virus signature may still make it into memory, because it is still in the "cluster gas" somewhere on the disk, and may get loaded into unused parts of disk buffers or whatever.
padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (08/12/90)
It was promised that after a look had been taken at the 4096, a locating method would be posted: as was first surmised, when resident, available memory is reduced by a touch over 5k.

The 4096/JOSHI did require a revision in my statement that common viruses can be detected by looking at three bytes. It now takes five bytes. This does bear out the earlier comment as to why there are few mainframe viruses (worms are easier) - once signature algorithms become sophisticated enough, the simpler way becomes to mislead the checker, not try to guess the algorithm.

However, so long as the authentication mechanism is invoked by the CONFIG.SYS (only thing better would be a ROM extension and that means hardware) the 4096 should trigger a flag at least twice even if the checker does not examine the environment periodically:

1) Virus is introduced (new file)
2) Virus is invoked (changed signature of first infected file loaded) at next boot.

Of course, if the system is booted only from a write-protected floppy and critical files are checked during boot, it will trigger a warning each time.

Incidentally, Mr. McAfee's v66 is out (65 was skipped) and it will flag the 4096 in memory unless the /nomem switch is set (you don't, do you?)

Padgett
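A boot-time check along the lines of the memory checkpoint and the two signature triggers described in the Padgett Peterson messages above, written here as an added example (it is not code from the thread or from any product named in it); the baseline memory figure, the file contents and the 4096-byte growth of one file are constructed values, and the check assumes it is run after a clean, write-protected boot so that DOS is not lying about file contents:

```python
import hashlib
from typing import Dict, List

# Constructed baseline recorded from a clean, write-protected boot: the KB that
# INT 12h would report and the contents of the critical files (assumed values).
BASELINE_MEMORY_KB = 640
BASELINE_FILES: Dict[str, bytes] = {
    "C:\\COMMAND.COM": b"MZ-clean-command-interpreter",
    "C:\\PROG.EXE": b"MZ-clean-program",
}

def signature(data: bytes) -> str:
    """Full-content checksum of a file; a few-byte scanner pattern is not enough here."""
    return hashlib.sha256(data).hexdigest()

def build_manifest(memory_kb: int, files: Dict[str, bytes]) -> dict:
    """Record what the clean system looks like so later boots can be compared."""
    return {"memory_kb": memory_kb,
            "files": {path: signature(data) for path, data in files.items()}}

def check(manifest: dict, memory_kb: int, files: Dict[str, bytes],
          memory_slack_kb: int = 1) -> List[str]:
    """Return one alert per checkpoint that fails against the manifest."""
    alerts: List[str] = []
    # Checkpoint: a resident virus must take its memory from somewhere, so the
    # reported total shrinking past a small slack is suspicious.
    lost = manifest["memory_kb"] - memory_kb
    if lost > memory_slack_kb:
        alerts.append(f"memory: {lost} KB less than at baseline")
    # Trigger 1: a file that was not in the baseline has appeared.
    for path in sorted(set(files) - set(manifest["files"])):
        alerts.append(f"new file: {path}")
    # Trigger 2: a baseline file's signature no longer matches (or it is gone).
    for path, sig in manifest["files"].items():
        if path not in files:
            alerts.append(f"missing: {path}")
        elif signature(files[path]) != sig:
            alerts.append(f"changed: {path}")
    return alerts

def demo() -> List[str]:
    """Constructed later boot: about 5 KB of memory gone, one file grown by 4096 bytes, one new file."""
    manifest = build_manifest(BASELINE_MEMORY_KB, BASELINE_FILES)
    later_files = dict(BASELINE_FILES)
    later_files["C:\\PROG.EXE"] += b"\x90" * 4096   # appended bytes (constructed)
    later_files["C:\\NEW.COM"] = b"MZ-unknown"       # file absent from the baseline
    return check(manifest, memory_kb=635, files=later_files)

if __name__ == "__main__":
    for line in demo():
        print(line)
```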