[comp.virus] Disinfecting vs. backups & virus signatures

T762102@DM0LRZ01.BITNET (02/28/90)

Hi!

John McAfee (in vol. 3, issue 50) writes:

>                                  the process of disinfecting a
>file always leaves an element of uncertainty in the system.
>        For example, the Jerusalem virus uses information in the EXE
>header record to determine how to infect.  Often this header record
>is inaccurate, causing the virus to overlay part of the EXE file,
>and also causing the virus to update the header record incorrectly.

Often? How often? I know about a version of WordPerfect and that's
all.

>The virus has, in effect, destroyed part of the EXE file, and this
>destruction is often not noticed immediately by the user.  The
>corrupted area might be seldom referenced, or in a program function
>area that is bypassed in normal processing.  If this is the case,
>removal will leave a program that will at some point cause
>inconsistencies, data corruption, or system crashes when the erased
>area is referenced.  There is simply no way to recover the file
>because there is no way (short of using the original uninfected
>program) to determine what was in the file before it was
>overwritten.

Well, the file was *already* destroyed when it was infected. If you
disinfect it you won't cause more damage (besides the false sense of
security). If you don't have the appropriate backups (or the
originals, of course), you have only two possibilities --- to leave
the file destroyed but infected and to leave it destroyed but *not*
infected. I prefer the second solution, since the first will continue
to spread the infection. Of course, you can also completely delete the
file.

>        The Jerusalem is not alone in causing these problems.  There
>are numerous EXE infectors and some COM infectors (405, Vienna)
>that cannot be successfully recovered in all cases.

Ooops! Files which are *infected* by the Vienna virus can *always* be
recovered. In all cases. You cannot recover the files *destroyed* by
this virus (with their first 5 bytes overwritten), but this is the
case with all files destroyed by a virus. (They know well how to
destroy our data, these nasty things :-).)

>        To get back to my point, I would strongly suggest that
>infected files be overwritten in their entirety and then deleted
>if at all possible.  Only as a last resort, where backups or
>original diskettes are unavailable, should disinfection be used.

OK, OK! I agree that it is better to have backups. But it is *best* to
have *both* backups and a disinfector. If this was not true all the
work done by the antivirus researchers would be useless. This forum
would be useless too. It is relatively easy (if you have non-infected
backups, of course) to recover from any virus attack --- even if it
was performed by the most sophisticated virus. You have only to follow
a set of computer hygiene rules, which fit on half a page. Even that
dumb fool --- the so-called average user --- can be taught to follow
them.... Hmmm, can he? :-)

- --------------

John Sangster (JHSangster@DOCKMASTER.NCSC.MIL) writes:

>Possibly a useful approach to posting virus scan patterns would be
>for virologists to extract one or more segments of the virus code of,
>say, 1K bytes (that's a fairly reasonable 12 lines at 80 bytes per
>line).

>Of course, viruses can be constructed which alter themselves at each
>replication, making any search with a fixed string futile, or at
>best, "challenging" to design.

CAN BE?! They *were* constructed. The 1701/1704 virus contains only a
small piece of code which can be scanned for --- all the rest is
encrypted. The virus uses the file length as an encryption key ---
therefore the encrypted part is always (well, almost always)
different. And there exist much more clever viruses like the 4096 and
the 1260 viruses, in which even the (small) part which is not
encrypted and which is used to decrypt the rest of the virus, even
this small part is somewhat different for every infected file. (Well,
I think so, I have no examples of these viruses.)

And it is also possible to design a virus (hey, catch that virus
writer who is reading this behind your back :-)), which will be
impossible to recognize --- in the file. The virus itself will not
be able to say if a file is already infected. Eventually, there will
be two (or more) copies of the virus in the file. But when the file is
run, the virus will figure out that there is something after it and
will strip it off the file. It is hard to implement such a thing, but
once someone gets the idea, it will be much easier --- remember the
problem "write a program which outputs its own source".

Vesselin
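The "destroyed but infected" vs. "destroyed but not infected" distinction in the post above can be made concrete with a toy COM-file model. This is an added example, not code from the post or from any real disinfector, and its layout is constructed: a JMP at offset 0 into an appended body that carries a marker (`TOYV`) and the three saved host bytes, while the unrecoverable case overwrites the first five bytes with a constant far jump (`DESTROY_STUB`) and saves nothing. The names `make_infected_sample`, `make_destroyed_sample`, `classify` and `disinfect` are all assumptions of this example.

```python
"""Toy model of COM-file disinfection (constructed example; not the real
Vienna layout). Infected image assumed here:

    [JMP rel16 -> body][host bytes 3..end][MARKER][3 saved host bytes][payload]

"Destroyed" image: the first 5 host bytes are overwritten by a constant far
jump and nothing is appended, so the original bytes no longer exist anywhere.
"""
import struct

MARKER = b"TOYV"                          # constructed marker of the toy virus
PAYLOAD = b"\x90" * 64                    # constructed inert filler in place of virus code
DESTROY_STUB = b"\xea\x00\x00\xff\xff"    # constructed: far jump that replaces the header


def make_infected_sample(host: bytes) -> bytes:
    """Build a test image in the layout above (for exercising the disinfector)."""
    body_off = len(host)
    # The JMP at offset 0 is 3 bytes long; rel16 counts from the next instruction.
    rel = (body_off - 3) & 0xFFFF
    return b"\xe9" + struct.pack("<H", rel) + host[3:] + MARKER + host[:3] + PAYLOAD


def make_destroyed_sample(host: bytes) -> bytes:
    """Build a test image of the unrecoverable case: header gone, nothing saved."""
    return DESTROY_STUB + host[5:]


def classify(image: bytes) -> str:
    """'infected' if a recoverable toy infection is present, 'destroyed' if the
    header was overwritten without a saved copy, otherwise 'clean'."""
    if len(image) >= 3 and image[0] == 0xE9:
        body_off = struct.unpack("<H", image[1:3])[0] + 3
        if image[body_off:body_off + len(MARKER)] == MARKER:
            return "infected"
    if image.startswith(DESTROY_STUB):
        return "destroyed"
    return "clean"


def disinfect(image: bytes):
    """Return (status, recovered_image_or_None). For 'destroyed' there is nothing
    to restore from; the only options are deletion or restoring a backup."""
    status = classify(image)
    if status == "infected":
        body_off = struct.unpack("<H", image[1:3])[0] + 3
        saved = image[body_off + len(MARKER):body_off + len(MARKER) + 3]
        return status, saved + image[3:body_off]
    if status == "destroyed":
        return status, None
    return status, image


# Constructed host: mov ax,4C00h / int 21h followed by padding.
HOST = b"\xb8\x00\x4c\xcd\x21" + b"\x90" * 20

if __name__ == "__main__":
    for name, img in (("clean", HOST),
                      ("infected", make_infected_sample(HOST)),
                      ("destroyed", make_destroyed_sample(HOST))):
        status, out = disinfect(img)
        print(name, "->", status, "recovered" if out == HOST else "not recovered")
```

The recoverable case works only because the infector kept a copy of what it overwrote; in the destroyed case the disinfector can remove the file or leave it, but cannot reconstruct the missing bytes, which is exactly why clean backups and a disinfector complement rather than replace each other.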
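The point about 1701/1704 (a small constant decryptor followed by a body encrypted under a key derived from the file length) can be shown with a constructed toy sample set. This is an added example, not the real virus code and not code from the post; `STUB` is an arbitrary stand-in for the constant decryptor, `BODY` is an arbitrary plaintext, and the key is assumed to be the low byte of the total file length. It goes one step beyond the post by also showing the scanner-side counter-measure: since the key is derived from a property the scanner can observe, the scanner can decrypt the tail itself before matching (`scan_xray`).

```python
"""Fixed-string scanning against a self-encrypting body (constructed toy model).

Sample layout assumed here:  [host][STUB][BODY XOR key],  key = len(sample) & 0xFF
"""

STUB = b"\xbe\x00\x01\xb9\x40\x00"   # constructed stand-in for the constant decryptor
BODY = bytes(range(0x20, 0x60))       # constructed 64-byte plaintext "virus body"


def length_key(total_len: int) -> int:
    """Key derivation assumed for the toy: low byte of the total file length."""
    return total_len & 0xFF


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_sample(host: bytes) -> bytes:
    """Build a test image: host, constant stub, body encrypted under the length key."""
    total = len(host) + len(STUB) + len(BODY)
    return host + STUB + xor_bytes(BODY, length_key(total))


def scan_fixed(sample: bytes, signature: bytes) -> bool:
    """Plain substring search, the classic scan-string approach."""
    return signature in sample


def scan_xray(sample: bytes, body_signature: bytes) -> bool:
    """Locate the constant stub, re-derive the key from the file length, decrypt
    what follows, and only then look for a signature taken from the plaintext."""
    at = sample.find(STUB)
    if at < 0:
        return False
    decrypted = xor_bytes(sample[at + len(STUB):], length_key(len(sample)))
    return body_signature in decrypted


def demo() -> dict:
    """Three samples with hosts of different length, hence three different keys."""
    samples = [make_sample(b"\x90" * n) for n in (100, 101, 102)]
    # Naive signature lifted from the *encrypted* body of the first sample.
    body_sig = samples[0][-len(BODY):][8:24]
    plain_sig = BODY[8:24]                      # signature from the decrypted body
    return {
        "encrypted_body_sig": [scan_fixed(s, body_sig) for s in samples],
        "stub_sig": [scan_fixed(s, STUB) for s in samples],
        "xray": [scan_xray(s, plain_sig) for s in samples],
    }


if __name__ == "__main__":
    for method, hits in demo().items():
        print(f"{method:20s} {hits}")
```

A signature cut from the encrypted region matches only the sample it was taken from; the constant stub matches every sample, which is the "small piece of code which can be scanned for" in the post. The decrypt-then-match variant recovers a body signature as well, and it is this second avenue that a virus closes off when it also varies the decryptor itself, as the post says the 4096 and 1260 do.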