Alan_J_Roberts@cup.portal.com (02/06/90)
This is a forward from John McAfee:

=================================================================

Dave Chess sent us another new virus that uses "creative" techniques to avoid detection from scanning-type programs. Dave calls it the EDV virus. The virus infects boot sectors of floppy diskettes and the partition table (master boot record) of hard disks -- similar to the Stoned virus. It saves the original boot sector and if any program attempts to read the boot sector, the virus intercepts the read and retrieves the original boot sector instead. Thus the system will appear normal even if infected.

This technique is not new. The Pakistani Brain was the first virus to use this avoidance technique. What is new about this virus is that it also avoids detection from a memory scan. The virus accomplishes this feat by intercepting the clock tick and at each tick the virus interrogates ES and DS to determine if anyone is looking at the virus code. If someone is looking, the virus hangs the system.

All these new detection avoidance techniques can of course be circumvented. They do require development time, however, and are becoming a nuisance. We have opted in SCAN not to block the timer interrupt (the obvious bypass to circumvent this virus) due to potential problems with time-dependent background code. Instead, we've chosen to outrun the virus using our own "creative" memory scan. Seems to work so far and will be included in V58 of SCAN -- due out Feb 15th -- if beta testing goes well.

John McAfee
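
Added example (not part of the forwarded message and not code from SCAN): a toy model of the boot-sector read interception described above. It shows why a signature scan made through the running system's read path sees a clean sector, while comparing that view with a read taken after booting from clean media flags the boot sector. The sector number used for the saved copy and all byte patterns are constructed assumptions, not EDV's real values.

```python
SECTOR_SIZE = 512
BOOT = 0    # sector number of the boot sector / master boot record
SAVED = 7   # assumption: where the original boot sector was stashed

def make_sector(body: bytes) -> bytes:
    """Pad a constructed body to 512 bytes, ending with the 0x55AA boot signature."""
    return body.ljust(SECTOR_SIZE - 2, b"\x00") + b"\x55\xaa"

ORIGINAL = make_sector(b"CLEAN-LOADER")        # constructed, not a real boot sector
INFECTED = make_sector(b"XX-PLACEHOLDER-SIG")  # constructed, not a real signature

class RawDisk:
    """The medium itself, as read after booting from known-clean media."""
    def __init__(self, sectors):
        self.sectors = dict(sectors)
    def read(self, n: int) -> bytes:
        return self.sectors[n]

class InterceptedView:
    """The same disk seen through a hooked read path on the running system."""
    def __init__(self, disk: RawDisk, saved_at: int):
        self.disk, self.saved_at = disk, saved_at
    def read(self, n: int) -> bytes:
        # Requests for the boot sector are answered with the saved original.
        return self.disk.read(self.saved_at if n == BOOT else n)

def signature_scan(view, signature: bytes) -> bool:
    """What a scanning program does: look for a known pattern in the boot sector."""
    return signature in view.read(BOOT)

def cross_view_diff(live, trusted, sectors) -> list:
    """Sectors whose contents differ between the live view and the trusted view."""
    return [n for n in sectors if live.read(n) != trusted.read(n)]

def demo() -> dict:
    raw = RawDisk({BOOT: INFECTED, SAVED: ORIGINAL, 1: make_sector(b"DATA")})
    live = InterceptedView(raw, SAVED)
    return {
        "live_scan_hit": signature_scan(live, b"PLACEHOLDER-SIG"),
        "raw_scan_hit": signature_scan(raw, b"PLACEHOLDER-SIG"),
        "mismatched": cross_view_diff(live, raw, [BOOT, 1]),
    }

if __name__ == "__main__":
    print(demo())
```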