thomas@mvac23.uucp (Thomas Lapp) (10/10/89)
Regarding a recent message sent which reproduced an IBM internal memo about their VIRSCAN program:

> September 29, 1989
>
> The program tests executable files on disks for signature strings that
> are found in some common DOS computer viruses. For each drive specified
> it will also test the drive for boot sector viruses.
>
> VIRSCAN.EXE is the executable program. It will run under DOS 2.0, 2.1,
> 3.1, 3.2, 3.3, 4.0 and OS/2* 1.0, 1.1, and 1.2. It will not support
> OS/2 1.2 with high performance file system names.

I used this program on some PCs at work last week. The program VIRSCAN is the executable; however, it uses two other files to obtain the search strings and the message to be sent to the user if the search string is found. The search files are in ASCII and can be modified to include more virus strings as necessary. Obviously, the greater the search string, the less likely there will be a false positive.

Since it reports the number of files searched and number of disks checked, I suspect that this program would not be able to find those viruses which reside on sectors which are then marked bad.

- tom
--
internet : mvac23!thomas@udel.edu or thomas%mvac23@udel.edu
uucp     : {ucbvax,mcvax,psuvax1,uunet}!udel!mvac23!thomas
Europe Bitnet: THOMAS1@GRATHUN1
Location: Newark, DE, USA
Quote   : Virtual Address eXtension. Is that like a 9-digit zip code?
CHESS@YKTVMV.BITNET (10/23/89)
Thomas Lapp <thomas@mvac23.uucp> writes:

> Since it reports the number of files searched and number of
> disks checked, I suspect that this program would not be able to find
> those viruses which reside on sectors which are then marked bad.

All the viruses that I've heard of that live even partially in bad sectors are boot-sector viruses; the "initial hook" of the virus is written to the boot sector, and that hook then reads the rest of the virus off of some sector elsewhere on the disk (which was marked bad in the FAT at initial infection). The IBM virus scanner (and the McAfee one, and probably others) scans boot records to detect this type of virus.

In general, a virus has to arrange to get executed; the viruses we've seen so far do this either by modifying executable files, or by modifying the boot record of a disk or diskette. So scanners for known viruses that scan executable files and boot records are looking in the right places! A "virus" that just marked a sector as bad and wrote itself there, without altering the boot sector or any other executable object, would never get executed...

DC
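The two messages above describe a scanner and a hiding technique without showing either. The following is an added example written for this archive; it is not IBM's VIRSCAN, nor code from Thomas Lapp or DC. It models both points of the thread on a constructed FAT12 disk image: an ASCII signature file of the kind Lapp describes (one hex string plus a message per line, including a deliberately short two-byte entry to show the false-positive problem), a scanner that checks "executable" byte strings and the boot sector, and a toy boot-sector infection of the shape DC describes, where the hook sits in the boot sector and the body sits in a cluster marked bad (0xFF7) in the FAT. The scanner also walks the FAT for bad-marked clusters and scans those, which goes one step beyond what the thread says VIRSCAN does. The disk geometry, the signature strings and the "virus" bytes are all placeholders constructed for this example, not real malware.

```python
"""Toy FAT12 image + signature scanner (constructed example, not VIRSCAN)."""
import struct

SECTOR = 512
RESERVED_SECTORS, NUM_FATS, FAT_SECTORS, ROOT_DIR_SECTORS = 1, 1, 1, 1
TOTAL_SECTORS = 16                                   # tiny image: 8 KiB
FIRST_DATA_SECTOR = RESERVED_SECTORS + NUM_FATS * FAT_SECTORS + ROOT_DIR_SECTORS
DATA_CLUSTERS = TOTAL_SECTORS - FIRST_DATA_SECTOR    # clusters 2.. (1 sector each)
FAT12_BAD = 0xFF7                                    # FAT12 "bad cluster" marker

# Constructed signature file: "<hex bytes>|<message on hit>" per line.
# The last entry is two bytes long on purpose: it will fire on harmless data.
SIGNATURE_FILE = """\
# hex signature | message shown when the signature is found
544F592D424F4F542D484F4F4B|Toy boot-sector hook (constructed)
544F592D424F44592D494E2D4241442D434C5553544552|Toy virus body in bad cluster (constructed)
4142|Two-byte toy signature (constructed; expect false positives)
"""

def parse_signature_file(text):
    """Return [(signature_bytes, message)] from the ASCII signature file."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hexsig, msg = line.split("|", 1)
        sigs.append((bytes.fromhex(hexsig), msg))
    return sigs

def scan_bytes(blob, sigs):
    """Messages for every signature that occurs in blob (a file, a sector...)."""
    return [msg for sig, msg in sigs if sig in blob]

def fat12_get(fat, n):
    """Read 12-bit FAT entry n (entries are packed 3 bytes per 2 entries)."""
    off = n * 3 // 2
    v = fat[off] | (fat[off + 1] << 8)
    return (v >> 4) if n & 1 else (v & 0xFFF)

def fat12_set(fat, n, val):
    """Write 12-bit FAT entry n without disturbing its packed neighbour."""
    off = n * 3 // 2
    if n & 1:
        fat[off] = (fat[off] & 0x0F) | ((val & 0xF) << 4)
        fat[off + 1] = (val >> 4) & 0xFF
    else:
        fat[off] = val & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((val >> 8) & 0x0F)

def fat_view(img):
    start = RESERVED_SECTORS * SECTOR
    return memoryview(img)[start:start + FAT_SECTORS * SECTOR]

def cluster_offset(n):
    return (FIRST_DATA_SECTOR + (n - 2)) * SECTOR

def make_disk_image():
    """Clean image: minimal BPB in the boot sector, empty FAT, empty data area."""
    img = bytearray(TOTAL_SECTORS * SECTOR)
    bpb = struct.pack("<3s8sHBHBHHBHHHII", b"\xEB\x3C\x90", b"TOYDISK ", SECTOR, 1,
                      RESERVED_SECTORS, NUM_FATS, 16, TOTAL_SECTORS, 0xF0,
                      FAT_SECTORS, 8, 1, 0, 0)
    img[0:len(bpb)] = bpb
    img[510:512] = b"\x55\xAA"                       # boot signature
    fat_view(img)[0:3] = b"\xF0\xFF\xFF"             # media byte + reserved entries
    return img

def infect_image(img):
    """Toy version of the mechanism DC describes: hook in the boot sector,
    body in a free cluster that is then marked bad so DOS never allocates it."""
    f = fat_view(img)
    n = next(c for c in range(2, 2 + DATA_CLUSTERS) if fat12_get(f, c) == 0)
    body = b"TOY-BODY-IN-BAD-CLUSTER"                # placeholder, not real code
    off = cluster_offset(n)
    img[off:off + len(body)] = body
    fat12_set(f, n, FAT12_BAD)
    hook = b"TOY-BOOT-HOOK"                          # placeholder "initial hook"
    img[0x3E:0x3E + len(hook)] = hook                # 0x3E: first byte after the BPB
    return img

def bad_clusters(img):
    """Clusters the FAT marks as bad: where a bad-sector virus body would live."""
    f = fat_view(img)
    return [c for c in range(2, 2 + DATA_CLUSTERS) if fat12_get(f, c) == FAT12_BAD]

def scan_image(img, sigs):
    """Scan the boot sector, then every bad-marked cluster, for known signatures."""
    report = {"boot": scan_bytes(bytes(img[0:SECTOR]), sigs), "bad_clusters": {}}
    for c in bad_clusters(img):
        off = cluster_offset(c)
        report["bad_clusters"][c] = scan_bytes(bytes(img[off:off + SECTOR]), sigs)
    return report

if __name__ == "__main__":
    sigs = parse_signature_file(SIGNATURE_FILE)
    print("clean:   ", scan_image(make_disk_image(), sigs))
    print("infected:", scan_image(infect_image(make_disk_image()), sigs))
    print("file CABLE.COM:", scan_bytes(b"CABLE", sigs))   # the two-byte sig fires
```

The boot-sector pass alone already catches the toy infection, which is DC's point: the hook has to be somewhere that gets executed. The bad-cluster pass is the extra check Lapp wondered about; it finds the body, and on a real disk it would also flag bad-marked clusters that carry no known signature, which is worth a look on its own. The last line shows why signature length matters: `AB` matches an innocent file name.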