RCSTRN@HEITUE5.BITNET (ROB_NAUTA) (06/08/89)
I got nobrain.c, a program that removes a Brain virus from a diskette, and antidote, which removes the pingpong virus from a disk. These tools made me wonder: is there a program that recognises viruses for the PC? Mac antiviral programmes do, because every time a new virus is found the tools can't help and a new version comes out, extended to recognise that one as well. Is there a program that says 'this disk (or COM or EXE file) is infected by ......'? I know FluShot+ warns if you boot from a Lehigh-infected disk.

Furthermore, is there a program that disinfects COM or EXE files that were infected by, say, the 1701/1704, TSR virus etc.? At the moment everybody says 'install your software from your backups and start with a clean system', but seeing how fast I can clear the Pingpong from a disk makes me interested to find out if there are programs that restore program files... If those programs don't exist, I may start writing my own tool for it. I will need some info then on how I can recognise known viruses and how I can reconstruct the file (deleting the first 1701 or 1704 bytes seems logical in that case, but is it correct, and what about the others??).

I hope someone can help me, thanks in advance

Rob J. Nauta - Fidelio Software
RZOTTO@DKNKURZ1.BITNET (Otto Stolz) (06/08/89)
Rob J. Nauta asked:

> Furthermore, is there a program that disinfects COM or EXE files [...]
> I may start writing my own tool for it [...] delete the first 1701 or
> 1704 bytes seems logical in that case

This procedure would certainly destroy your program. In fact, the term "relocating" link-virus is only a metaphor (as is virus, at all) for various techniques to achieve the following behaviour of the infected (another metaphor) program:

1. run viral code (a whole transient virus, or at least the installation part in case of a resident virus);
2. resume normal operations of the original program.

With fully relocatable programs (I'm not quite sure whether all MS-DOS COM files qualify as such), this could indeed be achieved by inserting the viral code at the beginning of the file, but the 1704 (and other virus strains) use a different approach.

1704 overwrites the 1st 3 bytes of the COM file with a Jump instruction to the end of the file, where the main part of the viral code is appended; the original contents of the 3 bytes being overwritten are saved somewhere in the viral code (i.e. every file gets its own, suitably adapted, version of the virus appended). When the program is invoked, the virus restores the original content of its 1st 3 bytes before transferring control there.

Hence, if you want to remove a 1704 from a COM file, you have to:

1. Retrieve the original 1st 3 bytes from the viral code (which is not trivial, but I won't go into details, here);
2. Replace the 1st 3 bytes of the file with their original content;
3. optionally, remove the last 1704 bytes from the file.

See below for a warning on the usefulness of this scheme.

EXE files have an elaborate structure, complicating disinfecting (and btw. infecting) even more.

> At the moment everybody says 'install your software from your backups
> and start with a clean system'

I'd rather say: start with a clean system and install your software from original distribution disks.

- In any case, you have to start with a clean system (i.e. switch off your computer, and boot it from a clean floppy disk), before you attempt anti-viral measures (be it diagnosis, or repair).
- Usually, you don't know how long you have hosted the virus, so you do not know which of your backups to trust. So, rather use original (hopefully clean) distribution disks.
- If you devise a disinfectant program as outlined above, you can use it only for a particular virus strain. But the next day, you will run across a variant of the virus (which saves the 3 bytes at some other place or in some other way), and your disinfectant will destroy your program instead of repairing it.

Better safe than sorry--hence, I do not use disinfectant programs, even if they are available.

Otto Stolz
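The following is an added example (editor's code, not from either post and not a reconstruction of any real virus) that puts Otto's description of the COM-file layout and his three repair steps into a checker and repair routine, together with the refusal behaviour his last bullet argues for. Everything about where the saved 3 bytes sit and what marks the strain (SAVED_BYTES_OFFSET, FIXTURE_SIGNATURE) is an assumption made for a constructed, inert test fixture; only the 1704-byte length and the "JMP at offset 0 into an appended block" shape come from the thread.

```python
"""Structural check and repair for the COM-file infection layout described in the
thread: a near JMP at offset 0 into a block appended at the end of the file, with
the program's original first 3 bytes saved inside that block.

The layout constants below are ASSUMPTIONS for a constructed test fixture; they
are not the layout of the real 1704 virus.
"""
import struct

APPENDED_LEN = 1704        # length of the appended block, as stated in the thread
SAVED_BYTES_OFFSET = 32    # ASSUMED: where the fixture keeps the original 3 bytes
FIXTURE_SIGNATURE = b"CONSTRUCTED-FIXTURE"   # ASSUMED: stands in for a strain signature
COM_LOAD_OFFSET = 0x100    # COM programs are loaded and entered at CS:0100h


def jump_target(com: bytes):
    """Return the file offset a leading near JMP (E9 rel16) points at, or None."""
    if len(com) < 3 or com[0] != 0xE9:
        return None
    rel = struct.unpack_from("<h", com, 1)[0]
    # rel16 is relative to the instruction after the JMP (file offset 3); the
    # CS:0100h load offset applies to both ends and cancels out.
    return 3 + rel


def looks_infected(com: bytes, appended_len: int = APPENDED_LEN) -> bool:
    """Heuristic from the thread: JMP at offset 0 whose target lies inside the
    last `appended_len` bytes of the file."""
    target = jump_target(com)
    if target is None or len(com) <= appended_len:
        return False
    tail_start = len(com) - appended_len
    return tail_start <= target < len(com)


def disinfect(com: bytes, saved_offset: int = SAVED_BYTES_OFFSET,
              appended_len: int = APPENDED_LEN) -> bytes:
    """Apply the three repair steps from the thread: retrieve the saved 3 bytes,
    put them back at offset 0, and drop the appended block.

    Refuses with ValueError whenever the file does not match the one known
    layout, which is Otto's caveat: a variant that keeps the 3 bytes elsewhere
    would be destroyed, not repaired, by a blind restore."""
    if not looks_infected(com, appended_len):
        raise ValueError("layout mismatch: no JMP into an appended block")
    tail_start = len(com) - appended_len
    tail = com[tail_start:]
    if not tail.startswith(FIXTURE_SIGNATURE):
        raise ValueError("unknown variant: appended block does not match the known strain")
    original3 = tail[saved_offset:saved_offset + 3]
    if len(original3) != 3:
        raise ValueError("saved bytes lie outside the appended block")
    return bytes(original3) + bytes(com[3:tail_start])


# Constructed clean COM program: mov ah,09h / mov dx,0108h / int 21h / ret, then the string.
SAMPLE_CLEAN = b"\xB4\x09\xBA\x08\x01\xCD\x21\xC3" + b"Hello$"


def build_test_fixture(clean: bytes) -> bytes:
    """Build an inert file with the described layout for testing the repair code:
    JMP at offset 0 to an appended block of zero padding that carries only the
    fixture signature and the original 3 bytes. Nothing in the block executes."""
    if len(clean) < 3:
        raise ValueError("need at least 3 bytes")
    tail = bytearray(APPENDED_LEN)
    tail[:len(FIXTURE_SIGNATURE)] = FIXTURE_SIGNATURE
    tail[SAVED_BYTES_OFFSET:SAVED_BYTES_OFFSET + 3] = clean[:3]
    rel = len(clean) - 3       # from file offset 3 to the start of the appended block
    return b"\xE9" + struct.pack("<h", rel) + clean[3:] + bytes(tail)


if __name__ == "__main__":
    sample = build_test_fixture(SAMPLE_CLEAN)
    print("infected:", looks_infected(sample), "jump ->", jump_target(sample))
    print("repaired == original:", disinfect(sample) == SAMPLE_CLEAN)
```

The point of the signature check is the one Otto makes: the restore is only safe for the exact strain whose layout the tool was written against, so anything that does not match is refused rather than "repaired" by guesswork, and the file is left for the clean-boot-and-reinstall route he recommends.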