Gold Medal Software 3

home *** CD-ROM | disk | FTP | other *** search

/ Gold Medal Software 3 / Gold Medal Software - Volume 3 (Gold Medal) (1994).iso / virus / redal15.arj / REDALERT.DOC < prev next >

Wrap

Text File | 1993-12-20 | 62KB | 1,258 lines

RED ALERT! Users Manual Release 1.15 December 1993 PROFESSIONAL VERSION Copyright (c)1993 Servile Software 2 INTRODUCTION In 1986 the world's first "computer virus" was detected. It was nicknamed "brain" after its effect of changing the volume label of an infected hard disk to read "(c) Brain" Brain scanned an intended victim (hard disk) for a signature in the boot sector. If it did not find the signature it would copy itself from memory to the hard disk, and hide its presence by marking the areas of the disk it occupied as bad in the disk file allocation table (FAT). Brain hides by taking over BIOS interrupt 13h. When an attempt is made to read an infected boot sector using the BIOS absolute disk read function, Brain would just show the original boot sector instead. This meant that if the boot sector of an infected hard disk was examined using DEBUG or a similar program, everything would appear normal, if brain were active in memory. The discovery of brain caused an uproar in the media. Paranoida swept the computing industry, and hundreds of bright, malicious programmers set about creating their own computer viruses. Some more materialistic programmers starting writing software that would either detect or destroy computer viruses. Some of those authors are known to have written computer viruses and hyped the paranoida in order to promote the sales of their own product. One American gentleman even went as far as to write a book. In his book he describes computer viruses, and how to write them. He even included program listings of some. Needless to say many variants of his viruses are still infecting computers and destroying data. Shortly after the publication of his book, the author released a program which would detect and destroy computer viruses. With the discovery that brain used a signature to prevent itself from reinfecting a disk, programmers developed the technique of virus signature scanning as a defence against potential infection. This technique is still widely used among virus scanners. However, it has the fundamental flaw that it will not detect a hitherto undiscovered virus. In order for a signature to be recorded, a virus must have been discovered. And without a technique for detecting an unknown virus, the only way a virus is to be detected is when it has infected a system. As well as computer viruses, there are also rogue programs that can cause havoc on a system. These come in tow forms; Trojans, named after the Trojan horse that allowed the Greeks access to Troy. And Bombs that are so named because they require triggering. A Trojan is a seemingly innocent program, but when run detroys data on the host computer. A bomb is a piece of code within a seemingly innocent program, which when triggered, perhaps by the computer's system date, destroys data on the host computer. These types of program are very easy to write, and impossible to detect with conventional virus scanners. Red Alert! is a new type of disk protection program. Red Alert! analyses programs searching for possible virus infection, trojans and bombs. In this way Red Alert! can often identify a new strain of virus or trojan before any other virus scanner. Red Alert! also reports some known virii, particuarly the multitude of strains manufactured with the Virus Creation Lab (as wriiten and 3 released by Nowhere Man and NuKe Warez). Red Alert! is suitable for use in domestic, business and bulletin board (BBS) environments. Because of the slightly different needs of the different hosts that may use Red Alert!, Red Alert! may be run in either of two modes. The first, normal, mode displays status messages on the PC screen as Red Alert! works. The second, quiet, mode does not display any status messages. This results in a somewhat faster analysis being carried out and is particuarly suited to batch file and BBS operations. A feature that may be of particular interest to BBS sysops, is the /MOVE parameter. This enables VERY suspicious files to be automatically moved to a specified directory. Red Alert! is designed to be used along side your existing anti-virus software. We recommend F-PROT as the most reliable detector of existing virii and new strains. Although F-PROT is still not as good as Red Alert! at detecting completely new virii! And F-PROT doesn't detect trojan's. Red Alert! does nothing more than report (and move files if told to do so). If you want to disinfect contaminated programs/files you must use a separate product. Remember though, prevention is better than cure. Many virii kill their hosts, sometimes intentionally, but sometimes by accident. All warnings may be individually inhibited, except known virii warnings that will ALWAYS trigger a red alert. 4 COMMAND LINE OPTIONS: Red Alert! may be run from DOS with a variety of optional command line parameters: REDALERT [d:][file spec | /ALL]][/NOWARN | /REDONLY][/COMMAND][/QUIET][-enn] [/MOVE dir][/MONO] Where d: is an optional drive letter of the disk drive to check. File spec is the specification of the files to check, for example 'unknown.*'. /NOWARN inhibits WARNING messages /REDONLY only reports red alert status messages. /ALL checks ALL files whatever extension. The default, if the file specification is ommited, is for Red Alert! to check only files with an extension of .EXE, .COM, .SYS, .APP. or .BAT A simple trick for uploading virii to BBS is to name them with an extension not normally checked by virus scanners, such as .DAT, and then to rename the virii files from within an otherwise clean Trojan program. The /ALL option bypasses this approach. /COMMAND runs Red Alert in command line mode. Only Red Alerts are reported. /QUIET prevents the display of any messages, although messages are still echoed to file REDALERT.REP /MOVE <directory> Moves all files triggering a Red Alert into the specified directory. The target directory MUST be on the same disk as the files being checked. If a .COM and a .EXE form of the same file occur in the same directory, and the companion virus warning is enabled, then the .COM file will be moved, since this is the file that would be executed by DOS. /MONO Forces Red Alert! to operate in monochrome mode. This is primarily for use where a monochrome monitor is connected to a colour display card. -enn inhibits the appropriate warning number, where nn is the number of the warning to inhibit. Inhibiting warnings also inhibits the moving of suspect files that would have otherwise triggered the inhibited warning. 5 COMMAND LINE EXAMPLES To check every executable, device driver and batch file on hard disk C: REDALERT C: To check every file on hard disk C: REDALERT C: /ALL To check only the file 'suspect.exe' in the current directory: REDALERT SUSPECT.EXE To check only the file 'suspect.exe' in a specified directory: REDALERT C:\DIRECTORY\SUSPECT.EXE To check all files in a specified directory: REDALERT C:\DIRECTORY /ALL or REDALERT C:\DIRECTORY\*.* To check all files of a particular extension in a specified directory: REDALERT C:\DIRECTORY\*.EXT To check all files of a particular extension on the disk REDALERT *.EXT 6 USING RED ALERT! WITH A BATCH FILE Red Alert! can be simply used with a batch file to test an individual file. If Red Alert! detects code or data within the file that triggers a "red alert" then ERRORLEVEL ONE will be set. This can be tested by the batch file and appropriate action taken. The following is a listing of the example batch file, RA.BAT, supplied with Red Alert! @echo off rem Sample batch file for BBS testing of files rem ONLY red alerts will be reported rem reported findings will NOT be echoed to the screen redalert %1 /QUIET /REDONLY IF ERRORLEVEL 1 GOTO DANGER GOTO END :DANGER echo %1 is a SUSPICIOUS file :END 7 INTERACTIVE MODE If you don't specify either of the command line options /QUIET or COMMAND, then Red Alert! will operate in the interactive mode. This provides an easy to use menu of facilities for repetetive scanning of diskettes, or multiple drives. Menu: Facilities are chosen from the menu by moving the highlight bar with the cursor up and down arrow keys. The highlighted facility may be selected by pressing the return key. ┌──────────────────────────────────────────────────────────────────────────────┐ │Servile Software R E D A L E R T Copyright 1993│ └──────────────────────────────────────────────────────────────────────────────┘ ┌──────────────────────────────────────────────────────────────────────────────┐ │ ╔════════════════════╗ │ │ ║ Begin Scanning ║ │ │ ║ Specify Warnings ║ │ │ ║ Specify Path ║ │ │ ║ Specify Move Path ║ │ │ ║ View Last Report ║ │ │ ║ Print Last Report ║ │ │ ║ Analyse ║ │ │ ║ Quit ║ │ │ ╚════════════════════╝ │ │ │ │ │ │ ┌─────────────────────────────────────────────────────────────────────────┐ │ │ │ Begin scanning of the selected path │ │ │ │ │ │ │ │ C: │ │ │ │ │ │ │ └─────────────────────────────────────────────────────────────────────────┘ │ │ │ └──────────────────────────────────────────────────────────────────────────────┘ 8 Begin Scanning: Selecting this option will commence a scan of the path or file indicated in the lower box. The scan will take place with the current warnings settings which may have been specified by command line parameters, or specified with the Specify Warnings menu facility. As scanning occurs, Red Alert! displays the current status and operation on screen. These messags may scroll off the screen too fast to read. However, all mssages are echoed to the report file which may be viewed or printed after scanning has finished. SCANNING MAY BE ABORTED BY PRESSING THE ESC KEY. ┌──────────────────────────────────────────────────────────────────────────────┐ │Servile Software R E D A L E R T Copyright 1993│ └──────────────────────────────────────────────────────────────────────────────┘ ┌──────────────────────────────────────────────────────────────────────────────┐ │[6]WARNING! │ │D:\DRAW\THEDRAW.EXE may contain a call to DOS 'rename file' function │ │[7]WARNING! │ │D:\DRAW\THEDRAW.EXE may contain a call to DOS 'delete file' function │ │[8]YELLOW ALERT! │ │D:\DRAW\THEDRAW.EXE may contain a call to DOS 'exec' function │ │[18]WARNING! │ │D:\GRAM\DICTUTIL.EXE is a packed file │ │[6]WARNING! │ │D:\GRAM\GMK.EXE may contain a call to DOS 'rename file' function │ │[7]WARNING! │ │D:\GRAM\GMK.EXE may contain a call to DOS 'delete file' function │ │[18]WARNING! │ │D:\GRAM\GMK.EXE is a packed file │ │[8]YELLOW ALERT! │ │D:\GRAM\GMK.EXE may contain a call to DOS 'exec' function │ │[18]WARNING! │ │D:\GRAM\GMKCVTWP.EXE is a packed file │ │SCANNING: D:\GRAM\GMKED.EXE │ └──────────────────────────────────────────────────────────────────────────────┘ Some innocuous warnings.... 9 When scanning, Red Alert! will display warning messages. The screen dump below illustrates the sort of messages you can expect to be displayed when rogue programs are detected: ┌──────────────────────────────────────────────────────────────────────────────┐ │Servile Software R E D A L E R T Copyright 1993│ └──────────────────────────────────────────────────────────────────────────────┘ ┌──────────────────────────────────────────────────────────────────────────────┐ │D:\VIRUS\VIRII\INCSPD.COM may open a file handle to command.com │ │[32]RED ALERT! │ │D:\VIRUS\VIRII\INCSPD.COM may open a file handle to ibmdos.com │ │[28]RED ALERT! │ │D:\VIRUS\VIRII\INCSPD.COM searches directories for *.COM │ │[9]YELLOW ALERT! │ │D:\VIRUS\VIRII\CODEZERO.COM may contain a call to dos 'set file date/time' fun│ │ction │ │[12]RED ALERT! │ │D:\VIRUS\VIRII\CODEZERO.COM contains code known to lock the keyboard │ │[15]YELLOW ALERT! │ │D:\VIRUS\VIRII\CODEZERO.COM contains a reference to '*.COM' │ │[20]RED ALERT! │ │D:\VIRUS\VIRII\CODEZERO.COM contains a reference to '[VCL]' │ │[21]RED ALERT! │ │D:\VIRUS\VIRII\CODEZERO.COM contains known virus commands │ │RED ALERT! │ │D:\VIRUS\VIRII\CODEZERO.COM is probably infected with a virus │ │ │ └──────────────────────────────────────────────────────────────────────────────┘ Viruses detected.... 10 Specify Warnings: Individual warnings may be toggled on and off. Highlight the warning to change, and press the space bar. When the warning is enabled, a tick (√) appears to the left of it. As a short cut, you can press key Y to enable all yellow and red alerts, and disable all warnings. Or you can press key R to disable all warning mssages except red alerts. ┌──────────────────────────────────────────────────────────────────────────────┐ │Servile Software R E D A L E R T Copyright 1993│ └──────────────────────────────────────────────────────────────────────────────┘ ┌──────────────────────────────────────────────────────────────────────────────┐ │ √ ( 0) has strange time stamp (18) is a packed file │ │ √ ( 1) Code to format drive (19) contains a reference to 'virus'│ │ ( 2) is a hidden executable file √ (20) contains reference to [VCL] │ │ ( 3) is a hidden file √ (21) contains known virus commands │ │ √ ( 4) may be a VCL encrypted virus √ (22) is a PKZIP packed file │ │ √ ( 5) may remain resident in memory √ (23) Both .COM and .EXE forms │ │ ( 6) may call rename file function √ (24) contains code to delete files │ │ ( 7) may call delete file function √ (25) is encrypted │ │ √ ( 8) may call exec function √ (26) determines if is an EXE or COM │ │ √ ( 9) may set file date/time √ (27) code to move itself in memory │ │ (10) may get/set file attributes √ (28) searches directories for *.COM │ │ √ (11) contains code to destroy FAT √ (29) searches directories for *.EXE │ │ √ (12) contains code to lock keyboard √ (30) contains ANSI key redefinition │ │ (13) may call format function √ (31) may open a file to command.com │ │ √ (14) contains reference to 'format' √ (32) may open a file to ibmdos.com │ │ √ (15) contains a reference to '*.COM' √ (33) may capture interrupt 21 │ │ √ (16) contains reference to IBMIO.COM √ (34) may capture interrupt 13 │ │ √ (17) may call absolute disk write √ (35) is actually an EXE file │ │ │ └──────────────────────────────────────────────────────────────────────────────┘ 11 Specify Path: To select a new path to be searched, select the "Specify Path" facility from the menu. Red Alert! will then wait while you type in the path to be scanned. If the entered path is a drive specification, or a directory specification, Red Alert! will scan all files in that drive or directory which have an extension of: .EXE, .COM, .APP, .SYS or .BAT. If you specify a file or group of files without a drive or directory specified, then Red Alert! will search the entire current drive and scan files matching the entered name or specification. Entering a directory and a file specification forces Red Alert! to scan just the specified files in the named directory. ┌──────────────────────────────────────────────────────────────────────────────┐ │Servile Software R E D A L E R T Copyright 1993│ └──────────────────────────────────────────────────────────────────────────────┘ ┌──────────────────────────────────────────────────────────────────────────────┐ │ ╔════════════════════╗ │ │ ║ Begin Scanning ║ │ │ ║ Specify Warnings ║ │ │ ║ Specify Path ║ │ │ ║ Specify Move Path ║ │ │ ║ View Last Report ║ │ │ ║ Print Last Report ║ │ │ ║ Analyse ║ │ │ ║ Quit ║ │ │ ╚════════════════════╝ │ │ │ │ │ │ ┌─────────────────────────────────────────────────────────────────────────┐ │ │ │PATH:[C: ]│ │ │ │ │ │ │ │ Enter the path and/or file specification to scan. │ │ │ │EG: C:\UPLOAD or A:\*.ASC or NEWFILE.EXE or A: │ │ │ └─────────────────────────────────────────────────────────────────────────┘ │ │ │ └──────────────────────────────────────────────────────────────────────────────┘ 12 Specify Move Path: You may optionally specify a directory, which must be on the current drive, into which to move all files triggering an enabled Red Alert. If you enter a blank path, the move operation will be inhibited. ┌──────────────────────────────────────────────────────────────────────────────┐ │Servile Software R E D A L E R T Copyright 1993│ └──────────────────────────────────────────────────────────────────────────────┘ ┌──────────────────────────────────────────────────────────────────────────────┐ │ ╔════════════════════╗ │ │ ║ Begin Scanning ║ │ │ ║ Specify Warnings ║ │ │ ║ Specify Path ║ │ │ ║ Specify Move Path ║ │ │ ║ View Last Report ║ │ │ ║ Print Last Report ║ │ │ ║ Analyse ║ │ │ ║ Quit ║ │ │ ╚════════════════════╝ │ │ │ │ │ │ ┌─────────────────────────────────────────────────────────────────────────┐ │ │ │PATH:[ ]│ │ │ │ │ │ │ │ Enter the directory to move files into, or leave blank to inhibit move │ │ │ │ (NOTE: Must be a directory on the current disk) │ │ │ └─────────────────────────────────────────────────────────────────────────┘ │ │ │ └──────────────────────────────────────────────────────────────────────────────┘ 13 View Last Report: (REGISTERED USERS ONLY) Red Alert! always generates a report following a scan. This report is written to the directory where redalert.exe is to be found. This report may be viewed through Red Alert's "View Last Report" facility. To move around the screen use the cursor arrow keys, the page up and page down keys, and the home and end eyes to move to the start and end of the current display line. Often a report will include lines which are too long to be shown on the screen. Red Alert! will allow the screen to scroll from left to right to show the remainder of these lines. ┌──────────────────────────────────────────────────────────────────────────────┐ │Servile Software R E D A L E R T Copyright 1993│ └──────────────────────────────────────────────────────────────────────────────┘ [14]RED ALERT! D:\VIRUS\VIRII\ANTIV.EXE contains a reference to 'format.com' [9]D:\VIRUS\VIRII\MI2SOLVE.EXE YELLOW ALERT! may contain a call to dos 'set file RED ALERT! D:\VIRUS\VIRII\MI2SOLVE.EXE is probably infected with a virus [25]RED ALERT! D:\VIRUS\VIRII\MI2SOLVE.EXE is encrypted [26]YELLOW ALERT! D:\VIRUS\VIRII\MI2SOLVE.EXE determines if it is an EXE or COM [27]RED ALERT! D:\VIRUS\VIRII\MI2SOLVE.EXE contains code to move itself in memor ┌──────────────────────────────────────────────────────────────────────────────┐ │Move cursor with [PgUp], [PgDn], [Home], [End], [], [|], [|], [] [Esc] Quit│ └──────────────────────────────────────────────────────────────────────────────┘ Print Last Report: (REGISTERED USERS ONLY) Red Alert! can send the current report to a printer connected to the parallel port. No printer formatting instructions are sent before or after printing the report, so you should ensure that your printer is correctly setup before selecting this facility. 14 REPORT Red Alert! always writes the result of its findings to a report file titled "redalert.rep". This file is created in the current directory, overwriting any existing report file. The report file commences with an author's acknowledgment, and then information about the scan that has been conducted. This information includes the date of the scan, whether any warnings have been inhibited and the specifications of files being analysed. For example: Servile Software R E D A L E R T Copyright 1993 Results of scan on date <date> Checking file specifications *.EXE *.COM *.SYS *.APP *.BAT After the heading text is the body of the report that lists all warnimgs appertaining to suspicious files scanned. For example: WARNING! D:\DRAW\THEDRAW.EXE may contain a call to DOS 'rename file' function WARNING! D:\DRAW\THEDRAW.EXE may contain a call to DOS 'delete file' function YELLOW ALERT! D:\DRAW\THEDRAW.EXE may contain a call to DOS 'exec' function The report is a standard text file that may be printed or viewed with a text editor. For details of the messages reported please refer to the section entitled "Messages" in this document. 15 ANALYSE Interesting information can be obtained about suspect programs with the 'analyse' option. This causes Red Alert! to simulate execution of the program. Red Alert! displays details of what the program is doing as it does it. Most okay programs will display very little. Virus infected programs or programs which attack other files will display quite a lot of information! THE ANALYSIS MAY BE ABORTED BY PRESSING THE ESC KEY ┌──────────────────────────────────────────────────────────────────────────────┐ │Servile Software R E D A L E R T Copyright 1993│ └──────────────────────────────────────────────────────────────────────────────┘ ┌──────────────────────────────────────────────────────────────────────────────┐ │ ╔════════════════════╗ │ │ ║ Begin Scanning ║ │ │ ║ Specify Warnings ║ │ │ ║ Specify Path ║ │ │ ║ Specify Move Path ║ │ │ ║ View Last Report ║ │ │ ║ Print Last Report ║ │ │ ║ Analyse ║ │ │ ║ Quit ║ │ │ ╚════════════════════╝ │ │ │ │ │ │ ┌─────────────────────────────────────────────────────────────────────────┐ │ │ │PROGRAM:[d:\virus\virii\yankee2.com ]│ │ │ │ │ │ │ │ Enter the name of the program to analyse │ │ │ │ │ │ │ └─────────────────────────────────────────────────────────────────────────┘ │ │ │ └──────────────────────────────────────────────────────────────────────────────┘ 16 The following screen dumps show the results of analysing one virus infected program. Other virus infected programs may display different results. ┌──────────────────────────────────────────────────────────────────────────────┐ │Servile Software R E D A L E R T Copyright 1993│ └──────────────────────────────────────────────────────────────────────────────┘ ┌──────────────────────────────────────────────────────────────────────────────┐ │Get DTA │ │Set DTA │ │Get current directory │ │CD │ │Get DTA │ │Set DTA │ │Find first *.COM │ │Get DTA │ │Open file CPROBE.COM │ │Read 3 bytes from file [CPROBE.COM] │ │Move file [CPROBE.COM] pointer relative to start of file │ │Get file attributes │ │CPROBE.COM file closed │ │Set [CPROBE.COM] file attributes │ │Open file CPROBE.COM │ │Write 3 bytes to file [CPROBE.COM] │ │Move file [CPROBE.COM] pointer relative to start of file │ │Get file attributes │ │Press a key to continue.... │ └──────────────────────────────────────────────────────────────────────────────┘ ┌──────────────────────────────────────────────────────────────────────────────┐ │Servile Software R E D A L E R T Copyright 1993│ └──────────────────────────────────────────────────────────────────────────────┘ ┌──────────────────────────────────────────────────────────────────────────────┐ │Read 3 bytes from file [CPROBE.COM] │ │Move file [CPROBE.COM] pointer relative to start of file │ │Get file attributes │ │CPROBE.COM file closed │ │Set [CPROBE.COM] file attributes │ │Open file CPROBE.COM │ │Write 3 bytes to file [CPROBE.COM] │ │Move file [CPROBE.COM] pointer relative to start of file │ │Get file attributes │ │Press a key to continue.... │ │Write 821 bytes to file [CPROBE.COM] │ │Set [CPROBE.COM] file date/time │ │CPROBE.COM file closed │ │Set [CPROBE.COM] file attributes │ │Set DTA │ │CD \ │ │Get current directory │ │Aborted by operator.... │ │Press a key to return to the main menu.... │ └──────────────────────────────────────────────────────────────────────────────┘ 17 LIVING WITH RED ALERT! Red Alert! can generate a vast quantity of warning messages and take a long time to scan. A suspect file is best scanned with all warning messages enabled. However, allowances should be made that many legitimate programs delete files. Even spreadsheet applications often delete files because they use temporary files that they later delete. Consequently singular file deletion is a low suspicion warning. Red Alert! is slower than other virus scanners because it has a built in code analyser that actually "activates" the programs being tested. This activation involves a "quick" test of what the program would do if it was run from the current disk and directory. This method of analysis is often effective at bypassing encryption. However, it is important that Red Alert! is run from the disk where the suspect program will be used. The code analyser can detect a number of VERY suspicious states. These are: the program being tested attempts to open either "command.com" or "ibmdos.com". These are warnings 31 and 32 and are displayed as: [31]RED ALERT! <filename> may open a file handle to command.com [32]RED ALERT! <filename> may open a file handle to ibmdos.com And the program tries to take control of either interrupt 13h or 21h. These are warnings 33 and 34 and are each displayed in one of two forms. If the program under test analyses the address of the interrupt, Red Alert! warns that the program may capture the interrupt. If Red Alert! detects that the program does change the interrupt, then you will be informed that the program does capture the interrupt. [33]RED ALERT! <filename> may capture interrupt 21 [33]RED ALERT! <filename> captures interrupt 21 [34]RED ALERT! <filename> may capture interrupt 13 [34]RED ALERT! <filename> captures interrupt 13 Very few normal programs assign a file handle to either of these files. Viruses however will often search for .COM files to infect, and as such may attempt to infect either of these files. These warnings give a pretty clear indication that the program being scanned IS a virus. One program is known to trigger Red Alert! This is Format.com. It has a structure commonly found in viruses, but not in any other programs I have come across! This triggers the: RED ALERT! <filename> is probably infected with a virus warning. You should not be complacent about this warning, even when it applies to format.com. Instead you should compare your copy of format.com with the master copy on your DOS disk. 18 So what suggests a dangerous program? Certainly a "red alert" suggests that the program could be dangerous. But, many straight programs can be dangerous. If you receive multiple red alerts you should be very suspicious of the file. Also, there is in existence a virus creation tool, entitled VCL. This enables non-programmers to churn out vast quantities of destructive viruses and Trojans. Fortunatelt they all contain the signature "[VCL]". However, due to their prolific nature, any reference to VCL triggers a red alert, and you should also be suspicious of the program triggering the warning. The particuarly nasty warnings are: [4]RED ALERT! <filename> may be a VCL encrypted virus [12]RED ALERT! <filename> contains code known to lock the keyboard [20]RED ALERT! <filename> contains a reference to '[VCL]' [21]RED ALERT! <filename> contains known virus commands [27]RED ALERT! <filename> contains code to move itself in memory [28]RED ALERT! <filename> searches directories for *.COM [29]RED ALERT! <filename> searches directories for *.EXE [31]RED ALERT! <filename> may open a file handle to command.com [32]RED ALERT! <filename> may open a file handle to ibmdos.com RED ALERT! <filename> is probably infected with a virus 19 METHODS OF INFECTION In order for a computer virus to infect another system, it has to write itself to a disk. It can do this in a variety of ways. Boot Sector: When the PC is switched on, the BIOS ROM chip loads a program from the floppy disk A: or the hard disk, boot sector. This is the first physical sector of the disk. This program then takes over the loading of the operating system, DOS. A boot sector infection replaces the host computer's disk boot sector program with its own program. Then, whenever a computer is booted (started) from the infected disk, the rogue program is loaded into memory and takes over. Program Appending: A virus may spread by appending a copy of itself to other programs on a disk. These other programs may be .COM, .EXE or anyother executable file. This includes overlay files. When the infected program is loaded by the operating system, the virus is also loaded into memory and activated. Overwriting: A simpler way for a virus to spread is for it to replace an existing program file with itself. This is called overwritng. It is easy to detect because the original program no longer operates. Companion: Another simple form of infection is the companion method. This method makes use of the operating system's method of program loading. When a program name is supplied to the operating system the operating system first appends the extension .COM to the program name and tries to load and run that name. If this fails, then the extension is changed for .EXE and the operating system tries to load and run this program name. Should this operation fail then the operating system replaces the extension with .BAT and tries to load and run a batch file. It follows that if two programs have the same name, but one has the extension .COM and the other the extension .EXE or .BAT, then the .COM program will be loaded and run. Companion infection involves storing the virus on the host disk with the same name as an existing .EXE file, but with an extension of .COM. The companion virus is then loaded and run by the operating system when the operator types in the program name. The companion virus can do its business and then load the original program so that the operator is unaware of what is happening. Device: A device virus is one which infects bootable disks by appending a DEVICE=myname to the file "config.sys", where myname is the name of the virus program, in the boot disk's root directory. When the computer is switched on, 20 programs listed in the config.sys file are automaticaly loaded into memory. This takes place before any other programs, such as those listed in "autoexec.bat" are run. With a device virus, it becomes active in memory every time a computer is booted from an infected disk. 21 TROJANS & BOMBS A common source of lost computer data is the Trojan. A program that appears innocuous, and yet, like the Trojan horse, is deadly. Trojan program's may contain a bomb that will wait for a trigger, or just go off when the program is run. Consider the following batch file entitled 'install.bat'. You are told to run it with the command line: INSTALL X: Where X: is the drive where you want to install the package to. Not uncommon? No! But what if the batch file contains the code: echo Y | format %1 What will happen is that the specified drive will be reformmated without you being given the chance to stop it. Just think if that were your hard disk! Can you remember where the master disk for your restore software is? You will need it to be able to restore from a backup. Assuming that is that you have a backup of your disk! Fortunately, Red Alert! searches .BAT files and reports dangerous code like this. Compiled batch files are more tricky. There are a number of batch file compiler products on the market which convert batch files into .COM programs. These programs cannot be easily read, unlike batch files. As such they can easily hide dangerous instructions. But not from Red Alert! Pictures and text files can also be trojans. The ansi device driver includes a facility for reporgramming the computer keyboard. A picture made up of ansi commands can also reprogram the 'n' key to produce the code for 'y'. In a batch file a picture can be displayed, which also reprograms the keyboard, and then the batch file must issue a format C: command. The operator presses 'n' to abort the format, and the computer gets the signal to carry on. Nasty! Also nasty is reprogramming lots of keys to produce strings such as "format c:", or "echo Y | del *.*". All these are quite common techniques used in ansi and batch file trojans. Fortunately, Red Alert! searchs for them. 22 TYPES OF DATA DESTRUCTION There are many ways to destroy computer data. The two basic methods are deletion, and corruption. Deletion simply implies the data is removed from the disk. Perhaps by "deleting" a file or by "formatting" the disk. Corruption involves replacing data with random values. A "deleted" file is fairly easy to recover, if no additional files have been written to the disk. This is because DOS records the names of all the files on a disk in a table. When a file is "deleted" DOS simply replaces the first character of the file's name within the table. This prevents DOS from locating the file, but the file is left intact on the disk. A program can then replace the first characetr of the file's name to recover the file and its data. It is not so easy to recover data from a formatted disk, but it may sometimes be possible if the format program stored "unformat" information. Recovering data that has been corrupted is impossible! 23 HOW VIRUSES AVOID DETECTION All computer viruses and trojans are programs. That is they are sequences of instructions to the computer. This suggests that a technicaly competent computer programmer can "read" them, if he has the proper tools. Computer viruses try to avoid detection for as long as possible. The longer they remain undetected, the further they can spread and the more damage they can do. If a programmer can read a computer virus, he can in theory detect it. Viruses often avoid being read by being encrypted. The Brain virus, mentioned earlier, also avoided detection by preventing itself being read. However, Brain did not avoid being read by being encrypted, rather it trapped any attempts to read it and showed other data instead of its own code. This is called the "stealth" technique. The tools used by programmers for reading virus programs depend upon the type of virus. A virus stored in a file is read with an assembly debugger. A virus stored in the boot sector is read with a disk editor. Both tools are susceptable to attack from the viruses they are reading. A debugger is used to step through a program, executing one command at a time. Some viruses include instructions that lock the keyboard. Reading them with a debugger is okay untill the keyboard locking commands are executed. Disk editors read disk sectors. Reading disk sectors means making use of the BIOS ROM interrupt 13h. Some viruses take control of this interrupt and can then decide what to let a disk editor see. Inorder to do this though, the virus must already be running, and be in memory. Programs which stay running in memory are called "TSR". Viruses which infect program files must open a file handle to the victim file, and then close it. This sets the file's directory entry to the current computer date and time. It also sets the A attribute of the directory entry. Since it would be an easy matter to notice a change in the directory entry for a file, viruses often read the victim file's date, time and attribute entry and reset them after infecting the file. 24 MESSAGES Red Alert! reports three types of message. Warnings, Yellow Alerts, and Red Alerts. These range in severity from 'possibly rogue' through to 'very possibly rogue'. The least severe 'Warnings' can be disabled with the /NOWARN command line option. Then Red Alert! will only report Yellow and Red Alerts. Red Alert! may produce the following warning messages, where <filename> is substituted for the name of the suspicious file: Low Suspicion warnings: [2]WARNING! <filename> is a hidden executable file (Perhaps a sign of a companion virii). [3]WARNING! <filename> is a hidden file (Perhaps a sign of a companion virii). [6]WARNING! <filename> may contain a call to DOS 'rename file' function (As used by some virii). [7]WARNING! <filename> may contain a call to DOS 'delete file' function (As used by virii). [10]WARNING! <filename> may contain a call to DOS 'Get/Set file attributes' function (As used by virii to cover their tracks). [13]WARNING! <filename> may contain a call to DOS 'format' function (Used to format disk tracks). [18]WARNING! <filename> is a packed file (Makes analysis unreliable). [19]WARNING! <filename> contains a reference to 'virus' (Could be a virus or a virus scanner). 25 Medium suspicion Yellow Alerts: These are warnings of a more severe nature than the standard warnings, suggesting a need for caution with the listed files. These warnings may be disabled with either the /REDONLY or /COMMAND command line parameters. [0]YELLOW ALERT! <filename> has strange time stamp (May be an infected file) [5]YELLOW ALERT! <filename> may remain resident in memory (Some viruses go TSR) [8]YELLOW ALERT! <filename> may contain a call to DOS 'exec' function (As used by companion virii). [9]YELLOW ALERT! <filename> may contain a call to dos 'set file date/time' function (As used by virii to hide their tracks) [15]YELLOW ALERT! <filename> contains a reference to '*.COM' (As used by virii to locate .COM files) [16]YELLOW ALERT! <filename> contains a reference to 'IBMIO.COM' (A VERY important DOS system file) [17]YELLOW ALERT! <filename> may contain a call to DOS 'absolute disk write' function (As used by virus to trash disks). [22]YELLOW ALERT! <filename> is a PKZIP packed file. (The contained files are hidden to Red Alert!) [22]YELLOW ALERT! <filename> is a PKLITE packed file. (The program has been compressed with PKLITE) [26]YELLOW ALERT! <filename> learns if it is an EXE or COM (The program contains code to learn whether it is a .EXE or .COM) (This is suspicious!) [30]YELLOW ALERT! <filename> may contain ANSI key redefinitions (If you display/run the file with ANSI.SYS installed it may redefine some) (keys to produce other values. Common in ANSI-Bomb Trojans) [35]YELLOW ALERT! <filename> is actually an EXE file (The file is suffixed .COM, but is actually an EXE) 26 Very Suspicious Red Alerts: These messages are quite severe. They may show the presence of a virus, trojan or program containing a bomb. It is advisable to check any files listed with a red alert status carefully before using them. If the /MOVE parameter was specified, these warnings will coincide with the offending file(s) being moved to the specified directory. [1]RED ALERT! <filename> may contain code to format drive ?: (For example "format C:") [4]RED ALERT! <filename> may be a VCL encrypted virus (Probably a strain of VCL encrypted virus) Warning 11 has two variants. One for general FAT destruction, and one for drive C: specific FAT destruction commands: [11]RED ALERT! <filename> contains code known to destroy drive C: FAT data (Very dangerous instructions commonly found in virii/trojans/bombs) [11]RED ALERT! <filename> contains code known to destroy FAT data (Very dangerous instructions commonly found in virii/trojans/bombs) [12]RED ALERT! <filename> contains code known to lock the keyboard (May show a virus). [14]RED ALERT! <filename> contains a reference to 'format.com' (An unusual and risky program to exec). [14]RED ALERT! <filename> contains a reference to 'format' (As above, but as used in batch files) [20]RED ALERT! <filename> contains a reference to '[VCL]' (May show a virus produced with VCL). [21]RED ALERT! <filename> contains known virus commands (Very probably a virus)! [23]RED ALERT! Both .COM and .EXE forms of <filename> (May show a companion virus) [24]RED ALERT! <filename> may contain code to delete bulk files (For example "del *.*") [25]RED ALERT! <filename> is encrypted (Common among viruses, but also compression systems such as PKLITE) [27]RED ALERT! <filename> contains code to move itself in memory (Common among TSR viruses) [28]RED ALERT! <filename> searches directories for *.COM (Typical among viruses) 27 [29]RED ALERT! <filename> searches directories for *.EXE (Typical among viruses) [31]RED ALERT! <filename> may open a file handle to command.com (The code analyser detected an attempt to open a file handle to command.com) [32]RED ALERT! <filename> may open a file handle to ibmdos.com (The code analyser detected an attempt to open a file handle to ibmdos.com) [33]RED ALERT! <filename> may capture interrupt 21 [33]RED ALERT! <filename> captures interrupt 21 (Allows the program to redirect DOS function calls) [34]RED ALERT! <filename> may capture interrupt 13 [34]RED ALERT! <filename> captures interrupt 13 (Allows the program to intercept disk editors) Other warning messages cannot be inhibited due to their severity. These include very likely infections of known viruses and the following: RED ALERT! <filename> is probably infected with a virus (Almost certainly a virus!) RED ALERT! <filename> Contains a reference to 'Dark Avenger' (An infamous and prolific virus author) Information messages: INFO <filename> moved to <path> The file triggered a non-inhibited Red Alert, and the command line option /MOVE was declared so the file has been moved to the indicated path. 28 USING RED ALERT! WITH TRANSCAN A number of WildCat BBSs use "Transcan" for scanning uploads. The following text comes from Peter Friedlos, sysop of Ooh! BBS and describes how to use Red Alert! with Transcan: "It [Red Alert!] works with the /Command line set up. It upsets the screen write locally during the transcan though if you compress on line. I don't know if there is a "reject" number so that transcan will reject the file but I just get it to copy the .REP file to a temporary directory and post the results once a night using Postmaster. If you set it up on the page where it lists SCAN and Fprot - it will read the opened files and analyse them. I wouldn't recommend the Move feature with RedAlert if in conjunction with transcan as this will move the tempory files to your "infected" directory and leave the original zip intact. The program works fine if you use it as a stand alone however. If you make a nightly event to run Red Alert on your new uploads path with the MOVE command it works well. Don't forget to manually delete any WildCat database entries for any files that get shunted though." 29 What is Int 21? Users who are not familiar with system level programming may wonder what the fuss is about "int 21". Int 21 is a "door way" into DOS used by, amongst others, the commands for copying files, deleting files and formatting disks. If a program "captures" int 21, it can control how ordinary DOS commands function. The results could be chaotic! Many legitimate programs make good use of this feature. However, because of the risks involved Red Alert! gives a red alert warning of any program which captures int 21. This should not be taken as an indication that the program is a virus, or a trojan. Rather, that the program in question has great power over the operation of the computer, and could be very dangerous. 30 APPENDIX Details of some common viruses Details are supplied here about a few common computer viruses. These details are offered to illustrate some of the effects of, and techniques used by computer viruses. THE VIENNA VIRUS The "Vienna" virus is one of the most prolific, and adapted computer viruses in existence. The source code for the Vienna virus was published in a book called "Computer viruses: A High-Tech Disease" written by Ralf Burger, and published in America. The original version, published in the book, only infects files with the extension .COM which are in the current directory. When a program infected with the Vienna virus is run, Vienna searchs for an uninfected file and infects it by appending a copy of itself to the victim. Usually, the infected programs will still run. However, one in eight infected programs have the first few bytes replaced with instructions that will cause a restart when the program is run. Files infected with Vienna are quite easy to spot as they have a value of 62 in the "seconds" field of the directory time entry. A variant of the Vienna virus is the "Lisbon" virus, so called because it was discovered in Portugal. The Lisbon variant was a modified form of Vienna intended to avoid signature detection. Lisbon also destroys some infected programs, but unlike Vienna it overwrites the start of the program with the text string "@AIDS". From Bulgaria have come a group of Vienna virus variations which include a critical error handler. They don't destroy data by overwriting some program files. Rather they reformat the computer's hard disk drive! VIRAL MESSIAH Viral Messiah is a virus which overwrites .COM and .EXE programs. When an infected program is run, Viral Messiah searches the DOS search path and overwrites five programs with a copy of itself. It then displays a poem on the screen, and if a printer is plugged in to the parallel port, the poem is printed as well. Viral Messiah was wriiten by "Nowhere Man" using VCL V1.0 CODE ZERO Code Zero infects .COM programs on the current disk. When an infected program is run, Code Zero searches the disk for a program to infect. If it finds one 31 it appends a copy of itself to the end of the file. Unfortunately, if the file was actually an EXE file masquerading as a .COM file, then the infected program will no longer run. If Code Zero cannot find any more programs to infect it displays "** CODE ZERO **" and beeps the speaker. KINISON Kinison infects .COM programs on the current disk. When an infected program is run, Code Zero searches the disk for a program to infect. If it finds one it appends a copy of itself to the end of the file. Unfortunately, if the file was actually an EXE file masquerading as a .COM file, then the infected program will no longer run. If an infected program is run on any Friday the 11th of the month, Kinison displays a message in rememberance of the comedian Sam Kinison who was killed by a drunk-driver. It then scrambles the file allocation tables of any disk drives it finds. PEARL HARBOR Pear Harbor is a companion virus, and a shocking example of a bomb. If an infected program is run on December the 7th the anniversary of the Japanese sneak-attack on Pearl Harbor it will display a message asking you to remember Pearl Harbor. If the host computer has its country set to JAPAN, then Pearl Harbor will also corrupt all the files in the directory C:\. To quote the author, "How's that for a sneak-attack, Hirohito?" YANKEE DOODLE The Yankee Doodle virus is circulating in at least two variations. The original infects .EXE files. A variation, Yankee II infects .COM files by appending itself to them. Unfortunately, if the file was actually an EXE file masquerading as a .COM file, then the infected program will no longer run. When an infected program is run, the DOS search path is searched for a file to infect. If the computer's clock reports the time to be between five and seven PM, then the tune "Yankee Doodle" is also played. THE AIDS TROJAN An infamous computer blackmail attempt took place a few years ago. Many companies, including the one I was working for, received through the post an unsolicited disk. The disk claimed to provide information about the "Aids" virus. The disk contained two programs; install.exe and aids.exe. The main program, would not run unless the install program was first run. The install program was actually a trojan. When run install.exe did the following: 1. A subdirectory was created on drive C: This subdirectory had a single 32 character name, ASCII code 255. This made it hidden from DOS DIR commands. 2. Copied INSTALL.EXE from the floppy disk to the new directory as REM .EXE (the space between the "M" and the "." was ASCII code 255, making the file hidden from DIR commands). 3. Renamed AUTOEXEC.BAT to AUTO.BAT. 4. Created a new, and hidden AUTOEXEC.BAT file that runs REM.EXE and then displays the message "For convenience, please use AUTO.BAT." The line calling REM .EXE looked like an ordinary BAT file REM (remark) line. 5. Created a file called AUTOEXEC.BAK which consisted of a single line saying "File not PC found." If this file was displayed with the DOS TYPE command, it would appear as though the file did not exist. The scenario then went on as follows. Aids.exe did indeed provide some information about AIDS. However, after 90 os so reboots, REM.EXE would wipe the hard disk leaving a file called PCCYBORG.DOC that said, inter alia, "lease expired." A complex Trojan, and a very unpleasant one. MICHELANGELO The Michelangelo virus was first reported in April 1991 in Sweden. The Michelangelo virus infects the boot sector of its host computer, and then remains resident in memory when the computer is switched on. When Michelangelo is active, it infects the boot sector of all disks it comes into contact with. Including floppy disks. If the computer's clock reports the date as being the 6th of March, then the Michelangelo virsu will scramble the computer's hard disk by overwriting it with random characters from memory. As with all memory resident viruses, the amount of memory available for programs is reduced. This is one way of detecting the presence of the Michelangelo virus in memory. 33 Red Alert! was written during late 1993 by Matthew Probert and published by Servile Software. This is the Shareware version of the program. You may use this program for a period not exceeding thirty days in order to evaluate it. If you decide to keep it, you must register your copy. To register your copy please fill out and print the order form in the file order.doc and send this with a cheque for 19.95 pounds STERLING made payable to M. PROBERT. Send these to the address below. FOREIGN CUSTOMERS NOTE: Due to high banking charges in the UK, payments made in foreign currency (eg non-sterling) are subject to an additional five pounds surcharge. For example, if you wish to pay for Red Alert in US dollars, the price is 19.95 pounds plus 5 pounds surcharge. Total 24.95 pounds sterling. With an exchange rate of 1.5 dollars to the pound, this works out at 37 US dollars. If you have a problem with a possible virus or trojan program please contact: Matthew Probert Servile Software 5 Longcroft Close Basingstoke Hampshire RG21 1XG Telephone 0256 478576 *** Telephone lines are open 7 days a week ***