Text File | 1992-09-06 | 17KB | 286 lines
--------------------------------------------------------------------
Virus Simulator - Safe & Sterile Virus Protection Validation.
--------------------------------------------------------------------
Virus Simulator
Copyright Rosenthal Engineering 1991 all rights reserved.
3737 Sequoia, San Luis Obispo, CA USA 93401
Version 2.0
VIRSIM.COM generates controlled programs infected with the signatures
(only) of every known virus available. Virus Simulator's ability to
harmlessly compile and infect with safe viruses is very valuable for
demonstrating and evaluating anti-virus security measures without harm
or contamination of the system. The infected programs can be renamed
and copied to other disks and directories as bait for virus detecting
programs.
Viruses are a form of terrorism and require many of the same
precautionary measures. Airports test the effectiveness of their
security measures in much the same way. An official disguised as a
passenger will attempt to bring a disarmed bomb through, trying to evade
security measures and avoid detection. Real viruses, like real
terrorists, are much more difficult to test with. The test viruses
generated by Virus Simulator are safe and sterile, but form a validation
test suite that triggers vigilant virus detectors.
Because of the security nature of this program, you should not trust it
to be harmless unless you can directly trace its source to Rosenthal
Engineering without compromise. Never make copies from anything other
than the original write protected distribution disk. Remove all test
viruses from your system immediately after completing tests. Insist on
having Virus Simulator generate your own unique simulation files and
never accept or distribute the simulated viruses themselves. This is
especially important if the simulations are to retain their safe and
sterile integrity.
Virus Simulator creates simulated test suites for every known virus
available at the time of release. Real viruses are most often not
created from scratch, but by modifying existing viruses and thus pose
additional problems for virus detecting programs. To further emulate
real viruses that might actually be encountered, Virus Simulator creates
a completely new modified simulated virus the same way. No two files or
disks will be created identically. New virus signatures are regularly
being added, so the latest version is sent by first class mail directly
for a single user license registration fee of $25 (US).
Businesses, corporations, government agencies and institutions require
a negotiated site license.
Virus Simulator prompts the user to generate any (or all) of three test
suite types: Files, boot sector, and memory.
1) Generate A:\VIRUS\VIR_#.COM & .EXE files. (Erase to remove)
2) Overwrite A: boot with (new) simulated virus (Format A: to remove)
3) Install memory test simulated virus (Power off system to remove)
VIRSIM.COM compiles simulated viruses directly. VIRSIM.COM itself is
virus-free, and when scanned by virus detection programs, must always
be found free of infection. Only the simulated viruses should result
in any infection report. Each time Virus Simulator is run, it generates
a completely new and unique test suite of simulated viruses with
accompanying documentation. The text files A:VIR_LIST.DOC and
A:VIR_BOOT.DOC are created at execution time and provide an audit trail
describing each unique virus test simulation suite. Executing the
generated test suite programs is not required, and they will only
display their Rosenthal Engineering origin. The virus signature strings
contained within the individual test suite member programs are protected
from entering execution, but will be detected by a virus scanner.
Virus Simulator will only generate file and boot sector simulations on a
formatted disk in drive A:. You must have an A: drive. Copy VIRSIM.COM
to whatever drive you wish to run it from. Precautions have been taken
to force VIRSIM to run only from the directory it appears in so no
paths, please.
NOTE. A:> VIRSIM or C:> VIRSIM (works ok)
C:> A:VIRSIM or C:>\TEST\VIRSIM (won't work)
Place a freshly formatted diskette in the A: drive. This diskette
will receive the generated test virus simulation suite. If you select
the "2) Overwrite A: boot sector" option, the system will not be
bootable from this disk, but will display an "Infected with simulated
boot sector virus" message if you attempt to boot from the diskette.
If you select the "1) Generate A:\VIRUS\VIR_#.COM & .EXE files" option,
VIRSIM.COM will generate a subdirectory on the diskette containing
a set of simulated virus-infected files which are named with sequential
numbers as VIR_[#].COM or .EXE. The A:\VIRUS\VIR_#.COM or .EXE files
can be renamed and copied to other disks (including hard disks) for
testing, but remember to erase all test viruses after completing your
tests.
If the "3) Install memory test virus" option is selected, a warning
message will appear in the upper right corner of the screen until power
for the system is turned off. When power is restored, the system will
return to normal, and the memory virus test suite will be removed.
Run VIRSIM and follow the prompts. Then, scan for viruses. A note here
about false alarms, especially when using disk caching. Anytime you
read or write using a disk, the data is first buffered by memory. If
you've just written or read a test suite, your virus scanning program
may discover it still in the disk buffer memory. Just power down the
system and watch it go away.
These test suites are only safe and sterile simulations to evaluate your
security measures. A virus detecting program is validated when it
detects and reports the presence of the simulated viruses. Virus
detecting programs that fail to find these simulations may indeed
discover their real counterparts and variations, but should only
be trusted after that ability is demonstrated.
- - - - - - - - - - -
History of Virus Simulator
Virus Simulator was first developed to support testing my System Monitor
program. System Monitor is not a virus scanner or even a program devoted
to virus protection. It installs in your IBM PC/XT/AT 386 or 486
Compatible computer to test and extensively monitor a number of
performance indicators. Each time you use your computer, System Monitor
re-evaluates the system and alerts you to any discrepancies it finds
with an announcement that is hard to ignore.
You install System Monitor as soon as you're confident that your
computer is configured and operational. From then on, System Monitor
will intervene immediately upon detecting problems, usually long before
a user even suspects any difficulty. This early monitoring and detection
is essential in avoiding and correcting problems before they can
compound and provides formidable anti-virus protection.
Virus Simulator can help determine which anti-virus programs are best
for you. These programs then can be installed ahead of System Monitor so
a virus that attempts to disable either of these programs will have the
very Herculean task of disabling or circumventing them both or risk
detection by the other.
The first version of Virus Simulator was only intended as a tool to
assist volunteers who were beta testing System Monitor in a real world
environment. Before beta testing, System Monitor had been tested in a
controlled environment, using a considerable collection of real viruses.
You can imagine the enthusiasm my beta testers showed to turning real
viruses loose on their systems.
During the beta testing of System Monitor, we discovered a real need for
Virus Simulator beyond its original intention. Some virus detectors not
only didn't find the simulated viruses... on closer inspection, they
didn't find the real ones either. We found several cases where no
security procedures were being adhered to and even though the
organization had acquired a site license for a very capable program, few
users had ever run it. Additionally, a virus detecting program thought
to be protecting a system used to duplicate distribution disks for other
offices was found to be an obsolete version which missed nearly all of
the current viruses. No virus protection program will ever be effective
without the cooperation of its users, and Virus Simulator provides a
means to verify compliance with established security procedures.
The current version of Virus Simulator creates simulated test suites for
every known virus available.
- - - - - - - - - - -
Statistics, Probability and Making Sense of Tests
Virus Simulator makes an infinite number of simulated test viruses by
varying each one in a different way. This is much the same way a real
virus might be discovered in the world at large. Even testing with a
program infected with a real virus cannot assure every combination will
be examined. Is it a .COM file, .EXE, system, compressed? Is it the same
for all programs or just large ones? How about files created before or
after a certain date or time? What about a virus that was modified, even
trivially, offset a few bytes, or changed from one message to another?
Or a virus that only attacks one vendor's brand of software? The only
way to test with any kind of absolute certainty would be to perform
tests with every combination and variation, and even then, hope you
didn't overlook any.
Now, try that with well into many hundreds of viruses and combinations.
It becomes apparent that no matter how exhaustive the tests are, they
are just random, probabilistic distributions. The study of probability
assumes that you know the entire population or universe from which you
are going to sample. Statistics assumes that you have only a sample and
that you are trying to determine, or at least guess, the parameters or
characteristics of the most likely population or source from which the
sample was taken. That's what Virus Simulator supplies, a large enough
sample population size to establish statistical significance with some
reliability.
Allowing Virus Simulator to fill a single 360 K disk should be more than
adequate to support reliable testing. Although a 1.2 M disk offers some
improvement, additional disks offer ever diminishing benefits, as the
distribution confidence interval shows an insignificant improvement
beyond that point. In other words, for files... one disk ought to do it.
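The diminishing-returns argument above, worked as an added example (not part of Virus Simulator or its documentation): it reconciles a scanner report against the planted VIR_#.COM/.EXE files and puts a 95% confidence interval on the detection rate. The file list, scanner report and file counts are constructed, and the Wilson score interval is the method chosen here, since the document names none.

```python
import math

def wilson_interval(detected, total, z=1.96):
    """95% Wilson score interval for a detection rate of detected/total."""
    if total <= 0:
        raise ValueError("no test files were scanned")
    p = detected / total
    denom = 1 + z * z / total
    centre = (p + z * z / (2 * total)) / denom
    half = z * math.sqrt(p * (1 - p) / total + z * z / (4 * total ** 2)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)

def evaluate(planted, flagged):
    """Reconcile the planted simulation files with what the scanner reported."""
    planted = {name.upper() for name in planted}   # DOS names are case-insensitive
    flagged = {name.upper() for name in flagged}
    detected = len(planted & flagged)
    return {
        "detected": detected,
        "missed": sorted(planted - flagged),
        # Anything flagged that was never planted, e.g. VIRSIM.COM itself,
        # which the documentation says must always scan clean.
        "false_alarms": sorted(flagged - planted),
        "rate_95": wilson_interval(detected, len(planted)),
    }

def interval_width(rate, n):
    """Width of the 95% interval if `rate` were observed on n test files."""
    low, high = wilson_interval(round(rate * n), n)
    return high - low

# Constructed sample: ten planted files, and a constructed scanner report
# that misses two of them and wrongly flags the generator.
PLANTED = [f"VIR_{i}.COM" for i in range(1, 6)] + [f"VIR_{i}.EXE" for i in range(6, 11)]
FLAGGED = ["vir_1.com", "VIR_2.COM", "VIR_3.COM", "VIR_5.COM", "VIR_6.EXE",
           "VIR_7.EXE", "VIR_8.EXE", "VIR_10.EXE", "VIRSIM.COM"]

if __name__ == "__main__":
    print(evaluate(PLANTED, FLAGGED))
    for n in (100, 300, 1000):      # assumed file counts, not figures from the document
        print(n, round(interval_width(0.90, n), 3))
```

Each step up in file count narrows the interval by less than the previous step did, which is the shape of the "one disk ought to do it" claim.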
Testing using boot sector viruses is another matter because, unlike the
hundreds of files that can be created on a disk by Virus Simulator,
there is only one boot sector per disk. You can generate a simulated
boot sector virus onto as many different disks as you like, or overwrite
a single disk repeatedly. A new simulation will be generated each time.
Evaluating anti-virus measures with viruses active in memory should only
be demonstrated with simulated viruses produced by Virus Simulator,
never real viruses. You're fairly safe scanning a write protected disk
which contains a real virus, providing you don't attempt to run it or
boot from the disk. However, a virus active in memory is another story.
A real virus active in memory has taken over control of your
system. Any validation tests you attempt at this point would be
suspect. Virus Simulator provides a safe way to validate your
anti-virus measures against viruses present in memory.
You'll find that some scanners stop immediately upon discovering the
first virus in memory, while others continue to scan until they have
reported every virus they can find. An argument can be made for either
approach, but the important thing is to show that the scanner reveals
a virus in memory.
System Administrators should design their own tests to see which users
are practicing safe computing and complying with established safeguards.
The amount of user cooperation required by anti-virus programs varies.
Some users require more automatic and regimented procedures, and Virus
Simulator provides system administrators with a practical way to
evaluate the overall effectiveness of their security measures. These
simulated test viruses are sterile; they won't reproduce and spread by
themselves, so they have to be planted (copied). Such an exercise can go
a long way to raising the vigilance of complacent users, so when a real
virus attacks, destructive damage is held to a minimum.
- - - - - - - - - - -
Shareware Announcement
Please feel free to use and evaluate this software without charge for 10
days. You are encouraged to copy and distribute it freely, provided it
remains unmodified, complete in its original form and no fee (other
than a nominal copy charge) is required. This software is provided "as
is" without warranty either expressed or implied.
This software is fully functional and not copy protected or crippled. If
you determine it to be useful, you must register it before the end of
the 10 day evaluation period.
Once the required registration fee is received, the latest registered
version will be sent directly by (US) priority first class mail.
- - - - - - - - - - -
Software License agreement
This Software is copyrighted material. It is not sold, but licensed. The
registration fee must be paid before the free 10 day evaluation period
expires or use of the software discontinued.
You are encouraged to copy and distribute Virus Simulator freely
provided it remains unmodified, complete in its original form and no
fee (other than a nominal copy charge) is required. This software is
provided "as is" without warranty either expressed or implied.
You may not make any changes or modifications to the software and you
may not decompile, disassemble or in any way reverse engineer the
software.
This constitutes the entire agreement and understanding between the
parties and supersedes any prior agreement or understanding, whether
oral or written and may only be modified in writing.
This software is provided "as is" without warranties of any kind.
Responsibility rests entirely with the user to determine its fitness for
a particular purpose. ROSENTHAL ENGINEERING SHALL NOT IN ANY CASE BE
LIABLE FOR SPECIAL, INCIDENTAL, CONSEQUENTIAL, INDIRECT OR OTHER SIMILAR
DAMAGES ARISING FROM ANY USE OF THIS SOFTWARE. Some states may not allow
these limits on warranties, so they may not apply to you. In no case
shall Rosenthal Engineering's liability exceed the license fees paid by
you to Rosenthal Engineering for the right to use the Licensed Software.
The single user license is obtained by sending your check for $25 (US)
to:
Rosenthal Engineering, 3737 Sequoia, San Luis Obispo, CA 93401 USA
Businesses, corporations, government agencies and institutions require a
negotiated site license.