Text File | 1992-11-01 | 7KB | 181 lines
┌───────────────────────────────────────────────────┐
│ "Mate(s) it simply makes sense, make a backup..." │▐
└───────────────────────────────────────────────────┘▐
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
-====== COMPRSCA.DAT INFO ======-
0 Revision 921101
1 Introduction to Comprsca.dat
2 Executable File Compressor overview
3 Why you should use Comprsca.dat
4 When you should use Comprsca.dat
5 How to use it....
6 Hint for Sysops
7 What's new!!
8 Disclaimer
1. Introduction to Comprsca.dat
──────────────────────────────
The introduction of executable file compressors has added a new dimension
to virus scanning. Previously it was fairly easy to scan executable files:
you just ran your favorite scan program and the job was done. If you do this
now, it is possible your scanner misses something, not because you have a
bad scanner but because the virus string it is looking for has been encrypted
by an executable file compressor. The signatures in comprsca.dat will help
you to recognize compressed files. They cannot tell you whether a compressed
file is infected internally. That can only be determined by rescanning the
file after it has been extracted to its original size.
2. Executable File Compressor overview
─────────────────────────────────────
Executable File Compressors (EFCs) compress your executable files in order
to save disk space. When a program is compressed, a small amount of
extraction code is added to the file. When you run the program, it is
automatically expanded in memory. If you're not familiar with this
phenomenon, you'll be surprised to see how many files on your HD are
compressed with such a program.
Popular EFCs are:
- Pklite
- Lzexe
- Diet
- Exepack
- Tiny
- Compack
3. Why you should use comprsca.dat
─────────────────────────────────
If you have received new files, it's possible that an infected file has been
compressed and the virus has been encrypted.
Well, you may say 'my favorite scanner scans inside Pklited and Lzexed files.'
My answer to this is: 'Yes, but not always, and never inside Diet, Exepack,
Compack and Tiny compressed files.' I sincerely hope they will do this
tomorrow.
Compressed files can easily be modified. After modification even the
compressor itself doesn't recognize the file any more, yet it remains fully
functional. I've seen several examples of this. Some commercial, freeware and
shareware authors use this trick to prevent other people from hacking their
programs. And not to forget the people who spread viruses.
With this technique they could spread most known viruses, say 600. Multiplied
by 10 (EFC versions) that makes 6000 unrecognized viruses (droppers).
Of course, if you scan your HD regularly you'll detect that something is
wrong, because other files on your hard disk get infected.
After a 'simple' cleaning job your scanner will report that your HD is clean,
but the virus in the encrypted file has not been detected, and the next time
you scan your HD you'll see that it is possibly reinfected. After a few
times this will drive you mad.
***** So better find them soon rather than later. *******
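As an added illustration of what sections 1 and 3 describe (this is not code from the info file, from Htscan or from comprsca.dat), a small Python model of the problem: a string scanner sees nothing in a packed file because the virus string only exists inside the compressed body, a packer signature tells you the file is packed, and only a rescan after extraction finds the virus. The packer markers, the virus string, the zlib "packer" and the errorlevel values are all constructed for the example.

```python
import zlib

# Stub markers standing in for packer signatures (constructed for this
# example; they are NOT the sigs shipped in comprsca.dat).
PACKER_SIGS = {
    "PKLITE": b"PKLITE Copyright",
    "LZEXE": b"LZ91",
    "EXEPACK": b"Packed file is corrupt",
}
VIRUS_SIGS = {"DEMO.VIRUS": b"DEMO VIRUS STRING"}  # made-up string, demo only
# Constructed exit codes in the spirit of Htscan's batch-file errorlevels.
CLEAN, VIRUS_FOUND, COMPRESSED_FOUND = 0, 1, 2

def find_sigs(data, sigs):
    """Names of every signature whose byte pattern occurs in data."""
    return sorted(name for name, pat in sigs.items() if pat in data)

def pack(body, packer):
    """Toy EFC output: MZ header, extraction stub, then the original
    program deflated with zlib (standing in for the packer's own scheme)."""
    return b"MZ" + bytes(26) + PACKER_SIGS[packer] + zlib.compress(body)

def unpack(data, packer):
    """Reverse pack(): skip past the stub marker and inflate the body."""
    start = data.index(PACKER_SIGS[packer]) + len(PACKER_SIGS[packer])
    return zlib.decompress(data[start:])

def scan(data):
    """Single pass over the raw bytes: virus sigs first, then packer sigs."""
    viruses = find_sigs(data, VIRUS_SIGS)
    if viruses:
        return viruses, VIRUS_FOUND
    packers = find_sigs(data, PACKER_SIGS)
    if packers:
        return packers, COMPRESSED_FOUND
    return [], CLEAN

def scan_and_rescan(data):
    """What the text recommends: once a packer is recognised, extract the
    original image and scan it again; the virus string is only visible there."""
    findings, level = scan(data)
    if level != COMPRESSED_FOUND:
        return findings, level
    for packer in findings:
        inner, inner_level = scan(unpack(data, packer))
        if inner_level == VIRUS_FOUND:
            return [v + " inside " + packer for v in inner], VIRUS_FOUND
    return findings, level

# Constructed sample: an uncompressed program image carrying the virus string.
INFECTED = b"MZ" + bytes(26) + b"MOV AX,4C00h INT 21h " * 4 + b"DEMO VIRUS STRING"
```

Scanning `pack(INFECTED, "PKLITE")` with `scan()` reports only the packer, while `scan_and_rescan()` reports the virus inside it.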
4. When to use comprsca.dat
──────────────────────────
1 When you want to scan new files.
2 If your HD is regularly reinfected.
Don't worry about compressed files on your HD if your HD is clean after
regular scanning. We advise you to keep a logfile of your compressed
executables, which may be of great importance if situation 2 occurs.
Most of your MS-DOS files have been compressed with Exepack. You shouldn't
worry about them either.
5. How to use comprsca.dat
─────────────────────────
We recommend the use of the powerful features of HTSCAN Version 1.17+. This
version fully supports these compressed signatures. Other scanners (tbscan)
may not perform the same and in some cases may not perform at all.
Just copy comprsca.dat to the directory where you keep the other .dat files.
That's all.... syntax example: Htscan c: /o=htscan.log
Htscan uses its own hardcoded signatures to detect compressed executables,
but you'll notice more of them are detected when Htscan uses comprsca.dat.
As a side note, at detection time the signatures triggered by comprsca.dat can
be recognized by their names being in all UPPERCASE, as Htscan's internal
signatures are only partly uppercase.
For further information read your scanner docfiles thoroughly.
To decompress compressed files, you need at least the following programs:
- Pklite
- Diet
- Upackexe
- Unlzexe
Read the docfiles thoroughly or use the online help. You can also use other
unpack utilities. If you cannot decompress a file, there are several
possibilities:
1 It was modified after compression by the author of the program.
2 The commercial version of pklite has been used with the E switch.
3 The above has been done with criminal intentions to spread a virus.
4 Your unpack utility is out of date. Unpack programs are not always upwards
compatible.
5 It's a false positive (not likely).
6. Hint for Sysops
─────────────────
Htscan is an extremely useful tool for system operators. Used in a batch file,
it exits with a specific errorlevel if a virus, compressed executable,
changed header etc. has been found, so you can take appropriate action.
This is perfect for automated scanning procedures.
Extensive information is available in Htscan.doc.
7. What's new!!
──────────────
comprsca.dat Revision 921101
1) Improved Pklite detection, added new sig.4 (again)
8. Disclaimer
────────────
The sigs are released by Jan Terpstra with his Virscan.dat (VsigYyMm.Zip)
They are made by Edwin Cleton (2:512/1007.2@fidonet)
This info has been written by Dean Bührmann (2:500/45.10450@fidonet)
These sigs are thoroughly tested with Htscan, and the persons mentioned above
cannot be held liable for any special, incidental, consequential, indirect or
similar damages caused by false positives or by not detecting a compressed
file. We appreciate any remarks. If you find a compressor which is not detected
by these sigs, contact us by netmail please. (Zone 2)
Edwin Cleton, 512/1007.2 EXACT-TBBS, 31-15-610079,9600,MO,HST,CM,XA
Dean Bührmann 500/45.10450 Kennemerland,31-23-316333,9600,V22,V32B,V42B,CM,XA
My personal view is that the authors of EFCs should prevent their programs
from being used this way. If a modification has been made after compressing
the file, it should be noticed by the program (self-check). If you're in a
position to inform the authors, please don't hesitate (DB).