comprsca.nfo (text file, 1992-04-12, 7KB, 187 lines)
-====== COMPRSCA.DAT INFO ======-
1 Introduction to Comprsca.dat
2 Executable File Compressor overview
3 Why you should use Comprsca.dat
4 When you should use Comprsca.dat
5 How to use it....
6 Example virusbul.dat
7 Disclaimer
1 Introduction to Comprsca.dat
──────────────────────────────
The introduction of executable file compressors has added a new dimension
to virus scanning. Previously it was fairly easy to scan executable files:
you just ran your favorite scan program and the job was done. If you do this
now, your scanner might miss something, not because you have a bad scanner
but because the virus string it is looking for has been encrypted by an
executable file compressor. The signatures in comprsca.dat will help you
recognize compressed files. They cannot tell you whether a compressed file is
infected internally; that can only be determined by rescanning the file after
it has been extracted to its original size.
2 Executable File Compressor overview
────────────────────────────────────-
Executable file compressors (EFCs) compress your executable files in order
to save disk space. When a program is compressed, a small amount of
extraction code is added to the file. When you run the program, it is
automatically expanded into memory. If you're not familiar with this
phenomenon, you'll be surprised to see how many files on your HD are
compressed with such a program.
Popular EFCs are:
  Pklite
  Lzexe
  Diet
  Exepack
3 Why you should use comprsca.dat
────────────────────────────────-
If you have received new files, it's possible that an infected file has been
compressed and the virus has been encrypted.
Well, you may say: 'my favorite scanner scans inside Pklited and Lzexed files.'
My answer to this is: "Yes, but not always", and never inside Diet and Exepack
compressed files. I sincerely hope they will do this tomorrow.
Compressed files can easily be modified. After modification even the
compressor itself doesn't recognize the file anymore, yet it remains fully
functional. I've seen several examples of this. Some commercial, freeware and
shareware authors use this trick to prevent other people from hacking their
programs. And let's not forget the people who spread viruses.
With this technique they could spread most known viruses, say 600. This
multiplied by 10 (EFC versions) makes 6000 unrecognized viruses.
Of course if you scan your HD regularly, you'll detect that something is
wrong, because other files on your hard disk get infected.
After a "simple" cleaning job your scanner will report that your HD is clean,
but the virus in the encrypted file is not found, and you'll see that the
next time you scan your HD it is possibly reinfected. After a few times this
will drive you mad.
***** So better find them soon rather than later. *******
4 When to use comprsca.dat
──────────────────────────
1 When you want to scan new files.
2 If your HD is regularly reinfected.
Don't worry about compressed files on your HD if your HD is clean after
regular scanning. We advise you to keep a logfile of your compressed
executables, which may be of great importance if situation 2 occurs.
Most of your MS-DOS files are compressed with Exepack. You shouldn't worry
about them either.
5 How to use comprsca.dat
────────────────────────-
These signatures can be used with Htscan and Tbscan. Don't use them with
Tbscan(x).
You can add the sigs in comprsca.dat after the sanity check in Virscan.dat.
This can easily be done with the copy command:
Copy virscan.dat + comprsca.dat xxxxxxxx.dat (xxxxxxxx stands for any valid
prefix name, e.g. findem.dat)
Tell your scanner (e.g. Htscan) which signature file it should use by adding
the switch /V[=]<sign.file> (use the specified virus-signature list).
It could look like this:
Htscan c: /v=findem.dat /o=c:\novirus\htscan.log
Part of htscan.log
DELDIR.EXE 1 time infected with: [Compressed with PKLITE]
GRASPRT.EXE 1 time infected with: [Compressed with EXEPACK.2]
STARTPRT.EXE 1 time infected with: [Compressed with EXEPACK]
UPACKEXE.EXE 1 time infected with: [Compressed with LZX]
IMPORTANT NOTICE: This only means that the files are compressed ......
Future versions of Htscan (1.17) will display a more appropriate message.
Another easy way to use these sigs:
Htscan automatically supports several datfiles:
  Virscan.dat
  Trojan.dat
  Virusbul.dat
Rename comprsca.dat to virusbul.dat and add at the beginning of virusbul.dat:
;$VB-
6 Example Virusbul.dat
──────────────────────
;$VB-
;────────────────────────────────────────────────────────────────────────────-;
;%
;% Signatures for compressed executables
;% Revision: 920208
;% Copyright (C) Saesoft 1991,1992
;% {permission granted for non-commercial use}
;%
;────────────────────────────────────────────────────────────────────────────-;
;
[Compressed with PKLITE]
COM EXE
8E????B9????33FF57BE????FCF3A5CBB409BA
;
[Compressed with PKLITE.2]
──────- cut────────────-cut────────────cut────────────────────────────────-
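As an added example (not part of the original file, nor code from Htscan or Tbscan), the following Python reads a list in the Virusbul.dat layout shown above and reports which compressor signature a file matches. It assumes the usual Virscan.dat convention that "??" in a hex pattern stands for any single byte; the sample bytes and the second signature entry are constructed for the demonstration, while the PKLITE pattern is the one listed in the file.

```python
import re

# Constructed excerpt in the layout shown above: ';' lines are comments, then a
# [name] line, a line of file types, and a hex pattern ('??' = any byte, assumed).
# The PKLITE pattern is from the file; the second entry is a made-up placeholder.
SIG_TEXT = """;$VB-
;% Signatures for compressed executables
;
[Compressed with PKLITE]
COM EXE
8E????B9????33FF57BE????FCF3A5CBB409BA
;
[Compressed with EXAMPLE-EFC]
EXE
DEADBEEF??CAFE
"""

def hex_to_regex(pattern):
    """Translate 'A1??B2' into a bytes regex: fixed bytes literal, '??' any byte."""
    parts = []
    for i in range(0, len(pattern), 2):
        tok = pattern[i:i + 2]
        parts.append(b'.' if tok == '??' else re.escape(bytes([int(tok, 16)])))
    return re.compile(b''.join(parts), re.DOTALL)

def parse_sigs(text):
    """Return (name, file types, compiled regex) tuples from a dat-style list."""
    sigs, name, types = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';'):
            continue  # header / comment lines such as ';$VB-' and ';% ...'
        if line.startswith('[') and line.endswith(']'):
            name, types = line[1:-1], None
        elif name is not None and types is None:
            types = line.upper().split()  # e.g. "COM EXE"
        elif name is not None:
            sigs.append((name, types, hex_to_regex(line)))
            name, types = None, None
    return sigs

def scan(data, ext, sigs):
    """Names of signatures valid for this file extension that match the data."""
    return [n for n, t, rx in sigs if ext.upper() in t and rx.search(data)]

# Constructed samples: filler bytes around the PKLITE pattern with the wildcard
# positions filled with arbitrary values, and a file that matches nothing.
SAMPLE_PKLITE = bytes.fromhex('B8000050 8EC0D8B92A0133FF57BE0001FCF3A5CBB409BA 0000')
SAMPLE_CLEAN = bytes(range(64))
```

Running scan(SAMPLE_PKLITE, 'exe', parse_sigs(SIG_TEXT)) reports only the PKLITE entry, mirroring the "[Compressed with PKLITE]" line in the htscan.log excerpt above; as the notice there says, a hit means the file is compressed, not that it is infected.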
For further information read your scanner's docfiles thoroughly.
To decompress compressed files, you need at least the following programs:
Pklite
Diet
Upackexe
Unlzexe
Read the docfiles thoroughly or use the online help. You can also use other
unpack utilities. If you cannot decompress a file, there are several
possibilities:
1 It was modified after compression by the author of the program.
2 The commercial version of Pklite has been used with the E switch.
3 The above has been done with criminal intentions to spread a virus.
4 Your unpack utility is outdated.
5 It's a false positive.
7 Disclaimer
────────────
The sigs are released by Jan Terpstra with his Virscan.dat.
They are made by Edwin Cleton.
This info has been written by Dean Buhrmann.
These sigs are thoroughly tested, and the persons mentioned above cannot be
held liable for any special, incidental, consequential, indirect or similar
damages caused by false positives or by not detecting a compressed file. We
appreciate any remarks. If you find a compressor which is not detected by
these sigs, please contact us by netmail. (Zone 2)
Edwin Cleton, 512/1007.2 EXACT-TBBS ,31-15-610079,9600,MO,HST,CM,XA
Dean Buhrmann 500/45.10450 Kennemerland,31-23-316333,9600,V22,V32B,V42B,CM,XA
My personal view is that the authors of EFCs should prevent their programs
from being used this way. If a modification has been made after compressing
the file, it should be noticed by the program (self-check). If you're in a
position to inform the authors, please don't hesitate.