home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.96
< prev
next >
Wrap
Text File
|
1995-01-03
|
5KB
|
111 lines
VIRUS-L Digest Friday, 21 Apr 1989 Volume 2 : Issue 96
Today's Topics:
re: Hiding Viruses by Intercepting Output
McAfee's SENTRY a-v software (PC)
re: Virus disassemblies (PC)
[Ed. I apologize for sending out such a short digest; we're testing a
mail<-->news gateway and need something to feed it.]
---------------------------------------------------------------------------
Date: 21 April 1989, 08:51:33 EDT
From: David M. Chess <CHESS@YKTVMV.BITNET>
Subject: re: Hiding Viruses by Intercepting Output
> Could anyone tell me how this method of hiding a virus
> would fail?
The "Brain" virus (I think it is) does something very much like
this. It fails when a user who is checking out an infected
diskette does the checkout on a *clean* system, in which the
virus hasn't gotten control. Another illustration of how
important it can be to get your system into a known clean
state before doing virus-scanning. DC
------------------------------
Date: FRI APR 21, 1989 11.47.23 EST
From: "David A. Bader" <DAB3@LEHIGH.BITNET>
Subject: McAfee's SENTRY a-v software (PC)
I just had the chance to try out John McAfee's Sentry Anti-viral
software for the PC, and frankly - it is worthless. I followed the
instructions on installation, and it automatically places itself in
autoexec.bat and reboots (maybe John, you could have told me that you
were going to modify my file, or that you would do a cold boot - for
me, it matters.) Anyway, After Sentry did a check of filesize and a
random checksum at the beginning, middle, and end of every file on my
harddisk, it told me nothing. Ok, so I run Sentry a second time just
to see what happens and I get told my interrupt vectors have changed
and I should contact someone because that could mean a virus. Have you
ever heard about FASTOPEN, or FluShot Plus, or one million other
programs that I give permission to to take over my interrupt vectors?
You could at least scan the memory tables and tell me who the owner of
the interrupt vectors is. And then, after taking a minute to scan all
my files, I would appreciate "XXXXX file changed since last use" - NOT
"3 files were modified".. Useless, John, absolutely useless.
-I'm sticking with FluShot Plus!
-David Bader
DAB3@LEHIGH
------------------------------
Date: 21 April 1989, 14:06:08 EDT
From: David M. Chess <CHESS@YKTVMV.BITNET>
Subject: re: Virus disassemblies (PC)
Some comments on Jim Goodwin's comments.
> It is also the first virus I've come across
> that will NOT infect a true IBM PC. It will only infect clones. The
> code to test for the true blue IBM machine was quite simple, and
> follows:
If you'll look carefully at that code, you'll notice a bug; the last
compare should be a BYTE compare, not a word compare. As it is, it's
testing for "IBM" followed by a byte of 00. Even True Blue IBM BIOSs
don't have that, so in fact it will work identically on IBMs and
clones. (Either the virus writer didn't have a real IBM to test on,
or he's intentionally trying to confuse us!) So it *will* infect a
true IBM PC (I've tested it).
The two levels of encryption are just a couple of XORs; one simple way
to crack most of it is to let it run (on a machine with no hard disks,
of course!) up to the point where it has finished descrambling itself,
and then dumping the descrambled code to disk and killing the
execution.
COM and EXE files: The only virus that I know of that will infect both
is the Jerusalem. The only other virus that I know that will infect
EXE files is the EXE flavor of the April 1st Israeli virus. All the
others I know of are either COM or boot infectors. Do you know of
other EXE infectors? I'm sure the list would be interested.
All the COM and EXE infectors that I know of use INT21 to do their
infecting. Do you know of some that don't? It's possible in theory
of course, but I've never seen one. Again, I'm sure the list would be
interested.
> we have it in over 6,000 systems now and it has
> caught us a total of 31 new viruses.
Wow! Only about 14 or 15 (counting liberally) PC-DOS viruses have
been reported on this list. Do you have capsule summaries of the
viruses you've found? (Or does that 31 perhaps include viruses for
other operating systems, or perhaps some non-virus Trojan horses?)
Sounds like you've got a gold mine of information, there! I'll
attempt to check out the BBS myself.
Dave Chess
Watson Research
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253