Rosenthal Engineering, P.O.Box 1650 San Luis Obispo, CA USA 93406
e-mail doren@slonet.org http://slonet.org/~doren/
--------------------------------------------------------------------
Rosenthal Virus Simulator and Supplements
Safe & Sterile Viruses
Validate Security Measures
--------------------------------------------------------------------
The time to be concerned about computer viruses is before you get one.
Virus Simulator and Supplements are intended to help users and technical
managers understand the problems viruses pose and provide a practical
way to exercise the protective measures they have taken to defend their
computer systems.
These Virus Simulator programs generate safe and sterile, controlled
test suites of sample virus programs. Virus Simulator's ability to
harmlessly compile and infect with safe viruses is valuable for
demonstrating and evaluating anti-virus security measures without harm
or contamination of the system. The infected programs can be used as
bait for virus detecting programs to gain practical virus protection
experience.
Informed, experienced users are more knowledgeable and better prepared
to protect themselves and others they exchange information with.
Real Viruses or Simulated Viruses for Testing
These test virus simulations are not intended to replace the
comprehensive collection of real virus samples as maintained by
Rosenthal Engineering and other anti-virus product developers for
testing. They are, however, suitable for use by general and advanced
users, system administrators and educators. These virus simulations set
off virus detectors for testing and demonstration without the danger
associated with their malicious virus counterparts.
The simulators all produce safe and controlled dummy test virus samples
that enable users to verify that they have installed and are using their
virus detecting programs correctly, additionally affording an
opportunity for a practice training exercise under safe and controlled
conditions.
- - - - - - - - - - -
Access to the Rosenthal Engineering Virus Collection
The Virus Simulators and supplements are really intended to give users
some hands-on practical experience using their virus protection
products, on their own systems, without using live ammo. The simulators'
ability to actually test products exhaustively is limited. That's why
Rosenthal Engineering maintains a very comprehensive collection of real
sample viruses for testing at our facility.
Most users find these simulated viruses more than adequate for their
needs, however anyone requiring access to our independent virus sample
collection should contact us directly. The collection is generally
recognized as one of the most comprehensive, verifiable available
anywhere. It is accessible, in our facility, on a workstation dedicated
for testing with real viruses.
- - - - - - - - - - -
Obtaining a Trusted Virus Simulator Copy
Because of the security nature of this program, you should not trust it
to be harmless unless you can directly trace its source to Rosenthal
Engineering without compromise. Never make copies from anything other
than the original write protected distribution disk. Remove all test
viruses from your system immediately after completing tests. Insist on
having the Virus Simulators generate your own unique simulation files
and never accept or distribute the simulated viruses themselves. This is
especially important if the simulations are to retain their safe and
sterile integrity.
There are several programs that generate the sample test viruses: Virus
Simulator and the Virus Simulator Supplements. Virus Simulator is
distributed as shareware. If you find the program useful, you are
requested to fill out and return the ORDER.FRM with registration
payment. When the registration fee is received, the latest version of
Virus Simulator along with all the Virus Simulator Supplements is sent
by priority first class or international airmail. Business,
corporations, government agencies and institutions require a negotiated
site license. The Virus Simulator Supplement "A" is included with the
shareware evaluation version, but the other supplements are available
only to registered users, and are not shareware.
Registered copies of Virus Simulator are sent on write protected
diskettes in mailers protected by a special "Tamper Resistant" seal.
- - - - - - - - - - -
Virus Simulator
Virus Simulator VIRSIM.COM creates a simulated test suite of COM and EXE
programs as well as boot sector and memory resident viruses. These
programs contain the signatures (only) from real viruses. The programs
themselves are not really infected with anything, but contain carefully
selected portions of code from their real virus counterparts. Whenever
possible, these sections of code or virus signatures are selected to
trigger vigilant virus detectors. Since these are really only dummy
viruses, not all infected program simulations produced by Virus
Simulator will trigger every virus detecting program.
In addition to simulating COM and EXE infected files, Virus Simulator
allows the user to experiment with boot sector and memory resident virus
simulations. Again, signatures (only) from real viruses are used, but
the boot sector of the floppy disk is actually overwritten with real,
executable code (you can verify this by resetting the system with the
test floppy disk in place). The memory resident virus simulation
actually puts a suspicious program in memory and displays its presence
on screen.
Most often, real viruses are not created from scratch, but by modifying
existing viruses and thus pose additional problems for virus detecting
programs. To further emulate real viruses that might actually be
encountered, Virus Simulator creates a completely new modified simulated
virus the same way. No two files or disks will be created identically.
Virus Simulator prompts the user to generate any (or all) of three test
suite types: files, boot sector and memory.
1) Generate A:\VIRUS\VIR_#.COM & .EXE files. (Erase to remove)
2) Overwrite A: boot with (new) simulated virus (Format A: to remove)
3) Install memory test simulated virus (Power off system to remove)
Any or all of the options may be selected at the same time.
Place a freshly formatted diskette to be infected in the A: drive. If
you select the "2) Overwrite A: boot sector" option, the system will
not be bootable from this disk, but will display an "Infected with
simulated boot sector virus" message. Virus Simulator actually
overwrites the boot sector with executable code; programs that purport to
intervene in this situation should report that.
The A:\VIRUS\VIR_#.COM or .EXE files can be renamed and copied to other
disks for testing but remember to erase all test viruses after
completing your tests.
If option three ( "3) Install memory test virus" ) is selected, a
warning message will appear in the upper right corner of the screen
until power for the system is turned off. When power is restored, the
system will return to normal, and the memory virus will be removed.
Virus Simulator actually places a suspicious test program in memory as a
simulation, and programs that purport to intervene in this situation
should report the memory resident program.
How to Use Virus Simulator (VIRSIM.COM)
Copy your special write protected distribution disk to your working
drive and store the original in a safe place.
Run VIRSIM at the DOS prompt, and follow the directions displayed. Then
use your anti-virus program to scan for viruses following the directions
supplied with that product. A note here about false alarms especially
when using disk caching. Anytime you read or write using a disk, the
data is first buffered by memory. If you've just written or read a test
suite, your virus scanning program may discover it still in the disk
buffer memory. Just power down the system and watch it go away.
These test suites are only safe and sterile simulations to evaluate your
security measures. A virus detecting program is validated when it
reports the simulations. Virus detecting programs that fail to find
these simulations may indeed discover their real counterparts and
variations, but should only be trusted after that ability is
demonstrated.
Virus Simulator and Virus Simulator Supplements will only generate file
and boot sector simulations on a formatted disk in drive A:; you must
have an A: drive. Copy VIRSIM.COM and VSIM_A.COM (and, for registered
users only, VSIM_B.COM, VSIM_C.COM and VSIM_MtE.COM) to whatever drive
you wish to run them from. Precautions have been taken to force VIRSIM to
run only from the default directory.
NOTE. A:> VIRSIM or C:> VIRSIM (works ok)
C:> A:VIRSIM or C:>\TEST\VIRSIM (won't work)
VIRSIM.COM (and the supplements) compiles simulated viruses directly and,
when scanned by virus detection programs, must always indicate being
free of infection. Only the simulated viruses should report any
infection. Each time Virus Simulator is run, it generates a completely
new and unique suite of simulations with accompanying documentation.
Text files A:VIR_LIST.DOC and A:VIR_BOOT.DOC are created at execution
time and describe each unique virus test simulation suite. Executing the
generated test suite programs is not required. If executed, they will
only display their Rosenthal Engineering origin.
Windows users should shut down Windows and restart in DOS mode to create
the simulations. Then restart Windows and employ their normal anti-virus
measures to detect the samples.
- - - - - - - - - - -
Virus Simulator Supplement "A" (Included)
Once you have gained experience using the original Virus Simulator
VIRSIM.COM, the supplements offer additional insights into how viruses
work, and more importantly, how to defend against them. Use VIRSIM.COM
to verify your anti-virus product is installed and you are using it
correctly before advancing to the supplements.
VSIM_A.COM is one of several additional supplements included as part of
the Rosenthal Virus Simulator test suite. Safe test bait for virus
detecting programs is generated to help users better prepare to protect
themselves. Virus Simulator's ability to harmlessly compile and infect
with safe virus samples provides a means to demonstrate, evaluate and
confirm the correct installation and use of anti-virus security
measures.
Supplement "A" creates the functional, but controlled, test virus sample
VIRUS_A.COM on the A: floppy diskette. This program is capable of
replicating throughout any drive it is copied to for one hour upon
informing the user and receiving permission. After expiring, it removes
itself and any copies it made on that drive if run again.
Included with other safeguards, the test virus generated by this
supplement has a limited life span. It will only replicate throughout
the drive for a limited time. Take a moment to confirm your system's date
and time are set correctly. The sample will only replicate during that
one hour period (see the file date). Outside of that period, running the
virus will disinfect (remove) itself and all copies of itself anywhere
on the same drive.
Place a formatted diskette in the A: floppy disk drive as before. Run
VSIM_A.COM at the DOS prompt and confirm the date and time displayed at
the top of the screen are accurate. Virus Simulator Supplement "A" will
generate two files on the A: floppy diskette, VIRUS_A.COM a live, safe
and controlled, replicating virus, and VIRUS_A.DOC, a brief ASCII text
documentation file describing the test virus.
There is no need to run VIRUS_A.COM to practice employing your
anti-virus product to detect and remove it. However, should you wish to
experiment or have any doubts that it will replicate, simply copy
VIRUS_A.COM from the floppy disk to your hard drive and run it from
there. It will announce and display its intention, then ask your
permission to proceed. If you consent, enter "Y" and it will replicate
itself throughout the drive. You can then gain practical experience
using your anti-virus product to detect and remove it.
One hour to detect and remove the test samples should be more than
adequate for any capable anti-virus product. If you fail to detect or
remove any of the Virus Simulator Supplement "A" samples, running
VIRUS_A.COM (or copies it created) one hour after its creation will
remove itself and any copies that remain on that drive. Vigilant
anti-virus products should have no problem demonstrating their
capabilities with the Virus Simulator Supplement "A" samples.
- - - - - - - - - - -
Virus Simulator Supplement "B"
The Virus Simulator "B" Supplement provides users with hands on
experience protecting themselves from a boot sector virus. Although
easily detected, these are by far the most prolific and extremely
infectious. Like the other simulations the test samples are completely
safe, but are far more operational, and provide users with the hands on
experience required to defend themselves.
Several educational institutions have now incorporated this
demonstration into their lesson plans. It harmlessly illustrates the
importance of adhering to established anti-virus security measures quite
dramatically.
This type of virus hides in a special portion of the disk reserved for
the power up sequence (called "booting"), and is therefore called the
"boot track" or "boot sector". A boot sector virus replaces the
legitimate boot sector program with its own code. When the user "boots"
from the infected disk, the virus first loads itself into the computer
ahead of the legitimate programs.
Using Virus Simulator Supplement B (registered users only)
Copy VSIM_B.COM from the special write protected distribution disk to
your working or hard disk. Use a freshly formatted disk in drive A. You
must have an A: drive.
Run VSIM_B from the DOS prompt, and the program will instruct you to
select the anti-virus product you employ. These are listed
alphabetically.
The Virus Simulator B Supplement program infects the floppy disk and
makes a DOC file labeling the disk as well. Users are encouraged to
mark the physical disk label appropriately too. Be sure to plainly mark
the sample disk so you don't stumble across it by accident and panic at
some future date. As a convenience, the simulation will expire in a few
days on systems that support a CMOS clock.
You can now scan the disk etc. as the anti-virus product recommends.
Now the fun part.... With the disk in place, re-boot the system.
The boot program displays its intention (Test Virus), the copyright and
the expiration date, and loads itself into memory. The system then boots
through from the hard drive, while "TEST VIRUS in memory!" flashes in
the upper right corner of the screen and the speaker beeps about every
seven seconds. Other than the beeping and flashing, the system appears
to work normally. If you are using MS Windows, the beeping will continue
even though the display remaps. If you open a DOS window from within MS
Windows, the flashing message will display as well.
You now have about four minutes to try your anti-virus measures, or
whatever else you like. Then the screen becomes dominated by the "TEST
VIRUS" flashing message, the beep rate goes up to about every two
seconds, and on most systems the keyboard locks up! If you are in MS
Windows, the mouse is left enabled so you can exit elegantly; the
keyboard is then re-enabled for a few minutes when you return to DOS and
finally locks again.
Some BIOSes allow you to disable booting from the A: drive, which
prevents the demonstration from working. Real viruses have no problem
infecting your hard drive's boot sector, but these simulations are safe,
so they will only boot from the floppy in A:; they will not infect or
otherwise compromise a hard drive or other disks. Unlike these safe and
sterile simulations, real viruses are not limited to being harmless.
- - - - - - - - - - -
Virus Simulator MtE Supplement
Viruses are becoming much more sophisticated and difficult to combat
especially with the introduction of polymorphic mutating viruses such as
those based on the Dark Avenger MtE Mutation engine. These viruses
obsolete the traditional pattern matching techniques of detection, which
are ineffective against this type of virus.
VSIM_MTE.COM compiles a safe set of test viruses and special dummy
program files they will infect (only). The test viruses will only infect
the special dummy test programs generated by the Virus Simulator MtE
Supplement. Unlike their malicious real world counterparts, these
simulations will only attack the dummy files provided in the A:\M_VIRUS
directory. Provisions have been taken to discourage modification and
tampering. Both .EXE and .COM viruses and dummies are provided. With the
exception of their special safety and security provisions, the MtE test
simulations are real polymorphic viruses.
At the heart of these MtE virus simulations is an actual MtE mutation
engine. The MtE engine provides virus writers with the ability to turn
their relatively simple programs into very sophisticated polymorphic
viruses which are extremely difficult to detect by virus scanners. Each
time the virus infects a host program, it mutates, changing its
signature pattern to avoid recognition. A few examples of viruses that
employ the MtE engine are:
Dark Avenger Mutating Engine, Dame, MtE, Pogue, Gotcha, 7S, Mut,
Dedicated, Fear, Groove, Coffee Shop, MtE-Spawn, Questo, Crypto Lab,
Encroach.
Although the MtE simulations produced by this program are safe and
controlled, they are real viruses, capable of infecting their special
dummy host programs. Vigilant anti-virus programs that are capable of
reliably detecting the MtE mutation engine should report these
simulations as being infected. Because these are polymorphic viruses
several samples are required to validate a virus detector, as each time
the virus mutates in attempt to avoid detection, its signature changes.
Using the MtE Supplement Virus Simulations
(registered users only)
To generate the MtE simulations and dummy files to be infected, run
VSIM_MTE from the default directory. Once again, make sure you have
installed your anti-virus software in accordance with the author's
instructions. Prepare freshly formatted disks to be infected in your A:
drive.
When you run the MtE supplement, it will first verify itself (by voice)
and display the sign on message, which asks if you wish to continue.
Enter "Y". (NOTE! These programs should be run directly from the DOS
prompt and not from inside MS Windows)
The Virus Simulator will then generate a directory full of dummy test
programs, until the disk is nearly full (allowing for an increase in
size as the programs are infected). Initially, only the first two
samples (A:\M_VIRUS\VIR_1.EXE and A:\M_VIRUS\VIR_2.COM) will be
infected. Examine the directory, and you will see a considerable
difference in size between the infected and clean programs. Execute an
infected program, and you can observe that the test virus will spread to
the other samples (only). The infected programs will display that they
are indeed infected and ask if you wish to continue. If you enter "Y",
the simulation will spread to between one and 15 other programs. Those
programs can then be run and they will, in turn, infect the others. If
you enter "A" (for all) instead of "Y", the infection will spread to all
the dummy .COM or .EXE samples in the directory. Because of the
sensitive nature of these test samples, the infection will not spread to
any sample which has been modified. For security reasons the infections
will only activate on the A: drive in the A:\M_VIRUS directory, and only
if no modifications have been made to the dummy program files.
Once the files produced by Virus Simulator MtE Supplement become
infected, your virus detecting program should report them as such.
- - - - - - - - - - -
Virus Simulator Supplement C
The Virus Simulator Supplement C illustrates how a companion virus
works, and provides a functional demonstration that affords an
opportunity to exercise protective measures. These simulations, like the
others, are dramatic, but safe and harmless.
Companion viruses exploit a feature of the computer's operating system
that differentiates between programs with a COM or EXE file extension in
their name. When two programs have the same file name, for example
VIRUS_1.COM and VIRUS_1.EXE, the operating system will attempt to run
the COM program first.
The companion virus assumes the name (with a COM extension) of a
legitimate program with an EXE file name extension. When the user enters
the name of the program, the companion virus does its dirty work first,
and then allows the legitimate program to operate normally. Usually the
whole procedure is completely transparent to the user to avoid
detection.
If the user examines the original program, they find it unchanged. The
companion virus remains even if the user reloads the legitimate program
directly from the distribution backup unless the program with the same
name (and COM file extension) is removed.
Using the Virus Simulator Supplement C
(registered users only)
Copy VSIM_C.COM from the special write protected distribution disk to
your working or hard disk. As with the other simulators, place a freshly
formatted disk in drive A.
When you run VSIM_C it will generate several dummy programs on the
floppy disk in the A:\C_VIRUS directory. These test programs are
identical except for their name (VIRUS_##.EXE). One of them is
associated with a companion virus simulation.
When the VIRUS_## programs are run, they will only display a simple
message. However, when the program associated with the companion virus
simulation runs, it will produce a dramatic, but harmless demonstration.
Execute each of the test programs until you discover the companion
virus. To terminate the demonstration, simply reset the system. You may
repeat the demonstration without generating new dummy samples on the
floppy disk again. You'll notice the simulation will assume the name of
a different dummy test program each time.
To reveal the companion virus simulation use the DOS command ATTRIB
A:\C_VIRUS\*.* and you will discover the hidden companion virus
simulation.
With DOS 5 and above, you can also use the DOS command DIR A: /S /A
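The precedence rule described above gives a defender something concrete to look for: a .COM file sitting beside an .EXE of the same name in the same directory. The Python script below is an added example and is not part of Supplement C or any Rosenthal Engineering code. The function names, the temporary directory and the VIRUS_##.EXE file layout it builds are constructed for the demonstration. It reports every such pair and, on Windows, whether the .COM carries the hidden attribute that ATTRIB or DIR /A would reveal; on other platforms the hidden flag is simply reported as false.

```python
"""Companion-file check: list .COM files that shadow an .EXE of the same
name. Added example, not part of Virus Simulator Supplement C."""
import os
import stat
import tempfile


def is_hidden(path):
    """DOS/Windows hidden attribute where the platform exposes it
    (os.stat().st_file_attributes on Windows); False elsewhere."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def find_companion_pairs(root):
    """Walk root and return one record per directory entry where a .COM
    and an .EXE share the same stem (compared case-insensitively, as DOS
    does). Each record names both files relative to root."""
    pairs = []
    for dirpath, _, names in os.walk(root):
        by_stem = {}
        for name in names:
            stem, ext = os.path.splitext(name)
            by_stem.setdefault(stem.upper(), {})[ext.upper()] = name
        for stem in sorted(by_stem):
            exts = by_stem[stem]
            if ".EXE" in exts and ".COM" in exts:
                com_path = os.path.join(dirpath, exts[".COM"])
                pairs.append({
                    "exe": os.path.relpath(os.path.join(dirpath, exts[".EXE"]), root),
                    "com": os.path.relpath(com_path, root),
                    "com_hidden": is_hidden(com_path),
                })
    return pairs


def demo():
    """Constructed directory mimicking A:\\C_VIRUS: three identical dummy
    EXEs, one of which has a same-named .COM stand-in beside it."""
    root = tempfile.mkdtemp()
    for i in range(1, 4):
        with open(os.path.join(root, f"VIRUS_{i:02d}.EXE"), "wb") as f:
            f.write(b"MZ dummy program")          # constructed content
    with open(os.path.join(root, "VIRUS_02.COM"), "wb") as f:
        f.write(b"companion stand-in")            # constructed content
    return find_companion_pairs(root)


if __name__ == "__main__":
    for rec in demo():
        print(f"{rec['exe']} is shadowed by {rec['com']} (hidden={rec['com_hidden']})")
```

Running the script prints the single shadowed pair. Pointed at a real directory tree, the same function is a cheap periodic check: a new .COM appearing next to an existing .EXE is exactly the change a companion infection produces, whether or not a scanner recognizes the file.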
- - - - - - - - - - -
How Anti-Virus Measures Protect Your System
There are several popular methods employed to detect viruses that these
simulators can exercise. Generally they fall into three categories:
scanners, monitor filters, and change monitors.
Scanners are the most popular. They check the system for pieces of code
that form a signature or fingerprint that is unique to each virus.
Because the scanning program will only detect viruses that it knows the
signature for, it may not detect a new or modified virus. Virus
Simulator offers the signatures of many real viruses, but may not be
using the same signatures your virus detector uses. If your signature
scanner fails to report the dummy sample test viruses produced by Virus
Simulator, it is most likely that they are different from those required
by that scanner. Unlike the test viruses produced by the "A" and MtE
Supplements, the Virus Simulator and other supplements produce only
dummy viruses, not real viruses.
Monitor filters are TSRs (terminate and stay resident programs) that
watch for suspicious virus-like activity, such as creating or writing to
a program file or the boot sector or terminating with a TSR still active
in memory. Virus Simulator should have no difficulty demonstrating this
type of virus detector as it allows the user to actually overwrite the
boot sector of the floppy disk, install a very suspicious (but safe) TSR
in memory, and generate plenty of executable program files.
Change monitors learn what the original program or boot sector etc.
looks like and re-examine them periodically for modification. Virus
Simulator and supplements can demonstrate this, since the user can
actually elect to modify the floppy disk boot sector. Additionally, when
the MtE dummy test programs become infected, they change substantially.
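To show what "may not detect a new or modified virus" means in practice, here is an added Python example; it is not code from Virus Simulator or from any anti-virus product. It implements a minimal signature scanner and a change monitor side by side over a constructed temporary directory. The marker bytes ROSENTHAL-DEMO-SIG stand in for one entry of a scanner's signature database and are made up for this demonstration, as are the VIR_1.EXE and VIR_2.EXE dummy files. The walk-through appends the exact marker to one file and a one-byte variant of it to another: the scanner reports only the exact match, while the baseline comparison reports both changes.

```python
"""Signature scanner versus change monitor, side by side. Added example,
not part of Virus Simulator; the signature and sample files are constructed."""
import hashlib
import os
import tempfile

# Stand-in for a scanner's signature database. Hypothetical marker, not
# a real virus signature.
SIGNATURES = {"DEMO-MARKER": b"ROSENTHAL-DEMO-SIG"}


def scan_file(path, signatures=SIGNATURES):
    """Signature scanner: return the names of known patterns found in
    the file. A pattern altered by even one byte is not matched."""
    with open(path, "rb") as f:
        data = f.read()
    return [name for name, pattern in signatures.items() if pattern in data]


def build_baseline(root):
    """Change monitor learning step: record size and SHA-256 of every
    file under root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                data = f.read()
            baseline[os.path.relpath(full, root)] = (len(data), hashlib.sha256(data).hexdigest())
    return baseline


def check_baseline(root, baseline):
    """Change monitor re-examination: report files added, removed or
    modified (size or hash differs) since the baseline was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
    }


def demo():
    """Constructed walk-through in a temporary directory."""
    root = tempfile.mkdtemp()
    clean = os.path.join(root, "VIR_1.EXE")
    with open(clean, "wb") as f:
        f.write(b"MZ" + b"\x00" * 64)             # constructed dummy program
    baseline = build_baseline(root)               # learn the clean state

    # Simulated change 1: the exact marker is appended to VIR_1.EXE.
    with open(clean, "ab") as f:
        f.write(SIGNATURES["DEMO-MARKER"])
    # Simulated change 2: a new file carrying a one-byte variant of the marker.
    variant = os.path.join(root, "VIR_2.EXE")
    with open(variant, "wb") as f:
        f.write(b"MZ" + b"\x00" * 64 + b"ROSENTHAL-DEMO-SIX")

    return {
        "scan_exact": scan_file(clean),           # scanner sees the exact pattern
        "scan_variant": scan_file(variant),       # scanner misses the variant
        "changes": check_baseline(root, baseline),  # monitor sees both
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two approaches fail in different ways: the scanner is blind to anything outside its database, while the change monitor flags every difference, legitimate updates included, and only works if the baseline itself was taken on a clean system and is stored where the thing being monitored cannot rewrite it.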
You may also conduct additional tests on your system. For example, many
users mistakenly believe that changing the attribute of a program to
READ-ONLY will protect it from infection. You can test this with the
DOS ATTRIB command: for example, C>ATTRIB +R A:\M_VIRUS\VIR_99.EXE
will not protect the dummy file from becoming infected by the MtE
simulation.
The best and simplest way to protect a floppy disk from infection is to
take advantage of the write protect tab. These are very effective unless
yours is somehow inoperative. You may wish to conduct your own test by
enabling the write protect tab and repeating the experiment. If your
write protect circuitry is functional, you should not be able to make
modifications to the protected disk, and the MtE simulations will be
unable to infect the dummy files.
- - - - - - - - - - -
History of Virus Simulator
Virus Simulator was first developed to support testing my System Monitor
program. System Monitor was not a virus scanner or even a program
devoted exclusively to virus protection. There are enough things that
go astray in a normal computing environment to justify System Monitor on
its own. It installs in your IBM PC/XT/AT, 386 or 486 compatible computer
to test and extensively monitor a number of performance indicators. Each
time you use your computer, System Monitor re-evaluates the system and
alerts you to any discrepancies it finds with an announcement that is
hard to ignore.
You install System Monitor as soon as you're confident that your
computer is configured and operational. From then on, System Monitor
will intervene immediately upon detecting problems, usually long before
a user even suspects any difficulty. This early monitoring and detection
is essential in avoiding and correcting problems before they can
compound. It also provides formidable anti-virus protection.
Virus Simulator can help determine which anti-virus programs are best
for you. These programs can then be installed ahead of System Monitor so
a virus that attempts to disable either of these programs will have the
very Herculean task of disabling or circumventing them both, or risk
detection by the other.
The first version of Virus Simulator was only intended as a tool to
assist volunteers who were beta testing System Monitor in a real world
environment. Before beta testing, System Monitor had been tested in a
controlled environment, using a considerable collection of real viruses.
You can imagine the enthusiasm my beta testers showed to turning real
viruses loose on their systems.
During the beta testing of System Monitor, we discovered a real need for
Virus Simulator beyond its original intention. Some virus detectors not
only didn't find the simulated viruses; on closer inspection, they
didn't find the real ones either. We found several cases where no
security procedures were being adhered to: even though the
organization had purchased a site license for a very capable program,
few users had ever run it. Additionally, a virus detecting program
thought to be protecting a system used to duplicate distribution disks
for other offices was found to be an obsolete version, which missed
nearly all of the currently simulated viruses. No virus protection
program will ever be effective without the cooperation of its users.
Virus Simulator provides a means to verify adherence to established
security procedures.
Virus Simulator was made available to assist system administrators, end
users, and educators enabling them to perform their own tests. Virus
Simulator is not a replacement for the comprehensive collection of real
viruses maintained by Rosenthal Engineering and other researchers for
testing anti-virus programs.
Viruses are a form of terrorism and require many of the same
precautionary measures. Airports test the effectiveness of their
security measures in much the same way. An official, disguised as a
passenger, will attempt to bring a disarmed bomb through, trying to
evade security measures and avoid detection. Real viruses, like real
terrorists, are much more difficult to test with. The test viruses
generated by these virus simulators are safe and controlled, but form a
validation test suite that triggers vigilant anti-virus detectors.
Not all virus detectors use the same virus signatures that Virus
Simulator supplies. Some anti-virus software (like Dr. Solomon's
Toolkit, TBSCAN, VShield, VirStop and others) provide their own dummy
sample programs, so users can perform similar tests. Users can use these
safe simulations to verify that their anti-virus measures are correctly
in place and functional.
Anti-virus programs that report suspicious activity (like FLUSHOT or
SECURE ) should detect Virus Simulator actually overwriting the sample
floppy disk boot sector, installing an unauthorized memory resident
program, or modifying an executable program.
Authors of viruses are very aware of how virus detectors work. As
polymorphic viruses (especially the MtE mutation engine) were developed,
signature scanning alone became inadequate. The Virus Simulator MtE
Supplement addresses that need and some of the other comments users have
brought to my attention.
As more users of these programs began incorporating them into training
lesson plans, and demonstrations, the additional supplements A, B and C
were added.
- - - - - - - - - - -
Statistics, Probability and Making Sense of Tests
Virus Simulator makes an infinite number of simulated test viruses by
varying each one in a different way. This is much the same way a real
virus might be discovered in the world at large. Even testing with a
program infected with a real virus cannot assure every combination will
be examined: Is it a .COM file? .EXE? System? Compressed? Is it the same
for all programs or just large ones? How about files created before or
after a certain date or time? What about a virus that was modified, even
trivially, offset a few bytes or changed from one message to another? Or
a virus that only attacks one vendor's brand of software? The only way
to test with any kind of absolute certainty would be to perform tests
with every combination and variation, and, even then, hope you didn't
overlook any.
Now try that with many hundreds of viruses and combinations. It becomes
apparent that no matter how exhaustive the tests are, they are just
random, probabilistic distributions. The study of probability assumes
that you know the entire population or universe from which you are going
to sample. Statistics assumes that you have only a sample and that you
are trying to determine, or at least guess, the parameters or
characteristics of the most likely population or source from which the
sample was taken. That's what Virus Simulator supplies: a large enough
sample population size to establish statistical significance with some
reliability.
A large sample size is especially important when attempting to validate
polymorphic viruses, as each sample will have a different signature.
These sophisticated viruses attempt to avoid detection by altering their
signatures, so it is not uncommon for several copies to escape
detection. The Virus Simulator MtE Supplement attempts to generate as
broad a spectrum of test samples as practical.
Allowing Virus Simulator to fill a single 360K disk should be more than
adequate to support reliable testing. Although a 1.2 MB disk offers
some improvement, additional disks offer diminishing benefits, as the
distribution confidence interval shows an insignificant improvement
beyond that point. In other words, for files... one disk ought to do it.
Testing with boot sector viruses is another matter, because unlike the
hundreds of files that Virus Simulator can create on a disk, there is only
one boot sector per disk. You can generate a simulated boot sector virus
onto as many different disks as you like, or overwrite a single disk
repeatedly. A new simulation is generated each time.
- - - - - - - - - - -
Shareware Announcement
Please feel free to use and evaluate Virus Simulator without charge for
10 days. You are encouraged to copy and distribute the shareware version,
the VIRSIM##.ZIP archive, freely, provided it remains unmodified, complete
in its original form, and no fee (other than a nominal copy charge) is
required.
The additional Virus Simulator Supplements are only available directly
from Rosenthal Engineering once the single user registration fee is
received. All copyrights are reserved.
Once the required registration fee is received, the latest registered
version of Virus Simulator along with all the Virus Simulator
Supplements will be sent by priority first class mail, or international
air-mail.
_______
____|__ | (R)
--| | |-------------------
| ____|__ | Association of
| | |_| Shareware
|__| o | Professionals
-----| | |---------------------
|___|___| MEMBER
Association of Shareware Professionals (ASP)
Rosenthal Engineering is a member of the Association of Shareware
Professionals (ASP). ASP wants to make sure that the shareware principle
works for you. If you are unable to resolve a shareware-related problem
with an ASP member by contacting the member directly, ASP may be able to
help. The ASP Ombudsman can help you resolve a dispute or problem with an
ASP member, but does not provide technical support for members' products.
Please write to The ASP Ombudsman, at 545 Grover Road, Muskegon, MI 49442,
or send a message via CompuServe Mail to: ASP Ombudsman 70007,3536.
----------------------------------------------------------------
Date: November 22, 1996
From: Brad Kaenel, Chairman, ASP Author Standards Committee
To: Shareware Consumer
Subject: Rosenthal Virus Simulator
At the request of the author, Doren Rosenthal, I submit to you this
letter of clarification concerning the purpose and usage of the
Rosenthal Virus Simulator software suite (VirSim).
I have examined VirSim and found it to be exactly what it claims: a set
of tools for testing the effectiveness of so-called "anti-virus" utilities.
VirSim allows you to create safe, benign viruses that can be instructed
to "infect" your computer in harmless (and reversible) ways.
Doren Rosenthal is a member in good standing of the Association
of Shareware Professionals (ASP), an organization that maintains strict
"non-destructive, non-intrusive" usability rules for its authors' software.
VirSim complies with these rules.
It is not the policy of the ASP to endorse the specific functionality
of an application, nor to recommend its suitability for any particular
purpose. However, we do pledge that our authors make every effort to
produce software that is well-written, well-supported, and absolutely
safe to install and evaluate on your computer.
Brad Kaenel,
Chairman, ASP Author Standards Committee
---------------------------------------------------------------
Bibliography and Additional Sources of Information
National Computer Security Center - Guidelines for Formal Verification
Systems (NCSC-TG-014)
National Computer Security Center - Computer Security Subsystem
Interpretation of the Trusted Computer System Evaluation Criteria
(NCSC-TG-009)
National Computer Security Center - Rating Maintenance Phase Program
Document (NCSC-TG-013)
National Computer Security Center - Trusted Network Interpretation of the
Trusted Computer System Evaluation Criteria (NCSC-TG-005)
Department of Defense - Trusted Computer System Evaluation Criteria (DOD
5200.28-STD)
Richard A. Kemmerer - Verification Assessment Study Final Report,
University of California
Peter J. Denning - Computers Under Attack: Intruders, Worms and Viruses,
ACM Press/Addison-Wesley
Lance J. Hoffman, Anne Branscomb - Rogue Programs: Viruses, Worms and
Trojan Horses, Van Nostrand Reinhold
David Ferbrache - A Pathology of Computer Viruses, Springer-Verlag
Dr. Fred B. Cohen - A Short Course on Computer Viruses, ASP Press
Dr. Solomon's Virus Encyclopedia - S & S International
R. Burger - Computer Viruses: A High-Tech Disease
Dr. Mark Ludwig - The Little Black Book of Computer Viruses
Virus Bulletin Ltd - Abingdon, England
Virus News International Ltd. - Berkhamsted, Hertfordshire, UK
Computer Virus Developments Quarterly - American Eagle Pub. Inc.,
P.O. Box 1507, Show Low, Arizona 85901
- - - - - - - - - - - -
Orders Outside the U.S.
All international orders are sent by air-mail. See the order form
(ORDER.FRM) for shipping and handling rates.
Yes! Visa or Master Card are now accepted, which makes currency exchange
to US dollars very simple.
Please be sure to make your payment in US dollars, either by (US) cash,
Visa or Master Card, international money order, or check drawn on a US
member bank. Otherwise banks want a fifty-dollar processing fee to cash
a twenty-five-dollar check. Sorry, Eurocheques cannot be processed.
Local restrictions, regulations, tariffs, taxes etc. are the
responsibility of the recipient. Check with your local government. Only
California state residents need include sales tax.
- - - - - - - - - - - -
CD-Rom, Magazine and Book Publishers
Publishers are encouraged to include "Rosenthal Virus Simulator (tm)" as
shareware with CD-Rom collections, books and magazines. Please contact
Rosenthal Engineering directly.
- - - - - - - - - - - -
Anti-Virus Researchers and Product Developers
Rosenthal Engineering is pleased to cooperate with anyone engaged in the
development of anti-virus products. All developers are encouraged to
contact Rosenthal Engineering and will be supported without prejudice.
Software License Agreement
This Software is copyrighted material. It is not sold, but licensed. The
registration fee must be paid before the evaluation period expires, or use
of the software must be discontinued.
You are encouraged to copy and distribute only the Virus Simulator
archive VIRSIM##.ZIP file freely, provided it remains unmodified,
complete in its original form, and no fee (other than a nominal copy
charge) is required. This software is provided "as is" without warranty,
either expressed or implied.
You may not make any changes or modifications to the software and you
may not decompile, disassemble, or in any way, reverse-engineer the
software.
This constitutes the entire agreement and understanding between the
parties and supersedes any prior agreement or understanding whether oral
or written and may only be modified in writing.
This software is provided "as is" without warranties of any kind.
Responsibility rests entirely with the user to determine its fitness for
a particular purpose. ROSENTHAL ENGINEERING SHALL NOT IN ANY CASE BE
LIABLE FOR SPECIAL, INCIDENTAL, CONSEQUENTIAL, INDIRECT OR OTHER SIMILAR
DAMAGES ARISING FROM ANY USE OF THIS SOFTWARE. Some states may not allow
these limits on warranties, so they may not apply to you. In no case
shall Rosenthal Engineering's liability exceed the license fees paid by
you to Rosenthal Engineering for the right to use the Licensed Software.
Virus Simulator and Virus Simulator Supplements,
Copyright Rosenthal Engineering 1990 - 1996. All rights reserved.