RED ALERT!
Users Manual
Release 1.13 December 1993
PROFESSIONAL VERSION
Copyright (c)1993 Servile Software
INTRODUCTION
In 1986 the world's first "computer virus" was detected. It was nicknamed
"Brain" after its effect of changing the volume label of an infected hard disk
to read "(c) Brain". Brain scanned an intended victim (hard disk) for a
signature in the boot sector. If it did not find the signature it would copy
itself from memory to the hard disk, and hide its presence by marking the
areas of the disk it occupied as bad in the disk file allocation table (FAT).
Brain hides by taking over BIOS interrupt 13h. When an attempt is made to
read an infected boot sector using the BIOS absolute disk read function, Brain
shows the original boot sector instead. This meant that if the boot
sector of an infected hard disk was examined using DEBUG or a similar program,
everything would appear normal, so long as Brain was active in memory.
The discovery of Brain caused an uproar in the media. Paranoia swept the
computing industry, and hundreds of bright, malicious programmers set about
creating their own computer viruses. Some more materialistic programmers
started writing software that would either detect or destroy computer
viruses. Some of those authors are known to have written computer viruses and
hyped the paranoia in order to promote the sales of their own product. One
American gentleman even went as far as to write a book. In his book he
describes computer viruses, and how to write them. He even included program
listings of some. Needless to say many variants of his viruses are still
infecting computers and destroying data. Shortly after the publication of his
book, the author released a program which would detect and destroy computer
viruses.
With the discovery that brain used a signature to prevent itself from
reinfecting a disk, programmers developed the technique of virus signature
scanning as a defence against potential infection. This technique is still
widely used among virus scanners. However, it has the fundamental flaw that it
will not detect a hitherto undiscovered virus. In order for a signature to be
recorded, a virus must first have been discovered. Without a technique for
detecting an unknown virus, the only way a new virus will be detected is after
it has infected a system.
As well as computer viruses, there are also rogue programs that can cause
havoc on a system. These come in two forms: Trojans, named after the Trojan
horse that allowed the Greeks access to Troy, and bombs, so named because they
require triggering.
A Trojan is a seemingly innocent program, but when run destroys data on the
host computer. A bomb is a piece of code within a seemingly innocent program,
which when triggered, perhaps by the computer's system date, destroys data on
the host computer. These types of program are very easy to write, and
impossible to detect with conventional virus scanners.
Red Alert! is a new type of disk protection program. Red Alert! analyses
programs searching for possible virus infection, trojans and bombs. In this
way Red Alert! can often identify a new strain of virus or trojan before any
other virus scanner. Red Alert! also reports some known virii, particularly the
multitude of strains manufactured with the Virus Creation Lab (as written and
released by Nowhere Man and NuKe Warez).
Red Alert! is suitable for use in domestic, business and bulletin board (BBS)
environments. Because of the slightly different needs of the different hosts
that may use Red Alert!, Red Alert! may be run in either of two modes. The
first, normal, mode displays status messages on the PC screen as Red Alert!
works. The second, quiet, mode does not display any status messages. This
results in a somewhat faster analysis being carried out and is particularly
suited to batch file and BBS operations. A feature that may be of particular
interest to BBS sysops, is the /MOVE parameter. This enables VERY suspicious
files to be automatically moved to a specified directory.
Red Alert! is designed to be used alongside your existing anti-virus
software. We recommend F-PROT as the most reliable detector of existing virii
and new strains, although F-PROT is still not as good as Red Alert! at
detecting completely new virii, and F-PROT doesn't detect trojans.
Red Alert! does nothing more than report (and move files if told to do so). If
you want to disinfect contaminated programs/files you must use a separate
product. Remember though, prevention is better than cure. Many virii kill
their hosts, sometimes intentionally, but sometimes by accident.
All warnings may be individually inhibited, except known virii warnings that
will ALWAYS trigger a red alert.
COMMAND LINE OPTIONS:
Red Alert! may be run from DOS with a variety of optional command line
parameters:
REDALERT [d:][file spec | /ALL][/NOWARN | /REDONLY][/COMMAND][/QUIET][-enn]
[/MOVE dir][/MONO]
Where d: is an optional drive letter of the disk drive to check.
File spec is the specification of the files to check, for example 'unknown.*'.
/NOWARN inhibits WARNING messages
/REDONLY only reports red alert status messages.
/ALL checks ALL files whatever extension. The default, if the file
specification is omitted, is for Red Alert! to check only files with an
extension of .EXE, .COM, .SYS, .APP or .BAT. A simple trick for uploading
virii to a BBS is to name them with an extension not normally checked by virus
scanners, such as .DAT, and then to rename the virii files from within an
otherwise clean Trojan program. The /ALL option bypasses this approach.
/COMMAND runs Red Alert in command line mode. Only Red Alerts are reported.
/QUIET prevents the display of any messages, although messages are still
echoed to file REDALERT.REP
/MOVE <directory> Moves all files triggering a Red Alert into the specified
directory. The target directory MUST be on the same disk as the files being
checked. If a .COM and a .EXE form of the same file occur in the same
directory, and the companion virus warning is enabled, then the .COM file will
be moved, since this is the file that would be executed by DOS.
/MONO Forces Red Alert! to operate in monochrome mode. This is primarily for
use where a monochrome monitor is connected to a colour display card.
-enn inhibits the appropriate warning number, where nn is the number of the
warning to inhibit. Inhibiting warnings also inhibits the moving of suspect
files that would have otherwise triggered the inhibited warning.
COMMAND LINE EXAMPLES
To check every executable, device driver and batch file on hard disk C:
REDALERT C:
To check every file on hard disk C:
REDALERT C: /ALL
To check only the file 'suspect.exe' in the current directory:
REDALERT SUSPECT.EXE
To check only the file 'suspect.exe' in a specified directory:
REDALERT C:\DIRECTORY\SUSPECT.EXE
To check all files in a specified directory:
REDALERT C:\DIRECTORY /ALL
or
REDALERT C:\DIRECTORY\*.*
To check all files of a particular extension in a specified directory:
REDALERT C:\DIRECTORY\*.EXT
To check all files of a particular extension on the disk
REDALERT *.EXT
USING RED ALERT! WITH A BATCH FILE
Red Alert! can be simply used with a batch file to test an individual file. If
Red Alert! detects code or data within the file that triggers a "red alert"
then ERRORLEVEL ONE will be set. This can be tested by the batch file and
appropriate action taken. The following is a listing of the example batch
file, RA.BAT, supplied with Red Alert!
@echo off
rem Sample batch file for BBS testing of files
rem ONLY red alerts will be reported
rem reported findings will NOT be echoed to the screen
redalert %1 /QUIET /REDONLY
IF ERRORLEVEL 1 GOTO DANGER
GOTO END
:DANGER
echo %1 is a SUSPICIOUS file
:END
INTERACTIVE MODE
If you don't specify either of the command line options /QUIET or /COMMAND,
then Red Alert! will operate in the interactive mode. This provides an easy to
use menu of facilities for repetitive scanning of diskettes, or multiple
drives.
Menu:
Facilities are chosen from the menu by moving the highlight bar with the
cursor up and down arrow keys. The highlighted facility may be selected by
pressing the return key.
┌──────────────────────────────────────────────────────────────────────────────┐
│Servile Software R E D A L E R T Copyright 1993│
└──────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────┐
│ ╔════════════════════╗ │
│ ║ Begin Scanning ║ │
│ ║ Specify Warnings ║ │
│ ║ Specify Path ║ │
│ ║ Specify Move Path ║ │
│ ║ View Last Report ║ │
│ ║ Print Last Report ║ │
│ ║ Quit ║ │
│ ╚════════════════════╝ │
│ │
│ │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────┐ │
│ │ Begin scanning of the selected path │ │
│ │ │ │
│ │ C: │ │
│ │ │ │
│ └─────────────────────────────────────────────────────────────────────────┘ │
│ │
└──────────────────────────────────────────────────────────────────────────────┘
Begin Scanning:
Selecting this option will commence a scan of the path or file indicated in
the lower box. The scan will take place with the current warnings settings
which may have been specified by command line parameters, or specified with
the Specify Warnings menu facility. As scanning occurs, Red Alert! displays
the current status and operation on screen. These messages may scroll off the
screen too fast to read. However, all messages are echoed to the report file
which may be viewed or printed after scanning has finished.
┌──────────────────────────────────────────────────────────────────────────────┐
│Servile Software R E D A L E R T Copyright 1993│
└──────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────┐
│[6]WARNING! │
│D:\DRAW\THEDRAW.EXE may contain a call to DOS 'rename file' function │
│[7]WARNING! │
│D:\DRAW\THEDRAW.EXE may contain a call to DOS 'delete file' function │
│[8]YELLOW ALERT! │
│D:\DRAW\THEDRAW.EXE may contain a call to DOS 'exec' function │
│[18]WARNING! │
│D:\GRAM\DICTUTIL.EXE is a packed file │
│[6]WARNING! │
│D:\GRAM\GMK.EXE may contain a call to DOS 'rename file' function │
│[7]WARNING! │
│D:\GRAM\GMK.EXE may contain a call to DOS 'delete file' function │
│[18]WARNING! │
│D:\GRAM\GMK.EXE is a packed file │
│[8]YELLOW ALERT! │
│D:\GRAM\GMK.EXE may contain a call to DOS 'exec' function │
│[18]WARNING! │
│D:\GRAM\GMKCVTWP.EXE is a packed file │
│SCANNING: D:\GRAM\GMKED.EXE │
└──────────────────────────────────────────────────────────────────────────────┘
Some innocuous warnings....
When scanning, Red Alert! will display warning messages. The screen dump below
illustrates the sort of messages you can expect to be displayed when rogue
programs are detected:
┌──────────────────────────────────────────────────────────────────────────────┐
│Servile Software R E D A L E R T Copyright 1993│
└──────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────┐
│D:\VIRUS\VIRII\INCSPD.COM may open a file handle to command.com │
│[32]RED ALERT! │
│D:\VIRUS\VIRII\INCSPD.COM may open a file handle to ibmdos.com │
│[28]RED ALERT! │
│D:\VIRUS\VIRII\INCSPD.COM searches directories for *.COM │
│[9]YELLOW ALERT! │
│D:\VIRUS\VIRII\CODEZERO.COM may contain a call to dos 'set file date/time' fun│
│ction │
│[12]RED ALERT! │
│D:\VIRUS\VIRII\CODEZERO.COM contains code known to lock the keyboard │
│[15]YELLOW ALERT! │
│D:\VIRUS\VIRII\CODEZERO.COM contains a reference to '*.COM' │
│[20]RED ALERT! │
│D:\VIRUS\VIRII\CODEZERO.COM contains a reference to '[VCL]' │
│[21]RED ALERT! │
│D:\VIRUS\VIRII\CODEZERO.COM contains known virus commands │
│RED ALERT! │
│D:\VIRUS\VIRII\CODEZERO.COM is probably infected with a virus │
│ │
└──────────────────────────────────────────────────────────────────────────────┘
Viruses detected....
Specify Warnings:
Individual warnings may be toggled on and off. Highlight the warning to
change, and press the space bar. When the warning is enabled, a tick (√)
appears to the left of it.
As a short cut, you can press key Y to enable all yellow and red alerts, and
disable all warnings. Or you can press key R to disable all warning messages
except red alerts.
┌──────────────────────────────────────────────────────────────────────────────┐
│Servile Software R E D A L E R T Copyright 1993│
└──────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────┐
│ √ ( 0) has strange time stamp (18) is a packed file │
│ √ ( 1) Code to format drive (19) contains a reference to 'virus'│
│ ( 2) is a hidden executable file √ (20) contains reference to [VCL] │
│ ( 3) is a hidden file √ (21) contains known virus commands │
│ √ ( 4) may be a VCL encrypted virus √ (22) is a PKZIP packed file │
│ √ ( 5) may remain resident in memory √ (23) Both .COM and .EXE forms │
│ ( 6) may call rename file function √ (24) contains code to delete files │
│ ( 7) may call delete file function √ (25) is encrypted │
│ √ ( 8) may call exec function √ (26) determines if is an EXE or COM │
│ √ ( 9) may set file date/time √ (27) code to move itself in memory │
│ (10) may get/set file attributes √ (28) searches directories for *.COM │
│ √ (11) contains code to destroy FAT √ (29) searches directories for *.EXE │
│ √ (12) contains code to lock keyboard √ (30) contains ANSI key redefinition │
│ (13) may call format function √ (31) may open a file to command.com │
│ √ (14) contains reference to 'format' √ (32) may open a file to ibmdos.com │
│ √ (15) contains a reference to '*.COM' √ (33) may capture interrupt 21 │
│ √ (16) contains reference to IBMIO.COM √ (34) may capture interrupt 13 │
│ √ (17) may call absolute disk write √ (35) is actually an EXE file │
│ │
└──────────────────────────────────────────────────────────────────────────────┘
Specify Path:
To select a new path to be searched, select the "Specify Path" facility from
the menu. Red Alert! will then wait while you type in the path to be scanned.
If the entered path is a drive specification, or a directory specification,
Red Alert! will scan all files in that drive or directory which have an
extension of: .EXE, .COM, .APP, .SYS or .BAT.
If you specify a file or group of files without a drive or directory
specified, then Red Alert! will search the entire current drive and scan files
matching the entered name or specification.
Entering a directory and a file specification forces Red Alert! to scan just
the specified files in the named directory.
┌──────────────────────────────────────────────────────────────────────────────┐
│Servile Software R E D A L E R T Copyright 1993│
└──────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────┐
│ ╔════════════════════╗ │
│ ║ Begin Scanning ║ │
│ ║ Specify Warnings ║ │
│ ║ Specify Path ║ │
│ ║ Specify Move Path ║ │
│ ║ View Last Report ║ │
│ ║ Print Last Report ║ │
│ ║ Quit ║ │
│ ╚════════════════════╝ │
│ │
│ │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────┐ │
│ │PATH:[C: ]│ │
│ │ │ │
│ │ Enter the path and/or file specification to scan. │ │
│ │EG: C:\UPLOAD or A:\*.ASC or NEWFILE.EXE or A: │ │
│ └─────────────────────────────────────────────────────────────────────────┘ │
│ │
└──────────────────────────────────────────────────────────────────────────────┘
Specify Move Path:
You may optionally specify a directory, which must be on the current drive,
into which to move all files triggering an enabled Red Alert. If you enter a
blank path, the move operation will be inhibited.
┌──────────────────────────────────────────────────────────────────────────────┐
│Servile Software R E D A L E R T Copyright 1993│
└──────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────┐
│ ╔════════════════════╗ │
│ ║ Begin Scanning ║ │
│ ║ Specify Warnings ║ │
│ ║ Specify Path ║ │
│ ║ Specify Move Path ║ │
│ ║ View Last Report ║ │
│ ║ Print Last Report ║ │
│ ║ Quit ║ │
│ ╚════════════════════╝ │
│ │
│ │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────┐ │
│ │PATH:[ ]│ │
│ │ │ │
│ │ Enter the directory to move files into, or leave blank to inhibit move │ │
│ │ (NOTE: Must be a directory on the current disk) │ │
│ └─────────────────────────────────────────────────────────────────────────┘ │
│ │
└──────────────────────────────────────────────────────────────────────────────┘
View Last Report:
Red Alert! always generates a report following a scan. This report is written
to the directory where redalert.exe is to be found. This report may be viewed
through Red Alert's "View Last Report" facility. To move around the screen use
the cursor arrow keys, the page up and page down keys, and the home and end
keys to move to the start and end of the current display line. Often a report
will include lines which are too long to be shown on the screen. Red Alert!
will allow the screen to scroll from left to right to show the remainder of
these lines.
┌──────────────────────────────────────────────────────────────────────────────┐
│Servile Software R E D A L E R T Copyright 1993│
└──────────────────────────────────────────────────────────────────────────────┘
[14]RED ALERT! D:\VIRUS\VIRII\ANTIV.EXE contains a reference to 'format.com'
[9]D:\VIRUS\VIRII\MI2SOLVE.EXE YELLOW ALERT! may contain a call to dos 'set file
RED ALERT! D:\VIRUS\VIRII\MI2SOLVE.EXE is probably infected with a virus
[25]RED ALERT! D:\VIRUS\VIRII\MI2SOLVE.EXE is encrypted
[26]YELLOW ALERT! D:\VIRUS\VIRII\MI2SOLVE.EXE determines if it is an EXE or COM
[27]RED ALERT! D:\VIRUS\VIRII\MI2SOLVE.EXE contains code to move itself in memor
┌──────────────────────────────────────────────────────────────────────────────┐
│Move cursor with [PgUp], [PgDn], [Home], [End], [], [|], [|], [] [Esc] Quit│
└──────────────────────────────────────────────────────────────────────────────┘
Print Last Report:
Red Alert! can send the current report to a printer connected to the parallel
port. No printer formatting instructions are sent before or after printing the
report, so you should ensure that your printer is correctly setup before
selecting this facility.
REPORT
Red Alert! always writes the result of its findings to a report file titled
"redalert.rep". This file is created in the current directory, overwriting any
existing report file.
The report file commences with an author's acknowledgment, and then
information about the scan that has been conducted. This information includes
the date of the scan, whether any warnings have been inhibited and the
specifications of files being analysed. For example:
Servile Software R E D A L E R T Copyright 1993
Results of scan on date <date>
Checking file specifications *.EXE *.COM *.SYS *.APP *.BAT
After the heading text is the body of the report that lists all warnings
pertaining to suspicious files scanned. For example:
WARNING! D:\DRAW\THEDRAW.EXE may contain a call to DOS 'rename file' function
WARNING! D:\DRAW\THEDRAW.EXE may contain a call to DOS 'delete file' function
YELLOW ALERT! D:\DRAW\THEDRAW.EXE may contain a call to DOS 'exec' function
The report is a standard text file that may be printed or viewed with a text
editor.
For details of the messages reported please refer to the section entitled
"Messages" in this document.
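The following Python script is an added example and is not part of Red Alert! or this manual. It parses report lines in the two layouts shown in this document (the one-line form of redalert.rep and the two-line form of the screen dumps, where "[6]WARNING!" stands alone above its message), and counts alerts per file so that files collecting several red alerts stand out. The sample report text is constructed for the example.

```python
import re
from collections import defaultdict

# Severity tags exactly as Red Alert! writes them, most to least severe.
SEVERITIES = ("RED ALERT!", "YELLOW ALERT!", "WARNING!")

# Optional "[nn]" warning number, a severity tag, then "<path> <message>".
LINE_RE = re.compile(
    r"^(?:\[(?P<num>\d+)\])?\s*(?P<sev>RED ALERT!|YELLOW ALERT!|WARNING!)\s*(?P<rest>.*)$"
)


def parse_report(text):
    """Parse report lines into dicts with num, severity, path and message.

    Heading lines (author acknowledgment, scan date, file specifications)
    carry no severity tag and are skipped. A severity tag on a line of its
    own is held until the next line supplies the path and message.
    """
    findings = []
    pending = None  # (num, severity) waiting for its path/message line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m and not m.group("rest"):
            pending = (m.group("num"), m.group("sev"))
            continue
        if m:
            num, sev, rest = m.group("num"), m.group("sev"), m.group("rest")
        elif pending:
            (num, sev), rest = pending, line
        else:
            continue  # heading text, not a finding
        pending = None
        path, _, message = rest.partition(" ")
        findings.append({
            "num": int(num) if num is not None else None,
            "severity": sev,
            "path": path.upper(),
            "message": message.strip(),
        })
    return findings


def triage(findings):
    """Per-file count of each severity, keyed by upper-cased path."""
    counts = defaultdict(lambda: {s: 0 for s in SEVERITIES})
    for f in findings:
        counts[f["path"]][f["severity"]] += 1
    return dict(counts)


def suspicious_files(findings, red_threshold=2):
    """Files with at least `red_threshold` red alerts, most red alerts first.

    One red alert may still be a legitimate program; several on the same
    file are the signal the manual says to treat with real suspicion.
    """
    hits = [(p, c) for p, c in triage(findings).items()
            if c["RED ALERT!"] >= red_threshold]
    hits.sort(key=lambda pc: (-pc[1]["RED ALERT!"], pc[0]))
    return hits


# Constructed sample report, modelled on the layouts shown in this manual.
SAMPLE_REPORT = r"""Servile Software R E D A L E R T Copyright 1993
Results of scan on date <date>
Checking file specifications *.EXE *.COM *.SYS *.APP *.BAT
[6]WARNING! D:\DRAW\THEDRAW.EXE may contain a call to DOS 'rename file' function
[8]YELLOW ALERT! D:\DRAW\THEDRAW.EXE may contain a call to DOS 'exec' function
[18]WARNING!
D:\GRAM\DICTUTIL.EXE is a packed file
[20]RED ALERT! D:\UPLOAD\SAMPLE.COM contains a reference to '[VCL]'
[21]RED ALERT! D:\UPLOAD\SAMPLE.COM contains known virus commands
RED ALERT! D:\UPLOAD\SAMPLE.COM is probably infected with a virus
"""

if __name__ == "__main__":
    for path, counts in suspicious_files(parse_report(SAMPLE_REPORT)):
        print(path, counts)
```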
LIVING WITH RED ALERT!
Red Alert! can generate a vast quantity of warning messages and take a long
time to scan. A suspect file is best scanned with all warning messages
enabled. However, allowances should be made that many legitimate programs
delete files. Even spreadsheet applications often delete files because they
use temporary files that they later delete. Consequently, a single file
deletion is a low suspicion warning.
Red Alert! is slower than other virus scanners because it has a
built in code analyser that actually "activates" the programs being tested.
This activation involves a "quick" test of what the program would do if it was
run from the current disk and directory. This method of analysis is often
effective at bypassing encryption. However, it is important that Red Alert! is
run from the disk where the suspect program will be used.
The code analyser can detect a number of VERY suspicious states. These are:
the program being tested attempts to open either "command.com" or
"ibmdos.com". These are warnings 31 and 32 and are displayed as:
[31]RED ALERT! <filename> may open a file handle to command.com
[32]RED ALERT! <filename> may open a file handle to ibmdos.com
And the program tries to take control of either interrupt 13h or 21h. These
are warnings 33 and 34 and are each displayed in one of two forms. If the
program under test analyses the address of the interrupt, Red Alert! warns
that the program may capture the interrupt. If Red Alert! detects that the
program does change the interrupt, then you will be informed that the program
does capture the interrupt.
[33]RED ALERT! <filename> may capture interrupt 21
[33]RED ALERT! <filename> captures interrupt 21
[34]RED ALERT! <filename> may capture interrupt 13
[34]RED ALERT! <filename> captures interrupt 13
Very few normal programs assign a file handle to either of these files.
Viruses however will often search for .COM files to infect, and as such may
attempt to infect either of these files. These warnings give a pretty clear
indication that the program being scanned IS a virus.
One program is known to trigger Red Alert! This is Format.com. It has a
structure commonly found in viruses, but not in any other programs I have come
across! This triggers the:
RED ALERT! <filename> is probably infected with a virus warning.
You should not be complacent about this warning, even when it applies to
format.com. Instead you should compare your copy of format.com with the master
copy on your DOS disk.
So what suggests a dangerous program? Certainly a "red alert" suggests that
the program could be dangerous. But, many straight programs can be dangerous.
If you receive multiple red alerts you should be very suspicious of the file.
Also, there is in existence a virus creation tool, entitled VCL. This enables
non-programmers to churn out vast quantities of destructive viruses and
Trojans. Fortunately they all contain the signature "[VCL]". However, due to
their prolific nature, any reference to VCL triggers a red alert, and you
should also be suspicious of the program triggering the warning. The
particularly nasty warnings are:
[4]RED ALERT! <filename> may be a VCL encrypted virus
[12]RED ALERT! <filename> contains code known to lock the keyboard
[20]RED ALERT! <filename> contains a reference to '[VCL]'
[21]RED ALERT! <filename> contains known virus commands
[27]RED ALERT! <filename> contains code to move itself in memory
[28]RED ALERT! <filename> searches directories for *.COM
[29]RED ALERT! <filename> searches directories for *.EXE
[31]RED ALERT! <filename> may open a file handle to command.com
[32]RED ALERT! <filename> may open a file handle to ibmdos.com
RED ALERT! <filename> is probably infected with a virus
METHODS OF INFECTION
In order for a computer virus to infect another system, it has to write
itself to a disk. It can do this in a variety of ways.
Boot Sector:
When the PC is switched on, the BIOS ROM chip loads a program from the floppy
disk A: or the hard disk, boot sector. This is the first physical sector of
the disk. This program then takes over the loading of the operating system,
DOS. A boot sector infection replaces the host computer's disk boot sector
program with its own program. Then, whenever a computer is booted (started)
from the infected disk, the rogue program is loaded into memory and takes
over.
Program Appending:
A virus may spread by appending a copy of itself to other programs on a disk.
These other programs may be .COM, .EXE or any other executable file. This
includes overlay files. When the infected program is loaded by the operating
system, the virus is also loaded into memory and activated.
Overwriting:
A simpler way for a virus to spread is for it to replace an existing program
file with itself. This is called overwriting. It is easy to detect because the
original program no longer operates.
Companion:
Another simple form of infection is the companion method. This method makes
use of the operating system's method of program loading. When a program name
is supplied to the operating system the operating system first appends the
extension .COM to the program name and tries to load and run that name. If
this fails, then the extension is changed to .EXE and the operating system
tries to load and run this program name. Should this operation fail then the
operating system replaces the extension with .BAT and tries to load and run a
batch file. It follows that if two programs have the same name, but one has
the extension .COM and the other the extension .EXE or .BAT, then the .COM
program will be loaded and run. Companion infection involves storing the virus
on the host disk with the same name as an existing .EXE file, but with an
extension of .COM. The companion virus is then loaded and run by the operating
system when the operator types in the program name. The companion virus can do
its business and then load the original program so that the operator is
unaware of what is happening.
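The following Python script is an added example, not part of Red Alert! or this manual. It models the DOS search order described above (.COM, then .EXE, then .BAT) over a directory listing and flags any file that shadows another of the same name, which is the companion layout; it generalises slightly beyond the .COM-over-.EXE case in the text to any pair in the search order, and notes when the winning file is hidden, since a hidden executable is itself a companion sign (warnings 2, 3 and 23). The directory listing and attribute values are constructed for the example.

```python
import os

# DOS tries the bare command name with these extensions, in this order.
DOS_SEARCH_ORDER = (".COM", ".EXE", ".BAT")

# FAT directory attribute bits used below.
ATTR_HIDDEN = 0x02
ATTR_SYSTEM = 0x04
ATTR_ARCHIVE = 0x20


def resolve_dos_command(command, entries):
    """Return the file DOS would run for `command` in one directory.

    `entries` maps upper-case 8.3 names to their attribute byte. A command
    typed with an explicit extension is run as given; otherwise the .COM,
    .EXE and .BAT forms are tried in turn. Returns None if nothing matches.
    """
    command = command.upper()
    stem, ext = os.path.splitext(command)
    if ext:
        return command if command in entries else None
    for candidate in (stem + e for e in DOS_SEARCH_ORDER):
        if candidate in entries:
            return candidate
    return None


def find_companion_candidates(entries):
    """Flag files that shadow another form of the same name.

    Each result is (winner, shadowed_names, reasons): the file DOS would run
    first, the same-named files it hides, and why the pair is suspicious.
    """
    by_stem = {}
    for name in entries:
        stem, ext = os.path.splitext(name)
        if ext in DOS_SEARCH_ORDER:
            by_stem.setdefault(stem, set()).add(ext)

    results = []
    for stem in sorted(by_stem):
        present = [e for e in DOS_SEARCH_ORDER if e in by_stem[stem]]
        if len(present) < 2:
            continue  # only one form: nothing is shadowed
        winner = stem + present[0]
        shadowed = [stem + e for e in present[1:]]
        reasons = ["%s shadows %s" % (winner, ", ".join(shadowed))]
        attr = entries[winner]
        if attr & ATTR_HIDDEN:
            reasons.append("%s is hidden" % winner)
        if attr & ATTR_SYSTEM:
            reasons.append("%s has the system attribute" % winner)
        results.append((winner, shadowed, reasons))
    return results


# Constructed sample listing: WP.COM shadows WP.EXE and is hidden, the
# classic companion layout; SETUP.EXE shadows SETUP.BAT, a weaker signal;
# EDIT.COM stands alone and is normal.
SAMPLE_LISTING = {
    "WP.EXE": ATTR_ARCHIVE,
    "WP.COM": ATTR_ARCHIVE | ATTR_HIDDEN,
    "EDIT.COM": ATTR_ARCHIVE,
    "SETUP.BAT": ATTR_ARCHIVE,
    "SETUP.EXE": ATTR_ARCHIVE,
}

if __name__ == "__main__":
    print("typing WP runs:", resolve_dos_command("wp", SAMPLE_LISTING))
    for winner, shadowed, reasons in find_companion_candidates(SAMPLE_LISTING):
        print(winner, "->", "; ".join(reasons))
```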
Device:
A device virus is one which infects bootable disks by appending a
DEVICE=myname to the file "config.sys", where myname is the name of the virus
program, in the boot disk's root directory. When the computer is switched on,
programs listed in the config.sys file are automatically loaded into memory.
This takes place before any other programs, such as those listed in
"autoexec.bat", are run. With a device virus, it becomes active in memory every
time a computer is booted from an infected disk.
TROJANS & BOMBS
A common source of lost computer data is the Trojan. A program that appears
innocuous, and yet, like the Trojan horse, is deadly. Trojan programs may
contain a bomb that will wait for a trigger, or just go off when the program
is run. Consider the following batch file entitled 'install.bat'. You are told
to run it with the command line:
INSTALL X:
Where X: is the drive where you want to install the package to. Not uncommon?
No! But what if the batch file contains the code:
echo Y | format %1
What will happen is that the specified drive will be reformatted without you
being given the chance to stop it. Just think if that were your hard disk! Can
you remember where the master disk for your restore software is? You will need
it to be able to restore from a backup. Assuming that is that you have a
backup of your disk!
Fortunately, Red Alert! searches .BAT files and reports dangerous code like
this.
Compiled batch files are more tricky. There are a number of batch file
compiler products on the market which convert batch files into .COM programs.
These programs cannot be easily read, unlike batch files. As such they can
easily hide dangerous instructions. But not from Red Alert!
Pictures and text files can also be trojans. The ANSI device driver includes a
facility for reprogramming the computer keyboard. A picture made up of ANSI
commands can also reprogram the 'n' key to produce the code for 'y'. In a
batch file a picture can be displayed, which also reprograms the keyboard, and
then the batch file issues a format C: command. The operator presses 'n'
to abort the format, and the computer gets the signal to carry on. Nasty! Also
nasty is reprogramming lots of keys to produce strings such as "format c:", or
"echo Y | del *.*". All these are quite common techniques used in ANSI and
batch file trojans. Fortunately, Red Alert! searches for them.
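The following Python script is an added example, not part of Red Alert! or this manual, of the kind of check warning 30 performs. It assumes the ANSI.SYS key-redefinition syntax, ESC [ key ; replacement ; ... p, where each parameter is a decimal ASCII code or a "quoted string" and extended keys (function keys, arrows) are written as 0;scancode. It decodes every redefinition in a file and reports which key would produce what; the sample file bytes are constructed and contain the 'n' to 'y' remap described above.

```python
import re

# ESC [ <params> p  where each param is a decimal code or a "quoted string".
KEY_REDEF_RE = re.compile(r'\x1b\[((?:\d+|"[^"]*")(?:;(?:\d+|"[^"]*"))*)p')


def _decode_params(param_text):
    """Split '0;59;"dir";13' into [0, 59, "dir", 13]."""
    out = []
    for tok in re.findall(r'"[^"]*"|\d+', param_text):
        out.append(tok[1:-1] if tok.startswith('"') else int(tok))
    return out


def _printable(p):
    """Render a code or string parameter; control codes appear as <n>."""
    if isinstance(p, str):
        return p
    return chr(p) if 32 <= p < 127 else "<%d>" % p


def find_key_redefinitions(data):
    """Return (key, replacement) pairs for every redefinition in `data`.

    `data` is the raw file content; it is decoded as latin-1 so that every
    byte maps to exactly one character. `key` is the character remapped, or
    'ext:<scancode>' for extended keys; `replacement` is the text the key
    would type afterwards. Ordinary colour and cursor sequences (ending in
    m, H, J and so on) do not match and are ignored.
    """
    text = data.decode("latin-1")
    results = []
    for m in KEY_REDEF_RE.finditer(text):
        params = _decode_params(m.group(1))
        if not params:
            continue
        if params[0] == 0 and len(params) > 1 and isinstance(params[1], int):
            key, rest = "ext:%d" % params[1], params[2:]   # 0;<scancode>
        else:
            key, rest = _printable(params[0]), params[1:]
        results.append((key, "".join(_printable(p) for p in rest)))
    return results


def is_ansi_bomb_candidate(data):
    """True when any key is remapped to something other than itself."""
    return any(key != repl for key, repl in find_key_redefinitions(data))


# Constructed sample: ordinary colour codes, then 'n' (110) remapped to
# 'y' (121) as the manual describes, then F1 (0;59) remapped to "dir" + Enter.
SAMPLE_ANSI = (
    b"\x1b[1;31mRed text\x1b[0m\r\n"
    b"\x1b[110;121p"
    b"\x1b[0;59;\"dir\";13p"
    b"Press n to abort.\r\n"
)

if __name__ == "__main__":
    for key, repl in find_key_redefinitions(SAMPLE_ANSI):
        print("key %r would now type %r" % (key, repl))
```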
TYPES OF DATA DESTRUCTION
There are many ways to destroy computer data. The two basic methods are
deletion, and corruption. Deletion simply implies the data is removed from the
disk. Perhaps by "deleting" a file or by "formatting" the disk. Corruption
involves replacing data with random values.
A "deleted" file is fairly easy to recover, if no additional files have been
written to the disk. This is because DOS records the names of all the files on
a disk in a table. When a file is "deleted" DOS simply replaces the first
character of the file's name within the table. This prevents DOS from locating
the file, but the file is left intact on the disk. A program can then replace
the first character of the file's name to recover the file and its data.
It is not so easy to recover data from a formatted disk, but it may sometimes
be possible if the format program stored "unformat" information.
Recovering data that has been corrupted is impossible!
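The following Python script is an added example, not part of Red Alert! or this manual. It parses FAT12/16 directory entries (32 bytes each: 8-byte name, 3-byte extension, attribute byte, time and date fields, first cluster at offset 26 and file size at offset 28) and shows what the text describes: DOS marks a deleted entry only by overwriting the first name byte with E5h, so the rest of the entry, including where the data starts, survives and the name can be recovered up to one guessed character. The directory bytes are constructed for the example.

```python
import struct

ENTRY_SIZE = 32
DELETED_MARK = 0xE5   # DOS writes this over the first name byte on DEL
END_OF_DIR = 0x00     # a first byte of zero means no further entries
ATTR_LFN = 0x0F       # VFAT long-name fragments share this attribute value


def parse_directory(raw):
    """Parse raw FAT12/16 directory bytes into a list of entry dicts.

    A deleted entry keeps its extension, attributes, first cluster and
    size; only its first name byte is gone, which the returned name shows
    as '?'.
    """
    entries = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = raw[off:off + ENTRY_SIZE]
        if e[0] == END_OF_DIR:
            break
        attr = e[11]
        if attr == ATTR_LFN:
            continue  # long-name fragment, not a file
        deleted = e[0] == DELETED_MARK
        first_cluster, size = struct.unpack_from("<HI", e, 26)
        entries.append({
            "deleted": deleted,
            "name": _dos_name(e[0:8], e[8:11], deleted),
            "attr": attr,
            "first_cluster": first_cluster,
            "size": size,
        })
    return entries


def _dos_name(name, ext, deleted):
    base = name.decode("latin-1").rstrip(" ")
    if deleted:
        base = "?" + base[1:]   # the E5h byte replaced the real first letter
    extension = ext.decode("latin-1").rstrip(" ")
    return base + ("." + extension if extension else "")


def recoverable(entries):
    """Deleted entries that still point at data (non-zero cluster and size).

    Recovery only works while no later file has reused those clusters,
    which is why the manual says to recover before writing anything else.
    """
    return [e for e in entries
            if e["deleted"] and e["first_cluster"] and e["size"]]


def _entry(name, ext, attr, cluster, size, deleted=False):
    """Build one 32-byte directory entry for the constructed sample."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name.ljust(8).encode("latin-1")
    raw[8:11] = ext.ljust(3).encode("latin-1")
    raw[11] = attr
    struct.pack_into("<HI", raw, 26, cluster, size)
    if deleted:
        raw[0] = DELETED_MARK
    return bytes(raw)


# Constructed sample directory: one live file, one deleted file whose data
# still sits on disk, one deleted entry that never held data, then the
# end-of-directory marker.
SAMPLE_DIRECTORY = (
    _entry("COMMAND", "COM", 0x20, 2, 47845)
    + _entry("BUDGET", "WK1", 0x20, 57, 12288, deleted=True)
    + _entry("EMPTY", "TXT", 0x20, 0, 0, deleted=True)
    + bytes(ENTRY_SIZE)
)

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIRECTORY):
        print(e)
    print("recoverable:", [e["name"] for e in recoverable(parse_directory(SAMPLE_DIRECTORY))])
```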
HOW VIRUSES AVOID DETECTION
All computer viruses and trojans are programs. That is they are sequences of
instructions to the computer. This suggests that a technically competent
computer programmer can "read" them, if he has the proper tools. Computer
viruses try to avoid detection for as long as possible. The longer they remain
undetected, the further they can spread and the more damage they can do. If a
programmer can read a computer virus, he can in theory detect it. Viruses
often avoid being read by being encrypted. The Brain virus, mentioned earlier,
also avoided detection by preventing itself being read. However, Brain did not
avoid being read by being encrypted, rather it trapped any attempts to read it
and showed other data instead of its own code. This is called the "stealth"
technique.
The tools used by programmers for reading virus programs depend upon the type
of virus. A virus stored in a file is read with an assembly debugger. A virus
stored in the boot sector is read with a disk editor. Both tools are
susceptible to attack from the viruses they are reading.
A debugger is used to step through a program, executing one command at a time.
Some viruses include instructions that lock the keyboard. Reading them with a
debugger is okay until the keyboard locking commands are executed.
Disk editors read disk sectors. Reading disk sectors means making use of the
BIOS ROM interrupt 13h. Some viruses take control of this interrupt and can
then decide what to let a disk editor see. In order to do this though, the
virus must already be running, and be in memory. Programs which stay running
in memory are called "TSR".
Viruses which infect program files must open a file handle to the victim file,
and then close it. This sets the file's directory entry to the current
computer date and time. It also sets the A attribute of the directory entry.
Since it would be an easy matter to notice a change in the directory entry for
a file, viruses often read the victim file's date, time and attribute entry
and reset them after infecting the file.
MESSAGES
Red Alert! reports three types of message. Warnings, Yellow Alerts, and Red
Alerts. These range in severity from 'possibly rogue' through to 'very
possibly rogue'.
The least severe 'Warnings' can be disabled with the /NOWARN command line
option. Then Red Alert! will only report Yellow and Red Alerts. Red
Alert! may produce the following warning messages, where <filename> is
substituted for the name of the suspicious file:
Low Suspicion warnings:
[2]WARNING! <filename> is a hidden executable file
(Perhaps a sign of a companion virus).
[3]WARNING! <filename> is a hidden file
(Perhaps a sign of a companion virus).
[6]WARNING! <filename> may contain a call to DOS 'rename file' function
(As used by some virii).
[7]WARNING! <filename> may contain a call to DOS 'delete file' function
(As used by virii).
[10]WARNING! <filename> may contain a call to DOS 'Get/Set file attributes'
function
(As used by virii to cover their tracks).
[13]WARNING! <filename> may contain a call to DOS 'format' function
(Used to format disk tracks).
[18]WARNING! <filename> is a packed file
(Makes analysis unreliable).
[19]WARNING! <filename> contains a reference to 'virus'
(Could be a virus or a virus scanner).
Medium suspicion Yellow Alerts:
These are warnings of a more severe nature than the standard warnings,
suggesting a need for caution with the listed files. These warnings may be
disabled with either the /REDONLY or /COMMAND command line parameters.
[0]YELLOW ALERT! <filename> has strange time stamp
(May be an infected file)
[5]YELLOW ALERT! <filename> may remain resident in memory
(Some viruses go TSR)
[8]YELLOW ALERT! <filename> may contain a call to DOS 'exec' function
(As used by companion virii).
[9]YELLOW ALERT! <filename> may contain a call to dos 'set file date/time'
function
(As used by virii to hide their tracks)
[15]YELLOW ALERT! <filename> contains a reference to '*.COM'
(As used by virii to locate .COM files)
[16]YELLOW ALERT! <filename> contains a reference to 'IBMIO.COM'
(A VERY important DOS system file)
[17]YELLOW ALERT! <filename> may contain a call to DOS 'absolute disk write'
function
(As used by virus to trash disks).
[22]YELLOW ALERT! <filename> is a PKZIP packed file.
(The contained files are hidden to Red Alert!)
[22]YELLOW ALERT! <filename> is a PKLITE packed file.
(The program has been compressed with PKLITE)
[26]YELLOW ALERT! <filename> learns if it is an EXE or COM
(The program contains code to learn whether it is a .EXE or .COM)
(This is suspicious!)
[30]YELLOW ALERT! <filename> may contain ANSI key redefinitions
(If you display/run the file with ANSI.SYS installed it may redefine some)
(keys to produce other values. Common in ANSI-Bomb Trojans)
[35]YELLOW ALERT! <filename> is actually an EXE file
(The file is suffixed .COM, but is actually an EXE)
Very Suspicious Red Alerts:
These messages are quite severe. They may show the presence of a virus,
trojan or program containing a bomb. It is advisable to check any files listed
with a red alert status carefully before using them. If the /MOVE parameter
was specified, these warnings will coincide with the offending file(s) being
moved to the specified directory.
[1]RED ALERT! <filename> may contain code to format drive ?:
(For example "format C:")
[4]RED ALERT! <filename> may be a VCL encrypted virus
(Probably a strain of VCL encrypted virus)
Warning 11 has two variants: one for general FAT destruction, and one for
FAT destruction commands specific to drive C:
[11]RED ALERT! <filename> contains code known to destroy drive C: FAT data
(Very dangerous instructions commonly found in virii/trojans/bombs)
[11]RED ALERT! <filename> contains code known to destroy FAT data
(Very dangerous instructions commonly found in virii/trojans/bombs)
[12]RED ALERT! <filename> contains code known to lock the keyboard
(May show a virus).
[14]RED ALERT! <filename> contains a reference to 'format.com'
(An unusual and risky program to exec).
[14]RED ALERT! <filename> contains a reference to 'format'
(As above, but as used in batch files)
[20]RED ALERT! <filename> contains a reference to '[VCL]'
(May show a virus produced with VCL).
[21]RED ALERT! <filename> contains known virus commands
(Very probably a virus)!
[23]RED ALERT! Both .COM and .EXE forms of <filename>
(May show a companion virus)
[24]RED ALERT! <filename> may contain code to delete bulk files
(For example "del *.*")
[25]RED ALERT! <filename> is encrypted
(Common among viruses, but also compression systems such as PKLITE)
[27]RED ALERT! <filename> contains code to move itself in memory
(Common among TSR viruses)
[28]RED ALERT! <filename> searches directories for *.COM
(Typical among viruses)
[29]RED ALERT! <filename> searches directories for *.EXE
(Typical among viruses)
[31]RED ALERT! <filename> may open a file handle to command.com
(The code analyser detected an attempt to open a file handle to command.com)
[32]RED ALERT! <filename> may open a file handle to ibmdos.com
(The code analyser detected an attempt to open a file handle to ibmdos.com)
[33]RED ALERT! <filename> may capture interrupt 21
[33]RED ALERT! <filename> captures interrupt 21
(Allows the program to redirect DOS function calls)
[34]RED ALERT! <filename> may capture interrupt 13
[34]RED ALERT! <filename> captures interrupt 13
(Allows the program to intercept disk editors)
Other warning messages cannot be inhibited due to their severity. These
include very likely infections of known viruses and the following:
RED ALERT! <filename> is probably infected with a virus
(Almost certainly a virus!)
RED ALERT! <filename> Contains a reference to 'Dark Avenger'
(An infamous and prolific virus author)
Information messages:
INFO <filename> moved to <path>
The file triggered a non-inhibited Red Alert, and the command line option
/MOVE was declared so the file has been moved to the indicated path.
USING RED ALERT! WITH TRANSCAN
A number of WildCat BBSs use "Transcan" for scanning uploads. The following
text comes from Peter Friedlos, sysop of Ooh! BBS and describes how to use
Red Alert! with Transcan:
"It [Red Alert!] works with the /Command line set up. It upsets the screen
write locally during the transcan though if you compress on line. I don't
know if there is a "reject" number so that transcan will reject the file but
I just get it to copy the .REP file to a temporary directory and post
the results once a night using Postmaster.
If you set it up on the page where it lists SCAN and Fprot - it will
read the opened files and analyse them. I wouldn't recommend the Move
feature with RedAlert if in conjunction with transcan as this will
move the temporary files to your "infected" directory and leave the
original zip intact.
The program works fine if you use it as a stand alone however. If you
make a nightly event to run Red Alert on your new uploads path with
the MOVE command it works well. Don't forget to manually delete any
WildCat database entries for any files that get shunted though."
What is Int 21?
Users who are not familiar with system level programming may wonder what the
fuss is about "int 21". Int 21 is a "doorway" into DOS used by, amongst
others, the commands for copying files, deleting files and formatting disks.
If a program "captures" int 21, it can control how ordinary DOS commands
function. The results could be chaotic! Many legitimate programs make good use
of this feature. However, because of the risks involved, Red Alert! gives a red
alert warning of any program which captures int 21. This should not be taken
as an indication that the program is a virus or a trojan. Rather, it shows that
the program in question has great power over the operation of the computer,
and could be very dangerous.
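A program "captures" int 21 (or int 13) by calling the DOS Set Interrupt Vector function: int 21 with AH=25h and the vector number in AL. Looking for that call is one way to arrive at the "may capture interrupt 21" / "interrupt 13" findings listed under MESSAGES. The code below is an added example written for this manual, not Red Alert!'s own code; it assumes the standard 8086 encodings of MOV AX/AH/AL with an immediate and of INT 21h, and the sample bytes are constructed.

```python
# Added example, not Red Alert! code. Finds the DOS "Set Interrupt Vector"
# call (INT 21h, AH=25h, vector in AL) using standard 8086 encodings:
# B8 imm16 = MOV AX, B4 imm8 = MOV AH, B0 imm8 = MOV AL, CD 21 = INT 21h.
INT21 = b"\xCD\x21"

def _hooked_vector(chunk):
    """Given the bytes just before an INT 21h, return the vector number it
    would install, or None. The last instruction that loaded AH must be
    MOV AX,25xxh or MOV AH,25h (the latter followed by a MOV AL,xx)."""
    ax = chunk.rfind(b"\xB8")           # MOV AX,imm16 (AL=low byte, AH=high byte)
    ah = chunk.rfind(b"\xB4")           # MOV AH,imm8
    if ax != -1 and ax > ah and ax + 2 < len(chunk) and chunk[ax + 2] == 0x25:
        return chunk[ax + 1]
    if ah != -1 and ah > ax and ah + 1 < len(chunk) and chunk[ah + 1] == 0x25:
        al = chunk.rfind(b"\xB0", ah)   # MOV AL,imm8 after the MOV AH,25h
        if al != -1 and al + 1 < len(chunk):
            return chunk[al + 1]
    return None

def find_vector_hooks(code, window=16):
    """Return the set of interrupt numbers `code` appears to hook; this is
    the condition behind 'may capture interrupt 21' / 'interrupt 13'."""
    hooks = set()
    pos = code.find(INT21)
    while pos != -1:
        vector = _hooked_vector(code[max(0, pos - window):pos])
        if vector is not None:
            hooks.add(vector)
        pos = code.find(INT21, pos + 1)
    return hooks

def describe(code):
    """Map the vectors found to the manual's wording, sorted for stable output."""
    labels = {0x21: "captures interrupt 21", 0x13: "captures interrupt 13"}
    return sorted(labels.get(v, "captures interrupt %02X" % v)
                  for v in find_vector_hooks(code))

# Constructed sample: hooks INT 21h via MOV AX,2521h, hooks INT 13h via
# MOV AH,25h / MOV AL,13h, then makes a harmless print-string call (AH=09h),
# which must not be reported because AH was reloaded before the INT 21h.
HOOKING_SAMPLE = (b"\xB8\x21\x25\xBA\x00\x01\xCD\x21"
                  b"\xB4\x25\xB0\x13\xBA\x00\x02\xCD\x21"
                  b"\xB4\x09\xBA\x00\x03\xCD\x21")
BENIGN_SAMPLE = b"\xB4\x09\xBA\x00\x03\xCD\x21"

if __name__ == "__main__":
    print(describe(HOOKING_SAMPLE))   # ['captures interrupt 13', 'captures interrupt 21']
    print(describe(BENIGN_SAMPLE))    # []
```

Like Red Alert!'s own "may capture" message, this is a heuristic: a legitimate TSR that sets a vector is reported just the same, which is why the manual says the warning is not by itself proof of a virus.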
APPENDIX
Details of some common viruses
Details are supplied here about a few common computer viruses. These details
are offered to illustrate some of the effects of, and techniques used by
computer viruses.
THE VIENNA VIRUS
The "Vienna" virus is one of the most prolific, and adapted computer viruses
in existence. The source code for the Vienna virus was published in a book
called "Computer viruses: A High-Tech Disease" written by Ralf Burger, and
published in America. The original version, published in the book, only
infects files with the extension .COM which are in the current directory.
When a program infected with the Vienna virus is run, Vienna searches for an
uninfected file and infects it by appending a copy of itself to the victim.
Usually, the infected programs will still run. However, one in eight infected
programs have the first few bytes replaced with instructions that will cause a
restart when the program is run.
Files infected with Vienna are quite easy to spot as they have a value of 62
in the "seconds" field of the directory time entry.
A variant of the Vienna virus is the "Lisbon" virus, so called because it was
discovered in Portugal. The Lisbon variant was a modified form of Vienna
intended to avoid signature detection. Lisbon also destroys some infected
programs, but unlike Vienna it overwrites the start of the program with the
text string "@AIDS".
From Bulgaria have come a group of Vienna virus variations which include a
critical error handler. They don't destroy data by overwriting some program
files. Rather they reformat the computer's hard disk drive!
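The Vienna marker (62 in the "seconds" field) and the directory-entry warnings listed under MESSAGES ([0] strange time stamp, [2] hidden executable, [3] hidden file) can all be checked straight from a FAT directory entry, as a scanner of this kind would. The code below is an added example, not Red Alert!'s own code; it assumes the standard 32-byte FAT directory entry layout and the DOS time-word packing (hours in bits 15-11, minutes in bits 10-5, seconds/2 in bits 4-0), and the sample entries are constructed.

```python
import struct

# Standard 32-byte FAT directory entry (assumed layout, not Red Alert! code):
# name[8] ext[3] attr[1] reserved[10] time[2] date[2] first_cluster[2] size[4]
DIR_ENTRY = struct.Struct("<8s3sB10sHHHI")
ATTR_HIDDEN = 0x02
EXECUTABLE_EXTS = (b"COM", b"EXE")

def decode_fat_time(word):
    """DOS packs a time as hhhhhmmmmmmsssss, the last field holding seconds/2,
    so a legal seconds field is 0..29 (0..58 s); a field of 31 decodes to 62."""
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2

def timestamp_findings(word):
    """Heuristic hits for one time word: 'vienna' for the 62-second marker
    Vienna leaves behind, 'strange' for a value no real clock could write
    (the manual's YELLOW ALERT [0])."""
    hours, minutes, seconds = decode_fat_time(word)
    if seconds == 62:
        return ["vienna"]
    if hours > 23 or minutes > 59 or seconds > 59:
        return ["strange"]
    return []

def scan_dir_entry(raw):
    """Apply the timestamp and hidden-file checks to one raw directory entry
    and return (filename, findings)."""
    name, ext, attr, _res, time_word, _date, _cluster, _size = DIR_ENTRY.unpack(raw)
    fname = name.rstrip(b" ").decode("ascii", "replace")
    if ext.strip(b" "):
        fname += "." + ext.rstrip(b" ").decode("ascii", "replace")
    findings = timestamp_findings(time_word)
    if attr & ATTR_HIDDEN:
        # [2] hidden executable (companion virus sign) versus [3] plain hidden file
        findings.append("hidden-exe" if ext.upper() in EXECUTABLE_EXTS else "hidden")
    return fname, findings

def make_entry(name, ext, attr, time_word):
    """Build a constructed directory entry to use as sample input."""
    return DIR_ENTRY.pack(name.ljust(8).encode("ascii"), ext.ljust(3).encode("ascii"),
                          attr, b"\0" * 10, time_word, 0x1B85, 2, 4096)

# Constructed time words: 12:30:62 (Vienna), 09:05:10 (normal), 25:00:00 (impossible)
VIENNA_TIME, NORMAL_TIME, BAD_HOUR_TIME = 0x63DF, 0x48A5, 0xC800

if __name__ == "__main__":
    for entry in (make_entry("COMMAND", "COM", ATTR_HIDDEN, VIENNA_TIME),
                  make_entry("README", "TXT", 0, NORMAL_TIME),
                  make_entry("NOTES", "TXT", ATTR_HIDDEN, BAD_HOUR_TIME)):
        print(scan_dir_entry(entry))
```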
VIRAL MESSIAH
Viral Messiah is a virus which overwrites .COM and .EXE programs. When an
infected program is run, Viral Messiah searches the DOS search path and
overwrites five programs with a copy of itself. It then displays a poem on the
screen, and if a printer is plugged in to the parallel port, the poem is
printed as well. Viral Messiah was written by "Nowhere Man" using VCL V1.0.
CODE ZERO
Code Zero infects .COM programs on the current disk. When an infected program
is run, Code Zero searches the disk for a program to infect. If it finds one
it appends a copy of itself to the end of the file. Unfortunately, if the file
was actually an EXE file masquerading as a .COM file, then the infected
program will no longer run. If Code Zero cannot find any more programs to
infect it displays "** CODE ZERO **" and beeps the speaker.
KINISON
Kinison infects .COM programs on the current disk. When an infected program is
run, the virus searches the disk for a program to infect. If it finds one it
appends a copy of itself to the end of the file. Unfortunately, if the file
was actually an EXE file masquerading as a .COM file, then the infected
program will no longer run. If an infected program is run on any Friday the
11th of the month, Kinison displays a message in remembrance of the comedian
Sam Kinison, who was killed by a drunk driver. It then scrambles the file
allocation tables of any disk drives it finds.
PEARL HARBOR
Pearl Harbor is a companion virus, and a shocking example of a bomb. If an
infected program is run on December the 7th, the anniversary of the Japanese
sneak attack on Pearl Harbor, it will display a message asking you to remember
Pearl Harbor. If the host computer has its country set to JAPAN, then Pearl
Harbor will also corrupt all the files in the directory C:\. To quote the
author, "How's that for a sneak-attack, Hirohito?"
YANKEE DOODLE
The Yankee Doodle virus is circulating in at least two variations. The
original infects .EXE files. A variation, Yankee II, infects .COM files by
appending itself to them. Unfortunately, if the file was actually an EXE file
masquerading as a .COM file, then the infected program will no longer run.
When an infected program is run, the DOS search path is searched for a file to
infect. If the computer's clock reports the time to be between five and seven
PM, then the tune "Yankee Doodle" is also played.
THE AIDS TROJAN
An infamous computer blackmail attempt took place a few years ago. Many
companies, including the one I was working for, received through the post an
unsolicited disk. The disk claimed to provide information about the "Aids"
virus. The disk contained two programs: install.exe and aids.exe. The main
program would not run unless the install program was first run. The install
program was actually a trojan. When run, install.exe did the following:
1. A subdirectory was created on drive C:. This subdirectory had a single
character name, ASCII code 255. This made it hidden from DOS DIR commands.
2. Copied INSTALL.EXE from the floppy disk to the new directory as REM .EXE
(the space between the "M" and the "." was ASCII code 255, making the file
hidden from DIR commands).
3. Renamed AUTOEXEC.BAT to AUTO.BAT.
4. Created a new, hidden AUTOEXEC.BAT file that runs REM.EXE and then
displays the message "For convenience, please use AUTO.BAT." The line calling
REM .EXE looked like an ordinary BAT file REM (remark) line.
5. Created a file called AUTOEXEC.BAK which consisted of a single line saying
"File not PC found." If this file was displayed with the DOS TYPE command, it
would appear as though the file did not exist.
The scenario then went on as follows. Aids.exe did indeed provide some
information about AIDS. However, after 90 or so reboots, REM.EXE would wipe
the hard disk, leaving a file called PCCYBORG.DOC that said, inter alia, "lease
expired."
A complex trojan, and a very unpleasant one.
MICHELANGELO
The Michelangelo virus was first reported in April 1991 in Sweden. The
Michelangelo virus infects the boot sector of its host computer, and then
remains resident in memory when the computer is switched on. When Michelangelo
is active, it infects the boot sector of all disks it comes into contact with,
including floppy disks. If the computer's clock reports the date as being the
6th of March, then the Michelangelo virus will scramble the computer's hard
disk by overwriting it with random characters from memory. As with all memory
resident viruses, the amount of memory available for programs is reduced. This
is one way of detecting the presence of the Michelangelo virus in memory.
Red Alert! was written during late 1993 by Matthew Probert and published by
Servile Software.
If you have a problem with a possible virus or trojan program please contact:
Matthew Probert
Servile Software
5 Longcroft Close
Basingstoke
Hampshire
RG21 1XG
Telephone 0256 478576
*** Telephone lines are open 7 days a week ***