Virus Detection System 3.0
Shareware Release
Copyright (c) 1992-93 by VDS Advanced Research Group
P.O. Box 9393, Baltimore, MD 21228, U.S.A.
VDS 3.0 User's Guide
12/2/93
rev. C
WARNING
THIS SOFTWARE AND MANUAL ARE BOTH PROTECTED BY U.S.
COPYRIGHT LAW (TITLE 17 UNITED STATES CODE). UNAUTHORIZED
REPRODUCTION AND/OR SALES MAY RESULT IN IMPRISONMENT OF UP TO
ONE YEAR AND FINES OF UP TO $10,000 (17 USC 506). COPYRIGHT
INFRINGERS MAY ALSO BE SUBJECT TO CIVIL LIABILITY.
DISCLAIMER
The developers of VDS make no warranty of any kind, either express or
implied, with respect to this software and accompanying documentation.
In no event shall the developers be liable for any damages arising out of
the use of or inability to use the included programs. The entire risk as to
the results and performance of this software package is assumed by the
customer. We specifically disclaim any implied warranties of merchantability
or fitness for any purpose. Use at your own risk.
The developers of VDS reserve the right to revise the software and
accompanying documentation and to make changes in the contents without
obligation to notify any person of such revision or changes.
WARNING
VDS shareware edition may be freely distributed to other individuals by
electronic means such as BBSes. You must keep the archive intact except that
you may add an archive message introducing your BBS. VDS shareware edition
expires at the end of May 1994. We will most likely have an updated copy
long before then. You are allowed to use VDS shareware edition at home as
long as you wish. If you register it, you will get the complete Pro edition.
Organizations and companies may use VDS shareware edition to evaluate its
effectiveness. We allow 30 days for such evaluation, after which you must
remove VDS from your company's computers or get the registered copy for a
very reasonable site license fee.
Table of Contents
I. Introduction
1. Description
2. Components
3. System Requirements
4. Command Line Options
II. Installation
1. On stand-alone PCs
2. Installing VDS 3.0 in Novell Netware(tm) Environments
a. Protecting Programs On The File Server
b. Installing VDS On Workstations From The Server
c. Using The Network Emergency Diskette
d. Known Problems
3. Uninstall
4. Configuration (VDS30.INI)
III. Operational Overview
1. Scanning
2. Integrity Checking
3. Real-time Anti-virus Protection
IV. Viruses Explained
1. Description
2. Features
a. Stealth Virus
b. Dumb Virus
c. Encryptive Virus
d. Polymorphic Virus
e. Multi-partite Virus
3. Types
a. MBR/BR Virus
b. Program Infector
Simple Infector
Companion Virus
System Infector
--------------------------------------------------------------------------
I. Introduction
---------------
This chapter introduces the VDS anti-virus software, and provides an
overview of requirements to install and run the programs in the package.
1. Description
VDS is a set of programs designed to contain the spread of PC viruses by
providing early detection and easy removal. By using sophisticated methods,
VDS can handle new stealth, dumb, and polymorphic viruses as easily as
the old ones. It works on stand-alone computers as well as LAN workstations.
It can protect LAN file servers by performing scans and integrity checks.
NOTE: The shareware release of VDS is intended to allow potential customers
to test its operation and make an informed decision about buying VDS as their
choice of protection against PC viruses. If you would like to obtain the
full package (VDS Pro), then you must fill out and send in the registration
form with your payment. The registration fee is only $19 (U.S.). The
professional release includes a state-of-the-art real-time anti-virus tool
and many other features to give you a formidable anti-virus defense mechanism.
VDS outperforms other commercial and shareware anti-virus packages not only
by its operational speed and robustness but also by its ease of use. Its
user interface shifts the emphasis from actions buried under many levels of
menus to objects such as drives and directories. Compare it to the sexiest-
looking anti-virus package out there and see which one is more functional.
Site licenses are available. You get the following by registering VDS 3.0:
- A set of diskettes with the latest copy of VDS Pro 3.0.
- A more comprehensive and detailed reference manual.
- VDSTSR for memory-resident scanning to prevent viruses from getting
into your system in the first place.
- ISVDSTSR for better network support and LAN access control.
- DUMPSIG to extract signatures from viruses you might capture. The
professional release has the capability to use an external signature
file to allow you to add your own signatures.
- VDS integrity checker can catalog up to 32 instead of 10 levels.
- A copy of our "Polymorphic Engines" paper exposing this latest trend
in virus development.
- Our gratitude and thanks for your support.
2. Components
VDS package includes the following components:
VDS.EXE
- A known and heuristic virus scanner that searches for patterns or code
sequences and uses advanced algorithms to identify polymorphic and simple
viruses inside executable code such as program files and boot sectors.
VDS.EXE
- An integrity checker that creates a fingerprint database for possible
virus targets (programs, boot sectors) and verifies them later for
suspicious modifications. In the case of such modifications, the
integrity checker offers to restore affected areas to their original
state by using generic disinfection techniques, and backups (for system
areas). If the restoration attempt is futile, the integrity checker
informs the user and requests permission to remove the damaged object
by deletion. For example, some overwriting viruses do not preserve the
functionality of their victims. To be able to restore such programs,
one needs to use the original copies or good backups. In 95% of the
cases that involve a virus that can successfully spread, restoration
by generic disinfection is possible, and guarantees 100% recovery.
Viruses that corrupt the operation of their victims get noticed easily
and do not tend to get too far.
VDSTSR.EXE (not available in the shareware release)
- A memory-resident (TSR) program that searches programs before execution
or optionally before they are copied. It also examines the boot sector
of floppy diskettes that may have been left in drive A: before warmboot
attempts. What's more, it can scan programs being unzipped or
de-archived by a compression utility regardless of the version or the
maker of such software. In other words, you do not need to update the
TSR just because you decided to use a newer release of your favorite
file compression utility.
ISVDSTSR.COM (not available in the shareware release)
- A small (17 bytes) program that sets the DOS errorlevel to indicate the
presence of the TSR component in memory. The purpose of this program is
to allow system administrators in networked environments to enforce
loading TSR anti-virus protection on workstations before they are
permitted to access programs on a file server.
DUMPSIG.EXE (not available in the shareware release)
- A virus signature extraction utility.
VITALFIX.EXE
- A disk repair utility designed specifically to deal with boot sector
infections. It provides the user with various options to eradicate a
possible virus, to save and to restore important system information such
as the partition table, and to search disks for a possibly relocated
copy of the boot sector. It is much safer to use this utility than
other disk sector editors since it performs "sanity" checks before
overwriting important sectors.
INSTALL.EXE
- An installation program that automates loading VDS on local
and on network drives. It prepares an "emergency diskette" for your
computer so that you can check and restore system areas and program
files after booting from a clean floppy diskette. This emergency
diskette is formatted as a bootable DOS diskette and the required VDS
components and fingerprint and recovery information are copied over.
VDSCATCH.BIN
- A device driver that implements several anti-stealth features and aids
VDS integrity checker in maintaining reliable operation even when
a stealth virus is active in memory. It also prohibits direct writes
to the master and DOS boot sectors as well as low-level format attempts.
3. System Requirements
VDS has the following minimum requirements to operate correctly:
- An IBM PC or compatible computer
- MS/PC-DOS 3.0 or later
- 420K of free memory
- A hard drive (only for integrity checker)
- Up to 4000 program files per integrity database (16000 if XMS is available)
- 192K extended memory is recommended but not required
- Up to 10 integrity databases
In addition, VDSTSR takes up about 28K of memory when loaded. It can be
loaded into upper memory area under DOS 5.0 or later. VDSCATCH.BIN device
driver takes up about 360 bytes, and it can also be loaded high.
Some systems utilize disk compression software that increases the storage
capacity of drives by compressing and decompressing data on the fly. You
must have the necessary device drivers loaded before VDS. MS-DOS 6.0
now includes this feature by providing the DoubleSpace(tm) interface. The
operation of DoubleSpace is well-integrated into DOS, and works in a
transparent manner. VDS is tested and found to work as expected on
drives compressed using DoubleSpace.
4. Command Line Options
Most of the programs in the VDS package offer a variety of command
line options to customize their operation to suit your needs. Here is a
list of VDS components and their respective command line options:
VDS.EXE [{-|/}BIRDSUVX] [Drive: | Path] [{-|/}C<filepath>] [{-|/}X<filepath>]
-Batch Check the system areas and the files depending on
frequency. This option is the default used during Express
installation. It must be followed by a drive letter.
-Init Create fingerprint database for the system areas and the
files for a given drive. This option is used by INSTALL
program to start VDS during installation. It must be
followed by a drive letter.
-Disks C: D: Process the drives listed. Must specify at least one.
-Rescue Use the emergency diskette to check the specified drive.
-Scan Perform virus scanning on the specified drive or path.
-UMB Scan upper memory blocks as well as the base memory.
-Verify Perform integrity checking on the specified drive or path.
-C<filepath> Use the specified configuration file.
-X<filepath> Use the specified external signature file, not XTERNAL.SIG.
Examples:
To check drive C: for modifications using a non-default configuration
file, you can type the following:
VDS -V C: -Cc:\integ\vds30.ini
To check drive C: using the emergency diskette, you can type the
following:
VDS -R C:
To scan DOS directory for viruses, type the following:
VDS -S C:\DOS
To scan drives C: and D: for viruses, type the following:
VDS -S -D C: D:
To perform automatic integrity checks, you can include the following
line in your AUTOEXEC.BAT
VDS -B C:
VDSTSR.EXE [{-|/}C]
To load VDSTSR high and scan programs during execution and copy
operations, as well as when they are unzipped:
LH VDSTSR.EXE /C
INSTALL.EXE [{-|/}UNEX] [source_path] [destination_path]
To install VDS down from a file server onto the hard disk on
a workstation:
INSTALL -N F:\VDS30 C:\VDS30
To prepare an emergency diskette for drive C: because it got lost:
INSTALL -E C:\VDS30
To uninstall VDS from your hard drive:
INSTALL -U C:\VDS30
DUMPSIG.EXE <filename>
To extract bytes from the program entry point:
DUMPSIG sample.exe > nasty.vir
II. Installation
----------------
You will need your bootable DOS diskette (preferably the original), VDS
Distribution diskette, and at least one blank floppy diskette that can go in
your drive A: for installation. The blank diskette will be formatted and
prepared as a bootable DOS diskette by VDS. The emergency diskette will be
used in the case of infections that affect the master boot/partition sector
or MBR (if VDS cannot repair it on the fly).
The floppy restoration process requires you to use this VDS emergency
diskette. Some computers have a boot sequence setting in CMOS that allows
booting from the hard disk even if there is a floppy diskette in drive A:.
Before starting the installation, please change this setting to boot from
drive A:.
1. Installing VDS On Stand-alone PCs
1) Turn off the computer (NOTE: It is very important that you do not perform
a warmboot by holding down Ctrl-Alt-Del keys since it is possible for a
virus to "fake" a warmboot and stay in memory).
2) Put the DOS diskette in drive A: (NOTE: The version of DOS on the floppy
diskette must be the same as the one installed on your hard drive).
3) If the boot was successful, you should now see the "A:>" prompt. If the
system asks you for time and date, just press "Enter" or "Return" until
you are at the "A:>" prompt.
4) Remove the DOS diskette and replace it with the VDS distribution diskette.
5) Type A:\INSTALL and press "Enter" or "Return."
* INSTALL will now complete the installation process by asking you a few
questions.
6) You will see two options: Express setup and custom setup. If you press the
"Enter" key, INSTALL will use the default settings to configure the
operation of VDS. Custom setup allows you to modify many parameters to
suit your needs.
* From this point on, we will assume you have chosen express setup. Custom
setup is explained in the VDS manual.
7) A configuration file will be created and the necessary files will be
transferred to the hard disk in C:\VDS30 directory.
8) If this is the first time you are installing VDS on your computer, INSTALL
will modify your AUTOEXEC.BAT and CONFIG.SYS to add the necessary lines
to load VDSCATCH.BIN, VDSTSR.EXE and run VDS.EXE every time you reboot the
computer. VDSCATCH.BIN takes up only a few hundred bytes.
9) You will next see the list of files on the hard drive scroll by as VDS
scans for infections and creates the baseline profile of all executable
files on the disk. There should be lots of disk activity. You can actually
observe this by looking at the drive light, or you should hear the disk
head move around. If VDS finds that there are infected files, you will be
asked if VDS should remove them.
10) INSTALL will ask you if you would like to prepare an emergency diskette.
Put a blank diskette in drive A:. MAKE SURE YOU DO NOT HAVE ANYTHING YOU
NEED ON THIS DISKETTE. It will be formatted as a bootable DOS diskette.
11) You can write-protect the emergency diskette at this time and store it
in a convenient location. INSTALL will inform you that the computer will
restart, please remove any floppy diskettes and then press a key. If VDS
is installed correctly, you will see it verify the complete system. This
completes the install process (if you enabled floppy booting in CMOS
previously, you can change it back to the hard disk now).
2. Installing VDS 3.0 On Novell Netware(tm) LAN Servers
You can use VDS 3.0 to protect your Novell Netware servers against PC
viruses by establishing an integrity database for programs on the server as
well as performing periodic virus scans. To be able to take advantage of the
powerful integrity checker built into VDS, you must first install it on
the server and prepare a VDS Network Emergency Disk.
You can also install VDS on workstations without having to go to each
workstation: Simply install it down from the file server as the users log in.
This process is also explained in this document. When we refer to Netware, it
is implied that the version is 2.2 or 3.x.
a. Protecting Programs On The File Server
This section describes how to install VDS on a Netware file server and
explains what is involved in preparing a network emergency disk.
1. Log into the server as SUPERVISOR. Map one drive letter to each separate
volume you wish to protect. Do not use MAP ROOT command. Suppose we have
a server named SMART with two volumes: SYS and APPS.
MAP F:=SMART/SYS:
MAP G:=SMART/APPS:
2. We wish to put VDS in its own home directory on the SYS volume. Create
a home directory for VDS on the server, and map it to a drive letter.
MD F:\VDS30
MAP H:=SMART/SYS:VDS30
2. Put VDS distribution diskette in drive A: (or B:)
3. At the DOS prompt, type:
A:INSTALL <enter>
4. When INSTALL asks you for the method of installation, choose CUSTOM.
5. Press <enter> to accept the default source directory (A:\ or B:\).
6. Enter a directory such as F:\VDS30 as VDS home directory.
F: drive refers to the server that you logged into. This directory
should be accessible only to the SUPERVISOR (or equivalent). By not
allowing anyone else to access this directory, you can reduce the risk
of getting VDS files infected by network users.
7. INSTALL will start copying the necessary files and it will offer you a
list of drive letters currently available. Answer YES to F: and any
other drive letter mapped to a different volume on the server. We picked
F: and G: drives. Note that if more than one drive letter is mapped to
different subdirectories on the same volume, you need to protect only
one drive. VDS is a Netware-aware application and it processes the
complete volume regardless of the drive letter. You can also attach to
multiple file servers. VDS will automatically check which server
each drive letter refers to by consulting the Netware shell server name
table and the drive connection ID table.
8. INSTALL will run VDS to scan the selected drives and initialize an
integrity and recovery database for each one.
9. After initialization, INSTALL will ask you if you wish to prepare an
emergency diskette. Get a blank high density floppy diskette that will
fit in your A: drive. Let INSTALL format it for you. INSTALL will back
up the integrity database(s) to the floppy disk for off-line integrity
checks and emergency recovery.
10. Once the emergency diskette is prepared, INSTALL will inform you that
it has completed its operation and return you to the DOS prompt.
11. Copy the necessary login files to the emergency diskette. If you ever
suspect a virus infection on your server, you will need to boot from the
emergency diskette and log in using the programs on this floppy, not the
ones on the server. Many system administrators actually help the virus
spread by logging into the server as SUPERVISOR and running an infected
program off of the server. Following is an example list of network files
you may need to have on this floppy for a clean login:
For ODI workstations:
LSL
NE2000 (should match your NIC)
IPXODI
NETX
NET.CFG
LOGIN.EXE
LOGOUT.EXE
MAP.EXE
MYSCRIPT.SCR
For old-style IPX workstations:
NE2000 (should match your NIC)
IPX
NETX
SHELL.CFG
LOGIN.EXE
MAP.EXE
LOGOUT.EXE
MYSCRIPT.SCR
After copying these files to the emergency diskette, edit the
A:\AUTOEXEC.BAT to run these programs in the correct order. Refer to
your Netware system administrator's guide for details. We used the
following in our AUTOEXEC.BAT:
@ECHO OFF
PROMPT $P$G
PATH A:\
SET COMSPEC=A:\COMMAND.COM
LSL
NE2000
IPXODI
NETX
A:
LOGIN /S A:MYSCRIPT.SCR
In our MYSCRIPT.SCR, we have the following lines:
DRIVE A:
MAP F:=SMART/SYS:
MAP G:=SMART/APPS:
MAP H:=SMART/SYS:VDS30
EXIT ""
IMPORTANT: In the case of an emergency, you should have a login script
on the floppy disk and use it to login. Otherwise, the system
login script gets processed. Note that the EXIT "" command
shown above ensures that the user login script does not get
executed. If an infected program is run from the login script,
it invalidates your efforts to achieve a clean login.
You should map the drive letter you used in Step 2 above to the volume
where VDS30 directory is located (not necessarily to that directory)
so that the configuration file will be processed correctly.
In our NET.CFG, we have the following:
PREFERRED SERVER = SMART
PROTOCOL IPXODI
BIND NE2000
LINK DRIVER NE2000
INT 3
PORT 360
FRAME ETHERNET_802.3
Of course, your NET.CFG file will be different to reflect the name of
the server and hardware settings. We are presenting this information
just to give a concrete example.
12. A prudent step at this point is to check and see if you can actually use
this diskette to login and perform an integrity check on the server.
Please refer to the next section on how to perform this operation using
the network emergency diskette. Remove the emergency diskette from drive
A: and write-protect the diskette. Label it VDS Network Emergency Disk
and store it in a convenient location.
b. Installing VDS On Workstations From The Server
This section describes the procedure to set up VDS on your file server
so that it gets installed on each workstation upon login. You do not need to
go to each workstation to install VDS. With a little planning, you can
have every workstation well-protected without ever having to leave your desk.
1. Log into the server as SUPERVISOR.
2. Create a subdirectory that is accessible to all users on the server.
IMPORTANT: You CANNOT use the same VDS directory that is created
above to protect the file server. The configuration files
are different.
MD F:\VDS30
3. Copy the following files from the VDS emergency diskette to this
directory.
INSTALL.EXE
VDS.EXE
VDSTSR.EXE
ISVDSTSR.COM
VDS30.INI
AV-INST.BAT
4. Edit VDS30.INI to suit your needs.
5. Edit AV-INST.BAT to match the directory name if you used something other
than VDS30. Even if you do not wish to modify AV-INST.BAT, please study
it to understand what it is doing. Here it is:
@ECHO OFF
rem AV-INST.BAT
rem This is a sample batch file that can be used to install VDS 3.0
rem on local workstations as they log into the network server.
rem It also loads the VDSTSR if it is not active.
rem The system administrator should place VDS PRO 3.0 files in a common
rem directory on the file server. This batch file should also be placed
rem in the same directory. All files should be flagged as Shareable.
rem Users should be able to search and read files in this directory. In
rem the system login script (or equivalent), a drive letter should be
rem mapped to this directory. We use J: here.
rem After that, the batch file should be invoked. Please consult your
rem network administrator's guide for detailed instructions.
rem For example, Netware system login script would contain:
rem MAP J:=MYSERVER/SYS:APPS\VDS30
rem #command /c J:AV-INST.BAT
rem *******************************************************************
rem System administrator mapped VDS 3.0 directory to J: drive
J:
rem If VDS was already installed, then do nothing
IF EXIST C:\VDS30\VDS.EXE GOTO DONE
echo A new anti-virus package will be installed on your workstation.
echo This will take only a few minutes. Please be patient.
PAUSE
J:INSTALL.EXE -N J:\VDS30 C:\VDS30
CLS
:DONE
rem Check and see if VDSTSR is loaded on the workstation
J:ISVDSTSR.COM
IF ERRORLEVEL = 1 GOTO FINISH
echo You have not loaded VDSTSR anti-virus on your workstation.
echo To protect the LAN, we do not allow access until VDSTSR is loaded.
echo Please contact the system manager if you need help.
rem Since it was not loaded, we will load the VDSTSR now
LH J:VDSTSR.EXE
:FINISH
rem Change back to the original drive (H: in our case)
H:
6. Mark all files in VDS30 as READONLY and SHAREABLE.
FLAG F:\VDS30\*.* ros
7. Use SYSCON to make the group EVERYONE a trustee of the F:\VDS30
directory. Assign only READ and FILE SCAN rights.
8. While still in SYSCON, edit the system login script to invoke the
AV-INST.BAT file.
#COMMAND /C F:\VDS30\AV-INST.BAT
9. Now you are ready to test if the installation will proceed as planned.
Go to a workstation that does not yet have VDS installed. Log in as
GUEST, not SUPERVISOR. GUEST should have no more rights than the members
of the group EVERYONE. INSTALL should download the VDS onto the
workstation's hard disk and configure it automatically. No user
intervention except for pressing a key a few times is required.
10. If you encounter any problems, go back and check each step above.
c. Using The Network Emergency Diskette
This procedure may be necessary in the case of a suspected infection of the
programs on the LAN server, or for the purpose of checking for corruption of
program files. At any rate, it is vital that you understand how to perform a
clean boot from the network emergency diskette and gain access to the server
without running any programs off of the server. This might sound a bit
unusual first. However, it is a fact that most virus incidents in networked
environments are made worse because the SUPERVISOR logs in to the server to
check things out. As soon as the SUPERVISOR runs an infected program either
from the workstation's hard disk or the server, the virus may load itself
into memory and spread infection as the supervisor accesses programs on the
server, or it may infect other workstations as users log in. Remember one thing:
If you inadvertently run an infected program, it will have the same access
privileges as the SUPERVISOR on the file server! On the other hand, you can
easily isolate the problem and contain the virus spread by following a few
simple steps.
IMPORTANT: If you suspect a virus infection on your file server, you
should ask users to log out and disable any further logins.
This will save you many hours of clean-up work later. The
most difficult part of handling virus incidents in LAN
environments is preventing reintroduction of the virus from
the workstations to the file server. Even if you do a full
restore from tape, the virus might come back because the
workstations are not clean and some programs on the server
are not protected.
1. Go to the workstation you have used to prepare the VDS Network Emergency
Disk.
2. Insert this diskette in drive A: and reboot (coldboot) the computer.
3. If you modified the AUTOEXEC.BAT as shown in section A, then you should
see the familiar Netware login prompt asking for your login name. If not,
run the workstation programs to establish a network connection, and run
LOGIN from drive A: (not the server).
4. After entering your name and password, map the necessary drive letters to
the volumes you are interested in. This step is performed for you if you
have set up a MYSCRIPT file as outlined in the previous section. If you
are mapping drives manually, make sure that you run the MAP command off
of the emergency diskette, not the server.
5. Switch to drive A:, and type VDS <enter>.
6. VDS should come up as usual, launch decoys, check system areas and so on.
7. Once you see the drive letters, highlight the drive mapped to the volume
you are interested in checking.
8. Press F4 to perform an integrity check. VDS should go through the files
on that volume and provide feedback as it is checking.
9. If there are modified files, VDS will usually offer to restore them
for you. For this operation to succeed, you must have sufficient rights to
those files. For example, if a program file is marked as READONLY, then you
must have MODIFY right so that VDS can mark the file as WRITABLE before
it can fix it. If you logged in as SUPERVISOR, this should not be a problem.
d. Known Problems
1. You must not mark VDS program files as EXECUTE ONLY (Netware 3.11).
They perform self-checks upon activation, and therefore require READ
access to their program files.
2. If you used the MAP ROOT command to establish a "fake" root on the
server, VDS will not try to use the actual path to access the files.
It might report programs located under the fake root as new, although an
integrity database for that volume exists. Simply map another drive
letter to that volume using only the MAP command.
3. VDS reports an error condition on some files such as DIRSTAMP.SYS
and NET$BIND.SYS. This is nothing unusual. These files are for use only
by the Netware operating system. They contain certain network
information such as the bindery. VDS recognizes these files and
skips them, although it will report ERROR.
3. Uninstall
You can remove VDS from your hard drive by running the INSTALL program
with the -Uninstall command line option:
C:\> C:\VDS30\INSTALL -U C:\VDS30 <enter>
If you have performed a custom setup and specified a different directory
name, then you should substitute that name in the line above. INSTALL checks
to see if there were other files in the directory before VDS was
installed. If there were not any, it removes all the files in VDS30
directory, and then the directory itself. If there were other files, it
displays a warning message and aborts without removing any files. It is up
to you to delete or keep any of those files. You need to perform a "manual"
uninstall. Since VDS keeps almost all of its files in its own directory,
removal is a simple procedure. You should also edit your CONFIG.SYS and
AUTOEXEC.BAT to remove the lines loading VDS components. Your original
CONFIG.SYS is renamed to CONFIG.VDS, and the original AUTOEXEC.BAT is
renamed to AUTOEXEC.VDS during installation. You could use them as well;
however, if you have installed any other programs after VDS, then they
might have modified your AUTOEXEC.BAT. Be careful before you copy over the
CONFIG.VDS and AUTOEXEC.VDS if that is the case.
4. Configuration (VDS30.INI)
Many of the operational parameters for VDS are specified in a file
named VDS30.INI, which can be found in the VDS home directory. This is
a simple text file and it can be viewed or edited easily using an ASCII text
editor. Following is an explanation of each line that can be placed in this
file. Lines starting with a semi-colon (;) are comments only.
; This configuration file specifies operational parameters for VDS Pro.
; The following is the directory where VDS.EXE is located.
[HOMEDIR]
C:\VDS30
; VDS uses the directory listed under VERIFY section to find and store
; the integrity databases it maintains
[VERIFY]
C:\VDS30
; Files with the following extensions are processed
; You can modify these lists. Make sure you keep the comma at the end.
[EXT]
SCAN = COM,EXE,SYS,OVL,BOO,
VERIFY = COM,EXE,SYS,OVL,BAT,
; Following directories/files are NOT processed
; Subdirectories to ignore. If you modify certain executable files as in
; a programming project, then you might want to exclude those directories.
[IGNORE_DIR]
C:\C-CODE
C:\ASM-CODE
; files to ignore
; Most people modify their AUTOEXEC and CONFIG all the time. VDS will ignore
; them by default.
[IGNORE_FILE]
C:\AUTOEXEC.BAT
C:\CONFIG.SYS
; Directory tree(s) are stored in the following directory
; If the directory is on a floppy, trees are not saved.
[TREE]
C:\VDS30
; Messages are written to the following file
; If you change it to PRN, all messages are sent to the printer
; If you leave it blank, no audit log will be created.
[REPORT]
C:\VDS30\VDS-STAT.LOG
; Message to be displayed if a virus is found
[MSG]
Call system administrator ASAP!
; Operational flags
[FLAGS]
; If you are checking data files, you should set QUICK_VERIFY to No.
; For programs, leave it set to Yes for faster processing.
QUICK_VERIFY = Yes
; Heuristic check refers to looking for virus-like code sequences. It may
; cause some false positives.
HEURISTIC_CHECK = Yes
; If a virus is found, VDS will ask you for an action if you set it to Yes.
PAUSE = No
; You can eliminate most beeps by setting it to No
BEEP = Yes
; Leave it set to Yes and make sure VDSCATCH.BIN device driver is loaded
; from your CONFIG.SYS.
ANTI_STEALTH = Yes
; VDS will ask your permission before attempting to undo modifications to
; a program file. If it fails, nothing will be changed.
AUTO_RESTORE = No
; ENTER key can be assigned to SCAN or VERIFY a file
ENTER_KEY = Scan
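As an added illustration (my code, not VDS's), the following parses a configuration in the VDS30.INI layout shown above and uses its [EXT], [IGNORE_DIR] and [IGNORE_FILE] settings to drive a fingerprint-and-verify pass of the kind Chapter I attributes to the integrity checker. The SHA-256 database layout and a temporary directory standing in for drive C: are assumptions of the example.

```python
# Added example, not VDS's own code: the database layout (dict of SHA-256
# digests) and the selection rules are my reading of the guide's VDS30.INI text.
import hashlib
import os
import tempfile


def parse_vds_ini(text):
    """Parse VDS30.INI: ';' comments, [SECTION] headers, 'KEY = a,b,c,' keys
    (comma lists become upper-cased lists; the required trailing comma yields
    no empty item) and bare lines such as paths, kept under 'lines'."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
            cfg.setdefault(section, {"lines": [], "keys": {}})
        elif section is None:
            raise ValueError("entry outside any section: %r" % raw)
        elif "=" in line:
            key, _, value = line.partition("=")
            value = value.strip()
            if "," in value:
                value = [v.strip().upper() for v in value.split(",") if v.strip()]
            cfg[section]["keys"][key.strip().upper()] = value
        else:
            cfg[section]["lines"].append(line)
    return cfg


def selected_for_verify(path, cfg):
    """Apply the [EXT] VERIFY list and the [IGNORE_DIR]/[IGNORE_FILE] rules."""
    norm = os.path.normcase(os.path.abspath(path))
    ext = os.path.splitext(norm)[1].lstrip(".").upper()
    if ext not in cfg["EXT"]["keys"]["VERIFY"]:
        return False
    if norm in {os.path.normcase(os.path.abspath(f))
                for f in cfg.get("IGNORE_FILE", {}).get("lines", [])}:
        return False
    for d in cfg.get("IGNORE_DIR", {}).get("lines", []):
        if norm.startswith(os.path.normcase(os.path.abspath(d)) + os.sep):
            return False
    return True


def create_database(root, cfg):
    """Baseline (VDS -I) pass: map each selected file to a SHA-256 fingerprint."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if selected_for_verify(path, cfg):
                with open(path, "rb") as fh:
                    db[os.path.normcase(os.path.abspath(path))] = hashlib.sha256(fh.read()).hexdigest()
    return db


def verify(root, cfg, db):
    """Check (VDS -V) pass: report modified, new and missing selected files."""
    current = create_database(root, cfg)
    return {"modified": sorted(p for p in current if p in db and current[p] != db[p]),
            "new": sorted(p for p in current if p not in db),
            "missing": sorted(p for p in db if p not in current)}


def demo():
    """Build a constructed tree, baseline it, change two things, verify again."""
    root = tempfile.mkdtemp()
    files = {"GOOD.EXE": b"MZ constructed program", "NOTES.TXT": b"not a program",
             "AUTOEXEC.BAT": b"@ECHO OFF", os.path.join("C-CODE", "TEST.EXE"): b"MZ dev build"}
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    # Constructed VDS30.INI that points at the temporary tree instead of C:\.
    ini = ("; constructed for the example\n[HOMEDIR]\n%s\n[EXT]\n"
           "SCAN = COM,EXE,SYS,OVL,BOO,\nVERIFY = COM,EXE,SYS,OVL,BAT,\n"
           "[IGNORE_DIR]\n%s\n[IGNORE_FILE]\n%s\n[FLAGS]\nQUICK_VERIFY = Yes\n"
           % (root, os.path.join(root, "C-CODE"), os.path.join(root, "AUTOEXEC.BAT")))
    cfg = parse_vds_ini(ini)
    db = create_database(root, cfg)
    # What a later check should catch: a changed program and a program absent at baseline.
    with open(os.path.join(root, "GOOD.EXE"), "ab") as fh:
        fh.write(b" appended bytes")
    with open(os.path.join(root, "NEW.COM"), "wb") as fh:
        fh.write(b"constructed new program")
    report = {k: [os.path.basename(p) for p in v] for k, v in verify(root, cfg, db).items()}
    return cfg, sorted(os.path.basename(p) for p in db), report
```

NOTES.TXT is skipped by the VERIFY extension list, AUTOEXEC.BAT by [IGNORE_FILE] and the C-CODE tree by [IGNORE_DIR], so only GOOD.EXE is in the baseline and the second pass reports it as modified and NEW.COM as new.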
III. Operational Overview
-------------------------
This chapter presents the basic approach VDS uses to detect and eradicate
PC viruses.
Protection against viruses can take many forms. The variety of anti-virus
software (and even hardware) in the market is the best indication of this.
After analyzing a large number of viruses and actual virus epidemics in
large environments, we have implemented VDS. The main goal of our effort
is to provide a reliable, unobtrusive, compatible, fast, and sophisticated
set of tools to contain the spread of viruses. A major implementation
requirement has been to hide the complexity of operation from the user, and
present a clear and easy-to-use interface.
You will find the details of each capability provided by VDS and the
rationale behind it in the following paragraphs.
1. Scanning
The most popular anti-virus tool is known as a "virus scanner". The idea
behind scanning is very simple: Obtain a pattern of bytes from infected
samples and look for it in possible target areas to determine if the same
virus may be present. The pattern used must be chosen carefully so that it
will not trigger "false positives", and cause undue panic.
Although this idea is a very simple one, its implementation may not be
as straightforward. In the old days, there were a few dozen viruses and you
could scan for them using a simple pattern matching program. This is no
longer the case. Virus development accelerated in the early 90's and
reached a higher level of sophistication. Viruses began to use variable
encryption so that a discernible pattern cannot be extracted. Some of them
went much further and included a "polymorphic engine" to defy easy
recognition attempts. Every time such a virus infects another program, it
alters the virus so that no one pattern will remain constant. Usually the
virus body is encrypted and the decryption routine is made variable.
To cope with such viruses, scanners have also evolved. More powerful
search algorithms have been designed. For example, by allowing for wildcard
bytes in the pattern, a scanner can detect many encryptive viruses that do
not have a polymorphic capability. This is a continual effort since there
are more and more new viruses distributed all around the world. There are
even some virus writing groups that take pride in not being caught by a
popular scanner product.
Yet another concern for scanners is speed. Searching for hundreds of
patterns can become very time-consuming if a simple pattern matching
algorithm is used. Fortunately, there are some advanced methods to speed
up the search significantly so that it does not take hours to look for many
viruses. Without such modern techniques, the war against viruses would be
quite tiresome.
VDS looks for viruses in certain areas that are known to be targets.
For example, some viruses reside in the disk boot sector. To find them, one
must examine the boot sector. On hard disks, there are two separate areas
where a boot sector virus may be present: the Master Boot Record (more
commonly targeted) and the DOS Boot Record. Floppy diskettes have only one
kind of boot sector.
Program files are another common target for viruses. Since a virus must
gain control of the CPU to be able to perform its task, it can attach to
a program file in such a way that the virus code gets executed before the
host program. After it is done, the virus can simply return control to the
host, and the program operation proceeds as usual.
To determine which files to search, VDS processes the configuration
file (VDS30.INI) and reads in the section [EXT]. This section can have
two entries: SCAN and VERIFY. The SCAN line lists comma-separated extensions.
If VDS finds a file with one of these extensions, it will search it for
viruses. You can edit VDS30.INI to add more extensions.
VDS also scans the memory of the computer for viruses known to stay
resident. Such viruses attack programs when they are accessed for execution
or copying. These viruses trap the operating system requests and monitor
file access. Some of them also try to hide any modifications they have made
so that the user will not notice anything such as file size growth. This
evasion technique is commonly referred to as "stealth".
In some cases, you might discover a new virus that VDS does not have
a pattern to search for. It is likely that the VDS decoy launcher captured
a sample for you. It is now desirable to search for this virus on your floppy
diskettes and other computers as well. To speed up eradication, VDS
offers an external signature file capability. You can extract a signature
from a known-to-be-infected sample, and put it in the user-defined signature
file. VDS will look for the signature you provided just as if it were one of
its internal signatures. In the meantime, you can forward us a sample for
analysis, and we will update our scanner and probably get back to you with
a detailed report on the new virus. You can have up to 32 signatures.
A virus signature consists of up to 16 bytes, expressed in hex. You should
not use signatures shorter than 10 bytes to reduce the possibility of a false
positive. For example:
09 A0 B8 4E 00 87 55 AA 12 34 75 06 90 90 CD 21
Note that some viruses use variable encryption and a simple pattern cannot
be extracted. A full analysis and an algorithm to detect them must be
designed. On the other hand, many encryptive viruses can be found using a
wildcard signature. VDS can handle wildcard signatures. For variable
bytes, you should simply place two question marks instead of two hex digits.
The first and last values cannot be wildcards. Here is an example:
09 A0 B8 4E ?? 87 55 AA 12 34 75 06 ?? ?? CD 21
Because of the way VDS operates, the signature must be extracted from a
location after the virus entry point. To simplify this process, we include
a utility called DUMPSIG. The result of running DUMPSIG on a file is a
sequence of up to 256 bytes after the virus entry point. You
should pick a 16-byte signature that does not have many repeated bytes. The
signature you decide to use should be present in every infected program.
You could also use more than one signature for the same virus. After placing
the signature in the external signature file, run some tests to see if VDS
finds it in two or more known-to-be-infected programs.
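A worked example, added here and not part of VDS or its DUMPSIG utility: a small Python matcher for user-defined signatures in the format described above (up to 16 hex bytes, '??' wildcards, first and last byte fixed, at most 32 signatures). The 'NAME = bytes' line layout of the signature file and the enforcement of the 10-byte minimum as an error (the guide only recommends it) are assumptions of this example.

```python
import re
from dataclasses import dataclass

MAX_SIGNATURES = 32   # the guide's limit on user-defined signatures
MAX_SIG_BYTES = 16    # a signature is up to 16 bytes
MIN_SIG_BYTES = 10    # the guide's recommended minimum, enforced here (assumption)


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes   # wildcard positions hold 0x00 and are ignored via the mask
    mask: bytes      # 0xFF for a fixed byte, 0x00 for a '??' wildcard


def parse_signature(name: str, text: str) -> Signature:
    """Turn '09 A0 B8 4E ?? 87 ... CD 21' into a masked pattern, applying the
    guide's rules: up to 16 bytes, '??' is a wildcard, first and last byte fixed."""
    tokens = text.split()
    if not MIN_SIG_BYTES <= len(tokens) <= MAX_SIG_BYTES:
        raise ValueError(f"{name}: signature must be {MIN_SIG_BYTES}..{MAX_SIG_BYTES} bytes")
    if tokens[0] == "??" or tokens[-1] == "??":
        raise ValueError(f"{name}: first and last bytes cannot be wildcards")
    pattern, mask = bytearray(), bytearray()
    for tok in tokens:
        if tok == "??":
            pattern.append(0x00)
            mask.append(0x00)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            pattern.append(int(tok, 16))
            mask.append(0xFF)
        else:
            raise ValueError(f"{name}: bad byte {tok!r}")
    return Signature(name, bytes(pattern), bytes(mask))


def load_signature_file(lines) -> list[Signature]:
    """Read 'NAME = hex bytes' lines (';' starts a comment). This line layout
    is an assumption; the guide does not show the external file's exact syntax."""
    sigs: list[Signature] = []
    for line in lines:
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        name, _, body = line.partition("=")
        sigs.append(parse_signature(name.strip(), body.strip()))
    if len(sigs) > MAX_SIGNATURES:
        raise ValueError(f"more than {MAX_SIGNATURES} user-defined signatures")
    return sigs


def scan_buffer(data: bytes, sigs: list[Signature]) -> list[tuple[str, int]]:
    """Return (name, offset) for every signature match in data. The fixed first
    byte locates candidate offsets; the masked compare checks the rest."""
    hits = []
    for sig in sigs:
        first, n = sig.pattern[:1], len(sig.pattern)
        pos = data.find(first)
        while pos != -1 and pos + n <= len(data):
            window = data[pos:pos + n]
            if all((w & m) == p for w, m, p in zip(window, sig.mask, sig.pattern)):
                hits.append((sig.name, pos))
            pos = data.find(first, pos + 1)
    return hits
```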
2. Integrity Checking
The second major capability VDS provides is called integrity checking.
The idea behind integrity checking is as simple as scanning: Compute and
record unique fingerprints for system areas and programs, and recompute and
compare them to the original fingerprints. If there are any modifications,
then VDS will investigate further by scanning the affected area for
viruses. If there is no known virus found, it will offer to restore it for
you. After the restoration attempt, VDS will verify that the restoration
is 100%.
During installation, VDS creates the fingerprints for specified
drives. Before computing the fingerprint value, it first scans the object
for known viruses to make sure that it is clean. Once an integrity database
is established, it is very fast to go through the disk and verify the system
areas and programs against the baseline. VDS also records recovery
information it needs to have for generic disinfection.
Since viruses must modify other existing executable objects to spread,
they can be detected by integrity checkers. The strength of this technique
comes from the fact that no virus specific information is needed and new
viruses can be detected. There is one drawback that we must mention. What
happens if the modification is legitimate such as installation of an update
for a program? VDS will detect this modification, attempt to identify
a known virus, and try to restore it. You have the option to override any
alarms and update the fingerprint for the affected program. It requires some
decision-making on your part.
VDS also performs integrity checks on itself. If it detects a
modification, it will attempt to heal itself using the backup copy it has made
during installation. The VDS integrity checker verifies other components in the
package such as the VDSTSR and the device drivers and restores them as well.
We added this simple fault-tolerance to cope with viruses that can infect
VDS components.
File checks are performed by VDS.EXE. They include all program files
with extensions specified in the configuration file VDS30.INI under
section [EXT]. The entry for VERIFY lists the extensions for files that
VDS should check. You can modify this list to suit your needs. For example,
you could maintain integrity information for your data files as well. If
you choose to do that, be aware that there are two different ways to
perform integrity checks: Full and Quick. Data files require the 'Full' check
mode; the 'Quick' mode is applicable only to executable programs. You can
change this setting in the VDS30.INI file under the [FLAGS] section.
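An added example, not VDS code, that follows the integrity-checking procedure above: fingerprint the files whose extensions appear under VERIFY in [EXT], skip paths listed under [IGNORE_FILE], and later report what was modified, added or removed. SHA-256 stands in for VDS's undocumented fingerprint algorithm, and only the 'Full' (every byte) check is modelled; the demo tree and INI text are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def parse_ini(text: str) -> dict[str, list[str]]:
    """Parse the [SECTION] / entry layout used by VDS30.INI (';' starts a comment)."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def verify_extensions(ini: dict[str, list[str]]) -> set[str]:
    """The VERIFY entry under [EXT], e.g. 'VERIFY = COM,EXE,' -> {'COM', 'EXE'}."""
    for entry in ini.get("EXT", []):
        key, _, value = entry.partition("=")
        if key.strip().upper() == "VERIFY":
            return {e.strip().upper() for e in value.split(",") if e.strip()}
    return set()


def fingerprint(path: Path) -> str:
    """'Full' mode: every byte goes into the fingerprint (SHA-256 is a stand-in)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(root: Path, ini: dict[str, list[str]]) -> dict[str, str]:
    """Fingerprint files under root with a VERIFY extension, minus [IGNORE_FILE]."""
    exts = verify_extensions(ini)
    ignored = {p.upper() for p in ini.get("IGNORE_FILE", [])}
    return {str(f): fingerprint(f) for f in sorted(root.rglob("*"))
            if f.is_file() and f.suffix.lstrip(".").upper() in exts
            and str(f).upper() not in ignored}


def verify(root: Path, ini: dict[str, list[str]], baseline: dict[str, str]) -> dict[str, list[str]]:
    """Recompute and compare: 'modified' is where VDS would scan for a known
    virus and then offer to restore; 'new' files have no baseline entry yet."""
    current = build_baseline(root, ini)
    return {"modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
            "missing": sorted(p for p in baseline if p not in current),
            "new": sorted(p for p in current if p not in baseline)}


def demo() -> dict[str, list[str]]:
    """Constructed sample tree in a temporary directory; returns file names only."""
    root = Path(tempfile.mkdtemp())
    (root / "GAME.EXE").write_bytes(b"MZ" + b"\x00" * 30)
    (root / "AUTOEXEC.BAT").write_bytes(b"@ECHO OFF")        # on the ignore list
    (root / "NOTES.TXT").write_bytes(b"TXT is not on the VERIFY list")
    ini = parse_ini("[EXT]\nVERIFY = COM,EXE,SYS,OVL,BAT,\n"
                    f"[IGNORE_FILE]\n{root / 'AUTOEXEC.BAT'}\n")
    baseline = build_baseline(root, ini)
    (root / "GAME.EXE").write_bytes(b"MZ" + b"\x00" * 30 + b"\xEB\xFE")  # grew by 2 bytes
    (root / "NEW.COM").write_bytes(b"\xC3")                              # appeared later
    names = {k: [Path(p).name for p in v] for k, v in verify(root, ini, baseline).items()}
    names["baseline"] = [Path(p).name for p in baseline]
    return names
```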
To look for suspicious activity in a PC, VDS uses an advanced
technique called "decoy launching". In simple terms, a decoy is a small
executable program created and run by VDS at run-time to attract a virus
active in memory. Since many memory-resident viruses infect upon execution
or copying of programs, they immediately attack the decoys. VDS records
this and provides you with detailed information about the type of
modifications made to the decoy such as number of bytes added, whether the
program entry point is adjusted, and so on. In addition, you will have a sample
of the virus to examine. Decoys do not contain much program code and make it
easy to analyze a captured virus. In other words, an infected decoy will be
mostly virus code and little else.
Decoys are launched every time you run VDS. You can also launch decoys
in any directory you wish by using the F7 key.
We consider decoy launching capability part of integrity checking because
it is a generic technique that does not depend on any specific virus. It is
designed to exploit a weakness in the operation of certain types of viruses.
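An added example (not part of VDS) of the decoy comparison the text describes: given a decoy image before and after it was exposed, report how many bytes were added and whether the entry point was adjusted. The EXE entry-point offsets are the standard MZ header layout; both images in the demo are constructed, no virus is involved.

```python
import struct
from typing import Optional, Tuple


def mz_entry_point(image: bytes) -> Optional[Tuple[int, int]]:
    """Return (CS, IP) from an MZ (EXE) header: initial IP at offset 0x14,
    initial CS at 0x16. None if the image is not an EXE."""
    if len(image) < 0x1C or image[:2] != b"MZ":
        return None
    ip, cs = struct.unpack_from("<HH", image, 0x14)
    return cs, ip


def analyze_decoy(before: bytes, after: bytes) -> dict:
    """Report the kind of change the guide describes for a decoy: bytes added
    and whether the program entry point was adjusted."""
    report = {"modified": before != after, "bytes_added": len(after) - len(before)}
    if before[:2] == b"MZ":
        report["kind"] = "EXE"
        report["entry_point_changed"] = mz_entry_point(before) != mz_entry_point(after)
    else:
        # A COM image starts executing at its first byte, so a changed first
        # instruction means execution no longer begins in the decoy's own code.
        report["kind"] = "COM"
        report["entry_point_changed"] = before[:3] != after[:3]
    return report


def demo() -> dict:
    """Constructed EXE decoy and a constructed 'after' image: the header's CS:IP
    now points past the original body and 64 filler bytes follow it."""
    header = bytearray(0x1C)
    header[:2] = b"MZ"                                   # CS:IP left at 0000:0000
    decoy = bytes(header) + b"\xB8\x00\x4C\xCD\x21"     # mov ax,4C00h / int 21h
    changed = bytearray(decoy)
    struct.pack_into("<HH", changed, 0x14, 0x0005, 0x0000)   # IP=5, CS=0
    changed += b"\x90" * 64                              # constructed filler
    return analyze_decoy(decoy, bytes(changed))
```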
3. Real-time AV Protection
To prevent viruses from entering your computer, VDS includes a
memory-resident program called VDSTSR. This program is a scanner that
accomplishes its task in a manner transparent to the user, unless it finds
a virus. It operates by monitoring operating system requests for execution
and copying of programs, and then scanning them before allowing the operation.
VDSTSR also monitors warmboot attempts using the Ctrl-Alt-Del keys. If the
user is trying to warmboot the computer, VDSTSR checks to see if there is
a floppy diskette left in drive A:. If there is one, it scans the boot
sector of the floppy for viruses. After making sure that it is not an infected
diskette, VDSTSR allows the warmboot to proceed as usual.
If there is a virus found in the boot sector, VDSTSR will display its
name, beep to get the user's attention, and cancel the warmboot. It will
instruct the user to remove the floppy diskette from drive A:. This capability
is very effective against boot sector viruses that can only spread if the
system is started from an infected diskette. The infamous "Michelangelo" virus
spreads in this manner, as does the world's most common "Stoned" virus.
VDSTSR always scans programs before they are run. It provides an option
to scan during copy operations. As a side effect, copy operations will be
slowed down to some extent.
VDSTSR also disallows attempts to "trace" INT 21h. Some stealth viruses
patch the original DOS entry point for file access by using a method known
as "tracing". This is a feature of the Intel 80x86 microprocessors and its
purpose is to provide debugging support. Once in trace mode, the CPU calls a
programmer-defined interrupt handler after executing almost every instruction.
Once execution reaches the original entry point inside DOS, the virus
patches the code there and redirects the operating system to its code
in memory. After the virus is well-entrenched, it can implement very potent
stealth techniques to evade detection. Besides debuggers, there are very few
programs that use tracing. A few anti-virus programs in the market also
use tracing in order not to be fooled by a stealth virus!
VDSCATCH.BIN includes several features to aid VDS integrity checker in its
reliable operation. It provides a clean entry point into the DOS kernel and
into the BIOS disk access. This way, VDS can bypass almost any stealth virus.
In addition, VDSCATCH.BIN also prohibits tracing INT 21h and INT 13h. Many
stealth viruses exploit the tracing capability of the 80x86 to plant their
hooks into the system surreptitiously.
IV. Viruses Explained
---------------------
This chapter presents basic information about PC viruses and defines a
few buzzwords commonly used in the anti-virus field.
A virus is a program that has the ability to replicate itself by attaching
to other existing executable objects, either by logical or physical means.
In addition to its replication task, a virus may have a manipulation task in
the form of a damage routine.
Researchers classify viruses in several ways. We prefer to separate the
structure of the implementation of viruses from the objects they attack.
We classify them by their "features" and "types". Here are the details:
Features of PC Viruses
There are several features of viruses:
a. Stealth Virus: A virus that has the capability to hide the modifications
it has made to its victims to evade detection. For example, the virus
may hide the file size increase when the user attempts to get a
directory listing. Another example would be a boot sector virus that
returns the original boot sector when a program attempts to read it.
To accomplish such tricks, a stealth virus usually stays resident in
memory and monitors disk access either at the DOS or BIOS level. This
way, it can see each disk access request and alter the results to hide
the modifications it has made. There are varying degrees of stealth
capability. In other words, it may be possible to discover the presence
of a virus using an alternate mechanism to examine the object that
may have been affected.
b. Dumb Virus: A virus with no stealth capability. Such a virus makes
no attempts to conceal its presence. The most apparent change is the
increase in file size since the virus added its code to the program
file. An alert user can notice such a change easily.
c. Encryptive Virus: A virus that keeps its code encrypted and includes
a decryptor to restore itself. The purpose of encryption is to make
it impossible to extract a scan string. The decryption routine is
designed to contain variable sections so that it is not easily
recognized. It is possible to detect such viruses using a wildcard
pattern that matches the decryptor.
d. Polymorphic Virus: A virus that keeps its code encrypted and includes
a highly variable decryptor to restore itself. It is not possible to
extract a wildcard scan string to recognize the decryptor. One has to
design an appropriate algorithm to detect it. We usually analyze the
structure of the decryptor and identify its key features, and then
use this information to implement a detection routine.
e. Multi-partite Virus: A virus that can infect both program files and
boot sector of a disk. Dealing with such a virus can be quite a
nuisance since the first portion of the virus gets control of the
system even before DOS is loaded. The virus can alter the system
vectors to implement a potent stealth mechanism, for example. Removing
this type of virus requires that all affected areas are restored.
Types of PC Viruses
There are two major types of PC viruses:
a. MBR/BR Virus: A virus that attacks the master boot record or the DOS
boot record of a disk. This type of virus usually moves the original
contents of the boot sector and replaces it with its own code. Key
data structures within the boot sector (partition table or BIOS
parameter block) are almost always left intact so as not to disrupt the
operation of DOS. A boot sector virus reserves memory for itself by
reducing the base memory size (e.g., 640K to 638K), and copies its
code to the top of memory. There are a few boot sector viruses that
remain in low memory as well. Almost all boot sector viruses monitor
the BIOS disk interrupt (INT 13h) to spread or to hide themselves.
Every time a disk is accessed, they get control and check if the disk
being accessed is already infected. If not, they can infect it before
returning control to the original interrupt handler.
b. Program Infector: A virus that attaches to program files. There are
a few subcategories of this type of virus:
Simple Infector: A virus that modifies a program file physically to
add its code. The program file entry point is adjusted so that the
virus gets control when the program is executed.
Companion Virus: A virus that logically inserts itself into the search
path so that it gets control when the user attempts to run a program
that has the same file name. The most common implementation exploits
the fact that DOS runs a program file with a COM extension rather
than the one with an EXE extension if both of them exist. Another
possibility is to insert the virus in the search path. If the user
does not specify the exact location of the program, then DOS will use
the path to look for it. If the virus program comes before the actual
program in the search path, then the virus will get executed.
System Infector: A virus that alters DOS system data structures
so that it gets control instead of the program the user intends to
run. For example, DIR-2 virus manipulates the directory entries to
point the starting cluster to its location. When DOS reads the disk to
load a program, the virus gets loaded. Another possibility is to insert
the virus in a system location that DOS is known to always load.