NetNews Usenet Archive 1993 #1

home *** CD-ROM | disk | FTP | other *** search

/ NetNews Usenet Archive 1993 #1 / NN_1993_1.iso / spool / comp / virus / 4837 < prev next >

Wrap

Internet Message Format | 1993-01-06 | 3.8 KB

Path: sparky!uunet!olivea!spool.mu.edu!darwin.sura.net!jvnc.net!netnews.upenn.edu!netnews.cc.lehigh.edu!news From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Newsgroups: comp.virus Subject: Re: Virus Simulator MtE Suppliment (PC) Message-ID: <0012.9301062041.AA14693@barnabas.cert.org> Date: 5 Jan 93 18:39:30 GMT Sender: virus-l@lehigh.edu Lines: 66 Approved: news@netnews.cc.lehigh.edu as194@cleveland.Freenet.Edu (Doren Rosenthal) writes: > Thank you for your comments on my Virus Simulator MtE Supplement. I'll be > mailing the first copies january 1, so I hope your opinion is mistakenly > based on my original Virus Simulator and not your technical review of a > program you could not possibly have examined yet. Readers of this forum may > recall the considerable controversy and strong opinion you expressed > beginning two weeks before my release of that program as well. Well, Frisk's comments about your Virus Simulator turned out to be right even after it appeared, so I would guess that he understands the principles behind such "test" tools even better than you do... > pattern to avoid recognition. A few examples of viruses that employ this > same MtE engine are: > > Pogue, Dame, MtE, Gotcha, 7S, Mut, Dedicated, Fear, Groove, Coffee Shop, > MtE-Spawn, Questo, Crypto Lab, Encroach. Corrections: By "7S" you probably mean "Seventh_Son" ("7S" is how SCAN calls it) and it is NOT based on MtE. "Dame" is not a virus, it is just how SCAN call -all- MtE-based viruses. Gotcha is NOT an MtE-based virus. Dunno what you are calling "Mut" but I know about no such MtE-based virus. The CARO name for "MtE-Spawn" is "Insufficient". The correct spelling of the last two names is "CryptLab" and "Encroacher". "MtE" is not a virus; it is a tool for building polymorphic viruses. When looking at the names you quoted, I am getting the impression that you knowledge about the names of the existing MtE-based viruses is based on the reports generated by SCAN, since it sometimes reports the unencrypted variants of Pogue as "Gotcha" (which is correct - Pogue is actually a Gotcha variant with MtE polymorphism added), and one of the older versions of SCAN reported "7S" in some unencrypted variants of one of the other MtE-based viruses (not certain about that; have to check). > Although the MtE simulations produced by my program are safe and > controlled, they are real viruses, capable of infecting their special dummy > host programs. So, you are not only distributing malicious software (MtE) but also real viruses, hmm? Anyway, Frisk's comment is still valid. The ability of a scanner to detect "your" viruses may or may not be related to its ability to detect -real- MtE-based viruses. > Vigilant anti-virus programs that are capable of reliably > detecting the MtE mutation engine should report these simulations as being > infected. Usually, yes, but not necessarily. It depends on how your viruses infect their victims, how often they are generating unencrypted replicants, how exactly the particular scanner works, and so on. As I said, it may or it may not be connected with the actual ability of the scanner to detect the existing MtE-based viruses... But if a scanner - -doesn't- detect some of "your" viruses, this is a serious reason for further investigation. It does not necessarily mean that that particular scanner will also miss a real MtE-based virus, but it is worth checking why it misses your virus... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany