VIRUS-L Digest Friday, 21 Apr 1989 Volume 2 : Issue 96 Today's Topics: re: Hiding Viruses by Intercepting Output McAfee's SENTRY a-v software (PC) re: Virus disassemblies (PC) [Ed. I apologize for sending out such a short digest; we're testing a mail<-->news gateway and need something to feed it.] --------------------------------------------------------------------------- Date: 21 April 1989, 08:51:33 EDT From: David M. Chess Subject: re: Hiding Viruses by Intercepting Output > Could anyone tell me how this method of hiding a virus > would fail? The "Brain" virus (I think it is) does something very much like this. It fails when a user who is checking out an infected diskette does the checkout on a *clean* system, in which the virus hasn't gotten control. Another illustration of how important it can be to get your system into a known clean state before doing virus-scanning. DC ------------------------------ Date: FRI APR 21, 1989 11.47.23 EST From: "David A. Bader" Subject: McAfee's SENTRY a-v software (PC) I just had the chance to try out John McAfee's Sentry Anti-viral software for the PC, and frankly - it is worthless. I followed the instructions on installation, and it automatically places itself in autoexec.bat and reboots (maybe John, you could have told me that you were going to modify my file, or that you would do a cold boot - for me, it matters.) Anyway, After Sentry did a check of filesize and a random checksum at the beginning, middle, and end of every file on my harddisk, it told me nothing. Ok, so I run Sentry a second time just to see what happens and I get told my interrupt vectors have changed and I should contact someone because that could mean a virus. Have you ever heard about FASTOPEN, or FluShot Plus, or one million other programs that I give permission to to take over my interrupt vectors? You could at least scan the memory tables and tell me who the owner of the interrupt vectors is. And then, after taking a minute to scan all my files, I would appreciate "XXXXX file changed since last use" - NOT "3 files were modified".. Useless, John, absolutely useless. -I'm sticking with FluShot Plus! -David Bader DAB3@LEHIGH ------------------------------ Date: 21 April 1989, 14:06:08 EDT From: David M. Chess Subject: re: Virus disassemblies (PC) Some comments on Jim Goodwin's comments. > It is also the first virus I've come across > that will NOT infect a true IBM PC. It will only infect clones. The > code to test for the true blue IBM machine was quite simple, and > follows: If you'll look carefully at that code, you'll notice a bug; the last compare should be a BYTE compare, not a word compare. As it is, it's testing for "IBM" followed by a byte of 00. Even True Blue IBM BIOSs don't have that, so in fact it will work identically on IBMs and clones. (Either the virus writer didn't have a real IBM to test on, or he's intentionally trying to confuse us!) So it *will* infect a true IBM PC (I've tested it). The two levels of encryption are just a couple of XORs; one simple way to crack most of it is to let it run (on a machine with no hard disks, of course!) up to the point where it has finished descrambling itself, and then dumping the descrambled code to disk and killing the execution. COM and EXE files: The only virus that I know of that will infect both is the Jerusalem. The only other virus that I know that will infect EXE files is the EXE flavor of the April 1st Israeli virus. All the others I know of are either COM or boot infectors. Do you know of other EXE infectors? I'm sure the list would be interested. All the COM and EXE infectors that I know of use INT21 to do their infecting. Do you know of some that don't? It's possible in theory of course, but I've never seen one. Again, I'm sure the list would be interested. > we have it in over 6,000 systems now and it has > caught us a total of 31 new viruses. Wow! Only about 14 or 15 (counting liberally) PC-DOS viruses have been reported on this list. Do you have capsule summaries of the viruses you've found? (Or does that 31 perhaps include viruses for other operating systems, or perhaps some non-virus Trojan horses?) Sounds like you've got a gold mine of information, there! I'll attempt to check out the BBS myself. Dave Chess Watson Research ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253