=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= F.U.C.K. - Fucked Up College Kids - Born Jan. 24th, 1993 - F.U.C.K. =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

The Epidemic
------------

Introduction:
-------------

I would like to start by giving a definition of a computer virus and
a Trojan horse. Although this file deals mainly with computer viruses,
I will stick in a comment here and there about Trojans.

Definitions:
------------

COMPUTER VIRUS : a computer program that can infect other computer
programs by modifying them in such a way as to include a (possibly
evolved) copy of itself. The correct English plural of "virus" is
"viruses." The Latin word is a mass noun (like "air"), and there is no
correct Latin plural.

TROJAN HORSE : a program that does something undocumented which the
programmer intended, but that the user would not approve of if he knew
about it. A "Trojan" refers only to a non-replicating malicious
program. Since it does not replicate, it is separate from the virus
family.

To date there are roughly 2,500 known viruses. This is an estimate; the
real figure is somewhere between 2,300 and 3,000 depending on how you
count variants. Grouped into families, there are over 800 known
families of viruses. With new viruses being created and old ones being
modified, that number is going up very rapidly. Some estimate that there
will be around 20,000 viruses by the year 2000. That is only an opinion,
but it may very well be reached.

In the following sections I will go into the different types of
computer viruses, how to tell if you are infected, how to remove them,
and, the best for last, virus scanners and how they rate.

Virus Types:
------------

Viruses infect in two different ways: we have either FILE INFECTORS or
SYSTEM or BOOT-RECORD INFECTORS.

File infectors attach themselves to ordinary program files.
These usually infect .COM and/or .EXE files, though some have been known
to infect .SYS, .OVL, and other types of executable files. Breaking it
down further, there are two types of file infectors, NON-RESIDENT and
MEMORY RESIDENT. A non-resident virus selects one or more programs to
infect at the time the infected program is executed, and does nothing
further once that program exits. A memory resident virus installs itself
somewhere in memory the first time an infected program is executed;
after that it infects other programs as they are executed, or whenever
else the virus is programmed to do so, for as long as the machine stays
up. Most of the viruses written today are memory resident.

SYSTEM or BOOT-RECORD INFECTORS are memory resident and infect certain
system areas on a disk which are not ordinary files. Boot-sector viruses
infect only the DOS boot sector, while MBR viruses infect the Master
Boot Record on fixed disks and the DOS boot sector on diskettes. Some
examples of this type of infector are the Brain, Stoned, and
Michelangelo viruses.

Some viruses do special 'tricks' in order to hide themselves from virus
scanners. Three of the most common are the stealth, the self-encrypting,
and the even more powerful polymorphic virus.

A STEALTH virus is a memory resident virus which hides by intercepting
the system functions that read files or physical blocks and returning
the original, uninfected form of the file instead of the actual infected
contents. A scanner that runs while the virus is resident therefore
reads clean-looking files and misses the infection, which is why
scanning has to be done after booting from a clean diskette.

A SELF-ENCRYPTING virus stores its body encrypted under a key. When an
infected program runs, a small decryptor at the front uses the key to
decrypt the body, which then does whatever it was written to do. When
it infects a new file it writes the body out encrypted again, usually
under a different key, so the body looks different in every copy. Only
the decryptor stays the same from copy to copy, and that is what a
scanner has to search for.

A POLYMORPHIC virus goes one step further and varies the decryptor as
well, producing copies that share no fixed byte string. This makes it
hard for virus scanners to detect, because a fixed signature will not
match all instances of the virus.
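The three scanner-evasion techniques above are easiest to see side by side. The following is an added example written for this edit, not code from the original file: it builds a constructed "virus body" (an arbitrary byte string, not real malware), a self-encrypting copy of it, and a polymorphic copy, and runs three generations of scanner over them. It assumes single-byte XOR as the cipher and uses the 4-byte marker "DEC:" in place of real x86 decryptor code; both are simplifications. The last scanner is the kind of algorithmic scan the following paragraphs say polymorphic viruses force on scanner authors.

```python
import random
from typing import Optional

# --- constructed test material ---------------------------------------------
# Stand-in "virus body": an arbitrary byte string a scanner would carry a
# search string for.  Not real malware.
BODY = b"\xb8\x00\x4c\xcd\x21INFECT-ME-PLEASE-1993"
SIGNATURE = b"INFECT-ME"      # the search string a plain scanner carries
STUB_MAGIC = b"DEC:"          # constructed marker standing in for decryptor code
NOP = 0x90                    # x86 NOP, the "unnecessary instruction" of the text
CLEAN = b"MZ" + bytes(62)     # constructed uninfected sample


def xor(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the simplest self-encryption scheme (an assumption)."""
    return bytes(b ^ key for b in data)


def make_self_encrypting_copy(key: int) -> bytes:
    """Self-encrypting copy: constant decryptor stub + body XORed with a
    per-copy key.  Only the stub is identical across copies."""
    return STUB_MAGIC + bytes([key]) + xor(BODY, key)


def make_polymorphic_copy(key: int, seed: int = 1993) -> bytes:
    """Polymorphic copy: as above, but the decryptor itself is varied by
    inserting a random run of NOPs before every stub byte, so no fixed
    byte string survives even in the decryptor."""
    rng = random.Random(seed)
    mutated = bytearray()
    for b in STUB_MAGIC + bytes([key]):
        mutated.extend([NOP] * rng.randint(1, 3))
        mutated.append(b)
    return bytes(mutated) + xor(BODY, key)


# --- three generations of scanner --------------------------------------------
def signature_scan(sample: bytes) -> bool:
    """Plain string search for the body.  Beaten by any encryption."""
    return SIGNATURE in sample


def stub_scan(sample: bytes) -> bool:
    """Search for the constant decryptor instead: catches self-encrypting
    copies, beaten as soon as the decryptor is mutated too."""
    return STUB_MAGIC in sample


def xray_scan(sample: bytes) -> Optional[int]:
    """Algorithmic scan ("X-raying"): try every possible key and look for
    the signature in the decrypted result.  Returns the key that worked,
    else None.  Real engines go further (they emulate the decryptor),
    because real polymorphic code is not limited to single-byte XOR."""
    for key in range(256):
        if SIGNATURE in xor(sample, key):
            return key
    return None


if __name__ == "__main__":
    samples = {
        "plain body":      BODY,
        "self-encrypting": make_self_encrypting_copy(0x5A),
        "polymorphic":     make_polymorphic_copy(0x5A),
        "clean file":      CLEAN,
    }
    for name, s in samples.items():
        print(f"{name:16} signature={signature_scan(s)!s:5} "
              f"stub={stub_scan(s)!s:5} xray_key={xray_scan(s)}")
```

Run it and the table shows the progression: the plain signature catches only the unencrypted body, the stub signature also catches the self-encrypting copy, and only the key-search catches the polymorphic copy (and reports which key it was). The cost is also visible: 256 decryptions per sample instead of one string search, which is why the Quick Scan versus Secure Scan distinction in the benchmarks below exists.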
One method a polymorphic virus uses is to choose among a variety of
different encryption schemes, each requiring a different decryption
routine. A signature-driven virus scanner would need one signature for
each decryption routine. Another type of polymorphic virus varies the
sequence of instructions in the decryptor by inserting unnecessary
instructions, such as No Operation (NOP) instructions, between the real
ones, or by swapping in equivalent instructions. A signature-based virus
scanner cannot reliably identify this sort of virus, since there is no
contiguous byte string common to all copies.

The most sophisticated form of polymorphism discovered so far is the MtE
"Mutation Engine" written by the Bulgarian virus writer Dark Avenger. It
comes in the form of an object module; any virus can be made polymorphic
by adding a call to the engine in its code and linking the engine in.

Polymorphic viruses have made virus scanning more difficult than ever.
Normal signature strings will not pick up these viruses; scanners have
to use algorithmic detection instead, for example trying every possible
key against the encrypted body, or emulating the decryptor until the
body appears in the clear.

Some viruses use other tricks to make tracing, disassembling, and
detection more difficult. Probably the first method of sneaking an old
virus past scanners was to compress the infected file with PKLITE. This
worked for a while, until researchers picked up on the trick and taught
their scanners to unpack. Then people moved on to LZEXE and DIET
compression, but those tricks were soon picked up on as well. One that
is still able to slide by scanners is to PGM-PAK a file; to date, no
scanner I have come across has been able to pick this one up. The
general point is that a scanner only sees what it can unpack, so a new
packer is as good as a new encryption scheme until the scanners learn
it.

How to determine if you have been infected.
-------------------------------------------

A biological virus can only live as long as its host is alive; if it
kills its host, it dies too. The same is true of computer viruses: they
try to spread as far as possible before doing any damage to the host,
so most of a virus's life on your machine is spent quietly infecting.
That quiet period is the best time to find and remove the virus, before
any real damage is done.
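The indicators this section goes on to list (a file's size, date or contents changing) are only usable if you recorded what the files looked like before. The following is an added example, not code from the original file: a minimal integrity checker that fingerprints every program file under a directory, then reports what differs on a later run. The directory, file names and the three simulated infections are constructed inside the example so it runs offline; the list of extensions is the one the text gives for file infectors.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# One baseline record per program file: (size, modification time in ns, sha256).
Record = Tuple[int, int, str]

# File types the text says file infectors go after.
PROGRAM_EXTS = (".com", ".exe", ".sys", ".ovl")


def fingerprint(path: str) -> Record:
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return (st.st_size, st.st_mtime_ns, digest)


def take_baseline(root: str) -> Dict[str, Record]:
    """Fingerprint every program file under root (paths relative to root)."""
    table: Dict[str, Record] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(PROGRAM_EXTS):
                full = os.path.join(dirpath, name)
                table[os.path.relpath(full, root)] = fingerprint(full)
    return table


def compare(root: str, old: Dict[str, Record]) -> Dict[str, List[str]]:
    """Re-fingerprint root and return {relpath: [reasons]} for every file
    that differs from the baseline.  A file whose size and date the virus
    restored is still reported, because the hash is recomputed from the bytes."""
    new = take_baseline(root)
    report: Dict[str, List[str]] = {}
    for rel, (osize, omtime, ohash) in old.items():
        if rel not in new:
            report[rel] = ["missing"]
            continue
        nsize, nmtime, nhash = new[rel]
        reasons = []
        if nsize != osize:
            reasons.append(f"size {osize}->{nsize}")
        if nmtime != omtime:
            reasons.append("date changed")
        if nhash != ohash:
            reasons.append("contents changed")
        if reasons:
            report[rel] = reasons
    for rel in sorted(new.keys() - old.keys()):
        report[rel] = ["new file"]
    return report


def _write(root: str, name: str, data: bytes) -> str:
    path = os.path.join(root, name)
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo() -> Dict[str, List[str]]:
    """Constructed scenario in a temporary directory: take a baseline, then
    simulate three things a virus might do, and report what the checker sees."""
    with tempfile.TemporaryDirectory() as root:
        cmd = _write(root, "COMMAND.COM", b"\xe9\x00\x00" + bytes(200))
        edit = _write(root, "EDIT.EXE", b"MZ" + bytes(400))
        _write(root, "README.TXT", b"not a program, not tracked")
        old = take_baseline(root)

        # 1. Appending infector: the file grows by 64 bytes.
        with open(cmd, "ab") as f:
            f.write(bytes(range(64)))

        # 2. Overwriting infector that puts the original date back: same
        #    size, same date, different bytes.  Only the hash catches this.
        st = os.stat(edit)
        with open(edit, "r+b") as f:
            f.seek(2)
            f.write(b"\xeb\xfe")
        os.utime(edit, ns=(st.st_atime_ns, st.st_mtime_ns))

        # 3. A dropped file that was not in the baseline.
        _write(root, "DROPPED.COM", bytes(16))

        return compare(root, old)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(f"{path:14} {', '.join(reasons)}")
```

The baseline has to be taken on a system you trust and stored somewhere the virus cannot rewrite (a write-protected floppy, in this file's terms), and the comparison has to run after a clean boot: a resident stealth virus feeds the checker the original bytes, and the hashes will match.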
There are several things you should watch for if you think you might be
infected with a virus. Changes in a file's size, date, and/or contents
could mean that you are infected. Missing RAM (less conventional memory
reported than the machine has) is another indicator, since a resident
virus has to live somewhere. Watch for longer disk activity, system
slowdown and other strange hardware behavior. None of these proves an
infection on its own, but any of them is reason to scan.

What to do if you think you are infected.
-----------------------------------------

Use the DOS MEM command. MEM /C lists what is loaded in memory and how
much is free, so compare it against what you normally see and look for
a resident program you cannot account for, or a drop in total
conventional memory (a few K missing from the 640K is the classic sign
of a boot-sector virus). CHKDSK or publicly available utilities like
PMAP or MAPMEM can also show changes in system memory.

Use several different virus scanners. No one virus scanner is 100%
perfect. Later in the file I list the results of several virus scanners
against 700 various types of viruses. You can use this as a starting
guide, and go from there to find the virus scanner you like best.

Be sure to scan Upper Memory (640K - 1024K) and High Memory (1024K -
1088K). Viruses can locate themselves in these areas, so check them.
Most scanners have a switch that makes them check the Upper and High
memory locations.

Virus Scanners:
---------------

There are many virus scanners out on the market, but only a few are
actually reliable. Scan (McAfee Associates), F-Prot (Fridrik Skulason),
and VireX PC (Datawatch) are the most widely known.

Scan by McAfee Associates is probably used and trusted more than any of
the other virus scanners out there. It can be easily obtained off any
BBS, and updates come out regularly. The problem is, McAfee Associates
are more into marketing than virus prevention. They boast that they can
detect over 2,149 viruses. Well, we have extracted the signature strings
from Scan v104, and they only have 1,131 virus signature strings. What
happened to the remaining 569 viruses that it supposedly detects?
As you will see in the benchmarks I did on the virus scanners later,
Scan just isn't as good as some of the other virus scanners out there.
McAfee Associates claim that there are 2,149 known viruses, and that
Scan can detect all 2,149 of these. During a conversation with them, I
asked how they handle polymorphic viruses, and all they had to say was
"very well, it uses a special algorithm to detect them."

F-Prot claims to pick up 95% of known viruses. 95% of those are picked
up by signature strings, but in a few cases it uses algorithmic scan
techniques for polymorphic viruses.

BenchMark:
----------

700 Viruses Tested
                                       Infected   Suspicious
    Scan v108                             619         -
    F-Prot 2.09d Secure Scan              654        10
    F-Prot 2.09d Quick Scan               496         0
    F-Prot 2.09d Heuristic Scan           654        10
    Microsoft DOS 6.0 MSAV                434         -
    Virex 2.8                             568         -

18 Trojans Tested
                                       Found
    Scan v108                               0
    F-Prot 2.09d Secure Scan               14
    F-Prot 2.09d Quick Scan                 0
    F-Prot 2.09d Heuristic Scan            14
    Microsoft DOS 6.0 MSAV                  0
    Virex 2.8                               thought 1 trojan was a virus

What to do if you are infected.
-------------------------------

Common rule: do the minimum you must to restore the system to a normal
state. This is just common sense. Why low-level format your hard drive
when you could just delete an infected file, or run a virus cleaner on
it?

Start by booting the system from a CLEAN disk. Use your original
write-protected DOS diskette to boot from. This keeps any boot-sector
or other resident virus from becoming active while booting, which
matters twice over: a resident virus would re-infect files as you clean
them, and a stealth virus would hide the infection from the cleaner.

If you have a backup of the infected files, and the backups are not
themselves infected, this is the best and easiest solution: just copy
the backed-up files over the infected ones. If backups don't exist, or
if you just don't want to go through all that trouble, a disinfecting
program can be used. Note that some viruses overwrite part of the file
they infect rather than appending to it; a file damaged that way cannot
be disinfected back to its original form, only deleted and replaced.
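The restore-from-backup advice above and the boot-sector repair described next come down to the same thing: compare the suspect object against a known-good copy and put back only what changed. The following is an added example for the Master Boot Record, not code from the original file. It assumes the standard MBR layout (446 bytes of boot code, a 64-byte table of four 16-byte partition entries, and the 55 AA signature); all sector contents are constructed byte strings, nothing here reads a real disk, and the "virus" is just a different string in the code area.

```python
import struct

SECTOR_SIZE = 512
CODE_LEN = 446           # master boot code
TABLE_OFF = 446          # four 16-byte partition entries
SIG_OFF = 510            # 55 AA
BOOT_SIG = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

# Constructed sector contents (not real boot code, not a real virus).
CLEAN_CODE = b"CLEAN-DOS-MASTER-BOOT-CODE"
VIRAL_CODE = b"VIRAL-LOADER-THEN-JUMP-TO-ORIGINAL"
PARTS = [(True, 0x06, 63, 2_000_000)]   # one bootable FAT16 partition


def build_mbr(code: bytes, parts) -> bytes:
    """Assemble a 512-byte MBR from boot code and up to four
    (bootable, type, lba_start, sector_count) tuples; CHS fields zeroed."""
    if len(code) > CODE_LEN or len(parts) > 4:
        raise ValueError("boot code too long or too many partitions")
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if boot else 0x00, b"\0\0\0",
                    ptype, b"\0\0\0", start, count)
        for boot, ptype, start, count in parts
    ).ljust(64, b"\0")
    return code.ljust(CODE_LEN, b"\0") + table + BOOT_SIG


def is_valid_mbr(sector: bytes) -> bool:
    return len(sector) == SECTOR_SIZE and sector[SIG_OFF:] == BOOT_SIG


def partitions(sector: bytes):
    """Decode the non-empty partition entries as (bootable, type, start, count)."""
    out = []
    for i in range(4):
        off = TABLE_OFF + 16 * i
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype:
            out.append((status == 0x80, ptype, start, count))
    return out


def boot_code_changed(sector: bytes, backup: bytes) -> bool:
    return sector[:CODE_LEN] != backup[:CODE_LEN]


def table_changed(sector: bytes, backup: bytes) -> bool:
    return sector[TABLE_OFF:SIG_OFF] != backup[TABLE_OFF:SIG_OFF]


def restore_boot_code(sector: bytes, backup: bytes) -> bytes:
    """What FDISK /MBR does: put back known-good boot code, keep the
    partition table that is currently on the disk."""
    if not (is_valid_mbr(sector) and is_valid_mbr(backup)):
        raise ValueError("missing 55AA signature; not touching this sector")
    return backup[:CODE_LEN] + sector[TABLE_OFF:SIG_OFF] + BOOT_SIG


def table_encrypting_sample(key: int = 0x2E) -> bytes:
    """Constructed worst case: the virus also XORs the partition table, so a
    code-only repair leaves a valid-looking sector with a garbage table."""
    clean = build_mbr(CLEAN_CODE, PARTS)
    table = bytes(b ^ key for b in clean[TABLE_OFF:SIG_OFF])
    return VIRAL_CODE.ljust(CODE_LEN, b"\0") + table + BOOT_SIG


if __name__ == "__main__":
    clean = build_mbr(CLEAN_CODE, PARTS)
    infected = build_mbr(VIRAL_CODE, PARTS)
    print("code changed:", boot_code_changed(infected, clean))
    print("repaired == backup:", restore_boot_code(infected, clean) == clean)
    nasty = table_encrypting_sample()
    repaired = restore_boot_code(nasty, clean)
    print("table still wrong after code-only repair:", table_changed(repaired, clean))
    print("partitions seen:", partitions(repaired))
```

The second case is the one to check before reaching for FDISK /MBR: if table_changed() is true against your backup, the code-only repair gives you a disk with good boot code and no usable partitions, and the right move is to write the whole backed-up sector instead.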
If it is possible to disinfect the file, then use your favorite virus
disinfector.

If you have a boot sector infection, an easy two-step method can be
used. First, replace your MBR (Master Boot Record) from a backup, or
with the FDISK /MBR command. Then use the SYS command (SYS C: from the
clean boot diskette) to replace the DOS boot sector. Note that FDISK
/MBR rewrites only the boot code in the MBR and keeps whatever
partition table is on the disk, so if the virus has moved or encrypted
the partition table, FDISK /MBR will leave the drive unreadable; in
that case restore the whole sector from your backup instead.

Virus Prevention:
-----------------

There are many things one can do to help prevent being infected by a
virus.

First off, boot from a clean, write-protected diskette. This prevents
any viruses from becoming active during the booting process, and should
stop most boot sector viruses, which become active at boot time. (The
usual way a boot-sector virus gets onto a hard disk is an accidental
boot from an infected floppy left in drive A:, so the same rule applies
in reverse: don't boot from other people's disks.)

Another method is to have a memory resident virus scanner. These
programs monitor unusual disk activity or 'virus like' instructions.
Usually you can choose different degrees of protection, ranging from no
protection to being prompted for approval on every disk write.

You can also write-protect your hard drive. This stops viruses from
spreading to the disk that is protected, but it doesn't stop the virus
from running.

Setting the DOS file attribute to READ-ONLY doesn't always protect you
from viruses. It may stop some viruses, but most simply clear the
attribute, infect, and set it back.

Write-protect your floppies. Viruses can't infect a disk when it is
write-protected, since the protection is enforced by the drive hardware
rather than by DOS.

                              Max Headroom

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= Questions, comments, bitches, ideas, etc : z1max@ttuvm1.ttu.edu :FUCK =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= Official F.U.C.K. Distribution sites and information                  =
= Board                  Number          Other                          =
= -----                  ------          -----                          =
= Ionic Destruction      215.722.0570    Eastern HQ                     =
= Flatline               303.466.5368    Western HQ                     =
= Purple Hell            806.791.0747    Southern HQ                    =
= Culture Shock          717.652.5851    Dist.                          =
= PCI                    806.794.1438    Dist.                          =
= Celestial Woodlands    806.798.6262    Dist.                          =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= Accounts NOT guaranteed on any F.U.C.K. distribution site. If you are =
= interested in writing for, or in becoming a distribution site for     =
= F.U.C.K. call the Woodlands, and apply for an account, or mail Max    =
= at z1max@ttuvm1.ttu.edu or on the Woodlands. Knowledge is power...    =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=