=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=  F.U.C.K. - Fucked Up College Kids - Born Jan. 24th, 1993 - F.U.C.K.  =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

                              The Epidemic
                              ------------

Introduction:
-------------

I would like to start by giving a definition of a Computer Virus and a
Trojan Horse.  Although this file deals mainly with computer viruses,
I have stuck in a comment here and there about Trojans.

Definitions:
------------

COMPUTER VIRUS : a computer program that can infect other computer
programs by modifying them in such a way as to include a (possibly
evolved) copy of itself.

The correct English plural of "virus" is "viruses."  The Latin word is
a mass noun (like "air"), and there is no correct Latin plural.

TROJAN HORSE : a program that does something undocumented which the
programmer intended, but that the user would not approve of if he knew
about it.  A "Trojan" refers only to a non-replicating malicious program.
Since it does not replicate, it is separate from the virus family.

To date there are 2500 known viruses.  This is an estimate.  In
actuality there are 2300-3000 viruses, depending on how you count them.
When placed in families, there are over 800 known families of viruses.  As
you can probably guess, with new viruses being created and old ones
being modified, that number is going up very rapidly.  Some estimate that
there will be around 20,000 viruses or so by the year 2000.  Although
this is just an opinion, it may very well be reached.

In the following sections I will go into the different types of computer
viruses, how to tell if you are infected, how to remove them, and the
best for last:  virus scanners and how they rate.

Virus Types:
------------

Viruses infect in two different ways.  We either have FILE INFECTORS
or SYSTEM or BOOT-RECORD INFECTORS.

File infectors attach themselves to ordinary program files.  These
usually infect other .COM and/or .EXE files.  Some have been known,
though, to infect .SYS, .OVL, and other types of executable files.

Breaking it down even further, there are two types of file infectors:
NON-RESIDENT and MEMORY RESIDENT viruses.  A Non-Resident virus selects
one or more programs to infect at the time it is executed, while a Memory
Resident virus hides somewhere in memory.  The first time a program
infected with a memory resident virus is executed, the virus installs
itself in memory; after that it infects other programs when they are
executed, or whenever else the virus is programmed to do so.  Most of the
viruses written today are memory resident.

SYSTEM or BOOT-RECORD INFECTORS are memory resident and infect certain
system areas on a disk which are not ordinary files.  Boot-sector viruses
infect only the DOS boot sector, and MBR viruses infect the Master Boot
Record on fixed disks and the DOS boot sector on diskettes.  Some examples
of this type of infector are the Brain, Stoned, and Michelangelo viruses.
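The Master Boot Record just mentioned has a fixed layout: 446 bytes of boot code, a 64-byte partition table of four 16-byte entries, and the two-byte 55 AA signature the BIOS checks before jumping into the code.  An MBR infector replaces the code region and normally leaves the partition table alone, so a defender who saved a checksum of the code region from a clean machine can tell a replaced MBR from an intact one.  The following is an added example in Python, not part of the original file; the sample MBRs, the hash (SHA-256, chosen only because it is convenient here), and the partition values are all constructed for the demonstration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"


def parse_mbr(sector):
    """Split a 512-byte Master Boot Record into its three regions.

    Layout: bytes 0-445 boot code, 446-509 four 16-byte partition entries,
    510-511 the 55 AA signature the BIOS requires before running the code.
    Each partition entry: boot flag, 3 bytes CHS start, type, 3 bytes CHS end,
    32-bit LBA start, 32-bit sector count (little-endian).
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        offset = 446 + 16 * i
        boot_flag, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, offset)
        partitions.append({
            "bootable": boot_flag == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code": sector[:446],
        "partitions": partitions,
        "signature": sector[510:512],
    }


def boot_code_hash(sector):
    """Checksum of the code region only: the part an MBR infector replaces."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def check_mbr(sector, baseline_hash):
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != BOOT_SIGNATURE:
        findings.append("boot signature 55AA missing")
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != baseline_hash:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in mbr["partitions"]):
        findings.append("no partition marked bootable")
    return findings


def build_sample_mbr(boot_code):
    """Constructed test fixture: given bytes as boot code, one bootable FAT16 partition, valid signature."""
    code = boot_code.ljust(446, b"\x00")
    # Constructed entry: bootable, type 0x06, arbitrary CHS values, starts at LBA 63, 65536 sectors.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xFE\x3F\x07", 63, 65536)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


# Constructed samples: a "clean" MBR whose code begins with a typical cli/xor/mov-ss/mov-sp
# prologue, and a "tampered" one whose code region has been replaced with other bytes.
CLEAN_MBR = build_sample_mbr(bytes.fromhex("FA33C08ED0BC007C"))
TAMPERED_MBR = build_sample_mbr(b"\xEB\x20\x90" + b"CONSTRUCTED REPLACEMENT CODE")
BASELINE = boot_code_hash(CLEAN_MBR)   # what you would save while the machine is known clean

if __name__ == "__main__":
    print(check_mbr(CLEAN_MBR, BASELINE))      # []
    print(check_mbr(TAMPERED_MBR, BASELINE))   # ['boot code differs from baseline']
```

Because only the code region is hashed, repartitioning the disk does not raise a false alarm, while a replaced boot loader does.  The baseline has to be taken from a machine booted clean, otherwise a stealth infector could feed the checksum the original sector.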

Some viruses do special 'tricks' in order to hide themselves from
virus scanners.  Three of the most common types of such viruses are the
stealth, the self-encrypting, and the even more powerful polymorphic virus.

A STEALTH virus is a memory resident virus which hides by monitoring the
system functions that read files or physical blocks, and altering the
results so they show the original uninfected form of the file instead of
the actual infected form.  This makes the virus go undetected by
anti-virus scanners.

A SELF-ENCRYPTING virus is one which encrypts itself using a key.
When the virus executes, it uses this key to decrypt itself, and
then performs the task it was written to do.  When completed,
the virus uses this key to 'lock' itself with encryption.

A POLYMORPHIC virus is a virus which produces varying copies of itself.
This makes it hard for virus scanners to detect, because usually a scanner
will not be able to detect all instances of the virus.  One method a
polymorphic virus uses is to choose from a variety of different encryption
schemes, each one requiring a different encryption algorithm.  A
signature-driven virus scanner would have to use several signatures, one
for each encryption method.  Another type of polymorphic virus will vary
the sequence of instructions by inserting unnecessary instructions like
a No Operation instruction.  A signature-based virus scanner would not be
able to reliably identify this sort of virus.

The most sophisticated form of polymorphism discovered so far is the
MtE "Mutation Engine" written by the Bulgarian virus writer Dark Avenger.
It comes in the form of an object module; when it is linked to any virus
and a call to the engine is added to the virus code, the result is a
polymorphic virus.

Polymorphic viruses have made virus-scanning more difficult than ever.
Normal signature strings will not be able to pick up these viruses.
Complex algorithms will have to be created to detect these new viruses.
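To make the instruction-padding case above concrete: a scanner that looks for a fixed signature string misses a copy in which No Operation bytes (90h on the x86) have been slipped between the instructions, while a scanner whose signature tolerates a bounded number of filler bytes between each instruction catches both.  The following is an added example in Python and is not code from the original file; the signature (six one-byte push instructions), the filler, and the three sample files are all constructed for the demonstration and do not come from any real virus.  It covers only the padding trick; the encryption-scheme variation and MtE-style engines need the algorithmic detection the text refers to, which this does not attempt.

```python
import re

# Constructed signature: six one-byte instructions (push ds/es/ax/bx/cx/dx).  It stands
# in for a scanner database entry and is not taken from any real virus.
SIGNATURE = bytes.fromhex("1E 06 50 53 51 52")
FILLER = b"\x90"          # x86 NOP, the 'No Operation instruction' mentioned in the text


def exact_scan(buffer, signature=SIGNATURE):
    """Plain signature-string scanning: the bytes must appear contiguously."""
    return buffer.find(signature) != -1


def filler_tolerant_pattern(signature=SIGNATURE, filler=FILLER, max_gap=8):
    """Regex that lets up to max_gap filler bytes sit between consecutive signature bytes.

    Bounding the gap keeps the pattern from matching signature bytes scattered
    across a whole file by chance, which an unbounded wildcard would do.
    """
    gap = re.escape(filler) + b"{0,%d}" % max_gap
    parts = [re.escape(bytes([b])) for b in signature]
    return re.compile(gap.join(parts), re.DOTALL)


def pattern_scan(buffer, pattern=None):
    """Scan with the filler-tolerant pattern; True when the padded or unpadded form is present."""
    pattern = pattern or filler_tolerant_pattern()
    return pattern.search(buffer) is not None


# Constructed sample files: a header, then either the signature as-is, the same instructions
# with NOPs inserted between them (the variation the text describes), or unrelated code.
HEADER = b"MZ" + bytes(16)
SAMPLES = {
    "original": HEADER + SIGNATURE + b"\xCD\x20",
    "variant":  HEADER + bytes.fromhex("1E 90 06 50 90 90 53 51 90 52") + b"\xCD\x20",
    "clean":    HEADER + b"\xB8\x00\x4C\xCD\x21",   # constructed: just exits to DOS
}


def scan_samples(samples=SAMPLES):
    """Run both scanners over every sample and report what each one catches."""
    pattern = filler_tolerant_pattern()
    return {
        name: {"exact": exact_scan(buf), "pattern": pattern_scan(buf, pattern)}
        for name, buf in samples.items()
    }


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name:9s} exact={result['exact']!s:6s} pattern={result['pattern']}")
```

The gap bound is the important design choice: with `max_gap` set to 1 the padded variant above is missed again, and with no bound at all the six bytes would eventually match inside almost any large file.  Real engines also vary the filler instructions, not just NOPs, which is why signature tolerance alone does not scale and the text expects algorithmic detection.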

Some viruses use special tricks to make tracing, disassembling, and
virus detection more difficult.  Probably the first method of making an
old virus sneak by virus scanners was by PKLITEing it.  This worked for a
while until researchers picked up on this little trick.  Then people moved
on to LZ-EXE and DIET compressed files, but soon these tricks were picked
up on too.  One that is still able to slide by scanners is to PGM-PAK a
file.  To date, no scanner I have come across has been able to pick this
one up.

How to determine if you have been infected.
-------------------------------------------

A biological virus can only live as long as its host is alive; if it
kills off its host, then it also dies.  This is also true of computer
viruses.  They try to spread as much as possible before they try to
kill the host computer.  This is the best time to try to remove the
virus, before any real damage is done.

There are several things you should watch for if you think you might
be infected with a virus.  Changes in a file's size, date, and/or contents
could mean that you are infected.  Also, missing RAM could be an
indicator.  Watch for longer disk activity, system slowdown and other
strange hardware behavior.  These factors could mean that you are
infected with a virus.
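Watching for changes in size, date and contents is only practical if you recorded what they were while the machine was clean.  The following is an added example in Python, not part of the original file, of such an integrity baseline: it records size, modification time and a checksum for every .COM, .EXE, .SYS and .OVL file under a directory, then reports which of the three changed, which files are new, and which are missing.  The sample "programs", the appended bytes and the directory are all constructed inside the demo; the checksum (SHA-256) is an assumption chosen for convenience.

```python
import hashlib
import os
import tempfile

PROGRAM_EXTENSIONS = (".com", ".exe", ".sys", ".ovl")


def file_record(path):
    """Size, modification time and SHA-256 of one file: the three things compared later."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def snapshot(root, extensions=PROGRAM_EXTENSIONS):
    """Record every program file under root, keyed by path relative to root."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                full = os.path.join(dirpath, name)
                records[os.path.relpath(full, root)] = file_record(full)
    return records


def compare(baseline, current):
    """Map each changed path to what changed: 'size', 'mtime', 'sha256', 'new' or 'missing'."""
    findings = {}
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            findings[path] = ["missing"]
            continue
        changed = [key for key in ("size", "mtime", "sha256") if old[key] != new[key]]
        if changed:
            findings[path] = changed
    for path in current:
        if path not in baseline:
            findings[path] = ["new"]
    return findings


def demo():
    """Constructed scenario: take a baseline, alter one program without touching its date, add another."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "GAME.EXE": b"MZ" + bytes(100),           # constructed, not a real program
            "EDIT.COM": b"\xB8\x00\x4C\xCD\x21",      # constructed: exits to DOS immediately
            "README.TXT": b"not a program, not scanned",
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(body)
        baseline = snapshot(root)

        # What an appending infector leaves behind: extra bytes at the end of the file,
        # with the original timestamp put back so the date alone gives nothing away.
        target = os.path.join(root, "GAME.EXE")
        before = os.stat(target)
        with open(target, "ab") as handle:
            handle.write(b"CONSTRUCTED APPENDED BYTES")
        os.utime(target, (before.st_atime, before.st_mtime))
        with open(os.path.join(root, "NEW.COM"), "wb") as handle:
            handle.write(b"\xC3")                     # constructed: a lone RET
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())   # {'GAME.EXE': ['size', 'sha256'], 'NEW.COM': ['new']}
```

The demo shows why the text lists all three indicators rather than just the date: the altered file keeps its old timestamp and is caught only by size and contents.  A stealth virus of the kind described earlier feeds the original bytes to anything that reads through DOS, so both the baseline and the later comparison have to be run from a clean boot for the result to mean anything.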

What to do if you think you are infected.
-----------------------------------------

Use the DOS MEM command.  MEM /C will tell you if there are any
changes in your system's memory.  Also CHKDSK or publicly available
utilities like PMAP or MAPMEM can help you notice any changes
in system memory.

Use several different virus scanners.  No one virus scanner is 100%
perfect.  Later in the file I list the results of several different
virus scanners run against 700 different viruses.  You can use this as
a starting guide, and go from there to find out which virus scanner
you like best.

Be sure to scan Upper Memory (640k - 1024k) and High Memory (1024k -
1088k).  It is possible for viruses to locate themselves in these areas,
so be sure to scan these locations.  Most scanners have a switch
that will make them check the Upper and High memory areas.

Virus Scanners:
---------------

There are many virus scanners out on the market, but only a few
are actually reliable.  Scan (McAfee Associates), F-Prot (Fridrik
Skulason), and VireX PC (Datawatch) are the most widely known.
Scan by McAfee Associates is probably used and trusted more than any
of the other virus scanners out there.  It can be easily obtained off of
any BBS, and updates come out regularly.  The problem is, McAfee
Associates is more into marketing than virus prevention.  They boast
that they can detect over 2,149 viruses.  Well, we have extracted the
signature strings from Scan v104, and they only have 1131 virus
signature strings.  What happened to the remaining 569 viruses that
it supposedly detects?  As you will see in the benchmarks I did
on the virus scanners later, Scan just isn't as good as some of the
other virus scanners out there.

McAfee Associates claim that there are 2,149 known viruses, and that
Scan can detect all 2,149 of these.  During a conversation with them, I
asked them how they handle polymorphic viruses, and all they had to say
was "very well", and that it uses a special algorithm to detect them.

F-Prot claims to pick up 95% of known viruses.  95% of those are picked
up by signature strings, but in a few cases it uses algorithmic scan
techniques for polymorphic viruses.

BenchMark:
----------

700 Viruses Tested

Scanner                          Infected   Suspicious
-------                          --------   ----------
Scan v108                          619
F-Prot 2.09d Secure Scan           654          10
F-Prot 2.09d Quick Scan            496           0
F-Prot 2.09d Heuristic Scan        654          10
Microsoft DOS 6.0 MSAV             434
Virex 2.8                          568

18 Trojans Tested

Scanner                          Detected
-------                          --------
Scan v108                           0
F-Prot 2.09d Secure Scan           14
F-Prot 2.09d Quick Scan             0
F-Prot 2.09d Heuristic Scan        14
Microsoft DOS 6.0 MSAV              0
Virex 2.8                          thought 1 trojan was a virus

What to do if you are infected.
-------------------------------

Common rule: do the minimum that you must to restore the system to
a normal state.

This is just common sense.  Why low-level format your hard drive
when you could just delete an infected file, or run a virus cleaner
on it?

Start by booting the system from a CLEAN disk.  Use your original
write-protected DOS diskette to boot from.  This will keep any boot-
sector or other viruses from becoming active while booting.

If you have a backup of the infected files, and if the backups are
not infected, then this will be the best and easiest solution.  Just
start copying the backed-up files over the infected files.

If backups don't exist, or if you just don't want to go through all that
trouble, then a disinfecting program can be used.  Since some viruses
overwrite the files that they infect, those files cannot be restored
because of the damage caused by overwriting.  If it is possible to
disinfect the file, then use your favorite virus disinfector.

If you have a boot sector infection, then an easy two-step method
can be used.  First of all, replace your MBR (Master Boot Record) by
using a backup, or by using the FDISK /MBR command.  Then use the
SYS command to replace the DOS boot sector.

Virus Prevention:
-----------------

There are many things one can do to help prevent being infected by a
virus.  First off, boot from a clean, write-protected diskette.  This
will prevent any viruses from becoming active during the booting
process.  This should stop most boot sector viruses, which become active
during booting.

Another method is to have a memory resident virus scanner.  These
programs monitor any unusual disk activity or 'virus like' instructions.
Usually you can have different degrees of protection, ranging from no
protection to being prompted for approval for any disk write.

You can also write-protect your hard drive.  This will stop viruses from
spreading to the disk that is protected, but it doesn't stop the virus
from running.

Setting the DOS file attributes to READ ONLY doesn't always protect
from viruses.  It may stop some viruses, but most override it and
infect as normal.

Write protect your floppies.  Viruses can't infect a disk when it
is write protected.

                              Max Headroom


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= Questions, comments, bitches, ideas, etc : z1max@ttuvm1.ttu.edu :FUCK =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= Official F.U.C.K. Distribution sites and information                  =
= Board                     Number                Other                 =
= -----                     ------                -----                 =
= Ionic Destruction         215.722.0570          Eastern HQ            =
= Flatline                  303.466.5368          Western HQ            =
= Purple Hell               806.791.0747          Southern HQ           =
= Culture Shock             717.652.5851          Dist.                 =
= PCI                       806.794.1438          Dist.                 =
= Celestial Woodlands       806.798.6262          Dist.                 =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= Accounts NOT guaranteed on any F.U.C.K. distribution site. If you are =
= interested in writing for, or in becoming a distribution site for     =
= F.U.C.K. call the Woodlands, and apply for an account, or mail Max    =
= at z1max@ttuvm1.ttu.edu or on the Woodlands. Knowledge is power...    =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=