Cris Vol 1 Issue 07
-----BEGIN PGP SIGNED MESSAGE-----
Submitted to Crisnews by:
Bill Lambdin
I posted this routine once before. I have done further testing on this
idea, and it does work, even on some stealth infectors, without the
necessity of booting clean from a bootable diskette.
I want to state up front that this will not identify the virus, nor help
you get rid of it. This is detection only, and should be considered an
enhancement to scanners and integrity checking, not a replacement for
either.
This will detect most (if not all) file infectors that a scanner may miss.
For people who use integrity checking software it will act as an early
warning system, keeping the number of infected files to a minimum.
This can detect many viruses without the need to boot clean prior to
running the test.
If you wish to use my idea, you will need the following:
1. LHA. I use LHA 2.13.
2. An archive of your most commonly used files, made while the system is
   known to be clean (BAIT.LZH in the batch file below).
3. FC.EXE, which comes with DOS 4.0 and above.
4. The .BAT file below.
BAIT.BAT
@ECHO OFF
CLS
C:
CD\BAIT
REM Throw away the previous test archive so every run starts fresh
DEL VIRUS.LZH
REM A = add to the archive; -A = add regardless of which attributes are set
LHA A -A VIRUS \COMMAND.COM \DOS\CHKDSK.*
REM /B compares the two archives byte for byte. BAIT.LZH is the baseline,
REM made once with the same LHA command while the system was known clean.
FC /B BAIT.LZH VIRUS.LZH
CD\
It would be a very good idea to rename the utilities and the directory, to
prevent a hacker from writing a virus that looks for them by name and
deletes or fools this routine.
You can archive as many files as you wish, but I would recommend a minimum
of two files: one .COM file and one .EXE file. Currently I am archiving
eight files; six are DOS programs and two are Windows programs, so I can
detect either DOS or Windows viruses in one test that takes only a few
seconds on my 486. Be sure to use the asterisk in place of the .EXE
extension (as in \DOS\CHKDSK.*). This makes LHA also add any companion
infector that is present, such as a same-name .COM file dropped beside the
.EXE.
Part of that .BAT file is complex, and it is vital that it be typed exactly
as shown, so I should explain how it works in more detail.
DEL VIRUS.LZH
This deletes the previous test archive to give you a clean and fresh test
every time.
LHA A -A VIRUS \COMMAND.COM \DOS\CHKDSK.*
In the command line above, the first A instructs LHA to add the files to
the archive.
The second parameter, -A, instructs LHA to add the file regardless of which
attribute(s) are set. It works for all four attributes:
Hidden
System
Read only
Archive
I have been thoroughly testing this routine for weeks.
I have tested it against the following stealth viruses.
X = detected change. The first column is with the virus active in memory;
the second is inactive, after booting clean.
SBC X X
FRODO X X
TREMOR X
My routine should have detected SBC because it is not fully stealthed, and
it doesn't disinfect the host file when it is opened.
My routine should not have detected FRODO because it is fully stealthed,
and does disinfect the host file on the fly when it is opened for any
reason. FRODO sets the date stamp forward 100 years; this is how Frodo
marks the files as infected. My routine detected the change to the date
stamp even though Frodo had disinfected the host file when LHA archived the
host file(s).
My routine is able to detect the following types of changes:
1. Change to file contents
2. Change of file attributes
3. Change of file time stamp
4. Change of file date stamp
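The same snapshot-and-compare idea, written out in Python as an added example (it is not part of Bill Lambdin's post or of BAIT.BAT): in place of LHA archive headers and FC it records each bait file's contents digest, size, date, time and read-only attribute, then reports which of the four kinds of change occurred, and it treats a new file matching a NAME.* pattern as a possible companion, which is what the asterisk in the LHA command is for. The bait file names, directory layout and simulated changes are constructed for the demo; on Unix only the read-only attribute is modelled, since hidden and system attributes do not exist there.

```python
"""Bait-file change detection, the idea behind BAIT.BAT, done in Python.

A baseline snapshot records what an LHA archive header would record about
each bait file: a digest of the contents, the size, the modification date
and time, and the read-only attribute. A later snapshot is compared field
by field so the report names the kind of change, not just that one occurred.
Added example; the paths and simulated changes below are constructed.
"""
import hashlib
import os
import stat
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def snapshot(root, patterns):
    """Record digest, size, date, time and read-only flag of every file matching the bait patterns."""
    root = Path(root)
    snap = {}
    for pattern in patterns:
        for p in sorted(root.glob(pattern)):
            if not p.is_file():
                continue
            st = p.stat()
            mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
            snap[p.relative_to(root).as_posix()] = {
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                "size": st.st_size,
                "date": mtime.strftime("%Y-%m-%d"),
                "time": mtime.strftime("%H:%M:%S"),
                # Only the read-only attribute exists on Unix; hidden and
                # system would be read from the file attributes on DOS/Windows.
                "readonly": not (st.st_mode & stat.S_IWUSR),
            }
    return snap


def compare(baseline, current):
    """Return {path: [kinds of change]} for every bait file that differs from the baseline."""
    changes = {}
    for path, base in baseline.items():
        cur = current.get(path)
        if cur is None:
            changes[path] = ["missing"]
            continue
        kinds = []
        if cur["sha256"] != base["sha256"] or cur["size"] != base["size"]:
            kinds.append("content")
        if cur["readonly"] != base["readonly"]:
            kinds.append("attributes")
        if cur["time"] != base["time"]:
            kinds.append("time stamp")
        if cur["date"] != base["date"]:
            kinds.append("date stamp")
        if kinds:
            changes[path] = kinds
    # A file that matches a bait pattern but was not in the baseline is what
    # the NAME.* wildcard is there to catch: a companion dropped beside the bait.
    for path in current:
        if path not in baseline:
            changes[path] = ["new file (possible companion)"]
    return changes


def demo():
    """Build constructed bait files, take a baseline, simulate four kinds of change, and report them."""
    base_ts = datetime(1994, 5, 1, 12, 0, 0, tzinfo=timezone.utc).timestamp()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "DOS").mkdir()
        bait = {  # constructed stand-ins, not real DOS binaries
            "COMMAND.COM": b"stand-in for COMMAND.COM",
            "DOS/CHKDSK.EXE": b"MZ stand-in for CHKDSK.EXE",
            "DOS/MEM.EXE": b"MZ stand-in for MEM.EXE",
        }
        for name, data in bait.items():
            p = root / name
            p.write_bytes(data)
            p.chmod(0o644)
            os.utime(p, (base_ts, base_ts))
        patterns = ["COMMAND.COM", "DOS/CHKDSK.*", "DOS/MEM.*"]
        baseline = snapshot(root, patterns)

        # 1. Contents appended, time stamp put back: a virus that restores the stamp still changes the file
        p = root / "COMMAND.COM"
        p.write_bytes(bait["COMMAND.COM"] + b" plus appended body")
        os.utime(p, (base_ts, base_ts))
        # 2. Date stamp moved forward 100 years, time of day unchanged (the Frodo-style marker)
        future_ts = datetime(2094, 5, 1, 12, 0, 0, tzinfo=timezone.utc).timestamp()
        os.utime(root / "DOS" / "CHKDSK.EXE", (base_ts, future_ts))
        # 3. A companion file appears beside CHKDSK.EXE; the CHKDSK.* pattern picks it up
        (root / "DOS" / "CHKDSK.COM").write_bytes(b"stand-in companion")
        # 4. Read-only attribute set on MEM.EXE, contents and stamps untouched
        mem = root / "DOS" / "MEM.EXE"
        mem.chmod(stat.S_IREAD)
        current = snapshot(root, patterns)
        mem.chmod(stat.S_IREAD | stat.S_IWRITE)  # let the temp dir clean up
        return compare(baseline, current)


if __name__ == "__main__":
    for path, kinds in demo().items():
        print(f"{path}: {', '.join(kinds)}")
```

Run it as a script and it prints one line per changed bait file with the kinds of change found. The point of keeping date and time as separate fields is the Frodo case above: a virus that leaves the file contents and time of day alone but moves the date still shows up, while a virus that restores the time stamp after writing is still caught by the contents digest.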
I release this routine to the public domain, and anyone may use it freely.
Bill Lambdin
-----BEGIN PGP SIGNATURE-----
Version: 2.3a
iQBVAgUBLNc4LaM4CDusTF+9AQHRagH/VBeKGX7Nbdpcwo3xHzRCCGVFppDbPQZz
KvGmA1Y8EL5dOx0ozjw57knsNGjbzU+FST5USsQfmVnf2Nc//FCiBQ==
=w7Cq
-----END PGP SIGNATURE-----