Cris Vol 1 Issue 03
Written By:
Michael Paris (Cris)
THE BEGINNERS GUIDE TO VIRUS RESEARCH
Part One
EXE & COM Infecters
Just The Start
Well, to start with, this was supposed to go another way than it
has. This article was supposed to be written already and complete.
But it happens that the person who started it had a hard disk
failure and will not be able to start it over with his schedule. So
I will be forced to write this article fast and sloppy. I hope what
I think of here will serve as some help to those out there with
questions.
Seeing this is the "Beginners Guide" I will keep it at just that,
and assume you know nothing at all about computer viruses.
The first thing that should be mentioned is the tools you will need
to get you started and some simple rules for the beginner.
TOOLS NEEDED FOR THE BEGINNER
1. Anti-Virus software
This will depend on what you plan on doing. Your idea of
researching might be scanning a virus to see what it scans as, or
maybe you will want to run the file, see what it infects and be
done with it. In either case you will want to try a number of
different scanners. To begin with you might want to get all of them
you can get your hands on to further your knowledge. Here we
will mention some of the best known by reputation.
TBAV
Tbav is one of the best to use for what you will need. A registered
copy is what you will want if you are serious. TBAV has some
registered-only options that you will be using as you learn more.
In the tests we have run here it seems to be the best at catching
viruses that others seem to miss. It has many options and modes
that are not in other scanners, and in these modes it seems to do
a better job. Tbav also sells a hardware card that you will want if
you really start to get into researching. With the hardware card
you will be able to rest at ease that your data will be 100% safe.
Thunderbyte USA
P. O. Box 527
Dagsboro, DE 19939
Phone: (302) 732-3105
Fax: (302) 732-3105
BBS: (302) 732-6399
F-PROTECT
F-prot is a good tool for virus names; it is one of the best for
this since it uses the CARO naming standard. The names you find
for the viruses when scanning with F-prot will be closer than any
other scanner at this time to the real names and variant names. It
will find most of the viruses out there, but at this time it will
only allow ten user-definable strings or virus signatures, where
Tbscan will allow as many as you want to add. These strings will be
used more as you go on to researching new viruses that are not yet
in the scanners. You will be able to add the virus to your personal
copy of your virus scanner when you get to that point, or add
viruses yourself from our signature reports as we release them.
These two scanners are the main ones you will want to use, but
there are others that will help in other areas. You might want to
check out others for yourself to see who is on the ball.
Other noted programs might be: McAfee's Scan, CPAV, NAV,
VIRUSBUSTER, UTScan, VirexPC, Anti-Virus Toolkit and others.
2. Reference
It will be a big help to find info on viruses before you run the
files. This way you will know what to expect them to do. One of the
best tools for this will be Patricia M. Hoffman's Virus Information
Summary List (VSUM). This is a very easy to use information tool.
It is menu driven and all you have to do is look up the virus name.
There are also functions to do searches for viruses that might be
under another name. There are other summary lists you can get also
that will help for even more info. Vbase would be one. Then there
are text files with lots of information at your finger tips. A lot
of this text is on the BBS, but you will want to start with Vsum or
Vbase.
3. Virus Shell
A lot of the anti-virus software has a memory resident component
included; you will want to load something like Vsafe, which comes
with Dos 6.0, or something that does the same thing. Remember we
are starting with simple .COM and .EXE infecting files here. When
you move on to other files you will want added protection. A lot of
the newer viruses today will slip by this kind of protection, but
you will want it for the older files you will be testing to start
out with. These shell programs will aid you in seeing just what the
virus wants to do, and what file it is going to infect, and in most
cases give you the option to infect the file or stop on the spot.
4. A Second Computer Just For Testing
This is nice to have: you should be using a computer where you do
not have to worry about the data on it, but this is not always the
case. Computers cost money, and for some of us it is hard to come
by. In any case, you should back up all of your data before ever
attempting to run a virus. If you do not, be sure that you will
lose it all. Someday it will happen, take my word for it. Backup
your computer!
5. Bait Files
It is good to have some bait files handy. These are files you keep
in a directory for the virus you are running to infect. These can
be copies of any program on your computer that you put into a
directory, ready to copy into the directory you will be testing
in. You can use someone's already made up bait files to start
with. The advantage of this type of bait file is that the file
sizes will be even, like 1000, 2000, 3000 etc. With files like
these you will be able to see the file size changes very easily.
If you use your own dos files, make sure they are copies, and that
you have the file sizes and dates written down.
6. Screen Capture Utility
There will be times you will want to take a picture of your screen.
If a car starts driving across your screen you will want to take a
picture of the moment in history. Or let's say a slot machine pops
up and tells you that your FAT has just been deleted and to take
your chance at getting it back on the slot machine. You can be sure
that you will not win, so take a picture of this moment; you
probably will not want to run it every time you want to play the
game, and if you want to show a friend what it does you can just
show him the picture. Here is an example of this.
DISK DESTROYER - A SOUVENIR OF MALTA
I have just DESTROYED the FAT on your Disk !!
However, I have a copy in RAM, and I'm giving you a last chance
to restore your precious data.
WARNING: IF YOU RESET NOW, ALL YOUR DATA WILL BE LOST - FOREVER !!
Your Data depends on a game of JACKPOT
CASINO DE MALTE JACKPOT
[three slot-machine reels drawn in box characters]
CREDITS : 5
= Your Disk
??? = My Phone No.
ANY KEY TO PLAY
7. BOOT DISK
You will want to make a bootable disk in case you need it to
clean the boot sector, or stop an infection that got away from you.
To make this disk, put a disk in your drive A: and type format A:/s
{enter}. This will make you a disk to get back into the system. You
might want to do a directory on the disk and make sure Command.Com
is on the disk. You can test to see if the system is on the disk by
typing dir a:/ah {enter}; if the system is on the disk you will see
the hidden files on the disk. Now either put a write protect tab on
the disk, or if it is a 3.5 inch disk open the hole on it to make
sure nothing can be copied to the disk. Before you write protect
the disk, you might want to put utilities on it like Dos CHKDSK,
FORMAT, SYS.COM, FDISK, a virus scanner, etc.
STARTING THE RESEARCH
Ok, now we are ready. Remember, be careful: if you are not sure of
something, or have that funny feeling, go over your checklist. This
is something you do not want to make any mistakes with. And PLEASE,
read this entire document before trying anything. This is meant as
a guide, not something that is right in ALL cases.
1. Pick your virus.
2. Copy it into a secure directory
3. Scan the file with everything you have. Write down exactly what
it scans as. McAfee and others will always be off a bit on most
viruses; you can count on F-prot most of the time to have the
right name. If your virus is not found by at least two of the
scanners, do not go by the name on the file. Delete it and
start again at step one. If the name on the file goes with the
virus description you got from the scanner, there is a good
chance that you have the right name.
4. Look up your virus in Vsum or Vbase or both. Find it and read
the info (ALL of it). If you do not find it listed anywhere, and
have made a real good check, delete the file and start at step
one again.
5. Assuming you have found a file in one of the Vbases, read all of
the info before you continue. If you are not sure that the virus is
the one you scanned, pick another virus. Now that you are sure,
look at what the virus does. If it says that they are not sure if
it does anything but replicate, delete the file and start over. We
want you to start with something where you know what is going to
happen, no surprises. Read the info and be sure that this is what
you want to test. From reading the info you can pick something
that does little or no damage. If you wish, you may look through
Vsum or Vbase and find something you want to test and look for
the file on the BBS.
6. Make sure that the file is not memory resident. If you are ready
for that, fine, but we would rather, if this is your first time,
that you choose a simple .COM infector. If you want to live
dangerously, fine though. Ok, copy your bait files into the
directory with the virus.
7. Load your memory resident shell. If you are using Vsafe from Dos
6.0 or CPAV, type Alt-V on your keyboard. This will allow you to
choose what you want to protect. A little window will pop up and
allow you to choose options. This will be the time to load your
other memory resident programs as well, like your screen capture
utility.
8. Take note of the sizes and dates of the bait files in the
directory, and also the size and date of the virus.
9. Now you may run the virus in the current directory. Watch to see
what it wants to do; your shell will let you know what it is
trying to do. Either it will try to go memory resident and try
to infect files (it should tell you which ones it is trying to
infect) and ask you if that is ok, or it will try to infect files
in the current directory or path. If the virus spawns, it might
write .EXE files into the current directory or path the same
size as the virus. Sometimes these spawn files will be hidden
files. Type Dir /ah {enter} to see the hidden files.
Ok, now that you have infected everything in your directory that
you wanted to, by typing both the virus name and running the
different files in the directory, like bait1.exe, bait1.com, etc.,
you are ready to shut your computer down. Do -not- use ctrl alt
delete to do this. Turn the power off on the machine, wait a few
seconds, and turn it back on. It would be good to use a small
program like Bill Lambden's boot test included in this newsletter.
This is a simple batch file that you can call from the autoexec.bat
file. You will need the archive program for this and a simple
directory made for it, but it is a simple program and worth adding
for the restart here. This is what my .BAT file looks like; you can
add the files you want compared. (Read Bill's article in this
newsletter, or in VLD Volume 6 Issue 100, for the instructions.)
rem This is bait.bat: re-archive the watched files and compare against the clean baseline
CLS
C:
CD\UPTEST
rem throw away the archive from the last run
DEL VIRUS.LZH
rem archive the files to be checked (add your own to this list); -A includes hidden/system files
LHA A -A VIRUS \COMMAND.COM \util\l.* \dos\edit.* \zip\pkunzip.exe
rem BAIT.LZH is the same archive made on a clean system; FC reports any difference
FC BAIT.LZH VIRUS.LZH
CD\
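The size-and-date check from steps 8 and 9, together with the before/after compare that bait.bat does with LHA and FC, as an added Python example that is not part of the newsletter. The bait names, the 1044-byte growth and the spawn file are constructed for the demo; no virus is involved.

```python
import tempfile
from pathlib import Path

# Constructed bait set with the even sizes the guide suggests (1000, 2000, 3000 bytes).
BAIT_SIZES = {"BAIT1.COM": 1000, "BAIT2.COM": 2000, "BAIT1.EXE": 3000}

def make_bait(directory):
    """Write the bait files; the content is a harmless filler pattern."""
    for name, size in BAIT_SIZES.items():
        (Path(directory) / name).write_bytes(b"\x90" * size)

def snapshot(directory):
    """Step 8: record (size, mtime) of every file in the test directory."""
    return {p.name.upper(): (p.stat().st_size, int(p.stat().st_mtime))
            for p in Path(directory).iterdir() if p.is_file()}

def compare(before, after):
    """What the FC step in bait.bat tells you: which files grew, which were
    merely rewritten, which appeared (spawn files) and which vanished."""
    grown = {n: after[n][0] - before[n][0]
             for n in before if n in after and after[n][0] != before[n][0]}
    touched = sorted(n for n in before
                     if n in after and after[n] != before[n] and n not in grown)
    return {"grown": grown, "touched": touched,
            "new": sorted(set(after) - set(before)),
            "missing": sorted(set(before) - set(after))}

def demo(virus_size=1044):
    """Run the whole cycle on a scratch directory with a simulated infection:
    one bait file grows by virus_size and a companion file appears."""
    with tempfile.TemporaryDirectory() as d:
        make_bait(d)
        before = snapshot(d)
        # Simulated infection (constructed, no real virus): append to BAIT1.COM
        # and drop a spawn file next to BAIT2.COM
        with open(Path(d) / "BAIT1.COM", "ab") as f:
            f.write(b"\x00" * virus_size)
        (Path(d) / "BAIT2.EXE").write_bytes(b"\x00" * virus_size)
        return compare(before, snapshot(d))

if __name__ == "__main__":
    print(demo())
```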
A handy batch file indeed. Now that you have rebooted, you can scan
the files in your test directory. See which files are infected;
from this point you know whether the virus worked or not. Also you
can run the virus and try to get it to do other things it is
supposed to do. For example, let's say you are working with an
original copy of Yankee Doodle. You can run the file, then change
the time in your dos (by typing time {enter}) and set the clock to
right before the virus is supposed to activate. Or let's say the
virus displays a message after so many infections. Infect that many
files until you get the message. At this point you can do a screen
capture of the message.
If you have had a fear of viruses, do this a few times and the fear
will leave. There is so much fear out there that people are afraid
to even have a .Zip file on their computer with a virus in it, much
less unzip and scan it. If you have a fear like this, try
unzipping a virus into a directory and scanning it. After you scan
the file, delete it. Now scan your entire hard disk. You will never
see infection, because you deleted the virus file and never ran it
in the first place. Now do it again, and again, until your fear
leaves. You will quickly come to the realization that unzipping
this virus, or having it, will not destroy your computer. Running it
might, so do not get overconfident.
TROUBLE SHOOTING
Question: I run the virus file, but it locks the machine.
Answer: This could be a number of things. Check to see that the
virus can work with the config that you have. It could be
conflicting with some sort of setup you have. Try different
configs. Another possibility would be that the virus does not work
with your processor, i.e. an XT machine. Remember, the person that
wrote the virus checked it; it probably worked on his machine, but
like any software out there, some has problems running on different
machines. Try a different machine. If the writer is available
through crisnet or nukenet, post the writer and see if he has any
suggestions. Also, if the virus comes with source, recompile the
file and try it again; it could be that the file got corrupted
somehow.
Question: I scan the file and it scans as the virus, but when I
execute it just returns the prompt with no infection.
Answer: First try to see if there is a disk write when you do this.
It might be making spawn files. Spawn files are sometimes hidden in
the directory you are testing your viruses in. Type dir /ah to look
for hidden files, or look in the directory for duplicate file names
with different extensions (usually with the same file size as the
virus).
For example:
VIRUS COM 1044 10-29-59
FORMAT COM 42250 09-10-92
FORMAT EXE 1044 10-29-59
If you see these spawn type files, and they are not the exact same
size, scan the directory again and make sure the spawn files scan as
the virus. It may be that they are making trojan files that will
run when you try to run your program. If the spawned files do not
scan, this will be a good thing to check out. If they do not scan,
and you run the file, you could lose your hard disk.
Or it could be that this file is not a virus, or is a bad or damaged
file. Another thing you would want to check is whether this virus
infects files only on a certain number of executions. Try running
the file several times. It could be looking for a number of files
in the current directory also. Or maybe a file with a certain file
name, or files that meet certain specs. Something like this will
take some time, but it is worth what you find in the end.
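The spawn-file check described in this answer, as an added Python example that is not from the newsletter: it parses a directory listing in the NAME EXT SIZE DATE layout shown above and flags companion pairs. The first three listing lines are the newsletter's own example; the remaining lines are constructed to show a size-mismatch pair and a non-executable neighbour.

```python
import re

# Constructed DOS-style listing: NAME EXT SIZE DATE, one file per line.
LISTING = """\
VIRUS    COM   1044  10-29-59
FORMAT   COM  42250  09-10-92
FORMAT   EXE   1044  10-29-59
BAIT1    EXE   3000  01-15-93
BAIT1    COM   1044  10-29-59
SCAN     EXE  62000  11-02-92
SCAN     COM   1050  10-29-59
EDIT     HLP  17898  09-10-92
EDIT     COM   1050  09-10-92
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d\d-\d\d-\d\d)$")

def parse_listing(text):
    """Turn the listing into (name, ext, size, date) tuples; skips junk lines."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            entries.append((m[1].upper(), m[2].upper(), int(m[3]), m[4]))
    return entries

def find_spawn_files(entries, virus_name="VIRUS.COM"):
    """Flag companion ("spawn") files: two executables sharing a base name.
    A member the same size as the virus is reported as a spawn copy; a pair
    where neither matches is reported for a rescan, as the answer advises."""
    vname, vext = virus_name.upper().split(".")
    virus_size = next((s for n, e, s, _ in entries if (n, e) == (vname, vext)), None)
    by_name = {}
    for n, e, s, d in entries:
        by_name.setdefault(n, []).append((e, s, d))
    suspects = []
    for n, group in sorted(by_name.items()):
        execs = [(e, s) for e, s, _ in group if e in ("COM", "EXE")]
        if len(execs) < 2 or n == vname:
            continue  # a lone program, or the virus file itself
        matches = [f"{n}.{e}" for e, s in execs if s == virus_size]
        if matches:
            suspects.extend((f, "spawn file: same size as the virus") for f in matches)
        else:
            suspects.extend((f"{n}.{e}", "companion pair, size differs: rescan")
                            for e, _ in execs)
    return suspects
```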
Question: I scan my hard disk and it reports a virus in memory even
after I rebooted.
Answer: Do you have Vsafe or another memory resident scanner loaded
at the same time? If so, some scanners will report infection when
these programs are loaded together. Unload the memory resident
scanner and try the one that reported the infection again. You also
might have got one of your files infected that is in your
autoexec.bat or config.sys file. Reboot with a write protected boot
disk and scan again. You can also run the bait.bat file we talked
about earlier in this lesson. You may have encountered a boot
sector infector; type fdisk /mbr {enter}.
Question: I ran the virus and it formatted my hard disk.
Answer: You did not read the Vsum info right, or the info was wrong.
This is why we say to back up your hard disk first. REMEMBER, you
are at risk here at any time, no matter how safe it looks, of
having your FAT destroyed, disk formatted, data lost, etc. Always
back up your machine before testing.
Question: I did not scan the file, look it up or follow any of the
instructions here. I unzipped all of the files I had into one
directory and ran all of the files one at a time until a message
came up on the screen that said "You Dumb ASS .... I just Wiped
your Hard disk"
Answer: The message you got says it all.
These files can be requested from Cris BBS at:
Cris BBS
708-863-5285
1:115/863 or 77:708/0
TBAV (Last copy of TBAV)
SCAN (Last copy of McAfee's Scan)
VSUM (Last copy of Vsum)
F-PROT (Last copy of F-protect)
PGPKEY (Cris PGP Signature)
NODELIST (Last Crisnet Nodelist)
CRIS (Information about Joining Crisnet and research)