Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!snorkelwacker!tut.cis.ohio-state.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: mweiner@bene.at.eu.net (Michael Weiner)
Newsgroups: comp.virus
Subject: Dangerous virus removal programs
Message-ID: <0007.9007241234.AA23686@ubu.cert.sei.cmu.edu>
Date: 23 Jul 90 16:58:02 GMT
Sender: Virus Discussion List
Lines: 73
Approved: krvw@sei.cmu.edu

Otto Stolz writes:

> Luckily, the dis-infector will find the information to restore the
> original content of the changed locations somewhere in the viral code,

The method you mention (scanning for a bit pattern at a certain position,
taking bytes from a certain offset within the viral code and copying them
to the beginning of the program) in my opinion is extremely dangerous and
should not be used. We will experience a LOT of viruses that will carry
identical signatures and will store the original code at a different
offset within their code to fool anti-virus programs like McAfee's into
destroying programs they are trying to recover.

> Now, if the dis-infector hits on a hitherto unknown variant of the
> virus, it may take the wrong bytes from the viral code, put them in
> place of the said JMP- or CALL-instruction, and in due course it will
> destroy the program instead of repairing it.

Perfect agreement with that - but it could even get worse: Imagine virus
derivatives deliberately placing JMPs to killer code within their body at
the location where a recovery program expects the original start of the
program. Consequences would be disastrous because viruses could be
'tailor-made' to certain anti-virus programs.

> I conjecture that the Vienna variant of the 1704 is unknown to McAfee
> and his team, and hence this sort of thing happened.
> Martin Zejma: I think it would be a good idea to send a copy of the
> virus you experienced to McAfee Associates (and also to Frisk).
Now how could they be supposed to know about all these viruses if the only
thing any virus writer has to do is change 1 (one) byte at the right
location of the virus to make virtually ALL removal programs destroy data?
We will have to find a way to describe viruses in a way that will enable
us to recognize and to react to some derivatives.

> some kind soul will send a new 1704-variant (or whatever-variant)
> on its way that will fool the dis-infectors again :-(

To wrap it up, removal of a virus should ONLY be performed by a program if
it has found a virus and identified ALL its code (not just some short part
of the code). If a single byte of the code found differs from the 'known'
virus, the removal program should not attempt to mess around with it.

A combination of signature scanning and checksumming comes to my mind when
I think about the dilemma again: First check if the (known) virus CAN be
in the program assumed to be infected, by using a signature the way we use
it today, and then use a range definition file to define the location of
static fields within virus code and calculate checksums over that code
area. If these checksums match, we can safely remove the virus from the
file. Of course other algorithmic methods have to be used for 4096 and the
like.

There is hope after all :-)

Hoping for comments,

Michael Weiner

+------------------------------------------------------------+
I UUCP:     mweiner@bene.at.eu.net                           I
I Internet: mweiner@f23.z2.FIDONET.ORG Voice ++43 1 8232400  I
I Michael Weiner -- Ghelengasse 4 -- A-1130 Wien -- Austria  I
+------------------------------------------------------------+
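The signature-plus-checksum scheme proposed at the end of the post, as an added Python example that is not part of the original post and not the code of any anti-virus product mentioned in it. It puts a naive disinfector that trusts the signature alone beside one that also verifies the "static fields" of the known body from a range definition, and runs both over a constructed toy appender layout: a known strain, and a same-signature variant that keeps the host's original bytes at a different offset. All byte strings, offsets, the definition format and the names (KnownVirus, KNOWN_1704, safe_disinfect, ...) are assumptions made for this example; the "virus body" is filler text, not executable code.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

JMP_LEN = 3  # COM-style appender model: host's first 3 bytes replaced by a near JMP


@dataclass(frozen=True)
class KnownVirus:
    """One entry of a hypothetical 'range definition file' (constructed format)."""
    name: str
    body_len: int
    signature: bytes                  # short scan pattern, expected at sig_offset in the body
    sig_offset: int
    saved_bytes_offset: int           # where this strain keeps the host's original bytes
    static_ranges: Tuple[Tuple[int, int, str], ...]  # (offset, length, sha256) of static code


def checksum(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- constructed sample data: filler text standing in for viral code --------------
BODY_A = b"VIRUS-CODE-A::::"   # 16 bytes, static, body offsets 0-15
SIG = b"SIGNATURE1704"         # 13 bytes, static, body offsets 19-31 (the scan signature)
BODY_C = b"VIRUS-CODE-C::::"   # 16 bytes, static, body offsets 32-47
HOST = b"ORIGINAL-PROGRAM-BYTES-0123456789"   # constructed host program

# Definition of the known strain: saved bytes at body offset 16, three static ranges.
KNOWN_1704 = KnownVirus(
    name="toy-1704", body_len=48, signature=SIG, sig_offset=19, saved_bytes_offset=16,
    static_ranges=((0, 16, checksum(BODY_A)), (19, 13, checksum(SIG)), (32, 16, checksum(BODY_C))),
)


def _jmp_to_body(host: bytes) -> bytes:
    # near JMP rel16: next IP is 0x103, body starts at 0x100 + len(host)
    return b"\xe9" + (len(host) - JMP_LEN).to_bytes(2, "little")


def build_known_infection(host: bytes) -> bytes:
    """Constructed sample with the layout the definition describes (saved bytes at 16)."""
    saved = host[:JMP_LEN]
    return _jmp_to_body(host) + host[JMP_LEN:] + BODY_A + saved + SIG + BODY_C


def build_variant_infection(host: bytes) -> bytes:
    """Constructed variant: same signature, filler at offset 16, saved bytes moved to 32."""
    saved = host[:JMP_LEN]
    return (_jmp_to_body(host) + host[JMP_LEN:]
            + BODY_A + b"\x90" * JMP_LEN + SIG + saved + BODY_C[JMP_LEN:])


def find_body(infected: bytes, kv: KnownVirus) -> Optional[bytes]:
    """Appender assumption: the body is the last body_len bytes of the file."""
    if len(infected) < kv.body_len + JMP_LEN:
        return None
    return infected[-kv.body_len:]


def signature_matches(body: bytes, kv: KnownVirus) -> bool:
    return body[kv.sig_offset:kv.sig_offset + len(kv.signature)] == kv.signature


def mismatched_ranges(body: bytes, kv: KnownVirus) -> List[Tuple[int, int]]:
    """Static ranges whose checksum differs from the definition (empty list = all match)."""
    return [(off, ln) for off, ln, digest in kv.static_ranges
            if checksum(body[off:off + ln]) != digest]


def naive_disinfect(infected: bytes, kv: KnownVirus) -> Optional[bytes]:
    """The method the post warns against: signature hit, then blindly copy saved bytes."""
    body = find_body(infected, kv)
    if body is None or not signature_matches(body, kv):
        return None
    saved = body[kv.saved_bytes_offset:kv.saved_bytes_offset + JMP_LEN]
    return saved + infected[JMP_LEN:-kv.body_len]


def safe_disinfect(infected: bytes, kv: KnownVirus) -> Tuple[Optional[bytes], str]:
    """Signature first, then every static range must checksum; otherwise refuse to touch it."""
    body = find_body(infected, kv)
    if body is None:
        return None, "no body of the expected length"
    if not signature_matches(body, kv):
        return None, "signature not found"
    bad = mismatched_ranges(body, kv)
    if bad:
        return None, f"static range mismatch at {bad}: unknown variant, not repairing"
    saved = body[kv.saved_bytes_offset:kv.saved_bytes_offset + JMP_LEN]
    return saved + infected[JMP_LEN:-kv.body_len], "ok"


if __name__ == "__main__":
    for label, sample in (("known", build_known_infection(HOST)),
                          ("variant", build_variant_infection(HOST))):
        naive = naive_disinfect(sample, KNOWN_1704)
        safe, reason = safe_disinfect(sample, KNOWN_1704)
        print(f"{label}: naive restored host correctly: {naive == HOST}; "
              f"safe result: {reason}; safe restored host correctly: {safe == HOST}")
```

On the known strain both routines return the original host. On the variant the naive routine "repairs" the file by writing three filler bytes over the program's entry point, exactly the damage the post describes, while the checksumming routine sees that the range at offset 32 no longer matches and refuses, reporting the mismatch instead. In a real tool the digests would be read from the definition file rather than computed at import time as they are here.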