Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: RADAI@HUJIVMS.BITNET (Y. Radai)
Newsgroups: comp.virus
Subject: Re: 4096 Virus and Checksums (PC)
Message-ID: <0005.9008101840.AA07688@ubu.cert.sei.cmu.edu>
Date: 9 Aug 90 12:21:00 GMT
Sender: Virus Discussion List
Lines: 37
Approved: krvw@sei.cmu.edu

Steve Albrecht asks about the following statement by Dr. Highland on the
4096 virus:

> "This recently published computer virus is particularly
> disturbing in that...checksum techniques likewise appear to
> be useless, the virus `disappears' during the checksum
> process..."
>
>Can someone please elaborate on how the virus avoids the checksum
>process, or perhaps direct me to more detailed information on this
>virus?
>
>In particular, does it avoid all checksum algorithms, or only
>certain ones? How does it avoid detection from the checksum
>operation?

The virus "disappears during the checksum process" only in the sense that
files infected by this virus do not appear to have been altered *IF THE
VIRUS IS IN MEMORY WHEN CHECKSUMMING IS PERFORMED*. Didn't Dr. Highland
mention this in his article? The same is true of some other viruses,
incl. EDV and Number of the Beast (V512).

From this it is obvious that the answer to your question whether it avoids
*all* checksum algorithms is affirmative. But this is only under the above
circumstances.

The remedy is obvious: Instead of performing checksumming from your hard
disk, do it only after cold booting from your original (write-protected)
DOS diskette, with the checksum program and database also on a diskette.
This will ensure that RAM is uninfected when the checksum program is run.
(At least it's much surer than depending on checks such as those advocated
by Jim Molini and Chris Ruhl on this forum several months ago.)

                                         Y. Radai
                                         Hebrew Univ. of Jerusalem, Israel
                                         RADAI@HUJIVMS.BITNET  (Note new address)
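The mechanism Radai describes, as an added illustration that is not part of the original post and not code from the 4096 virus: a stealth infector that is resident in memory hooks the file-read path and hands every caller the original bytes of an infected file, so no checksum or hash, whatever the algorithm, can see the change; the same checker reading the raw disk after a clean cold boot flags the file immediately. The disk contents, file names and the 4096-byte "virus body" below are constructed for the simulation and stand in for the real thing.

```python
"""Simulation of why a memory-resident stealth infector defeats checksumming
only while it is active in RAM.  All data here is constructed for the
example; the file contents and VIRUS_BODY are not real 4096 virus code."""
import hashlib
import zlib

# Constructed sample disk: two small fake executables.
CLEAN_FILES = {
    "COMMAND.COM": b"MZ" + bytes(range(64)),
    "EDIT.EXE": b"MZ" + bytes(range(64, 128)),
}
# Constructed 4096-byte stand-in for the appended virus body (varying bytes,
# so even a simple additive checksum changes when it is appended).
VIRUS_BODY = bytes(range(256)) * 16


class Disk:
    """Raw disk contents: what a checker sees after a clean cold boot."""

    def __init__(self, files):
        self.files = dict(files)

    def read(self, name):
        return self.files[name]


class ResidentStealthVirus:
    """Models the virus while resident: it hooks the DOS file services, so
    every read of an infected file has the appended body stripped and the
    caller sees the original bytes and original length."""

    def __init__(self, disk, body=VIRUS_BODY):
        self.disk, self.body = disk, body

    def infect(self, name):
        # Appending infector: the file on disk really does grow by 4096 bytes.
        if not self.disk.files[name].endswith(self.body):
            self.disk.files[name] += self.body

    def read(self, name):
        data = self.disk.read(name)
        if data.endswith(self.body):
            return data[: -len(self.body)]   # hide the infection from the caller
        return data


def checksum(data, algo):
    """A few checksum/hash algorithms; the stealth hook fools all of them
    equally, because it alters the input, not the arithmetic."""
    if algo == "sum16":                      # 1990-style additive checksum
        return sum(data) & 0xFFFF
    if algo == "crc32":
        return zlib.crc32(data)
    return hashlib.new(algo, data).hexdigest()


def build_db(fs, names, algo):
    """Checksum database: name -> checksum, read through the given file layer."""
    return {n: checksum(fs.read(n), algo) for n in names}


def changed_files(baseline, current):
    return sorted(n for n in baseline if baseline[n] != current[n])


def run_scenario(algo):
    """Returns (files flagged while the virus is resident,
                files flagged after a clean cold boot) for one algorithm."""
    disk = Disk(CLEAN_FILES)
    names = sorted(CLEAN_FILES)
    baseline = build_db(disk, names, algo)          # taken on a clean system
    virus = ResidentStealthVirus(disk)
    virus.infect("EDIT.EXE")
    # Checker run from the infected hard disk: every read goes through the hook.
    flagged_resident = changed_files(baseline, build_db(virus, names, algo))
    # Checker run after cold boot from a write-protected diskette: no hook,
    # reads hit the raw disk.
    flagged_clean = changed_files(baseline, build_db(disk, names, algo))
    return flagged_resident, flagged_clean


def run_all(algos=("sum16", "crc32", "md5", "sha256")):
    return {a: run_scenario(a) for a in algos}


if __name__ == "__main__":
    for algo, (resident, clean) in run_all().items():
        print(f"{algo:7s} resident: {resident}  clean boot: {clean}")
```

Every algorithm reports nothing changed while the hook is in place and flags EDIT.EXE once it is not, which is exactly why the choice of checksum algorithm is irrelevant and the boot medium is what matters.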