Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: vail@tegra.com (Johnathan Vail)
Newsgroups: comp.virus
Subject: Re: 4096 Virus and Checksums (PC)
Message-ID: <0010.9008101840.AA07688@ubu.cert.sei.cmu.edu>
Date: 9 Aug 90 20:11:15 GMT
Sender: Virus Discussion List
Lines: 47
Approved: krvw@sei.cmu.edu

70033.1271@CompuServe.COM (Steve Albrecht) writes:

> In browsing through the April 1990 issue of Computers and Security, Volume 9, No. 2, I read the following comments of Dr. Harold Highland on the 4096 virus:
>
> "This recently published computer virus is particularly disturbing in that...checksum techniques likewise appear to be useless, the virus `disappears' during the checksum process..."
>
> Can someone please elaborate on how the virus avoids the checksum process, or perhaps direct me to more detailed information on this virus?

Back when it was fun to hack with viral code I thought it would be necessary to avoid the checksum built into the .EXE header. The first approach was to compute a new checksum based on the entire new file. A better and more efficient way is to simply force the checksum of the actual added virus code to be zero. That way, any checker will take the CS of the original file data and add it to the CS of the added virus code. This being zero, it will result in the same CS as the original.

This method will easily spoof checksums but not CRCs or LRCs. And I still don't know how to spoof a combination of these.

I think that there are programs that will wrap around an executable and detect any changes made to itself. These can't be beaten by the method described above. Probably what happens here is that the virus code gets executed first after being loaded. It then relocates itself and hides its tracks. Then it can pass control back to whatever program it has infected. The resulting load image is the same as it would have been without a virus.

Just some random musings...

jv

[Ed. Unless I'm mistaken, the 4096 doesn't use this sort of mechanism to hide from checksums; it traps the interrupts that read files and disinfects files on the fly so that a checksum/crc/whatever actually sees the non-infected files.]

The inability of snakes to count is actually a refusal, on their part, to appreciate the Cardinal Number system. -- "Actual Facts"

 _____
|     |  Johnathan Vail  |  n1dxg@tegra.com
|Tegra|  (508) 663-7435  |  N1DXG@448.625-(WorldNet)
 -----   jv@n1dxg.ampr.org  {...sun!sunne ..uunet}!tegra!vail
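The zero-sum trick described in the post above, worked through as an added example (this is not code from the post or from any real virus): an appending infector pads its code with one 16-bit word chosen so that the code's additive checksum is zero, so the host's 16-bit additive checksum is unchanged after the append, while a CRC over the same file does change. The 16-bit additive checksum, the fake host bytes and the bytes standing in for appended code are all constructed here and are not the real MZ header algorithm or real malware.

```python
"""
Added example (not from the original comp.virus post): force an appended
payload's 16-bit additive checksum to zero so the host file's additive
checksum survives the append, and show that a CRC does not survive it.
All sample bytes below are constructed for the demonstration.
"""
import struct
import zlib

WORD = struct.Struct("<H")


def additive_checksum16(data: bytes) -> int:
    """Sum of little-endian 16-bit words modulo 2**16 (odd length zero-padded).

    A simple stand-in for the kind of additive checksum the post discusses;
    it is not the exact MZ header algorithm.
    """
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for (word,) in WORD.iter_unpack(data):
        total = (total + word) & 0xFFFF
    return total


def zero_sum_payload(code: bytes) -> bytes:
    """Append one pad word so the payload's additive checksum is zero.

    Because the checksum is a plain sum mod 2**16, sum(host) + sum(payload)
    equals sum(host) whenever sum(payload) == 0, so the host's checksum
    survives the append without anyone recomputing it.
    """
    if len(code) % 2:
        code += b"\x00"  # keep the pad word on a 16-bit boundary
    pad = (-additive_checksum16(code)) & 0xFFFF
    return code + WORD.pack(pad)


def append_payload(host: bytes, payload: bytes) -> bytes:
    """Model an appending infector: the host file followed by the payload.

    An odd-length host gets one zero byte first so the payload starts on a
    word boundary; additive_checksum16 already treats that byte as padding,
    so the host's own checksum is not changed by it.
    """
    if len(host) % 2:
        host += b"\x00"
    return host + payload


def compare_checks(host: bytes, code: bytes) -> dict:
    """Report which integrity checks still match after appending zero-sum code."""
    payload = zero_sum_payload(code)
    infected = append_payload(host, payload)
    return {
        "payload_sum": additive_checksum16(payload),
        "additive_preserved": additive_checksum16(infected) == additive_checksum16(host),
        "crc_preserved": zlib.crc32(infected) == zlib.crc32(host),
        "size_grew": len(infected) > len(host),
    }


# Constructed sample data: a fake "MZ"-prefixed host (not a real executable)
# and 15 arbitrary bytes standing in for appended code (odd length, so the
# padding path in zero_sum_payload is exercised).
SAMPLE_HOST = b"MZ" + bytes(range(64))
SAMPLE_CODE = bytes(range(0x10, 0x1F))

if __name__ == "__main__":
    for name, value in compare_checks(SAMPLE_HOST, SAMPLE_CODE).items():
        print(f"{name}: {value}")
```

Running it shows additive_preserved True and crc_preserved False: the additive sum is linear over concatenated words, so a zero-sum suffix is invisible to it, whereas a CRC depends on the position of every bit, so a suffix that merely sums to zero does not cancel. Note also that the file length grows, which is the cheapest check of all; the post's "disappearing" 4096 behaviour described in the editor's note defeats both by lying to the reader rather than by arithmetic.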