Path: utzoo!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: PHYS169@csc.canterbury.ac.nz (Mark Aitchison, U of Canty; Physics)
Newsgroups: comp.virus
Subject: Re: Plastique/Taiwan 3/Anticad 2 (confused!) (PC)
Message-ID: <0007.9103131701.AA15339@ubu.cert.sei.cmu.edu>
Date: 13 Mar 91 13:19:00 GMT
Sender: Virus Discussion List
Lines: 49
Approved: krvw@sei.cmu.edu

ccx020@cck.coventry.ac.uk (James Nash) writes:
> Fridrik's F-PROT calls it Plastique
> McAfee's SCAN calls it Taiwan 3 (as does AVSEARCH)
> Solomon's FINDVIRUS calls it Anticad 2
>
> Now, I know that all these virii are related in some way or another
> but I am confused as to whether they are all the same or not. VIRUSSUM
> does not help much as it calls Taiwan 3 and Plastique separate virii.

This, plus other recent comments about difficulties in naming variants of
viruses, suggests a better approach to naming viruses is needed. I posted a
note recently about naming/identifying boot sector viruses - anyone who missed
that can get a copy of BOOTID.ZOO and/or CHECKOUT.ZOO by anonymous ftp to
132.181.30.3 - these are still experimental, but worth looking at.

[Ed. The hostname of 132.181.30.3 is cantva.canterbury.ac.nz]

What I am suggesting now is a naming system for all types of virus (such as
trojans), which depends on the contents of the virus, not where it was
discovered or a piece of text one version displays. This isn't as easy as
naming boot sector viruses, but should be possible. (Read: I haven't made a
nice demo program this time; let's discuss it before anyone goes to the effort
of programming something). If you've already looked at BOOTID.PAS, you may
have noticed a range of hashcodes left unassigned (in byte 2), so I do intend
to extend the hashcode into other areas.

My guess is that a naming scheme would...

1. Use only letters and digits,

2. Not try to be pronounceable, but be short (up to 12 characters) and maybe
   have a "popular name" tacked on the end for convenience. The reason is that
   good, descriptive "real" words become easily exhausted, and may be just as
   difficult to pronounce in some countries as computer-generated names!

3. Certain bytes would flag what the virus attacks (.EXE, .COM, .SYS, .BAT
   files, and so on), whether it overwrites or appends to the original file,
   what interrupts it uses, and other distinguishing features of its effects.

4. The rest of the code would be a sophisticated checksum of the virus code,
   hopefully weighting important code in some way to give similar viruses
   similar codes.

The aims, as with BOOTID, are to positively identify viruses, avoiding
confusion as mentioned above. The method, I suspect, would be to isolate the
virus from what it has infected (e.g. compare an infected .EXE file with the
uninfected original, or (better still) use some automated disassembly software
which works out what instructions are executed before the original program is
executed).

As I said, it probably won't be easy. But what do you think? Is it worthwhile?
Essential?

Mark Aitchison, Physics, University of Canterbury, New Zealand.
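As an added illustration of the scheme sketched in points 1-4 above (this is not code from the original post, nor from BOOTID.PAS), the following Python builds a 12-character alphanumeric identifier from three feature characters plus a similarity-preserving checksum of the isolated body. The flag-bit assignments, the 45-bit weighted simhash and the sample bodies are all this example's own assumptions.

```python
import hashlib
import string

ALPHABET = string.digits + string.ascii_uppercase   # letters and digits only (point 1)
HASH_BITS = 45   # 36**9 > 2**45, so the checksum fits in 9 base-36 characters

# Flag bits for the "what it attacks" characters (point 3). Assignments are this
# example's own choice, not a published convention.
TARGET_BITS = {"COM": 1, "EXE": 2, "SYS": 4, "BAT": 8}
INTERRUPT_BITS = {0x08: 1, 0x09: 2, 0x13: 4, 0x1C: 8, 0x21: 16}


def feature_prefix(targets, appends, interrupts):
    """Three characters: file types attacked, append (1) or overwrite (0), interrupts hooked."""
    t = sum(TARGET_BITS[x] for x in targets)
    i = sum(INTERRUPT_BITS.get(n, 0) for n in interrupts)
    return ALPHABET[t] + ALPHABET[1 if appends else 0] + ALPHABET[i]


def simhash(code, n=4):
    """Similarity-preserving checksum over byte n-grams of the isolated body (point 4).
    Every n-gram votes on each of HASH_BITS bits; n-grams containing an INT opcode
    (0xCD) get triple weight, since the proposal singles out interrupt use as
    important. Near-identical bodies therefore differ in only a few bits."""
    votes = [0] * HASH_BITS
    for k in range(len(code) - n + 1):
        gram = code[k:k + n]
        weight = 3 if 0xCD in gram else 1
        h = int.from_bytes(hashlib.blake2b(gram, digest_size=8).digest(), "big")
        for b in range(HASH_BITS):
            votes[b] += weight if (h >> b) & 1 else -weight
    return sum(1 << b for b in range(HASH_BITS) if votes[b] > 0)


def to_base36(value, width):
    out = ""
    for _ in range(width):
        value, r = divmod(value, 36)
        out = ALPHABET[r] + out
    return out


def virus_id(code, targets, appends, interrupts):
    """12-character identifier: 3 feature characters + 9 checksum characters."""
    return feature_prefix(targets, appends, interrupts) + to_base36(simhash(code), 9)


def hamming(a, b):
    """Bit distance between two checksums; small means closely related bodies."""
    return bin(a ^ b).count("1")


# Constructed sample bodies (not real malware): an original, a 3-byte patched variant, an unrelated one.
ORIGINAL = bytes(range(256)) * 2
VARIANT = ORIGINAL[:100] + b"\x90\x90\x90" + ORIGINAL[103:]
UNRELATED = bytes((i * 37 + 11) % 256 for i in range(512))
```

Running `virus_id(VARIANT, ["COM", "EXE"], True, [0x21])` against the same call on `ORIGINAL` shows the two identifiers sharing most checksum bits, while `UNRELATED` lands far away.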