Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!caen!uflorida!reef.cis.ufl.edu!jdb
From: jdb@reef.cis.ufl.edu (Brian K. W. Hook)
Newsgroups: comp.os.msdos.apps
Subject: Re: Virus Utility????
Message-ID: <27569@uflorida.cis.ufl.EDU>
Date: 22 Mar 91 13:45:21 GMT
References: <2453@umriscc.isc.umr.edu>
Sender: news@uflorida.cis.ufl.EDU
Organization: UF CIS Dept.
Lines: 53

In article <2453@umriscc.isc.umr.edu> mcastle@mcs213e.cs.umr.edu (Mike Castle {Nexus}) writes:
|>In article roy%cybrspc@cs.umn.edu (Roy M. Silvernail) writes:
|>>
|>>McAfee's SCAN will scan .COM, .EXE, .SYS and .OV? files for you, as well
|>>as your boot sector. Beyond those types, scanning is of little value, since a
|>>virus must be executed to do any damage.
|>
|>Oh, really? What about franke.387 (a 80387 emulator)?? Scan won't scan it
|>using defaults (someone posted /a as the option to force scanning of all
|>files?), and franke wouldn't load as 387.sys or franke.sys. What about
|>windows .dll files?? What about Procomm aspect files (you can do lots of
|>poking and peeking from those)??
|>
|>Granted, the last is a little far-fetched, but the idea is the same. It is
|>possible to have executable code in files with other file names.

THANK YOU!

Where I work I have to be the PC support technician, in charge of maintaining, recommending, installing, etc. new PCs and software. We got nailed by the Jerusalem-B and the Pakistani Brain virus since our PCs (about 240 of them) are spread over a very large area (a factory facility of 3 buildings). Two identical copies were introduced when two CAD workers in the Aerospace department brought in copies of a shareware "game" called FUCKHARD (no kidding). I got a chance to look at the original diskettes on this one:

INSTALLH.COM
FHARD.LBY

INSTALLH installs the program to the hard drive (HD installable ONLY -- not a good sign), copies a hidden file (FHARD.BIN), then RENAMES FHARD.LBY TO FHARD.COM!!!!
We use SCAN (we have a site license) by McAfee Assoc. All the employees with PCs watch out for viruses real well since we really came down on them another time this occurred....so this one was SCANed, and I even SCANed the original files. NOTHING. NADA. No warnings of any type. That shows you a major flaw.

One other thing: How about a self-extracting virus in a self-extracting file using PKSFX? GO.EXE won't show any of the traits of a virus, but the extracted files will. And most people only check the diskettes BEFORE installation.

Another way to get around you really have to watch for is a simple launch file (probably a .COM file) that does a RENAME then an EXEC of another file....that could've been used with the FHARD example above.

MORAL? ALWAYS SCAN AFTER INSTALLATIONS!!! ESPECIALLY ON ARCHIVED FILES!

Brian
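As an added example (not part of the original post, and not McAfee's code), the following re-enacts the FHARD install with constructed sample files and shows why "scan after installation" matters: an extension-based scan sees only INSTALLH.COM beforehand, while a before/after snapshot diff exposes the .LBY-to-.COM rename and the dropped hidden file. The installer behaviour, file contents and function names are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from fnmatch import fnmatch
from pathlib import Path

# Default extension set the quoted post says SCAN looks at (.OV? covers .OVL, .OVR, ...).
DEFAULT_SCAN_GLOBS = ("*.COM", "*.EXE", "*.SYS", "*.OV?")


def default_scan_targets(names):
    """Files an extension-based scan would examine; everything else is skipped."""
    return sorted(n for n in names if any(fnmatch(n.upper(), g) for g in DEFAULT_SCAN_GLOBS))


def snapshot(root):
    """Relative path -> sha256 for every file under root (no extension filter)."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def post_install_changes(before, after):
    """(renamed, added): renamed = old/new pairs with identical content, added = new files."""
    gone, new = set(before) - set(after), set(after) - set(before)
    renamed = sorted((o, n) for o in gone for n in new if before[o] == after[n])
    added = sorted(new - {n for _, n in renamed})
    return renamed, added


def demo():
    """Constructed re-enactment of the FHARD install (sample bytes, not the real program)."""
    work = Path(tempfile.mkdtemp())
    try:
        (work / "INSTALLH.COM").write_bytes(b"\xb4\x4c\xcd\x21")  # constructed stub bytes
        (work / "FHARD.LBY").write_bytes(b"constructed payload bytes")
        before = snapshot(work)
        # Installer steps from the post: drop a (DOS-hidden) .BIN, then rename .LBY -> .COM
        (work / "FHARD.BIN").write_bytes(b"constructed hidden file")
        (work / "FHARD.LBY").rename(work / "FHARD.COM")
        after = snapshot(work)
        renamed, added = post_install_changes(before, after)
        return {"scanned_before": default_scan_targets(before),
                "scanned_after": default_scan_targets(after),
                "renamed": renamed, "added": added}
    finally:
        shutil.rmtree(work)
```

The renamed pair and the added file are exactly the set a post-install rescan must cover, which a pre-install scan of the diskette never sees.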