Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!comp.vuw.ac.nz!canterbury!cctr132
From: cctr132@csc.canterbury.ac.nz (Nick FitzGerald, CSC, Uni. of Canterbury, NZ)
Newsgroups: comp.os.msdos.apps
Subject: Re: Virus Utility????
Message-ID: <1991Mar23.121708.300@csc.canterbury.ac.nz>
Date: 23 Mar 91 00:17:08 GMT
References: <2453@umriscc.isc.umr.edu> <27569@uflorida.cis.ufl.EDU>
Organization: University of Canterbury, Christchurch, New Zealand
Lines: 77

In article <27569@uflorida.cis.ufl.EDU>, jdb@reef.cis.ufl.edu (Brian K. W. Hook) writes:

> [Several quotes from previous posts about what files are scanned by McAfee's SCAN program deleted]
>
> THANK YOU! Where I work I have to be the PC support technician, in charge
> of maintaining, recommending, installing, etc. new PCs and software. We
> got nailed by the Jerusalem-B and the Pakistani Brain virus since our PCs
> (about 240 of them) are spread over a very large area (a factory facility
> of 3 buildings).
>
> Two identical copies were introduced when two CAD workers in the Aerospace
> department brought in copies of a shareware "game" called FUCKHARD (no
> kidding). I got a chance to look at the original diskettes on this one:
>
> INSTALLH.COM
> FHARD.LBY
>
> INSTALLH installs the program to the hard drive (HD installable ONLY -- not
> a good sign), copies a hidden file (FHARD.BIN), then RENAMES FHARD.LBY TO
> FHARD.COM!!!!

OK - so this shows how Jerusalem got onto your machines (an .EXE and .COM
infector), but how did the Paki Brain get there? - it is a boot sector
infector, not an executable infector. Maybe this "game" (or its install
program) is a trojan, and deviously installs PB as its payload - next boot
and the machine is busily infecting all the floppies it is fed.

> We use SCAN (we have a site license) by McAfee Assoc. All the employees
> with PCs watch out for viruses real well since we really came down on them
> another time this occurred....so this one was SCANed, and I even SCANed the
> original files. NOTHING. NADA. No warnings of any type.
>
> That shows you a major flaw.

In the following, assume my contention above about the PB implanting trojan
is correct:

But the problem is worse than you think. OK, so we now all add .LBY to our
SCAN invocations so it searches any .LBY files, and so on. Even better, we
always SCAN new disks with the /A switch (All files). At most, this would
have told us that FHARD.LBY was infected with JeruB. No great problem, it's
common and CLEAN (or somesuch) will easily disinfect it, so we do so and
say "All's well - play your game (wink, wink)". On playing, the machine is
"artificially infected" with PB.

Why didn't the scanner pick up the PB code? Ignoring the obvious
possibility of the sleazoid "author" of this trojan having encrypted it in
some way - hell, it's what I'd do if I ever sunk that low - the answer is
simple: the virus scanner *wasn't looking for it*. Why? - because everyone
knows that PB (and Stoned and.. and.. and..) are only boot sector
infectors, so the scanners (this applies to most/all, not just the McAfee
product mentioned earlier) don't look in executables for them (like they
don't look in boot sectors for executable infectors). This, of course,
speeds up the scanning process somewhat.

> One other thing:
>
> How a self-extracting virus in a self-extracting file using PKSFX? GO.EXE
> won't show any of the traits of a virus, but the extracted files will. And
> most people only check the diskettes BEFORE installation.
>
> Another way to get around you really have to watch for is a simple launch
> file ( probably a .COM file) that does a RENAME then an EXEC of another
> file....that could've been used with the FHARD example above.

Good points you should all take note of.

> MORAL? ALWAYS SCAN AFTER INSTALLATIONS!!! ESPECIALLY ON ARCHIVED FILES!

... and always scan ALL files on new disks **REGARDLESS OF WHERE THEY COME
FROM**. Also, if your "commercially supplied" software doesn't come on
unnotched floppies *complain to the company* - if enough of you do so, some
things might change (apparently this worked with WP!).

---------------------------------------------------------------------------
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
Internet: n.fitzgerald@csc.canterbury.ac.nz
Phone: (64)(3) 642-337
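The two blind spots the post describes (a scanner that only opens files with executable extensions, and one that never applies boot-sector signatures to files) can be made concrete with a toy scanner. This is an added example written for this page, not code from the thread or from McAfee's SCAN; the signature bytes and the diskette contents are constructed stand-ins, not real virus patterns.

```python
# Constructed byte patterns standing in for signatures (NOT real virus code).
# "file" signatures are the ones a 1991 scanner applied to executables,
# "boot" signatures the ones it applied only to boot sectors.
SIGNATURES = {
    "JERU-B (constructed)": (b"\xEA\x05\x00\xC3\x10", "file"),
    "BRAIN (constructed)":  (b"\x1A\x6E\x0E\xB8\x00", "boot"),
}
EXEC_EXTENSIONS = (".com", ".exe", ".sys", ".ovl")


def naive_scan(name, data):
    """Extension-gated scan: only executables, only executable-infector signatures."""
    if not name.lower().endswith(EXEC_EXTENSIONS):
        return []
    return [n for n, (pat, kind) in SIGNATURES.items()
            if kind == "file" and pat in data]


def thorough_scan(name, data):
    """Every signature against every file, whatever its name: the /A idea,
    plus boot-sector signatures applied to ordinary files too."""
    return [n for n, (pat, kind) in SIGNATURES.items() if pat in data]


# Constructed "diskette": FHARD.LBY carries both patterns, INSTALLH.COM is clean.
DISKETTE = {
    "INSTALLH.COM": b"\xB4\x09\xBA\x10\x01\xCD\x21\xC3",
    "FHARD.LBY": b"junk" + b"\xEA\x05\x00\xC3\x10" + b"more"
                 + b"\x1A\x6E\x0E\xB8\x00",
}


def install(files):
    """Mimic what the post says INSTALLH does: rename FHARD.LBY to FHARD.COM."""
    installed = dict(files)
    installed["FHARD.COM"] = installed.pop("FHARD.LBY")
    return installed


def scan_diskette(scanner, files=DISKETTE):
    """Run one scanner over every file and report detections per file."""
    return {name: scanner(name, data) for name, data in files.items()}


if __name__ == "__main__":
    print("before install, naive:   ", scan_diskette(naive_scan))
    print("after install, naive:    ", scan_diskette(naive_scan, install(DISKETTE)))
    print("before install, thorough:", scan_diskette(thorough_scan))
```

Before installation the naive scan reports nothing at all; after the rename it reports only the executable infector, and the boot-sector pattern inside the same file is still missed, which is the post's point.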