Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson)
Newsgroups: comp.virus
Subject: "Six Bytes" (PC)
Message-ID: <0012.9103291939.AA00169@ubu.cert.sei.cmu.edu>
Date: 29 Mar 91 00:32:00 GMT
Sender: Virus Discussion List
Lines: 79
Approved: krvw@sei.cmu.edu

>From: frisk@rhi.hi.is (Fridrik Skulason)
>Subject: Re: Integrity Checking, programs & system

>I don't mean to be insulting, but I have said it before, and I will
>say it again: The six-byte check is no substitute for a full system
>integrity check! Although it will detect most viruses, it will NOT
>detect them all, in particular it will miss some "stealth" viruses,
>like the "Number of the Beast".

I did not think I ever said that it was. In fact in my New York paper specific mention was made that it did not detect the 512 (Number of the Beast). It will also not detect the Alabama, Icelandic, EDV, or any virus that does not go resident. What was said was that it will detect all currently "common" viruses (though to detect the Jerusalem/Sunday or 1701/1704 variants, knowledge of the system is required). Also, though I usually tell people that intelligent use of CHKDSK will perform essentially the same function.

Sure, a lot more can be done, but my purpose was to defuse some of the "undetectable viruses" hysteria that was surrounding the last crop of "stealth" (FLIP, 4096, WHALE, JOSHI) viruses when they are really easy to spot (also BRAIN {the first "stealth"}, YALE, STONED, DATALOCK, AZUSA, MUSICBUG, etc). Point is that most of the postings I see here asking for assistance are not from experts with some new research virus that can exploit an obscure hole in a specific system (or does the INT13 understand both DOS 3.X and 4.X buffer chains?), but real people needing real help now.

CHKDSK or Int 12/Int 21 fn 48 values are also an easy way for someone a continent away and without any software tools that don't come with DOS to describe what is happening, something I have done several times on the telephone. 655360 "total bytes memory" should be engraved in every technician's mind.

I will admit to tailoring most of my postings to be educational for the participant who is reasonably PC-lucid but has not had the opportunity to spend years of in depth study on undocumented interrupts. For this reason, my public comments have been slanted toward what can be done in five minutes with DEBUG and be stated as easily. Private conversations with people in trouble have gone into much greater depth but I have found that the simple techniques are effective most of the time. Possibly, my last posting on removal of AZUSA was too technical but I did not know another way to phrase it. "Send all your money and a plane ticket" seems a bit commercial and enough people had asked that I felt it might be useful.

>However, my main point is this - it is possible to make a program
>integrity check which will detect infection by all "stealth" viruses
>known today, and (I hope) tomorrow's viruses as well.

I agree completely, such a program is not only feasible, but relatively simple. Readers who have been following our discussions will recall one statement I have been making for some time: an effective defense MUST start at the BIOS level, something that has nothing to do with the "six bytes". Such a program's major difficulty will be to handle every oddball O/S, partitioning scheme, and non-compliant application around. One of my detectors went off on a Microsoft WORD for Windows ver 1.1 installation disk. For some reason the disk was formatted with IBM 3.3 as used by COMPAQ (figure that one out). To get the COMPAQ logo into the boot record, the information was one byte too long to follow the Microsoft specification so the code appeared to start one byte back in a "reserved" area. BONG!

>I cannot go into details, but I do have a working program which is
>able to do this - more details next month.

Is this why the "insulting" of the "six bytes"? I admit to being surprised that someone with your well-deserved reputation and many contributions would feel it necessary to harp on admitted flaws in something that is not a commercial product but merely a technique some people find useful.

Bemusedly,
Padgett
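The "655360 total bytes memory" check Padgett describes, as an added example that is not part of the original post: it parses the memory line from CHKDSK output (constructed sample text, not a real capture), compares it with the expected 640 KB figure, and reports how many KB have gone missing from the top of conventional memory, which is where a resident boot-sector or "stealth" virus that lowers the BIOS memory count shows up. The 655360 baseline assumes a 640 KB machine; a clean 512 KB machine legitimately reports 524288, so the expected value is a parameter.

```python
import re

# Conventional memory on a fully populated 640 KB PC, as CHKDSK reports it.
FULL_CONVENTIONAL = 640 * 1024  # 655360

# Constructed CHKDSK output (not a real capture): a clean machine and one
# whose total memory is 2 KB short, the signature of resident code hiding
# above the DOS top-of-memory mark.
CLEAN_CHKDSK = """\
  21309440 bytes total disk space
   1228800 bytes available on disk

    655360 bytes total memory
    573328 bytes free
"""

SUSPECT_CHKDSK = """\
  21309440 bytes total disk space
   1228800 bytes available on disk

    653312 bytes total memory
    571280 bytes free
"""

def total_memory_bytes(chkdsk_text):
    """Return the 'bytes total memory' figure from CHKDSK output, or None."""
    m = re.search(r"(\d+)\s+bytes total memory", chkdsk_text)
    return int(m.group(1)) if m else None

def int12_kb_to_bytes(kb):
    """INT 12h returns conventional memory in KB; convert to CHKDSK's unit
    so a figure read over the phone from DEBUG can be compared directly."""
    return kb * 1024

def memory_shortfall_kb(reported_bytes, expected_bytes=FULL_CONVENTIONAL):
    """Whole KB missing from the expected conventional memory total."""
    missing = expected_bytes - reported_bytes
    return missing // 1024 if missing > 0 else 0

def assess(chkdsk_text, expected_bytes=FULL_CONVENTIONAL):
    """Classify CHKDSK output: 'ok', a shortfall warning, or no memory line."""
    reported = total_memory_bytes(chkdsk_text)
    if reported is None:
        return "no memory line found"
    kb = memory_shortfall_kb(reported, expected_bytes)
    if kb == 0:
        return "ok"
    return "%d KB below expected: check for resident code at top of memory" % kb
```

A shortfall is only a lead, not a verdict: some BIOSes and legitimate drivers also reserve memory above the DOS limit, so the next step is to inspect what sits there rather than assume infection.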