Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!wuarchive!udel!rochester!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: mrs@netcom.com (Morgan Schweers)
Newsgroups: comp.virus
Subject: Re: "Six Bytes" (PC)
Message-ID: <0002.9104011657.AA02353@ubu.cert.sei.cmu.edu>
Date: 31 Mar 91 09:54:00 GMT
Sender: Virus Discussion List
Lines: 54
Approved: krvw@sei.cmu.edu

Greetings,

Actually, an extremely simple method of generic 'virus detection' for viruses which infect on execute (or open) is to create a program that records the FREE DISK SPACE, then opens a file named 'TEST.COM' and fills it with 8192 copies of 'INT 20h', then spawns out to execute it. The free disk space is loaded again, and compared against the original minus 16384 (8192*2 bytes of code). This should successfully handle all cluster sizes, etc. If the values aren't equal then there is Something Wrong(tm). Admittedly, it won't work on all viruses, but it sure will handle the large majority of them.

Another useful trick is to have your CONFIG.SYS SHELL your COMMAND.COM from a different filename, and load it over to a RAMDISK in your AUTOEXEC.BAT... Then (of course) set COMSPEC=:\COMMAND.COM... It speeds up your system, too! (It helps against some of the Stealth viruses, but only a little...)

There are dozens of little precautions you can take to protect your system from viruses. None of them will work in all cases (the most difficult being the direct action viruses... Stopping them easily is *ANNOYING*) but they do provide a modicum of security.

I'll point out that Padgett Peterson has a reasonably correct idea in stating that the place to start from *IS* from the boot sector, or the partition table. It's a cleaner environment down there, and can be checked *MUCH* more easily. A total system checkout is feasible, as frisk has suggested. If you have a memory resident virus, it *CAN* be detected. Period. For it to work *WELL*, you have to know your system. If you don't know what's on your computer, it's tough for an AV product to accurately tell you what's *NOT SUPPOSED* to be there.

In relation to that, I'll put in my two cents about the six bytes... For a technician helping out a non-PC-literate user, it's probably a good thing. For a technician helping out a user with lots of specialized drivers, and/or unusual partitioning stuff, etc., it can lead one down the wrong path entirely, if used as the FIRST check on a system.

--
Morgan Schweers

P.S. It sounds strange, I suppose, but if you're the type of person who takes precautions about possible 'new' virus infections, then you're a lot less likely to be the kind of person who GETS new virus infections.

+------------ "The views expressed within are the opinion of the author only. Nobody could possibly be crazy enough to support these views. My memory may be faulty, or could even have a parity error..." -- mrs@netcom.com, ms@gnu.ai.mit.edu - ------------+
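The free-space "bait file" check from the post, modelled as an added example (not code from the original post): it shows why a 16384-byte bait lands exactly on a cluster boundary for every FAT cluster size up to 16K, so even a one-byte appender forces a fresh cluster and is caught, and where the fixed "minus 16384" comparison misfires. The cluster sizes, the starting free space and the size-growth model of an infector are assumptions for the simulation.

```python
# Added example, not from the original post: a model of the free-space
# bait-file check.  A volume is reduced to its cluster size; a file
# consumes whole clusters, so free space drops in cluster multiples.

BAIT = bytes([0xCD, 0x20]) * 8192       # 8192 x INT 20h = 16384 bytes
EXPECTED_DROP = len(BAIT)               # the post subtracts this from the original free space


def clusters_for(size: int, cluster: int) -> int:
    """Number of whole clusters a file of `size` bytes occupies on a FAT volume."""
    return -(-size // cluster)          # ceiling division


def bait_check(free_before: int, free_after: int) -> bool:
    """The post's test: True means 'Something Wrong' (drop differs from the bait size)."""
    return free_before - free_after != EXPECTED_DROP


def run_bait(cluster: int, appended: int, free_before: int = 10 * 1024 * 1024) -> bool:
    """Simulate the whole procedure on a volume with the given cluster size.

    `appended` is how many bytes an infector adds to TEST.COM while it runs
    (assumed model; 0 covers a clean run or an infector that keeps the size
    unchanged, which this check cannot see).  Returns True when the check fires.
    """
    final_size = len(BAIT) + appended
    free_after = free_before - clusters_for(final_size, cluster) * cluster
    return bait_check(free_before, free_after)


def sweep(appended: int) -> dict:
    """Result of the check on each cluster size a DOS FAT volume might use (assumed list)."""
    return {c: run_bait(c, appended) for c in (512, 1024, 2048, 4096, 8192, 16384, 32768)}


if __name__ == "__main__":
    # Clean run: quiet on every cluster size up to 16K; a 32K-cluster volume
    # rounds the bait up to 32768 bytes, so the fixed comparison misfires.
    print("clean  :", sweep(0))
    # One appended byte spills into a new cluster on every size dividing 16384.
    print("1 byte :", sweep(1))
```

Comparing free space measured just before and just after the spawn, with the bait already on disk, would remove the 32K-cluster false positive while keeping the same detection logic.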