Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!elroy.jpl.nasa.gov!swrinde!mips!pacbell.com!iggy.GW.Vitalink.COM!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: frisk@rhi.hi.is (Fridrik Skulason)
Newsgroups: comp.virus
Subject: Re: F-PROT and FluShot problems (PC)
Message-ID: <0010.9105091351.AA04501@ubu.cert.sei.cmu.edu>
Date: 8 May 91 22:46:04 GMT
Sender: Virus Discussion List
Lines: 36
Approved: krvw@sei.cmu.edu

umbc3!umbc3.umbc.edu!cs106132@uunet.UU.NET (cs106132) writes:

>It happened when a variant of 4096 was active. Since F-PROT did not know
>this strain, it could not detect it. This is expected as the documentation
>hints. However, when I ran F-OSCHK, the virus infected the system files
>.....This is not a bug type of thing, it is a design flaw!

This problem is of course not unique to F-PROT - every other scanner has
this same problem. In fact, the DOS 'COPY' command can also cause a
similar effect - infection of files when they are read. Is it a design
flaw in DOS?

The reason for the problem is as follows: If a file is opened for reading,
with a virus active in memory, the file may become infected when it is
read. A scanner may therefore infect the entire system, just by scanning
the files. This is the major reason why one should generally only run a
scanner after having booted the computer from a write-protected system
disk.

The problem is harder in the case of a "stealth" virus, like 4096, as no
change may be apparent after the files are infected. This can be avoided
by either scanning the memory for viruses before scanning the files, or
by running a resident virus-monitor which will prevent the virus from
ever being activated.

However, in the case of a brand new "stealth" virus, as in this case,
these methods are of no use. Memory scanning will not detect anything,
and file scanning will just help spreading the virus, and will not pick
up any infection.

So - with the current generation of scanners, this problem cannot be
avoided.

-frisk
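
The effect described in the post above, as an added example that is not part of the original message: a simplified in-memory model (not the behaviour of any specific virus or scanner) in which a resident hook changes each file when it is opened and hides the change from the reader. The class names, the marker bytes, the sample files and the use of SHA-256 checksums as a stand-in for a scanner are all assumptions made for the illustration.

```python
import hashlib

MARKER = b"<constructed-change>"   # stand-in for any modification made to a file

# Constructed sample files; contents are arbitrary bytes.
SAMPLE_FILES = {"COMMAND.COM": b"shell image", "EDIT.EXE": b"editor image"}

class Disk:
    """Raw storage: the view obtained after booting from a clean system disk."""
    def __init__(self, files):
        self.files = dict(files)

    def read(self, name):
        return self.files[name]

class HookedView:
    """File access while a resident 'stealth' hook is active (simplified model)."""
    def __init__(self, disk):
        self.disk = disk

    def read(self, name):
        data = self.disk.files[name]
        if not data.endswith(MARKER):
            # Merely opening the file for reading changes it on disk.
            self.disk.files[name] = data + MARKER
            return data
        # The hook hides the change: the reader is handed the original bytes.
        return data[:-len(MARKER)]

def checksums(view, names):
    """Checksum every file as seen through the given view."""
    return {n: hashlib.sha256(view.read(n)).hexdigest() for n in names}

def audit(disk, baseline):
    """Compare a known-good baseline with a scan run under the hook,
    then with a raw read of the same disk (the clean-boot view)."""
    names = sorted(baseline)
    resident = checksums(HookedView(disk), names)   # the scan touches every file
    clean = checksums(disk, names)
    return {
        "changed_per_resident_scan": [n for n in names if resident[n] != baseline[n]],
        "changed_per_clean_boot": [n for n in names if clean[n] != baseline[n]],
    }

if __name__ == "__main__":
    disk = Disk(SAMPLE_FILES)
    baseline = checksums(disk, SAMPLE_FILES)        # taken before the hook is active
    print(audit(disk, baseline))
```

The scan run with the hook active reports no changes even though it caused every file to be modified; only the read that bypasses the hook shows them.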