Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!zaphod.mps.ohio-state.edu!mips!pacbell.com!iggy.GW.Vitalink.COM!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: ccml@hippo.ru.ac.za (Mike Lawrie)
Newsgroups: comp.virus
Subject: Re: Checksumming (was: Interesting advert) (PC)
Message-ID: <0003.9106111458.AA11286@ubu.cert.sei.cmu.edu>
Date: 8 Jun 91 15:40:46 GMT
Sender: Virus Discussion List
Lines: 61
Approved: krvw@sei.cmu.edu

RADAI@HUJIVMS.BITNET (Y. Radai) writes:

> Mike Lawrie writes:
>> They [checksum programs] don't cater for this scenario:-
>>
>> 1. Somehow infect the RAM of your PC with a COM/EXE targeting
>>    virus, such as Plastique (eg run an infected program from a
>>    floppy, or from a network).
>> 2. Run SCAN on your hard disk - this does a DOS open on all COM/EXE
>>    files on your hard disk, and thus infects each and every such
>>    file _after_ SCAN has pronounced them virus-free
>> ..
>
> First of all, Step 2 of this scenario is certainly not characteristic
> of COM/EXE infectors in general, as you seem to imply. (E.g., it
> won't happen with the Jerusalem virus.) It has to be a very special
> virus to do this.

We were hit with Plastique. Having inspected it, there seemed to be reason for me to believe that other viruses might use a similar method to trigger the infection algorithm.

> Secondly, what you have described shouldn't happen with SCAN, since
> before scanning it checks for the presence in RAM of viruses which act
> in this way, and that includes Plastique, unless you're using an old
> version of SCAN. (If this really did happen to you with a *recent*
> version, contact McAfee.)

Indeed, McAfee contacted me (good company, they were concerned). We had an old SCAN at the time, but sooner or later this scenario will re-occur, as you will get hit with a similar type of virus that McAfee has not yet catered for, even if you have their very latest version.

You then end up with your RAM infected, but you are living in Disneyland (like we did) believing otherwise, and you then proceed to zap your hard disk. Sure, theory says that it won't happen. hahaha.

> Finally and most important, suppose we have a virus in memory which
> SCAN or some other program does not recognize, and the above scenario
> does occur. What does this have to do with checksumming programs??

We have a checksumming program as well - the original article to which I tried to reply asked for comments on such a thing. The checksumming program indeed may let you know that you _have_ been infected - big deal, in my opinion, if any advert lulls you into a sense of security because you have a checksummer in place. A checksummer gives you no security whatsoever, because it does not prevent a viral infection. Not that much else does either, for that matter, but that is not the point; the advert needs to be taken with a hefty pinch of salt. Just that our experience that I wished to share was that with a checksummer in place and use of SCAN, you can end up with every last EXE/COM file on your hard disk looking very sick indeed.

Mike

-- 
Mike Lawrie
Director Computing Services, Rhodes University, South Africa
..............................................
Rhodes University condemns racism and racial segregation
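The point made in the post, that a checksummer only tells you after the fact that COM/EXE files have changed and prevents nothing, can be shown with a small integrity baseline/verify tool. This is an added example, not code from the post or from any product it mentions; the directory tree, file names and contents are constructed here, and the post-"scan" change to every watched file is simulated by appending bytes, not by any infector.

```python
import hashlib
import tempfile
from pathlib import Path

# Only the file types the post is concerned with (COM/EXE infectors).
WATCHED = {".com", ".exe"}

def file_hash(path):
    """SHA-256 of a file's contents (1991-era checksummers used weaker CRCs)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root):
    """Record a hash for every COM/EXE file under root, keyed by relative path."""
    root = Path(root)
    return {str(p.relative_to(root)): file_hash(p)
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in WATCHED}

def verify(root, base):
    """Compare the current tree against a baseline; report what differs."""
    now = baseline(root)
    return {
        "modified": sorted(k for k in base if k in now and now[k] != base[k]),
        "missing": sorted(k for k in base if k not in now),
        "added": sorted(k for k in now if k not in base),
    }

def demo():
    """Constructed scenario: baseline a clean tree, then every COM/EXE is
    altered after the 'scan' pass; the checksummer only reports it afterwards."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "util").mkdir()
        (root / "SCAN.EXE").write_bytes(b"MZ" + b"\x00" * 64)            # constructed
        (root / "util" / "EDIT.COM").write_bytes(b"\xe9\x10\x00" + b"\x90" * 32)
        (root / "README.TXT").write_bytes(b"not a watched type")       # constructed
        base = baseline(root)
        # Stand-in for the post's step 2: each watched file is changed after it
        # was opened.  Plain appended bytes, nothing else, simulate that change.
        for rel in base:
            with open(root / rel, "ab") as f:
                f.write(b"CHANGED")
        (root / "README.TXT").write_bytes(b"text files are not checked")
        return verify(root, base)   # detection after the fact, no prevention
```

Running `demo()` lists both watched files as modified and nothing as missing or added, which is exactly the "you can find out you were hit, but only afterwards" situation the post describes.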