Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!elroy.jpl.nasa.gov!lll-winken!iggy.GW.Vitalink.COM!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Newsgroups: comp.virus
Subject: Infected networks (PC)
Message-ID: <0001.9106121957.AA12675@ubu.cert.sei.cmu.edu>
Date: 11 Jun 91 14:52:14 GMT
Sender: Virus Discussion List
Lines: 31
Approved: krvw@sei.cmu.edu

Last week I had occasion to disinfect another large network with the
Jerusalem (not ours - an outside company). The traditional response is to
take down the net, clean the server, and check all of the clients before
reconnection. On reflection, this seemed inordinately inefficient so I came
up with a new methodology which I offer for comment.

Note: this works for Jerusalem, Sunday, and non-stealth infections which
infect an executable before allowing it to run - please be aware of this
limitation up front.

The method was as follows:

a) take down net & clean server
b) remove non-essential applications
c) replace essential applications with a batch file that
   1) copies a clean self-check program from a write-locked directory
   2) runs the self-check program
   3) runs the requested application

In this case I had such a self-check program (1400 bytes) that just checks
its own length & checksum. If it passes, the program exits; if it fails, the
client machine displays a warning message and is locked up.

In this manner, the server application files are protected from infection
(are never called by an infected client). Each client gets a new copy of the
"goat" file so clean clients are not affected, and infected clients are
identified.

Admittedly, this is a special case and directed to a small number of
viruses, but they seem to be the most common.

Comments ?

Warmly, Padgett
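A self-check of the kind the batch file relies on, as an added example in C that is not Padgett's 1400-byte program: it recomputes a file's length and a 16-bit additive checksum and compares them with the values recorded for the clean copy, so a clean client passes while a client whose resident infector has already attached itself to the freshly copied goat file fails. The checksum algorithm, the result codes, the sample bytes and the appended "infection" tail are all assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

enum { SELFCHECK_CLEAN = 0, SELFCHECK_MODIFIED = 1, SELFCHECK_UNREADABLE = 2 };

/* Length and 16-bit additive checksum of a file; 0 on success, -1 if unreadable. */
int file_len_sum(const char *path, long *len, uint16_t *sum)
{
    FILE *f = fopen(path, "rb");
    int c;
    if (!f) return -1;
    *len = 0; *sum = 0;
    while ((c = fgetc(f)) != EOF) {
        (*len)++;
        *sum = (uint16_t)(*sum + (unsigned char)c);
    }
    fclose(f);
    return 0;
}

/* The goat check: compare actual length and checksum with the values recorded
 * for the clean copy. An infector that appends itself to the file changes both. */
int self_check(const char *path, long expect_len, uint16_t expect_sum)
{
    long len;
    uint16_t sum;
    if (file_len_sum(path, &len, &sum) != 0) return SELFCHECK_UNREADABLE;
    return (len == expect_len && sum == expect_sum) ? SELFCHECK_CLEAN : SELFCHECK_MODIFIED;
}

/* Write n bytes to path ("wb" replaces, "ab" appends); 0 on success, -1 on error. */
int write_bytes(const char *path, const char *mode, const unsigned char *data, size_t n)
{
    FILE *f = fopen(path, mode);
    if (!f) return -1;
    int ok = fwrite(data, 1, n, f) == n;
    fclose(f);
    return ok ? 0 : -1;
}

/* Constructed 8-byte stand-in for the clean goat file: length 8, checksum 0x00BC.
 * (Assumed sample data, not a real executable.) */
int write_constructed_sample(const char *path)
{
    static const unsigned char sample[8] = {0x4D, 0x5A, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06};
    return write_bytes(path, "wb", sample, sizeof sample);
}
```

In the post's scheme the batch file copies the goat from the write-locked directory, runs it against its own path with the clean length and checksum, and only launches the requested application when the check returns SELFCHECK_CLEAN; any other result halts that client for cleaning.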