Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!lll-winken!iggy.GW.Vitalink.COM!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: CHESS@YKTVMV.BITNET (David.M.Chess)
Newsgroups: comp.virus
Subject: virus detection by scanners ? (PC)
Message-ID: <0003.9106201437.AA20289@ubu.cert.sei.cmu.edu>
Date: 18 Jun 91 17:05:32 GMT
Sender: Virus Discussion List
Lines: 69
Approved: krvw@sei.cmu.edu

>From: hermann@uran.informatik.uni-bonn.de (Hermann Stamm)
>Date: 07 Jun 91 14:33:23 +0000

>I have a few questions concerning detection of virii in general and
>1701 in particular.

The main thing you've discovered here is that scanners only reliably
detect the viruses that they know about. If you create a new virus
(from scratch, or by modifying an old one), it's very likely that some
scanners will no longer detect it. No big surprises there!

>First of all, I hope that only good guys are on this list, because the
>remarks made here would otherwise result in hundreds of new virii.

Almost certainly a false hope; there's no reason to think that no
virus writers are reading this. On the other hand, I think they
already understand the principle! One could have wished you'd been a
little less explicitly helpful to them, but I don't think it'll hurt,
at least in the long run.

> - what other scanner should I try for these versions ?

Some scanners may be "lucky", and see your home-grown variants as
infected. IBM's Virus Scanning Product, for instance, will recognize
the first of your monsters as a variant of the 1701.

> - is it true, that any scanner must try to look at the
>   semantics of such decoders, and not at the shape ?
>   (undecidable problem ?)

Yep, deciding whether or not a given program is a virus is definitely
undecidable. Fred Cohen proved that a while back. So if you take some
existing virus, and make some changes to it, the question of whether
or not the result is still a virus is not one that *any* program is
going to get right all the time.

Scanners reliably detect only *exactly* the viruses they know about,
not variants that you (probably unwisely) choose to create.

> - which systems are good by looking at the length of
>   files and reporting differences ?

Any good modification-detection program will look at the *contents* of
files (not just the length), and tell you what's changed. Of course,
if you want to be able to trust the result, you have to get the
machine into a known state first (cold-boot from a trusted floppy,
don't run anything from the suspect hard disk).

> - Is the following behaviour possible for a virus:
>
>   After getting resident, it forces a warm-start
>   with ctrl-alt-del, and then it copies itself to all
>   .com-files encountered during rebooting
>   (like command.com, ...).
>
>   I think, that this is the way most of my .com-files
>   were infected.

A virus could certainly do that, but the 1701 doesn't. Most likely it
infected something in the autoexec, so that the next time you booted,
it got control early, and then infected everything else executed
thereafter (that's how the 1701 works; it infects every com executed
after you run the first infected one).

DC

P.S. Assume that anything you post in public will be read by a large
number of virus authors. Please *don't* post live virus code, or
suggestions for improvements to existing viruses! *8)
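The point about modification detectors comparing *contents* rather than just length, shown as an added example that is not part of the original posting or of any product it mentions: a minimal integrity checker records both size and SHA-256 per file, then reports what changed. The file names and bytes are constructed for the demo; an in-place edit of the same length is invisible to a length-only check but caught by the hash.

```python
# Added example: baseline-and-compare modification detector.
# Length-only checks miss same-size edits; content hashes do not.
import hashlib
import os
import tempfile


def snapshot(root):
    """Map relative path -> (size, sha256 hex) for every file under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(full, root)
            baseline[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return baseline


def compare(old, new):
    """Return {path: kind} for every file that differs between two snapshots."""
    changes = {}
    for path in set(old) | set(new):
        if path not in old:
            changes[path] = "added"
        elif path not in new:
            changes[path] = "removed"
        elif old[path][0] != new[path][0]:
            changes[path] = "size-and-content"
        elif old[path][1] != new[path][1]:
            changes[path] = "content-only"  # a length-only checker would miss this
    return changes


def demo():
    """Constructed scenario: two fake .COM files; one edited in place, one grown."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "COMMAND.COM"), "wb") as fh:
            fh.write(b"\xb8\x00\x4c\xcd\x21" + b"\x90" * 27)  # 32 bytes, constructed
        with open(os.path.join(root, "FORMAT.COM"), "wb") as fh:
            fh.write(b"\xcd\x20" + b"\x90" * 30)  # 32 bytes, constructed
        before = snapshot(root)
        # Same-length overwrite of the first three bytes: size stays 32.
        with open(os.path.join(root, "COMMAND.COM"), "r+b") as fh:
            fh.write(b"\x00\x00\x00")
        # Appended bytes: size changes, so even a length check notices.
        with open(os.path.join(root, "FORMAT.COM"), "ab") as fh:
            fh.write(b"\x90" * 8)
        return compare(before, snapshot(root))
```

As the posting notes, the baseline is only trustworthy if it was taken, and the comparison is run, from a system booted into a known-clean state.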