-----BEGIN PGP SIGNED MESSAGE-----

Submitted to Crisnews by:

Bill Lambdin

I posted this routine once before. I have done further testing on this
idea, and it does work, even on some stealth infectors, without the
necessity of booting clean from a bootable diskette.

I want to state up front that this will not identify the virus, nor help
you get rid of it. This is detection only, and should be considered an
enhancement to scanners and integrity checking, not a replacement for
either.

This will detect most (if not all) file infectors that a scanner may miss.

This will act as an early warning system for people who use integrity
checking software, namely by keeping the number of infected files to a
minimum.

This can detect many viruses without the need to boot clean prior to
running the test.

If you wish to use my idea, you will need the following.

LHA. I use LHA 2.13.
FC.EXE, which comes with DOS 4.0 and above.
The .BAT file below.
A baseline archive, BAIT.LZH, of your most commonly used files. Make it
once, after booting clean from a diskette, with the same LHA command line
the .BAT file uses, and keep it in the \BAIT directory; every later run is
compared against it.

BAIT.BAT

@ECHO OFF
CLS
C:
CD\BAIT
REM Remove the previous run's archive so every test starts fresh
DEL VIRUS.LZH
REM A = add files to the archive; -A = add them whatever attributes are set
LHA A -A VIRUS \COMMAND.COM \DOS\CHKDSK.*
REM /B forces a byte-for-byte comparison; FC would otherwise treat .LZH as text
FC /B BAIT.LZH VIRUS.LZH
REM FC returns ERRORLEVEL 1 when the two archives differ
IF ERRORLEVEL 1 ECHO *** BAIT.LZH and VIRUS.LZH differ - do not run anything else until you know why ***
CD\

It would be a very good idea to rename the utilities and the directory, to
prevent a hacker from writing a virus that will delete or fool this
routine.

You can archive as many files as you wish, but I would recommend a minimum
of two files: one .COM file and one .EXE file. Currently I am archiving
eight files; six are DOS programs and two of them are Windows programs, so
I can detect either DOS or Windows viruses in one test that takes only a
few seconds on my 486. Be sure to use the asterisk for the .EXE extension.
This will make LHA add any companion infectors that are present: a
companion virus plants a CHKDSK.COM beside CHKDSK.EXE, the wildcard sweeps
the new file into the archive, and the comparison fails.

Part of that .BAT file is complex, and it is vital that it be typed exactly
as shown, so I should explain how it works in more detail.

DEL VIRUS.LZH

This deletes the previous test's archive to give you a clean and fresh test
every time.

LHA A -A VIRUS \COMMAND.COM \DOS\CHKDSK.*

In the command line above, the first A instructs LHA to add the files to
the archive.

The second parameter, -A, instructs LHA to add the file regardless of which
attribute(s) are set. It works for all four attributes:

Hidden
System
Read only
Archive

LHA records each file's size, date and time stamp, attribute byte and a CRC
of its contents in the archive header, so a change to any of those alters
VIRUS.LZH and FC reports a difference even when the compressed data itself
is identical.

I have been thoroughly testing this routine for weeks.

I have tested it against the following stealth viruses.

X = detected change.

                 active         inactive
Virus            in memory      (booting clean)
SBC              X              X
FRODO            X              X
TREMOR           X

My routine should have detected SBC because it is not fully stealthed, and
it doesn't disinfect the host file when it is opened.

My routine should not have detected FRODO because it is fully stealthed,
and does disinfect the host file on the fly when it is opened for any
reason. FRODO sets the date stamp forward 100 years. This is how Frodo
marks the files as infected. My routine detected the change to the date
stamp even though Frodo had disinfected the host file when LHA archived the
host file(s).

My routine is able to detect the following types of changes.

1. Change to files
2. Change of file attributes
3. Change of file time stamp
4. Change of file date stamp

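The four change types above all come out of the archive header, which is
why a byte-for-byte FC on the two archives sees them. The Python below is
an added example, not part of Bill Lambdin's posting or of LHA: it reads
the per-file LZH headers of a baseline and a fresh archive and names which
file changed and in which of the four ways (plus files that appeared, such
as a companion infector), which FC alone cannot tell you. It assumes
level-0 LZH headers with the stored "-lh0-" method, and it builds both
archives in memory from constructed sample files so it runs without an LHA
binary; the file names, contents and stamps are made up.

```python
"""Added example: classify per-file changes between two LZH archives.
Assumes level-0 headers and the stored "-lh0-" method; archives are
built in memory from constructed sample data, no LHA.EXE required."""
import struct
from datetime import datetime

# Constructed sample stamp and the DOS attribute bits used below.
BASE_STAMP = datetime(1993, 3, 10, 6, 0, 0)
ATTR_ARCHIVE, ATTR_READONLY = 0x20, 0x01


def crc16_arc(data: bytes) -> int:
    """CRC-16/ARC (reflected poly 0xA001, init 0): the CRC LHA stores per file."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def dos_stamp(dt: datetime):
    """Pack a datetime into the 16-bit DOS time and date fields."""
    t = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    d = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    return t, d


def lzh_member(name: str, data: bytes, attr: int, dt: datetime) -> bytes:
    """One stored file: level-0 header (sizes, stamp, attribute, name, CRC) + data."""
    t, d = dos_stamp(dt)
    body = (b"-lh0-"
            + struct.pack("<IIHHBB", len(data), len(data), t, d, attr, 0)
            + bytes([len(name)]) + name.encode("ascii")
            + struct.pack("<H", crc16_arc(data)))
    # header-size byte, 8-bit checksum of the header body, body, then file data
    return bytes([len(body), sum(body) & 0xFF]) + body + data


def build_archive(members) -> bytes:
    return b"".join(lzh_member(*m) for m in members) + b"\x00"  # 0 = end of archive


def parse_archive(blob: bytes) -> dict:
    """Return {name: {size, crc, attr, time, date}} from every level-0 header."""
    files, pos = {}, 0
    while pos < len(blob) and blob[pos] != 0:
        hsize, hsum = blob[pos], blob[pos + 1]
        body = blob[pos + 2:pos + 2 + hsize]
        if sum(body) & 0xFF != hsum:
            raise ValueError(f"bad header checksum at offset {pos}")
        csize, osize, t, d, attr, level = struct.unpack("<IIHHBB", body[5:19])
        if level != 0:
            raise ValueError("only level-0 headers are handled here")
        nlen = body[19]
        name = body[20:20 + nlen].decode("ascii")
        (crc,) = struct.unpack("<H", body[20 + nlen:22 + nlen])
        files[name] = {"size": osize, "crc": crc, "attr": attr, "time": t, "date": d}
        pos += 2 + hsize + csize  # skip header and compressed data to next member
    return files


def diff_archives(baseline: bytes, fresh: bytes) -> dict:
    """Map each changed file to the routine's change types that apply to it."""
    old, new = parse_archive(baseline), parse_archive(fresh)
    report = {}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            report[name] = ["new file"]      # e.g. a dropped companion .COM
        elif name not in new:
            report[name] = ["missing"]
        else:
            o, n, changes = old[name], new[name], []
            if (o["size"], o["crc"]) != (n["size"], n["crc"]):
                changes.append("content")
            for field, label in (("attr", "attribute"), ("time", "time"), ("date", "date")):
                if o[field] != n[field]:
                    changes.append(label)
            if changes:
                report[name] = changes
    return report


# Constructed: a clean baseline, then the same files after a Frodo-style
# +100-year date mark with content untouched, an appended infection that
# also set read-only, and a dropped companion CHKDSK.COM.
COMMAND = b"clean COMMAND.COM image"
CHKDSK = b"clean CHKDSK.EXE image"
BASELINE = build_archive([
    ("COMMAND.COM", COMMAND, ATTR_ARCHIVE, BASE_STAMP),
    ("CHKDSK.EXE", CHKDSK, ATTR_ARCHIVE, BASE_STAMP),
])
FRESH = build_archive([
    ("COMMAND.COM", COMMAND, ATTR_ARCHIVE, BASE_STAMP.replace(year=BASE_STAMP.year + 100)),
    ("CHKDSK.EXE", CHKDSK + b"<appended body>", ATTR_ARCHIVE | ATTR_READONLY, BASE_STAMP),
    ("CHKDSK.COM", b"companion", ATTR_ARCHIVE, BASE_STAMP),
])

if __name__ == "__main__":
    for name, changes in diff_archives(BASELINE, FRESH).items():
        print(f"{name:12} {', '.join(changes)}")
```

Run as-is it reports COMMAND.COM as a date change only, CHKDSK.EXE as a
content and attribute change, and CHKDSK.COM as a new file. To use it on
real output, read BAIT.LZH and VIRUS.LZH as bytes and pass them to
diff_archives; LHA may write level-1 headers, which this parser rejects
with an error rather than misreading.
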
I release this routine to the public domain, and anyone may use it freely.

Bill Lambdin

-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQBVAgUBLNc4LaM4CDusTF+9AQHRagH/VBeKGX7Nbdpcwo3xHzRCCGVFppDbPQZz
KvGmA1Y8EL5dOx0ozjw57knsNGjbzU+FST5USsQfmVnf2Nc//FCiBQ==
=w7Cq
-----END PGP SIGNATURE-----