-----BEGIN PGP SIGNED MESSAGE-----

Written By:
Michael Paris (Cris)

THE BEGINNERS GUIDE TO VIRUS RESEARCH
Part One
EXE & COM Infectors
Just The Start

Well, to start with, this was supposed to go another way than it has. This article was supposed to be written already and complete. But it happens that the person that started this had a hard disk failure and will not be able to start it over with his schedule. So I will be forced to write this article fast and sloppy. I hope what I think of here will serve as some help to some out there with questions.

Seeing this is the "Beginners Guide" I will keep it at just that, and assume you know nothing at all about computer viruses.

The first thing that should be mentioned is the tools you will need to get you started and some simple rules for the beginner.

TOOLS NEEDED FOR THE BEGINNER

1. Anti-Virus software

This will depend on what you plan on doing. Your idea of researching might be scanning a virus to see what it scans as, or maybe you will want to run the file, see what it infects and be done with it. In either case you will want to try a number of different scanners. To begin with you might want to get all of them you can get your hands on to further your knowledge. But here we will mention some of the best known for their reputation.

TBAV

TBAV is one of the best to use for what you will need. A registered copy is what you will want if you are serious. TBAV has some registered-only options that you will be using as you learn more. In the tests we have run here it seems to be the best for catching viruses that others seem to miss. It has many options and modes that are not in other scanners, and in these modes it seems to do the better job. Thunderbyte also sells a hardware card that you will want if you really start to get into researching. With the hardware card you will be able to rest at ease that your data will be 100% safe.

Thunderbyte USA
P. O. Box 527
Dagsboro, DE 19939

Phone: (302) 732-3105
Fax: (302) 732-3105
BBS: (302) 732-6399

F-PROTECT

F-Prot is a good tool you will use for virus names; it is one of the best for this seeing it uses the CARO naming standard. The names you find for the viruses scanning with F-Prot will be closer than any other scanner at this time to the real names and variant names. It will find most of the viruses out there, but at this time it will only allow for ten user-definable strings or virus signatures, where TbScan will allow as many as you want to add. These strings will be used more as you go on to researching new viruses that are not yet in the scanners. You will be able to add the virus to your personal copy of your virus scanner when you get to that point, or add viruses yourself from our signature reports as we release them. These two scanners are the main ones you will want to use, but then there are others that will help in other areas. You might want to check out others for yourself to see who is on the ball.

Other noted programs might be: McAfee's Scan, CPAV, NAV, VIRUSBUSTER, UTScan, VirexPC, Anti-Virus Toolkit and others.

2. Reference

It will be a big help to find info on viruses before you run the files. This way you will know what to expect them to do. One of the best tools for this will be Patricia M. Hoffman's Virus Information Summary List (VSUM). This is a very easy to use information tool. It is menu driven and all you have to do is look up the virus name. There are also functions to do searches for viruses that might be under another name. There are other summary lists you can get also that will help for even more info; VBase would be one. Then there are text files of lots of information at your fingertips. A lot of this text is on the BBS, but you will want to start with VSUM or VBase.

3. Virus Shell

A lot of the anti-virus software has memory-resident software included. You will want to load something like VSafe, which comes with DOS 6.0, or something that does the same thing. Remember we are starting with simple .COM and .EXE infecting files here. When you move on to other files you will want added protection. A lot of the newer viruses today will slip by this kind of protection, but you will want it for these older files you will be testing to start out with. These shell programs will aid you in seeing just what the virus wants to do, and what file it is going to infect, and in most cases give you the option to infect the file or stop on the spot.

4. A Second Computer Just For Testing

This is nice; you should be using a computer that you will not have to worry about the data on, but this is not always the case. Computers cost money, and for some of us it is hard to come by. In any case, you should back up all of your data before ever attempting to run a virus. If you do not, be sure that you will lose it all. Someday it will happen, take my word for it. Back up your computer!

5. Bait Files

It is good to have some bait files handy. These will be files that you will have in a directory that you will have the virus you are running infect. These can be copies of any program in your computer that you put into a directory, ready to copy into the directory you will be testing in. You can use someone's already made up bait files to start with. The advantage of these types of bait files will be that the file sizes will be even, like 1000, 2000, 3000 etc. With these types of files you will be able to see the file size changes real easy. If you use your own DOS files, make sure they are copies, and you have the file sizes and the dates written down.

6. Screen Capture Utility

There will be times you will want to take a picture of your screen. If a car starts driving across your screen you will want to take a picture of the moment in history. Or let's say a slot machine pops up and tells you that your FAT has just been deleted and to take your chance at getting it back on the slot machine. You can be sure that you will not win, so take a picture of this moment; you probably will not try this every time you want to play a game, or if you want to show a friend what it does just show him the picture. Here is an example of this.

    DISK DESTROYER - A SOUVENIR OF MALTA

    I have just DESTROYED the FAT on your Disk !!
    However, I have a copy in RAM, and I`m giving you a last chance
    to restore your precious data.
    WARNING: IF YOU RESET NOW, ALL YOUR DATA WILL BE LOST - FOREVER !!
    Your Data depends on a game of JACKPOT

    CASINO DE MALTE JACKPOT

    [three jackpot reels drawn in box characters; lost in extraction]

    CREDITS : 5

    £££ = Your Disk
    ??? = My Phone No.

    ANY KEY TO PLAY

7. BOOT DISK

You will want to make a bootable disk in case you will need it to clean the boot sector, or stop an infection that got away from you. To make this disk, put a disk in your drive A: and type format A:/s {enter}. This will make you a disk to get back into the system. You might want to do a directory on the disk and make sure COMMAND.COM is on the disk. You can test to see if the system is on the disk by typing dir a:/ah {enter}; if the system is on the disk you will see the hidden files on the disk. Now either put a write-protect tab on the disk, or if it is a 3.5 inch open the hole on the disk to make sure nothing can be copied to the disk. Before you write-protect the disk, you might want to put utilities on it like DOS CHKDSK, or FORMAT, SYS.COM, FDISK, a virus scanner, etc.

STARTING THE RESEARCH

Ok, now we are ready. Remember, be careful; if you are not sure of something, or have that funny feeling, go over your checklist. This is something you do not want to make any mistakes with. And PLEASE, read this entire document before trying anything. This is meant as a guide, not something that is right in ALL cases.

1. Pick your virus.

2. Copy it into a secure directory.

3. Scan the file with everything you have. Write down exactly what it scans as. McAfee and others will always be off a bit on most viruses; you can count on F-Prot most of the time to have the right name. If your virus is not found by at least two of the scanners, do not go by the name on the file. Delete it and start again at step one. If the name on the file goes with the virus description you got from the scanner, there is a good chance that you have the right name.

4. Look up your virus in VSUM or VBase or both. Find it and read the info (ALL of it). If you do not find it listed anywhere, and have made a real good check, delete the file and start at step one again.

5. Assuming you have found a file in one of the VBases, read all of the info before you continue. If you are not sure that the virus is the one you scanned, pick another virus. Now that you are sure, look at what the virus does. If it says that they are not sure if it does anything but replicate, delete the file and start over. We want you to start with something where you will be aware of what is going to happen, no surprises. Read the info and be sure that this is what you want to test. From reading the info you can pick something that does little or no damage. If you wish, you may look through VSUM or VBase and find something you want to test and look for the file on the BBS.

6. Make sure that the file is not memory resident. If you are ready for this, fine, but if this is your first time we would rather you choose a simple .COM infector. If you want to live dangerously, fine though. Ok, copy your bait files into the directory with the virus.

7. Load your memory-resident shell. If you are using VSafe from DOS 6.0 or CPAV, type Alt-V on your keyboard. This will allow you to choose what you want to protect. A little window will pop up and allow you to choose options. This will be the time to load your other memory-resident programs as well, like your screen capture utility.

8. Take note of the sizes and dates of the bait files in the directory, and also the size and date of the virus.

9. Now you may run the virus in the current directory. Watch to see what it wants to do; your shell will let you know what it is trying to do. Either it will try to go memory resident and try to infect files (it should tell you which ones it is trying to infect) and ask you if it is ok, or it will try to infect files in the current directory or path. If the virus spawns, it might write .EXE files into the current directory or path the same size as the virus. Sometimes these spawn files will be hidden files. Type dir /ah {enter} to see the hidden files.

Ok, now that you have infected everything in your directory that you wanted to, by typing both the virus name and running the different files in the directory, like BAIT1.EXE, BAIT1.COM, etc., you are ready to shut your computer down. Do -not- use Ctrl-Alt-Delete to do this. Turn the power off on the machine, wait a few seconds, and turn it back on. It would be good to use a small program like Bill Lambden's boot test included in this newsletter. This is a simple batch file that you can call from the AUTOEXEC.BAT file. You will need the archive program for this and make a simple directory for this, but it is a simple program and worth adding for the restart here. This is what my .BAT file looks like; you can add the files for compare that you want. (Read Bill's article in this newsletter, or in VLD Volume 6 Issue 100, for the instructions.)

    rem This is bait.bat
    CLS
    C:
    CD\UPTEST
    rem Throw away the archive left over from the last run
    DEL VIRUS.LZH
    rem Pack a fresh archive of the files you want watched (add your own to the list)
    LHA A -A VIRUS \COMMAND.COM \util\l.* \dos\edit.* \zip\pkunzip.exe
    rem Compare it with BAIT.LZH, the archive made before the test;
    rem any difference reported here means one of the watched files changed
    FC BAIT.LZH VIRUS.LZH
    CD\

A handy batch file indeed. Now that you have rebooted, you can scan the files in your test directory and see which files are infected. From this point you know whether the virus worked or not. Also you can run the virus and try to get it to do other things it is supposed to do. For example, let's say you are working with an original copy of Yankee Doodle. You can run the file, then change the time in your DOS (by typing time {enter}) and set the clock to right before the virus is supposed to activate. Or let's say the virus displays a message after so many infections. Infect that many files until you get the message. At this point you can do a screen capture of the message.

If you have had a fear of viruses, do this a few times and the fear will leave. There is so much fear out there that people are afraid to even have a .ZIP file on their computer with a virus in it, much less unzipping and scanning it. If you have a fear like this, try unzipping a virus into a directory and scanning it. After you scan the file, delete it. Now scan your entire hard disk. You will never see infection, because you deleted the virus file, and never ran it in the first place. Now do it again, and again, until your fear leaves. You will quickly come to the realization that unzipping this virus, or having it, will not destroy your computer. Running it might, so do not get over confident.

TROUBLE SHOOTING

Question: I run the virus file, but it locks the machine.

Answer: This could be a number of things. Check to see that the virus can work with the config that you have; it could be conflicting with some sort of setup you have. Try different configs. Another possibility would be that the virus does not work with your processor, i.e. an XT machine. Remember, the person that wrote the virus checked it; it probably worked on his machine, but like any software out there, some has problems running on different machines. Try a different machine. If the writer is available through Crisnet or nukenet, post to the writer and see if he has any suggestions. Also, if the virus comes with source, recompile the file and try it again; it could be that the file got corrupted somehow.

Question: I scan the file and it scans as the virus, but when I execute it, it just returns the prompt with no infection.

Answer: First try to see if there is a disk write when you do this. It might be making spawn files. Spawn files are sometimes hidden in the directory you are testing your viruses in. Type dir /ah to look for hidden files, or look in the directory for duplicate file names with different extensions (usually with the same file size as the virus).

For example:

    VIRUS    COM      1044  10-29-59
    FORMAT   COM     42250  09-10-92
    FORMAT   EXE      1044  10-29-59

If you see these spawn-type files, and they are not the exact same size, scan the directory again and make sure the spawn files scan as the virus. It may be that they are making trojan files that will run when you try to run your program. If the spawned files do not scan, this will be a good thing to check out. If they do not scan, and you run the file, you could lose your hard disk.

Or it could be that this file is not a virus, or is a bad or damaged file. Another thing you would want to check is whether this virus infects files on a certain number of executions. Try running the file several times. It could be looking for a number of files in the current directory also. Or maybe a file with a certain file name, or files that meet certain specs. Something like this will take some time, but it is worth what you find in the end.

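The bookkeeping of step 8 (sizes and dates of the bait files before the run) and the spawn-file check in the answer above can be done by a small script instead of by hand. This is an added example written for this guide, not code from the original article or from any of the Crisnet tools: it records the size and a SHA-256 of every file in the test directory (hidden files included), then classifies what changed afterwards, treating a new file that shares a base name with an existing one as a spawn candidate. The file names, sizes and appended bytes in demo() are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(directory):
    """Record (size, sha256) of every regular file, keyed by upper-cased name.
    Hidden files are included: Path.iterdir() does not skip them."""
    snap = {}
    for p in Path(directory).iterdir():
        if p.is_file():
            data = p.read_bytes()
            snap[p.name.upper()] = (len(data), hashlib.sha256(data).hexdigest())
    return snap

def stem(name):
    """FORMAT.EXE -> FORMAT, so companion files can be matched by base name."""
    return name.rsplit(".", 1)[0]

def compare(before, after):
    """Classify the differences between a pre-run and a post-run snapshot."""
    report = {"modified": [], "new": [], "spawned": [], "missing": []}
    for name, (size, digest) in sorted(after.items()):
        if name not in before:
            # A new file sharing a base name with one that was already there
            # is the spawn (companion) pattern from the directory listing.
            if any(n != name and stem(n) == stem(name) for n in before):
                report["spawned"].append((name, size))
            else:
                report["new"].append((name, size))
        elif before[name] != (size, digest):
            # Growth is the classic sign; the hash also catches a change that
            # keeps the old size or puts the old date back.
            report["modified"].append((name, before[name][0], size))
    report["missing"] = sorted(n for n in before if n not in after)
    return report

def demo():
    """Constructed sample: round-sized bait files plus a 42250-byte FORMAT.COM,
    then a simulated run that grows BAIT1.COM by 1044 bytes and drops FORMAT.EXE."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "BAIT1.COM").write_bytes(b"\x90" * 1000)
        (d / "BAIT2.EXE").write_bytes(b"MZ" + b"\x00" * 1998)
        (d / "FORMAT.COM").write_bytes(b"\xcd\x20" * 21125)
        before = snapshot(d)
        with open(d / "BAIT1.COM", "ab") as f:   # simulated infection
            f.write(b"\xcc" * 1044)
        (d / "FORMAT.EXE").write_bytes(b"\xcc" * 1044)  # simulated spawn file
        return compare(before, snapshot(d))

if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind:9s} {items}")
```

Run snapshot() on the real test directory before step 9 and compare() after the reboot; a file that grew, or a new FORMAT.EXE next to FORMAT.COM, is what the listing above is asking you to look for.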
Question: I scan my hard disk and it reports a virus in memory even after I rebooted.

Answer: Do you have VSafe or another memory-resident scanner loaded at the same time? If so, some scanners will report infection when these programs are loaded together. Unload the memory-resident scanner and try the one that reported the infection again. You also might have got one of your files infected that are in your AUTOEXEC.BAT or CONFIG.SYS file. Reboot with a write-protected boot disk and scan again. You can also run your bait.bat file we talked about earlier in this lesson. You may have encountered a boot sector infector; type fdisk /mbr {enter}.

Question: I ran the virus and it formatted my hard disk.

Answer: You did not read the VSUM info right, or the info was wrong. This is why we say to back up your hard disk first. REMEMBER, you are at risk here, at any time, no matter how safe it looks, of having your FAT destroyed, disk formatted, data lost, etc. Always back up your machine before testing.

Question: I did not scan the file, look it up or follow any of the instructions here. I unzipped all of the files I had into one directory and ran all of the files one at a time until a message came up on the screen that said "You Dumb ASS .... I just Wiped your Hard disk"

Answer: The message you got says it all.

These files can be requested from Cris BBS at:

Cris BBS
708-863-5285
1:115/863 or 77:708/0

TBAV (Last copy of TBAV)
SCAN (Last copy of McAfee's Scan)
VSUM (Last copy of VSUM)
F-PROT (Last copy of F-Protect)
PGPKEY (Cris PGP Signature)
NODELIST (Last Crisnet Nodelist)
CRIS (Information about joining Crisnet and research)

-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQBVAgUBLNc4B6M4CDusTF+9AQHNzgIAkbBgy6OWyPi9MhLPOA7tFnj3rzSdUDw2
/dpkJIrowcr1mZoD4xqWzZ46OzMiJRcSqIHaJjmde408RS5zz3sdGA==
=TUqS
-----END PGP SIGNATURE-----