SCANRS\SCANRS61.DOC  ·  DOC  ·  17.4 KB  ·  1990-04-22  ·  from PCToday_Vol-1_June-1990
                              ┌──────────────────┐
                              │ SCANRES.EXE V61  │
                              └──────────────────┘

From: McAfee Associates (USA) 408 988 3832

Executable Program (SCANRES.EXE):
 Versions 46 and above are packaged with a VALIDATE program
that will authenticate the integrity of SCANRES.EXE.  Refer to the
VALIDATE.DOC instructions for the use of the validation program.
 The validation results for V61 should be:
       SIZE: 36,983
       DATE: 3-31-1990
    FILE AUTHENTICATION:
  Check Method 1 - 1712
  Check Method 2 - 0BB9

 You may also call the McAfee Associates bulletin board at 408
988 4004 to obtain on-line SCANRES.EXE verification data.  The
VALIDATE program distributed with SCANRES may be used to
authenticate all future versions of SCANRES.
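As an added illustration of what such a manifest check does (not the VALIDATE program, whose check algorithms this document does not describe), the following Python assumes a CRC-16 and a 16-bit additive sum as stand-ins for Check Method 1 and 2, and validates a constructed sample file against a recorded size and two check values:

```python
# Added example (not the VALIDATE program): manifest-style validation.
# ASSUMPTION: a CRC-16 (polynomial 0x8005, reflected form) and a 16-bit
# additive sum stand in for Check Method 1 and 2; the real algorithms are
# not described in this document.

def crc16(data: bytes) -> int:
    """Bit-serial CRC-16, reflected polynomial 0xA001, initial value 0."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def sum16(data: bytes) -> int:
    """Additive checksum truncated to 16 bits."""
    return sum(data) & 0xFFFF

def manifest(data: bytes) -> dict:
    """The values a user would copy from the distribution notes."""
    return {"size": len(data), "method1": crc16(data), "method2": sum16(data)}

def validate(data: bytes, expected: dict) -> dict:
    """Recompute every value and report which ones still agree."""
    return {
        "size": len(data) == expected["size"],
        "method1": crc16(data) == expected["method1"],
        "method2": sum16(data) == expected["method2"],
    }

def all_ok(result: dict) -> bool:
    return all(result.values())

# Constructed sample standing in for a distributed executable (not a program).
GOOD = bytes(range(0x4D, 0x4D + 40))
EXPECTED = manifest(GOOD)

# Two kinds of modification a user wants caught: one changed byte, and two
# adjacent bytes exchanged (same size, same byte sum).
PATCHED = GOOD[:10] + bytes([GOOD[10] ^ 0x01]) + GOOD[11:]
SWAPPED = GOOD[:10] + GOOD[11:12] + GOOD[10:11] + GOOD[12:]

if __name__ == "__main__":
    for name, image in (("original", GOOD), ("patched", PATCHED), ("swapped", SWAPPED)):
        print(name, validate(image, EXPECTED))
```

The swapped copy shows why two independent methods are worth reporting: an additive sum alone misses a reordering that the CRC catches.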

Notes on Version 61:
 Version 61 is able to detect five new viruses reported since
March 1, 1990. The first virus was submitted by Dave Chess of IBM.
It is a destructive COM and EXE infector called the Saturday the
14th virus. The virus activates every Saturday that falls on the
14th of any month and causes the first 100 sectors of the A, B, and
C drives to be overwritten. The net result is loss of all of the
control information for the media assigned to those drives. The
Partition table, Boot Sector and FAT will be destroyed. The virus
is 685 bytes long and is memory resident.
 The second new virus is the 1392 virus which was also
submitted by Dave Chess of IBM. The virus does little damage,
other than corruption of the infected programs, but it does display
the following message: "SMA KHETAPUNK - Nouvel Band A.M.O.E.B.A."
No idea what this means. The virus changes the date of infected
files to the date of infection; it is memory resident; it infects
both COM and EXE files, including COMMAND.COM and is 1392 bytes
long.
 The third new virus is the XA1, or Christmas Tree virus. It
was submitted by Christoff Fischer of West Germany. It is an
encrypted virus that only infects COM files. It activates on April
the 1st and destroys the partition table of the hard disk. From
December 24th till January 1st it will draw a full screen picture
of a Christmas tree when an infected program is executed. It is
not memory resident.
 The fourth and fifth new viruses were discovered in Spain and
are called the 1720 and 1210 viruses. The 1720 infects both COM
and EXE files, while the 1210 only infects EXE files. Little is
known of these viruses at this point other than that the 1720
appears to be destructive. The viruses were named after their
respective lengths.
 In addition to the above new viruses, version 61 fixes a bug
which caused it to mis-identify the Korea Virus.

Introduction:

 SCANRES, the memory resident version of VIRUSCAN, prevents
viruses from getting into your system. It monitors and scans
programs as they are loaded and prevents infected programs from
executing. It also scans specific areas of the system - the boot
sector, partition table, hidden files, Command Interpreter and
itself, when it is first executed.
 The memory resident module -- SCANRES.EXE -- will identify the
virus strain which has caused the infection in all cases of the
known viruses. It remains active in your system at all times after
it is loaded.
 SCANRES version 1.4V61 can identify 82 major virus strains
and numerous sub-varieties for each strain. The 82 viruses include
the ten most common viruses which account for over 95% of all
reported PC infections. The complete list (in order of most recent
appearance) is outlined in the accompanying file: VIRLIST.TXT.

 It is important to note that existing virus strains can be
grouped and counted differently than the ordering in the
VIRLIST.TXT file. DEN ZUK, for example has two separate versions.
Likewise, the STONED, VIENNA, ALAMEDA and JERUSALEM-B viruses have
been modified a number of times. Some researchers would define each
of these modifications, or sub-varieties, as separate viruses.
SCANRES chooses to group them as the same virus, because the same
scan string can identify each of them. This is only done if
disinfection requirements for the different sub-varieties are
identical. If removal procedures differ for different varieties,
then SCANRES will differentiate between them.

 These viruses infect one of the following areas: the hard
disk partition table; the DOS boot sector of hard disks or
floppies; or one or more executable files within the system. The
executable files may be operating system programs, system device
drivers, .COM files, .EXE files, overlay files or any other file
which can be loaded into memory and executed. SCANRES identifies
the area or file that has become infected and indicates the name
of the virus that has infected each area.
 When an infection is identified, the VIRUSCAN non-resident
system scanner should be used to scan the entire system and
determine the extent of the infection. If you do not have the
VIRUSCAN non-resident program, it may be downloaded from the
HomeBase BBS at 408 988 4004.


Operation:

IMPORTANT: First place SCANRES on a write protected floppy prior
to installing it. This will ensure a valid copy in the event that
the program becomes infected.

 To install SCANRES, place the following line as the FIRST
entry in your AUTOEXEC.BAT file:

   SCANRES

 Then copy the file SCANRES.EXE to the root directory of your
bootable hard drive (usually C:).


 SCANRES will then become active each time the system is
powered-on or re-booted. It will check the critical areas of the
system for viruses, including itself, and then monitor all program
loads. As programs are loaded, SCANRES will scan the programs
looking for viruses. If a virus is found, SCANRES will display a
warning message and name the infection. The infected program will
then be terminated.
 Unlike many memory resident virus filter programs, SCANRES
will not cause false alarms. If a warning message is issued by
SCANRES, you can be assured the identified program is infected.
Also, since it does not attempt to monitor file I/O or normal disk
accesses, it will not conflict with other memory resident programs.

SYSTEM OVERHEAD:
 SCANRES requires 19K of system memory. It will add an average
of 4 seconds to each program load. After a program has loaded and
begun execution, however, SCANRES will not degrade the performance
or speed of the system in any way.

Registration:

 A Registration fee of $25 is required for the use of SCANRES
by individual home users. Please send registrations to the address
below. This registration covers the copy currently in use and
future versions for one year, providing they are obtained from the
McAfee Associates bulletin board or other public or private board.
Diskettes will not be mailed unless specifically requested. Add
$9 for diskette mailings. The McAfee Associates board number is
- 408 988 4004 - 1200/2400, N,8,1; 5 lines.

Corporate and organizational use:

 Corporate site licenses are required for corporate, agency and
organizational use.  For site license information contact:
   McAfee Associates
   4423 Cheeney Street
   Santa Clara, CA  95054
   408 988 3832

Virus Removal:

 What do you do if a virus is found? Well, if you are a
registered VIRUSCAN or SCANRES user, you may contact McAfee
Associates for free assistance in manually removing the virus. We
strongly recommend that you get experienced help in dealing with
many of the viruses, particularly partition table and boot sector
infections. If you are not a registered user, the following steps
should be followed:

 Boot sector infections:
 Power down the system.  Power up and boot from an uninfected,
     write protected floppy.  Execute the DOS SYS command to
     attempt an overwrite of the boot sector.  This works in many
     cases.  If this does not work, backup all data files and
     perform a low level format of the disk.

 Executable file infections:
 Remove all infected files.  Replace from the original
     distribution diskettes.

 Partition table infections:
 Without a removal utility, the only option is to low level
     format the media.

 Disinfecting utilities are available from McAfee Associates
     for the majority of the common viruses.  If you are not a
     registered user of VIRUSCAN, you may purchase these utilities
     from:

  McAfee Associates
  4423 Cheeney Street
  Santa Clara, CA 95054
  408 988 3832

  BBS: 408 988 4004


    Version Notes

Version 60:
 Version 60 identifies four new viruses that have been reported
from widely dispersed parts of the world. The first virus, the
Solano 2000, or Dyslexia virus, was widely and suddenly reported
in Solano County California in late February and early March 1990.
The first person to isolate and submit the virus was Edward
Winters. The virus is 2000 bytes long, but bears no resemblance
to the V2000 virus from Bulgaria. The virus infects only COM
files, is memory resident, and infects each file as it is executed.
The virus randomly reverses contiguous numeric data in the video
buffer. No other damage has been observed.
 The second virus, ItaVir, was submitted by Andrea Salvia and
Emilio Caravaglia of Milan Polytechnic in Milan, Italy. The virus
is 3,880 bytes long, infects only EXE files and is not memory
resident. The virus is activated based on the amount of time it
has been in the system (apparently a random time greater than 24
hours) and when activated, it sequentially writes all values
(between 0 and 255) to all I/O ports in the system. The result is
a dramatic confusion of all peripherals. The video monitor will
flicker and if the monitor is VGA, will also hiss. The boot sector
is also wiped out and the system will be non-bootable on power-up.
 The third virus, Vcomm, was submitted by Yuval Tal from
Rehovot, Israel. It is a non-memory resident EXE infector and is
1074 bytes long. After the virus is first executed, it infects one
other EXE file and then modifies the in-memory Command Interpreter
so that the DOS COPY command no longer works. No other disruptions
have been reported from this virus.
 The fourth virus is a boot sector infector submitted from
Korea. Limited analysis has been done so far on this virus other
than developing an identifier. The virus has been named the Korea
Virus.

Version 59:
 Version 59 now catches a number of new variations of the
Vienna, Yankee Doodle and Vacsina. These variations were submitted
by researchers in Eastern Europe. The variations of the Yankee
Doodle and Vacsina appear to be earlier trial versions of these
viruses. They don't appear to be harmful, other than corrupting
the programs that are infected and there have been no reported
incidents of infection in the U.S. or Western Europe. The
variations of Vienna are likewise apparently harmless.
 A completely new virus has also been added to the scan
list. Called the V2000 virus, it works as follows:
 It installs resident in memory and then searches for and
infects the Command Interpreter (COMMAND.COM). It will then infect
any COM or EXE file whenever the file is opened. Thus, the
executable files are infected whenever they are executed, copied
or manipulated in any way. The virus hides the length increase of
infected files, much like the 4096, so the user will not see the
increased file lengths in the listing displayed by the DIR command.
 The virus is very virulent and has caused system crashes and
lost data, as well as causing some systems to become non-bootable
after infection.

Version 58:
 Version 58 includes tests for three new viruses: EDV, 512 and
1559 viruses. These viruses are listed in the accompanying
VIRLIST.TXT document.

Version 57:
 SCANRS57 has been substantially modified to prevent infection
by viruses that use variable encryption techniques. Two such
viruses surfaced for the first time in January. These viruses
cannot be accurately identified with simple I.D. strings. The
changes to SCANRES now allow these two viruses to be positively
blocked, and blocking future viruses that use similar techniques
has been simplified.
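Both the grouping of sub-varieties under one scan string (see the Introduction) and the point above that a variably-encrypted virus cannot be caught by a fixed I.D. string can be seen in a small scanner. This is an added Python illustration, not SCANRES code; the signatures and sample buffers are constructed byte patterns, not real scan strings or virus code.

```python
# Added example: scan-string matching as a detection technique. All byte
# values below are constructed for illustration; none are real SCANRES scan
# strings or real virus code.

# A signature is a list of byte values; None marks a position the scanner
# ignores (a wildcard), which is how one string can cover bytes that a
# variably-encrypting virus changes from one infection to the next.
SIGNATURES = {
    # Two sub-varieties differ elsewhere but share this fixed run, so one
    # scan string names both (the grouping described in the Introduction).
    "SAMPLE-A (all sub-varieties)": [0x1A, 0x2B, 0x3C, 0x4D, 0x5E, 0x6F],
    # A variably-encrypted body leaves only a small fixed part with changing
    # key bytes in between; the key positions are masked.
    "SAMPLE-B (variable key)": [0x7A, None, None, 0x8B, 0x9C, None, 0xAD, 0xBE, 0xCF],
}

def match_at(data: bytes, offset: int, pattern) -> bool:
    """True if pattern matches data at offset, ignoring wildcard positions."""
    if offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))

def find(data: bytes, pattern) -> int:
    """Offset of the first match of pattern in data, or -1 if absent."""
    for off in range(len(data) - len(pattern) + 1):
        if match_at(data, off, pattern):
            return off
    return -1

def scan(data: bytes) -> list:
    """Return (name, offset) for every signature present in data."""
    hits = []
    for name, pattern in SIGNATURES.items():
        off = find(data, pattern)
        if off >= 0:
            hits.append((name, off))
    return hits

# Constructed sample buffers (clean, two sub-varieties, two encrypted copies).
CLEAN = bytes([0x00] * 32)
SUB_VARIETY_1 = bytes([0x11, 0x11]) + bytes(SIGNATURES["SAMPLE-A (all sub-varieties)"]) + bytes([0x22] * 8)
SUB_VARIETY_2 = bytes([0x33] * 5) + bytes(SIGNATURES["SAMPLE-A (all sub-varieties)"]) + bytes([0x44] * 8)
ENCRYPTED_1 = bytes([0x55, 0x7A, 0x01, 0x02, 0x8B, 0x9C, 0x03, 0xAD, 0xBE, 0xCF]) + bytes([0x66] * 8)
ENCRYPTED_2 = bytes([0x55, 0x7A, 0xF1, 0xF2, 0x8B, 0x9C, 0xF3, 0xAD, 0xBE, 0xCF]) + bytes([0x66] * 8)

if __name__ == "__main__":
    for label, buf in (("clean", CLEAN), ("sub-variety 1", SUB_VARIETY_1),
                       ("sub-variety 2", SUB_VARIETY_2), ("encrypted 1", ENCRYPTED_1),
                       ("encrypted 2", ENCRYPTED_2)):
        print(label, scan(buf))
    # A fixed string lifted from one encrypted copy fails on the next copy.
    print("fixed string from copy 1 found in copy 2:", find(ENCRYPTED_2, list(ENCRYPTED_1[1:10])) >= 0)
```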
 Both of these encrypted viruses were written as "experimental"
viruses. One surfaced on a number of bulletin boards in Minnesota
under the name of COM_AIDS.ZIP. I have named it the 1260 virus,
although it is based in part on the original Vienna virus. The
other was written by Patrick Toulme in Washington D.C. (author of
Virus-90). He has called the new virus Virus-101. Neither of
these viruses was designed to be destructive - they just attach
themselves to other programs. However, there is no such thing as
a "harmless" virus. All viruses corrupt the code of the host
programs, and none enter your system under invitation. And none
have yet successfully been contained. Even the most well designed
and coded "harmless" virus will cause problems in some mix of
hardware/BIOS/DOS-Version/Memory-resident-programs etc. The
Pakistani Brain is a prime example of this. For this reason we
oppose the public distribution of any kind of virus. Once
released, they cannot be controlled. In addition, many lazier
hackers can easily modify "harmless" viruses to become destructive,
and many instances of such modification exist. Thus, V57 of
SCANRES includes prevention for both of these viruses.
 In addition to the above two viruses, V57 blocks the Joker
and Perfume viruses from Poland, the Icelandic-3 found by
Fridrik Skulason in Iceland and the Halloechen virus reported by
Christoff Fischer at the University of Karlsruhe in West Germany.
These are detailed in VIRLIST.TXT.

Version 56:
 Version 56 now does a memory scan for the Dark Avenger and
4096 viruses at the time it is loaded. It also adds the Chaos and
Taiwan viruses to the list of identifiable viruses.

Version 54:
 Version 54 fixes a bug in V53 that caused false alarms for the
4096 virus in a few instances. Please do not use version 53.

Version 52:
 Version 52 includes detection for the Devil's Dance virus and
the AIDS Information Trojan program.

Version 50:
 Version 50 detects the Holland Girl virus. It infects .COM
files and increases their size by 1332 bytes. It contains the name
and phone number of a girl named Sylvia in Holland. Potential
damage from this virus is currently unknown.

Version 49:
 A new file - VIRLIST.TXT has been added to the SCANRES
package. This file lists the known viruses and describes, in table
format, their critical characteristics.
 Version 49 also checks for the following new viruses:
 -  Do-Nothing virus.  This virus was reported in
      October by Yuval Tal in Israel.  It infects COM files
      but does no other damage and does not affect the
      system in any observable way.
 -  Lisbon Virus.  This virus was discovered by Jean Luz
      of Lisbon, Portugal in November.  It infects COM
      files and increases the size of infected programs
      by 648 bytes.  It destroys 1 out of 8 infected
      programs by overwriting the first five bytes of the
      infected program with "@AIDS".
 -  Sunday Virus.  This virus was discovered by multiple
      users in the Seattle, Washington area.  It activates
      on Sundays and displays the message - "Today is
      Sunday, why do you work so hard?".  Damage to the
      FAT has been reported from a number of infected
      sites.

Version 48:
 Version 48 identifies the TYPO .COM virus that has been
reported by Joe Hirst of Brighton, U.K. The virus infects COM
files and garbles data sent to the parallel port.

Version 47:
 Version 47 identifies the DBASE virus reported by Ross
Greenberg of New York. This virus infects COM files and will
corrupt data in any file with a DBF extension.

Version 46:
 Version 46 now includes a test for the Ghost virus. This
virus was discovered in September by Fridrik Skulason at Icelandic
University. The virus infects .COM files and the boot sectors of
hard disks and floppies. The virus increases the size of infected
COM files by 2,351 bytes, and replaces the boot sector of infected
systems with a boot virus similar to Ping Pong. Random file
corruption by this virus has been reported. SCANRES identifies
both the COM version and the boot version of this virus.

Version 45:
 Version 45 now checks for the New Jerusalem virus discovered
by FIDONET SysOps Jan Terpstra and Ernst Raedecker in the
Netherlands.

Version 44:
 Version 44 fixes a bug in 43. Version 43 cannot identify the
Jerusalem-B virus (earlier versions of SCANRES work correctly).
DO NOT USE version 43.

Version 43:
 Version 43 now identifies the Alabama Virus. This virus was
discovered by Ysrael Radai at Hebrew University and forwarded to
us through Dave Chess at IBM. The virus infects .EXE files and
increases their size by 1560 bytes. It manipulates the file
allocation table and swaps file names so that files are slowly
lost.
 Additional Version 43 enhancements are:
 - Fix to include EXE file searches for DataCrime II
 - Fix for duplicate reporting when Ashar virus is
   identified

Version 42:
 Version 42 of SCANRES includes an identifier for the Yankee
Doodle Virus. This virus was discovered in Vienna by Alexander
Holy at the United Nations office on Sept 30th. The virus has
reportedly been transmitted to the U.S. through U.N. employees via
the game - 'Outrun'. The virus plays the tune - 'Yankee Doodle
Dandy' on the system's speaker 17 hours after an infected program
is loaded. Both COM and EXE files can be infected, and infected
files grow by 2899 bytes. No knowledge yet of eventual damage
potential.