MemScan - Memory Scanner: A rule-based, universal memory virus scanner for DOS viruses. Not limited to known viruses! Will not run on 64-bit Windows systems.

     __  __                ____                     ______   ___  ____
    |  \/  | ___ _ __ ___ / ___|  ___ __ _ _ __    / /  _ \ / _ \/ ___|
    | |\/| |/ _ \ '_ ` _ \\___ \ / __/ _` | '_ \  / /| | | | | | \___ \
    | |  | |  __/ | | | | |___) | (_| (_| | | | |/ / | |_| | |_| |___) |
    |_|  |_|\___|_| |_| |_|____/ \___\__,_|_| |_/_/  |____/ \___/|____/

                                 (c) 16.10.1990-2018 by ROSE SWE, Ralph Roth

    $Id: MemScan_Eng.txt,v 1.40 2018/04/12 20:13:42 ralph Exp $
    Written in ASCIIDOC using the UTF-8 code set and Windows LF/CR
    Umlauts and the screen copies may look ugly if your text viewer does not use UTF-8
Note A short English "FAQ" for QMS, MemScan and TestBoot can be found at the end of the document!

Function of MemScan

MemScan examines your working memory for resident MS-DOS computer viruses. If you have further questions about computer viruses, please read the files VIRSCAN.DOC & VIRSCAN.TXT (if available).

MemScan can also check the "UPPER" DOS memory (UMB = memory between 640 KB and 1 MB) and the HMA (High Memory Area = 1088 KB) via the A20 gate. MemScan needs approx. 450 KB of free DOS working memory for the virus database and hash tables! Its memory usage was tuned especially for network environments, which is why 450 KB of free memory is enough!

Thanks to heuristic scanning (option /UNB), MemScan also detects unknown viruses. It usually reports such viruses with one of the following messages:

Execution-Function [Exec] or
Generic File Open [Fopen] or
Memory Control Of Blocks [MCB] or
Generic Exeheader.????-???? or
Generic Boot virus [BOOT] etc.

If one of these generic virus types is detected, please send me an infected file: to classify the virus (if VirScan reports the same virus type with the option /HEUR) and to include it in MemScan! Try to make the virus infect the "victim/bait/goat files" INFECTME.* included in this package!

Note MS-DOS 6.xx and Novell DOS 7.0 produce a false alarm with the option /UNB together with the option /HIGH. In most cases a Generic Exec Virus is reported in the segment Fxxx:xxxx which, however, is occupied by COMMAND.COM loaded high.

Why MemScan?

We are using MemScan internally to quickly and securely add new viruses to VirScan. However, customers frequently asked us for a program that checks ONLY the working memory. For this reason MemScan was made accessible to the public for FREE.

Optional parameters

/?                Displays a short help
/HIGH             Search high memory (to 1 MB) too
/IVT              Check interrupts for viruses, see also VIRSCAN.DOC
/NOLIVEBAIT       Skip Live Bait Test
/NOMEM            Skip complete "Quick Memory Check"
/NOPATHCOMPANION  Skip path Companion Test
/UNB /UNK         Search for new unknown viruses
                  No output on argument syntax (Guru option).
/AKTION           Display information on virus special offer.
Tip To see a short description of more options execute MemScan with the parameter /? for a short help!

Option /UNB

This option is intended only for emergencies! This function ALWAYS produces false alarms! I use it for finding known and new viruses! Almost every new resident MS-DOS virus can be found with MemScan!

Option /IVT

With the parameter /IVT the working memory can be examined for approx. 180 of the best-known DOS viruses. This is done by so-called "Am I there" calls in a split second (compared to the slow memory scan). Among other things, the working memory is examined for the following viruses:

  • Jerusalem and related viruses (at least 48 variants)

    • Frere Jacques

    • Fu Manchu

  • Tequila (Stealth virus)

  • Yankee Doodle/Vacsina (45 variants)

  • Cascade and Yap (14 variants)

  • Flip/Omicron (6 variants, sub-stealth virus)

  • Parity (4 variants, boot virus)

  • dBase

  • Plastique (AntiCad, Invader, Tobacco, 4.21, 5.21 and Cobol)

  • Tremor (Stealth virus)

  • Hare (Stealth multipartite virus)

When one of these viruses is detected, the user is informed about it.

Note You should not use this option if you have Novell Netware installed, because the interrupt calls conflict with each other. This function used to be executed automatically, but it emerged that the so-called "Am I There" calls were not 100% compatible with different operating systems and configurations. So, if unusual side effects occur, this option might be the reason. This option also checks the high memory (HMA) - if available - for viruses.

Notes on parameter usage

Customers familiar with the American or UNIX parameter syntax (minus sign) instead of the slash (/) can also use the minus sign (-) to start an option.

Example: -IVT is equivalent to /IVT
Note There must be at least one blank between the individual arguments! The arguments are not case sensitive.

The environment variable MemScan

Instead of always calling MemScan with arguments, MemScan can be controlled with a so called environment variable. For example, enter the following at the DOS prompt:

SET MEMSCAN=/unb -high -IVT

If you start MemScan now, MemScan reads all required arguments from the variable.

Rollback of preset values

Sometimes it might be desirable to reset options that have already been set (e.g. by SET MEMSCAN=…). This can simply be done by appending a minus sign to the option on the command line; the option is then switched off.

For example, you have entered the following:

SET MEMSCAN=/high

Then start MemScan with the following argument:

MEMSCAN /high-

In this case the command line option overrides the option set by the environment variable! Command line options always override environment options.
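The option rules described above (a "/" or "-" prefix, case-insensitive names, a trailing "-" that switches an option off again, and the command line taking precedence over the MEMSCAN environment variable) can be resolved by a small reader like the following. This is an added example and not MemScan's own code; the set of option names it knows, the treatment of /UNK as a synonym of /UNB, and the rejection of unknown options are assumptions made for the example.

```python
"""Resolve MemScan-style options from an environment variable and a command
line.  Added example, not ROSE SWE's code; option names are taken from the
parameter list in this document, everything else is an assumption."""

import os
import shlex

# Boolean options known to this toy resolver (assumption: all are on/off flags).
KNOWN_OPTIONS = {"HIGH", "IVT", "NOLIVEBAIT", "NOMEM", "NOPATHCOMPANION", "UNB"}
# The document lists /UNB and /UNK together, so treat /UNK as an alias.
ALIASES = {"UNK": "UNB"}


def parse_option_tokens(tokens):
    """Turn tokens like '/high', '-IVT', '/high-' into (NAME, enabled) pairs.

    Rules from the document: an option starts with '/' or '-', names are not
    case sensitive, and a trailing '-' switches the option off.
    """
    result = []
    for tok in tokens:
        if not tok or tok[0] not in "/-":
            raise ValueError(f"unexpected argument: {tok!r}")
        name, enabled = tok[1:], True
        if name.endswith("-"):          # rollback: '/high-' disables HIGH
            name, enabled = name[:-1], False
        name = name.upper()
        name = ALIASES.get(name, name)
        if name not in KNOWN_OPTIONS:
            raise ValueError(f"unknown option: {tok!r}")
        result.append((name, enabled))
    return result


def resolve_options(env_value, argv):
    """Apply environment options first, then the command line on top.

    Later settings override earlier ones, so the command line always wins
    over SET MEMSCAN=..., and '/high-' on the command line cancels a '/high'
    that was set in the environment.
    """
    settings = {name: False for name in KNOWN_OPTIONS}
    # Arguments are blank-separated; shlex.split handles repeated blanks.
    env_tokens = shlex.split(env_value or "")
    for name, enabled in parse_option_tokens(env_tokens) + parse_option_tokens(argv):
        settings[name] = enabled
    return settings


def enabled_options(env_value, argv):
    """Sorted names of the options that end up switched on."""
    return sorted(n for n, on in resolve_options(env_value, argv).items() if on)


if __name__ == "__main__":
    # Constructed inputs mirroring the document's examples.
    print(enabled_options("/unb -high -IVT", []))     # SET MEMSCAN=/unb -high -IVT
    print(enabled_options("/high", ["/high-"]))      # SET MEMSCAN=/high, then MEMSCAN /high-
    # Reading the real environment variable, as MemScan does:
    print(enabled_options(os.environ.get("MEMSCAN"), ["-ivt"]))
```

The resolver processes the environment tokens before the command line tokens and lets later settings overwrite earlier ones, which is exactly the precedence the text describes.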

False alarms of MemScan

MemScan detects approx. 98% of ALL new resident DOS or boot viruses with the option /UNB; however, this option is only for absolute virus gurus. Hint: If you suspect a virus on your system, execute VirScan Plus with the following parameters:

Virscan -auto -HEUR -log
Note If VirScan Plus finds the same virus as MemScan in several EXE/COM files: new virus! If VirScan finds a different virus in many COM/EXE files, for example Crypt/FamZ, then it is a new ENCRYPTED virus! In these cases please send me an email with the infected files! Note: The option /HEUR is available only in the full version of VirScan Plus!

The following screen shot normally shows a false positive, because the "virus" is found only

  1. with the -unb option, and

  2. only in the main screen

¦¦¦¦¦+-----------------------------------------------------------------+¦¦¦¦¦
¦¦¦¦¦¦   MemScan 10.x.x - (c) 03.01.1991-2018 by ROSE SWE, Ralph Roth  ¦¦¦¦¦¦
¦¦¦¦¦+-----------------------------------------------------------------+¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦+-------------------------------- Messages ----------------------------+¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦¦  ¦ Free memory available for MemScan: 68.000/68.000                  ¦¦¦¦
¦¦¦  ¦ Command line: -unb                                                ¦¦¦¦
¦¦¦  ¦ Signatures created: Mi 25. Feb. 2004, build 3.073, 5.165 signs    ¦¦¦¦
¦¦¦  ¦ This PC has 640/640 kb free base memory                           ¦¦¦¦
¦¦¦  ¦ HMA/A20 gate present at segment: 0xFFFF:0000                      ¦¦¦¦
¦¦¦  ¦ Checking conventional memory (640 kb)                             ¦¦¦¦
¦¦¦  - Found the Type_Exec2a.35C6-D0A0 virus!                            ¦¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦¦  Warning: A virus found in your main memory!                         ¦¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦+----------------------------------------------------------------------+¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦+---------- Scanning ---------+¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦     Please press a key!     ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦+-----------------------------+¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦

A normal virus infection looks like this, and MemScan won’t go to the main screen at all (in this case a 572 byte long new COM infector):

-----[ Quick scan of the system and memory for viruses ]----------------------

  MBR - HDD 0 (512) .......(45FC:2A00)..... -- OK! --
  Interrupt 13h (DOS) .....(0D58:18C5)..... -- OK! --
  Interrupt 13h (Orig) ....(F000:E3FE)..... -- OK! --
  Interrupt 21h (DOS) .....(9F75:0119)..... Type_Exec1a.4A77-F232 Virus
  Interrupt 40h (DOS) .....(F000:EC59)..... -- OK! --
  Memory (Low-System) .....(0000:0000)..... -- OK! --
  Memory (639 KB) .........(9C00:0000)..... Type_Exec1a.4A77-F232 Virus
  Memory (HMA) ............(FFFF:0001)..... -- OK! --
  HDD-IRQ 76h .............(0CC5:0117)..... -- OK! --
  Path Companion Test ..................... -- OK! --
  Live Bait Test ..........(295 KB)........ Type: COM=572 Virus
Heuristic mode:
  Single Step .............(0070:06F4)..... -- OK! --
  Misc BIOS ...............(0D58:19A0)..... -- OK! --
  Reboot ..................(0D3B:002F*).... -- OK! --
  Multiplex ...............(14E2:1180)..... Type_Exec2b.CF14-B4E4 Virus
  VCPI ....................(F000:FF53)..... -- OK! --
  Interrupt D3h ...........(F000:FF53)..... -- OK! --
  Interrupt 0Dh ...........(F000:FF53)..... -- OK! --
  Interrupt 0Eh ...........(0CC5:00B7)..... -- OK! --

Please deactivate the virus through a cold boot from a system disc!
Press any key to continue...

Program Return Values

MemScan returns an error code to DOS that can be evaluated via the variable ERRORLEVEL. The following error codes are used:

        ERRORLEVEL              Short description
        -----------------------------------------------------------------
        0                       All OK, Option -?, -h etc.
        1                       Internal error
        2                       Option -exit
        3                       Overlay (MemScan.ovr) handling error
        8                       Not enough free memory available

        10                      QuickMemoryScan found a virus
        11                      NOSTEALTHTEST found a virus
        12                      NOWINTEST found a virus
        13                      Found a virus in the main scan function

Hints and FAQ

Q: can you help me fix the virus on my main memory...?
attached is the view of MemScan and QMS...

A: I think this is a so called "false positive". Please read the attached document (MemScan_Eng.txt). If you have a DOS or boot virus, you should be able to trace it (as described in MemScan_Eng.txt) with QMS/MemScan and VirScan Plus. What DOS Version and Windows Version do you use. Some special DOS drivers in usage?

Q: Only the TESTBOOT routine found something. Since it was in German, I really
didn't know what it said. I went to an online translator and realized that
it said "wert ermittelt" and "wurden gesichert" which translated "worth
determines" and "became secured". After that I ran it again and it didn't

A: That’s normal for the first (initial) run - I have added, where possible, an English translation in the new version!

Tip How you can possibly detect a file-/boot virus:
  1. MemScan -unb -high

  2. QMS -unb

  3. put testboot.exe into the Autoexec.bat as last command (DOS/Win9x based systems only)

  4. rhbvs -auto -log -all -high

Integrated virus protection

The program contains an integrated check-sum tester to alert the user on a possible virus infection. The check-sum for the program can be found in the file with the extension ".XXX".

Neither the check-sum contained in that file nor the main program may be changed or modified in any way! Otherwise, the main program regards itself as possibly infected by a virus (a virus still unknown to the program)!

The following properties of the EXE file are monitored and checked for modifications every time the program is executed:

  • Check-sum (CRC32) - If only one bit of the program is changed by a virus, the check-sum will no longer match (own secure routine, according to ANSI X3.66 - CRC-Poly is: 0xDEBB20E3).

  • File size - If a program becomes one or two KB longer, it is infected!

  • Overlay size - If the program uses overlays (".OVR").

I strongly recommend not making any changes to the EXE & XXX-file since the program will not run any more!

The file with the extension ".XXX" also contains the creation date and the standard MD5 checksum that can be checked with other tools like md5dir or hashall from ROSE SWE. Verifying the CRC32 checksum takes less than 1 second (depending on computer type and hard disk drive). If the check-sum is OK, the program is being executed. Otherwise a detailed error report with indications of possible error reasons will be displayed.
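The self-check described in this section, as an added example that is not MemScan's own code: a build-time record (size, CRC32, MD5 and optionally the overlay size) is written to a small sidecar file, and at start-up the program image is compared against it, reporting a size change separately so that the typical "file grew by N bytes" symptom of a file infector gets its own message. The record's text format, the function names and the sample "program" bytes are assumptions made for the example. The constant 0xDEBB20E3 quoted above is, in the standard ANSI X3.66 CRC-32, the register value left after a message and its own CRC have been run through the CRC (the CRC-32 residue), so the example also verifies that property on its own data.

```python
"""Executable self-check against a sidecar record, in the spirit of the
MemScan ".XXX" file.  Added example, not ROSE SWE's code; the record format,
function names and sample data below are assumptions."""

import binascii
import hashlib
import os
import tempfile

# CRC-32 register value after running (message + its CRC, little-endian)
# through the CRC, before the final inversion: the CRC-32 residue.
CRC32_RESIDUE = 0xDEBB20E3


def crc32(data):
    """Standard CRC-32 (ANSI X3.66 / ISO 3309, as used by zlib), unsigned."""
    return binascii.crc32(data) & 0xFFFFFFFF


def crc32_residue_check(data):
    """True if CRC over (data + crc_le) leaves the register at CRC32_RESIDUE.
    binascii.crc32 returns the inverted register, so undo that inversion."""
    appended = data + crc32(data).to_bytes(4, "little")
    return (crc32(appended) ^ 0xFFFFFFFF) == CRC32_RESIDUE


def make_record(program, overlay=None):
    """Properties frozen at build time: size, CRC32, MD5 and overlay size."""
    rec = {"size": len(program), "crc32": crc32(program),
           "md5": hashlib.md5(program).hexdigest()}
    if overlay is not None:
        rec["ovr_size"] = len(overlay)
    return rec


def self_check(program, record, overlay=None):
    """Return a list of findings; an empty list means the image is unchanged.

    The size is checked first and reported on its own, because a file
    infector typically appends a few hundred bytes to the host program."""
    findings = []
    growth = len(program) - record["size"]
    if growth != 0:
        findings.append(f"size changed by {growth:+d} bytes")
    if crc32(program) != record["crc32"]:
        findings.append("CRC32 mismatch")
    if hashlib.md5(program).hexdigest() != record["md5"]:
        findings.append("MD5 mismatch")
    if "ovr_size" in record and overlay is not None and len(overlay) != record["ovr_size"]:
        findings.append("overlay size changed")
    return findings


def write_record(path, record):
    """Assumed sidecar format: one 'key=value' line per property."""
    with open(path, "w", encoding="ascii") as f:
        for k, v in record.items():
            f.write(f"{k}={v:08X}\n" if k == "crc32" else f"{k}={v}\n")


def read_record(path):
    rec = {}
    with open(path, encoding="ascii") as f:
        for line in f:
            k, v = line.rstrip("\n").split("=", 1)
            rec[k] = v if k == "md5" else int(v, 16 if k == "crc32" else 10)
    return rec


def demo():
    """Constructed sample: a clean 1024-byte 'program' and the same image with
    647 filler bytes appended (the growth quoted in the screen shot above)."""
    clean = bytes(range(256)) * 4
    infected = clean + b"\x90" * 647
    record = make_record(clean)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "MEMSCAN.XXX")
        write_record(path, record)
        loaded = read_record(path)
    return self_check(clean, loaded), self_check(infected, loaded)


if __name__ == "__main__":
    ok, bad = demo()
    print("clean image:", ok or "OK")
    print("grown image:", bad)
    print("residue check:", crc32_residue_check(b"The quick brown fox"))
```

The sidecar record is only as trustworthy as its own integrity: an attacker who can rewrite both the EXE and the record defeats the check, which is why the text insists that the ".XXX" file travel unchanged with the program.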

This is a screen shot of MemScan's self-check envelope finding itself infected with a 647-byte EXE infector!

#####   Länge der Datei MEMSCAN.EXE hat sich geändert!   #####

Hierfür gibt es mehrere Möglichkeiten für diese Fehlermeldung:

¦    Ein Virus hat das Programm befallen!
     Am besten gleich mit VirScan Plus testen ...
     WARNUNG: Programm ist um 647 Bytes größer geworden!!!
     SENDEN SIE UNS DIESE DATEI ZU ANALYSEZWECKEN ZU! TYPISCH FÜR VIREN!

¦    Sie haben die Datei MEMSCAN manipuliert, deshalb ist die
     Checksumme verändert worden.

¦    Sie haben nicht alle Dateien mit kopiert (s. o.), oder auf dem
     Datenträger sind Informationen verloren gegangen (Bits umgekippt).

¦    Verwenden Sie die Option /NOCHECKCRC um diese Überprüfung zu umgehen!

Bitte die ENTER-Taste zum Fortsetzen drücken...

Other/Misc

If you want to obtain the full versions of my antivirus software, please start the program REGISTER.COM, and an order form will be printed.

By the way: MemScan is compressed from 380 KB to currently 87 KB EXE + 183 KB overlay!

What’s new?

Version             Changes
#######################################################################

    3.00            Parts of MemScan were swapped out to the overlay
                    file MEMSCAN.OVR, therefore MEMSCAN needs 50 KB less
                    working memory. Added checksum tester.
    3.10            Extended 'Am I There' Virus test.
    3.17            Program does not wait any more for key stroke
                    if NO virus was found!
    3.33            Number of detected viruses: approx. 3.000!
    3.36            The package now includes HMS.COM.
    3.50            Live Bait Test to detect
                    unknown file viruses.
    3.53            New ChkPC version (Hare & Boot-437)
    3.55            50 new viruses, i. e. CriCri & Grief.
    3.98            4180 viruses. QMS, TestBoot & HMS were
                    considerably enhanced. The Live Bait
                    Test was considerably enhanced.

    4.xx            New Viruses.

    5.0.1           Completely redesigned version. Program in English!
    5.1.0           Added Stealth Live Goat Test.
    5.6             /NOPATHCOMPANION, /NOLIVEBAIT
    5.7             /NoMem
    6.0             Win32 Live Bait Test
    6.2.7           /NoWin32Test, /NoStealthTest, DOKU revised
    6.3.1           This English documentation added
    6.5.5           /NoHMA fixes, A20-Gate/HMA fixes
    6.6.8           Tons of new viruses due to F_Mirc Linux porting
    9.5.5           adapted to run with DosEMU (Linux)
    9.5.8           30.08.2017 - Ported this documentation to ASCIIDOC
    10.1.5          22.01.2018 - new viruses

BANNERWARE from ROSE SWE

This program may be freely copied and passed on. It is considered so-called Bannerware. I only request the following declarations to be kept:

  • ©opyright by ROSE SWE, Ralph Roth (the so-called Banner)

  • sale and/or commercial distribution of the programs is forbidden. No commercial distribution without our written consent!

  • the programs MUST be distributed free of charge and/or passed on for a small copying charge (shareware dealers) (max. EUR 10,--).

  • the program/documentation must not be changed!

  • the program package must be passed on complete and unchanged!

Trademarks of other companies mentioned in this documentation and package appear for identification purposes only and are property of their respective companies.

NOTICE TO USER: You should read the following terms and conditions carefully before using this software. Your use of this software indicates your full acceptance of this license agreement and warranty. BY INSTALLING THIS SOFTWARE YOU ACCEPT ALL THE TERMS AND CONDITIONS OF THIS AGREEMENT.

The SOFTWARE is owned and copyrighted by ROSE SWE. Your license confers no title or ownership in the SOFTWARE and should not be construed as a sale of any right in the SOFTWARE.

No Warranty. The Software is being delivered to you AS IS and ROSE SWE makes no warranty as to its use or performance. ROSE SWE AND ITS SUPPLIERS DO NOT AND CANNOT WARRANT THE PERFORMANCE OR RESULTS YOU MAY OBTAIN BY USING THE SOFTWARE OR DOCUMENTATION. ROSE SWE AND ITS SUPPLIERS MAKE NO WARRANTIES, EXPRESS OR IMPLIED, AS TO NON INFRINGEMENT OF THIRD PARTY RIGHTS, MERCHANTABILITY, OR FITNESS FOR ANY PARTICULAR PURPOSE. IN NO EVENT WILL ROSE SWE OR ITS SUPPLIERS BE LIABLE TO YOU FOR ANY CONSEQUENTIAL, INCIDENTAL OR SPECIAL DAMAGES, INCLUDING ANY LOST PROFITS OR LOST SAVINGS, EVEN IF A ROSE SWE REPRESENTATIVE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR FOR ANY CLAIM BY ANY THIRD PARTY.

In short: This software is provided as-is, without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. If you do NOT agree simply do NOT install and use this software!

(C)opyright by (ALL RIGHTS RESERVED!)


__________ ________    ____________________   ___________      _____________
\______   \\_____  \  /   _____/\_   _____/  /   _____/  \    /  \_   _____/
 |       _/ /   |   \ \_____  \  |    __)_   \_____  \\   \/\/   /|    __)_
 |    |   \/    |    \/        \ |        \  /        \\        / |        \
 |____|_  /\_______  /_______  //_______  / /_______  / \__/\  / /_______  /
        \/         \/        \/         \/          \/       \/          \/

 -------------------------------------=-----------------------------------
     ROSE SWE                           See ROSEBBS.TXT for
     Dipl.-Ing. Ralph Roth              full address, FAX and PGP keys.
     http://rose.rult.at
     rose_swe@hotmail.com               All Rights Reserved!
 -------------------------------------=-----------------------------------
Note Initial Translation by ez-web Digital Services, ezweb@gmx.net in 03/2002

Computer Viruses and Malware - A Short Overview

A computer virus is a piece of code (software) that is installed on a computer either by a hacker, by another compromised computer (replication), malicious attachments/mails or a website (drive-by infection). It performs functions that the computer owner does not authorize and does not want.

Viruses are sometimes also referred to as malware. This is usually where they have adverse effects on the computer user, such as logging each keystroke (through a keylogger), audio recording or snapshots of each screen.

Such infection can lead to identity theft, endangerment of bank or purchase card data or loss of confidential data. It is more likely to occur on home computers that are normally not as security managed as corporate computers.

Malware

Malware, or malicious software, is a generic term for a variety of malicious or intrusive software, including computer viruses, worms, Trojans, ransomware, spyware, adware, scareware and other malicious programs. It can take the form of executable code, scripts, active content and other software. Malware is defined by its malicious intent, which violates the requirements of the computer user - and therefore does not include software that causes unintentional damage due to a defect.

Programs officially delivered by companies can be considered malware if they secretly violate the interests of the computer user.

(Computer) Virus

A computer virus is a type of malicious software program ("malware") that, when executed, replicates itself by modifying other computer programs and appending or inserting its own code. When this replication succeeds, the affected programs are then said to be "infected" with a computer virus.

The term "virus" is also commonly, but erroneously, used to refer to other types of malware. "Malware" encompasses computer viruses along with many other forms of malicious software, such as computer "worms", ransomware, spyware, adware, Trojan horses, keyloggers, rootkits, bootkits, malicious Browser Helper Object (BHOs) and other malicious software. The majority of active malware threats are actually Trojan horse programs or computer worms rather than classic computer viruses.

(Computer) Boot Virus

Boot viruses are the oldest known computer viruses. These viruses were the most common form of viruses until 1995, but are now extinct. Nowadays there are almost no boot sector viruses any more, because BIOS and operating systems usually have a well-functioning software or hardware protection.

A boot virus is a computer virus that becomes active when the computer starts (boots), before the operating system (DOS, Linux or Windows) is fully loaded. Boot sector viruses exploit the fact that the boot sector is always loaded first. On floppy disks, the virus is at least partially in the boot sector, so that even floppy disks that do not contain any files can be infected. On hard disks, the virus infects the master boot record (MBR) or the logical boot sector.

A boot sector virus infects the boot sector of floppy disks and the master boot record (MBR) of a hard disk. The boot sector is the first physical part of a floppy disk and one sector (512 bytes). The boot sector is used by boot floppies to boot from the floppy disk. If a user wants to boot from an infected boot floppy or forgets an infected floppy disk in the floppy drive when the computer starts, the BIOS accesses this sector and executes it with the appropriate BIOS boot setting. The virus then attempts to infect the MBR of the hard disk each time the computer starts. When an infected computer starts, the MBR, which is normally responsible for recognizing the different partitions on the hard disk, is loaded. The now loaded virus remains in memory and monitors access to floppies. When a diskette is inserted into a computer infected with a boot sector virus, the virus infects the boot sector of the diskette.

Known boot viruses are the Form virus, Parity Boot and Boot-437.

Multipartite Virus

A multipartite virus is a computer virus that infects and spreads in multiple ways. The term was introduced to describe the first viruses that included DOS executable files and PC BIOS boot sector virus code, where both parts are viral themselves. Prior to the discovery of the first of these, viruses were categorized as either file infectors or boot infectors. Because of the multiple vectors for the spread of infection, these viruses could spread faster than a boot or file infector alone.

Trojan horses

A Trojan horse is a program that does something undocumented which the programmer intended, but that users would not accept if they knew about it. By some definitions, a virus is a particular case of a Trojan horse, namely, one which is able to spread to other programs (i.e., it turns them into Trojans too). According to others, a virus that does not do any deliberate damage (other than merely replicating) is not a Trojan. Finally, despite the definitions, many people use the term "Trojan" to refer only to a non-replicating malicious program.

Ransomware

Ransomware is a particularly invasive form of malware that takes a victim’s data or device and holds it hostage (or displays bogus claims of illegal activity or porn usage, or suggests that a system is already infected with viruses) until a sum of money is handed over in order to secure its release. Ransomware has existed since around 1989, in the form of the “DOS-AIDS” Trojan (aka PC Cyborg), which encrypted files on a hard drive and then demanded a payment of $189 to unlock them again. In the last few years ransomware has become a significant, global threat.

Malicious Mining Software (Crypto-Miner)

Starting in 2018, malware authors are increasingly relying on malicious mining software. This year, for the first time, there have been more infections of this type than with ransomware. More and more online criminals seem to be turning their backs on ransomware and relying on crypto-miners instead. These secretly mine cryptocurrency on infected computers - Monero is particularly popular. This is obviously extremely lucrative, as the latest figures show.

Reasons for the turnaround? If ransomware strikes and encrypts a victim's data, the victim usually has to pay a ransom in the form of bitcoins. This is an obstacle that not every victim can or will take. A crypto-miner, on the other hand, only needs to infect computers. Afterwards it mines in secret, demands nothing from the victim, and silently earns its authors large profits - not small ones, given the exploding prices of the various cryptocurrencies.

Scam

Any means of cheating or misleading a person and gaining their trust or receiving information to which the cheater is not entitled.

Spyware

Spyware is a type of computer virus that hides on your computer or mobile device, records your private data and sends that information back to whoever created it or monitors it. The tricky thing about spyware, and what separates it from the growing threat of ransomware, is that spyware is designed to both install discreetly and operate silently in the background.

Backdoors

A point of access to a hidden program/system. Backdoors are usually intentionally created by a programmer for debugging or maintenance purposes, but if compromised, they can pose a security risk to unauthorized users or software, allowing access and causing damage. Malware often installs Backdoors on compromised systems!

Botnets

A bot is a program that runs automated tasks over the Internet. Botnets are collections of bots that run autonomously and automatically. Typically they perform repetitive tasks at a much higher rate than a human is capable of. They can be used for malicious purposes, such as denial of service attacks or infecting other computers. An infected computer is called a bot or zombie.

Macro viruses

A macro is a piece of code that can be embedded in a data file. A macro virus is thus a virus that exists as a macro attached to a data file. In most respects, macro viruses are like all other viruses. The main difference is that they are attached to data files (i.e., documents) rather than executable programs. Document-based viruses are, and will likely continue to be, more prevalent than any other type of virus.

Worms

Worms are very similar to viruses in that they are computer programs that replicate functional copies of themselves (usually to other computer systems via network connections) and often, but not always, contain some functionality that will interfere with the normal use of a computer or a program. Unlike viruses, however, worms exist as separate entities; they do not attach themselves to other files or programs. Because of their similarity to viruses, worms also are often referred to as viruses.

Stealth viruses

What is a stealth virus? A stealth virus is one that, while active, hides the modifications it has made to files or boot records. It usually achieves this by monitoring the system functions used to read files or sectors from storage media and forging the results of calls to such functions. This means that programs that try to read infected files or sectors see the original, uninfected form instead of the actual, infected form. Thus the virus’s modifications may go undetected by antivirus programs. However, in order to do this, the virus must be resident in memory when the antivirus program is executed, and the antivirus program may be able to detect its presence.

The very first DOS virus, Brain, a boot-sector infector, for example monitored physical disk input/output and redirected any attempt to read a Brain-infected boot sector to the disk area where the original boot sector was stored.

File stealth viruses

In addition to hiding the boot information, DOS file stealth viruses attack .com and .exe files when opened or copied, and hide the file size changes from the DIR command. The major problem arises when you try to use the CHKDSK/F command and there appears to be a difference between the reported file size and the apparent size. CHKDSK assumes this is the result of some cross-linked files and attempts to repair the damage. The result is the destruction of the files involved.

Full stealth viruses

With a full stealth virus, all normal calls to file locations are cached, while the virus subtracts its own length so that the system appears clean.

Countermeasures against Stealth Viruses?

You need a clean system so that no virus is present to distort the results of system status checks. Thus you should start the system from a trusted, clean, bootable diskette before you attempt any virus checking.

Encryption

One method of evading malware detection is to use simple encryption to encipher (encode) the body of the malware, leaving only the encryption module and a static cryptographic key in cleartext which does not change from one infection to the next.

What is a polymorphic virus?

A polymorphic virus is one that produces varied but operational copies of itself. This strategy assumes that virus scanners will not be able to detect all instances of the virus. One method of evading scan-string driven virus detectors is self-encryption with a variable key. Polymorphic code was the first technique that posed a serious threat to virus scanners.

More sophisticated polymorphic viruses (e.g., V2P6) vary the sequences of instructions in their variants by interspersing the decryption instructions with "noise" instructions (e.g., a No OPeration instruction (NOP), or an instruction to load a currently unused register with an arbitrary value), by interchanging mutually independent instructions, or even by using various instruction sequences with identical net effects (e.g., Subtract A from A, and Move 0 to A). A simple-minded, scan-string based virus scanner would not be able to reliably identify all variants of this sort of virus; in this case, a sophisticated scanning engine has to be constructed after thorough research into the particular virus.

One of the most sophisticated forms of polymorphism used so far is the Mutation Engine (MtE) or the Trident Polymorph Engine (TPE), which comes in the form of an object module. With such mutation engines, any virus can be made polymorphic by adding certain calls to its assembler source code and linking to the mutation-engine and random-number generator modules.

The advent of polymorphic viruses has rendered virus scanning an increasingly difficult and expensive endeavor; adding more and more search strings to simple scanners will not adequately deal with these viruses.

What is an armored virus?

Armored viruses use special tricks to make the tracing, disassembling, and understanding of their code more difficult. A good example is the Whale virus.

What is Phishing/Vishing?

Phishing is when a third party tricks a user into giving away information in an email or by a phone call (vishing).

Some viruses that were very widespread

Cascade

The Cascade virus (also known as Herbstlaub in Germany) is a prominent DOS computer virus that is a memory resident virus written in assembly language. Cascade was widespread in the 1980s and early 1990s. It infected DOS .COM files and had the effect of making text on the screen cascade down and form a heap at the bottom of the screen. It was notable for using an encryption algorithm to avoid being detected. However, one could see that infected files had their size increased by 1701 or 1704 bytes. In response, IBM developed its own antivirus software.

The virus has a number of variants. Cascade-17Y4, which is reported to have originated in Yugoslavia, is almost identical to the most common 1704 byte variant. One byte has been changed, probably due to a random "mutation". This, however, has resulted in a "bug" in the virus. Another mutated variant is also known - it infects the same file over and over.

Jerusalem

Jerusalem is a DOS virus first detected in Jerusalem, in October 1987. On infection, the Jerusalem virus becomes memory resident (using 2kb of memory), and then infects every executable file run, except for COMMAND.COM. COM files grow by 1,813 bytes when infected by Jerusalem and are not re-infected. .EXE files grow by 1,808 to 1,823 bytes each time they are infected. The virus re-infects .EXE files each time the files are loaded until they are too large to load into memory. Some .EXE files are infected but do not grow because several overlays follow the genuine .EXE file in the same file. Sometimes .EXE files are incorrectly infected, causing the program to fail to run as soon as it is executed.

The virus code itself hooks into interrupt processing and other low level DOS services. For example, code in the virus suppresses the printing of console messages if, for example, the virus is not able to infect a file on a read-only device such as a floppy disk. One of the clues that a computer is infected is the mis-capitalization of the well-known message "Bad command or file name" as "Bad Command or file name".

The program contains one destructive payload that is set to go off on Friday the 13th, all years but not in 1987. On that date, the virus deletes every program file that was executed. Jerusalem is also known as BlackBox because of a black box it displays during the payload sequence. If the system is in text mode, Jerusalem creates a small black rectangle from row 5, column 5 to row 16, column 16. The rectangle is scrolled up by two lines.

As a result of the virus hooking into the low-level timer interrupt, PC-XT systems slow down to one fifth of their normal speeds 30 minutes after the virus has installed itself. The slowdown is less noticeable on faster machines. The virus contains code that enters a processing loop each time the processor’s timer tick is activated.

Symptoms also include spontaneous disconnection of workstations from networks and creation of large printer spooling files. Disconnections occur since Jerusalem uses the interrupt 21h low-level DOS functions that Novell Netware and other networking implementations required to hook into the file system.

Jerusalem was initially very common (for a virus of the day) and spawned a large number of variants. However, since the advent of Windows, these DOS interrupts are no longer used, so Jerusalem and its variants have become obsolete.

/* End of Document */