=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 
=  F.U.C.K. - Fucked Up College Kids - Born Jan. 24th, 1993 - F.U.C.K.  = 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 
 
                              The Epidemic 
                              ------------ 
 
Introduction: 
------------- 
 
I would like to first off start by giving a defintion of a Computer 
Virus and a Trojan Horse.  Although this file will be dealing mainly 
with computer viruses, I thought I would stick in a comment here 
and there about Trojans. 
 
Definitions: 
------------ 
 
COMPUTER VIRUS : a computer program that can infect other computer 
programs by modifying them in such a way as to include a (possibly 
evolved) copy of itself. 
 
The correct English plural of "virus" is "viruses."  The Latin word is 
a mass noun (like "air"), and there is no correct Latin plural. 
 
TROJAN HORSE : a program that does something undocumented which the 
programmer intended, but that the user would not approve of if he knew 
about it.  A "Trojan" refers only to a non-replicating malicious program. 
Since it is non-replicating it is seperate from the virus family. 
 
To date there are 2500 known viruses.  This is an estimate.  In all 
actuality there is 2300-3000 viruses depending on how you count them too. 
When placed in families there is over 800 known families of viruses.  As 
you can probably guess too, with new viruses being created and old ones 
being modified, that number is going up very rapidly.  Some estimate that 
there will be around 20,000 viruses or so by the year 2000.  Although 
this is just an opinion, in all actuality it may very well be reached. 
 
In the following sections I will go into the different types of computer 
viruses, how to tell if you are infected, how to remove them, and the 
best for last:  virus scanners and how they rate. 
 
Virus Types: 
------------ 
 
Viruses infect in two differnt ways.  We either have FILE INFECTORS 
or SYSTEM or BOOT-RECORD INFECTORS. 
 
File infectors attach themselves to ordinary program files.  These 
usually infect other .COM and/or .EXE files.  Some have been known, 
though, to infect .SYS, .OVL, and other types of executable files. 
 
Breaking it down even further, there are two types of file infectors, 
a NON-RESIDENT or a MEMORY RESIDENT virus.  A Non-Resident virus selects 
one or more programs to infect at the time of execution, while a Memory 
Resident virus hides somewhere in memory.  The first time a memory resident 
virus infected program is executed it hides in memory, after that it 
begins to infect other programs when they are executed or when ever else 
the virus is programmed to do.  Most of the viruses written today are 
memory resident. 
 
SYSTEM or BOOT-RECORD INFECTORS are memory resident and infect certain 
system areas on a disk which are not ordinary files.  Boot-sector viruses 
infect only the DOS boot sector, and MBR viruses infect the Master Boot 
Record on fixed disks and the DOS boot sector on diskettes.  Some examples 
of this type of infector are the Brain, Stoned, and Michelangelo viruses. 
 
Some viruses do special 'tricks' in order to hide themselves from 
virus scanners.  Three of the most common types of viruses are the 
stealth, self-encrypting, and the even more powerful polymorphic virus. 
 
A STEALTH virus is a memory resident virus which hides by monitoring the 
system functions that read files or physical blocks, and make the results 
to be the original uninfected form of the file instead of the actual infected 
form.  This makes the virus go undetected by anti-virus scanners. 
 
A SELF-ENCRYPTING virus is one which encrypts itself using a key. 
When the virus executes, it uses this key to decrypt itself, and 
then performs the task it was written to do.  When completed, 
the virus uses this key to 'lock' itself with encryption. 
 
A POLYMORPHIC virus is a virus which produces various copies of itself. 
This makes it hard for virus scanners to detect because usually it 
will not be able to detect all instances of the virus.  One method a 
polymorphic virus uses is to choose a variety of different encryption schemes. 
Each one requiring different encryption algorithm.  A signature-driven 
virus scanner would have to use several signatures.  It would have to 
use one for each encrytion method.  Another type of polymorphic virus 
will vary the sequence of instructions by using unessesscary instructions 
like a No Operation instruction.  A signature-based virus scanner would 
not be able to reliably identify this sort of virus. 
 
The most sophisticated form of polymorphism discovered so far is the 
MtE "Mutation Engine" written by the Bulgarian virus writer Dark Avenger. 
It comes in the form of an object module, and when added to any virus, 
the result will be a polymorphic virus by adding certain call in the code 
and linking it to the mutation engine. 
 
Polymorphic viruses have made virus-scanning more difficult than ever. 
Normal signature strings will not be able to pick up these viruses. 
Complex algorithms will have to be created to detect these new viruses. 
 
Some viruses use special tricks to make the tracing, disassembling, 
and virus detection more difficult.  Probably the first method of 
making an old virus sneak by virus scanners was by PKLITEing them. 
This worked for a while until researchers picked up on this this little 
trick.  Then people moved onto LZ-EXE and DIET compressing files, but soon 
these tricks were picked up on.  One that is still able to slide by scanners 
is to PGM-PAK a file.  As of date, no scanner I have come across has been 
able to pick this one up. 
 
How to determine if you have been infected. 
------------------------------------------- 
 
A biological virus can only live as long as its host is alive, if it 
kills of its host, then it also dies.  This is also true with computer 
viruses.  They try to spread as much as possible before they try and 
kill the host computer.  This is the best time to try and remove the 
virus before any real damage is done. 
 
There are several things you should watch for if you think you might 
be infected with a virus.  Changes in a files size, date, and/or contents 
could mean that you are infected.  Also, missing RAM could be an 
indicator.  Watch for longer disk activity, system slowdown and other 
strange hardware behavior.  These factors could mean that you are 
infected with a virus. 
 
What to do if you think you are infected. 
----------------------------------------- 
 
Use the DOS MEM command.  MEM /C will tell you if there are any 
changes in your systems memory.  Also CHKDSK or publicly available 
utilities like PMAP or MAPMEM can help you notice any changes 
with system memory. 
 
Use several different virus scanners.  No one virus scanner is 100% 
perfect.  Later in the file I list the results of several different 
virus scanners of 700 various types of viruses.  You can use this to 
be a starting guide, and go from there to find out which virus scanner 
you like best. 
 
Be sure to scan Upper Memory (640k - 1024k) and High Memory (1024k - 
1088k).  It is possible for viruses to locate themselves in these areas, 
so be sure to scan in these locations.  Most scanners have a switch 
that will make them check the Upper and High memory locations. 
 
Virus Scanners: 
--------------- 
 
There are many virus scanners out on the market, but only a few 
are actually reliable.  Scan (McAfee Associates), F-Prot (Fridrik 
Skulason), and VireX PC (Datawatch) are the most widely known. 
Scan by McAfee Associates is probably used and trusted more than any 
of the other virus scanners out there.  It can be easily obtained off of 
any BBS, and updates come out regularly.  The problem is, McAfee 
associates are more into marketing than virus prevention.  They boast 
that they can detect over 2,149 viruses.  Well we have extracted the 
signature strings from Scan v104, and they only have 1131 viruses 
signature strings.  What happened to the remaining 569 viruses that 
it supposedly detects?  As you will see in the benchmarks that I did 
on the virus scanners later, Scan just isn't as good as some of the 
other virus scanners out there. 
 
McAfee Associates claim that there are 2,149 known viruses, and that 
Scan can detect all 2,149 of these.  During a conversation with them, I 
asked them how they handle polymorphic viruses, and all they had to say 
was very well, and it uses a special algorithm to detect them. 
 
F-Prot claims to pick up 95% of known viruses 
95% of those are picked up by signature strings, but in a few 
cases it uses algorithmic scan techniques for polymorphic viruses 
 
BenchMark: 
---------- 
 
700 Viruses Tested 
 
Scan v108 619 infected 
F-prot 2.09d Secure Scan 654 infected, 10 suspicous 
F-prot 2.09d Quick Scan 496 infected, 0 suspicous 
F-Prot 2.09d Huerstic Scan 654 infected, 10 suspicous 
MicroSoft's Dos 6.0 Msav 434 infected 
Virex 2.8 568 infected 
 
18 Trojans Tested 
 
Scan v108 0 
F-Prot 2.09d Secure Scan 14 
F-Prot 2.09d Quick Scan 0 
F-Prot 2.09d Huerstic Scan 14 
MicroSoft's Dos 6.0 Msav 0 
Virex 2.8 thought 1 trojan was a virus 
 
What to do if you are infected. 
------------------------------- 
 
Common rule: Do the minimum that you must to restore the system to 
a normal state. 
 
This is just common sense.  Why low-level format your Hard Drive 
when you could just delete an infected file, or run a virus cleaner 
on it. 
 
Start with booting the system from a CLEAN disk.  Use your original 
write-protected DOS diskette to boot from.  This will keep any boot- 
sector or other viruses from becoming active while booting. 
 
If you have a backup of the infected files, and if the backups are 
not infected, then this will be the best and easiest solution.  Just 
start copying the backed-up files over the infected files. 
 
If back-ups don't exist, or if you just don't want to go through all that 
trouble, then a disinfecting program can be used.  Since some viruses 
overwrite the files that they infect, those files can not be replaced 
because of the damage caused by overwriting.  If it is possible to 
disinfect the file, then use your favorite virus disinfector. 
 
If you have a boot sector infection.  Then an easy two-step method 
can be used.  First of all replace your MBR (Master Boot Record) by 
using a backup, or by using the FDISK/MBR command.  Then use the 
SYS command to replace the DOS boot sector. 
 
Virus Prevention: 
----------------- 
 
There are many things one can do to help prevent being infected by a 
virus.  First off, boot from a clean, write-protected diskette.  This 
will prevent any viruses from becomming active during the booting 
process.  This should stop most boot sector viruses which become active 
during booting. 
 
Another method is to have a memory resident virus scanner.  These 
programs monitor any unusual disk activity or 'virus like' instructions. 
Usually you can have different degrees of protection.  Ranging from no 
protection to being prompted for approval for any disk writes. 
 
You can also write-protect your harddrive.  This will stop viruses from 
spreading to the disk that is protected, but it doesn't stop the virus 
from running. 
 
Setting the DOS file attributes to READ ONLY doesn't always protect 
from viruses.  It may stop some viruses, but most override it, and 
infect as normal. 
 
Write protect your floppies.  Viruses can't infect a disk when it 
is write protected. 
 
 
Max Headroom 
              
 
 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 
= Questions, comments, bitches, ideas, etc : z1max@ttuvm1.ttu.edu :FUCK = 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 
= Official F.U.C.K. Distribution sites and information                  = 
= Board                     Number                Other                 = 
= -----                     ------                -----                 = 
= Ionic Destruction         215.722.0570          Eastern HQ            = 
= Flatline                  303.466.5368          Western HQ            = 
= Purple Hell               806.791.0747          Southern HQ           = 
= Culture Shock             717.652.5851          Dist.                 = 
= PCI                       806.794.1438          Dist.                 = 
= Celestial Woodlands       806.798.6262          Dist.                 = 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 
= Accounts NOT guaranteed on any F.U.C.K. distribution site. If you are = 
= interested in writing for, or in becoming a distribution site for     = 
= F.U.C.K. call the Woodlands, and apply for an account, or mail Max    = 
= at z1max@ttuvm1.ttu.edu or on the Woodlands. Knowledge is power...    = 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 
