-----BEGIN PGP SIGNED MESSAGE-----

Written By: Michael Paris (Cris)

THE BEGINNERS GUIDE TO VIRUS RESEARCH
Part One: EXE & COM Infectors
Just The Start

Well, to start with, this was supposed to go another way than it has. This article was supposed to be written already and complete, but the person who started it had a hard disk failure and will not be able to start it over with his schedule. So I will be forced to write this article fast and sloppy. I hope what I think of here will serve as some help to those out there with questions.

Seeing this is the "Beginners Guide", I will keep it at just that, and assume you know nothing at all about computer viruses. The first things that should be mentioned are the tools you will need to get you started and some simple rules for the beginner.

TOOLS NEEDED FOR THE BEGINNER

1. Anti-Virus Software

This will depend on what you plan on doing. Your idea of researching might be scanning a virus to see what it scans as, or maybe you will want to run the file, see what it infects and be done with it. In either case you will want to try a number of different scanners. To begin with you might want to get all of them you can get your hands on to further your knowledge, but here we will mention some of the best known for their reputation.

TBAV

TBAV is one of the best to use for what you will need. A registered copy is what you will want if you are serious; TBAV has some registered-only options that you will be using as you learn more. In the tests we have run here it seems to be the best for catching viruses that others miss. It has many options and modes that are not in other scanners, and in these modes it seems to do the better job. Thunderbyte also sells a hardware card that you will want if you really start to get into researching. With the hardware card you will be able to rest at ease that your data will be 100% safe.

   Thunderbyte USA
   P.O. Box 527
   Dagsboro, DE 19939
   Phone: (302) 732-3105
   Fax:   (302) 732-3105
   BBS:   (302) 732-6399

F-PROTECT

F-Prot is a good tool you will use for virus names; it is one of the best for this, seeing it uses the CARO naming standard. The names you find for viruses when scanning with F-Prot will be closer than any other scanner's at this time to the real names and variant names. It will find most of the viruses out there, but at this time it will only allow for ten user-definable strings (virus signatures), where TBSCAN will allow as many as you want to add. These strings will be used more as you go on to researching new viruses that are not yet in the scanners. You will be able to add the virus to your personal copy of your virus scanner when you get to that point, or add viruses yourself from our signature reports as we release them.

These two scanners are the main ones you will want to use, but there are others that will help in other areas. You might want to check out others for yourself to see who is on the ball. Other noted programs might be: McAfee's SCAN, CPAV, NAV, VIRUSBUSTER, UTScan, VirexPC, Anti-Virus Toolkit and others.

2. Reference

It will be a big help to find info on viruses before you run the files. This way you will know what to expect them to do. One of the best tools for this will be Patricia M. Hoffman's Virus Information Summary List (VSUM). This is a very easy to use information tool. It is menu driven and all you have to do is look up the virus name. There are also functions to do searches for viruses that might be under another name. There are other summary lists you can get that will help for even more info; Vbase would be one. Then there are text files of lots of information at your fingertips. A lot of this text is on the BBS, but you will want to start with Vsum or Vbase.

3. Virus Shell

A lot of the anti-virus software has memory resident software included. You will want to load something like Vsafe, which comes with DOS 6.0, or something that does the same thing. Remember we are starting with simple .COM and .EXE infecting files here; when you move on to other files you will want added protection. A lot of the newer viruses today will slip by this kind of protection, but you will want it for these older files you will be testing to start out with. These shell programs will aid you in seeing just what the virus wants to do and what file it is going to infect, and in most cases give you the option to infect the file or stop on the spot.

4. A Second Computer Just For Testing

This is nice. You should be using a computer that you will not have to worry about the data on, but this is not always the case. Computers cost money, and for some of us it is hard to come by. In any case, you should back up all of your data before ever attempting to run a virus. If you do not, be sure that you will lose it all. Someday it will happen, take my word for it. Back up your computer!

5. Bait Files

It is good to have some bait files handy. These will be files that you keep in a directory and have the virus you are running infect. They can be copies of any program on your computer that you put into a directory, ready to copy into the directory you will be testing in. You can use someone's already made up bait files to start with. The advantage of that type of bait file is that the file sizes will be even, like 1000, 2000, 3000, etc. With these files you will be able to see the file size changes real easy. If you use your own DOS files, make sure they are copies, and that you have the file sizes and the dates written down.

6. Screen Capture Utility

There will be times you will want to take a picture of your screen. If a car starts driving across your screen you will want to take a picture of the moment in history.
Or let's say a slot machine pops up and tells you that your FAT has just been deleted and to take your chance at getting it back on the slot machine. You can be sure that you will not win, so take a picture of this moment. You probably will not try this every time you want to play a game, and if you want to show a friend what it does, just show him the picture. Here is an example of this:

   DISK DESTROYER ∙ A SOUVENIR OF MALTA

   I have just DESTROYED the FAT on your Disk !!
   However, I have a copy in RAM, and I`m giving you
   a last chance to restore your precious data.

   WARNING: IF YOU RESET NOW, ALL YOUR DATA WILL BE LOST - FOREVER !!

   Your Data depends on a game of JACKPOT

   CASINO DE MALTE JACKPOT

   ╔═╗ ╔═╗ ╔═╗
   ╫£╫ ╫?╫ ╫¢╫
   ╚═╝ ╚═╝ ╚═╝

   CREDITS : 5

   £££ = Your Disk
   ??? = My Phone No.

   ANY KEY TO PLAY

7. Boot Disk

You will want to make a bootable disk in case you need it to clean the boot sector, or to stop an infection that got away from you. To make this disk, put a disk in your drive A: and type:

   format A:/s {enter}

This will make you a disk to get back into the system. You might want to do a directory on the disk and make sure COMMAND.COM is on it. You can test to see if the system is on the disk by typing:

   dir a:/ah {enter}

If the system is on the disk you will see the hidden files on the disk. Now either put a write protect tab on the disk, or if it is a 3.5 inch disk open the hole, to make sure nothing can be copied to it. Before you write protect the disk, you might want to put utilities on it like DOS CHKDSK, FORMAT, SYS.COM, FDISK, a virus scanner, etc.

STARTING THE RESEARCH

Ok, now we are ready. Remember to be careful; if you are not sure of something, or have that funny feeling, go over your checklist. This is something you do not want to make any mistakes with. And PLEASE, read this entire document before trying anything. This is meant as a guide, not something that is right in ALL cases.

1. Pick your virus.

2. Copy it into a secure directory.

3. Scan the file with everything you have, and write down exactly what it scans as. McAfee and others will always be off a bit on most viruses; you can count on F-Prot most of the time to have the right name. If your virus is not found by at least two of the scanners, do not go by the name on the file. Delete it and start again at step one. If the name on the file goes with the virus description you got from the scanner, there is a good chance that you have the right name.

4. Look up your virus in Vsum or Vbase or both. Find it and read the info (ALL of it). If you do not find it listed anywhere, and have made a real good check, delete the file and start at step one again.

5. Assuming you have found a file in one of the Vbases, read all of the info before you continue. If you are not sure that the virus is the one you scanned, pick another virus. Now that you are sure, look at what the virus does. If it says that they are not sure if it does anything but replicate, delete the file and start over. We want you to start with something where you are aware of what is going to happen, no surprises. Read the info and be sure that this is what you want to test. From reading the info you can pick something that does little or no damage. If you wish, you may look through Vsum or Vbase, find something you want to test, and look for the file on the BBS.

6. Make sure that the file is not memory resident. If you are ready for that, fine, but if this is your first time we would rather you chose a simple .COM infector. If you want to live dangerously, fine though. Ok, copy your bait files into the directory with the virus.

7. Load your memory resident shell. If you are using Vsafe from DOS 6.0 or CPAV, type Alt-V on your keyboard. This will allow you to choose what you want to protect: a little window will pop up and allow you to choose options. This will also be the time to load your other memory resident programs, like your screen capture utility.

8. Take note of the sizes and dates of the bait files in the directory, and also the size and date of the virus.

9. Now you may run the virus in the current directory. Watch to see what it wants to do; your shell will let you know what it is trying to do. Either it will try to go memory resident and try to infect files (it should tell you which ones it is trying to infect) and ask you if it is ok, or it will try to infect files in the current directory or path. If the virus spawns, it might write .EXE files into the current directory or path the same size as the virus. Sometimes these spawn files will be hidden files; type "dir /ah {enter}" to see the hidden files.

Ok, now that you have infected everything in your directory that you wanted to, by typing both the virus name and running the different files in the directory, like BAIT1.EXE, BAIT1.COM, etc., you are ready to shut your computer down. Do -NOT- use Ctrl-Alt-Delete to do this. Turn the power off on the machine, wait a few seconds, and turn it back on.

It would be good to use a small program like Bill Lambden's boot test included in this newsletter. This is a simple batch file that you can call from the AUTOEXEC.BAT file. You will need the archive program for this and make a simple directory for it, but it is a simple program and worth adding for the restart here. This is what my .BAT file looks like; you can add the files for compare that you want. (Read Bill's article in this newsletter, or in VLD Volume 6 Issue 100, for the instructions.)

   rem This is bait.bat
   CLS
   C:
   CD\UPTEST
   rem Throw away last boot's archive and pack fresh copies of the files to watch
   DEL VIRUS.LZH
   LHA A -A VIRUS \COMMAND.COM \util\l.* \dos\edit.* \zip\pkunzip.exe
   rem Compare with BAIT.LZH, the archive made the same way when the system was clean.
   rem /B makes FC compare byte for byte; in text mode it would stop at the first Ctrl-Z in the archive.
   FC /B BAIT.LZH VIRUS.LZH
   CD\

A handy batch file indeed. Now that you have rebooted, you can scan the files in your test directory and see which files are infected. From this point you know whether the virus worked or not. You can also run the virus and try to get it to do other things it is supposed to do.
For example, let's say you are working with an original copy of Yankee Doodle. You can run the file, then change the time in your DOS (by typing "time {enter}") and set the clock to right before the virus is supposed to activate. Or let's say the virus displays a message after so many infections. Infect that many files until you get the message. At this point you can do a screen capture of the message.

If you have had a fear of viruses, do this a few times and the fear will leave. There is so much fear out there that people are afraid to even have a .ZIP file on their computer with a virus in it, much less unzipping and scanning it. If you have a fear like this, try unzipping a virus into a directory and scanning it. After you scan the file, delete it. Now scan your entire hard disk. You will never see infection, because you deleted the virus file, and never ran it in the first place. Now do it again, and again, until your fear leaves. You will quickly come to the realization that unzipping this virus, or having it, will not destroy your computer. Running it might, so do not get over confident.

TROUBLE SHOOTING

Question: I run the virus file, but it locks the machine.

Answer: This could be a number of things. Check to see that the virus can work with the config that you have; it could be conflicting with some sort of setup you have. Try different configs. Another possibility would be that the virus does not work with your processor, i.e. an XT machine. Remember, the person that wrote the virus checked it, and it probably worked on his machine, but like any software out there, some has problems running on different machines. Try a different machine. If the writer is available through Crisnet or NukeNet, post to the writer and see if he has any suggestions. Also, if the virus comes with source, recompile the file and try it again; it could be that the file got corrupted somehow.
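Steps 8 and 9 above, and Bill's bait.bat, are both a baseline-and-compare: record what the test directory looked like before the run, then look for bait files that changed and for spawn files (a new .COM or .EXE with the same name as an existing program, usually the size of the virus, often hidden). The script below is an added example written for this guide; it is not part of the original article nor of Bill Lambden's boot test, and it assumes a modern Python 3 on the test machine rather than DOS. The directory C:\UPTEST is the one from the batch file above; the file names in the test data are constructed. It keeps a hash as well as size and date, because a virus that restores the date, or fits itself into unused space in the file, leaves nothing for DIR to show.

```python
"""Bait-directory baseline and compare (added example; not part of the article
or of Bill Lambden's boot test).  Usage on the test machine:

    python baitcheck.py before C:\\UPTEST before.json
    ... run the sample, power off, reboot from the write-protected disk ...
    python baitcheck.py after  C:\\UPTEST before.json 1044

The last argument is the sample's size from step 8, used to spot spawn files.
"""
import hashlib
import json
import os
import stat
import sys
from dataclasses import asdict, dataclass

EXECUTABLE_EXTS = (".COM", ".EXE")


@dataclass(frozen=True)
class Entry:
    size: int
    mtime: int    # whole seconds, the resolution DIR shows as date/time
    sha256: str   # catches infections that leave size and date unchanged
    hidden: bool  # spawn files are often written with the hidden attribute


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_hidden(path):
    # Windows: the attribute bit that DIR /AH lists; elsewhere fall back to dot-files.
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or os.path.basename(path).startswith(".")


def snapshot(directory):
    """Record every file in the directory, keyed by upper-cased name (DOS ignores case)."""
    entries = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            st = os.stat(path)
            entries[name.upper()] = Entry(st.st_size, int(st.st_mtime), hash_file(path), is_hidden(path))
    return entries


def diff_snapshots(before, after, sample_size=None):
    """Compare two snapshots.  Returns lists of modified, new and deleted names,
    plus 'spawn' (new COM/EXE sharing a base name with an existing file and
    matching the sample's size) and 'spawn_suspect' (same pattern, other size:
    scan it before running anything, it may be a trojan rather than a copy)."""
    report = {"modified": [], "new": [], "deleted": [], "spawn": [], "spawn_suspect": []}
    for name, old in before.items():
        new = after.get(name)
        if new is None:
            report["deleted"].append(name)
        elif (new.size, new.mtime, new.sha256) != (old.size, old.mtime, old.sha256):
            report["modified"].append(name)
    stems_before = {os.path.splitext(n)[0] for n in before}
    for name in sorted(after.keys() - before.keys()):
        report["new"].append(name)
        stem, ext = os.path.splitext(name)
        if stem in stems_before and ext in EXECUTABLE_EXTS:
            key = "spawn" if sample_size in (None, after[name].size) else "spawn_suspect"
            report[key].append(name)
    return report


def format_report(report, after):
    """One line per finding, DIR-style: kind, name, size, hidden flag."""
    lines = []
    for kind in ("modified", "new", "deleted", "spawn", "spawn_suspect"):
        for name in report[kind]:
            e = after.get(name)
            detail = f"{e.size:>8} {'hidden' if e.hidden else ''}" if e else ""
            lines.append(f"{kind:<14}{name:<14}{detail}")
    return "\n".join(lines) if lines else "no changes"


def save_snapshot(entries, path):
    with open(path, "w") as f:
        json.dump({n: asdict(e) for n, e in entries.items()}, f, indent=1)


def load_snapshot(path):
    with open(path) as f:
        return {n: Entry(**d) for n, d in json.load(f).items()}


if __name__ == "__main__":
    mode, directory, snap = sys.argv[1:4]
    if mode == "before":
        save_snapshot(snapshot(directory), snap)
    else:
        size = int(sys.argv[4]) if len(sys.argv) > 4 else None
        now = snapshot(directory)
        print(format_report(diff_snapshots(load_snapshot(snap), now, size), now))
```

Take the "before" snapshot right after step 8 and keep before.json off the test directory (on the write-protected boot disk is a good place), so the sample cannot touch it. A spawn entry of the virus's exact size is the companion file the guide describes; a spawn_suspect entry of some other size is the case the troubleshooting section warns about, and gets scanned, not run.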
Question: I scan the file and it scans as the virus, but when I execute it, it just returns the prompt with no infection.

Answer: First see if there is a disk write when you do this. It might be making spawn files. Spawn files are sometimes hidden in the directory you are testing your viruses in. Type "dir /ah" to look for hidden files, or look in the directory for duplicate file names with different extensions (usually with the same file size as the virus). For example:

   VIRUS    COM    1044  10-29-59
   FORMAT   COM   42250  09-10-92
   FORMAT   EXE    1044  10-29-59

If you see these spawn type files, and they are not the exact same size, scan the directory again and make sure the spawn files scan as the virus. It may be that they are trojan files that will run when you try to run your program. If the spawned files do not scan, this will be a good thing to check out; if they do not scan and you run the file, you could lose your hard disk. Or it could be that this file is not a virus, or is a bad or damaged file.

Another thing you would want to check is whether this virus only infects files on a certain number of executions. Try running the file several times. It could be looking for a number of files in the current directory also, or maybe a file with a certain file name, or files that meet certain specs. Something like this will take some time, but it is worth what you find in the end.

Question: I scan my hard disk and it reports a virus in memory even after I rebooted.

Answer: Do you have Vsafe or another memory resident scanner loaded at the same time? If so, some scanners will report infection when these programs are loaded together. Unload the memory resident scanner and try the one that reported the infection again. You also might have gotten one of the files run from your AUTOEXEC.BAT or CONFIG.SYS infected. Reboot with a write protected boot disk and scan again. You can also run the BAIT.BAT file we talked about earlier in this lesson. You may have encountered a boot sector infector; type "fdisk /mbr {enter}".

Question: I ran the virus and it formatted my hard disk.

Answer: You did not read the Vsum info right, or the info was wrong. This is why we say to back up your hard disk first. REMEMBER, you are at risk here, at any time, no matter how safe it looks, of having your FAT destroyed, disk formatted, data lost, etc. Always back up your machine before testing.

Question: I did not scan the file, look it up or follow any of the instructions here. I unzipped all of the files I had into one directory and ran all of the files one at a time until a message came up on the screen that said "You Dumb ASS .... I just Wiped your Hard disk".

Answer: The message you got says it all.

These files can be requested from Cris BBS at:

   Cris BBS  708-863-5285  1:115/863 or 77:708/0

   TBAV      (Last copy of TBAV)
   SCAN      (Last copy of McAfee's Scan)
   VSUM      (Last copy of Vsum)
   F-PROT    (Last copy of F-Protect)
   PGPKEY    (Cris PGP Signature)
   NODELIST  (Last Crisnet Nodelist)
   CRIS      (Information about Joining Crisnet and research)

-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQBVAgUBLNc4B6M4CDusTF+9AQHNzgIAkbBgy6OWyPi9MhLPOA7tFnj3rzSdUDw2
/dpkJIrowcr1mZoD4xqWzZ46OzMiJRcSqIHaJjmde408RS5zz3sdGA==
=TUqS
-----END PGP SIGNATURE-----