computer security.txt

1000 HOWTOs for various needs [WINDOWS]

                                    - 19 -

6.9  VIRUS DETECTOR AND ANTIDOTE SOFTWARE

          *** None offer complete protection ***

Some do NOT test for boot sector viruses, modification of the command
interpreter, branching into the BIOS, etc., unconventional things that
nasty viruses are known to do.  This is not a comprehensive list, but
you'll have an idea of what's available, either commercially or through
public domain.  Look for a product that will detect as many of the
effects identified in the previous section as possible.  Warning:  some
highly publicized virus detectors only search for ONE (1) virus!  Others
are more sophisticated, and may even act as a disinfector as well as a
detector.


Old virus symptoms vs file changes
Antidote
Antigen

Bombsqad
Canary
Cylene-4
C-4
Disk Defender * recommended (add-on board - write-protects hard disk)
Disk watcher
Dr. Panda Utilities
IBM - COMPare in DOS
Mace vaccine
Magic Bullets
Syringe
Sentry * recommended for systems booted regularly
Vaccine
Viraid
Virus-Pro * recommended for large corporate environments
Shareware:   Novirus
             Flushot4+
             Virusck
             Viruscan

Plus what's shown on preceding pages as a "Disinfector that works".  I
also have a list of over 100 shareware products that do everything from
detect and/or disinfect to write-protecting the hard drive and requiring
password access .... but my fingers are getting tired from typing at this
point, and there are more important things to cover - after all, if
you're careful, you won't need a list of detectors/disinfectors.



















                                 - 20 -

6.10  TROJAN HORSES

While a "virus" is something hidden within another program that is
waiting to make your system really sick, and a "worm" may be something
that lives on its own and usually transmits through networked computers, 
a "Trojan Horse" is a little of both, so I've included it with this virus
section if only to warn you of its existence.  It lives on its own as a
program, and will bring you down like Helen of Troy's soldiers.  "I
wouldn't copy something like that," you say.  Well, like Helen's horse,
it comes disguised.  It will purport to do something really neat, like
compress files (so you have more disk space available), sort your
directories (so you can find things more easily), or play chess or
another game with you.  In actuality, it's really just waiting to do the
things that viruses do - trash your files, scramble your boot sector, fry
your FAT, or erase your hard disk.  It doesn't usually do anything it
promises to do.

The following are just a few examples of the known Trojan Horses, most
of which come from bulletin boards.  Please don't misunderstand me, most
BB operators are honest people who are trying to help the computer
industry as a whole, but they can't be held responsible for the people
who might dial into their BB and leave a disaster waiting until the next
caller(s).


SCRNSAVE.COM:  This is supposed to blank your screen after x seconds of
               inactivity, thus preventing image burn-in or apparently
               offering a sense of security;  say goodbye to your files
               while it erases your harddisk.

TSRMAP:        For the 'sophisticated' user who uses Terminate and Stay
               Resident programs, it's sometimes handy to have a map of
               where these programs are loaded in memory, and be able to
               delete some if you're short of memory;  hopefully this
               same 'sophisticated' user has a copy of track 0, because
               his was just sent to heaven ..... or elsewhere.

DOS-HELP:      Sounds great, doesn't it?  This TSR program is supposed to
               give on-line help on DOS commands.  Your hard disk was
               just formatted.

ULTIMATE.EXE:  This is supposed to be a DOS shell (if you've used
               Directory Scanner or some other software that allows you
               to move around directories and load programs easily, or
               even a menu system, then you know what a DOS shell is). 
               While the "Loading..." message shows on your screen, the
               FAT (file allocation table) of your hard disk went to the
               trash bin.

BARDTALE.ZIP   This purports to be a commercial game from Electronic Arts
               (BARDTALE I)  Someone reverse engineered this program, and
               wrote in a routine to format your hard disk upon
               invocation.











                                 - 21 -

COMPRESS.ARC   This is dated April 1 1987, is executed from a file named
               RUN-ME.BAT, and is advertised as "shareware from Borland"
               (Borland is a highly reputable company).  It will not
               compress your files, but it will very competently destroy
               your FAT table.


DANCERS.BAS    You'll actually see some animated dancers in colour -
               while your FAT is being tromped on.

DEFENDER.ARC   Think you're going to get a copy of Atari's DEFENDER for
               nothing, huh?  There's still no such thing as a free
               lunch, and this one will be particularly expensive:  it
               not only formats your hard disk, but it writes itself to
               your ROM BIOS - the chip that holds the Basic Input Output
               System for your machine.  Get your wallet out.

SIDEWAYS.COM   The good "SIDEWAYS.EXE" is about 30Kb, while this version
               is about 3Kb.  The really big difference, though, is what
               happens to your hard drive - it's spun off into oblivion.


These are only a few of the 70 or so Trojans I have listed at work, but
I'm sure you've got the idea.  These programs (a) stand alone, (b) often
claim to do something useful, (c) may be hacked versions of good
software, (d) may be named the same as good software, (e) may send you
back to using a quill pen.





































                                 - 22 -

7.   PC RULES OF THUMB  (Additional to Basic Rules of Thumb)

Run virus check BEFORE backup

Boot floppy systems from known, protected disks only

Never work with masters - first make copies on a trusted machine

Store data on floppy:
     set path in autoexec.bat, but load from A: to 
     ensure data goes to floppy

Save your data periodically while working

Use write protect tabs

Use write protect software on hard disk / backup track 0

Never boot HD systems from floppies (unless known and
     protected)

New/repaired hard disk? - run a virus detector

Use protection package (practice safe hex)

Avoid shareware / BB demos
     if you use a BB, set path to A: beforehand,
     download only to A:, poweroff immediately after,
     then powerup and do a virus scan on the floppy;
     always scan shareware

Know the source of your software

Don't use illegal copies

If your data is truly confidential, don't depend on
     DELETE - you must use, e.g., Wipefile

Autopark software

Hardcards























                                 - 23 -

6.   A FEW EASY TRICKS FOR PC SECURITY


1.   Set Read only attributes on all files ending with .COM, .EXE, .SYS,
     . OVL,  .BIN,  .BAT

          e.g.:     ATTRIB +R *.SYS



2.   Use an undocumented trick in DOS of naming your data files ending
     with an ASCII blank or NUL character (ASCII 32 or 255): ***

          e.g.:     COPY  A:OLDFILE.TXT  NEWFILECHR$(255).TXT
              or    REN  A:MYFILE.DAT  MYFILECHR$(32).DAT

     ***  Newer versions of DOS will give the ASCII blank or null by
          holding the [Alt] key and striking the numeric keypad numbers;
          e.g.  COPY  A:OLDFILE.TXT  NEWFILE[Alt]255



3.   Prevent inadvertent formatting of the hard disk:

          Rename FORMAT.EXE to (e.g.) DANGER.EXE
          Write a 1-line batch file called FORMAT.BAT:
               DANGER A: %1 %2 %3 %4 %5 %6


4.   Have a batch program as a shutdown routine, to run:

          1. Virus Check
          2. Copy Track 0
          3. Back up your data files
          4. Park the heads





























                                 - 24 -

9.   SO YOU'RE INFECTED


Terminate all connections with other computers

Record your last activities

Determine the nature and extent of the damage

Notify other users

Contact the source of the carrier software

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 


Back up data files to new diskettes

Erase infected disk (using high or low level format -
     low level is preferred to re-write track 0)

Check master disks with detection program(s)

Restore system files

Restore data files

Run detection program(s) again

Be careful in future - think like a thief!
                       ------------------