- Path: sparky!uunet!ukma!cs.widener.edu!dsinc!netnews.upenn.edu!netnews.cc.lehigh.edu!news
- From: eugene@kamis.msk.su (Eugene V. Kaspersky)
- Newsgroups: comp.virus
- Subject: MegaVirus as Re: On the definition of viruses
- Message-ID: <0004.9301281842.AA17847@barnabas.cert.org>
- Date: 18 Jan 93 18:45:30 GMT
- Sender: virus-l@lehigh.edu
- Lines: 153
- Approved: news@netnews.cc.lehigh.edu
-
- Hello!
-
- Fred Cohen writes:
-
- > Computer viruses do not have to be malicious, they do not have
- > to be Trojan horses, and they do not have to enter without the
- > knowledge or consent of the user. Any definition that depends on
- > these properties depends on peoples' opinions, skills, and knowledge,
- > and are thus not "testable" in the scientific sense of the word.
-
- Yes, setting the virus definition is a very difficult task. I think that
- it is impossible to define the virus. A small example to begin with:
-
- One of my friends wrote a virus. It's an extremely primitive program that
- contains several MS-DOS commands which are united into one BAT file named
- VIRUS.BAT.
-
- echo ---
- echo Hello! I'm the virus!
- echo Look at your watch. Waiting ...
- pause
- echo Is today Friday, 13th ?
- echo If 'yes' please type FORMAT C: and say YES for all the questions.
- echo If it's not enough please drop your monitor and
- echo [...skiped...]
- echo If 'no' please copy this program to all your friends because
- echo this is a very useful program!
- echo ---
-
- Several color effects were also added to this BAT file.
- Is this a virus? No? One week after the first execution of this program
- about 100 computers were 'infected' by this ... program? ... virus? That
- is about half of all the computers of the company where this guy works
- now. The users like this program-joke and copy it. So this program
- replicates very well, its name is VIRUS.BAT and it's dangerous because it
- says "FORMAT C:" and a 'good user' can do this. Is this not a virus?
-
- Another example: virus-packer.
- This imaginary program stays resident and, on running any not packed COM or
- EXE file, asks: "Do you wish to PACK your program? <Y/N>" and then packs
- and appends itself to the packed file when 'Y' is pressed. On execution
- the 'infected' program types "I'm infected by VIRUS-PACK, do you wish to
- remove me? <Y/N>" and then unpacks the file and removes its body on 'Y' or
- stays memory resident on 'N'. Is this only a virus-like utility and not a
- virus?
-
-
- > So what is a computer virus? In simple terms, it is a sequence
- > of instructions that, when interpreted in an appropriate environment,
- > "replicates" in that at least one replica also "replicates", etc., ad
- > infinitum.
-
- The last condition is incorrect because there are viruses which
- replicate a limited number of times. I forgot the name of the example, but
- this virus contains a 'generation counter' and it does not replicate on
- generation N. So the condition must be: "it 'replicates' at least several
- (more than 1) times; in other cases this is a Trojan horse installer".
-
-
- > Want an example? A backup program replicates by making an
- > exact copy of itself (if it does a good job) on the backup media. In
-
- It's a bad example. MS-DOS, PC-DOS (I operate in IBM-PC terms only, sorry)
- are viruses also:
-
- - - they replicate:
- SYS A:
- COPY *.* A:
-
- - - they are very dangerous (I found only one MS-DOS security option, which
- is the two FAT copies);
-
- - - they load themselves silently and without user consent.
-
- MS-DOS is a virus! That is a shock for antiviral researchers and vendors!
- It's necessary to update all the antiviral databases.
-
-
- So I'll try to set several virus definitions.
-
- DEF_1: The virus
- > is a sequence
- > of instructions that, when interpreted in an appropriate environment,
- > "replicates" in that at least one replica also
- The virus is a useless program *and* it can't restore the infected object and
- remove itself by the 'DOS prompt' way.
-
- But this definition is bad also.
- There are several questions: what is a 'useless program'?
- The virus packer is a useful virus. What is 'remove itself by ... '?
- Could somebody extend this way of virus definition?
-
-
- And who says that the virus is 'a sequence of instructions'? A real
- virus can consist of several parts of code, *sequences* of instructions,
- i.e. several different files, sectors, RAM areas. Well, let this virus
- be named a 'multipartite virus'.
-
- So, MS-DOS is a useful program, but the MS-DOS floppy with a specific
- AUTOEXEC.BAT is a multipartite virus:
-
- AUTOEXEC.BAT:
-
- sys a:
- copy *.* a:\
- sys b:
- copy *.* b:\
- ...
- sys z:
- copy *.* z:\
-
- This MP-virus (multipartite virus) infects all the accessible logical disks
- very well.
-
- Well, let's examine all the sequences of instructions of all the computers.
- This multitude of files, sectors, RAMs is one great MP-virus (it's very
- dangerous and it can replicate). So,
-
- DEF_2: All the programs of all the computers are the parts of the World
- MegaVirus.
-
-
- DEF_3: It's impossible to set the virus definition.
-
- It's because viruses are manufactured by men and virus definitions
- are produced by men also. So if we state a new virus definition, there is
- someone who can write the counter-example virus. As a result the true
- virus definition is DEF_2 only.
-
- :-)
-
-
- Last note:
-
- > I'm really glad that I no longer sell virus defenses, because I think it's
- > a pretty shady business (except for a few good companies that tell the
- > truth about viruses and their products).
-
- It's a good statement but it's limited. It's better to say
-
- To sell [anything]
- > it's a pretty shady business (except for a few good companies that tell the
- > truth about
- [skipped]
- > their products).
-
-
- Best regards,
-
- Eugene
- - --
- - -- Eugene Kaspersky, KAMI Group, Moscow, Russia
- - -- eugene@kamis.msk.su, +7 (095) 499-1500
-