Bill Lambdin's Fourth Test of IV
InVircible 6.10c, tested February 13, 1996

This is my fourth test of InVircible, called IV later in this document.

Unfortunately, IV has failed again. Pay close attention to the results dealing with Jerusalem.Antiscan, Lehigh, Pinky.952, and Tremor.

IV combines a virus scanner (IVSCAN) and generic A-V routines (IVB, IVINIT, IVTEST, and others). After testing, I am unable to recommend IV, either as a scanner or as generic A-V software, in good conscience because of security flaws. I will NOT recommend IV until it passes my test. I do not recommend A-V software lightly.

Some insisted this report contain everything I did. If you find this too boring, please skim down to the section "VIRUSES USED IN THE TEST", then read this boring part later.

This test was performed on a 33 MHz 486 computer with 4 MEG of RAM and a 170 MEG IDE hard drive. See FINAL COMMENTS below.

I started by performing the following tasks:

a. Backed up the hard drive.
b. Prepared a bootable diskette with the necessary programs I would need during this test.
c. Placed the viruses to be used during the test on a second diskette.
d. Placed bait files to be used during this test on a third diskette.
e. Formatted the hard drive and put a minimum DOS 6.2 on it.
f. Wrote minimum CONFIG.SYS and AUTOEXEC.BAT files:

   CONFIG.SYS
     FILES=30
     BUFFERS=30

   AUTOEXEC.BAT
     PATH=C:\

   I run this test on this type of system because there is less to clean up, and it saves a lot of time.

g. Installed InVircible 6.10C to the hard drive.
h. Copied the bait files to the hard drive.
i. Had IV prepare the ResQdisk for the system I was testing IV on. IV complained SYS.COM was not present in the path. I rebooted from a system diskette and copied SYS.COM to the hard drive, then rebooted from the hard drive and had IV prepare the rescue diskette.
j. Archived the files on the hard drive to a diskette. This is a backup so I could restore the files on the hard drive quickly.
k. Ran CHK-SAFE to calculate MD5 hash values for the files prior to infection, so I could determine whether IV detected all infected files and repaired the files to the byte, as IVB and IVSCAN claim to do.

VIRUSES USED IN THE TEST

Cascade.1701.b

This virus was selected because it is a simple resident appending virus.

IVINIT.EXE reported "WARNING! activity of a memory resident virus detected!"

After successfully reporting this virus active in RAM, I booted clean from the rescue diskette and ran IVB to detect the infected files. (A clean boot is to turn off the computer, insert a bootable diskette in A:, like the system diskette that comes with DOS, turn on the computer, and boot from this diskette.)

I ran IVB /R to remove the virus from the files. IVB reported the infected files had been restored to their original status.

I calculated new MD5 hash values for the files after infection and removal, then compared these hash values to the ones I had prepared earlier. The hash values matched.

Success.

Emmie.2823

This virus was selected because it is a resident, partially stealthed, appending infector of .COM files. It doesn't modify the entry point of files. The virus puts a JMP to its body not at the beginning of the file, but at the place where the initial JMP at the beginning of the file points to.

IVINIT.EXE reported "Warning! activity of a memory resident virus detected"

After successfully reporting this virus active in RAM, I booted clean from the rescue diskette and ran IVB to detect infected files. IVB correctly detected the infected file. I ran IVB /R to remove the virus from the infected files. IVB reported the files had been restored to their original status.

I calculated new MD5 hash values for the files, then compared these to the hash values prepared prior to infection. The hash values matched.

Success.

Frodo.Frodo.A

This virus was selected because it is a resident, appending, fully stealthed virus.

IVINIT.EXE reported "Warning! a stealthy virus is active"

After successfully reporting this virus active in RAM, I booted clean from the rescue diskette and ran IVB from the rescue diskette. IVB reported four infected files. I ran IVB /R to remove the virus, and IVB reported these four files had been cleaned.

I calculated new MD5 hash values for the files, then compared these to the hash values prepared prior to infection. The hash values matched.

Success.

Jerusalem.Antiscan

This virus was selected because it is a resident .COM and .EXE file infector. It prepends on .COM files and appends on .EXE files.

IVINIT.EXE reported "Activity of a memory resident virus detected"

After successfully reporting this virus active in RAM, I booted clean from the rescue diskette. I ran IVB to detect the infected files. IVB reported the infected files, and reported that IVINIT grew in size by 1609 bytes. The IV modules are supposed to detect infection and repair themselves if infected, to prevent piggybacking. I ran IVB /R, and IV reported the files had been restored to their original status.

Partial failure (because IVINIT.EXE was infected, and did not report this infection or clean itself to prevent piggybacking).

Lehigh.A

This virus was selected because it is a resident infector of COMMAND.COM. The virus is written to a cavity inside COMMAND.COM; there is no file size increase to COMMAND.COM. When running another file after this virus was run, the system hangs. I rebooted the computer (from the hard drive). At bootup IVINIT.EXE reported "The COMSPEC data has changed. This might indicate an infection. Do you accept the change? Please confirm! [Y/N]?"

After successfully reporting this virus, I booted clean from the rescue diskette. I ran IVB, and it reported "COMMAND.COM was modified, not necessarily by a virus". I ran IVB /R to remove the virus. IVB reported "COMMAND.COM changed in size by 0 bytes. COMMAND.COM is restored to it's original status."
I calculated new MD5 hash values for the files after infection and removal, and compared them to the ones on file. The hash values did not match.

Before infection by Lehigh:
  COMMAND.COM  54619  09-30-93  06:20  c98e0df201047722fec01cfda0db3ce0

After infection by Lehigh:
  COMMAND.COM  54619  09-30-93  06:20  71612f0eea595e731c544185c1e6831b

Partial failure (on detection): IV did not properly label this change to COMMAND.COM as due to a virus.

Failure (on removal): The virus was reportedly removed, but the file was NOT returned to the original uninfected status. The "clean" file was a somewhat corrupted file that should not be trusted.

Pinky.952

This virus was selected because it is a resident companion infector.

IVINIT.EXE reported "Warning! a companion virus to this program was found!"

After successfully reporting a companion virus, I booted clean from the rescue diskette and ran IVB. IVB mindlessly added file signatures for the additional 952-byte .COM files to the integrity data file and reported "All file(s) match their recorded signature(s)". IV reports companion infectors that use the same name as an IV module, but disregards the others.

Partial failure.

Tremor

This virus was selected because it is a resident, appending, polymorphic, fully stealthed, tunneling virus. This virus is in the wild.

IVINIT.EXE reported "No virus activity detected in memory!"
IVTEST.EXE reported "No virus activity detected at this time!"
IVB.EXE reported "All file(s) match their recorded signature(s)."

Since none of these reported anything while Tremor was active in RAM, users would incorrectly assume there is no virus activity while Tremor continued to infect their programs. Since IV's modules were unable to detect Tremor active in RAM, or on infected files while Tremor is active, users of IV are very susceptible to this and other similar viruses. The only way IV can find Tremor is to boot clean and run IVB from the secured rescue diskette mentioned earlier. After I booted clean and IV was in a position to take control, IV found Tremor easily. How are users supposed to know there is anything wrong, and know to boot clean from a secured diskette?

Failure.

FINAL COMMENTS

IVTEST runs bait files to entice viruses to infect them. There are seven problems with this:

a. Not all viruses will infect the same bait files.
b. The bait files are too small. 8 Tunes refuses to infect any files smaller than 9216 bytes, Tremor refuses to infect any files smaller than 10240 bytes, and there are other viruses that refuse to infect anything smaller than 30720 bytes.
c. Icelandic.Saratoga only infects every 10th .EXE file run. If the .EXE file were appropriate for Icelandic.Saratoga to infect, there is only a 1 in 10 chance of Saratoga infecting the bait file.
d. These bait files still do not detect companion infectors.
e. These bait files will not detect path companion infectors.
f. IVTEST can not detect non-resident file infectors, as demonstrated with the Trivial.45.A virus.
g. Boot sector viruses do not infect files.

IV still doesn't detect Tremor in RAM or on infected files when Tremor is active. Tremor hooks INT 21h and steals 4228 bytes of RAM.

IVB still doesn't detect many companion infectors.

IVB doesn't detect path companion infectors.

IVB still doesn't check the entire file, but only gathers a small signature from file areas likely to be modified by a virus. This is flawed technology at best, and it does fail to detect several types of viruses.

IVB still doesn't give the users an option to check the integrity of all files. Many viruses also infect files regardless of extension, as they are loaded and executed with DOS function call 4Bh when accessed through INT 21h. Two good examples of executable files with non-executable extensions are the small programs in SideKick and PC-Tools Desktop.

IVB still places the integrity data files on the hard drive, leaving them open to attack from viruses. There are several viruses that delete integrity data files used by CPAV, MSAV, NAV, NOVI, and others. Users can rename the integrity data files used by IVB, and the hypertext online manual suggests that users rename the integrity data files. But a virus would only need to check the filenames in directories, and when it encounters the same filename in multiple directories, delete these files.

In my honest opinion, generic A-V software should use one of the two options below:

1. Place all integrity data files on a secure diskette.
2. Place all integrity data in one data file, and allow users to rename this integrity data file.

IVB still names all integrity data files the same. Any virus could be modified to delete these integrity data files. If the integrity data files are corrupted or deleted, the generic detection and generic removal capabilities are rendered non-functional. If the integrity data files are deleted, IVB generates a new integrity data file for the directory. I might add this new integrity data file is generated AFTER infection, so IV can't detect or remove the virus because IV doesn't have a file signature that was generated before infection.

I wish Zvi would close these security problems in IV. I have been complaining about many of these same security problems since version 5.07, which I tested in August 1994.

For anyone wishing to duplicate any portion of this test, here are the contents of the archive tested.
----------------------------------------------------------------------
Searching ZIP: INVBFREE.ZIP

 Length  Method    Size  Ratio  Date      Time   CRC-32    Attr  Name
 ------  ------   -----  -----  ----      ----   --------  ----  ----
   3719  DeflatN   1524   60%   01-24-96  00:04  826edb7b  --w-  AGENTS.LST
    548  DeflatN    368   33%   01-24-96  00:34  d4ff2a53  --w-  AVEXTRA.TXT
    548  DeflatN    368   33%   01-24-96  00:34  d4ff2a53  --w-  EXPIRY.TXT
    250  DeflatN    207   18%   01-24-96  00:32  fa3237da  --w-  FILE_ID.DIZ
  14999  DeflatN  14560    3%   11-17-95  06:10  c19a8e1a  --w-  FIND-SIG.EXE
   1421  DeflatN    698   51%   01-24-96  00:20  e4104d71  --w-  FIXBOOT.DOC
  16365  DeflatN  15878    3%   01-23-96  06:10  21c5cf52  --w-  FIXBOOT.EXE
  13468  DeflatN  13029    4%   11-17-95  06:10  ac6e0f9e  --w-  GET-HD.EXE
  27156  DeflatN  10228   63%   11-17-95  11:52  7536c6ed  --w-  HISTORY.TXT
  39400  DeflatN  38058    4%   01-01-96  06:10  c39b1331  --w-  INSTALL.EXE
  35729  DeflatN  34706    3%   01-01-96  06:10  16fe57d8  --w-  IV.EXE
   2608  DeflatN    415   85%   09-03-95  06:10  eb8bb52c  --w-  IV.ICO
    545  DeflatN    159   71%   09-17-95  17:23  3bdda439  --w-  IV.PIF
  13691  DeflatN   5403   61%   01-24-96  00:17  59dffb10  --w-  IV4WIN95.TXT
  69090  DeflatN  68945    1%   01-24-96  00:07  fa6d6d9f  --w-  IV4WIN95.ZIP
  39892  DeflatN  38653    4%   01-24-96  00:35  7f901cf7  --w-  IVB.EXE
    924  DeflatN    728   22%   01-01-96  14:50  95fa9116  --w-  IVB.NTZ
  22197  DeflatN  21591    3%   09-03-95  06:10  6baa5a14  --w-  IVHELP.EXE
  41676  DeflatN  21197   50%   11-17-95  11:45  a3c44ccb  --w-  IVHELP.H!
  28572  DeflatN  27785    3%   01-01-96  06:10  5f717488  --w-  IVINIT.EXE
  18938  DeflatN  18385    3%   01-01-96  06:10  607086ea  --w-  IVLOGIN.EXE
  91007  DeflatN  90907    1%   01-24-96  00:18  d40e8621  --w-  IVMANUAL.ZIP
  53118  DeflatN  51550    3%   01-01-96  06:10  fee1db81  --w-  IVSCAN.EXE
  21201  DeflatN  20615    3%   01-01-96  06:10  dc0656c4  --w-  IVTEST.EXE
  34292  DeflatN  33304    3%   01-01-96  06:10  0a6393e3  --w-  IVX.EXE
 167148  DeflatN  78309   54%   12-28-95  02:13  7db38f14  --w-  MANUAL.H!
   5678  DeflatN   5477    4%   11-17-95  06:10  e70ab8aa  --w-  NOCMOS.EXE
   5527  DeflatN   2496   55%   10-02-95  21:07  cf6a54d6  --w-  README.1ST
   3349  DeflatN   1341   60%   01-24-96  00:16  09cb6c9b  --w-  REGISTER.TXT
  40653  DeflatN  39406    4%   01-01-96  06:10  1f3f146d  --w-  RESQDISK.EXE
   5259  DeflatN   2292   57%   10-25-95  17:57  59ab5b5d  --w-  UPGRADE.TXT
   2386  DeflatN   1131   53%   11-17-95  12:10  d15a80b9  --w-  WHATSNEW.10C
 ------           -----  -----                                    -------
 821354          659713   20%                                     32 files
----------------------------------------------------------------------

GLOSSARY

Appending: These viruses are tacked onto the end of the file and modify a JMP instruction at the beginning of the file so that it runs the virus, which then returns to the host file.

Bait files: These are small do-nothing programs that attempt to entice viruses to infect them.

Boot sector virus: These viruses infect the boot sector of diskettes, and the Master Boot Record or boot sector of hard drives.

Cavity virus: A virus that writes itself into an area in a file where there is a series of identical bytes (00, 20, 90, etc.). This area usually represents an internal buffer for the program.

Companion infectors: These viruses generally create small .COM files with the same name as an .EXE file (these .COM files are placed in the same directory). If you do not specify an extension, DOS tries to load a .COM file with the same filename first. The .COM file contains the virus with a link to run the .EXE file after the virus has run.

Data file: These are small files (created by A-V software) that contain information about the files on the computer, and other data about each file.

Fully stealthed file infectors: The virus will temporarily disinfect infected host files when the infected host files are opened for any reason, then reinfect the file when the file is closed.

Overwriting virus: These viruses generally overwrite the beginning of .COM files (Trivial.Vootie.66.A overwrites the beginning of all files in the current directory). The host file is corrupted and will no longer run.
Path companion infectors: PATH companions do not rely on the existence of an .EXE file and do not necessarily put their body in a file with a .COM extension. They just copy themselves into a directory which is listed earlier in the PATH than the directory of the attacked file, into a file with the same name as the attacked file; the extension doesn't matter.

Polymorph: The virus mutates on every infection, so the virus never looks the same twice. A simple scan string to detect the virus is useless.

Prepending: A prepending virus is a virus which inserts itself at the beginning of the file, shifting the original file backwards.

Resident: Hooks interrupts and remains active in RAM.

Stealthed boot sector viruses: These intercept the call to access the MBR, then display the uninfected copy of the MBR. An example of a stealthed boot sector virus is NO-INT.

Trojan: This is a program that appears to do something useful, but is slyly doing something destructive.

Tunneling: Tunneling is a technique used by viruses to bypass resident software that monitors or attempts to stop disk access.
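The Lehigh result (same size, different MD5) and the FINAL COMMENTS on integrity checking come down to the same three requirements: hash every byte of a file rather than a sampled "signature", keep the baseline somewhere a virus on the hard drive cannot reach, and treat an unexplained new file beside an executable as suspect rather than quietly adding it to the baseline. The following is an added example written for this page, not Bill Lambdin's code and not part of InVircible or CHK-SAFE. It builds a pre-infection baseline of a small constructed directory tree, then reproduces the three situations the report describes (a same-size cavity change to COMMAND.COM, a .COM companion beside an .EXE, and a same-name file earlier in PATH) and shows what a whole-file checker reports for each. File names and contents in demo() are constructed stand-ins, not real DOS binaries; the directory list passed to path_companion_candidates() stands in for the PATH variable.

```python
"""Added example (not Bill Lambdin's code and not part of InVircible):
an integrity checker that does what the FINAL COMMENTS fault IVB for not
doing. Every file is hashed in full, the baseline is returned to the caller
to store off-volume (a write-protected diskette in 1996 terms), and
companion / path-companion candidates are reported instead of being added
to the baseline. Everything created in demo() is a constructed stand-in."""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Digest of every byte of the file. algo="md5" gives the kind of value
    CHK-SAFE printed in the report; sha256 is the sensible default today."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> (size, digest) for every file under root.
    Take this BEFORE any suspected infection and keep it off the volume."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): (p.stat().st_size, file_digest(p))
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root, baseline):
    """Compare the tree against the pre-infection baseline. A file whose size
    is unchanged but whose digest differs (the Lehigh / COMMAND.COM case)
    lands in 'modified'; a 'restored' claim is believed only when the digest
    matches the baseline again."""
    current = build_baseline(root)
    return {
        "modified": [n for n, v in current.items() if n in baseline and v != baseline[n]],
        "new": [n for n in current if n not in baseline],
        "missing": [n for n in baseline if n not in current],
    }


def companion_candidates(root):
    """Pinky-style companions: a .COM next to an .EXE with the same basename.
    DOS runs the .COM first when the extension is left off."""
    root = Path(root)
    hits = []
    for exe in root.rglob("*"):
        if not (exe.is_file() and exe.suffix.lower() == ".exe"):
            continue
        for sib in exe.parent.iterdir():
            if (sib.is_file() and sib.suffix.lower() == ".com"
                    and sib.stem.lower() == exe.stem.lower()):
                hits.append((sib.relative_to(root).as_posix(),
                             exe.relative_to(root).as_posix()))
    return sorted(hits)


def path_companion_candidates(path_dirs, target):
    """Path companions: any file carrying the target's basename (any
    extension) in a directory listed earlier in PATH than the target's own."""
    target = Path(target)
    hits = []
    for d in path_dirs:
        d = Path(d)
        if d.resolve() == target.parent.resolve():
            break  # reached the target's own directory; later entries lose
        if d.is_dir():
            hits += [f.as_posix() for f in d.iterdir()
                     if f.is_file() and f.stem.lower() == target.stem.lower()]
    return hits


def demo():
    """Constructed scenario: baseline a tiny tree, apply the three kinds of
    change described in the report, and return what the checker finds."""
    c = Path(tempfile.mkdtemp()) / "C"
    (c / "DOS").mkdir(parents=True)
    (c / "UTIL").mkdir()
    (c / "COMMAND.COM").write_bytes(b"MZ" + b"\x90" * 100 + b"\x00" * 400)  # has a 0x00 cavity
    (c / "DOS" / "FORMAT.COM").write_bytes(b"\xe9\x00\x00" + b"\x90" * 60)
    (c / "UTIL" / "EDIT.EXE").write_bytes(b"MZ" + b"\x00" * 300)
    baseline = build_baseline(c)

    # 1. Lehigh-style cavity change: same size, different content
    data = bytearray((c / "COMMAND.COM").read_bytes())
    data[102:152] = b"\xcc" * 50
    (c / "COMMAND.COM").write_bytes(bytes(data))
    # 2. Pinky-style companion: EDIT.COM dropped beside EDIT.EXE
    (c / "UTIL" / "EDIT.COM").write_bytes(b"\xb8\x00\x4c\xcd\x21")
    # 3. path companion: FORMAT.<anything> in a directory earlier in PATH
    (c / "FORMAT.BAT").write_bytes(b"@echo constructed\r\n")

    report = verify(c, baseline)
    report["companions"] = companion_candidates(c)
    report["path_companions"] = path_companion_candidates(
        [c, c / "DOS"], c / "DOS" / "FORMAT.COM")
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run stand-alone, demo() lists COMMAND.COM under "modified" even though its size did not change, which is exactly the distinction IVB's "changed in size by 0 bytes ... restored" message failed to make; the two dropped files appear under "new" and are also flagged as companion and path companion candidates rather than being signed into the baseline.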