Bill Lambdin's Fourth test of IV.
InVircible 6.10c tested February 13, 1996
This is my fourth test of InVircible, called IV later in this
document. Unfortunately, IV has failed again. Pay close attention to
the results dealing with Jerusalem.antiscan, Lehigh, Pinky.952, and
Tremor.
IV combines a virus scanner (IVscan) and generic A-V routines (IVB,
IVINIT, IVTEST, and others). After testing, I am unable in good
conscience to recommend IV as either a scanner or generic A-V
software, because of security flaws.
I will NOT recommend IV until it passes my test. I do not recommend
A-V software lightly.
Some insisted this report contain everything I did. If you find this
too boring, please skim down to the section "VIRUSES USED", then read
this boring part later.
This test was performed on a 33 MHz 486 computer with 4 MEG of RAM
and a 170 MEG IDE hard drive. See FINAL COMMENTS below.
I started by performing the following tasks.
a. Backed up the hard drive.
b. Prepared a bootable diskette with the necessary programs I
would need during this test.
c. Placed the viruses to be used during the test on a second
diskette.
d. Placed the bait files to be used during this test on a third
diskette.
e. Formatted the hard drive with a minimum DOS 6.2.
f. Wrote minimum CONFIG.SYS and AUTOEXEC.BAT files.
CONFIG.SYS
FILES=30
BUFFERS=30
AUTOEXEC.BAT
PATH=C:\
I run this test on this type of system because there is less to
clean up, and it saves a lot of time.
g. Installed InVircible 6.10C on the hard drive.
h. Copied the bait files to the hard drive.
i. Had IV prepare the ResQdisk for the system I was testing IV
on.
IV complained SYS.COM was not present in the path. I rebooted
from a system diskette and copied SYS.COM to the hard drive,
then rebooted from the hard drive and had IV prepare the
rescue diskette.
j. Archived the files on the hard drive to a diskette. This is a
backup so I could restore the files on the hard drive quickly.
k. Ran CHK-SAFE to calculate MD5 hash values for the files prior
to infection, so I could determine whether IV detected all
infected files and repaired the files to the byte, as IVB and
IVSCAN claim to do.
VIRUSES USED IN THE TEST.
Cascade.1701.b
This virus was selected because it is a simple resident
appending virus.
IVINIT.EXE reported
"WARNING! activity of a memory resident virus
detected!"
After successfully reporting this virus active in RAM, I booted
clean from the rescue diskette and ran IVB to detect the
infected files.
(A clean boot is to turn off the computer, insert a
bootable diskette in A:, like the system diskette that
comes with DOS, turn on the computer, and boot from
this diskette.)
I ran IVB /R to remove the virus from the files. IVB reported
the infected files had been restored to their original status.
I calculated new MD5 hash values for the files after
infection and removal, then compared these hash values to the
ones I had prepared earlier. The hash values matched.
Success
Emmie.2823
This virus was selected because it is a resident and
partially stealthed appending infector of .COM files.
It doesn't modify the entry point of files. The virus
puts a JMP to its body not at the beginning of the
file, but at the place where the initial JMP at the
beginning of the file points to.
IVINIT.EXE reported
"Warning! activity of a memory resident virus
detected"
After successfully reporting this virus active in RAM, I booted
clean from the rescue diskette and ran IVB to detect infected
files. IVB correctly detected the infected file.
I ran IVB /R to remove the virus from the infected files. IVB
reported the files had been restored to their original status.
I calculated new MD5 hash values for the files, then compared
these to the hash values prepared prior to infection. The hash
values matched.
Success
Frodo.Frodo.A
This virus was selected because it is a resident,
appending, fully stealthed virus.
IVINIT.EXE reported
"Warning! a stealthy virus is active"
After successfully reporting this virus active in RAM, I booted
clean from the rescue diskette and ran IVB from the rescue
diskette. IVB reported four infected files.
I ran IVB /R to remove the virus, and IVB reported these four
files had been cleaned.
I calculated new MD5 hash values for the files, then compared
these to the hash values prepared prior to infection. The hash
values matched.
Success
Jerusalem.Antiscan
This virus was selected because it is a resident .COM
and .EXE file infector. It prepends on .COM files and
appends on .EXE files.
IVINIT.EXE reported
"Activity of a memory resident virus detected"
After successfully reporting this virus active in RAM, I booted
clean from the rescue diskette. I ran IVB to detect the
infected files. IVB reported the infected files, and reported
that IVINIT grew in size by 1609 bytes.
The IV modules are supposed to detect infection and repair
themselves if infected, to prevent piggybacking.
I ran IVB /R, and IV reported the files had been restored to
their original status.
Partial failure (because IVINIT.EXE was infected, and
did not report this infection or clean itself to
prevent piggybacking).
Lehigh.A
This virus was selected because it is a resident
infector of COMMAND.COM. The virus is written to a
cavity inside COMMAND.COM. There is no filesize
increase to COMMAND.COM.
When running another file after this virus was run, the system
hangs.
I rebooted the computer (from the hard drive).
At bootup IVINIT.EXE reported
"The COMSPEC data has changed. this might indicate an
infection."
"Do you accept the change? Please confirm! [Y/N]?"
After successfully reporting this virus, I booted clean from
the rescue diskette. I ran IVB, and it reported "COMMAND.COM
was modified, not necessarily by a virus".
I ran IVB /R to remove the virus. IVB reported "COMMAND.COM
changed in size by 0 bytes. COMMAND.COM is restored to it's
original status."
I calculated new MD5 hash values for the files after
infection and removal, and compared them to the ones on file.
The hash values did not match.
Before infection by Lehigh
COMMAND.COM 54619 09-30-93 06:20 c98e0df201047722fec01cfda0db3ce0
After infection by Lehigh
COMMAND.COM 54619 09-30-93 06:20 71612f0eea595e731c544185c1e6831b
Partial failure (on detection): IV did not properly label
this change to COMMAND.COM as due to a virus.
Failure (on removal): The virus was reportedly removed,
but the file was NOT returned to its original uninfected
status. The "clean" file was a somewhat corrupted file that
should not be trusted.
Pinky.952
This virus was selected because it is a resident
companion infector.
IVINIT.EXE reported
"Warning! a companion virus to this program
was found!"
After successfully reporting a companion virus, I booted clean
from the rescue diskette and ran IVB. IVB mindlessly added
file signatures for the additional 952-byte .COM files to the
integrity datafile and reported "All file(s) match their
recorded signature(s)".
IV reports companion infectors that use the same name as an IV
module, but disregards the others.
Partial failure.
Tremor
This virus was selected because it is a resident,
appending, polymorphic, fully stealthed, and tunneling
virus. This virus is in the wild.
IVINIT.EXE reported
"No virus activity detected in memory!"
IVTEST.EXE reported
"No virus activity detected at this time!"
IVB.EXE reported
"All file(s) match their recorded
signature(s)."
Since none of these reported anything while Tremor
was active in RAM, users would incorrectly
assume there is no virus activity while Tremor
continued to infect their programs.
Since IV's modules were unable to detect Tremor active in RAM
or on infected files while Tremor is active, users of IV are
very susceptible to this and other similar viruses.
The only way IV can find Tremor is to boot clean and run IVB
from the secured rescue diskette mentioned earlier. After I
booted clean and IV was in a position to take control, IV
found Tremor easily.
How are users supposed to know there is anything wrong, and
know to boot clean from a secured diskette?
Failure.
FINAL COMMENTS.
IVTEST runs bait files to entice viruses to infect them. There are
seven problems with this.
a. Not all viruses will infect the same bait files.
b. The bait files are too small. 8 Tunes refuses to infect any
files smaller than 9216 bytes, Tremor refuses to infect any
files smaller than 10240 bytes, and there are other viruses
that refuse to infect anything smaller than 30720 bytes.
c. Icelandic.Saratoga only infects every 10th .EXE file run.
Even if the .EXE file were appropriate for Icelandic.Saratoga
to infect, there is only a 1 in 10 chance of Saratoga
infecting the bait file.
d. These bait files still do not detect companion infectors.
e. These bait files will not detect path companion infectors.
f. IVTEST cannot detect non-resident file infectors, as
demonstrated with the Trivial.45.A virus.
g. Boot sector viruses do not infect files.
IV still doesn't detect Tremor in RAM or on infected files when Tremor
is active. Tremor hooks INT 21h and steals 4228 bytes of RAM.
IVB still doesn't detect many companion infectors.
IVB doesn't detect path companion infectors.
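An added example, my own illustration for this report and not code from IV or its author, of the check the Pinky.952 result and points d and e above call for: rather than silently adding signatures for new .COM files, a generic checker can ask which file DOS would actually run for each program name and flag any executable that is now shadowed. It models the search order the glossary describes (each directory in turn, .COM before .EXE before .BAT) and goes a step beyond the Pinky case by covering path companions too; the directory layout and file names are constructed for the demonstration.

```python
"""Which file does DOS actually run? A shadow check for companion infectors."""
import os
import tempfile

# DOS search order for a name typed without an extension: each directory in
# turn, trying .COM, then .EXE, then .BAT (the precedence the glossary describes).
EXTS = (".COM", ".EXE", ".BAT")

def dos_resolve(search_dirs, name):
    """Return the file DOS would execute for `name`, or None if nothing matches."""
    for d in search_dirs:
        for ext in EXTS:
            candidate = os.path.join(d, name.upper() + ext)
            if os.path.isfile(candidate):
                return candidate
    return None

def find_shadowed(search_dirs):
    """Map each executable that is no longer the first match for its own name
    to the file that now runs instead: X.EXE shadowed by X.COM in the same
    directory (Pinky-style), or by X.* in a directory earlier in the PATH."""
    shadowed = {}
    for d in search_dirs:
        for fname in os.listdir(d):
            stem, ext = os.path.splitext(fname.upper())
            if ext not in EXTS:
                continue
            full = os.path.join(d, fname)
            winner = dos_resolve(search_dirs, stem)
            if winner and os.path.normcase(winner) != os.path.normcase(full):
                shadowed[full] = winner
    return shadowed

def demo():
    """Constructed layout (assumed, for illustration): PATH is UTIL then APPS.
    WP.EXE gains a 952-byte WP.COM beside it; EDIT.EXE is shadowed by an
    EDIT.COM dropped into UTIL, earlier in the PATH; SAFE.EXE is untouched."""
    root = tempfile.mkdtemp()
    util, apps = os.path.join(root, "UTIL"), os.path.join(root, "APPS")
    for d in (util, apps):
        os.mkdir(d)
    layout = ((apps, "WP.EXE", 40000), (apps, "WP.COM", 952),
              (apps, "EDIT.EXE", 30000), (util, "EDIT.COM", 700),
              (apps, "SAFE.EXE", 1000))
    for d, fname, size in layout:
        with open(os.path.join(d, fname), "wb") as fh:
            fh.write(b"\x90" * size)  # filler bytes, not code
    found = find_shadowed([util, apps])
    return {os.path.basename(v): (os.path.basename(os.path.dirname(w)),
                                  os.path.basename(w)) for v, w in found.items()}
```

A checker that adds a signature for every new file it sees, as IVB did here, would record WP.COM and EDIT.COM as legitimate; this check instead reports which originals they displace.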
IVB still doesn't check the entire file, but only gathers a small
signature from file areas likely to be modified by a virus. This is
flawed technology at best, and does fail to detect several types of
viruses.
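An added example, not IV's code or algorithm, showing why a signature taken only from the entry point and file end can miss the Lehigh case while a full-file MD5, as used with CHK-SAFE in this test, does not. The head-and-tail signature is an assumption standing in for IVB's undocumented method, and the host file and the two modifications are constructed byte patches, not real virus code.

```python
"""Full-file MD5 vs a partial head/tail signature against a same-size cavity change."""
import hashlib

HEAD = 64  # assumed: bytes at the file start covered by the partial signature
TAIL = 64  # assumed: bytes at the file end covered by the partial signature

def full_md5(data):
    """Hash every byte, as CHK-SAFE did in the test."""
    return hashlib.md5(data).hexdigest()

def partial_sig(data):
    """Stand-in for a signature that samples only the regions an appending
    virus changes (entry point, file tail, size). Assumption, not IVB's method."""
    sample = data[:HEAD] + data[-TAIL:] + len(data).to_bytes(4, "little")
    return hashlib.md5(sample).hexdigest()

def baseline(data):
    return {"size": len(data), "full": full_md5(data), "partial": partial_sig(data)}

def verify(base, data):
    """Report what each method notices about the current file contents."""
    return {"size_changed": len(data) != base["size"],
            "partial_detects": partial_sig(data) != base["partial"],
            "full_detects": full_md5(data) != base["full"]}

def make_host(size=54619, cavity_at=20000, cavity_len=600):
    """Constructed stand-in for COMMAND.COM: repeated code bytes with a
    zero-filled buffer (a cavity) in the middle. Same size as the file
    listed above; the contents are not."""
    body = bytearray((b"\xB8\x00\x4C\xCD\x21" * (size // 5 + 1))[:size])
    body[cavity_at:cavity_at + cavity_len] = b"\x00" * cavity_len
    return bytes(body)

def cavity_change(host, cavity_at=20000, filler=b"\xEB\xFE" * 50):
    """Lehigh-style modification: overwrite the cavity; size and entry point unchanged."""
    body = bytearray(host)
    body[cavity_at:cavity_at + len(filler)] = filler
    return bytes(body)

def appending_change(host, extra=b"\xCC" * 1701):
    """Cascade-style modification: patch a JMP at the entry point and append."""
    body = bytearray(host)
    body[0:3] = b"\xE9" + (len(host) - 3).to_bytes(2, "little")
    return bytes(body) + extra
```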
IVB Still doesn't give the users an option to check the
integrity of all files. Many viruses also infect
files regardless of extension as they are loaded and
executed with DOS function call 4Bh when accessed
through INT 21h. Two good examples of executable
files with non executable extensions are the small
programs in Side Kick, and PC-Tools Desktop.
IVB still places the integrity data files on the hard drive, leaving
them open to attack from viruses. There are several viruses
that delete the integrity datafiles used by CPAV, MSAV, NAV, NOVI,
and others. Users can rename the integrity datafiles used
by IVB, and the hypertext online manual suggests that users
rename the integrity datafiles. But a virus would only need
to check the filenames in directories and, when it encounters
the same filename in multiple directories, delete these
files.
In my honest opinion, generic A-V software should use one of
the two options below.
1. Place all integrity datafiles on a secure diskette.
2. Place all integrity data in one data file, and allow users
to rename this integrity datafile.
IVB still names all integrity data files the same. Any virus could be
modified to delete these integrity data files.
If the integrity data files are corrupted or deleted, the generic
detection, and generic removal capabilities are rendered
non functional.
If the integrity datafiles are deleted, IVB generates a new
integrity data file for the directory. I might add that
this new integrity data file is generated AFTER
infection, so IV can't detect or remove the virus
because IV doesn't have a file signature that was
generated before infection.
I wish Zvi would close these security problems in IV. I have been
complaining about many of these same security problems since version
5.07, which I tested in August 1994.
For anyone wishing to duplicate any portion of this test, here are
the contents of the archive tested.
----------------------------------------------------------------------
Searching ZIP: INVBFREE.ZIP
Length Method Size Ratio Date Time CRC-32 Attr Name
------ ------ ----- ----- ---- ---- -------- ---- ----
3719 DeflatN 1524 60% 01-24-96 00:04 826edb7b --w- AGENTS.LST
548 DeflatN 368 33% 01-24-96 00:34 d4ff2a53 --w- AVEXTRA.TXT
548 DeflatN 368 33% 01-24-96 00:34 d4ff2a53 --w- EXPIRY.TXT
250 DeflatN 207 18% 01-24-96 00:32 fa3237da --w- FILE_ID.DIZ
14999 DeflatN 14560 3% 11-17-95 06:10 c19a8e1a --w- FIND-SIG.EXE
1421 DeflatN 698 51% 01-24-96 00:20 e4104d71 --w- FIXBOOT.DOC
16365 DeflatN 15878 3% 01-23-96 06:10 21c5cf52 --w- FIXBOOT.EXE
13468 DeflatN 13029 4% 11-17-95 06:10 ac6e0f9e --w- GET-HD.EXE
27156 DeflatN 10228 63% 11-17-95 11:52 7536c6ed --w- HISTORY.TXT
39400 DeflatN 38058 4% 01-01-96 06:10 c39b1331 --w- INSTALL.EXE
35729 DeflatN 34706 3% 01-01-96 06:10 16fe57d8 --w- IV.EXE
2608 DeflatN 415 85% 09-03-95 06:10 eb8bb52c --w- IV.ICO
545 DeflatN 159 71% 09-17-95 17:23 3bdda439 --w- IV.PIF
13691 DeflatN 5403 61% 01-24-96 00:17 59dffb10 --w- IV4WIN95.TXT
69090 DeflatN 68945 1% 01-24-96 00:07 fa6d6d9f --w- IV4WIN95.ZIP
39892 DeflatN 38653 4% 01-24-96 00:35 7f901cf7 --w- IVB.EXE
924 DeflatN 728 22% 01-01-96 14:50 95fa9116 --w- IVB.NTZ
22197 DeflatN 21591 3% 09-03-95 06:10 6baa5a14 --w- IVHELP.EXE
41676 DeflatN 21197 50% 11-17-95 11:45 a3c44ccb --w- IVHELP.H!
28572 DeflatN 27785 3% 01-01-96 06:10 5f717488 --w- IVINIT.EXE
18938 DeflatN 18385 3% 01-01-96 06:10 607086ea --w- IVLOGIN.EXE
91007 DeflatN 90907 1% 01-24-96 00:18 d40e8621 --w- IVMANUAL.ZIP
53118 DeflatN 51550 3% 01-01-96 06:10 fee1db81 --w- IVSCAN.EXE
21201 DeflatN 20615 3% 01-01-96 06:10 dc0656c4 --w- IVTEST.EXE
34292 DeflatN 33304 3% 01-01-96 06:10 0a6393e3 --w- IVX.EXE
167148 DeflatN 78309 54% 12-28-95 02:13 7db38f14 --w- MANUAL.H!
5678 DeflatN 5477 4% 11-17-95 06:10 e70ab8aa --w- NOCMOS.EXE
5527 DeflatN 2496 55% 10-02-95 21:07 cf6a54d6 --w- README.1ST
3349 DeflatN 1341 60% 01-24-96 00:16 09cb6c9b --w- REGISTER.TXT
40653 DeflatN 39406 4% 01-01-96 06:10 1f3f146d --w- RESQDISK.EXE
5259 DeflatN 2292 57% 10-25-95 17:57 59ab5b5d --w- UPGRADE.TXT
2386 DeflatN 1131 53% 11-17-95 12:10 d15a80b9 --w- WHATSNEW.10C
------ ------ --- -------
821354 659713 20% 32
----------------------------------------------------------------------
GLOSSARY
Appending: These viruses are tacked onto the end of the file and
modify a JMP instruction at the beginning of the file so that it
runs the virus, which then returns to the host file.
Bait files: These are small do nothing programs that attempt to
entice viruses to infect them.
Boot Sector Virus: These viruses infect the boot sector of
diskettes, and the Master Boot Record, or boot sector
of hard drives.
Cavity virus: A virus that writes itself into a cavity, an area in
a file filled with a series of identical bytes (00, 20, 90, etc.).
This usually represents an internal buffer for the program.
Companion Infectors: These viruses generally create small .COM
files with the same name as an .EXE file (these .COM
files are placed in the same directory). If you do not
specify an extension, DOS tries to load a .COM file with
the same filename first. The .COM file contains the
virus with a link to run the .EXE file after the virus
has run.
Data file: These are small files (created by A-V software) that
contain information about the files on the computer, and
other data about the file.
Fully stealthed File infectors: The virus will temporarily
disinfect infected host files when the infected host
files are opened for any reason, then reinfect the
file when the file is closed.
Overwriting Virus: These viruses generally overwrite the beginning
of .COM files (trivial.vootie.66.a overwrites the beginning of all
files in the current directory). The host file is corrupted and
will no longer run.
Path Companion Infectors: PATH companions do not rely on
the existence of an EXE file and do not necessarily
put their body in a file with a COM extension. They
just copy themselves in a directory which is listed
earlier in the PATH than the directory of the attacked
file - and copy themselves in a file with the same
name as the name of the attacked file; the extension
doesn't matter.
Polymorph: The virus mutates on every infection, so the virus
never looks the same twice. A simple scan string to
detect the virus is useless.
Prepending: A prepending virus is a virus which inserts itself
at the beginning of the file, shifting the original
file backwards.
Resident: These viruses hook interrupts and remain active in RAM.
Stealthed Boot sector viruses: These intercept the call to
access the MBR, then display the uninfected copy of the
MBR. An example of a stealthed boot sector virus is NO-INT.
Trojan: This is a program that appears to do something useful,
but is slyly doing something destructive.
Tunneling: Tunneling is a technique used by viruses to bypass
resident software that monitors or attempts to stop
disk access.