combinations of situations listed may be considered worth
investigating, whereas others may not.
Simply put, a faulty EXE header is nothing to be
alarmed about. A faulty EXE header with code written to
format disks located in a graphics utility is probably
something to worry about.
Fortunately, most heuristic scanners have a rating
system, where certain traits are considered non-threatening.
An example would be where a decryption routine is used, but
no damaging code appears to be hiding inside. Only files
which contain potentially virus-like code (for instance, one
which is encrypted, contains code to determine if a file is
a .COM or .EXE file, goes TSR, and is able to bypass DOS to
write to the hard drive) are considered suspicious enough
for further investigation.
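The rating system described above, as an added example that is not part of the original text or of any named scanner: each trait carries a weight, damage-capable traits are distinguished from merely odd ones, and a few combinations score more than the sum of their parts. The trait names, weights, bonuses and threshold are all assumptions chosen for illustration.

```python
# Added example (not from the original text): a heuristic rating
# system of the kind the text describes. Trait names, weights and
# the threshold are assumptions for illustration, not a real scanner's.

# Weight per trait: a trait on its own is low-value evidence.
TRAIT_WEIGHTS = {
    "faulty_exe_header": 1,        # common in legitimate but sloppy binaries
    "decryption_routine": 1,       # packers and protectors use these too
    "checks_com_or_exe": 2,        # file-type discrimination, typical of infectors
    "goes_tsr": 2,                 # stays resident after the program exits
    "bypasses_dos_disk_write": 3,  # writes to disk below the DOS services
    "disk_format_code": 4,         # code capable of formatting disks
}

# Traits that can actually cause damage; a file with none of these is
# treated as non-threatening however many other traits it shows.
DAMAGING = {"bypasses_dos_disk_write", "disk_format_code"}

# Combinations worth more than the sum of their parts (assumed values).
COMBINATION_BONUS = {
    frozenset({"decryption_routine", "checks_com_or_exe",
               "goes_tsr", "bypasses_dos_disk_write"}): 4,
    frozenset({"faulty_exe_header", "disk_format_code"}): 3,
}

SUSPICIOUS_THRESHOLD = 6


def score(traits):
    """Sum the trait weights plus every combination bonus that fully applies.

    Returns (total, fired_combinations) so a report can explain the rating."""
    present = frozenset(traits)
    unknown = present - set(TRAIT_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown traits: {sorted(unknown)}")
    total = sum(TRAIT_WEIGHTS[t] for t in present)
    fired = [combo for combo in COMBINATION_BONUS if combo <= present]
    total += sum(COMBINATION_BONUS[c] for c in fired)
    return total, fired


def rate(traits):
    """Classify a file's trait set as clean, investigate or suspicious."""
    total, _ = score(traits)
    if not set(traits) & DAMAGING:
        return "clean"          # no damage-capable code: not worth a second look
    if total >= SUSPICIOUS_THRESHOLD:
        return "suspicious"     # enough evidence to warrant investigation
    return "investigate"        # damaging capability present but weak evidence


def report(name, traits):
    """One human-readable line per file, including why it scored as it did."""
    total, fired = score(traits)
    combos = [sorted(c) for c in fired]
    return f"{name}: {rate(traits)} (score {total}, combinations {combos})"


if __name__ == "__main__":
    # Constructed trait findings for three hypothetical files.
    for name, traits in [
        ("GRAPH.EXE", ["faulty_exe_header"]),
        ("PACKED.COM", ["decryption_routine"]),
        ("SUSPECT.EXE", ["faulty_exe_header", "disk_format_code"]),
    ]:
        print(report(name, traits))
```

A faulty header alone, or a decryption routine with nothing damaging behind it, rates clean; the same faulty header alongside disk-formatting code crosses the threshold because of both the heavy trait and the combination bonus.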
Heuristics are especially suited for use in
conjunction with another method of virus detection such as
change-checking. As well, some viruses have been written
with specific routines to render certain heuristic scan
techniques useless against them. This is not as problematic
as the virus writers assume. Once the virus begins
infecting other files, their heuristic information will
change, thus giving the computer user a valuable clue.
Appropriate actions should be taken on any file that changes
for no recognizable reason.
Virus Cleaning Strategies
There are presently only four virus cleaning methods
available. They are simple erasure, database cleaning,
integrity check cleaning and simulation cleaning. Each has
its own vices and virtues.
Simple Erasure
This is the only cure for overwriting viruses. This
type of virus writes its code over the top of the victim's entry
code. The virus does not restore the entry code when the
infected file is executed. Overwriting viruses are rare, as
they are extremely noticeable.
Companion viruses, which infect .EXE files by creating
a .COM file bearing the same name, are also cured by simple
erasure of the .COM files they generate. Once the virus is
deleted, the file is no longer infected. It must be noted
that most companion viruses employ hidden files to remain
unnoticed. Using a command-line interface such as Microsoft
Shell or Norton Commander will quickly uncover these hidden
files, as will the DOS program, ATTRIB. Companion virus
technology is explained in more depth later.
Any file infected by a virus may be deleted, then
reinstalled (excluding boot sector and master boot record
files). In rare cases, like those mentioned above, erasure
may be the only method available. In the case of appending
viruses (viruses which restore the original file before
executing it) deletion is time consuming and unnecessary,
as they may be removed using any of the ensuing cleaning
methods.
Note: Most database cleaners provide automatic
deletion of files which are infected by overwriting viruses,
and often can erase companion viruses.
Database Cleaning
This is the most common method of virus cleaning
simply because it is directly related to scan-string
technology; McAfee's CLEAN-Up program employs this
technique.
As long as the cleaning program being utilized is able
to recognize the virus, it will usually be able to restore
the file. Information on what to do with the virus, and
where to find the original file startup code are stored
within the cleaner's database. This information is
referenced to restore the victim's startup code and truncate
the file back to its original state.
The only drawbacks are that this technology cannot
clean unfamiliar viruses (sometimes even if only one byte
has been changed from a previously scannable virus), and
that there is a risk that the file will be damaged instead
of cleaned if the scanner program used finds incorrect scan
strings. Many virus cleaning programs will check the file
to determine if the virus identification used is correct.
Integrity Checker Cleaning
This form of cleaning is surprisingly simple. If a
file does not match the information stored in the integrity-
check file, it can often be repaired via the information
that is known about the file's clean state.
For instance: If the file is 1000 bytes longer than
its record lists, and the first three bytes are not the
same, then there is a good chance that the file may be
repaired by replacing the original first three bytes, then
chopping off the extra 1000 bytes. This only works for
appending viruses. Considering that the vast majority of
viruses that infect executable files (.COM and .EXE) are
of this type, the odds are in your favour.
The drawbacks of this style of cleaning are glaring.
Using this technique on a file infected with a prepending
virus, which locates its viral code at the beginning instead
of the end of the victim, will destroy the file.
Overwritten files will remain, although the first few bytes
may have been changed. This could cause a variety of
problems. Usually the system will crash if the "cleaned"
file is executed.
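The integrity-check repair described above, together with its drawbacks and the change-checking mentioned earlier under heuristics, as an added example that is not part of the original text or of any named product. It records a clean file's length, first three bytes and a hash; later it reports what changed, and attempts the "restore the first bytes, chop the tail" repair only for a file that has grown. The hash is the safeguard the text's caveat calls for: if the candidate does not hash back to the recorded clean state (as with a prepending or overwriting infection), the file is reported unrepairable instead of being mangled. The sample files are constructed stand-ins containing no real viral code.

```python
# Added example (not from the original text): an integrity-check
# cleaner for appending infections of small flat executables, with
# the prepending/overwriting caveat handled by verifying the hash.
import hashlib
from typing import Optional

HEAD_LEN = 3  # bytes an appending virus typically overwrites with its jump


def record_clean(data: bytes) -> dict:
    """Build the integrity record from a file known to be clean."""
    return {
        "length": len(data),
        "head": data[:HEAD_LEN],
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def check(data: bytes, rec: dict) -> dict:
    """Report how a file differs from its record (the change check)."""
    return {
        "length_delta": len(data) - rec["length"],
        "head_changed": data[:HEAD_LEN] != rec["head"],
        "hash_matches": hashlib.sha256(data).hexdigest() == rec["sha256"],
    }


def repair_appending(data: bytes, rec: dict) -> Optional[bytes]:
    """Apply the repair the text describes: restore the original first
    bytes and chop off the extra tail.  The candidate is accepted only
    if it hashes back to the recorded clean state, so a prepending or
    overwriting infection comes back as None rather than as a mangled
    file that crashes when run."""
    if len(data) <= rec["length"]:
        return None  # not longer than recorded: not an appending infection
    candidate = rec["head"] + data[HEAD_LEN:rec["length"]]
    if hashlib.sha256(candidate).hexdigest() != rec["sha256"]:
        return None
    return candidate


def triage(data: bytes, rec: dict) -> str:
    """Single decision per file: clean, repaired, or unrepairable."""
    if check(data, rec)["hash_matches"]:
        return "clean"
    if repair_appending(data, rec) is not None:
        return "repaired"
    return "unrepairable"  # erase and reinstall, as the text advises


# Constructed sample files.  CLEAN stands in for a tiny .COM program
# (a DOS exit call followed by filler); FILLER stands in for 1000 bytes
# of appended or prepended viral body and contains no real code.
CLEAN = b"\xb4\x4c\xcd\x21" + b"constructed clean program body"
FILLER = b"\x90" * 1000
# Appending infection: first three bytes replaced by a jump stub, body appended.
APPENDED = b"\xe9\x00\x00" + CLEAN[HEAD_LEN:] + FILLER
# Prepending infection: body placed in front, original file intact behind it.
PREPENDED = FILLER + CLEAN
# Overwriting infection: original start overwritten, length unchanged.
OVERWRITTEN = FILLER[:HEAD_LEN] + CLEAN[HEAD_LEN:]


if __name__ == "__main__":
    rec = record_clean(CLEAN)
    for name, data in [("clean", CLEAN), ("appended", APPENDED),
                       ("prepended", PREPENDED), ("overwritten", OVERWRITTEN)]:
        delta = check(data, rec)["length_delta"]
        print(f"{name:11s} delta={delta:5d} head_changed="
              f"{check(data, rec)['head_changed']} -> {triage(data, rec)}")
```

Only the appended sample is repaired; the prepended sample is 1000 bytes longer with a changed head, exactly like the appending case, and is precisely the file the naive repair would destroy, which is why the hash check is not optional.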
Virus Simulation Cleaning
Virus simulation is not quite what its name seems to
imply. Presently Thunderbyte's TBCLEAN is the only product
using this technology.
The clean program first patches key DOS services, thus
disallowing unauthorized programs to write to the disks.
For simplicity's sake, only .COM file cleaning is described
in this chapter.
First, the file's entry point is recorded. The entry
point is the location where the actual execution begins.
This will be either at the file startup, or at a location
pointed to by any form of JMP statement. (JMP is the
machine-language instruction for JuMP.)
If a jump is found, the cleaner emulates the execution
of the infected file until the entry point code is replaced,
and the code resumes execution there. It can be assumed
that the file is restored at this point. Next, the cleaner
truncates the file at the virus entry point, thereby cutting
the file to its previous length.
With some viruses, the cleaned file may still retain a