On Mon, 19 Feb 2001 17:48:26 -0700, Bob George wrote:
> Uh, if this is Stoned.Monkey, it goes back to '92 and is a DOS MBR virus.
> Nothing Windows-specific about it, and I suspect ANY DOS version would be
> vulnerable if not protected, Microsoft or not.

Well, sure, but how does it get into the system in the first place?
With windoz, you can have sabotage software inserted by email. I don't
think you can do that with Arachne, or any of the other DOS tools.

The worst DOS virus attack by far was years ago, a Michelangelo, and
it was not downloaded off the net, but on the disk, in the shrinkwrap,
at the computer store, with proprietary software.  Turns out, that some
contract hacker realized that the software house was going to screw him.
After all, they knew they had enough lawyers to keep him in court until
he was bankrupt, so they just stole his work.

But- he saw this coming, and left the virus sitting in his opcode in
the event that they stole it.  They tried to charge him, but when it
came out that they had no right to the code in the first place...

Nowadays, I download DOS utilities and apps from Simtel and a few other
well established trustworthy sources. Since dos apps rarely run over a
meg, and most of them only a couple hundred thousand bytes, scanner
software can do a far more thorough and reliable job of identifying any
sabotage software than it can in the multi-meg windoz apps which are
often 100 times larger.

The Win OS now runs in excess of 100 megs, which is not a set sequence
of bytes, but compiled during installation; the sequence varies according
to the hardware.  Given the diversity of hardware, this is a bewildering
array of windoz installations which the virus scanners havta deal with.
Since a virus can be on the order of 100 bytes, in a 100 meg install,
this is a needle in a haystack.  The only thing the scanner can do is
to look for sabotage patterns which it knows to exist.  A new pattern is
beyond its ability to detect.

With DOS and Linux, there are versions out there which have their source
code published, and which produce a standard MBR, disk I/O, and other
functionality.  Even 100 bytes at variance from standard procedure would
be readily recognized, and flagged, whether the scanner had ever seen
that particular sequence or not.

If I understand correctly, you can download a copy of DR-DOS into an
infected system.  After extraction, DR-DOS has a utility to create a
boot floppy, and any variance to what it wants to write on the boot
sector of that floppy would be recognized in spite of the fact that
the hard drive had been infected.
uncopywritten. do what you will with it.
-- Arachne V1.70;rev.3, NON-COMMERCIAL copy, http://arachne.cz/
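The check the post describes, comparing a freshly written boot sector against a published reference image and flagging any bytes at variance, as an added example that is not part of the original post. The two 512-byte sectors below are constructed stand-ins, not a real DR-DOS or MBR boot loader; the layout assumed (446 bytes of code, 64-byte partition table, 0x55AA signature) is the standard PC boot-sector format.

```python
import hashlib

SECTOR_SIZE = 512
CODE_END = 446           # bootstrap code occupies bytes 0..445
PTABLE_END = 510         # four 16-byte partition entries follow the code
SIGNATURE = b"\x55\xAA"  # boot signature at bytes 510..511

def diff_boot_sector(reference: bytes, candidate: bytes) -> dict:
    """Compare a captured boot sector against a known-good reference image.

    Only the bootstrap code region is compared: the partition table
    legitimately differs from disk to disk, but the code a given OS version
    writes should be byte-identical, so any variance there is worth flagging
    even if no scanner has ever seen that particular byte sequence before.
    """
    if len(reference) != SECTOR_SIZE or len(candidate) != SECTOR_SIZE:
        raise ValueError("boot sector images must be exactly 512 bytes")
    ref_code, cand_code = reference[:CODE_END], candidate[:CODE_END]
    changed = [i for i in range(CODE_END) if ref_code[i] != cand_code[i]]
    return {
        "code_changed_offsets": changed,
        "signature_ok": candidate[PTABLE_END:] == SIGNATURE,
        "reference_sha256": hashlib.sha256(ref_code).hexdigest(),
        "candidate_sha256": hashlib.sha256(cand_code).hexdigest(),
    }

def build_sample_sector(code: bytes) -> bytes:
    """Build a 512-byte sector: code padded with zeros, empty partition table, signature."""
    return code.ljust(CODE_END, b"\x00") + bytes(64) + SIGNATURE

# Constructed sample data (hypothetical, not a real loader): the reference holds
# a short code stub; the candidate has four bytes overwritten at offset 0x40.
REFERENCE_SECTOR = build_sample_sector(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C")
_tampered = bytearray(REFERENCE_SECTOR)
_tampered[0x40:0x44] = b"\xEB\x7E\x90\x90"
CANDIDATE_SECTOR = bytes(_tampered)

if __name__ == "__main__":
    report = diff_boot_sector(REFERENCE_SECTOR, CANDIDATE_SECTOR)
    print(f"signature ok: {report['signature_ok']}")
    print(f"bytes changed in code region: {len(report['code_changed_offsets'])}")
    print(f"changed offsets: {[hex(o) for o in report['code_changed_offsets']]}")
```

On a real system the candidate would be the 512 bytes read from the floppy just written, and the reference the sector image shipped with the OS distribution.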

