BEGPANB.CVP  931111
 
                Other Antivirals - Change Detectors
 
If your "generic" antiviral is a change detection program, then you
will probably have a much better idea of what is infected, although
less idea of how.  Change detectors will usually tell you that the
boot sector, the master boot record, or a specific file has been
changed.  Sometimes, in the case of a stealth virus, the detector will
not be able to "see" any change on the disk, but will report a change
to the interrupts in memory.
 
Activity monitors usually run all the time, and so, in addition to
sometimes telling you, specifically, what type of action is being
done, they generally give you some clues by catching something as it
happens.  Change detectors are usually run at set intervals, often
at boot time, and so only report after the fact.  However, because
change detection software identifies specific objects, you will
generally get more information from them about boot sector infectors
than you will get from activity monitors, and boot infectors are
much more common.
 
As with activity monitors, if the antiviral identifies a file that
you can easily replace, copy it off and replace it.  If a change
detector shows only one file changed, then it is highly unlikely
that any other files are infected.  If a cluster of files is
changed, particularly in one directory, then the chances are very
good that you do have a real infection.
 
However, like activity monitors, change detectors are subject to
false positive alarms.  If you have made changes to WordPerfect,
SETVER or another program, these will generate alerts from change
detectors.  If you upgrade your DOS version, the boot sector will
change.  If you repartition the disk, the master boot record will
change.
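The following is an added example, not part of the original column and not any product's code, showing the mechanics described above in one small change detector: it records a baseline of file sizes and hashes, reports what changed, applies the "one file versus a cluster in one directory" heuristic, and lets you re-baseline a change you made yourself (the WordPerfect/SETVER false-positive case).  The directory layout and file contents are constructed for the example, and the file names are stand-ins, not real DOS binaries.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed sample tree: made-up "program files" under two directories.
SAMPLE_FILES = {
    "DOS/COMMAND.COM": b"MZ command interpreter",
    "DOS/SETVER.EXE": b"MZ setver utility",
    "WP/WP.EXE": b"MZ wordperfect",
    "WP/SPELL.EXE": b"MZ speller",
    "WP/GRAMMAR.EXE": b"MZ grammar",
}


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_tree(root: str, files: dict) -> None:
    """Create or overwrite the given relative paths under root."""
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def build_baseline(root: str) -> dict:
    """Walk root and return {relative path: {"size": n, "sha256": hex}}."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                data = fh.read()
            baseline[rel] = {"size": len(data), "sha256": digest(data)}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files whose size or hash differs, plus files added or missing."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"changed": changed, "added": added, "missing": missing}


def assess(report: dict) -> str:
    """The column's heuristic: one changed file is probably a legitimate update;
    several changed files, especially in one directory, point to an infection."""
    changed = report["changed"]
    if not changed:
        return "clean"
    if len(changed) == 1:
        return "single change: verify or replace that file"
    by_dir = defaultdict(list)
    for p in changed:
        by_dir[os.path.dirname(p)].append(p)
    if max(len(v) for v in by_dir.values()) >= 2:
        return "clustered changes: likely infection"
    return "scattered changes: investigate"


def acknowledge(baseline: dict, current: dict, paths) -> dict:
    """Re-baseline files you changed yourself (a program upgrade, a new DOS
    version) so the detector stops raising the same false positive."""
    for p in paths:
        if p in current:
            baseline[p] = current[p]
    return baseline


def demo():
    root = tempfile.mkdtemp()
    write_tree(root, SAMPLE_FILES)
    baseline = build_baseline(root)

    # A legitimate upgrade of one program: expected to be a single change.
    write_tree(root, {"DOS/SETVER.EXE": b"MZ setver utility v6.2"})
    single_verdict = assess(compare(baseline, build_baseline(root)))
    baseline = acknowledge(baseline, build_baseline(root), ["DOS/SETVER.EXE"])

    # Simulated infection: every program in one directory grows by the same tail.
    for rel in ("WP/WP.EXE", "WP/SPELL.EXE", "WP/GRAMMAR.EXE"):
        write_tree(root, {rel: SAMPLE_FILES[rel] + b" +appended code"})
    cluster = compare(baseline, build_baseline(root))
    return single_verdict, assess(cluster), cluster["changed"]


if __name__ == "__main__":
    print(demo())
```

Note that after acknowledge() the upgraded SETVER no longer appears in the later report, so the cluster of changes in WP/ stands out on its own.  A real change detector would also protect the baseline file itself, since a baseline that can be rewritten by any program is no baseline at all.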
 
If, therefore, it is inconvenient to replace the modified program,
or if the boot sector appears to be infected, then you may have to
do the same types of investigation as were outlined for activity
monitors.  Since boot sector infectors are more likely to be
identified here, trying to trap an infection on a floppy disk is
more important.  If you have two different sizes of floppy disk, then
format two new disks, one for each.  Label each as to whether it is
drive A: or B: on the computer.  Copy some files onto them, and take
several directory listings.  If you have utility software, try to
look at the boot sectors of the floppy disks.  The reason for all
this activity is that one must try to force the virus to infect the
disk, and this is not always as easy as it sounds.
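The "look at the boot sectors" step above is where utility software earns its keep.  The following is an added example, not from the original column or any particular utility, of what such a look amounts to: decode the BIOS Parameter Block at the start of a 512-byte boot sector, confirm the 55 AA signature, and compare the sector against a hash taken from the freshly formatted bait disk.  The sample sector is constructed here (a plausible 1.44 MB floppy BPB with NOP filler in place of real boot code), and the "tampered" copy simply overwrites part of the code area while leaving the BPB intact, which is the case a hash catches and a field-by-field look does not.

```python
import hashlib
import struct

# First 28 bytes of a DOS boot sector: jump, OEM name, then the BPB fields.
BPB_FORMAT = "<3s8sHBHBHHBHHH"
BPB_FIELDS = ("jump", "oem_name", "bytes_per_sector", "sectors_per_cluster",
              "reserved_sectors", "fat_count", "root_entries", "total_sectors",
              "media_descriptor", "sectors_per_fat", "sectors_per_track", "heads")


def build_sample_boot_sector() -> bytes:
    """Constructed 1.44 MB floppy boot sector: valid BPB, NOP filler, 55 AA."""
    header = struct.pack(BPB_FORMAT, b"\xeb\x3c\x90", b"MSDOS5.0",
                         512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    code = b"\x90" * (510 - len(header))  # NOPs stand in for boot code
    return header + code + b"\x55\xaa"


def parse_boot_sector(sector: bytes) -> dict:
    """Decode the BPB, check the boot signature, and hash the whole sector."""
    if len(sector) != 512:
        raise ValueError("expected a 512-byte sector")
    info = dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sector, 0)))
    info["signature_ok"] = sector[510:512] == b"\x55\xaa"
    info["sha256"] = hashlib.sha256(sector).hexdigest()
    return info


def check_boot_sector(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means nothing to report."""
    info = parse_boot_sector(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 55AA boot signature")
    if info["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        findings.append("implausible bytes-per-sector value")
    if info["jump"][0] not in (0xEB, 0xE9):
        findings.append("first byte is not a jump instruction")
    if info["sha256"] != baseline_sha256:
        findings.append("sector differs from baseline")
    return findings


def diff_report(baseline_sector: bytes, current_sector: bytes) -> dict:
    """Say *where* a sector differs: BPB fields, the code area, or the signature."""
    before = parse_boot_sector(baseline_sector)
    after = parse_boot_sector(current_sector)
    return {
        "bpb_changed": [f for f in BPB_FIELDS if before[f] != after[f]],
        "code_changed": baseline_sector[28:510] != current_sector[28:510],
        "signature_ok": after["signature_ok"],
    }


def tamper(sector: bytes) -> bytes:
    """Constructed modification: overwrite 16 bytes of the code area only."""
    return sector[:200] + b"X" * 16 + sector[216:]


if __name__ == "__main__":
    clean = build_sample_boot_sector()
    baseline = parse_boot_sector(clean)["sha256"]
    print("clean:", check_boot_sector(clean, baseline))
    changed = tamper(clean)
    print("changed:", check_boot_sector(changed, baseline))
    print(diff_report(clean, changed))
```

To use this on a real bait disk, read the first 512 bytes of the raw device (or of a disk image) with the same utility you used to take the baseline, and keep the baseline hash on a write-protected disk rather than on the machine under suspicion.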
 
Also, if a boot sector infector is identified, recovery is not quite
as simple as replacing a file.  Boot from a system disk that is
known to be free from infection.  If you cannot access the hard disk
at this point, do not try anything further.  If the hard drive is
readable, then do a SYS C: command (if the boot sector is changed)
or an FDISK /MBR (if the master boot record has been altered).  This
should fix the problem, but you will also need to check *all*
diskettes for infection.
 
copyright Robert M. Slade, 1993

==============
Vancouver      ROBERTS@decus.ca         | Slade's Law of Computer 
Institute for  Robert_Slade@sfu.ca      |        Literacy:
Research into  rslade@cue.bc.ca         |   - There is no such thing
User           p1@CyberStore.ca         |     as "computer illiteracy";
Security       Canada V7K 2G6           |     only illiteracy itself.