VX Heaven


Developing virus identification products

Tim Sankary



In January of 1986, the world's first computer virus was unleashed upon an unsuspecting and largely defenseless population of global IBM personal computer users. The virus originated in Lahore, Pakistan, and spread rapidly from country to country through Europe and across to the North American continent. In less than twelve months it had infected nearly a half-million computers and was causing minor havoc in hundreds of universities, corporations and government agencies.

This virus, later dubbed the "Pakistani Brain", caught the user community unawares, and the problems resulting from its many infections demonstrated how unprepared we were for this phenomenon. The computer systems targeted by the virus contained no specific hardware or software elements that could prevent or even slow its spread, and few utilities could even detect its presence after an infection had occurred. Fortunately, the virus was not destructive, and it limited its infections to floppy diskettes, avoiding hard disks entirely.

The first defensive procedure developed to counteract this virus involved a simple visual inspection of a suspected diskette's volume label. The virus erased every infected diskette's volume label and replaced it with the character string "@BRAIN". Thus, any inspection of the volume label, such as performing a simple DIRECTORY command, would indicate the presence or absence of the virus. An infected diskette could then be reformatted, or the virus could be removed by replacing the boot sector. This manual procedure is a typical, if somewhat rudimentary, example of the type of function performed by a class of antiviral utilities commonly called Infection Identification products.

Infection identification products generally employ "passive" techniques for virus detection. That is, they work by examining the virus in its inert state. This contrasts with active detection products, which look for specific actions performed by a virus. For example, looking for a Format instruction within a segment of code on a disk would be a passive method of detecting a potentially destructive program. If we detected the Format attempt during program execution, however, we would be performing an active detection. Passive methods concern themselves with the static attributes of viruses; active methods concern themselves with the results of virus execution.

Example active indicators are: the attempted erasure of critical files, destruction of the FAT table, redirection of system interrupt vectors, general slowdown of the system, or an attempt to modify an executable program. These indicators are generic; that is, they are common to a large class of viruses. Because so many viruses perform these common activities, however, they are of little use in identifying individual virus strains. It is the passive virus indicators that prove most useful to a positive identification: the characteristic text embedded within the virus, specific flags, singular filenames, or a distinctive sequence of instructions that is unique to the virus. These and other similar indicators can best be ascertained by scanning system storage and examining the program files and other inert data.
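The two passive checks described above, the volume-label inspection used against the Brain diskettes and the search for characteristic byte sequences in inert code, can be combined into one small scanner. The following is an added example and is not code from the article or from any product it discusses. It parses the FAT12 BIOS Parameter Block to find the root directory, reads the volume-label entry (attribute 0x08, which is where DOS of that era stored the label), and searches the boot sector for indicator byte strings. The "@BRAIN" label comes from the text; the byte pattern `B4 05 CD 13` (the x86 encoding of `mov ah,05h` / `int 13h`, the BIOS format-track service) is a hypothetical heuristic for "a Format instruction within a segment of code", not a signature of any particular virus. The disk images are constructed in memory rather than read from real diskettes.

```python
"""Passive (on-disk) indicator checks for a FAT12 floppy image.

Added example, not from the original article. The disk images are
constructed in memory; layout constants follow the FAT12 BIOS Parameter
Block (BPB) and the 32-byte root directory entry format.
"""
import struct
from typing import List, Optional

SECTOR = 512
ATTR_VOLUME_LABEL = 0x08

# Indicator table. The label is the one quoted in the article. The byte
# pattern is the encoding of "mov ah,05h / int 13h" (BIOS format-track
# service): a hypothetical heuristic, not a signature for a real virus.
SUSPECT_LABELS = {"@BRAIN"}
SUSPECT_PATTERNS = {"bios-format-track": bytes.fromhex("B405CD13")}


def root_directory(image: bytes) -> bytes:
    """Locate the root directory using the BPB fields in the boot sector."""
    bytes_per_sector, = struct.unpack_from("<H", image, 11)
    reserved_sectors, = struct.unpack_from("<H", image, 14)
    fat_count = image[16]
    root_entries, = struct.unpack_from("<H", image, 17)
    sectors_per_fat, = struct.unpack_from("<H", image, 22)
    start = (reserved_sectors + fat_count * sectors_per_fat) * bytes_per_sector
    return image[start:start + root_entries * 32]


def volume_label(image: bytes) -> Optional[str]:
    """Return the volume label stored in the root directory, or None."""
    rootdir = root_directory(image)
    for off in range(0, len(rootdir), 32):
        entry = rootdir[off:off + 32]
        first = entry[0]
        if first == 0x00:          # end-of-directory marker
            break
        if first == 0xE5:          # deleted entry
            continue
        attr = entry[11]
        # Skip long-filename pseudo-entries, which also set the label bit.
        if attr & ATTR_VOLUME_LABEL and (attr & 0x0F) != 0x0F:
            return entry[0:11].decode("ascii", errors="replace").rstrip()
    return None


def passive_scan(image: bytes) -> List[str]:
    """Return the passive indicators present in an inert disk image."""
    findings = []
    label = volume_label(image)
    if label in SUSPECT_LABELS:
        findings.append(f"volume label {label!r}")
    boot = image[:SECTOR]
    for name, pattern in SUSPECT_PATTERNS.items():
        if pattern in boot:
            findings.append(f"boot sector contains {name} sequence")
    return findings


def build_image(label: Optional[str], boot_code: bytes = b"") -> bytes:
    """Construct a minimal FAT12 image: 1 reserved sector, 2 FATs of 2
    sectors each, 112 root entries, and optionally one volume-label entry."""
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xEB\x3C\x90"                  # jmp short + nop
    struct.pack_into("<H", boot, 11, SECTOR)     # bytes per sector
    boot[13] = 2                                 # sectors per cluster
    struct.pack_into("<H", boot, 14, 1)          # reserved sectors
    boot[16] = 2                                 # number of FATs
    struct.pack_into("<H", boot, 17, 112)        # root directory entries
    struct.pack_into("<H", boot, 22, 2)          # sectors per FAT
    boot[62:62 + len(boot_code)] = boot_code     # boot code area
    boot[510:512] = b"\x55\xAA"                  # boot signature
    fats = bytes(2 * 2 * SECTOR)
    rootdir = bytearray(112 * 32)
    if label is not None:
        entry = bytearray(32)
        entry[0:11] = label.encode("ascii").ljust(11)
        entry[11] = ATTR_VOLUME_LABEL
        rootdir[0:32] = entry
    return bytes(boot) + fats + bytes(rootdir)


# Constructed sample images, not captures of real diskettes.
CLEAN_IMAGE = build_image("DATA_DISK")
SUSPECT_IMAGE = build_image("@BRAIN", boot_code=bytes.fromhex("B405CD13"))

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("suspect", SUSPECT_IMAGE)):
        print(name, volume_label(img), passive_scan(img))
```

Both checks are passive in the article's sense: nothing is executed, the image is only read. The label check identifies one specific strain, while the byte-pattern check is the generic kind of indicator the text warns is shared by many programs (any legitimate formatter carries the same instruction sequence), so on its own it flags a candidate for closer inspection rather than a positive identification.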

