MemScan - Memory Scanner: a rule-based, universal memory virus scanner for DOS viruses, not limited to known viruses! Does not run on 64-bit Windows systems.

Note Nowadays pure DOS, Windows 9x and Win32, the environments MemScan was developed for, are hardly used any more. Nevertheless, we continue to offer MemScan for free use, because we believe it is the only program of its kind for DOS-compatible operating systems that is still maintained and developed anywhere in the world!
     __  __                ____                     ______   ___  ____
    |  \/  | ___ _ __ ___ / ___|  ___ __ _ _ __    / /  _ \ / _ \/ ___|
    | |\/| |/ _ \ '_ ` _ \\___ \ / __/ _` | '_ \  / /| | | | | | \___ \
    | |  | |  __/ | | | | |___) | (_| (_| | | | |/ / | |_| | |_| |___) |
    |_|  |_|\___|_| |_| |_|____/ \___\__,_|_| |_/_/  |____/ \___/|____/

                                 (c) 16.10.1990-2024 by ROSE SWE, Ralph Roth

    $Id: MemScan_Eng.txt,v 1.49 2024/06/07 14:12:06 ralph Exp $
    Written in ASCIIDOC using the UTF-8 code set and Windows CR/LF line ends
    Umlauts and screen copies may look ugly if your text viewer does not use UTF-8
Note A short English "FAQ" for QMS, MemScan and TestBoot can be found at the end of the document!

1. Function of MemScan

MemScan examines your working memory for resident MS-DOS computer viruses. If you have further questions about computer viruses, please read the files VIRSCAN.DOC & VIRSCAN.TXT (if available).

MemScan can also check the "UPPER" DOS memory (UMBs, the memory between 640 KB and 1 MB) and the HMA (High Memory Area, the block between 1024 KB and 1088 KB reached through the A20 gate). MemScan needs approx. 450 KB of free conventional DOS memory for the virus database and hash tables; its memory usage was tuned especially for network environments, so those 450 KB are all it requires.

With the option /UNB, MemScan also detects unknown viruses by heuristic scanning. Such viruses are usually reported with one of the following messages:

Execution-Function [Exec] or
Generic File Open [Fopen] or
Memory Control Of Blocks [MCB] or
Generic Exeheader.????-???? or
Generic Boot virus [BOOT] etc.

If one of these generic detections is reported, please send me an infected file so that I can classify the virus (check whether VirScan reports the same virus type with the option /HEUR) and add it to MemScan! Try to make the virus infect the "victim/bait/goat files" INFECTME.* included in this package!

Note MS-DOS 6.xx and Novell DOS 7.0 produce a false alarm with the option /UNB together with the option /HIGH. In most cases a Generic Exec Virus is reported in the segment Fxxx:xxxx which, however, is occupied by COMMAND.COM loaded high.

2. Why MemScan?

We use MemScan internally to add new viruses to VirScan quickly and reliably. However, customers frequently asked us for a program that checks ONLY the working memory. For this reason MemScan was made available to the public for FREE.

3. Optional parameters

/?                Displays a short help
/HIGH             Search high memory (to 1 MB) too
/IVT              Check interrupts for viruses, see also VIRSCAN.DOC
/NOLIVEBAIT       Skip Live Bait Test
/NOMEM            Skip complete "Quick Memory Check"
/NOPATHCOMPANION  Skip path Companion Test
/UNB /UNK         Search for new unknown viruses
                  No output on argument syntax (Guru option).
/AKTION           Display information on virus special offer.
Tip To see a short description of more options execute MemScan with the parameter /? for a short help!

3.1. Option /UNB

This option is only for emergencies! It ALWAYS produces false alarms! I use it to find known and new viruses: almost every new resident MS-DOS virus can be found with MemScan this way!

3.2. Option /IVT

With the parameter /IVT the working memory is examined for approx. 180 of the best-known DOS viruses. This is done with so-called "Am I there" calls (the call a resident virus answers so that it does not install itself twice) and takes a split second, compared to the slow memory scan. Among others, the working memory is examined for the following viruses:

  • Jerusalem and related viruses (at least 48 variants)

    • Frere Jacques

    • Fu Manchu

  • Tequila (Stealth virus)

  • Yankee Doodle/Vacsina (45 variants)

  • Cascade and Yap (14 variants)

  • Flip/Omicron (6 variants, sub-stealth virus)

  • Parity (4 variants, boot virus)

  • dBase

  • Plastique (AntiCad, Invader, Tobacco, 4.21, 5.21 and Cobol)

  • Tremor (Stealth virus)

  • Hare (Stealth multipartite virus)

The user is informed when one of these viruses is detected.

Note You should not use this option if Novell Netware is installed, because the "Am I there" calls collide with Netware's own interrupt calls. This check used to run automatically, but it turned out that the calls were not 100% compatible with all operating systems and configurations. So if unusual side effects occur, this option may be the reason. This option also checks the high memory area (HMA), if present, for viruses.

3.3. Notes on parameter usage

Customers used to the American or UNIX parameter syntax (minus sign) instead of the slash (/) can also start an option with a minus sign (-).

Example: -IVT is equivalent to /IVT
Note There must be at least one blank between the individual arguments! The arguments are not case sensitive.

3.4. The environment variable MemScan

Instead of always calling MemScan with arguments, MemScan can be controlled with a so called environment variable. For example, enter the following at the DOS prompt:

SET MEMSCAN=/unb -high -IVT

If you start MemScan now, MemScan reads all required arguments from the variable.

3.5. Rollback of preset values

Sometimes you may want to reset options that are already set (e.g. by SET MEMSCAN=…). This is done simply by appending a minus sign to the option on the command line, which switches the option off.

For example, you have entered the following:

SET MEMSCAN=/high

Then start MemScan with the following argument:

MEMSCAN /high-

In this case the command line option overrides the option set in the environment variable: command line options always override environment options.
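To make the precedence rules of sections 3.3 to 3.5 concrete, here is a small Python model of them. It is an added example written for this document, not MemScan's own argument parser: options start with / or -, names are case-insensitive, defaults come from the MEMSCAN environment variable, command line tokens override them one by one, and a trailing minus switches an option off. The option names are those listed in section 3; treating /UNK as a synonym of /UNB is an assumption made here.

```python
import os
from typing import Dict, Iterable, Mapping, Optional, Set, Tuple

# Option names from the table in section 3 of this document.
KNOWN_OPTIONS = {"?", "HIGH", "IVT", "NOLIVEBAIT", "NOMEM",
                 "NOPATHCOMPANION", "UNB", "UNK", "AKTION"}
# Assumption for this example: /UNK is a synonym of /UNB (they share one table row).
ALIASES = {"UNK": "UNB"}


def parse_token(token: str) -> Tuple[str, bool]:
    """Turn one argument like '/high', '-IVT' or '/high-' into (NAME, enabled).

    The prefix may be '/' (DOS style) or '-' (UNIX style), names are
    case-insensitive, and a trailing '-' switches the option off (section 3.5).
    """
    if len(token) < 2 or token[0] not in "/-":
        raise ValueError(f"not an option: {token!r}")
    body = token[1:]
    enabled = True
    if body.endswith("-"):
        enabled = False
        body = body[:-1]
    name = body.upper()
    name = ALIASES.get(name, name)
    if name not in KNOWN_OPTIONS:
        raise ValueError(f"unknown option: {token!r}")
    return name, enabled


def resolve_options(argv: Iterable[str],
                    environ: Optional[Mapping[str, str]] = None) -> Set[str]:
    """Return the set of enabled option names.

    Defaults are read from the MEMSCAN environment variable (section 3.4) and
    then overridden, token by token, by the command line (section 3.5).
    """
    if environ is None:
        environ = os.environ
    state: Dict[str, bool] = {}
    # Arguments are separated by blanks (section 3.3), so split() is enough.
    for token in environ.get("MEMSCAN", "").split():
        name, enabled = parse_token(token)
        state[name] = enabled
    for token in argv:                      # the command line always wins
        name, enabled = parse_token(token)
        state[name] = enabled
    return {name for name, enabled in state.items() if enabled}


if __name__ == "__main__":
    # SET MEMSCAN=/high  followed by  MEMSCAN /high-  -> high memory scan is off again
    print(resolve_options(["/high-"], {"MEMSCAN": "/high"}))
    # SET MEMSCAN=/unb -high -IVT  and no arguments  -> all three are on
    print(resolve_options([], {"MEMSCAN": "/unb -high -IVT"}))
```

Because the environment is processed first and the command line second, a later token simply overwrites an earlier one; that is all the "rollback" of section 3.5 needs.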

4. False alarms of MemScan

MemScan detects approx. 98% of ALL new resident DOS or boot viruses with the option /UNB; however, this option is only for absolute virus gurus. Hint: If you suspect a virus on your system, execute VirScan Plus with the following parameters:

Virscan -auto -HEUR -log
Note If VirScan Plus finds the same virus as MemScan in several EXE/COM files: new virus! If VirScan finds a different virus in many COM/EXE files, for example Crypt/FamZ, it is a new ENCRYPTED virus! In these cases please send me an email with the infected files! Note: The option /HEUR is only available in the full version of VirScan Plus!

The following screen shot is normally a false positive, because the "virus" is found only

  1. with the -unb option, and

  2. in the main screen (the full memory scan), while the quick scan before it reported nothing

¦¦¦¦¦+-----------------------------------------------------------------+¦¦¦¦¦
¦¦¦¦¦¦   MemScan 20.x.x - (c) 03.01.1991-2024 by ROSE SWE, Ralph Roth  ¦¦¦¦¦¦
¦¦¦¦¦+-----------------------------------------------------------------+¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦+-------------------------------- Messages ----------------------------+¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦¦  ¦ Free memory available for MemScan: 68.000/68.000                  ¦¦¦¦
¦¦¦  ¦ Command line: -unb                                                ¦¦¦¦
¦¦¦  ¦ Signatures created: Mi 25. Feb. 2004, build 3.073, 5.165 signs    ¦¦¦¦
¦¦¦  ¦ This PC has 640/640 kb free base memory                           ¦¦¦¦
¦¦¦  ¦ HMA/A20 gate present at segment: 0xFFFF:0000                      ¦¦¦¦
¦¦¦  ¦ Checking conventional memory (640 kb)                             ¦¦¦¦
¦¦¦  - Found the Type_Exec2a.35C6-D0A0 virus!                            ¦¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦¦  Warning: A virus found in your main memory!                         ¦¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦¦                                                                      ¦¦¦¦
¦¦+----------------------------------------------------------------------+¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦+---------- Scanning ---------+¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦     Please press a key!     ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦+-----------------------------+¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦

A real virus infection looks like this; MemScan does not reach the main screen at all (in this case a new 572-byte DOS COM infector):

-----[ Quick scan of the system and memory for viruses ]----------------------

  MBR - HDD 0 (512) .......(45FC:2A00)..... -- OK! --
  Interrupt 13h (DOS) .....(0D58:18C5)..... -- OK! --
  Interrupt 13h (Orig) ....(F000:E3FE)..... -- OK! --
  Interrupt 21h (DOS) .....(9F75:0119)..... Type_Exec1a.4A77-F232 Virus
  Interrupt 40h (DOS) .....(F000:EC59)..... -- OK! --
  Memory (Low-System) .....(0000:0000)..... -- OK! --
  Memory (639 KB) .........(9C00:0000)..... Type_Exec1a.4A77-F232 Virus
  Memory (HMA) ............(FFFF:0001)..... -- OK! --
  HDD-IRQ 76h .............(0CC5:0117)..... -- OK! --
  Path Companion Test ..................... -- OK! --
  Live Bait Test ..........(295 KB)........ Type: COM=572 Virus
Heuristic mode:
  Single Step .............(0070:06F4)..... -- OK! --
  Misc BIOS ...............(0D58:19A0)..... -- OK! --
  Reboot ..................(0D3B:002F*).... -- OK! --
  Multiplex ...............(14E2:1180)..... Type_Exec2b.CF14-B4E4 Virus
  VCPI ....................(F000:FF53)..... -- OK! --
  Interrupt D3h ...........(F000:FF53)..... -- OK! --
  Interrupt 0Dh ...........(F000:FF53)..... -- OK! --
  Interrupt 0Eh ...........(0CC5:00B7)..... -- OK! --

Please deactivate the virus through a cold boot from a system disc!
Press any key to continue...
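The report above is what a practitioner reads to judge whether a hooked interrupt points somewhere plausible: a handler in the F000 BIOS ROM segment is normally the original BIOS entry, one in conventional memory belongs to DOS, a TSR or a virus. As an added example written for this document (not part of MemScan), the following Python parses such report lines, converts each segment:offset into a linear address and a memory region, and collects everything the report did not mark OK. The sample text is a subset of the report above; the region boundaries are the standard real-mode PC memory map, and the note about base memory below 640 KB reflects the classic trick of resident viruses that lower the BIOS top-of-memory value to reserve the top kilobyte for themselves.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the quick-scan report shown above.
SAMPLE_REPORT = """\
-----[ Quick scan of the system and memory for viruses ]----------------------

  MBR - HDD 0 (512) .......(45FC:2A00)..... -- OK! --
  Interrupt 13h (DOS) .....(0D58:18C5)..... -- OK! --
  Interrupt 13h (Orig) ....(F000:E3FE)..... -- OK! --
  Interrupt 21h (DOS) .....(9F75:0119)..... Type_Exec1a.4A77-F232 Virus
  Interrupt 40h (DOS) .....(F000:EC59)..... -- OK! --
  Memory (639 KB) .........(9C00:0000)..... Type_Exec1a.4A77-F232 Virus
  Memory (HMA) ............(FFFF:0001)..... -- OK! --
  Path Companion Test ..................... -- OK! --
  Live Bait Test ..........(295 KB)........ Type: COM=572 Virus
Heuristic mode:
  Reboot ..................(0D3B:002F*).... -- OK! --
"""

# "<name> ....(<paren>)..... <status>"; the parenthesis is optional.
LINE_RE = re.compile(
    r"^\s*(?P<name>.+?)\s*\.{2,}\s*(?:\((?P<paren>[^)]*)\))?\.*\s*(?P<status>.+?)\s*$")
ADDR_RE = re.compile(r"^([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\*?$")   # tolerate the '*' mark
OK = "-- OK! --"


@dataclass
class Entry:
    name: str
    status: str
    linear: Optional[int]    # seg*16 + off, None when the parenthesis is not an address
    region: Optional[str]

    @property
    def ok(self) -> bool:
        return self.status == OK


def region_of(linear: int) -> str:
    """Classify a real-mode linear address by the standard PC memory map."""
    if linear < 0x400:
        return "IVT"              # interrupt vector table
    if linear < 0x500:
        return "BDA"              # BIOS data area (holds the base memory size word)
    if linear < 0xA0000:
        return "conventional"     # the 640 KB where DOS, TSRs and resident viruses live
    if linear < 0xF0000:
        return "upper"            # adapter ROM/RAM, UMBs
    if linear < 0x100000:
        return "BIOS ROM"         # F000 segment; FFFF:0001 is its last paragraph
    return "HMA"                  # FFFF:0010 and above, reachable through the A20 gate


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line)
    if not m:
        return None               # banner, blank lines, "Heuristic mode:"
    linear = region = None
    a = ADDR_RE.match(m.group("paren") or "")
    if a:
        seg, off = int(a.group(1), 16), int(a.group(2), 16)
        linear = seg * 16 + off
        region = region_of(linear)
    return Entry(m.group("name"), m.group("status"), linear, region)


def parse_report(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def findings(text: str) -> List[str]:
    """Human-readable list of everything worth a second look."""
    out = []
    for e in parse_report(text):
        if not e.ok:
            where = f" at {e.linear:05X}h ({e.region})" if e.linear is not None else ""
            out.append(f"{e.name}: {e.status}{where}")
        kb = re.fullmatch(r"Memory \((\d+) KB\)", e.name)
        if kb and int(kb.group(1)) < 640:
            out.append(f"{e.name}: base memory below 640 KB, "
                       "a resident virus may have reserved the top of memory")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_REPORT):
        print(line)
```

The asterisk after 0D3B:002F in the Reboot line is kept out of the address but not interpreted, since the document does not say what it marks.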

5. Program Return Values

MemScan returns an error code to DOS that can be evaluated via the ERRORLEVEL variable. Any value of 10 or above means a virus was found; remember that IF ERRORLEVEL n in a batch file is true for every value greater than or equal to n, so test the higher values first. The following error codes are used:

        ERRORLEVEL              Short description
        -----------------------------------------------------------------
        0                       All OK, Option -?, -h etc.
        1                       Internal error
        2                       Option -exit
        3                       Overlay (MemScan.ovr) handling error
        8                       Not enough free memory available

        10                      QuickMemoryScan found a virus
        11                      NOSTEALTHTEST found a virus
        12                      NOWINTEST found a virus
        13                      Found a virus in the main scan function

6. Hints and FAQ

Q: Can you help me fix the virus in my main memory…? Attached is the view of MemScan and QMS…

A: I think this is a so-called "false positive". Please read the attached document (MemScan_Eng.txt). If you have a DOS or boot virus, you should be able to trace it (as described in MemScan_Eng.txt) with QMS/MemScan and VirScan Plus. What DOS version and Windows version do you use? Are any special DOS drivers in use?

Q: Only the TESTBOOT routine found something. Since it was in German, I really didn’t know what it said. I went to an online translator and realized that it said "wert ermittelt" ("value determined") and "wurden gesichert" ("were saved"), which it translated as "worth determines" and "became secured". After that I ran it again and it didn’t

A: That’s normal for the first (initial) run - I have added, wherever possible, an English translation in the new version!

Tip How you can detect a file or boot virus:
  1. MemScan -unb -high

  2. QMS -unb

  3. put testboot.exe into the Autoexec.bat as last command (DOS/Win9x based systems only)

  4. rhbvs -auto -log -all -high

7. Integrated virus protection

The program contains an integrated check-sum tester that alerts the user to a possible virus infection. The check-sum for the program is stored in the file with the extension ".XXX".

Neither this check-sum file nor the main program may be changed or modified in any way! Otherwise the main program considers itself possibly infected by a virus (one still unknown to the program)!

The following features of the EXE file are monitored and checked for modifications every time the program is executed:

  • Check-sum (CRC32) - if even one bit of the program is changed by a virus, the check-sum no longer matches (own routine according to ANSI X3.66, i.e. the standard CRC-32 with generator polynomial 0x04C11DB7; the value 0xDEBB20E3 quoted with it is that CRC's check residue, the constant the CRC register settles on when a message is verified together with its appended CRC).

  • File size - if a program becomes one or two KB longer, it is infected!

  • Overlay size - if the program uses overlays (".OVR").

I strongly recommend not making any changes to the EXE and XXX files, since the program will then no longer run!

The file with the extension ".XXX" also contains the creation date and a standard MD5 checksum that can be verified with other tools such as md5dir or hashall from ROSE SWE. Verifying the CRC32 check-sum takes less than one second (depending on the computer and hard disk). If the check-sum is OK, the program runs; otherwise a detailed error report listing the possible causes is displayed. Keep in mind what this check can and cannot do: CRC32 and file size catch accidental corruption and viruses that know nothing about the check, but CRC32 is not a cryptographic hash, so anything able to rewrite the EXE could also rewrite the .XXX file to match; the MD5 in the .XXX file only adds assurance if you compare it against a copy obtained from a trusted source.
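The self-check described in this section, as an added example written for this document (it is not MemScan's own routine, and the envelope layout used here is invented): a table-driven ANSI X3.66 CRC-32, an envelope recording the file's size and CRC, a verifier that reports what changed, and a check of the 0xDEBB20E3 residue property. The stand-in "EXE" and the 647-byte appended "infector" are constructed byte strings, not real files.

```python
import struct
import zlib
from typing import Dict, List

# ANSI X3.66 / IEEE CRC-32: generator polynomial 0x04C11DB7, used here in its
# bit-reversed form because the bytes are fed least-significant bit first.
POLY_REFLECTED = 0xEDB88320
# Value the raw CRC register settles on after a message followed by its own
# little-endian CRC: the check residue of this CRC (0x2144DF1C after final XOR).
RESIDUE = 0xDEBB20E3


def _make_table() -> List[int]:
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ POLY_REFLECTED if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _make_table()


def crc32_register(data: bytes, register: int = 0xFFFFFFFF) -> int:
    """Run the CRC register over data without the final inversion."""
    for b in data:
        register = _TABLE[(register ^ b) & 0xFF] ^ (register >> 8)
    return register & 0xFFFFFFFF


def crc32(data: bytes) -> int:
    """Standard CRC-32 (init 0xFFFFFFFF, final XOR 0xFFFFFFFF); equals zlib.crc32."""
    return crc32_register(data) ^ 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    return crc32(data) == (zlib.crc32(data) & 0xFFFFFFFF)


def with_crc_appended(data: bytes) -> bytes:
    return data + struct.pack("<I", crc32(data))


def residue_ok(data_with_crc: bytes) -> bool:
    """True if data_with_crc ends with a correct CRC-32 of the bytes before it."""
    return crc32_register(data_with_crc) == RESIDUE


def make_envelope(exe: bytes) -> Dict[str, int]:
    """What a '.XXX'-style side file records about the EXE (invented layout)."""
    return {"size": len(exe), "crc32": crc32(exe)}


def self_check(exe: bytes, envelope: Dict[str, int]) -> List[str]:
    """Return the problems found; an empty list means the EXE passed."""
    problems = []
    delta = len(exe) - envelope["size"]
    if delta:
        # Appending infectors make the host a few hundred bytes to a few KB longer.
        problems.append(f"file length changed by {delta:+d} bytes")
    if crc32(exe) != envelope["crc32"]:
        problems.append("CRC32 mismatch")
    return problems


# Constructed stand-in for MEMSCAN.EXE: an MZ header followed by filler bytes.
CLEAN_EXE = b"MZ" + bytes(range(256)) * 4
ENVELOPE = make_envelope(CLEAN_EXE)
# Constructed stand-in for a 647-byte appending EXE infector.
INFECTED_EXE = CLEAN_EXE + b"\xCC" * 647
# One flipped bit: same size, but the CRC catches it.
BIT_FLIPPED_EXE = CLEAN_EXE[:100] + bytes([CLEAN_EXE[100] ^ 0x01]) + CLEAN_EXE[101:]

if __name__ == "__main__":
    print(self_check(CLEAN_EXE, ENVELOPE))        # nothing to report
    print(self_check(INFECTED_EXE, ENVELOPE))     # length +647 and CRC mismatch
    print(self_check(BIT_FLIPPED_EXE, ENVELOPE))  # CRC mismatch only
    # The check guards against accidents and naive viruses, not a determined
    # attacker: whoever can rewrite the EXE can rewrite the envelope as well.
    print(self_check(INFECTED_EXE, make_envelope(INFECTED_EXE)))  # passes again
```

The last call is the caveat from the text in code form: the envelope is only as trustworthy as the place it is stored, which is why the recommendation is to keep the EXE and XXX files together and untouched.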

This is a screen shot (translated here from the German program output) of MemScan's self-check envelope finding itself infected with a 647-byte EXE infector!

#####   The length of the file MEMSCAN.EXE has changed!   #####

There are several possible reasons for this error message:

¦    A virus has infected the program!
     Best to test it right away with VirScan Plus ...
     WARNING: the program has grown by 647 bytes!!!
     PLEASE SEND US THIS FILE FOR ANALYSIS! TYPICAL OF VIRUSES!

¦    You have modified the file MEMSCAN, which is why the
     checksum has changed.

¦    You did not copy all files (see above), or information on the
     storage medium has been lost (flipped bits).

¦    Use the option /NOCHECKCRC to bypass this check!

Press ENTER to continue...

8. Other/Misc

If you want to obtain the full versions of my antivirus software, please start the program REGISTER.COM, and an order form will be printed.

By the way: MemScan is compressed from 380 KB to currently 87 KB EXE + 183 KB overlay!

9. Reviews/Awards

10. What’s new?

Version             Changes
#######################################################################

    3.00            Parts of MemScan were swapped out to the overlay
                    file MEMSCAN.OVR, therefore MEMSCAN needs 50 KB less
                    working memory. Added checksum tester.
    3.10            Extended 'Am I There' Virus test.
    3.17            Program does not wait any more for key stroke
                    if NO virus was found!
    3.33            Number of detected viruses: approx. 3.000!
    3.36            The package now includes HMS.COM.
    3.50            Live Bait Test to detect
                    unknown file viruses.
    3.53            New ChkPC version (Hare & Boot-437)
    3.55            50 new viruses, e.g. CriCri & Grief.
    3.98            4180 viruses. QMS, TestBoot & HMS were
                    considerably enhanced. The Live Bait
                    Test was considerably enhanced.

    4.xx            New Viruses.

    5.0.1           Completely redesigned version. Program in English!
    5.1.0           Added Stealth Live Goat Test.
    5.6             /NOPATHCOMPANION, /NOLIVEBAIT
    5.7             /NoMem
    6.0             Win32 Live Bait Test
    6.2.7           /NoWin32Test, /NoStealthTest, DOKU revised
    6.3.1           This English documentation added
    6.5.5           /NoHMA fixes, A20-Gate/HMA fixes
    6.6.8           Tons of new viruses due to F_Mirc Linux porting
    9.5.5           adapted to run with DosEMU (Linux)
    9.5.8           30.08.2017 - Ported this documentation to ASCIIDOC
    10.1.5          22.01.2018 - new viruses
    23.5            April 2023 - new viruses
    30.0            June 2024 - new viruses, maintenance release

11. BANNERWARE from ROSE SWE

This program may be freely copied and passed on. It is considered so-called Bannerware. I only request that the following conditions be kept:

  • ©opyright by ROSE SWE, Ralph Roth (the so-called Banner)

  • sale and/or commercial distribution of the programs is forbidden. No commercial distribution without our written consent!

  • the programs MUST be distributed free of charge, or passed on for a small copying charge (shareware dealers, max. EUR 10,--).

  • the program/documentation must not be changed!

  • the program package must be passed on complete and unchanged!

Trademarks of other companies mentioned in this documentation and package appear for identification purposes only and are property of their respective companies.

NOTICE TO USER: You should read the following terms and conditions carefully before using this software. Your use of this software indicates your full acceptance of this license agreement and warranty. BY INSTALLING THIS SOFTWARE YOU ACCEPT ALL THE TERMS AND CONDITIONS OF THIS AGREEMENT.

The SOFTWARE is owned and copyrighted by ROSE SWE. Your license confers no title or ownership in the SOFTWARE and should not be construed as a sale of any right in the SOFTWARE.

No Warranty. The Software is delivered to you AS IS and ROSE SWE makes no warranty as to its use or performance. ROSE SWE AND ITS SUPPLIERS DO NOT AND CANNOT WARRANT THE PERFORMANCE OR RESULTS YOU MAY OBTAIN BY USING THE SOFTWARE OR DOCUMENTATION. ROSE SWE AND ITS SUPPLIERS MAKE NO WARRANTIES, EXPRESS OR IMPLIED, AS TO NON-INFRINGEMENT OF THIRD PARTY RIGHTS, MERCHANTABILITY, OR FITNESS FOR ANY PARTICULAR PURPOSE. IN NO EVENT WILL ROSE SWE OR ITS SUPPLIERS BE LIABLE TO YOU FOR ANY CONSEQUENTIAL, INCIDENTAL OR SPECIAL DAMAGES, INCLUDING ANY LOST PROFITS OR LOST SAVINGS, EVEN IF A ROSE SWE REPRESENTATIVE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR FOR ANY CLAIM BY ANY THIRD PARTY.

In short: This software is provided as-is, without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. If you do NOT agree simply do NOT install and use this software!

(C)opyright by (ALL RIGHTS RESERVED!)


__________ ________    ____________________   ___________      _____________
\______   \\_____  \  /   _____/\_   _____/  /   _____/  \    /  \_   _____/
 |       _/ /   |   \ \_____  \  |    __)_   \_____  \\   \/\/   /|    __)_
 |    |   \/    |    \/        \ |        \  /        \\        / |        \
 |____|_  /\_______  /_______  //_______  / /_______  / \__/\  / /_______  /
        \/         \/        \/         \/          \/       \/          \/

 -------------------------------------=-----------------------------------
     ROSE SWE                           See ROSEBBS.TXT for
     Dipl.-Ing. Ralph Roth              full address, FAX and PGP keys.
     http://rose.rult.at
     rose_swe@hotmail.com               All Rights Reserved!
 -------------------------------------=-----------------------------------
Note Initial Translation by ez-web Digital Services, ezweb@gmx.net in 03/2002

Computer Viruses and Malware - A Short Overview

A computer virus is a piece of code (software) that is installed on a computer by a hacker, by another compromised computer (replication), by malicious mail attachments or by a website (drive-by infection). It performs functions that the computer owner has not authorized and does not want.

Viruses are sometimes also referred to as malware, usually when they have adverse effects on the computer user, such as logging each keystroke (keylogger), recording audio or taking snapshots of the screen.

Such an infection can lead to identity theft, exposure of bank or payment card data or loss of confidential data. It is more likely to occur on home computers, which are normally not as well managed for security as corporate computers.

1. Malware

Malware, or malicious software, is a generic term for a variety of malicious or intrusive software, including computer viruses, worms, Trojans, ransomware (ransoms), spyware, adware, scareware and other malicious programs. It can take the form of executable code, scripts, active content and other software. Malware is defined by its malicious intent, which violates the requirements of the computer user - and therefore does not include software that causes unintentional damage due to a defect.

Programs officially delivered by companies can be considered malware if they secretly violate the interests of the computer user.

2. (Computer) Virus

A computer virus is a type of malicious software program ("malware") that, when executed, replicates itself by modifying other computer programs and appending or inserting its own code. When this replication succeeds, the affected programs are then said to be "infected" with a computer virus.

The term "virus" is also commonly, but erroneously, used to refer to other types of malware. "Malware" encompasses computer viruses along with many other forms of malicious software, such as computer "worms", ransomware, spyware, adware, Trojan horses, keyloggers, rootkits, bootkits, malicious Browser Helper Object (BHOs) and other malicious software. The majority of active malware threats are actually Trojan horse programs or computer worms rather than classic computer viruses.

Roughly, one can distinguish between

  • memory resident (fast infecting) viruses and

  • direct action viruses

2.1. Direct Action Viruses

Direct action viruses are malware that infects individual files on a computer rather than the boot sector or master boot record (MBR). They are called "direct action" because they do their work immediately when an infected file is executed, looking for and infecting other files right then instead of staying resident in memory.

Some of the simpler computer viruses therefore never stay resident in memory. The very first file infector viruses on the IBM PC, such as Virdem and Vienna, belong to this category. As a rule, direct action viruses do not spread quickly and are not easily spread in the wild.

Direct action viruses are loaded into memory together with the host program. Once they have control, they search for new files to infect. Because this is so simple, the direct action infector is one of the most common types of computer virus: it can be written relatively easily by an attacker in binary or scripting languages on a variety of platforms.

Direct action viruses typically use a FindFirst/FindNext sequence (DOS INT 21h functions 4Eh and 4Fh) to search for victim programs. Typically such viruses infect only a few files per run, but some infect everything at once, walking all directories for victims.

Direct action viruses typically spread by attaching themselves to executable files, such as .exe, .com or .bat files. When an infected file is executed, the virus infects other files on the computer and may also carry out other malicious activity.

2.2. (Computer) Boot Virus

Boot viruses are the oldest known computer viruses. They were the most common type of virus until 1995, but are now practically extinct: today there are almost no boot sector viruses any more, because BIOSes and operating systems usually have working software or hardware protection.

A boot virus is a computer virus that becomes active when the computer starts (boots), before the operating system (DOS, Linux or Windows) is fully loaded. Boot sector viruses take advantage of the fact that the boot sector is always loaded first. On floppy disks the virus is at least partially in the boot sector, so even floppy disks with no files on them can be infected. On hard disks the virus infects the master boot record (MBR) or the logical boot sector of a partition.

A boot sector virus infects the boot sector of floppy disks and the master boot record (MBR) of a hard drive. The boot sector is the first physical sector (512 bytes) of a floppy disk and is what a boot floppy is started from. When a user boots from an infected floppy, or leaves an infected floppy in the drive when the computer starts up and the BIOS boot order tries the floppy first, the BIOS loads this sector and executes it. The virus then infects the hard disk’s MBR, and from then on it is loaded every time the computer is started, because the MBR, which normally locates the partitions on the hard drive, runs before the operating system. Once loaded, the virus stays in memory and monitors access to floppy disks; whenever a floppy is used in the infected computer, the virus infects its boot sector.

Known boot viruses include the Form virus, Parity Boot and Boot-437.

2.3. Multipartite Virus

A multipartite virus is a computer virus that infects and spreads in multiple ways. The term was introduced to describe the first viruses that included DOS executable files and PC BIOS boot sector virus code, where both parts are viral themselves. Prior to the discovery of the first of these, viruses were categorized as either file infectors or boot infectors. Because of the multiple vectors for the spread of infection, these viruses could spread faster than a boot or file infector alone.

The first virus that infected both COM files and boot sectors, Ghostball (more a dropper than a real multipartite virus), was discovered by Fridrik Skulason in October 1989. Other early examples of multipartite viruses were Flip, Frodo, Delwin and Tequila. Tequila, for example, could infect both DOS EXE files and the MBR (master boot record) of hard disks.

3. Trojan horses

A Trojan horse is a program that does something undocumented which the programmer intended, but that users would not accept if they knew about it. By some definitions, a virus is a particular case of a Trojan horse, namely, one which is able to spread to other programs (i.e., it turns them into Trojans too). According to others, a virus that does not do any deliberate damage (other than merely replicating) is not a Trojan. Finally, despite the definitions, many people use the term "Trojan" to refer only to a non-replicating malicious program.

4. Ransomware

Ransomware is a particularly invasive form of malware that hijacks a victim’s data or device and holds it hostage (or makes false claims of illegal activity, pornography use, or that the system is already infected with viruses) until a sum of money is paid to release it. Ransomware has been around since about 1989, in the form of the DOS AIDS Trojan (also known as PC Cyborg), which hid directories and encrypted the names of the files on the hard drive and then demanded a payment of $189 to restore them. Nowadays the ransom is usually paid in cryptocurrencies such as Bitcoin or Monero, because this offers anonymity and is difficult to trace. Attackers may also set a deadline for payment, threatening to delete or publish the encrypted data and files if the ransom is not paid; the deadline limits the response time and pushes the victim towards paying. Ransomware has become a significant global threat in recent years. It is important to note that paying the ransom is no guarantee that the victim’s data and system access will be restored or that sensitive data will not be leaked: some attackers do not even provide the key, or demand additional payments. According to Statista, only 54 per cent of organisations regained access to their data or systems after the first payment in 2021. Paying the ransom also encourages attackers to continue their activities. In addition, the vulnerability still exists and can be exploited by another criminal group.

What are the steps in a ransomware attack? That depends on the level of sophistication. In most cases the process is automated, but in some attacks on large organisations criminal groups spend more time preparing, to make sure they can force the organisation to pay.

  • Gaining access - A ransomware attack usually starts with the attacker gaining access to the victim’s computer or network through methods such as phishing emails, downloads of infected software or exploitation of network vulnerabilities.

  • Spread - Once the attacker has access to a system on the internal network, they attempt to spread the malware. In simple attacks propagation is automatic and depends on the sophistication of the malware. In more targeted attacks the malware calls home, and the attacker then looks for ways to spread further and take control of more systems.

  • Emergence and hostage taking - When the malware (in an automated attack) or the criminal group decides the moment has come, the systems are locked and the data encrypted. In most cases a message appears on some of the victim’s computers demanding a ransom to restore access to the data and/or systems.

5. Malicious Mining Software (Crypto-Miner)

Starting in 2018, malware authors have increasingly relied on malicious mining software. In that year, for the first time, there were more infections of this type than with ransomware. More and more online criminals seem to be turning their backs on ransomware and relying on crypto-miners, which secretly mine cryptocurrency on infected computers; Monero is particularly popular. This is obviously extremely lucrative, as the latest figures show.

Why the turnaround? If ransomware strikes and encrypts a victim’s data, the victim usually has to pay a ransom in Bitcoin, an obstacle that not every victim can or will overcome. A crypto-miner, on the other hand, only needs to infect computers; afterwards it mines in secret without demanding anything from the victim and silently brings its authors large profits, not least because of the exploding prices of various cryptocurrencies.

Nowadays even commercial antivirus software tries to use the user’s computer for mining while it is idle. So this kind of software is both a malware scanner and malware itself :-(

6. Greyware

Grayware (or greyware) is a general term sometimes used as a classification for applications that behave in a way that is annoying or unwanted, but less serious or problematic than malware. Grayware includes spyware, adware, dialers, joke programs, remote access tools and any other unwanted files and programs other than viruses that are designed to affect the performance of computers. The term has been in use since at least September 2004.

Grayware refers to applications or files that are not classified as viruses or Trojans, but can still affect the performance of computers on the user’s network and pose significant security risks to the user’s business. Grayware often performs a number of unwanted actions, such as annoying users with pop-up windows, tracking user habits and unnecessarily exposing the computer to attacks.

6.1. Scam

Scam is a term used to describe a fraudulent scheme or deception in which someone is tricked into giving away money or personal information. Scams can take many different forms, such as phishing scams, investment scams, lottery scams and technical support scams, to name a few.

Phishing scams are attempts to trick people into revealing sensitive information, such as passwords or credit card numbers, by posing as a trustworthy entity. Investment scams persuade people to invest money in a bogus business or financial scheme with the promise of high returns. Lottery scams are messages informing people that they have won a large sum of money in a lottery, but asking them to pay a small fee or provide personal information to claim the prize. Tech support scams are attempts to trick people into paying for unnecessary computer support services by pretending to be from a reputable tech company.

Scammers often use persuasion and urgency to get people to hand over money or personal information. It is important to be wary of unsolicited messages or offers, and to independently verify the legitimacy of any request for personal information or money. You can protect yourself against fraud by being aware of common scams, being wary of unsolicited messages or offers, and never giving out personal information or money without verifying the identity of the recipient.

6.2. Adware

Adware is software that displays advertising banners in web browsers such as Chrome, Internet Explorer and Mozilla Firefox. Although it is not classified as malware, many users find adware invasive. Adware programs often have undesirable effects on a system, such as annoying pop-up ads and general degradation of network connection or system performance. Adware programs are usually installed as separate programs bundled with certain free software from websites. Many users inadvertently agree to install adware by accepting the End User License Agreement (EULA) of the free software. Adware is also often installed together with spyware programs. Both programs benefit from each other’s features - spyware programs profile users' Internet behavior, while adware programs display targeted advertisements that correspond to the collected user profile.

6.3. Spyware

Spyware is malicious or unwanted software (not a virus in the strict sense, since it does not replicate) that hides on your computer or mobile device, records your private data and sends it back to whoever created or controls it. What sets spyware apart from ransomware is that it is designed both to install discreetly and to operate silently in the background: it only pays off for its operator as long as it stays unnoticed.

Spyware installs components on a computer that record browsing habits (primarily for marketing purposes) and send the information to its creator or to other interested parties whenever the computer is online. It is often downloaded along with "free downloads" or "freeware" without the user being told of its existence or asked for permission to install it. The data collected can include the user's keystrokes (keylogging), so private information such as login names, passwords and credit card numbers can be stolen and transmitted to third parties.

7. Backdoors

A backdoor is a hidden way of gaining access to a program or system that bypasses its normal authentication. Backdoors are sometimes created intentionally by a programmer for debugging or maintenance purposes, but once discovered or compromised they give unauthorized users or software access and allow damage to be done. Malware often installs backdoors on compromised systems!

8. Botnets

A bot is a program that runs automated tasks over the Internet. A botnet is a collection of bots that run autonomously and automatically, typically performing repetitive tasks at a much higher rate than a human could. Botnets can be used for malicious purposes such as denial-of-service attacks or infecting further computers. An infected computer under such remote control is called a bot or zombie.

9. Macro viruses

A macro is a piece of code embedded in a data file. A macro virus is thus a virus that exists as a macro attached to a data file. In most respects macro viruses are like other viruses; the main difference is that they are attached to data files (i.e., documents) rather than to executable programs. Document-based viruses were, for many years, more prevalent than any other type of virus.

10. Worms

Worms are very similar to viruses in that they are computer programs that replicate functional copies of themselves (usually to other computer systems via network connections) and often, but not always, contain some functionality that will interfere with the normal use of a computer or a program. Unlike viruses, however, worms exist as separate entities; they do not attach themselves to other files or programs. Because of their similarity to viruses, worms also are often referred to as viruses.

11. Protestware

In March 2022, a developer of node-ipc was caught adding malicious code to the popular open-source package that overwrote files on computers located in Russia and Belarus. This was part of a protest that angered many users and raised concerns about the security of free and open-source software. The node-ipc update is just one example of what some researchers call protestware. Most protest code related to the Russian invasion of Ukraine simply displays anti-war and pro-Ukrainian messages, but in at least this one project virus-like code was added that aimed to cripple computers in Russia and Belarus, which led to criticism and accusations of causing collateral damage. Observers have so far found about two dozen open-source projects that inserted "code against war".

Open-source programs can be viewed and modified by anyone, which makes them more transparent - and, at least in this case, more vulnerable to sabotage by their own maintainers. The protestware incident highlights some of the risks that arise when legions of volunteer developers write code that hundreds or thousands of other applications depend on. Some open-source software downloads and integrates new versions automatically, and even where it does not, the sheer volume of code usually makes manual review infeasible. An update by a single person can thus break an untold number of downstream applications. In that sense this can be considered a "game changer".

Russia's largest bank, the state-owned Sberbank, asked its customers to stop updating software because of the threat from "protestware", and even advised them to check the source code of the software they need manually - a security measure that is not feasible for most users. "We urge users to stop updating software and developers to tighten monitoring when using external code," Sberbank said, according to Russian media and cybersecurity firms.

12. Stealth viruses

What is a stealth virus? A stealth virus is one that, while active, hides the modifications it has made to files or boot records. It usually achieves this by monitoring the system functions used to read files or sectors from storage media and forging the results of calls to such functions. This means that programs that try to read infected files or sectors see the original, uninfected form instead of the actual, infected form. Thus the virus’s modifications may go undetected by antivirus programs. However, in order to do this, the virus must be resident in memory when the antivirus program is executed, and the antivirus program may be able to detect its presence.

Brain, the first PC/DOS virus (a boot-sector infector from 1986), for example intercepted the BIOS disk services and redirected any attempt to read a Brain-infected boot sector to the disk area where the original boot sector was stored.

12.1. File stealth viruses

In addition to hiding boot-sector changes, DOS file stealth viruses infect .COM and .EXE files when they are opened or copied and hide the resulting growth in file size from the DIR command. The trouble starts when you run CHKDSK /F: the forged size shown by DIR and the space actually allocated in the FAT no longer agree, CHKDSK takes this for an allocation error or cross-linked files and "repairs" it, and the result is the destruction of the files involved.

12.2. Full stealth viruses

A full stealth virus intercepts all normal file access calls, subtracts its own length from every reported size and returns the original contents on reads, so that the system appears clean as long as the virus is resident.

12.3. Countermeasures against Stealth Viruses?

You need a clean system, i.e. no virus may be resident to distort the results of system status checks. So always start the system from a trusted, clean, write-protected bootable diskette before you attempt any virus checking.
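As an added example (this is not MemScan code and models no real virus), the following Python script plays through the three views described in this section: the DOS view that a resident file stealth virus forges by hooking the file services, the raw view of the directory table and the FAT cluster chains, and what CHKDSK sees when it compares the two. The toy volume, its 512-byte cluster size, the host file and the "virus body" are all constructed for the demonstration. It shows that a scanner reading through the hooked DOS services misses the virus while a raw read finds it, that CHKDSK run while the virus is resident reports an allocation mismatch (which /F would "fix" by truncating the file), and that the same check after a clean boot reports nothing.

```python
"""Constructed model of a DOS file stealth virus and the cross-view checks that expose it."""

CLUSTER = 512                                          # bytes per cluster on the toy volume
VIRUS_BODY = b"<constructed stealth body: hooks INT 21h>" * 41   # ~1700 bytes, nothing executable
SIGNATURE = b"hooks INT 21h"                           # scan string for this body

class Volume:
    """Toy FAT-like volume: directory entries plus cluster chains, as a raw sector read sees them."""
    def __init__(self):
        self.dir = {}          # name -> [size, first cluster]
        self.fat = {}          # cluster -> next cluster (None = end of chain)
        self.data = {}         # cluster -> bytes
        self.next_free = 2

    def write(self, name, payload):
        first = prev = None
        for off in range(0, len(payload), CLUSTER):
            c, self.next_free = self.next_free, self.next_free + 1
            self.data[c], self.fat[c] = payload[off:off + CLUSTER], None
            if prev is None:
                first = c
            else:
                self.fat[prev] = c
            prev = c
        self.dir[name] = [len(payload), first]

    def chain(self, name):
        c, out = self.dir[name][1], []
        while c is not None:
            out.append(c)
            c = self.fat[c]
        return out

    def raw_read(self, name):
        return b"".join(self.data[c] for c in self.chain(name))[:self.dir[name][0]]


class StealthVirus:
    """Appends its body to a file; while resident it forges size and contents via the Dos hooks below."""
    body = VIRUS_BODY

    def infected(self, vol, name):
        return vol.raw_read(name).endswith(self.body)

    def infect(self, vol, name):
        vol.write(name, vol.raw_read(name) + self.body)


class Dos:
    """DOS file services. `resident` is the virus hooking INT 21h, or None after a clean boot."""
    def __init__(self, vol, resident=None):
        self.vol, self.resident = vol, resident

    def dir_size(self, name):                          # hooked findfirst/findnext: hide the growth
        size = self.vol.dir[name][0]
        if self.resident and self.resident.infected(self.vol, name):
            size -= len(self.resident.body)
        return size

    def read(self, name):                              # hooked read: hand back the original contents
        data = self.vol.raw_read(name)
        if self.resident and self.resident.infected(self.vol, name):
            data = data[:-len(self.resident.body)]
        return data


def scan(dos, vol, name, raw=False):
    """A scanner reading through DOS sees the forged file; a raw cluster read sees the real one."""
    return SIGNATURE in (vol.raw_read(name) if raw else dos.read(name))

def chkdsk_allocation_errors(vol, dos):
    """CHKDSK's view: sizes from the (hookable) directory listing, allocation from the raw FAT chains.
    With the virus resident the two disagree; /F would truncate the chain to the forged size."""
    errors = []
    for name in vol.dir:
        reported, allocated = dos.dir_size(name), len(vol.chain(name)) * CLUSTER
        if allocated - reported >= CLUSTER:            # more clusters than the reported size needs
            errors.append((name, reported, allocated))
    return errors

def cross_view_hidden(vol, dos):
    """Files whose raw contents differ from what the DOS API returns: something is hiding."""
    return [name for name in vol.dir if dos.read(name) != vol.raw_read(name)]

def demo():
    vol = Volume()
    vol.write("PROG.COM", bytes(range(256)) * 20)      # constructed 5120-byte host (exactly 10 clusters)
    virus = StealthVirus()
    virus.infect(vol, "PROG.COM")
    resident, clean_boot = Dos(vol, resident=virus), Dos(vol)
    return {
        "scan_via_dos": scan(resident, vol, "PROG.COM"),           # False: the hooked read hides the body
        "scan_raw": scan(resident, vol, "PROG.COM", raw=True),     # True
        "chkdsk_resident": chkdsk_allocation_errors(vol, resident),
        "chkdsk_clean_boot": chkdsk_allocation_errors(vol, clean_boot),
        "hidden_files": cross_view_hidden(vol, resident),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same cross-view idea (compare what the API reports with what the raw medium contains) is how modern rootkit detectors work; the clean-boot rule in the paragraph above is simply the DOS-era way of getting an unhooked view.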

13. Encryption

One method of evading malware detection is to use simple encryption to encipher (encode) the body of the malware, leaving only the encryption module and a static cryptographic key in clear text which does not change from one infection to the next.

13.1. What is a polymorphic virus?

A polymorphic virus is one that produces varied but operational copies of itself. This strategy assumes that virus scanners will not be able to detect all instances of the virus. One method of evading scan-string driven virus detectors is self-encryption with a variable key. Polymorphic code was the first technique that posed a serious threat to virus scanners.

More sophisticated polymorphic viruses (e.g., V2P6) vary the sequences of instructions in their variants by interspersing the decryption instructions with "noise" instructions (e.g., a No OPeration instruction (NOP), or an instruction to load a currently unused register with an arbitrary value), by interchanging mutually independent instructions, or even by using various instruction sequences with identical net effects (e.g., Subtract A from A, and Move 0 to A). A simple-minded, scan-string based virus scanner would not be able to reliably identify all variants of this sort of virus; in this case, a sophisticated scanning engine has to be constructed after thorough research into the particular virus.

One of the most sophisticated forms of polymorphism used so far is the Mutation Engine (MtE) or the Trident Polymorph Engine (TPE), which comes in the form of an object module. With such mutation engines, any virus can be made polymorphic by adding certain (API) calls to its assembler source code and linking to the mutation-engine and provided random-number generator modules.

The advent of polymorphic viruses has rendered virus scanning an increasingly difficult and expensive endeavor; adding more and more search strings to simple scanners will not adequately deal with these viruses.
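As an added example (not code from MemScan, MtE, TPE or any real virus), the following Python model shows what the paragraphs above describe. make_sample emits, for each "infection", a 16-bit x86 decryptor assembled from a handful of real instruction encodings (mov si/bx, mov cx, add/sub/xor byte [ptr],imm8, inc, loop) with a fresh key, a random pointer register and decryption operation, the two mutually independent setup instructions in random order and "noise" instructions (nop, clc, sub ax,ax, loads of registers the loop never uses) interspersed, followed by the body encrypted under that key. The body is a constructed text stand-in, not virus code; the ORG of 100h, the signature string and the opcode subset are assumptions of the model. scan_string_hits shows that neither the body signature nor the first bytes of one sample's decryptor find all variants; emulate is a tiny interpreter for that opcode subset that runs the decryptor first, after which the body signature matches every variant, which is the kind of "sophisticated scanning engine" the text refers to.

```python
"""Constructed model: polymorphic decryptor generation versus scan strings and emulation."""
import random

ORG = 0x100                                            # .COM programs load at offset 100h
BODY = b"virus body: infect .COM files, then run the host " * 2   # constructed plaintext stand-in
SIG = b"infect .COM"                                   # scan string that only matches the decrypted body

MOV_PTR = {"si": 0xBE, "bx": 0xBB}                     # mov si/bx, imm16
INC_PTR = {"si": 0x46, "bx": 0x43}                     # inc si / inc bx
# 80 /r ib with mod=00: ADD(/0), SUB(/5), XOR(/6) byte [si] (rm=100) or byte [bx] (rm=111)
MODRM = {("add", "si"): 0x04, ("add", "bx"): 0x07, ("sub", "si"): 0x2C,
         ("sub", "bx"): 0x2F, ("xor", "si"): 0x34, ("xor", "bx"): 0x37}

def junk(rng):
    """Noise with no effect on decryption: nop, clc, sub ax,ax, loads of registers the loop never uses."""
    imm = lambda: rng.randrange(65536).to_bytes(2, "little")
    return rng.choice([b"\x90", b"\xF8", b"\x29\xC0", b"\xB8" + imm(), b"\xBA" + imm()])

def make_sample(rng):
    """One 'infection': a freshly generated decryptor, then the body encrypted under a fresh key."""
    key = rng.randrange(1, 256)
    ptr, op = rng.choice(["si", "bx"]), rng.choice(["add", "sub", "xor"])
    setup = [("ptr", bytes([MOV_PTR[ptr], 0, 0])),                      # patched once the length is known
             ("cnt", bytes([0xB9]) + len(BODY).to_bytes(2, "little"))]  # mov cx, len(body)
    rng.shuffle(setup)                                                  # independent: either order works
    chunks, ptr_idx = [], None
    for tag, ins in setup:
        chunks += [junk(rng) for _ in range(rng.randrange(3))]
        if tag == "ptr":
            ptr_idx = len(chunks)
        chunks.append(ins)
    loop = ([bytes([0x80, MODRM[(op, ptr)], key])]                     # add/sub/xor byte [ptr], key
            + [junk(rng) for _ in range(rng.randrange(2))]
            + [bytes([INC_PTR[ptr]])])
    chunks += loop
    chunks.append(bytes([0xE2, (-(sum(map(len, loop)) + 2)) & 0xFF]))  # loop back to the top of `loop`
    chunks.append(b"\xC3")                                             # stand-in for the jump into the body
    body_addr = ORG + sum(map(len, chunks))
    chunks[ptr_idx] = bytes([MOV_PTR[ptr]]) + body_addr.to_bytes(2, "little")
    enc = {"xor": lambda b: b ^ key, "add": lambda b: (b - key) & 0xFF,
           "sub": lambda b: (b + key) & 0xFF}[op]                      # inverse of the decryptor's op
    return b"".join(chunks) + bytes(enc(b) for b in BODY)

def emulate(sample, max_steps=5000):
    """Tiny 8086 interpreter for the opcode subset above; stops on ret, unknown opcode or bad address."""
    mem, r, pc = bytearray(sample), dict(ax=0, bx=0, cx=0, dx=0, si=0), 0
    reg16 = {0xB8: "ax", 0xB9: "cx", 0xBA: "dx", 0xBB: "bx", 0xBE: "si"}
    for _ in range(max_steps):
        if pc + 2 >= len(mem):                         # every instruction here is at most 3 bytes
            break
        op = mem[pc]
        if op in reg16:
            r[reg16[op]] = int.from_bytes(mem[pc + 1:pc + 3], "little"); pc += 3
        elif op in (0x90, 0xF8):
            pc += 1
        elif op == 0x29 and mem[pc + 1] == 0xC0:
            r["ax"] = 0; pc += 2
        elif op in (0x43, 0x46):
            reg = "bx" if op == 0x43 else "si"
            r[reg] = (r[reg] + 1) & 0xFFFF; pc += 1
        elif op == 0x80 and (mem[pc + 1] & 0xC7) in (0x04, 0x07):
            modrm, imm = mem[pc + 1], mem[pc + 2]
            a = r["si" if modrm & 7 == 4 else "bx"] - ORG
            sub = (modrm >> 3) & 7
            if not 0 <= a < len(mem) or sub not in (0, 5, 6):
                break
            mem[a] = {0: mem[a] + imm, 5: mem[a] - imm, 6: mem[a] ^ imm}[sub] & 0xFF
            pc += 3
        elif op == 0xE2:
            rel = mem[pc + 1] - (256 if mem[pc + 1] > 127 else 0)
            r["cx"] = (r["cx"] - 1) & 0xFFFF
            pc = pc + 2 + rel if r["cx"] else pc + 2
        else:
            break                                      # ret (C3) or anything outside the subset
    return bytes(mem)

def make_samples(n, seed):
    rng = random.Random(seed)
    return [make_sample(rng) for _ in range(n)]

def scan_string_hits(samples, pattern):
    """Classic scanner: count samples containing a fixed byte string."""
    return sum(pattern in s for s in samples)

def emulating_hits(samples):
    """Algorithmic detection: run the decryptor, then look for the body signature in the result."""
    return sum(SIG in emulate(s) for s in samples)

def demo(n=50, seed=1):
    samples = make_samples(n, seed)
    return {"samples": n,
            "body_scan_string": scan_string_hits(samples, SIG),                  # 0: body never in clear
            "decryptor_scan_string": scan_string_hits(samples, samples[0][:8]),  # itself plus a few lookalikes
            "emulated": emulating_hits(samples)}                                 # n: every variant

if __name__ == "__main__":
    print(demo())
```

A real engine has to cover the full instruction set and cap the emulation effort; this interpreter stops on ret, on any opcode outside its subset and on an out-of-range memory access, so an unknown decryptor fails closed instead of looping.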

14. What is an armored virus?

Armored viruses use special tricks to make the tracing, disassembling, and understanding of their code more difficult. A good example is the Whale virus. An armored virus uses various techniques to evade detection, such as encrypting its code, obfuscating its code, and using anti-debugging and anti-tampering methods.

Armored viruses pose a serious threat because they can be used to perform malicious activities such as stealing sensitive information, altering or corrupting data, and slowing performance without being detected. They can also be used as part of more complex attacks, such as advanced persistent threats (APTs), to maintain a foothold on a target network over an extended period of time.

15. What is Phishing/Vishing?

Phishing and vishing are types of scams used to steal sensitive information such as passwords, credit card numbers and other personal data.

Phishing is a type of scam that tricks people into providing sensitive information through fake emails or websites that appear to be from a reputable source, such as a bank or a well-known company. The goal of phishing scams is to trick people into revealing personal information, such as passwords or credit card numbers, by posing as a trustworthy entity.

Vishing, short for voice phishing, is a type of phishing scam where people are tricked into revealing sensitive information over the phone. In vishing scams, scammers often pretend to be from a bank, government agency or technology company and use persuasive techniques to get people to reveal sensitive information.

Both phishing and vishing scams are becoming increasingly sophisticated and it is important to be wary of unsolicited emails or phone calls. To protect yourself from these types of scams, never provide sensitive information in response to an unsolicited request and independently verify the identity of the recipient before providing any personal information.

16. Best Practices

Ransomware attacks can be extremely damaging and complex, and the timeframe for action is very limited. The best way to deal with them is to avoid them in the first place, and use mechanisms to prevent and mitigate their impact. The best way to prevent a malware attack is to follow good operational and security practices, such as

  • Keep all software and operating systems up to date.

  • Use anti-virus and anti-malware software on desktop systems.

  • Scan regularly for vulnerabilities and check compliance with security policies; the key word is regularly. Automate this so that it is not forgotten and can be integrated into the deployment process.

  • Ensure that the software supply chain is properly secured. From an attacker’s perspective, attacking the supply chain may be the easiest way to reach most, if not all, of an organisation’s systems.

  • Implement proactive measures and adopt a zero-trust policy. This applies to containers as well as traditional environments.

  • Implement password validation best practices, such as avoiding common words and using long phrases that are easier for humans to remember but harder for machines to crack.

  • Educate staff on basic security principles, such as being wary of suspicious emails, recognising suspicious links and managing data to avoid storing critical data in unsecured locations.

  • Perform regular backups and always keep a cold backup in a separate physical location with no network access. Ensure that recovery procedures are tested regularly.

  • Automate the provisioning of your infrastructure so that you can restore your systems quickly - time is money.

  • Have a disaster recovery plan in place and ensure it is tested regularly.

18. Some very old DOS viruses that were very widespread in the past

18.1. Cascade

Cascade virus (also known as Herbstlaub in Germany) is a well-known DOS computer virus that is a memory-resident virus written in assembly language. Cascade was widely spread in the 1980s and early 1990s. It infected DOS .COM files and caused the text on the screen to cascade down and form a pile at the bottom of the screen. It was notable for the fact that it used an encryption algorithm to avoid detection. However, it could be seen that the size of the infected files increased by 1701 or 1704 bytes. In response, IBM developed its own anti-virus software.

When a file infected with Cascade is executed, the virus checks the BIOS for the string "COPR. IBM", IBM's copyright notice. If it finds the string it is meant to stop there, but due to a bug it does not, and the virus becomes memory resident anyway. Every time a .COM file is then executed, the virus infects it: it appends itself to the file, replaces the first three bytes of the host with a jump to the virus code and keeps the original three bytes inside its own body.

Cascade's payload triggers when an infected file is executed between October 1 and December 31, 1988: the characters on the DOS text screen tumble down at random and pile up at the bottom in a heap of letters and digits. Some variants also produce noise.

The virus has a number of variants. Cascade-17Y4, which is believed to have originated in Yugoslavia, is almost identical to the most common 1704-byte variant. One byte has been changed, probably by a random "mutation". However, this has resulted in a "bug" in the virus. Another mutated variant is also known - it infects the same file over and over again.
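The file layout just described (first three bytes replaced by a jump, original bytes kept inside the appended body, growth by 1701 or 1704 bytes) is also what a scanner can look for without knowing the virus. The following Python script is an added example, not MemScan code and not Cascade itself: infect_com builds that layout on a constructed, harmless host with an inert filler "body", suspicious applies two heuristics (an entry JMP that lands in the file tail, and growth by one of the known amounts against a baseline size), and disinfect reverses the layout. The 4096-byte tail window and the sample program are assumptions of the example. Note the caveat built into the first heuristic: many legitimate small .COM programs also begin with a JMP, so on its own it is an indication that needs corroboration, not a verdict.

```python
"""Constructed Cascade-style .COM layout and a heuristic check for appending infectors."""
import struct

TAIL_WINDOW = 4096            # assumption: an appended body sits within this many bytes of the file end
KNOWN_GROWTH = {1701, 1704}   # growth of infected files for the two common Cascade variants

def entry_jump_target(data):
    """Offset the first instruction jumps to, if the file starts with a JMP (E9 rel16 or EB rel8)."""
    if len(data) >= 3 and data[0] == 0xE9:
        return 3 + struct.unpack("<h", data[1:3])[0]
    if len(data) >= 2 and data[0] == 0xEB:
        return 2 + struct.unpack("<b", data[1:2])[0]
    return None

def infect_com(host, body):
    """Constructed infection layout (no real virus code): keep the host's first three bytes at the
    start of the appended tail, append the body, and replace the entry with a JMP to that tail."""
    tail = host[:3] + body
    jmp = b"\xE9" + struct.pack("<h", len(host) - 3)   # rel16 counts from the end of the 3-byte JMP
    return jmp + host[3:] + tail

def suspicious(data, baseline_size=None):
    """Reasons a .COM file looks like it carries an appending infector (indications, not proof)."""
    reasons = []
    target = entry_jump_target(data)
    if target is not None and max(0, len(data) - TAIL_WINDOW) <= target < len(data):
        reasons.append("entry JMP lands in the file tail (offset %d of %d)" % (target, len(data)))
    if baseline_size is not None and len(data) - baseline_size in KNOWN_GROWTH:
        reasons.append("grew by %d bytes since baseline" % (len(data) - baseline_size))
    return reasons

def disinfect(data):
    """Undo the layout above: original = the 3 saved bytes from the tail + the rest of the host."""
    target = entry_jump_target(data)
    if target is None or target + 3 > len(data):
        return data
    return data[target:target + 3] + data[3:target]

def sample_host():
    # constructed DOS program: mov ah,9 / mov dx,108h / int 21h / ret, then "$"-terminated text
    code = b"\xB4\x09\xBA\x08\x01\xCD\x21\xC3"
    return code + b"Hello from a clean .COM file$" + b"\x00" * 500

def demo():
    host = sample_host()
    body = b"<constructed appended body>".ljust(1698, b"\x00")   # 3 saved bytes + 1698 = 1701 growth
    infected = infect_com(host, body)
    return {
        "clean": suspicious(host, len(host)),                 # []
        "infected": suspicious(infected, len(host)),          # two reasons
        "growth": len(infected) - len(host),                  # 1701
        "restored_ok": disinfect(infected) == host,           # True
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The growth check needs a baseline (a stored size or hash per file), which is exactly what integrity checkers of the period kept; without it the tail-jump heuristic alone would flag every small program that starts with a jump over its data.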

18.2. Jerusalem

Jerusalem is a DOS virus that was first detected in Jerusalem in October 1987. Its origin is uncertain: it was thought to have originated in Israel, but evidence from 1991 suggests that it may have come from Italy. As of 1993 Jerusalem was still in the wild and many variants had been created; the last reported case was in 1995, almost 8 years after its discovery. The virus has gone by many names, some referring to its possible origin and some to its Friday-the-13th payload date. Jerusalem was initially very common (for a virus of its time) and spawned a large number of variants. However, with the spread of Windows the DOS programs and interrupts it relies on fell out of general use, so Jerusalem and its variants have become obsolete.

Once executed, the Jerusalem virus becomes memory resident (using about 2 KB of memory) and then infects every executable file that is run, except COMMAND.COM. .COM files grow by 1,813 bytes when infected and are not re-infected. .EXE files grow by between 1,808 and 1,823 bytes each time they are infected, because the virus re-infects them every time they are loaded, until they are too large to fit into memory. Some .EXE files are infected without growing, because multiple overlays follow the real .EXE image in the same file. Sometimes .EXE files are infected incorrectly, so that the program no longer runs.

The virus code itself hooks into interrupt processing and other low level DOS services. For example, code in the virus suppresses the printing of console messages if, for example, the virus is not able to infect a file on a read-only device such as a floppy disk. One of the clues that a computer is infected is the mis-capitalization of the well-known message "Bad command or file name" as "Bad Command or file name".

The program contains one destructive payload that goes off on Friday the 13th in every year except 1987. On that date the virus deletes every program file that is executed. Jerusalem is also known as BlackBox because of the black box it displays during the payload sequence: if the system is in text mode, Jerusalem draws a small black rectangle from row 5, column 5 to row 16, column 16, which is scrolled up by two lines.

As a result of the virus hooking into the low-level timer interrupt, PC-XT systems slow down to one fifth of their normal speeds 30 minutes after the virus has installed itself. The slowdown is less noticeable on faster machines. The virus contains code that enters a processing loop each time the processor’s timer tick is activated.

Symptoms also include spontaneous disconnection of workstations from networks and the creation of large printer spooling files. The disconnections occur because Jerusalem hooks the same low-level INT 21h DOS functions that Novell NetWare and other network shells need to hook in order to redirect file system calls.

Variants

Over the years that Jerusalem spread, many virus coders created variants of the virus, making Jerusalem one of the largest families of viruses ever created. It even includes many sub-variants and a few sub-sub-variants. Most variants are unimaginative, simply changing the payload date, text displayed or even nothing at all. Some variants contain fixes for the bugs of the original.

Jerusalem.1013 Jerusalem.1024 Jerusalem.1234 Jerusalem.1237 Jerusalem.1238
Jerusalem.1241 Jerusalem.1244 Jerusalem.1264 Jerusalem.1291 Jerusalem.1329
Jerusalem.1347 Jerusalem.1348 Jerusalem.1349 Jerusalem.1353 Jerusalem.1356
Jerusalem.1361 Jerusalem.1363 Jerusalem.1364 Jerusalem.1390 Jerusalem.1399
Jerusalem.1408 Jerusalem.1427 Jerusalem.1446 Jerusalem.1448 Jerusalem.1455
Jerusalem.1459 Jerusalem.1477 Jerusalem.1478 Jerusalem.1487 Jerusalem.1488
Jerusalem.1489 Jerusalem.1500 Jerusalem.1503 Jerusalem.1504 Jerusalem.1511
Jerusalem.1518 Jerusalem.1521 Jerusalem.1522 Jerusalem.1523 Jerusalem.1524
Jerusalem.1525 Jerusalem.1526 Jerusalem.1530 Jerusalem.1533 Jerusalem.1536
Jerusalem.1548 Jerusalem.1552 Jerusalem.1558 Jerusalem.1562 Jerusalem.1568
Jerusalem.1570 Jerusalem.1587 Jerusalem.1589 Jerusalem.1591 Jerusalem.1596
Jerusalem.1598 Jerusalem.1605 Jerusalem.1607 Jerusalem.1624 Jerusalem.1631
Jerusalem.1639 Jerusalem.1640 Jerusalem.1653 Jerusalem.1664 Jerusalem.1682
Jerusalem.1692 Jerusalem.1715 Jerusalem.1716 Jerusalem.1720 Jerusalem.1721
Jerusalem.1728 Jerusalem.1733 Jerusalem.1735 Jerusalem.1747 Jerusalem.1756
Jerusalem.1765 Jerusalem.1767 Jerusalem.1768 Jerusalem.1783 Jerusalem.1792
Jerusalem.1807 Jerusalem.1808 Jerusalem.1813 Jerusalem.1824 Jerusalem.1845
Jerusalem.1884 Jerusalem.1888 Jerusalem.1899 Jerusalem.1960 Jerusalem.1968
Jerusalem.1970 Jerusalem.1975 Jerusalem.1984 Jerusalem.1991 Jerusalem.2000
Jerusalem.2012 Jerusalem.2027 Jerusalem.2053 Jerusalem.2064 Jerusalem.2080
Jerusalem.2082 Jerusalem.2083 Jerusalem.2116 Jerusalem.2126 Jerusalem.2128
Jerusalem.2132 Jerusalem.2187 Jerusalem.2208 Jerusalem.2223 Jerusalem.2224
Jerusalem.2272 Jerusalem.2291 Jerusalem.2350 Jerusalem.2358 Jerusalem.2368
Jerusalem.2389 Jerusalem.2437 Jerusalem.2465 Jerusalem.2472 Jerusalem.2490
Jerusalem.2576 Jerusalem.2758 Jerusalem.2880 Jerusalem.2886 Jerusalem.3887
Jerusalem.4112 Jerusalem.5120 Jerusalem.641 Jerusalem.662 Jerusalem.679
Jerusalem.878 Jerusalem.880 Jerusalem.986 Jerusalem.A Jerusalem.CVEX
Jerusalem.Curse Jerusalem.June11_T3Scan Jerusalem.Plastique
Jerusalem.Roger Jerusalem.a Jerusalem.com Jerusalem.sURIV_3

18.3. Stoned

Stoned is a very large family of boot sector viruses on the DOS platform that appeared in early 1988. Prominent members of this family include the infamous Michelangelo virus, which caused great panic in the early 1990s, and the Angelina virus from 1994, which resurfaced on infected laptops in 2007. Stoned was allegedly written by a student at Victoria University of Wellington in New Zealand.

When the computer boots from an infected hard disk, Stoned becomes resident in memory. When it boots from an infected floppy disk, the virus checks the master boot record of the hard disk and infects it if it is still clean. When infecting a floppy disk, Stoned moves the original boot sector to logical sector 11 and places itself in sector 0 (the boot sector). When infecting a hard disk, it moves the original master boot record to cylinder 0, head 0, sector 7 and places itself in cylinder 0, head 0, sector 1. The original variant infects only 360 KB 5.25-inch floppy disks and hard disks.

Once in memory, the virus infects the boot sectors of all floppy disks that are accessed. It cannot re-infect the hard disk: even if the virus is removed from the master boot record while it is still in memory, it will not attempt to re-infect the hard disk.

There is a 1 in 8 chance that Stoned will release its payload while booting, causing the infected computer to beep and display the message:

Your PC is now stoned! LEGALIZE MARIJUANA!

Michelangelo

Michelangelo was the first computer virus to attract much media attention. It caused a great deal of panic but very little actual damage: Michelangelo infected only a few thousand computers, making it an example of media hype.

The hype began in January 1992, when one computer manufacturer accidentally shipped 500 computers infected with the virus, and on the same day another announced that it would ship computers with anti-virus software pre-installed. This coincidence aroused the interest of the press. United Press International interviewed the International Partnership Against Computer Terrorism and John McAfee, president of the antivirus company McAfee Associates, and reported that hundreds of thousands of computers might be destroyed by the virus. Data recovery consultant Martin Tibor captured the interest of the press with quotes such as "I find virus disasters everywhere" and "I see victims of viruses all the time."

In the weeks leading up to the payload’s release date, newspapers began reporting on the "local impact". Although some news outlets reported on the hysteria rather than the virus, few did anything to stop the hysteria (e.g., by talking to real experts). A significant number of computer users bought antivirus software.

/* End of Document */