User's guide

VIRUS BULLETIN ©1991 Virus Bulletin Ltd, 21 The Quadrant, Abingdon Science Park, Oxon, OX14 3YS, England. Tel (+44) 235 555139.
/90/$0.00+2.50 This bulletin is available only to qualified subscribers. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, magnetic, optical or photocopying, without the prior written permission of the publishers.
VIRUS BULLETIN, Page 12, August 1991
Companion Viruses
Companion viruses exploit the DOS rule that, given two
programs with the same name but different extensions, the
operating system will execute a COM file in preference to an
EXE file. A companion virus creates a COM file for every
EXE file it ‘infects’. The COM file is usually marked ‘hidden’
and contains the virus code, which, once it has run, executes the
original EXE file so that the program appears to behave normally.
The EXE file itself is never modified, so a checksum of the EXE
alone will not reveal the infection.
Companion viruses do not spread widely in practice, since the
DOS COPY command does not copy ‘hidden’ files.
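The lookup rule described above, together with the check a practitioner would run against it, as an added example (this is not code from the article). dos_resolve models how COMMAND.COM picks COM over EXE over BAT, trying all three extensions in the current directory before each PATH entry in turn (the PATH order goes a little beyond the article's one-sentence rule); dir_listing shows why the hidden companion never appears in DIR; find_companions flags every EXE that has a same-named COM beside it. The directory listing, file names, attributes and sizes are constructed.

```python
"""DOS command resolution and a detector for the COM-beside-EXE pattern
that companion viruses leave behind.

Added illustration, not code from the Virus Bulletin article. SAMPLE_LISTING
is a constructed directory listing; all names and sizes are invented.
"""
from dataclasses import dataclass

# DOS file attribute bits as reported by INT 21h functions 43h / 4Eh.
ATTR_READONLY = 0x01
ATTR_HIDDEN = 0x02
ATTR_SYSTEM = 0x04
ATTR_ARCHIVE = 0x20

# For a name typed without an extension, COMMAND.COM tries all three
# extensions in this order in one directory before moving to the next.
EXTENSION_ORDER = (".COM", ".EXE", ".BAT")


@dataclass(frozen=True)
class Entry:
    directory: str   # e.g. "C:\\UTIL"
    name: str        # 8.3 name, e.g. "PKZIP.EXE"
    attrs: int
    size: int


def _index(entries):
    """{DIRECTORY: {NAME: Entry}} with DOS-style case folding."""
    by_dir = {}
    for e in entries:
        by_dir.setdefault(e.directory.upper(), {})[e.name.upper()] = e
    return by_dir


def dos_resolve(command, cwd, path_dirs, entries):
    """Return the Entry DOS would run for `command` (no extension), or None.

    Hidden files are still found: the HIDDEN bit only keeps a file out of
    DIR listings, it does not stop the loader from executing it.
    """
    by_dir = _index(entries)
    base = command.upper()
    for d in [cwd, *path_dirs]:
        files = by_dir.get(d.upper(), {})
        for ext in EXTENSION_ORDER:
            hit = files.get(base + ext)
            if hit is not None:
                return hit
    return None


def dir_listing(directory, entries):
    """Names DIR would print for `directory` (hidden and system files omitted)."""
    files = _index(entries).get(directory.upper(), {})
    return sorted(n for n, e in files.items()
                  if not e.attrs & (ATTR_HIDDEN | ATTR_SYSTEM))


def find_companions(entries):
    """Return (exe_entry, com_entry, suspicious) for each EXE with a same-named COM.

    A hidden COM next to an EXE is the companion-virus signature and is marked
    suspicious; a visible pair may be a legitimate loader stub, so it is
    reported but not flagged.
    """
    hits = []
    for files in _index(entries).values():
        for name, exe in files.items():
            if not name.endswith(".EXE"):
                continue
            com = files.get(name[:-4] + ".COM")
            if com is not None:
                hits.append((exe, com, bool(com.attrs & ATTR_HIDDEN)))
    return sorted(hits, key=lambda h: (h[0].directory, h[0].name))


# Constructed listing: an infected pair under C:\UTIL, a benign pair under C:\APPS.
SAMPLE_LISTING = [
    Entry("C:\\DOS", "XCOPY.EXE", ATTR_ARCHIVE, 15820),
    Entry("C:\\DOS", "FORMAT.COM", ATTR_ARCHIVE, 32911),
    Entry("C:\\UTIL", "PKZIP.EXE", ATTR_ARCHIVE, 42166),
    Entry("C:\\UTIL", "PKZIP.COM", ATTR_HIDDEN | ATTR_ARCHIVE, 1024),   # the companion
    Entry("C:\\APPS", "WP.EXE", ATTR_ARCHIVE, 235000),
    Entry("C:\\APPS", "WP.COM", ATTR_ARCHIVE, 4100),                    # visible loader stub
]

if __name__ == "__main__":
    hit = dos_resolve("pkzip", "C:\\APPS", ["C:\\DOS", "C:\\UTIL"], SAMPLE_LISTING)
    print("PKZIP runs:", hit.directory + "\\" + hit.name)       # the hidden COM, not the EXE
    print("DIR C:\\UTIL shows:", dir_listing("C:\\UTIL", SAMPLE_LISTING))
    for exe, com, bad in find_companions(SAMPLE_LISTING):
        print(("SUSPECT " if bad else "pair    ") + exe.directory + "\\" + exe.name)
```

Because the EXE is untouched, the check has to be run over the directory as a whole rather than over each executable's own checksum; a scanner that only hashes EXE files will report the infected machine as clean.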
VIRUS BEHAVIOUR AFTER INFECTION OF THE PC
Memory-Resident Viruses
Memory-resident viruses install themselves into memory as a
Terminate and Stay Resident (TSR) process when an infected
program is executed. They will normally intercept one or
more interrupts and infect other executables when certain
conditions are fulfilled, e.g. when the user attempts to execute
an application (Cascade) or when the user accesses a drive
(Brain).
Switching the PC off will clear the virus from memory
(though not from disk); warm bootstrapping with Ctrl-Alt-Del
may not, as some viruses such as Yale and Joshi intercept the
warm boot and survive it.
Non-Memory-Resident Viruses
Non-memory-resident viruses are active only when an
infected application is executed. They execute their code
completely at that stage and do not remain in memory. Other
executables are therefore infected only while an infected
program is running (e.g. Vienna or Datacrime).
The infectiousness of non-memory-resident viruses is just as
high as, if not higher than, that of memory-resident viruses.
They are also more difficult to spot, since they do not change
the interrupt table or the amount of available memory, and
their infectious behaviour can be less predictable.
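The check that this distinction implies, as an added illustration (not code from the article): snapshot the interrupt vector table at 0000:0000 and the BIOS memory-size word at 0040:0013h before and after running a suspect program, then diff the two. A resident virus shows up as a changed vector and/or lost memory; a non-resident virus such as Vienna leaves both unchanged, which is exactly why this check misses it. The memory images, vector values and kilobyte figures are constructed; taking Brain's drive-access hook to be INT 13h and Cascade's program-execution hook to be INT 21h is an assumption of this example, not a statement of the text.

```python
"""Before/after check for a memory-resident infection: diff the interrupt
vector table and the BIOS memory-size word between two low-memory images.

Added illustration, not the article's code. All images below are constructed.
"""
import struct

BIOS_MEMSIZE = 0x0413        # linear address of 0040:0013h, memory size in KB
IMAGE_SIZE = 0x0500          # IVT (1 KB) plus the BIOS data area


def parse_ivt(image):
    """{int_no: (segment, offset)} from the first 1 KB of a low-memory image."""
    vectors = {}
    for n in range(256):
        off, seg = struct.unpack_from("<HH", image, n * 4)   # stored offset first
        vectors[n] = (seg, off)
    return vectors


def memsize_kb(image):
    return struct.unpack_from("<H", image, BIOS_MEMSIZE)[0]


def linear(seg, off):
    return (seg << 4) + off


def resident_check(before, after):
    """Compare two images taken either side of running a suspect program.

    Reports which vectors changed, how many KB vanished from the BIOS count,
    and which new handlers sit above the (new) top of memory, i.e. inside the
    block a Brain-style virus hides by lowering that count.
    """
    b, a = parse_ivt(before), parse_ivt(after)
    hooked = {n: (b[n], a[n]) for n in range(256) if a[n] != b[n]}
    lost_kb = memsize_kb(before) - memsize_kb(after)
    top = memsize_kb(after) * 1024
    above_top = sorted(n for n, (_, new) in hooked.items() if linear(*new) >= top)
    return {
        "hooked": hooked,
        "lost_kb": lost_kb,
        "above_top": above_top,
        "resident": bool(hooked) or lost_kb > 0,
    }


def make_image(vectors, mem_kb):
    """Build a constructed low-memory image from {int_no: (seg, off)} and the KB count."""
    img = bytearray(IMAGE_SIZE)
    for n, (seg, off) in vectors.items():
        struct.pack_into("<HH", img, n * 4, off, seg)
    struct.pack_into("<H", img, BIOS_MEMSIZE, mem_kb)
    return bytes(img)


# Constructed clean state: BIOS owns INT 13h, DOS owns INT 21h, 640 KB reported.
CLEAN_VECTORS = {0x13: (0xF000, 0xEC59), 0x21: (0x0116, 0x109E)}
CLEAN = make_image(CLEAN_VECTORS, 640)

# Brain-style: 7 KB shaved off the BIOS count, INT 13h pointed into that hidden block.
BRAIN_LIKE = make_image({**CLEAN_VECTORS, 0x13: (0x9E40, 0x0000)}, 633)

# Cascade-style: INT 21h hooked by a handler inside ordinary DOS memory, count unchanged.
CASCADE_LIKE = make_image({**CLEAN_VECTORS, 0x21: (0x9F00, 0x0100)}, 640)

# Vienna-style: non-resident, so low memory looks the same after the program exits.
VIENNA_LIKE = make_image(CLEAN_VECTORS, 640)

if __name__ == "__main__":
    for label, img in (("Brain-like", BRAIN_LIKE), ("Cascade-like", CASCADE_LIKE),
                       ("Vienna-like", VIENNA_LIKE)):
        r = resident_check(CLEAN, img)
        print(f"{label:12} resident={r['resident']} hooked={sorted(r['hooked'])} "
              f"lost_kb={r['lost_kb']} above_top={r['above_top']}")
```

A TSR that takes its memory through DOS rather than by lowering the BIOS count, as the Cascade-style image does, shows up only in the vector diff, so a real check should also compare DOS free memory (INT 21h function 48h) and needs a reference image taken from a known-clean boot.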
PATHOLOGY OF A VIRUS INFECTION ON NETWARE
Due to NetWare’s excellent emulation of physical DOS disks,
many DOS viruses in existence today are able to attack
NetWare drives.
The main difference between NetWare and local workstation
drives is that NetWare does not allow individual sector
addressing, either through the normal DOS interrupts 25H and
26H or through the BIOS interrupt 13H.
This excludes the possibility of pure boot sector viruses
infecting the network, but does not, of course, exclude
parasitic, multi-partite and companion viruses, all of which
can spread freely on a badly protected network.
Virus Entry Into the Network
A virus will usually enter a network via the user workstation.
In a typical scenario, the user infects his workstation by
executing an infected application (parasitic or multi-partite) or
by booting from an infected disk (multi-partite viruses). The
virus becomes memory-resident and will typically try to infect
any application which is run, or any drive which is accessed.
NET3 and IPX, which are normally kept on the workstation,
may already be memory-resident at this stage.
On accessing the network the user executes LOGIN.EXE,
stored on the file-server, which opens access to the allotted
file areas on the file-server. If LOGIN.EXE itself, or any other
executables, are unprotected (see page 18), they will become
infected. Any user executing an infected application will have
his workstation infected, which, in turn, will spread the
infection.
On a typical active network, infection can spread to most
workstations within minutes. An infected LOGIN.EXE, or any
program executed by the system login script, infects a user's
workstation every time that user logs into the network.
JERUSALEM INFECTION ON NETWARE 2.12
The above scenario has been demonstrated by intentionally
infecting a workstation with the Jerusalem virus and then
executing LOGIN on the file-server running NetWare 2.12.
LOGIN.EXE was deliberately protected only by the Read-
Only (R/O) attribute, and the login was performed as supervisor.
Jerusalem (like most parasitic viruses) simply changes the
attribute to Read/Write (R/W), infects the file and sets it back
to R/O, so the attribute offers no protection against a user
whose rights allow it to be changed.
After LOGIN.EXE has been infected, any workstation logging
into the network will become infected. Any EXE or COM file
residing on the file-server will likewise be infected whenever
it is executed by the supervisor.
A Jerusalem infection is easy to spot because of virus side-
effects, which include system slow-down and the appearance
of a black ‘window’ on the screen some 30 minutes after
infection. Infected EXE files keep growing by 1808 bytes
every time they are executed from a workstation infected with
the virus; this does not happen with COM files.
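The lesson of the experiment, as an added example (not the article's code and not a Novell tool): a content-hash baseline catches the attribute-flip, infect, attribute-restore sequence that an attribute check cannot see, and the 1808-byte growth per execution of an infected EXE gives a second, size-based tell. The file names come from the text; the contents, sizes and the three-execution scenario are constructed.

```python
"""Content-hash baseline for server executables.

Added illustration, not code from the article. It shows why a Read-Only
attribute is not a control: the hash recorded earlier does not care what
the attribute says now. File contents are constructed placeholders.
"""
import hashlib

ATTR_READONLY = 0x01
JERUSALEM_EXE_GROWTH = 1808   # bytes added to an EXE per infection, per the text


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def baseline(files):
    """files: {name: (attrs, content)} from a known-clean server -> {name: (size, digest, attrs)}."""
    return {name: (len(data), sha256(data), attrs) for name, (attrs, data) in files.items()}


def check(base, current):
    """Compare the current view of the files with the baseline.

    Returns a sorted list of (name, finding). Growth in exact multiples of
    1808 bytes on an EXE is called out, since Jerusalem re-infects EXE files
    on every execution from an infected workstation.
    """
    findings = []
    for name, (size, digest, attrs) in base.items():
        if name not in current:
            findings.append((name, "missing"))
            continue
        cur_attrs, data = current[name]
        if sha256(data) == digest:
            continue
        growth = len(data) - size
        finding = "modified"
        if name.upper().endswith(".EXE") and growth > 0 and growth % JERUSALEM_EXE_GROWTH == 0:
            finding = f"modified, grew {growth // JERUSALEM_EXE_GROWTH} x {JERUSALEM_EXE_GROWTH} bytes"
        if attrs & cur_attrs & ATTR_READONLY:
            finding += " with R/O attribute still set"
        findings.append((name, finding))
    for name in current:
        if name not in base:
            findings.append((name, "unexpected new file"))
    return sorted(findings)


def attribute_check(base, current):
    """What an attribute-only check reports: files whose R/O bit has been lost."""
    return sorted(name for name, (_, _, attrs) in base.items()
                  if name in current and attrs & ATTR_READONLY
                  and not current[name][0] & ATTR_READONLY)


# Constructed clean server view (placeholder contents, invented sizes).
CLEAN = {
    "LOGIN.EXE": (ATTR_READONLY, b"MZ" + b"\x90" * 30000),
    "MAP.EXE": (ATTR_READONLY, b"MZ" + b"\x90" * 20000),
    "COMMAND.COM": (ATTR_READONLY, b"\xe9" + b"\x90" * 40000),
}

# Constructed view after the experiment: LOGIN.EXE has been run three times
# from an infected workstation and R/O is back in place; MAP.EXE is untouched;
# COMMAND.COM has been altered once, to show a plain modification report.
AFTER = {
    "LOGIN.EXE": (ATTR_READONLY, CLEAN["LOGIN.EXE"][1] + b"\xcc" * (3 * JERUSALEM_EXE_GROWTH)),
    "MAP.EXE": CLEAN["MAP.EXE"],
    "COMMAND.COM": (ATTR_READONLY, CLEAN["COMMAND.COM"][1] + b"\xcc" * 1000),
}

if __name__ == "__main__":
    base = baseline(CLEAN)
    print("attribute-only check reports:", attribute_check(base, AFTER))   # nothing at all
    for name, finding in check(base, AFTER):
        print(f"{name:12} {finding}")
```

The baseline has to be taken from a server known to be clean and kept where the virus cannot reach it; a baseline stored as an ordinary writable file on the same volume is just one more target.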
NETWARE 3.11 SECURITY MECHANISMS
NetWare 3.11 provides four different aspects of network
security: the login procedure, trustee rights, the inherited rights
mask and file/directory attributes.
The login procedure requires all users to identify themselves
by a username and a password.
Trustee rights are granted to each user by means of trustee
assignments and permit each user various actions such as
reading from files, writing to files, creating files etc.