****************************************************************************** PT-7 January 1990 ******************************************************************************

1. Product Description:

CHKSUM is a public domain program that computes the 16 bit cyclic redundancy check (CRC) of any file and compares the computed CRC of a file with a specified one. The author, Bob Taylor, proposes using the program to assign a signature to a file and to detect changes to that signature, which may indicate a viral infection or some other type of unauthorized or unexpected change.

2. Product Acquisition:

CHKSUM is available on several public bulletin boards. It resides in the following path on the Directorate of Information Management host simtel20 at White Sands Missile Range: pd1: chksum.arc.1. The author provides the following address for comments: Bob Taylor, 8602 Woodlake Drive, Richmond, VA 23229.

3. Product Tester:

Chris Mc Donald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN 258-7548 or DDN: cmcdonal@wsmr-emh03.army.mil.

4. Product Test:

a. I obtained a copy of CHKSUM in September 1989 from the MS-DOS repository on the Internet host simtel20. The repository manager obtained the copy from a reliable source.

b. I ran the current version of VIRUSCAN against CHKSUM.EXE with negative results for the detection of any known viral signatures.

c. I examined the CHKSUM.EXE program with "nu" from the NORTON Utilities and saw nothing unusual or suspicious.

d. Execution of the program is very simple: running it against a file produces that file's CRC, in both hexadecimal and decimal form.

e. Once a user has computed the CRC for a file, there are several ways to use the result to detect any change to this signature.
The author suggests that the computed CRC be placed in one's autoexec.bat file, so that every time the system boots there is an automatic comparison of the stored CRC against the CRC of the on-line file. He provides a clear example of the autoexec.bat entry. If the CRCs do not match, the program gives the user an audible and visible warning message on the screen. I tested this feature, which worked as advertised. An option (-s) "silences" the printed warning message and sets the DOS ERRORLEVEL to 1, so the user can customize the response in autoexec.bat with "IF ERRORLEVEL 1 GOTO (USER SPECIFIED ACTION)".

f. There are additional strategies one might use. For example, I created a batch file of CRCs and then executed it. I changed files included in the batch file to determine whether CHKSUM would detect the activity, and I also deleted files included in the batch file. In all cases CHKSUM detected the change or the file deletion and provided a warning message.

g. Another approach is to compute the CRCs and store the results "off-line" to guard further against modification of the signatures themselves. Keep in mind that the same exposure applies to CHKSUM.EXE and to autoexec.bat: a program able to alter a protected file is equally able to alter the stored signature or the check that compares it, so a signature list kept on the same writable disk only catches changes that do not also target the check.

5. Product Advantages:

a. The program works as advertised.
b. The program is "free" and easy to use.
c. The author provides source code with the program.

6. Product Disadvantages:

a. The program computes a 16 bit cyclic redundancy check, which can take only 65,536 distinct values; many commentators recommend a 32 bit CRC value.
b. To use the program effectively the user must know how to edit an autoexec.bat file or how to create a batch file. The unfortunate reality is that there are users who do not have such knowledge.

7. Comments:

I have now looked at three programs which compute "signatures" for files: (1) Data Physician (commercial product, reference PT-4); (2) Virus Checker (shareware product, reference PT-6); and (3) CHKSUM (public domain).
Each program operates on the assumption that it can detect changes to that signature and that such changes may be virus related. All three programs use the word "checksum", but each uses it in a slightly different way. In fact, a computer "expert" has lectured me that there is a real difference between a "checksum" and a "CRC computation." A "checksum" is a number calculated from the contents of a file. For example, one method of calculation is the 8 bit sum of the numeric values of each character (e.g., an ASCII uppercase "A" has the numeric value 65). A "CRC computation" treats the bits of the file, taken in sequence, as a polynomial and keeps the 16 bit or 32 bit remainder from dividing it by a fixed generator polynomial. Any CRC is more robust than a simple checksum: an additive checksum cannot detect bytes that are out of order, or two changes that cancel each other, whereas a CRC depends on the position of every bit and detects any single burst of errors no longer than its width. It should also be more difficult to defeat a CRC computation than a simple checksum. Neither is a cryptographic function, however: a CRC is a linear function of the file's bits, so someone who knows which polynomial is in use can modify a file and then append a few bytes chosen so that the CRC comes out unchanged. A CRC signature therefore catches the accidental or unsophisticated change, not the attacker who targets the check itself. The INTERNET is alive with discussions on the protection of CRC polynomials and "checksums" in general for those who wish to pursue the topic in detail. The bottom line is that "signature" protection of files can provide a significant security advantage. If one uses "checksums" or "CRC computations", one has increased the problem for the virus writer or for the malicious programmer in general. How substantial that increase is may be a secondary concern, depending upon the user's particular operating environment.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]
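The following Python program is an added example; it is not part of the PT-7 report and is not CHKSUM's own code. It puts the distinction drawn in section 7 (additive checksum versus CRC) and the batch-file comparison strategy of section 4f into running code, and it demonstrates the caveat that a CRC can be kept intact across a modification. It assumes the CRC-16/ARC polynomial (0x8005, reflected, initial value 0, no final XOR), a common 16 bit CRC of the period; the report does not state which polynomial CHKSUM uses. The function names (crc16_arc, sum8, forge_suffix, compare_baseline) and all file names and contents are constructed for the illustration.

```python
# Added example, not from the PT-7 report or from CHKSUM. Assumes CRC-16/ARC
# (polynomial 0x8005, reflected, init 0, no final XOR); the report does not say
# which 16 bit polynomial CHKSUM uses. Names and sample data are constructed.

POLY_REFLECTED = 0xA001  # 0x8005 with its bits reversed, for the reflected loop


def crc16_arc(data: bytes, crc: int = 0) -> int:
    """Bitwise CRC-16/ARC of `data`; `crc` is a saved register to continue from."""
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ POLY_REFLECTED if crc & 1 else crc >> 1
    return crc


def sum8(data: bytes) -> int:
    """The simple 8 bit additive checksum from section 7: sum of bytes mod 256."""
    return sum(data) & 0xFF


def forge_suffix(modified: bytes, target_crc: int) -> bytes:
    """Append two bytes to `modified` so that its CRC-16 equals `target_crc`.

    The CRC is linear over GF(2) and its register is 16 bits wide, so the map
    from a two-byte suffix to the final register is a bijection: some suffix
    always works. Continuing from the register saved after `modified`, a
    search over the 65536 candidates is cheap and obviously correct.
    """
    state = crc16_arc(modified)
    for candidate in range(1 << 16):
        suffix = bytes((candidate & 0xFF, candidate >> 8))
        if crc16_arc(suffix, state) == target_crc:
            return modified + suffix
    raise AssertionError("unreachable: a two-byte suffix always exists")


def compare_baseline(baseline: dict, current: dict) -> dict:
    """Section 4f as code: compare stored CRCs against current file contents.

    `baseline` maps file name -> stored CRC; `current` maps file name -> bytes
    and omits files that have been deleted. Returns name -> "ok", "changed" or
    "missing".
    """
    report = {}
    for name, stored in baseline.items():
        data = current.get(name)
        if data is None:
            report[name] = "missing"
        elif crc16_arc(data) != stored:
            report[name] = "changed"
        else:
            report[name] = "ok"
    return report


if __name__ == "__main__":
    # Standard check value for CRC-16/ARC.
    print(f"CRC-16/ARC of '123456789' = {crc16_arc(b'123456789'):04X}")

    # A swap of two bytes fools the additive checksum but not the CRC.
    print("sum8:  AB == BA ->", sum8(b"AB") == sum8(b"BA"))
    print("crc16: AB == BA ->", crc16_arc(b"AB") == crc16_arc(b"BA"))

    # The batch-file strategy: a stored baseline versus the current disk.
    files = {"A.EXE": b"alpha", "B.EXE": b"bravo", "C.EXE": b"charlie"}
    baseline = {name: crc16_arc(data) for name, data in files.items()}
    current = {"A.EXE": b"alpha", "B.EXE": b"bravO"}  # B changed, C deleted
    print("baseline check ->", compare_baseline(baseline, current))

    # The caveat: an attacker who knows the polynomial keeps the CRC intact.
    original = b"original program image (constructed)"
    tampered = b"original program image (constructed) + inserted code"
    forged = forge_suffix(tampered, crc16_arc(original))
    print("forged CRC matches ->", crc16_arc(forged) == crc16_arc(original))
```

The baseline dictionary plays the role of the CRC list the report keeps in autoexec.bat or a separate batch file; the forge_suffix step is what section 7's "more difficult to defeat" does not protect against, and it is why the stored signatures, and the program that checks them, need to be kept where a modified program cannot reach them.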