COMPUTER VIRUSES
AND ANTI-VIRUS WARFARE
Second Revised Edition
JAN HRUSKA
Technical Director, SOPHOS Limited,
Abingdon, Oxfordshire
ELLIS HORWOOD
NEW YORK LONDON TORONTO SYDNEY TOKYO SINGAPORE
First published in 1992 by
ELLIS HORWOOD LIMITED
Market Cross House, Cooper Street,
Chichester, West Sussex, PO19 1EB, England
A division of
Simon & Schuster International Group
A Paramount Communications Company
© Ellis Horwood Limited, 1992
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or
transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording or
otherwise, without the prior permission, in writing, of the publisher
Printed and bound in Great Britain
by Hartnolls, Bodmin
British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library
ISBN 0-13-036377-4 Pbk
Library of Congress Cataloging-in-Publication Data
Available from the publisher
TABLE OF CONTENTS
PREFACE AND ACKNOWLEDGEMENTS 13
CHAPTER 1 AN OVERVIEW OF THREATS TO COMPUTER SYSTEMS 17
1.1 TROJAN HORSES 18
1.1.1 TROJAN EXAMPLE 1: BATCH FILES 18
1.1.2 TROJAN EXAMPLE 2: ANSI.SYS 19
1.1.3 TROJAN EXAMPLE 3: THE AIDS DISK THROUGH THE POST 20
1.2 LOGIC BOMBS 23
1.3 VIRUSES 24
1.4 WORMS 25
1.4.1 WORM EXAMPLE 1: CHRISTMAS TREE ON IBM VM 26
1.4.2 WORM EXAMPLE 2: INTERNET WORM ON UNIX 26
1.4.3 WORM EXAMPLE 3: SPAN WORM ON VAX/VMS 26
CHAPTER 2 HOW CAN A VIRUS PENETRATE A COMPUTER? 29
2.1 HOW DOES AN INFECTION HAPPEN? 30
2.2 EXECUTABLE PATH 32
2.3 VIRUS CARRIER MEDIA 35
2.3.1 FLOPPY DISKS 35
2.3.2 REMOVABLE HARD DISKS 36
2.3.3 MAGNETIC TAPE CARTRIDGES 36
2.3.4 OTHER STORAGE MEDIA 36
2.3.5 NETWORKS 36
2.3.6 MODEMS 36
2.4 VIRUS INFILTRATION ROUTES AND METHODS 36
2.4.1 PIRATED SOFTWARE 36
2.4.2 BULLETIN BOARDS (BBS) 37
2.4.3 SHAREWARE 37
2.4.4 PUBLIC DOMAIN SOFTWARE 38
2.4.5 SHARED PCS (PC AT HOME) 39
2.4.6 FLOPPY DISKS SUPPLIED BY COMPUTER MAGAZINES 39
2.4.7 SERVICE ENGINEERS 39
2.4.8 SHRINK-WRAPPED SOFTWARE 40
CHAPTER 3 VIRUS STRUCTURE 41
3.1 VIRUS TYPES 42
3.1.1 BOOTSTRAP SECTOR VIRUSES 42
3.1.2 PARASITIC VIRUSES 44
3.1.3 MULTI-PARTITE VIRUSES 46
3.1.4 COMPANION VIRUSES 46
3.1.5 LINK VIRUSES 47
3.2 VIRUS BEHAVIOUR AFTER GAINING CONTROL 49
3.2.1 MEMORY-RESIDENT VIRUSES 49
3.2.2 NON-MEMORY-RESIDENT VIRUSES 49
3.2.3 HYBRIDS 49
3.3 VIRUS HIDING MECHANISMS 49
3.3.1 ENCRYPTION 49
3.3.2 INTERRUPT INTERCEPTION: STEALTH VIRUSES 51
3.3.3 BINARY VIRUSES 52
3.3.4 VIRUSES WHICH INFECT THE FIRST CLUSTER OF THE DATA AREA 54
3.3.5 SPARSE INFECTION: THE UNSCANNABLE VIRUS 54
3.3.6 HIGH LEVEL LANGUAGE VIRUSES 55
3.4 VIRUS SIDE-EFFECTS 55
CHAPTER 4 VIRUS FACTS AND FICTION 57
4.1 THE NUMBERS GAME 57
4.1 HOW ARE VIRUS ATTACKS DISCOVERED 59
4.2 VIRUSES AND THE CALENDAR 59
4.3 CAN VIRUSES CAUSE HARDWARE DAMAGE 60
4.4 MODEM VIRUS, CMOS VIRUS AND OTHER NONSENSE 61
CHAPTER 5 WHO WRITES VIRUSES? 63
5.1 VIRUS WRITERS' PROFILE 63
5.1.1 HACKERS 64
5.1.2 FREAKS 64
5.1.3 UNIVERSITY STUDENTS 65
5.1.4 EMPLOYEES 65
5.1.5 COMPUTER CLUBS 65
5.1.6 TERRORIST ORGANISATIONS 66
5.2 DISSECTION OF A CAPTURED VIRUS 66
5.2.1 VIRUS DISASSEMBLY 66
5.3 FORENSIC EVIDENCE 69
5.3.1 WHICH ASSEMBLER? 69
5.3.2 ILLEGAL INSTRUCTIONS 69
5.3.3 PROGRAMMING STYLE 69
5.3.4 LANGUAGE AND SPELLING 70
5.3.5 PLACE AND TIME OF FIRST DETECTION 70
5.3.6 ANCESTORS 71
5.4 VIRUS MUTATIONS 71
5.4.1 CHANGING VIRUS SIDE-EFFECTS 71
5.4.2 VIRUS 'IMPROVEMENTS' 72
5.4.3 MUTATIONS TO FOOL PATTERN-CHECKING PROGRAMS 72
5.4.4 NEW VIRUSES 74
5.5 VIRUS EXCHANGE BULLETIN BOARDS 74
CHAPTER 6 ANTI-VIRUS PROCEDURES - FIVE COUNTERMEASURES 75
6.1 PREPARATION 76
6.1.1 REGULAR AND SOUND BACKUPS 76
6.1.2 WRITE-PROTECTED SYSTEM FLOPPY DISK 76
6.1.3 CONTINGENCY PLAN 77
6.2 PREVENTION 77
6.2.1 CREATING USER AWARENESS 77
6.2.2 HYGIENE RULES 78
6.2.3 ACCESS CONTROL 79
6.2.4 DIRTY PC 79
6.2.5 QUARANTINE PC 80
6.3 DETECTION 80
6.3.1 'STRANGE' OCCURRENCES 80
6.3.2 ANTI-VIRUS SOFTWARE 80
6.3.3 CONFIRMING THAT THE VIRUS IS NOT A MUTATION 80
6.4 CONTAINMENT 81
6.4.1 NETWORK ACCESS 82
6.4.2 DISK INTERCHANGE 82
6.4.3 WRITE-PROTECT TABS 82
6.5 RECOVERY 83
6.5.1 CLEANING HARD DISKS 83
6.5.2 CLEANING FLOPPY DISKS 84
6.5.3 REINFECTION 84
6.5.4 RECOVERY FROM VIRUS SIDE-EFFECTS 84
6.5.3 OTHER POINTS 85
CHAPTER 7 ANTI-VIRUS SOFTWARE 87
7.1 ANTI-VIRUS SOFTWARE TYPES 88
7.1.1 SCANNING SOFTWARE (VIRUS-SPECIFIC) 88
7.1.2 CHECKSUMMING SOFTWARE (VIRUS NON-SPECIFIC) 88
7.1.3 MONITORING SOFTWARE (VIRUS-SPECIFIC) 89
7.1.4 MONITORING SOFTWARE (VIRUS NON-SPECIFIC) 90
7.1.5 'INOCULATION' SOFTWARE (VIRUS-SPECIFIC) 91
7.1.6 INTEGRITY SHELLS (VIRUS NON-SPECIFIC) 91
7.1.7 DISINFECTION SOFTWARE (VIRUS-SPECIFIC) 91
7.1.8 VIRUS REMOVAL SOFTWARE (VIRUS NON-SPECIFIC) 92
7.2 TESTING ANTI-VIRUS PRODUCTS 92
7.3 FALSE POSITIVES AND FALSE NEGATIVES 93
7.3.1 VIRUS-SCANNING SOFTWARE 93
7.3.2 CHECKSUMMING SOFTWARE 94
7.3.3 VIRUS NON-SPECIFIC MONITORING SOFTWARE 94
7.3.4 VIRUS-SPECIFIC MONITORING SOFTWARE 95
7.4 SUMMARY OF ANTI-VIRUS SOFTWARE 95
CHAPTER 8 VIRUSES AND NETWORKS 97
8.1 PATHOLOGY OF A VIRUS INFECTION ON NETWARE 97
8.1.1 VIRUS ENTRY INTO THE NETWORK 98
8.1.2 PRACTICAL TRIAL - JERUSALEM ON NETWARE 2.12 98
8.2 NETWARE 3.11 SECURITY MECHANISMS 98
8.3 NETWARE 3.11 PRACTICAL EXPERIMENTS 99
8.3.1 PARASITIC VIRUSES 99
8.3.1.1 Default NetWare 3.11 Security 100
8.3.1.2 Rights Set to Read-only 100
8.3.1.3 File Attributes Set to Read-only 100
8.3.1.4 File Attributes Set to Execute-only 100
8.3.1.5 Running Under Supervisor Mode 101
8.3.2 BOOT SECTOR VIRUSES 101
8.3.3 MULTI-PARTITE VIRUSES 101
8.4 NETWARE 3.11-SPECIFIC VIRUSES 101
8.4.1 FIRST NOVELL 'VIRUS' 101
8.4.2 JON DAVID'S FALSE ALARM 102
8.4.3 NETWARE VIRUS FROM THE NETHERLANDS 102
8.4.3.1 Virus Structure 102
8.4.3.2 Practical Trials on NetWare 286 103
8.4.3.3 Practical Trials on NetWare 3.11 103
8.5 IMPLICATIONS OF STEALTH VIRUSES ON NETWARE 3.11 103
8.6 PRACTICAL ANTI-VIRUS MEASURES FOR NETWARE 3.11 NETWORK ADMINISTRATORS 103
8.6.1 DISKLESS WORKSTATIONS 103
8.6.2 REMOTE BOOTSTRAP ROMS 104
8.6.3 ENHANCED ACCESS CONTROL 104
8.6.4 ANTI-VIRUS SOFTWARE 104
8.6.5 TWO IDS FOR NETWORK SUPERVISORS 105
8.6.6 SECURE ACCESSING OF NETWARE 3.11 105
8.6.7 TIGHTENING NETWARE 3.11 SECURITY 105
8.6.8 CONCLUSIONS 106
8.6.8.1 NetWare 3.11 Administration 106
8.6.8.2 NetWare 3.11 Virus Infections 106
8.6.8.3 Other Points 106
APPENDIX A BIBLIOGRAPHY AND OTHER SOURCES OF INFORMATION 107
A.1 BOOKS ON VIRUSES AND DATA SECURITY 107
A.2 PERIODICALS ON VIRUSES AND DATA SECURITY 108
A.3 ELECTRONIC BULLETIN BOARDS CARRYING VIRUS-RELATED DISCUSSIONS 109
A.4 VIRUS INFORMATION AVAILABLE ON DISK 109
A.5 VIRUS TRAINING VIDEOS 109
A.6 OTHER USEFUL BOOKS 110
APPENDIX B 'SEARCH': VIRUS-SPECIFIC DETECTION PROGRAM 111
B.1 DESCRIPTION OF 'SEARCH' 112
B.2 COMPILING 'SEARCH' 112
B.3 'SEARCH' CODE IN 'C' 113
B.4 'SEARCH' CODE IN ASSEMBLY LANGUAGE 122
APPENDIX C 'FINGER': VIRUS NON-SPECIFIC DETECTION PROGRAM 125
C.1 DESCRIPTION OF 'FINGER' 125
C.2 COMPILING 'FINGER' 126
C.3 'FINGER' CODE IN 'C' 127
APPENDIX D ANTI-VIRUS SOFTWARE MANUFACTURERS 135
NOTES ON TELEPHONE AND FAX NUMBERS 135
APPENDIX E GLOSSARY OF TERMS 139
APPENDIX F VIRUS HUNTER'S CHECKLIST 153
APPENDIX G KNOWN IBM-PC VIRUSES 155
G.1 VIRUS NAMES AND ALIASES 155
G.2 VIRUS HEX PATTERNS 156
G.3 IBM-PC VIRUSES 157
G.4 TROJAN HORSES 220
INDEX
To Bozena Bozicek-Ferrari
PREFACE AND ACKNOWLEDGEMENTS
PREFACE TO THE FIRST EDITION
Good God! What a genius I had when I wrote that book!
Jonathan Swift, Of The Tale of A Tub
This book is about computer viruses which occur on IBM-PC/XT/AT/PS2 and compatible
machines running PC-DOS. It does not attempt to deal in any depth with viruses on other
machines or operating systems, like the Apple Macintosh or Xenix, although most of the
defences and investigative techniques are similar.
The subject of computer viruses is treated from scratch, but basic familiarity with the
structure of the 8086 family of microprocessors and their assembly language is assumed.
The book provides a framework for discussing a wide variety of virus-related issues:
• How can a virus penetrate a computer?
• What does a virus consist of?
• How complicated is it to write a virus?
• Who writes viruses?
• How does one protect against viruses?
• How effective is anti-virus software?
14 PREFACE
Apart from procedural advice on how to fight the virus problem, the book also contains
the source code of two anti-virus programs: a pattern checker (SEARCH) and a
fingerprinting program (FINGER). Both are written in 'C' (with a few lines of assembly
language) and can be used as practical anti-virus tools. For those readers who prefer to
buy software, rather than write it, there is also a list of manufacturers of anti-virus
software.
A glossary of computer security-related terms is included.
Names such as IBM, Microsoft and PC-DOS are trademarks, and any name should be
assumed to be a trademark unless stated otherwise. Throughout the book, references are
made to DOS. Unless stated otherwise, this means Microsoft's MS-DOS (PC-DOS)
running on the IBM-PC and compatible personal computers.
The book was created using the Runoff text processing package, typeset by Aldus
Pagemaker on a Compaq 386/20 and printed on a Hewlett-Packard LaserJet-IID.
I am grateful to several people for their help. In alphabetical order: Sophie Cannin, for
her continuing support and stoic patience; Petra Duffield, who proof-read the text;
David Ferbrache, who supplied reference material from the Virus-L bulletin board; Joe
Hirst, whose painstaking disassemblies of PC viruses have revealed so much; Keith
Jackson, who made several suggestions; Richard Jacobs, who wrote the majority of the
software featured in the book; Peter Lammer, who wrote parts of the text; Karen
Richardson, who wrote the section 'Creating User Awareness'; Alan Wear, who gave
advice on the psychiatric aspects of virus writing; Edward Wilding, who made several
suggestions; and all the others who have attended my talks and seminars over the past two
years, asked questions and taught me so much.
Oxford, Christmas 1989
J. H.
PREFACE TO THE SECOND EDITION
The unexpectedly favourable reception enjoyed by the first edition of this book took me
by surprise. As the field of computer viruses is evolving at an extremely rapid pace, the
second edition will be out of date almost as soon as it is published. However, certain basic
principles of anti-virus warfare remain valid regardless of the technical developments of
virus code, and it is those that I hope will be of most value to the reader. Nevertheless, in
order to try and keep the book as technically up to date as is humanly possible, I have
gone through the whole manuscript and made a large number of refinements, corrections
and additions.
A whole new chapter on viruses on networks has been added, in order to reflect the rapid
increase in the use of networks, the increased sophistication of new viruses which are
network-aware and the increase in the corresponding need for security measures.
All appendices have been updated: this includes the rapidly varying list of anti-virus
software manufacturers as well as the expanding bibliography. Some terminology has
also been updated to reflect de-facto usage amongst the virus experts and PC users.
The book is now maintained in Aldus Pagemaker 4 format on a Compaq 386/33L and
printed on a Hewlett-Packard LaserJet-IIISi.
I wish to thank the many readers who have sent me comments and helpful criticisms. In
addition, this book would not have been possible without the continuing anti-virus
research efforts at Sophos and the Virus Bulletin. In particular, I am grateful to Richard
Jacobs and James Beckett for the technical intelligence, Petra Duffield for keeping
various lists up to date and Fridrik Skulason and Jim Bates for their technical analyses.
Special mention is due of Joe Hirst, who has been a source of unfailing encouragement
as well as introducing me to the mysteries of EBCDIC, and Keith Jackson for his input
to the glossary of terms as well as his helpful comments. Peter Lammer and Julie
Hollins proofread the manuscript and made a number of suggestions. My gratitude also
goes to Sophie and Zulu Cannin who could not care less about computer viruses, as well
as to all the virus researchers with whom I have exchanged ideas and virus collections
over the last few years.
Oxford, July 1992
J. H.
1 AN OVERVIEW OF THREATS TO COMPUTER SYSTEMS
'You threaten us, fellow? Do your worst,
Blow your pipe there till you burst!'
Robert Browning, 'The Pied Piper of Hamelin'
When the possibility of computer viruses was first mentioned in the scientific papers
published in 1984, nobody took it seriously. It did not take long before the first wide-scale
computer virus infection swept the United States in 1986. This virus infection (by
the Brain virus) caused a media sensation, but not an outrage. People were genuinely
fascinated by the novel concept of a computer virus but few saw its full dangerous
potential. To some people it was not even clear whether computer viruses occurred
accidentally or whether they were deliberately written.
One or two reputable computer experts went as far as stating publicly that the existence
of a computer virus was completely impossible, and even if it was possible, it would not
last very long.
Little did they know! To date thousands of businesses have suffered from virus
contamination. Unlike older viruses (1986/87 vintage) which would place a silly message
or a bouncing ball on the screen, many new viruses are highly destructive, programmed
to corrupt and destroy data. As viral infections become more and more widespread, the
damage to data is increasing at an alarming pace.
18 CHAPTER 1
The virus danger is here to stay. In most of the world it has reached epidemic proportions
and the number of viruses seems to continue doubling approximately every 9 months,
reaching about 1500 in June 1992.
Computer viruses are only one of the many possible forms of attack on computer
systems; other common forms are Trojan horses and logic bombs, but since they often
occur together, their analysis is important in the context of this book. For example, a virus
will almost certainly be introduced into a computer system without the explicit consent
of the system owner. It will be hidden in the boot sector of a floppy disk or attached to a
legitimate program. The infected disk and the infected program are Trojan horses used to
introduce virus code surreptitiously into a computer system. Likewise, most viruses
incorporate side-effects which trigger only when certain conditions are fulfilled. The
mechanism which does the triggering is a logic bomb.
1.1 TROJAN HORSES
A Trojan horse is a program which performs services beyond those stated in its
specifications. These effects can be (and often are) malicious. An example of a Trojan
horse is the program ARC513 found on some bulletin boards which pretends to be an
improved version of the legitimate data compression utility ARC. In reality, it deletes the
file specified for compression.
A list containing the names of known Trojan horses was started some time ago and was
called 'The Dirty Dozen'. Unfortunately, as it is easy to rename a program, or to write a
new Trojan, the list grew rapidly and now contains hundreds of names. It is available on
some bulletin boards, but no such list can ever be complete.
Apart from the fact that Trojan horses can be stand-alone programs, the term is also used
to describe any item which surreptitiously introduces malicious code into a computer
system. This can be a floppy disk with virus code hidden in a bootstrap sector or a
program with a virus attached to it.
1.1.1 TROJAN EXAMPLE 1: BATCH FILES
The following short batch file, called 'SEX.BAT', is an example of a very simple Trojan
horse. DO NOT try this out, as it deletes all files in the hard disk root directory. It is
however worth understanding how it works:
DEL
This is an example of a very simple Trojan horse; much greater damage can be caused by
skilled, malicious programmers.
1.1.2 TROJAN EXAMPLE 2: ANSI.SYS
The traditional Trojan horse is a program which needs to be executed intentionally in
order to cause damage. However, it is possible to activate a Trojan horse unwittingly
simply by using the DOS command 'TYPE' to display the contents of a text file which
contains embedded escape sequences. These escape sequences are intercepted by the
ANSI.SYS driver, which is loaded by a command in the CONFIG.SYS file on many
PCs, and used by some legitimate software. The Trojan horse writer will often redefine
one or more keys on the keyboard. Redefining 'A' as 'S' and 'Q' as 'W' may cause some
confusion, but redefining 'd' as 'DEL *.DAT' could have more serious consequences.
This is very easily done. If the following sequence
ESC[100;"DEL *.DAT";13p
(where ESC is the Escape character, hexadecimal 1B, 100 is the ASCII code of 'd' and 13
is the carriage return) is incorporated in the file README which an unsuspecting user is
invited to TYPE, every time that he presses 'd', the keystroke will be expanded by
ANSI.SYS to 'DEL *.DAT' followed by a carriage return. Much more devious schemes
can be devised, for example substituting 'd' with 'FORMAT C:' and 'n' with 'y' followed
by 'Enter'. If the user types 'd' at the command line, this will be expanded into
'FORMAT C:'. The FORMAT program will prompt the user with
Warning! All data on drive C: will be lost.
Proceed (Y/N)?
When the poor user sees that, the instinctive reaction will be to type 'n' as quickly as
possible; ANSI.SYS will substitute this with 'y' and the data on the hard disk stands a
good chance of being lost (nevertheless, utilities exist which allow 'unformatting' of
hard disks which have been formatted accidentally).
Bulletin board operators normally scan all messages for escape sequences, in order to
prevent unsuspecting readers of messages from picking up this type of Trojan, while
VAX/VMS MAIL converts escape characters to printable characters in order to prevent
this type of attack.
The easiest way to combat this type of Trojan attack on PCs is to eliminate the statement
DEVICE=ANSI.SYS
from the CONFIG.SYS file. Many applications today do not use ANSI.SYS escape
sequences to output to the screen but call the BIOS routines directly. There are also
ANSI.SYS drivers available which do not allow the redefinition of keyboard codes.
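The two defences just mentioned, scanning a file for escape sequences before it is displayed and converting the escape character into something printable, can be written in a few lines. The following is an added example (it is not code from the book, and Python 3 is assumed); the function names are its own and the README bytes it scans are constructed for the example. It recognises the ANSI.SYS key-reassignment form ESC [ code ; "string" ; code ... p (a leading 0;n selects an extended key such as a function key), decodes what each redefined key would expand to, and flags expansions that end in a carriage return, since those execute without the user ever pressing Enter. Ordinary cursor and colour sequences are left alone because they do not end in 'p'.

```python
import re

ESC = b"\x1b"

# ANSI.SYS key reassignment:  ESC [ p1 ; p2 ; ... ; pn p
# Each parameter is a decimal code or a "quoted string".  The first parameter
# names the key being redefined (one ASCII code, or 0;n for an extended key);
# every parameter after it is the replacement fed to the keyboard buffer.
_PARAM = rb'(?:\d+|"[^"]*")'
KEY_REDEF_RE = re.compile(rb"\x1b\[(" + _PARAM + rb"(?:;" + _PARAM + rb")*)p")
_PARAM_RE = re.compile(_PARAM)


def _key_name(params):
    """Readable name of the redefined key, and the index where the
    replacement parameters begin."""
    p0 = params[0]
    if p0.startswith(b'"'):                       # ESC["a";"b"p form
        return p0[1:-1].decode("latin-1"), 1
    if p0 == b"0" and len(params) > 1 and params[1].isdigit():
        return "ext %d" % int(params[1]), 2       # extended key (function keys etc.)
    code = int(p0)
    return (chr(code) if 32 <= code < 127 else "code %d" % code), 1


def _expand(params):
    """Bytes ANSI.SYS would inject for the replacement parameters."""
    out = b""
    for p in params:
        out += p[1:-1] if p.startswith(b'"') else bytes([int(p) & 0xFF])
    return out


def find_key_redefinitions(data):
    """Return [(key, replacement_bytes), ...] for every key-redefinition
    sequence in data.  ESC[2J, ESC[31m and the like are ignored."""
    found = []
    for m in KEY_REDEF_RE.finditer(data):
        params = _PARAM_RE.findall(m.group(1))
        key, start = _key_name(params)
        found.append((key, _expand(params[start:])))
    return found


def neutralise_escapes(data):
    """Disarm a file for display by replacing each ESC (0x1B) with the
    printable pair '^[', so TYPE shows the sequence instead of acting on it.
    This mirrors the VAX/VMS MAIL behaviour described in the text."""
    return data.replace(ESC, b"^[")


# Constructed sample README for this example (not taken from the book).
SAMPLE_README = (
    b"Thanks for downloading! Installation notes follow.\r\n"
    + ESC + b'[100;"DEL *.DAT";13p'   # 'd' -> DEL *.DAT + Enter (the sequence in the text)
    + ESC + b'[100;"FORMAT C:";13p'   # 'd' -> FORMAT C: + Enter (the second scheme)
    + ESC + b'[110;"y";13p'           # 'n' -> y + Enter, so the user cannot refuse
    + ESC + b"[2J"                    # harmless clear-screen sequence
    + b"\r\nEnjoy the program.\r\n"
)

if __name__ == "__main__":
    for key, repl in find_key_redefinitions(SAMPLE_README):
        note = "  (auto-executed: ends with Enter)" if repl.endswith(b"\r") else ""
        print("key %-8s -> %r%s" % (repr(key), repl.rstrip(b"\r"), note))
    print(neutralise_escapes(SAMPLE_README).decode("latin-1"))
```

A bulletin-board sysop would run find_key_redefinitions over every uploaded message and reject or neutralise anything it reports; the 'p' terminator is what distinguishes a key reassignment from the harmless screen-control sequences that legitimate software emits.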
1.1.3 TROJAN EXAMPLE 3: THE AIDS DISK THROUGH THE POST
On 11th December 1989 some twenty thousand envelopes were posted in London,
containing a 5 1/4" floppy disk marked "AIDS Information Version 2.00" (Fig. 1.1) and
an instruction leaflet (Fig. 1.2). The recipient was encouraged to insert the disk and
install the package. On the reverse of the leaflet (Fig. 1.3), in very small print, was the
'License Agreement' which requested the user to send US$189 or US$378 for using the
software (two types of 'license'). The Agreement threatened unspecified action if that fee
was not paid ('Most serious consequences of your failure to abide by the terms of this
license agreement: your conscience may haunt you for the rest of your life; you will owe
compensation...').
Once an unsuspecting user installed the package, the program printed an 'invoice' giving
the address in Panama to which payment should be sent: "PC Cyborg Corporation, P.O.
Box 87-17-44, Panama 7, Panama". The AIDS package poses as a legitimate program
giving information on AIDS and assessing the user's risk group after asking him/her to
fill in a questionnaire.
Fig. 1.1 - The AIDS information disk
AIDS Information - Introductory Diskette
Please find enclosed a computer diskette containing health information on the disease
AIDS. The information is provided in the form of an interactive computer program. It is
easy to use. Here is how it works:
• The program provides you with information about AIDS and asks you questions
• You reply by choosing the most appropriate answer shown on the screen
• The program then provides you with a confidential report on your risk of exposure to
AIDS
• The program provides recommendations to you, based on the life history information
that you have provided, about practical steps that you can take to reduce your risk of
getting AIDS
• The program gives you the opportunity to make comments and ask questions that you
may have about AIDS
• This program is designed specially to help: members of the public who are concerned
about AIDS and medical professionals.
Instructions
This software is designed for use with IBM* PC/XT* microcomputers and with all other
truly compatible microcomputers. Your computer must have a hard disk drive C, MS-DOS*
version 2.0 or higher, and a minimum of 256K RAM. First read and assent to the
limited warranty and to the license agreement on the reverse. [If you use this diskette, you
will have to pay the mandatory software leasing fee(s).] Then do the following:
Step 1: Start your computer (with diskette drive A empty).
Step 2: Once the computer is running, insert the Introductory Diskette into drive A.
Step 3: At the C> prompt of your root directory type: A:INSTALL and then press ENTER.
Installation proceeds automatically from that point. It takes only a few minutes.
Step 4: When the installation is completed, you will be given easy-to-follow messages by
the computer. Respond accordingly.
Step 5: When you want to use the program, type the word AIDS at the C> prompt in the
root directory and press ENTER.
Fig. 1.2 - The AIDS information disk instruction leaflet (reproducing the original
poor print quality)
However, the installation procedure makes modifications to the AUTOEXEC.BAT file,
with the effect that every time AUTOEXEC.BAT is executed, a counter in a hidden file is
incremented. When this has happened a random number of times (around 90) the damage
sequence is activated. The user is instructed to wait, while most of the names of the files
on the hard disk are encrypted (scrambled) and marked 'Hidden'. The only non-hidden
file contains the following message:
If you are reading this message, then your software lease
from PC Cyborg Corporation has expired. Renew the software
lease before using this computer again. Warning: do not
attempt to use this computer until you have renewed your
software lease. Use the information below for renewal.
Dear Customer:
It is time to pay for your software lease from PC Cyborg Corporation.
Complete the INVOICE and attach payment for the lease option of your choice.
If you don't use the printed INVOICE, then be sure to refer to the important
reference numbers below in all correspondence. In return you will receive:
- a renewal software package with easy-to-follow, complete instructions;
- an automatic, self-installing diskette that anyone can apply in minutes.
Fig. 1.3 - The 'License Agreement' on the reverse of the leaflet (illegible in this reproduction)
1.2 LOGIC BOMBS
A logic bomb is a programming IF statement which causes the execution of some
program code when a certain condition is fulfilled (Fig. 1.4). The condition can be time,
the presence or absence of data such as a name, etc. A hypothetical example of a logic
bomb would be a maliciously modified copy of a spreadsheet which zeroed a particular
cell every Tuesday between 10 and 11 a.m., but otherwise did not reveal its presence. The
results would be very confusing and difficult to trace.
Logic bombs are frequently found in the more sophisticated cases of computer crime. A
recent case involved a systems programmer who was maintaining a payroll package. He
decided to 'ensure' his continuing employment by introducing a short sequence of
instructions which checked whether his name was in the payroll file. If it was, nothing
would happen. But if it was not (as a result of him being fired), files would be deleted and
other damage would occur. He was fired, and the logic bomb triggered the destruction.
Only after having been promised reinstatement by the employer did he agree to point out
the logic bomb in the code. He was not prosecuted.
Another example of a logic bomb happened at IBM. At 7:30 a.m. on 11th April 1980 all
IBM 4341s ceased to operate. The problem was eventually traced to a logic bomb
triggered on that date, which was placed in software by a disgruntled employee.
Logic bombs are often found in viruses, where the payload (which produces the side-effects)
is triggered when a certain condition is met. For example, the Cascade virus
produces its side-effects only between 1st October 1988 and 31st December 1988. The
Michelangelo virus trashes disks on 6th March of any year. The Italian virus puts the
bouncing ball on the screen only if a disk access is made during a 1-second interval every
30 minutes. The delay due to the logic bomb allows the virus to spread unnoticed, and
show its side-effects after it has reproduced extensively.
Fig. 1.4 - Logic bomb program flow (a condition test whose 'Yes' branch leads to the payload)
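Because a logic bomb is just a predicate of the clock (or of the data), an analyst who has captured one need not wait for the trigger date: the predicate can be evaluated against every day of the year in a sandbox, which is how dormant triggers are located. The following is an added example (not code from the book, Python 3 assumed) that writes the trigger conditions listed above as pure predicates and sweeps a year's worth of dates through them. The function names are the example's own, and the Italian virus's timing is modelled here as the first second of every half-hour, which is an assumption: the text gives only 'a 1-second interval every 30 minutes'.

```python
from datetime import date, time, timedelta


# Trigger conditions from the text, written as predicates that can be evaluated
# against any clock value instead of waiting for the real date to arrive.

def cascade_trigger(d):
    """Cascade: side-effects only between 1 Oct 1988 and 31 Dec 1988."""
    return date(1988, 10, 1) <= d <= date(1988, 12, 31)


def michelangelo_trigger(d):
    """Michelangelo: 6 March of any year."""
    return (d.month, d.day) == (3, 6)


def italian_trigger(t):
    """Italian: a 1-second window every 30 minutes.  Assumption for this
    example: the window is the first second of each half-hour."""
    return t.minute % 30 == 0 and t.second == 0


def payroll_trigger(payroll_names, own_name):
    """The payroll case: the bomb fires once the programmer's name is gone."""
    return own_name not in payroll_names


def trigger_windows(predicate, year):
    """Sweep every day of `year` through a date predicate and return the
    ranges on which it holds, as (first_day, last_day) pairs."""
    windows, start = [], None
    d = date(year, 1, 1)
    while d.year == year:
        hit = predicate(d)
        if hit and start is None:
            start = d
        elif not hit and start is not None:
            windows.append((start, d - timedelta(days=1)))
            start = None
        d += timedelta(days=1)
    if start is not None:                       # window runs to year end
        windows.append((start, date(year, 12, 31)))
    return windows


def trigger_seconds_per_day(predicate):
    """Count the seconds in one day during which a time-of-day predicate holds."""
    return sum(1 for h in range(24) for m in range(60) for s in range(60)
               if predicate(time(h, m, s)))


if __name__ == "__main__":
    for year in (1988, 1989):
        print("Cascade", year, trigger_windows(cascade_trigger, year))
    print("Michelangelo 1992", trigger_windows(michelangelo_trigger, 1992))
    print("Italian: %d trigger seconds per day" % trigger_seconds_per_day(italian_trigger))
    # Constructed payroll data for the example.
    print("payroll bomb armed:", payroll_trigger({"alice", "bob"}, "mallory"))
```

Sweeping the clock this way is cheap for date and time-of-day triggers; data-dependent triggers such as the payroll check cannot be found by a sweep and have to be located by reading the code, which is why that programmer could hold his employer to ransom.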
1.3 VIRUSES
Fig. 1.5 - Missile delivering a warhead
A computer virus is best defined as computer code which has four characteristics:
1. Self-replication: Viruses make copies of themselves, spreading across floppy disks,
computer systems and networks. This similarity with their biological counterparts
has given viruses their name. Self-replication is a unique virus characteristic which
distinguishes viruses from other computer programs.
2. Executable path: For a virus to do anything, it must be executed. Viruses are
designed in such a way that this can occur without any user intervention whatsoever:
for example, the user accidentally bootstraps the PC while an infected floppy disk is
in drive A or he executes an infected program. This characteristic is very important to
bear in mind in a number of circumstances:
• When dealing with a virus attack
• When formulating anti-virus strategy
• When studying virus behaviour
3. Side-effects: Viruses do not normally consist only of self-replicating code; they also
contain code which produces side-effects or a 'payload' which is released when a
predetermined set of conditions is fulfilled. It is easy to program the payload side-effects
to be malicious. Some viruses do not contain any side-effects.
4. Disguise: The successful spread of a virus depends on how long it can replicate
unnoticed before its presence is made known by the activation of side-effects.
Replicating longevity is achieved through two methods of disguise - encryption
AN OVERVIEW OF THREATS TO <strong>COMPUTER</strong> SYSTEMS 25<br />
(scrambling) and interrupt interception. These are described in Section 3.3: Virus<br />
Hiding Mechanisms.<br />
This tactic is probably the most fascinating virus characteristic since it is remarkably<br />
similar to the way that biological viruses (and bacteria) operate. If a human gets<br />
infected with a virus, there will be a time delay called incubation during which he<br />
will not exhibit any symptoms of the disease, but will nevertheless be infectious to<br />
other humans. Since there are no recognisable outside indicators of his impending<br />
disease, other human beings will not have any reason to avoid contact, thereby<br />
facilitating the transmission of the virus and its long term spread. It is remarkable<br />
that computer viruses and biological viruses, despite having so distinctly different<br />
structure, employ very similar techniques in order to ensure survival.<br />
The analogy between virus characteristics and those of a missile have been pointed out by<br />
Fred Cohen. A missile (Fig. 1.5) cont<strong>ai</strong>ns a warhead (conventional, chemical, nuclear<br />
etc.) and the means of delivering that warhead over a distance. The warhead is the<br />
equivalent of a virus payload, while the propulsion mechanism is the equivalent of the<br />
virus self-replicating code.<br />
The above characteristics are discussed in greater det<strong>ai</strong>l in later chapters. For examples of<br />
viruses see Chapter 4: Common IBM PC viruses.<br />
1.4 WORMS

Worms are similar to viruses, but replicate in their entirety, creating exact copies of themselves, without needing a 'carrier' program. Worms are normally found on computer networks and multi-user computers, and use inter-computer or inter-user communications as the transmission medium.

Fig. 1.6 - Christmas tree worm output (the tree spells out: A VERY HAPPY CHRISTMAS AND BEST WISHES FOR THE NEXT YEAR)
1.4.1 WORM EXAMPLE 1: CHRISTMAS TREE ON IBM VM

Probably the best known mainframe worm was the Christmas Tree worm which spread widely on BITNET, the European Academic Research Network (EARN) and IBM's internal network. It was launched on 9th December 1987 and, amongst other effects, paralysed the IBM worldwide network on 11th December 1987.

The Christmas Tree worm is written in REXX and can spread on VM/CMS installations. The program is a combination of a Trojan horse and a chain letter. When run, it draws a Christmas tree on screen (Fig. 1.6), sends itself to all the user's correspondents in the user files NAMES and NETLOG and then deletes itself.

The source code of this worm was published in R. Burger's book Computer Viruses: A High Tech Disease as well as being available from a number of sources. The worm has since then reappeared several times in both its original form and modified versions.

1.4.2 WORM EXAMPLE 2: INTERNET WORM ON UNIX

A number of widely publicised worm attacks have occurred on Unix systems. The most widely reported attack was the Internet worm which struck the US DARPA Internet computer network on 2nd November 1988. The worm was released by Robert T. Morris, a Cornell University student, on a public access machine at MIT (prep.ai.mit.edu). The worm replicated by exploiting a number of bugs in the Unix operating system running on VAX and Sun Microsystems hardware, including a bug in sendmail (an electronic mail program) and in fingerd (a program for getting details of who is logged in). Stanford University, Massachusetts Institute of Technology, the University of Maryland and Berkeley University were infected within 5 hours of the worm being released. The NASA Research Institute at Ames and the Lawrence Livermore National Laboratory were also infected, as well as some 6000 other computer systems. The UK was unaffected.

The worm consisted of some 4000 lines of 'C' code and once it was analysed, the specialists distributed bug fixes to sendmail and fingerd, which prevented further spreading. From the decompilation, it appears that the worm was not malicious. It did, however, cause the overloading of infected systems.

1.4.3 WORM EXAMPLE 3: SPAN WORM ON VAX/VMS

On 16th October 1989 VAX/VMS computers on the SPAN network were attacked by a worm. The worm propagated via DECnet protocols and if it discovered that it was running with system privileges, it changed the system announcement message to that shown in Fig. 1.7.

Fig. 1.7 - WANK worm logon message. The banner reads "WORMS AGAINST NUCLEAR KILLERS", "Your System Has Been Officially WANKed" and "You talk of times of peace for all, and then prepare for war."

The worm also changed the DECNET account password to a random string and mailed the information on the password to the user GEMPAK on SPAN node 6.59. If the worm had system privileges, it disabled mail to the SYSTEM account and modified the system login command procedure to appear to delete all files (it didn't actually do it). The worm then proceeded to access other systems by picking node numbers at random and used the PHONE command to get a list of active users on the remote system. After accessing the RIGHTSLIST file, it attempted to access the remote system using the list of users found, to which it added a list of 81 standard users coded into the worm. It penetrated accounts where passwords were the same as the name of the account or were null.

The worm then looked for an account which had access to SYSUAF.DAT. If such an account was found, the worm copied itself to that account and started executing. Within a very short time, the Computer Emergency Response Team (CERT) in the USA (telephone 412-268-7090) issued a warning and a corrective response.

This was the second well-known virus attack on DECNET: the first (HI.COM) was released on 22nd December 1988 from a European HEPNET node, probably originating at the Institute of Physics at the University of Neuchatel in Switzerland.
2

HOW CAN A VIRUS PENETRATE A COMPUTER?

He has the gift of quiet.
John le Carré

There is nothing magic about the way a virus penetrates a computer. The methods of entry are well understood and taking them into account when using a PC is the first step towards combating the virus threat.

By far the most important point to realise is that the only way that a virus can infect a computer is as a result of the virus code being executed. Viruses are designed in such a way that the act of executing them is surreptitious and occurs without the knowledge (or consent) of the user. In practice this may mean accidentally bootstrapping a PC from an infected floppy disk (thereby executing the contents of the boot sector) or executing a program which has a virus attached to it.

Any medium which can be used for storing or transmitting data is potentially a virus carrier. Which types of virus it can carry depends entirely on the characteristics of the medium. This is analysed in detail in Section 2.3: Virus Carrier Media, while virus types are discussed in Section 3.1: Virus Types. Certain user actions have been shown to carry a high risk of infection: this is discussed in Section 2.4: Virus Infiltration Routes and Methods.
2.1 HOW DOES AN INFECTION HAPPEN?

It is very important to distinguish between a virus being active in RAM (Random Access Memory) and an infected medium.

The virus becomes active in RAM when virus code is executed. This active state is cleared by switching off the PC. On the other hand most media infected with a virus will carry the virus even after power failure. This is illustrated in the first four blocks of Fig. 2.1.

For example, if a PC becomes infected with the Italian virus by bootstrapping from an infected floppy disk, the virus will a) become active in RAM and b) infect the hard disk. If the power is switched off, the virus will disappear from RAM, but not from the hard disk. When the power is switched on and the PC bootstrapped (started) from the hard disk, the virus will become active in RAM.

Blocks 5 and 6 of Fig. 2.1 demonstrate how the infection spreads onto further floppy disks, while blocks 7 and 8 show that correct bootstrapping can ensure that the virus is not active in memory while anti-virus actions (such as scanning for viruses) are performed.

1. In an uninfected PC both the RAM and the hard disk are free from infection. An infected floppy disk is introduced into the floppy disk drive.
2. When an infected program from the floppy disk is run, the hard disk becomes infected and the virus becomes active in RAM.
3. If power is now switched off, the hard disk remains infected while the contents of RAM (including the virus) are lost.
4. When the PC is switched back on and bootstrapped from the (infected) hard disk, the virus becomes active in RAM once again.
5. If an unprotected, clean floppy disk is then used...
6. ...it immediately becomes infected. Any unprotected floppy disk which is used in this PC while the virus is active becomes infected.
7. If power is now switched off, the hard disk once again remains infected, while the contents of the RAM (including the virus) are lost.
8. The virus can be kept inactive by switching the PC back on with a clean write-protected system disk in the floppy disk drive. Despite the fact that the hard disk remains infected, the virus is not active in RAM. Anti-virus actions can commence.

Fig. 2.1 - Infecting a PC and disks
2.2 EXECUTABLE PATH

In order to penetrate a computer, a virus must be given a chance to execute. Since executable objects on a PC are known, all possible virus attack points can be listed. By making sure that only legitimate, virus-free code is executed, one can protect the system from infection.

In addition to the obvious executable files such as COM and EXE programs, any file which contains executable code should be treated as a potential virus carrier. This includes files with interpreted BASIC commands, spreadsheet macros etc.

On a PC, the attack points are most easily listed by analysing the steps which are performed when the PC is bootstrapped, either by switching it on, or by performing a so-called 'warm boot' (pressing the Ctrl, Alt and Del keys simultaneously).

The normal PC bootstrapping sequence is shown in Fig. 2.2 and consists of the following steps:

1. When the computer is switched on, or a warm boot is performed (Ctrl-Alt-Del), a PC first executes the program held in its ROM (Read Only Memory). The ROM program usually tests whether the first floppy drive (A:) contains a disk. If it does, the PC loads into memory a short program stored in the first sector on the disk (the Bootstrap Sector), and starts executing it. If the disk is not a 'system' disk, this program displays the message 'Non-system disk', or similar, and waits for the user to insert a 'system' disk. If the first floppy drive does not contain a disk, the PC will bootstrap from the first hard disk by loading the first physical sector (sector 1, head 0, track 0) into memory and executing it. This is the master boot sector, which in turn loads and executes the first sector of the 'active partition'. This is the DOS boot sector which is similar in function to the bootstrap sector on a floppy disk. The bootstrap process then proceeds in a similar way to bootstrapping from a floppy disk. On IBM-AT computers, the system will also access the CMOS memory prior to performing this step. Various system parameters in CMOS memory can be set up (usually using the SETUP utility supplied with the PC).

2. The program in the DOS boot sector reads the operating system (DOS) from disk into memory and transfers control to it. DOS is contained in the first two files found in the root directory, which are usually called IO.SYS and MSDOS.SYS, although different names such as IBMBIO.SYS and IBMDOS.SYS are also used.

3. The file CONFIG.SYS is then consulted. This is a text file which describes the desired configuration of the system (file buffer allocation, device drivers etc.). Device drivers like ANSI.SYS are loaded into memory at this stage.

4. DOS then loads COMMAND.COM and executes it. COMMAND.COM is a COM file which processes commands such as DIR, TYPE etc. Note that COMMAND.COM is a default command line processor supplied by Microsoft, but DOS allows other command line processors such as 4DOS.COM to be used.

5. A special batch file (AUTOEXEC.BAT) is then executed, thus completing the bootstrapping procedure. If no AUTOEXEC.BAT file is found, the system prompts the user for date and time.

6. The user is then presented with the system prompt and the system awaits user commands. Any command is either an internal DOS command, the name of a COM file, the name of an EXE file, or the name of a BAT file. The system will search for these files in the current subdirectory as well as all subdirectories specified in the PATH command and execute the first one it finds. The order of precedence is shown in Fig. 2.3. Programs can also load executable overlay files (OVL) as and when needed. Overlay files usually have extensions such as OVL, OV1, OV2 etc.

Fig. 2.2 - Bootstrapping sequence
Precedence of command execution:
1. Internal commands (DIR, TYPE)
2. COM file
3. EXE file
4. BAT file

For example, if a directory contains files DIR.COM and DIR.EXE and the user enters DIR, COMMAND.COM will execute the internal DIR command. If the directory contains files ABC.COM, ABC.EXE and ABC.BAT and the user enters ABC, COMMAND.COM will execute ABC.COM in preference to ABC.EXE and ABC.BAT.

Fig. 2.3 - The order of precedence of commands entered at the command line

7. Applications often use macros which are, in effect, executable code. This can take the form of interpreted BASIC commands, spreadsheet macros, word-processing macros and so on.
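The search order in step 6 and Fig. 2.3 decides which file actually runs when a name is typed, so an audit of a suspect PC should know which files are being shadowed. The Python below is an added example, not the book's code: it simulates COMMAND.COM's resolution order over constructed directory listings and a constructed PATH, and reports every program name for which more than one candidate exists.

```python
"""Simulate the order in which COMMAND.COM resolves a typed command
(internal command, then .COM, .EXE, .BAT in the current directory, then
the same in each PATH directory) and report shadowed programs.
Added example, not the book's code; the directory listings below are
constructed for illustration."""

INTERNAL_COMMANDS = {"DIR", "TYPE", "COPY", "DEL", "CD", "SET", "PATH"}
EXTENSION_ORDER = (".COM", ".EXE", ".BAT")   # precedence inside one directory


def _join(directory, filename):
    return directory.rstrip("\\") + "\\" + filename


def resolve_command(command, cwd, path_dirs, files):
    """Return 'INTERNAL', the full path of the file that would run, or None.
    `files` maps a directory to the set of file names it holds (upper case,
    since DOS file names are case-insensitive)."""
    name = command.upper()
    if name in INTERNAL_COMMANDS:
        return "INTERNAL"
    for directory in [cwd, *path_dirs]:        # current directory first
        present = files.get(directory, set())
        for ext in EXTENSION_ORDER:             # COM beats EXE beats BAT
            if name + ext in present:
                return _join(directory, name + ext)
    return None


def shadowing_report(cwd, path_dirs, files):
    """For every program name reachable from `cwd`, list the file that would
    actually run and the files it hides. A pair such as X.COM next to X.EXE
    deserves a look when a PC is being checked: the COM file wins, so that
    is where an unexpected extra file would take effect."""
    search = [cwd, *path_dirs]
    names = set()
    for directory in search:
        for filename in files.get(directory, ()):
            base, dot, ext = filename.rpartition(".")
            if dot and "." + ext in EXTENSION_ORDER:
                names.add(base)
    report = {}
    for base in sorted(names):
        candidates = [
            _join(directory, base + ext)
            for directory in search
            for ext in EXTENSION_ORDER
            if base + ext in files.get(directory, set())
        ]
        if base in INTERNAL_COMMANDS:           # internal command always wins
            report[base] = {"runs": "INTERNAL", "shadowed": candidates}
        elif len(candidates) > 1:
            report[base] = {"runs": candidates[0], "shadowed": candidates[1:]}
    return report


# Constructed sample: a work directory holding three ABC.* files and a
# DIR.COM, plus a PATH with a spare XCOPY.COM in a later directory.
SAMPLE_FILES = {
    "C:\\WORK": {"ABC.COM", "ABC.EXE", "ABC.BAT", "DIR.COM", "REPORT.TXT"},
    "C:\\DOS": {"FORMAT.COM", "XCOPY.EXE"},
    "C:\\UTIL": {"XCOPY.COM", "PKUNZIP.EXE"},
}
SAMPLE_CWD = "C:\\WORK"
SAMPLE_PATH = ["C:\\DOS", "C:\\UTIL"]

if __name__ == "__main__":
    for cmd in ("dir", "abc", "xcopy", "pkunzip", "nosuch"):
        print(f"{cmd:8} -> {resolve_command(cmd, SAMPLE_CWD, SAMPLE_PATH, SAMPLE_FILES)}")
    for base, info in shadowing_report(SAMPLE_CWD, SAMPLE_PATH, SAMPLE_FILES).items():
        print(f"{base}: runs {info['runs']}, shadows {info['shadowed']}")
```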
In order for an item to be susceptible to infection, it must be both executable and modifiable. The following items satisfy these two conditions:

1. Master boot sector - viruses such as New Zealand and Joshi attack the master boot sector.
2. DOS boot sector - viruses such as the Italian and Mistake attack the DOS boot sector.
3. DOS files IO.SYS and MSDOS.SYS - possible attack points, although to date no viruses infect either file. CONFIG.SYS is a text file, and cannot contain a virus, but it could easily load and execute any virus written as a device driver.
4. Device drivers, SYS files such as ANSI.SYS, RAMDRIVE.SYS - possible attack points, although to date no known viruses infect them.
5. COMMAND.COM - at least one virus (Lehigh) targets this file specifically.
6. AUTOEXEC.BAT - a possible attack point, though normally affected by Trojan horses rather than viruses.
7. Applications - EXE and COM files - many viruses attack these files. Overlay files (normally OVL, OVR, OV1 etc.) can also become infected.
8. Files with macros - no viruses, other than experimental ones, have been shown to attack these files.
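Items 1 and 2 are the sectors a boot sector virus replaces, and the defence the later chapters build on is comparing them with a copy recorded while the PC was known to be clean. The Python below is an added example, not the book's code: it constructs a 512-byte sector-0 image, parses the partition table to find where the DOS boot sector of the active partition lives, and checks the boot code against a baseline digest (the sample bytes are placeholders, not a real boot loader).

```python
"""Parse a master boot sector and audit it against a known-good baseline.
Added example, not the book's code. The sector image is constructed here
so the script runs offline; on a real PC the 512 bytes would be read
from sector 1, head 0, track 0 of the first hard disk."""
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446        # four 16-byte entries follow the code
ENTRY_FORMAT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sectors
BOOT_SIGNATURE = b"\x55\xAA"
ACTIVE_FLAG = 0x80


def build_sample_mbr(code, partitions):
    """Assemble a sector-0 image from boot code and (status, type, lba_start,
    sector_count) tuples; CHS fields are zeroed for simplicity."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(code)] = code
    for i, (status, ptype, lba_start, count) in enumerate(partitions):
        off = PARTITION_TABLE_OFFSET + 16 * i
        sector[off:off + 16] = struct.pack(ENTRY_FORMAT, status, b"\0\0\0",
                                           ptype, b"\0\0\0", lba_start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_partition_table(sector):
    """Return the non-empty partition entries as dictionaries."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, count = struct.unpack(ENTRY_FORMAT, sector[off:off + 16])
        if ptype != 0:                       # type 0 marks an unused slot
            entries.append({"index": i, "active": status == ACTIVE_FLAG,
                            "type": ptype, "lba_start": lba_start, "sectors": count})
    return entries


def active_boot_sector_lba(entries):
    """Logical sector of the DOS boot sector the MBR code loads next:
    the first sector of the single active partition."""
    active = [e for e in entries if e["active"]]
    if len(active) != 1:
        raise ValueError(f"expected one active partition, found {len(active)}")
    return active[0]["lba_start"]


def code_area_digest(sector):
    """SHA-256 of the boot code only; the partition table is excluded so a
    legitimate repartitioning does not look like an infection."""
    return hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest()


def check_mbr(sector, baseline_digest):
    """Audit a master boot sector. Returns a list of findings; an empty list
    means the code matches the baseline and the table is sane."""
    if len(sector) != SECTOR_SIZE:
        return [f"sector is {len(sector)} bytes, expected {SECTOR_SIZE}"]
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 55AA missing")
    if code_area_digest(sector) != baseline_digest:
        findings.append("MBR code area differs from baseline")
    active = [e for e in parse_partition_table(sector) if e["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected 1")
    return findings


# Constructed clean image: a few placeholder bytes standing in for the
# boot code, one active DOS partition starting at LBA 63 and one extended
# partition after it.
SAMPLE_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"\x90" * 40
CLEAN_MBR = build_sample_mbr(SAMPLE_CODE, [(0x80, 0x06, 63, 204737),
                                           (0x00, 0x05, 204800, 100000)])
BASELINE_DIGEST = code_area_digest(CLEAN_MBR)

# Constructed tampered image: the code area has been overwritten while the
# partition table and signature are untouched, which is how a boot sector
# infection looks from the outside.
_tampered = bytearray(CLEAN_MBR)
_tampered[:8] = b"\xEB\x1C\x90\x90\x90\x90\x90\x90"
TAMPERED_MBR = bytes(_tampered)

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE_DIGEST),
          "boots from LBA", active_boot_sector_lba(parse_partition_table(CLEAN_MBR)))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_DIGEST))
```

The baseline digest has to be taken and stored while the PC is bootstrapped from a clean write-protected system disk, as block 8 of Fig. 2.1 describes; a digest taken while the virus is active in RAM may be of a sector the virus is already presenting.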
In practice, the two requirements for an item to be susceptible to infection (i.e. that it is executable and modifiable) are supplemented by another de facto condition: the item must also be exchanged often enough between PCs. This reduces the above list of items at risk to master boot sectors, DOS boot sectors and COM and EXE executable files.

Viruses which infect master or DOS boot sectors are known as boot sector viruses, viruses which infect COM and EXE files are known as parasitic viruses, while viruses which infect both master or DOS boot sectors as well as COM and EXE files are known as multi-partite viruses. The other two types of viruses (companion viruses and link viruses) use different techniques which are discussed in greater detail in Section 3.1: Virus Types.

To keep the system free from viruses the user must make sure that the code contained within the items at risk remains virus-free and uncorrupted. Unfortunately, this is harder than it seems.
2.3 VIRUS CARRIER MEDIA

Any medium which can be used for the transmission or storage of executable code is a potential carrier of parasitic and multi-partite viruses, while any medium which can be used to bootstrap the PC is a potential carrier of boot sector and multi-partite viruses. The PC becomes infected with a parasitic or a multi-partite virus when the user executes an infected program. The PC becomes infected with a boot sector or a multi-partite virus when the user bootstraps the PC from an infected medium.

2.3.1 FLOPPY DISKS

Floppy disks are the most common medium for information exchange. They are used for distributing programs or exchanging information between PCs. They can act as carriers of parasitic viruses which hide in any executable on the disk, of bootstrap sector viruses, which hide in the bootstrap sector of the disk, or of multi-partite viruses which can hide both in the bootstrap sector and any executable.

Executing an infected program or bootstrapping from an infected disk need not be a conscious action on the part of the user. For example, a PC will become infected automatically if it is bootstrapped from a disk infected with a boot sector virus. Note that the floppy disk need not be a system disk! This can happen quite easily if a floppy is left overnight in a PC which is then switched on in the morning. The PC can also become infected if a short power failure occurs while the machine is unattended with a floppy disk in the drive. When the user returns to the PC he will probably not notice that the PC has been bootstrapped in his absence.
2.3.2 REMOVABLE HARD DISKS

Removable hard disks are becoming more popular in secure systems where the mass storage device has to be locked away physically when the PC is not attended. However, as they can be moved from one PC to another, they can act as carriers of parasitic viruses, boot sector viruses and multi-partite viruses.

2.3.3 MAGNETIC TAPE CARTRIDGES

Magnetic tape cartridges are normally used for storing PC backups. The PC cannot be booted from them, and as such they can only carry parasitic or multi-partite viruses.

2.3.4 OTHER STORAGE MEDIA

There are several other storage media used with PCs (Bernoulli drives, optical disks, 1/2" magnetic tapes etc.). As a rule, if the medium can be used to bootstrap the PC, it should be considered capable of carrying bootstrap sector viruses and multi-partite viruses, as well as parasitic viruses. If the medium cannot be used to bootstrap the PC, it can only carry parasitic and multi-partite viruses.

2.3.5 NETWORKS

PC networks provide a means for rapid exchange of information. They are also an excellent propagation medium for viruses and as such present a major security risk. They are treated in detail in Chapter 8: Viruses and Networks.

2.3.6 MODEMS

Modems offer the PC a means of communicating with other PCs, normally via an intermediate storage facility such as bulletin boards or electronic mail servers. If these offer the facility to upload and download executable images, they can act as carriers of parasitic and multi-partite viruses. Bootstrap sector viruses cannot be transmitted unwittingly via modems.
2.4 VIRUS INFILTRATION ROUTES AND METHODS

Some user actions have been shown to carry a high risk of leading to infection. The following list of routes and methods of virus infiltration has been assembled by analysing real-life cases in which organisations and individuals became infected. The results of the Dataquest survey of 602 North American companies with 300 or more PCs in Fig. 2.4 show the sources of infections in large organisations; the proportions are probably not true for all PC users.
Fig. 2.4 - Sources of infection (percentage of infected companies); from Dataquest survey, October 1991. Categories surveyed: PC at home, bulletin board, sales demonstration, service engineer, shrink wrapped, other download, inter-company disk, purposefully planted, disk from client, disk from school, came with PC, disk from consultant, disk from LAN manager, unknown / unwilling.

2.4.1 PIRATED SOFTWARE

It is easy to copy software and in most countries it is illegal to do so. But unless it is done on a large scale, the risk of prosecution at the moment is much smaller than the risk of contracting a virus infection. Games are probably the most commonly pirated software and they tend to move between PC users at a far greater speed than 'serious' pirated software. For this reason, they are also most prone to picking up a parasitic virus on the way.
2.4.2 BULLETIN BOARDS (BBS)

Bulletin boards normally provide a means of downloading and uploading software which is classified either as 'public domain' (free for all) or 'shareware' (copy freely, but pay if you use it). Most reputable boards are run under the close supervision of the SYSOP, the SYStem OPerator, who is at great pains to ensure the integrity of the software available from the bulletin board as well as the absence of Trojan horses (see Section 1.1.2: Trojan Example 2: ANSI.SYS).

Unfortunately, it is almost impossible to analyse all traffic on a bulletin board manually and many SYSOPs resort to automatic virus scanning of any uploaded executables. This is certainly better than nothing, but becomes ineffective if the software is distributed 'packed' using some non-standard dynamic packing utility (see also Section 7.1.2: Scanning software).

Bulletin boards are very useful for exchanging information and opinions. Their use should be confined to that and they should not be used for downloading software which was uploaded by other users.

There have been a significant number of cases of virus-infected software being uploaded onto public bulletin boards, including a bulletin board used to distribute market-leading anti-virus software.
2.4.3 SHAREWARE

Shareware is an attractive concept developed in the USA. The software carries the traditional copyright, but all users are encouraged to copy it and pass it on to others. If anybody ends up using it, he is under moral obligation to send a small sum (usually US$20 to US$50) to the author. The attraction lies in the fact that one ends up trying the software before paying for it. Market forces help to ensure the distribution and survival of good software and the eventual demise of rubbish. Unfortunately, shareware distribution is not without problems. Although most authors send 'the latest version' once payment has been received, users often end up trying (and using) the original version obtained from a friend of a friend of a friend. By the time one receives 'the latest version', the computer may be infected many times over with any viruses the original software picked up on the way (Fig. 2.5).

Fig. 2.5 - Unsafe software distribution. An infected user's PC will propagate the infection to all downstream recipients of the software.

Some companies distribute shareware through catalogues, guaranteeing 'the latest version' when shareware is purchased. Obviously, this is better than the 'friend of a friend of a friend' method, and the company has a vested interest in distributing uncontaminated software. Many shareware packages now include a checksum program and a list of correct checksums for all files supplied with the package. As long as the checksum program is not infected and the checksumming algorithm is cryptographically strong, this provides an assurance of file integrity (see Section 7.1.2: Checksumming Software).

Shareware is nevertheless a cheap way of obtaining software, some of which is of excellent quality.
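The checksum list that shareware packages ship with works as follows; the Python below is an added example, not the book's code or any particular package's checksum program. It writes a list of SHA-256 digests (a cryptographically strong hash, as the text requires) for a constructed package in a temporary directory, then verifies the package after simulated tampering and reports each file as ok, modified, missing or unlisted. The caveat from the text still holds: the checker itself must be run from a copy known to be clean.

```python
"""Build and verify a checksum list for a shareware package, the way a
package's own checksum program would. Added example, not the book's
code; the package contents are constructed in a temporary directory
and the 'tampering' is just bytes appended or files added to simulate
what can happen along a friend-of-a-friend distribution chain."""
import hashlib
import os
import tempfile

MANIFEST_NAME = "CHECKSUM.LST"


def file_digest(path):
    """SHA-256 of a file. A cryptographic hash cannot be 'fixed up' after a
    modification the way a simple additive checksum or CRC can."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(package_dir):
    """Record a digest for every file in the package except the list itself."""
    names = sorted(n for n in os.listdir(package_dir) if n != MANIFEST_NAME)
    with open(os.path.join(package_dir, MANIFEST_NAME), "w") as out:
        for name in names:
            out.write(f"{file_digest(os.path.join(package_dir, name))}  {name}\n")
    return names


def verify_manifest(package_dir):
    """Compare the package against its list. Returns {file: status} with
    status one of 'ok', 'modified', 'missing' or 'unlisted'; an unlisted
    executable next to a listed one deserves the same suspicion as a
    modified file."""
    expected = {}
    with open(os.path.join(package_dir, MANIFEST_NAME)) as listing:
        for line in listing:
            digest, name = line.rstrip("\n").split("  ", 1)
            expected[name] = digest
    result = {}
    for name, digest in expected.items():
        path = os.path.join(package_dir, name)
        if not os.path.isfile(path):
            result[name] = "missing"
        elif file_digest(path) != digest:
            result[name] = "modified"
        else:
            result[name] = "ok"
    for name in os.listdir(package_dir):
        if name != MANIFEST_NAME and name not in expected:
            result[name] = "unlisted"
    return result


def demo():
    """Create a constructed package, list it, tamper with it, and verify
    before and after. Returns both verification results."""
    package = tempfile.mkdtemp(prefix="shareware_")
    contents = {
        "SHARE.EXE": b"MZ" + b"\x90" * 64,       # constructed stand-in for a program
        "SHARE.DOC": b"Shareware v1.0 - please register.\n",
        "INSTALL.BAT": b"@echo off\r\ncopy SHARE.EXE C:\\UTIL\r\n",
    }
    for name, data in contents.items():
        with open(os.path.join(package, name), "wb") as out:
            out.write(data)
    write_manifest(package)
    before = verify_manifest(package)

    # Simulated tampering (no virus involved): the program grows by a few
    # bytes, a file the author never shipped appears, and the manual is gone.
    with open(os.path.join(package, "SHARE.EXE"), "ab") as out:
        out.write(b"\x00" * 16)
    with open(os.path.join(package, "SHARE.COM"), "wb") as out:
        out.write(b"\x90" * 8)
    os.remove(os.path.join(package, "SHARE.DOC"))
    after = verify_manifest(package)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("fresh package :", before)
    print("after transit :", after)
```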
2.4.4 PUBLIC DOMAIN SOFTWARE

Unlike shareware, public domain software is completely free for anybody to use. Unfortunately, it suffers from the same distribution risks as shareware, with the added disadvantage that there is often nobody to supply 'the latest version'.

There are a number of notable exceptions to the above, such as the Kermit communications package, which is fully supported by Columbia University in New York, USA. Anybody can obtain the latest version in return for a fee to cover administration costs.
2.4.5 SHARED PCS (PC AT HOME)

A surprisingly large number of infections in business PCs occur through the use of home computers for company work. The companies concerned usually have sound anti-virus security measures in place, but still suffer virus attacks by overlooking this loophole.

In one case known to the author an executive's 14-year-old son used his father's home PC to play games obtained from the school playground (unbeknown to his father). The executive, having brought home a report to finish, unwittingly took an infected disk back to work the next morning and in turn, infected his office PCs with the New Zealand virus. His son was out of favour for some time, but the company learned a valuable lesson.

2.4.6 FLOPPY DISKS SUPPLIED BY COMPUTER MAGAZINES

Some computer magazines supply floppy disks containing free software. On a number of occasions such disks have been found to carry virus code, for example:

• PC Today Vol 4 No 4, Database Publications, August 1990, Disk Killer (only the boot sector contained the virus code while the rest of the virus was overwritten and ineffective), 40,000 copies
• PC-WORLD Benelux, 9th November 1990, IDG Communications, Cascade, 16,000 copies
• Archimedes World, February 1992, Argus Specialist Publications, Module (Archimedes virus), 15,000 copies
• PC Fun, January 1992, MC Publications, New Zealand, 20,000 copies

The major problem with such events is the number of infected disks involved and the resulting wide spread of the virus. Any software and disks obtained from magazines should be used with utmost care and any 'Virus Checked' labels found on such disks treated with scepticism.

2.4.7 SERVICE ENGINEERS

Service engineers are often a great source of the latest games, diagnostics and similar software. Seeing five or ten customers a day, they are an effective propagation medium for any copyable software.

In one case in 1988 a service engineer on a visit to a government organisation in England demonstrated an entertaining program called 'MUSHROOM'. Everyone wanted to run MUSHROOM. Unfortunately, that copy of MUSHROOM.COM had been infected with the Cascade virus, which in turn spread to many PCs in the organisation and triggered on 1st October of that year. The engineer eventually examined the original source of the program and discovered that it was not infected. The infection was picked up along the way, probably on one of the customers' computers.
40 CHAPTER 1<br />
Much can be done to prevent viruses from infiltrating organisations through this route. All diagnostic disks used by service engineers should be write-protected, or, alternatively, the customer should have a set of his own write-protected disks. Service engineers should resist the temptation to distribute software, which is not only dangerous, but also often illegal.<br />
At least one large computer company has expressly prohibited its service engineers from carrying any floppy disks. All disks used on the customers' PCs, including diagnostics, must either already be in the possession of the user or come shrink-wrapped from the factory. More and more computer maintenance companies are equipping their engineers with virus-scanning software, which allows them to determine quickly whether a problem is due to a virus or something else.<br />
2.4.8 SHRINK-WRAPPED SOFTWARE<br />
Shrink-wrapped software normally refers to commercial software packages which come in a shrink-wrapped sealed container - usually for legislative purposes rather than as an anti-virus measure. Many manufacturers state that by breaking the seal, the user implicitly agrees to abide by the licensing terms and conditions. There is also a good chance that the software has not been tampered with from the time it left the manufacturing plant.<br />
There have however been several cases of viruses distributed on shrink-wrapped disks, for example:<br />
• Zinc Software's Interface Library, 20th November 1991, Form<br />
• Focus 2 the MAX VGA card software, December 1991, Michelangelo, 1,000 copies<br />
• Novell's NetWare Encyclopedia, 11th December 1991, NoInt, 3,800 copies<br />
• Intel's Version 3.01 of LANSpool 286 and 386, 6th March 1992, Michelangelo, 830 copies<br />
Apart from disks being infected at source, there have been a number of cases where dealers opened shrink-wrapped software, loaded it onto their (already infected) machines for demonstration purposes and resealed the package before offering it for sale. The virus was thus found on seemingly shrink-wrapped disks and the real reason for infection did not emerge until after an investigation by the software manufacturer. Many such incidents could be prevented if all manufacturers delivered software on permanently write-protected floppy disks.<br />
Although there is always a chance that shrink-wrapped software will contain a virus, the probability, in practice, is still small. The reasons for this are twofold: companies marketing shrink-wrapped software have a large investment in their products and a lot to lose from bad publicity should the products prove to be virus carriers. They also provide stringent QA procedures, which aim to ensure the integrity of the software leaving the factory. The result is a traceable step-by-step software development process in a controlled environment, which is a basis for efficient anti-virus measures.<br />
3<br />
VIRUS STRUCTURE<br />
Now, what I want is Facts... Facts alone are wanted in life.<br />
Charles Dickens, 'Hard Times'<br />
A virus is a purposefully written computer program which consists of two parts: self-replicating code and the 'payload', which produces side-effects (Fig. 3.1). In a typical PC virus, the replicating code may be between 400 and 2000 bytes long, while the size of the payload will depend on the side-effects. Typically this is a few hundred bytes.<br />
Before infecting an executable, most viruses try to determine whether they have already infected it, by testing for some infection signature. If the signature (sometimes also referred to as "virus marker") is there, the executable is already infected and it will not be reinfected. The signature can have various forms. Some viruses use a sequence of characters such as 'sURIV' (VIRUs spelt backwards) in a fixed position, some test the file size for divisibility by a number, others test whether the number of seconds in the file datestamp is set to 62. At least one virus (Jerusalem) does not test correctly for its own signature, which results in reinfections and thus unlimited growth of executable images.<br />
[Fig. 3.1: two boxes, 'Self-replicating code' and 'Payload']<br />
Fig. 3.1 Virus structure<br />
The side-effects of a virus are limited only by the imagination of the virus author and can range from annoyance to serious vandalism.<br />
3.1 VIRUS TYPES<br />
Viruses can be divided into five categories: bootstrap sector viruses, parasitic viruses, multi-partite viruses, companion viruses and link viruses. The distinction between these categories is somewhat blurred; for example, companion and link viruses could be assumed to be special cases of parasitic viruses.<br />
3.1.1 BOOTSTRAP SECTOR VIRUSES<br />
Bootstrap sector viruses modify the contents of either the master bootstrap sector or the DOS bootstrap sector, depending on the virus and type of disk, usually replacing the legitimate contents with their own version. The original version of the modified sector is normally stored somewhere else on the disk, so that on bootstrapping, the virus version will be executed first. This normally loads the remainder of the virus code into memory, followed by the execution of the original version of the bootstrap sector (Fig. 3.2). From then on, the virus generally remains memory-resident until the computer is switched off.<br />
Bootstrap sector viruses are spread through physical exchange of any media which can be used for bootstrapping (in most cases by physical exchange of floppy disks). As a consequence, they spread comparatively slowly. Nevertheless, one often finds Trojan horse programs whose only function is to infect the boot sector of the PC and start the infection. Known as 'droppers', they allow the spread of boot sector viruses via bulletin boards, thereby vastly increasing the spreading potential and the speed with which the virus can spread over large distances.<br />
A PC becomes infected with a boot sector virus only if the user (accidentally) bootstraps from an infected disk. It is completely safe to insert an infected disk into the drive and copy data from it (using the COPY command). The PC will not become infected unless it is booted while an infected disk is in drive A. However, the DISKCOPY command should not be used as this is an image copier which will copy the virus code as well.<br />
Examples of bootstrap sector viruses include Brain (floppy disk bootstrap sector only), Italian (DOS bootstrap sector) and New Zealand (master bootstrap sector).<br />
The mechanism of a bootstrap sector virus normally uses three distinct components:<br />
1. the bootstrap sector - replaced with an infected version; this is where the virus gains access.<br />
2. one previously unused sector - for storing the original bootstrap sector.<br />
3. a number of previously unused sectors - where the bulk of the virus code is stored.<br />
There are a number of bootstrap sector viruses which do not store the original bootstrap sector anywhere else (e.g. SVC 6.0).<br />
The mechanism for acquiring unused sectors varies from virus to virus. Some viruses such as Form and Disk Killer look for unused clusters in the disk's File Allocation Table (FAT) and when found, label them as 'bad'. This prevents the operating system from allocating these clusters to files and possibly overwriting the virus code. Other viruses such as New Zealand use part of the hard disk which is not normally used by the operating system (Sector 2, Head 0, Track 0 onwards). New Zealand stores the original boot sector into Sector 7, Head 0, Track 0 on hard disks. On floppy disks, the virus adopts a different strategy and stores the original boot sector into Sector 3, Head 1, Track 0, both of which can cause serious loss of data on some disks.<br />
Other examples of requisitioning space include using track 40 on 360K floppy disks (Den Zuk) and decreasing the size of the first partition on the hard disk (Tequila).<br />
[Fig. 3.2: disk layout before and after infection; the infected bootstrap sector carries a 'Jump' to the virus code stored elsewhere on the disk]<br />
Fig. 3.2a Uninfected disk<br />
Fig. 3.2b Infected disk<br />
It is important to realise that all boot sector viruses modify the bootstrap sector in some way, and it is the only item one needs to examine for signs of infection. The place where the rest of the virus code is stored is not of much practical interest, except, perhaps, when trying to find the original bootstrap sector in order to copy it back and 'disinfect' the disk.<br />
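The two traces described above, a rewritten bootstrap sector and FAT clusters newly labelled 'bad', are both visible in the first few sectors of a disk image. The following is an added example (not code from the book) that inspects a FAT12 floppy image for them: it fingerprints the boot sector against a baseline taken while the disk was known clean, checks the 55AAh boot signature, and decodes the 12-bit FAT entries to list clusters marked bad. The 1.44 MB geometry and the image produced by build_sample_image() are constructed for the demonstration; the function and constant names are mine.

```python
"""Inspect a FAT12 floppy image for the traces a bootstrap sector virus leaves:
a rewritten boot sector and FAT clusters marked 'bad' to reserve space for the
virus body (as the text says Form and Disk Killer do).

Added example, not code from the book. The geometry and the sample image are
constructed for this demonstration.
"""
import hashlib
import struct

SECTOR = 512
FAT12_BAD = 0xFF7             # FAT12 value marking a cluster as unusable
BOOT_SIGNATURE = b"\x55\xAA"  # must sit at offset 510 of a valid boot sector
BPB_FORMAT = "<HBHBHHBH"      # BIOS Parameter Block fields starting at offset 11


def boot_sector_fingerprint(sector: bytes) -> str:
    """SHA-256 of the boot sector; record it while the disk is known clean."""
    if len(sector) != SECTOR:
        raise ValueError("boot sector must be exactly 512 bytes")
    return hashlib.sha256(sector).hexdigest()


def boot_sector_is_wellformed(sector: bytes) -> bool:
    """A sector without the 55AAh signature was not written by a formatter."""
    return len(sector) == SECTOR and sector[510:512] == BOOT_SIGNATURE


def parse_bpb(sector: bytes) -> dict:
    """Read the BPB fields needed to locate the FAT and size the data area."""
    keys = ("bytes_per_sector", "sectors_per_cluster", "reserved", "num_fats",
            "root_entries", "total_sectors", "media", "sectors_per_fat")
    return dict(zip(keys, struct.unpack_from(BPB_FORMAT, sector, 11)))


def fat12_entries(fat: bytes, count: int):
    """Yield FAT12 entries 0..count-1 (12-bit values packed two per 3 bytes)."""
    for n in range(count):
        off = (n * 3) // 2
        word = fat[off] | (fat[off + 1] << 8)
        yield (word >> 4) & 0xFFF if n & 1 else word & 0xFFF


def set_fat12(fat: bytearray, n: int, value: int) -> None:
    """Write one FAT12 entry (used only to build the constructed sample)."""
    off = (n * 3) // 2
    word = fat[off] | (fat[off + 1] << 8)
    word = (word & 0x000F) | (value << 4) if n & 1 else (word & 0xF000) | value
    fat[off], fat[off + 1] = word & 0xFF, word >> 8


def bad_clusters(image: bytes) -> list:
    """Cluster numbers marked bad in the first FAT. A freshly formatted floppy
    normally has none, so every entry here deserves an explanation."""
    bpb = parse_bpb(image[:SECTOR])
    bps = bpb["bytes_per_sector"]
    fat_start = bpb["reserved"] * bps
    fat = image[fat_start:fat_start + bpb["sectors_per_fat"] * bps]
    root_sectors = (bpb["root_entries"] * 32 + bps - 1) // bps
    data_start = bpb["reserved"] + bpb["num_fats"] * bpb["sectors_per_fat"] + root_sectors
    clusters = (bpb["total_sectors"] - data_start) // bpb["sectors_per_cluster"]
    return [n for n, v in enumerate(fat12_entries(fat, clusters + 2))
            if n >= 2 and v == FAT12_BAD]


def build_sample_image(bad: tuple = (), boot_jump: bytes = b"\xEB\x3C\x90") -> bytes:
    """Constructed 1.44 MB-style image: boot sector, two FATs and an empty root
    directory (the data area is omitted; nothing above reads it)."""
    boot = bytearray(SECTOR)
    boot[0:3] = boot_jump                       # jump over the BPB to the loader
    struct.pack_into(BPB_FORMAT, boot, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    boot[510:512] = BOOT_SIGNATURE
    fat = bytearray(9 * SECTOR)
    fat[0:3] = b"\xF0\xFF\xFF"                  # media byte, entries 0 and 1
    for n in bad:
        set_fat12(fat, n, FAT12_BAD)
    return bytes(boot + fat + fat + bytearray(14 * SECTOR))


def inspect(image: bytes, baseline_fingerprint: str) -> dict:
    """What a defender wants to know: signature present, sector unchanged, bad clusters."""
    boot = image[:SECTOR]
    return {"signature_ok": boot_sector_is_wellformed(boot),
            "boot_sector_changed": boot_sector_fingerprint(boot) != baseline_fingerprint,
            "bad_clusters": bad_clusters(image)}


def demo() -> dict:
    """Clean disk against its own baseline, then the same disk with a different
    boot-sector jump and three clusters newly marked bad."""
    clean = build_sample_image()
    baseline = boot_sector_fingerprint(clean[:SECTOR])
    suspect = build_sample_image(bad=(40, 41, 42), boot_jump=b"\xEB\x40\x90")
    return {"clean": inspect(clean, baseline), "suspect": inspect(suspect, baseline)}


if __name__ == "__main__":
    print(demo())
```

Only the boot sector, the FAT and the BPB are read, which matches the text's point that the bootstrap sector is the one item that must be examined; the bad-cluster count is a cheap secondary indicator, since a sudden appearance of bad clusters on a disk that formatted cleanly has to be explained.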
3.1.2 PARASITIC VIRUSES<br />
Parasitic viruses modify the contents of COM and/or EXE files. They append themselves to the file, leaving the bulk of the program intact (Fig. 3.3). The execution flow is hence diverted in such a way that virus code executes first. Once the virus code has executed, the execution flow passes to the original program which, in most cases, executes normally. The extra execution time due to the virus is usually not perceptible to the user.<br />
Some viruses append themselves to the end of the original file, some prepend themselves in front of the file, some do both and some insert themselves in the middle of the file.<br />
Parasitic viruses spread through any medium which can be used for storage or transmission of executable code such as floppy disks, tapes, networks etc. The infection will generally spread if an infected program is executed.<br />
It is of crucial importance to the virus that its code is executed before the infected program. The virus runs at the same privilege level as the original program and once running, can do anything: replicate, install itself into memory, release the side effects etc.<br />
[Fig. 3.3: 'Uninfected program' (Program); 'Program infected at the end' (Program, Virus); 'Program infected at the beginning' (Virus, Program)]<br />
Fig. 3.3 Program infection with a parasitic virus<br />
[Screen listing (caption lost in scanning): DIR of C:\VIRUS shows ALTER.COM (2725 bytes, 12-26-83 12:51a) and WHEREIS.COM (640 bytes, 9-03-86 3:48p). Running ALTER infects the PC by executing an infected application; ALTER's own output is 'You must specify a path.' Running WHEREIS then infects another COM file. A second DIR shows the size increase by 1701 bytes and no change of date and time.]<br />
3.1.3 MULTI-PARTITE VIRUSES<br />
A comparatively recent development has been the emergence of viruses which exhibit the characteristics of both bootstrap sector and parasitic viruses. Viruses such as Flip infect COM and EXE files (like parasitic viruses) as well as the master boot sector (like boot sector viruses). By exploiting 'the best of both worlds' their chances of replication are much higher than if they were to use only one method (Fig. 3.5). It is not surprising that the comparatively few multi-partite viruses in existence today account for a disproportionately large number of infections.<br />
Multi-partite viruses are spread through physical exchange of any media which can be used for bootstrapping (in most cases physical exchange of floppy disks) as well as through any medium which can be used for storage or transmission of executable code such as disks, tapes and networks. The virus will become active if the PC is bootstrapped from an infected disk or if an infected program is executed.<br />
Most multi-partite viruses such as Flip are fully multi-partite, which means that a PC infected by bootstrapping from an infected disk will infect other disks as well as executables, while a PC infected by executing an infected file will infect other executables as well as disks. Some multi-partite viruses are only partially multi-partite; for example, Spanish Telecom in EXE and COM files will infect other EXE and COM files as well as the boot sectors, while the same virus in a boot sector will only infect other boot sectors.<br />
The speed of propagation of multi-partite viruses is similar to that of parasitic viruses as they can be uploaded easily onto bulletin boards and thus spread over great distances very quickly.<br />
[Fig. 3.5: infected disk; the bootstrap sector carries a 'Jump to the rest of virus code']<br />
Fig. 3.5 - Disk infected with a multi-partite virus<br />
3.1.4 COMPANION VIRUSES<br />
Companion viruses exploit the MS-DOS property that if two programs with the same name exist in a directory, the operating system will execute a COM file in preference to an EXE file.<br />
[Fig. 3.6: directory listing of drive C ('Volume in drive C has no label', '4 File(s) 51335168 bytes free') showing WS.EXE alongside a newly created WS.COM, the file carrying the companion virus code]<br />
Fig. 3.6 - Companion virus infection<br />
A companion virus creates a COM file with the same name as the EXE file it 'infects', storing its own virus code in the COM file. When a user types in the program name, the operating system executes the COM file, which executes the virus code and, in turn, loads and executes the EXE file. The virus makes no change at all to the contents of the 'infected' EXE file.<br />
The directory listing in Fig. 3.6 shows an unsophisticated companion virus which has infected WS.EXE by creating WS.COM. More sophisticated companion viruses label the companion COM file with the DOS 'hidden' attribute, which means that they will not be shown in directory listings. This, however, is also a nail in the coffin of such viruses, since the DOS COPY command does not copy hidden files and the virus is thus denying itself the prime means of propagation: copying of executable files by users.<br />
Companion viruses are spread through any medium which can be used for storage or transmission of executable code (but see above comment on hidden files). The virus will become active if one of its COM programs is executed.<br />
It is unlikely that companion viruses will form a major threat in the future.<br />
3.1.5 LINK VIRUSES<br />
Link viruses work by linking the first cluster pointer of the directory entry of every executable file to a single cluster containing the virus code. The original number of the first cluster is saved in the unused part of the directory entry (Fig. 3.7).<br />
Link viruses are spread through any medium which can be used for storage or transmission of executable code. A PC will become infected if an infected program is executed.<br />
As of August 1992, the only link virus in the wild was DIR II, which first appeared in mid 1991 and has since become remarkably widespread.<br />
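Three of the traces described so far live in the 32-byte FAT directory entries themselves: the same-named COM that a companion virus (Section 3.1.4) places beside an EXE, the first-cluster pointers that a link virus (Section 3.1.5) redirects to a single cluster, and the 'seconds set to 62' time stamp that some viruses use as their infection marker (introduction to this chapter). The following added example, which is not code from the book, decodes raw directory entries and reports all three. The SAMPLE_DIR image is constructed: the file names are borrowed from Figs. 3.6 and 3.7 and the cluster numbers and sizes are made up; all function names are mine.

```python
"""Check FAT directory entries for a companion COM beside an EXE, for
executables whose first-cluster pointers all lead to one cluster, and for the
impossible 62-second time stamp used as an infection marker.

Added example, not code from the book; SAMPLE_DIR is constructed.
"""
import struct
from collections import defaultdict

ENTRY_SIZE = 32
ATTR_HIDDEN = 0x02


def dos_time(hour: int, minute: int, second: int) -> int:
    """Pack a DOS time word: hours in bits 11-15, minutes in bits 5-10 and
    seconds halved in bits 0-4, so the 5-bit field can encode 0..62."""
    return (hour << 11) | (minute << 5) | (second // 2)


def make_entry(name, ext, attr=0, first_cluster=0, size=0, time_word=0) -> bytes:
    """Build one 32-byte directory entry (sample construction only)."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = attr
    struct.pack_into("<H", raw, 22, time_word)      # last-write time
    struct.pack_into("<H", raw, 26, first_cluster)  # first cluster (low word)
    struct.pack_into("<I", raw, 28, size)
    return bytes(raw)


def parse_entries(raw: bytes) -> list:
    """Decode live entries; 0x00 ends the directory, 0xE5 marks a deleted file."""
    entries = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = raw[off:off + ENTRY_SIZE]
        if e[0] == 0x00:
            break
        if e[0] == 0xE5:
            continue
        time_word, = struct.unpack_from("<H", e, 22)
        first_cluster, = struct.unpack_from("<H", e, 26)
        size, = struct.unpack_from("<I", e, 28)
        entries.append({"name": e[0:8].decode("ascii").rstrip(),
                        "ext": e[8:11].decode("ascii").rstrip(),
                        "attr": e[11],
                        "minute": (time_word >> 5) & 0x3F,
                        "seconds": (time_word & 0x1F) * 2,
                        "first_cluster": first_cluster,
                        "size": size})
    return entries


def companions(entries: list) -> list:
    """EXE files that have a same-named COM, with whether the COM is hidden.
    DOS runs the COM first, and a hidden one never shows up in DIR."""
    coms = {e["name"]: e for e in entries if e["ext"] == "COM"}
    return [(e["name"], bool(coms[e["name"]]["attr"] & ATTR_HIDDEN))
            for e in entries if e["ext"] == "EXE" and e["name"] in coms]


def shared_first_cluster(entries: list) -> dict:
    """Executables whose entries point at the same first cluster. On a healthy
    disk no two files share a cluster; a link virus points every executable's
    entry at the one cluster holding its code."""
    by_cluster = defaultdict(list)
    for e in entries:
        if e["ext"] in ("COM", "EXE") and e["first_cluster"]:
            by_cluster[e["first_cluster"]].append(f"{e['name']}.{e['ext']}")
    return {c: names for c, names in by_cluster.items() if len(names) > 1}


def impossible_seconds(entries: list) -> list:
    """Entries stamped with 62 seconds (raw field value 31): no clock writes
    that, so it is a marker left by a program, not a real time."""
    return [f"{e['name']}.{e['ext']}" for e in entries if e["seconds"] == 62]


# Constructed root directory: WS.EXE with a hidden WS.COM beside it, FPRT.EXE
# and RUNOFF.EXE both pointing at cluster 300, ALTER.COM stamped 62 seconds.
SAMPLE_DIR = b"".join([
    make_entry("WS", "EXE", first_cluster=5, size=120000, time_word=dos_time(12, 1, 0)),
    make_entry("WS", "COM", attr=ATTR_HIDDEN, first_cluster=9, size=1200, time_word=dos_time(12, 1, 0)),
    make_entry("FPRT", "EXE", first_cluster=300, size=30000, time_word=dos_time(9, 3, 0)),
    make_entry("RUNOFF", "EXE", first_cluster=300, size=60000, time_word=dos_time(9, 3, 0)),
    make_entry("ALTER", "COM", first_cluster=17, size=2725, time_word=dos_time(0, 51, 62)),
    make_entry("README", "TXT", first_cluster=21, size=400, time_word=dos_time(8, 0, 0)),
])


def report(raw: bytes) -> dict:
    entries = parse_entries(raw)
    return {"companions": companions(entries),
            "shared_first_cluster": shared_first_cluster(entries),
            "marker_62s": impossible_seconds(entries)}


if __name__ == "__main__":
    print(report(SAMPLE_DIR))
```

The checks read the directory sectors directly rather than asking DOS for a listing, which is the point the text makes about hidden companion files and, later, about stealth viruses: an active virus can lie to DIR, but it cannot change what is physically in the directory entry without also changing it for itself.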
[Fig. 3.7a: directory entries WS.COM, FPRT.EXE and RUNOFF.EXE, each with a pointer to the first cluster of its file in the disk data area]<br />
Fig. 3.7a - Directory entries in an uninfected system<br />
[Fig. 3.7b: the pointers to the first cluster of each file now all point to the virus code in the disk data area; the original pointers are stored in the unused parts of the directory entries and are available to the virus]<br />
Fig. 3.7b - Directory entries in a system infected with a link virus<br />
3.2 VIRUS BEHAVIOUR AFTER GAINING CONTROL<br />
3.2.1 MEMORY-RESIDENT VIRUSES<br />
Memory-resident viruses install themselves into memory as Terminate and Stay Resident (TSR) processes when they gain control. They will normally intercept one or more interrupts and infect other objects when certain conditions are fulfilled (e.g. when the user attempts to execute an application (Cascade) or when the user accesses a drive (Brain)). Switching the PC off will clear the virus from memory; warm bootstrapping with Ctrl-Alt-Del may not, as some viruses such as Yale intercept the Ctrl-Alt-Del interrupt and survive the warm boot.<br />
3.2.2 NON-MEMORY-RESIDENT VIRUSES<br />
Non-memory-resident viruses are active only when an infected application is executed. They execute their code completely at that stage and do not remain in memory. Other executables are generally infected only when an infected program is executed (e.g. Vienna or Datacrime).<br />
Although this approach may seem less infectious than the one used by memory-resident viruses, the infectiousness of these viruses is in practice just as high as, if not higher than, that of the memory-resident viruses. They are also more difficult to spot, since they do not change the interrupt table or the amount of available memory, and their infectious behaviour can be more unpredictable.<br />
3.2.3 HYBRIDS<br />
Some viruses use a combination of these two methods. The Typo virus, for example, infects executables on invocation of an infected program, but also leaves a small TSR element in memory after infection. The TSR section contains the payload, while the non-resident portion of the virus contains the replication code. In other hybrid viruses these functions might be allocated differently.<br />
3.3 VIRUS HIDING MECHANISMS<br />
Viruses often place obstacles in the path of anyone trying to find or eradicate them. Two mechanisms are commonly used: encryption and interrupt interception.<br />
3.3.1 ENCRYPTION<br />
Encryption or scrambling of the virus code is used by some viruses in order to make them appear different in each infected application. This is designed to make the extraction of a fixed search pattern more difficult, since the majority of the virus code changes on every infection (Fig. 3.8). Before the virus code can be executed, it must be decrypted in order to become a meaningful sequence of instructions. The decryption routine must be in plaintext (unencrypted) form and it usually contains about ten or twenty bytes which are identical and common to every infected executable (shown as 'DE' in Fig. 3.8). An encrypted virus will look identical only when it uses the same encryption key to encrypt its code.<br />
Carrier program    Virus<br />
Program 1          DE 2BAD4DAD458BE<br />
Program 2          DE FAFA1B1B1783E<br />
Program 3          DE BAA692F1F1BAD<br />
Fig. 3.8 Three programs infected with an identical encrypted virus<br />
Although encryption algorithms in current viruses are simple and the keys are straightforward (Cascade's decryption routine is shown in Fig. 3.9), the possibilities for introducing complications are practically endless. For example, a virus can use two stages of encryption, where the key for encrypting the second stage is stored in an encrypted form in the first stage. Such 'refinements' make disassembly of the virus more difficult and even viruses encrypted using simple techniques can be tricky to disassemble.<br />
        lea  si,[bx+start_of_virus]<br />
        mov  sp,virus_length<br />
again:  xor  [si],si          ; first xor<br />
        xor  [si],sp          ; second xor<br />
        inc  si<br />
        dec  sp<br />
        jnz  again            ; loop until finished<br />
Fig. 3.9 - Cascade decryption routine<br />
One of the techniques increasingly commonly used by virus writers is to make the virus vary the decryption routine between infections. These viruses are known as polymorphic. Since there is no code which remains the same between infections, it is impossible to extract a fixed hexadecimal pattern. This somewhat complicates the search and an algorithmic approach has to be used; the virus scanner is told about a number of virus characteristics such as infective length, bytes which do not change between infections and so on, which are used to recognise virus-infected code.<br />
The trend of writing polymorphic viruses seems to have been started by one Mark Washburn in the US with his 'experimental' virus 1260. This was followed by a number of creations in the V2Pn series (V2P2, V2P6 etc.), all of which were written as a direct challenge to anti-virus software manufacturers. It is interesting that Mark Washburn views himself as a 'good guy' who is helping anti-virus research.<br />
A recent development in polymorphic viruses is the development of the Mutation Engine by a virus-writer (or possibly a group) calling him/itself Dark Avenger. This 'toolkit' allows a quick transformation of any normal virus into a polymorphic one, saving programming effort. Dark Avenger and his associates posted the object code of the Mutation Engine on a number of bulletin boards with detailed instructions on how it should be used. They even valiantly offer technical support to budding virus writers via a virus-exchange bulletin board in Sofia, Bulgaria. The document accompanying the toolkit states that it is copyright ©1991 Crazy Soft, Inc and is written by Mad Maniac.<br />
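The scanning consequence of Fig. 3.8 and Fig. 3.9 is that a fixed search pattern can only be taken from the plaintext decryptor ('DE'), and that a scanner which wants to look at the body must first run the decryption loop itself. The following added example, not code from the book, does both for the Cascade loop of Fig. 3.9: it emulates the loop's overlapping 16-bit XORs in Python, locates the decryptor by its fixed bytes, and recovers the body. The virus body used is constructed filler, not Cascade code; the starting values of SI and SP for the two 'hosts' are assumptions (in the real virus they depend on where the code lands in the host file); and the eight-byte pattern is what I get by hand-assembling the loop body of Fig. 3.9, so it should be checked against an assembler before being relied on.

```python
"""Emulate the Cascade decryption loop of Fig. 3.9 the way a scanner's
'decrypt, then search' step would, and show that only the decryptor gives a
fixed pattern while the encrypted body differs from host to host.

Added example, not code from the book. BODY is constructed filler; the SI/SP
start values are assumptions.
"""

# Loop body of Fig. 3.9 hand-assembled to 8086 code (verify with an assembler):
# xor [si],si / xor [si],sp / inc si / dec sp / jnz again (rel8 = -8).
DECRYPTOR_LOOP = bytes.fromhex("3134 3124 464C 75F8")


def cascade_xor(buf: bytes, si: int, sp: int) -> bytes:
    """Apply the Fig. 3.9 loop to buf, starting with the given SI and SP.

    Each iteration XORs the 16-bit word at [SI] with SI and then with SP,
    advances SI by one byte and decrements SP, until SP reaches zero. Because
    the words overlap, the loop touches one byte beyond the sp count. All
    keys depend only on SI and SP, never on the data, so running the loop a
    second time restores the original: encryption and decryption coincide.
    """
    if sp <= 0:
        raise ValueError("sp must be the positive length of the encrypted region")
    if len(buf) < sp + 1:
        raise ValueError("buffer must hold sp + 1 bytes (overlapping words)")
    out = bytearray(buf)
    i = 0
    while sp != 0:
        word = out[i] | (out[i + 1] << 8)
        word ^= (si ^ sp) & 0xFFFF
        out[i], out[i + 1] = word & 0xFF, word >> 8
        i += 1
        si = (si + 1) & 0xFFFF
        sp -= 1
    return bytes(out)


def constructed_image(body: bytes, si: int, sp: int) -> bytes:
    """Constructed 'infected' image: the fixed decryptor followed by the body
    scrambled under this host's key (one padding byte for the overlap)."""
    return DECRYPTOR_LOOP + cascade_xor(body + b"\x00", si, sp)


def find_decryptor(image: bytes) -> int:
    """Scanner step 1: the fixed plaintext pattern, or -1 if absent."""
    return image.find(DECRYPTOR_LOOP)


def recover_body(image: bytes, si: int, sp: int) -> bytes:
    """Scanner step 2: emulate the loop on the bytes after the decryptor."""
    start = find_decryptor(image)
    if start < 0:
        raise ValueError("decryptor pattern not found")
    start += len(DECRYPTOR_LOOP)
    return cascade_xor(image[start:start + sp + 1], si, sp)[:sp]


BODY = b"constructed filler standing in for the virus body, not real code"
HOST_A = (0x0123, len(BODY))   # assumed SI and SP on one host
HOST_B = (0x0456, len(BODY))   # a different host gives a different SI


def demo() -> dict:
    a = constructed_image(BODY, *HOST_A)
    b = constructed_image(BODY, *HOST_B)
    return {"same_decryptor": a[:8] == b[:8],      # fixed pattern survives
            "different_body": a[8:] != b[8:],      # everything else changes
            "recovered_a": recover_body(a, *HOST_A),
            "recovered_b": recover_body(b, *HOST_B)}


if __name__ == "__main__":
    print(demo())
```

The two-stage structure (find the invariant decryptor, then emulate it) is exactly what stops working for a polymorphic virus: once the decryptor itself varies, step 1 has no fixed bytes to search for, which is why the text says an algorithmic description of the virus has to replace the hexadecimal pattern.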
3.3.2 INTERRUPT INTERCEPTION: STEALTH VIRUSES<br />
Interrupt interception can be used very successfully to hide the presence of a virus actively once it has gained control of the PC.<br />
DOS applications use software interrupts to communicate with the operating system in a portable way. The jump addresses are stored in the interrupt table located at the beginning of memory (Fig. 3.10). This is set up by the operating system to point to the correct addresses depending on the version of DOS. When an application issues an interrupt, a jump occurs to a predetermined address. If a virus changes one or more of these addresses, any jumps to the operating system can be routed via the virus, which can then decide what to do with a particular request (Fig. 3.11). The fact that such modification of the interrupt table is possible has led to the emergence of 'stealth' viruses, which are characterised by a highly effective ability to hide themselves.<br />
[Fig. 3.10: the interrupt table occupies RAM addresses 00000H (interrupt 00H), 00004H (interrupt 01H), 00008H (interrupt 02H) and so on up to 003FCH (interrupt FFH); each interrupt entry contains the Instruction Pointer (IP) offset (16 bits) and the Code Segment (CS) base address (16 bits)]<br />
Fig. 3.10 Interrupt table<br />
For example, if the Brain virus is active in memory and an application requests the operating system to read from disk the contents of the boot sector (the hiding place of Brain), the virus will return the contents of what the legitimate boot sector would contain, instead of the actual contents. Brain achieves this by modifying ('hooking itself into') the interrupt table.<br />
Several other viruses use this stealth technique. For example, 4K intercepts some 18 functions of the DOS interrupt 21H, including Find First Matching File (11H), Find Next Matching File (12H), Open File (3DH) and Close File (3EH). Amongst other things, the virus will subtract 4096 from any infected file length displayed by the DIR command. It goes much further: it will 'disinfect' any infected file if an application tries to read from it, only to reinfect it on closing the file. A virus scanner or a checksummer will therefore not discover 4K in infected files if the virus is active in memory.<br />
Joshi is another stealth virus which hides the contents of an infected boot sector by intercepting ROM BIOS disk services interrupt 13H and returning the contents of the original boot sector if a disk read is attempted. The virus also intercepts the keyboard interrupt 9H, traps Ctrl-Alt-Del (warm boot) and survives it. Correct anti-virus bootstrapping, which includes switching the power off and booting from a clean, write-protected floppy, has never been more important than today.<br />
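Sections 3.2.1 and 3.3.2 both come down to the same 1 KB structure: the table of Fig. 3.10, with entry n at RAM address 4n holding the IP offset followed by the CS segment. The following added example, not code from the book, decodes such a table and compares it with a baseline snapshot taken after a clean boot, listing every vector whose target has moved (here INT 13H and INT 21H, the two hooked by Joshi and 4K respectively). Both tables are constructed; the segment:offset values in them are illustrative and are not the addresses of any particular DOS or BIOS version, and the function names are mine.

```python
"""Decode the real-mode interrupt vector table of Fig. 3.10 and diff it
against a clean snapshot to list vectors that have been re-pointed.

Added example, not code from the book. The two tables built below are
constructed; their segment:offset values are illustrative only.
"""
import struct

IVT_SIZE = 256 * 4   # 256 interrupts, 4 bytes each, from RAM address 00000H


def vector(table: bytes, n: int) -> tuple:
    """Entry n lives at address 4*n: IP (offset) first, then CS (segment),
    both little-endian 16-bit words. Returned as (CS, IP)."""
    ip, cs = struct.unpack_from("<HH", table, 4 * n)
    return cs, ip


def physical(cs: int, ip: int) -> int:
    """Real-mode linear address: segment * 16 + offset, 20 bits wide."""
    return ((cs << 4) + ip) & 0xFFFFF


def hooked_vectors(baseline: bytes, current: bytes) -> list:
    """Interrupts whose vector differs from the clean snapshot, as
    (interrupt number, old physical target, new physical target)."""
    if len(baseline) != IVT_SIZE or len(current) != IVT_SIZE:
        raise ValueError("each table must be exactly 1024 bytes")
    diffs = []
    for n in range(256):
        old, new = vector(baseline, n), vector(current, n)
        if old != new:
            diffs.append((n, physical(*old), physical(*new)))
    return diffs


def build_table(entries: dict) -> bytes:
    """Construct a 1 KB table from {interrupt: (CS, IP)}; unset vectors are 0."""
    table = bytearray(IVT_SIZE)
    for n, (cs, ip) in entries.items():
        struct.pack_into("<HH", table, 4 * n, ip, cs)
    return bytes(table)


# Constructed clean snapshot: BIOS keyboard and disk services in the ROM
# segment, the DOS function dispatcher in low RAM. Illustrative values only.
CLEAN = build_table({0x09: (0xF000, 0x1234),
                     0x13: (0xF000, 0x2345),
                     0x21: (0x0116, 0x109E)})

# The same table after a constructed resident program has pointed INT 13H and
# INT 21H at itself near the top of conventional memory.
AFTER = build_table({0x09: (0xF000, 0x1234),
                     0x13: (0x9F80, 0x0102),
                     0x21: (0x9F80, 0x0210)})


def describe(diffs: list) -> list:
    """Human-readable lines for a report."""
    return [f"INT {n:02X}H: {old:05X}H -> {new:05X}H" for n, old, new in diffs]


if __name__ == "__main__":
    for line in describe(hooked_vectors(CLEAN, AFTER)):
        print(line)
```

A diff against a snapshot is only as good as the snapshot: it must be taken after the cold, write-protected-floppy boot that the text recommends, because a snapshot taken while a stealth virus is resident simply records the hooked vectors as normal. The same caveat explains why Section 3.2.2 notes that non-resident viruses escape this check entirely: they never touch the table.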
[Fig. 3.11: before infection an application's interrupt calls pass through the interrupt vector straight to DOS; after the virus gains control the vector routes them through the virus, which then passes them on to DOS]<br />
Fig. 3.11 Interrupt routing before and after the virus gains control<br />
3.3.3 BINARY VIRUSES<br />
Binary viruses are a special case of encrypted viruses. A virus carries the replicating code in full, but only half of the payload. Only when the 'other half' virus is encountered (which carries the other half of the payload), the combination of the two payloads produces meaningful code which can be executed (Fig. 3.12). The combining could be done by performing an exclusive-or (XOR) operation on the two halves. In a binary virus, the payload cannot be analysed unless the researcher has access to both halves of the virus.<br />
[Fig. 3.12: replicating code of virus 1 with 'Payload part 1', and replicating code of virus 2 with the other half of the payload, the two halves combining into a meaningful payload]<br />
Fig. 3.12 Binary virus - two parts combining to get a meaningful payload<br />
Although the concept of binary viruses has been discussed by researchers, it has not been seen in any viruses to date. The only case in which this concept may have been incorporated is the dBASE virus. As part of the payload, the original virus contains the following sequence:<br />
        CLI<br />
        MOV  AX,3<br />
LABEL:  MOV  CX,100H          ; Set count<br />
        MOV  DX,0             ; Page 0 RAM<br />
        MOV  DS,DX            ; Segment 0<br />
        XOR  BX,BX            ; Offset 0<br />
        PUSH AX               ; Save the count<br />
        INT  3H<br />
        INT  3H<br />
        POP  AX               ; Restore count<br />
        INC  AX               ; Next<br />
        CMP  AL,1AH           ; Reached 26 ?<br />
        JL   LABEL            ; Go again<br />
                              ; Continue<br />
This sequence does not do much unless either of the following happens:<br />
1. An 'other half' virus changes the two INT 3H instructions (which assemble as 1 byte each = 2 bytes) into one INT 26H instruction (which assembles as 2 bytes)<br />
2. An 'other half' virus changes the interrupt table so that interrupt 3H points to interrupt 26H<br />
If either of the above happens, the payload becomes destructive. On triggering, the (modified) virus will overwrite the first 256 sectors of each drive from D to Z, using the Absolute Disk Write interrupt 26H.<br />
The virus patterns for dBASE shown in Appendix G reflect the above possibility. The standard dBASE pattern is the one found in the seen and disassembled virus, while the dBASE destroy pattern is the pattern in the so far unseen (destructive) virus. Although this is one explanation for the dBASE mystery, other possibilities are that the seen version is the pre-release, non-destructive version, which could easily be modified into a destructive one, or alternatively that someone has 'disarmed' a copy of the destructive virus.<br />
3.3.4 VIRUSES WHICH INFECT THE FIRST CLUSTER OF THE DATA AREA<br />
This hiding technique has been discussed on a number of bulletin boards in Bulgaria. As of June 1992 no such viruses have appeared, but this technique could be used by virus writers in the future. It is based on copying the first cluster of the data area (which is the first cluster of the first file in the root directory) into an unused cluster, modifying the first root directory file entry to point to that cluster, and then copying the virus code into the first cluster of the data area. The hiding mechanism of such a virus is based on the fact that in older versions of DOS the system files are assumed by the bootstrap code to be stored in this location, and are loaded without reference to the normal directory/FAT mechanism, whereas most scanners will examine that file as a file, relying on DOS to open it and read it. Since DOS relies on information in the root directory, a scanner is not going to see the data loaded during bootstrapping.<br />
This technique does not work under DOS 5 as the bootstrapping is performed differently.<br />
3.3.5 SPARSE INFECTION: THE UNSCANNABLE VIRUS<br />
There has been much speculation as to whether it is possible to write a virus which would not be detectable by scanners (see Chapter 7: Anti-virus software). A completely polymorphic virus which infects sparsely seems to fit the bill.<br />
Such a virus would assume that a common characteristic, such as the number of minutes in the file's time stamp being greater than 30, signifies that the file is infected. It would therefore only infect 50% of all files, leaving the other 50% untouched (the ones with minute stamp greater than 30). After infection it would set the time stamp value of the infected files to a value greater than 30. A scanner would not be able to discover its presence in infected files, other than labelling vast numbers of files as potentially infected (the ones with the minute stamp less than or equal to 30). And then somebody will write a virus which infects only if the number of minutes in the time stamp is greater than 30 ...<br />
3.3.6 HIGH LEVEL LANGUAGE VIRUSES<br />
Most viruses are written in assembly language. The main advantage for the virus author is that he can 'reach into the machine' to a much greater extent than is possible when using a high-level language. Furthermore, the code is smaller and more efficient, both of which contribute to increased difficulty in discovering the virus. However, high level languages do offer a number of advantages which favour virus spread.<br />
Burger's Computer Viruses - a High Tech Disease contains a number of viruses written in Compiled Basic and Pascal. Recently a number of viruses have been discovered in the wild which were originally written in Turbo-Pascal and C. For example: Jocker, an overwriting virus from Poland, probably written in Pascal; Kamikaze, an overwriting virus from Bulgaria written in Turbo-Pascal; Sentinel, written in Turbo-Pascal; TPworm, a 'companion' virus written in C.<br />
All of these viruses are large (between 4000 and 12000 bytes) and comparatively slow when executed. Their binary image depends not only on the compiler used to create them, but also on the state of various optimisation levels used during compilation. Supposing that there are some 20 C compilers for DOS in existence, and each offers 6 possible optimisations and/or memory models, a single piece of virus source code in a high level language could quite easily be transformed into 1280 different binary images. If only ten such viruses are written using polymorphic techniques (self-modifying and encrypting), virus scanners would soon start creaking under the strain.<br />
Furthermore, the extraction of a reliable pattern is difficult in compiled viruses, since similar segments of code appear in other legitimate programs compiled with the same compiler. Excessive false positives invariably result if the pattern is not chosen extremely carefully.<br />
3.4 <strong>VIRUS</strong> SIDE-EFFECTS<br />
Virus side-effects (or the virus 'payload') are normally the first indication to the user that<br />
his PC is infected. Not surprisingly, they are also the part which is most interesting to the<br />
majority of users.<br />
They are normally the easiest part of the virus to program. They are also the easiest part<br />
to change (see Section 5.4: Virus Mutations). There have been several examples of<br />
mutated viruses having had their side-effects completely changed from the original (e.g.<br />
Cascade-format and Cascade).<br />
Virus side-effects range from annoyance (such as the bouncing ball in Italian) and data<br />
modification (like the Dark Avenger virus) to data destruction (Michelangelo). The<br />
side-effects are completely open to the imagination of the programmer. With the current<br />
practice of relying on backups against virus-caused damage to data, the most serious threat<br />
is posed by viruses which cause gradual and random data corruption. By the time a user<br />
realises that corruption has been taking place, all his backups could already be corrupted.<br />
When the first viruses appeared, their side-effects were on the whole confined to<br />
annoyance, which prompted several people to treat all viruses as innocuous, and as<br />
dangerous as a pet cat. Unfortunately, recent viruses are more like hungry tigers; fine<br />
behind bars in a zoo, but rather less so in the wild.
4<br />
<strong>VIRUS</strong> FACTS <strong>AND</strong> FICTION<br />
4.1 THE NUMBERS GAME<br />
But are they all horrid, are you sure they are all horrid?<br />
Jane Austen, 'Northanger Abbey'<br />
In August 1992 there were between 1500 and 2000 viruses known to the research<br />
community, of which only about 50 were causing real problems in the wild. Just like<br />
biological viruses, some computer viruses are more common than others. Their spread<br />
will depend on factors such as their type, the length of time in the wild, method of<br />
replication, amount of stealth employed etc.<br />
Figs. 4.1 to 4.3 show the worldwide attack statistics reported to Sophos over three<br />
6-month periods. Two virus characteristics seem to determine the spread of any particular<br />
virus: its capability to infect the boot sector and the age of the virus. For example, in the<br />
first 6 months of 1992, over 80% of virus infections were due to viruses which infect boot<br />
sectors (pure boot sector viruses and multi-partite viruses), while Cascade (a comparatively<br />
old parasitic virus) accounted for almost 7% of the infections. The older the virus, the<br />
more chance it has to spread. The wide spread of boot sector viruses is probably due to<br />
the fact that floppy disks are exchanged on a large scale, with PC users being unaware<br />
that non-system disks can carry a virus.<br />
The increase in the stealth, multi-partite viruses Tequila and Spanish Telecom from the<br />
second half of 1991 to the first half of 1992 should also be noted.<br />
It is also interesting that in the first half of 1992 only 36 viruses were responsible for all<br />
the attacks reported to Sophos, despite the fact that there were some 1700 viruses known<br />
to the research community (see also Appendix G: Known IBM-PC viruses). Almost all of<br />
the reported cases involved a few PCs, but a number of large-scale attacks (100+ PCs)<br />
were also reported. These usually involved file servers and were in a majority of cases<br />
attributable to poor use of network security features (see Chapter 8: Viruses and<br />
Networks).<br />
Fig. 4.1 - Virus reports from 1st January 1991 to 30th June 1991 (117 reports). Pie chart;<br />
the slices are New Zealand, Cascade, Dark Avenger, Vacsina, Jerusalem, 4K, Yankee, Joshi<br />
and '19 other viruses', with shares of 29.1%, 28.2%, 8.6%, 8.6%, 6.0%, 5.1%, 5.1%, 5.1% and<br />
4.2% (the pairing of names with shares did not survive extraction).<br />
19 other viruses 26.6%<br />
Jerusalem 3.9%<br />
Michelangelo 4.4%<br />
Spanish Telecom 4.4%<br />
Joshi 5.5%<br />
Cascade 5.5%<br />
Tequila 8.8%<br />
Form 16.6%<br />
New Zealand 24.3%<br />
Fig. 4.2 - Virus reports from 1st July 1991 to 31st December 1991 (181 reports)<br />
Fig. 4.3 - Virus reports from 1st January 1992 to 30th June 1992 (340 reports). Pie chart;<br />
the slices are Form, New Zealand, Tequila, Cascade, Spanish Telecom, Michelangelo, 1575,<br />
Joshi and '28 other viruses'. Eight of the nine shares are legible: 21.8%, 20.9%, 12.6%,<br />
10.0%, 6.8%, 5.6%, 4.1% and 2.4%; the ninth (15.8% by subtraction) and the pairing of<br />
names with shares did not survive extraction.<br />
4.1 HOW ARE <strong>VIRUS</strong> ATTACKS DISCOVERED<br />
In the overwhelming majority of reported cases, users discover a virus when they first<br />
use anti-virus software.<br />
Nevertheless, in a surprisingly large number of cases users discover a virus by observing<br />
something unusual. In one case the user was running a very large application which could<br />
just fit into the av<strong>ai</strong>lable memory. The alarm bells were triggered when that application<br />
f<strong>ai</strong>led to load (due to an infection by 4K). In another instance, the user suspected a virus<br />
when a poem was displayed on his screen and subsequent attempts to access the hard disk<br />
proved futile. Maltese Amoeba was the culprit.<br />
Security experts often find themselves in a situation when they have to distinguish<br />
between hardware malfunction and a real virus attack. As this more often than not<br />
happens over the telephone, the diagnosis is not easy. Depending on the user's 'virus-literacy',<br />
common PC problems may regularly be attributed to viruses. Indeed, some of<br />
the side-effects exhibited by viruses such as Nomenklatura closely resemble hardware<br />
f<strong>ai</strong>lure and are very difficult to distinguish.<br />
Most virus help-desk personnel develop a 'nose' as to what problems are likely to be due<br />
to hardware or software and to distinguish them from virus symptoms. One of the best<br />
indicators of a virus attack is the repetition of the same symptoms across several PCs of<br />
several makes and configurations, e.g. when every PC which is switched on f<strong>ai</strong>ls (this<br />
actually happened on 6th March 1992 when about 100 PCs were switched on before a<br />
mass infection by Michelangelo was suspected).<br />
Not all mass-reproduced symptoms are necessarily due to a virus. In one particular case<br />
a disk drive connector suffered from an intermittent fault, which caused intermittent data<br />
corruption. As a result, some programs on that PC became corrupted and stopped<br />
working. When copied to other PCs, exactly the same symptoms were observed, and a<br />
virus infection was suspected. It took a while to establish positively that no virus was<br />
involved.<br />
4.2 <strong><strong>VIRUS</strong>ES</strong> <strong>AND</strong> THE CALENDAR<br />
It is frequently the case that PC users become 'virus-aware' when a well-known date<br />
approaches, e.g. 6th March (Michelangelo) or any Friday which is also the 13th day of<br />
the month (Jerusalem). As more and more viruses appear, the 'virus calendar' gets fuller<br />
and fuller. Frequent 'advice' which is av<strong>ai</strong>lable in those circumstances is to advance the<br />
system clock by one day. One of the most ironic cases when such advice proved fatal,<br />
involved a PC user who advanced his clock on Thursday, 12th December 1991 in order to<br />
avoid Friday, 13th. He then forgot to set the clock back and switched on his PC on 5th<br />
March 1992, intending to set the date forward in order to avoid Michelangelo. This<br />
triggered the virus and he lost his hard disk.<br />
Fig. 4.4 shows some of the viruses which trigger on particular dates and their side effects<br />
and further emphasizes the point that calendar watching is inadvisable. Combatting<br />
viruses is a day-in day-out job.
Virus name        Activation date           Side effect<br />
5120              after 1 Jun 92            terminates infected programs<br />
4K                22 Sep                    hangs PC<br />
Cascade           1 Oct-31 Dec 88           displays falling characters<br />
Cascade Format    1 Oct-31 Dec, not '93     formats disk<br />
Casino            15 Jan, 15 Apr, 15 Aug    destroys FAT if game lost<br />
Christmas Japan   25 Dec                    displays message<br />
Christmas Tree    19 Dec                    displays message<br />
Datacrime         13 Oct                    formats disk/displays message<br />
Dec24th           24 Dec                    displays message<br />
Durban            Saturday 14th             overwrites first 100 sectors<br />
Faust             13th day of month         displays message, hangs PC<br />
Form              18th day of month         produces key clicks<br />
Frogs Alley       5th day of month          overwrites FAT and root directory<br />
Hybrid            Friday 13th, after '91    formats disk<br />
Jerusalem         Friday 13th               deletes programs when run<br />
Joshi             5 Jan                     displays message<br />
July 13th         13 Jul                    unknown<br />
Kennedy           6 Jun, 18 Nov, 22 Nov     displays message<br />
Maltese Amoeba    1 Nov, 15 Mar             overwrites 120 sectors<br />
Michelangelo      6 Mar                     formats disk<br />
Monxla            13th day of month         damages programs<br />
PcVrsDs           Monday 23rd, not '90      formats disk<br />
Pretoria          16 Jun                    damages root directory<br />
South African     Friday 13th               deletes programs when run<br />
Suriv             1 Apr                     displays message<br />
Taiwan            8th day of month          overwrites FAT<br />
Tenbyte           1 Sep                     corrupts data written to disk<br />
Thursday 12       Thursday 12th             displays message<br />
Traceback         28 Dec                    displays falling characters<br />
Violator          15 Aug                    unknown<br />
XA1               1 Apr                     overwrites boot sector<br />
Fig. 4.4 - Activation dates of some viruses<br />
4.3 CAN <strong><strong>VIRUS</strong>ES</strong> CAUSE HARDWARE DAMAGE<br />
This is a perennial question asked by PC users. The answer is yes, but it depends on the<br />
type and configuration of the hardware. For example, some graphics boards are prone to<br />
damage if programmed incorrectly, while setting the right byte in the bootstrap sector to<br />
the value 0 makes the hard disk drive unusable and moderately difficult for a layman to<br />
rep<strong>ai</strong>r. On the other hand, the hardware design of standard PCs is such that it is<br />
impossible to damage individual components through software (unlike one of the early<br />
home PCs which could burn an on-board chip through bad programming).
One of the recent childish attempts to cause damage was found in a virus which stops<br />
memory refresh, which causes the loss of data in RAM, but no lasting damage.<br />
4.4 MODEM <strong>VIRUS</strong>, CMOS <strong>VIRUS</strong> <strong>AND</strong> OTHER NONSENSE<br />
From time to time (usually near 1st April of any year) news appears about one or other<br />
improbable form of virus structure and behaviour. Examples abound:<br />
• Modem virus hoax, which began in 1988 with a message from one 'Mike RoChenle'<br />
on a bulletin board which warned about a 'virus which distributes itself on the modem<br />
sub-carrier present in all modems operating at 2400 baud or more'.<br />
• Mains virus hoax of 1988, probably a parody of the modem virus, started by 'Robert<br />
Morris III' (Robert Morris was the author of the Internet worm, see Section 1.4.2:<br />
Internet Worm on Unix). This virus was supposed to ride on the 'powerline 60Hz<br />
subcarrier and attack virtually any computer system'.<br />
• CMOS virus, the sighting of which is cl<strong>ai</strong>med from time to time by 'experts' who<br />
ought to know better. CMOS cont<strong>ai</strong>ns information on the configuration of a PC<br />
(usually about 40 bytes), but no executable code. As such, it can be affected by a<br />
virus, but not infected. Some confusion may arise from the fact that some portable<br />
PCs have the whole of RAM implemented in non-volatile CMOS technology which<br />
can, of course, become infected in the same way as the standard volatile RAM.<br />
• Viruses invading washing machine controllers, nuclear missile controllers etc. There<br />
have been several reports of such 'viruses'. By definition, a closed environment such<br />
as the one present in almost all microcontrollers where there is no exchange of<br />
executable code, is not at risk from virus infections.<br />
• A printer virus which is supposed to reside in the printer memory and jump back into<br />
the PC at the first opportune moment. A few reports referred to viruses residing in<br />
inkjet printer heads.<br />
• Other barely believable cases, for example a report by ABC News in January 1992<br />
that NSA laboratories at Fort George Meade in Maryland managed to implant a<br />
'virus' into an Iraqi mainframe computer which subsequently wreaked havoc on the Iraqi<br />
air defence network (Virus Bulletin, February 1992).<br />
5<br />
WHO WRITES <strong><strong>VIRUS</strong>ES</strong>?<br />
5.1 <strong>VIRUS</strong> WRITERS' PROFILE<br />
Only the insane take themselves quite seriously.<br />
Sir Thomas Beecham<br />
It is not easy to establish the origins of a virus, and it is rare to find any firm clues in the<br />
virus code. One notable exception is the Br<strong>ai</strong>n virus which has a name, address and<br />
telephone number embedded in the bootstrap sector (Fig. 5.1). Br<strong>ai</strong>n was written by the<br />
owners of the computer shop 'Br<strong>ai</strong>n Computer Services' in Lahore, Pakistan. Similarly,<br />
the Tequila virus cont<strong>ai</strong>ns the address of the authors (two teenage Swiss brothers).<br />
It is very common for virus writers to hide their true identity under a pseudonym (Dark<br />
Avenger, Betaboys, RockSteady, Bad Guy etc). Nevertheless, there are individuals who<br />
have publicly stated their involvement in virus writing, for example Mark Washburn,<br />
Patrick Toulme and Mark Ludwig, who quite openly participate in anti-virus conferences,<br />
discuss virus-related subjects on commercial bulletin boards, etc. Almost invariably they<br />
plead the right of free speech and seem convinced that their virus-writing efforts<br />
contribute to general anti-virus research.<br />
The few such cases of known virus writers do not provide sufficient statistical evidence<br />
from which to draw a firm profile of a virus writer. It is nevertheless possible to identify<br />
a number of groups as potential (high likelihood) originators of viruses. It is also<br />
interesting to analyse their motivation from the psychiatric point of view.
000000  fa e9 4a 01 34 12 00 05 08 00 01 00 00 00 00 20  ..J.4.......... <br />
000010  20 20 20 20 20 20 57 65 6c 63 6f 6d 65 20 74 6f        Welcome to<br />
000020  20 74 68 65 20 44 75 6e 67 65 6f 6e 20 20 20 20   the Dungeon    <br />
000030  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                  <br />
000040  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                  <br />
000050  20 28 63 29 20 31 39 38 36 20 42 61 73 69 74 20   (c) 1986 Basit <br />
000060  26 20 41 6d 6a 61 64 20 28 70 76 74 29 20 4c 74  & Amjad (pvt) Lt<br />
000070  64 2e 20 20 20 20 20 20 20 20 20 20 20 20 20 20  d.              <br />
000080  20 42 52 41 49 4e 20 43 4f 4d 50 55 54 45 52 20   BRAIN COMPUTER <br />
000090  53 45 52 56 49 43 45 53 2e 2e 37 33 30 20 4e 49  SERVICES..730 NI<br />
0000a0  5a 41 4d 20 42 4c 4f 43 4b 20 41 4c 4c 41 4d 41  ZAM BLOCK ALLAMA<br />
0000b0  20 49 51 42 41 4c 20 54 4f 57 4e 20 20 20 20 20   IQBAL TOWN     <br />
0000c0  20 20 20 20 20 20 20 20 20 20 20 4c 41 48 4f 52             LAHOR<br />
0000d0  45 2d 50 41 4b 49 53 54 41 4e 2e 2e 50 48 4f 4e  E-PAKISTAN..PHON<br />
0000e0  45 20 3a 34 33 30 37 39 31 2c 34 34 33 32 34 38  E :430791,443248<br />
0000f0  2c 32 38 30 35 33 30 2e 20 20 20 20 20 20 20 20  ,280530.        <br />
000100  20 20 42 65 77 61 72 65 20 6f 66 20 74 68 69 73    Beware of this<br />
000110  20 56 49 52 55 53 2e 2e 2e 2e 2e 43 6f 6e 74 61   VIRUS.....Conta<br />
000120  63 74 20 75 73 20 66 6f 72 20 76 61 63 63 69 6e  ct us for vaccin<br />
000130  61 74 69 6f 6e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e  ation...........<br />
000140  2e 2e 2e 2e 20 24 23 40 25 24 40 21 21 20 8c c8  .... $#@%$@!! ..<br />
000150  8e d8 8e d0 bc 00 f0 fb a0 06 7c a2 09 7c 8b 0e  ..........|..|..<br />
000160  07 7c 89 0e 0a 7c e8 57 00 b9 05 00 bb 00 7e e8  .|...|.W......~.<br />
000170  2a 00 e8 4b 00 81 c3 00 02 e2 f4 a1 13 04 2d 07  *..K..........-.<br />
000180  00 a3 13 04 b1 06 d3 e0 8e c0 be 00 7c bf 00 00  ............|...<br />
000190  b9 04 10 fc f3 a4 06 b8 00 02 50 cb 51 53 b9 04  ..........P.QS..<br />
0001a0  00 51 8a 36 09 7c b2 00 8b 0e 0a 7c b8 01 02 cd  .Q.6.|.....|....<br />
0001b0  13 73 09 b4 00 cd 13 59 e2 e7 cd 18 59 5b 59 c3  .s.....Y....Y[Y.<br />
0001c0  a0 0a 7c fe c0 a2 0a 7c 3c 0a 75 1a c6 06 0a 7c  ..|....|<.u....|<br />
0001d0  01 a0 09 7c fe c0 a2 09 7c 3c 02 75 09 c6 06 09  ...|....|<.u....<br />
0001e0  7c 00 fe 06 0b 7c c3 00 00 00 00 32 e3 23 4d 59  |....|.....2.#MY<br />
0001f0  f4 a1 82 be c3 12 00 7e 12 cd 21 a2 3c 5f 0c 05  .......~..!.<_..<br />
Fig. 5.1 - Hexadecimal dump of the Brain virus bootstrap sector (the code from 14EH<br />
onwards relocates the virus and reads in its remaining sectors with INT 13H)<br />
a poisoned jar of baby-food on a supermarket shelf. He delivers his potion, leaves and is<br />
untraced, and in his absence the victim falls.<br />
Freaks may sometimes include a message in the virus, e.g. 'Your PC is now Stoned!' and<br />
'LEGALISE MARIJUANA' in the New Zealand virus, and 'Bloody! Jun. 4, 1989' in<br />
Beijing, which is probably a reference to the Tiananmen Square massacre. There may be<br />
some overlap between freaks and politically motivated terrorists.<br />
5.1.3 UNIVERSITY STUDENTS<br />
Most universities offer free, often uncontrolled, computer facilities to students. Illegal<br />
software copying is widespread, and it is no coincidence that most campuses have had<br />
problems with large-scale virus outbreaks. These are not necessarily caused by locally<br />
developed viruses. The technical ability necessary to write a virus is however within the<br />
reach of a first-year computer science student, who may see such a project as an<br />
intellectual challenge.<br />
Students are not only a potential source of PC viruses, but also a potential source of<br />
malicious code for minicomputers and m<strong>ai</strong>nframes. Whereas average members of the<br />
public can buy a cheap PC comparatively easily, they cannot (yet) buy an IBM System<br />
370 or a DEC VAX. Most students have access to minis and m<strong>ai</strong>nframes, and experience<br />
so far has shown that a large proportion of malicious code written for those computers<br />
(m<strong>ai</strong>nly worms) has its origins in academia.<br />
5.1.4 EMPLOYEES<br />
Companies normally perceive disgruntled employees as a major security risk. Although<br />
a computer-literate employee could write a virus from scratch, it is more likely that he<br />
would either implant an existing virus into his organisation's PCs or modify a virus,<br />
perhaps to target his organisation in a specific way.<br />
Readiness to cause damage by programming has already been shown by numerous cases<br />
of logic bombs placed by disgruntled employees into computer systems.<br />
The motive for an employee writing and/or implanting a virus is often vindictiveness.<br />
There is, however, not a great deal of difference between revenge and extortion. The<br />
disgruntled employee may harbour a genuine grievance. The extortionist's desire for<br />
revenge is deeper (possibly subconscious) and he himself may not understand it.<br />
Vindictiveness may accompany a strong sense of morality or moral duty making a<br />
disgruntled employee, in some peoples' eyes (above all his own), a freedom fighter (cf.<br />
'Terrorist Organisations').<br />
5.1.5 <strong>COMPUTER</strong> CLUBS<br />
Some computer clubs have been very active in providing their members with information<br />
on how to write viruses. For example the Chaos Computer Club (CCC) in Hamburg,<br />
West Germany, has produced a 'Virus Construction Set' for the Atari ST, which allows
the construction of customised viruses and the selection of virus effects from a menu. A<br />
much less sophisticated tool has appeared for IBM PCs (VCS) and was probably written<br />
by the members of the same organisation.<br />
Other clubs have a history of creating viruses. The Swiss Crackers Association (SCA),<br />
for example, released a virus for the Amiga which displays<br />
Something wonderful has happened. Your Amiga is alive...<br />
Members of clubs usually have shared values and ideals. It is quite possible that real<br />
troublemakers will not join computer clubs; clubs are for the insecure, who g<strong>ai</strong>n a sense<br />
of security through sharing.<br />
5.1.6 TERRORIST ORGANISATIONS<br />
Evidence that terrorist organisations are involved in virus-writing is scarce. Nevertheless,<br />
organisations such as the Italian Red Brigades specifically include destruction of<br />
computer systems as an objective in their manifestos. This could be done by means other<br />
than the traditional use of explosives.<br />
It has been asserted that the Jerusalem virus was written by sympathisers of the PLO, but<br />
several authoritative researchers dispute this. The only evidence linking the virus with<br />
the PLO is the trigger date (Friday 13th), which coincided with the last day of the<br />
existence of the Palestinian state. Jerusalem-IRA is a mutation which cont<strong>ai</strong>ns a long list<br />
of encrypted names, together with texts such as '.. died for Ireland' and '.. is still a<br />
political hostage'.<br />
Terrorists are fanatics, for whom nothing else matters. They may have been indoctrinated<br />
from an early age and are loyal to a group which holds them (in return) in very high<br />
regard. They are, in their own eyes, modern-day martyrs.<br />
5.2 DISSECTION OF A CAPTURED <strong>VIRUS</strong><br />
Once a virus has been discovered, a user's first instinct is often to eradicate all occurrences<br />
of it. However, one should always endeavour to 'capture' a virus sample for analysis, as<br />
this can be helpful to other sites infected with the same virus.<br />
Even if the virus is not completely analysed immediately, a hexadecimal pattern can<br />
often be extracted in a comparatively short time, which helps to detect occurrences of the<br />
same virus elsewhere. Full analysis of a virus will invariably involve its full disassembly,<br />
i.e. reverse engineering its binary code into commented and understood source code.<br />
5.2.1 <strong>VIRUS</strong> DISASSEMBLY<br />
Sometimes virus disassembly can be simplified by commercially av<strong>ai</strong>lable disassemblers<br />
such as SOURCER (V Communications), but in many cases the very best tool is<br />
DEBUG, a powerful utility supplied as a part of DOS. DEBUG is comparatively simple
to use and has a number of functions which make it suitable for the job. It can read disk<br />
sectors and files, disassemble areas of memory and single-step through a program.<br />
Disassembling a virus is an iterative process which includes discovering first which parts<br />
of the virus are data areas (and thus not to be disassembled) and which are instructions.<br />
Once that has been done, the output of DEBUG can be redirected to a file which will<br />
contain the disassembled virus. Take as an example a hypothetical simple virus in the file<br />
VIR.COM, which has been analysed with DEBUG and which has a JMP 110H instruction<br />
as the first 3 bytes, followed by 13 bytes of data, followed by code from 110H to 432H.<br />
It is useful to build up the sequence of DEBUG commands in a file, to avoid re-typing<br />
them continuously. The file INSTR could contain the following DEBUG commands (the<br />
text after each semicolon is annotation and is not part of the file):<br />
U 100 102 ; Disassemble locations 100 to 102<br />
D 103 10F ; Dump locations 103 to 10F<br />
U 110 432 ; Disassemble locations 110 to 432<br />
Q ; Quit<br />
DEBUG would then be invoked with the command<br />
DEBUG VIR.COM &lt;INSTR &gt;VIR.ASM<br />
which uses DOS redirection to make DEBUG read its commands from the file INSTR and<br />
write its output to the file VIR.ASM, which will then contain the disassembly of VIR.COM.<br />
U 100 102 will disassemble the first 3 bytes, D 103 10F will 'dump' the 13 bytes of data in<br />
hexadecimal, while U 110 432 will disassemble the instructions between addresses 110<br />
and 432 Hex.<br />
Disassembly of boot sector viruses can be slightly more complicated, as they normally<br />
occupy more sectors than just the boot sector. The boot sector has to be analysed first in<br />
order to discover which other sectors the virus uses. The principle of redirecting DEBUG<br />
input and output can be used in the same way as for parasitic viruses.<br />
For example, to load the boot sector of drive A (drive 0) into memory, use the DEBUG<br />
instruction<br />
L CS:100 0 0 1<br />
This will load the contents of the boot sector into memory starting at location 100 relative<br />
to the code segment (CS).<br />
If a virus uses disk areas not accessible by DEBUG (for example the master boot sector<br />
in New Zealand), the best approach is to write a small assembly language program (using<br />
DEBUG) to issue the appropriate BIOS interrupt(s) and read in the disk area in question.<br />
This can be written out to a file (using DEBUG ag<strong>ai</strong>n), or analysed directly. The program<br />
shown in Fig. 5.2 entered into DEBUG with the A (Assemble) command starting at<br />
location 100 will read the hard disk master boot sector into memory by using the BIOS<br />
interrupt 13H, service 02. This service requires that ES:BX points to the memory<br />
location where the contents of the sector will be stored (in this example ES is set to the<br />
same value as DS) and BX is set to 800H in the current data segment.
100 MOV AX,DS<br />
102 MOV ES,AX      Set ES to the same segment as DS<br />
104 MOV AX,0201    AH = service 02H (read sectors), AL = 1 sector<br />
107 MOV CX,0001    CH = cylinder (track) 0, CL = sector 1<br />
10A MOV DX,0080    DH = head 0, DL = drive 80H (first hard disk)<br />
10D MOV BX,0800    Buffer offset; ES:BX = ES:0800<br />
110 INT 13         BIOS disk service<br />
112 JMP 112        Halt here (jump to self)<br />
Fig. 5.2 - Assembly program which reads the master boot sector of the first hard disk<br />
The addresses shown are those DEBUG assigns when the listing is entered with A 100.<br />
Typing G 112 will execute the program, placing the breakpoint at location 112 (the JMP<br />
112). On return from INT 13H the carry flag is clear if the read succeeded. Location<br />
DS:0800 can now be either Dumped or Unassembled (D 0800 or U 0800).<br />
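The register contract of Fig. 5.2, worked through in Python as an added example (not code from the book): it unpacks AX, CX and DX the way INT 13H service 02H reads them, turns the cylinder/head/sector into a byte offset in a disk image, and decodes the master boot sector that comes back (partition table at offset 1BEH, signature 55AAH at 1FEH). The two-sector image, its single partition entry and the geometry of 16 heads and 63 sectors per track are all constructed assumptions.

```python
"""INT 13H, service 02H register contract (Fig. 5.2) and the master boot sector it returns.
Added example; the disk image, its geometry and its single partition entry are constructed."""
import struct

SECTOR_SIZE = 512
HEADS, SECTORS_PER_TRACK = 16, 63          # assumed geometry of the constructed image


def decode_int13_read(ax: int, cx: int, dx: int) -> dict:
    """Unpack AX/CX/DX as BIOS INT 13H, AH=02H reads them.
    AH = service, AL = sector count; CH = cylinder bits 0-7, CL bits 6-7 = cylinder bits 8-9,
    CL bits 0-5 = sector (1-based); DH = head, DL = drive (80H = first hard disk)."""
    service, count = ax >> 8, ax & 0xFF
    ch, cl = cx >> 8, cx & 0xFF
    head, drive = dx >> 8, dx & 0xFF
    if service != 0x02:
        raise ValueError(f"AH={service:02X} is not the read-sectors service")
    sector = cl & 0x3F
    if sector == 0:
        raise ValueError("INT 13H sector numbers start at 1")
    cylinder = ch | ((cl & 0xC0) << 2)
    return {"count": count, "cylinder": cylinder, "head": head, "sector": sector, "drive": drive}


def chs_to_lba(cylinder: int, head: int, sector: int) -> int:
    """Cylinder/head/sector to a linear sector number under the assumed geometry."""
    return (cylinder * HEADS + head) * SECTORS_PER_TRACK + (sector - 1)


def read_sectors(image: bytes, ax: int, cx: int, dx: int) -> bytes:
    """The bytes the BIOS would copy to ES:BX for this register set."""
    r = decode_int13_read(ax, cx, dx)
    lba = chs_to_lba(r["cylinder"], r["head"], r["sector"])
    start, end = lba * SECTOR_SIZE, (lba + r["count"]) * SECTOR_SIZE
    if end > len(image):
        raise ValueError("read runs past the end of the image")
    return image[start:end]


def parse_master_boot_sector(sector: bytes) -> dict:
    """Check the 55AAH signature at 1FEH and decode the four 16-byte partition entries at 1BEH."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        fields = struct.unpack_from("<BBBBBBBBII", sector, 0x1BE + 16 * i)
        status, ptype, lba_start, count = fields[0], fields[4], fields[8], fields[9]
        if ptype:                               # type 0 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"signature_ok": sector[0x1FE:0x200] == b"\x55\xAA", "partitions": partitions}


def build_sample_image() -> bytes:
    """Constructed two-sector image: a master boot sector with one bootable FAT16 entry,
    followed by one sector of NOPs (90H)."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:3] = b"\xFA\xEB\xFE"                   # CLI; JMP $  (stand-in for boot code)
    mbr[0x1BE:0x1CE] = struct.pack("<BBBBBBBBII",
                                   0x80,              # status: bootable
                                   0x00, 0x01, 0x00,  # CHS start: head 0, sector 1, cylinder 0
                                   0x06,              # type: FAT16
                                   0x0F, 0x3F, 0xFF,  # CHS end (not used below)
                                   63, 20160)         # LBA start, sector count
    mbr[0x1FE:0x200] = b"\x55\xAA"
    return bytes(mbr) + b"\x90" * SECTOR_SIZE


if __name__ == "__main__":
    image = build_sample_image()
    regs = (0x0201, 0x0001, 0x0080)               # AX, CX, DX exactly as loaded in Fig. 5.2
    print(decode_int13_read(*regs))
    print(parse_master_boot_sector(read_sectors(image, *regs)))
```

The same decoder answers the question a disassembly of a boot sector virus raises at every INT 13H call: which sector it is really hiding its original boot sector or its remaining code in, since the target is spread over CH, the top two bits of CL and DH rather than written as a plain number.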
An alternative method of reading in boot sector viruses for disassembly is to use a disk<br />
editing tool such as the Norton Utilities or PC Tools and copy the contents of the required<br />
object into a DOS file. The contents of the file can then be loaded into DEBUG for<br />
analysis.<br />
Encrypted viruses present a slightly greater challenge to the researcher, as they have to be<br />
decrypted before being disassembled. This is sometimes quite tricky, since the virus<br />
writer may have used anti-DEBUG measures. Taking Cascade as an example, its<br />
decryption routine makes use of the Stack Pointer (SP). DEBUG's breakpoint facility<br />
(the G command) relies on two things. First, the stack pointer must be valid and have at<br />
least 6 bytes available, because the INT 3H which implements the breakpoint pushes the<br />
flags, CS and IP; Cascade's use of SP makes this harder to guarantee. Second, DEBUG<br />
modifies the target address by writing a one-byte INT 3H instruction (CC Hex) there.<br />
Placing a breakpoint on the first encrypted instruction therefore does not work, since the<br />
decryption routine will 'decrypt' the CC byte along with the rest of the body, producing<br />
a garbage byte. Analysing an encrypted virus is guaranteed to make one familiar with<br />
DEBUG.<br />
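Why the breakpoint on the first encrypted instruction turns into a garbage byte, as an added example in Python that is not code from the book and does not reproduce Cascade's routine: the decryption loop here is a stand-in XOR with a running 8-bit key (an assumption), the 'virus' image is constructed, and the functions model what DEBUG's G command does to the byte at the breakpoint address. The last function shows the approach that does work: reproduce the loop's arithmetic in a script, decrypt the file offline and disassemble the result.

```python
"""Breakpoint inside an encrypted body: the decryptor transforms the CC byte before it runs.
Added example; the cipher is a stand-in and the image is constructed."""

INT3 = 0xCC


def xor_running_key(data: bytes, start: int, length: int, key: int) -> bytes:
    """Stand-in for a virus decryption loop: XOR each byte of [start, start+length) with an
    8-bit key that is incremented after every byte. Assumed for illustration only; it is not
    Cascade's routine. XOR is its own inverse, so the same loop encrypts and decrypts."""
    out = bytearray(data)
    k = key
    for i in range(start, start + length):
        out[i] ^= k
        k = (k + 1) & 0xFF
    return bytes(out)


def set_breakpoint(image: bytes, addr: int) -> bytes:
    """What DEBUG's G command does at the breakpoint address: overwrite the byte with INT 3H."""
    out = bytearray(image)
    out[addr] = INT3
    return bytes(out)


def byte_after_decryption(image: bytes, bp_addr: int, start: int, length: int, key: int) -> int:
    """The byte the CPU finds at bp_addr once the decryption loop has run over an image
    in which a breakpoint was planted at bp_addr."""
    return xor_running_key(set_breakpoint(image, bp_addr), start, length, key)[bp_addr]


def breakpoint_survives(image: bytes, bp_addr: int, start: int, length: int, key: int) -> bool:
    """True only if the breakpoint lies outside the region the decryptor rewrites."""
    return byte_after_decryption(image, bp_addr, start, length, key) == INT3


# Constructed sample: an 8-byte plaintext stub standing in for the decryptor, then a
# 16-byte body (MOV AH,9 / MOV DX,100 / INT 21 / MOV AX,4C00 / INT 21 / NOPs) stored encrypted.
DECRYPTOR_STUB = bytes.fromhex("B9 10 00 BE 08 01 EB 00")
BODY_PLAIN = bytes.fromhex("B4 09 BA 00 01 CD 21 B8 00 4C CD 21 90 90 90 90")
BODY_START, BODY_LEN, KEY = len(DECRYPTOR_STUB), len(BODY_PLAIN), 0x5A


def build_sample() -> bytes:
    """The image as it sits on disk: stub in clear, body encrypted."""
    return xor_running_key(DECRYPTOR_STUB + BODY_PLAIN, BODY_START, BODY_LEN, KEY)


def decrypt_offline(image: bytes) -> bytes:
    """The workable alternative: run the loop's arithmetic in a script and disassemble the
    result instead of breaking inside the encrypted region."""
    return xor_running_key(image, BODY_START, BODY_LEN, KEY)


if __name__ == "__main__":
    img = build_sample()
    print("breakpoint on first encrypted instruction decrypts to %02X" %
          byte_after_decryption(img, BODY_START, BODY_START, BODY_LEN, KEY))
    print("breakpoint on the stub survives:", breakpoint_survives(img, 6, BODY_START, BODY_LEN, KEY))
    print("offline decryption matches:", decrypt_offline(img)[BODY_START:] == BODY_PLAIN)
```

The practical rule the model illustrates: break on the last plaintext instruction of the decryptor (the one that transfers control into the body), or not at all; once the loop has finished, D and U will show the decrypted bytes in memory.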
Once the disassembled virus has been written out to a file (like VIR.ASM in the above<br />
example) the real fun begins. Analysis of the assembly code will reveal how the virus<br />
works, what it does and how it propagates. One should normally have av<strong>ai</strong>lable good PC<br />
documentation, which includes lists of interrupts (the New Peter Norton Programmer's<br />
Guide to the IBM PC & PS/2 or The MS-DOS Encyclopedia are suitable). One then works<br />
one's way p<strong>ai</strong>nstakingly through the disassembly, documenting instructions, interrupts<br />
and memory locations. The picture will soon start to emerge. The replicating part of the<br />
virus will be isolated as well as its payload. Any payload trigger conditions should be<br />
analysed very carefully, as these are easy to misinterpret (Does it trigger on 12th or 13th<br />
day of the month? Is it 12 decimal or 12 hexadecimal i.e. the 18th day?).
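The trigger-condition questions above, and the clock-advancing anecdote of Section 4.2, worked through in Python as an added example that is not code from the book: the date is modelled as the registers DOS INT 21H, AH=2AH returns (CX = year, DH = month, DL = day, AL = day of the week with 0 = Sunday), three entries of Fig. 4.4 are written as predicates the way they would read off a disassembly, and the last function shows what a clock left one day fast does. The predicates are my reading of the table, not the viruses' actual code; the fact that DEBUG prints immediates in hexadecimal without a suffix is what makes 'CMP DL,12' mean the 18th.

```python
"""Date triggers evaluated on INT 21H/2AH-style registers. Added example; predicates are
the author's reading of Fig. 4.4, not code taken from the viruses."""
import datetime as dt

FRIDAY = 5  # INT 21H, AH=2AH returns AL = day of week with 0 = Sunday


def dos_get_date(year: int, month: int, day: int) -> dict:
    """Registers DOS INT 21H, AH=2AH returns: CX = year, DH = month, DL = day, AL = weekday."""
    d = dt.date(year, month, day)
    return {"CX": d.year, "DH": d.month, "DL": d.day, "AL": (d.weekday() + 1) % 7}


def immediate_to_day(text: str) -> int:
    """DEBUG prints immediates in hexadecimal with no suffix: 'CMP DL,12' tests for 12H,
    the 18th, not the 12th; 'CMP DL,0D' tests for the 13th."""
    return int(text, 16)


# Predicates as they read off a disassembly, for three entries of Fig. 4.4.
TRIGGERS = {
    "Michelangelo": lambda r: r["DH"] == 3 and r["DL"] == 6,                              # 6 Mar
    "Jerusalem": lambda r: r["AL"] == FRIDAY and r["DL"] == immediate_to_day("0D"),     # Fri 13th
    "Form": lambda r: r["DL"] == immediate_to_day("12"),                                  # 18th
}


def triggers_on(year: int, month: int, day: int) -> list:
    """Names of the viruses whose trigger condition holds on this date."""
    regs = dos_get_date(year, month, day)
    return [name for name, fires in TRIGGERS.items()if fires(regs)]


def clock_ahead_exposure(first: tuple, last: tuple, days_ahead: int) -> list:
    """Real dates in [first, last] (as (y, m, d) tuples) on which a PC whose clock runs
    days_ahead fast trips a trigger: list of (real date, date the PC believes, viruses)."""
    hits = []
    d, end = dt.date(*first), dt.date(*last)
    while d <= end:
        believed = d + dt.timedelta(days=days_ahead)
        fired = triggers_on(believed.year, believed.month, believed.day)
        if fired:
            hits.append((d.timetuple()[:3], believed.timetuple()[:3], fired))
        d += dt.timedelta(days=1)
    return hits


if __name__ == "__main__":
    # A clock set forward by a day in December 1991 and never put back, as in Section 4.2.
    for real, believed, fired in clock_ahead_exposure((1992, 1, 1), (1992, 3, 6), 1):
        print("real date %04d-%02d-%02d, PC believes %04d-%02d-%02d:" % (real + believed), fired)
```

Run as a script it lists the Form triggers on 17th January and 17th February and the Michelangelo trigger on the real 5th March 1992, which is exactly the case the text describes.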
Once the disassembly has been finished (or even before doing it) one can usually extract<br />
a hexadecimal pattern which can be used to search for the virus. 16 bytes are normally<br />
sufficient, provided that the pattern is chosen carefully so that it represents a f<strong>ai</strong>rly<br />
unique set of instructions, unlikely to be found in other executables. Treat the disassembly<br />
as a confidential document and do not distribute it carelessly.<br />
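Pattern extraction as described here, and the false-positive problem of compiled viruses from Section 3.3.6, as an added Python example that is not code from the book or from any scanner: candidate 16-byte windows are drawn only from the regions the analyst has marked as code, low-entropy filler is skipped, and every candidate is checked against a corpus of clean programs so that start-up code shared with legitimate programs is never chosen. The 'virus', the two clean programs and the compiler prologue they share are constructed byte strings.

```python
"""Choosing a 16-byte search pattern that does not occur in clean programs.
Added example; all byte strings below are constructed."""
import math
from collections import Counter

PATTERN_LEN = 16


def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte; zero padding and repeated filler score near 0."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def candidate_patterns(code: bytes, code_ranges, min_entropy: float = 3.0):
    """Yield (offset, window) for every PATTERN_LEN-byte window that lies inside a region
    the analyst has marked as instructions and is not a low-entropy run."""
    for start, end in code_ranges:
        for off in range(start, end - PATTERN_LEN + 1):
            window = code[off:off + PATTERN_LEN]
            if entropy(window) >= min_entropy:
                yield off, window


def choose_pattern(code: bytes, code_ranges, clean_corpus, min_entropy: float = 3.0):
    """First candidate that occurs in none of the clean files, or None if there is none."""
    for off, window in candidate_patterns(code, code_ranges, min_entropy):
        if not any(window in clean for clean in clean_corpus):
            return off, window
    return None


def scan(files: dict, pattern: bytes) -> list:
    """Names of the files containing the pattern: all a simple scanner does with it."""
    return [name for name, data in files.items() if pattern in data]


# Constructed sample. PROLOGUE stands for start-up code a compiler emits into every program
# it builds; it appears in the virus and in both clean programs alike.
PROLOGUE = bytes.fromhex("BA 12 01 2E 89 16 1E 00 B4 30 CD 21 8B 2E 02 00 8B 1E 2C 00 8E DA A3 7E")
VIRUS_CODE = bytes.fromhex("B8 00 4B BA 5C 01 CD 21 E8 10 00 2E A1 03 00 3D 34 12 74 05 E8 21 00 EB 03 E9 40 01")
VIRUS_DATA = b"\x00" * 16 + b"*.COM\x00"
VIRUS = PROLOGUE + VIRUS_CODE + VIRUS_DATA
CLEAN_A = PROLOGUE + bytes.fromhex("B4 09 BA 20 01 CD 21 B8 00 4C CD 21") + b"Hello$"
CLEAN_B = PROLOGUE + bytes.fromhex("B4 3D B0 00 BA 30 01 CD 21 72 0A 8B D8 B4 3E CD 21 C3")
FILES = {"VIR.COM": VIRUS, "A.EXE": CLEAN_A, "B.EXE": CLEAN_B}
CODE_RANGES = [(0, len(PROLOGUE) + len(VIRUS_CODE))]   # data area excluded, as after disassembly


if __name__ == "__main__":
    off, pattern = choose_pattern(VIRUS, CODE_RANGES, [CLEAN_A, CLEAN_B])
    print(f"offset {off:03X}: {pattern.hex(' ')}")
    print("a pattern taken from the prologue hits", scan(FILES, PROLOGUE[:PATTERN_LEN]))
    print("the chosen pattern hits", scan(FILES, pattern))
```

Note where the first acceptable window falls: at the boundary between the shared prologue and the virus's own code, because every window wholly inside the prologue is rejected by the clean corpus. An analyst would normally move further into the virus-specific code rather than take the first hit, and would grow the clean corpus (several compilers, several memory models) before trusting the result, which is the point Section 3.3.6 makes.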
5.3 FORENSIC EVIDENCE<br />
Every virus cont<strong>ai</strong>ns forensic evidence which can be used to trace its origin. Is it a<br />
derivative of another virus? Does it cont<strong>ai</strong>n any interesting messages? Does it use a new<br />
replicating technique? Which software tools were used to write it?<br />
5.3.1 WHICH ASSEMBLER?<br />
There are different ways of assembling 8086 family instructions, which produce identical<br />
results when executed. For example<br />
XCHG BX,AX<br />
could be assembled as 93 Hex, 87D8 Hex or 87C3 Hex. The result of the execution would<br />
be the same.<br />
For example, when the Yale virus was analysed, it was discovered that it had been<br />
assembled with the A86 assembler and not Microsoft's MASM.<br />
5.3.2 ILLEGAL INSTRUCTIONS<br />
Some viruses cont<strong>ai</strong>n instructions which are either not documented or not allowed by the<br />
target processor. Such instructions may execute correctly on the 8086 family processors,<br />
but will be trapped as illegal by the 80286 or 80386 processors.<br />
There are several examples of this. The Italian virus uses the instruction<br />
MOV CS,AX<br />
(8EC8 Hex), which is executed properly by the 8086 processor, but trapped as an illegal<br />
instruction on 80286 and 80386 processors. Similarly, Yale uses the instruction<br />
POP CS<br />
(0F Hex), which executes correctly on an 8086, but is trapped as illegal on 80286 and<br />
80386 processors.<br />
5.3.3 PROGRAMMING STYLE<br />
Faced with the same programming task, ten programmers will program it in ten different<br />
ways. This is especially true in assembly language, in which most PC viruses are written.<br />
PUSHing registers in a particular order onto the stack, using SHORT in JMP forward<br />
instructions, and other such constructs can all form a distinctive 'handwriting' of a<br />
programmer. Although this is difficult to quantify, looking at several programs written by<br />
the same person will give the researcher a feeling of déjà vu.<br />
Some time ago there was a debate on one of the bulletin boards as to whether the dBASE<br />
and Typo viruses were written by the same person. The programming style is certainly<br />
very similar; for example, both viruses use an identical but unusual method to transfer<br />
control to the original program:<br />
MOV AX,100H<br />
JMP AX<br />
There are also notable differences, such as the code used to modify interrupt 21H. The<br />
dBASE virus is 'well behaved' and uses the DOS INT 21H services (function 35H to read the<br />
vector and function 25H to set it), whereas Typo writes the new vector directly into memory.<br />
Making judgements about programming style requires experience in the programming<br />
language concerned.<br />
5.3.4 LANGUAGE AND SPELLING<br />
Viruses often have messages incorporated in the code and one can get strong clues to the<br />
country of origin of a virus by looking at the language (English, French, Icelandic),<br />
spelling (American-British), dates (Month-Day-Year or Day-Month-Year), ways of<br />
expressing oneself and so on.<br />
For example, the Datacrime virus contains the statement<br />
RELEASED 1 MARCH 1989<br />
This was almost certainly not written by an American (who would have put 'MARCH 1,<br />
1989') and quite probably not by a Briton either (who would most likely have written it as<br />
'1ST MARCH 1989'). An English-speaking European is a likely culprit. As another<br />
example, the Fu Manchu virus insults four politicians (Thatcher, Reagan, Botha and<br />
Waldheim). Calling someone 'a c***' is typically British and not often used in the USA.<br />
Another clue is offered by the positioning of the relevant strings within the virus. The<br />
Thatcher insult comes first, before Reagan, Botha or Waldheim. Would an American do<br />
that? Probably not.<br />
5.3.5 PLACE AND TIME OF FIRST DETECTION<br />
Place and time of first detection of a virus can offer powerful clues as to its origins. This<br />
was how the Italian virus was tracked to the Polytechnic of Turin and Jerusalem to the<br />
Hebrew University in Jerusalem.<br />
The speed of virus spread is usually much slower than most people expect. This means<br />
that the logging of occurrences is important, even with a significant margin of error in<br />
reporting the time of discovery. The place of discovery is more difficult to get wrong and<br />
can also be used in plotting the progress of a virus.
WHO WRITES VIRUSES? 71<br />
Electronic communications are making the plotting of the virus spread more difficult,<br />
since a user can contract a virus from a program downloaded from bulletin boards one<br />
mile away or 10,000 miles away equally easily. This is more common in the case of<br />
parasitic viruses than boot sector viruses, but the emergence of 'droppers' and multi-partite<br />
viruses (see Section 3.1: Virus Types) has made the spread of boot sector infections much<br />
faster.<br />
5.3.6 ANCESTORS<br />
Sometimes it is possible to determine the predecessors of a virus, since the authors have<br />
copied the majority of the code to produce a new virus (as was the case with Fu Manchu,<br />
which is a derivative of Jerusalem, or Jerusalem itself, which is the final version of a<br />
succession of viruses starting with Suriv 1.01 and continuing with Suriv 2.01 and Suriv<br />
3.00). The author(s) of the series even preserved 'backward compatibility', so that<br />
Jerusalem does not infect files already infected with Suriv 1.01, Suriv 2.01 or Suriv 3.00.<br />
The author of Fu Manchu (almost certainly a different person) did not have to (or want<br />
to) support previous virus releases, and this backward compatibility is absent from Fu<br />
Manchu.<br />
5.4 VIRUS MUTATIONS<br />
Virus mutations occur when a captured virus is modified in some way. This is done by<br />
intentional assembly programming and is quite distinct from mutations of biological<br />
viruses, which occur by chance. Virus mutations are a major problem for anybody<br />
involved in anti-virus research since a complete virus analysis has to be performed on<br />
every mutation, multiplying the efforts many-fold.<br />
Mutating existing viruses seems to have become a favourite pastime for the would-be<br />
virus writers not blessed with sufficient intellect to write a virus from scratch. They<br />
realise that their activities put anti-virus software producers to immense research and<br />
sample-gathering effort, and they seem to revel in this. Comments found on various<br />
bulletin boards testify to that (see Fig. 5.3).<br />
5.4.1 CHANGING VIRUS SIDE-EFFECTS<br />
A typical virus has some 500 to 1000 instructions, most of which form the self-replicating<br />
mechanism. Virus side-effects normally occupy only a small part of a virus,<br />
and are quite easy to change. It is relatively easy even for a mediocre programmer to<br />
modify an existing virus. The New Zealand virus has some 50 mutations, most of which<br />
involve simple changes to the original 'Your PC is now Stoned!' message.<br />
It is worth noting that the complete destruction of data on the hard disk can be<br />
programmed in only 5 assembler instructions and that modifying a known virus to do<br />
this can be done in a few minutes using DEBUG.
5.4.2 VIRUS 'IMPROVEMENTS'<br />
There are several examples of improvements and corrections made to viruses. The<br />
Cascade virus in its original form has an infective length of 1701 bytes. It also exists in<br />
a version which has an infective length of 1704 bytes, a consequence of<br />
removing some superfluous branch instructions and introducing segment overrides.<br />
Whether that was done by the person who wrote the original is not known. The New<br />
Zealand virus exists in two main versions, where the second is a reorganised and tidied-up<br />
version of the first.<br />
5.4.3 MUTATIONS TO FOOL PATTERN-CHECKING PROGRAMS<br />
Virus scanning software usually relies on searching for a pattern known to exist within a<br />
virus. If a maliciously inclined person wanted to release a version of the virus which<br />
would not be recognised by the pattern checker, he could either change the order of<br />
instructions which are not order-dependent or implement the same effect using different<br />
instructions.<br />
For example<br />
MOV AX,7F00H<br />
MOV BX,0<br />
within a virus could be switched around to read<br />
MOV BX, 0<br />
MOV AX,7F00H<br />
Any pattern checker relying on the pattern produced by the first sequence of instructions<br />
(B800 7FBB 0000) would not recognise the mutated sequence (BB00 00B8 007F).<br />
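The two effects just described, different encodings of one instruction (Section 5.3.1) and reordering of order-independent instructions, can be seen with a small decoder. The following Python is an added example, not code from the book or from any scanner it mentions; it decodes only the opcode forms used above (XCHG AX,r16, the register form of XCHG r/m16,r16 and MOV r16,imm16), and the two match functions and all sample byte strings are constructed for illustration:<br />

```python
"""Instruction-level view of two x86 code fragments: an added example, not
code from the book.  Only the opcode forms discussed in the text are decoded:
XCHG AX,r16 (90+r), the register form of XCHG r/m16,r16 (87 /r) and
MOV r16,imm16 (B8+r).  Sample byte strings are constructed from the text."""
import struct

REG16 = ["AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI"]


def decode(code):
    """Decode `code` into (mnemonic, operands, encoding) triples.

    `operands` is normalised so that every encoding of one instruction
    compares equal; `encoding` records which opcode form the assembler chose,
    the fingerprint of Section 5.3.1."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if op == 0x90:                                   # XCHG AX,AX, used as NOP
            out.append(("NOP", (), "90"))
            i += 1
        elif 0x91 <= op <= 0x97:                         # XCHG AX,r16, one byte
            out.append(("XCHG", ("AX", REG16[op - 0x90]), "90+r"))
            i += 1
        elif op == 0x87:                                 # XCHG r/m16,r16 with ModRM
            modrm = code[i + 1]
            if modrm >> 6 != 0b11:
                raise ValueError("only register-direct XCHG is decoded here")
            regs = sorted((REG16[(modrm >> 3) & 7], REG16[modrm & 7]))
            out.append(("XCHG", tuple(regs), "87 /r"))
            i += 2
        elif 0xB8 <= op <= 0xBF:                         # MOV r16,imm16, little-endian
            (imm,) = struct.unpack_from("<H", code, i + 1)
            out.append(("MOV", (REG16[op - 0xB8], imm), "B8+r"))
            i += 3
        else:
            raise ValueError("unsupported opcode %02X at offset %d" % (op, i))
    return out


def assembler_fingerprint(code):
    """Encoding forms in order of appearance: what differs between assemblers."""
    return [encoding for _, _, encoding in decode(code)]


def byte_signature_hit(code, signature):
    """The pattern checker of the text: the byte string must appear verbatim."""
    return signature in code


def semantic_hit(code, pattern):
    """Match on decoded instructions, ignoring their order and encoding.

    Valid only when the pattern's instructions are not order-dependent, as the
    two MOVs to different registers in the text are not."""
    want = sorted(insn[:2] for insn in decode(pattern))
    have = [insn[:2] for insn in decode(code)]
    n = len(want)
    return any(sorted(have[k:k + n]) == want for k in range(len(have) - n + 1))


# Constructed samples taken from the text.
ORIGINAL = bytes.fromhex("B8007F" "BB0000")      # MOV AX,7F00H ; MOV BX,0
MUTATED = bytes.fromhex("BB0000" "B8007F")       # MOV BX,0 ; MOV AX,7F00H
SIGNATURE = ORIGINAL                             # B800 7FBB 0000 as a scanner pattern
XCHG_BX_AX = [bytes.fromhex(h) for h in ("93", "87D8", "87C3")]

if __name__ == "__main__":
    for form in XCHG_BX_AX:
        print(form.hex().upper(), decode(form)[0])
    print("byte signature on original:", byte_signature_hit(ORIGINAL, SIGNATURE))
    print("byte signature on mutated: ", byte_signature_hit(MUTATED, SIGNATURE))
    print("semantic match on mutated: ", semantic_hit(MUTATED, SIGNATURE))
```

byte_signature_hit is the pattern checker of the text and fails on the swapped MOVs; semantic_hit compares the decoded instructions as an unordered set, which is legitimate only for instructions that do not depend on each other's order, as the two MOVs here do not. The encoding field returned by decode is the fingerprint of Section 5.3.1: 93, 87D8 and 87C3 all decode to the same XCHG BX,AX, but the form the assembler chose is recorded.<br />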
Parasite Virus Version 1.0<br />
October 1991<br />
Written by —»> Rock Steady
Aarrggghh. .So the "Average" Lamo user will know FAST something is<br />
fucking his system... and the BEST part is that SCAN can't find this<br />
virus! ! ! So the user better "TRY" to get rid of it before Monday!! !<br />
hehe...Anyways I put a "NICE" message in the virus CODES!!! READ IT!!!<br />
Take Pctools or Norton Utilities and VIEW the Virus and read my<br />
handy message at the end of the virus!!!<br />
Rock Steady's Notes<br />
Contact me if you can...Thru any of the [NukE] Site All over the WorlD!<br />
Basically in MonTreal (World Head Base) , other Montreal SiTes, Texas,<br />
California, Britsh Columbia!<br />
Tell me your views on the virus... and help spread my Latest Viruses! !!<br />
BTW: I'm not responsible for the Damage my virus "May" create! Because I<br />
DON'T SPREAD THEM! ! ! ALL YOU LAMERS DO! ! ! I just create them!<br />
- PeAcE -<br />
Rock steady<br />
*********************************************************************<br />
Parasite Virus IIB<br />
Programmed by: Rock Steady<br />
Completed December 8th -<br />
Length 909 Bytes Undetectable from SCANV85-<br />
FEATURES: It's SMALL!!! It lost about 300 Bytes from the orignal<br />
Parasite. All Text were removed, but I did leave a header on the<br />
Virus. Anyhow it works about the same as the first! Meaning it<br />
will infect all COMs 70% and 20% play machine gun noices and then<br />
10% will reboot the system! And on MONDAYS BOOM! You get your FAT<br />
Get formated on your hard Dirve C:! ooops!<br />
IMPROVEMENTS: I scambled several lines that would of made it a<br />
clone to the FIRST ParaSite! Meaning if SCAN detect Parasite<br />
I it will NOT Detect Parasite II! Because on the Bytes which<br />
were scrambled all over the virus! And I improved a FAST and<br />
BETTER way of infection. The Virus will NOW ALWAYS TRY TO INFECT<br />
COMMAND.COM! Anytime it is activated it will infect a COM and<br />
THEN CHECK TO SEE that COMMAND.COM is infected! if not it will<br />
be infected! So even after being cleaned out, if the user forgets<br />
JUST ONE FILE it will infect COMMAND.COM and boom the whole<br />
procedure starts AGAIN! even if files are HIDDEN or READ ONLY<br />
they will be infected!!! And dates are not changed! And NO<br />
MEMORY is taken up! the file will just increase by a mere 907<br />
Bytes... Anyhow enjoy!<br />
Comming Soon in a PC near you...<br />
AMILIA Virus (A .COM & .EXE & COMMAND.COM infector, Will)<br />
(be a TSR Virus! Deticated to no other but)<br />
(my Girl... She will hurt you so don't fuck)<br />
(with her... Yeah it will format the FAT or)<br />
(and create LOTS of bad shit...)<br />
(Expected Release Date Decemeber 24th, 1991)<br />
Hope you enjoy all my Viriis New & Old...<br />
Contact me in any NuKE Site BBS for any comments<br />
Or just to chat...<br />
Rock Steady<br />
-PeAcE-<br />
Fig. 5.3 - Sample text pulled down from a hackers' bulletin board
A significant number of individuals seem to be engaged in doing exactly that.<br />
Reverse-engineering a virus scanning program reveals the patterns for which the scanner<br />
is looking. Once that is known, it is easy to modify the virus so that the scanner does not<br />
detect it, and to release it into the wild.<br />
5.4.4 NEW VIRUSES<br />
Sometimes the mutations of an existing virus will be so extensive that the new virus bears<br />
little resemblance to the original. Hex patterns extracted from the original are unlikely to<br />
be present in the new virus. Fu Manchu is, for example, such an extensive mutation of<br />
Jerusalem, that it is classed as a new virus. Vienna, which is probably the most<br />
extensively mutated virus of all, has several 'sons' which are known under different<br />
names.<br />
5.5 VIRUS EXCHANGE BULLETIN BOARDS<br />
Many hackers, freaks and other individuals engaged in computer-related misdeeds (such<br />
as virus writing), share and exchange information via bulletin boards. This has been a<br />
contributory factor for many PC users to regard all bulletin boards with great suspicion,<br />
which in most cases is not justified.<br />
Virus writing and virus spread is certainly greatly helped by the wide availability of<br />
certain bulletin boards operated by individuals or small groups, which often carry<br />
discussions on virus techniques and provide virus samples. Furthermore, specialised<br />
'virus exchange' bulletin boards exist which either support a particular virus product<br />
(e.g. Dark Avenger's bulletin board in Sofia supporting the Mutation Engine, or the Hell<br />
Pit board in California supporting the Virus Creation Laboratory) or which operate on<br />
the principle that one must upload a new virus in order to be allowed to download the<br />
whole collection.<br />
Although the police in several countries have tried to close down virus exchange bulletin<br />
boards, this has so far been unsuccessful for a variety of reasons, which range from<br />
ineffective or non-existent legislation to the difficulty in obtaining intelligence on the<br />
exact bulletin board activity.
6<br />
ANTI-VIRUS PROCEDURES - FIVE<br />
COUNTERMEASURES<br />
Put your trust in God, my boys, and keep your powder dry.<br />
Valentine Blacker (1778-1823)<br />
The fight against viruses involves the application of five countermeasures: Preparation,<br />
Prevention, Detection, Containment and Recovery. This 5-step approach can be<br />
applied to most security problems; for example, when trying to protect against fire, one<br />
should:<br />
• Prepare for the possibility by purchasing and maintaining fire extinguishers, training<br />
the staff etc.<br />
• Prevent the fire from breaking out by minimising the use of naked flames, using non-flammable<br />
materials etc.<br />
• Detect the fire as early as possible by installing fire detectors, fire alarms etc.<br />
• Contain any outbreak by making sure that fire doors are closed, using fire extinguishers<br />
etc.<br />
• Recover from the effects of the fire by restoring the functioning of the affected part of<br />
the organisation
6.1 PREPARATION<br />
The following subsections outline what should be done before a virus attack occurs.<br />
6.1.1 REGULAR <strong>AND</strong> SOUND BACKUPS<br />
It is important that backups of storage media are available. This is not only important in<br />
case of an attack by a destructive virus, but also in the case of any other failure of a<br />
storage device. In case of data loss, the system can then be restored as efficiently as possible.<br />
As part of the backup procedure, the master disks for all software (including the<br />
operating system) should be write-protected and stored in a place such as a fireproof<br />
safe. This will enable a speedy restoration of any infected executables.<br />
The backups should be sound, which means that there is little point in doing them unless<br />
the integrity of the data is known to be intact at the time of the backup. They<br />
should also be tested at regular intervals by performing complete restorations of the<br />
system to ensure that the data can actually be restored.<br />
It should be borne in mind that some viruses such as Dark Avenger and Nomenklatura<br />
gradually corrupt data stored on disks. If an infection is not noticed for an extended<br />
period of time and backup media are reused, a situation can occur in which all copies of<br />
one or more files are corrupt and not restorable. The common strategy of reusing 3<br />
sets of media cyclically is therefore not an ideal backup strategy. Media should be regularly<br />
archived, i.e. stored in a safe place and not reused. The frequency of archiving will<br />
depend on the type of data held on the PC; obviously, higher frequency requires more<br />
media storage.<br />
6.1.2 WRITE-PROTECTED SYSTEM FLOPPY DISK<br />
A write-protected system floppy disk should be prepared in advance and contain all<br />
system files plus AUTOEXEC.BAT, CONFIG.SYS and any other system files or device<br />
drivers such as ANSI.SYS. Note that CONFIG.SYS normally refers to other files which<br />
are loaded into memory before the system is started, using statements such as<br />
'DEVICE=filename'. All these files should be copied onto the floppy disk, and<br />
CONFIG.SYS on the floppy should be modified, if necessary, so that it refers to<br />
the files on the floppy disk rather than the original copies on the hard disk.<br />
If a computer becomes infected, this disk can be used to bootstrap the computer cleanly.<br />
This ensures that the computer can be examined through a 'clean' operating system,<br />
without giving the virus the chance to gain control and employ hiding techniques such as<br />
interrupt interception (see Section 3.3: Virus Hiding Mechanisms).<br />
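As an added illustration, not from the book, the following shows the CONFIG.SYS change the preceding paragraphs call for, together with one AUTOEXEC.BAT line; the driver path C:\DOS\ANSI.SYS is assumed for the sake of the example, the first fragment is the setting to avoid and the second the corrected one:<br />

```text
REM CONFIG.SYS as copied straight from the hard disk: the driver is still
REM loaded from C:, so a 'clean' boot from A: would execute code from the
REM very disk under suspicion
DEVICE=C:\DOS\ANSI.SYS

REM CONFIG.SYS as it should read on the write-protected boot floppy
DEVICE=A:\ANSI.SYS

REM AUTOEXEC.BAT on the floppy: keep the search path on A: as well, so that
REM CHKDSK, the scanner and any other tool run during the examination are
REM the floppy's copies and not those on the hard disk
PATH=A:\
```

The same applies to every other DEVICE= line and to every program that AUTOEXEC.BAT starts: everything loaded by the floppy boot must come from the floppy, or the 'clean' operating system is clean in name only.<br />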
This system disk must be write-protected; this is a hardware protection against the<br />
modification of any information on the disk (see Section 6.4.3: Write-protect Tabs). No<br />
virus, or for that matter any software, can write to a write-protected floppy disk on<br />
IBM-PCs and compatibles.
6.1.3 CONTINGENCY PLAN<br />
This plan, which will be put into action in case of a virus attack, is usually part of the<br />
overall organisational security contingency plan and should include information on the<br />
following topics:<br />
• People within the organisation responsible for dealing with the attack and their<br />
deputies<br />
• Consultant(s) outside the organisation who can be called in to help deal with the<br />
attack<br />
• Exact procedures for isolating infected disks, PCs and networks<br />
• Public Relations procedures to prevent unauthorised leaks about the attack spreading<br />
outside the organisation<br />
6.2 PREVENTION<br />
The need to communicate introduces a potential virus entry path into any secure<br />
environment. Application software has to be purchased or updated, new operating<br />
systems installed, disks interchanged. The higher the volume of inbound traffic, the more<br />
opportunity a virus has of entering the environment.<br />
The suppliers of executable code are potentially the most prolific distributors of a virus.<br />
Most users assume that software received from reputable companies is virus-free, and any<br />
anti-virus barriers are promptly lifted when such an executable arrives on the<br />
doorstep. Fortunately, most software companies do realise their potential as sources of<br />
virus infection and take appropriate countermeasures.<br />
Practical techniques to prevent virus entry into an organisation include: creating user<br />
awareness, implementing hygiene rules, using access control, providing a 'dirty' PC<br />
and providing a quarantine PC.<br />
6.2.1 CREATING USER AWARENESS<br />
Creating user awareness is one of the most important factors within an effective virus<br />
prevention policy. Users must be made aware that execution of unauthorised software<br />
(such as demonstration disks and games) can lead to virus penetration and consequent<br />
losses to the organisation.<br />
The problems are similar to those faced by the Government in persuading drug addicts<br />
not to share needles. While most computer users do behave sensibly and obey the rules,<br />
there will always be some who go on playing illegally-copied games and other software<br />
on company computers and exposing the whole organisation to risk. As the AIDS disk<br />
scare showed, a number of people are happy to install anything on their PC, showing a<br />
blind trust in the creators of any software (see Section 1.1.3: The AIDS Disk Through the<br />
Post).
Strengthening awareness is a matter of commonsense: measures include the use of<br />
leaflets, posters, virus demonstrations, presentations, showing educational virus videos<br />
and so on.<br />
6.2.2 HYGIENE RULES<br />
The observance of hygiene rules is by far the most effective way of preventing a virus<br />
attack.<br />
Every executable item which is to run on a computer should be treated with suspicion. A<br />
set of rules should be designed to counteract the virus infiltration routes and methods<br />
outlined in Section 2.4 and could include the following:<br />
• Do not use pirated software. The practice is not only illegal in most countries but also<br />
carries a high risk of virus infection.<br />
• Do not use software 'pulled down' from bulletin boards. A plethora of bulletin boards<br />
offer free software for downloading, but in most cases little checking is done on these<br />
programs and their origins. Their potential for carrying a virus is high.<br />
• Do not use shareware. The copy of a shareware program you get may be the 10th or the<br />
50th copy, and the risk of the program having picked up a virus before it reached you is<br />
significant.<br />
• Do not use public domain software. The problems due to its distribution and the subsequent<br />
risk from viruses are similar to those of shareware.<br />
• Be careful when bringing in disks from home to your place of work. Does anybody<br />
else use your home PC when you are not there? This is currently a major cause of<br />
virus infections in a commercial environment.<br />
• Do not use programs supplied by computer magazines. They are not only potential<br />
virus carriers, but due to their often poor quality can also cause unexplained crashes,<br />
conflicts and other problems.<br />
• Beware of diagnostic software used by service engineers. Ask them if they use anti-virus<br />
software. Scan their disks for known viruses before allowing them to be used.<br />
• Use only programs from reputable manufacturers. A reputable manufacturer will<br />
implement anti-virus security procedures in order to ensure that its software is<br />
shipped virus-free. Software should be supplied on permanently write-protected<br />
disks, which greatly decreases the chances of a disk becoming infected after it has left<br />
the manufacturer's premises. Shrink-wrapping the software or placing it in<br />
a sealed envelope should ensure that the purchaser is the first person to use that copy<br />
of the original disk. There have, nevertheless, been cases of dealers tampering with<br />
shrink-wrapped software.
6.2.3 ACCESS CONTROL<br />
Access control products can be deployed very effectively to prevent unauthorised use of<br />
computer resources, thereby decreasing the likelihood of virus infection. There is a wide<br />
variety of access control products available, ranging from the very secure to the<br />
completely useless. Complex products are not necessarily the most secure: used judiciously,<br />
good virus protection can be obtained even from the simplest products.<br />
Note that it is not possible to guarantee the prevention of master boot sector viruses by<br />
using an access control product implemented purely in software, since the virus gains<br />
control at boot time, before the access control package is loaded.<br />
6.2.4 DIRTY PC<br />
A dirty PC is a physically isolated machine, not connected to networks, which can be<br />
used for trying out new software, playing games and essentially doing anything which<br />
would be dangerous to do on a machine used for day-to-day work.<br />
Employees should be encouraged to use a dirty PC to try out any 'non-work' software<br />
coming from outside, including demonstration disks and games. No company work<br />
should ever be done on that machine, and no disks used on the dirty PC should be used in<br />
any other computer. Anti-virus software should be run as often as possible to check this<br />
machine.<br />
This concept is a powerful tool ag<strong>ai</strong>nst viruses, although it can be difficult to 'sell' to<br />
management if budgets and resources are str<strong>ai</strong>ned. Furthermore, in some instances the<br />
provision of a dirty PC may be seen as a direct invitation and encouragement to PC users<br />
to bring doubtful disks into the organisation. The decision whether or not to use a dirty<br />
PC will depend on a number of factors.<br />
Fig. 6.1 - Quarantine PC used for checking all incoming disks (diagram: unauthorised disk entry is not allowed; authorised disk entry is allowed only after a virus check on the quarantine PC; workstations can share disks freely inside the perimeter)
6.2.5 QUARANTINE PC<br />
A quarantine PC is a stand-alone machine, not connected to networks and under careful<br />
configuration control. It is used only for running virus-scanning software (see Section<br />
7.1.3) to check all floppy disks coming into the organisation. It is similar in function to<br />
the barrier guard in military barracks. Only disks which have been cleared are allowed<br />
through (Fig. 6.1).<br />
Once the disks have been cleared, they can circulate freely within the organisation.<br />
Use of quarantine PCs is the backbone of the anti-virus strategy in many large organisations<br />
today. Its success depends largely on whether the organisation can enforce the checking<br />
of all incoming disks. Disk authorisation products exist which do not allow the use of<br />
floppy disks on company PCs until they have been checked and electronically labelled.<br />
6.3 DETECTION<br />
Should a virus nevertheless bypass the preventive measures and penetrate the<br />
organisation, there should exist a reliable way of detecting its presence before its side-effects<br />
are triggered.<br />
6.3.1 'STRANGE' OCCURRENCES<br />
Sometimes users will notice 'strange' things happening, such as executable file sizes<br />
changing (Fig. 3.4) or the amount of available memory decreasing (Fig. 6.2). Programs<br />
may take longer to load than usual or a disk light might flash when it should not. All these<br />
occurrences could point to a virus attack, but they should not be relied upon for detecting<br />
virus presence. They depend too much on the subjective powers of observation of an<br />
individual to be usable in a reliable way.<br />
In one recent case of virus infection, the first symptom noticed was that a<br />
large application would not load any more. After investigating the problem, the 4K virus<br />
was discovered (4K decreases the size of the available memory by 6K).<br />
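The symptoms above become usable once they are measured rather than noticed. The following Python is an added example, not software from the book: it records the size and SHA-256 digest of every .COM and .EXE file under a directory and reports anything that later differs, which turns 'file sizes changing' (Fig. 3.4) into an objective check. The function names, the scenario in demo() and its 1701-byte growth (the infective length of Cascade, Section 5.4.2) are constructed for illustration. The baseline must be taken while the system is known to be clean, kept where the machine cannot alter it, and the check run after a clean boot from the write-protected system floppy of Section 6.1.2: a resident virus that intercepts INT 21H (Section 3.3: Virus Hiding Mechanisms) can otherwise hand back the uninfected sizes and contents.<br />

```python
"""Executable-integrity baseline: an added example, not software from the book.

Records the size and SHA-256 digest of every .COM and .EXE file under a
directory and reports what has changed since, turning the 'file sizes
changing' symptom of Section 6.3.1 into an objective check.  Names, the
scenario in demo() and its 1701-byte growth are constructed for illustration."""
import hashlib
import os
import tempfile

EXECUTABLE_SUFFIXES = (".com", ".exe")


def snapshot(root):
    """Map path (relative to root) -> (size, sha256 hex) for each executable."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXECUTABLE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return baseline


def compare(before, after):
    """List (path, verdict, detail) for every difference between two snapshots.

    An unchanged size with a different digest is still 'modified': an
    overwriting infector does not grow its host, so the digest, not the size,
    is the authoritative field."""
    findings = []
    for path in sorted(set(before) | set(after)):
        if path not in before:
            findings.append((path, "new", "not in baseline"))
        elif path not in after:
            findings.append((path, "missing", "present in baseline"))
        else:
            (size0, digest0), (size1, digest1) = before[path], after[path]
            if digest0 != digest1:
                detail = "size %d -> %d (%+d bytes)" % (size0, size1, size1 - size0)
                findings.append((path, "modified", detail))
    return findings


def demo():
    """Constructed scenario: a 1701-byte appender touches one .COM file."""
    root = tempfile.mkdtemp()
    victim = os.path.join(root, "EDIT.COM")
    with open(victim, "wb") as fh:
        fh.write(b"\xB8\x00\x4C\xCD\x21" * 40)        # stand-in program body, 200 bytes
    with open(os.path.join(root, "README.TXT"), "w") as fh:
        fh.write("not an executable, so never baselined")
    before = snapshot(root)
    with open(victim, "ab") as fh:
        fh.write(b"\x00" * 1701)                      # constructed 'infection'
    return compare(before, snapshot(root))


if __name__ == "__main__":
    for path, verdict, detail in demo():
        print("%-10s %-9s %s" % (path, verdict, detail))
```

In practice snapshot() is run once on the clean machine and its output written to the protected medium; the later comparison is run from the clean boot with the baseline read back from there, and every 'modified' or 'new' executable is treated as suspect until it has been compared with the manufacturer's original disk.<br />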
6.3.2 ANTI-VIRUS SOFTWARE<br />
This is discussed in detail in Chapter 7.<br />
6.3.3 CONFIRMING THAT THE VIRUS IS NOT A MUTATION<br />
If a virus has been detected, it must be verified whether it is a 'standard' version or a<br />
mutation. Most anti-virus software checks only a part of the virus and cannot be<br />
relied upon for exact identification.<br />
The final confirmation is best left to one of the companies or individuals specialising in<br />
virus research. In most cases the process is straightforward: two identical executables or<br />
disks are infected, one with the captured virus and one with a previously analysed sample. A simple
comparison will reveal any differences. The process is somewhat more complicated<br />
when analysing an encrypting virus, in which case a full disassembly is normally<br />
required.<br />
6.4 CONTAINMENT<br />
Once a virus is detected, infected PCs and disks have to be identified and isolated. A<br />
contingency plan prepared in advance will be extremely valuable at the moment of virus<br />
discovery. A point-by-point checklist makes it more difficult to forget an important item<br />
in the general panic which sometimes follows a virus attack.<br />
C:\VIRUS>chkdsk<br />
21309440 bytes total disk space<br />
45056 bytes in 2 hidden files<br />
8192 bytes in 4 directories<br />
1644544 bytes in 97 user files<br />
19611648 bytes available on disk<br />
655360 bytes total memory<br />
609072 bytes free<br />
(The PC is then infected with Cascade by executing an infected application, and CHKDSK is run again.)<br />
C:\VIRUS>chkdsk<br />
21309440 bytes total disk space<br />
45056 bytes in 2 hidden files<br />
8192 bytes in 4 directories<br />
1644544 bytes in 97 user files<br />
19611648 bytes available on disk<br />
655360 bytes total memory<br />
606992 bytes free (note the decrease in free memory: 609072 - 606992 = 2080 bytes)<br />
Fig. 6.2 Free memory decreases when the PC is infected with Cascade
6.4.1 NETWORK ACCESS<br />
Depending on where on the network the virus has been discovered, the type of the<br />
network and the type of the virus, one may take the decision to disconnect the PCs<br />
physically from the network (see Chapter 8: Viruses and Networks).<br />
6.4.2 DISK INTERCHANGE<br />
Any unauthorised disk interchange between PCs should be temporarily suspended.<br />
Masking tape placed over floppy disk drive slots is a good physical indicator that disk<br />
drives should not be used.<br />
6.4.3 WRITE-PROTECT TABS<br />
All floppy disks which are not purposely intended to be infected should be<br />
write-protected. On 5¼" disks (Fig. 6.3) the application of the write-protect tab over the notch prevents<br />
writing to the disk. On 3½" disks (Fig. 6.4) an open window in the sliding write-protect tab<br />
signifies that the disk is write-protected.<br />
Write-protection on disks is a hardware function and no amount of software<br />
manipulation can persuade the hardware to change its mind and write to a write-protected<br />
disk. The signal from the write-protect sensor (which can be mechanical or<br />
optical) is fed to the drive's control logic and used as an input to a logic gate<br />
which blocks the WRITE signal. For example, on the TEAC FD-55 1.2M drive, the signal<br />
from the File Protect Sensor (FPT) is processed by the WRITE/ERASE logic in the<br />
control circuit LSI, forming the WG signal as follows:<br />
WG = DSEL & IWG & FPT<br />
where DSEL is the Drive Select signal, IWG is the Write Gate input and FPT is the sensor<br />
term as it reads for an unprotected disk; a protected disk makes that term false, so the AND<br />
gate holds WG off regardless of what the software requests. WG is further<br />
processed by the Read/Write LSI which supplies the current to the Read/Write and Erase<br />
coils.<br />
Fig. 6.3a Write-unprotected 5¼" disk Fig. 6.3b Write-protected 5¼" disk
(Fig. 6.4 shows the high-density notch and the write-protect tab of a 3½" disk: closed on the unprotected disk, open on the protected one.)<br />
Fig. 6.4a Write-unprotected 3½" disk Fig. 6.4b Write-protected 3½" disk<br />
A word of caution: a number of (conflicting) reports have been published regarding the<br />
effectiveness or otherwise of silver (or black) write-protect tabs on 5¼" disks. On some<br />
older drives, which used a mirror under the floppy disk notch to reflect the light back to<br />
the photo-sensitive element next to the light source, placing a silver (or a shiny black)<br />
write-protect tab was the same as bringing the mirror closer to the light source, which<br />
made the drive believe that the disk was not write-protected. Unfortunately, some reports<br />
have wrongly indicated that matt tabs were the culprits, resulting in spectacular confusion.<br />
If in doubt, try copying a file onto a disk write-protected using a tab of your favourite<br />
colour. Matt black tabs are generally reliable.<br />
6.5 RECOVERY<br />
Recovery from a virus attack involves two main stages:<br />
1. Elimination of the virus from the infected hard and floppy disks, and<br />
2. Recovery from any virus side-effects<br />
6.5.1 CLEANING HARD DISKS<br />
To eliminate the virus from an infected hard disk, the PC should be switched off and then<br />
bootstrapped from a write-protected system floppy disk (see Section 6.1: Preparation).<br />
Infected objects (bootstrap sectors, executables) should be identified and replaced with<br />
clean copies.<br />
Replacing infected executables is easy: delete the old copy using the DOS command<br />
'DEL' and 'COPY' the originals from the manufacturers' delivery disks. Using 'DEL'<br />
first is not really necessary, but it helps to avoid mistakes.
Replacing infected bootstrap sectors can be done with disk-editing tools such as Norton<br />
Utilities, PC Tools or Sophos Utilities, but if you are not absolutely certain what you are<br />
doing, the 'brute force' approach is preferable. All files on the hard disk should be<br />
backed up first and the disk reformatted. For hard disks infected with DOS boot sector<br />
viruses such as the Italian, a DOS 'FORMAT' is sufficient, while for master boot sector<br />
viruses such as New Zealand and Joshi, a low-level format should be performed, since<br />
'FORMAT' does not rewrite the master boot sector. Data files should then be restored<br />
from the backups and the executables restored from the manufacturers' original disks.<br />
One must not forget that multi-partite viruses infect executables and the bootstrap<br />
sector, all of which need replacing with clean copies.<br />
Disinfection software (as opposed to virus removal software; see Chapter 7: Anti-virus<br />
Software) is unreliable and should normally be avoided.<br />
In the process of eliminating the virus, do not forget to preserve a copy, on a clearly<br />
marked disk, for detailed analysis.<br />
6.5.2 CLEANING FLOPPY DISKS<br />
To clear infected floppy disks, switch the PC off and bootstrap it from a write-protected<br />
system floppy disk. Back up any valuable data (not executables) from the infected floppy<br />
disk using the COPY command (not DISKCOPY). The disk can then be reformatted, e.g.<br />
FORMAT A:<br />
6.5.3 REINFECTION<br />
Reinfection often occurs after the 'cleanup' has been completed, sometimes minutes<br />
after completion: all that is needed is one overlooked floppy disk. Although thoroughness<br />
will reduce the likelihood of reinfection, one should anticipate this possibility.<br />
6.5.4 RECOVERY FROM VIRUS SIDE-EFFECTS<br />
Recovery from virus side-effects depends on the virus. In the case of innocuous viruses<br />
such as Cascade, recovery from side-effects is not necessary, while in the case of a virus<br />
such as Michelangelo, recovery will involve the restoration of a complete hard disk from<br />
the most recent backups.<br />
The most important thing when recovering from virus side-effects is the existence of<br />
sound backups. Original executables should be kept on write-protected disks, so that<br />
any infected programs can easily be replaced by the original clean versions.<br />
Sometimes it is possible to recover data from disks damaged by a virus. This is a rather<br />
specialist task performed by commercial data recovery agencies and can be very<br />
expensive.
6.5.5 OTHER POINTS<br />
There are a few other things worth bearing in mind during recovery from a virus attack:<br />
• Discover and close the loopholes which allowed the virus to enter the organisation.<br />
• Inform any possible recipients of the infected disks outside the organisation that they<br />
may be affected by the virus.<br />
• Consider the implications to the organisation of the bad publicity.<br />
• In the UK, inform the Computer Crime Unit of New Scotland Yard in London about<br />
the attack (Tel 071 230 1177, Fax 071 831 8845).
7<br />
ANTI-VIRUS SOFTWARE<br />
I have too dearly bought, with price of mangled mind, thy worthless ware.<br />
Sir Philip Sidney, 'Desire'<br />
The exponential growth of the virus threat has been closely followed by a similar<br />
exponential growth of anti-virus software. PC users are faced with a bewildering choice<br />
when trying to pick the package which will be most effective against something they<br />
have never seen, and do not particularly wish to see. How do they test it? What should<br />
they use and why? How much can they rely on evaluations in general-purpose computer<br />
journals?<br />
Virus non-specific Virus-specific<br />
Checksumming software Scanning software<br />
Monitoring software Monitoring software<br />
Integrity shells 'Inoculation' software<br />
Virus removal software Disinfection software<br />
Fig. 7.1 - Anti-virus software types
7.1 <strong>ANTI</strong>-<strong>VIRUS</strong> SOFTWARE TYPES<br />
The many anti-virus software packages on the market can be divided into two categories:<br />
Virus non-specific and Virus-specific. Each category can, in turn, be divided into four<br />
sub-categories, as shown in Fig. 7.1.<br />
7.1.1 SCANNING SOFTWARE (VIRUS-SPECIFIC)<br />
Description: A virus-scanning program searches for known viruses. When a new<br />
virus appears in the wild, it is analysed, and its characteristics recorded;<br />
this is normally a 16- to 24-byte pattern extracted from the virus. The<br />
scanning program will examine all executables on a disk (including the<br />
operating system and the bootstrap sectors), and compare their contents<br />
with its library of known virus characteristics.<br />
The program SEARCH in Appendix B is an example of a virus-specific<br />
scanning program, though the listing does not include the necessary<br />
patterns, which are in Appendix G: Known IBM-PC Viruses.<br />
Virus scanners are currently the most widely used type of anti-virus<br />
software.<br />
Advantages: The main advantage of scanners is that they can be used for virus-checking<br />
of potentially infected media. Scanning software is especially<br />
useful for checking incoming floppy disks for the presence of known<br />
viruses.<br />
Scanners identify a virus by name, rather than just informing the user<br />
that something is amiss.<br />
Disadvantages: Scanning software can only discover viruses that it 'knows' about. It<br />
has to be updated continually, as new viruses appear, which is the main<br />
problem with this type of software.<br />
7.1.2 CHECKSUMMING SOFTWARE (VIRUS NON-SPECIFIC)<br />
Description: Checksumming software relies on the detection of change to any<br />
executable on the system through the calculation of initial 'clean'<br />
checksums, followed by periodic recalculations in order to verify that<br />
the checksums have not changed. If a virus attacks an executable, it will<br />
have to change one or more bits, which will result in a completely<br />
different checksum (provided a strong checksumming algorithm is<br />
used).<br />
Checksumming is often referred to as 'fingerprinting'. The program<br />
FINGER in Appendix C is an example of virus non-specific software<br />
which produces cryptographic checksums.
ANTI-VIRUS SOFTWARE 89<br />
The method of performing the checksumming process (the<br />
checksumming algorithm) is very important. Three general approaches<br />
are possible: simple checksums, cyclic redundancy checks (CRCs)<br />
and cryptographic checksums. The results of the checksumming<br />
algorithm must not be easily reproducible (lest a virus should do this on<br />
infection, preventing its detection), which eliminates the first two.<br />
Cryptographic checksums are the only method which this sort of<br />
software should use.<br />
Advantages: The checksumming approach is the only known method which will<br />
detect all viruses, present and future, with absolute certainty, provided the<br />
initial checksums were taken on a clean system and are verified from a clean<br />
boot (see Section 7.3.2). This makes it inherently desirable as a long-term<br />
anti-virus strategy in any organisation.<br />
Disadvantages: This type of software is reactive rather than proactive, in that a virus<br />
attack will be detected after it happens. However regular use of such<br />
software will almost always find a virus before its side effects trigger.<br />
Checksumming software relies on the fact that the executables should<br />
be 'clean' (i.e. virus-free) before the initial checksumming is applied.<br />
This can be ensured by using virus-specific scanning software to check<br />
the system for the presence of any known viruses. The only case in<br />
which the checksumming will fail completely to pick up a virus infection<br />
on an infected system is if all infectable executables are infected when<br />
the checksums are calculated. If the system is partially infected when<br />
checksums are calculated, irregularities will still be discovered when<br />
the virus infects the next executable.<br />
7.1.3 MONITORING SOFTWARE (VIRUS-SPECIFIC)<br />
Description: Monitoring software (also called 'on-line' anti-virus software) installs<br />
itself as a memory-resident TSR (terminate-stay-resident) program.<br />
From then on, it intercepts various interrupts such as Load and Execute,<br />
File open etc. (Fig. 7.2). Whenever an application requests access to a<br />
file, the file is first examined for virus presence. The application is<br />
allowed to use the file only after it has been certified virus-free.<br />
In common with other TSR programs, virus-specific monitoring software<br />
should occupy as little conventional memory as possible. A virus<br />
description typically takes about 30 bytes, which means that a virus<br />
database containing 2000 viruses occupies 60K of memory. This is, of<br />
course, unacceptably large to store in conventional memory, so virus-specific<br />
monitoring software employs various tricks such as using<br />
extended or expanded memory.<br />
Advantages: Virus detection (if it happens) occurs in real time.
[Fig. 7.2 diagram: left panel labels 'Application', 'Interrupt vector', 'DOS'; right panel labels 'Application', 'Interrupt vector', 'Anti-virus software', 'DOS']<br />
Fig. 7.2 - Interrupt redirection by memory-resident anti-virus software<br />
Disadvantages: System slow-down can be considerable. As a process which is dependent<br />
on interrupt interception, this type of program can be subverted. Occupies<br />
(often scarce) conventional memory. Compatibility problems with<br />
networks, utilities and other resident drivers and programs.<br />
7.1.4 MONITORING SOFTWARE (VIRUS NON-SPECIFIC)<br />
Description: Virus non-specific monitoring software is installed as a TSR program.<br />
It intercepts and monitors various interrupts, trying to detect 'virus<br />
activity'. 'Virus activity' is a set of actions that are commonly found in<br />
viruses such as writing to a boot sector, opening executable files for<br />
writing etc.<br />
Advantages: Virus detection (if it happens) occurs in real time.<br />
Disadvantages: There is no fixed 'set of rules' regarding what a virus should or should<br />
not do. As a result, false alarms can result from legitimate program<br />
activity which is misinterpreted by the anti-virus software (this in turn<br />
usually leads to users ignoring all warnings!). Conversely, any virus<br />
which does not comply with the monitoring program's concept of virus<br />
activity will be ignored. The monitoring activity also degrades system<br />
performance and can be incompatible with network software, cert<strong>ai</strong>n<br />
application programs and so on.<br />
The greatest drawback of memory-resident products, however, is that<br />
intelligent viruses such as 4K and The Number of the Beast can bypass<br />
or disable them. The mechanism used by anti-virus software for<br />
intercepting disk reads and writes, i.e. changing the interrupt vector<br />
table, is exactly that used by most viruses, and can be easily disabled.<br />
There are viruses which were designed to bypass specific monitoring<br />
software (e.g. 8 Tunes, which bypasses Flushot).<br />
7.1.5 'INOCULATION' SOFTWARE (VIRUS-SPECIFIC)<br />
Description: 'Inoculation' software attempts to label disks or executables in such a<br />
way that a particular virus will not infect them.<br />
Advantages: None<br />
Disadvantages: 'Inoculation' software introduces a virus signature into objects it wants<br />
to protect, leading the virus to believe that the object is already infected.<br />
Apart from the fact that such 'protection' can only be done against one,<br />
or at most a few viruses, it is not a long term solution and can introduce<br />
a false sense of security as well as false virus alarms when scanning<br />
software is run. Some viruses such as Jerusalem cannot be 'inoculated'<br />
against.<br />
This sort of software should not be used.<br />
7.1.6 INTEGRITY SHELLS (VIRUS NON-SPECIFIC)<br />
Description: The idea behind integrity shells is that a layer is added above the DOS<br />
command level, so that the shell 'filters-through' any request to execute<br />
a program. Before executing the program, the anti-virus part of the shell<br />
will perform on-line checksumming of the executable and compare it<br />
with the precomputed value. If the values do not agree, execution of the<br />
program will not be permitted.<br />
Advantages: An appealing concept which is more useful under operating systems<br />
such as Unix, VMS or OS/2, where inter-process separation is well<br />
defined through memory ownership and privileged instruction support<br />
in hardware and where the execution of a 'dangerous' instruction (in<br />
operating system terms), will cause the offending process to be<br />
suspended.<br />
Disadvantages: Integrity shells are impossible to implement in a secure way under DOS<br />
which does not distinguish between privileged and non-privileged<br />
instructions and any program can do anything, including bypassing the<br />
shell and rendering its protection useless.<br />
7.1.7 DISINFECTION SOFTWARE (VIRUS-SPECIFIC)<br />
Description: Disinfection software attempts to remove viruses from infected disks<br />
and infected programs in such a way as to restore the infected item to its<br />
previous state.
Advantages: This is an intuitive approach which can be used in clearing large-scale<br />
virus infections or the restoration of executables where masters are not<br />
available.<br />
Disadvantages: Disinfection is not something to be recommended, as it is not a straightforward<br />
operation in the majority of cases. Mistakes are possible, if not<br />
probable, since the differentiation between an already known virus and<br />
a mutation is extremely difficult. Eliminating just one byte too much in<br />
a program can have catastrophic consequences. It is much easier to<br />
replace the infected programs with manufacturers' originals.<br />
7.1.8 VIRUS REMOVAL SOFTWARE (VIRUS NON-SPECIFIC)<br />
Description: The simplest forms of virus removal software are the DOS DEL, SYS<br />
and FORMAT commands, as well as the low-level formatting procedure<br />
for hard disks. The DEL command deletes infected programs and the<br />
FORMAT command re-initialises infected floppy disks and DOS<br />
partitions of hard disks. The SYS command replaces DOS boot sectors<br />
and the operating system files. The low-level format completely reinitialises<br />
hard disks.<br />
Virus scanning software often provides automatic file deletion and boot<br />
sector immobilisation. This enables a reliable, quick and automatic<br />
removal of infected files and immobilisation of infected disks. Once<br />
infected items have been removed, they can be replaced with<br />
manufacturers' originals.<br />
Advantages: This is a fundamentally sound technique which should always be used<br />
in preference to disinfection.<br />
Disadvantages: Can be time-consuming, especially when a lot of executable files are<br />
infected.<br />
7.2 TESTING ANTI-VIRUS PRODUCTS<br />
It is strongly recommended that only tested anti-virus products are used. The testing<br />
should be done for usability as well as security.<br />
The user should test products for their usability, whereas the security aspect of testing is<br />
a rather specialist task which cannot be done by the average user. Most users have never<br />
encountered, nor have any desire to introduce highly infectious and harmful viruses into<br />
their system. They do not wish to risk their valuable data just in order to ascertain the<br />
effectiveness of anti-virus software. The testing of anti-virus software against viruses<br />
should be done in a controlled environment, by experts.<br />
When comparing the effectiveness of virus-specific anti-virus software, users should<br />
always compare the tests on more than one virus collection. It is quite common that one<br />
product gets the best marks in one test, only to come last in a different test. This is almost<br />
always due to the use of different virus collections, although it can also be due to out-of-date<br />
products being compared with up-to-date ones, or to the reviewer's incompetence.<br />
PC journals often carry comparative tests of PC software and hardware. When testing<br />
anti-virus software, each product is usually tested against an exhaustive virus collection<br />
supplied by an anti-virus software manufacturer. Needless to say, the objectivity of<br />
such reviews is often poor, for two reasons: Firstly, it would be surprising if that<br />
manufacturer's product did not score 100% against a collection of viruses with which the<br />
manufacturer is clearly familiar. Secondly, the collection will almost always contain<br />
thousands of viruses, most of which are of academic interest only. Testing against a large<br />
selection of viruses should not necessarily be the main aim of comparative reviews, since<br />
testing against a well chosen sample of viruses found in the wild can reveal much more<br />
(see Section 4.1: The Numbers Game).<br />
The testing for usability should be done by the purchaser on his own typical hardware and<br />
software configuration.<br />
7.3 FALSE POSITIVES AND FALSE NEGATIVES<br />
There are two possible pitfalls when using virus-detection software: either the software<br />
detects a virus when there is no virus, or the software does not detect a virus when there<br />
is one. These are known respectively as false positive and false negative events.<br />
Both false positives and false negatives can occur in all types of virus-detection software<br />
under certain conditions.<br />
7.3.1 VIRUS-SCANNING SOFTWARE<br />
There is a very small but finite chance that patterns or virus identification algorithms<br />
used by a virus scanner will match the contents of some uninfected and innocuous<br />
executable. Data in executable images is not completely random, and certain sequences<br />
of instructions used in a virus can occur in a perfectly legitimate program. Patterns from<br />
viruses are normally chosen so as to be unlikely to occur in a legitimate program, but this<br />
is often difficult, especially if viruses are written in a high-level language.<br />
False negatives are a much more serious problem and can result from a particular virus<br />
characteristic not being included in the scanner used, or a characteristic of a virus being<br />
included incorrectly. It is of paramount importance to update virus-scanning software<br />
regularly, as well as to ensure that the software producer has appropriate access to the<br />
latest virus code and a good virus-analysis capability.<br />
Executables infected before compression and delivered in compressed form can also<br />
cause false negatives. Compression changes the appearance of any virus that may be<br />
attached to them in such a way that virus scanners cannot recognise the virus code. If<br />
static compression is used (PKZIP, ARC etc.) the executables should be decompressed<br />
before scanning. Dynamically compressed files (PKLITE, LZEXE etc.) are difficult to<br />
scan unless the scanner can decompress files while scanning; this is becoming more<br />
difficult with the increasing number of compression products and algorithms. Alternatively,<br />
a dynamically compressed file can be run on a dirty PC and examined for infectious<br />
behaviour, such as changing of other executables or boot sectors. If a dynamically<br />
compressed file does carry a virus, any sacrificial executables on the dirty PC which<br />
become infected will be scannable in a normal way.<br />
Note that dynamically compressed files can be infected before compression or after<br />
compression. If they are infected before compression, a scanner is not likely to pick up<br />
the infection. If they are infected after compression, the infection should be detected.<br />
False negatives can also happen if an anti-virus scanner is used incorrectly. For example,<br />
if the PC is bootstrapped from a disk already infected with the 4K virus, the scanner will<br />
not detect it.<br />
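A worked example of the pattern scanner of Section 7.1.1 and of the compressed-file false negative just described, added here and not the book's SEARCH program from Appendix B: a Python scanner that takes patterns in the 16- to 24-byte style the book describes (hex bytes, '??' for a wildcard byte) and runs them over a constructed sample. The patterns, the sample COM file and the 'virus body' are all constructed for this demonstration and are not signatures or code of any real virus; zlib (deflate) stands in for static compression such as PKZIP; the function names are mine.

```python
import re
import zlib
from typing import Dict, List, Optional, Tuple

# Constructed demonstration patterns in the style the book describes: 16 to 24 bytes,
# written as hex with '??' for a wildcard byte. They are NOT signatures of real viruses.
PATTERNS: Dict[str, str] = {
    "Demo-Parasitic": "B8 00 4C CD 21 90 ?? ?? E9 10 00 CD 13 33 C0 8E D8",
    "Demo-Boot":      "FA 33 C0 8E D0 BC 00 7C ?? ?? FB A1 13 04 2D 02 00",
}

def compile_pattern(hex_pattern: str) -> "re.Pattern[bytes]":
    """Turn 'B8 00 ?? CD' into a bytes regex in which '??' matches any single byte."""
    parts = [b"." if tok == "??" else b"\\x%02x" % int(tok, 16) for tok in hex_pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)

COMPILED = {name: compile_pattern(p) for name, p in PATTERNS.items()}

def scan(data: bytes) -> List[Tuple[str, int]]:
    """Return (virus name, offset) for every pattern occurrence in data."""
    return [(name, m.start()) for name, rx in COMPILED.items() for m in rx.finditer(data)]

def try_unpack(data: bytes) -> Optional[bytes]:
    """Stand-in for decompressing a statically compressed file; None if data is not zlib."""
    try:
        return zlib.decompress(data)
    except zlib.error:
        return None

def scan_with_unpacking(data: bytes) -> List[Tuple[str, int]]:
    """Scan the file as delivered and, if it looks clean, its decompressed contents."""
    hits = scan(data)
    if hits:
        return hits
    inner = try_unpack(data)
    return scan(inner) if inner is not None else []

# Constructed sample COM file: a few real-looking opcodes, a message, and padding.
CLEAN_COM = (b"\xb4\x09\xba\x00\x01\xcd\x21\xb8\x00\x4c\xcd\x21"
             + b"Hello, world$" + b"\x00" * 64)
# Constructed 'virus body' containing the Demo-Parasitic pattern (AA BB fill the '??').
VIRUS_BODY = bytes.fromhex("B8004CCD2190AABBE91000CD1333C08ED8")
# Model of a parasitic infection: the body is spliced in at offset 3.
INFECTED_COM = CLEAN_COM[:3] + VIRUS_BODY + CLEAN_COM[3:]

def demo() -> Dict[str, List[Tuple[str, int]]]:
    packed = zlib.compress(INFECTED_COM)   # the file as a static compressor would deliver it
    return {
        "clean": scan(CLEAN_COM),
        "infected": scan(INFECTED_COM),
        "infected_packed_scanned_as_is": scan(packed),             # false negative
        "infected_packed_unpacked_first": scan_with_unpacking(packed),
    }

if __name__ == "__main__":
    for case, hits in demo().items():
        print(f"{case:32s} {hits}")
```

The scan of the packed file finds nothing, which is exactly the false negative the text describes; decompressing first restores detection. A scanner that cannot unpack a given format has to be fed the unpacked files, which is why statically compressed archives should be decompressed before scanning.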
7.3.2 CHECKSUMMING SOFTWARE<br />
False positives are a frequent occurrence when using checksumming software. The reason<br />
for the alarm in most cases is not a virus attack, but a legitimate change in the machine<br />
configuration which has not been followed by a recalculation of checksums. This can be<br />
partly avoided by fingerprinting only those particular areas of the PC which rarely<br />
change but are executed often (operating system, utilities, editors, compilers etc). If a<br />
virus infects the PC, it will sooner or later also infect one of the commonly used utilities,<br />
which will be picked up by the checksumming software. Some executables introduce<br />
legitimate changes in their own contents, e.g. WIN.COM in Windows 3.1.<br />
False negatives are much rarer when using checksumming software than virus scanning<br />
software, and are almost always due to incorrect use of the software. If fingerprints are<br />
checked while the system is already infected with a stealth virus such as Joshi or 4K, the<br />
infection will not be detected.<br />
Using a simple checksumming algorithm is an open invitation to virus writers to produce<br />
a virus which could engineer the changes in such a way that infected executables would<br />
appear clean. Cryptographic fingerprints combat this particular threat by making the task<br />
of engineering the changes intrinsically infeasible to accomplish in a realistic time span.<br />
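The checksumming strategy of Section 7.1.2 and the 'open invitation' of a simple checksum above, as an added Python example that is not the book's FINGER program from Appendix C: a baseline of fingerprints is taken over constructed stand-in executables, the files are 'infected' by a constructed appending virus, and the virus then engineers the additive checksum back to its old value. A keyed cryptographic checksum (HMAC-SHA-256, my choice of algorithm) still detects every change. The key, the file contents, the program names, the virus body and the function names are all constructed for this example.

```python
import hashlib
import hmac
from typing import Dict

# Constructed stand-ins for executables on the system; not real DOS programs.
CLEAN: Dict[str, bytes] = {
    "COMMAND.COM": b"\xb8\x00\x4c\xcd\x21" + b"command interpreter body " * 4,
    "EDIT.EXE":    b"MZ" + bytes(range(2, 60)) + b"editor body",
}
# Constructed 'virus body' appended by the model parasitic virus below.
VIRUS_BODY = b"\xe9\x00\x01" + b"demo virus body " * 3

def infect(program: bytes) -> bytes:
    """Model of a parasitic infection: patch the first byte (entry jump) and append the body."""
    return b"\xe9" + program[1:] + VIRUS_BODY

def simple_checksum(data: bytes) -> int:
    """Additive 8-bit checksum: the kind of algorithm the text says must not be used."""
    return sum(data) & 0xFF

def crypto_fingerprint(data: bytes, key: bytes) -> str:
    """Cryptographic checksum, here HMAC-SHA-256 keyed with a secret the virus does not have.
    Engineering an infected file that reproduces it is computationally infeasible."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def forge_simple_checksum(infected: bytes, target: int) -> bytes:
    """What a virus can do to an additive checksum: append one padding byte so that
    the sum modulo 256 returns to its pre-infection value."""
    pad = (target - simple_checksum(infected)) & 0xFF
    return infected + bytes([pad])

def build_baseline(programs: Dict[str, bytes], key: bytes) -> Dict[str, dict]:
    """Initial 'clean' fingerprints. Take them on a system known to be virus-free, from a
    clean boot; an infection already present is otherwise fingerprinted as normal."""
    return {name: {"simple": simple_checksum(data), "hmac": crypto_fingerprint(data, key)}
            for name, data in programs.items()}

def verify(programs: Dict[str, bytes], baseline: Dict[str, dict], key: bytes) -> Dict[str, Dict[str, bool]]:
    """Periodic recheck: per file, does each kind of checksum still match the baseline?"""
    report = {}
    for name, data in programs.items():
        expected = baseline[name]
        report[name] = {
            "simple_ok": simple_checksum(data) == expected["simple"],
            "hmac_ok": hmac.compare_digest(crypto_fingerprint(data, key), expected["hmac"]),
        }
    return report

def demo(key: bytes = b"constructed-demo-key") -> Dict[str, Dict[str, Dict[str, bool]]]:
    baseline = build_baseline(CLEAN, key)
    # The virus infects every file and 'repairs' the additive checksum of each one.
    attacked = {name: forge_simple_checksum(infect(data), baseline[name]["simple"])
                for name, data in CLEAN.items()}
    return {
        "unchanged": verify(CLEAN, baseline, key),
        "infected_and_forged": verify(attacked, baseline, key),
    }

if __name__ == "__main__":
    for case, report in demo().items():
        print(case, report)
```

Re-run `build_baseline` after a legitimate change such as an upgrade, otherwise that change becomes the false positive described above; and take the baseline and run `verify` only from a clean boot, since a resident stealth virus can feed the checksummer the original file contents.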
7.3.3 VIRUS NON-SPECIFIC MONITORING SOFTWARE<br />
Virus non-specific monitoring software resides in memory and reports suspicious<br />
activities such as another process attempting to install itself in memory, writing to a boot<br />
sector and so on.<br />
False positives often occur when using this type of software, as some of the 'suspicious'<br />
activities trapped originate from legitimate software. Furthermore, when an unsophisticated<br />
user is presented with a flashing message such as<br />
Warning! Attempted write to drive 80 cylinder 0 head 0 sector 1<br />
Proceed (Y/N) ?
he probably wishes to type in "I don't know" instead of giving a decisive yes/no answer.<br />
After seeing similar messages ten or twenty times a day, he is quite likely to ignore them<br />
and after a few days of annoyance, deinstall the virus-monitoring software.<br />
False negatives are a much more serious shortcoming of this type of software. There is no<br />
virus equivalent of the 10 commandments, and viruses do exploit weaknesses or bugs in<br />
the operating system and the anti-virus software. Several tricks have been used in<br />
practice. For example, the Icelandic-2 virus uses an undocumented feature of DOS to<br />
obtain the original value of the INT 21H vector and bypass any monitoring program.<br />
Another trick used by at least two viruses to infect files which have been protected<br />
against being written to by a memory-resident module, is to open the file in Read-Only<br />
mode and then modify the internal flag within DOS which changes access rights to Read-<br />
Write.<br />
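To make the interception and bypass mechanism concrete, an added Python model (not DOS code, and not from the book) of what Sections 7.1.3, 7.1.4 and 7.3.3 describe: a toy interrupt vector table in which a monitor hooks INT 13h and vetoes writes to cylinder 0, head 0, sector 1, and three constructed 'viruses'. One goes through the vector and is caught; one calls the ROM BIOS routine directly, as a virus that has obtained the original handler's address does; one simply rewrites the vector, which DOS does nothing to prevent. The class and function names and the payload are mine.

```python
from typing import Callable, Dict, List, Tuple

# (drive, cylinder, head, sector, data) -> write succeeded
Handler = Callable[[int, int, int, int, bytes], bool]

class Machine:
    """Toy model of a PC: an interrupt vector table, a disk and a ROM BIOS disk-write routine.
    As under DOS there is no privilege separation: any code can read or write the vector table."""
    def __init__(self) -> None:
        self.disk: Dict[Tuple[int, int, int, int], bytes] = {}
        self.log: List[str] = []
        self.vectors: Dict[int, Handler] = {0x13: self.rom_bios_write}

    def rom_bios_write(self, drive: int, cyl: int, head: int, sector: int, data: bytes) -> bool:
        """The real disk write, at a fixed and well-known address in ROM."""
        self.disk[(drive, cyl, head, sector)] = data
        return True

    def int_call(self, number: int, *args) -> bool:
        """What an INT instruction does: dispatch through whatever the vector currently holds."""
        return self.vectors[number](*args)

def install_monitor(m: Machine) -> None:
    """Virus non-specific monitor: chain in front of INT 13h and veto master boot sector writes."""
    original = m.vectors[0x13]
    def hooked(drive: int, cyl: int, head: int, sector: int, data: bytes) -> bool:
        if (cyl, head, sector) == (0, 0, 1):
            m.log.append(f"Warning! Attempted write to drive {drive:02X} cylinder 0 head 0 sector 1: blocked")
            return False
        return original(drive, cyl, head, sector, data)
    m.vectors[0x13] = hooked

MBR_PAYLOAD = b"constructed infected MBR"   # not real boot code

def naive_virus(m: Machine) -> bool:
    """Goes through INT 13h like any program, so the monitor sees the write."""
    return m.int_call(0x13, 0x80, 0, 0, 1, MBR_PAYLOAD)

def tunnelling_virus(m: Machine) -> bool:
    """Calls the ROM BIOS routine directly (it has found the original address), bypassing every hook."""
    return m.rom_bios_write(0x80, 0, 0, 1, MBR_PAYLOAD)

def unhooking_virus(m: Machine) -> bool:
    """Points the vector back at the ROM routine: the monitor is silently disabled for everyone."""
    m.vectors[0x13] = m.rom_bios_write
    return m.int_call(0x13, 0x80, 0, 0, 1, MBR_PAYLOAD)

def run_scenario(virus: Callable[[Machine], bool]) -> Tuple[bool, bool, int]:
    """Returns (virus reported success, MBR actually changed, number of monitor warnings)."""
    m = Machine()
    install_monitor(m)
    ok = virus(m)
    return ok, (0x80, 0, 0, 1) in m.disk, len(m.log)

if __name__ == "__main__":
    for v in (naive_virus, tunnelling_virus, unhooking_virus):
        print(f"{v.__name__:18s} (succeeded, MBR changed, warnings) = {run_scenario(v)}")
```

The last two scenarios produce no warning at all, which is the point of the text above: the monitor's protection rests on a vector table that any program, virus included, can read and rewrite.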
7.3.4 VIRUS-SPECIFIC MONITORING SOFTWARE<br />
Virus-specific monitoring software suffers from false negative problems which are<br />
mainly due to the difficulties in keeping it up-to-date. False negatives can also be caused<br />
by the relatively easy subversion of the software by new viruses specifically targeted<br />
against particular products.<br />
7.4 SUMMARY OF ANTI-VIRUS SOFTWARE<br />
In summary, the recommended long-term approach is to use virus non-specific<br />
checksumming software, based on cryptographic checksums. This will allow convenient<br />
everyday checking of system integrity, secure against any present or future viruses. In<br />
addition, there are situations in which virus-specific scanning software can be useful,<br />
provided its limitations are clearly understood.<br />
Monitoring software is not recommended as it cannot be made effective against all<br />
viruses and can lull the user into a false sense of security. The same applies to<br />
virus-disinfection and 'inoculation' software for similar reasons.<br />
The advantages of the non-memory-resident approach over memory-resident products<br />
are considerable. Above all, the operation can be made fully secure through both<br />
bootstrapping the computer and running the anti-virus software from a write-protected<br />
floppy disk. Furthermore there is no performance degradation or incompatibility with<br />
other software in normal operation, and anti-virus checks can be scheduled or integrated<br />
into other procedures as required.<br />
Possibly the greatest difficulty in using anti-virus software in a larger organisation is the<br />
enforcement of the agreed procedures. Deciding that all incoming floppy disks will be<br />
checked for viruses does not necessarily mean that all incoming disks will be checked.<br />
The enforcement can be helped by using a disk-authorisation product which will prevent<br />
unauthorised disks from being used. This functionality is provided by some access control<br />
products, and a number of dedicated packages are also available from anti-virus companies<br />
(see Appendix D: Anti-virus Software Manufacturers and Distributors).
8<br />
VIRUSES AND NETWORKS<br />
Something is rotten in the state of Denmark.<br />
William Shakespeare, 'Hamlet'<br />
The interchange of executables on non-networked PCs is almost exclusively done by<br />
floppy disks and is, as a consequence, relatively slow and physically controllable. PC<br />
networks allow high speed sharing of data and executables. This interchange is also much<br />
more difficult to control in practice, with hundreds of simultaneous users.<br />
The danger from a large scale virus attack in a non-networked organisation is comparatively<br />
limited, if reliable virus-detection software is used. An attack is likely to be limited to a<br />
few PCs before it is spotted and disk interchange is stopped. The possibility of a large<br />
scale virus attack in a networked organisation is much greater and the chances of<br />
successful containment much smaller, if proper network security features are not used.<br />
This chapter concentrates on Novell NetWare and is based on a theoretical and practical<br />
study of virus behaviour under NetWare 3.11 and NetWare 286. Although the practical<br />
anti-virus measures described are specific to NetWare 3.11, much of it also applies to<br />
other network operating systems such as LAN Manager. It is assumed that the network<br />
will be using a dedicated file server.<br />
8.1 PATHOLOGY OF A VIRUS INFECTION ON NETWARE<br />
Due to the excellent emulation of physical DOS disks under NetWare, a large proportion<br />
of DOS viruses in existence today are able to attack NetWare drives.
The m<strong>ai</strong>n difference between NetWare and local workstation drives is that NetWare does<br />
not allow individual sector addressing either through the normal DOS interrupts 25H and<br />
26H or the BIOS interrupt 13H. This excludes the possibility of pure bootstrap sector<br />
viruses infecting the network, but does not, of course, exclude parasitic, multi-partite and<br />
companion viruses, all of which can spread freely on a badly protected network.<br />
8.1.1 VIRUS ENTRY INTO THE NETWORK<br />
The point of entry of a virus into a network is invariably the user workstation. In a typical<br />
scenario, the user infects his workstation by executing an infected application (parasitic<br />
or multi-partite) or bootstrapping from an infected disk (multi-partite viruses). The virus<br />
becomes memory resident and will typically try to infect any application which is run, or<br />
any drive which is accessed.<br />
NETX and IPX, which are normally kept on the workstation, may already be memory-resident<br />
at this stage.<br />
On accessing the network the user will execute LOGIN.EXE stored on the file server,<br />
which will open access to the allotted file areas on the file server. If LOGIN.EXE itself<br />
or any other executables are unprotected (see Section 8.6: Practical Anti-virus Measures<br />
for NetWare 3.11 Administrators), they will become infected. Any user executing an<br />
infected application will have his workstation infected, which in turn will spread the<br />
infection further.<br />
On a typical active network, an infection can spread onto most workstations within<br />
minutes. An infected LOGIN.EXE, or any program executed by the system login script,<br />
can cause user workstations to become infected whenever a user logs into the network.<br />
8.1.2 PRACTICAL TRIAL - JERUSALEM ON NETWARE 2.12<br />
The above scenario has been demonstrated in practice by infecting a workstation with the<br />
Jerusalem virus and then executing LOGIN on the fileserver running NetWare 2.12. In<br />
this experiment LOGIN.EXE was purposefully left protected only by the Read-Only<br />
(R/O) attribute. Jerusalem (like most parasitic viruses) sets the R/O attribute to Read/Write<br />
(R/W), infects the file and then resets the attribute to R/O. After LOGIN.EXE has been<br />
infected, any workstation logging into the network will become infected (Fig 8.1). Any<br />
EXE or COM file residing on the file server will likewise become infected whenever<br />
executed by the supervisor.<br />
8.2 NETWARE 3.11 SECURITY MECHANISMS<br />
NetWare 3.11 provides four different aspects of network security: the login procedure,<br />
trustee rights, directory rights and file attributes.<br />
1. The login procedure requires all users to identify themselves by a username and a<br />
password.
[Fig. 8.1 diagram: 'Infected workstation...' -> '... infects LOGIN.EXE on the file server' -> 'after which every workstation becomes infected as soon as a user logs in']<br />
Fig. 8.1 - Large scale network infection through LOGIN.EXE<br />
2. Trustee rights are granted to each user by the 'network supervisor' and allow each<br />
user various actions such as reading from files, writing to files, creating files etc.<br />
3. Directory rights (read, write, open, close, delete, search) are set separately and can<br />
be used to limit the access to certain directories such as those containing executables.<br />
4. File Attributes (read-only, read-write, share) can be set separately.<br />
Even if a user's PC becomes infected, the infection cannot spread to the file server if the<br />
security features are properly implemented.<br />
This security breaks down if the network supervisor's PC becomes infected. Care should<br />
be taken when setting network security features, as the appropriate features may not be<br />
enabled by default.<br />
8.3 NETWARE 3.11 PRACTICAL EXPERIMENTS<br />
An experimental network consisting of a dedicated file server (on a Compaq 486/25, 310<br />
MByte hard disk, 4 MByte RAM) and a workstation (Amstrad PC-ECD, 20 MByte hard<br />
disk, 640 KByte RAM) was set up with default security parameters.<br />
8.3.1 PARASITIC VIRUSES<br />
It was decided to investigate NetWare 3.11's resistance to attack with different levels of<br />
protection.<br />
A workstation not logged in was infected with Jerusalem (memory-resident, parasitic<br />
virus). IPX was executed (and infected) and NET3 was executed (and infected). From<br />
then on, no COM or EXE file became infected when run; this applied to files held on<br />
floppy, hard or network drives. The interaction between the virus and NET3 appeared to<br />
prevent the virus from infecting other executables.<br />
If the sequence was reversed, i.e. if a clean workstation was loaded with IPX and NET3<br />
and then infected, the following error message was produced:<br />
Network Error on Server SERVER:Error receiving from network<br />
Abort, Retry?<br />
The same experiment was repeated with Cascade and Vacsina, and in both cases the<br />
viruses lost the ability to infect immediately after infecting NET3.COM. Unlike Jerusalem,<br />
Cascade and Vacsina did not crash the workstation if loaded after IPX and NET3.<br />
The same trial was then done with the 4K virus. The virus did infect IPX and NET3, did not<br />
crash the workstation and proceeded to be infectious in a normal way on floppy and hard<br />
disks, but not on the file server.<br />
The same experiment was then performed with the Eddie 2 virus. A clean workstation<br />
was logged into the network and an infected application executed from drive A. This<br />
virus successfully infected programs held on all drives, including the file server.<br />
The infectiousness of Eddie 2 was next tested with various NetWare 3.11 file attribute<br />
settings. Eddie 2 is a virus with limited stealth capability. It intercepts DIR's Find-First<br />
and Find-Next calls and displays the original file lengths. In order to establish whether or<br />
not a file is infected, a secure bootstrap has to be performed.<br />
8.3.1.1 Default NetWare 3.11 Security<br />
By default the users have full access rights to their home directory (created at the time of<br />
user creation) and no write-rights to any subdirectories containing executables. The virus<br />
could infect files in the user's own directory, irrespective of the setting of file read-only<br />
attributes, but could not infect any other files on the server.<br />
8.3.1.2 Rights Set to Read-only<br />
Eddie 2 failed to infect files to which the user did not have 'effective rights' to write,<br />
irrespective of whether this right was denied at a directory or file level, or from the<br />
'Inherited Rights' mask.<br />
8.3.1.3 File Attributes Set to Read-only<br />
Eddie 2 succeeded in infecting files which had their file attributes set to read-only. This<br />
is the same R/O attribute used by DOS, set by Eddie 2 (and most other parasitic viruses)<br />
to R/W before infection and reset back to R/O after infection.<br />
8.3.1.4 File Attributes Set to Execute-only<br />
NetWare 3.11 allows file attributes to be set to execute-only and such files cannot be read<br />
even by the supervisor.
An Eddie 2-infected workstation was used to execute an execute-only file as well as a file<br />
marked read-only. Only the read-only file was infected.<br />
8.3.1.5 Running Under Supervisor Mode<br />
The supervisor has all rights to all directories and files. A clean workstation was used to<br />
log onto the network as the supervisor, and was then infected with Eddie 2.<br />
The virus was able to infect all files on the file server, except those marked as 'execute<br />
only'.<br />
8.3.2 BOOT SECTOR VIRUSES<br />
Although boot sector viruses have no means of infecting a network drive (since it does<br />
not allow individual sector addressing), the experiment was nevertheless performed.<br />
A workstation was infected with the New Zealand virus, which infects the master boot<br />
sector on hard disks and the boot sector on floppy disks. The network was accessed<br />
(LOGIN followed by running of various applications, followed by LOGOUT).<br />
The workstation was cleared from the infection and the network connection was reestablished.<br />
The workstation hard disk and its memory were examined for infection, and<br />
as expected, none was found.<br />
8.3.3 MULTI-PARTITE VIRUSES<br />
A clean workstation was used to log into the file server. The workstation was infected<br />
with the multi-partite virus Flip. Files on the local fixed disk could be infected as usual,<br />
but when files on the file server were executed, DOS returned the message<br />
EXEC Error<br />
In general a multi-partite virus will infect files on a network drive in the same way as a<br />
parasitic virus, but in addition the virus will infect the boot sectors of disks attached to<br />
any workstation which then becomes infected.<br />
8.4 NETWARE 3.11-SPECIFIC VIRUSES<br />
There are three cases to date of viruses reported to have been written specifically to<br />
circumvent NetWare security.<br />
8.4.1 FIRST NOVELL 'VIRUS'<br />
In February 1990 there appeared an (unconfirmed) report of a 'Novell' virus which<br />
supposedly destroyed the Novell-specific file allocation table. The virus was said to be<br />
capable of penetrating a file server from a workstation even if the latter was not logged on<br />
to the network. It was suggested that this might be possible by altering the NET$DOS.SYS<br />
program, using the C libraries released by Novell.<br />
Novell Inc has not encountered this virus, nor has it received any reports of it. There do<br />
not seem to have been any further reports about this 'virus' apart from the Editorial in<br />
Virus Bulletin of February 1990.<br />
8.4.2 JON DAVID'S FALSE ALARM<br />
In July 1990 New York consultant Dr. Jon David released a report about a virus which he<br />
claimed to have observed propagating on a Novell LAN. Dr. David said that the virus, a<br />
Jerusalem mutation, bypassed NetWare file server write-protection and deleted<br />
write-protected files on the server.<br />
After a heated exchange in the press and the Virus-L bulletin board between Dr. David<br />
and Novell (at one point Novell was threatening to sue Dr. David), Novell confirmed that<br />
the virus was Jerusalem and that it did propagate on unprotected networks, but denied<br />
the allegation that it bypassed NetWare security in any way.<br />
Dr. David refused to disassemble the virus himself or release his sample to anybody else<br />
for analysis, saying he preferred to observe the virus effects rather than analysing the<br />
virus structure.<br />
The universal conclusion seems to be that the virus was a standard copy of Jerusalem<br />
with no specific ability to subvert NetWare security. For more information see the<br />
Editorial, Virus Bulletin, December 1990.<br />
8.4.3 NETWARE VIRUS FROM THE NETHERLANDS<br />
In April 1991 a virus called GP1 was received from the Netherlands which contained<br />
instructions to subvert NetWare security. Interestingly enough, the virus was received in<br />
source-code form. It is believed to have been developed in Leiden (the Netherlands) as a<br />
result of an unofficial challenge by a civil servant to a student.<br />
8.4.3.1 Virus Structure<br />
The virus is based on the Jerusalem virus, with NetWare-specific instructions added to a<br />
disassembled version of Jerusalem. The virus is memory-resident but contains no stealth<br />
characteristics. The Novell network handler is accessed via a FAR JMP instead of a FAR<br />
CALL; analysis indicated that if the FAR JMP instruction was changed into the FAR<br />
CALL instruction, the virus would become fully functional.<br />
The virus is not infective unless it is run on a NetWare workstation. It intercepts four<br />
different INT 21H services, of which the most interesting is the NetWare-specific service<br />
E3H. This is checked to see whether the subfunction requesting the service is a user<br />
LOGIN procedure. If it is, the LOGIN is executed under control of the virus and the<br />
return code is examined. If the LOGIN is successful, the virus sends a copy of the<br />
original login request block to socket number 2A9FH. This is suspected to be a broadcast<br />
message which could send details to a listening PC.<br />
8.4.3.2 Practical Trials on NetWare 286<br />
The virus was assembled after changing the FAR JMP to FAR CALL instruction. An<br />
experimental network consisting of a dedicated file server (on a Compaq 386/s, 80<br />
MByte hard disk) and a workstation (Amstrad PC-ECD, 20 MByte hard disk) was set up<br />
with default security parameters.<br />
The virus replicated in the same way as Jerusalem (when NetWare was present), but no<br />
other effects could be observed.<br />
The background of this virus continues to be investigated and it does seem that the copy<br />
obtained was an unfinished creation.<br />
8.4.3.3 Practical Trials on NetWare 3.11<br />
An experimental network consisting of a dedicated file server (on a Compaq 486/25, 310<br />
MByte hard disk, 4 MByte RAM) and a workstation (Amstrad PC-ECD, 20 MByte hard<br />
disk, 640 KByte RAM) was set up with default security parameters.<br />
The virus was tried under NetWare 3.11 where it replicated without problems, unlike the<br />
standard Jerusalem which refuses to replicate under the same circumstances. After<br />
becoming memory-resident the virus infects other files, extending them by 1546 bytes.<br />
There were no other visible side-effects.<br />
8.5 IMPLICATIONS OF STEALTH VIRUSES ON NETWARE 3.11<br />
The main problem of dealing with stealth viruses on any network is the difficulty in<br />
establishing a positively 'clean' work environment from which the cleanup can be<br />
attempted (see Sections 3.3: Virus Hiding Mechanisms and 8.6.6: Secure Accessing of<br />
NetWare 3.11).<br />
8.6 PRACTICAL ANTI-VIRUS MEASURES FOR NETWARE 3.11<br />
NETWORK ADMINISTRATORS<br />
8.6.1 DISKLESS WORKSTATIONS<br />
Diskless workstations are PCs in their own right, sometimes equipped with hard disks,<br />
but without any floppy disks. The reasoning is that if the user does not have the means of<br />
introducing floppy disks into the PC, he will also not have the opportunity of introducing<br />
a virus (or stealing data on a floppy).<br />
This no-floppies, no-virus reasoning holds only up to a certain extent. It is quite true that<br />
diskless workstations will prevent accidental introduction of viruses onto the network.<br />
Malicious introduction of viruses is not prevented, as the virus code can be input through<br />
the keyboard using the DOS COPY command or DEBUG. The technique is described in<br />
Burger's Computer Viruses - A High Tech Disease. Likewise, diskless workstations can<br />
still have modem and email connections over which software can be downloaded from<br />
BBSs.<br />
Another disadvantage of diskless workstations is that the transfer of legitimate data by<br />
users is made much more difficult.<br />
The decision to use diskless workstations in an organisation is a major one. Associated<br />
costs and the impact on the efficiency of the organisation should be carefully considered.<br />
8.6.2 REMOTE BOOTSTRAP ROMS<br />
Most network cards can be fitted with a special Read Only Memory (ROM) chip which<br />
maps into the PC memory space and when executed on boot-up, reads the operating<br />
system and other associated files from the file server instead of from the local disk. Note<br />
that the PC will still try to bootstrap from floppy and hard disks first. If none are found,<br />
the bootstrapping will be performed remotely.<br />
There are several advantages in using remote bootstrap ROMs. Firstly, the technique<br />
diminishes the danger from bootstrap sector virus infection. Secondly, any updates to the<br />
operating system used are made much easier, since they can be done on the file server.<br />
The use of remote bootstrap ROMs is recommended for bootstrapping diskless<br />
workstations.<br />
8.6.3 ENHANCED ACCESS CONTROL<br />
NetWare 3.11 provides very good access control features and utilities for the administration<br />
of users. In addition, a number of access control packages are available which front-end<br />
NetWare 3.11, providing even more sophisticated access control features and, perhaps,<br />
easier administration of users.<br />
8.6.4 ANTI-VIRUS SOFTWARE<br />
It is recommended that virus-specific software is installed on a file server for use on<br />
workstations; the problems of updating the master copy are minimal. The virus check of<br />
the server can be performed overnight, when the server workload is otherwise low. It is<br />
recommended that a separate workstation, bootstrapped in a secure way, is used to<br />
initiate the task. This workstation can also be used for backing up the network.<br />
It is recommended that virus non-specific software be used to fingerprint and check<br />
critical areas of the file server regularly. On NetWare 3.11 it is recommended that all<br />
executables in the \PUBLIC, \SYSTEM and \LOGIN subdirectories are fingerprinted. In<br />
addition, each system will have subdirectories containing applications software; these<br />
should be fingerprinted as well. Checking of the fingerprints is best done from a<br />
separate, securely booted workstation. This should be done before performing backups<br />
as well as at a specific time every night.
8.6.5 TWO IDS FOR NETWORK SUPERVISORS<br />
One of the weak points in any multi-user computer system is that one or more users must<br />
be given high privileges necessary for system administration. Unfortunately, these<br />
privileges are also assigned to a virus whenever it is in control of a workstation<br />
logged in as a network supervisor. In fact, the GP1 NetWare-specific virus seems to<br />
exploit exactly that feature by trying to capture the network supervisor password.<br />
One way of reducing the danger from virus penetration via this route is to reduce the time<br />
that network supervisors are logged in as network supervisors. They should ideally have<br />
two user IDs, one with all privileges and the other with privileges limited to read all<br />
areas. The use of the former should be limited to system administration functions.<br />
This is extremely important when checking the file server for viruses while logged in as<br />
a network supervisor. If a workstation is infected with a 'fast infecting' virus which<br />
infects when a file is opened (e.g. Nomenklatura, 4K or Dark Avenger), the checking will<br />
result in every executable becoming infected. The checking of file servers should<br />
always be done with the checking workstation logged in as a user with read (but not write)<br />
rights to all directories.<br />
8.6.6 SECURE ACCESSING OF NETWARE 3.11<br />
With the advent of stealth viruses, it is most important to guarantee a clean, virus-free<br />
environment on a workstation before running anti-virus software or investigating a<br />
virus-infected network.<br />
To access NetWare 3.11 securely, a normal DOS system disk should be prepared, which<br />
in addition to a correct version of DOS system files and COMMAND.COM also<br />
contains the following NetWare 3.11 files:<br />
IPX.COM<br />
NETX.EXE<br />
LOGIN.EXE<br />
MAP.EXE<br />
This floppy disk should be write-protected.<br />
To access the network, switch the workstation PC off, boot from the floppy disk and then<br />
run IPX first, followed by NETX (NET3 with DOS version 3, NET5 with DOS version<br />
5 etc.). Run LOGIN from the floppy disk using the '/S NUL' command line qualifier.<br />
This will prevent the execution of both system and user scripts:<br />
LOGIN /S NUL <br />
8.6.7 TIGHTENING NETWARE 3.11 SECURITY<br />
NetWare 3.11 allows the setting of file attributes to execute-only. This prevents their<br />
modification or reading by any user, including the system supervisor - the only thing that<br />
he can do (apart from executing them) is to delete them. Setting the execute-only<br />
attribute has mixed blessings. On the one hand it prevents the modification of executables,<br />
but on the other hand it makes them unreadable (and unverifiable) by anti-virus software,<br />
as well as preventing some software from running.<br />
Note that this attribute will offer protection against viruses only until somebody writes<br />
a virus which targets this attribute. This is because it is an attribute rather than a<br />
right, and is akin to the Read-Only flag offering protection against some early viruses.<br />
It is recommended that this attribute is not used and that instead 'write rights' are<br />
removed from directories containing executable files.<br />
8.6.8 CONCLUSIONS<br />
8.6.8.1 NetWare 3.11 Administration<br />
• Set NetWare 3.11 directory and user rights correctly.<br />
• Do not rely on default NetWare 3.11 attribute settings.<br />
• Do not use NetWare 3.11 'execute only' attributes unless absolutely necessary.<br />
• Use secure bootstrap procedure before running anti-virus software.<br />
8.6.8.2 NetWare 3.11 Virus Infections<br />
• NetWare 3.11 seems to cause more memory-resident viruses to malfunction than<br />
NetWare 2.12.<br />
• Some memory-resident parasitic viruses interact with IPX and NETX losing the<br />
ability to infect. Some memory-resident parasitic viruses crash the workstation if IPX<br />
and NETX are already loaded when the virus-infected application is run.<br />
• Most parasitic viruses will infect NetWare 3.11 files protected with the Read-only<br />
attribute.<br />
• Parasitic viruses will not infect NetWare 3.11 files when the user's effective rights do<br />
not include 'write' rights. The network supervisor has 'write' rights to all directories.<br />
• Parasitic viruses will not infect NetWare 3.11 files with the execute-only attribute set,<br />
regardless of the user. This, however, is not a foolproof protection against future<br />
viruses.<br />
• Pure bootstrap sector viruses will not infect NetWare 3.11 drives.<br />
• Multi-partite viruses will infect unprotected NetWare 3.11 executables.<br />
• Parasitic and Multi-partite viruses will infect executables regardless of protection<br />
levels (execute-only files excepted) if the user is logged in as a supervisor.<br />
8.6.8.3 Other Points<br />
• Consider using diskless workstations.<br />
• Use remote bootstrap ROMs in the workstations.
A<br />
BIBLIOGRAPHY AND OTHER SOURCES OF INFORMATION<br />
A.1 BOOKS ON VIRUSES AND DATA SECURITY<br />
Books and friends should be few but good.<br />
Proverb<br />
A Pathology of Computer Viruses, Ferbrache, D., Springer-Verlag, 1992<br />
A Short Course on Computer Viruses, Cohen, F., ASP Press, 1991<br />
Computer Security Reference Book, Jackson, K., Hruska, J., Parker, D.,<br />
Butterworth-Heinemann, 1992<br />
Computer Security Solutions, Hruska, J., Jackson, K., Blackwells, 1990<br />
Computer Viruses, Peers, E., Ennis, C., Deloitte Haskins & Sells<br />
Computer Viruses, a High Tech Disease, Burger, R., Abacus, 1988<br />
Computer Viruses and Data Protection, Burger, R., Abacus, 1991<br />
Computer Viruses, What They Are, How They Work, and How to Avoid Them,<br />
Mayo, J. L., Windcrest, 1989<br />
Data & Computer Security, Dictionary of Standards Concepts and Terms,<br />
Longley, D., Shain, M., Macmillan, 1987<br />
Data Security Reference Guide 1991/92, Sophos Ltd., 1991<br />
Datapro Reports on Microcomputer Security, McGraw-Hill, continuously updated<br />
Dataquest Virus Survey, NCSA, 1991<br />
LAN Desktop Guide to Security NetWare Edition, Ed Sawicki, SAMS, 1992<br />
PC Viruses, Detection, Analysis and Cure, Solomon, A., Springer-Verlag, 1991<br />
Practical Unix Security, Garfinkel, S. and Spafford, G., O'Reilly & Associates Inc,<br />
1991<br />
The Complete Computer Virus Handbook, Frost, D., Beale, I., Frost, C., Price<br />
Waterhouse and Pitman, 1989<br />
The Computer Virus Crisis, Fites, P., Johnston, P., Kratz, M., Van Nostrand<br />
Reinhold, 1989<br />
The Computer Virus Handbook, Levin, R., Osborne/McGraw-Hill, 1990<br />
The Computer Virus Handbook, Highland, H. J., Elsevier Advanced<br />
Technology, 1990<br />
The Little Black Book of Computer Viruses, Ludwig, M., American Eagle<br />
Publications Inc., 1992<br />
Virus Bulletin 1991 International Conference Proceedings, Virus Bulletin, 1991<br />
A.2 PERIODICALS ON VIRUSES AND DATA SECURITY *<br />
Computer Fraud and Security Bulletin, Elsevier Advanced Technology, 256 Banbury<br />
Road, Oxford, OX2 7DH, UK, Tel +44 865 512242, Fax +44 865 310981<br />
Computer Law and Practice, Tolley Publishing Co Ltd, Tolley House, 2 Addiscombe<br />
Road, Croydon, CR9 5AF, UK, Tel +44 81 686 9141, Fax +44 81 686 3155<br />
The Computer Law and Security Report, Elsevier Advanced Technology, 256<br />
Banbury Road, Oxford, OX2 7DH, UK, Tel +44 865 512242, Fax +44 865 310981<br />
Computers & Security, Elsevier Advanced Technology, 256 Banbury Road, Oxford,<br />
OX2 7DH, UK, Tel +44 865 512242, Fax +44 865 310981<br />
Datenschutz Berater, Prattweg 8, 5024 Pulheim, Germany, Tel +49 2234 82227<br />
Information Security Monitor, Legal Studies and Services Publishing Ltd, 9-13 St.<br />
Andrew's Street, London, EC4A 3AE, UK, Tel +44 71 936 2016, Fax +44 71 936 2303<br />
Virus Bulletin, Virus Bulletin Ltd, 21 The Quadrant, Abingdon Science Park,<br />
Abingdon, OX14 3YS, UK, Tel +44 235 559933, Fax +44 235 559935<br />
* See Appendix D for notes on telephone numbers
Virus News International, S&S International Ltd, Berkley Court, Mill Street,<br />
Berkhamsted, HP4 2HB, UK, Tel +44 442 877877, Fax +44 442 877882<br />
A.3 ELECTRONIC BULLETIN BOARDS CARRYING<br />
VIRUS-RELATED DISCUSSIONS<br />
BIX is a bulletin board run by Byte magazine in the US. On-line subscription is possible<br />
on +1 617 861 9767 (full duplex, 8 bits, no parity, 1 stop bit or 7 bits, even parity, 1 stop<br />
bit). Hit the Return key, on login prompt enter bix and on Name? prompt enter bix.flatfee.<br />
Credit cards are accepted. Packet Switch Network (PSS) address is 310690157800. A<br />
number of virus-related conferences are going on; try law/virus and security/critters.<br />
CIX is a London-based bulletin board which carries regular discussions on a number of<br />
security-related topics, including viruses. To register, telephone +44 81 390 1255 (any<br />
modem speed up to 14.4 Kbaud). Payment by credit card is accepted.<br />
The author can be contacted via CIX (username husky). The source code of all software<br />
in this book can be downloaded from CIX: mail husky with your username.<br />
Virus-L is an archived moderated bulletin board system which carries virus-related<br />
information. It is available from a number of sites including certsei.cmu.edu (maintained<br />
by Ken Van Wyk) and pdsoft.lancs.ac.uk (maintained by Steve Jenkins and also<br />
available by direct dialup on +44 524 63414). For a complete list of sites see A Pathology<br />
of Computer Viruses by David Ferbrache.<br />
A.4 VIRUS INFORMATION AVAILABLE ON DISK *<br />
Virus information summary list (VSUM), monthly from Patricia Hoffman, USA,<br />
Tel +1 408 988 3733, Fax +1 408 246 3915<br />
PC Virus Index, Brian Clough, UK, Tel +44 273 773959, Fax +44 273 778570<br />
Note: most virus scanning software is supplied with virus information on disk.<br />
A.5 VIRUS TRAINING VIDEOS *<br />
PC's Under Attack, Mediamix, USA, Tel +1 908 277 0058, Fax +1 908 277 0119<br />
The Computer Virus and How to Control It, 23 min, James C.<br />
Shaeffer & Associates, USA, Tel +1 800 968 9527, Fax +1 313 741 9528<br />
Viruses on Personal Computers training video, 30 min, Sophos Ltd, UK,<br />
Tel +44 235 559933, Fax +44 235 559935<br />
See Appendix D for notes on telephone numbers
A.6 OTHER USEFUL BOOKS<br />
80386 Programmer's Reference Manual, Intel Corporation, 1986<br />
iAPX 86,88 User's Manual, Intel Corporation, 1981<br />
Microsoft Macro Assembler 5.1, Microsoft, 1987<br />
Peter Norton Programmer's Guide to IBM PC & PS/2, Norton, P. and Wilton, R.,<br />
Microsoft Press, 1985<br />
Technical Reference for IBM Personal Computer AT, IBM, No. 6280070,1985<br />
Technical Reference for IBM Personal Computer XT, IBM, No. 6280089,1986<br />
The MS-DOS Encyclopedia, Duncan, R., Microsoft Press, 1988
B<br />
'SEARCH': VIRUS-SPECIFIC DETECTION PROGRAM<br />
They knew her by the pimple,<br />
the pimple on her nose.<br />
George Robey, 'Song: The Simple Pimple'<br />
This appendix contains the source code for a virus-specific detection program called<br />
SEARCH which scans the currently logged-in drive for the hexadecimal virus patterns<br />
read in from the file SEARCH.PAT.<br />
Virus patterns have to be updated frequently with the latest virus patterns. Appendix G<br />
contains a list of virus hex patterns known in June 1992, which can and should be<br />
updated as often as possible. One of the main public sources of virus patterns is the<br />
monthly journal Virus Bulletin, listed in Appendix A.<br />
Most self-modifying encrypting (i.e. polymorphic) viruses cannot be detected by using<br />
fixed search patterns. The only way to detect them is to use an algorithmic description of<br />
their characteristics; two possible approaches are 'hard coding' the chosen characteristics<br />
in a computer language such as 'C' or using a specialised virus-description interpreted<br />
language. Each such virus must be analysed completely before reliable detection is<br />
possible.<br />
The SEARCH program is not particularly robust in its error-handling, which had to be<br />
sacrificed for brevity. It is also not fast and it does not include any code for the detection<br />
of polymorphic viruses; enhancing all these shortcomings should prove a useful exercise<br />
for a competent 'C' programmer.
B.1 DESCRIPTION OF 'SEARCH'<br />
The SEARCH program is a virus-specific detection program which scans the currently<br />
logged-in drive for the presence of known viruses. The virus patterns are read in from the<br />
file SEARCH.PAT, which has to reside on the disk in the current drive.<br />
By default, SEARCH will scan COM, EXE, SYS and OVL files recursively (i.e. from<br />
the root directory downward, visiting every subdirectory in turn). In addition to that, it<br />
will also scan the DOS bootstrap sector 0, as well as the master bootstrap sector on the<br />
first hard disk (logical drive 80H). The user can specify file(s) to be scanned in the<br />
command line. For example, if you want to scan all BIN files instead of the default files,<br />
enter<br />
SEARCH *.BIN<br />
You can enter more than one file descriptor in the command line. For example<br />
SEARCH SUSPECT.BIN ONEMORE.BIN<br />
would search the files SUSPECT.BIN and ONEMORE.BIN for the presence of viruses.<br />
Virus patterns are read in from the file SEARCH.PAT. Any text between a semicolon (;)<br />
and the end of the line is ignored. Every pattern has a pattern name of up to 16 characters,<br />
followed by up to 16 bytes in hexadecimal. Spaces and TAB characters can be used for<br />
clarity. For example<br />
Virus_1 3E 6B 78 78 00 90 ; This is a comment<br />
; The above is the pattern for Virus 1<br />
Virus_2 ab39 9823 278f fffe 890f<br />
defines two virus patterns: Virus_1 and Virus_2, the first one consisting of 6 bytes and<br />
the second one of 10 bytes.<br />
Remember that SEARCH can only detect viruses about which it knows. You should make<br />
sure that SEARCH.PAT is kept up to date with the patterns of new and mutated viruses.<br />
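As an added example (not the book's SEARCH.C, whose listing follows in B.3), here is a parser for the SEARCH.PAT format just described, together with a chunked scan that keeps the last OVERLAP (= MAX_PATTERN_LENGTH - 1) bytes of each read in front of the next read so that a pattern straddling two reads is still found; demo_scan runs the same constructed file with and without that carry. Function names, the sample pattern text and the sample file contents are constructed for this example, and whitespace is assumed to be ignorable anywhere between hex digits.<br />

```c
/* Added example, not the book's SEARCH.C: a parser for the SEARCH.PAT format
 * described above plus a chunked scanner that carries OVERLAP bytes between
 * reads. All names and sample data are constructed; whitespace is assumed
 * to be ignorable anywhere between hex digits. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#define MAX_NAME 16
#define MAX_PATTERN_LENGTH 16
#define MAX_PATTERNS 256
#define OVERLAP (MAX_PATTERN_LENGTH - 1)

struct patt { char name[MAX_NAME + 1]; int bytes_in_pattern;
              unsigned char pattern[MAX_PATTERN_LENGTH]; };

/* Parse the line at `line` (up to ';' or newline). Returns 1 = pattern stored,
 * 0 = blank/comment-only, -1 = malformed (name > 16 chars, non-hex character,
 * odd number of hex digits, more than 16 bytes). */
int parse_pattern_line(const char *line, struct patt *out) {
    char buf[256], *p, *end;
    size_t n = 0;
    int hi = -1, v, c;
    strncpy(buf, line, sizeof buf - 1); buf[sizeof buf - 1] = '\0';
    if ((end = strpbrk(buf, ";\n")) != NULL) *end = '\0';  /* comment / EOL */
    for (p = buf; isspace((unsigned char)*p); p++) ;
    if (*p == '\0') return 0;
    while (p[n] && !isspace((unsigned char)p[n])) n++;      /* pattern name */
    if (n > MAX_NAME) return -1;
    memcpy(out->name, p, n); out->name[n] = '\0';
    out->bytes_in_pattern = 0;
    for (p += n; *p; p++) {                                 /* hex bytes */
        c = (unsigned char)*p;
        if (isspace(c)) continue;
        if (!isxdigit(c)) return -1;
        v = isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
        if (hi < 0) { hi = v; continue; }                   /* high nibble */
        if (out->bytes_in_pattern >= MAX_PATTERN_LENGTH) return -1;
        out->pattern[out->bytes_in_pattern++] = (unsigned char)(hi * 16 + v);
        hi = -1;
    }
    return (hi >= 0 || out->bytes_in_pattern == 0) ? -1 : 1;
}

/* Parse a whole pattern file held in memory. Returns the pattern count, or
 * -1 at the first malformed line (its 1-based number is stored in *bad). */
int load_patterns(const char *text, struct patt *pats, int max, int *bad) {
    int count = 0, lineno = 0, r;
    while (*text) {
        const char *e = strchr(text, '\n');
        lineno++;
        if (count >= max || (r = parse_pattern_line(text, &pats[count])) < 0)
            { if (bad) *bad = lineno; return -1; }
        count += r;
        text = e ? e + 1 : text + strlen(text);
    }
    return count;
}

/* Scan data in reads of `chunk` bytes (<= 256). With carry != 0 the last
 * OVERLAP bytes of each read stay in front of the next one, so a pattern that
 * straddles two reads is still found; with carry == 0 it is missed.
 * Returns the index of the first pattern found, or -1. */
int scan_chunked(const unsigned char *data, size_t len, size_t chunk,
                 const struct patt *pats, int npats, int carry) {
    unsigned char buff[OVERLAP + 256];
    size_t carried = 0, pos = 0, total, off, m; int k;
    if (chunk == 0 || chunk > 256) return -1;
    while (pos < len) {
        size_t n = len - pos < chunk ? len - pos : chunk;
        memcpy(buff + carried, data + pos, n);
        total = carried + n; pos += n;
        for (k = 0; k < npats; k++) {
            m = (size_t)pats[k].bytes_in_pattern;
            for (off = 0; m <= total && off + m <= total; off++)
                if (memcmp(buff + off, pats[k].pattern, m) == 0) return k;
        }
        carried = carry ? (total < OVERLAP ? total : OVERLAP) : 0;
        memmove(buff, buff + total - carried, carried);
    }
    return -1;
}

/* Constructed sample pattern file: the two entries from the text above. */
static const char PAT_TEXT[] =
    "Virus_1 3E 6B 78 78 00 90 ; This is a comment\n"
    "; The above is the pattern for Virus 1\n"
    "Virus_2 ab39 9823 278f fffe 890f\n";

/* Constructed 64-byte "file" of NOPs with Virus_2's 10 bytes at offset 28,
 * straddling the edge of the first 32-byte read; returns the scan result. */
int demo_scan(int carry) {
    struct patt pats[MAX_PATTERNS];
    unsigned char file[64];
    int n = load_patterns(PAT_TEXT, pats, MAX_PATTERNS, NULL);
    if (n != 2 || pats[1].bytes_in_pattern != 10) return -100;
    memset(file, 0x90, sizeof file);
    memcpy(file + 28, pats[1].pattern, 10);
    return scan_chunked(file, sizeof file, 32, pats, n, carry);
}

int main(void) { printf("%d %d\n", demo_scan(1), demo_scan(0)); return 0; }
```

With the carry the scan reports pattern 1 (Virus_2); without it the same bytes go unseen, which is exactly the miss the OVERLAP constant in the listing below exists to prevent.<br />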
B.2 COMPILING 'SEARCH'<br />
The majority of SEARCH's code is written in 'C', but some routines make BIOS and<br />
DOS calls and are written in assembly language. The 'C' code can be compiled by most<br />
compilers, but it has been tested only using Aztec C (Manx Software Systems Inc.). The<br />
assembly language routines assume that they will be called from Aztec C (small memory<br />
model) and if you are using a different compiler or a different memory model, you should<br />
first make sure that you use the correct calling procedure and preserve the right registers.<br />
Aztec C assumes that AX, BX, CX, and DX registers will not be preserved, whereas BP,<br />
SP, SI and DI will. Microsoft C, by way of contrast, assumes that SI, DI, BP, SS and DS<br />
will be preserved.
Some compiler libraries cont<strong>ai</strong>n the BIOS and DOS calling routines directly from C and<br />
so all of SEARCH can be written in C.<br />
Note that SEARCH'S assembly language routines are also used by the FINGER program<br />
presented in Appendix C.<br />
Some compilers (like Aztec) provide a 'make' facility similar to that of Unix. This<br />
simplifies the preparation of any software. The makefile for the SEARCH'S modules<br />
is:<br />
searchas.o: searchas.asm<br />
search.o: search.c<br />
SEARCH=search.o searchas.o<br />
search: search.exe<br />
echo search made<br />
search.exe: $(SEARCH)<br />
ln $(SEARCH) -lc<br />
To compile SEARCH, type<br />
make search<br />
and the computer will do the rest.<br />
B.3 'SEARCH' CODE IN 'C'<br />
The C code for SEARCH should be entered into one file called SEARCH.C. The<br />
FINGER program in Appendix C can be used to verify the correctness of the code. The<br />
fingerprint for SEARCH.C is 7A23B202 (remember to run FINGER with the -N<br />
option):<br />
FINGER -N SEARCH.C<br />
File SEARCH.C:<br />
/* This utility will search a system for known viruses<br />
*/<br />
#include "libc.h"<br />
#include "fcntl.h"<br />
#define EOF (-1)<br />
#define FALSE (0)<br />
#define TRUE (!FALSE)<br />
#define NORMAL_EXIT 0<br />
#define ERROR_EXIT (-1)<br />
#define NO_ERROR 0<br />
#define ERROR (-2)<br />
#define BUFSIZE 2048*2 /* of buff[] */<br />
#define MAX_BUFF 1024 /* used when fingerprinting absolute sectors */<br />
#define MAX_LINE 128<br />
#define MAXRECURSIVE 128<br />
#define SEARCH_PAT "SEARCH.PAT"<br />
#define MAX_PATTERNS 256<br />
#define MAX_NAME 16<br />
#define MAX_PATTERN_LENGTH 16<br />
struct patt{<br />
char name[MAX_NAME]; /* name of the virus */<br />
int bytes_in_pattern; /* how many bytes are in pattern */<br />
unsigned char pattern[MAX_PATTERN_LENGTH];<br />
} patterns[MAX_PATTERNS];<br />
static int max_patterns=0;<br />
static int pattern_line=0;<br />
struct ms_dos_buff{<br />
char reserved[21]; /* for MS-DOS use on subsequent find_nexts */<br />
unsigned char attr; /* attribute found */<br />
unsigned int time;<br />
unsigned int date;<br />
unsigned int size_l; /* low size */<br />
unsigned int size_h; /* high size */<br />
char pname[13]; /* packed name */<br />
};<br />
struct{<br />
int drive;<br />
unsigned available_clusters;<br />
unsigned clusters_per_drive;<br />
unsigned bytes_per_sector;<br />
unsigned sectors_per_cluster;<br />
} disk_space;<br />
struct dir_list {<br />
char *dir_path_and_name;<br />
struct dir_list *next;<br />
} root;<br />
#define OVERLAP (MAX_PATTERN_LENGTH-1)<br />
static unsigned char buff[BUFSIZE+OVERLAP];<br />
static int patterns_discovered=0;<br />
static int err=0;<br />
static long int total_bytes_searched=0l;<br />
void nonrecursive_search_files();<br />
void recursive_search_files();<br />
void invert_pattern();<br />
void do_path();<br />
void complete_search_buff();<br />
void complete_search_file();<br />
void add_dir_to_list();<br />
void search_dos_boot_sector();<br />
void search_master_boot_sector();<br />
unsigned int getdosversion();<br />
unsigned int absread();<br />
unsigned int lowdiskread();<br />
void stradd();<br />
char *malloc();<br />
main(argc,argv)<br />
int argc;<br />
char *argv[];<br />
{<br />
register int i;<br />
if(read_patterns()==ERROR) exit(ERROR_EXIT);<br />
if(max_patterns) printf("Searching for %d patterns.\n",max_patterns);<br />
else{<br />
printf("You must specify patterns in SEARCH.PAT file\n");<br />
exit(ERROR_EXIT);<br />
}<br />
if(argc>1) for(i=1;i=0;j--)<br />
if(s[j]=='\\') break;<br />
i=getfirst(pattern,0xffe7,&buf); /* no Dir / Vol */<br />
for(;i==0;i=getnext()){<br />
strcpy(s+j+1,buf.pname);<br />
complete_search_file(s);<br />
}<br />
void recursive_search_files(pattern)<br />
char pattern[];<br />
{<br />
char init_path[MAXRECURSIVE],descriptor[MAXRECURSIVE];<br />
char local_path[MAXRECURSIVE];<br />
strcpy(init_path,"\\");<br />
strcpy(descriptor,pattern);<br />
root.next=NULL;<br />
do_path(init_path,descriptor);<br />
while(find_dir(local_path)) do_path(local_path,descriptor);<br />
}<br />
void do_path(path,descriptor)<br />
char path[],descriptor[];<br />
{<br />
register int i;<br />
char drive_and_path[MAXRECURSIVE],local_path[MAXRECURSIVE];<br />
struct ms_dos_buff buf;<br />
strcpy(drive_and_path,path);<br />
if(drive_and_path[strlen(drive_and_path)-1]=='\\') stradd(drive_and_path,"*.*");<br />
else stradd(drive_and_path,"\\*.*");<br />
i=getfirst(drive_and_path,0xffff,&buf);<br />
for(;i==0;i=getnext()){ /* collect directories */<br />
if(buf.attr&0x10) { /* Dir */<br />
if(!strcmp(buf.pname,".") || !strcmp(buf.pname,"..")) continue;<br />
strcpy(local_path,path);<br />
if(local_path[strlen(local_path)-1]!='\\') stradd(local_path,"\\");<br />
stradd(local_path,buf.pname);<br />
add_dir_to_list(local_path);<br />
} /* ignore anything which is not a dir */<br />
}<br />
drive_and_path[strlen(drive_and_path)-3]='\0'; /* get rid of *.* */<br />
if(descriptor[0]=='\\') stradd(drive_and_path,descriptor+1);<br />
else stradd(drive_and_path,descriptor);<br />
i=getfirst(drive_and_path,0xffe7,&buf); /* ignore Dir/Vol */<br />
for(;i==0;i=getnext()){<br />
strcpy(local_path,path);<br />
if(local_path[strlen(local_path)-1]!='\\') stradd(local_path,"\\");<br />
stradd(local_path,buf.pname);<br />
complete_search_file(local_path);<br />
}<br />
}<br />
void add_dir_to_list(s)<br />
char s[];<br />
{<br />
struct dir_list *nextp;<br />
for(nextp=&root;nextp->next;nextp=nextp->next);<br />
if(nextp->next=(struct dir_list *) malloc(sizeof(root))){<br />
nextp=nextp->next;<br />
if(nextp->dir_path_and_name=malloc((unsigned)(strlen(s)+1))){<br />
strcpy(nextp->dir_path_and_name,s);<br />
nextp->next=NULL;<br />
return;<br />
} else{<br />
printf("Too many directories to store in memory\n");<br />
exit(ERROR_EXIT);<br />
}<br />
} else{<br />
printf("Too many directories\n");<br />
exit(ERROR_EXIT);<br />
}<br />
}<br />
void search_dos_boot_sector()<br />
{<br />
disk_space.drive=currentdisk()+1; /* get current disk drive */<br />
bytesfree(&disk_space); /* will get drive parameters */<br />
printf("Checking DOS boot sector of drive %c:\n",disk_space.drive+'a'-1);<br />
if(absread(disk_space.drive-1,buff,1,0)){<br />
printf("Could not read DOS boot sector\n");<br />
err++;<br />
return;<br />
}<br />
complete_search_buff(0,buff,0,disk_space.bytes_per_sector-1);<br />
}<br />
void search_master_boot_sector()<br />
{<br />
register int i;<br />
unsigned int drive,head,cylinder,sector;<br />
drive=0x80; /* first hard disk */<br />
head=0;<br />
cylinder=0;<br />
sector=1; /* location of the master boot sector */<br />
printf("Checking master boot sector of disk drive number %02x\n",drive);<br />
for(i=0;i<br />
switch(what){<br />
case 0:<br />
printf("Virus '%s' found in DOS boot sector starting at the address %04x\n",patterns[i].name,j-k+1);<br />
break;<br />
case 1:<br />
printf("Virus '%s' found in master boot sector starting at the address %04x\n",patterns[i].name,j-k+1);<br />
break;<br />
}<br />
patterns_discovered++;<br />
}<br />
}<br />
}<br />
void complete_search_file(file)<br />
char file[];<br />
{<br />
register int k,i;<br />
static int j,fd,bytes_read,bytes_in_pattern;<br />
static int tot_bytes;<br />
static unsigned char *pattern;<br />
static long int byte_number;<br />
printf("Checking %s\n",file);<br />
if((fd=open(file,O_RDONLY))==EOF){<br />
printf("Could not open file %s\n",file);<br />
err++;<br />
return;<br />
}<br />
for(byte_number=0l;;){<br />
switch(bytes_read=read(fd,buff+OVERLAP,BUFSIZE)){<br />
case 0: /* EOF */<br />
break;<br />
case -1:<br />
printf("Could not read file %s\n",file);<br />
err++;<br />
return;<br />
default:<br />
tot_bytes=bytes_read+OVERLAP;<br />
for(k=OVERLAP;k<br />
continue;<br />
}<br />
break;<br />
}<br />
close(fd);<br />
}<br />
int find_dir(s) /* returns the directory name in s */<br />
char s[];<br />
{<br />
struct dir_list *nextp,*nextpp;<br />
if(root.next==NULL) return FALSE;<br />
for(nextp=&root;nextp->next;nextp=nextp->next);<br />
strcpy(s,nextp->dir_path_and_name);<br />
/* free space now */<br />
free(nextp->dir_path_and_name);<br />
for(nextpp=&root;(nextpp->next)!=nextp;nextpp=nextpp->next);<br />
free((char *)(nextpp->next));<br />
nextpp->next=NULL;<br />
return TRUE;<br />
}<br />
int read_patterns()<br />
{<br />
FILE *infp;<br />
char s[MAX_LINE];<br />
if((infp=fopen(SEARCH_PAT,"r"))==NULL) return NO_ERROR;<br />
for(;max_patterns<br />
}<br />
return ERROR;<br />
if(s[0]==' ' || s[0]=='\t'){ /* pattern has no name */<br />
sprintf(pattp->name,"Noname %d",noname++);<br />
i=0;<br />
} else{ /* get name of the pattern */<br />
for(i=0; iname[i]=(s[i]=='_'?' ':s[i]);<br />
if(i==MAX_NAME){<br />
printf("Name too long in '%s'\n",s);<br />
return ERROR;<br />
}<br />
pattp->name[i]='\0';<br />
if(convert_string_to_pattern(pattp,s+i)==ERROR) return ERROR;<br />
return NO_ERROR;<br />
int convert_string_to_pattern(pattp,s)<br />
struct patt *pattp;<br />
char s[];<br />
{<br />
register int i,j,c,sum;<br />
pattp->bytes_in_pattern=0;<br />
for(i=j=sum=0;;){<br />
for(;s[i] && (s[i]==' ' || s[i]=='\t');i++); /* ffnb */<br />
if(s[i]=='\0' || s[i]==';'){<br />
if(j==1){<br />
pattp->pattern[pattp->bytes_in_pattern++]=sum;<br />
}<br />
if(pattp->bytes_in_patternbytes_in_pattern,pattp->pattern);<br />
return NO_ERROR;<br />
}<br />
if(bytes_in_pattern>MAX_PATTERN_LENGTH){<br />
printf("Pattern longer than %d bytes in '%s'\n",MAX_PATTERN_LENGTH,s);<br />
return ERROR;<br />
}<br />
}<br />
switch(j++){<br />
case 0: /* first digit */<br />
sum=c;<br />
break;<br />
case 1:<br />
sum=16*sum+c;<br />
pattp->pattern[pattp->bytes_in_pattern++]=sum;<br />
j=0;<br />
break;<br />
}<br />
i++;<br />
void invert_pattern(n,s)<br />
int n;<br />
unsigned char s[];<br />
{<br />
register int i,j,temp;<br />
for(i=0,j=n-1;i<br />
switch(c){<br />
case '0': return 0;<br />
case '1': return 1;<br />
case '2': return 2;<br />
case '3': return 3;<br />
case '4': return 4;<br />
case '5': return 5;<br />
case '6': return 6;<br />
case '7': return 7;<br />
case '8': return 8;<br />
case '9': return 9;<br />
case 'a': case 'A': return 10;<br />
case 'b': case 'B': return 11;<br />
case 'c': case 'C': return 12;<br />
case 'd': case 'D': return 13;<br />
case 'e': case 'E': return 14;<br />
case 'f': case 'F': return 15;<br />
default: return (-1);<br />
}<br />
int fmaxgets(infp,s,max)<br />
FILE *infp;<br />
char s[];<br />
int max;<br />
{<br />
register int c,i;<br />
for(i=0;c=agetc(infp);) switch(c){<br />
case '\n':<br />
s[i]='\0';<br />
return i;<br />
case EOF:<br />
s[i]='\0';<br />
return i==0?EOF:i;<br />
default:<br />
s[i++]=c;<br />
if(i<br />
for(i=0;s[i];i++) switch(s[i]){<br />
case ' ':<br />
case '\t':<br />
continue;<br />
default:<br />
return FALSE;<br />
}<br />
return TRUE;<br />
}<br />
void stradd(s1,s2)<br />
char *s1,*s2;<br />
{<br />
for(;*s1;) s1++;<br />
for(;*s2;) *s1++=*s2++;<br />
*s1='\0';<br />
}<br />
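As an added example (not the book's code), the two pieces of SEARCH that the listing above leaves hardest to read are shown in portable C: the SEARCH.PAT line format of B.1 and the overlapped chunk scanning done by complete_search_file, which carries the last MAX_PATTERN_LENGTH-1 bytes of each read so a pattern split across two reads is still found and found once. The function names, the sample pattern file and the 100-byte sample data are my own constructions.

```c
/* Added example, not the book's code: a SEARCH.PAT line parser plus a chunked
   scanner that carries OVERLAP = MAX_PATTERN_LENGTH-1 bytes between reads, so a
   pattern straddling a chunk boundary is found exactly once. Names and sample
   data are constructed for this example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MAX_NAME 16
#define MAX_PATTERN_LENGTH 16
#define OVERLAP (MAX_PATTERN_LENGTH - 1)
#define BUFSIZE 4096                  /* assumed upper bound on one read() */
struct patt {
    char name[MAX_NAME + 1];
    int bytes_in_pattern;
    unsigned char pattern[MAX_PATTERN_LENGTH];
};

/* One pattern line: name (underscores print as blanks; a leading blank or TAB
   means "no name"), hex bytes with optional blanks/TABs, optional ';' comment.
   Returns 1 for a pattern, 0 for an empty/comment line, -1 if malformed. */
int parse_pattern_line(const char *line, struct patt *p, int *noname)
{
    int i = 0, n = 0, half = 0, byte = 0;
    *p = (struct patt){0};
    if (line[0] == ' ' || line[0] == '\t') {
        snprintf(p->name, sizeof p->name, "Noname %d", (*noname)++);
    } else {
        for (; line[i] && !strchr(" \t;", line[i]); i++) {
            if (n == MAX_NAME) return -1;             /* name too long */
            p->name[n++] = line[i] == '_' ? ' ' : line[i];
        }
    }
    for (; line[i] && line[i] != ';'; i++) {
        int c = (unsigned char)line[i];
        if (c == ' ' || c == '\t') continue;
        if (!isxdigit(c)) return -1;
        byte = 16 * byte + (isdigit(c) ? c - '0' : tolower(c) - 'a' + 10);
        if ((half ^= 1)) continue;                    /* wait for 2nd digit */
        if (p->bytes_in_pattern == MAX_PATTERN_LENGTH) return -1;
        p->pattern[p->bytes_in_pattern++] = (unsigned char)byte;
        byte = 0;
    }
    return half ? -1 : (p->bytes_in_pattern ? 1 : 0);  /* -1: dangling digit */
}

int pattern_length(const char *line)   /* byte count, or -1 if malformed */
{
    struct patt p; int noname = 0;
    return parse_pattern_line(line, &p, &noname) < 0 ? -1 : p.bytes_in_pattern;
}

/* Scan 'len' bytes as if read() delivered 'chunk' bytes at a time into
   buff+OVERLAP, the way SEARCH does. Start positions the previous chunk could
   already have tested are skipped, so a match across a boundary counts once.
   Returns the hit count; *first_hit gets the first hit's stream offset or -1. */
long scan_stream(const unsigned char *data, size_t len, size_t chunk,
                 const struct patt *pats, int npats, long *first_hit)
{
    static unsigned char buff[BUFSIZE + OVERLAP];
    size_t pos = 0; int first = 1;         /* first chunk has no real overlap */
    long hits = 0, byte_number = 0;        /* stream offset of buff[OVERLAP] */
    *first_hit = -1;
    if (chunk == 0 || chunk > BUFSIZE) return -1;
    while (pos < len) {
        size_t n = len - pos < chunk ? len - pos : chunk, tot = n + OVERLAP;
        memcpy(buff + OVERLAP, data + pos, n);
        for (int i = 0; i < npats; i++) {
            size_t L = (size_t)pats[i].bytes_in_pattern;
            for (size_t s = first ? OVERLAP : OVERLAP + 1 - L; s + L <= tot; s++)
                if (memcmp(buff + s, pats[i].pattern, L) == 0) {
                    long off = byte_number + (long)s - OVERLAP;
                    if (hits++ == 0) *first_hit = off;
                    printf("Pattern '%s' found at offset %ld\n", pats[i].name, off);
                }
        }
        memmove(buff, buff + tot - OVERLAP, OVERLAP);    /* carry the tail */
        byte_number += (long)n;
        pos += n;
        first = 0;
    }
    return hits;
}

/* Constructed sample: the text's pattern-file lines, and 100 filler bytes with
   Virus 1 placed at offset 30 so that it straddles the first 32-byte chunk. */
static const char *SAMPLE_PAT[] = {
    "Virus_1 3E 6B 78 78 00 90 ; This is a comment",
    "; The above is the pattern for Virus 1",
    "Virus_2 ab39 9823 278f fffe 890f",
};
long demo(long *first_hit)
{
    struct patt pats[4]; unsigned char data[100];
    int npats = 0, noname = 0;
    for (int i = 0; i < 3; i++)                 /* read_patterns() in miniature */
        if (parse_pattern_line(SAMPLE_PAT[i], &pats[npats], &noname) == 1) npats++;
    if (npats != 2) return -1;
    memset(data, 'A', sizeof data);
    memcpy(data + 30, pats[0].pattern, pats[0].bytes_in_pattern);    /* 30..35 */
    memcpy(data + 60, pats[1].pattern, pats[1].bytes_in_pattern);    /* 60..69 */
    return scan_stream(data, sizeof data, 32, pats, npats, first_hit);
}
long demo_hits(void) { long f; return demo(&f); }
long demo_first_hit(void) { long f; demo(&f); return f; }
```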
B.4 SEARCH CODE IN ASSEMBLY LANGUAGE<br />
The assembly language code for SEARCH should be entered into one file called<br />
SEARCHAS.ASM. The FINGER program in Appendix C can be used to verify the<br />
correctness of the code. The fingerprint for SEARCHAS.ASM is CE60DF5F (remember<br />
to run FINGER with the -N option):<br />
FINGER -N SEARCHAS.ASM<br />
File SEARCHAS.ASM:<br />
codeseg segment word public<br />
dataseg segment byte public<br />
assume cs:codeseg,ds:dataseg,es:dataseg,ss:dataseg<br />
dataseg ends<br />
; functions for small model aztec c<br />
public getfirst_<br />
getfirst_:<br />
mov bx,sp<br />
mov dx,6[bx] ; dma block address<br />
; set dma address<br />
mov ah,1AH<br />
int 21H<br />
mov dx,2[bx] ; pathname pointer<br />
mov cx,4[bx] ; search attributes<br />
; get first file<br />
mov ah,4EH<br />
int 21H<br />
jc getfer<br />
mov ax,0<br />
getfer:<br />
ret<br />
public getnext_<br />
getnext_:<br />
mov ah,4FH ; Function 4FH<br />
int 21H<br />
jc getner<br />
mov ax,0<br />
getner:<br />
ret<br />
public bytesfree_<br />
bytesfree_:<br />
mov bx,sp<br />
push bp<br />
mov bp,2[bx] ; pars address<br />
mov dx,[bp] ; drive<br />
mov dh,0<br />
mov ah,36H ; Function 36H<br />
int 21H<br />
mov 2[bp],bx ; available clusters<br />
mov 4[bp],dx ; clusters per drive<br />
mov 6[bp],cx ; bytes per sector<br />
mov 8[bp],ax ; sectors per cluster<br />
pop bp<br />
ret<br />
public absread_<br />
absread_:<br />
mov bx,sp<br />
push bp<br />
mov bp,bx ; a copy<br />
mov ax,2[bp] ; drive<br />
mov bx,4[bp] ; dma block address<br />
mov cx,6[bp] ; number of sectors<br />
mov dx,8[bp] ; first sector number<br />
; read now<br />
int 25H<br />
pop bx ; pop flags<br />
jc rdfer<br />
mov ax,0<br />
rdfer:<br />
pop bp<br />
ret<br />
public lowdiskread_<br />
lowdiskread_:<br />
mov bx,sp<br />
push bp<br />
mov bp,bx<br />
mov dx,2[bp] ; head + drive<br />
mov bx,4[bp] ; dma block address<br />
mov cx,6[bp] ; cylinder + sector<br />
mov ax,0201H ; service 2, 1 sector only<br />
; read now<br />
int 13H<br />
jc rdler<br />
mov ax,0<br />
rdler:<br />
pop bp<br />
ret<br />
public currentdisk_<br />
currentdisk_:<br />
mov ah,19H<br />
int 21H<br />
and ax,0FFH ; result in al<br />
ret<br />
codeseg ends<br />
end<br />
C<br />
'FINGER': VIRUS NON-SPECIFIC<br />
DETECTION PROGRAM<br />
Very well, I can wait.<br />
Arnold Schoenberg (when told that his violin concerto required a soloist with six<br />
fingers)<br />
This appendix contains the source code for a program called FINGER which produces<br />
cryptographic fingerprints for a file or group of files.<br />
By fingerprinting the original executable and then subsequently verifying that the<br />
fingerprint has not changed, one can detect a virus attack on the executable.<br />
Although FINGER is quite usable as shown here, an average 'C' programmer can easily<br />
modify it to store the fingerprints in a file and check them automatically. The program<br />
could be improved further by giving it a facility to fingerprint the DOS and master boot<br />
sectors in order to discover boot sector viruses. Likewise, the speed of the DES (Data<br />
Encryption Standard) code is not very high and offers plenty of scope for optimisation.<br />
Another function of FINGER is to verify the correctness of the contents of source code<br />
files.<br />
C.1 DESCRIPTION OF FINGER<br />
FINGER is a program which produces cryptographic fingerprints for one file or a group<br />
of files. The fingerprint is produced using DES (Data Encryption Standard) in the mode<br />
described in ANSI standard X9.9.<br />
FINGER can be used to produce fingerprints of binary files (such as COM and EXE<br />
files) or text files. When fingerprinting binary files, it is important to fingerprint every<br />
single byte, but when fingerprinting text files, certain (non-printable) characters can be<br />
skipped without changing the meaning of the text in any way. For example, when entering<br />
the source code in C, one can type the TAB character or 8 blanks without generally<br />
changing the meaning of the code. The only exceptions are quoted strings, where it is<br />
important to enter the blanks verbatim. When FINGER is fingerprinting files in the text<br />
mode, the -N command line argument can be specified to make it ignore any non-printable<br />
or 'white space' characters.<br />
FINGER fingerprints files in binary mode by default. For example<br />
FINGER *.EXE<br />
will produce fingerprints for all EXE files in the current directory, for example<br />
Fingerprint of SEARCH.EXE is f44b8704<br />
Fingerprint of FINGER.EXE is dfbe5335<br />
To produce fingerprints of the files used to make FINGER, type<br />
FINGER -N FINGER.C DES.C<br />
and you should get the following output:<br />
Fingerprint of FINGER.C is f08f38fe<br />
Fingerprint of DES.C is 1eecc40f<br />
If you do not get that, the files with incorrect fingerprints have not been entered<br />
correctly. Note that both fingerprints will be wrong if the tables in DES.C have been<br />
entered incorrectly, even if FINGER.C is correct.<br />
C.2 COMPILING 'FINGER'<br />
The majority of FINGER's code is written in 'C', but two routines call DOS and are<br />
written in assembly language. The 'C' code can be compiled by most compilers, but it<br />
has been tested only using Aztec C. The assembly language routines, which are the same<br />
as for SEARCH, assume that they will be called from Aztec C using the small memory<br />
model. If you are using a different compiler or a different memory model, make sure that<br />
you use the correct calling procedure and preserve any registers required by the compiler.<br />
Some compiler libraries contain DOS calling routines directly from C, in which case all<br />
of FINGER can be written in C.<br />
Some compilers (like Aztec) provide a 'make' facility similar to that of Unix. This<br />
simplifies the preparation of any software. The makefile for FINGER is listed below:<br />
des.o: des.c<br />
searchas.o: searchas.asm<br />
finger.o: finger.c<br />
FINGER=finger.o des.o searchas.o<br />
finger: finger.exe<br />
@echo finger made<br />
finger.exe: $(FINGER)<br />
ln $(FINGER) -lc<br />
To compile FINGER, type<br />
make finger<br />
and the computer will do the rest.<br />
C.3 FINGER CODE IN 'C'<br />
The C code for FINGER is divided into two files called FINGER.C and DES.C. The file<br />
FINGER.C contains routines for file scanning, while the file DES.C contains an<br />
implementation of the Data Encryption Standard (DES), as defined in ANSI standard<br />
X3.92-1981. This is used for producing cryptographic checksums as defined in ANSI<br />
standard X9.9. Note that X3.92 does not define how the bits of an 8-byte block passed<br />
to DES for encryption are numbered. This implementation uses the convention that the<br />
least significant bit of the first byte is the bit DES refers to as bit 1, the most significant<br />
bit of the first byte is DES bit 8, the least significant bit of the second byte is DES bit 9,<br />
and so on.<br />
FINGER also uses some code in assembly language, which is the same as the code used<br />
for SEARCH and is contained in the file SEARCHAS.ASM. You only need to enter that file<br />
once.<br />
File FINGER.C:<br />
/* This program can be used to fingerprint any file */<br />
#include "libc.h"<br />
struct ms_dos_buff{<br />
char reserved[21]; /* for MS-DOS use on subsequent find_nexts */<br />
unsigned char attr; /* attribute found */<br />
unsigned int time;<br />
unsigned int date;<br />
unsigned int size_l; /* low size */<br />
unsigned int size_h; /* high size */<br />
char pname[13]; /* packed name */<br />
};<br />
#define SEARCH_MASK 0x07 /* DOS will return only files, not directories */<br />
#define EOF (-1)<br />
#define PARTEOF (-2)<br />
#define NOTEOF (0)<br />
#define FALSE (0)<br />
#define TRUE (!FALSE)<br />
void fingerprint(),des_init(),des_encrypt(),explain_command_line_arguments();<br />
static int only_printable=FALSE;<br />
main(argc,argv)<br />
int argc;<br />
char *argv[];<br />
{<br />
register int i,j;<br />
static char key[8]={<br />
0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef<br />
}; /* this should be a uniquely chosen key when calculating your fingerprints */<br />
struct ms_dos_buff fcb;<br />
des_init(key);<br />
if(argc>1) for(i=1;i<br />
}<br />
case EOF:<br />
fclose(infp);<br />
printf("%02x%02x%02x%02x\n",out[0],out[1],out[2],out[3]);<br />
return;<br />
case PARTEOF:<br />
for(i=0;i<br />
File DES.C:<br />
/*<br />
This is the implementation of the Data Encryption<br />
*/<br />
static int keyout[17][48];<br />
void des_init(),des_encrypt(),des_decrypt();<br />
static void lshift(),cypher();<br />
void des_init(key) /* Calculation of Keys */<br />
unsigned char *key;<br />
{<br />
unsigned char c[28],d[28];<br />
static int pc1[56]={<br />
57,49,41,33,25,17, 9, 1,58,50,42,34,26,18,<br />
10, 2,59,51,43,35,27,19,11, 3,60,52,44,36,<br />
63,55,47,39,31,23,15, 7,62,54,46,38,30,22,<br />
14, 6,61,53,45,37,29,21,13, 5,28,20,12, 4<br />
};<br />
}<br />
static void cypher(r,cnt,fout)<br />
int *r,*fout;<br />
int cnt;<br />
{<br />
static int expand[48],b[8][6],sout[8],pin[48];<br />
register int i,j;<br />
static int n,row,col,sent;<br />
static int p[32]={<br />
16, 7,20,21,29,12,28,17, 1,15,23,26, 5,18,31,10,<br />
2, 8,24,14,32,27, 3, 9,19,13,30, 6,22,11, 4,25<br />
};<br />
static int e[48]={<br />
32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9,<br />
8, 9,10,11,12,13,12,13,14,15,16,17,<br />
16,17,18,19,20,21,20,21,22,23,24,25,<br />
24,25,26,27,28,29,28,29,30,31,32, 1<br />
};<br />
static int s[8][64]={<br />
{14, 4,13, 1, 2,15,11, 8, 3,10, 6,12, 5, 9, 0, 7,<br />
0,15, 7, 4,14, 2,13, 1,10, 6,12,11, 9, 5, 3, 8,<br />
4, 1,14, 8,13, 6, 2,11,15,12, 9, 7, 3,10, 5, 0,<br />
15,12, 8, 2, 4, 9, 1, 7, 5,11, 3,14,10, 0, 6,13},<br />
{15, 1, 8,14, 6,11, 3, 4, 9, 7, 2,13,12, 0, 5,10,<br />
3,13, 4, 7,15, 2, 8,14,12, 0, 1,10, 6, 9,11, 5,<br />
0,14, 7,11,10, 4,13, 1, 5, 8,12, 6, 9, 3, 2,15,<br />
13, 8,10, 1, 3,15, 4, 2,11, 6, 7,12, 0, 5,14, 9},<br />
{10, 0, 9,14, 6, 3,15, 5, 1,13,12, 7,11, 4, 2, 8,<br />
13, 7, 0, 9, 3, 4, 6,10, 2, 8, 5,14,12,11,15, 1,<br />
13, 6, 4, 9, 8,15, 3, 0,11, 1, 2,12, 5,10,14, 7,<br />
1,10,13, 0, 6, 9, 8, 7, 4,15,14, 3,11, 5, 2,12},<br />
{7,13,14, 3, 0, 6, 9,10, 1, 2, 8, 5,11,12, 4,15,<br />
13, 8,11, 5, 6,15, 0, 3, 4, 7, 2,12, 1,10,14, 9,<br />
10, 6, 9, 0,12,11, 7,13,15, 1, 3,14, 5, 2, 8, 4,<br />
3,15, 0, 6,10, 1,13, 8, 9, 4, 5,11,12, 7, 2,14},<br />
{2,12, 4, 1, 7,10,11, 6, 8, 5, 3,15,13, 0,14, 9,<br />
14,11, 2,12, 4, 7,13, 1, 5, 0,15,10, 3, 9, 8, 6,<br />
4, 2, 1,11,10,13, 7, 8,15, 9,12, 5, 6, 3, 0,14,<br />
11, 8,12, 7, 1,14, 2,13, 6,15, 0, 9,10, 4, 5, 3},<br />
{12, 1,10,15, 9, 2, 6, 8, 0,13, 3, 4,14, 7, 5,11,<br />
10,15, 4, 2, 7,12, 9, 5, 6, 1,13,14, 0,11, 3, 8,<br />
9,14,15, 5, 2, 8,12, 3, 7, 0, 4,10, 1,13,11, 6,<br />
4, 3, 2,12, 9, 5,15,10,11,14, 1, 7, 6, 0, 8,13},<br />
{4,11, 2,14,15, 0, 8,13, 3,12, 9, 7, 5,10, 6, 1,<br />
13, 0,11, 7, 4, 9, 1,10,14, 3, 5,12, 2,15, 8, 6,<br />
1, 4,11,13,12, 3, 7,14,10,15, 6, 8, 0, 5, 9, 2,<br />
6,11,13, 8, 1, 4,10, 7, 9, 5, 0,15,14, 2, 3,12},<br />
{13, 2, 8, 4, 6,15,11, 1,10, 9, 3,14, 5, 0,12, 7,<br />
1,15,13, 8,10, 3, 7, 4,12, 5, 6,11, 0,14, 9, 2,<br />
7,11, 4, 1, 9,12,14, 2, 0, 6,10,13,15, 3, 5, 8,<br />
2, 1,14, 7, 4,10, 8,13,15,12, 9, 0, 3, 5, 6,11}<br />
};<br />
for(i=0;i<br />
void des_decrypt(input)<br />
/* this function is not used by FINGER, but is reproduced for completeness */<br />
unsigned char *input;<br />
{<br />
static unsigned char out[64];<br />
static int inputb[64],lr[64],l[32],r[32];<br />
static int fn[32];<br />
static int cnt,rtemp,n;<br />
register int i,j;<br />
for(i=n=0;i<br />
D<br />
ANTI-VIRUS SOFTWARE<br />
MANUFACTURERS<br />
NOTES ON TELEPHONE AND FAX NUMBERS<br />
The great Unwashed<br />
Henry Peter Brougham (1778-1868)<br />
All numbers are shown with the country code preceded by a plus sign (+), followed by the<br />
number. If dialling a number from the same country, omit the country code and prefix the<br />
area code with 0 (in most countries). For example, to dial the UK number +44 235 559933<br />
from the UK, dial 0235 559933.<br />
When dialling internationally, prefix each number with the international code. For<br />
example, to dial the Swiss number +41 1 234 5678 from the UK, dial 010 41 1 234 5678.<br />
To dial the above number from France, dial 19 41 1 234 5678.<br />
ASP (Advanced Software Protection), PO Box 81270, Pittsburgh, PA 15217, USA.<br />
Tel +1 412 422 4134, Fax +1 412 422 4135<br />
Bangkok Security Associates, PO Box 5-121, Bangkok 10500, Thailand.<br />
Tel +66 2 251 2574, Fax +66 2 253 6868<br />
Brightwork Development International, 766 Shrewsbury Avenue, Bldg 2, Tinton<br />
Falls, New Jersey 07724, USA. Tel +1 908 530 0440, Fax +1 908 530 0622<br />
BRM Technologies Ltd., 67 Dereh Hahoresh, Ranot, Jerusalem, Israel.<br />
Tel +972 2 861092, Fax +972 2 867503<br />
Carmel Software Engineering, Hamachshev Ltd, Hahistadrut Av 20, Haifa, Israel,<br />
POB 25055. Tel +972 4 416976, Fax +972 4 416979<br />
Central Point Software, 15220 NW Greenbrier Parkway, Suite 200, Beaverton,<br />
Oregon 97006, USA. Tel +1 503 690 8090, Fax +1 503 690 8083<br />
Certus, 6896 W Snowville Road, Brecksville, Ohio 44141, USA.<br />
Tel +1 216 546 1500, Fax +1 216 546 1450<br />
Clurwin Pty. Ltd., 73 Kensington Road, South Yarra, Victoria 3141, Australia.<br />
Tel +61 3 827 8002, Fax +61 3 826 2514<br />
Commcrypt Inc., 10000 Virginia Manor Road, Suite 300, Beltsville, MA 20705,<br />
USA. Tel +1 301 470 2500, Fax +1 301 470 2507<br />
ComNetco, 2475 Lamington Road, Bedminster, NJ 07921, USA.<br />
Tel +1 201 543 4060, Fax +1 201 781 7935<br />
Cybec Pty. Ltd., PO Box 82, Hampton, Victoria 3188, Australia. Tel +61 3 521 0655,<br />
Fax +61 3 521 0727<br />
Cybersoft, 210 West 12th Avenue, Conshohocken, PA 19428-1464, USA.<br />
Tel +1 215 825 4748, Fax +1 215 825 6785<br />
(DDI) Digital Despatch Inc., 55 Lakeland Shores, Lakeland, MN 55043, USA.<br />
Tel +1 612 436 1000, Fax +1 612 436 2085<br />
EliaShim Microcomputers Ltd., PO Box 8691, Haifa 31086, Israel.<br />
Tel +972 4 516111, Fax +972 4 528613<br />
Enigma Logic Inc., 2151 Salvio Street, Ste. 301, Concord, CA 94520, USA.<br />
Tel +1 510 827 5707, Fax +1 510 827 2593<br />
ESaSS BV, PO Box 1380, 6501 BJ Nijmegen, The Netherlands. Tel +31 80 787881,<br />
Fax +31 80 789186<br />
Fifth Generation Systems Inc., 11200 Industriplex Blvd., Baton Rouge,<br />
LA 70809-4112, USA. Tel +1 504 291 7221, Fax +1 504 291 3268<br />
Frisk Software International, PO Box 7180, 127 Reykjavik, Iceland.<br />
Tel +354 1 694749, Fax +354 1 128801<br />
<strong>ANTI</strong>-<strong>VIRUS</strong> SOFTWARE MANUFACTURERS <strong>AND</strong> DISTRIBUTORS 137<br />
Hilgraeve Inc., Genesis Centre, 111 Conant Avenue, Suite A, Monroe, Michigan<br />
48161, USA. Tel +1 313 243 0576, Fax +1 313 243 0645<br />
IBM, TJ Watson Research Centre, PO Box 218, Route 134, Yorktown Heights,<br />
NY 10598, USA. Tel +1 914 945 3000, Fax +1 914 945 2141<br />
Intel Corp., 5200 N E Elam Young Parkway, Hillsborough, OR 97124, USA.<br />
Tel +1 503 629 7354, Fax +1 503 629 7227<br />
IP Technologies, 3710 South Susan, Suite 100, Santa Ana, CA 92704, USA.<br />
Tel +1 714 549 4284, Fax +1 714 549 5079<br />
Iris Software & Computers, 6 Hamavo Street, Givataim 53303, Israel.<br />
Tel +972 3 571 5319, Fax +972 3 318731<br />
Jerry Fitzgerald and Associates, 506 Barkentine Lane, Redwood City,<br />
CA 94065-1128, USA. Tel +1 415 591 5676, Fax +1 415 593 9316<br />
Leprechaun Software Pty. Ltd., PO Box 184, Holland Park, Queensland 4121,<br />
Australia. Tel +61 7 343 8866, Fax +61 7 343 8733<br />
McAfee Associates, 4423 Cheeney St., Santa Clara, CA 95054, USA.<br />
Tel +1 408 988 3832, Fax +1 408 988 9727<br />
Microcom, Software Division, PO Box 51489, Durham, NC 27717, USA.<br />
Tel +1 919 490 1277, Fax +1 919 419 8312<br />
Orion Microsystems, PO Box 128, Pierrefonds, Quebec H9H 4K8, Canada.<br />
Tel +1 514 626 9234<br />
Panda Systems, 801 Wilson Road, Wilmington, DE 19803, USA.<br />
Tel +1 302 764 4722, Fax +1 302 764 6186<br />
PC Enhancements Ltd., The Acorn Suite, Greenleaf House, Darkes Lane, Potters<br />
Bar, Hertfordshire EN6 1AE, UK. Tel +44 707 59016, Fax +44 707 55523<br />
PC Guardian, 118 Alto Street, San Rafael, CA 94901, USA. Tel +1 415 459 0190,<br />
Fax +1 415 459 1162<br />
PC Security Ltd., The Old Courthouse, Trinity Road, Marlow, SL7 3AN, UK.<br />
Tel +44 628 890390, Fax +44 628 890116<br />
Ports of Trade, 6 Alcis Street, Newlands, Cape Town 7700, South Africa.<br />
Tel +27 21 686 8215, Fax +27 21 685 1807<br />
Prime Factors Inc., 1832 Orchard Street, Eugene, OR 97403, USA.<br />
Tel +1 503 345 4334, Fax +1 503 345 6818<br />
Quaid Software Ltd., 45 Charles Street East, 3rd Floor, Toronto, Ontario M4Y 1S2,<br />
Canada. Tel +1 416 961 8243, Fax +1 519 942 3532<br />
Remarkable Products, 245 Pegasus Avenue, Northvale, NJ 07647, USA.<br />
Tel +1 201 784 0900, Fax +1 201 767 7463<br />
RG Software Systems, 6900 E. Camelback, Suite 630, Scottsdale, AZ 85251, USA.<br />
Tel +1 602 423 8000, Fax +1 602 423 8389<br />
RSA Data Security Inc., 10 Twin Dolphin Drive, Redwood City, CA 94065, USA.<br />
Tel +1 415 595 8782, Fax +1 415 595 1873<br />
Safetynet Inc., 14 Tower Drive, East Hanover, NJ 07936-3220, USA.<br />
Tel +1 908 851 0188, Fax +1 908 276 6575<br />
SA Software, 28 Denbigh Road, London, W13 8NH, UK. Tel +44 81 998 2351,<br />
Fax +44 81 998 7507<br />
S&S International Ltd., Berkley Court, Mill Street, Berkhampstead, Hertfordshire<br />
HP4 2HB, UK. Tel +44 442 877877, Fax +44 442 877882<br />
Software Concepts Design, PO Box 908, Margaretville, NY 12455, USA.<br />
Tel +1 607 326 4423, Fax +1 607 326 4424<br />
Software Services, Niederwiesstrasse 8, CH-5417 Untersiggenthal, Switzerland.<br />
Tel +41 56 281116, Fax +41 56 281116<br />
Sophco Inc., PO Box 7430, Boulder, CO 80306, USA. Tel +1 303 530 7759,<br />
Fax +1 303 530 7745<br />
Sophos Ltd., 21 The Quadrant, Abingdon Science Park, Abingdon, Oxfordshire,<br />
OX14 3YS, UK. Tel +44 235 559933, Fax +44 235 559935<br />
Symantec Corporation, 10201 Torre Avenue, Cupertino, CA 95014-2132, USA.<br />
Tel +1 408 253 9600, Fax +1 310 829 0247<br />
Total Control, Unit 3, Station Yard, Hungerford, RG17 0DY, UK. Tel +44 488 685299,<br />
Fax +44 488 683288<br />
Trend Micro Devices Inc., 2421 W. 205th Street, Suite D-100, Torrance, CA 90501,<br />
USA. Tel +1 310 782 8190, Fax +1 310 328 5892<br />
V Communications Inc., 4320 Stevens Creek Blvd, Suite 275, San Jose, CA 95129,<br />
USA. Tel +1 408 296 4224, Fax +1 408 296 4441<br />
Visionsoft, Unit M11, Enterprise 5, Five Lane Ends, Idle, Bradford, West Yorkshire<br />
BD10 8BW, UK. Tel +44 274 610503, Fax +44 274 616010<br />
Worldwide Software Inc., 20 Exchange Place, 27th Floor, New York, NY 10005,<br />
USA. Tel +1 212 422 4100, Fax +1 212 422 1953<br />
GLOSSARY OF TERMS

He said true things, but called them by wrong names.
Robert Browning, 'Bishop Blougram's Apology'

Access Control: The process of ensuring that systems are only accessed by those authorised to do so, and only in a manner for which they have been authorised.

Active Attack: An attack on a system which either injects false information into the system, or corrupts information already present on the system. See also passive attack.

Algorithm: An algorithm is a set of rules which specifies a method of carrying out a task (eg. an encryption algorithm).

ANSI: American National Standards Institute is the organisation which issues standards in the US.

ASCII: American Standard Code for Information Interchange is the standard system for representing letters and symbols. Each letter or symbol is assigned a unique number between 0 and 127.

Asymmetric Encryption: Encryption which permits the key used for encryption to be different from the key used for decryption. RSA is the most widely used asymmetric encryption algorithm.

Audit Log: The same as audit trail.

Audit Trail: Audit trails provide a date and time stamped record of the usage of a system. They record what a computer was used for, allowing a security manager to monitor the actions of every user, and can help in establishing an alleged fraud or security violation.

140 APPENDIX A

Authentication: The process of assuring that data has come from its claimed source, or of corroborating the claimed identity of a communicating party.

Authorisation: Determining whether a subject is trusted for a given purpose.

Availability: The prevention of unauthorised withholding of information or resources.

Back Door: An undocumented means of bypassing the normal access control procedures of a computer system.

Background Operation: The name applied to a program running in a multitasking environment over which the user has no direct control.

Backup: A copy of computer data that is used to recreate data that has been lost, mislaid, corrupted or erased.

Bad Sectors: During formatting of MS-DOS disks, all sectors are checked for usability. Unusable sectors are labelled as bad and are not used by DOS. The remaining areas can then still be used. Viruses sometimes label good sectors as bad to store their code outside the reach of the users and the operating system.

.BAT: The extension given to 'batch' file names in MS-DOS. A batch file contains a series of MS-DOS commands, which can be executed by using the name of the file as a command. AUTOEXEC.BAT is a special batch file which is executed whenever a PC is switched on, and can be used to configure the PC to a user's requirements.

BBS: Bulletin Board System; a computer with one or more modems attached which can be used remotely via the PSTN. Most bulletin boards act as repositories for downloadable software, and have electronic mail systems.

Bell-LaPadula Model: An access security model couched in terms of subjects and objects. Information shall not flow to a lesser or non-comparable classification.

Biba Model: An integrity model in which there can be no contamination by a less trusted or non-comparable subject or object.

Binary: A number system with base 2. The binary digits (bits) are 0 and 1. Binary arithmetic is used by today's computers since the two digits can be represented with two electrical or magnetic states, for example the presence and absence of a current.
Biometrics: A technique for identifying a person by one of his personal characteristics eg. retina pattern, fingerprint etc.

BIOS: The Basic Input/Output System of MS-DOS which constitutes the lowest level of software which interfaces directly with the hardware of the microcomputer. The BIOS is usually stored in a ROM chip.

Bit: The smallest unit of information. It can only have the value 0 or 1. The word 'bit' is derived from the initial and final letters of the phrase 'Binary Digit'.

Bit Copying: A technique for making a copy of a disk by reading all of the individual bits on each track of the disk, and making a direct copy of each track onto a new disk. A bit copying program has no knowledge of the file structure being used on a disk.

Block Cipher: A cipher which provides encryption and decryption by operating on a specified size of data block, eg. 64 bits.

Boot Protection: Method used to prevent bypassing security measures installed on a hard disk by bootstrapping a microcomputer from a floppy disk.

Boot sector Virus: A type of computer virus which subverts the initial stages of the bootstrapping process. A boot-sector virus attacks either the master bootstrap sector or the DOS bootstrap sector.

Booting-up: A process carried out when a computer is first switched on or reset, where the operating system software is loaded from disk (either hard disk or floppy disk).

Bootstrap Sector: Part of the operating system which is first read into memory from disk when a PC is switched on (booted). The program stored in the bootstrap sector is then executed, which in turn loads the rest of the operating system into memory from the system files on disk.

Bootstrapping: Means the same as Booting-up.

Bug: A small electronic device used for covert eavesdropping. Different types are available to listen to voice conversations, data being transmitted across a network, or telephone lines. A fault in a computer program is also called a bug. The two meanings are entirely separate.

Byte: A set of 8 bits which is the amount of information sufficient to store one character. It is usually the smallest individual unit that can be read from or written to memory.
Cache: High-speed data storage used to hold data retrieved from a slow device. Using a cache increases the overall performance of a system.

CBC: Cipher Block Chaining, a mode of use of a block cipher.

CCC: Chaos Computer Club, an infamous group of German hackers based in Hamburg, Germany.

CCTA: Central Computer and Telecommunications Agency, the UK Government agency responsible for computer purchases (amongst other duties).

CESG: Communications-Electronics Security Group, a UK government COMPUSEC agency (CCTA is another).

CFB: Cipher Feedback, a mode of use of a block cipher.

Checksum: A value calculated from item(s) of data which can be used by a recipient of the data to verify that the received data has not been altered. Usually 32 or 64 bits long.

Cipher: Encryption algorithm.

Ciphertext: A term used to describe text (or data) that has previously been encrypted; see encryption.

CMOS: Complementary Metal-Oxide Semiconductor is a technology used to manufacture chips which have very low power consumption. CMOS chips are used in battery-backed applications such as the time-of-day clock and for the non-volatile storage of parameters in IBM-ATs.

.COM: The extension given to a type of executable files in MS-DOS. They are similar to EXE files, but can only contain up to 64K of code and data. In operating systems other than DOS, the extension .COM can have a different significance.

Companion virus: A virus which 'infects' EXE files by creating a COM file with the same name and containing the virus code. They exploit the PC-DOS property that if two programs with the same name exist, the operating system will execute a COM file in preference to an EXE file.

Compiler: A computer program which translates programs written in a high-level language that can be readily understood by humans, into low level instructions that can be executed by a computer's CPU.

COMPSEC, COMPUSEC: Often used abbreviations for COMPuter SECurity.

Computer Crime: This phrase has two meanings: Any crime mediated by a computer; or any crime that attacks a computer system as part of the process of committing the crime. The meaning used in any particular situation is context dependent, and not always clear.
Confidentiality: The process of ensuring that data is not disclosed to those not authorised to see it. Also known as secrecy.

Conventional Memory: The bytes of PC memory addressable by the 8086 instruction set.

Co-processor: Specialised computer hardware used in conjunction with a CPU to perform a specific task very efficiently eg. floating point arithmetic, matrix multiplication.

Copy Protection: A method which makes it difficult (if not impossible) to make copies of a computer program. Copy protection tries to prevent software theft.

CPU: Central Processing Unit, the heart of every PC, the device which takes instructions from memory and executes them. In most PCs, the CPU is a single microprocessor.

CRC: Cyclic Redundancy Check, a mathematical method for verifying the integrity of data. It is a form of checksum, based on the theory of maximum length polynomials. While more secure than a simple checksum, CRCs don't offer true cryptographic security. See cryptographic checksum.

Cryptanalysis: The study of an encryption system, often with the intention of detecting any weakness in the encryption algorithm.

Cryptographic Checksum: A checksum calculated by using a cryptographically based algorithm. It is impossible to 'engineer' changes to data in such a way as to leave a cryptographic checksum unchanged.

Data Protection: A group of techniques used to preserve three desirable aspects of data: Confidentiality, Integrity and Availability. Also a legal term with specific meaning (somewhat different to the above definition).

Deciphering: Means the same as decrypting; see decryption.

Decryption: Decryption is the process of transforming ciphertext back into plaintext. It is the reverse of encryption.

Decryption Key: See key.

DES: Data Encryption Standard, an algorithm for encrypting or decrypting 64 bits of data using a 56 bit key. DES is widely used in the financial world.

Device driver: A program used to 'handle' a hardware device such as a screen, disk, keyboard etc. This allows the operating system to use the device without knowing specifically how the device performs a particular task.

Digital Signature: A means of protecting a message from denial of origination by the sender, usually involving the use of asymmetric encryption to produce an encrypted message or a cryptographic check function.

Diskless Node: See diskless workstation.

Diskless Workstation: A PC which does not contain a floppy disk drive and is connected to a network.

Dongle: A hardware security product which must be plugged into a computer system before a particular application program will execute. A dongle aims to prevent illegal copying of a computer program.

DOS: Disk Operating System. See MS-DOS and PC-DOS.

DOS bootstrap sector: The bootstrap sector which loads the BIOS and DOS into PC RAM and starts their execution. Common point of attack by boot sector viruses.

Downloading: A process where data is transferred electronically from a 'host' computer to an intelligent terminal or PC.

EAROM: Electrically Alterable Read Only Memory, a particular type of EEPROM, in which individual bytes can be altered by electrical pulses.

ECB: Electronic Codebook, a mode of use of a block cipher.

EEPROM: Electrically Erasable Programmable Read Only Memory, a non-volatile memory which can be written to and read from many times. It is erased by an electrical pulse. EEPROMs are used for storing data which does not change frequently eg. setup parameters.

Electronic Mail: Messages exchanged over a computer communications network.

Enciphering: Means the same as encrypting; see encryption.

Encryption: A process of disguising information so that it cannot be understood by an unauthorised person.

Encryption Key: See Key.

EPROM: Electrically Programmable Read Only Memory, a non-volatile memory which can be programmed (written to) once, and read from many times. Most types of EPROM can be erased by exposure to ultra-violet light. EPROMs are used for storing data which is unlikely to be changed.

.EXE: The extension given to executable files in MS-DOS. These are similar to .COM files, but can contain more than 64K of code and data.

Exhaustive Key Search: Finding out which key was actually used by an encryption system by testing all possible keys in turn.

Expanded Memory: PC memory which conforms to the industry standard specification EMS (Expanded Memory Specification), and enables the CPU to access more than 640K of memory.
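As an added example (not from the book), the three kinds of check function in the Checksum, CRC and Cryptographic Checksum entries compared in Python: a constructed sample file with a compensating two-byte change keeps its additive checksum, a CRC-32 detects that change but satisfies the XOR-linearity that every CRC has (which is why a CRC can be matched by design), and a keyed HMAC-SHA256 used as the cryptographic checksum does neither. The key and the sample data are constructed for the example.

```python
import hashlib
import hmac
import zlib

# Constructed sample "file" contents for the demonstration (not a real program).
ORIGINAL = bytes(range(32, 96)) * 2      # 128 bytes of printable ASCII
OTHER = b"integrity check " * 8          # 128 bytes, same length as ORIGINAL
# Constructed, hypothetical key: a real integrity checker would keep this secret.
KEY = b"constructed-example-key"


def simple_checksum(data: bytes) -> int:
    """Additive checksum: the sum of all bytes modulo 2**32."""
    return sum(data) & 0xFFFFFFFF


def crc32(data: bytes) -> int:
    """Cyclic Redundancy Check (the CRC-32 used by zlib and PKZIP)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def cryptographic_checksum(data: bytes, key: bytes = KEY) -> int:
    """Keyed cryptographic checksum (HMAC-SHA256, i.e. a MAC) as an integer."""
    return int.from_bytes(hmac.new(key, data, hashlib.sha256).digest(), "big")


def compensating_change(data: bytes, pos: int) -> bytes:
    """Alter two adjacent bytes by +1 and -1, which leaves the byte sum unchanged.

    Positions where the arithmetic would wrap around modulo 256 are refused,
    because then the sum would change and the demonstration would not apply.
    """
    if not 0 <= pos < len(data) - 1 or data[pos] == 0xFF or data[pos + 1] == 0x00:
        raise ValueError("position would wrap around")
    out = bytearray(data)
    out[pos] += 1
    out[pos + 1] -= 1
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def is_linear(fn, a: bytes, b: bytes) -> bool:
    """True when fn(a XOR b) == fn(a) XOR fn(b) XOR fn(zeros).

    A CRC is an affine function of its input bits, so this identity always
    holds for it; a cryptographic checksum should not show any such structure.
    """
    zeros = bytes(len(a))
    return fn(xor_bytes(a, b)) == fn(a) ^ fn(b) ^ fn(zeros)


def compare(original: bytes, modified: bytes) -> dict:
    """Report which check functions still match after the modification."""
    return {
        "simple_checksum": simple_checksum(original) == simple_checksum(modified),
        "crc32": crc32(original) == crc32(modified),
        "cryptographic_checksum":
            cryptographic_checksum(original) == cryptographic_checksum(modified),
    }


if __name__ == "__main__":
    modified = compensating_change(ORIGINAL, 10)
    # Expected: {'simple_checksum': True, 'crc32': False, 'cryptographic_checksum': False}
    print("still matches after modification:", compare(ORIGINAL, modified))
    print("CRC-32 is XOR-linear:", is_linear(crc32, ORIGINAL, OTHER))              # True
    print("HMAC is XOR-linear:", is_linear(cryptographic_checksum, ORIGINAL, OTHER))  # False
```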
Extended Memory: Memory in PCs which lies above 1 MByte in an 80286 (or above) machine.

FAT: File Allocation Table, a mnemonic term used by the MS-DOS operating system (and others) to describe the part of a disk which contains information describing the physical location on the disk of the chains of clusters forming the files stored on that disk.

File Compression: The compacting of a file through the process of recoding its bit structure into a shorter form. File compression must be reversible.

File Encryption: The transformation of a file's contents (in plain text) into an unintelligible form by means of some form of cryptographic system or manipulation.

File Integrity: Techniques used to provide 'safe' backup files for recovery purposes in the event that critical files have become contaminated through some accidental or intentional mechanism (eg. computer virus attack).

File Labelling: The classifying of the sensitivity level of a file either by external (visible outside marking) or internal (magnetic coding of the header label) coding, or by a combination of these two methods.

File Server: A central data repository for a computer network, which may provide other centralised services such as shared printer control.

Firmware: Jargon for a computer program stored in a non-volatile memory such as an EPROM or an EEPROM.

Floppy Disks: Interchangeable magnetic disks which are used to store computer data. Usual formats are 3.5" and 5.25" disks, and capacities of the order of 1 Mbyte.

Hacker: An individual whose interests, motivated for benign or malicious reasons, concern 'breaking into' computer systems. The word hacker is also used to denote someone who produces prodigious amounts of software. The two meanings are completely distinct, and often confused.

Hard disk: A hermetically sealed magnetic disk, generally fixed within a computer, which is used to store data. Hard disk capacity is of the order of 10 Mbytes to 1 Gbyte.

Hardware: Any component of a computer system that has physical form. It is a term used to draw a distinction between the computer itself (hardware), and the programs which are executed on the computer (software).
Hash Function: A function which maps a set of variable size data into objects of a single size. Widely used for fast searching.

Hashing: The process of calculating a hash function.

Hexadecimal: A system of counting using number base 16. The numbers 10 to 15 are represented by the characters 'A' through 'F' respectively. Hexadecimal is often abbreviated to hex. Each hex digit is equivalent to four bits (half a byte) of information.

IC: Integrated Circuit, an electronic device containing many discrete electronic components such as transistors, resistors and the wire links which interconnect them. ICs are usually made in very large numbers and in miniaturised form, on a common base or substrate of silicon.

ID: An identification code, username, identification card or an identification token.

Integrity: A security protection aimed at ensuring that data cannot be deleted, modified, duplicated or forged without detection.

Internet: One of the largest world-wide networks for the transmission of electronic mail messages.

Interrupt: A mechanism by which a process can attract the immediate attention of the CPU, usually in order to serve an urgent request from an external device. The interrupt table on 8086 microprocessors occupies the bottom 1K of RAM.

I/O port: A computer communicates with the outside world through Input/Output (I/O) ports. Examples are the RS-232 serial port and printer ports on a PC.

ISO: International Organisation for Standardisation, the worldwide federation of international standards bodies.

IV: Initialisation Variable, a value used to initialise modes of use of certain block ciphers.

K: Shorthand for a thousand (1000), but in computing it is often used to mean 1024 (2^10, approximately 1000). For example, 64K or 64 Kbytes refers to 64 x 1024 (= 65536) bytes.

Key: When used in the context of encryption, a series of numbers which are used by an encryption algorithm to transform plaintext data into encrypted (ciphertext) data, and vice versa. Confusingly, key can also refer to a physical token which gives access to a system.

Key Management: The process of securely generating, transporting, storing and destroying encryption keys.
LAN: Local Area Network, a data communications network covering a limited area (up to several kilometres in radius) with moderate to high data transmission speeds.

Letter Bomb: A logic bomb contained in electronic mail, which will trigger when the mail is read.

Link virus: A virus which subverts directory entries to point to the virus code.

Logic Bomb: A program modification which causes damage when triggered by some condition such as the date, or the presence or absence of data eg. a name.

M: Shorthand for a million (1000000), but in computing it is often used to mean 1048576 (2^20, approximately one million). For example, 1M or 1 Mbyte refers to 1048576 bytes.

MAC: Message Authentication Code, a cryptographic checksum for a message. Unlike a digital signature, a MAC requires knowledge of a secret key for verification.

Mainframe: Large computer systems, often occupying purpose-built facilities, used for IT applications requiring extremely fast processing speeds or large quantities of data. Typical processing speeds are of the order of 100 MIPS.

Master bootstrap sector: The first physical sector on the hard disk (sector 1, head 0, track 0) which is loaded and executed when the PC is bootstrapped. It contains the partition table as well as the code to load and execute the bootstrap sector of the 'active' partition. Common point of attack by boot sector viruses.

Menu-driven: Software which presents the user with a fixed 'menu' of command choices, often requiring only a single key or mouse button depression to select the required option.

Message Authentication: The process of calculating and then subsequently verifying a message authentication code.

Message Digest: Same as hash function.

Microprocessor: An integrated circuit which condenses the essential elements of a computer's CPU into a single device.

Minicomputer: A fixed, generally multi-user, computer designed for use as a communal information processing system. Typical processing speeds are between 10 and 100 MIPS.

MIPS: Millions of instructions per second.

Mirroring: A technique where data is written to two (or more) disks simultaneously, with the intention of enabling data retrieval even when one of the disks fails.
Modem: A MOdulator/DEModulator is a device which translates digital computer data into a form suitable for transmission over an analogue telecommunications path such as a telephone line, radio channel or satellite link.

Mouse: A data input device which, when moved by hand on the surface of a desk, conveys the direction and amount of movement to a computer. A mouse is commonly equipped with one, two or three press-buttons to actuate commands on the computer.

MS-DOS: The Disk Operating System sold by Microsoft. It is the most common microcomputer system in the world, and operates on the IBM PC. See PC-DOS.

Multi-partite virus: A virus which infects both boot sectors and executable files, thus exhibiting the characteristics of both boot sector viruses and parasitic viruses.

Multitasking: The ability of a computer to divide its processing time amongst several different tasks. Although most computers contain only one CPU, they can switch between operations so quickly that several processes appear to run simultaneously.

Non-volatile Memory: Integrated circuits which retain their content when their normal power source is switched off. The main types are ROM, EPROM, EEPROM and battery backed CMOS RAM.

OFB: Output Feedback, a mode of use of a block cipher.

Off-site Backup: A backup stored at a geographically remote location.

One-way Function: A function that can readily be calculated, but whose inverse is very difficult to calculate.

Operating System: The computer program which performs basic housekeeping functions such as maintaining lists of files, running programs etc. PC operating systems include MS-DOS and OS/2, while minicomputer and mainframe operating systems include Unix, VMS and MVS.

Optical Disk: A storage device using a laser to record and read data from a rotating disk.

OS/2: An operating system for 80286+ based IBM compatibles. It allows true multitasking.

OSI: Open Systems Interconnection, a set of standards defining the protocols for communication between open (non-proprietary) systems.

.OVL: The extension commonly given to overlay files in MS-DOS. Overlay files are used with large programs which cannot fit into RAM: parts of the program are loaded as and when needed. Overlay files can have any extension and not just .OVL.

Parasitic Virus: A computer virus which attaches itself to another computer program, and is activated when that program is executed. A parasitic virus can append itself to either the beginning or the end of a program, or it can overwrite part of the program.

Partition Table: A 64-bit table found inside the master bootstrap sector on hard disks which contains information about the starting and ending of up to four partitions on the hard disk. The partition table also contains information on the type of the partition, eg. DOS partition, UNIX partition etc.

Passive Attack: An attack on a system which extracts information and makes use of it, but never injects false information or corrupts any information (which would be an active attack).

Password: Sequences of characters which allow users access to a system. Although they are supposed to be unique, experience has shown that most people's choices are highly insecure. Humans tend to choose short words such as names, which are easy to guess.

PC: Personal Computer, a desktop or portable single-user computer usually comprising a CPU, memory, screen, keyboard, and disk drive(s). PC has become synonymous with IBM compatible computer, even though this definition is not strictly correct.

PC-DOS: Microcomputer operating system originally used by IBM for its PCs. It is functionally identical to MS-DOS.

Peripheral: External device connected to a computer. Examples include printers, plotters, disk drives, external modems, and a mouse.

Peripheral Access Control: Technique to restrict the use of certain computer peripherals to authorised users.

Pest Program: A collective term for programs with deleterious and generally unanticipated side effects eg. Trojan horses, logic bombs, viruses, and malicious worms.

Plaintext: Data before it has been enciphered. The opposite of ciphertext.

Polymorphic virus: Self-modifying encrypting virus.

Port Access Control: Restricting the use of computer data ports to authorised users only.

Processor: A unit of hardware that is capable of executing instructions contained in a computer program.
Program: A precise sequence of instructions that specifies what action a computer should perform. 'Software' is often used to describe a computer program.

Proprietary Encryption Algorithm: An encryption algorithm designed to a proprietary (and usually secret) specification.

PS/2: A series of computers from IBM designed to replace the PC/XT/AT range. All models, except model 30, support the 'microchannel architecture'. Cards designed for the IBM PC/XT/AT are not compatible with PS/2 machines.

Public Domain: Two totally distinct meanings exist: the area which is outside government security arrangements; or something which is neither subject to copyright nor a trademark.

RAM: Random Access Memory, volatile memory which can be written to, and read from, at high speed. It is normal to load programs from disk into RAM, and then to execute them. The operating system takes care of the allocation of RAM to executing programs.

Reverse-engineering: The process of deducing how something works without having access to the design details.

ROM: Read Only Memory, a form of non-volatile memory in a computer. Data is embedded into a ROM during manufacture. A ROM is usually used to store the startup software which is executed by a PC on power up (see bootstrapping).

RS-232: The most widely used standard for serial data communication. The speed of communication is measured in baud.

Scrambling: Encryption.

Secret Key: Encryption key that must not be disclosed. If it is revealed, the security offered by the encryption algorithm is compromised. Not all encryption keys have to be kept secret, eg. public keys in asymmetric encryption.

Security: Protection against unwanted behaviour. The most widely used definition of (computer) security is security = confidentiality + integrity + availability.

Security Policy: A security policy is the set of rules, principles and practices that determine how security is implemented in an organisation. It must maintain the principles of the organisation's general security policy.

Security Server: A special LAN station which runs software that monitors LAN usage, and controls access independently of the LAN operating system.
Server: See file server and security server.

Smart Disk: A device in the shape of a 3.5" floppy disk which contains a microprocessor and memory. It can be read from and written to in a standard floppy disk drive.

Software: See program.

Spoofing: Pretending to be someone or something else (eg. entering someone else's password).

Stealth virus: A virus which hides its presence from the PC user and anti-virus programs, usually by trapping interrupt services.

Stream Cipher: A cipher which provides encryption and decryption by operating on a continuous stream of data, without imposing limits on the length of the data.

Symmetric Algorithm: An algorithm in which the key used for encryption is identical to the key used for decryption. DES is the best known symmetric encryption algorithm.

.SYS: The extension given to system file names in MS-DOS. An example is the file CONFIG.SYS which sets up various configuration parameters for the operating system on power-up.

Terminal: A device which consists of a VDU and keyboard. It allows a user to interact with a computer.

Time Bomb: A logic bomb set to trigger at a particular time.

Timeout: A logical access control feature which automatically logs-off users of terminals which do not exhibit signs of activity for a certain duration of time.

Token: A physical object, sometimes containing sophisticated electronics, which is required to gain access to a system. Some tokens contain a microprocessor, and are called intelligent tokens, or smart cards.

Trapdoor: A hidden flaw in a system mechanism that can be triggered to circumvent the system's security.

Trojan Horse: A computer program whose execution would result in undesired side effects, generally unanticipated by the user. The Trojan horse program may otherwise give the appearance of providing normal functionality.

TSR: Terminate and Stay Resident, a term used to describe an MS-DOS program which remains in memory after being executed. A TSR can be re-activated either by a specific sequence of keystrokes, or at some specific time, or by some specific signal from an I/O port.

UNIX: UNIX is a multi-user operating system, developed by AT&T. Several versions of UNIX exist, which do not all achieve compatibility with each other.
152 APPENDIX A<br />
Uploading: The process of transferring data from a remote computer to a central host.<br />
UPS: Uninterruptible Power Supply, a device which detects mains failure and provides power from an internal battery supply for a limited period.<br />
VDU: Visual Display Unit, a computer peripheral which displays text and/or graphics on a television screen.<br />
Virus: Sometimes explicitly referred to as a computer virus, a program which makes copies of itself in such a way as to 'infect' parts of the operating system and/or application programs. See boot-sector virus and parasitic virus.<br />
Virus signature: An identifier recognised by the virus as meaning 'this item is already infected, do not reinfect'. It can take different forms such as the text 'sURIV' at the beginning of the file, the size of the file divisible by a number or the number of seconds in the date stamp set to 62. Some viruses do not recognise their signatures correctly.<br />
WAN: Wide Area Network, a set of computers that communicate with each other over long distances.<br />
Workstation: An ill-defined term used to describe a powerful single user, high performance, minicomputer or microcomputer, which is used by individuals for tasks involving intensive processing, perhaps CAD or simulation.<br />
Worm: A program that distributes multiple copies of itself within a system or across a distributed system.<br />
Worm Attack: Interference by a program that is acting beyond normally expected behaviour, perhaps exploiting security vulnerabilities or causing denials of service. See worm.<br />
XOR: An abbreviation of the logical operation known as Exclusive-or. An exclusive-or function is defined as having the value true when either of the input conditions (but not both) is true.
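As an added illustration of the 'Virus signature' entry above (example code, not from the book), the following Python checks a file record for the three marker forms the entry lists; the FAT directory time layout is standard, while the marker text, the modulus and the sample directory are constructed for the example.<br />

```python
"""Checks for the three kinds of infection marker the glossary's 'Virus
signature' entry lists: marker text at the start of the file, a file length
divisible by a number, and a directory-entry seconds value of 62. Added
example; the FAT time layout is standard, the marker values and sample
directory are constructed for illustration."""
from dataclasses import dataclass


def decode_dos_time(packed: int) -> tuple[int, int, int]:
    """Unpack a 16-bit MS-DOS directory time field into (hours, minutes, seconds).
    Layout: bits 15-11 hours, bits 10-5 minutes, bits 4-0 seconds divided by 2."""
    return (packed >> 11) & 0x1F, (packed >> 5) & 0x3F, (packed & 0x1F) * 2


def pack_dos_time(hours: int, minutes: int, seconds: int) -> int:
    """Inverse of decode_dos_time; seconds are stored at 2-second resolution."""
    return (hours << 11) | (minutes << 5) | (seconds // 2)


def has_62_second_marker(packed: int) -> bool:
    """The seconds/2 field holding 31, i.e. 62 seconds. DOS itself never writes
    more than 29 (58 s) and DIR shows hh:mm only, so the mark is invisible to the
    user yet a single AND/compare for the virus to test before reinfecting."""
    return (packed & 0x1F) == 0x1F


@dataclass
class FileRecord:
    name: str
    data: bytes
    dos_time: int  # packed time field from the directory entry


def infection_markers(rec: FileRecord, text_marker: bytes = b"sURIV",
                      modulus: int = 0) -> list[str]:
    """Names of the markers present in rec. modulus=0 disables the length test;
    on its own a divisible length is weak evidence, since one clean file in
    every `modulus` satisfies it by chance."""
    found = []
    if rec.data.startswith(text_marker):
        found.append("text")
    if modulus and len(rec.data) % modulus == 0:
        found.append("length")
    if has_62_second_marker(rec.dos_time):
        found.append("seconds62")
    return found


def scan_directory(records: list[FileRecord], **kwargs) -> dict[str, list[str]]:
    """Files that carry at least one marker, with the markers found."""
    report = {}
    for rec in records:
        markers = infection_markers(rec, **kwargs)
        if markers:
            report[rec.name] = markers
    return report


# Constructed directory (not real files): a 65-byte clean stub and a 64-byte
# stub carrying all three markers.
CLEAN = FileRecord("CLEAN.COM", b"\xB4\x4C\xCD\x21" + b"\x90" * 61,
                   pack_dos_time(12, 34, 56))
MARKED = FileRecord("MARKED.COM", b"sURIV" + b"\x90" * 59,
                    pack_dos_time(12, 34, 62))
SAMPLE_DIRECTORY = [CLEAN, MARKED]

if __name__ == "__main__":
    for rec in SAMPLE_DIRECTORY:
        print(rec.name, "%02d:%02d:%02d" % decode_dos_time(rec.dos_time),
              infection_markers(rec, modulus=16) or "clean")
```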
F VIRUS HUNTER'S CHECKLIST<br />
It is very strange, and very melancholy, that the paucity of<br />
human pleasures should persuade us ever to call hunting one of them.<br />
Samuel Johnson (1709-84), 'Johnsonian Miscellanies'<br />
You have been asked to check all PCs on a site for a possible virus attack. You grab your<br />
bag, which contains all the tools necessary to deal with the problem, and head for the site.<br />
What should the bag contain?<br />
• Software for IBM-PC virus investigation. This will include not only virus-detection<br />
software but also software tools for investigating a virus attack and recovering from<br />
it:<br />
    • An up-to-date copy of a good, trusted virus scanner. You should not use copies<br />
    which are more than two months old.<br />
    • One or more supplementary virus scanners by other manufacturers.<br />
    • A disk editing tool. Useful for disk investigations, displaying interrupts and<br />
    recovering from boot sector virus infections.<br />
    • A cryptographic checksumming package for investigating an attack by a virus<br />
    unknown to your scanners.<br />
    • Sacrificial 'GOAT' programs which can be infected on purpose in order to<br />
    observe virus behaviour.<br />
    • Diagnostic software for distinguishing a potential hardware problem from a<br />
    virus problem. This is usually dependent on the hardware used and may be<br />
    best obtained on site. Virus-scan and write-protect this software before using<br />
    it.
    • DEBUG, for the adventurous who wish to disassemble the virus in situ.<br />
    • Manuals for all the above software as well as a DOS manual.<br />
• Software for Apple Macintosh virus investigation. You will need a completely<br />
different set of tools and procedures to check Apple Macintosh PCs, although the<br />
same principles apply.<br />
• Secure bootstrapping means and procedures.<br />
    With the advent of stealth viruses, it is most important to guarantee a clean,<br />
    virus-free environment on a workstation, before running anti-virus software<br />
    or investigating a virus-infected network.<br />
    Bootstrapping stand-alone PCs:<br />
    • Correct version(s) of DOS on write-protected 3½" and 5¼" disks. Compaq<br />
    DOS 3.31 or DOS 5.00 are able to boot machines with hard disks running any<br />
    current version of DOS. Ensure that DOS disks are write-protected. Switch<br />
    the PC off, insert a boot disk in drive A and then switch it back on.<br />
    Bootstrapping a PC in order to check a network:<br />
    • A DOS system disk which also contains all executables needed to set up the<br />
    network connection, as well as log onto the network. For example, on Novell<br />
    NetWare 3.11 you will need a DOS system disk with IPX.COM, NETX.EXE,<br />
    LOGIN.EXE and MAP.EXE. Perform a secure boot of the PC as described<br />
    above, then run LOGIN from the floppy disk including the '/S NUL' command<br />
    line qualifier to prevent the execution of both system and user login scripts:<br />
    LOGIN /S NUL<br />
• Pre-formatted disks (3½" both densities, 5¼" both densities) for preserving any<br />
virus samples and general use. You can encounter a variety of floppy drives on a site<br />
and you should not use high density disks in low density drives (or vice-versa) as<br />
the information will not be recorded reliably.<br />
• Write-protect tabs. Write-protecting a disk is a hardware barrier to any writing<br />
operations. Write-protect any disks to which you do not wish to write.<br />
• Floppy disk labels, 'Virus infected' labels, 'Disk free from known viruses' labels.<br />
• An up-to-date printout of known viruses and their symptoms.<br />
• Education materials. You may be required to give a short presentation on virus<br />
prevention to PC users on the site. A video is an excellent tool for conveying the<br />
message in a short time. Furthermore, as a virus specialist, you must stay in touch<br />
with the latest developments in the virus field. Make sure that your subscription to<br />
a journal such as Virus Bulletin is current.<br />
• Date of next visit. It is best to strike while the iron is hot. After you have finished the<br />
investigation, make an appointment for your next visit. Be prepared to catch any reinfection<br />
at an early stage.<br />
• Virus attack reporting forms.<br />
• Contact telephone and fax numbers for the technical support for your virus<br />
scanners.
G KNOWN IBM-PC VIRUSES<br />
G.1 VIRUS NAMES AND ALIASES<br />
For in much wisdom is much grief: and he that increaseth<br />
knowledge increases sorrow.<br />
Bible: Ecclesiastes<br />
When a researcher investigates a virus he has not seen before, one of his first problems is<br />
to establish whether the virus is one already known. Since that can take time, he may<br />
decide on a name for the virus before announcing the find. The result of this is that<br />
multiple names for the same virus are common, and when a 'new' virus is reported, it is<br />
often only a known virus with a new name.<br />
Some researchers, furthermore, feel an irresistible urge to call parasitic viruses by a<br />
number, which is their infective length (the increase in the length of the infected<br />
executable). This can be very confusing since one virus can have several infective lengths<br />
(Jerusalem has an infective length of 1813 bytes for COM files and 1808 bytes for EXE<br />
files), and completely different viruses can have identical infective lengths (both Agiplan<br />
and Zero Bug have an infective length of 1536 bytes).<br />
There have been a number of attempts at standardising on virus names, for example the<br />
Lotus virus numbering standard (Virus Bulletin, October 1991), the US National Institute<br />
of Standards and Technology (NCSA Anti-Virus Products Developers Conference<br />
Proceedings, Washington DC, November 1991), a joint NCSA committee (Virus Bulletin,
February 1992). So far none have succeeded and it seems that the speed of new<br />
developments in the virus field will be likely to defy any such attempts in the future.<br />
If you discover a new virus at some stage in the future, please do not rush to give it a<br />
name. First check whether the virus is already known and only if not, christen it with<br />
something suitable, which is preferably not its infective length. Names of viruses are<br />
related either to virus side-effects (eg. Cascade), to strings embedded in the virus (eg.<br />
Suriv) or to the name chosen by the author and included in the virus (eg. Nomenklatura<br />
and Datacrime). For further guidance refer to Virus Bulletin, February 1992 (see<br />
Appendix A: Bibliography).<br />
G.2 <strong>VIRUS</strong> HEX PATTERNS<br />
One common way of testing executable files for viruses is to search for code or data<br />
patterns known to occur in these particular viruses. These patterns are normally represented<br />
as hexadecimal digits and referred to as 'hex patterns'.<br />
This section contains short descriptions and hexadecimal patterns of viruses seen by June<br />
1992. This list is maintained from various sources, including Virus Bulletin's technical<br />
editor Fridrik Skulason and is copyright ©Virus Bulletin. Information of this kind will<br />
invariably be out of date by the time it is published in a book. The reader is urged to treat<br />
it only as a sample of what viruses could be around and to find up-to-date information in<br />
one of the journals or bulletin boards listed in Appendix A.<br />
The hexadecimal (hex) patterns in the table are normally from 10 to 16 bytes long, and<br />
there is a small but finite chance that one of these patterns will be found in some<br />
uninfected and innocuous executable. Data in executable images is not completely<br />
random, and certain sequences of instructions used in a virus can occur in a perfectly<br />
legitimate program. The pattern from a virus is normally chosen so as to be unlikely to<br />
occur in a legitimate program, but there is a chance that this may happen. For more<br />
information on extracting virus patterns see Section 5.2: Dissection of a Captured Virus.<br />
If a pattern-checking program, such as SEARCH in Appendix B, reports a pattern match,<br />
it means that a virus may have been found. If the alarm turns out to be false, it is known<br />
as a 'false positive', which is one of the main problems with poorly tested anti-virus<br />
software. All patterns shown in this table have been tested for false positives against<br />
about 100 MBytes of executables.<br />
Each entry in the table consists of the virus group name in bold, its aliases and the virus<br />
type (see Fig. G.1 for type codes). This is followed by a short description (if available)<br />
and a 10 to 16 byte hex pattern. An entry in the form '(VB Mar 92)' indicates that further<br />
information on the virus can be found in the appropriate issue of Virus Bulletin.
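The following Python is an added example of the pattern search described above (it is not the book's SEARCH program nor Virus Bulletin's code): it parses four entries copied verbatim from the table in Section G.3 and scans constructed sample files, reporting each hit only as a possible infection.<br />

```python
"""Hex-pattern scanning as Section G.2 describes it. Added example, not the
book's SEARCH program: PATTERN_TABLE copies four entries verbatim from the
table in Section G.3; the sample 'files' are constructed byte strings."""
import re

PATTERN_TABLE = """\
8 Tunes 33F6 B9DA 03F3 A550 BB23 0353 CB8E D0BC
200 33D2 B800 42CD 218B CEB4 40CD 212E 8B0E
Ambulance 0001 8A07 8805 8B47 0189 4501 FFE7 C3E8
Ambulance-B 0001 8A07 8805 8B47 0189 4501 FFE7 CBE8
"""

# A pattern line is the virus name followed by groups of four hex digits
# (two bytes each); description lines do not end in hex groups and are skipped.
_ENTRY = re.compile(r"^(?P<name>.+?)\s+(?P<hex>(?:[0-9A-Fa-f]{4}\s*)+)$")


def parse_table(text: str) -> dict[str, bytes]:
    """Map virus name -> pattern bytes. Patterns outside the 10 to 16 byte
    range G.2 describes are rejected as transcription errors."""
    patterns: dict[str, bytes] = {}
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue
        pattern = bytes.fromhex(m.group("hex").replace(" ", ""))
        if not 10 <= len(pattern) <= 16:
            raise ValueError(f"{m.group('name')!r}: {len(pattern)}-byte pattern")
        patterns[m.group("name")] = pattern
    return patterns


def scan(data: bytes, patterns: dict[str, bytes]) -> list[tuple[str, int]]:
    """Return every (virus name, offset) at which a pattern occurs in data,
    ordered by offset. A hit means a virus MAY be present: G.2 warns that a
    short byte sequence can turn up in an innocent program (false positive)."""
    hits: list[tuple[str, int]] = []
    for name, pattern in patterns.items():
        start = 0
        while (pos := data.find(pattern, start)) != -1:
            hits.append((name, pos))
            start = pos + 1
    return sorted(hits, key=lambda hit: (hit[1], hit[0]))


PATTERNS = parse_table(PATTERN_TABLE)

# Constructed samples (not real programs). The 'infected' stubs carry a pattern
# pasted in at a known offset; the Ambulance-B stub differs from Ambulance by a
# single byte (CB vs C3), so only the -B pattern may match it.
CLEAN_COM = b"\xB4\x09\xBA\x0C\x01\xCD\x21\xC3" + b"Hello from a harmless program$"
INFECTED_COM = (b"\xE9\x20\x00" + b"\x90" * 20
                + bytes.fromhex("00018A0788058B4701894501FFE7CBE8") + b"\xCD\x20")
TUNES_EXE = b"MZ" + b"\x00" * 30 + bytes.fromhex("33F6B9DA03F3A550BB230353CB8ED0BC")

if __name__ == "__main__":
    for label, image in [("CLEAN.COM", CLEAN_COM), ("INFECTED.COM", INFECTED_COM),
                         ("TUNES.EXE", TUNES_EXE)]:
        hits = scan(image, PATTERNS)
        print(label, "-", "no known pattern" if not hits else
              ", ".join(f"possible {name} at offset {pos}" for name, pos in hits))
```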
Type codes:<br />
C = Infects COM files<br />
E = Infects EXE files<br />
D = Infects DOS boot sector (Logical sector 0 on disk)<br />
L = Link virus<br />
M = Infects master boot sector (Track 0, head 0, sector 1 on disk)<br />
N = Not memory-resident after infection<br />
R = Memory-resident after infection<br />
P = Companion virus<br />
Fig. G.1 - Virus type codes<br />
G.3 IBM-PC VIRUSES<br />
8 Tunes - CER: The virus probably originates in Germany and infects COM and EXE<br />
files. The length of the virus code is 1971 bytes. When triggered, it will play one of eight<br />
different tunes. The virus attempts to deactivate two anti-virus programs: Bombsquad<br />
and Flushot+.<br />
8 Tunes 33F6 B9DA 03F3 A550 BB23 0353 CB8E D0BC<br />
10 past 3 - CR: A 748 byte virus which is awaiting analysis.<br />
10 past 3 B840 008E D8A1 1300 B106 D3E0 2D00 088E<br />
191 - CN: A very simple virus with no side effects.<br />
191 8BD7 B902 00B4 3FCD 2181 3D07 0874 DF33<br />
268-Plus - CN: When this virus is run it will infect all COM files in the current directory<br />
increasing the first one by 268 bytes, the second by 269 bytes, the third by 270 bytes and<br />
so on. The virus is encrypted and is awaiting analysis.<br />
268-Plus 8EC1 0650 BE00 0156 31FF B90B 01F3 A4BD<br />
200 - CN: This small virus does nothing but replicate. When an infected program is run,<br />
it will infect all COM files in the root directory of drive C.<br />
200 33D2 B800 42CD 218B CEB4 40CD 212E 8B0E<br />
337 - CR: A small, simple virus which does nothing but replicate.<br />
337 5FBF 0001 578B CC2B CEF3 A433 F633 FF33<br />
432 - C?: Virus awaiting disassembly.<br />
432 50CB 8CC8 8ED8 E806 00E8 D900 E904 0106<br />
483 - CER: This virus does not work properly, as infected programs will never run. As<br />
this could be fixed by a minor correction, a search pattern for the current version is<br />
provided.<br />
483 0256 5AB9 1800 F614 46E2 FBCD 215E 81BC
535A - CN: A mutation of the Vienna virus. Second generation copies do not appear to<br />
replicate.<br />
535A ACB9 0080 F2AE B904 00AC AE75 EEE2 FA5E<br />
555 - CER: A compact 555 byte virus awaiting analysis. It does not seem to do anything<br />
apart from replicating.<br />
555 5B58 072E FF2E 0500 813E 1200 4D5A 7406<br />
656 - CN: Triggers on 14th of any month except January or on any day in April.<br />
Overwrites first 80 sectors of drive C.<br />
656 ACB9 0070 F2AE B904 00AC AE75 EEE2 FA5E<br />
757 - CR: This virus displays a 'Bouncing-Ball' effect on the screen.<br />
757 B907 00FC F3A4 585B 9DB8 0001 5350 CB9C<br />
765 - ER: This virus is probably an older version of the '905' virus. Awaiting analysis.<br />
765 53B4 368E 4602 8B76 0A26 8A14 80EA 40CD<br />
777 Revenge - CR: After three infected files have been run, the virus displays the text<br />
'*** 777-Revenge Attacker V1.01 ***' and then trashes drives C and D. (VB Mar 92)<br />
777 Revenge B8FF FF33 C9CD 2183 F906 7243 B856 0250<br />
800 - CR: Infective length is 800 bytes. The virus code is written into a random location<br />
in the infected file. Like Number of the Beast, it uses an undocumented DOS function to<br />
obt<strong>ai</strong>n the original INT 13H address, and instead of intercepting INT 21H, it intercepts<br />
INT 2AH, function 82H. The virus is encrypted. (VB June 90)<br />
800 B981 0151 AD33 D0E2 FB59 3115 4747 E2FA<br />
864 - CN: This virus adds 864 bytes in front of the files it infects. Awaiting analysis.<br />
864 B04D B449 B742 473A 2575 153A 7D01 7510<br />
905 - ER: A Bulgarian virus, still awaiting analysis.<br />
905 488E C08E D880 3E00 005A 7415 0306 0300<br />
907 - CR: An encrypted 907 byte virus, awaiting analysis.<br />
907 83C7 0353 2EFF B55D 04BB DE03 B97F 0058<br />
928 - CER: Virus awaiting disassembly.<br />
928 E9AD 00B8 BBBB CD21 3D69 6974 03E8 3500<br />
1024PrScr - CR: This virus increases the length of infected programs by 1024 bytes. The<br />
main side-effect is to perform a Print Screen function at different times.<br />
1024PrScr 8CC0 488E C026 A103 002D 8000 26A3 0300<br />
1028 - CER: Virus is 1028 bytes long. Awaiting analysis.<br />
1028 0606 005E 561E 0E33 FF8E DFC5 0684 002E<br />
1067 - CR: This virus is closely related to the Ambulance virus, but is still awaiting<br />
analysis.<br />
1067 018A 5405 8816 0001 B42A CD21 F6C2 0175<br />
1077 - CER: This 1077 byte virus infects COM and EXE files, but is unable to infect<br />
EXE files larger than 64K.<br />
1077 4E01 EACD 21C3 B44F CD21 C351 33C0 3B86
1226 - CR: This Bulgarian virus is related to Phoenix, Proud and Evil. As in the case of<br />
its relatives, no search pattern is possible.<br />
1260, V2P1 - CN: Virus infects COM files extending them by 1260 bytes. The first 39<br />
bytes cont<strong>ai</strong>n code used to decrypt the rest of the virus. A variable number of short<br />
(irrelevant) instructions are added between the decoding instructions at random in an<br />
attempt to prevent virus scanners from using identification strings. An infected file has<br />
the seconds field set to 62. No search pattern is possible. (VB Mar 90)<br />
1355 - CR?: 1355 byte virus, not yet analysed.<br />
1355 8B04 8ED8 BE00 00B0 2EB4 803A 0475 1BB0<br />
1575 - CER: The only side-effect of this virus is that a caterpillar (grasshopper?) moves<br />
from the top left-hand part of the screen turning text yellow. This display happens if the<br />
virus is already memory-resident and an infected program is run and the memory-resident<br />
virus has not infected since it became resident and is at least 3 months old.<br />
Infected files grow by 1575-1593 bytes. The date and time of last file modification are<br />
not saved. (VB Oct 91).<br />
1575 D087 ECBE 3C01 BF00 00B9 1000 FCF2 A4E9<br />
1600 - CER: A 1600 byte Bulgarian virus, reported to be written by the same author as<br />
the Nina, Terror and Anti-Pascal viruses. Many infected programs, including<br />
COMMAND.COM will fail to execute when infected.<br />
1600 8B35 8936 0001 8B75 0289 3602 01C7 4514<br />
1876 - CER: This 1876 byte virus is probably of Polish origin. Not yet analysed.<br />
1876 8EC0 33FF 33C0 B9FF 7FFC F2AE 26F6 05FF<br />
1963A - CER: A Bulgarian virus, which does not increase the size of the files it infects.<br />
Awaiting analysis.<br />
1963A B820 12BB 0500 CD2F 534B 4B26 881D B816<br />
2100 - CER: This is a Bulgarian virus, related to the Eddie and Eddie-2 viruses and<br />
cont<strong>ai</strong>ns extensive segments of code in common with both. The pattern for Eddie-2 can<br />
be found within this virus, but they can easily be differentiated on the basis of length.<br />
(VB Aug 91)<br />
2144 - CER: A 2144 byte Russian virus which may totally disable the hard disk when it<br />
activates. A computer with a disabled disk cannot be rebooted from a system floppy disk<br />
without disconnecting the hard disk.<br />
3445 - CER: This 3445 byte encrypted virus has not been fully analysed, but infected<br />
programs often fail to execute.<br />
3445 D2BB 1000 F7E3 03C1 83D2 00F7 F359 50B8<br />
4870 Overwriting - EN: A strange overwriting virus which spreads in LZEXE-packed<br />
format. It is not possible to select a search pattern from the code portion of the virus.<br />
5120 - CEN: This virus is 5120 bytes long. When an infected program is run, it will<br />
search recursively for EXE and COM files to infect. Infected programs will terminate<br />
with an 'Access denied' message after 1st June 1992. Parts of the virus seem to have been<br />
written in compiled BASIC.<br />
5120 40B1 04D3 E88C DB03 C305 1000 8ED8 8C06
5792 - EN: Similar to the RNA2 and Halloween viruses and written in some high-level<br />
language (C or Pascal), this virus adds 5792 bytes in front of infected files.<br />
5792 8DBE 00FF 1657 8DBE 5CE8 1657 B8A0 1650<br />
7808 - CNR: A clumsy virus with an infectious length of 7808 bytes written in a high<br />
level language. Infection occurs both by directory search and on load and execute.<br />
Awaiting analysis.<br />
7808 31C0 A354 04C7 06E6 4201 00EB 04FF 06E6<br />
16850 - PN: This large (16850 byte) companion virus seems to be written in Turbo<br />
Pascal. Because of the high chance of false positives, it is recommended that search<br />
patterns should not be used to detect it. To get rid of the virus, simply remove all hidden<br />
16850 byte COM files corresponding to EXE files in the same directory.<br />
4K, 4096, Frodo, IDF, Israeli Defence Forces - CER: Infective length is 4096 bytes. The<br />
virus may occasionally cause damage to files, as it manipulates the number of available<br />
clusters, which results in crosslinked files. If the virus is resident in memory, it disguises<br />
itself from detection by pattern-searching or checksumming programs. Infected systems<br />
hang on 22nd September. (VB May 90, Nov 90)<br />
4K E808 0BE8 D00A E89A 0AE8 F60A E8B4 0A53<br />
Ada - CR: A 2600 byte virus, reported to have originated in Argentina. Not fully<br />
analysed.<br />
Ada 4802 0074 0F80 FC41 741B 80FC 1374 163D<br />
Advent - CEN: An old 2764 byte mutation of Syslock, which is detected by the Syslock<br />
pattern. This virus activates in December and plays a Christmas tune.<br />
Agiplan - CR: Infective length is 1536. The virus attaches itself to the beginning of COM<br />
files. Agiplan has only occurred on one site and may be extinct.<br />
Agiplan E9CC 0390 9090 9090 9C50 31C0 2E38 26DA<br />
AIDS - CN: Not to be confused with the AIDS Trojan, this virus overwrites COM files<br />
and is about 12K long. When an infected program is executed, the virus displays 'Your<br />
computer now has AIDS' and halts the system.<br />
AIDS 0600 AE42 6E4C 7203 4600 0004 00A0 1000<br />
AIDS II - PN: A companion virus, 8064 bytes long, which displays a message when it<br />
activates. To locate and remove the virus, search for COM files corresponding to EXE<br />
files, but marked 'Hidden' and located in the same subdirectory and delete them.<br />
AIDS II 5589 E581 EC02 02BF CA05 0E57 BF3E 011E<br />
Aircop - DR: Virus displays the blinking message '.Red State, Germ offensing -Aircop'<br />
after infecting every eighth floppy disk. Originated in Taiwan. (VB Feb 91).<br />
Aircop 32E4 CD16 CD12 33C0 CD13 0E07 BB00 02B9<br />
Aircop 2 - DR: Does not infect hard disks. Aw<strong>ai</strong>ting analysis.<br />
Aircop 2 32E4 CD16 33C0 CD13 0E07 BB00 02B9 0600<br />
Akuku - CER: 889 byte virus, probably written by the same author as the Hybrid virus.<br />
Akuku E800 005E 8BD6 81C6 2A01 BF00 01A5 A481
Alabama - ER: Infective length is 1560 bytes. May cause execution of wrong files and<br />
FAT corruption.<br />
Alabama 803D C673 0726 C605 CF4P EBF0 26FF 0603<br />
Alabama 2 - ER: Slightly modified version of the original virus, but detected by the<br />
Alabama pattern.<br />
Albania - CN: This is a group of 4 viruses, which all cont<strong>ai</strong>n the word Albania, but they<br />
are believed to be written in Bulgaria. The mutations are 429, 506, 575 and 606 bytes<br />
long.<br />
Albania 83F9 0074 0C80 7CFE 3B74 06AA E803 000E<br />
Albania-429 83F9 0074 0826 807D FE00 7405 41AA E80F<br />
Ambulance, RedX - CN: The major effect of this virus is to display a moving ambulance<br />
with the sound of a siren. The virus is 796 bytes long.<br />
Ambulance 0001 8A07 8805 8B47 0189 4501 FFE7 C3E8<br />
Ambulance-B - CN: A 796 byte virus, just like the original, but with a few insignificant<br />
modifications.<br />
Ambulance-B 0001 8A07 8805 8B47 0189 4501 FFE7 CBE8<br />
Amoeba - CER: Virus adds 1392 bytes to the length of the infected files. It does not have<br />
any known side-effects.<br />
Amoeba CF9C 502E A107 0140 2EA3 0701 3D00 1072<br />
Amstrad - CN: Adds 847 bytes to the front of any COM file in the current directory. The<br />
rest contains an advertisement for Amstrad computers. (VB June 90). Cancer is a 740 byte<br />
long mutation, which infects the same files repeatedly. These viruses are members of the<br />
Pixel family.<br />
Amstrad C706 0E01 0000 2E8C 0610 012E FF2E 0E01<br />
Amstrad-852 - CN: Almost identical to the original 847 byte version, with only a text<br />
string changed.<br />
Amstrad-877 - CN: This mutation is 877 bytes long, and detected by the 'Amstrad'<br />
pattern.<br />
Anthrax - MCER: An interesting, multi-partite virus from Bulgaria, which infects the<br />
master boot sector, as well as executable files. Infected files usually grow by 1000-1200<br />
bytes.<br />
Anthrax 0E1F 832E 1304 02CD 12B1 06D3 E08E C0BF<br />
AntiCAD, Plastique - CER: This is a family of 7 viruses from Taiwan, based on the<br />
Jerusalem virus, but considerably modified. This group includes a 2900 byte mutation, a<br />
3012 byte mutation and four 4096 byte mutations. Two of these four are known as<br />
'Invader' and one as 'HM2'. The four 4096 byte mutations will also infect the boot<br />
sector. The Plastique virus triggers when ACAD.EXE (the AUTOCAD program) is<br />
executed. Drives A and B are checked for the presence of a disk which, if found, has head<br />
0 of all tracks overwritten with random data. An 'explosion' routine (speaker noise<br />
generated every 4.5 minutes) then commences. The first and second hard disks are<br />
overwritten on all heads and tracks. (VB Apr 92)<br />
AntiCAD (1) B840 4BCD 213D 7856 7512 B841 4BBF 0001<br />
AntiCAD (2) C08E D8A1 1304 B106 D3E0 8ED8 33F6 8B44
AntiCAD 2576 - CER: A mutation of the AntiCAD series from Taiwan. This 2576 byte<br />
mutation is closely related to the 2900 byte mutation.<br />
AntiCAD 2576 595B 5807 1F9C 2EFF 1E3B 001E 07B4 49CD<br />
AntiCAD/Plastique 3004 - CER: Very closely related to the 3012 byte mutation of<br />
Plastique. The virus cont<strong>ai</strong>ns the text string 'COBOL' and is detected by the AntiCAD (1)<br />
pattern.<br />
AntiCAD 3088 - CER: The latest member of the AntiCAD/Plastique family. It is 3088<br />
bytes long, and is detected by the same pattern as the 2576 byte version.<br />
Anti-Faggot - ?: Virus sample failed to replicate. Contains destructive code and the text<br />
'Drive Fucked Up by the Anti-Faggot Virus!' plus a few other sentences in broken<br />
English. Awaiting analysis.<br />
Anti-Faggot 803E DE03 0174 0F80 3EDE 0302 740C 803E<br />
Antimon - CN: This 1450 byte virus has also been named Pandaflu, because it is targeted<br />
against Flushot and some programs from Panda software.<br />
Antimon 83C2 102B D033 C9B8 0042 CD21 BA00 01B9<br />
Anti-Pascal (1) - CN: Two Bulgarian viruses 529 and 605 bytes long which add their<br />
code in front of infected programs. They are targeted against Turbo-Pascal, and delete<br />
.PAS and .BAK files.<br />
Anti-Pascal (1) D1E0 D1E0 80E4 0380 C402 8AC4 8BD8 32FF<br />
Anti-Pascal (2) - CN: A second group of Bulgarian viruses written by the author of Anti-<br />
Pascal (1) viruses. There are three viruses which belong to this group and their infective<br />
lengths are 400, 440 and 480 bytes. They are structurally different from Anti-Pascal (1)<br />
since they add their code to the end of infected files. The side-effects are similar since<br />
they may delete .PAS, .BAK and .BAT files.<br />
Anti-Pascal (2) 21BE 0001 5A58 FFE6 50B4 0E8A D0CD 2158<br />
Anto - CN: A small virus, only 129 bytes long, which does nothing other than replicate.<br />
Anto B800 425A 87CF CD21 B440 5A87 CFCD 21B4<br />
apilapil - CER: An encrypted virus with an infective length of 1731 bytes. If the date is<br />
the first of any month on or after year 1992, it overwrites the first 11 sectors of first 4<br />
heads and first 14 tracks with garbage. It contains the text 'E.U.P.M. 1991'.<br />
apilapil 2E8C 0601 008C C88E D8B9 A006 BF03 002E<br />
Apocalypse - CER: Slight mutation of the Jerusalem virus. Detected by the Jerusalem-<br />
USA pattern.<br />
Apocalypse II - CER: Slight mutation of the Eddie-2000 virus. Detected by the Dark<br />
Avenger pattern.<br />
Arab, 834 - CR: Awaiting analysis.<br />
Arab 3D00 4B75 368B EC8B 7600 8B7E 028C C98E<br />
Arf - CN: A 1000 byte mutation of the Violator virus. Will display 'Arf Arf! Got you!'<br />
when it activates. Detected by the 'Violator' pattern.
Armagedon - CR: A 1079 byte virus from Greece, which interferes with the serial port.<br />
It will produce control strings for Hayes-compatible modems, dialling number 081-141<br />
(speaking clock in Crete). Virus name is spelt with a single 'd'.<br />
Armagedon 018C CBEA 0000 0000 8BC8 8EDB BE00 01BF<br />
AT - CR: This is a fairly old group of viruses, but they only work on '286 processors and<br />
above. They have no significant effects.<br />
AT-144 0042 33C9 CDB4 B440 8D54 FFB1 0389 2CCD<br />
AT-149 33C9 33D2 CD21 B440 8D54 FFB1 0389 2CCD<br />
AT-132 B800 428B CACD E5B4 40B2 2DB1 0389 2CCD<br />
Attention - CR: A Russian, 394 byte virus. The virus has some code in common with the<br />
'Best Wishes' virus, which is possibly written by the same author. Infective length is 393<br />
bytes and only fdes longer than 786 bytes are infected. Disk writing is done by outputting<br />
directly to hardware via port 3F2H.<br />
Attention B000 8BDA B501 433A 0775 FB4B 4B81 275F<br />
Australian 403 - CR: Destructive, overwriting 403 byte virus which has no side-effects<br />
other than destroying the programs it infects.<br />
Australian 403 8C06 5B01 8CC8 8ED8 B821 25BA 9401 CD21<br />
Azusa - MR: A short boot sector virus, which may damage data on diskettes larger than<br />
360K. When it activates, it will disable COM1: and LPT1:. (VB April 91).<br />
Azusa B908 27BA 0001 CD13 72F1 0E07 B801 02BB<br />
Backtime - CR: A 528 byte virus which is awaiting analysis.<br />
Backtime 2125 CD21 8CC8 8ED8 8EC0 58BB 0001 53C3<br />
Bad boy - CR: A 1001 byte virus, which may have been written by the same author as the<br />
'Boys' virus, but is structurally different. Awaiting analysis.<br />
Bad boy 0175 0383 C302 5351 8B07 8B4F 108B D830<br />
Bandit - EN: This 2653 byte virus is detected by the 'Old Yankee' pattern. Awaiting<br />
analysis.<br />
Bebe - CN: A Russian, 1004 byte virus.<br />
Bebe B104 D3EB 240F 3C00 7401 4389 1E0C 00C7<br />
Beijing, Bloody! - MR: A primitive 512-byte virus. On 129th boot and every sixth boot<br />
thereafter, the virus displays the message 'Bloody! Jun. 4,1989'. The virus is believed to<br />
be a protest against the Tiananmen Square massacre. (VB Feb 91).<br />
Beijing 80FC 0272 0D80 FC04 7308 80FA 8073 03E8<br />
Best Wishes - CR: A 1024 byte Russian virus containing the message 'This programm...<br />
With Best Wishes!'. Many programs, including COMMAND.COM will not work<br />
properly if infected with this virus.<br />
Best Wishes 4C00 268C 1E4E 0007 1FB8 0400 8BF5 81EE<br />
Best Wishes-970 - CER: This virus is detected by the search pattern for the Attention<br />
virus, but not the pattern for the Best Wishes-1024 virus, which may indicate a common<br />
author (or a close relationship). This mutation is generally not able to infect EXE files<br />
properly.
Beware, Monday 1st - CN: This 442 byte virus activates on the first day of the month,<br />
provided it is Monday, and then overwrites the first track of diskettes in drive A. It<br />
contains the text 'BEWARE ME - 0.01, Copr (c) DarkGraveSoft - Moscow 1990'.<br />
Beware C3B4 3ECD 21C3 8DB5 8402 57B9 3100 8BFE<br />
Big Joke - CN: A Norwegian virus awaiting full disassembly. Infectious length is 1068<br />
bytes. Contains text: 'At last ALIVE!!!!! I guess your computer is infected by the Big<br />
Joke Virus. Release 4/4-91 Lucky you, this is the kind version. Be more careful while<br />
duplicating in the future. The Big Joke Virus, killer version, will strike harder. The Big<br />
Joke rules forever'.<br />
Big Joke 8BE8 83C5 030E 588E D88E C08D 7643 BF00<br />
Black Monday - CER: This virus was first isolated in Fiji, but may have been written<br />
elsewhere. It adds 1055 bytes to infected files. The name is derived from the message<br />
'Black Monday 2/3/90 KV KL MAL'. Infected EXE files cannot be disinfected, as the<br />
virus will overwrite a few bytes at the end of the file.<br />
Black Monday 8B36 0101 81C6 0501 8B04 8B5C 02A3 0001<br />
Black Monday-Borderline - CR: This virus is detected by the Black Monday pattern,<br />
but it appears to be an older mutation, as it lacks the ability to infect EXE files. It is also<br />
shorter, only 781 bytes.<br />
Black Wizard - EN: A mutation of the 'Old Yankee' virus, and detected by the pattern for<br />
that virus. This mutation is 2051 bytes long and plays a different tune than the original<br />
virus, but is otherwise similar.<br />
Blinker - CR: A 512 byte mutation of Backtime, and detected by the pattern for that<br />
virus. This also applies to a496 byte mutation which was made av<strong>ai</strong>lable as 'Joker'.<br />
Black Jec - CN: A family of small viruses, which are aw<strong>ai</strong>ting analysis. The following<br />
mutations are known: Bljec-3 (231), Bljec-4 (247), Bljec-5 (267), Bljec-6 (270), Bljec-7<br />
(287), Bljec-8 (358) and Bljec-9 (369). Four new mutations of this virus have been found,<br />
but they are all detected by the original pattern. The differences seem to be caused by the<br />
fact that a different assembler has been used to assemble the source code.<br />
Black Jec B980 00BE 7FFF BF80 OOF3 A4B8 F3A4 A3F9<br />
Black Jec-4B, 6B, 8B - CN: A group of viruses 252,281 and 363 bytes long and very<br />
similar to the mutations Bljec-4,6 and 8. They are functionally identical and detected as<br />
Black Jec (Bljec).<br />
Black Jec-Digital F/X - CN: This 440 byte mutation is extremely badly written. It starts<br />
with a block of text, which will totally crash on most PCs. However, the virus may work<br />
on some '386 machines. Detected with the Black Jec (Bljec) pattern.<br />
Blood - CN: A simple virus from Natal, South Africa The 418 byte virus does nothing of<br />
interest, apart from replicating.<br />
Blood 1E0E 1FB4 19CD 2150 B202 B40E CD21 B41A<br />
BNB, Beast-N-Black - CN: This 429 byte virus might be re-classified as a Vienna<br />
mutation. It cont<strong>ai</strong>ns the text 'Beware the Beast-N-Black'.<br />
BNB FC8B F283 C619 BF00 01B9 0300 F3A4 8BF2
KNOWN IBM-PC VIRUSES 165
Bob - CN: This 718 byte virus seems rather badly written. It overwrites the first 698 bytes of files, storing the overwritten code at the end. The virus activates in January 1993, but its exact effects have not been fully determined.
Bob 81F9 C907 7206 80FE 0175 0145 B200 BE00
Boojum - ER: A simple 334 byte virus which does nothing but replicate.
Boojum 1E06 06B8 2135 CD21 09DB 7433 2E89 1E18
Boys - CN: A 500 byte virus containing the text 'The good and the bad boys'. Awaiting analysis.
Boys BE01 01AD 0503 0050 8BF0 BF00 01B9 0500
Brain, Ashar, Shoe - DR: Consists of a bootstrap sector and 3 clusters (6 sectors) marked as bad in the FAT. The first of these contains the original boot sector. In its original version it only infects 360K floppy disks and occupies 7K of RAM. It creates a label '(c) Brain' on an infected disk. There is a variation which creates a label '(c) ashar'.
Brain FBA0 067C A209 7C8B 0E07 7C89 0E0A 7CE8
Brainy - CR: A 1531 byte virus of Bulgarian origin, which appears to do nothing but replicate. It is rather interesting from a technical point of view, as it may insert itself into the middle of another program, without modifying the program's starting instructions. Brainy uses a simple 'byte-swap' encryption.
Brainy 1B90 8BEC 0E1F BC34 00FC AD86 C489 44FE
Brunswick, Stoned 16 - MR: Infects the first fixed drive and floppy drives A and B. On floppy disks the original boot sector is stored in head 1, cylinder 0, sector 3 and may cause directory corruption. On hard disks the original boot sector is stored in head 0, track 0, sector 16.
Brunswick D4FF E8E7 FF74 252E C606 2901 00B8 0103
Bulgarian 123 - CN: A simple 123 byte virus from Bulgaria, which does nothing but replicate. It may infect the same file over and over.
Bulgarian 123 B103 8D54 F4B4 40CD 21B4 3ECD 21B4 4FCD
Burger - CN: Just like the 405 virus, this primitive 560 byte virus overwrites infected files, which makes it easily detectable. Several mutations with slightly different lengths are known.
Burger 1 B447 0401 508A D08D 3646 02CD 2158 B40E
Burger 2 CD21 B43E CD21 2E8B 1E00 E081 FB90 9074
Burger 382 - CN: Simple overwriting virus from Taiwan which overwrites part of the program.
Burger 382 B417 8D16 5502 CD21 3CFF 7514 B42C CD21
Burger 405 - CN: Infects one COM file (on a different disk) each time an infected program is run, by overwriting the first 405 bytes. If the length of the file is less than 405 bytes, it will be increased to 405. The virus only infects the current directory and does not recognise previously infected files.
Burger 405 26A2 4902 26A2 4B02 26A2 8B02 50B4 19CD
Burger-Pirate - CN: This 609 byte overwriting virus is a simple modification of the original Burger virus, with a text message added at the end, which indicates that the virus was written in Portugal.
Burger-Pirate B800 002E A371 032E A3F9 022E A2FB 02B4
Burghofer - CR: A simple 525 byte virus from Switzerland, which appears to do nothing of interest.
Burghofer B448 CD21 5B48 8EC0 FA26 C706 0100 0000
Cadkill - CR: Awaiting analysis. Infectious length is 1163 bytes. A mutation with an infectious length of 2367 bytes exists.
Cadkill E800 005B 5056 B4CB CD21 3C07 7535 81C3
Cannabis - DR: A Dutch boot sector virus, which contains the text 'Hey man, I don't wanna work. I'm too stoned right now.' The virus is very badly written and only just qualifies to be classified as a virus.
Cannabis B810 008E D8A1 1303 4848 A313 031F B106
Captain Trips - CER: A mutation of Jerusalem, of the same length as the original (1808/1813 bytes), but with numerous minor modifications. Most of them appear intended to invalidate the signature strings used by various scanners.
Captain Trips B842 0150 EAFC 0300 008C C88E D0BC 0007
CARA - CR: A 1025 byte virus. Awaiting analysis.
CARA 812E 0200 C000 B44A BB00 B0CD 2181 EBC0
Carioca - CR: This virus adds 951 bytes to the end of infected programs, but it has not been analysed yet.
Carioca 01FC F3A4 B800 0150 C32E 8B1E 0301 81C3
Cascade, Fall, Russian, Hailstorm - CR: This encrypted virus attaches itself to the end of COM files, increasing their length by 1701 or 1704 bytes. The encryption key includes the length of the infected program, so infected files of different lengths will look different. After infection it becomes memory-resident and infects every COM file executed, including COMMAND.COM. The original version will produce a 'falling characters' display if the system date is between 1st October and 31st December 1988. The formatting version will format the hard disk on any day between 1st October and 31st December of any year except 1993. Both activations occur a random time after infection, with a maximum of 5 minutes. (VB Sept 89)
Cascade (1) 01 0F8D B74D 01BC 8206 3134 3124 464C 75F8
Cascade (1) 04 0F8D B74D 01BC 8506 3134 3124 464C 75F8
Cascade (1) Y4 FA8B CDE8 0000 5B81 EB31 012E F687 2A01
Cascade format 0F8D B74D 01BC 8506 3134 3124 464C 77F8
Cascade-1621 - CR: This Cascade mutation has the encryption routine changed.
Cascade-1621 FAE8 0000 5B81 EB07 0183 BF01 0100 740E
Cascade-1661 - CR: A rewritten version of the Cascade virus. It has been modified in several ways, changing the activation date to December of any year other than 1980 and 1990.
Cascade-1661 012E F684 9301 0174 0F8D BCB6 01BC 5A06
Cascade 1701-F - CR: Very closely related to the 1701-A mutation, but the encryption routine has been changed.
Cascade 1701-F 012E F687 2A01 0174 0F8D B74D 01BA 8206
Cascade-1701-S - CR: A minor modification of the Cascade virus, with the encryption routine changed, probably to bypass some scanner. Reported to have been written in Sweden.
Cascade 1701-S FA8B ECE8 0000 5B81 EB31 01F6 872A 0101
Cascade-1706 - CR: This mutation seems to be based on the 1704 byte mutation, but it has been changed and reassembled.
Cascade-1706 3001 F687 2901 0174 0F8D B74B 01BC 8806
Cascade Y1 - CR: A mutation of Cascade.
Cascade Y1 FA89 E5E8 0000 5B81 EB31 012E F687 2A01
Cascade YAP - CR: A mutation of Cascade with a slightly modified encryption routine.
Cascade YAP 0F8D B74D 01BC 8206 3124 3134 464C 75F8
Casino - CR: The virus infects COM files smaller than 62905 bytes and, when triggered, it destroys the FAT and then offers to play the Jackpot game. If you win, it reconstructs the FAT; if you lose, the machine hangs. The virus triggers on 15th January, 15th April and 15th August of any year. (VB Mar 91)
Casino 594B 7504 B866 06CF 80FC 1174 0880 FC12
Casper - CN: This virus was written by Mark Washburn and uses the same encryption method as the 1260 virus. The infective length is 1200 bytes. The virus sets the seconds field to 62. The source code for this virus has been widely circulated and it includes a 'manipulation task' (payload) which will format cylinder 0 of the hard disk. No search pattern is possible.
CAZ - CER: 1204 byte virus. Not yet analysed.
CAZ 8BEC 7207 8366 0AFE EB08 9083 4E0A 01EB
CAZ-1159 - CER: Similar to the 1204 byte version, and detected with the same pattern.
CB 1530 - CER: This 1530 byte virus is detected by the 'Dark Avenger' pattern.
Cemetery - ER: A 1417 byte mutation of the Murphy virus. Detected by the Murphy 2 pattern.
Checksum - CR: Version 1.00 of this Russian virus is 1233 bytes long and version 1.01 is 1232 bytes long, with only minor differences. As the name implies, the virus calculates a checksum for itself, and if this has changed it will not activate. The virus is designed to replace older versions of itself.
Checksum 832E 0300 4F83 2E02 004F 0BC9 740B 508C
Chinese Fish - MR?: This boot sector virus has not been fully analysed, because at the moment only a part of the virus code (the boot sector) is available.
Chinese Fish 7CB9 0B00 FCAC 2680 3D00 7400 268A 058A
Christmas in Japan - CN: A 600 byte virus from Taiwan, which will activate on 25th December, and display the message 'A merry Christmas to you'.
Christmas Japan 32E4 CF8A 1446 80F2 FE74 06B4 06CD 21EB
Christmas Tree, Father Christmas, Choinka - CN: This is a Polish 1881 byte version of the Vienna virus, which only activates from 19th December to the end of the year and displays a 'Merry Christmas' message. Damage to files has been reported, but not confirmed. This virus is also detected by the Vienna (4) string.
Christmas Tree CD21 81FA 130C 7308 81FA 0101 7202 EB0E
Christmas Violator - CN: A 5302 byte mutation of the Violator virus.
Xmas Violator 11AC B900 80F2 AEB9 0400 ACAE 7BED E2FA
Cinderella - CR: The name of this 390 byte virus is derived from the text 'clnDeReL.la' contained within the virus. After a certain number of keystrokes, the virus creates a hidden file, and jumps to a location in ROM, which caused a cold boot on a test machine.
Cinderella FA0E 1FBE 8A03 BF90 00AD 8905 AD89 4502
Close - ER: This 656 byte virus may damage either C:\IO.SYS or C:\IBMBIO.COM, making the hard disk unbootable.
Close FE0F 1F83 2C31 1E8B CE36 FE07 0726 836C
Cookie - CER: This 2232 byte virus may display the message 'I want a COOKIE!', and wait for input from the user. It is closely related to the Syslock/Macho/Advent viruses, and is identified by the Syslock string.
Cookie - CEN: This virus is not related to the 'Cookie' mutations of the 'Japanese Christmas' and 'Syslock' families, but it is large and was compiled with one of the Borland compilers. As the name indicates, the virus demands a cookie, but it has not been analysed, because of its size. Two mutations are known, 7360 and 7392 bytes long.
Cookie-7392 BFD6 3E1E 57BF 4820 1E57 B8E0 1C50 BF5A
Cookie-7360 BFE2 3E1E 57BF 4820 1E57 B8C0 1C50 BF66
Copmpl - CER: This is a 1111 (COM) or 1114 (EXE) byte Polish mutation of the Akuku virus. The name is derived from the following text, which can be found inside the virus: 'Sorry, I'm copmpletly dead'. The only effect of the virus is to play a tune.
Copmpl 80E6 0F8A D680 FA00 7407 80FA 0B76 06B2
Copyright - CN: A 1193 byte virus from Eastern Europe, which contains a fake Award BIOS copyright message. Awaiting analysis.
Copyright AB4A 75F2 E2EA 33C0 CD16 B800 06B7 0733
Cossiga - EN: This is a family of two viruses: an 883 byte version, which is clearly older and more primitive, and a 1361 byte mutation which contains the string 'FRIENDS OF MAIS and CLAUDIA SAHIFFER'. Not yet analysed.
Cossiga 8BC1 83E1 0FBB 1000 2BD9 53F8 8B55 1C03
Friends 5158 83E1 0FBB 1000 2BD9 53F8 8B55 1C03
Crazy Eddie - CER: A 2721 byte virus which has not been fully analysed.
Crazy Eddie 0653 B803 01CF 813C 4D5A 7404 813C 5A4D
Crazy Imp - CR: A 1445 byte virus, which is very stealthy. It was received from Minsk. It uses several tricks to hide from debuggers, but has no effects other than replication.
Crazy Imp B413 CD2F 33C0 8ED8 832E 1304 048C C88E
Creeper - CR: There seems to be some confusion regarding the 'Creeper' name, as various 'Creeper' viruses have been reported, and their descriptions do not match at all. This one is 475 bytes long, and is found at the beginning of COM files.
Creeper 0E0E 071F C3CD 2050 2D00 4B74 2658 3DFF
Creeper-252 - CR: Similar to the mutation reported earlier.
Creeper-252 C6FE C60E 07CD 2750 2D00 4B74 2558 3DFF
Crew, 2480 - CR: This virus only spreads if the year is set to 1988, so it is not a serious threat. It is rather long, 2480 bytes, but has not been analysed yet. This virus first appeared in Finland. Two versions exist.
Crew 81C6 0301 01C6 B904 008C C88E C08E D8BF
Criminal - CN: Contains an encrypted message in bad English which urges the user to turn himself in for illegal copying. Not fully analysed, but suspected of being destructive.
Criminal C604 E989 4401 C744 03FF 20B4 42B0 008B
CSL, Microelephant - CR: A 381 byte virus from Eastern Europe, which contains the text '26.07.91 .Pre-released Microelephant by CSL'. This virus does nothing but replicate.
CSL E800 0058 2D04 0051 521E 068B F005 9200
CSL-V4 - CR: A 517 byte mutation of the CSL (or Microelephant) virus reported in the December edition, and probably written by the same author. Not yet analysed. CSL-V5 is another new mutation of the same virus, but it is only 457 bytes long.
CSL-V4 5152 1E06 8BF0 0590 008B D88C C88E D8BF
CSL-V5 5152 1E06 8BF0 0592 008B D88C C88E D8BF
CZ2986 - CER: This Czechoslovak virus, reported by Pavel Baudis of ALWIL software, is based upon Old Yankee. It infects files on load-and-execute requests and, if the NetWare LOGIN.EXE is executed, the virus collects the ID and password information. It maintains a list of the 15 most recent pairs in encrypted form.
CZ2986 9074 13EB 3090 BF6F 09E8 3300 AA3C 6F90
Dada - ER: A Russian virus which contains the text 'da,da' - Russian for 'yes, yes'. Awaiting analysis.
Dada CB50 8CC0 2603 0603 0040 8EC0 58C3 33C0
Damage - CER: Two related viruses, 1063 and 1110 bytes long, which cause 'Sector not found' errors by reformatting selected areas of disks. Detected by the 'Diamond' pattern.
Danish Tiny-251 - CN: This virus seems to be derived from the 163 byte mutation, but is not particularly interesting.
Danish-251 8BFA B903 00CD 2180 3DE9 7407 B44F EBDC
Danish Tiny-Brenda: This 256 byte virus is similar to the 251 byte version, but the effects are different - when an infected program is run, it may occasionally display the text '(C) '92, Stingray/VIPER Luv, Brenda'.
Danish-Brenda 8BD7 B902 0090 B43F CD21 813D 0708 74DD
Danish Tiny-Stigmata - CN: A 1000 byte version, with a considerable part of the virus' body taken up by a greeting to various virus writers and anti-virus developers.
Danish-Stigmata 5053 5156 8B9C EB04 81C6 5C01 B98D 0390
Dark Avenger, Eddie - CER: The virus infects when a file is opened and closed, as well as when it is executed. This means that a virus-scanning program will cause it to infect every program scanned. Infective length is 1800 bytes. It only infects if a program is at least 1775 bytes long, and it may overwrite data sectors with garbage. There is a mutation which extends the file by 2000 bytes. (VB Feb 90)
Dark Avenger A4A5 8B26 0600 33DB 53FF 64F5 E800 005E
Darklord - CER: A mutation of the Terror virus, this 921 byte virus contains the string 'Dark Lord, I summon thee! MANOWAR'. Awaiting further analysis.
Darklord 8EC0 488E D88B 1E03 0083 EB65 03C3 26A3
Darth Vader - CR: A family of small viruses, probably from Bulgaria. Some of the 4 known mutations contain code which will only work on '286 and above. Awaiting analysis.
Darth Vader B820 12CD 2F26 8A1D B816 12CD 2F
Datacrime - CN: The virus attaches itself to the end of a COM file, increasing its length by 1168 or 1280 bytes. On execution of an infected program, the virus searches through the full directory structure of drives C, D, A and B for an uninfected COM file, which will be infected. Files whose 7th letter is D will be ignored (including COMMAND.COM). If the date is on or after 13th October of any year, the first 9 tracks of the hard disk will be formatted after displaying the message: 'DATACRIME VIRUS', 'RELEASED: 1 MARCH 1989'. This message is stored in an encrypted form in the virus. (VB Aug 89)
Datacrime (1) 3601 0183 EE03 8BC6 3D00 0075 03E9 0201
Datacrime (2) 3601 0183 EE03 8BC6 3D00 0075 03E9 FE00
Datacrime II - CEN: This encrypted virus attaches itself to the end of a COM or EXE file, increasing its length by 1514 bytes. The virus searches through the full directory structure of drives C, A and B for an uninfected COM or EXE file. It ignores any file whose second letter is B. If the date is on or after 13th October of any year, but not a Monday, a low-level format of the first 9 tracks will be done on the hard disk after displaying the message 'DATACRIME II VIRUS', which is stored in an encrypted form. Datacrime IIB displays the message '* DATACRIME *'. (VB Aug 90)
Datacrime II 2E8A 072E C605 2232 C2D0 CA2E 8807 432E
Datacrime IIB 2BCB 2E8A 0732 C2D0 CA2E 8807 43E2 F3
Datalock - CER: The name of this 920 byte virus is included at the end of infected programs, but its effects are not known yet.
Datalock C31E A12C 0050 8CD8 488E D881 2E03 0080
Day/10 - CN: This 674 byte virus was made available to virus researchers under the name of 'Numlock', but that is just the name of the original sample. The effects of the virus have nothing to do with the NumLock key - instead it will overwrite the first 80 sectors on the hard disk if the day of the month is divisible by 10.
Day/10 8E06 2C00 B900 10FC 33FF B050 F2AE 7518
dBASE - CR: Transposes bytes in dBASE (DBF) files. Creates the hidden file BUGS.DAT in the root directory of drive C and generates errors if the absolute difference between the month of creation of BUGS.DAT and the current month is greater than or equal to 3. Infective length is 1864 bytes. The destroy version destroys drives D to Z when the trigger point is reached. (VB Dec 89)
dBASE 50B8 0AFB CD21 3DFB 0A74 02EB 8A56 E800
dBASE destroy B900 01BA 0000 8EDA 33DB 50CD 2658 403C
DBF Blank - CER: This virus waits for a dBASE (DBF) file to be opened and returns a blank record once every 20 disk reads. Only one DBF file is affected at a time. Infective length is 1075 bytes.
DBF Blank F3A4 C38C C02E 0344 1A05 1000 502E FF74
December 24th - ER: A mutation of the Icelandic (3) virus. It will infect one out of every 10 EXE files run, which grow by 848-863 bytes. If an infected file is run on December 24th, it will stop any other program from running and display the message 'Gledileg jol' (Merry Christmas in Icelandic).
December 24th C606 7E03 FEB4 5290 CD21 2E8C 0645 0326
December 28th, Spanish April - CR?: Awaiting analysis.
December 28th B44A CD21 8BD4 B41A CD21 B42A CD21 32C0
Dedicated, Fear - CN: Two viruses which use the Mutation engine. No search pattern is possible.
Deicide - CN: A primitive 666 byte overwriting virus. When it activates, it will wipe out the first 80 sectors on drive C. According to a message inside the virus, it was written by a person named Glenn Benton.
Deicide 3C00 7502 FEC0 FEC0 3C03 7516 B002 BB00
Delyrium-1638, Move - CER: A virus by Cracker Jack, detected by the HIV pattern.
Demolition - CR: A 1585 byte encrypted virus which contains destructive code, as well as various text messages.
Demolition E800 005B 8D77 178A 04D0 E09C 81C6 0106
Demon - CN: A primitive 272 byte overwriting virus, written by the person calling himself 'Cracker Jack'.
Demon 02EB 02EB EFB4 2ACD 213C 0274 04B4 4CCD
Den Zuk, Search - DR: The majority of the virus is stored in a specially formatted track 40, head 0, sectors 33 to 41. When Ctrl-Alt-Del is pressed, the virus intercepts it and displays 'DEN ZUK' sliding in from the sides of the screen. This does not happen if KEYBUK or KEYB is installed. Den Zuk will remove Brain and Ohio and replace them with copies of itself.
Den Zuk (1) FA8C C88E D88E D0BC 00F0 FBE8 2600 33C0
Den Zuk (2) FA8C C88E D88E D0BC 00F0 FBB8 787C 50C3
Destructor - CER: A 1150 byte Bulgarian virus containing the string 'DESTRUCTOR V4.00 (c) 1990 by ATA'.
Destructor 5255 FBCB 3D00 4B74 1980 FC3D 740F 80FC
Devil's Dance - CR: A simple virus which infects COM files, adding 951 bytes at the end of infected files. The virus is believed to have originated in Spain or Mexico. It monitors the keyboard and will destroy the FAT after 5000 keystrokes.
Devil's Dance B800 0150 8CC8 8ED8 8EC0 C306 B821 35CD
Dewdz - CN: This 601 byte virus adds itself in front of the files it infects. When it activates it will display the text 'Kewl Dewdz!' in the middle of the screen.
Dewdz 434B 7409 B44F CD21 72BA 4B75 F7B4 2FCD
Diabolik - CER: A 1171 byte mutation of the Murphy virus. Detected by the Murphy 2 pattern.
Diamond, 1024 - CER: A Bulgarian virus, possibly written by the person calling himself 'Dark Avenger'. This virus may be an earlier version of the Dark Avenger virus. No side-effects or activation dates have been found. Diamond-B is a minor mutation.
Diamond 00B4 40CD 2172 043B C174 01F9 C39C 0EE8
Diamond-1173, David - CER: A modification of the Diamond-B virus, produced by inserting NOP instructions and making other minor changes. Contains errors which will generally cause infected COM files to crash. Detected by the 'Diamond' pattern.
Dir - CR: A 691 byte Bulgarian virus, which only infects files when the DIR command is issued. No other effects have been found.
Dir CD26 0E1F 580E 1FBE 0001 56C3 0E0E 1F07
DIR-II - LCER: A new type of 'link' virus from Bulgaria. It is 1024 bytes long and it infects executable files by linking a single cluster containing virus code with the starting cluster of each file in the directory entry. The original cluster number is saved, encrypted, in the unused part of the directory entry. The virus does not have any side-effects. (VB Nov 91)
DIR-II BC00 06FF 06EB 0431 C98E D9C5 06C1 0005
DIR-II-1 - LCER: Two new mutations of this virus have appeared. The pattern will detect all three mutations.
DIR-II-1 26FF 77FE 26C5 1F8B 4015 3D70 0075 1091
Discom - CR: A 2053 byte mutation of the Jerusalem virus. Awaiting analysis.
Discom 57CD 2172 1F8B F18B FAB8 0242 B9FF FFBA
Diskjeb - CER: A disk-corrupting virus with an infective length of 1435 bytes (COM) and 1419 bytes (EXE). Only infects COM files longer than 1000 bytes and EXE files longer than 1024 bytes. In October, November and December disk writes will be intercepted and corrupted. A possible mutation of the Tenbyte virus.
Diskjeb 5351 061E 9C8C C88E D8E8 5D00 803E 4903
Diskspoiler, 1308 - CN: A 1308 byte Russian virus, which uses very simple encryption. The virus searches the FAT for free clusters and marks them as bad, slowly eating up the entire disk.
Diskspoiler E800 005E 8BFE B90B 0580 750E FF90 47E2
Disk Killer, Ogre - DR: The virus infects floppy and hard disks and, if the computer is left on for more than 48 hours, it will encrypt the contents of the bootable disk partition. The infection of a disk occurs by intercepting a disk read - INT 13H function 2. When the virus triggers, it displays the message 'Disk Killer — Version 1.00 by Ogre Software, 04/01/1989. Warning!! Don't turn off the power or remove the diskette while Disk Killer is Processing!'. A mutation (Disk Killer 2) assembled with a different assembler has been found. (VB Jan 90)
Disk Killer 2EA1 1304 2D08 002E A313 04B1 06D3 E08E
Disk Killer 2 7423 2E3A 16F4 0175 EE2E 3A36 F501 75E7
DM-310 - CR: Probably an older and more primitive version of the DM-400 virus. It does not seem to do anything but replicate.
DM-310 F7C1 FEFF 7405 B801 43CD 63C3 E800 005D
DM-330 - CR: This encrypted virus contains text stating that it is version 1.05 of the DM virus, but it is considerably different from the earlier versions. Only a partial search string (which includes wildcards) is possible.
DM-400 - CR: This 400 byte virus does not seem to do anything but replicate. It contains the text '(C)1990 DM'.
DM-400 80FC 4B74 3380 FC56 7419 FE04 80FC 3D74
DM-400 (1.01) - CR: A slightly improved version of the DM-400 virus, with extra encryption. It is also 400 bytes long. The virus corrupts files that fit the *.TP? pattern, overwriting their first 8 bytes.
DM-400 1.01 56B9 2401 3024 46E2 FB5E C3E8 0100 CF5D
Do-nothing - CR: A badly-written virus from Israel that assumes a 640K system.
Do nothing 8CCA 8EDA BA00 988E C2F3 A41E B800 008E
Doom2 - CER: This 1252 byte virus is not always able to infect files. The machine hangs immediately after a file is infected.
Doom2 803E 0A01 4574 052E 033E 0301 2E30 0547
Doom II-B - CER: This mutation of Doom-2 has not been able to replicate under test conditions - infected programs hang or overwrite the FAT and root directory on drive C. Version B uses the same encryption method as the other known mutation.
Doom-II-B 803E 0901 4574 052E 033E 0301 2E30 0547
Dot Killer - CN: This 944 byte Polish virus will remove all dots (.) from the screen when they are typed. The effect can be disabled by typing a caret '^'. The seconds field is set to 62. Files set to Read-Only will not be infected.
Dot Killer 582E A301 0158 2EA2 0001 B800 01FF E0B8
Durban, Saturday 14th - CER: Adds 669 bytes to the end of infected files. On any Saturday 14th the first 100 logical sectors of drives C, then B and then A are overwritten.
Durban B911 00A4 E2FD B4DE CD21 80FC DF74 47C6
Dutch Tiny-99 - CN: One of the smallest viruses which do not infect by overwriting existing files. It does nothing but replicate.
Dutch Tiny-99 93B4 3FCD 2180 3C4D 741D B002 E820 0097
Dutch Tiny-124 - CR: Another small virus from the Netherlands, probably written by the same author as the previous one. Rather badly written, and crashes on certain types of hardware.
Dutch 124 930E 1FB4 3FCD 218B F280 3C4D 741C B002
Dutch Tiny-126 - CR: This virus from the Netherlands is an attempt to create the smallest resident virus, but it has no effect other than replicating. Detected by the Dutch 124 pattern.
Dyslexia, Solano - CR: The virus adds 1991 bytes in front of the infected file and 9 bytes at the end. Occasionally transposes two adjacent characters on the screen.
Dyslexia B4C0 CD21 3D34 1275 0E2E 8B0E 0301 1E07
Eddie-2, 651 - CER: A non-destructive virus from Bulgaria. It marks infected files with a value of 62 in the seconds field of the timestamp, which makes them immune from infection by Vienna or Zero Bug. Infected files grow by 651 bytes, but this will not be seen if a DIR command is used - the virus intercepts the find-first and find-next functions, returning the correct (uninfected) length. (VB June 90)
Eddie-2 D3E8 408C D103 C18C D949 8EC1 BF02 00BA
Eddie-1801 - CER: A minor mutation of the Dark Avenger virus, one byte longer and detected by the same pattern.
E.D.V. - DR: E.D.V. marks infected disks with 'EV' at the end of the boot sector and stores the original boot sector code in the last sector of the last track on 360K disks, just like the Yale virus. Program crashes and data loss have been reported on infected systems.
E.D.V. 0C01 5083 EC04 B800 01CF B601 B908 2751
Eliza - CN: This 1193/1194 byte virus works very badly. It damages EXE files instead of infecting them, and second-generation copies of the virus will normally not work.
Eliza FFE0 5E81 C600 01BF 0001 5951 56AC AAE2
EMF - CN: This 404 byte virus contains the text 'Screaming Fist', but is quite different from the Screamer virus. It may have been written by the same author. Not fully analysed.
EMF E810 00B4 408B D583 EA03 B993 01CD 21E8
Enemy - CER: This virus is difficult to detect, as its length is variable and it uses a self-modifying encryption routine. The virus includes the text 'I am a stranger in a strange land'. No effects have been found.
Enigma - ER: A mutation of the 'Old Yankee' virus, claiming to have been written by the same author as HIV. It is 1624 bytes long, and is detected by the Old Yankee pattern.
Enola - CER: A 1864 byte virus, probably of Russian origin, but not yet analysed.
Enola FF74 081F 8ED8 B800 0150 C38C C805 1000
Erasmus - CER: A 1682 byte version of the Murphy virus. Detected by the HIV pattern.
ETC - CN: A 700 byte virus, containing the text 'Virus, (c) ETC'. Awaiting analysis.
ETC 8B16 0201 83C2 33CD 2172 CD89 D68B 043D
Europe '92 - CR: This 421 byte virus will only activate if the year is set to 1992, when it will display the message 'Europe/92 4EVER!'.
Europe '92 B450 CD21 8CD8 488E D8C6 0600 005A 891E
Europe '92-424 - CR: Three bytes longer than the original mutation, but very similar, and detected with the same pattern.
Even Beeper - EN: This companion virus is highly unusual. It creates a COM file for every EXE file it 'infects'. The COM files are structurally EXE files, written in a high-level language, but their length is variable, and they have been compressed with LZEXE. As a result it is impractical to use a signature to detect infected files.
Evil - CR: This is a close relative of the Bulgarian Phoenix virus, but is shorter, 1701 bytes instead of 1704. It uses the same encryption method, which makes the extraction of a search pattern impossible.
Evil Empire - MR: Virus infects the Master Boot Sector and relocates the original boot sector to Sector 6, Head 0, Track 0. Virus displays a text message questioning the United States' involvement in the recent Gulf War. (VB May 91)
Evil Empire 734C 80FC 0275 4731 C08E D880 3E6C 0416
Evil Empire B - MR: An encrypted mutation, probably written by the same author as Evil Empire.
Evil Empire B 8CC8 8ED8 8EC0 BF05 00B9 9A01 FC8A 0504
F-709 - CR: This 709 byte virus is reported to have originated either in Sweden or in Finland. It has not been fully analysed, but appears to do nothing but replicate.
F-709 8BF2 33FF F3A5 068C C633 C08E C026 A184
Faggot - ?: Virus sample failed to replicate. A mutation of the Anti-Faggot virus discovered by the same search pattern. Contains text 'Hi Guy! Nice to meet you! I am the little FAGGOT Virus' and some more obscenities.
Fake-VirX - CN: A 233 byte virus from Finland which activates on any Friday the 13th, when it displays the message 'VirX 3/90'.
Fake-VirX 408B D5B9 0600 CD21 B801 575A 59CD 21B4
Faust, Spyer - CER: Infects on calling the Load-and-Execute function, but does not infect COMMAND.COM. On the 13th day of every month the virus displays the message 'Chaos!!! Another Masterpiece of Faust...' and the machine hangs. The virus also writes random garbage to disk. Infective length is 1184 bytes. (VB Feb 91)
Faust B87A 0050 06B8 FD00 5026 C706 FD00 F3A4
Feist - CER: A 670 byte Russian virus, awaiting analysis.
Feist B10C D3E2 5233 D2B9 1000 F7F1 8BCA 5A03
Fellowship - ER: This 1019 byte virus attaches itself to the end of EXE files, damaging them by overwriting the last 10 bytes or so. Other effects are being analysed.
Fellowship BAF5 02E8 3A00 B60A E84A 00BA 1403 E82F
FGT - CN: 651 bytes. Not yet analysed.
Fichv 2.0 - CN: Very similar to the more common 903 byte mutation, but is only 896 bytes long.
Fichv 2.0 B801 35CD 218C 0629 0189 1E2B 01B8 0335
Fichv 2.1 - CN: A 903 byte encrypted virus, which contains the text 'FICHV 2.1 vous a eu'. Awaiting analysis.
Fichv B801 35CD 218C 0602 0189 1E04 01B8 0335
Filler - DR: A Hungarian virus with unknown effects.
Filler CD12 BB40 00F7 E32D 0010 8EC0 BA00 00EB
Finger - CER: A 1172 byte version of the Murphy virus. Detected by the Murphy-2 pattern.
Fingers 08/15 - CER: A 1322 byte virus which is awaiting analysis.
Fingers 08/15 AE26 803D 0075 F847 4747 8BD7 1E2E 8C16
Fish 6 - CER: A partial mutation of 4K having an infective length of 3584 bytes. The virus is encrypted and the decryption routine is so short that it is impossible to extract a hex pattern longer than 14 bytes. The virus seems to activate in 1991, but the exact effects are as yet unknown.
Fish 6 E800 005B 81EB A90D B958 0D2E 8037
Flash - CER: This 688 byte virus is awaiting analysis.
Flash 005E 8BDE 81C3 0F00 B000 FAD5 0A88 07EB
Flash-Gyorgy - CER: Like the Brenda and Milana viruses, this mutation of the Flash virus seems to be written by a lovesick virus author. In this case the message is 'I LOVE GYORGY'.
Flash-Gyorgy 1E06 0E1F FCE8 0000 5E8B DE83 C30E B000
Flip, Omicron - MCER: The primary effect of this 2343 byte virus is to 'flip' the screen by rotating it through 90 degrees on the second day of the month between 10:00 and 10:59. The virus is encrypted and self-modifying. An infected file has the seconds field set to 62. No search pattern is possible for COM/EXE files; the search pattern will be found in the master boot sector. (VB Sept 90). The original MBS is stored in the first sector after the end of the partition as recorded in the partition table.
Flip (boot) 33DB 33FF 8EC3 2629 0613 04CD 12B1 06D3
Forger - EN: A 1000 byte virus which causes subtle corruption - occasionally modifying a byte on the disk.
Forger 215A 520E 1F5F 0706 57B8 0000 B980 00F2
Form - DR: A boot sector virus from Switzerland infecting hard disks and floppy disks. On the 18th day of every month the virus produces a noise when keys are pressed. The original boot sector is stored in the last physical sector of the hard disk. (VB Nov 91)
Form D3E0 8EC0 33FF B9FF 00FC F3A5 06B8 9A00
Formiche - CR: A 6258 byte virus, which uses almost the same encryption method as Cascade.
Formiche 0F8D B74C 01BC D217 4631 3431 244C 75F8
Freew-692 - CN: When this virus activates (in 1993), it overwrites programs with a trojan that simply displays the message 'Program terminated normally.' when run. The virus is 692 bytes long.
Freew-692 81F9 C907 7206 80FE 0175 0145 B41A BA03
Frog's Alley - CR: A 1500 byte virus, which infects programs when the DIR command is issued, which makes it highly infectious. The virus activates on the 5th day of any month, overwriting the FAT and root directory.
Frog's Alley 0105 0001 26A3 1500 268C 1E13 0026 C706
Frogs B - CN: A very minor mutation of the earlier Frogs (Frog's Alley) virus, detected by the same pattern.
Fu Manchu - CER: The virus attaches itself to the beginning of a COM file or to the end of an EXE file. Infective length is 2086 bytes (COM) and 2080 (EXE). One in sixteen times on infection a timer is installed, which will trigger a display 'The world will hear from me again' after a random number of half-hours (max. 7.5 hours). The machine then reboots. The same message is also displayed on pressing Ctrl-Alt-Del, but the virus does not survive the reboot. If the date is after 1st August 1989, the virus monitors the keyboard buffer and adds derogatory comments to the names of politicians (Thatcher, Reagan, Botha and Waldheim), overstrikes two four-letter words, and displays 'virus 3/10/88 - latest in the new fun line!' if 'Fu Manchu' is typed. All messages are encrypted. (VB July 89)
Fu Manchu FCB4 E1CD 2180 FCE1 7316 80FC 0472 11B4
F-word, USSR-417 - CR: A 417 byte virus, probably of Russian origin. The only text inside the virus is the message 'Fuck You'.
F-word C3B4 3FCD 2129 C858 75DD FFE0 B440 EBF3
Generic - DR: Awaiting functioning sample for analysis.
Generic 31C0 8ED8 A113 042D 0700 A313 04B1 06D3
Gergana - CN: A simple 192 byte virus, which does nothing but replicate.
Gergana FFE0 5E81 C600 01BF 0001 B9B6 00F3 A4B8
Gergana-222,300,450,512 - CN: Four new mutations of the Gergana virus, which are longer than the original, with improved error handling and several minor modifications.
Gergana-222 BF80 FFB9 3000 F3A4 E9C6 FD5E 81C6 0001
Gergana-300 BF80 FFB9 3000 F3A4 E985 FD5E 81C6 0001
Gergana-450 BF80 FFB9 3000 F3A4 E97E FD5E 81C6 0001
Gergana-512 BA00 FAB4 3FCD 21C3 B900 02B4 40CD 21C3
GhostBalls - CN: A strain of the Vienna virus. Seconds field changed to 62, as in Vienna. Infective length is 2351 bytes and the virus attaches itself to the end of the file. When run, it will infect other COM files and try to place a modified copy of the Italian virus into the boot sector of drive A. This copy of the Italian runs on 286 machines but is non-infective. Virus contains the text 'GhostBalls, Product of Iceland'.
GhostBalls AE75 EDE2 FA5E 0789 BC16 008B FE81 C71F
Gliss - CN: A German 'demonstration' virus - very obvious, and does nothing but replicate.
Gliss 218B D85F 578B 45FC 0527 00BF 0401 8905
Goblin - CER: A 1951 byte mutation of the Murphy virus. Detected by the HIV pattern.
Gosia 8BD6 81C2 7001 B001 B900 00B4 43CD 2172
Gotcha - CER: Two related viruses from East Europe, 879 and 881 bytes long. They contain the text 'GOTCHA!' at the end, but it is not known when (or if) this text is displayed.
Gotcha 9C3D DADA 7428 80FC 3D74 0A3D 006C 7405
Gotcha-C - CER: A 906 byte mutation of the Gotcha virus. Awaiting analysis.
Gotcha-C 9C3D DADA 7458 5251 5350 5657 1E06 3D00
Gotcha-D - CER: The smallest member of the Gotcha family, 627 bytes long.
Gotcha-D 9C3D DADA 742E 5251 5350 5657 1E06 80FC
Got You - EN: A 3052 byte virus which contains code to overwrite critical portions of the hard disk. Not fully analysed.
Got You 6C00 4000 C5AA FFF0 413A 0034 122A 2E2A
GP1 - CER: This is a Dutch, Novell NetWare-oriented mutation of the Jerusalem virus. (VB June 91)
GP1 B4F7 CD21 80FC F773 1380 FC03 072E 8E16
Grapje!! - CEN: Awaiting analysis.
Grapje!! E8F3 01E8 2801 E89C 02E8 E202 730E B90A
Gremlin - CER: A 1146 byte 'Diamond' mutation detected by the same pattern.
Grither - CN: A 774 byte mutation of Vienna, which is detected by the Vienna (2) pattern. When it activates, it overwrites part of the hard disk, including the beginning of drive C.
Grune - CR: The name of this virus is derived from an encrypted text message, which refers to the Green party of Switzerland. Infected programs grow by 1241 bytes.
Grune 3601 0026 C606 0000 4D5E 5681 C6D5 0483
Guppy - CR: A very simple 152 byte virus. It does nothing but replicate, but many programs, including COMMAND.COM, will fail to execute if infected.
Guppy 521E B802 3DCD 2193 E800 005E 0E1F B43F
Hafenstrasse - EN: An 809 byte virus, probably from Germany. Awaiting analysis.
Hafenstrasse F607 FF74 1E8A 170A D274 0743 B402 CD21
Hafenstrasse-791 - EN: Very similar to the original version, and detected with the same pattern.
Hafenstrasse-1641 - CEN: Just like the 1689 byte mutation, this virus 'drops' the Ambulance virus. It is detected with the Hafenstrasse-Kilroy pattern.
Hafenstrasse-1689 - EN: This 1689 byte updated version of the Hafenstrasse virus differs considerably from the original. It contains a copy of the Ambulance virus, which it will 'drop', infecting COM files, but the Hafenstrasse virus itself only infects EXE files. Detected by the pattern for the 809 byte mutation.
Haifa - CER: This virus from Israel uses self-modifying encryption. The length is around 2350 bytes, but variable. No search pattern is possible. (VB Jan 92)
Hallochen - CER: A virus which reputedly originated in West Germany. It contains two text strings (the o in Hallochen is character code 148 decimal): 'Hallochen !!!!!!, Here I'm..', 'Activate Level 1..'. The virus will not infect 'old' files: if the value of the month or year fields in the time stamp is different from the current date, the file will not be infected. The virus will only infect files longer than 5000 bytes, increasing their length by 2011 bytes. (VB Feb 92)
Hallochen EB8C C903 D98E D3BC DB08 53BB 2E00 53CB
Halloween - CEN: Awaiting analysis.
Halloween 6F77 6565 6E55 89E5 B8B8 009A 4402 5701
Harakiri - CEN: This 5488 byte high-level language virus is not expected to become a real threat, as it is much too obvious - it simply overwrites files when infecting.
Harakiri 5DC2 0400 052A 2E65 7865 015C 052A 2E63
Hary Anto - CR: A 981 byte virus, which has not been analysed yet. Reported 'in the wild' in the UK.
Hary Anto B904 00D3 E8BB 3E01 8907 40B9 0400 D3E0
Helloween - CER: Despite the name similarity, this virus is totally unrelated to the Halloween virus. The name of this 1376 byte virus is derived from the string 'HELLOWEEN', which is stored inside it in encrypted form.
Helloween B440 EB02 B43F E815 0072 022B C1C3 33C9
Hey You-928 - CER: Unlike the 923 byte sample previously made available, this version is able to replicate without problems. Not yet analysed.
Hey You 2181 F9C7 0772 1C80 FE02 7217 80FA 1972
Hero - CER: A primitive 506 byte virus, which will not replicate beyond the first generation, as a programming error causes it to corrupt all programs it infects.
Hero C0CF 80FC 4B74 2080 FC25 7516 3C80 7212
Hero-394 - ER: Related to the 506 byte Hero virus, but does not damage the files it infects. Awaiting analysis.
Hero-394 B98A 0133 C0BF 0002 0305 83C7 02E2 F929
HH&H - CR: A 4091 byte encrypted virus, which contains the curious string 'HARD HIT & HEAVY HATE the HUMANS !!'. Not yet analysed.
Hitchcock - CR: A 1247 byte virus. It activates a few minutes after an infected program is run, and starts playing the tune from the Hitchcock TV series.
Hitchcock 2BD0 4A45 03E8 8EC5 4526 8916 0300 2689
HIV - CER: This virus is based on Murphy and contains a text message claiming it was written by 'Cracker Jack' in Italy.
HIV 2BC3 1BD1 7204 2906 0600 8BF7 33FF 0E1F
Horror - CER: An encrypted, 2319 byte virus.
Horror 8BFE 83C7 0AB9 4E04 2E8A 849D 042E 3005
Horse, Hacker, Black horse - CER: A family of viruses probably from Bulgaria. Currently 8 different mutations are known, which can be divided into two groups, with a different pattern required for each group. Awaiting analysis. The first group contains Horse-1 (1154), Horse-2 (1158), Horse-2B (1160) and Horse-7 (1152). The second group contains Horse-3 (1610), Horse-4 (1776), Horse-5 (1576) and Horse-6 (1594).
Horse (1) 00A3 0001 8B46 02A3 0201 B800 018C CAEB
Horse (2) 570E 07B9 0800 F3A4 B02E AAB9 0300 F3A4
Horse 8 - CER: No search pattern possible; virus awaiting analysis. Infective length is 2248 bytes.
Horse Boot - DR: Infects only floppy disks. Awaiting disassembly.
Horse Boot 8F06 727D 8F06 747D 48A3 1304 B106 D3E0
Horse Boot 2 - MR: This virus infects the Master Boot Sector and stores the original on track 0, head 0, sector 7, while on floppy disks it is kept on track 39, head 1, sector 9.
Horse Boot 2 FC29 C08E D8BD 007C FA8E D08B E5FB 5055
Hungarian-473 - CR: Closely related to the Hungarian-482 virus, this 372 byte virus activates on June 13th and then overwrites the Master Boot Sector of the hard disk. Detected by the Hungarian-482 pattern.
Hungarian-482 - CR: This 482 byte virus from Hungary activates on November 7th. If an infected program is run on that date it will display the string 'Format...' and proceed to format the hard disk.
Hungarian-482 5603 F7AC 0AC0 740A D0E8 B40E B307 CD10
Hybrid - CN: A 1306 byte encrypted mutation of the Vienna virus which marks infected files by setting the seconds field of the time stamp to 62. On any Friday the 13th after 1991 the virus will format the hard disk. It may also overwrite files and cause reboots.
Hybrid 81EE 7502 8BFE B9DE 01AC 34DE AA49 75F9
Hydra - CN: A group of 9 viruses, which do nothing particularly interesting.
Hydra (01) B43D B002 BA53 01B0 02CD 218B D806 1FB8
Hydra (02) B43D B002 BA53 01CD 218B D806 1FB8 003F
Hymn - CER: A Russian, 1865 byte virus related to the 'Eddie' (Dark Avenger) virus and the 'Murphy' viruses.
Hymn FF64 F500 07E8 0000 5E83 EE4C FC2E 81BC
Icelandic, Saratoga - ER: The virus attaches itself at the end of an EXE file and, after becoming memory-resident, it will infect only one in ten (one in two for the Icelandic (2) mutation) programs executed. When a program is infected, the disk is examined and if it has more than 20 MBytes, one cluster is marked as bad in the first copy of the FAT. There is a mutation which does not flag clusters. Version (1) will not infect the system unless the INT 13H segment is 0700H or F000H, thus avoiding detection by anti-virus programs which hook into this interrupt. Version (3) does not flag clusters and bypasses all interrupt-checking programs.
Icelandic (1) 2EC6 0687 020A 9050 5351 5256 1E8B DA43
Icelandic (2) 2EC6 0679 0202 9050 5351 5256 1E8B DA43
Icelandic (3) 2EC6 066F 020A 9050 5351 5256 1E8B DA43
Illness - CR: This encrypted 1016 byte virus is probably of Polish origin. It contains the text 'WARNING : USE ONLY ORGINAL PROGRAMS DON A T COPY IT and now .. I AM ILL !!'.
Illness BAF8 0383 EA20 33FF 3E8A 86F3 043E 2883
Incom - CN: Awaiting disassembly.
Incom 528B FA8B 4D02 8BDF 2BD9 83C3 1783 E92C
INT 13 - CR: Overwriting, stealth virus which subverts DOS and BIOS. The virus is 512 bytes long. Only selected COM files are infected, during the FCB find-next function call. (VB Mar 91)
INT 13 E200 50BF 4C00 5733 ED8E DDC4 1DBF 7402
Interceptor-Vienna - CN: This mutation written by Cracker Jack is quite similar to the Monxla-B mutation. The search pattern can also be found in Monxla-B, but the viruses can be distinguished by their different lengths.
Interceptor B903 008B D683 C20D CD21 8B54 068B 4C04
Internal - EN: Infective length is 1381 bytes. Virus contains the strings 'INTERNAL ERROR 02CH.', 'PLEASE CONTACT YOUR HARDWARE MANUFACTURER IMMEDIATELY !' and 'DO NOT FORGET TO REPORT THE ERROR CODE !'.
Internal 1E06 8CC8 8ED8 B840 008E C0FC E858 0480
Intruder - EN: This 1319 byte virus seems to delete infected files occasionally, and infected programs sometimes 'hang', but this seems to be due to sloppy programming. Two minor mutations are known, A and B, but both are detected with the same pattern.
Intruder 5F32 C0AA B001 0AC0 C35F 32C0 C3BA 0600
Iraqui Warrior - CN: A 777 byte mutation of Vienna, where numerous NOP instructions have been added to avoid detection by current scanners.
Iraqui Warrior BF00 0190 B903 00F3 A490 8BF2 B430 90CD
Iron Maiden - CN: A 636 byte virus, which contains the text 'IRON MAIDEN' near the end. It has not been fully analysed, but contains destructive code (INT 26H calls).
Iron Maiden 2425 CD21 5F0E 1F8B 8557 02A3 0001 8AA5
Italian, Pingpong, Turin, Bouncing Ball, Vera Cruz - DR: The virus consists of a boot sector and one cluster marked as bad in the first copy of the FAT. The first sector in the marked cluster contains the rest of the virus while the second contains the original boot sector. It infects all disks which have at least two sectors per cluster and occupies 2K of RAM. It displays a single character 'bouncing ball' if there is a disk access during a one-second interval in any multiple of 30 minutes on the system clock. The original version will hang when run on an 80286 or 80386 machine, but a new version has been reported which runs normally. If a warm boot (Ctrl-Alt-Del) is performed after the machine hangs, an uninfected disk will still become infected. (VB Nov 89)
Italian-Gen B106 D3E0 2DC0 078E C0BE 007C 8BFE B900
Italian 32E4 CD1A F6C6 7F75 0AF6 C2F0 7505 52E8
Italian 803 - CEN: Extends the length of COMMAND.COM by 805 bytes. Awaiting analysis. Sample would not infect COM files other than COMMAND.COM. The Italian 817 mutation, recognised by the same pattern and also known as XDY, overwrites the first 200 sectors on logical drives Z to A on 13th February of any year after 13:00.
Italian 803 7502 32C0 3CFF 7502 B001 5051 CD26 83C4
Itavir - EN: When the virus activates, it will write random data to all I/O ports, causing unpredictable behaviour such as screen flicker, hissing from the loudspeaker etc. Infective length is 3880 bytes.
Itavir 83C4 025A 595B 5850 5351 52CD 2672 0D83
Itti-191, Itti-99 - CN: A primitive overwriting virus, which displays the text 'EXEC failure' when it has infected a program. The virus will not attempt infection if it determines that FluShot+ is active in memory. A related 99 byte virus also exists, but it does not check for the presence of FluShot+.
Itti-99 998B CAB8 0042 CD21 B440 B963 00BA 0001
Itti-191 7415 B44E B927 00BA 8C01 CD21 7215 E81D
Jabberwocky - CER: An 812 byte virus, containing the text 'BEWARE THE JABBERWOCK'. Not yet analysed.
Jabberwocky 0500 108E C0BE 0000 BF00 00B9 FFFF F3A4
Jabberwocky-615 - CR: Detected by the Jabberwocky pattern.
Japanese Christmas-Cookie - CN: This 653 byte mutation of the Japanese Christmas virus has been modified to display the messages 'Give me a Cookie' and 'Cookie'.
Jap-Cookie 1B90 32E4 CF50 528A 1446 80F2 FE74 06B4
JD - CR: A group of four semi-stealth viruses, 356, 392, 448 and 460 bytes long. In addition there are two shorter mutations, 158 and 276 bytes, with no stealth features. Not fully analysed, but they do not appear to do anything but replicate.
JD (1) 521E B813 35CD 2106 5304 11CD 2106 53B8
JD (2) 5053 561E 068B F2B4 2FCD 21AC 3774 0383
JD-158 5ABB 4300 8EDB 833D 3D74 08B4 25CD 21B1
Jeff - CN: Just like the Klaeren virus, Jeff cannot successfully infect files longer than 4096 bytes. The virus is 812 bytes long (not 814 as originally reported). When it activates it may overwrite sectors on the hard disk.
Jeff B89B FF8E C0B9 3F00 33D2 32E4 8BD9 268A
Jerusalem, PLO, Friday the 13th, Israeli - CER: The virus attaches itself to the beginning of a COM file or at the end of an EXE file. When an infected file is executed, the virus becomes memory-resident and will infect any COM or EXE program run, except COMMAND.COM. COM files are infected only once, while EXE files are re-infected every time that they are run. Infective length is 1813 bytes (COM) and 1808 bytes (EXE). The virus finds the end of EXE files from the information in the file header, and if this is less than the actual file length, the virus will overwrite part of the file. After the system has been infected for 30 minutes, row 5 column 5 to row 16 column 16 on the screen are scrolled up two lines, creating a 'black window'. The system then slows down, due to a time-wasting loop installed on each timer interrupt. If the system is infected when the date is set to the 13th of any month which is also a Friday, every program run will be deleted. (VB July 89)
Jerusalem mutations matching the following two search patterns:
Jerusalem 03F7 2E8B 8D11 00CD 218C C805 1000 8ED0
Jerusalem-USA FCB4 E0CD 2180 FCE0 7316 80FC 0372 11B4
Anarkia: Virus signature is changed from 'sURIV' to 'ANARKIA'. Anarkia-B: Minor mutation of Anarkia. Carfield: 1508 bytes long. Frere Jacques: There are two mutations known as A and B which play the Frere Jacques tune on Fridays. Groen Links, GrLkDos: An 1888 byte mutation from The Netherlands. Every 30 minutes it plays the tune 'Stem op Groen Link' or 'Vote Green Left'. Jerusalem-1600/1605: A shortened mutation awaiting analysis. Jerusalem-Nemesis: A minor mutation of the original virus. Mendoza: A mutation of Anarkia. Messina: A very minor mutation. A-204, Payday, Puerto, Spanish and Jerusalem-G: Mutations.
Jerusalem-1244 - CER: One of the shortest Jerusalem mutations, only 1244 bytes long.
Jerusalem-1244 2638 05E0 F906 0E07 1F8B D7B8 004B 83C2
Jerusalem-1361 - CER: A stripped-down version of the Jerusalem virus, with all unnecessary code removed. Does not appear to do anything but replicate.
Jerusalem-1361 218C C805 1000 8ED0 50B8 2F00 50CB FC06
Jerusalem-1735 - CER: A 1730/1735 byte mutation, which seems related to the 1767 mutation. Not fully analysed. Detected by the Jerusalem Mummy pattern.
Jerusalem-1767 - CER: This 1767 byte version contains the text '** INFECTED BY FRIDAY 13th **'. Awaiting analysis.
Jerusalem-1767 7F33 C0F2 AF8B D783 C202 B800 4B06 1F0E
Jerusalem-2187 - CER: Yet another Jerusalem mutation, 2187/2189 bytes long. Detected by the Jerusalem Mummy pattern.
Jerusalem Barcelona - CR?: Unlike most other members of the Jerusalem family, this 1792 byte virus does not seem to infect EXE files. It is of Spanish origin, and seems to be politically motivated. Detected by the Jerusalem Mummy pattern.
Jerusalem-Clipper - CER: A 1408/1413 byte mutation of Jerusalem. It will generally infect EXE files. No COM files were infected during testing, although the original sample was a COM file. Awaiting analysis.
Jeru Clipper B87D 4BCD 213D 5456 7510 072E 8E16 1200
Jerusalem-CNDER - CER: A minor mutation of the 1808/1813 byte standard version, with the self-recognition code changed from 'sURIV' to 'CNDER'. Detected with the Jerusalem-USA pattern.
Jerusalem-Einstein - ER: An 878 byte rewritten mutation of the Jerusalem virus, which is not able to infect COM files. Awaiting analysis. (VB Jan 92)
Einstein 7FF2 AE26 3805 E0F9 8BD7 83C2 0306 1F0E
Jerusalem-IRA - CER: What primarily makes this mutation different from the standard one is the inclusion of a long list of encrypted names, as well as texts like 'died for Ireland' and '.. is still a political hostage'. Detected by the Jerusalem Mummy pattern.
Jerusalem-Miky - CER: A 2350 byte mutation of the Jerusalem virus, which is reported to have originated in Bolivia.
Miky 7F32 C0F2 AE26 3805 E0F9 8BD7 83C2 038C
Jerusalem Moctezuma - CER: A 2228 byte polymorphic mutation of the Jerusalem virus, which contains the text 'Moctezuma's Revenge'. Only a short search pattern is possible.
Jeru Moctezuma 062E 8F06 0201 1E2E 8F06 0001 0E07 0E1F
Jerusalem-Mummy - ER?: This 1489 byte mutation seems only able to infect EXE files. It contains an encrypted text string which claims it was written in the Kaohsiung Senior School. It has not been fully analysed. (VB May 92)
Jer-Mummy 2638 05E0 F98B D783 C203 B800 4B06 1F0E
Jerusalem Nov 30 - CER: This 2000 byte mutation activates on November 30th, instead of Friday the 13th.
Jeru Nov 30 2638 05E0 F98B D783 C203 061F 0E07 BB30
Jerusalem Sub Zero, Skism 11, Skism 12 - CER: Three unremarkable 1808/1813 byte mutations, which are detected by the Captain Trips pattern.
Jerusalem-T13 - CER: An 1807/1812 byte version of the Jerusalem virus. It is detected by the Suriv 3.00 pattern.
Jerusalem-Tobacco - CER: This mutation is almost identical to the AntiCad-2900 mutation, with little more than a few encrypted text strings changed. It is detected with the AntiCad-2576 pattern.
Jerusalem-Triple - CER: A patched minor mutation of the 1808/1813 byte standard version, with the self-recognition code changed and a few code patches. Another sample with the name 'Dragon' appeared, but it seems virtually identical. Detected with the Jerusalem-USA pattern.
Jihuu - CN: A Finnish 621 byte virus, which may display various messages, depending on the current date and time.
Jihuu 8BCA 83EF 0489 0D89 4502 B800 4233 C933
Jo-Jo - CR: This is a non-encrypted version of Cascade with the encryption code patched out and a few other changes made.
Jo-Jo B800 F08E C0BF 08E0 813D 434F 751B 817D
Jocker - CN: An overwriting virus from Poland, written in some high-level language, probably Pascal.
Jocker 89E5 81EC 0001 BF00 000E 57BF 401B 1E57
Joker-01 - CR: A huge, 29233 byte virus of Polish origin.
Joker-01 8CC2 4A8E C28C DA4A 8EDA 5A90 26A1 0300
Joshi - MR: This virus from India displays the message 'Type "Happy Birthday Joshi"' on 5th January of every year. Unless the user enters the text verbatim, the computer will hang. The virus traps disk reads, and any program trying to discover it while the virus is active in memory will not locate it. Survives warm boot. (VB Dec 90). The original MBS is stored in Head 0, Cylinder 0, Sector 9.
Joshi 03F0 03F8 B979 012B C8FC F3A6 7510 8CC0
July 13th - ER: This encrypted virus will activate on 13th July, but its exact effects have not yet been determined. It is 1201 bytes long.
July 13th 2EA0 1200 3490 BE12 00B9 B104 2E30 0446
Justice - CR: A 1242 byte virus which has not been fully analysed. Many computers 'hang' after running an infected program.
Justice 509F 83C4 089E 9C83 EC06 58CF 3CFF 7504
Kalah - CR: This 390 byte virus is quite harmless - it does not have any effects other than possibly displaying 'VDV 91'.
Kalah B43F CD21 8B0E 0000 2E3B 0E00 0175 0B8B
KNOWN IBM-PC VIRUSES 185
Kamikaze - EN: This overwriting virus from Bulgaria is written in Turbo Pascal, and is fairly large, 4031 bytes. Like other similar viruses it is not a serious threat.
Kamikaze 8AD0 A082 2230 E48B F888 9509 1080 3E82
Karin, Redstar - CN: This German virus adds either 1090 or 1134 bytes to the programs it infects. It is mostly harmless, but will activate on October 23rd when it displays the message 'Karin hat GEBURTSTAG'.
Karin BB00 0153 F3A4 BE00 F8BF 8000 B980 00F3
Kemerovo - CN: A Russian, 257 byte virus. Some infected programs fail to execute properly, but no other effects are known.
Kemerovo 0400 89C7 B904 00A4 E2FD 89D7 29D3 81EB
Kemerovo-B - CN: Similar to the original Kemerovo virus, but appears to have been assembled with a different assembler. Does nothing of interest.
Kemerovo-B 0400 8BF8 B904 00A4 E2FD 8BFA 2BDA 81EB
Kennedy - CN: A simple COM infecting virus, probably originating from Sweden. When an infected file is run, it will infect a single COM file in the current directory, expanding it by 333 bytes at the end. The virus activates on three dates: 6th June, 18th November and 22nd November, and displays the message 'Kennedy er dod - lange leve "The Dead Kennedys"'.
Kennedy E817 0072 04B4 4FEB F38B C505 0301 FFE0
Keyboard Bug - CER: This virus was received from Kiev, but has not yet been fully analysed. Analysis is complicated by the fact that the virus uses multiple layers of encryption, as well as other methods to hide from debuggers. The effects are unknown, but are assumed to be keyboard-related. The length has been reported as 1720, but the actual increase in length is variable.
Keyboard Bug 1E53 2EFF B597 07BB 6E06 B928 0158 2E30
Keydrop - DR: Infects only floppy disks. Awaiting disassembly.
Keydrop AC0A C075 0832 E4CD 16CD 19EB DBB4 0EB7
Keypress, Turku, Twins - CER: This virus was discovered at the same time in Finland, the USSR and Bulgaria, which makes its origin somewhat uncertain. It will infect COM and EXE files, but the length of the virus code is different, 1232 and 1472 bytes, respectively. After being resident for some time the virus will interfere with the keyboard, causing keys to 'repeat'.
Keypress 7405 C707 0100 F9F5 1FC3 F606 1801 0174
Keypress-1228 - CER: Only slightly different from the 1232 byte mutation, but was discovered in Kansas. It is detected by the 'Keypress' pattern.
Keypress-1744 - CER: Not fully analysed, but does not seem to be significantly different from the other mutations.
Keypress-1744 3F02 7405 C707 0200 F9F5 1FC3 F606 1801
Kiev - CR: Infected files grow by 483 bytes, but this increase is not visible when a DIR command is issued.
Kiev 8BD3 81C2 FBFF 8BDF B440 CD21 5B72 0053
Kit - CER: This virus has one serious 'bug' - it will re-infect the same file over and over. It is 2384 bytes long, but has not been fully analysed. Contains the text 'Copyright 1991-1999. KIT VIRUS (version 2.0).'
Kit 2EC5 1619 00B8 2425 CD21 071F 5F5E 5A59
Klaeren - CER: This 974 byte virus contains a serious error, which prevents it from successfully infecting any file larger than 4096 bytes. This encrypted virus contains the text string 'Klaeren Ha, Ha!' (Klaeren: the name of a professor in the school where the virus was written.)
Klaeren 5351 E800 005B 81EB AF03 B9A5 0380 37
K0-407, Dodo-Pig, GIP - CR: Closely related to the K0-408 virus. It contains the text 'GIP'. There is yet another mutation, 408 bytes long, which contains the text 'Birdie Hop!' and is also detected with the same pattern.
K0-407 B802 4233 C9BA FFFF CD21 508B D033 C9B8
K0-408 - CR: 408 byte virus. Not yet analysed.
K0-408 5B53 B802 4233 C9BA FFFF CD21 8BD0 33C9
Korea, NJH - DR: A simple boot sector virus with no side-effects. It may cause damage to data, as the original boot sector is always written to sector 11. There are two versions, probably due to two different assemblers being used.
Korea C08E D88E D0BC F0FF FBBB 1304 8B07 4848
Kuku - CN: This 448 byte virus may either infect files in an ordinary way, or overwrite them with a small program, which will display the word 'Kuku!' on the screen when it is run.
Kuku 241F 3C0A 750C B42C CD21 80E6 0775 E3BD
Kylie - CER: A 2272 byte mutation of the Jerusalem virus, which plays a tune when it activates.
Kylie E2FE C3E4 6124 FCE6 61C3 5357 4343 8B3E
Lao Duong - ?: A boot sector virus from Thailand awaiting analysis. It reportedly plays a Laotian funeral dirge when it activates.
Lao Doung A34C 0006 1FF6 C280 7539 BB00 7EBA 8001
Lazy - CR: A primitive 720 byte virus, which always occupies the same area in memory and may cause system crashes if a large program is run. The major effect of the virus is a slowdown of the computer.
Lazy 1E84 0026 A186 008E C026 8B07 BB90 5029
LBBCV-Timid - CN: Trivial virus published in the Little Black Book of Computer Viruses by Mark Ludwig. No side effects.
LBBCV-Timid 2EFC FF09 00BA 2AFF B41A CD21 E83E 0075
LBBCV-Intruder - EN: Trivial virus published in the Little Black Book of Computer Viruses by Mark Ludwig. No side effects.
LBBCV-Intruder E867 0375 18E8 6B03 E86E 03E8 2600 7509
LBBCV-Kilroy - DN: Trivial virus published in the Little Black Book of Computer Viruses by Mark Ludwig. No side effects.
LBBCV-Kilroy 721A 813E FE06 55AA 7512 E8FE 00BA 8001
LBBCV-Stealth - MR: Trivial virus published in the Little Black Book of Computer Viruses by Mark Ludwig. No side effects.
LBBCV-Stealth FB80 FC02 740A 80FC 0374 3C2E FF2E 3070
Leech - CR: A 1024 byte virus which has not been analysed yet. It uses self-modifying encryption, which makes the extraction of a usable pattern difficult.
Leech FA1E 078B EC8B E681 C4E4 038C
Leech live - CR: Awaiting analysis.
Leech live 5E1E FA07 8BEC 8BE6 81C4 E403 8CC8 8CD1
Lehigh - CR: The virus only infects COMMAND.COM. It is 555 bytes long and becomes memory-resident when the infected copy is run. If a disk is accessed which contains an uninfected COMMAND.COM, the copy is infected. A count of infection generations is kept inside the virus, and when it reaches 4 (or 10 in a mutated version), the current disk is trashed each time a disk is infected, provided that (a) the current disk is in either the A drive or B drive, (b) the disk just infected is in either the A drive or B drive and (c) the disk just infected is not the current one. The trashing is done by overwriting the first 32 sectors following the boot sector. Infection changes the date and time of COMMAND.COM.
Lehigh 8B54 FC8B 44FE 8ED8 B844 25CD 2106 1F33
Leningrad, Sov1, Sov2 - CN: Two viruses, 600 and 543 bytes long, first reported in Leningrad (now St. Petersburg), and probably written by the same author. The 600 byte mutation has not been analysed, but the other mutation will activate on any Friday the 13th, and display the message 'That could be a crash, crash, crash!'.
Leningrad-1 F3A4 E8D4 01E8 8C01 7303 E8C0 01E8 1900
Leningrad-2 E80D 02E8 9801 3C00 740D E8B4 013C 0074
Leprosy - CN: A 666 byte encrypted overwriting virus, similar to Leprosy-B but using a different encryption method.
Leprosy 558B EC56 8B76 04EB 0480 2C0A 4680 3C00
Leprosy-B - CER: A 666 byte overwriting virus, which is easily detected, as infected programs do not run normally, but instead display a message announcing the virus.
Leprosy-B 8A27 3226 0601 8827 4381 FBCB 037E F1C3
Leprosy-Busted - CN: A primitive, encrypted, overwriting virus.
Leprosy-Busted 8B0E 0B02 51E8 0F00 5BB9 3B02 BA00 01B4
Leprosy-C - E?: Awaiting disassembly.
Leprosy-C 5633 F6E8 5100 0BC0 740A E818 0046 FE06
Leprosy-C2 - CEN: A primitive 666 byte overwriting virus. When run, it displays the message 'Program to big to fit in memory'. This virus is floating around on virus BBSs under the name of 'Durango', but in fact it is just a minor mutation of the Leprosy-C virus.
Leprosy-C2 53E8 1000 5B90 B99A 02BA 0001 B440 CD21
Leprosy-D - CN: A 370 byte overwriting virus, derived from one of the earlier mutations. Infected programs must be deleted.
Leprosy-D B43B CD21 4683 FE03 7CE6 EB00 5EC3 8B16
Leprosy-Viper - CEN: This 840 byte mutation is similar to the Plague mutation, but it uses a slightly modified encryption algorithm. Just like the C2 mutation it is only found on virus BBSs, and is not a serious threat.
Leprosy-Viper BB3A 018A 2732 2606 0188 2790 9090 4381
Leszop - C?: Virus awaiting disassembly.
Leszop 1FC7 060C 7C62 008C 060E 7CFB FF2E 0C7C
Liberty - CEDR: A multi-partite virus from Indonesia with an infective length of 2857 bytes. When triggered, the virus reformats track 0 on the hard disk. When exhibiting multi-partite behaviour, the virus only infects floppy disk boot sectors. (VB Oct 91)
Liberty 0174 031F 595B 5053 5152 1E06 1E0E 1FE8
Liberty-1 B931 2833 D2CD 1306 BB5C 0653 CB2E 803E
Liberty 1186 - CR: Awaiting analysis. Not connected with the Liberty virus.
Liberty 1186 A02E 01CD 2183 FBFF 7431 B403 33DB CD10
Liberty-SSSSS - CR: This 1170 byte virus bears some resemblance to the Liberty virus, but might not be directly related. It has not been fully analysed.
Liberty-SSSSS FACD 21FA 0E1F B425 A02E 01BA FFFF 1F1E
Little Brother - P: A 299 byte 'companion' virus, which does not seem fully finished.
Little Brother 7418 5253 501E 063D 004B 7503 E810 0007
Little Pieces - ER: A 1374 byte virus, which has not been fully analysed. It will occasionally clear the screen and display the message: 'One of these days I'm going to cut you into little pieces'.
Little Pieces 9DCA 0200 33DB 8EDB C747 4C56 018C 4F4E
Locker - CER: A 1642 byte mutation of the Murphy virus, written by Cracker Jack and detected by the HIV pattern. The virus has not been fully analysed yet, but under certain circumstances it will ask the user for a password.
Lozinsky - CR: A Russian, 1023 byte virus, which uses a simple encryption algorithm.
Lozinsky FCBF 2000 03FE B9D0 032E 3005 47E2 FAB8
Lozinsky-1018 - CER: Very closely related to the 1023 byte version.
Lozinsky-1018 E800 005E 2E8A 44FC BF20 0003 FEB9 CB03
LoveChild - CN: Infective length is 488 bytes. Contains the strings 'v2 (c) Flu Systems (R)' and 'LoveChild in reward for software sealing.' [sic]. The virus trojanises certain program files which, when triggered, overwrite sectors 1-16, heads 0-3 on every track of the first hard disk with garbage. (VB Feb 91)
LoveChild 33C0 8EC0 E800 005E 8BEE BFE0 01FC 2681
LoveChild Trojn B901 00BA 8003 8BD9 B810 03CD 13FE CE79
Lovechild-B3 - MR: This virus was probably written by the author of the Lovechild virus, but it is totally unrelated - it is very similar to the New Zealand virus.
Lovechild-B3 33C0 8EC0 B801 028B DC2E 803E 047D 0074
Lucifer - CER: A 1086 byte mutation of the Diamond virus. Detected by the Diamond pattern.
Macedonia - CR: One of the few viruses which carry a political message - 'Macedonia To The Macedonians'. This 400 byte virus has no effects other than displaying this message.
Macedonia 7527 E871 002E 8B04 2EA3 0001 2E8B 4402
Macho - CEN: Swaps every string 'MicroSoft' with 'MachoSoft' on the hard disk. Searches 20 sectors at a time, storing the last sector searched in IBMNETIO.SYS, which is marked hidden and system. After searching the last sector it starts again. This will only happen after 1st January 1985 and if the environment variable VIRUS is not set to OFF. Infective length is 3550 to 3560 bytes. Random directory search for uninfected files. Infects COMMAND.COM. This virus is closely related to Syslock. (VB May 91)
Macho 5051 56BE 5900 B926 0890 D1E9 8AE1 8AC1
Malaga - CERD: One of the relatively rare multi-partite viruses. It is 2610 bytes long, but in addition to infecting files it will also infect DOS boot sectors on diskettes and hard disks.
Malaga 2D04 00A3 1304 B106 D3E0 2DC0 078E C08B
Maltese Amoeba, Irish, Grain of Sand - CER: A destructive virus which overwrites the first four sectors of tracks 0 to 29 of the hard disk and any diskette in the disk drive, if the date is 1st November or 15th March of any year. A psychedelic screen effect follows. When the machine is powered up, a fragment of a poem (The Auguries of Innocence) by William Blake (1745-1827) appears on the screen and the machine hangs. Infection happens at load-and-execute and file close. The virus employs self-modifying encryption and no search pattern is possible. (VB Dec 91)
Mannequin - CER: A 778 byte virus which has only one unusual effect - it intercepts INT 17H (the printer interrupt) and strips the top bit of any character sent to the printer.
Mannequin 5251 5350 32C0 1E07 8BFA B941 00FC F2AE
Magnitogorsk, 2560 - CER: This virus has not been fully analysed yet, but it contains a greeting to a Mr. Lozinsky, who seems to be the author of an anti-virus program.
Magnitogorsk 2E8B 851F 003D FFFF 7413 BE3E 0003 F7B9
Manuel - CR: This 957 byte virus contains the text: 'Soy un Manuel Virus de tipo C'. Not fully analysed.
Manuel F9C3 A675 FBF8 C3FC 268A 25AC 3C00 741G
Marauder - CN: This virus contains text which indicates it was written by the authors of the Phalcon and Skism viruses. It is polymorphic, and no simple search string is possible from the decryption routine. The virus is 860 bytes long.
Marauder E800 005E 81EE 0E01 E805 00E9 8700
Marauder-560 - CN: This seems to be an older and more primitive mutation of the Marauder virus. One significant difference is that the encryption routine is not polymorphic.
Marauder-560 0056 5D81 C646 018B FEFC AD33 8619 01AB
Mardi Bros - DR: The major effect of the virus is to change the volume label to 'Mardi Bros'. It is believed to be of French origin.
Mardi Bros E08E C0BE 007C 31FF B900 14FC F3A4 06B8
MG - CR: A simple, 500 byte Bulgarian virus.
MG AA1F 1E07 585E 1EBB 0001 53CB 3D04 4B74
MG-1A - CR: A minor mutation of the MG virus.
MG-3 - CR: A 500 byte Bulgarian virus, reported to be written by the same author as the MG virus.
MG-3 C43E 0600 B0EA 49F2 AE26 C43D 83EF DFEA
MG-4 - CR: A 500 byte virus from Bulgaria, which is closely related to the MG-3 virus, and is detected by the same pattern.
MGTU - CN: A simple, 273 byte Russian virus.
MGTU 03F8 BE00 018B 0589 048B 4502 8944 02B8
Michelangelo - MR: A mutation of the New Zealand virus, which will activate on March 6th and overwrite the first 17 sectors on every track of the hard disk, heads 0 to 4. On 360K floppies it will destroy sectors 1 to 9, heads 0 and 1, while on other floppies it will destroy the first 17 sectors of each track. Original MBS is stored in Head 0, Cylinder 0, Sector 7. (VB Jan 92)
Michelangelo BE00 7C33 FFFC F3A4 2EFF 2E03 7C33 C08E
Micro-128 - CR: This virus from Bulgaria is the smallest memory-resident virus known. It occupies part of the interrupt table and does nothing but replicate.
Micro-128 7501 A5A4 31C0 8EC0 BF03 03B1 7DF3 A4AF
Microbes - DR: An Indian virus, the effects of which are not fully known, except that booting from an infected disk has been reported to cause some computers to 'hang'.
Microbes 042D 0400 A313 04B1 06D3 E08E C006 C706
Migram-1 - ER: A 1219 byte mutation of the Murphy virus. Detected by the Murphy 2 pattern.
Migram-2 - ER: A 1221 byte mutation of the Murphy virus. Detected by the HIV pattern.
Milan Overwriting, BadGuy, Exterminator - CN: A group of primitive, overwriting viruses from Italy. Two mutations are known - BadGuy, which is 265 bytes long and does nothing but replicate, and Exterminator, which is 451 bytes long. When it activates, it overwrites the beginning of the hard disk, generally destroying the FAT and root directory of drive C.
Exterminator 02EB E2B4 2ACD 213C 0174 03EB 2F90 C606
BadGuy 02EB D9B4 2ACD 213C 0174 11EB 1D90 071F
Milana - CER: This 1160 byte virus contains various pieces of code which seem to have been copied from the Dark Avenger virus, so it should probably be classified as belonging to the same family. The name is derived from the string 'I Love Milana', but the effects are not fully known.
Milana A4A5 1F8B 2606 0033 DB53 FFE0 BA10 00F7
Milous, Cadkill - CER: This 1163 byte virus has not been fully analysed yet.
Minimal-30 - CN: This virus is only 30 bytes long. When an infected program is run, it will overwrite the first file in the current directory.
Minimal-30 3DBA 9E00 CD21 93B4 408B D68B CECD 21C3
Minimal-30-B - CN: This is practically the same virus as the Minimal-30 virus, but it has been assembled with a different assembler, which has produced a slight difference.
Minimal-30-B 3DBA 9E00 CD21 93B4 4089 F28B CECD 21C3
Minimal-45 - CN: This Bulgarian overwriting virus is only 45 bytes long. When run, it will overwrite all COM files in the current directory with itself.
Minimal-45 0001 B92D 00B4 40CD 21B4 3ECD 21B4 4FEB
Minimal-46 - CN: A primitive overwriting virus which does nothing but replicate.
Minimal-46 D8BA 0001 B12E B440 CD21 B43E CD21 B44F
MIR - CER: A 1745 byte mutation of the Dark Avenger virus. The first generation sample contains the text 'M.I.R. *-*-*-* Sign of the time!', but it is corrupted in later generations. Detected by the 'Dark Avenger' pattern.
Mirror - ER: The virus is 924 bytes long, but infected programs may grow by a maximum of 940 bytes. When the virus activates it reverses the contents of the screen, displaying a mirror image of what was there before.
Mirror 8A07 2688 0743 E2F8 B821 2506 1FBA DC00
Mistake, Typoboot - DR: Exchanges letters for phonetically similar ones (for example 'C' & 'K') while they are being output to the printer. Reportedly written in Israel. A mutation of the Italian virus with about 35% of the code rewritten. The boot sector is almost identical to the Italian virus.
Mistake 32E4 CD1A 80FE 0376 0A90 9090 9090 52E8
MIX1 - ER: The virus infects only EXE files, attaching itself to the end. When an infected program is run, the virus will copy itself to the top of the free memory. Some programs may overwrite this area, causing the machine to crash. The virus traps printer and asynch interrupts and corrupts traffic by substituting characters. 50 minutes after infection, the virus alters the Num Lock and Caps Lock keyboard settings. 60 minutes after infection, a display similar to the Italian virus (bouncing ball display) will be produced. The virus will infect every tenth program run. Infected files always end in 'MIX1'; the infective length of MIX1 is 1618 to 1633 bytes and of MIX1-2 1636 to 1651 bytes. (VB Dec 89)
MIX1 B800 008E C026 803E 3C03 7775 095F 5E59
MIX1-2 B800 008E C0BE 7103 268B 3E84 0083 C70A
MIX2 - CER: This is a 2280 byte Israeli virus based on MIX1 but improved with the addition of encryption and COM file infection.
MIX2 EE8C C803 C650 B826 0050 CB55 508C C0E8
MLTI - CR: This 830 byte Russian virus contains the following text, which clearly refers to the Dark Avenger virus: 'Eddie die somewhere in time! This programm was written in the city of Prostokwashino (C) 1990 RED DIAVOLYATA Hello! MLTI!'
MLTI 5B73 05B8 0001 50C3 83FC E072 F62E C747
Mono-1063 - CR: A 1063 byte Polish virus, which deletes files when it activates, provided it is running on a machine with a monochrome display.
Mono FDF3 A406 E800 0059 83C1 0651 CB2E 8C4F
Monkey - MR: Two viruses based on the New Zealand virus, which store the original boot sector encrypted, making disinfection more difficult.
Monkey-1 48A3 1304 B106 D3E0 0420 8EC0 C356 8BFB
Monkey-2 48BF 1404 4F89 05B1 06D3 E004 208E C0C3
Monxla, Time - CN: A 939 byte mutation of the Vienna virus, which activates on the 13th day of any month and then damages programs, instead of just infecting them.
Monxla 8B07 5B8E C0BF 0000 5E56 83C6 1AAC B900
Monxla-B - CN: This 535 byte virus is probably an older version of the Monxla virus. It retains code from the Vienna virus which deletes programs instead of infecting them 1 in every 8 times.
Monxla-B 8994 1600 B42C CD21 80E6 0775 10B4 40B9
Mosquito - ER: A 1024 byte virus awaiting analysis.
Mosquito 5650 BE49 002E 8A24 2E32 261E 002E 8824
Mosquito-Pisello - ER: 1024 bytes long, just like the original version, but not fully analysed.
Mosquito-Piselo 5650 BE51 032E 8A24 2E32 265D 012E 8824
Mosquito-Topo - ER: A 1536 byte mutation of the Mosquito virus. Awaiting analysis.
Mosquito-Topo 5650 BE68 002E 8A24 2E32 263D 002E 8824
MPS-OPC - CN: Three Polish viruses, 469, 640 and 654 bytes long. Not yet analysed.
MPS-OPC 1.1 B447 CD21 5E8B FE81 C72D 0232 C0B9 4000
MPS-OPC 3.1/3.2 0ADB 7441 B42C CD21 3ADA 7304 2AD3 EBF8
MPS-OPC 4.01 - ER: This virus was probably written by the same author(s) as the other MPS-OPC viruses - a Mr. Marek Pande, according to reports from Poland. Structurally it is very different, however, and belongs to a different virus family. Not yet analysed.
MPS-OPC 4.01 CD27 A12C 008E D833 FF8B 0547 0BC0 75F9
Mshark - CN: The name of this 373 byte virus is derived from the string '(C) Mshark-S v. 1.0'. This is a simple virus, with no effects other than possibly causing a reboot.
Mshark 0103 D6CD 2132 DB56 81C6 5601 B914 00AC
MSTU - CEN: This virus contains the text 'This program was written in MSTU,1990'. Not fully analysed, but appears to do nothing of interest. Virus length is 532 bytes.
MSTU BB16 0026 8B07 3DEB 55C3 5E8B C6B1 04D3
MSTU-554 - CEN: Closely related to the 532 byte mutation and detected by the same pattern.
Mule - CER: A 4112/4117 byte encrypted mutation of Jerusalem, which was first reported in Australia, but may have originated in Thailand. Not yet analysed. Detected by the Jerusalem 1 pattern.
Multiface, Portugese - CR: This is a 1441 byte virus from Portugal. It is reported to display multiple 'smileys' on the screen. (VB May 92)
Multiface 8ED8 58C6 075A C747 0100 0089 4703 5B8D
Munich - CN: Encrypted 2355 byte virus. Not yet analysed.
Murphy - CER: Two versions exist. One produces a click from the loudspeaker when any DOS functions are called, while the other may produce a bouncing ball effect when the user enters ROM BASIC. The virus will only activate between 10:00 and 11:00 a.m.
Murphy 1 1EE8 0000 B859 4BCD 2172 03E9 2801 5E56
Murphy 2 1EE8 0000 B84D 4BCD 2172 03E9 2601 5E56
Murphy-3 - CER: A 1284 byte mutation of Murphy detected by the 'HIV' pattern.
Murphy-4 - CER: A 1480 byte mutation of Murphy detected by the 'Murphy 2' pattern.
Murphy-Amilia - CER: This Canadian virus is based on the HIV mutation, and is only slightly modified. It is 1614 bytes long, and detected by the HIV pattern.
Murphy-Bad Taste - CER?: This encrypted virus should be able to infect COM files, but during testing it only infected EXE files, unlike other Murphy mutations. It contains the text 'Bad Taste Ltd. (C) 1991 by OdrowadTrow.....who amI???'. This 1188 byte virus is detected by the pattern for Murphy-2, but only in EXE files.
Murphy-Brothers - CER: A 2045 byte mutation of the Murphy virus, which contains the text 'Brothers in arm'. Detected by the HIV pattern. Not yet analysed.
Murphy-Tormentor - CER?: This virus would actually only infect EXE files during testing, but it seems to contain code to infect COM files too. Detected by the HIV pattern.
Murphy-Tormentor-D - ER: This 1040 byte mutation is closely related to the Tormentor mutations. Detected with the HIV pattern.
Music Bug - DR: Contains the text strings 'MusicBug v1.06 MacroSoft Corop.' and '-- Made in Taiwan --'. If a machine has been infected for more than 4 months, a random tune of 36 notes may be played (14% probability). (VB Nov 91)
Music Bug 08FC F3A5 06B8 0002 50CB 5053 5152 2EA3
Mutant - CN: Three mutations of this virus are known, of which two, 123 and 127 bytes long, are only able to infect small files correctly. This is 'corrected' in the third mutation, also 127 bytes long. The viruses have no interesting side-effects.
Mutant C98B D1B8 0042 CD21 5972 065A 52B4 40CD
Mutation Engine: Not a virus on its own, but provides an easy way of adding self-modifying encrypting behaviour to an existing virus.
Mutation Engine E8BE 0059 5EBF 5905 2BF9 5752 F3A4 595A
New BadGuy, Milan Overwriting-208, Crackpot-208 - CN: A 208 byte mutation of the BadGuy virus by Cracker Jack, created by adding NOP instructions at various locations in the code. The only effect other than replication is to display a message on Mondays.
New BadGuy 2E8A 1780 F243 90B4 02CD 2190 43FE C990
New Zealand, Stoned, Marijuana - MR: The virus consists of a boot sector only. It infects all disks and occupies 2K of RAM. On floppy disks, logical sector 0 is infected, while on hard disks sector 1 head 0 track 0 (Master boot sector) is infected. The original boot sector is stored in track 0 head 1 sector 3 on a floppy disk and track 0 head 0 sector 2 on a hard disk. The boot sector contains two character strings: 'Your PC is now Stoned!' and 'LEGALISE MARIJUANA', but only the former is displayed, once in eight times, and only if booted from floppy disk. Version (2) stores the original boot sector at track 0 head 0 sector 7 on a hard disk. The second string is not transferred when a hard disk is infected. A mutation displays the message 'Your PC is now Sanded'. A mutation has been reported in Australia which also displays 'LEGALISE MARIJUANA'. (VB May 90)
New Zealand (1) 0400 B801 020E 07BB 0002 B901 0033 D29C
New Zealand (2) 0400 B801 020E 07BB 0002 33C9 8BD1 419C
Nina - CR: Yet another small virus from Bulgaria. This one is 256 bytes long.
Nina 03F7 B900 01F3 A458 1EBD 0001 55CB 5858
Nines Complement - CR: This 705 byte virus interferes with printer operations, changing numbers 0 to 9, 1 to 8 etc. (VB June 92)
Nines Complemnt E800 005B BE11 0003 F3B9 AA02 89F7 AC30
Nines Complement-776,706 - CR: Two new mutations have appeared, where the initial decryption routine has been modified, in order to bypass scanners detecting the original version.
Nines Comp-766 E800 005B BE0E 0003 F3B9 F402 301C 46E2
Nines Comp-706 E800 005D BE17 0001 EEB9 A502 89F7 8BDD
NKOTB, Cover Girl - CN: A 723 byte overwriting virus, where most of the virus body contains a silly message.
NKOTB BA00 01CD 21B4 3ECD 219F B908 00D3 C82B
No Bock, 440 - CN: When this 440 byte virus activates, it displays the message 'No Bock today error. System Halted' and stops the system.
No Bock A48B FDC3 B104 D3E0 0AC6 FEC1 D3E0 0AC2
NoInt, Stoned III - MR: Boot virus with no payload, infecting floppies in A and B as well as the hard disk. Infects when a disk read is attempted, and returns the original boot sector when sector 1 is read. The original boot sector is stored in head 1 cylinder 0 sector 3 on diskettes and head 0 cylinder 0 sector 7 on hard disks.
NoInt 0175 2451 B907 00B8 0102 9C2E FF1E 0C01
Nomenklatura - CER: Infective length is 1024 bytes, and only files longer than 1024 bytes are infected. The virus infects on executing a program or opening a file, which means that a virus scanning program will infect all files on the system if the virus is resident in memory. The virus scrambles the FAT on a random basis. (VB Dec 90)
Nomenklatura B8AA 4BCD 2173 785E 5606 33C0 8ED8 C41E
November 17th, 855 - CER: This virus activates on 17th November, trashing the beginning of the current drive. (VB June 92)
November 17th CD21 80FE 0B75 1280 FA11 720D B419 CD21
NTKC, C-23693 - CN: A 23693 byte mutation of Vienna, detected by the 'Vienna (4)' pattern.
Number1 - CN: An old, simple, overwriting, Pascal virus, originally published in the 'Computer Viruses - A High Tech Disease' book by Burger. Infective length depends on the compiler used, but 11980 and 12032 byte examples have been found in the wild.
Number1 B800 0050 BFCC 031E B142 E8E8 FEB8 015C
Numberl 2 - CN: Mutation of Burger's Pascal Numberl virus<br />
Number 1 2 B800 0050 BFCA 031E B142 E8E8 FEB8 015C<br />
Number of the Beast, 666, V512 - CR: An advanced virus from Bulgaria, only 512 bytes<br />
long. The length of the file does not appear to increase since the virus overwrites the first<br />
512 bytes of the programs it infects with itself, storing the original 512 bytes in the<br />
unused space of a disk cluster, after the logical end of file. (VB May 90, June 90)<br />
Number of Beast 5A52 0E07 0E1F 1EB0 5050 B43F CBCD 2172<br />
Number of Bea 1 B800 3DCD 2193 5A52 0E1F 1E07 B102 B43F<br />
Number of Bea E 1607 8BD6 B102 B43F CD21 8AD1 86CD BFFE<br />
Number of Bea F 5A52 0E1F 1E07 06B0 5050 B43F CBCD 2172<br />
NV71 - ER?: This virus has been reported elsewhere as '1840', but this name should be<br />
avoided, as the virus is only 1827 bytes long. It has also been reported to infect COM<br />
files, but this has not been confirmed.<br />
NV71 9CFA FC8C DA83 C210 2E01 1603 0033 C08E<br />
Ohio, Hacker - DR: Boot sector virus, which is an older version of Den Zuk and written<br />
by the same author.<br />
Ohio FAFA 8CC8 8ED8 8ED0 BC00 F0FB E845 0073<br />
Old Yankee - EN: This is the first of the viruses which play 'Yankee Doodle Dandy'. It<br />
only infects EXE files, increasing their length by 1961 bytes. When an infected program<br />
is run, it will infect a new file and then play the melody. (VB June 90)<br />
Old Yankee 03F3 8CC0 8904 0E07 53B8 002F CD21 8BCB<br />
Omega - CN: A 440 byte virus, probably from Finland. When it activates it overwrites the<br />
beginning of the first two hard disks, trashing the partition table.<br />
Omega B05C AA89 7E2E 83EC 15B9 1500 8BFC 8BF5<br />
Ontario - CER: A 512 byte encrypted virus. It uses self-modifying encryption, so a full<br />
16-byte search pattern cannot be extracted; only the 8 fixed bytes below can be given. In<br />
the full string an asterisk marks a byte which may change from one infected file to another.<br />
Ontario 8A84 E801 B9E8 01F6<br />
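The search patterns in this appendix are what a scanner of the period actually matched on. The following Python is a worked example added here, not code from the book or from Sophos: it parses patterns written in the appendix's own notation (four hex digits per group, with '??' standing in for the asterisk wildcard bytes that a self-modifying virus such as Ontario forces) and reports every hit with its file offset. The 'Demo-wild' pattern and the sample buffer are constructed for the demonstration and are not taken from any real virus; the other three patterns are copied from the entries above.<br />

```python
import re
from typing import Dict, List, Optional, Tuple

# Patterns in the appendix's notation (four hex digits per group). "??" is a
# wildcard byte, the appendix's asterisk for bytes that differ between
# infected files. "Demo-wild" is a constructed pattern, not a real virus,
# present only to exercise the wildcard path; the other three are copied
# from the entries above.
PATTERNS: Dict[str, str] = {
    "Nomenklatura": "B8AA 4BCD 2173 785E 5606 33C0 8ED8 C41E",
    "Omega":        "B05C AA89 7E2E 83EC 15B9 1500 8BFC 8BF5",
    "Ontario":      "8A84 E801 B9E8 01F6",        # partial: only 8 bytes fixed
    "Demo-wild":    "B43F CD21 ???? 8BD8",         # constructed for this example
}


def parse_pattern(text: str) -> List[Optional[int]]:
    """Turn the printed pattern into a byte list; None marks a wildcard byte."""
    digits = text.replace(" ", "")
    if len(digits) % 2:
        raise ValueError("pattern must consist of whole bytes")
    out: List[Optional[int]] = []
    for i in range(0, len(digits), 2):
        pair = digits[i:i + 2]
        out.append(None if pair in ("??", "**") else int(pair, 16))
    return out


def compile_pattern(text: str) -> "re.Pattern[bytes]":
    """Build a bytes regex: fixed bytes are escaped literals, wildcards are '.'."""
    parts = [b"." if b is None else re.escape(bytes([b])) for b in parse_pattern(text)]
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_pattern(p) for name, p in PATTERNS.items()}


def scan(data: bytes) -> List[Tuple[str, int]]:
    """Return (virus name, offset) for every pattern hit, ordered by offset."""
    hits = [(name, m.start()) for name, rx in COMPILED.items() for m in rx.finditer(data)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


def fixed_bytes(text: str) -> int:
    """Number of bytes that actually constrain a match: the fewer there are,
    the more chance hits a scan over a large disk will produce."""
    return sum(b is not None for b in parse_pattern(text))


def build_sample() -> bytes:
    """Constructed stand-in for a COM file (no real virus code): counting
    filler with the Omega pattern spliced in at offset 0x40."""
    filler = bytes(range(256)) * 2
    omega = bytes.fromhex(PATTERNS["Omega"].replace(" ", ""))
    return filler[:0x40] + omega + filler[0x40:]


if __name__ == "__main__":
    for name, off in scan(build_sample()):
        print(f"{name} found at offset {off:#06x}")
```

fixed_bytes() makes the practitioner's trade-off visible: the 8 fixed bytes of the Ontario string constrain a match half as tightly as a full 16-byte pattern, so a hit on a partial or wildcard pattern should be confirmed by further analysis before a file is declared infected. The scanner opens every file it checks, so, as the Nomenklatura entry warns, it must be run from a clean boot and never with a virus resident in memory.<br />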
Orion - CR: Two simple viruses, probably from Bulgaria. They contain the texts<br />
'Hello,boy! Im a new virus' and 'Orion system !'. The viruses, which are 262 and 365<br />
bytes long, contain one error: they cannot properly infect very short files.<br />
Orion AB33 C0AB 1616 1F07 8BC3 CB3D 004B 7406<br />
Oropax, Music virus - CR: The length of infected files increases by between 2756 and 2806<br />
bytes, and the infected length is divisible by 51. Five minutes after infection, the virus plays<br />
three different tunes at 7-minute intervals. Does not infect COMMAND.COM.<br />
Oropax 06B8 E033 CD21 3CFF 7423 8CCE 8EC6 8B36<br />
Padded - CN: The most unusual feature of this 1589 byte virus is that it is padded with a<br />
large block of zero bytes, which serve no apparent purpose.<br />
Padded BA00 00CD 215A 4AB4 40B9 0300 CD21 B802<br />
Paris, TCC - CEN: The virus will infect all EXE files in the current directory, when an<br />
infected file is run. Length is 4904 bytes.<br />
Paris 8CD8 03C3 8ED8 8EC0 8D3E 0301 B000 AAEB
196 APPENDIX A<br />
Parity - CN: A Bulgarian 441 byte virus which may emulate a memory failure when an<br />
infected program is run, displaying the message 'PARITY CHECK 2' and halting the<br />
computer.<br />
Parity 40B9 B901 BA00 0103 D7CD 21B8 0157 8B8D<br />
Path - CN: A 547 byte virus from East Europe, which searches the path for files to infect.<br />
Path B90D 0057 8A07 8805 4347 E2F8 C605 005F<br />
Pathhunt - EN: Even though this virus only infects EXE files, they are infected as if they<br />
were COM files: the first few bytes are overwritten with a jump to the virus body. Not<br />
yet analysed.<br />
Pathhunt 03FD 8A0D 2ED2 0F59 43E2 EEEB 1DBB 1A01<br />
PC-Flu - CR: This 802 byte virus was made available with the original commented<br />
source code from the author. It seems to be intended to bypass three specific anti-virus<br />
programs, Flushot, Vstop and Virblock, but this has not been tested. This virus is of<br />
Polish origin. (VB Jan 92)<br />
PC-Flu 501F BB00 0180 3FE9 7537 4380 3F15 7531<br />
PC-Flu-2 - CER: An improved 2112 byte mutation of PC-Flu, with several new features,<br />
such as self-modifying encryption. No simple search pattern is possible.<br />
PC-Flu mutations - CER: Several mutations of PC-Flu have now appeared. Just like the<br />
original virus, no search pattern is possible.<br />
PcVrsDs - CER: A destructive encrypted virus which deletes every file opened and<br />
infects every file executed. It does not infect COMMAND.COM. A routine in the virus<br />
causes occasional typing errors by incrementing the ASCII value of the character typed<br />
by 1. On any Monday the 23rd (except during 1990) it will format side 0 of the first 32<br />
tracks on the first fixed disk. (VB Apr 91)<br />
PcVrsDs 33DB BE1C 00B9 4F07 2E8A 9708 002E 0010<br />
Peach - CER: Yet another virus targeted against anti-virus programs - in this case Central<br />
Point's Anti-Virus. This 887 byte virus contains the text 'No 2 Peach Garden'. (VB May 92)<br />
Peach 33C9 33D2 E851 FFB4 40B9 1800 8BD7 807D<br />
Pentagon - DR: The virus consists of a boot sector and two files. The sample obtained<br />
does not work, but it contains the code which would survive a warm boot (Ctrl-Alt-Del).<br />
It could only infect 360K floppy disks, and will look for and remove Brain from any disk<br />
it infects. It occupies 5K of RAM.<br />
Pentagon 8CC8 8ED0 BC00 F08E D8FB BD44 7C81 7606<br />
Perfume - CR: The infected program will sometimes ask the user for input and not run<br />
unless the answer is 4711 (name of a perfume). In some cases the question is 'Bitte gebe<br />
den G-Virus Code ein' ('Please enter the G-Virus code'), but in others the message has<br />
been erased. The virus will look for COMMAND.COM and infect it. Infective length is<br />
765 bytes.<br />
Perfume FCBF 0000 F3A4 81EC 0004 06BF BA00 57CB<br />
Perfume-731 - CR: A slight mutation of the Perfume virus, only 731 bytes long. This<br />
may well be an earlier mutation.<br />
Perfume-731 FCBF 0000 F3A4 81EC 0004 06BF BC00 57CB<br />
Pest - CER: A 1910 byte mutation of the Murphy virus. Detected by the HIV pattern.<br />
Phalcon, Cloud - CN: A 1117 byte virus, awaiting analysis. It contains a strange text<br />
message about a Bob Ross.<br />
Phalcon BE15 0103 3606 018A 24B9 2304 83C6 2D90<br />
Phalcon-Ministry - CN: Encrypted, 1168 byte mutation of the Phalcon virus.<br />
Phalco-Ministry BE15 0103 3606 018A 24B9 5504 81C6 2E00<br />
Phantom - CR: A 2201 byte virus, which has not yet been fully analysed. The virus<br />
contains an encrypted text message stating it was written in Hungary.<br />
Phantom CF8B FA1E 07B0 00B9 5000 FCF2 AE83 EF04<br />
Phenome - CER: A minor mutation of the Jerusalem virus, 1808 (1813) bytes long, just<br />
like the original. Detected by the Jerusalem-USA pattern.<br />
Phoenix, PI - CR: This Bulgarian virus is 1701 bytes long, but a mutation, 1704 bytes<br />
long, has also been reported. Despite the identical lengths, they are not related to the<br />
Cascade viruses. These viruses use an advanced encryption method, so that no search<br />
pattern is possible.<br />
Phoenix-2000 - CR: This is a polymorphic virus which cannot be detected with a simple<br />
search pattern. In addition to infecting COM files, it Trojanizes EXE files - overwriting<br />
them with code to trash a part of the hard disk. This Trojan can be detected with a pattern.<br />
Phoenix-Trojan B413 CD2F 06B0 F5E6 6033 C0E6 618E C093<br />
Piter - CR: A Russian, 529 byte virus.<br />
Piter 8E1E 2C00 33F6 AC0A 0475 FB83 C603 8BD6<br />
Pixel - CN: The Pixel viruses are practically identical to the Amstrad virus, although they<br />
are shorter: 345 and 299 bytes. No side-effects are noticeable until the 5th generation is<br />
reached, at which stage there is a 50% chance that the following message will appear<br />
when an infected program is executed: 'Program sick error: Call doctor or buy PIXEL for<br />
cure description'. Several new mutations of the Pixel/Amstrad virus have been discovered,<br />
most of which are very similar to previous mutations, and are detectable by the 'Pixel'<br />
pattern. (VB June 90)<br />
Pixel (1) 0E1F 2501 0074 4CBA D801 B409 CD21 CD20<br />
Pixel (2) BA9E 00B8 023D CD21 8BD8 061F BA2B 01B9<br />
Pixel (3) 0001 0001 2E8C 1E02 018B C32E FF2E 0001<br />
Pixel-257, 275, 295, 283 - CN: detected by the 'Pixel (1)' pattern.<br />
Pixel-779, 837, 850, 854 - CN: detected by the 'Amstrad' pattern.<br />
Pixel-892 - CN: detected by the 'Pixel (3)' pattern.<br />
Pixel-897, 899A, 899B, 905 - CN: Four mutations, which are all detected by the<br />
Pixel-936 pattern. Contain code to format track 1.<br />
Pixel-936 - CN: A 936 byte mutation of the Pixel/Amstrad virus.<br />
Pixel-936 C706 0001 0001 2E8C 1E02 012E FF2E 0001<br />
Pixel-Pixie 1.0 - CN: Closely related to the Pixel-936 virus, and detected with the same<br />
pattern.<br />
Pixel-Rosen - CN: The smallest member of the Pixel family, only 131 bytes long. Does<br />
nothing but replicate.<br />
Pixel-Rosen A433 FF06 57CB 1E07 BE83 01BF 0001 1E57<br />
Plague - CR: A simple 591 byte overwriting virus, based on the Leprosy virus.<br />
Plague 8A27 3226 0601 8827 4381 FB83 037E F1EB<br />
Plaice - CR: 1129 bytes. Not yet analysed. One mutation of this virus exists, which has<br />
not yet been named, but the sample circulating in the anti-virus community is named<br />
1720C.COM. This is a variable-length, polymorphic mutation, with a base length of<br />
1701 bytes. It does not work properly on certain types of hardware. No search string is<br />
possible for this mutation.<br />
Plaice 0001 5033 C033 DB33 C933 D233 F633 FF33<br />
Plastique 521 - C?: Virus awaiting disassembly.<br />
Plastique 521 0681 002E 8C06 8500 2E8C 0689 008C C005<br />
Plovdiv, New Bulgarian 800 - CR: This virus is 800 bytes long, but the increase is hidden<br />
while the virus is active. It contains the text '(c) Damage inc.Ver 1.1,Plovdiv, 1991', but<br />
has not been fully analysed yet.<br />
Plovdiv 80E2 1F80 FA1E 7506 2681 6F1D 2003 079D<br />
Plovdiv-1.3 - CR: This 1000 byte virus is related to the 800 byte Plovdiv virus.<br />
According to a text string inside the virus, it should be named 'Damage', but this name<br />
was rejected to avoid confusion with the Diamond/V1024-derived 'Damage' virus. The<br />
virus is 'semi-stealth', hiding increases in file length when it is active.<br />
Plovdiv 1.3 80E2 1F80 FA1E 7506 2681 6F1D E803 079D<br />
Plovdiv 1.3B - CR: 1000 bytes long, but only slightly different from the 1.3 mutation.<br />
Plovdiv 1.3B 80E2 1F80 FA1E 7506 2681 6F1D E803 075A<br />
Polimer - CN: A 512 byte Hungarian virus, which only displays the following message<br />
when an infected program is executed: 'Ale'jobbkazettaaPolimerkazettalVegyeezt!'<br />
(Hungarian, roughly 'The best cassette is the Polimer cassette! Buy this one!').<br />
Polimer 8CD8 0500 108E D8B4 40CD 218C D82D 0010<br />
Polish 217 - CR: A simple 217 byte virus from Poland, which does nothing but replicate.<br />
Polish 217-A is a minor mutation, probably changed to bypass some scanner.<br />
Polish 217 D201 BF00 01B9 0300 F3A4 5EB4 4EBA C901<br />
Polish Color - CN: A simple 376 byte Polish virus, which does nothing but replicate.<br />
Polish Color 56B9 0400 81C6 6D01 8CD8 8EC0 BF00 01F3<br />
Polish Minimal-45 - CN: This is a Polish attempt to create the world's smallest virus. As<br />
it overwrites the files it infects, they cannot be disinfected.<br />
Polish-45 023D CD21 8BD8 B440 BA00 01B1 2DCD 21B4<br />
Polish Pixel - CN: Two Pixel mutations from Poland, which contain crude self-modifying<br />
code. They are 457 and 550 bytes long, and detected by the Pixel (1) pattern.<br />
Possessed - CER: A 2438 byte virus (a 2446 byte mutation has been reported) which<br />
contains the text 'POSSESSED! Bwa! ha! ha! ha! ha! Author JonJon Gumba of AdU'.<br />
The virus is reported to delete files occasionally, after it has been resident for a while.<br />
Possessed 8BF2 83C6 028B DE80 3C5C 7506 8BDE 43EB<br />
Possessed-B - CER: A 2446 byte mutation of the Possessed virus, and detected by the<br />
pattern for that virus.<br />
Possessed-2443 - CER: This mutation is very similar to the other two known mutations,<br />
which are 2438 and 2446 bytes long, and detected with the same pattern as the original<br />
virus.<br />
Pregnant - CR: A 1199 byte encrypted virus, related to the 1024PrScr virus. It activates<br />
on Fridays, between 10 PM and 11 PM, making all infected files appear to be named<br />
PREGNANT.!!! if the DIR command is used. As the decryption routine is very short,<br />
only a 16 byte search pattern cont<strong>ai</strong>ning a wildcard is possible. The virus hides the<br />
increase in file length.<br />
Pretoria, June 16th - CN: Overwrites the first 879 bytes of infected files with a copy of<br />
itself and stores the original 879 bytes at the end of the file. When an infected program is<br />
executed, the virus searches the entire current drive for COM files to infect. On 16th June<br />
the execution of an infected file will cause all entries in the root directory to be changed<br />
to 'ZAPPED'. The virus is encrypted.<br />
Pretoria AC34 A5AA 4B75 F9C3 A11F 0150 A11D 01A3<br />
PrintScreen - DR: Occasionally performs a Print Screen (PrtSc) operation.<br />
Printscreen FA33 C08E D0BC 00F0 1E16 1FA1 1304 2D02<br />
Protecto - C?: Virus awaiting disassembly.<br />
Protecto 8BD6 83C2 4AB8 003D CD21 7303 EB39 908B<br />
Proud - CR: This 1302 byte virus is a member of a Bulgarian family of 4 viruses, which<br />
also includes 1226, Evil and Phoenix. As they all use the same encryption method, no<br />
search pattern is possible. (VB Dec 90)<br />
Prudents - EN: Infective length is 1205 bytes and the virus will destroy the last 32 bytes<br />
of any infected file. Activates during the first four days of May of every year, turning<br />
every write operation into a verify operation, which results in the loss of data.<br />
Prudents 0E07 BE4F 04B9 2300 5651 E87E 0359 5EE8<br />
Pslko - CER: A 1803 byte mutation of the Dark Avenger virus, and detected by the same<br />
pattern as the original.<br />
PSQR - CER: A mutation of Jerusalem with the signature changed to 'PSQR'. The<br />
infective length is 1715 (COM) and 1720 bytes (EXE).<br />
PSQR FCB8 0FFF CD21 3D01 0174 3B06 B8F1 35CD<br />
QMU-1513 - CR: This virus has not been analysed yet, but it appears to contain an entire<br />
boot sector.<br />
QMU-1513 5053 8BDA B000 4338 0775 FBB8 4F4D 3947<br />
Quiet - CR: 2048 bytes long. Not yet analysed.<br />
Quiet A12C 008E C0BB FFFF 4326 803F 0075 F926<br />
Rage - CR: Encrypted virus which overwrites sectors 0 through 225 of hard drives C to<br />
Z on the 13th of every month. Issues an 'are you there' call to test if VIREXPC.COM is<br />
in memory and if present, restores control to the host program. (VB Oct 91)<br />
Rage B9FD 018A 2451 8AC8 D2C4 5988 24FE C046<br />
Rape - CR: Two viruses with the same primary effect of overwriting the first 256 sectors<br />
of each drive. The shorter is 500 bytes long, but the longer one, which is 747 bytes long,<br />
has limited 'stealth-like' abilities: no increase in file length is visible if the DIR<br />
command is given while the virus is active in memory.<br />
Rape B980 00AC 3C61 7206 3C7A 7702 2C20 8844<br />
Rat - ER: This Bulgarian virus infects EXE files in a very unusual way by locating itself<br />
in the unused area between the header and the start of the program, preventing the<br />
increase in the file size. Most EXE files are immune to infection by this virus.<br />
Rat FCB8 2B35 CD21 8CDD 0E1F 012E 6A0A BE10<br />
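Two entries in this appendix describe viruses that hide without increasing the file length: Number of the Beast (above) keeps the displaced 512 bytes in the cluster slack beyond the logical end of file, and Rat lodges itself in the gap between the used part of the EXE header and the start of the load module. The following Python is a worked example added here, not code from the book or from Sophos: it computes both spaces from the file itself, which is the check a scanner needs to decide whether a given file even has room for such an infection. The MZ header it examines is constructed for the example and is not a real program.<br />

```python
import struct

# MZ (DOS EXE) header field offsets; the fixed fields occupy 0x00-0x1B.
E_CRLC = 0x06       # number of relocation entries
E_CPARHDR = 0x08    # header size in 16-byte paragraphs
E_LFARLC = 0x18     # file offset of the relocation table
FIXED_HEADER = 0x1C


def exe_header_gap(data: bytes) -> int:
    """Unused bytes between the end of the used header (fixed fields plus the
    relocation table) and the load module, which starts at e_cparhdr * 16.
    This is the space the Rat virus writes itself into."""
    if len(data) < FIXED_HEADER or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    (e_crlc,) = struct.unpack_from("<H", data, E_CRLC)
    (e_cparhdr,) = struct.unpack_from("<H", data, E_CPARHDR)
    (e_lfarlc,) = struct.unpack_from("<H", data, E_LFARLC)
    used = max(FIXED_HEADER, e_lfarlc + 4 * e_crlc)
    return max(0, e_cparhdr * 16 - used)


def rat_can_hide(data: bytes, virus_len: int) -> bool:
    """True when the EXE header has room for a virus of virus_len bytes; the
    appendix notes most EXE files do not, which this check makes explicit."""
    return exe_header_gap(data) >= virus_len


def cluster_slack(file_size: int, cluster_size: int) -> int:
    """Bytes left in the last cluster after the logical end of file."""
    if cluster_size <= 0 or file_size < 0:
        raise ValueError("sizes must be non-negative and cluster_size positive")
    return (-file_size) % cluster_size


def fits_in_slack(file_size: int, cluster_size: int, needed: int = 512) -> bool:
    """Whether Number of the Beast's 512 displaced bytes fit after EOF."""
    return cluster_slack(file_size, cluster_size) >= needed


def build_sample_exe() -> bytes:
    """Constructed minimal MZ image (not a real program): a 64-byte header
    (e_cparhdr = 4), two relocation entries at 0x1C, then a 16-byte load
    module beginning with int 20h. Total size 80 bytes."""
    hdr = bytearray(64)
    # e_magic, e_cblp (bytes on last page), e_cp (pages), e_crlc, e_cparhdr
    struct.pack_into("<2sHHHH", hdr, 0, b"MZ", 80 % 512, 1, 2, 4)
    struct.pack_into("<H", hdr, E_LFARLC, FIXED_HEADER)
    struct.pack_into("<HHHH", hdr, FIXED_HEADER, 0, 0, 0, 0)  # two empty entries
    return bytes(hdr) + b"\xcd\x20" + b"\x90" * 14


if __name__ == "__main__":
    exe = build_sample_exe()
    print("header gap:", exe_header_gap(exe), "bytes")
    print("room for a 28-byte body:", rat_can_hide(exe, 28))
    print("V512 fits after a 1000-byte file on 2K clusters:", fits_in_slack(1000, 2048))
```

Linkers of the period padded the header to a paragraph or page boundary, so the gap is usually a few dozen bytes at most; that is why the appendix can say most EXE files are immune to Rat, and a file whose gap exceeds the virus length deserves a closer look. The slack calculation shows why Number of the Beast leaves the directory length untouched: the displaced bytes sit past the end of file, where DIR never looks but the virus can still read them.<br />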
Raub - C?: Virus awaiting disassembly.<br />
Raub A3DC 03E8 9FFB 8CC8 8EC0 E804 FBBA 3F01<br />
Raubkopi - CR: This virus adds 2219 bytes in front of COM files, but much of that is<br />
occupied by a text message in German, directed against pirated software. The virus<br />
contains code to format the boot sector of the hard disk, but that code contains an error.<br />
Raubkopi 0500 013D 0002 7204 25FF 0142 B104 D3E8<br />
Revenge Attacker - CR: This virus produces a strange effect on some machines, as<br />
directories may appear corrupted, containing multiple copies of the same file. The major<br />
effect of this virus is the destruction of all files on the disk. It is 1127 bytes long, and<br />
reported to have originated in the Philippines.<br />
Revenge Attacker 7510 4080 3F00 750A 4080 3F00 7504 F8E9<br />
RNA - CEN: Like many other large viruses, this one is written in some high-level<br />
language, and adds itself in front of the files it infects. Version 1 is 7296 bytes long, and<br />
version 2 is 7408 bytes long.<br />
RNA (1) 1E57 C43E F601 0657 B800 2050 BFFF 011E<br />
RNA (2) 1E57 C43E 0C02 0657 B8F0 1C50 BF19 021E<br />
Diamond-Rock Steady - CER: This 666 byte mutation has been modified considerably.<br />
A number of 'garbage' instructions have been added, probably to bypass some scanner.<br />
The major effect has been changed - the virus now attempts to format the hard disk on the<br />
13th of any month.<br />
Rock Steady BF00 0150 5857 5058 AB50 58A4 95C3 EB1C<br />
Russian Mirror - CR: This vicious virus from Russia trashes disks. Infective length is<br />
482 bytes.<br />
Russian Mirror E89D FF80 FC4B 7403 E9C4 002E FE0E 6400<br />
Rybka - CER: This is a mutation of one of the Vacsina (TP-series) viruses. It may infect<br />
the same file over and over, increasing its size by 1344 bytes each time. Detected by the<br />
Vacsina pattern.<br />
Saddam - CR: This virus extends the file length by 917 to 924 bytes. Displays the<br />
following string (which is stored encrypted) 'HEY SADAM LEAVE QUEIT BEFORE I<br />
COME' after 8 requests for INT 21H. Resides in the area of memory not labelled as used,<br />
so large programs will overwrite it.<br />
Saddam BB00 0153 5052 1E1E B800 008E D8A1 1304<br />
Sadist - EN: This 1434 byte virus does not seem to do anything but replicate.<br />
Sadist 2EC6 045C B908 0046 4526 8A46 002E 8804<br />
SBC - CER: A polymorphic 1024 byte virus, with full stealth abilities hiding file size<br />
increases as well as file changes when active. This virus is not just a laboratory virus - it<br />
is spreading in Canada and the US. No search pattern is possible.<br />
Scion, Doomsday One, Null Set - CN: Naming this virus is slightly difficult - it has been<br />
named 'Null Set', but this name is far from being obvious. The author named it<br />
'Doomsday One', but the name 'Scion' is recommended, derived from the text 'A scion<br />
to none' which it contains. It is 733 bytes long, and has not been fully analysed, but<br />
contains potentially destructive code (INT 26H calls). The virus is encrypted, and as the<br />
decryption routine is very short, only a partial search string is possible.<br />
Scott's Valley - CER: This virus is closely related to the Australian Slow virus, using an<br />
almost identical encryption method. It is somewhat longer, 2126 bytes.<br />
Scott's Valley E800 005E 8BDE 9090 81C6 3200 B912 082E<br />
Screamer - CER: A 711 byte virus, which contains the text 'Screaming Fist'. Not yet<br />
analysed.<br />
Screamer 89D7 B02E B9FF 00F2 AEE3 2889 FE26 AD25<br />
Screamer II, Screaming Fist II - CER: Probably written by the same person as wrote the<br />
Screamer (Screaming Fist) virus, but more 'advanced'. The virus is now 838 bytes long<br />
and includes limited polymorphic ability, but can nevertheless be detected with a string<br />
containing wildcards.<br />
Semtex - CR: Infects every COM file opened or executed. Awaiting analysis.<br />
Semtex 8B3E 8400 268B 1686 008E C226 813D 9C50<br />
Sentinel - CER: This virus is written in Turbo Pascal and is 4625 bytes long.<br />
Sentinel FCAD 2EA3 0001 AC2E A202 0189 EC5D B800<br />
Sentinel 3 - CER: Infection length is 5173 bytes, but the virus hides the increase by<br />
intercepting find-first / find-next function calls. Written in Turbo Pascal in Bulgaria.<br />
Detected by the Sentinel-5 pattern.<br />
Sentinel 5 - CER: Infection length is 5402 bytes, but the virus hides the increase by<br />
intercepting find-first / find-next function calls. Written in Turbo Pascal in Bulgaria.<br />
Sentinel-5 B803 12CD 2F1E 0731 C989 CF49 D1E9 B82E<br />
September 18th - CEN: This virus activates on September 18th, after 7:00 AM,<br />
overwriting the hard disk. Two mutations are known, 789 and 801 bytes long, but the<br />
virus adds 1-16 extra bytes to programs before infecting them. These viruses may be<br />
related to the StarDot virus. Detected by the Italian 803 pattern.<br />
Seventh son - CN: A 332 byte virus which contains the text 'Seventh son of a seventh<br />
son'. It seems to do nothing but replicate.<br />
Seventh son 1F5A B824 25CD 215A B801 33CD 210E 0E1F<br />
Seventh Son 350, Seventh Son 284 - CN: Two slightly modified versions of the 332 byte<br />
virus which are 350 and 284 bytes long.<br />
Seventh son 350 73F3 1F5A B824 25CD 215A B801 33CD 210E<br />
Seventh son 284 56A5 A55E B800 33CD 2152 9940 50CD 21B8<br />
Sex revolution - MR: Two versions are known and they both contain the text 'EXPORT<br />
OF THE SEX REVOLUTION'. The virus is a mutation of the New Zealand virus and is<br />
detected by the New Zealand (2) pattern.<br />
Shadowbyte - CN: A 723 byte virus which is awaiting analysis.<br />
Shadowbyte 8B54 0183 C203 B442 CD21 89F2 83C2 03B9<br />
Shadowbyte-2 - CR: A 635 byte mutation of the Shadowbyte virus. When it activates it<br />
will format the beginning of the first hard disk in the system.<br />
Shadowbyte-2 B405 B280 B600 B500 B002 CD13 B405 B200<br />
Shake - CR: A primitive 476 byte virus which reinfects previously infected files.<br />
Infected programs sometimes reboot when executed. Occasionally, infected programs<br />
display the text 'Shake well before use !' when executed.<br />
Shake B803 42CD 213D 3412 7503 EB48 90B4 4ABB<br />
Shaker - CR: A mutation of Backtime, just like Blinker, and probably written by the<br />
same author. Produces a 'shaky' screen when an infected program is run. Detected by the<br />
Backtime pattern.<br />
SHHS - CN: A 585 byte overwriting virus. Extremely unlikely to spread, but contains<br />
code to trash the hard disk.<br />
SHHS 01C3 BB3E 01A0 0601 0AC0 740B 3007 4302<br />
Shirley - ER: A 4096 byte virus, probably from Germany, which contains several long<br />
text messages, including the string 'IWANTSHIRLEY'. Awaiting analysis.<br />
Shirley B887 4BCD 213D 6366 7566 2EA1 0E0E 8CDB<br />
Shirley-Vivaldi - ER: This is a mutation of the Shirley virus, with the same infective<br />
length as the original, 4096 bytes. As it is rather long, and does not seem interesting at all,<br />
it has not yet been analysed. Detected by the Shirley pattern.<br />
Simulation - CN: This is a variable length, self-modifying encrypted virus, which adds<br />
around 1300 bytes to the files it infects. When it activates it displays a message<br />
announcing the infection or a message which is normally associated with a different<br />
virus, such as April 1st (Suriv 1), Frodo, Datacrime or Devil's Dance. No search pattern<br />
is possible.<br />
Sistor - CER: Two viruses from the USSR. The 2225 byte mutation triggers after 16:00,<br />
displaying a familiar bouncing-ball/falling letters effect. The later mutation has been<br />
improved somewhat - it is not as obvious, and includes code to bypass interrupt<br />
monitoring programs.<br />
Sistor-2225 5BFA 891E 7000 8C06 7200 FB33 C08E D8B8<br />
Sistor-2380 5B33 C089 1E70 008C 0672 0033 C08E D8B8<br />
Skism - CER: A 1808/1813 byte minor mutation of Jerusalem. Detected by the Jerusalem-<br />
USA pattern.<br />
Slow - CER: This encrypted virus is a 1716 byte long mutation of the Jerusalem virus. It<br />
originates from Australia and its side-effect is reported to be a slow-down of the infected<br />
PC. No other side-effects are known, as the virus is awaiting analysis.<br />
Slow E800 005E 8BDE 9090 81C6 1B00 B990 062E<br />
Smack, Patricia - CER: A mutation of the HIV virus, containing a message for Patricia<br />
Hoffman. Two mutations are known, 1835 and 1841 bytes, both probably written by the<br />
same person, who calls himself 'Cracker Jack'. Both mutations can be detected by the<br />
HIV pattern.<br />
Smallv-115 - CN: A very small virus from Bulgaria. Does nothing of interest.<br />
Smallv-115 B802 3DCD 218B D8B9 0300 8BDS B43F CD21<br />
Smiley - CN: A 1983 byte virus which contains code to trash the hard disk. Not yet fully<br />
analysed.<br />
Smiley BB05 018B C881 E10F 00D1 E8D1 E8D1 E8D1<br />
Socha - CR: This 753 byte virus has not been fully analysed yet, but it contains code<br />
which will only be activated if the year is set to 1981.<br />
Socha C0BF F5FF 268B 0547 4726 3305 4747 2633<br />
Something - CR: A 658 byte virus, which attaches itself in front of COM files. It has not<br />
been fully analysed, but appears destructive, containing code to delete files.<br />
Something 8BD8 B9FF FF1E 5233 D22E 8E1E 8303 B43F<br />
South African, Friday the 13th, Miami, Munich, Virus-B - CN: Infective length is 419<br />
bytes, but some reports suggest mutations with an infective length between 415 and 544<br />
bytes. Does not infect files with the Read-Only flag set. Virus-B is a non-destructive<br />
mutation containing the South African 2 pattern. COMMAND.COM is not infected. Every<br />
file run on a Friday 13th will be deleted.<br />
S African 1 1E8B ECC7 4610 0001 E800 0058 2DD7 00B1<br />
S African 2 1E8B ECC7 4610 0001 E800 0058 2D63 00B1<br />
South African 408 - CN: A 408 byte version of the South African virus, partially<br />
rewritten to foil scanners, but with no new effects.<br />
S African 408 1E8B ECC7 4610 0001 E800 0058 2D5A 0090<br />
South African 416 - CN: Yet another minor mutation. The following search pattern can<br />
be used to detect all known mutations of this virus.<br />
S African 416 FF36 0301 FF36 0501 B43F B903 00BA 0301<br />
South African 623 - CN: This mutation of the South African Friday the 13th virus was<br />
discovered in New Zealand. It will activate on any Friday the 13th, just like the original,<br />
and is detected by the same pattern.<br />
Spanish Telecom - MCER: This encrypted virus contains a message by 'Grupo<br />
Holokausto' demanding 'lower telephone tariffs, more services'. It proclaims to be an<br />
'Anti-CTNE' virus, where CTNE is 'Compania Telefonica Nacional Espana'. A message<br />
in English states that the virus was programmed in Barcelona, Spain. The master boot<br />
sector part of the virus counts the number of times the PC is rebooted and triggers after<br />
400 boots, overwriting all data on the first two fixed disks. This is a stealth virus: the boot<br />
sector is substituted and the length of infected files is subtracted. The original MBS is<br />
stored in Head 0, Cylinder 0, Sector 7. (VB Jan 91)<br />
Spanish Head 1 8B1D B200 83FB 0074 18BF 5500 B2<br />
Spanish Head 2 83ED 09BE 2001 03F5 FCB6<br />
Spanish Trojan BB00 7C33 C0FA 8ED0 8BE3 FB8E D8A1 1304<br />
Spanish Telecom 2 - MCER: A mutation of the Spanish Telecom virus. The virus is<br />
self-encrypting and self-modifying. No search pattern is possible.<br />
Spanz - CN: A 639 byte virus. All infected files end with 'INFECTED! * SPANZ *'.<br />
Virus searches the current directory followed by path for the first uninfected COM file.<br />
If the copy of the virus is more than 6 months old, the virus changes the volume label of<br />
the current disk to 'INFECTED!' if the test is performed in the first second of any<br />
minute. (VB Feb 92)<br />
Spanz 8D9C 7D03 0683 BC76 0300 7415 8B84 7403<br />
Sparse - CR: This virus is 3840 bytes long, but most of it contains zero bytes. It has no<br />
interesting side-effects.<br />
Sparse FF0F CD21 50B4 3DB0 02CD 2189 C3B4 42B9<br />
Squawk - CER: An 852 byte virus from Asia, which is easy to discover, as an infected machine<br />
will produce a high-pitch sound.<br />
Squawk 4B8E DBA1 0100 0306 0300 3B06 1200 722F<br />
Squeaker - CER: A 1091 byte virus awaiting analysis.<br />
Squeaker 80FC 7F75 03B4 80CF 80FC 4B74 052E FF2E<br />
Staf - CN: A 2083 byte 'demonstration' virus, which seems to have no harmful effects.<br />
The virus contains the following text: Virus Demo Ver.: 1.1- Handle with care! By STAF<br />
(Tel.: (819)595-0787).<br />
Staf 89D3 33F6 8038 0074 0343 EBF8 C600 245A<br />
Stahlplatte - CR: This 750 byte virus is awaiting analysis.<br />
Stahlplatte 0E58 BB00 7F39 D872 03E9 4701 8EC3 BE00<br />
Stardot-600 - EN: This virus may be related to the 'September 18th' viruses. It is<br />
destructive, and will overwrite the beginning of each logical drive when activated.<br />
Stardot-600 32F6 B908 0033 DB51 B901 00D1 C250 CD26<br />
StinkFoot - CN: This virus from South Africa uses instructions which do not exist on<br />
8088/8086 and it will crash on such machines. It adds 259 bytes to the beginning of files,<br />
and 995 bytes at the end.<br />
StinkFoot 600E 59BA 0400 B435 B024 CD21 061F 890F<br />
Striker 1 - CN: A 461 byte virus, which has not been analysed yet. It contains an error<br />
which causes incorrect infection of COM files shorter than 13 bytes.<br />
Striker 1 5A8B 4606 39C2 7403 42EB E840 8946 06A0<br />
Stupid-Profesor - CR: Almost identical to the SADAM mutation, but the text string has<br />
been changed to 'The Profesor is in town ag<strong>ai</strong>n'. Detected with the SADAM (Saddam)<br />
pattern.<br />
Subliminal - CR: This 1496 byte virus is probably an earlier version of the Dyslexia<br />
virus. When active, the virus will attempt to flash the message 'LOVE, REMEMBER' on<br />
the screen for a fraction of a second, which is too short to be easily noticed.<br />
Subliminal AE26 3805 E0F9 8BD7 83C2 0306 1F2E C706<br />
Sunday - CER: Variation of Jerusalem. Infective length is 1631 bytes (EXE) and 1636<br />
(COM). Activates on Sunday and displays the message 'Today is SunDay! Why do you work<br />
so hard? All work and no play make you a dull boy.'. There are unconfirmed reports of<br />
FAT damage on infected systems.<br />
Sunday FCB4 FFCD 2180 FCFF 7315 80FC 0472 10B4<br />
Suomi - CN: A 1008 byte virus from Finland, which uses self-modifying encryption, like<br />
the 1260 virus. The virus seems to disinfect previously infected files under certain<br />
conditions, but COMMAND.COM seems to remain permanently infected. No harmful<br />
side-effects have been reported, but the virus is awaiting disassembly. No search pattern<br />
is possible.<br />
Suriv 1.01, April 1st COM - CR: A precursor to Jerusalem infecting only COM files with<br />
the virus positioned at the beginning of the file. Infective length is 897 bytes. If the date<br />
is 1st April, the virus will display 'APRIL 1ST HA HA HA YOU HAVE A VIRUS' and<br />
the machine will lock. If the date is after 1st April 1988, the virus produces the message<br />
'YOU HAVE A VIRUS !!!' but the machine will not lock. The virus is memory resident<br />
and will not infect COMMAND.COM. (VB Aug 89)<br />
Suriv 1.01 0E1F B42A CD21 81F9 C407 721B 81FA 0104<br />
Suriv 1-Argentina - CR: This mutation of the April 1st virus was reported in Argentina.<br />
It is 1249 bytes long, and may display messages on various dates which are of patriotic<br />
significance in Argentina.<br />
Suriv 1-Argenti 0E1F B42A CD21 81FA 1905 7415 81FA 1406<br />
Suriv 1-Anti-D - CR: This mutation of the Suriv 1 or 'April 1 st' virus was discovered in<br />
Argentina. It is 945 bytes long and interferes with the 'D' key on the keyboard.<br />
Suriv 1-Anti-D 0E1F C606 4801 00B4 2ACD 2181 F9C4 0772<br />
Suriv 1-Xuxa - CR: Yet another Suriv 1 mutation from Argentina. It is reported to play<br />
music between 5PM and 6PM. Infective length is 1413 bytes.<br />
Suriv 1-Xuxa 0E1F B42A CD21 81F9 C407 720D 81FA 0208<br />
Suriv 2.01, April 1 st EXE - ER: A precursor to Jerusalem infecting only EXE files with<br />
the virus positioned at the beginning ofthefile. Infective length is 1488 bytes. Ifthedate<br />
is 1 st April, the virus will display 'APRIL 1 ST HA HA HA YOU HAVE A <strong>VIRUS</strong>'. If the<br />
yearis 1980 (DOS default) or the day is Wednesday after IstApril 1988, the machine will<br />
lock one hour after infection. (VB Aug 89)<br />
Suriv 2.01 81F9 C407 7228 81FA 0104 7222 3C03 751E<br />
Suriv 3.00, Israeli - CER: An earlier version of Jerusalem infecting COM and EXE files<br />
and displaying the side-effects 30 seconds after infection instead of 30 minutes. Infective<br />
length is 1813 bytes (COM) and 1808 bytes (EXE). Program delete does not work.<br />
(VB Aug 89)<br />
Suriv 3.00 03F7 2E8B 8D15 00CD 218C C805 1000 8ED0<br />
Surrender, Jews - CER: A 513 byte Russian virus, cont<strong>ai</strong>ning the text 'Jews never<br />
surrender!'. Aw<strong>ai</strong>ting analysis.<br />
Surrender 061F B800 43CC 51B8 0143 33C9 CCB8 023D<br />
SVC-1740 - CER: This 1740 byte virus is closely related to the 1689 byte mutation (SVC<br />
4.0), and is detected by the same pattern.
SVC 3.1 - CER: This 1064 byte virus is probably an older version of the SVC virus.
SVC 3.1 C39D BA90 19CF 5A1F EBBD 33C0 8EC0 26C4
SVC 4.0 - CER: A Russian, 1689 byte virus, containing the following message '(c) 1990 by SVC,Vers. 4.0'. The virus attempts to avoid detection by the use of 'stealth' methods, so any increase in file length is not visible while the virus is active in memory.
SVC 4.0 7416 80FC 1174 0E80 FC12 7409 9D2E FF2E
SVC 5.0 - CER: An improved version of the earlier SVC viruses, and fully 'stealth'. (VB Dec 91)
SVC 5.0 5606 86E0 35FF FF8E C00E 1F33 FFB9 990B
SVC 6.0 - MCER: A 4644 byte stealth multi-partite virus. The original Master Boot Sector is not stored anywhere. Virus code is copied to Sectors 1 to 11 of Track 0, Head 0. (VB Dec 91)
SVC 6.0 33D2 B484 CD21 5E56 81FA 9019 750A 2E3A
Sverdlov - CER: A Russian, 1962 byte virus, using a simple XOR-encryption.
Sverdlov 2D00 03FE 2E30 0547 E2FA E800 005E 83EE
Svir - EN: A simple 512 byte virus with no side-effects. Svir means 'music' in Bulgarian.
Svir 33F6 4626 8B0C E302 EBF8 8BD6 83C2 04E8
SVS - CR: This virus has been reported elsewhere as 'Terminator', but that name should be avoided, as it conflicts with the other Terminator viruses. It is 526 bytes long and activates on December 25th, when it displays the message 'TERMINATOR 1991. Made by SVS-009'.
SVS B104 D3EB 83C3 11B4 4ACD 21D3 E34B 4B8B
Swami, Guru, Bhaktivedanta - CER: A 1250 byte 'Murphy' mutation containing the text 'Bhaktivedanta Swami Prabhupada (1896-1977)'. Detected by the 'HIV' pattern.
Swap - DR: Does not infect until ten minutes after boot. Creates one bad cluster on track 39, sectors 6 & 7 (head unspecified). Uses 2K of RAM. Infects floppy disks only. Does not store the original boot sector anywhere. Virus creates a display similar to Cascade, but is transmitted via boot sector.
Swap 31C0 CD13 B802 02B9 0627 BA00 01BB 0020
Swedish Disaster - MR: The name is derived from the text inside the virus. The virus is awaiting analysis.
Swedish 0102 BB00 02B9 0100 2BD2 9C2E FF1E 0800
Swiss-143 - CN: A simple 143 byte virus with no interesting effects.
Swiss-143 B44F 8BD5 EBBC C646 0000 45C7 4600 0D00
Sylvia - CN: The virus displays messages including 'This program is infected by a HARMLESS Text-Virus V2.1', 'You might get an ANTIVIRUS program ' when an infected program is executed, but if the above text is tampered with, the (encrypted) messages 'FUCKYOU LAMER !!!!', 'system halted....$' will be displayed. The victim is told to send a 'funny postcard' to a genuine address of a Dutch woman called Sylvia. When an infected program is run, the virus will look for five COM files on drive C and the current drive. COMMAND.COM, IBMBIO.COM and IBMDOS.COM are not infected. The virus adds 1301 bytes to the beginning of the infected files and 31 bytes at the end.
Sylvia CD21 EBFE C3A1 7002 A378 0233 C0A3 9E02
Sylvia-2 - CN: This version of the Sylvia virus has been patched to avoid detection, but appears functionally equivalent to the Sylvia virus. It is 1332 bytes long, just as the original, and detected by the 'Sylvia' pattern.
Sylvia B - CR: A rewritten version of the Sylvia virus, but of the same length. Detected by the Sylvia pattern.
Sylvia Hong Kong - CN?: A message 'to help Hong Kong in 1997' is incorporated in this virus. Mutation of Sylvia but sample does not replicate.
Sylvia-HK CD21 EBFE C3A1 8302 A38B 0233 C0A3 B102
Syslock - CEN: This encrypted virus attaches itself to the end of a COM or an EXE file. Infective length is 3551 bytes. It infects a program one in four times when executed. Will not infect if the environment contains SYSLOCK=@.
Syslock 8AE1 8AC1 3306 1400 3104 4646 E2F2 5E59
Tabulero - ER: A 2048 byte virus, which bears some resemblance to the Jerusalem virus, but is not directly derived from it. Not yet analysed.
Tabulero 2E8B 4702 2E89 052E 8B47 042E 8945 022E
Tack - CN: A simple 449 byte virus, which may display the message 'Hello, I am virus'. The virus appends itself to the end of infected files, and overwrites the first six bytes, but only restores the first five, which may result in unpredictable behaviour of infected files.
Tack 5850 0500 01A3 3C02 C706 3E02 FFE0 C606
Taiwan - CN: The virus activates on the 8th day of every month and overwrites the FAT and the root directory of drives C and D. Two versions are known with different infection lengths: 708 and 743 bytes.
Taiwan 07E4 210C 02E6 21FB B980 0033 F6BB 8000
Taiwan (2) 07E4 210C 02E6 21FB B980 00BE 0000 BB80
Taiwan-C - CN: A new 752 byte mutation of the Taiwan virus. The major effect is unchanged - destruction of the FAT and root directory on C: and D:
Taiwan-C 0B00 33F6 BB80 008B 0050 4646 E2F9 FE06
Taiwan-D - CN: Closely related to Taiwan-C, but only 677 bytes. It can be detected by the same search pattern.
Tenbyte, Valert - CER: This virus was posted by accident to the V-ALERT electronic mail list recently. Adds 1554 bytes to infected files. Activates on 1st September corrupting data written to disk.
Tenbyte 1E0E 1F8D 36F7 04BF 0001 B920 00F3 A42E
Tequila - EMR: An encrypted, multi-partite, self-modifying virus from Switzerland. Contains encrypted text 'Welcome to T.TEQUILA's latest production', 'Contact T.TEQUILA/P.o.Box 543/6312 St'hausen/Switzerland'. No pattern for infected files is possible, but the boot sector does not change. The original master boot sector is stored in the first sector after the end of the first partition, which is decreased by 6 sectors after infection. Displays a crude Mandelbrot set pattern on screen. (VB June 91). Original MBS is stored in the first sector after the end of the partition as recorded in the partition table.
Tequila boot B82A 0250 B805 028B 0E30 7C41 8B16 327C
Terminator 918 - CR: Overwrites original program. Awaiting analysis.
Terminator 918 FA8C C88E D8C6 0678 0200 B435 B0FE CD21
Terminator 1501 - CR: 1501 byte overwriting virus without any stealth features.
Terminator 1501 FAB8 0000 8EC0 BB6C 0426 8B07 0538 00A3
Terror - CER: This Bulgarian virus has not been analysed yet.
Terror 2E8C 1E41 0550 B859 ECCD 213B E875 3E0E
Testvirus B - CN: This 1000 byte virus is clearly written for demonstration purposes, as it asks the user if it should infect all COM files in the current directory or not. It has no harmful side-effects.
Testvirus B 018A 1780 FA00 7501 C3CD 2143 E2F3 2EA1
Thursday 12th - CER: An encrypted virus from Germany which triggers every Thursday 12th, popping up a window with a warning that the next day is Friday 13th. Calls itself VirCheck V1.2 (C)1991. Text includes 'thanks' to various virus researchers. Avoids infecting any files matching patterns 'SCAN', 'CLEAN', 'VIR', 'ARJ', 'FLU', 'COMMAND'.
Thursday 12th BE0F 01B9 5501 E8BD FFBE 6D02 B9D4 01E8
Tic - CN: A simple 109 byte virus which does nothing but replicate.
Tic B44E EB06 B43E CD21 B44F 0E1F CD21 B91E
Timeslice, 2330 - CER: A 2330 byte virus, written in the USSR. It does not appear to do anything but replicate, but the infection mechanism is rather unusual, as the virus intercepts INT 28H and therefore infects at irregular intervals.
Timeslice 1E8E C64E 8EDE C745 0108 0009 C975 0581
Timid - CN: Two mutations of this 'Little Black Book' virus are now known - 305 and 306 bytes long. Both are very obvious, but as the source code is available, they can easily be modified.
Timid-306 8B16 FCFF 83C2 00B9 3F00 B44E CD21 0AC0
Timid-305 8B16 FCFF B93F 00B4 4ECD 210A C075 0BE8
Tiny - CN: A mutation of the Kennedy virus only 163 bytes long. It has no side-effects other than replication. (VB Sept 90)
Tiny 408D 94AB 01B9 0200 CD21 B43E CD21 FFE5
Tiny DI - CN: Four new mutations of the family which was previously called Mutant. The viruses are 94, 101, 108 and 110 bytes long and do nothing but replicate. Only the 110 byte mutation works correctly - the shorter mutations are not able to infect most files correctly, but simply destroy them.
Tiny DI (01) B802 3DCD 218B D806 1F8B D749 B43F CD21
Tiny DI (02) B802 3DCD 218B D806 1F8B D733 C949 B43F
Tiny Family - CR: This is a family of at least 10 Bulgarian viruses, which includes the shortest viruses now known. The viruses are not related to the Danish 'Tiny' virus, but just like it, they do nothing but replicate. The lengths of mutations range from 133 to 198 bytes.
Tiny Family (1) CD32 B43E CD32 071F 5F5A 595B 582E FF2E
Tiny Family (2) 2687 85E0 FEAB E3F7 931E 07C3 3D00 4B75
Tiny Family-Ghost - CR: This virus differs from the other members of the Tiny family in two ways. It is fairly long, 330 bytes, and it has one effect other than replicating - it will display the message 'This scan program can't find me I'm a GHOST in your machine!!', if it detects the execution of a virus scanner.
Tiny-Ghost 9191 2687 85E0 FEAB E3F7 931E 07C3 3D00
Tokyo - EN: A 1258 byte virus, which is reported to have originated in Japan. It has not been fully analysed, but appears to do nothing interesting.
Tokyo B42F CD21 8C06 0600 891E 0400 0E07 8D16
Tony - CN: This 200 byte Bulgarian virus will only infect files with a name starting with 'B' on the first day of any month. On the second day it will only infect files with a name beginning in 'C' and so on. The virus uses some curious undocumented features, but does nothing of particular interest.
Tony CC8C C880 C410 8EC0 BE00 0133 FF8B CEF3
TPworm - PN: A 'companion' virus written by the author of the Vacsina and Yankee Doodle viruses. The virus has been distributed in the form of 'C' source code. The infective length and hexadecimal patterns, hence, depend on the 'C' compiler used.
TPWorm - EN: This Bulgarian virus was first made available in source form only, but now an executable has appeared as well. It is 12969 bytes long, but because of the unreliability of search patterns for HLL viruses (they would be invalidated if the code was compiled with a new compiler) no pattern can be used.
Traceback, Spanish - CER: This virus attaches itself to the end of a COM or EXE file. Infective length is 3066 bytes. It becomes memory-resident when the first infected program is run and will infect any program run. If the date is 5th December or later, the virus will look for, and infect one COM or EXE file either in the current directory or the first one found, starting with the root directory. If the date is 28th December 1988 or later, the virus produces a display similar to Cascade one hour after infection. If nothing is typed, the screen restores itself after one minute. This display will repeat every hour. Spanish is an earlier version with a reported infective length of 2930 or 3031 bytes. (VB Sept 89)
Traceback B419 CD21 89B4 5101 8184 5101 8408 8C8C
Spanish E829 06E8 E005 B419 CD21 8884 E300 E8CE
Traceback-3029 - CER: This is the first new member of the Traceback family to appear. Not fully analysed, but does not appear to be significantly different from the other known mutations.
Traceback-3029 B419 CD21 89B4 5101 8184 5101 5F08 8C8C
Trackswap - DR: A small Bulgarian master boot sector virus, which is awaiting analysis.
Trackswap FBA1 1304 48A3 1304 B106 D3E0 8EC0 06BD
Traveller Virus - CER: A 1220 byte virus which infects COM (including COMMAND.COM) and EXE files. Infection is via Function 4Bh (LOAD AND EXECUTE) and Function 36h (GET FREE SPACE). When a LOAD AND EXECUTE call is issued, a program and one other file in current directory are infected. When GET FREE SPACE request is issued (eg. by the DIR command) one file in current directory is infected. Infection marker is the seconds field set to 62 and COM files will increase in size by 1220 bytes and EXE files by 1237 to 1251 bytes. The message '!!!!!!!-» Traveller (C) BUPT1991.4 Don't panic I'm harmless «-!!!!!!!' flashes bright and dim green on blue background on line 13 of the screen after 23 infections and thereafter every twentieth infection.
Traveller A303 0029 1612 00A1 1200 8EC0 0E1F 8BDE
Trilogy - ?: Virus awaiting disassembly.
Trilogy 9C55 568C CD83 C50A 8DB6 F6FF 56BE 2601
Trivial-30D - CN: Yet another attempt to create the smallest overwriting virus. Does nothing but replicate.
Trivial-30D CD21 BA9E 00B8 013D CD21 938B D6B1 1EB4
Trivial-38 - CN: Yet another 'minimalist' virus - does nothing but replicate by overwriting the beginning of other programs.
Trivial-38 3DCD 2193 B126 BA00 01B4 40CD 21B4 4FEB
Trivial-44 - CN: Yet another non-interesting overwriting virus from Bulgaria.
Trivial-44 023D CD21 8BD8 B92C 00BA 0001 B440 CD21
Trivial-Hastings - CN: This overwriting virus is 200 bytes long, but most of that code is taken up by a long text message. The virus does nothing but replicate.
Hastings B802 3DBA F001 CD21 720C 8BD8 B440 B9C8
Troi - CR: A very simple, 322 byte virus, which does nothing but replicate.
Troi 0157 A5A4 C32A C0CF 9C80 FCFC 7504 B0A5
Tula-419 - CER: Probably a Russian virus. It is 419 bytes long and will only infect on machines with a colour display.
Tula-419 B43F CD21 7225 BEA0 0FAC 3C4D 7505 AC3C
Tumen - CR: Two mutations are known of this virus. Version 0.5 is 1663 bytes long and plays a tune when Ctrl-Alt-Del is pressed. Version 2.0 is 1092 bytes long, but has not been fully analysed.
Tumen 8CC8 488E D881 2E03 0000 0181 2E12 00
Tumen 1.2 - CR: A 1225 byte member of the Tumen family. Detected by the pattern for the other two mutations.
TUQ, RPVS - CN: A simple virus from West Germany without side-effects. Infective length is 453 bytes.
TUQ 5653 8CC8 8ED8 BE01 012E 8B04 0503 0157
Turbo 448 - CR: A 448 byte Hungarian virus which will infect COM files when they are opened, for example by a virus scanner, but not when they are executed. The virus contains the text 'Udv minden nagytudasunak! Turbo @\
Turbo 448 890E 0201 8CD8 8EC0 5958 BB00 01FF E3A1
Turbo Kukac - CR: A 512 byte virus, which resembles the Turbo 448 virus, but is somewhat longer, 512 bytes. COMMAND.COM will crash, if infected with this virus.
Turbo Kukac FFE3 8CD8 488E D8A1 0300 2D41 00A3 0300
TV-730 - ER: A 730 byte virus, which has also been named Ontario-730, but this name was rejected because the virus does not seem related to another virus named 'Ontario'. Not fully analysed, but contains code to trash the hard disk.
TV-730 BF00 01B8 6E4B CD21 3D54 5675 0AC7 05EB
Twin - ERP: Companion virus with no payload. Likely to crash where an infected file is larger than about 64K.
Twin B810 FFCD 213C 0775 07E8 2500 B44C CD21
Typo, Typo COM, Fumble - CR: Infects all COM files in the current directory on odd days of every month. If typing fast, substitutes keys with the ones adjacent on the keyboard. Infective length is 867 bytes. (VB Apr 90)
Typo 5351 521E 0656 0E1F E800 005E 83EE 24FF
USSR-311 - CN: A 311 byte virus, which does not seem to do anything else apart from replicating.
USSR-311 8BF2 83C6 0203 C12D 0300 0500 0189 04B4
USSR-492 - CR: A Bulgarian virus which has not been analysed. The only available sample seems to be corrupted.
USSR-492 2E8B 1E01 0183 C303 B104 D3EB 8CD8 03C3
USSR-516, Leapfrog - CR: This 516 byte Russian virus is the first virus which does not modify the beginning of the programs it infects, but places the jump to the virus code inside the host program.
USSR-516 431E 53C5 1F46 5F07 8B07 3DFF FF75 F283
USSR-600 - CR: An encrypted, 600 byte Russian virus.
USSR-600 BE10 01B9 3200 8A24 80F4 DD88 2446 E2F6
USSR-696 - CN: A 696 byte Russian virus awaiting analysis.
USSR-696 3C00 7412 8CC8 B10F D3E0 3D00 8074 07BA
USSR-707 - CR: A 707 byte Russian virus awaiting analysis.
USSR-707 83C3 0F33 C08E C033 F68C C040 3DFF 0F76
USSR-711 - CR: A 711 byte Russian virus awaiting analysis.
USSR-711 C88E C08E D833 C08B F0BF 0000 BB00 01FF
USSR-948 - CER: A Russian, 948 byte virus, which seems partially based on the Yankee virus.
USSR-948 5051 56B9 FF00 FC8B F28A 0446 3C00 E0F9
USSR-1049 - CER: A 1049 byte Russian virus awaiting analysis.
USSR-1049 EB10 8CDA 83C2 102E 0316 2000 522E FF36
USSR-1594 - EN: A 1594 byte virus which uses a self-modifying algorithm. No fixed search pattern is possible.
USSR-2144 - CER: A 2144 byte Russian virus, not yet analysed.
USSR-2144 1E06 33C0 8ED8 FB2E 8B94 1000 EC34 03EE
V-1 - DCR: This virus is one of the first to infect both the boot sector and programs. It is 1253 bytes long and destructive. When activated, it overwrites the disk with garbage.
V-1 8EC0 26A1 1304 4848 503D 0001 7203 2D3E
V2P2 - CN: This virus, written by Mark Washburn, is closely related to the 1260 virus, but is more complicated. It will, for example, add a random number of 'garbage' bytes to the programs it infects, to make identification more difficult. No search pattern is possible.
V2P6 - CN: This virus is written by the same author as 1260 and V2P2, but is longer and more complicated. It uses several different encryption methods, which makes it impossible to provide a search pattern.
V472 - CR: A 472 byte virus, probably from Eastern Europe, which does nothing but replicate.
V472 01D6 31DB 8EC3 BB84 0026 8B0F 890C 4646
Vacsina - CER: Infective length is 1206 to 1221 bytes (COM) and 1338 to 1353 bytes (EXE). After successful infection of a COM file, a bell is sounded. Infects any file loaded via INT 21H function 4BH (load and execute), i.e. COM, EXE, OVL and APP (GEM) files. Checks version number of itself (current is 5) and replaces with newer code. A member of the 'Bulgarian 50' (see Yankee). (VB June 90, May 92)
Vacsina (1) 8CC8 8ED8 8EC0 8ED0 83C4 02B8 0000 502E
Vacsina (2) E800 005B 2E89 47FB B800 008E C026 A1C5
Vcomm - ER: This virus first increases the length of infected programs so that it becomes a multiple of 512 bytes. Then it adds 637 bytes to the end of the file. The resident part will intercept any disk write and change it into a disk read.
Vcomm 80FC 0375 04B4 02EB 0780 FC0B 7502 B40A
VCS 1.0 - CN: A 1077 byte virus which will delete AUTOEXEC.BAT and CONFIG.SYS when it activates. Generated by a German program called 'Virus Construction Set' (VCS) which allows the incorporation of a user-specified message into the virus.
VCS 1.0 89FE AC32 C4AA E2FA C35E 81EE 0301 56E8
VCS-Manta - CN: A virus generated by the VCS program. Detected by the VCS 1.0 pattern.
VCS-VDV-853 - CN: This virus is detected by the same pattern as the VCS 1.0 virus, but is somewhat different; for example, it is only 853 bytes long. Not yet analysed.
VFSI - CN: A simple 437 byte Bulgarian virus.
VFSI 100E 1FB8 001A BA81 00CD 21BE 0001 FFE6
Victor - CEN: A 2442 byte virus from the USSR which is awaiting disassembly. The only known damaging effect is the corruption of the FAT.
Victor 8CC8 8BD8 B104 D3EE 03C6 50B8 D800 50CB
Vienna, Austrian, Unesco, DOS62, Lisbon - CN: The virus infects the end of COM files. Infective length is 648 bytes. It looks through the current directory and the directories in the PATH for an uninfected COM file. One file in eight becomes overwritten. Seconds stamp of an infected file is set to 62. A number of mutations, shorter than the original, but functionally equivalent, have been reported in Bulgaria.
Vienna-534B - CN: A member of the W13 group in the Vienna family - closely related to 534A, and detected with the W13 pattern.
Vienna-618 - CN: Detected with the Vienna (1) pattern.
Vienna-621 - CN: This mutation is detected with the Vienna (4) pattern. It is similar to the original virus, but instead of overwriting programs with an instruction that resets the computer, it overwrites them with the instruction JMP C800:0000, which may cause a low-level format of the hard disk on certain machines.
Vienna-622 - CN: A new version of the Vienna virus from Bulgaria. It is detected by the Vienna (4) pattern.
Vienna-625 - CN: A minor mutation of Vienna. Detected by the Vienna (4) pattern.
Vienna-637 - CN: Very similar to the original version, and detected with the Vienna (1) pattern.
Vienna (1) 8BF2 83C6 0A90 BF00 01B9
Vienna (2) FC8B F281 C60A 00BF 0001 B903 00F3 A48B
Vienna (3) FC89 D683 C60A 90BF 0001 B903 00F3 A489
Vienna (4) FC8B F283 C60A BF00 01B9 0300 F3A4 8BF2
Vienna (5) CD21 0E1F B41A BA80 00CD 2158 C3AC 3C3B
Vienna (6) 8E1E 2C00 AC3C 3B74 093C 0074 03AA EBF4
Vienna-644 - CN: A 644 byte version of the Vienna virus, which does not infect programs every time it is run.
Vienna-644 BF00 01FC A5A5 A58B F252 B42C CD21 5A80
Vienna-644B - CN: Very closely related to the original 648 byte mutation, but slightly shorter. Detected with the Vienna (1) pattern.
Vienna-645 - CN: A 645 byte mutation of Vienna, detected by the Vienna (1) pattern.
Vienna-645B - CN: Closely related to the Vienna-645 virus. Detected with the Ghostballs pattern.
Vienna-656 - CN: A non-remarkable 656 byte mutation.
Vienna-656 895C 018C 4403 07BA 6000 01F2 B41A CD2X
Vienna-712 - CN: This mutation seems most closely related to the Dr Q. mutation, and just like it, it uses limited encryption. It is detected with the Vienna (4) and Dr Q. patterns.
Vienna-726 - CN: A 726 byte mutation, detected by the Vienna (4) pattern.
Vienna-733 - CN: An encrypted mutation of Vienna. It activates if an infected program is run on the second day of the month and produces a high-pitch sound.
Vienna-733 89D6 81EE F201 89F7 B956 01FC ACFE C0AA
Vienna-776 - CN: A 776 byte mutation. Not fully analysed, but appears to do nothing of particular interest. One very similar 757 byte mutation has also been found.
Vienna-776 B44E BADD 0003 D6B9 0300 CD21 EB04 B44F
Vienna-757 B44E BA5B 0003 D6B9 0300 CD21 EB04 B44F
Vienna-822 - CN: The effects of this mutation have not been fully determined, but seem to involve the boot sector. It is detected by the pattern for GhostBalls.
Vienna-Betaboys - CN: This 679 byte mutation was written in Sweden, or possibly in Finland. It activates in February of any year, trashing the beginning of drives C, D and E.
Betaboys 90AC B900 80F2 AEB9 0400 ACAE 75EA E2FA
Vienna-Dr. Q - CN: An 1161 byte mutation, which includes encryption of the data area. Not yet analysed.
Vienna-Dr. Q 8E06 2C00 BF00 005E 5683 C61A ACB9 0080
Vienna-Dr. Q1028 - CN: Very similar to the 1161 byte version and detected by the same search pattern. 1028 bytes long.
Vienna-Infinity - CN: A 732 byte Vienna mutation, with only one unusual feature: it will not infect files if the PSQR virus is active in memory.
Vienna-Infinity ACB9 0080 F2AE B904 00AC AE75 EDE2 FA5E
Vienna-Kuzmitch - CN: An encrypted, variable-length mutation of the Vienna virus, which contains a block of text in Russian. The base length of the virus is 810 bytes. No simple search pattern is possible. Second-generation copies of this virus do not always seem able to replicate.
Vienna-Mob 1 a - CN: A 1024 byte Canadian member of the Vienna family. Detected by the Parasite 2 pattern.
Vienna-Parasite - CN: Yet another Vienna mutation of Canadian origin - 1132 bytes long. Version 2B of this virus is presumably written by the same author, but is only 903 bytes long. Detected by the Parasite 2 pattern.
Vienna-Parasite-2 - CN: 901 bytes, closely related to the Parasite and Parasite-2B mutations.
Parasite 2 ACB9 0080 F2AE B904 00AC AE75 EDE2 FA5E
Vienna-Polish 634 - CN: This modified version is detected by the Vienna (1) pattern.
Vienna-Violator-B2 - CN: This 969 byte mutation is not new, and is not expected to become a serious threat, as it only works properly for a single generation - after that copies seem to be corrupted.
Vienna-Viola-B2 90AC B900 80F2 AEB9 0400 ACAE 75ED E2FA
Vienna-Viperize - CN: One more non-remarkable Vienna mutation - 934 bytes long.
Vienna-Viperize FC8B F290 83C6 0A90 90BF 0001 90B9 0300
Vindicator - CR: A 734 byte virus, which can be found at the beginning of infected files. Probably of Russian origin. Awaiting analysis.
Vindicator FAB8 0010 F6E7 0500 B88E D831 F6B8 2000
Violator - CN: This is an unusually long mutation of the Vienna virus. It is 1055 bytes long and it activates on 15th August. The virus is awaiting analysis. (VB Apr 91)
Violator BF00 01F3 A48B F2B4 30CD 213C 0075 03E9
Violator-B - CN: This 716 byte mutation is detected by the Violator pattern.
Violator-B3 - CN: An 843 byte virus, related to the Violator and Christmas Violator viruses, and probably written by the same authors.
Violator-B3 803E D003 0274 0B80 3ED0 0303 7407 C3CD
Violator-D - CN: Infectious length is 969 bytes. Awaiting analysis.
Violator-D BF00 01F3 A48B F2B4 30C6 0656 0401 90E8
Violetta - CR: This 3840 byte virus contains some of the least interesting pieces of code of any virus - it shows a remarkable lack of talent. Not fully analysed.
Violetta B425 B0FF 061F 89DA CD21 0E1F B425 B021
Violetta-1024 - CN: Probably just an earlier mutation of the Violetta virus. This mutation has also been reported as 'Thimble'. Detected by the Violetta pattern.
Virdem - CN: This virus was published in the R. Burger book 'Computer Viruses - A High Tech Disease'. Originally intended as a demonstration virus, but now also found in the wild. Infective length is 1336 bytes. Two versions are known to exist with texts in English and German. (VB July 90)
Virdem BE80 008D 3EBF 03B9 2000 F3A4 B800 0026
Virdem-1 BE80 008D 3ED7 03B9 2000 F3A4 B800 0026
Virdem-Gen 434B 7409 B44F CD21 72AC 4B75 F7B4 2FCD
Virdem-792 - CN: A destructive mutation of the Virdem virus, which will overwrite the first 5 sectors on all disks when it activates.
Virdem-792 431E 8CC0 8ED8 8BD3 B43B CD21 1FBE 5203
Virdem-824 - CN: A new uninteresting member of the Virdem family. It can be detected by the same pattern found in all the other Virdem mutations.
Virdem-family 83C3 1C26 C707 205C 431E 8CC0 8ED8 8BD3
Virdem-1542 - CN: A longer mutation of the Virdem virus, but detected by the same pattern as the original.
Virdem-Killer - CN: This mutation is closely related to the original Virdem virus. The length is unchanged at 1336 bytes, although some text strings have been altered. The virus is detected by the Virdem pattern.
Virus 9 - CN: Infects all COM files in current directory and recursively back to root directory. Infected files contain virus code at end of file but no link to the code. The virus will replicate only once. There are no side effects.
Virus 9 3ECD 21B4 4FCD 2172 02EB B0B4 3BBA 7501
Virus-90 - CN: The author of this virus is Patrick A. Toulme. He uploaded the virus to a number of Bulletin Boards, stating that the source was available for $20. When an infected program is run it will display the message 'Infected', infect a COM file in drive A and display the message 'Done'. Infective length is 857 bytes.
Virus-90 558B 2E01 0181 C503 0133 C033 DBB9 0900
Virus-101 - CN: This virus was written by the same author as Virus-90. The virus is encrypted and self-modifying. An infected file has the seconds field set to 62. Will not infect if the first instruction in the file is not a 'JMP NEAR'. Infective length is 2560 bytes, but COMMAND.COM length does not change. Awaiting disassembly.
Virus-B - CN: 'Test virus' which was available as a restricted access file from the Interpath Corporation BBS in the USA. It is a mutation of the South African virus, with the destructive code of the original disabled. The identification pattern is the same as for the South African virus.
216 APPENDIX A<br />
Void Poem - CR: A strange virus, with a considerable portion of the 1825 byte virus body containing an encrypted poem. Not yet analysed.
Void Poem 0AE0 B9CB 0430 2547 E2FB BAD5 04B8 0125
Voronezh - CER: A Russian, 1600 byte virus, which overwrites the first 1600 bytes of the host, and moves the original code to the end, where it is written in encrypted form.
Voronezh 3E89 078E C0BF 0001 BE00 015B 5301 DE0E
Voronezh-370 - CR: This virus is closely related to the Voronezh and USSR-600 viruses, perhaps their common ancestor. It appears to do nothing but replicate.
Voronezh-370 0500 018B F0BF 0001 FC8A 0434 BB88 0546
Voronezh-Chemist-650 - CR: A 650 byte member of the Voronezh family, reported to have originated at the Moscow State University. It contains a text string in Russian which translates to 'The Chemist & the Elephant'. The virus activates if an infected program is run at xx:03 o'clock, when it displays the message 'Video mode 80x25 not supported.' and switches to 40 column mode if possible.
VoronezhChem650 0500 018B F0BF 0001 FC8A 0434 CC88 0546
VP - CN: Contains a variable number (1 to 15) of NOPs at the beginning followed by 909 bytes of virus code. When an infected program is run, the virus may attempt to locate, infect and execute another program.
VP 0001 FCBF 0001 B910 00F2 A4B8 0001 FFE0
Vriest - CN: This virus adds 1280 bytes in front of the COM files it infects. When it activates it will display 'Something's coming up ...', produce a high-pitched sound for a few seconds, and finally display 'Vriest of g greets Vic ear Moeli~'.
Vriest B489 CD21 3D23 0174 32B8 2135 CD21 8C06
WF 3.4 - CR: This Russian virus only works on some machines, but crashes on certain types of hardware, such as the IBM XT. Awaiting disassembly.
WF 3.4 7606 81C3 0001 8BF3 FCF3 A41E BB00 0153
Water Detect - CN: A destructive virus 621 bytes long. Displays the 'Water detected ...' message on the 1st of every month, and destroys the disk on Friday 13th.
Water Detect B42A CD21 80FA 0175 03E9 A301 81F9 D007
W13 - CN: A primitive group of viruses from Poland, based on the Vienna virus. They have no known side-effects, and the two versions which exist are 534 and 507 bytes long. The 507-byte version has some bugs corrected.
W13 8BD7 2BF9 83C7 0205 0301 03C1 8905 B440
W13-C - CN: A minor modification of the 507-byte W13-B mutation. The only modification is that this mutation sets the month field to 12, not 13, which makes all files created in December immune to infection. Detected by the W13 pattern.
W13-361 - CN: A member of the W13 group of Vienna-related viruses. It is detected by the W13 pattern, but does not function properly, as infected programs (second generation) will never run. A 377 byte mutation also exists, and it is able to replicate without problems.
W13-REQ! - CN: This 494 byte member of the W13 group contains the text 'REQ ! Ltd (c) 18:41:22 3-1-1991'. It is of Polish origin, but has not been analysed yet.
W13-REQ! 8B4F 1683 E11E 83F9 1E74 EC81 7F1A 00FA
Warner - ?: Awaiting analysis
Warrier B430 CD21 3D03 1E75 09B4 34CD 21BB 6014
Warrior - EN: This virus adds 1012 bytes to any files it infects. It contains the following text: '...and justice to all! (US constitution) Dream over ... And the alone warrior is warrior. The powerful! WARRIOR!' Awaiting analysis.
Warrior AC2C 8032 E403 F826 8035 01E2 F3B4 19CD
We're here - CN: This 836 byte virus has not been fully analysed yet.
We're here B905 00CD 21BF 8600 B090 B90F 00FC F3AA
Westwood - CER: A 1824 byte mutation of the Jerusalem virus.
Westwood 4D0F CD21 8CC8 0510 008E D0BC 1007 50B8
Whale - CER: The infective length of this virus is 9216 bytes. The virus slows the system down by about 50% and uses dynamic decryption of parts of its code. Much of the code is dedicated to disabling DEBUG. Does not run on 8086-based computers. (VB Nov 90)
Whale 00 56E8 0200 4569 5A0E 81EA A023 1FB9 D80B
Whale 01 FDE8 0200 0E4F 5A0E 81EA A023 1FB9 D70B
Whale 02 E828 008C CB53 8CDB 1F81 C361 DCE8 1E00
Whale 03 E829 008C CB53 8CDB 1F81 C361 DCE8 1F00
Whale 04 E828 008C CB1E 8EDB 5B81 EB9F 23E8 1E00
Whale 05 E801 00C3 BB61 DC59 01CB 0EB9 C411 1FFE
Whale 06 E801 00C3 59BB 61DC 01CB 0EB9 C310 1FFE
Whale 07 50E8 2A00 81C2 60DC B511 B1C3 87DA E8DF
Whale 08 E82B 0087 D381 C361 DCB9 C311 E8E0 FFF6
Whale 09 0E1F E8F8 FF81 C35D DCB9 C311 8B07 4343
Whale 0A 0E1F E8F7 FF81 EBA3 23B9 C311 8B17 4343
Whale 0B 0EFD 1F58 E82B 0093 B9C3 1183 EB1E 8A17
Whale 0C 5B0E 1FE8 2B00 9383 EB1D B9C3 118A 0728
Whale 0D 00D7 EBF6 5A81 EA9D 23F9 87DA B98A 2CF8
Whale 0E EBF7 582D 9C23 93B9 2EDE 81F1 ABFD F617
Whale 0F 0EF8 1FE8 2300 B184 81ED A123 8BDD B523
Whale 10 0E1F E823 0081 EAA0 2389 D3B9 2384 86CD
Whale 11 E8F1 FFB9 9F23 29CB 83E9 1AE8 1700 75FB
Whale 12 E8F1 FFB8 9F23 29C3 B91A 0033 C8E8 1600
Whale 13 E907 00FE 0743 E2FB EBE1 E822 00B9 8523
Whale 14 0E1F EB13 E8E7 FFF8 75FA 585B 5955 FF36
Whale 15 0E1F EB15 E8E6 FF75 FB58 5BFB 59FF 3666
Whale 16 E800 00EB 0D8B D058 8BD8 5891 FF16 6625
Whale 17 E82F 00FF 1699 25EB F7B8 0200 81C3 61DD
Whale 18 E82E 0059 FF16 9825 EBF6 B802 0081 C361
Whale 19 E803 0040 33DE 0BF6 FEC7 5B81 EBA1 2383
Whale 1A E802 0033 DE81 F676 185B 5E81 EB9F 23B9
Whale 1B E803 00BB 0156 5B81 EB9F 23B9 3489 B985
Whale 1C E829 0081 EB9F 23B9 8723 49F9 4980 3710
Whale 1D E801 00F8 5B81 EB9F 23B5 23B1 85E8 1900
Whale 1E E800 000E 1F5B 81EB 9F23 B985 23FE 0F43
Whale 1F E800 009C 9D0E 5058 1F26 5B24 0581 EB9F
Whale 20 E800 0095 930E 9395 1FFC 5B16 1781 EB9F
Wisconsin, Death to Pascal - CR: This virus adds 815 bytes to the beginning of infected programs, and 10 bytes to their end. Infected programs may display the message 'Death to Pascal' and attempt to delete all .PAS files in the current directory.
Wisconsin 8B0E 0601 BE08 018A 0434 FF88 0446 E2F7
Witcode - ER: A 966 byte virus awaiting analysis.
Witcode 83FB 0473 088C C048 8EC0 83C3 1026 8B77
Wolfman - CER: A 2064 byte virus from Taiwan with unknown effects.
Wolfman 8EC0 BE04 0026 837C FC00 7404 46EB F6EA
Wonder - EN: An overwriting virus, 7424 bytes long, which appears to have been written in Borland C++. Not a serious threat, but not yet analysed.
Wonder 83C4 0856 B800 1D50 B801 0050 FF76 04E8
Words - CER: A series of 4 Polish viruses, 1069, 1085, 1387 and 1503 bytes long. The two longest mutations use self-modifying encryption, and no simple search pattern is possible. The other mutations can be detected by using a pattern.
Words 8066 0EFE 5958 8BC1 5E5D 9DCF 528B D6B4
Wordswap-1391, Wordswap-1485 - CER: Just as in the case of the 1387 and 1503 byte mutations, no search pattern is possible for these two mutations.
WWT - CN: Very simple, overwriting viruses, with no side-effects other than replication. Two versions are known: WWT-01, which is 67 bytes long, and WWT-02, with a length of 125 bytes.
WWT-01 B44E B901 00CD 2173 02EB 1EBA 9E00 B802
WWT-02 B44E B901 00CD 2173 02EB 10E8 0F00 BA80
XA1 - CN: The XA1 virus overwrites the first 1539 bytes of infected COM files with a copy of itself and stores the original code at the end of the file. On 1st April the boot sector will be overwritten, causing the computer to 'hang' on the next boot. The virus will also activate on 21st December and stay active until the end of the year. It will then display a Christmas tree and the text: 'Und er lebt doch noch: Der Tannenbaum! Frohe Weihnachten'.
XA1 (1) B02C 8846 FF8B 7E00 884E FE8A 4EFF 000D
XA1 (2) 0EE8 0000 FA8B EC58 32C0 8946 0281 4600
Xabaras - CER: An encrypted, overwriting 1972 byte virus written by Cracker Jack. A mutation of the Leprosy virus.
Xabaras 908A 2790 9090 9090 9090 3226 0601 9090
XPEH - CER: Probably related to the Yankee virus, as it is detected by the Yankee pattern, but modified considerably. It is 4016 bytes long and of Eastern European origin. Not yet analysed.
Yafo - CN: A 328 byte virus, which contains the text 'Maccabi Yafo Alufa !!!'.
Yafo 03F5 BF80 00B9 8000 FCF3 A4C3 B802 3DCD
Yale, Alameda, Merritt - DR: This virus consists of a boot sector and infects floppies in drive A only. It becomes memory-resident and occupies 1K of RAM. The original boot sector is held in track 39 head 0 sector 8. The machine will hang if the virus is run on an 80286 or 80386 machine. If a warm boot is performed after the machine hangs, an uninfected disk will still become infected. It contains code to format track 39 head 0, but this is not accessed. Survives a warm boot.
Yale BB40 008E DBA1 1300 F7E3 2DE0 078E C00E
Yankee - CER: This is a member of the 'Bulgarian 50' group of viruses, which consists of some 50 related versions, all written by the same person. Vacsina viruses belong to the same group. All the viruses in the group will remove infections by older versions, and the size varies from 1200 to 3500 bytes. The Yankee viruses will play the tune 'Yankee Doodle Dandy', either at 5:00 p.m. or when Ctrl-Alt-Del is pressed.
Yankee 0000 7402 B603 520E 5143 CFE8 0000 5B81
Yankee-1150 and Yankee-1205 - CER: Two closely related, stripped-down versions of the Yankee virus which do not play any music.
Yankee-1150 CB5B 5383 EB44 C32E 80BF 0100 0074 0681
Yankee-1202 CB5B 5383 EB45 C32E 80BF 0100 0074 0681
Yankee-1905/1909 - CER: Also known as the '83', this mutation is slightly unusual in that EXE files grow by 1905 bytes, but the virus adds 1909 bytes to COM files. Detected with the Yankee pattern.
Yankee-Login - CER: This 3045 byte mutation of the Yankee Doodle virus has been reported to operate as a password 'snatcher' on a network, and to cause irreversible damage to data. It does not seem to work on certain types of hardware, including XTs with monochrome displays. At least four minor mutations have been reported, but they are virtually identical, and have the same length.
Yankee-Login B440 EB02 B43F E809 0072 023B C1C3 32C0
Yaunch, Wench - EN: A 2537 byte virus, which has not been analysed.
Yaunch BE5C 012B DB8A 058A 2032 C488 0547 3BFA
Yukon - CN: A simple, 151 byte overwriting virus. Does nothing else apart from displaying the message 'Divide overflow'.
Yukon 01CD 218B D8B4 57B0 00CD 2151 52B4 40B9
Zeleng - CER: Slightly modified mutation of the Dark Avenger virus. It is 1800 bytes long and detected by the Dark Avenger pattern.
Zero Bug, Palette - CR: Infective length is 1536 bytes and the virus attaches itself to the beginning of COM files. The virus modifies the seconds field of the time stamp to 62 (like Vienna). If the virus is active in memory and the DIR command is issued, the displayed length of infected files will be identical to that before the infection. When the virus activates, a 'smiley' (IBM ASCII character 1) may appear on the screen and 'eat' all zeros found.
Zero Bug 81C9 1F00 CD21 B43E CD21 5A1F 59B4 43B0
Zero Hunt, Minnow - CR: A 416 byte overwriting virus, which will only infect a file if it locates a sufficiently large block of zero bytes.
Zero Hunt 521E B802 3DCD 2193 B43F 33C9 8ED9 41BA
Zherkov-1882 - CER: A 1882 byte version of the Zherkov (formerly Lozinsky) virus. It uses a slightly more sophisticated encryption algorithm than the older mutations, and is able to infect EXE files. The 1958, 2968 and 2970 byte mutations are probably later versions. All the viruses are targeted against the AIDSTEST program, a Russian anti-virus program written by D. Lozinsky, deleting it if it is executed. The virus also attempts to corrupt data on diskettes in a unique way - it sets the byte at location 1AH in the boot sector (number of sides) to zero - causing the DIR command to produce a 'Division by zero' error. The larger viruses have slightly different effects - the 2968 and 2970 byte mutations display a large sign 'AIDSTEST' if no key is typed for 30 seconds, and then restore the screen on the next keystroke. The 2970 mutation is detected by the 1915 pattern.
Zherkov-1882 5051 061E E800 005E 2E8A 44F8 3C00 740F
Zherkov-1915 5006 1EE8 0000 5E2E 8A44 F93C 0074 118B
Zherkov-2968 5706 1EE8 0000 5E2E 8A44 F53C 0074 118B
ZK-900 - CER: A 900 byte virus, which plays a simple tune at regular intervals after an infected program is run.
ZK-900 B44A 8CC1 418E C1CD 2172 49B4 484A 8BDA
G.4 TROJAN HORSES
AIDS Information Diskette: Widely distributed disk which is an extortion attempt. Installs multiple hidden directories and files, as well as AIDS.EXE in the main directory and REM$.EXE in a hidden subdirectory ($ is the non-printing character FF Hexadecimal). (VB Jan 90)
REM$.EXE 4D5A 0C01 1E01 0515 6005 0D03 FFFF 3D21
AIDS.EXE 4D5A 1200 5201 411B E006 780C FFFF 992F
Twelve Tricks: A Trojan replacing the DOS bootstrap sector with a dummy version. Damage includes corruption of the FAT and twelve effects which may be mistaken for hardware failure.
Twelve tricks BAB8 DBBE 6402 3194 4201 D1C2 4E79 F733
INDEX

A
access control 77, 79, 104, 139
active
    attack 139
    partition 32
algorithm 139
    checksumming 38, 88, 89, 94
    data compression 94
    encryption 50, 188, 211, 219
    symmetric 151
ANSI 139
    X9.9 125
ANSI.SYS 19, 32, 76
anti-virus
    procedures 52, 78, 97, 103
    software 37, 78, 79, 80, 87, 88, 94, 95, 104, 136, 153, 156
    software testing 92
    strategy 24, 80, 89
Apple Macintosh 154
ARC 18, 93
ASCII 139
asymmetric
    encryption 139
audit
    log 139
    trail 139
authentication 140
authorisation 140
AUTOEXEC.BAT 20, 33, 34, 76, 212
availability 140

B
backdoor 140
background operation 140
backup 140
    as an anti-virus measure 36, 56, 76, 84, 104
    off-site 148
bad sectors 140, 165, 180, 181, 206
BAT files 33, 140, 162
    Trojan horse 18
BBS 18, 19, 46, 51, 71, 78, 140
    as a virus transmission medium 37, 104
    source of test viruses 215
    transmission of boot sector viruses 42
    virus exchange 51, 187, 188
Bell-LaPadula 140
Biba model 140
binary 140
    virus 52
biometrics 141
BIOS 141
    direct calls 19
    interrupt 67, 98
bit
    copying 141
    definition 141
block cipher 141
boot protection 141
boot sector
    definition 141
    DOS 32, 34, 35, 42, 84, 144
    master 32, 34, 35, 42, 46, 67, 84, 101, 147
    virus 18, 29, 34, 35, 36, 39, 42, 44, 46, 52, 67, 68, 71, 79, 84, 101, 141
bootstrapping 141
    accidental 29, 30, 35, 46, 98
    secure 30, 52, 95, 154
bug 141
bulletin board, see BBS
byte 141

C
cache 142
CBC 142
CCC 65, 142
CCTA 142
Central Computer and Telecommunications Agency, see CCTA
CESG 142
CFB 142
chain letter 26
Chaos Computer Club, see CCC
checksum
    cryptographic 88, 89, 94, 95, 143
    definition 142
cipher 142
    block chaining, see CBC
    feedback 142
    stream 151
ciphertext 142
CMOS 142
    memory on IBM ATs 32
co-processor 143
COM files 112, 126, 142
    as virus carriers 32, 34, 35, 44, 46
Communications-Electronics Security Group, see CESG
companion virus 35, 47, 98, 142
compiler 55, 142, 168, 194, 209
COMPSEC 142
COMPUSEC 142
computer
    crime 142
    personal, see PC
    virus, see virus
confidentiality 143
CONFIG.SYS 19, 32, 34, 76, 212
conventional memory 143
copy protection 143
CPU 143
CRC 89, 143
cryptanalysis 143
cryptographic
    checksum 88, 89, 94, 95, 143
    checksumming software 88, 94, 95, 153
    fingerprints 125
cyclic redundancy check, see CRC

D
data
    compression 18, 93
    encryption standard 143
    protection 143
DEBUG 66, 71, 154, 217
deciphering 143
decryption
    definition 143
    key 143
    routine in virus code 49, 50, 68
DES
    definition 143
    implementation 125
device driver 32, 34, 76, 143
digital signature 143
disk
    editor 68, 153
    floppy 145
    hard 145
    mirroring 147
    operating system, see DOS
    optical 148
    smart 151
diskless
    node 144
    workstation 103, 104, 106, 144
dongle 144
DOS
    bootstrap sector 32, 34, 35, 42, 84, 112, 144
    definition 144
    internal command 33
downloading 36, 37, 71, 78, 104, 144

E
EAROM 144
ECB 144
education
    anti-virus measures 78, 109, 154
EEPROM 144
electrically alterable read only memory, see EAROM
electronic
    codebook, see ECB
    mail 26, 36, 144, 207
enciphering 144
encryption
    algorithm 50, 188, 211, 219
    asymmetric 139
    definition 144
    key 144
    proprietary algorithm 150
    used by viruses 24, 49
EPROM 144
exclusive-or 53, 152
EXE files 112, 126, 144
    as virus carriers 32, 34, 35, 44, 46
exhaustive key search 144
expanded memory 89, 144
extended memory 89, 145

F
FAT 145
    corruption 161, 167, 171, 173, 176, 190, 194, 205, 207, 212, 220
    virus attack on Netware 101
    virus labelling of bad clusters 43, 165, 172, 180, 181
file
    allocation table, see FAT
    BAT 140
    COM 142
    compression 145
    encryption 145
    EXE 144
    integrity 145
    labelling 145
    OVL 148
    server 145
    SYS 151
FINGER 88, 113, 125
firmware 145
floppy disks 145

H
hacker 64, 145
hard disk 145
hardware 145
    problem 153
hash function 146
hashing 146
hexadecimal
    definition 146
    pattern 50, 66, 69, 72, 74, 88, 156

I
I/O port 146, 181
IC 146
ID 146, 169
identification code, see ID
initialisation variable, see IV
Input/Output port, see I/O port
integrated circuit, see IC
integrity
    definition 146
    of a system 95
    of files 38
    of the software 37, 40
    shell 91
international dialling 135
International Organisation for Standardisation, see ISO
Internet 26, 146
interrupt 146, 153
    interception 25, 49, 51, 52, 76, 89, 90
IPX 98, 100, 105, 106, 154
ISO 146
IV 146

K
KByte 146
key
    definition 146
    management 146
    search 144
    secret 150

L
LAN 147
    Jerusalem virus infection 102
    Manager 97
letterbomb 147
link virus 35, 42, 47, 147
local area network, see LAN
logic bomb 18, 23, 65, 147
LOGIN 98, 105, 154, 169
Ludwig, Mark 63
LZEXE 93, 159, 175

M
MAC 147
Macintosh, Apple 154
mainframe 147
    viruses 65
    worm 26
MAP 105, 154
master bootstrap sector 32, 34, 35, 42, 46, 67, 84, 101, 147
MByte 147
memory
    conventional 143
    expanded 89, 144
    extended 89, 145
    non-volatile 148
    random access, see RAM
    read only, see ROM
menu-driven 147
message
    authentication 147
    authentication code, see MAC
    digest 147
microprocessor 147
minicomputer 147
    viruses 65
MIPS 147
mirroring 147
modem 148
    boot sector virus transmission 36
    dialling virus 163
    virus infiltration route 104
mouse 148
MS-DOS 148, 149
multi-partite virus 35, 36, 46, 57, 84, 98, 101, 106, 148
multitasking 148
Mutation Engine 51, 171, 193

N
NET3 98, 100, 105, 106, 154
NetWare 97, 169, 178
    286 97, 98
    3.11 97, 98, 99, 154
    Encyclopedia 40
network
    local area, see LAN
    virus-infection 97, 154
    wide area, see WAN
non-volatile memory 148
Novell 154

O
OFB 148
off-site backup 148
one-way function 148
Open Systems Interconnection, see OSI
operating system 148
optical disk 148
OS/2 91, 148
OSI 148
output feedback, see OFB
OVL files 33, 34, 112, 148

P
parasitic virus 35, 36, 46, 67, 98, 101, 149
partition table 149, 176, 195, 208
passive attack 149
password 149, 188
    on NetWare 98
    snatching virus 105, 169, 219
PC 149
PC-DOS 148, 149
peripheral
    access control 149
    definition 149
pest program 149
PKLITE 93
PKZIP 93
plaintext 149
polymorphic virus 50, 51, 54, 55, 111, 149
Popp, Dr. Joseph Lewis 22
port access control 149
processor 149
program 150
proprietary encryption algorithm 150
PS/2 68, 150
public domain 150
    software 37, 38, 78

R
RAM 150
random access memory, see RAM
read only memory, see ROM
reverse-engineering 150
ROM 150
RS-232 150

S
scrambling 150
SEARCH 88, 111, 156
secret key 150
secure bootstrapping 154
    of NetWare 100, 106
security
    definition 150
    policy 150
    server 150
server 151
smart disk 151
software 151
    anti-virus manufacturers 136
spoofing 151
stealth virus 151
stealth viruses 51, 57, 94, 100, 103, 105, 154
stream cipher 151
symmetric algorithm 151
SYS files 34, 112, 151

T
telephone numbers
    international dialling 135
terminal 151
terminate and stay resident, see TSR
time bomb 151
timeout 151
token 151
Toulme, Patrick 63
trapdoor 151
Trojan horse 18, 26, 34, 151, 220
    for extortion purposes 22
    in BAT files 18
    used for virus system penetration 18, 42
    using ANSI.SYS 19, 37
TSR 151
    anti-virus software 89
    virus 49

U
uninterruptible power supply, see UPS
Unix 91, 151
    worm 26
unknown virus 153
uploading 36, 37, 46, 152
    a virus 215
UPS 152

V
VDU 152
video on viruses 109, 154
virus
    active in memory 30, 49, 52, 182
    attack 153
    binary 52
    boot sector 18, 29, 34, 35, 36, 39, 42, 44, 46, 52, 67, 68, 71, 79, 84, 101, 141
    companion 35, 47, 98, 142
    definition 152
    description language 111
    disguise 24
    education 109, 154
    link 35, 47, 147
    memory-resident 49
    multi-partite 35, 36, 46, 57, 84, 98, 101, 106, 148
    naming 155
    non-specific software 88, 90, 94, 95, 104
    on mainframes 65
    on minicomputers 65
    parasitic 35, 36, 46, 67, 98, 101, 149
    pattern 111
    polymorphic 50, 51, 54, 55, 111, 149
    scanner 50, 55, 74, 88, 91, 93, 153
    signature 41, 152
    specific software 88, 89, 92, 104, 111, 153
    stealth 51, 57, 94, 100, 103, 105, 151, 154
    unknown 153
Virus Bulletin 102, 111, 155, 156
visual display unit, see VDU
VMS 19, 26, 91

W
WAN 152
Washburn, Mark 51, 63
wide area network, see WAN
workstation 152
worm
    attack 152
    Christmas Tree 26
    definition 152
    on Internet 26
    on SPAN network 26
    written by students 65
write-protection 153, 154
    as a hardware function 82
    for secure bootstrapping 52, 76, 83, 105
    of software masters 78
    use by service engineers 40

X
XOR 53, 152
COMPUTER VIRUSES AND ANTI-VIRUS WARFARE
Second Revised Edition
HRUSKA, Technical Director, SOPHOS Limited, Abingdon, Oxfordshire

This second revised edition of this extremely popular book builds on the information provided in the first edition and includes much new and valuable material.

Not only does the author analyse virus structure, looking at infection paths and common carriers, he also covers stealth viruses in considerable detail. Side effects and mutations are looked at, with practical suggestions made on the prevention of virus infection. Anti-virus weapons (including virus detection products) are discussed, and a step-by-step approach to dealing with virus attack is outlined. A new chapter on network protection is also included.

All appendices have been updated, and the book contains a list of anti-virus product manufacturers and two programs, written in C, for detecting viruses on IBM PCs.

'If you read nothing else in this field, you must read Dr Hruska's book' ... 'essential reading for anyone who has, or is even worried about having, a bad case of viruses on their hands' - Steve Boxer in PC User.

Readership
All microcomputer users, particularly those in business and industry. Computer scientists.

Dr Jan Hruska is the Technical Director of Sophos Ltd. A graduate of Downing College, Cambridge, he gained his doctorate at Magdalen College, Oxford, in 1984. He regularly speaks at computer security conferences and consults on a number of security aspects, including virus outbreaks. He is a co-author (with Dr Keith Jackson) of The PC Security Guide, published by Elsevier, Computer Security Solutions, published by Blackwell, and Computer Security Reference Book, published by Butterworth-Heinemann. The first edition of Computer Viruses and Anti-Virus Warfare was published by Ellis Horwood Ltd in 1990.

Of related interest
SECURITY MECHANISMS FOR COMPUTER NETWORKS
SEAD MUFTIC, University of Sarajevo, Yugoslavia
ELLIS HORWOOD