Where do viruses come from?


Article 11741 (438 more) in comp.sys.ibm.pc:
From: [email protected] (Michael R. Volow)
Subject: Re: more on the FLUSHOT2.ARC anti-virus program
Summary: Who's making the viruses
Message-ID: <[email protected]>
Date: 11 Feb 88 14:13:05 GMT
References: <[email protected]>
Organization: UNC Educational Computing Service
Lines: 20

[stuff on anti-virus programs]

With all the news on virus and anti-virus programs, I have not
seen one posting about the possible sources of virus programs. I
mean, one can imagine some malcontent hacker, covertly
aggressive programmer, complete with speculations about
destructive impulses. But seriously, are there other
possibilities? There must be some scuttlebutt in the programming
community(ies). If these are skillfully written programs, then
they are probably not the work of novices. Could some commercial
software concern be covertly interested in discouraging shareware?
Would geography (early reports from Lehigh, Pa.) be helpful in
figuring this out? Or is the existence of such programs just an
accepted part of the hacking scene, kind of an accepted "cold war"
between legitimate and fringe programmers?

Michael Volow, M.D.
Dept of Psychiatry, Durham VA Medical Center, Durham, N.C. 27705
919 286 0411 [email protected]

Article 11775 (437 more) in comp.sys.ibm.pc:
From: [email protected] (Lee Fisher)
Subject: more on the FLUSHOT2.ARC anti-virus program
Message-ID: <[email protected]>
Date: 10 Feb 88 20:27:50 GMT
Organization: Microsoft Corp., Redmond, WA
Lines: 55

Here's another message from Ross Greenberg, author of the FLUSHOT2
program (anti-virus COMMAND.COM TSR). I'm forwarding his message
since he doesn't have usenet access.

> From Ross Greenberg, 2/8/88:
>
> Why didn't I include source code in FLUSHOT[2]?
>
Easy. I didn't want to make the ability to get around FLUSHOT all
that simple a matter. True, someone with a debugger can figure out
exactly what FLUSHOT does and can figure out how to get around it.
But the casual idiot (the one thinking of what a nifty virus or
trojan would be) isn't gonna take the extra time to create an
eat-the-FAT program which might already be protected against by
FLUSHOT. Keep 'em guessing, make 'em work for your disk! (BTW:
Your FAT is pretty well protected!)

Obviously, though, people are concerned about the FLUSHOT (or any
other program gotten through the net or from a BBS) program being
safe all unto itself. Sorry: I can only promise you that the
version on my own BBS is safe, as well as those from people like
Keith Peterson (hi, keith!).

What about bugs, like the one which seemed to have trashed at
least one hard disk out there? Well, they'll be fixed. FLUSHOT3
will be up soon, and should be a bit easier to use, and give some
better pointers as to what is going on when it intercepts a call
it 'feels' is a nasty one.

Feel free to contact my board at (212)-889-6438 at 24/12/3, N,8,1
to grab a fresh copy of FLUSHOT at anytime. If you find a bogus
copy running around: please let me know as soon as possible and
advise the sysop on whatever board you find it on!

- Lee

01001100 Lee Fisher, Microsoft Corp., Redmond, WA.
My opinions are my own, not those of my employer.

Info-IBMPC Digest Mon, 8 Feb 88 Volume 7 : Issue 8
INFO-IBMPC BBS Phone Numbers: (213) 827-2635 and (213) 827-2515

Date: Wed, 27 Jan 88 13:22:27 +0200
From: Y. Radai <RADAI1%[email protected]>
Subject: Another PC Virus
Issue 74 of the Info-IBMPC digest contained a description of a
"virus" discovered at Lehigh University which destroys the
contents of disks after propagating itself to other disks four
times. Some of us here in Israel, never far behind other
countries in new achievements (good or bad), are suffering from
what appears to be a local strain of the virus. Since it may have
spread to other countries (or, for all we know, may have been
imported from abroad), I thought it would be a good idea to spread
the word around.

Our version, instead of inhabiting only COMMAND.COM, can infect
any executable file. It works in two stages: When you execute
an infected EXE or COM file the first time after booting, the
virus captures interrupt 21h and inserts its own code. After this
has been done, whenever any EXE file is executed, the virus code
is written to the end of that file, increasing its size by 1808
bytes. COM files are also affected, but the 1808 bytes are
written to the beginning of the file, another 5 bytes (the string
"MsDos") are written to the end, and this extension occurs only
once.

The disease manifests itself in at least three ways: (1)
Because of this continual increase in the size of EXE files, such
programs eventually become too large to be loaded into memory or
there is insufficient room on the disk for further extension. (2)
After a certain interval of time (apparently 30 minutes after
infection of memory), delays are inserted so that execution of
programs slows down considerably. (The speed seems to be reduced
by a factor of 5 on ordinary PCs, but by a smaller factor on
faster models.) (3) After memory has been infected on a Friday
the 13th (the next such date being May 13, 1988), any COM or EXE
file which is executed on that date gets deleted. Moreover, it
may be that other files are also affected on that date; I'm still
checking this out.

(If this is correct, then use of Norton's UnErase or some similar
utility to restore files which are erased on that date will not be
sufficient.)

Note that this virus infects even read-only files, that it does
not change the date and time of the files which it infects, and
that while the virus cannot infect a write-protected diskette, you
get no clue that an attempt has been made by a "Write protect
error" message since the possibility of writing is checked before
an actual attempt to write is made.

It is possible that the whole thing might not have been
discovered in time were it not for the fact that when the virus
code is present, an EXE file is increased in size *every* time it
is executed. This enlargement of EXE files on each execution is
apparently a bug; probably the intention was that it should grow
only once, as with COM files, and it is fortunate that the
continual growth of the EXE files enabled us to discover the virus
much sooner than otherwise.

From the above it follows that you can fairly easily detect
whether your files have become infected. Simply choose one of
your EXE files (preferably your most frequently executed one),
note its length, and execute it twice. If it does not grow, it
is not infected by this virus. If it does, the present file is
infected, and so, probably, are some of your other files.

(Another way of detecting this virus is to look for the string
"sUMsDos" in bytes 4-10 of COM files or about 1800 bytes before
the end of EXE files; however, this method is less reliable since
the string can be altered without attenuating the virus.)

If any of you have heard of this virus in your area, please let
me know; perhaps it is an import after all. (Please specify
dates; ours was noticed on Dec. 24 but presumably first infected
our disks much earlier.)

Fortunately, both an "antidote" and a "vaccine" have been
developed for this virus. The first program cures already
infected files by removing the virus code, while the second (a
RAM-resident program) prevents future infection of memory and
displays a message when there is any attempt to infect it. One
such pair of programs was written primarily by Yuval Rakavy, a
student in our Computer Science Dept.

In their present form these two programs are specific to this
particular virus; they will not help with any other, and of
course, the author of the present virus may develop a mutant
against which these two programs will be ineffective. On the
other hand, it is to the credit of our people that they were able
to come up with the above two programs within a relatively short
time.

My original intention was to put this software on some server
so that it could be available to all free of charge. However, the
powers that be have decreed that it may not be distributed outside
our university except under special circumstances, for example
that an epidemic of this virus actually exists at the requesting
site and that a formal request is sent to our head of computer
security by the management of the institution.

Incidentally, long before the appearance of this virus, I had
been using a software equivalent of a write-protect tab, i.e. a
program to prevent writing onto a hard disk, especially when
testing new software. It is called PROTECT, was written by Tom
Kihlken, and appeared in the Jan. 13, 1987 issue of PC Magazine; a
slightly amended version was submitted to the Info-IBMPC library.
Though I originally had my doubts, it turned out that it is
effective against this virus, although it wouldn't be too hard to
develop a virus or Trojan horse for which this would not be true.

(By the way, I notice in Issue 3 of the digest, which I received
only this morning, that the version of PROTECT.ASM in the Info-
IBMPC library has been replaced by another version submitted by R.
Kleinrensing. However, in one respect the new version seems to be
inferior: one should *not* write-protect all drives above C:
because that might prevent you from writing to a RAMdisk or an
auxiliary diskette drive.)

Of course, this is only the beginning. We can expect to see
many new viruses both here and abroad. In fact, two others have
already been discovered here. In both cases the target date is
April 1. One affects only COM files, while the other affects only
EXE files. What they do on that date is to display a "Ha ha"
message and lock up, forcing you to cold boot. Moreover (at least
in the EXE version), there is also a lockup one hour after
infection of memory on any day on which you use the default date
of 1-1-80. (These viruses may actually be older than the above-
described virus, but simply weren't noticed earlier since they
extend files only once.)

The author of the above-mentioned anti-viral software has now
extended his programs to combat these two viruses as well. At
present, he is concentrating his efforts on developing broad-
spectrum programs, i.e. programs capable of detecting a wide
variety of viruses.

Just now (this will give you an idea of the speed at which
developments are proceeding here) I received notice of the
existence of an anti-viral program written by someone else, which
"checks executable files and reports whether they include code
which performs absolute writes to disk, disk formatting, writes
to disk without updating the FAT, etc." (I haven't yet received
the program itself.)

Y. Radai
Computation Center
Hebrew University of Jerusalem
[email protected]
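
The two detection methods Radai gives above (the "sUMsDos" marker at bytes 4-10 of a COM file or about 1800 bytes before the end of an EXE file, and the 1808-byte growth of an EXE on every run) are easy to turn into a small scanner. The code below is an added example for this page, not Radai's code and not the antidote/vaccine programs his posting mentions. Everything it knows about the virus comes from the text; the sample COM and EXE images are constructed stand-ins with the marker placed where the posting says it sits, and the 2 KiB search window for EXE tails is an assumption chosen to cover "about 1800 bytes before the end".

```python
"""Signature scanner for the 1808-byte COM/EXE infector Radai describes.

Constructed example for this page; it is not Radai's code and not the
antidote/vaccine programs the posting mentions.  The markers come from
the text itself: "sUMsDos" at bytes 4-10 of an infected COM file, the
five bytes "MsDos" appended to the end of a COM file, and "sUMsDos"
about 1800 bytes before the end of an infected EXE file.  The sample
files below are synthetic stand-ins (assumption: a real infection
carries the 1808-byte virus body, which is not reproduced here).
"""

VIRUS_LEN = 1808          # growth per infection, from the posting
MARKER = b"sUMsDos"       # bytes 4-10 of an infected COM file
COM_TAIL = b"MsDos"       # 5 bytes written to the end of a COM file
EXE_WINDOW = 2048         # assumption: search the last 2 KiB of an EXE,
                          # which covers "about 1800 bytes before the end"


def is_exe(data: bytes) -> bool:
    """DOS EXE files start with the MZ signature; anything else is a COM."""
    return data[:2] == b"MZ"


def scan_com(data: bytes) -> bool:
    """Infected COM: virus body prepended, marker at bytes 4-10, MsDos at end."""
    return data[4:4 + len(MARKER)] == MARKER and data.endswith(COM_TAIL)


def scan_exe(data: bytes) -> bool:
    """Infected EXE: virus body appended, marker roughly 1800 bytes from end."""
    return MARKER in data[-EXE_WINDOW:]


def scan(data: bytes) -> bool:
    """Dispatch on file type; True means the signature was found."""
    return scan_exe(data) if is_exe(data) else scan_com(data)


def exe_infections(size_before: int, size_after: int) -> int:
    """Radai's simpler test: note an EXE's length, run it twice, compare.

    Each run of an infected EXE adds exactly 1808 bytes (the bug he
    describes), so growth that is a positive multiple of 1808 gives the
    number of infections.  Returns 0 for no growth and -1 for growth that
    this virus could not have produced.
    """
    delta = size_after - size_before
    if delta < 0 or delta % VIRUS_LEN:
        return -1
    return delta // VIRUS_LEN


# --- constructed samples (synthetic, not real infected binaries) ---
CLEAN_COM = b"\xb4\x4c\xcd\x21" + b"\x90" * 60           # mov ah,4Ch / int 21h / nops
VIRUS_COM_BODY = b"\xe9\x00\x00\x00" + MARKER + b"\x00" * (VIRUS_LEN - 11)
INFECTED_COM = VIRUS_COM_BODY + CLEAN_COM + COM_TAIL      # 1808 + original + "MsDos"

CLEAN_EXE = b"MZ" + b"\x00" * 510 + b"\x90" * 100        # MZ header stub + code
VIRUS_EXE_BODY = b"\x00" * 8 + MARKER + b"\x00" * (VIRUS_LEN - 15)  # marker 1800 from end
INFECTED_EXE = CLEAN_EXE + VIRUS_EXE_BODY                # body appended, once
INFECTED_EXE_TWICE = INFECTED_EXE + VIRUS_EXE_BODY       # appended again on re-run


if __name__ == "__main__":
    for name, blob in [("clean COM", CLEAN_COM), ("infected COM", INFECTED_COM),
                       ("clean EXE", CLEAN_EXE), ("infected EXE", INFECTED_EXE)]:
        found = "FOUND" if scan(blob) else "absent"
        print(f"{name:13s} {len(blob):5d} bytes  signature={found}")
    print("growth after two runs ->",
          exe_infections(len(CLEAN_EXE), len(INFECTED_EXE_TWICE)), "infections")
```

A real scanner would read each COM and EXE from disk and feed the bytes to scan(); the constants are all that is virus-specific. Note the caveat from the posting itself: the string check is the weaker test, since a variant only has to change "sUMsDos" to slip past it, whereas the size test (exe_infections on lengths recorded before and after two runs) keys on the virus's own bug and survives such cosmetic changes.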