1992
In early 1992, I noted that outbreaks of PC computer viruses, although rare in the past, were being reported on a more regular basis. Throughout the year, this trend continued, with seventy-six PCs and approximately 400 floppies reported as being infected. These figures may appear small in comparison to the thousands of PCs and tens of thousands of disks within the community. However, at present there is no formal procedure for reporting computer virus outbreaks within Edinburgh University. The above figures, therefore, are the infections which were reported to me. (2) The dark figure, or unknown infections, however, cannot be dismissed. Although it is difficult to predict with any certainty how many infected PCs and disks remain undetected, it should be noted that many viruses can continue to spread for months before announcing their presence. It is therefore quite possible that a similar number of infections remain unreported.
Certainly these figures conceal the amount of time spent in identifying and cleaning up virus infections. Although the hours actually spent on-site can be quantified, along with the downtime for the computers concerned, it is the effect this time would have had on an individual's or department's work if it had been employed in other areas which needs to be considered. Again, this is more difficult to determine. From a technical-support point of view, it takes considerable study to begin to appreciate the different methods of infection and to establish procedures for tackling a virus outbreak. Given the nature of virus writing, this work is on-going in order to keep up to date with new developments. The increase in virus infections has certainly caused more work for support staff and for departments involved with eradicating viruses. All that can be safely concluded from this situation is that more productive use could be made of everyone's time if it were not for the existence of computer viruses.
There are a number of readily identifiable factors which have contributed to this increase in reported virus infections.
An increase in the pool of infected objects generally within the PC world community.
An increase in the number of PCs within the University.
A greater willingness on the part of the existing user base to explore new programs and exchange information.
An increase in the use of anti-virus software.
I believe the last point, the increased use of anti-virus software, is probably the most significant here. As more PC users began to scan their disks on a regular basis throughout 1992, there was always the assumption that previously undetected viruses would be unearthed: infections which have in all probability been around for some time. I believe this assumption proved to be correct. By the end of the year, ten different PC viruses had made an unwelcome appearance.
By the time I started to write this review, I had gathered together a wealth of material on each virus, coupled with numerous disassemblies from infected files. It was at this stage that I began to wonder whether this apparently random sample of ten viruses could provide a useful overview of PC viruses in general. (3) From my research I had drawn up a picture of those features which were typical of PC viruses. The majority of PC infections were caused by known viruses which had been around for some time. (4) These viruses, although written in a variety of different parts of the world, tended to use similar code and incorporate design flaws which had unintended side-effects. Their payloads were generally similar in construction and though usually not destructive, the trend was moving towards deliberate sabotage of files and programs. Many included bizarre messages and almost all were known by several different names. So how typical is the sample of viruses in relation to all known viruses which appeared at Edinburgh University in 1992? (5)
Table 1 provides a listing of the virus sample along with their date of origin. (6) Despite the increasing numbers of new viruses appearing in the wild, the majority of world-wide infections are caused by a handful of what Solomon describes as the classic viruses: Stoned, Jerusalem and Cascade. (Solomon, 1991) Jerusalem and Cascade date from 1987, while Stoned dates from 1988. These viruses have managed to replicate themselves enough throughout the world that it is unlikely they will ever disappear. I would consider adding Vacsina, Yankee Doodle and Form to this list. This accounts for more than half our sample. The others are classified as common.
Table 1: Virus sample date of origin
Date of origin | Virus Name |
---|---|
1987 | Cascade; Jerusalem |
1988 | Stoned; Vacsina |
1989 | Yankee Doodle |
1990 | Form; Joshi |
1991 | Green Caterpillar; Noint; Tequila |
Usually a virus is discovered in the country of its origin. However, with the proliferation of networks it is quite feasible for a virus to be written in one country, then made available for downloading within a host program. (7) If the host program is downloaded and executed on the other side of the world, and is not discovered for several months, its origin can be sufficiently obscured as to make tracing the original source almost impossible. However, to date, known viruses have normally made their debut close to home, probably because their authors cannot resist watching their creations at work. Much has been made of the Bulgarian and Russian virus factories, to the extent that we may be forgiven for believing that this is where viruses come from. (Bontchev, 1991; Clough & Mungo, 1992) Certainly many viruses have been produced in these countries, though it must be stressed that they do not have a monopoly on virus writing. Of the viruses that reached Edinburgh, countries of origin include Bulgaria, Canada, India and New Zealand. Viruses have been written in a number of countries and our sample reflects this.
Table 2: Virus sample country of origin
Country of Origin | Virus Name |
---|---|
Bulgaria | Vacsina, Yankee Doodle |
Canada | Noint, Green Caterpillar |
Austria | Cascade |
India | Joshi |
Israel | Jerusalem |
New Zealand | Stoned |
Switzerland | Form, Tequila |
Another feature PC viruses have in common is in the source code itself and our sample is no exception. (8) Noint has been plagiarised from Stoned, while Vacsina and Yankee Doodle are different versions of the same virus code. (9) Cascade and Green Caterpillar have around six variants each while Stoned, Vacsina and Yankee Doodle can lay claim to dozens of variants apiece. Recent postings on the Virus-L bulletin board note that there are in excess of a hundred variations of the Jerusalem virus. (10) Overall our sample of ten viruses can account for over two hundred similar virus strains scattered throughout the world.
However, it is quite common to find that in cases where different code has been utilised, the viruses are functionally the same. In this category Form and Joshi can be included with Stoned and Noint, though Form is more unusual as it only infects boot sectors on both hard and floppy disks. Although the displacement of the original disk sectors at the time of infection differs between these viruses, the basic principles remain the same. Cascade, Yankee Doodle and Jerusalem are typical memory-resident file infectors. When an infected file is executed, the virus goes memory-resident. From there, the next file run is infected with the virus. Virus programs can vary in the way they infect DOS executables. For instance, Cascade only infects COM files, while Vacsina actually infects EXE files in two stages, first converting them to COM files. Vacsina also differs in that only COM files contain the memory-resident code, so that infected EXE files are not themselves infectious.
Green Caterpillar differs from the standard file-infectors, as it does not spread when an external executable is run. It only goes memory-resident and will then infect one EXE file and one COM file every time a DIR or a COPY command is issued. Tequila only infects EXE files once memory-resident. However, it also infects the partition sector which at the time was rare for a file infector.
Table 3: Virus sample classified by type
Virus Classification * | Virus Name |
---|---|
Boot and partition sector virus | Joshi; Noint; Stoned |
Boot sector virus | Form |
File and partition sector virus | Tequila |
File virus | Cascade; Yankee Doodle; Green Caterpillar; Jerusalem; Vacsina |
* All viruses classed as memory-resident
A typical feature of many viruses lies in the tendency of their authors to incorporate other features into existing code. Indeed, it is often possible to trace virus writing techniques through different viruses, as new methods become generally known. It should be noted that developments in virus code are usually instigated with the intention of evading detection by existing anti-virus software. (Ferbrache, 1992; Solomon, 1992) Our present sample also reflects this. The Noint virus, although similar to Stoned, incorporates stealth technology in an attempt to evade detection. (11) Joshi and Tequila also use this technique. The earliest known use of stealth can be found in a virus called Brain, a boot sector infector from 1986, which also hid itself in sectors marked as bad. (Solomon, 1992) Both Joshi and Form use the similar technique of marking sectors as bad in an attempt to hide the viral code.
With the exception of Cascade and Tequila, the rest are very much standard viruses put together with no great skill. Cascade is of more interest as it was the first virus to use encryption techniques to evade detection. (Ferbrache, 1992) The only part of this virus which remains constant is the decryptor/loader which is used to decrypt the virus code. Scanning software actually looks to this part of the code in order to detect the virus. However, the next stage for virus authors was to vary the decryptor/loader, which is essentially what Tequila does. Tequila, although a file virus, will infect the partition sector of the hard disk, ensuring that the next time the PC is booted from the hard disk, the virus will install itself in memory. It employs stealth in order to evade detection and is a prime example of what is known as a polymorphic virus. (12) At the time of its release it presented difficulties for those involved in writing scanners. (Solomon, 1992)
Bugs are another feature viruses have in common with one another. Not content with using existing code, most virus authors repeat the same programming errors and display the same sense of flawed logic which characterises much of the available code. Jerusalem fails to recognise EXE programs correctly, resulting in continual re-infection of files. In many cases it can also overwrite part of the executable, making disinfection impossible. Windows programs can also be corrupted. Vacsina corrupts EXE headers, which can cause a variety of problems if infected programs are run. (13) Cascade attempts to identify a true IBM BIOS and, if it finds one, is designed to terminate without infecting any files. This does not work, and Cascade will infect true IBMs and clones alike. Stoned, Noint and Joshi can incorrectly infect the partition sector of some hard disks, causing damage. Indeed, Stoned and many of its variants also fail to recognise different floppy media correctly, resulting in data corruption on infected disks. Form is also quite capable of destroying data at infection time. (14)
The majority of PC viruses use and re-use the same tricks and payloads, and our sample provides a good summary. Displaying messages or graphics, playing tunes or altering the screen display in some manner are old favourites of the virus authors. The individual payloads of our virus sample are listed in Table 4.
Table 4: Virus sample payloads
Virus Name | Payload |
---|---|
Cascade | Screen display characters fall to bottom of screen |
Form | Beep on keypress every 18th of month |
Green Caterpillar | Caterpillar eats characters 2 months after infection |
Jerusalem | Deletes files when executed on Friday 13th |
Joshi | Displays 'Type Happy Birthday Joshi!' on January 5th |
Noint | This virus has no payload. It only infects. |
Tequila | Mandelbrot type graphic 3 months after infection |
Stoned | Displays Your PC is now Stoned! |
Yankee Doodle | Plays Yankee Doodle at 5pm |
Vacsina | Beeps when a file is infected |
A common assumption is that PC viruses are only produced to destroy data. As Table 4 illustrates, only Jerusalem deletes executable files, and only on Friday the 13th. (15) Provided a restorable backup is available, this is quite easy to recover from. (16) This is not to say, however, that the rest of our sample are harmless. Often, PC viruses, due to shoddy programming, make assumptions about systems and configurations their authors know very little about. This can result in unintentional damage to an infected system. Furthermore, despite the fact that none of our sample can be classed as disk-killers, it must be stressed that such viruses do exist, although they are in a minority. Our sample is typical as far as payloads are concerned, with the exception of deliberate destruction of hard disk data. Nevertheless, regardless of their payloads, all viruses, including those in our sample, are capable of corrupting files and should be viewed as such. (Scobie, 1992)
We can see from Table 5 that the list of known viruses during 1992 could easily have read quite differently. The naming of viruses presents many problems for the researcher. This in turn can have serious consequences for those producing anti-virus software and for those involved in cleaning up after a virus infection. More damage can be done than the actual virus intended to perform if the virus is incorrectly identified and subsequently acted upon. It is crucial for the success of a clean-up operation that the virus is correctly identified.
Sometimes viruses include a name within the body of the virus, and inevitably this becomes accepted as the virus spreads. Vacsina only contains the string VACSINA, which makes naming very straightforward. Jerusalem contains the string sUMsDos, which has been used as an alias, though not as popular as the location in which it was discovered. Joshi contains the string Type "Happy Birthday Joshi"!
Again this makes life easy for the virus researcher. The Form virus goes a stage further. (17)
The FORM-Virus sends greetings to every one who's reading this text. FORM doesn't destroy data! Don't panic! Fuckings go to Corinne.
Stoned contains two messages: Your PC is now Stoned! and LEGALISE MARIJUANA!
The author of Tequila actually provides an address. (18)
Welcome to T.TEQUILA's latest production..Contact T.TEQUILA/ P.o.Box 543/6312 Sthausen/Switzerland..Loving thoughts to L.I.N.D.A.BEER and TEQUILA forever!
However, many viruses do not contain any text strings, and naming becomes more problematic. (19) In some cases the file length after infection is used. Jerusalem adds an extra 1813 bytes on to a file, hence the alias 1813. Cascade adds an extra 1701 bytes. However, with so many variations on existing code, viruses with different payloads may still add 1701 bytes or 1813 bytes to a file, making this naming scheme difficult to maintain with any degree of accuracy. Furthermore, such a scheme does not work for boot sector viruses, which do not change the length of any file. (Solomon, 1992)
Geographical location has been used to provide a suitable name for a virus. Probably the most well-known example is the New Zealand (Stoned) virus. Although this has worked in the past, the growth of networks as noted earlier can make this more problematic. Furthermore, as greater numbers of unrelated viruses are produced from similar locations this scheme falls down.
The trigger date has also been used to provide a suitable name for a virus. Probably the most famous example is Friday the 13th (Jerusalem). However, as more viruses compete for these days, such a scheme can result in further confusion. The same applies to the payload. Cascade, Yankee Doodle and Green Caterpillar are named after their characteristic effects. Such effects are easily incorporated into other viruses, presenting the virus researcher with the problem of allocating a different name to a new virus which incorporates a similar payload. (20)
Table 5: Virus sample aliases
Virus Name | Aliases |
---|---|
Cascade | 1701; Blackjack; Autumn; Second Austrian |
Form | (None) |
Green Caterpillar | 1575 |
Jerusalem | 1813; Israeli; Friday the 13th; sUMsDos |
Joshi | Joshua |
Noint | Bloomington |
Tequila | (None) |
Stoned | New Zealand; Marijuana |
Yankee Doodle | TP44VIR |
Vacsina | (None) |
Probably the most important feature that these viruses have in common is that they can be detected and in most cases removed by currently available anti-virus software. However, this can only be done if the software is used correctly. Cold-booting from a clean, write-protected floppy disk will ensure that all these viruses are detected, since none of them can then be resident in memory to hide itself. Eradication is more problematic, however. Due to the bugs in Jerusalem resulting in multiple re-infection of EXE files, it is advisable to replace infected files from clean backups. This is the safest course of action for all file viruses. (Scobie, 1992) If no backups exist, then there will be no option but to use a disinfectant. This may or may not be successful. As for boot and partition sector viruses, the best defence is to maintain a clean copy of these sectors which can be used to restore an infected PC back to a clean state. There are public domain utilities to perform this task, and DOS v5.0 also provides the necessary tools for the job. Anti-virus software will attempt a clean-up of boot and partition infectors, though this is not always successful due to corruption caused by the virus itself.
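The two defensive practices described above (replacing file infectors from clean copies, and keeping a clean image of the boot sector) both depend on knowing what has changed, and the earlier discussion of infective lengths (1813 for Jerusalem, 1701 for Cascade, 1575 for Green Caterpillar) shows why a size increase alone is only a hint. The following Python is an added example, not code from the article or from any of the tools it mentions: it records a baseline of COM/EXE sizes and hashes, reports which files have grown and by how much (allowing for the repeated Jerusalem re-infection the text describes), and compares a saved boot-sector image with the sector read now. All file names, file contents and the sample boot-sector bytes are constructed for the demonstration; the only facts taken from outside the page are that a DOS boot sector is 512 bytes and ends in the 0x55 0xAA signature.

```python
"""Integrity baseline for DOS executables and a boot sector (added example).
Everything written to disk here is constructed filler, not a real program."""
import hashlib
import os
import tempfile

# Infective lengths quoted on the page (Table 5 aliases). Used only as a hint:
# the text notes that unrelated variants may add the same number of bytes.
KNOWN_APPEND_LENGTHS = {1701: "Cascade", 1813: "Jerusalem", 1575: "Green Caterpillar"}
BOOT_SECTOR_SIZE = 512


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def baseline_executables(directory: str) -> dict:
    """Record size and SHA-256 of every .COM/.EXE file in directory."""
    baseline = {}
    for name in sorted(os.listdir(directory)):
        if name.upper().endswith((".COM", ".EXE")):
            with open(os.path.join(directory, name), "rb") as f:
                data = f.read()
            baseline[name] = {"size": len(data), "sha256": sha256_hex(data)}
    return baseline


def length_hint(delta: int):
    """Map a size increase to a known infective length, allowing for the
    repeated re-infection the text describes for Jerusalem (N x 1813)."""
    for length, name in KNOWN_APPEND_LENGTHS.items():
        if delta > 0 and delta % length == 0:
            n = delta // length
            return name if n == 1 else f"{n} x {name} (re-infected?)"
    return None


def check_executables(directory: str, baseline: dict) -> list:
    """Compare the directory against a stored baseline; return findings."""
    current = baseline_executables(directory)
    findings = []
    for name, rec in baseline.items():
        if name not in current:
            findings.append({"file": name, "status": "missing"})
        elif current[name]["sha256"] != rec["sha256"]:
            delta = current[name]["size"] - rec["size"]
            findings.append({"file": name, "status": "changed",
                             "delta": delta, "hint": length_hint(delta)})
    for name in current:
        if name not in baseline:
            findings.append({"file": name, "status": "new"})
    return findings


def check_boot_sector(saved: bytes, current: bytes) -> dict:
    """Compare a saved clean boot-sector image with the sector read now.
    A valid DOS boot sector is 512 bytes ending in the 0x55 0xAA signature."""
    return {
        "signature_ok": len(current) == BOOT_SECTOR_SIZE and current[-2:] == b"\x55\xaa",
        "matches_saved": sha256_hex(saved) == sha256_hex(current),
    }


def demo() -> dict:
    """Build a constructed directory, take a baseline, simulate growth, report."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample files (contents are filler, not real programs).
        with open(os.path.join(d, "EDIT.EXE"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 4094)
        with open(os.path.join(d, "GAME.COM"), "wb") as f:
            f.write(b"\x90" * 1000)
        with open(os.path.join(d, "README.TXT"), "wb") as f:
            f.write(b"not an executable")
        baseline = baseline_executables(d)
        # Simulate the growth the text describes: EDIT.EXE grows by 2 x 1813
        # bytes (Jerusalem re-infecting an EXE), GAME.COM by 1701, a COM appears.
        with open(os.path.join(d, "EDIT.EXE"), "ab") as f:
            f.write(b"\x00" * (2 * 1813))
        with open(os.path.join(d, "GAME.COM"), "ab") as f:
            f.write(b"\x00" * 1701)
        with open(os.path.join(d, "NEW.COM"), "wb") as f:
            f.write(b"\x90" * 10)
        exe_findings = check_executables(d, baseline)
    # Constructed boot-sector images: a saved clean copy and an altered one.
    clean = b"\xeb\x3c\x90" + b"\x00" * 507 + b"\x55\xaa"
    altered = b"\xeb\x3c\x90" + b"\x01" * 507 + b"\x55\xaa"
    return {"executables": exe_findings,
            "boot_unchanged": check_boot_sector(clean, clean),
            "boot_changed": check_boot_sector(clean, altered)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In practice the baseline and the saved boot-sector image would be written to a write-protected floppy and the check run after a cold boot from that floppy, for the reason the text gives: with no virus resident in memory, stealth cannot hide the changes. The hash is what decides whether a file has changed; the length hint is reported alongside it only because, as the text notes, the same infective length is shared by unrelated variants.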
Of the ten viruses in our sample, all are classified as common and have been around for some time. Despite having been written in different countries, they incorporate similar techniques in respect of their infection mechanisms and their payloads. Most have acquired several aliases, and all have the potential to destroy data, either through careless programming or by design. I believe it is safe to say that of the ten PC viruses in our sample, none held any surprises. I was intrigued, however, that an apparently random sample of ten viruses provided in effect a microcosm through which to view PC viruses in general.