VX Heavens

Edinburgh University PC Virus Review 1992

1992

(1)

Introduction

In early 1992, I noted that outbreaks of PC computer viruses, although rare in the past, were being reported on a more regular basis. Throughout the year, this trend continued with seventy-six PCs and approximately 400 floppies reported as being infected. These figures may appear small in comparison to the thousands of PCs and tens of thousands of disks within the community. However, at present there is no formal procedure for reporting computer virus outbreaks within Edinburgh University. The above figures, therefore, are the infections which were reported to me. (2) The dark figure, or unknown infections, however, cannot be dismissed. Although it is difficult to predict with any certainty how many infected PCs and disks remain undetected, it should be noted that many viruses can continue to spread for months before announcing their presence. It is therefore quite possible that a similar number of infections remain unreported.

Certainly these figures conceal the amount of time spent in identifying and cleaning up virus infections. Although the hours actually spent on-site can be quantified along with the downtime for the computers concerned, it is the effect this time would have had on an individual's or department's work if it had been employed in other areas which needs to be considered. Again this is more difficult to determine. From a technical-support point of view, it takes considerable study to begin to appreciate the different methods of infection and to establish procedures for tackling a virus outbreak. Given the nature of virus writing, this work is on-going in order to keep up to date with new developments. The increase in virus infections has certainly caused more work for support staff and for departments involved with eradicating viruses. All that can be safely concluded from this situation is that more productive use could be made of everyone's time were it not for the existence of computer viruses.

There are a number of readily identifiable factors which have contributed to this increase in reported virus infections.

An increase in the pool of infected objects generally within the PC world community.

An increase in the number of PCs within the University.

A greater willingness on the part of the existing user base to explore new programs and exchange information.

An increase in the use of anti-virus software.

I believe the last point, the increased use of anti-virus software, is probably the most significant here. As more PC users began to scan their disks on a regular basis throughout 1992, there was always the assumption that previously undetected viruses would be unearthed, infections which have in all probability been around for some time. I believe this assumption proved to be correct. By the end of the year, ten different PC viruses had made an unwelcome appearance.

By the time I started to write this review, I had gathered together a wealth of material on each virus, coupled with numerous disassemblies from infected files. It was at this stage that I began to wonder whether this apparently random sample of ten viruses could provide a useful overview of PC viruses in general. (3) From my research I had drawn up a picture of those features which were typical of PC viruses. The majority of PC infections were caused by known viruses which had been around for some time. (4) These viruses, although written in a variety of different parts of the world, tended to use similar code and incorporate design flaws which had unintended side-effects. Their payloads were generally similar in construction and though usually not destructive, the trend was moving towards deliberate sabotage of files and programs. Many included bizarre messages and almost all were known by several different names. So how typical is the sample of viruses in relation to all known viruses which appeared at Edinburgh University in 1992? (5)

The virus sample

Table 1 provides a listing of the virus sample along with their date of origin. (6) Despite the increasing numbers of new viruses appearing in the wild, the majority of world-wide infections are caused by a handful of what Solomon describes as the classic viruses: Stoned, Jerusalem and Cascade. (Solomon, 1991) Jerusalem and Cascade date from 1987 while Stoned dates from 1988. These viruses have managed to replicate themselves enough throughout the world that it is unlikely they will ever disappear. I would consider adding Vacsina, Yankee Doodle and Form to this list. This accounts for more than half our sample. The others are classified as common.

Table 1: Virus sample date of origin

Date of origin    Virus Name
1987              Cascade; Jerusalem
1988              Stoned; Vacsina
1989              Yankee Doodle
1990              Form; Joshi
1991              Green Caterpillar; Noint; Tequila

Country of origin

Usually a virus is discovered in the country of its origin. However, with the proliferation of networks it is quite feasible for a virus to be written in one country then made available for downloading within a host program. (7) If the host program is downloaded and executed on the other side of the world, and is not discovered for several months, its origin can be sufficiently obscured as to make tracing the original source almost impossible. However, to date known viruses have normally made their debut close to home, probably because their authors cannot resist watching their creations at work. Much has been made of the Bulgarian and Russian virus factories to the extent that we may be forgiven for believing that this is where viruses come from. (Bontchev, 1991; Clough & Mungo, 1992) Certainly many viruses have been produced in these countries though it must be stressed that they do not have a monopoly on virus writing. Of the viruses that reached Edinburgh, countries of origin include Bulgaria, Canada, India and New Zealand. Viruses have been written in a number of countries and our sample reflects this.

Table 2: Virus sample country of origin

Country of Origin    Virus Name
Bulgaria             Vacsina, Yankee Doodle
Canada               Noint, Green Caterpillar
Austria              Cascade
India                Joshi
Israel               Jerusalem
New Zealand          Stoned
Switzerland          Form, Tequila

Variations on a theme

Another feature PC viruses have in common is in the source code itself and our sample is no exception. (8) Noint has been plagiarised from Stoned, while Vacsina and Yankee Doodle are different versions of the same virus code. (9) Cascade and Green Caterpillar have around six variants each while Stoned, Vacsina and Yankee Doodle can lay claim to dozens of variants apiece. Recent postings on the Virus-L bulletin board note that there are in excess of a hundred variations of the Jerusalem virus. (10) Overall our sample of ten viruses can account for over two hundred similar virus strains scattered throughout the world.

However, it is quite common to find that in cases where different code has been utilised, the viruses are functionally the same. In this category Form and Joshi can be included with Stoned and Noint, though Form is more unusual as it only infects boot sectors on both hard and floppy disks. Although the displacement of the original disk sectors at the time of infection differs between these viruses, the basic principles remain the same. Cascade, Yankee Doodle and Jerusalem are typical memory-resident file infectors. When an infected file is executed, the virus goes memory-resident. From there, the next file run is infected with the virus. Virus programs can vary in the way they infect DOS executables. For instance, Cascade only infects COM files while Vacsina actually infects EXE files in two stages, first converting each one to a COM file. Vacsina also differs in that only COM files contain the memory-resident code, resulting in EXE files not being infectious.

Green Caterpillar differs from the standard file-infectors, as it does not spread when an external executable is run. It only goes memory-resident and will then infect one EXE file and one COM file every time a DIR or a COPY command is issued. Tequila only infects EXE files once memory-resident. However, it also infects the partition sector which at the time was rare for a file infector.

Table 3: Virus sample classified by type

Virus Classification *               Virus Name
Boot and partition sector virus      Joshi; Noint; Stoned
Boot sector virus                    Form
File and partition sector virus      Tequila
File virus                           Cascade; Yankee Doodle; Green Caterpillar; Jerusalem; Vacsina

* All viruses classed as memory-resident

A typical feature of many viruses lies in the tendency of their authors to incorporate other features into existing code. Indeed, it is often possible to trace virus writing techniques through different viruses, as new methods become generally known. It should be noted that developments in virus code are usually instigated with the intention of evading detection by existing anti-virus software. (Ferbrache, 1992; Solomon, 1992) Our present sample also reflects this. The Noint virus, although similar to Stoned, incorporates stealth technology in an attempt to evade detection. (11) Joshi and Tequila also use this technique. The earliest known use of stealth can be found in a virus called Brain, a boot sector infector from 1986, which also hid itself in sectors marked as bad. (Solomon, 1992) Both Joshi and Form use the similar technique of marking sectors as bad in an attempt to hide the viral code.

With the exception of Cascade and Tequila, the rest are very much standard viruses put together with no great skill. Cascade is of more interest as it was the first virus to use encryption techniques to evade detection. (Ferbrache, 1992) The only part of this virus which remains constant is the decryptor/loader which is used to decrypt the virus code. Scanning software actually looks to this part of the code in order to detect the virus. However, the next stage for virus authors was to vary the decryptor/loader, which is essentially what Tequila does. Tequila, although a file virus, will infect the partition sector of the hard disk, ensuring that the next time the PC is booted from the hard disk, the virus will install itself in memory. It employs stealth in order to evade detection and is a prime example of what is known as a polymorphic virus. (12) At the time of its release it presented difficulties for those involved in writing scanners. (Solomon, 1992)
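The scanner's side of this, as an added example that is not part of the original review: a byte-pattern scanner is run over two constructed sample families, one whose loader stub is constant while the body is re-encoded per copy, and one whose stub also differs per copy. The stub, body, keys and the toy single-byte XOR are assumptions chosen for illustration; every byte string is an inert placeholder, not code from any virus.

```python
"""Signature coverage against a constant versus a varying decryptor/loader.

Every byte string here is an inert, constructed placeholder. Nothing is taken
from a real virus and nothing in the samples is executable.
"""
from typing import Dict, List

STUB = b"\x10STUB-LOADER\x11"                # stands in for a constant decryptor/loader
BODY = b"INERT-BODY-PLACEHOLDER-0123456789"  # stands in for the encrypted part
KEYS = (0x21, 0x5A, 0xC3)                    # one per-copy key for each sample


def xor_bytes(data: bytes, key: int) -> bytes:
    """Toy single-byte XOR, used only to make the body differ per sample."""
    return bytes(b ^ key for b in data)


def make_sample(stub: bytes, key: int) -> bytes:
    """Constructed sample: host padding, a stub, then the body under `key`."""
    return b"HOSTDATA" * 4 + stub + xor_bytes(BODY, key)


def scan(sample: bytes, signatures: Dict[str, bytes]) -> List[str]:
    """Names of the signatures whose byte pattern occurs in the sample."""
    return sorted(name for name, pattern in signatures.items() if pattern in sample)


def coverage(samples: List[bytes], signatures: Dict[str, bytes]) -> Dict[str, int]:
    """How many samples each signature detects."""
    counts = {name: 0 for name in signatures}
    for sample in samples:
        for name in scan(sample, signatures):
            counts[name] += 1
    return counts


# Family A: same stub in every copy, body re-encoded under a different key.
FIXED_STUB = [make_sample(STUB, k) for k in KEYS]

# Family B: the stub itself differs from copy to copy (constructed variants).
VARIED_STUBS = (b"\x12LOADER-STUB\x13", b"\x14S.T.U.B-LDR\x15", b"\x16stub-loader\x17")
VARIED_STUB = [make_sample(s, k) for s, k in zip(VARIED_STUBS, KEYS)]

SIGNATURES = {
    "plain-body": BODY[:12],                              # taken from the decoded body
    "encoded-body-copy0": xor_bytes(BODY, KEYS[0])[:12],  # taken from one captured copy
    "stub": STUB,                                         # taken from the constant loader
}

if __name__ == "__main__":
    for label, family in (("constant stub", FIXED_STUB), ("varying stub", VARIED_STUB)):
        print(label, coverage(family, SIGNATURES))
```

Only the stub pattern finds every copy in the constant-stub family, and it finds none once the stub varies, which is why a fixed search string stops being sufficient for a polymorphic virus.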

Bugs

Bugs are another feature viruses have in common with one another. Not content with using existing code, most virus authors use the same programming errors and display the same sense of flawed logic which characterises much of the available code. Jerusalem fails to recognise EXE programs correctly, resulting in continual re-infection of files. In many cases it can also overwrite part of the executable, making disinfection impossible. Windows programs can also be corrupted. Vacsina corrupts EXE headers which can cause a variety of problems if infected programs are run. (13) Cascade attempts to identify a true IBM BIOS and if so is designed to terminate without infecting any files. This does not work and Cascade will infect true IBMs and clones alike. Stoned, Noint and Joshi can incorrectly infect the partition sector of some hard disks causing damage. Indeed, Stoned and many of its variants also fail to recognise different floppy media correctly, resulting in data corruption on infected disks. Form is also quite capable of destroying data at infection time. (14)

Payloads

The majority of PC viruses use and re-use the same tricks and payloads, and our sample provides a good summary. Displaying messages or graphics, playing tunes or altering the screen display in some manner are old favourites of the virus authors. The individual payloads of our virus sample are listed in Table 4.

Table 4: Virus sample payloads

Virus Name           Payload
Cascade              Screen display characters fall to bottom of screen
Form                 Beep on keypress every 18th of month
Green Caterpillar    Caterpillar eats characters 2 months after infection
Jerusalem            Deletes files when executed on Friday 13th
Joshi                Displays 'Type Happy Birthday Joshi!' on January 5th
Noint                This virus has no payload. It only infects.
Tequila              Mandelbrot type graphic 3 months after infection
Stoned               Displays 'Your PC is now Stoned!'
Yankee Doodle        Plays Yankee Doodle at 5pm
Vacsina              Beeps when a file is infected

A common assumption is that PC viruses are only produced to destroy data. As Table 4 illustrates, only Jerusalem deletes executable files, and only on Friday the 13th (15). Provided a restorable backup is available this is quite easy to recover from. (16) This is not to say, however, that the rest of our sample are harmless. Often, PC viruses, due to shoddy programming, make assumptions about systems and configurations their authors know very little about. This can result in unintentional damage to an infected system. Furthermore, despite the fact that none of our sample can be classed as disk-killers, it must be stressed that such viruses do exist, although they are in a minority. Our sample is typical as far as payloads are concerned, with the exception of deliberate destruction of hard disk data. Nevertheless, regardless of their payloads, all viruses including those in our sample are capable of corrupting files and should be viewed as such. (Scobie, 1992)

The Name Game

We can see from Table 5 that the list of known viruses during 1992 could easily have read quite differently. The naming of viruses presents many problems for the researcher. This in turn can have serious consequences for those producing anti-virus software and for those involved in cleaning up after a virus infection. If a virus is incorrectly identified and that identification is acted upon, more damage can be done than the virus itself was intended to cause. It is crucial for the success of a clean-up operation that the virus is correctly identified.

Sometimes viruses include a name within the body of the virus, and inevitably this becomes accepted as the virus spreads. Vacsina only contains the string VACSINA, which makes naming very straightforward. Jerusalem contains the string sUMsDos, which has been used as an alias, though it is not as popular as the name of the location in which the virus was discovered. Joshi contains the string Type "Happy Birthday Joshi"!

Again this makes life easy for the virus researcher. The Form virus goes a stage further. (17)

The FORM-Virus sends greetings to every one who's reading this text. FORM doesn't destroy data! Don't panic! Fuckings go to Corinne.

Stoned contains two messages: 'Your PC is now Stoned!' and 'LEGALISE MARIJUANA!'

The author of Tequila actually provides an address. (18)

Welcome to T.TEQUILA's latest production..Contact T.TEQUILA/ P.o.Box 543/6312 Sthausen/Switzerland..Loving thoughts to L.I.N.D.A.BEER and TEQUILA forever!

However, many viruses do not contain any text strings, and naming becomes more problematic. (19) In some cases the file length after infection is used. Jerusalem adds an extra 1813 bytes on to a file, hence the alias 1813. Cascade adds an extra 1701 bytes. However, with so many variations on existing code, viruses with different payloads may still add 1701 bytes or 1813 bytes to a file, making this naming scheme difficult to maintain with any degree of accuracy. Furthermore, such a scheme does not work for boot sector viruses. (Solomon, 1992)

Geographical location has been used to provide a suitable name for a virus. Probably the most well-known example is the New Zealand (Stoned) virus. Although this has worked in the past, the growth of networks as noted earlier can make this more problematic. Furthermore, as greater numbers of unrelated viruses are produced from similar locations this scheme falls down.

The trigger date has also been used to provide a suitable name for a virus. Probably the most famous example is Friday the 13th (Jerusalem). However, as more viruses compete for these days, such a scheme can result in further confusion. The same applies to the payload. Cascade, Yankee Doodle and Green Caterpillar are named after their characteristic effects. Such effects are easily incorporated into other viruses, presenting the virus researcher with the problem of allocating a different name for a new virus which incorporates a similar payload. (20)

Table 5: Virus sample aliases

Virus Name           Aliases
Cascade              1701; Blackjack; Autumn; Second Austrian
Form                 (None)
Green Caterpillar    1575
Jerusalem            1813; Israeli; Friday the 13th; sUMsDos
Joshi                Joshua
Noint                Bloomington
Tequila              (None)
Stoned               New Zealand; Marijuana
Yankee Doodle        TP44VIR
Vacsina              (None)

Seek and destroy

Probably the most important feature that these viruses have in common is that they can be detected and in most cases removed by currently available anti-virus software. However, this can only be done if the software is used correctly. Cold-booting from a clean write-protected floppy disk will ensure that all these viruses are detected. Eradication is more problematic however. Due to the bugs in Jerusalem resulting in multiple re-infection of EXE files, it is advisable to replace infected files from clean backups. This is the safest course of action for all file viruses. (Scobie, 1992) If no backups exist then there will be no option but to use a disinfectant. This may or may not be successful. As for boot and partition sector viruses the best defence is to maintain a clean copy of these sectors which can be used to restore an infected PC back to a clean state. There are public domain utilities to perform this task, and DOS v5.0 also provides the necessary tools for the job. Anti-virus software will attempt a clean-up of boot and partition infectors, though this is not always successful due to corruption caused by the virus itself.
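One way to use a saved clean copy of the partition sector as a check, as an added example that is not part of the original review: it compares the clean copy of sector 0 with the current one and reports which region has changed. The region split assumes a hard-disk partition sector, the function names and sample sectors are constructed for illustration, and the current copy is assumed to have been read after a cold boot from a clean floppy, as the notes require for stealth viruses.

```python
"""Compare sector 0 of a disk image against a saved clean copy."""
import hashlib
from typing import Dict, List

SECTOR_SIZE = 512
# Layout of a PC hard-disk partition sector: loader code, four 16-byte
# partition entries, then the 0x55 0xAA marker. A floppy boot sector is laid
# out differently; only the region names below would change for it.
REGIONS = {
    "boot code": (0, 446),
    "partition table": (446, 510),
    "signature": (510, 512),
}


def read_sector0(path: str) -> bytes:
    """Read the first sector from an image file or a saved sector copy."""
    with open(path, "rb") as handle:
        data = handle.read(SECTOR_SIZE)
    if len(data) != SECTOR_SIZE:
        raise ValueError(f"{path}: expected {SECTOR_SIZE} bytes, got {len(data)}")
    return data


def compare_sector(clean: bytes, current: bytes) -> Dict[str, object]:
    """Report whether the current sector still matches the clean copy."""
    if len(clean) != SECTOR_SIZE or len(current) != SECTOR_SIZE:
        raise ValueError("both inputs must be exactly one 512-byte sector")
    changed: List[str] = [
        name for name, (start, end) in REGIONS.items()
        if clean[start:end] != current[start:end]
    ]
    return {
        "match": not changed,
        "changed_regions": changed,
        "changed_bytes": sum(a != b for a, b in zip(clean, current)),
        "valid_signature": current[510:512] == b"\x55\xaa",
        "clean_sha256": hashlib.sha256(clean).hexdigest(),
        "current_sha256": hashlib.sha256(current).hexdigest(),
    }


def build_constructed_sector(code_fill: int) -> bytes:
    """Constructed sample sector: filler 'code', one partition entry, marker."""
    sector = bytearray([code_fill]) * 446
    entry = bytes([0x80, 0x01, 0x01, 0x00, 0x06, 0x0F, 0x3F, 0xFF])
    entry += (63).to_bytes(4, "little") + (100000).to_bytes(4, "little")
    sector += entry + bytes(48) + b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    clean = build_constructed_sector(0x90)     # saved while the PC was clean
    current = build_constructed_sector(0xEB)   # constructed "after" state
    for key, value in compare_sector(clean, current).items():
        print(f"{key}: {value}")
```

A change confined to the boot code with an intact partition table is the pattern a partition-sector infector leaves; the comparison only reports it, and restoring the sector is a separate step.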

Conclusion

Of the ten viruses in our sample, all are classified as common and have been around for some time. Despite having been written in different countries, they incorporate similar techniques in respect of their infection mechanisms and their payloads. Most have acquired several aliases and all have the potential to destroy data, either through careless programming or by design. I believe it is safe to say that of the ten PC viruses in our sample, none held any surprises. I was intrigued however, that an apparently random sample of ten viruses provided in effect a microcosm through which to view PC viruses in general.

Notes

  1. Since my employment with EUCS in April 1990, the only other virus outbreaks reported to me were Cascade in February 1991 (three PCs and a few floppies) and Stoned in November 1991 (20 PCs and approximately 100 floppies).
  2. Not all sites who discover virus infections report them to EUCS.
  3. Obviously this sample is not truly random. There are many factors which may have had some bearing on these ten viruses eventually appearing within Edinburgh University when they did. These include how common a virus is, its age, its infection mechanism, if it was distributed on commercial or public domain software, and if it was deliberately brought in and released into our own community. However, for the purposes of this paper, given that I had no influence on which viruses were reported to me the term random will suffice.
  4. FINDVIRU version 6.12, from Dr Solomon's Anti-Virus Toolkit, with drivers dated 23/2/93 checks for 2534 viruses, trojans and variants.
  5. It is not my intention to provide a detailed analysis of the workings of each of the viruses in the sample. Such details have been adequately provided elsewhere and I refer the reader to the references at the end of this paper. The main features of each virus have been highlighted with a view to illustrating areas of commonality across the sample, which I believe provide an overview of PC viruses in general.
  6. The Stoned virus actually appeared in two different variants though the difference only amounted to the removal of the text string LEGALISE MARIJUANA! from within the body of the virus. Both variations are extremely widespread. The Marijuana variant was reported to me during early 1992. The variant missing this string was fairly common around the University towards the end of 1991. Note that it is often reported that the LEGALISE MARIJUANA string is displayed. This is in fact incorrect. The only message that is displayed is Your PC is now Stoned! and only when booting from an infected floppy.
  7. None of these viruses have been written specifically to infect across networks. However, some will quite happily infect files on a network drive from a workstation. Fortunately the use of int 21h by the Jerusalem variant ensures that it clashes with the NETX shell under Netware. Logging in from an infected workstation typically ends with the virus crashing the workstation, before infection of network files can be successfully completed. Cascade can also cause similar problems on Novell networks.
  8. It should be noted that there are many discrepancies in the literature describing PC viruses. This is due mainly to the large number of variations. Rumour, myth and general misinformation arising directly from misunderstanding have also had their part to play.
  9. A great deal has been written about the origin of the Vacsina/Yankee Doodle virus strains. For the record, our sample has version 5 of Vacsina and version 44 of Yankee Doodle. The current literature on this particular topic provides a good indication of the claims and counter-claims of those involved in the anti-virus industry when attempting accurately to document virus development. For an entertaining description of the origins of the Vacsina virus see Clough & Mungo (1992). Bontchev (1991) provides the original source.
  10. VIRUS-L is a moderated, digested mail forum for discussing computer virus issues.
  11. Stealth is a term used to describe viruses which camouflage any changes they make from detection programs. Note that for this technique to work, the virus must be resident in memory. A scan from a cold, clean boot is sufficient to detect such a virus.
  12. Polymorphic is a term used to describe viruses which produce varied copies of themselves at the time of infection. Cascade is not considered polymorphic as its decryption code never changes. Viruses which use self-encryption with a variable key are termed polymorphic. This term is actually used to describe a number of techniques. However, a full description of these is outwith the scope of this paper.
  13. The Vacsina virus actually opens a temporary file during the infection routine with the filename VACSINA. It then closes it once infection has been completed without ever accessing it. This fact, along with the sounding of the bell character at infection, has led to speculation that the virus was still in the testing stage and escaped into the wild prematurely. Indeed, Vacsina does appear to be unfinished.
  14. The Form virus may overwrite occupied sectors at infection time as it moves the original boot sector. Indeed, most boot and partition sector viruses can cause data corruption in this manner.
  15. Note that Jerusalem has been hacked dozens of times and these variations can trigger on numerous dates.
  16. The issue of restorable backups needs to be reiterated. Once a known, clean backup has been produced, this should be stored and not overwritten. Too many people make the mistake of backing up over existing good backups. This is not a problem provided infected files are not being backed up. Jerusalem can destroy executables through bugs in the code of the virus. If these programs are backed up over existing good backups then by the time a virus infection is discovered the backups may be useless. Note that deleted files are recoverable provided the sectors they occupied are not written to.
  17. This message is stored in sectors marked as bad and is never displayed by the virus. There is no intentional destructive code though the virus can still overwrite occupied sectors when it deposits this message.
  18. This message is stored in encrypted form within the infected executable, and is never displayed by the virus. During analysis the plain text quoted here was located in the second last sector of the first active partition of the infected hard disk. The virus had in fact overwritten part of a data file which was occupying this sector prior to infection.
  19. Note that text strings can be, and indeed often are, changed within the body of the virus.
  20. The Computer Anti-Virus Research Organization (CARO) and the European Institute for Computer Anti-Virus Research (EICAR) have invested a great deal of time and effort into the classification of known virus strains. A semi-official standard has been produced known as the CARO Catalogue. However, not all anti-virus products adhere to this standard. Dr Solomon's Anti-Virus Toolkit uses the CARO naming scheme, although variations are inevitable between the toolkit and other products which also use the CARO naming scheme, given the dozens of new virus strains appearing every month. Solomon's FINDVIRU has an /EICAR switch which also outputs the EICAR code for viruses it identifies. This paper has adopted the common name by which the virus strains in the sample were identified using Solomon's FINDVIRU version 6.12 with drivers dated 23/2/93.

Bibliography
