Edinburgh University PC Virus Review 1993

1993

Introduction

Throughout 1993, PC computer viruses continued to make their presence felt at Edinburgh University. Last year's review revolved around what generalisations could be drawn about PC viruses using the apparently random sample which were identified here. The following areas of reference were used: date of origin, country of origin, classification, payload and aliases. I concluded then that most infections were caused by common viruses from a variety of countries, which incorporated similar techniques in respect of their infection mechanisms and their payloads. Most had acquired several aliases and may destroy data either through careless programming or by design. (Scobie, 1993) This year's review will compare the new sample along similar lines, in order to see whether such generalisations continue to provide a useful framework for the study of this phenomenon and whether this conclusion is valid for the latest influx of viruses.

Number of reported outbreaks

Table 1: Virus outbreaks

Virus Name              1991   1992   1993
Azusa                      -      -      1
Brain.numbers86            -      -      1
Cascade.1701               1      1      1
Dark Avenger 1800.a        -      -      1
Form.a                     -     10     14
Green Caterpillar.a        -      2      1
Jerusalem.standard         -      2      -
Joshi.standard             -      1      1
Michelangelo.a             -      -      1
Noint.a                    -      1      1
Quox                       -      -      2
Stoned.standard            1      3      1
Stoned.wd3                 -      -      1
Telefonica-Boot            -      -      3
Tequila                    -      1      2
V-Sign                     -      -      1
Vacsina.05                 -      2      -
XPEH4.4752                 -      -      1
Yankee Doodle.44.a         -      1      -
Total                      2     24     33

Table 1 lists the viruses which have been reported to date. (1) It is important to appreciate that these figures refer to the number of reported outbreaks and not the number of actual infections themselves. If a site reported the Form virus then that is classified as an outbreak regardless of how many PCs and disks were infected. (2)

Sixteen viruses were identified this year as opposed to ten last year, though out of the sixteen, five had been previously discovered during 1992 with Cascade.1701 and Stoned.standard having been reported in 1991. Only Jerusalem, Vacsina and Yankee Doodle went unreported in 1993. Of those viruses which were live during 1992 and 1993, Cascade.1701 and Green Caterpillar can be described as file viruses. Form, Stoned, Noint and Joshi are all boot sector infectors while Tequila, although transmitting via files, nevertheless infects the Master Boot Record of hard disks. Form is by far the most frequent virus reported, accounting for 42% of reports in 1992 and again in 1993. A total of nineteen viruses have been identified at Edinburgh University since 1991.

The trend over the last couple of years is quite clear. More viruses are being identified while the number of sites reporting virus infections is increasing. Why this has occurred is difficult to state with any certainty. However, there are a number of factors which may have influenced events. The last two years coincide with the uptake by the University of a site licence for Dr Solomon's Anti-Virus Toolkit. (3) An increase in the number of viruses reported was expected as more of the community began to scan disks for the first time. This I feel accounts for the dramatic rise in reports over the 1991-92 period and possibly for the years 1992-93. Certainly there has been a large increase in the number of new PCs being installed around the University. Again I would expect to see an increase in virus reports as the community grows. Another contributing factor may lie in the fact that the pool of common viruses tends to increase from year to year. Finally, as I am the primary contact for the Toolkit site licence, the community has only begun logging virus infections with me over the last two years.

Unfortunately, the impact these factors have had on the present situation cannot be quantified. Whatever the reasons, all that can be safely concluded is this: I believe these trends will continue and fully expect to see more previously undetected viruses come into Edinburgh, coupled with an increase in the number of reported infections. To minimise the effects of this it is important that adequate precautions are taken beforehand. This means installing anti-virus software and keeping it up to date, scanning files regularly for known viruses and maintaining an emergency repair disk for your system. As long as anti-virus software is being used correctly, viruses should be picked up as they come in, preventing them from causing too much damage and disruption.

The Virus Sample

Table 2 lists the 1993 sample along with each virus's date of origin. This present review will concentrate on these nine new viruses. Details of those viruses which appeared last year but continue to be reported in 1993 can be found in the 1992 review.

Interestingly, the 1992 review listed three viruses which had only been discovered the year before. The same applies to this present sample, with Quox, V-Sign and the XPEH4 virus making an appearance within a year of being discovered in the wild. With the exception of the XPEH4, which is discussed below, all these viruses can be classified as common.

Table 2: Virus sample date of origin

Date of origin   Virus Name
1986             Brain
1987             Stoned.wd3
1989             Dark Avenger 1800
1991             Azusa; Michelangelo; Telefonica-Boot
1992             Quox; V-Sign; XPEH4.4752

Country of Origin

Table 3 lists the country of origin. (4) In keeping with the previous year, a wide variety of countries are listed. Again, origins can be difficult to determine. It is well established that Dark Avenger came from Sofia in Bulgaria and that Brain came from Pakistan. On the other hand, Michelangelo may have come from Sweden or the Netherlands.

Table 3: Virus sample country of origin

Country of origin        Virus Name
Bulgaria                 Dark Avenger 1800
Sweden or Netherlands    Michelangelo
Turkey                   V-Sign
China (Hong Kong)        Azusa
New Zealand (Wellington) Stoned.wd3
Pakistan                 Brain
Russia                   XPEH4.4752
Spain                    Telefonica-Boot
Thailand                 Quox

Variations on a Theme

The present sample indicates that virus authors use and re-use many of the same techniques. Table 4 indicates that of the nine new viruses detected in 1993, seven were boot sector infectors. This is a well established mechanism for infection and is still very effective today, despite being easy to avoid. Azusa, Michelangelo, V-Sign and Stoned.wd3 can all be traced back to the Stoned.standard virus. (5) Telefonica has links with the Fish6 and Frodo viruses - none of which have been reported here yet. (Emm, 1993) Indeed, Telefonica provides an interesting 'variation on a theme', but more on that later. The Brain - being the first PC virus - naturally produced numerous variants. Dark Avenger also has many variants, such is the willingness of virus authors to plagiarise each other's work.

The use of stealth is much in evidence here. Brain developed the technique in 1986 and similar techniques are still being used six years later by Quox. Telefonica also employs stealth to avoid identification.

Given the predominance of boot sector infectors in 1993, it is hardly surprising that data was lost during these outbreaks. Such viruses will overwrite existing data at infection time and, depending on how the disk has been partitioned, may infect incorrectly to the extent of causing 'unintended problems'. Virus authors invariably have neither the skill nor the inclination to take into account the variety of different disk types available, and make unwarranted assumptions about the target for infection.

Table 4: Virus sample classified by type

Boot and partition sector virus   Azusa; Michelangelo; Quox; Stoned.wd3; Telefonica-Boot; V-Sign
Boot sector virus                 Brain
File virus                        Dark Avenger 1800; XPEH4.4752

Dark Avenger 1800

The Dark Avenger virus stands out on its own from the rest, not so much because it is a file virus, but rather because of the interest it generated when it was first discovered and for the imitations it spawned. The name of the virus has become synonymous with its author, who still remains unidentified. Basically this virus was the first of the 'fast infectors'. It could infect a file not only at load and execute, but also when the file was opened for reading. If a file was copied then both the source and target would be infected. Changing an attribute would also infect that file. Any scanning software which could not detect the virus and was used on an infected system would result in every file on the disk becoming infected. (Bontchev, 1991; Solomon, 1991)

The virus was particularly vicious in its payload. After every 16 boots the virus would write the following message to a random sector of the disk:

Eddie lives...somewhere in time!

overwriting any data or program file which may have previously existed at that location. No announcement was made of the fact. Users who had been backing up infected machines on a regular basis found, once the infection had been discovered, that their backups themselves had become corrupt.

BRAIN

The identification of the Brain virus was particularly interesting on a number of counts. Written in January 1986, it has the dubious distinction of being the oldest known PC virus. (6) In many respects it is a real museum piece, not only for its age but because it is a rare occurrence nowadays to discover a copy genuinely in the wild. (7) Brain is a boot sector virus and, in the original version identified here, does not infect hard disks. The infected floppy was brought in by a student from America on a five-and-a-quarter-inch disk. The virus was discovered while attempting to transfer the data onto a three-and-a-half-inch disk. The machine being used was running Solomon's guard program, which detected the virus immediately. This was yet another example of the usefulness of running anti-virus software on all departmental machines.

In keeping with virus culture, its origins are partly surrounded in myth, but the accepted story is as follows. Brain was reputedly written by Basit and Amjad Farooq Alvi, from Lahore, Pakistan. (Ferbrache, 1992) Depending on the variant, their names, address and telephone numbers are included in the virus and are located in plain text in the boot sector of all infected floppies. The brothers ran a software business, and any time a foreigner purchased software they gave him an infected disk. Only locals were apparently given clean disks. (Ferbrache, 1992; Highland, 1988; Solomon, 1991)

Brain employs stealth. When active, any attempt to examine the boot sector of an infected disk results in the original, uninfected sector being returned. The only payload was to change the volume label of floppy disks to (c) Brain. However, as with subsequent boot sector viruses, data already on the floppy could be overwritten as the disk became infected.

The wording in the virus varies. The copy identified here is different from that which appears in Solomon's Encyclopaedia but is as described in Highland's articles published in Computers & Security in 1988.

XPEH4.4752

There was very little time to sit back and reflect on the fact that even old viruses such as Brain can still put in an appearance when you least expect it, for in the very same week a new virus - XPEH4 - was reported. This virus could not have been more different. The Brain is easily detectable, has next to no payload, is only likely to overwrite a couple of K of data, is relatively easy to disassemble and has been written about extensively. The XPEH4 on the other hand is an entirely different beast. Unlike Brain, at the time of identification only the latest version of Solomon's Anti-Virus Toolkit could detect the virus. (8) If the software was more than three months old then the virus would remain undetected. Secondly, information on this virus was scarce. All the usual sources of information yielded very little to go on apart from the Hamburg catalogue, which did include the XPEH strain. (9) Disassembly of the virus code also proved very difficult.

Having established that this virus was quite rare, I contacted technical support at S & S International. They were surprised and concerned by the fact that this was the first report they had had of the XPEH4. (10)

At the time of writing there is very little information about the XPEH4.4752 virus which I sent to S & S International. Technical support confirmed that it was a virus, but a proper disassembly would take time to complete. To date this has not been done. They did confirm that the virus originated in Russia and were in contact with experts in the field there. The problem facing anti-virus software developers is one of 'glut'. There are dozens of new viruses appearing every week and each one has to be disassembled to a point where the scanning software will detect it successfully. Full disassemblies of trivial viruses are simple to complete. Code such as the XPEH strain takes a lot of time and effort, which is not always available on demand.

The lessons to be learnt from this outbreak are quite clear. It is vital that anti-virus software is kept up to date in order to give yourself the best possible chance against new viruses. (11)

Payloads

In keeping with last year's sample, the viruses identified in 1993 employ similar payloads. Other than that very little can be said, though overall these viruses are more destructive than last year's.

Table 5: Virus sample payloads

Virus Name          Payload
Azusa               Disables LPT1: and COM1: ports.
Brain               Volume label of floppy disk changed to (c) Brain.
Dark Avenger 1800   Overwrites a sector at random.
Michelangelo        On March 6th overwrites hard disk with garbage.
Quox                This virus has no payload. It only infects.
Stoned.wd3          Displays 'Your PC is now Stoned!'
Telefonica-Boot     After 400 boots overwrites hard disk with garbage and displays a message.
V-Sign              Displays a block graphic Victory sign.
XPEH4.4752          Overwrites .LEX, .TXT, .BAK files.

The Name Game

From Table 6 we can see that the virus sample can be identified using a number of aliases.

Table 6: Virus sample aliases

Virus Name          Aliases
Azusa               Hong Kong
Brain               Pakistani; Lahore; Ashar
Dark Avenger 1800   Eddie; Diana
Michelangelo        March 6
Quox                DiskInfect; Stealth 2
Telefonica-Boot     Kampana-Boot; Campana
Stoned.wd3          New Zealand; Marijuana
V-Sign              Cansu; Sigalit
XPEH4.4752          Micropox

As discussed previously, viruses often have many names, which can lead to confusion when dealing with a possible virus infection. The Telefonica-Boot contains the string "Campana Anti-TELEFONICA (Barcelona)". This virus has caused much confusion. Basically there is a virus strain known as Campana or Telefonica which is a standard boot sector infector. This virus will not infect files. It is this virus that was discovered here at Edinburgh. For the sake of clarity this virus is referred to here as Telefonica-Boot. There is another virus strain, however, known as Kampana, Telefonica or even Telecom, which is a file infector. Emm (1993) refers to this as Telefonica-file. (12) This virus, however, also installs the above-mentioned boot sector infector. The boot sector virus - Telefonica-Boot - is fairly common. Indeed, the file infector has not spread nearly as much as the boot sector virus. This means that more often than not, when the boot sector virus is discovered, it is identified on its own. The file virus is unlikely to be present. In Edinburgh this was the case. However, if the file virus is discovered then the boot sector virus will certainly be present.

The Brain started this trend of including messages within the virus itself. The Brain-infected boot sector identified here at Edinburgh contained the following:

	Welcome to the Dungeon
	(c) 1986 Basit & Amjad (pvt) Ltd.
	BRAIN COMPUTER SERVICES..730 NIZAM BLOCK ALLAMA IQBAL TOWN
	LAHORE-PAKISTAN..PHONE :430791,443248,280530.
	Beware of this VIRUS.....Contact us for vaccination........
	....... $#@%$@!! 

The Dark Avenger was named because of the following text included in the virus code:

	Eddie lives...somewhere in time!

	This program was written in the city of Sofia (C)
	1988-89 Dark Avenger

	Diana P.

This has led to the virus also being called Eddie and Diana. Only the "Eddie lives...somewhere in time!" string is used by the virus as discussed above.
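The text strings quoted in this section are what a signature scanner of the period would look for, so here is an added illustration of such a scan over raw boot-sector images and file chunks; it is not code from the original review, nor S & S International's or any other product's detection logic. It assumes the sector image was read after booting from a clean disk (an active stealth virus such as Brain would otherwise hand back the original sector) and uses only the strings printed in this review, which, as noted above, vary between variants.

```python
"""Offline signature scan for the text strings quoted in this review.
Added illustration only: the patterns below are the strings printed
above, not a real scanner's database, and real variants change them."""

SECTOR_SIZE = 512
BOOT_MARKER = b"\x55\xaa"  # last two bytes of a valid boot sector

# Signature strings as quoted in this review (case-sensitive ASCII).
SIGNATURES = {
    "Brain": [b"Welcome to the Dungeon", b"(c) 1986 Basit & Amjad"],
    "Dark Avenger 1800": [b"Eddie lives...somewhere in time!"],
    "Telefonica-Boot": [b"Campana Anti-TELEFONICA (Barcelona)"],
    "Stoned.wd3": [b"Your PC is now Stoned!"],
}
MAX_SIG = max(len(p) for pats in SIGNATURES.values() for p in pats)


def scan_bytes(data: bytes) -> list:
    """Return the sorted names of viruses whose signature text is in data."""
    return sorted(name for name, pats in SIGNATURES.items()
                  if any(p in data for p in pats))


def scan_boot_sector(sector: bytes) -> dict:
    """Scan one raw 512-byte sector image. Assumption: the image was read
    after booting from a clean disk, because an active stealth virus such
    as Brain would otherwise hand back the original, uninfected sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector image must be exactly 512 bytes")
    return {"bootable": sector[510:512] == BOOT_MARKER,
            "matches": scan_bytes(sector)}


def scan_chunks(chunks) -> list:
    """Scan a file delivered as successive byte chunks. The tail of each
    chunk is carried into the next so a signature that straddles a chunk
    boundary is still found."""
    found, carry = set(), b""
    for chunk in chunks:
        window = carry + chunk
        found.update(scan_bytes(window))
        carry = window[-(MAX_SIG - 1):]
    return sorted(found)


def make_sector(payload: bytes) -> bytes:
    """Build a constructed 512-byte sector: payload, zero padding, 55AA."""
    return payload[:510].ljust(510, b"\x00") + BOOT_MARKER


# Constructed samples for demonstration; not real infected sectors.
BRAIN_LIKE = make_sector(b"\xeb\x34\x90" + b"Welcome to the Dungeon "
                         b"(c) 1986 Basit & Amjad (pvt) Ltd.")
CLEAN = make_sector(b"\xeb\x3c\x90MSDOS5.0")

if __name__ == "__main__":
    print(scan_boot_sector(BRAIN_LIKE))  # matches ['Brain']
    print(scan_boot_sector(CLEAN))       # matches []
```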

Seek and Destroy

All the viruses identified in 1993 can be detected and in most cases removed by currently available anti-virus software. Clean-ups should only be attempted, however, after booting from a cold, clean source. Infected files should be deleted and replaced from clean backups whenever possible. If these do not exist then the only alternative will be to use a disinfection program. Success will depend on the contents of the original file and how the individual virus infects. (Scobie, 1992)

Conclusion

In keeping with the viruses identified in 1992, the present sample have originated from different parts of the world, use similar infection mechanisms and payloads, are known by numerous aliases and have the potential to destroy data, either by design or careless programming. At the time of writing in February 1994 there have been several new reports of virus outbreaks. Clearly the need to remain vigilant continues.

Footnotes

  1. In the 1992 Review I noted that there was no formal procedure for the reporting of virus outbreaks and the totals presented were based solely on what had been reported back to myself. This situation still stands. As with previous years I suspect that there are infections which are never reported back to the Computing Service. Under-reporting tends to come about as users become more familiar with common infections such as Stoned and Form, for example. Many of these outbreaks are often only reported months later in passing. By then it is really too late to include such reports as the details have become vague.
  2. If the same site reported the same virus more than once in the same week then this was taken to be the same outbreak.
  3. Given that the University has a site licence for Solomon's Anti-Virus Toolkit for PCs and this has been distributed widely, it is impossible to say how many copies are presently being used. Certainly more departments are using it than before. This licence allows any member of the University - staff and students - to use the software. This software is updated every three months. For a review of this software see Scobie in IT Forum Spring 1993.
  4. Table 3 provides the accepted origins based on an analysis of the available literature. The Stoned.wd3 is a minor version of the Stoned.standard which was discussed in the 1992 review. The viruses are functionally the same but there are very few details available. Tables 2 and 3 include the original country of origin and date for Stoned.standard, which originated in Wellington, New Zealand in 1987. Stoned.wd3 is a variant and may or may not have come from New Zealand, though most of the code was certainly written there.
  5. Despite their ancestry, these viruses do have subtle differences arising from the infection mechanism and how they leave the hard disk infected. When dealing with any virus always check available information and the infected disk itself rather than assume that because a virus is based on a common source it must behave in a certain way.
  6. Generally speaking the Brain is considered the earliest known virus. However, Solomon (1991) does conclude after careful analysis of a known variant called Ashar in which the boot sector message differs only slightly from Brain, that in fact Ashar predates the Brain virus. Solomon concludes that they are definitely two versions of the same virus, though Brain is more sophisticated, notably in the areas of encryption and its use of stealth and was therefore probably written after Ashar. However, it was Brain that became widespread and effectively kick-started the anti-virus industry.
  7. My interest in PC viruses dates back to 1988. Yet despite having dealt firsthand with the majority of the early or first generation viruses since then this was the first time that I had ever come across the Brain.
  8. The anti-virus software shipped with DOS 6 also failed to detect the XPEH4 as did the VIS utilities from Jim Bates. I contacted him and at his request sent a copy as he had not come across this virus. Jim Bates is a leading figure in the anti-virus industry and also works closely with the Computer Crime Unit at Scotland Yard.
  9. The Computer Virus Catalogue is produced by the Virus Test Centre, Faculty for Informatics, University of Hamburg and is available by anonymous FTP from ftp.informatik.uni-hamburg.de (IP address 134.100.4.42) in directory pub/virus/texts/catalog. Alternatively this source along with many others can be found in the guest account of Novell Netware fileserver UCS-ML0. Login as guest with no password and change to directory guest:pc\virus. This archive is available to PCs and Macintoshes on Edlan. Anonymous FTP access will be available mid 1994.
  10. They were also surprised by the fact that Brain had turned up the same week.
  11. Given the complexity of the XPEH4 virus I have been unable to complete a full disassembly. It does appear to be similar to the XPEH described in the Hamburg catalogue of July 1992. However, until further information comes from S & S International this can only remain an assumption.
  12. Virus News International reported in April 1993 that the Telefonica-file virus had not been seen in the field. (Emm, 1993)

Bibliography
