1993
Throughout 1993, PC computer viruses continued to make their presence felt at Edinburgh University. Last year's review revolved around what generalisations could be drawn about PC viruses using the apparently random sample which were identified here. The following areas of reference were used: date of origin, country of origin, classification, payload and aliases. I concluded then that most infections were caused by common viruses from a variety of countries, which incorporated similar techniques in respect of their infection mechanisms and their payloads. Most had acquired several aliases and may destroy data either through careless programming or by design. (Scobie, 1993) This year's review will compare the new sample along similar lines, in order to see whether such generalisations continue to provide a useful framework for the study of this phenomenon and whether this conclusion is valid for the latest influx of viruses.
Table 1: Virus outbreaks
Virus Name | 1991 | 1992 | 1993 |
---|---|---|---|
Azusa | - | - | 1 |
Brain.numbers86 | - | - | 1 |
Cascade.1701 | 1 | 1 | 1 |
Dark Avenger 1800.a | - | - | 1 |
Form.a | - | 10 | 14 |
Green Caterpillar.a | - | 2 | 1 |
Jerusalem.standard | - | 2 | - |
Joshi.standard | - | 1 | 1 |
Michelangelo.a | - | - | 1 |
Noint.a | - | 1 | 1 |
Quox | - | - | 2 |
Stoned.standard | 1 | 3 | 1 |
Stoned.wd3 | - | - | 1 |
Telefonica-Boot | - | - | 3 |
Tequila | - | 1 | 2 |
V-Sign | - | - | 1 |
Vacsina.05 | - | 2 | - |
XPEH4.4752 | - | - | 1 |
Yankee Doodle.44.a | - | 1 | - |
Total | 2 | 24 | 33 |
Table 1 lists the viruses which have been reported to date. (1) It is important to appreciate that these figures refer to the number of reported outbreaks and not the number of actual infections themselves. If a site reported the Form virus then that is classified as one outbreak regardless of how many PCs and disks were infected. (2)
Sixteen viruses were identified this year as opposed to ten last year, though out of the sixteen, five had been previously discovered during 1992 with Cascade.1701 and Stoned.standard having been reported in 1991. Only Jerusalem, Vacsina and Yankee Doodle went unreported in 1993. Of those viruses which were live during 1992 and 1993, Cascade.1701 and Green Caterpillar can be described as file viruses. Form, Stoned, Noint and Joshi are all boot sector infectors while Tequila, although transmitting via files, nevertheless infects the Master Boot Record of hard disks. Form is by far the most frequent virus reported, accounting for 42% of reports in 1992 and again in 1993. A total of nineteen viruses have been identified at Edinburgh University since 1991.
The trend over the last couple of years is quite clear. More viruses are being identified while the number of sites reporting virus infections is increasing. Why this has occurred is difficult to state with any certainty. However, there are a number of factors which may have influenced events. The last two years coincide with the uptake by the University of a site licence for Dr Solomon's Anti-Virus Toolkit. (3) An increase in the number of viruses reported was expected as more of the community began to scan disks for the first time. This I feel accounts for the dramatic rise in reports over the 1991-92 period and possibly for the years 1992-93. Certainly there has been a large increase in the number of new PCs being installed around the University. Again I would expect to see an increase in virus reports as the community grows. Another contributing factor may lie in the fact that the pool of common viruses tends to increase from year to year. Finally, the community has only begun to log virus infections with me, as primary contact for the Toolkit site licence, over the last two years.
Unfortunately, the impact these factors have had on the present situation cannot be quantified. Whatever the reasons, all that can safely be concluded is this: I believe these trends will continue and fully expect to see more previously undetected viruses come into Edinburgh coupled with an increase in the number of reported infections. To minimise the effects of this it is important that adequate precautions are taken beforehand. This means installing anti-virus software and keeping it up to date, scanning files regularly for known viruses and maintaining an emergency repair disk for your system. As long as anti-virus software is being used correctly, viruses should be picked up as they come in, preventing them from causing too much damage and disruption.
Table 2 lists the 1993 sample along with their date of origin. This present review will concentrate on these nine new viruses. Details of those viruses which appeared last year but continue to be reported in 1993 can be found in the 1992 review.
Interestingly, the 1992 review listed three viruses which had only been discovered the year before. The same applies to this present sample, with Quox, V-Sign and the XPEH4 virus making an appearance within a year of being discovered in the wild. With the exception of the XPEH4, which is discussed below, all these viruses can be classified as common.
Table 2: Virus sample date of origin
Date of origin | Virus Name |
---|---|
1986 | Brain |
1987 | Stoned.wd3 |
1989 | Dark Avenger 1800 |
1991 | Azusa; Michelangelo; Telefonica-Boot |
1992 | Quox; V-Sign; XPEH4.4752 |
Table 3 lists the country of origin. (4) In keeping with the previous year, a wide variety of countries are listed. Again, origins can be difficult to determine. It is well established that Dark Avenger came from Sofia in Bulgaria and that Brain came from Pakistan. On the other hand, Michelangelo may have come from Sweden or the Netherlands.
Table 3: Virus sample country of origin
Country of origin | Virus Name |
---|---|
Bulgaria | Dark Avenger 1800 |
Sweden or Netherlands | Michelangelo |
Turkey | V-Sign |
China (Hong Kong) | Azusa |
New Zealand (Wellington) | Stoned.wd3 |
Pakistan | Brain |
Russia | XPEH4.4752 |
Spain | Telefonica-Boot |
Thailand | Quox |
The present sample indicates that virus authors use and re-use many of the same techniques. Table 4 indicates that of the nine new viruses detected in 1993, seven were boot sector infectors. This is a well established mechanism for infection and is still very effective today, despite being easy to avoid. Azusa, Michelangelo, V-Sign and Stoned.wd3 can all be traced back to the Stoned.standard virus. (5) Telefonica has links with the Fish6 and Frodo viruses - none of which have been reported here yet. (Emm, 1993) Indeed, Telefonica provides an interesting 'variation on a theme', but more on that later. The Brain - being the first PC virus - naturally produced numerous variants. Dark Avenger also has many variants, such is the willingness of virus authors to plagiarise each other's work.
The use of stealth is much in evidence here. Brain developed the technique in 1986 and similar techniques are still being used six years later by Quox. Telefonica also employs stealth to avoid identification.
Given the predominance of boot sector infectors in 1993, it is hardly surprising that data was lost during these outbreaks. Such viruses overwrite existing data at infection time and, depending on how the disk has been partitioned, may infect incorrectly to the extent of causing 'unintended problems'. Virus authors invariably have neither the skill nor the inclination to take into account the variety of different disk types available, and make unwarranted assumptions about the target for infection.
Table 4: Virus sample classified by type
Type | Virus Name |
---|---|
Boot and partition sector virus | Azusa; Michelangelo; Quox; Stoned.wd3; Telefonica-Boot; V-Sign |
Boot sector virus | Brain |
File virus | Dark Avenger 1800; XPEH4.4752 |
The Dark Avenger virus stands out on its own from the rest, not so much because it is a file virus, but rather because of the interest it generated when it was first discovered and for the imitations it spawned. The name of the virus has become synonymous with its author, who still remains unidentified. Basically this virus was the first of the 'fast infectors'. It could infect a file not only at load and execute, but also when the file was opened for reading. If a file was copied then both the source and target would be infected. Changing an attribute would also infect that file. Any scanning software which could not detect the virus and was used on an infected system would result in every file on the disk becoming infected, since the scanner itself opened each file for reading. (Bontchev, 1991; Solomon, 1991)
The virus was particularly vicious in its payload. After every 16 boots the virus would write to a random sector of the disk, the message
Eddie lives...somewhere in time!
overwriting any data or program file which may have previously existed at that location. However, no announcement was made of the fact. Users who had been backing up infected machines on a regular basis found that their backups themselves had become corrupt once the infection had been discovered.
The identification of the Brain virus was particularly interesting on a number of counts. Written in January 1986, it has the dubious distinction of being the oldest known PC virus. (6) In many respects it is a real museum piece, not only for its age but because it is a rare occurrence nowadays to discover a copy genuinely in the wild. (7) Brain is a boot sector virus and, in the original version identified here, does not infect hard disks. The infected floppy was brought in by a student from America on a five and a quarter inch disk. The virus was discovered while attempting to transfer the data onto a three and a half inch disk. The machine being used was running Solomon's guard program, which detected the virus immediately. Yet another example of the usefulness of running anti-virus software on all departmental machines.
In keeping with virus culture, its origins are partly surrounded in myth, but the accepted story is as follows. Brain was reputedly written by Basit and Amjad Farooq Alvi, from Lahore, Pakistan. (Ferbrache, 1992) Depending on the variant, their names, address and telephone numbers are included in the virus and are located in plain text in the boot sector of all infected floppies. The brothers ran a software business, and any time a foreigner purchased software they gave him an infected disk. Only locals were apparently given clean disks. (Ferbrache, 1992; Highland, 1988; Solomon, 1991)
Brain employs stealth. When active, any attempt to examine the boot sector of an infected disk results in the original, uninfected sector being returned, so a scanner run on an infected, active system will see a clean boot sector. The only payload was to change the volume label of floppy disks to (c) Brain. However, as with subsequent boot sector viruses, data already on the floppy could be overwritten as the disk became infected.
The wording in the virus varies. The copy identified here is different from that which appears in Solomon's Encyclopaedia but is as described in Highland's articles published in Computers & Security in 1988.
There was very little time to sit back and reflect on the fact that even old viruses such as Brain can still put in an appearance when you least expect it. For in the very same week a new virus - XPEH4 - was reported. This virus could not have been more different. The Brain is easily detectable, has next to no payload, is only likely to overwrite a couple of K of data, is relatively easy to disassemble and has been written about extensively. The XPEH4 on the other hand is an entirely different beast. Unlike Brain, at the time of identification, only the latest version of Solomon's Anti-Virus Toolkit could detect the virus. (8) If the software was more than three months old then the virus would remain undetected. Secondly, information on this virus was scarce. All the usual sources of information yielded very little to go on apart from the Hamburg catalogue, which did include the XPEH strain. (9) Disassembly of the virus code also proved very difficult.
Having established that this virus was quite rare I contacted technical support at S & S International. They were surprised and concerned by the fact that this was the first report they had had on the XPEH4. (10)
At the time of writing there is very little information about the XPEH4.4752 virus which I sent to S & S International. Technical support confirmed that it was a virus, but a proper disassembly would take time to complete. To date this has not been done. They did confirm that the virus originated in Russia and were in contact with experts in the field there. The problem facing anti-virus software developers is one of 'glut'. There are dozens of new viruses appearing every week and each one has to be disassembled to a point where the scanning software will detect it successfully. Full disassemblies of trivial viruses are simple to complete. Code such as the XPEH strain takes a lot of time and effort which is not always available on demand.
The lessons to be learnt from this outbreak are quite clear. It is vital that anti-virus software is kept up to date in order to give yourself the best possible chance against new viruses. (11)
In keeping with last year's sample, the viruses identified in 1993 employ similar payloads. Other than that very little can be said, though overall these viruses are more destructive than last year's.
Table 5: Virus sample payloads
Virus Name | Payload |
---|---|
Azusa | Disables LPT1: and COM1: ports |
Brain | Volume label of floppy disk changed to (c) Brain |
Dark Avenger 1800 | Overwrites a sector at random. |
Michelangelo | March 6th overwrites hard disk with garbage. |
Quox | This virus has no payload. It only infects. |
Stoned.wd3 | Displays 'Your PC is now Stoned!' |
Telefonica-boot | 400 boots overwrites hard disk with garbage. Displays message. |
V-Sign | Displays a block graphic Victory sign |
XPEH4.4752 | Overwrites .LEX, .TXT, .BAK files. |
From table 6 we can see that the virus sample can be identified using a number of aliases.
Table 6: Virus sample aliases
Virus Name | Aliases |
---|---|
Azusa | Hong Kong |
Brain | Pakistani; Lahore; Ashar |
Dark Avenger 1800 | Eddie; Diana |
Michelangelo | March 6 |
Quox | DiskInfect; Stealth 2 |
Telefonica-Boot | Kampana-Boot; Campana |
Stoned.wd3 | New Zealand; Marijuana |
V-Sign | Cansu; Sigalit |
XPEH4.4752 | Micropox |
As discussed previously, viruses often have many names, which can lead to confusion when dealing with a possible virus infection. The Telefonica-Boot contains the string "Campana Anti-TELEFONICA (Barcelona)". This virus has caused much confusion. Basically there is a virus strain known as Campana or Telefonica which is a standard boot sector infector. This virus will not infect files. It is this virus that was discovered here at Edinburgh. For the sake of clarity this virus is referred to here as Telefonica-Boot. There is another virus strain however, known as Kampana, Telefonica or even Telecom, which is a file infector. Emm (1993) refers to this as Telefonica-file. (12) This virus, however, also installs the above-mentioned boot sector infector. The boot sector virus - Telefonica-Boot - is fairly common. Indeed, the file infector has not spread nearly as much as the boot sector virus. This means that more often than not, when the boot sector virus is discovered, it is identified on its own. The file virus is unlikely to be present. In Edinburgh this was the case. However, if the file virus is discovered then the boot sector virus will certainly be present.
The Brain started this trend of including messages within the virus itself. The Brain infected boot sector as identified here at Edinburgh contained the following:
Welcome to the Dungeon (c) 1986 Basit & Amjad (pvt) Ltd. BRAIN COMPUTER SERVICES..730 NIZAM BLOCK ALLAMA IQBAL TOWN LAHORE-PAKISTAN..PHONE :430791,443248,280530. Beware of this VIRUS.....Contact us for vaccination........ ....... $#@%$@!!
The Dark Avenger was named because of the following text included in the virus code:
Eddie lives...somewhere in time! This program was written in the city of Sofia (C) 1988-89 Dark Avenger Diana P.
This has led to the virus also being called Eddie and Diana. Only the "Eddie lives...somewhere in time!" string is used by the virus as discussed above.
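The identification strings quoted above are exactly what a simple signature scanner looks for in a boot sector image. The following is an added example, not code from the original review or from any vendor's toolkit: it scans a constructed raw disk image sector by sector for the text fragments this review attributes to Brain, Stoned.wd3, Telefonica-Boot and Dark Avenger, and reports whether each hit sits in a bootable sector (the 0x55AA marker at offset 510 is a DOS convention, assumed here). The sample image and the signature list are constructed for the example.

```python
# Added example: minimal boot-sector string scanner using the identification
# strings quoted in this review. Signatures and sample sectors are constructed.
import struct

SECTOR_SIZE = 512

# Text fragments the review attributes to each virus. Matching is byte-exact;
# a real scanner would use code patterns, since the wording varies by variant.
SIGNATURES = {
    b"Welcome to the Dungeon": "Brain",
    b"Your PC is now Stoned!": "Stoned.wd3",
    b"Campana Anti-TELEFONICA (Barcelona)": "Telefonica-Boot",
    b"Eddie lives...somewhere in time!": "Dark Avenger 1800",
}


def scan_sector(sector: bytes) -> dict:
    """Report on one 512-byte sector: bootable marker present, signature hits."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    # Bytes 510-511 hold 0x55 0xAA on a bootable sector (little-endian 0xAA55).
    (boot_marker,) = struct.unpack("<H", sector[510:512])
    hits = [name for text, name in SIGNATURES.items() if text in sector]
    return {"bootable": boot_marker == 0xAA55, "matches": hits}


def scan_image(image: bytes):
    """Yield (sector_index, report) for every sector with at least one hit."""
    usable = len(image) - len(image) % SECTOR_SIZE   # ignore a trailing partial sector
    for offset in range(0, usable, SECTOR_SIZE):
        report = scan_sector(image[offset:offset + SECTOR_SIZE])
        if report["matches"]:
            yield offset // SECTOR_SIZE, report


def make_sector(payload: bytes, bootable: bool = True) -> bytes:
    """Constructed sample sector: pad payload to 510 bytes, then add the marker."""
    body = payload.ljust(510, b"\x00")[:510]
    return body + (b"\x55\xaa" if bootable else b"\x00\x00")


# Constructed three-sector image: a clean DOS boot sector, a Brain-style
# boot sector, and a data sector overwritten with the Dark Avenger message.
SAMPLE_IMAGE = (
    make_sector(b"\xeb\x3c\x90MSDOS5.0")
    + make_sector(b"\xeb\x34\x90Welcome to the Dungeon (c) 1986 Basit & Amjad")
    + make_sector(b"Eddie lives...somewhere in time!", bootable=False)
)

if __name__ == "__main__":
    for index, report in scan_image(SAMPLE_IMAGE):
        print(f"sector {index}: {report}")
```

Because Brain and Quox return the original sector when they are active in memory, a scan like this only means something when the image was read after booting from a clean disk, which is the point made in the clean-up advice below.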
All the viruses identified in 1993 can be detected and in most cases removed by currently available anti-virus software. Clean-ups should only be attempted however after booting from a cold, clean source. Infected files should be deleted and replaced from clean backups whenever possible. If these do not exist then the only alternative will be to use a disinfection program. Success will depend on the contents of the original file and how the individual virus infects. (Scobie, 1992)
In keeping with the viruses identified in 1992, the present sample has originated from different parts of the world, uses similar infection mechanisms and payloads, is known by numerous aliases and has the potential to destroy data, either by design or careless programming. At the time of writing in February 1994 there have been several new reports of virus outbreaks. Clearly the need to remain vigilant continues.