1994
[Back to index] [Comments (0)]The 1993 Virus Review stated that I expected to see ...more previously undetected viruses come into Edinburgh coupled with an increase in the number of reported infections." (Scobie, 1993)
Looking back over 1994 this is exactly what happened. More new viruses appeared while reported infections were up on the previous year. The pros and cons of why there should be an increase were outlined in last years review so I refer the reader to that as I feel they are still valid for this present review.
The last two reviews have concerned themselves with features which are typical of the large majority of computer viruses. It is important to understand the basics of what computer viruses are about and I hope that the previous reviews provide a useful overview. This review departs from that format and concerns itself with some of my own observations on the virus situation as it is reported to me here at Edinburgh University. One or two other events of note are also featured and for good measure of couple of viruses are singled out for special mention. Next year, the review for 1995 will look back over the previous five years of viruses at Edinburgh and consider all the viruses reported to date.
1994 saw a 64% increase in reported infections from the previous year. (See Table 1) Fiftyfour reports in all, which was more than twice the number reported for 1992. With an average of one report a week for the entire year, you may be forgiven that viruses occupied a lot of my time. However, unlike previous years this was not the case. The userbase here at Edinburgh is now more aware of viruses and of anti-virus software. Hopefully these reviews and the Anti-Virus guidelines have helped in this respect. 1994 as far as I am concerned saw a more rational view being adopted. There is no longer the panic when a virus is discovered. Viruses are now being treated as simply a computer problem, something which I for one have always viewed them as such. I welcome the fact that many more of us are installing anti-virus software and are catching viruses as they come in. We are not going to stop viruses appearing. We can however stop them spreading. This is precisely what is happening. There were no reports this year of what can be considered major outbreaks.
Number of reported outbreaks
| Virus Name | 1991 | 1992 | 1993 | 1994 |
|---|---|---|---|---|
| Azusa | - | - | 1 | - |
| BackForm.a | - | - | - | 1 |
| Brain.numbers86 | - | - | 1 | - |
| Cascade.1701 | 1 | 1 | 1 | 4 |
| D3 | - | - | - | 4 |
| Dark Avenger 1800.a | - | - | 1 | - |
| Empire.Monkey.b | - | - | - | 5 |
| Flip.2153.a | - | - | - | 1 |
| Form.a | - | 10 | 14 | 17 |
| Green Caterpillar.a | - | 2 | 1 | 1 |
| Jerusalem.standard | - | 2 | - | - |
| Joshi.standard | - | 1 | 1 | - |
| Junki | - | - | - | 1 |
| Michelangelo.a | - | - | 1 | - |
| Noint.a | - | 1 | 1 | - |
| Nops.b | - | - | - | 1 |
| November 17.855 | - | - | - | 1 |
| Parity boot.b | - | - | - | 3 |
| Quox | - | - | 2 | 2 |
| Ripper | - | - | - | 6 |
| Stoned.standard | 1 | 3 | 1 | 2 |
| Stoned.wd3 | - | - | 1 | - |
| Stonehenge.b | - | - | - | 1 |
| Telefonica-Boot | - | - | 3 | 1 |
| Tequila.a | - | 1 | 2 | - |
| V-Sign.1f | - | - | 1 | 3 |
| Vacsina.05 | - | 2 | - | - |
| XPEH4.4752 | - | - | 1 | - |
| Yankee Doodle.44.a | - | 1 | - | - |
| Total | 2 | 24 | 33 | 54 |
1994 has been the year when our community has been getting on top of the virus situation. Will new viruses continue to appear? I believe yes. Will there be a further increase in the number of reported infections? I am not prepared to stick my neck out this time and say yes. Given the present level of reporting which comes from a select band of EUCS members and departmental computing officers I believe that there will be a leveling off and that the coming year will see about the same number of reported infections as this year. I do not expect to see a dramatic increase in the number of new viruses or reports based on the present levels of reporting. Since there is no official reporting mechanism in place I suspect that the numbers of those who report back on a regular basis will remain roughly the same. This group can only report so many infections and I believe this limit has been reached. Of course, it maybe that as a result of reading this review many more may start reporting virus infections. We will have to wait and see.
I accept that these reviews suffer from under-reporting. The Computer Virus Reviews are based solely on what has been reported to me, nothing else. I am confident that not all virus infections are reported back to Computing Services. I often hear of previously unreported infections when dealing with some other unrelated technical problem. However, by that time it is too late to include such outbreaks in these reviews as facts and figures are often vague by the time I hear about it. If you discover a virus then let me know.
Many sites have dealt successfully with outbreaks of FORM for example. They have seen the virus on a number of occassions, it is not a major problem so why bother to report it? Well, I believe reporting is useful in the event that a pattern should emerge. If a particular virus begins to appear on a regular basis at selected sites then this may be an indication of deliberate targetting. It may of course be simply someone moving from site to site with infected disks, unaware of the virus presence.
What can be said about the viruses that were reported in 1994? During the year a total of seventeen viruses were reported. Of these ten were new to Edinburgh. The remaining seven included a number of old favourites.
Table 2: Previously detected viruses 1994
| Virus Name |
|---|
| Cascade.1701 |
| Form.a |
| Green Caterpillar.a |
| Quox |
| Telefonica-Boot |
| Stoned.standard |
| V-Sign.1f |
Cascade and Stoned have been reported every year since 1991. Cascade however was reported four times this year. As expected FORM accounted for the most infections, 31%.
Of the new viruses reported this year there were none that were considered rare. As noted in the 1992 review, the naming of viruses has always been a source of confusion. This year the AntiEXE virus was orginally listed in Table 1 but this turned out to be another name for the D3 virus. Since it is listed as D3 in Solomons Virus Encyclopaedia - a new updated edition was published this year - then all reports are included under the D3 name.
Table 3: Previously undetected viruses 1994
| Virus Name |
|---|
| BackForm.a |
| D3 |
| Empire.Monkey.b |
| Flip.2153.a |
| Junki |
| Nops.b |
| November 17.855 |
| Parity boot.b |
| Ripper |
| Stonehenge.b |
The Monkey virus was of particular interest. Although a boot and partition sector virus this effort was different from those that had gone before. As long as the virus is active in memory the hard disk is accessible. This is due to the virus using stealth techniques and returning a normal partition table. Boot from a clean floppy and you discover that the virus has not preserved the partition table information in the MBR. You can only access your disk courtesy of the virus. Fortunately there is a program dedicated to the removal of this virus. Full details of the virus are included for those interested.
The Parity boot virus caused some confusion for those not running anti-virus software in the first instance. This virus as its payload produces a parity check error and hangs the computer. This led some to believe that there was a hardware problem. This goes to show that you should always check the machine for viruses before investigating at a lower level.
I have an update on the XPEH4 virus which was reported last year. At the time only the latest release of the Solomons Anti-Virus Toolkit detected the virus. Given its rarity S & S asked for a sample which I duly sent off. Although I had started my own disassembly of this virus I never completed it. This was by far the most difficult one I had encountered and since such tasks were carried outwith working hours - my job is networking - I never managed to find the time to get back to it. Fortunately, this virus now has an entry in the latest release of Dr Solomons Virus Encyclopaedia. It notes that ...this virus uses several layers of complex self-encryption and demonstrates certain anti-bugging techniques." (Solomon, 1994)
Now they tell me! If anyone is interested full details are contained in the Encyclopaedia.
During 1994, we took out a site licence for Solomons Anti-Virus Toolkit for Netware. This is an anti-virus solution for Novell Netware networks.
One other event in 1994 was the setting up of the Micro Facilities Team Web Server. This meant that the 1992 and 1993 reviews, previously only available on paper, could be published on the World Wide Web. Indeed, the 1994 review you are currently reading has been published on the Web. The use of the Web means that we can keep our site upto date with news of new versions of Solomons Anti-Virus Toolkit.
Despite the increase in reported infections, I believe that we do not have a virus problem at Edinburgh University. We have software in place, it is being used and viruses although continuing to come into the University are not spreading to the extent of causing major data loss or disruption to working practices. Viruses are of course a nuisance and the time spent dealing with them could be spent on other more worthwhile pursuits. At the moment at least the virus authors are not giving as cause for concern. We must always however remain on our guard.