VX Heavens


Edinburgh University PC Virus Review 1995

1995


Introduction

The 1994 Virus Review stated that, "Next year, the review for 1995 will look back over the previous five years of viruses at Edinburgh and consider all the viruses reported to date" (Scobie, 1994).

As it turns out, this is the subject of a separate article which can be obtained from http://mft.ucs.ed.ac.uk/pcvirus/vrev9195.htm. This seems an appropriate thing to do, since I have maintained statistics for five years now.

The issue of under-reporting has been commented on in previous reviews. Indeed, the level of under-reporting that I have experienced over the years has, I believe, become more pronounced. Reports of virus infections are filtering their way back to me for inclusion, but too often these arrive weeks after the event and the details are too vague to list with any accuracy. Unfortunately I have never recorded these instances in order to gauge levels of under-reporting. However, I will do so during 1996. The Public Lab test machines, which are constantly logged into the network for use by MFT, often pick up broadcast messages of an infected disk detected on station 00X, but detailed reports do not materialise. This is partly due to lack of time on the one hand and a greater awareness of PC viruses in general on the other. I would expect under-reporting to increase as users become more confident in dealing with common viruses, and this is not a bad thing. The whole point of the campaign is to get people to use anti-virus software and become proficient in its use. The lack of reported virus infections may indicate that progress is being made, that viruses are being stopped before they get completely out of hand. Then again, in some cases it may not. Whatever the reality, the levels of under-reporting, coupled with the fact that current anti-virus software checks for the existence of over 7,000 viruses, have led me to question the usefulness of such listings. Many in the field will argue that it is important to maintain a 'wild list', so the community will be aware of what is actually out there. I would agree with this, but if the community is not prepared to make the effort in response to requests for reports then the usefulness of a 'wild list' is called into question.

I would like to say a big thank you to all those who have diligently reported back over the years. If you continue to do so then I will still note them down and publish them here. I am particularly interested in the Word Macro strains and in news of any Windows 95 specific viruses which may be appearing this year. It is on this area that I will be concentrating my energies. To this end I have produced an article on where existing DOS based PC viruses fit in with Windows 95. This change of focus on my part should not be considered an indication that DOS based PC viruses are no longer a problem. It is just that I have other support requirements to contend with and these must take priority. As far as DOS based PC viruses are concerned there has been no real news to talk of. These viruses are still doing the usual things they have always done while the same rules of engagement apply. Such matters have been discussed at length in previous Virus Reviews and these should be consulted. There is very little I can add to this area other than to say, if you are not running anti-virus software then get some. If you have upgraded to Windows 95 then read http://mft.ucs.ed.ac.uk/pcvirus/

The 1994 Review departed from the format of earlier years and this current review expands on this trend, providing information on broader issues as they affect the community here at Edinburgh. If you want information on the nuts and bolts of viruses then see the other reviews. There is little point in going over the same old ground again with this present review. Apart from the notable developments embodied by the Concept Word virus discussed below, very little has changed in the PC virus world.

The 1995 virus sample

1995 saw a drop in the number of reported virus infections from 54 during 1994 to 35. Looking at Table 1, the most likely cause of such a drop is the very few reports of Form last year, perhaps indicating that at last this virus is slowly disappearing from our site. Form has always been disproportionately represented in relation to other viruses, due to the lack of anti-virus measures and a number of mobile users with infected disks. I stated in the 1994 review that a levelling off would take place, with about the same number of reported infections. As it turned out the number of reports fell to that reported during 1993. I still believe the levelling off is taking place, though the size of the drop was surprising, even with the suspected levels of under-reporting. As for 1996, I will not be surprised if reports come in totalling somewhere in the mid thirties.

Number of reported outbreaks

Table 1: Virus outbreaks

Virus Name            1991  1992  1993  1994  1995
Angelina                 -     -     -     -     1
Anticmos                 -     -     -     -     2
Azusa                    -     -     1     -     -
B1                       -     -     -     -     1
BackForm.a               -     -     -     1     -
Brain.numbers86          -     -     1     -     -
Cascade.1701             1     1     1     4     -
Concept                  -     -     -     -     1
D3                       -     -     -     4     5
Dark Avenger 1800.a      -     -     1     -     -
Empire.Monkey.b          -     -     -     5     -
Flip.2153.a              -     -     -     1     -
Form.a                   -    10    14    17     4
Green Caterpillar.a      -     2     1     1     -
Jerusalem.standard       -     2     -     -     -
Joshi.standard           -     1     1     -     -
Junki                    -     -     -     1     2
Michelangelo.a           -     -     1     -     -
Nail                     -     -     -     -     1
Noint.a                  -     1     1     -     -
Nops.b                   -     -     -     1     -
November 17.855          -     -     -     1     -
NYB                      -     -     -     -     1
NZI                      -     -     -     -     1
Parity boot.b            -     -     -     3     8
Quox                     -     -     2     2     -
Ripper                   -     -     -     6     1
Sampo                    -     -     -     -     3
Stoned.standard          1     3     1     2     -
Stoned.wd3               -     -     1     -     -
Stonehenge.b             -     -     -     1     1
Sword.794                -     -     -     -     1
Taipan                   -     -     -     -     1
Telefonica-Boot          -     -     3     1     -
Tequila.a                -     1     2     -     -
Unashamed                -     -     -     -     1
V-Sign.1f                -     -     1     3     -
Vacsina.05               -     2     -     -     -
XPEH4.4752               -     -     1     -     -
Yankee Doodle.44.a       -     1     -     -     -
Total                    2    24    33    54    35

During 1995 a total of fifteen viruses were reported to me. Of these eleven were new to Edinburgh. With the notable exception of the Concept Word virus discussed below, there was nothing of major interest here.

Although there was no virus review in 1991, it has now been five years since the first viruses here at Edinburgh were reported to me. These were Cascade and Stoned. Funnily enough both failed to appear this year, though a variant, Stonehenge.b, did. Previously detected viruses are listed in Table 2 with those previously undetected listed in Table 3.

Virus Name
D3
Form.a
Junki
Parity boot.b
Ripper
Stonehenge.b

Table 2: Previously detected viruses in 1995

Virus Name
B1
Concept - Word Macro
Nail
NYB
NZI
Sampo
Sword.794
Taipan
Unashamed

Table 3: Previously undetected viruses in 1995

The Parity boot.b virus was highlighted in the 1994 review. This virus actually had the most reported infections in 1995, with 8 reported outbreaks. As expected this is a boot sector virus; boot sector viruses are still by far the most common type of infector.

SWORD.794

During June a variant of the Sword.794 virus was discovered at Edinburgh University which was sent to Solomons for analysis. They faxed back with details of an extra driver which would correctly identify and remove this variant, reporting that "This is a slightly corrupted, but still infectious variant of Sword.794. The corruption affects the operation of infected COM files making them sterile and probably causing them to hang."

Fortunately there was only the one report of this virus.

Good Times Hoax

I received many postings regarding a virus supposedly transmitted by e-mail. Known as the "Good Times" virus it has caused considerable confusion among users. Basically a rumour was started to the effect that a virus was being sent via e-mail, which would erase your hard disk. If you should receive an e-mail with "Good Times" in the header, you were advised to delete it without reading it, otherwise the virus would erase your disk.

As with most 'urban legends', this hoax got completely out of hand, with users forwarding warnings to newsgroups, creating their own versions of the story, and deleting any mail with "Good Times" in the header, believing they had saved themselves from a virus attack.

The Computer Incident Advisory Capability (CIAC) published details of this hoax on December 8 1994, yet all through 1995 I received all sorts of mailings about this. As soon as you think you have heard the last of it, back it comes again, causing unnecessary panic and worry.

So what are the facts? You can send a virus via e-mail as an attachment to the message. You cannot, however, infect your disk by merely reading an e-mail message. Executing the attachment in some way may of course cause the virus to run. An example could be an infected .EXE sent as an attachment: the mailer decodes it and then the user runs the program. This is something entirely different to this particular hoax.
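The distinction drawn above, as an added example that is not part of the original review: a mail triage routine that treats the message body as inert text and classifies each attachment by its decoded content as well as its name. The sample message, addresses, file name and the `triage` and `build_sample` helpers are constructed for illustration.

```python
import base64
from email import message_from_string

EXEC_EXTENSIONS = (".exe", ".com")  # DOS program file types


def build_sample() -> str:
    """Constructed message: a text body plus a base64 attachment starting 'MZ'."""
    fake_program = b"MZ" + bytes(62)  # stand-in bytes, not a real program
    encoded = base64.b64encode(fake_program).decode("ascii")
    return "\r\n".join([
        "From: sender@example.org",
        "To: user@example.org",
        "Subject: Good Times",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/plain; charset=us-ascii",
        "",
        "Reading this text cannot infect anything.",
        "--b1",
        "Content-Type: application/octet-stream",
        'Content-Disposition: attachment; filename="README.TXT"',
        "Content-Transfer-Encoding: base64",
        "",
        encoded,
        "--b1--",
        "",
    ])


def triage(raw: str):
    """Return (label, verdict) for every leaf MIME part of the message."""
    results = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue  # container only, carries no content of its own
        name = part.get_filename()
        data = part.get_payload(decode=True) or b""  # undo base64 etc.
        if name is None:
            # Assumption: a part without a file name is displayed, never run.
            results.append(("body", "inert text"))
        elif data[:2] == b"MZ" or name.lower().endswith(EXEC_EXTENSIONS):
            # Content check catches a DOS program hidden behind a harmless name.
            results.append((name, "executable attachment"))
        else:
            results.append((name, "data attachment"))
    return results


if __name__ == "__main__":
    for label, verdict in triage(build_sample()):
        print(f"{label}: {verdict}")
```

The attachment is flagged even though it is named README.TXT, because the check looks at the decoded bytes rather than trusting the file name.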

Concept Word Virus

Probably the most significant event in the virus field in 1995 was the emergence of the Concept Word virus. During August reports were received of a new type of virus which infects Word for Windows documents, making use of the high-level macro language Word Basic.

Microsoft described this as a 'prank macro' but the significance of this development should not be underestimated. This is the world's first multi-platform virus, being able to spread under Windows, Windows 95, Windows NT and Macintoshes. Its ability to infect data files successfully is also a first. Full details can be found at Solomons Site but the virus works as follows. When an infected document is opened using Word, the virus infects the default template, which is usually NORMAL.DOT. An indication of this is the appearance of a dialogue box with the digit 1 in it. Several macros will also appear in your macro list. Existing macros with the same name will be overwritten at the time of infection. From there the act of saving new documents results in them being infected by the virus. Although this virus does not have a damaging payload, the potential for someone to add their own via the macros is clearly obvious.

There was one report of the Concept Virus here at EUCS George Square, though the source of infection was never traced.

Since then other viruses infecting Word files have appeared. Solomons site has details of Colors and Nuclear.

An additional driver was made available for Solomons Anti-Virus Toolkit as soon as the virus was known about, with the ability to detect the virus built into subsequent releases.

PC Viruses and Windows 95

Probably the event of 1995 was the long awaited launch of Windows 95. In the haste to upgrade many of you may have forgotten all about anti-virus protection. Solomons Anti-Virus Toolkit for Windows 95 has been released and at the time of writing EUCS is investigating a site licence. For further details on Windows 95 and PC viruses see http://mft.ucs.ed.ac.uk/pcvirus/

Conclusion

The 1994 Review concluded that we do not have a virus problem here at Edinburgh University. I believe that this is still the case. There have been no major outbreaks reported during 1995 and no major loss of data. This is good news. However, the Concept Word virus has given me cause for concern, as it is a new development, and one that has the potential to disrupt working practices considerably. New systems bring with them new problems and, it seems, new threats from virus authors. Keeping your anti-virus software relevant to your system and up to date will ensure that such developments in the virus field remain nothing more than a nuisance.
