Edinburgh University PC Virus Review 1996

1996

Introduction

It's hard to believe, but this is the 5th Edinburgh University PC Virus Review of the year. Rather than comment any further on that startling piece of news, let's see what has been happening virus-wise.

With the notable exception of the Word Macro viruses, the most often reported viruses in 1996 were the AntiExe virus and the Junkie virus. Our old friend Form is still making an appearance. Several new viruses made their first appearance in Edinburgh, including Natas, Leandro, Slomo, Grangrave, Angelina and CrazyBoot. The One Half virus was featured in Issue 2 of the Dr Solomons Virus Report. The Word viruses were reported as Word, Word Macro, Concept, Winword Concept and other variations in the many e-mails and telephone conversations throughout 1996. They were all of the type Concept and have all been included within the official name of WM.Concept. None of the other two dozen or so Macro viruses were reported.

Excluding the WM.Concept virus, 21 viruses were reported during 1996, covering a total of 50 incidents. Including WM.Concept, this makes a grand total of 22 viruses and 67 incidents. This is the highest recorded figure since I started writing these reviews back in 1992. Below is an up-to-date table featuring all viruses reported since these reviews began.

Word Macro Viruses

As expected, the Word Macro viruses really made themselves felt this year, and the University of Edinburgh was no exception. The Hare virus alert had prompted many sites to remind people to scan for viruses. The result was the unearthing of dozens and dozens of copies of the Word Concept virus. This has become the most reported virus of all time at Edinburgh. There were 17 reported outbreaks during 1996. The issue of under-reporting has been covered at length in previous Virus Reviews. Like Form, the macro viruses have become so commonplace that many incidents are going unreported. I know this as a result of conversations with support staff after the event. More often than not such incidents do not get logged, as details are often sketchy as to when the outbreak occurred and to what extent machines were infected. The 17 outbreaks noted here were reported at the time they happened.

The under-reporting is partly due to the fact that at present the Concept virus does not do any damage insofar as losing data is concerned. Given its trivial nature - and after all it is just another computer problem - many instances go unreported. Furthermore, there have been so many cases this year that reporting it hardly seems worthwhile. However, on the issue of damage, like all viruses it is a time waster and that is damage enough.

The 17 reports contain hundreds of instances of the Concept virus. I expect 1997 will be no different.

July 1996 saw the first working macro virus which infects Microsoft Excel spreadsheets. The virus has been named XM.Laroux. There have been no reports made to me of this virus here at the University of Edinburgh. It is important to be aware that not only Word documents are at risk.

Grangrave.1150

June witnessed the arrival of the Grangrave.1150 virus. There is nothing unusual about the virus, but what is worth highlighting is the fact that at the time our current version of Solomons Toolkit for Windows 95 did not detect the virus. We receive updates every three months. During June our current version was 7.57. You needed version 7.60 to be able to detect the virus. Fortunately our DOS version was sitting at version 7.60. Simply copying over the drivers from this version into the Windows 95 installation ensured our machines were protected. Two copies of the virus were reported to me. This incident helps to underline the need to maintain your anti-virus software at the latest revision levels. New viruses are appearing every week. With the ease with which files can be transferred from one network to another, the possibility of finding a virus that is so new your anti-virus software cannot detect it is higher now than it has ever been. This case illustrates that it is not enough simply to rely on anti-virus software in isolation. Think about where you are downloading software from. Keep backups of important data.

Hare.7610

During August the media went into silly mode. There were serious news reports on how, on the 22nd August, computers everywhere were going to stop due to a new virus on the Internet. Experts were being interviewed in Cyber Cafes of all places, and users were filmed in front of computers doing whatever it is they do. Funnily, there were no reports the next day of how we all got on without our hard disks. This was the biggest lot of nonsense since the Michelangelo hype of a few years back. The virus did exist - it was not a hoax. As to why the virus should capture the imagination of the media, the answer probably lies somewhere between a lack of knowledge of computer viruses generally among those who determine what news goes out and a shortage of news stories that week. During 1996, issue 2 of Dr Solomons Virus Report noted that there are currently 150-200 viruses appearing every month. The Hare virus was just one of many to be dealt with like any other virus. As expected, there were no reports of the Hare virus here at Edinburgh University.

Incidentally, the Hare virus is pronounced as in Hare Krsna, and not as in Rabbit.

Good Times, Not!

Despite the publicity surrounding the Good Times virus, and the details of the hoax posted here, reports are still coming in from well-intentioned individuals. 1996 was no exception, with three separate episodes of several mailings to me about this new virus on the Internet.

Deeyenda Maddick Virus

This is an amusing one that was mailed to me. Like the Good Times it is a hoax. The name sounds phonetically like "The end of my dick", such is the standard of humour among the anoraks who produce such nonsense.

On the Solomons Web Site Graham Cluley has written an excellent paper on virus hoaxes which makes entertaining and informative reading for everyone.

PKZIP300.ZIP

I received several mailings concerning a trojanised version of PKZIP. According to an alert issued by Solomons, news of this broke in May 1995. PKZIP300.ZIP contains a formatting utility called PKZINST.EXE. Full details can be found on the Solomons web site. They conclude that it is extremely unlikely that you will ever come across this trojan. There have been no reports of it appearing at Edinburgh University.

Fame at last!

I discovered that the Solomons Web site has a pointer to these Virus Reviews which is rather nice since I have a pointer to theirs. Remember, these people are the real experts who do a terrific job. Check out their site.

And what of the future?

1996 has again been a busy year for support staff, without the added hassle of dealing with viruses. For many now, viruses do not present a technical problem but nevertheless add to the already heavy workload. My thanks again as always to those who are continuing to e-mail reports of successful cleanup operations.

My predictions for the future? Macro viruses are going to continue to feature strongly. New threats are going to appear from Java and ActiveX. Perhaps we should be warning users about the inherent dangers not only of downloading software from unknown sources, but also of casual browsing of untrusted hosts on the Web? Watch this space!