
Edinburgh University PC Virus Review 1997

1997


INTRODUCTION

Those of you who have been following these reviews over the years will probably notice a subtle change in the title. Since 1992, when these annual virus reviews began, they have all appeared with the title PC Virus Review. This year the title has changed to Computer Virus Review. This is in response to the phenomenon known as Macro Viruses, which can infect across both PC and Macintosh platforms. As Macro virus infections now make up the large majority of all reports, it is not strictly correct to refer to them as PC viruses. Hence the change in name.

The growth of Macro viruses has prompted me to begin a reclassification of the viruses that have been reported throughout the year. Unlike previous years, these latest additions to what I like to refer to as 'the zoo', clearly break down into two separate groups. The first being what I now refer to as the 'DOS Classic' virus. These include Empire.Monkey, Parity and our old friend Form which is still making a couple of appearances a year.

The second group are the Macro viruses, the first of which appeared 'in the wild' in July 1995 with the WM/Concept virus. All the macro viruses are Word Macro viruses. The convention of using WM before the name is used here to denote a macro virus that has been written to infect Word documents. Macro viruses for Excel do exist and use the naming convention of XM/but none of these have been reported at Edinburgh University.

DOS Classic Viruses

Beijing; Burglar.1150; Empire.Monkey; Form.a; Junkie.mp.1027; NYB; Parity; Quandry; Ripper

Word Macro Viruses

WM/Bandung; WM/Cap; WM/Concept; WM/Divina; WM/Imposter; WM/Npad; WM/Wazzu; WM/Yaka.6

17 distinct viruses were reported during 1997. Of the viruses new to Edinburgh University, none fall into the category of 'DOS Classic'. Although Burglar.1150 was reported, this is in fact another name for the GranGrave.1150 virus, which was featured for the first time last year in the 1996 Review. Last year's reports of Word Macro viruses included only WM/Concept and its variants. This year we have seen the seven other Word Macro viruses listed above. This makes a total of seven new viruses in 1997.

There were 9 DOS Classic viruses and 8 Word Macro Viruses reported in 1997. This is four down on the 1996 total of 21, but two more than that reported in 1995. There were 38 reports of infections that made their way back to myself. As always, these reports include hundreds of infections. The number of reports is down on last year. This can probably be accounted for by the interest generated by the Word Macro viruses, which appeared in a big way last year. As with the Form virus in previous years, after the novelty has worn off and familiarity creeps in, under-reporting tends to occur once sites are confident with the problem at hand. It becomes just another computer problem, which, as I maintained before, is all it actually is.

WORD MACRO VIRUSES

In the 1996 review I noted that

The 17 reports contain hundreds of instances of the Concept virus. I expect 1997 will be no different.

A hint of the true extent of the macro virus problem emerged in June when I was called to deal with a large outbreak of the WM/Npad virus. On the first day of being called in I discovered just over 300 infections on the one NetWare fileserver volume. These were quickly disinfected. The next day a further scan revealed approximately 150 which were again disinfected. On day three, this number was reduced to around 70 and by the fourth day a volume scan indicated that the number of new infections was down to single figures. While this was going on the site in question was dealing with the workstations themselves ensuring that all workstations were installed with the latest version of Solomons Anti-Virus Toolkit. The same thing happened with another site in July, with a similar number of infections. However, this time it was with the WM/Concept virus. Strangely enough the first site only reported having the WM/Npad.gen virus while the second site only reported the WM/Concept virus.

An interesting side effect of the massive growth of Word Macro viruses and their direct impact on Edinburgh University is worth highlighting. Probably the biggest issue of 1997 was the number of reported virus infections where the current version of our anti-virus software was not detecting the virus itself. Many users reported unusual behaviour - all using Microsoft Word incidentally - in the belief that there was a virus present, yet the virus remained undetected using the software available. Updated drivers immediately solved the problem. This had occurred for the first time during 1996 with the GranGrave virus, and then only the once. However, as early as March 1997 this happened again with a number of macro viruses, and in fact this phenomenon occurred on a monthly basis during the latter half of the year. For example, WM/Cap appeared here in June. The first reported instances of this virus anywhere in the world were four months earlier, in February 1997. It did not take long to make its way to Edinburgh. October saw reports of the WM/Bandung virus that users were unable to clean up. Similar reports emerged concerning the WM/Imposter virus. November saw the appearance of WM/Yaka.6, which again proved problematic with the current versions of the software that were available. In heuristics mode the software did believe it to be a virus of some description and fortunately disabled it, but could not disinfect it. Extra drivers, which are often posted by Solomons as a service to their customers, did the trick within twenty-four hours of the discovery.

It should be stressed that in many instances the user reports were genuine in relation to the versions of anti-virus software they were using. There were many cases where providing them with the latest version we had sorted the problem. Anti-virus software is something that increasing numbers of people are running here at Edinburgh. However, it is not always being kept as up to date as it could be. In previous years this has not been a problem, since new viruses did take the best part of a year, if not longer, to appear at our site, and by that time the majority were running a version of the anti-virus software that could cope with such viruses. With the growth of the Internet and the use of e-mail, coupled with the ease of producing macro viruses and the dominance of the Windows platform and Word as a word processor, new viruses and their variants are appearing at our site within months of being originally written by the virus authors. In the light of this, the three-monthly update cycle for the anti-virus software was not sufficient. By the end of the year the decision had been made to switch to monthly updates beginning in the New Year. Despite the fact that no major data loss was reported as a result of these so-called 'harmless viruses', these outbreaks resulted in more money being spent to combat the problem.

If you are a member of Edinburgh University, whether staff or student, it's worth pointing out that we have a site licence for Dr Solomon's Anti-Virus Toolkit for the following workstation platforms: DOS, Windows 3.x, Windows 95, Windows NT, OS/2 and Apple Macintosh. Download details can be found at http://www.ucs.ed.ac.uk/Software/Solomons/

There is also a Novell NetWare NLM which provides automatic scanning, disinfection, and file access monitoring for use on the hundred plus Novell NetWare fileservers throughout the University. Novell NetWare system administrators need to contact the Micro Facilities Team, EUCS, Main Library Building, George Square for access details. Note that this software can only be installed and configured by Novell NetWare system administrators. There are versions for both NetWare 3.x and NetWare 4.x.

IT'S THE END OF THE WORLD (AS WE KNOW IT)

Fears that new virus causes Internet Chaos

So proclaimed The Scotsman newspaper on Thursday the 24th April 1997. The article carried words of warning of a 'sinister new virus', 'a complex macro', and 'fears are growing... of internet mayhem.. before the infection strikes', and 'Edinburgh University's senior computer officer, Garry Scobie, who has been investigating computer viruses for the past ten years...' was right in the thick of it! So what's the real story? Word was already out concerning the potential of a Word Macro Virus called ShareFun. This virus is apparently loosely based on WM/Wazzu. The interesting feature of this virus is that if Microsoft Mail is running on the infected computer, the virus attempts to send e-mail messages to three random addresses. These addresses are obtained from the local mail alias list.

The e-mail has the subject heading

You have got to see this!

Although the message itself does not contain any text, there is a file attachment with the name DOC1.DOC which is infected with the virus. If the user who receives this e-mail opens the document, the virus infects that computer and, if MS Mail is running there, the cycle continues. According to information I have since received from Dr Solomon's Software, ShareFun was found in the wild in the USA in February 1997. Thanks to Samantha Gurr, Technical Support Specialist, for this information and the above details on ShareFun.
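As an added defensive illustration, not part of the original review, the following Python filter flags incoming mail that matches all three ShareFun indicators described above (the exact subject line, an empty body, and an attachment named DOC1.DOC), so such a message can be held back before anyone opens the document. The two sample messages are constructed for the example and are not real captures.

```python
import email
from email import policy
from email.message import EmailMessage

# The three indicators the review gives for ShareFun's mail: this exact
# subject, an empty message body, and an attachment named DOC1.DOC.
SHAREFUN_SUBJECT = "You have got to see this!"
SHAREFUN_ATTACHMENT = "doc1.doc"

def attachment_names(msg: EmailMessage) -> list:
    """Lower-cased filename of every non-body part of the message."""
    return [(p.get_filename() or "").lower() for p in msg.iter_attachments()]

def body_is_empty(msg: EmailMessage) -> bool:
    """True when the message has no text body, or only whitespace."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body is None or body.get_content().strip() == ""

def is_sharefun_like(raw: str) -> bool:
    """Flag a raw RFC 822 message only when all three indicators coincide."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip()
    return (subject == SHAREFUN_SUBJECT
            and body_is_empty(msg)
            and SHAREFUN_ATTACHMENT in attachment_names(msg))

# Constructed sample matching the review's description (not a real capture;
# the attachment content is a placeholder, not a Word document).
SUSPECT = """\
Subject: You have got to see this!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

--b1
Content-Type: application/msword; name="DOC1.DOC"
Content-Disposition: attachment; filename="DOC1.DOC"

placeholder
--b1--
"""

# Constructed benign mail: same subject, but a real body and no attachment.
BENIGN = """\
Subject: You have got to see this!

Here are the minutes from Tuesday's meeting.
"""
```

Requiring all three indicators together keeps the subject line alone from quarantining ordinary mail that happens to reuse the phrase.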

Janice Burns, a reporter with the Scotsman, contacted the University for information and advice on an article due to be run, and ended up with me doing a telephone interview. This was more nerve-racking than it sounds. However, I think I said all the right things and I was very pleased with the result, especially in the light of many published reports that manage to get it so wrong when it comes to the issue of computer viruses. The headline was not my idea, by the way, and despite what I've said in the past about sensational reporting, I can't help but like it.

HOAXES

Hoaxes were in abundance during 1997. In fact during January, as if to set the scene for the rest of the year, colleagues sent me parodies of the GoodTimes virus hoax. January saw the Penpal Greetings hoax along with the Deeyenda Maddick hoax (one of my favourites). During March, AOL4FREE did the rounds. September saw the Penpal Greetings hoax coming around again along with Join The Crew. Join the Crew then surfaced again in November, as did Penpal Greetings. As I noted in last year's Review,

On the Solomons Web Site Graham Cluley has written an excellent paper on virus hoaxes and makes entertaining and informative reading for everyone.

However, I didn't include the appropriate URL. This is the definitive work on virus hoaxes and it is well worth checking out at the following:

http://www.drsolomon.com/vircen/vanalyse/va005.html

IS THERE ANYBODY OUT THERE?

As a virus researcher I see not only the sharp end of virus infections but also the more bizarre side of life that constantly hangs around the zoo gates. I'm often asked for copies of viruses by complete strangers for some reason, and indeed April was no exception. On the 6th I received the following request.

Please send me some sites where I can download viruses (I collect them).

As if. There are in fact enough sites about if you look for them that such specimens can be downloaded without myself adding to them. The above user would no doubt be interested in the direct posting I received in May from the Digital Hackers' Alliance about a Virus CD-ROM Offer.

Hey, I was checking out your web site, and I thought you might be someone interested to know that the Digital Hackers' Alliance has once again made its entire virus archive of over 10,000 viruses available to the public. We've once again been burning the midnight oil over the CD-R to produce a limited number of new CD-ROMs. This CD-ROM is not only packed full with over 20 meg of viruses, but also comes with source code for over 1500 of the most famous viruses ever! Be one of our first 100 customers and receive FREE of charge over 50 virus creation tools, including Virus Creation Lab (VCL) and PS-MPC! Nowhere else in the world will you find a more complete collection. Anyway, if you want to find out more about the CD-ROM, including an (almost) complete listing of every virus on the CD, check out the Digital Hackers' Alliance web page at:

Hey, what am I going to do with 10,000 viruses! I mean seriously, what would I do with them? I wonder if the virus authors have given them permission and are receiving royalties. Just a thought!

On May the 6th the following arrived in my mailbox.

To Mr Scobie

I'm in year 11 at high school and I am doing my IT assignment on computer viruses. I was wondering if you could please e-mail me some information on viruses, it would be much appreciated. Thanks in advance?

Such postings will get a reply, since a simple cut and paste of my browser's hotlist of anti-virus sites gives the inquirer enough info to be going on with.

Shortly before the Christmas holidays I just had time to read this:

To whom it may concern:

My name is <name removed> and I am in the 6th grade. I would like to know if you can help me with my science fair project. I would like to know if you could send me e-mail or a diskette which is infected with one or more viruses. I have a computer that I would like to infect with a virus and see the results of the virus. Obviously, a virus that is easy to find and get rid of. Also, if you could, send or e-mail me information about viruses.

Full marks for trying I suppose. Given the ease by which Macro viruses can be produced I'm surprised to still receive such postings.

BITS AND BYTES

I concluded the 1996 Review

My predictions for the future? Macro viruses are going to continue to feature strongly. New threats are going to appear from Java and ActiveX.

Well, Macro viruses certainly did. The comment on ActiveX has been a bit premature. However, as far as Java goes, I was in e-mail contact in January with Mark LaDue, who has done a tremendous amount of work in this area. Since this work is outwith the scope of this paper, do a web search for him if you are interested in reading the details.

January also saw me in e-mail contact with Padgett Peterson, who was a real blast from the past as far as I was concerned. Suffice to say this man knows about viruses and computer security and has been down among the ones and zeros for many years. I had studied many reports of his about the workings of DOS and viruses and have learnt a lot from them. He has also written excellent tools which I have put to good use over the years. As a result of an investigation into macro viruses which I was conducting at the time, I contacted him requesting the use of some material he had gathered on the subject. The next day his wife Linda replied, since Padgett was away on business. Turns out they had in fact visited Edinburgh, so we chatted about that. Padgett replied the next day:

No problem, just would appreciate attribution (have given up on ever being rich but will take glory 8*).

The glory is all yours Padgett.

April the 1st saw a report of an infected logout.exe program on a NetWare fileserver. The virus was Burglar.1150 and naturally caused many infections. This was no April Fool, however, and caused problems for the site concerned. I cannot stress enough that those working with Supervisor privileges need to be doing so from known clean workstations when carrying out file updates or general server maintenance. Up-to-date anti-virus software would have detected this virus at the time.

During April Michael Lewis, the documentation manager & web master at sophos.com - who produce anti-virus software - mailed me out of the blue. Apparently Michael finished his MSc at the Dept of AI here at Edinburgh in Oct 1995 and was checking out other anti-virus sites.

During August I was invited onto the NT WinGuard Beta program. This involved testing out the latest code from Solomons and filling in the questionnaires. I have been on many beta programs for Solomons and still haven't received the free gift despite sending my results back. Maybe next year?

In November I was contacted by Ngozi Okolie, On-line Communications Administrator, Dr Solomon's Software. Readers of the 1996 Review will recall that there has been a link from their site to mine since 1996. Ngozi had mailed to offer the use of the Dr Solomon's logo as a pointer to their site and duly mailed me the appropriate gif.

CONCLUSION

Predictions for the future? It's a safe bet that we are going to see more Word Macro virus infections. It would not surprise me if we see Excel macro viruses making their first appearance during 1998 though I would hope that they will remain comparatively rare in relation to the Word varieties. Hoaxes will certainly do their rounds again on more than one occasion. Certainly, 1998 will see a major overhaul of the Edinburgh University Computer Virus Technical Support Library as part of an on-going commitment to provide information on Computer Virus issues and to provide a focus for the whole subject within the University. In fact, on the virus front I'm confident that it will be business as usual.
