Edinburgh University PC Virus Review 1998

1998

INTRODUCTION

1998 saw some major developments in the anti-virus field. The time lag between a virus being written and its showing up in Edinburgh is shortening; Dr Solomon's, the anti-virus software we use here at the University of Edinburgh, was acquired by Network Associates; and a virus was discovered that could render hardware unusable by corrupting the flash BIOS, and this time it was no hoax.

REPORTED VIRUSES

There were fifteen different viruses reported in 1998. Of the fifteen, eight were new to Edinburgh University. Only three can be considered DOS classics: Parity.b, Stoned.angelina and Phantom. Angelina and Parity.b are boot sector viruses, while Phantom is a memory-resident COM file infector. The rest were Word macro viruses, except for Laroux, which is an Excel macro virus, and WIN95/CIH.1003, which is a memory-resident infector of Windows 95/98 (PE format) executables. There are now four distinct categories of virus identified at Edinburgh University: DOS classic, Word macro, Excel macro and what I describe as WIN32 file viruses.

DOS Classic Viruses

Stoned.angelina; Parity.b; Phantom

Word Macro Viruses

WM/ABC; WM/Cap; WM/Concept; WM/Imposter.e; WM/NF; WM/Nottice; WM/Npad; WM/Razer; WM/Showoff; WM/Yaka.b;

Excel Macro Viruses

XM/Laroux

WIN32 File Viruses

WIN95/CIH.1003

Viruses new to the University of Edinburgh

WIN95/CIH.1003; XM/Laroux; WM/ABC; WM/NF; WM/Nottice; WM/Razer; WM/Showoff; Phantom.

WIN95/CIH.1003

The WIN95/CIH.1003 virus is of notable interest. It was first discovered in Taiwan in June 1998 and appeared here at Edinburgh in October. It infects Windows 95/98 executable files (the PE format). When the payload triggers it overwrites the hard disk from sector 0 onward, taking the partition table and boot sector with it. More serious still is its attempt to overwrite the flash BIOS chip of the machine: if that succeeds, the computer will no longer boot, and the BIOS has to be reflashed or the chip replaced before it can be used again. The flash write goes through the chipset, and the Intel 430TX chipset, for example, is quoted as being vulnerable, though other Pentium-class machines with a writable flash BIOS are at risk from this form of attack.

STONED.ANGELINA

Stoned.angelina is a boot sector virus, the mechanisms of which have been discussed in previous virus reviews. This virus dates from November 1994 when it was reported in Finland. Stoned.angelina contains the following text:

Greetings for ANGELINA !!!/by Garfield/Zielona Gora

Apparently Zielona Gora is a town in Poland.

PHANTOM

Phantom is a COM file infector. A full analysis of this virus is not currently available, but according to the Data Fellows virus database it contains the following encrypted text:

The PHANTOM Was HERE - Sorry HI ROOKIE! I'm a THESEASE! I live in YOUR computer - sorry... Thanks to Brains in the Computer Siences! Copyright (c PHANTOM -- This virus was designed in the HUNGARIAN VIRUS DEVELOPING LABORATORY. (H.V.D.L.)v 1

XM/LAROUX

This virus has the distinction of being the first working macro virus for Microsoft Excel for Windows. It intercepts Excel's Auto_Open automacro, so its code runs whenever an infected workbook is opened. The virus has no payload. It will run under Windows 3.x, Windows 95 and NT but not on an Apple Macintosh. An infected spreadsheet will contain a hidden sheet named 'laroux'.
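The hidden 'laroux' sheet is the one infection marker the review gives, and it can be checked for without running any macro code. The block below is an added example written for this page (it is not code from the original review, from Edinburgh University or from Dr Solomon's): it walks the raw BIFF record stream of an Excel workbook, decodes each BOUNDSHEET record (the per-sheet record that carries the sheet's name and its visible/hidden/very-hidden state) and reports any non-visible sheet named 'laroux'. It handles both the Excel 5/7 (BIFF5) and Excel 97 (BIFF8) record layouts, which differ in the sheet-name encoding. It assumes the caller has already pulled the 'Book' or 'Workbook' stream out of the OLE2 container (a real scanner would do that first, for example with a compound-file library); the three sample streams are constructed by hand here, not taken from a real infected file.

```python
"""Scan a raw BIFF workbook stream for a hidden sheet named 'laroux'.

Added example, not part of the original review. The input is the
already-extracted 'Book' (BIFF5) or 'Workbook' (BIFF8) stream; the samples
at the bottom are constructed in-line so the script runs offline.
"""
import struct

BOF = 0x0809         # beginning of (sub)stream; first field is the BIFF version
BOUNDSHEET = 0x0085  # one per sheet: stream offset, state, type, name
EOF_REC = 0x000A
BIFF5, BIFF8 = 0x0500, 0x0600
STATE = {0: "visible", 1: "hidden", 2: "veryhidden"}


def iter_records(stream):
    """Yield (record_id, payload) for every 4-byte-header BIFF record."""
    off = 0
    while off + 4 <= len(stream):
        rid, length = struct.unpack_from("<HH", stream, off)
        off += 4
        yield rid, stream[off:off + length]
        off += length


def parse_boundsheet(payload, biff_version):
    """Decode a BOUNDSHEET payload into (state, sheet_name).

    Layout: lbPlyPos (4) | hsState (1, low 2 bits) | sheet type (1) | cch (1)
    then, for BIFF8 only, a flags byte (bit 0 set = UTF-16LE name), then name.
    """
    _pos, state_byte, _sheet_type, cch = struct.unpack_from("<IBBB", payload, 0)
    state = STATE.get(state_byte & 0x03, "unknown")
    if biff_version >= BIFF8:
        if payload[7] & 0x01:
            name = payload[8:8 + 2 * cch].decode("utf-16-le")
        else:
            name = payload[8:8 + cch].decode("latin-1")
    else:
        name = payload[7:7 + cch].decode("latin-1")
    return state, name


def find_suspect_sheets(stream, marker="laroux"):
    """Return [(name, state)] for every non-visible sheet named `marker`."""
    version = None
    hits = []
    for rid, payload in iter_records(stream):
        if rid == BOF and version is None:
            version = struct.unpack_from("<H", payload, 0)[0]
        elif rid == BOUNDSHEET:
            state, name = parse_boundsheet(payload, version or BIFF5)
            if name.lower() == marker and state != "visible":
                hits.append((name, state))
    return hits


# --- constructed sample streams (hypothetical, for demonstration only) ---
def _record(rid, payload):
    return struct.pack("<HH", rid, len(payload)) + payload


def _boundsheet(name, state, biff_version, utf16=False):
    head = struct.pack("<IBBB", 0, state, 0, len(name))
    if biff_version >= BIFF8:
        if utf16:
            return _record(BOUNDSHEET, head + b"\x01" + name.encode("utf-16-le"))
        return _record(BOUNDSHEET, head + b"\x00" + name.encode("latin-1"))
    return _record(BOUNDSHEET, head + name.encode("latin-1"))


def build_sample(biff_version, sheets, utf16=False):
    """Workbook-globals substream: BOF, one BOUNDSHEET per sheet, EOF."""
    bof_len = 16 if biff_version >= BIFF8 else 8
    bof = struct.pack("<HH", biff_version, 0x0005).ljust(bof_len, b"\x00")
    body = b"".join(_boundsheet(n, s, biff_version, utf16) for n, s in sheets)
    return _record(BOF, bof) + body + _record(EOF_REC, b"")


CLEAN = build_sample(BIFF8, [("Sheet1", 0), ("Sheet2", 0)])
INFECTED_BIFF8 = build_sample(BIFF8, [("Sheet1", 0), ("laroux", 1)], utf16=True)
INFECTED_BIFF5 = build_sample(BIFF5, [("Budget", 0), ("laroux", 2)])

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN), ("biff8", INFECTED_BIFF8), ("biff5", INFECTED_BIFF5)]:
        print(label, find_suspect_sheets(blob))
```

The check is deliberately independent of the macro code itself: Laroux's VBA can be altered by a variant, but the workbook cannot carry the hidden sheet without a BOUNDSHEET record announcing it. A visible sheet called 'laroux' is reported as clean by design, since the review describes the marker as a hidden sheet; widen the test if a variant is found that leaves it visible.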

HOAXES

The hoax e-mail alert of a new virus is now an established feature of the anti-virus scene. Edinburgh University had its fair share of hoaxes again during 1998. In January and again in February "Join the Crew" did the rounds. March saw "Win a Holiday", which again appeared in July and again in November.

The 1997 review has details on hoaxes and where to find useful information on them.

http://mft.ucs.ed.ac.uk/pcvirus/vrev97.htm

As an aside, there are programs circulating which are real enough but can be flagged as potential trojans by the anti-virus software. A joke program called Bonus was reported in February as potentially being a virus; I have no other details of this. A program called Ultra Cool was also flagged as a trojan; this is in fact a screensaver and is classified as a joke program. I am not clear as to why these are flagged, but it could be because, given their popularity and the fact that they are freely downloadable, these programs could be targeted by virus authors. On the other hand it may just be down to the programming of the scanner. If you do come across these, treat them with caution.

SOLOMONS ANTI-VIRUS TOOLKIT

1998 was a difficult year as far as anti-virus strategies were concerned. The time between a new virus appearing in the wild and its making an appearance at Edinburgh is clearly shortening, and I suspect this trend will continue over the coming year. Traditionally, with the notable exception of the XPEH and GranGrave viruses in previous years, viruses were usually a year old or more before they showed up in our community. The growth of macro viruses and the use of Word attachments in e-mail has contributed to viruses turning up within months of their release. This puts pressure on the anti-virus software update process. The site moved to monthly updates, which was a bit of an overhead as far as updating was concerned: at best the site was used to updating four times a year, and for many users twice a year was the norm. Receiving an update every four weeks generated more work than expected. In order to ease the transition to monthly updates a mailing list was set up called drsolmons@lists.ed.ac.uk. This list was designed to disseminate information about anti-virus issues, the latest updates and installation/bug fixes. Subscribers can mail out to the list if they wish.

The Solomons anti-virus software began to appear on CD, which presented the issue of distributing it to the site. The CD was mounted on a NetWare 4.11 server using Microtest's DiscPort software. When this worked it worked well. Unfortunately the service suffered some disruption due to hardware problems on the CD tower (an intermittent fault on one drive followed by another intermittent fault on another drive) and hardware problems with the fileserver itself, which resulted in a replacement server. The network connection was upgraded to 100 Mbit/s, which helped performance. On top of this, the interaction of the DiscPort software with the various Service Packs from Novell also caused intermittent problems which took time to sort out.

There were issues of educating the site to map a drive (with MAP ROOT) to the root of the CD volume; otherwise a "CD-ROM not present" error would be generated when using Windows 95/98. Under NT 4 the menu installation setup would not work due to a script error, but only if you were also using Novell Client 32 on the workstation. The option to copy the toolkit to a local drive and then run setup locally got around that. I did discover that mounting the CD on a NetWare 5 system using Novell's NSS support did not produce the script error; however, it was not practical at that stage to change the delivery mechanism. I chatted with Solomons Technical Support about delivery issues, but unfortunately the stance was that the CD was not designed to be delivered in this manner, i.e. it was designed to be placed in a local drive and the setup run from there. Obviously not practical from our site's point of view.

Although access was available over the IPX/SPX protocol, there are sites that do not route this but use TCP/IP instead. FTP access therefore had to be provided to the Solomons CD, and this was done via an NT gateway. A further complication was that we had a site licence for the Macintosh anti-virus software, but this was not on the CD. This meant that we had to copy the disks to another location for delivery.

In March I produced a Solomons FAQ in order to help address some of the issues that were being faced in deploying this software. The FAQ is available from http://mft.ucs.ed.ac.uk/pcvirus/edunvfaq.htm

It includes information on how to get the Solomons software, installation issues and general information on viruses themselves.

The effect of having monthly updates, a new mailing list and an FAQ was a far greater take-up of the anti-virus software; more people were using it than ever before. This also had the knock-on effect of highlighting more problems with more computers during installation of the software. LAN driver problems in particular were highlighted, with the loading of the Guard program itself resulting in General Protection Errors under Windows 95/98. Generally these problems were fixed with updated LAN drivers and, if not, with updated versions of Guard. Despite the above technical difficulties, once users had been through the download procedure once, by and large the process ran smoothly enough.

FREEBIES AT LAST!

In the 1997 Review I mentioned that I had been on many beta programs for Solomons and still hadn't received the free gift despite sending my results back. Maybe next year?

Graham Cluley, Senior Technology Consultant for Dr Solomon's Anti-Virus Toolkit, mailed me in June,

Just read this on your website. I'm appalled!! Do you want to send me your snail mail details? I'll get a little something sent to you.

And sure enough a Dr Solomons Anti-Virus Expert T-Shirt turned up in a jiffy bag.

During July I was on the beta program for version 8 of the Anti-Virus Toolkit. However, after sending off the results I never heard back (no free gift again). I imagine this was due to the announcement on the 9th of June that Network Associates had acquired Dr Solomon's. This resulted in a merging of the various anti-virus technologies that Network Associates already had in McAfee VirusScan and its Total Virus Defence (TVD) suite.

What this will mean for the current anti-virus toolkit and for our site licence I do not know. I imagine that we will have a new interface to cope with and in all probability the distribution and installation of the new product line will differ from what we have become used to.

During October I received an e-mail from Tom Davis, Acting Co-Security Officer, Information Technology Security Office, Indiana University, USA:

I have been looking through your computer virus web site FAQ at: http://mft.ucs.ed.ac.uk/pcvirus/edunvfaq.htm and have found some really good things. I'm in the process of setting up a virus section on Indiana University's Office web site, and I was wondering if you minded if we borrow some of the descriptions from your site, specifically "Section D: Virus Definitions". I'd hate to have to re-invent the wheel, especially since you've done such a nice job explaining them already.

This makes a nice change from the usual e-mails of "I'm looking for some viruses, please e-mail me some" that I receive every year. I e-mailed back saying it was fine with me and hopefully the site has found the information useful.

CONCLUSION

At the end of the 1997 Review I made some predictions for the future: It's a safe bet that we are going to see more Word Macro virus infections. It would not surprise me if we see Excel macro viruses making their first appearance during 1998 though I would hope that they will remain comparatively rare in relation to the Word varieties.

As predicted, more Word macro viruses, and the first Excel macro virus, Laroux, were detected within the University.

Hoaxes will certainly do their rounds again on more than one occasion.

Fairly safe prediction here. I'll make the same prediction for 1999. I would hope people are becoming wise to this type of alert and the excess traffic that can result from it.

1998 will see a major overhaul of the Edinburgh University Computer Virus Technical Support Library as part of an on-going commitment to provide information on Computer Virus issues and to provide a focus for the whole subject within the University.

There were certainly some changes in this area during 1998. Personally I feel there is still some way to go in this area.

Predictions for 1999? The same applies for the coming year as it did last year. I would add that I expect the time lag between new viruses being released into the wild and their arriving at Edinburgh University will shorten, perhaps to the point of weeks if not days in some instances. This means that maintaining up to date anti-virus software will become even more critical than it is today.
