F-PROT Professional Update Bulletins

F-PROT 2.07 Update Bulletin Copyright (c) 1993 F-Secure Ltd
CONTENTS BRIEFLY

New virus discoveries
  Cinderella II
  BootExe
F-PROT support informs: Common questions and answers
The sensational PROTO-T
Special Offer: A Computer Virus
Shortly
The new utility program, F-AUTO, automates virus checks
Do-it-yourself-Virus: Toolkit Programs
  Construction Sets for Trojan Horses
  Construction sets for viruses
    Virus Construction Set
    Virus Creation Laboratory
    Phalcon/Skism Mass-Produced Code Generator
    Phalcon/Skism G²
    Instant Virus Producer
    GenVir
  Utility-Program Libraries for Viruses
    Mutation Engine
    TridenT Polymorphic Engine
Situation in Sweden
Changes in F-PROT 2.07
Approaching Zero - More Information About Computer Crimes

This text may be freely used as long as the source is mentioned as 'Source: F-PROT 2.07 Update Bulletin Copyright (c) 1993 F-Secure Ltd.'


F-PROT 2.07 Update Bulletin
At the turn of the year it is customary to look back at the past and to foretell the future. It is appropriate to do both in this first update bulletin of 1993.

In 1992 there was much talk about viruses. The existence of viruses was brought home to most microcomputer users either by the Michelangelo fever or by first-hand experience. By now very few people are left who claim that the virus threat is negligible. The expanded awareness of viruses shows clearly in our everyday work: just a year ago even big companies contacted our support every time a virus was observed, whereas nowadays our help is needed only with new or uncommonly intractable viruses. The disinfection of Form infections has become routine.

The reign of polymorphic viruses started in 1992. All kinds of self-encrypting viruses proliferated quickly, with the Dark Avenger's Mutation Engine (MtE) at their vanguard. Besides polymorphic viruses, MtE represents another central trend of 1992: during the year, numerous toolkit programs were developed either to facilitate the making of viruses or to make them more difficult to spot.

From the viewpoint of F-Secure Ltd and F-PROT, 1992 was a success. F-PROT consolidated its position as the most technically advanced anti-virus software in the business. The technical development of the software was continuous: as new versions came out, new features were added to the program along with new viruses. F-PROT also had success in the world at large. In the USA F-PROT has become one of the most sought-after anti-virus programs, in Germany it is in a central position and in the Nordic countries its share of the market has grown steadily.

Virus protection is a rewarding area in the sense that the future can be foretold, at least partly: trends are comparatively easy to observe. We think the trends for 1993 will be the following:

o More and more viruses have been appearing in shorter and shorter periods. We believe the growth rate will start to turn down: more viruses will still be developed in ever shorter periods of time, but the growth rate will not increase as fast as before.
o There will be more polymorphic viruses.
o The number of viruses that attack specific anti-virus programs will increase.
o Toolkit programs for making viruses will become more common.
o Viruses for the Windows and OS/2 environments will become more common.
o The first cross-platform viruses will appear.

New virus discoveries
Cinderella II
The Cinderella II virus stays active in memory and infects almost all executed COM and EXE files, which consequently grow by 783 bytes. The virus does not change the time stamp of the files it infects.

Cinderella II activates after it has infected one thousand files. When this happens, the virus tries to destroy data on the hard disk but, due to a programming error, does not necessarily succeed. The virus apparently tries to execute the machine-language call INT 13h, AH=03h, which is an absolute disk write. This write would have targeted sectors 1 to 8 of the first read/write head of hard disk C, the area where the main boot record (MBR) and the partition table are stored, and the virus would have written its own code there. Although the virus would have been unable to activate from the main boot record, the change in the MBR would have prevented the computer from booting.

The virus is, however, unable to do this. The programming error apparently arises because the virus has to transfer the address of its current code segment into the ES register so that the interrupt call will write the virus's own code onto the boot sector. The machine language of Intel processors has no instruction that moves the value of the Code Segment register (CS) directly into the Extra Segment register (ES), so the virus has to use a somewhat more complicated method, and while doing so it destroys the original value in the AH register. The value that remains in AH is not predictable, because it depends on how much memory the computer had available when the virus went resident. Thus the actual interrupt call may do just about anything, including crashing the computer or writing rubbish on a random area of the hard disk. After the INT 13h call the virus prints the text "Cinderella II<cr><lf>" over and over, eventually crashing the computer. This text is stored XOR-encrypted, so it cannot be seen directly when the virus code is examined.

All in all, the Cinderella II virus is quite functional. Its author is not known, but is suspected to be from Finland; the know-how of Nordic virus writers seems to be improving. The signs of a Cinderella II infection are a reduction in available memory, a slight slowness in starting programs and growth in the size of COM and EXE programs. F-PROT finds the Cinderella II virus.

BootExe
The BootExe virus, also known as BFD, was found on 20.11.1992 at the University of Helsinki during a routine check. BootExe is the world's smallest functional multipartite virus: it infects both EXE programs and the boot sectors of hard disks and diskettes. Because of its small size, BootExe does not contain much in the way of functions; it only spreads. The virus was first discovered in the USA and the CIS countries, but its origin is not known.

The functioning of this virus is somewhat out of the ordinary: unlike most memory-resident viruses, BootExe hijacks the BIOS interrupt 13h instead of the DOS interrupt 21h. By doing so, the virus circumvents most memory-resident protection programs. VIRSTOP, however, does stop BootExe.

When a computer is booted from an infected diskette, BootExe stays active in the upper part of DOS memory. The amount of available memory is reduced by four kilobytes, and the virus hijacks interrupt 13h for its own use. After this, BootExe infects the main boot record. To hide its actions, the virus then executes the original boot sector code; it does not succeed in this, however, if the diskette in question is a 5.25" HD diskette.

While active in memory, the virus monitors interrupt 13h. Whenever function 02h (read sectors into memory) is called, the virus takes action: it reads the first requested sector into its own area and performs numerous checks on it. If the sector turns out to be a boot sector, the virus infects it, so every non-protected diskette is infected immediately when it is used in the computer. If, on the other hand, the sector begins with the letters MZ, the virus assumes it to be the first sector of an EXE file. In that case the virus checks that there are at least 453 unused bytes between the header and the actual code area. Furthermore, the file size given in the header must be less than 64 kilobytes; otherwise the virus will not infect the file. The virus is picky because its intention is to change the file structure into that of a COM file, and COM programs cannot exceed 64 kilobytes.

If the sector meets these conditions, the virus changes the first two bytes of the program into a jump instruction that points to the end of the program's header, and then adds its own code there. This infection mechanism is very rare; The Rat is probably the only other virus to use a similar method. As a result, the size of infected files does not grow at all. It should be noted that after infection the programs are structurally COM files, although they still have the EXE extension; in spite of that, DOS executes them correctly.

The virus does not contain any kind of activation routine, and there are no character strings inside the viral code. The presence of the BootExe virus is difficult to notice without special tools, since the size of infected files does not increase. F-PROT finds the BootExe virus in both boot sectors and COM and EXE files.

F-PROT support informs: Common questions and answers
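Both BootExe (previous section) and the Vacsina virus (in the questions below) turn an EXE host into a COM-structured file that keeps its EXE name. As an added example, not F-PROT code or its detection method, the Python check below flags .EXE files whose MZ header has been replaced by a jump and, for intact files, reports whether they meet the two BootExe preconditions the bulletin lists; it assumes the "unused bytes between the header and the code area" are the padding after the relocation table.

```python
"""Structural check for EXE files that a virus has rebuilt as COM-style images.

Added example for this bulletin, not F-PROT code or its detection method.
BootExe replaces the first two bytes of a host EXE with a jump into the
unused space after the header, so an .EXE file that no longer begins with
an MZ header is suspicious.  For intact files the check also reports the two
preconditions the bulletin gives for BootExe hosts (at least 453 unused
header bytes and a declared size below 64 KB), which shows which files on a
disk would be candidates.  Assumption: "unused bytes between the header and
the code area" means the padding between the end of the relocation table and
the start of the load module.
"""
import struct

MZ_SIGNATURES = (b"MZ", b"ZM")   # DOS accepts either byte order
JUMP_OPCODES = (0xE9, 0xEB)       # JMP rel16 / JMP rel8 at offset 0
BOOTEXE_MIN_GAP = 453
BOOTEXE_MAX_SIZE = 64 * 1024


def parse_mz_header(data: bytes) -> dict:
    """Read the MZ header fields the check needs (little-endian 16-bit words)."""
    e_cblp, e_cp, e_crlc, e_cparhdr = struct.unpack_from("<HHHH", data, 2)
    e_lfarlc = struct.unpack_from("<H", data, 24)[0]
    # e_cp pages of 512 bytes; the last page holds e_cblp bytes (0 means a full page).
    declared_size = e_cp * 512 - ((512 - e_cblp) if e_cblp else 0)
    header_size = e_cparhdr * 16
    reloc_end = e_lfarlc + e_crlc * 4
    return {
        "declared_size": declared_size,
        "header_size": header_size,
        "header_gap": max(0, header_size - reloc_end),
    }


def inspect_exe(data: bytes) -> dict:
    """Classify the contents of one file that carries an .EXE name."""
    if len(data) < 28:
        return {"status": "too-short"}
    if data[:2] in MZ_SIGNATURES:
        result = parse_mz_header(data)
        result["status"] = "mz"
        result["bootexe_candidate"] = (
            result["header_gap"] >= BOOTEXE_MIN_GAP
            and result["declared_size"] < BOOTEXE_MAX_SIZE
        )
        return result
    if data[0] in JUMP_OPCODES:
        # No MZ signature and a jump at offset 0: the file has been restructured
        # into a COM-style image, which is what a BootExe host looks like.
        return {"status": "restructured-com"}
    return {"status": "not-mz"}


def build_sample_exe(header_paragraphs: int, reloc_count: int, code: bytes) -> bytes:
    """Construct a minimal MZ image for the demonstration (constructed test data)."""
    header_size = header_paragraphs * 16
    reloc_offset = 0x1C                       # table starts right after the fixed header
    total = header_size + len(code)
    header = bytearray(header_size)
    header[:2] = b"MZ"
    struct.pack_into("<HHHH", header, 2, total % 512, (total + 511) // 512,
                     reloc_count, header_paragraphs)
    struct.pack_into("<H", header, 24, reloc_offset)
    return bytes(header) + code


if __name__ == "__main__":
    padded = build_sample_exe(32, 2, bytes(100))    # 512-byte header, 476 spare bytes
    tight = build_sample_exe(2, 0, bytes(100))      # 32-byte header, 4 spare bytes
    converted = b"\xE9" + bytes(40)                 # jump at offset 0, no MZ header
    for name, blob in (("padded", padded), ("tight", tight), ("converted", converted)):
        print(name, inspect_exe(blob))
```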
Common questions on anti-virus topics will also be discussed in upcoming releases of the F-PROT update bulletin. If you have questions about information security or anti-virus protection, contact your local F-PROT dealer. Support can also be obtained from F-Secure on the phone number +358-0-692 3622. E-mail questions can be sent directly to Mikko Hyppönen, our representative on technical support; internet: mikko.hypponen@compart.fi.

I had a Yankee (TP-44) infection in my computer, after which I removed the virus from all infected files. Currently, when an anti-virus program is executed directly after booting the computer, it finds the virus in memory. It cannot, however, be found in any of the files. Now where is the virus lurking?

There are a few alternatives:

1) The virus is a new variant that the anti-virus software does not recognize. For example, its encryption can differ from the original one, and the anti-virus program recognizes only the memory-resident, unencrypted program code. Scan the hard disk with Heuristic Analysis.

2) The program has been packed after infection with a packing program like PKLite or LZEXE. F-PROT recognizes and extracts packed executable files generated by the most common packing programs, but the packing program could be a new and unrecognized one.

3) The most probable alternative is a virus "ghost". It is generated when an infected program is replaced with a shorter one while the file is still infected. Because the FAT file system of DOS stores files in clusters of a certain size, there is unused disk space at the end of almost every file. This area is called slack. Due to disk buffering these unused disk areas are loaded into memory together with the actual programs, so if parts of the viral code remain in the unused area, they are loaded too. Consequently the anti-virus program finds the viral signature in memory, even though the virus itself is not active.

The slack areas can be erased by using, for example, the "Wipe unused areas only" function of the Norton Utilities programs Wipedisk or Wipeinfo. Sorting the disk with the Compress program of PC-Tools or with Norton Speed Disk may also help. In an extreme situation the alarm can be eliminated by taking backups of all files, formatting the hard disk and restoring the files from the backups.

When I was inspecting my hard disk, F-PROT reported "Error: invalid program" for two files. Does this indicate the presence of a virus?

The message means that the program has been damaged. Such programs contain the header of an EXE file, but the values in it are faulty in some way; for example, the starting address of the program may point outside the program's memory area. Most such programs are either truly damaged, or they may be overlay-type programs. Overlay programs function despite a faulty header, because the host program does not start the execution of an overlay file at the address indicated by the header but at some other predetermined place.

The "Invalid program" check is performed because many viruses damage programs while trying to infect them. In some cases F-PROT is able to recognize the virus that has destroyed a file; in such a case it reports "A program destroyed by the Xxx virus". For example, some variants of the Vienna virus family regularly failed when trying to infect programs. After this kind of an infection attempt a program is not in its original state, because its starting code has been altered, but it does not contain a single byte of actual viral code, either. Other viruses like this include Breeder, ExeBug, Hydra, Kamikaze, Kuku, LoveChild, Ninja and 99%; some of these viruses destroy programs by overwriting them with a trojan. Conventional anti-virus programs do not report such destroyed files, because they contain no virus signature. During disinfection, however, the user certainly wants to find all programs altered by viruses, since after an unsuccessful infection attempt the programs do not work any more. In any case, the F-PROT report "Invalid program" is not necessarily caused by an abnormality or a virus infection.

During booting, my anti-virus program reported "A virus active in the computer". I powered down the computer, but now I cannot find any sign of a virus when I boot the computer from a clean diskette and search the hard disk. Furthermore, it looks like the anti-virus program is inspecting only a part of the hard disk, because in the final report it lists only a couple of programs as checked. I use a disk packing program.

Stacker, SuperStor, XtraDisk and other such programs create a new logical disk. They transfer the original files to this disk and pack them into a form in which they can only be read via the packing software's device driver. Without this device driver the extra disk shows only as one big file. When such a disk packing program is used in a computer and the computer is booted from a diskette, the packing software's drivers are not loaded, and F-PROT, or any other program, is quite unable to read the files stored on the packed disk. Clean copies of the device drivers the packing program needs, together with a suitable CONFIG.SYS file, should be copied onto a panic diskette. The panic diskette is functional if the computer can be booted from it so that all the partitions on the hard disk are readable.

I received a diskette from my business associate. When I scanned the programs on it with my anti-virus software, it reported "Vacsina Loader". What is the difference between the Vacsina virus and the Vacsina Loader?

The Vacsina Loader is not an actual virus but an addition that the Vacsina virus makes to an EXE file. Vacsina was one of the first file viruses capable of infecting EXE programs in addition to COM programs. Infecting EXE programs is considerably more difficult because of their more complex structure. The author of the Vacsina virus solved this problem simply: the virus changes an EXE file's structure to that of a COM file, so that it can use the same infection routine on programs of either type. The Vacsina virus stays resident in memory and activates every time the user executes a program. The virus checks whether the program starts with the letters "MZ". If this is the case, it adds a 132-byte alteration routine to the program. This routine is based on similar code found in the FORMAT and CHKDSK programs of certain DOS versions, and it takes care that the program is loaded correctly into memory even though its structure has been changed. When the altered program is executed again, Vacsina can infect the file normally.

So, when an anti-virus program reports the Vacsina Loader, it has found an EXE file to which the virus has added this 132-byte routine. The routine is unable to spread itself, and usually it does not hinder the functioning of the program. F-PROT reports the Vacsina Loader because, after a Vacsina infection, there are typically many files on the hard disk which the virus has altered but not yet infected. This way, the user can easily find all the programs the virus has changed.

The text "VIRSTOP error" appears when programs are executed. Why?

VIRSTOP has been started using the /DISK parameter, after which the file VIRSTOP.EXE has been deleted from the hard disk. This may also happen when VIRSTOP has been loaded from a file server and the network connection has later been disconnected. If VIRSTOP.EXE is updated while the program is active with the /DISK parameter, the result is undefined: the program may print rubbish on the screen or even crash, because its virus descriptions are updated "on the run".

I bought a new game called GunShip 2000. I scanned the diskettes before installation, and F-PROT found an MtE infection. What's happening here?

F-PROT gives a false report of an MtE infection when this game is inspected. The alarm is given only if all the files of the game are scanned with F-PROT, and it is given for the picture file BLK_CPIT.PIC, which, as a data file, could not even contain a virus. In part this alarm reflects the complexity of MtE-encrypted viruses: the picture file happens to resemble code created by MtE.

Generally speaking, scanning all files is not considered worthwhile if the computer is not known to contain a virus, because scanning data files is slow and prone to false alarms. File viruses may occasionally infect data files or programs without the extension of an executable file, but viruses cannot spread further from pure data files. A virus that occasionally infects data files would also infect normal program files and would therefore be found in those as well. Thus scanning all files is not likely to bring additional security.

The aforementioned false alarm is known and acknowledged, but it was not deemed feasible to change the MtE search algorithm used by F-PROT because of a single incident caused by a data file. The MtE search method currently used by F-PROT is very good indeed: it has been tested on over a million samples of MtE, and the success rate is one hundred percent.

I checked the brand new PKZIP with the Norton Anti-Virus program and it reported the Maltese Amoeba virus in the files. F-PROT, however, does not find the virus. Doesn't F-PROT recognize this virus at all?

Version 2 of PKWare's packing program PKZIP was published on 4.11.1992, about a year and a half behind schedule. The great number of hacked versions made people check the new version, version 2.04c to be exact, very carefully. Because of an unfortunate coincidence, Symantec's Norton Anti-Virus gave a false warning of the Maltese Amoeba virus while checking the program. In other words, PKZIP 2.04c is clean. The use of version 2.04c cannot be recommended, however, because it contains many functional errors, some of which are dangerous. A better alternative is version 2.04e, which was published at the end of January.

It is worthwhile to know the origins of your programs. It is quite probable that some malicious person will infect PKZIP with the Maltese Amoeba and then distribute it, and NAV's false alarm has been reported so widely that many people would ignore a real warning. F-PROT recognizes the Maltese Amoeba virus, also called Grain of Sand.

The sensational PROTO-T
A text file describing a new virus called PROTO-T was distributed via electronic bulletin boards late in 1992. The text told of a virus of a new kind that was spreading threateningly all over the world. The virus was, among other things, claimed to be impossible to spot and supposedly able to hide itself in the RAM of a modem or a hard disk.

This text and the things described in it are pure invention; it would be technically impossible to build a virus matching the description. A virus cannot hide its code in the buffers of modems or hard disks, because these memory areas are very small and unprotected; in reality the virus code would be overwritten almost immediately. In any case, part of the viral code would have to be stored in normal DOS memory for a virus to function, since PC computers execute only code located in their main memory. It is possible to hide part of the viral code in the memory of a VGA card; at least one known virus, Starship, does so, but even in this case a part of the virus must be located in DOS memory, where it can be observed by normal means.

The text was apparently a practical joke that spread uncommonly far. On the other hand, the joke inspired the development of at least two new viruses: as rumours of PROTO-T spread, some individuals decided to take advantage of its reputation and wrote viruses that contained the text "PROTO-T". Naturally enough, these viruses have none of the characteristics mentioned in the original description.

Special Offer: A Computer Virus
Computer viruses fascinate people. In fact, some people are so fascinated that they are willing to pay money for them.

Computer viruses are not very easy to acquire. Only virus hobbyists and anti-virus professionals have large collections. Anti-virus people are generally unwilling to give samples of their viruses to outsiders, understandably enough, for it is difficult to bear the responsibility for a virus that is not under one's direct control. It is usually easy to get viruses from virus hobbyists or collectors, but it may be quite difficult to contact them; few people boast of collecting viruses. There are, however, those who see a marketing niche in viruses and sell their collections publicly.

It is difficult to estimate the number of virus buyers. Probably, though, there are comparably many who want a virus for experimentation, for inspection or for use in acts of malice.

There are numerous examples of virus sales. The most brazen example is probably "The Black Book of Computer Viruses", which is sold together with an order card with which it is possible to order a virus diskette. A diskette containing four viruses costs fifteen dollars. The book has proved to be very popular, and translations into several languages are being planned at the moment. The French translation (called "C'est décidé! J'écris mon virus") has apparently been published already.

Viruses-for-sale notices can often be found in all kinds of underground computer publications. Among the classified advertisements in the magazine 2600 - The Hacker Quarterly there are often notices advertising sales of virus collections; the prices vary between 15 and 50 dollars per diskette. The magazine also often carries notices from collectors who seek to contact others in the interests of sample swapping.

The idea of selling viruses seems to attract many virus BBS system operators; it is, after all, a way to pay off some of the expenses of maintaining a BBS. The following message, which had been left in the public area of the international Fidonet message network, should serve as a good example:

-----
Msg: 465                 Reply to: -
To: All                  Date: 01-05-93
From: Aristotle          Time: 11:39
Subject: Call now!

Hello all, does anyone want some viruses?

B L A C K   A X i S   B B S
( 8 0 4 )   5 9 9 - X X X X
2 5 0 0   V i R U S E S   -   6 5 0   A S M   T R O J A N S   -   L A B S   E T C . . .

The entire library is for sale to responsible individuals whom are engaged in active research. No more HIGH DOLLAR phone bills, upload / download ratios, or general hassles from your constituents. Call for further details. Responsible people only need inquire. Fools, wanna-be anarchists, and other criminal minded folks, need not apply. This is strictly legitimate... ARiSToTLE...

--- SuperBBS 1.16-B (Eval)
 * Origin: I don't know!!! The Vx BBS (804)599-xxxx (1:xxx/xxx)
-----

Similar examples can also be found outside the USA. Two of the virus BBSs that operated in Finland have collected an entrance fee for their virus areas.

At the end of January, the following message was posted to the alt.security newsgroup of the Internet, an area which has ordinarily been a forum for information-security specialists:

-----
From: xxxx@xxxxxx.digex.com (Albatross)
Newsgroups: alt.security
Subject: Virus Programs ForSale (Virus,Trojan,etc)
Date: 21 Jan 1993 22:38:00 GMT

VIRUS'es FOR SALE

Have you every wanted to test out your virus Software to see if Norton Anti-Virus or Mcafee's Virus scanners really work and see if your blowing yor money or are you really protecting your vital computer data? Well now you can play with some of the most ruthless & destructive virus'es known to man. See if the Dark Avenger virus really can be detected by these money hungry anti-virus software companies, or if you dollars are paying off.

Cost: $20.00 per disk
Contents: 10 Viri per disk

Disk 1:                        Disk 2:
1704 Virus                     Jerusalem Virus
AIDS Virus                     Jerusalem-B Virus
Cascade Virus                  Inject Jerusalem (undetectable)
Dark Avenger                   Joshi Virus
Elephant Virus                 Killer Virus
Friday The 13th Virus          MobyZ Virus
Grither Virus                  Leprosy Virus
Iraqi Virus                    Kamasya Virus
Israeli Virus                  DSZ (Zmodem) Virus
Hawaii Virus                   CIA Virus

Disk 3:                        Disk 4:
Pakistan Virus                 Panic Virus
Phoenix Virus                  Psycho Virus
Rabid Virus                    Red Cross Virus
Schizo Trojan                  Stoned Virus
Sunday Virus                   Tequila Virus
Thor Virus                     Thrash Virus
Tiger Virus                    Tiny Virus (Strains A-F)
Tron Virus                     S-Cadet Virus
Razor Virus                    Spider Trojan
Sub-Zero Virus                 Stoned II Virus (Source Code)

Send Checks or Money Orders Too:
Anthony Xxxxxxx <- Make Checks Payable To
xxxx Xxxx Xxxxxxx Xxxxx 101
Silver Spring, Maryland 20904

Include a letter or index card with the Check Noteing which Disk Of virus Software you would like to receive. Please Allow 1-2 weeks for shipping

NOTE: Use of These Virus with intent to Destroy Data is a Violation of The Law. I will hold NO responsiblity for such actions, if incidents are incurred.
-----

Most often the virus sellers want to emphasize that they are not responsible for the viruses they sell or the harm done with them. The selling of viruses seems not to be illegal in itself in any country but Great Britain. In its December issue, the Micro Mart magazine published a small advertisement that offered 350 viruses for sale. New Scotland Yard's Computer Crimes Unit, an efficient unit specializing in computer crimes, raided the home of the man who had placed the advertisement. His hardware was confiscated and he will be prosecuted under the Computer Misuse Act. In this case, too, the advertisement stressed that the viruses sold must not be misused and that the seller assumes no liability for damage caused by them. It remains to be seen how the case is eventually judged.

In any case, the selling of computer viruses is in breach of their authors' copyrights: few virus peddlers have the original author's permission to sell them. On the other hand, few virus writers will sue anybody for illegally duplicating their products, products which have no other function than to duplicate themselves!

Shortly
o The US virus groups Phalcon/Skism, NuKE and YAM have founded their own private message network, VxNET, in which topics connected with virus development in particular will be discussed. The network will cover some countries, but apparently not the Nordic ones.

o The ExeBug virus, made in South Africa, circumvents booting from a clean diskette quite efficiently. The virus changes the computer's setup information in CMOS memory so that the computer thinks it has no diskette drives. Thus the computer is always booted from the hard disk and so loads the virus lurking in the main boot record into memory first. The virus then continues the boot from drive A, if needed, to make the computer's functioning seem perfectly normal. It is difficult to inspect an infected computer's hard disk without having the virus active in memory.

o The Virus Bulletin magazine published a large review of anti-virus programs in its January issue. F-PROT won the test by having the best detection ability and coming fifth in speed. The leading products in the field, all in all twenty different anti-virus programs, were included in the comparison. For more information contact Virus Bulletin Ltd, phone number +44-235-555 139.

o A new virus-writers' group, the ARCV, has been founded in England. The name comes from the words "The Association of Really Cruel Viruses". The group has proved to be very active, if measured by the number of viruses it has written: thus far it has produced about 20-30 different DOS viruses, some of which have been technically quite advanced. Some of these viruses have spread noticeably far, as the group strives actively to distribute them. In addition, the group publishes an electronic magazine and, according to its own announcement, designs viruses for the Macintosh, Amiga and Atari environments.

o At the end of January, another virus infecting only programs of the Microsoft Windows environment was found. The new virus, which has not yet been named, uses a new method of spreading itself. When the virus infects an EXE program, it changes the file's extension to OVL and writes its own code to the disk under the original name. When the program is executed, the virus infects more files and then executes the original program. The size of this new virus varies between 10 and 20 kilobytes.

The new utility program, F-AUTO, automates virus checks
A small utility program called F-AUTO.EXE has been included on the F-PROT update diskettes. F-AUTO executes a freely selectable program at user-determined intervals. By using F-AUTO, it is possible to perform the F-PROT check automatically on, say, every third day. To accomplish this, the following line is added to the workstation's AUTOEXEC.BAT file:

    F-AUTO.EXE /h 3 %COMSPEC% /E:1024 /C C:\F-PROT\FP.BAT

The parameter /h prevents F-AUTO from printing anything on the screen, and 3 is the desired interval in days. The rest of the line is the program that will be executed. Because in this example the batch file FP.BAT is to be executed, it must be started through the DOS command interpreter: %COMSPEC% starts the command interpreter regardless of its location on the disk and of whether COMMAND.COM, 4DOS.COM or NDOS.COM is in use, and the switches /E:1024 and /C are needed in order to execute the batch file normally. If the day parameter given to F-AUTO is 0, F-AUTO executes the desired program the first time it is itself run on any given day. Contact your local F-PROT dealer for help in using FP.BAT and F-AUTO.

Do-it-yourself-Virus: Toolkit Programs
For years, virus writers have tried to prove their technical skill by increasing the complexity of their viruses. To make the viral code more difficult to interpret, they have used encryption techniques, polymorphism and illegal processor opcodes, and viruses have been programmed to hide their code in exotic places like low memory, the computer's stack or the video memory. The latest trend, however, seems to be making virus writing easier. Skilful virus tinkerers have written virus-designing programs whose purpose is to aid the process of making viruses. At worst, the result is simple, menu-driven software which anybody can use: not even rudimentary programming skill is needed, because these programs produce ready-made, executable viruses which function according to their makers' wishes.

These programs can be divided into three categories:

1. Construction sets for Trojan Horses
2. Construction sets for viruses
3. Utility-program libraries for viruses

Construction Sets for Trojan Horses
Representatives of this first subclass are programs such as the ViPER Trojan Horse Construction Set, the TROG Trojan Maker and the Ansi Bomb Generator. The first two work in the same way: the user is asked what the program should be called and how it should activate. A new COM or EXE file that destroys the data on a hard disk is created according to these instructions. The user can also define a text that is printed on the screen after the destruction. The ViPER Trojan Horse Construction Set and the TROG Trojan Maker are both capable of creating quite destructive Trojan Horses, but they are not a serious threat as such: Trojan Horses do not spread themselves.

The Ansi Bomb Generator is a program that simplifies the making of ANSI bombs. These are text files which redefine the keyboard. The bombs are activated when a user views such a text file with the DOS commands TYPE or MORE. A bomb could, for example, change the function of the space bar so that pressing it outputs first "DEL *.COM" and then a press of the return key. The Ansi Bomb Generator is a menu-controlled program, and by using it anybody can add destructive redefinition codes inside text files. Free-form text can be written as a smoke screen around the harmful codes, and it is also possible to insert a bomb inside an existing text. The Ansi Bomb Generator is not a serious threat. ANSI bombs are encountered quite rarely, and it is possible to protect against them completely by leaving the device driver ANSI.SYS uninstalled.

Construction sets for viruses
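Before the virus construction sets themselves, an added example on the defender's side of the ANSI bombs described above: a small scanner that flags ANSI.SYS key-reassignment sequences in a text file so the file can be caught before anyone views it with TYPE or MORE. This is example code written for this bulletin's explanation; it is not F-PROT code and has nothing to do with the Ansi Bomb Generator. It assumes the MS-DOS ANSI.SYS syntax ESC [ key ; string ... p, where the key is an ASCII code, a double-quoted character, or 0;scancode for an extended key, and the replacement consists of decimal codes and double-quoted text. The sample text, with its harmless "dir" redefinition, is constructed here.

```python
"""Scanner for ANSI.SYS key-reassignment sequences (the "ANSI bomb" mechanism).

Added example from the defender's side, not an F-PROT component. Assumed
syntax (MS-DOS ANSI.SYS): ESC [ key ; string ; ... p
  key    = decimal ASCII code | "c" (one quoted character) | 0;scancode
  string = decimal character codes and/or double-quoted text
Ordinary colour/cursor sequences end in other letters and are not flagged.
"""
import re
from typing import List, Tuple

ESC = b"\x1b"
# One parameter: a decimal number or a double-quoted string without newlines.
_PARAM = rb'(?:\d+|"[^"\r\n]*")'
# Whole sequence: ESC [ param ( ; param )* p
KEY_REDEF = re.compile(ESC + rb"\[(" + _PARAM + rb"(?:;" + _PARAM + rb")*)p")
_TOKEN = re.compile(_PARAM)


def _decode_params(params: bytes) -> Tuple[str, str]:
    """Turn the parameter list of one sequence into (key, replacement text)."""
    toks = [m.group(0) for m in _TOKEN.finditer(params)]
    if toks[0].startswith(b'"'):
        # Key given as a quoted character, e.g. ESC["a";"b"p
        key_text = toks[0][1:-1].decode("latin-1")
        key = f"ascii {ord(key_text[0])}" if key_text else "empty"
        rest = toks[1:]
    elif toks[0] == b"0" and len(toks) > 1 and not toks[1].startswith(b'"'):
        # Extended key: 0 followed by the keyboard scan code (59 = F1)
        key = f"extended {int(toks[1])}"
        rest = toks[2:]
    else:
        key = f"ascii {int(toks[0])}"
        rest = toks[1:]
    parts = []
    for t in rest:
        if t.startswith(b'"'):
            parts.append(t[1:-1].decode("latin-1"))
        else:
            parts.append(chr(int(t)))  # e.g. 13 -> carriage return (Enter)
    return key, "".join(parts)


def find_key_redefinitions(data: bytes) -> List[Tuple[str, str]]:
    """Return every key reassignment in `data` as (key, replacement) pairs."""
    return [_decode_params(m.group(1)) for m in KEY_REDEF.finditer(data)]


def has_key_redefinition(data: bytes) -> bool:
    """True if the text would redefine any key when shown through ANSI.SYS."""
    return KEY_REDEF.search(data) is not None


def scan_file(path: str) -> List[Tuple[str, str]]:
    """Scan a file on disk; reads bytes so the ESC characters survive intact."""
    with open(path, "rb") as fh:
        return find_key_redefinitions(fh.read())


# Constructed sample: two harmless colour sequences plus two key reassignments
# (space bar -> "dir" + Enter, F1 -> "cls" + Enter). Not taken from any real bomb.
SAMPLE = (
    b"\x1b[1;32mWelcome to the BBS\x1b[0m\r\n"
    b"Read the notes below.\r\n"
    b'\x1b[32;"dir";13p'
    b'\x1b[0;59;"cls";13p'
    b"Have a nice day.\r\n"
)

if __name__ == "__main__":
    for key, text in find_key_redefinitions(SAMPLE):
        print(f"key {key} would be redefined to {text!r}")
```

The scanner deliberately matches only sequences whose parameters are numbers or quoted strings and that end in the letter p, so ordinary colour and cursor-positioning codes in a legitimate ANSI text pass through unflagged; a hit means the file changes what a key types, which is exactly the behaviour the bulletin describes and which leaving ANSI.SYS unloaded also prevents.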
Programs which enable anybody to create functional viruses without a deeper knowledge of programming are counted as actual virus construction sets.

Virus Construction Set
Virus Construction Set, or VCS, published in 1990, was the first program whose sole purpose was the creation of viruses. VCS is of German make, and its authors call themselves Verband Deutscher Virenliebhaber, which translates as "The German Association of Virus Lovers". As a program, VCS is quite simple: the user is asked for the name of a text file that will be linked into the virus and for the number of generations after which the virus should activate. After this, the program creates a file called VIRUS.COM on the disk. A created virus has a basic construction that is always the same and easily recognizable. The virus infects other COM files and activates after the predefined number of infections. Then it overwrites the files C:\AUTOEXEC.BAT and C:\CONFIG.SYS and prints the text that was linked into it when it was made. The viruses created by VCS contain one slightly advanced feature: they check whether an anti-virus program called FluShot Plus is active in memory and will not spread if that is the case. Both English and German versions of the Virus Construction Set have been made. The following variants of the viruses made by VCS are known: Manta, Config, DarkSide, Post, Pussy, Ruf and VDV.853.

Virus Creation Laboratory
Late in the summer of 1992 the next virus toolkit was published: the Virus Creation Laboratory, or VCL. Behind VCL stands the Nowhere Man, a member of the American virus-writing group NuKE. VCL is quite a remarkable product: it features a colorful graphical interface of nearly commercial quality with mouse control and drop-down menus, it is installed with a separate installation program, and it is supplied with quite accurate and well-written documentation. VCL also contains ICO and PIF files with which it can be conveniently installed in the Windows Program Manager. Several different kinds of viruses can easily be created with VCL. From the menus one can choose between a COM-file infector, a companion virus or an overwriting virus. In addition, Trojan Horses and logic bombs can also be made with VCL. The Virus Creation Laboratory is an application of considerable versatility. It allows exact activation conditions to be defined for a virus, for example the date, the time of day, the number of infected files, the computer's country code, the version of DOS or the amount of available RAM. VCL presents many alternatives for the activation routine of a virus or a Trojan Horse. Selections on the menu include crashing the computer, corrupting files, printing a freely chosen text on the screen or printer, overwriting whole disks and playing a freely composed music sample. In addition, the user can add routines of his own to the program's menu. When the user has chosen the desired options, VCL writes the assembler-language source code of the virus or Trojan Horse to disk. The user can, if he so wishes, edit it further before compiling it into executable form. Despite its great versatility, VCL has not become very popular among virus hobbyists.
There are many reasons for this, but the most important is probably that the majority of anti-virus programs were able to find almost all the viruses made by VCL soon after it had been published. In fact, F-PROT recognized most of them even before VCL had been analyzed at all. The usefulness of VCL in the hands of virus tinkers is further reduced by the fact that it occasionally makes viruses that do not work at all - most of the source code it creates cannot even be assembled. The Nowhere Man has, however, announced that he is working on a new version of the program, and a possible VCL for Windows is also speculated about in the documentation of VCL 1.0. There are many interesting details to be found in the extensive documentation of VCL. Among other things, the Nowhere Man forbids the makers of anti-virus software from extracting search strings from VCL or the viruses made by it. Known viruses made by VCL include Code_Zero, Code_Zero.652, Diarrhea, Diarrhea6, Diarrhea6_Trojan, Diarrhea_II, Diogenes, DM_92_Bios, Dome.1, Dome.2, Dome.3, Dome.4, Donatello, Earth_Day, Earthquake, Enun, Heevahava, Kinison, Kinnison.734, Mimic, Pearl_Harbour, YD2, YD2.B, Venom, VMessiah, Yankee.A and Yankee.B.

Phalcon/Skism Mass-Produced Code Generator
The American virus group competing with NuKE, Phalcon/Skism, quickly answered the challenge of VCL and published its own virus generator, the Phalcon/Skism Mass-Produced Code Generator, or PS-MPC. PS-MPC was written by a member of P/S known as the Dark Angel. PS-MPC is considerably more functional than VCL, though not as showy. PS-MPC has no user interface; it is driven by an ASCII configuration file. It is possible to make considerably advanced viruses with PS-MPC. It is capable of creating memory-resident viruses which infect both COM and EXE files. Furthermore, the viruses can be provided with a versatile encryption layer, which makes finding them a little more difficult. PS-MPC does not add activation routines to the viruses it creates by default, but since it produces ready-made, well-documented assembler source code, those can later be added easily even by a novice programmer. Altogether three different versions of PS-MPC were published, after which the Dark Angel released the complete C-language source code for free distribution. By all accounts, PS-MPC is a more functional program than VCL. The impressive list of known viruses made with it bears witness to this: 203, 644, 696, Abraxas, Anathema, ARCV-1, ARCV-2, ARCV-3, ARCV-4, ARCV-5, ARCV-6, ARCV-7, ARCV-8, ARCV-9, Clint, Crumble, Death 2, Eclypse, Joshua, Kersplat, McWhale, Mimic-Den Zuk, Mimic-Jerusalem, Napolean, No Wednesday, Page, Schrunch, Skeleton, Small_ARCV, Small_EXE, Sunday Death, Swan_Song, Test, Tongue, Toys, Walkabout, Warez d00d, Z10 and Zeppelin.

Phalcon/Skism G²
It appears that the Dark Angel was not wholly satisfied with the PS-MPC generator he had written, and so he published a program called Phalcon/Skism G² at the turn of the year 1993. The name derives from its creator's opinion that G² is a second-generation virus generator. The functioning of G² very much resembles that of PS-MPC. There are certain notable differences, however: G² creates a different virus every time, even though the values in the configuration file remain unchanged. G² is also supplied with a smallish file, G2.DAT, which contains the actual intelligence of the program. The Dark Angel has announced that he will supply updated versions of this file, which will completely change the way the program works. The documentation of G² describes its features as follows:

FEATURES

The target audience of G² includes both novice and advanced programmers alike who wish to learn more about virus programming. A revolutionary tool in virus generation, G² is both easy to use and unparalleled in performance. As a code generator, it has a number of features including:

o Easy updates via data files.
o Accepts MPC-compliant configuration files.
o Different viruses may be generated from identical configuration files.
o Small executable size, allowing for speed during load and execution.
o Still no IDE - edit the configuration file in your favorite editor and rapidly generate new code; no need for lengthy wait while IDE loads, allowing you to work faster and have results quicker. A definite productivity bonus!
o Rapid generation of code, once again allowing for fast results.
o Low memory requirements.

As a virus creation tool, it has the following features:

o Generates compact, easily modified, fully commented, source code.
o COM/EXE infectors.
o Resident and nonresident viruses.
o Supports multiple, semi-polymorphic encryption routines (full polymorphism coming soon).
o Easily upgraded when improvements are needed.

Clearly, G² is the most advanced virus code generator available today!

So far, no viruses made by G² are known, except for the demo virus that is supplied with the package.

Instant Virus Producer
YAM (Youngsters Against McAfee), a group founded in the USA, has contributed the Instant Virus Producer, or IVP, to the competition for the best virus generator. IVP has not, however, attracted any popularity to speak of. IVP does not offer the range of functions that VCL and PS-MPC do; it cannot, for example, create memory-resident viruses. In the same vein, the encryption algorithms of IVP are very simple in comparison with, say, PS-MPC. To top it all, IVP frequently produces dysfunctional code. Two versions of IVP have been published so far, versions 1.0 and 1.7. According to an announcement by YAM, IVP 2.0 will challenge the similar programs of all other groups. Currently, only one virus made by IVP has been found, Bubbles, which infects COM and EXE files.

GenVir
Many rumors abound about the GenVir program, but at the time of writing no virus specialist had been able to acquire a sample of it. Rumor has it that GenVir is a fully commercial piece of software made in the Netherlands. The program's maker describes its purpose as "a package for the testing of anti-virus software".

Utility-Program Libraries for Viruses
This subclass consists of object libraries which can be linked into any file virus. Using these libraries requires programming skill and familiarity with assembler, but it is not necessary for the user to understand how the routines work in order to use them. Two utility-program libraries are known. Both are designed to create a complex encryption layer around viral code.

Mutation Engine
The Mutation Engine, or MtE, is an encryption routine library made by the Bulgarian virus writer Dark Avenger. MtE was released into distribution early in 1992 and is supplied with detailed instructions on its use. A virus writer can fairly simply link MtE into his own virus. As a result, the virus changes its outward appearance after every infection, because MtE dynamically creates a new encryption method and the matching decryption routine for it. All in all, MtE can create millions of different variants of the same virus. Virus writers have used MtE with COM, EXE and companion viruses. Viruses using MtE include: Coffe_Shop, CryptLab, Dedicated, Encroacher.A, Encroacher.B, Fear, Groove.A, Groove.B, Insufficient.A, Insufficient.B, Insufficient.C, Pogue and Questo.

TridenT Polymorphic Engine
A rival to MtE, the TridenT Polymorphic Engine, or TPE, was found in December 1992. In practice it is an object library that mimics the functioning of MtE; the encryption method, however, is completely different. The man behind TPE is Masud Khafir, a member of the "TridenT Virus Research Group". The same person is also suspected of being responsible for the first Windows-specific virus, WinVir. There is no definite information to be had about the group or even its country of origin. The group has, nevertheless, proved to be quite skillful. It is possible that TPE is capable of an even larger number of different variations than MtE, though this is difficult to test in practice. Two versions of TPE, 1.0 and 1.2, have been published. At the moment one virus using TPE is known: Giraffe, which infects COM and EXE files and which on random Thursdays prints a marijuana leaf and the text "Legalize Cannabis" on the screen.

Situation in Sweden
The sysop of the Swedish BBS Computer Security Center, Mikael Winterkvist, and the CEO of the information security company Virus Help Center Ab, Mikael Larsson, published an electronic bulletin, the Svensk Hack Rapport, at the end of October. The bulletin was a treatise on the virus situation in Sweden. What made it so noteworthy was that Winterkvist and Larsson published the real names of the persons who ran virus BBSs in Sweden. This caused a considerable panic in Swedish underground circles; among other things, there were threats to sue the publishers for slander. The end result, however, was a success: by the end of January no charges had been pressed, and most of the BBSs that had been mentioned had ceased operations. The Svensk Hack Rapport published the real names of the sysops of the following BBSs: Swedish Virus Exchange BBS, Swedish Virus Laboratory, Out Of Bounds, Fatal Future, Cross Point, Digital Orgazm and Antarctica. The two most notorious were probably Swedish Virus Laboratory, run by a person using the alias Tormentor, and Out Of Bounds, the headquarters of the BetaBoys group. Regardless of this, some BBSs continue their operations. Otherwise the virus situation in Sweden has been very peaceful of late - doubtless the Svensk Hack Rapport had a hand in this. One new virus written in Sweden has been found, though. It is known as Tyst, for it contains the text: "Tyst för fan.. Jag spränger!". The functioning of this virus is very simple: it spreads by overwriting the first part of COM and EXE files.

Changes in F-PROT 2.07
F-PROT can now also scan diskettes whose boot sector parameters have been altered so that DOS can no longer handle them. Such a diskette is still capable of spreading boot sector viruses.

F-PROT's compatibility with OS/2's HPFS disks has been improved.

In some cases F-PROT would not disinfect the NoInt variant of the Stoned virus. This has been taken care of. No more "New variant of stoned" when scanning MBRs that have been cleaned with FDISK /MBR.

VIRSTOP gives a help screen with the /? switch.

Superstore partitions are now recognised when using /HARD.

Version 2.06 would not always identify Stoned.NoInt accurately, but occasionally as "New or modified variant of Stoned", and refuse to disinfect it.

A few minor false positives were corrected:

o "Uruguay" in a special version of COMMAND.COM, which is included on IBM PS/2 model 80 diagnostic diskettes, and in a few other rare programs as well.
o "Possibly a new variant of Darth Vader" in a Chinese character set program named HANVGA.COM.
o "Power Pump (1)" in some compiled batch files.

Version 2.07 - new viruses:

The following 50 new viruses can now be detected and removed: _354, _377, _889, _1689, AT-140, Bit Addict, Bryansk, Chemnitz, Cinderella II, Cpw, Danish Tiny-310, Deicide II (Brotherhood and Commentator 2378), Dismember, Dutch Tiny-117, Flash (Gyorgyi-695), Gotcha-Legalize, Grunt-203, Ha!, Iper, Jerusalem-June 13th, Jerusalem II, Kalah-499, Keypress-1495, Little Brother (307, 349 and 361), Loki, Malaise, Mr. Virus, Multi, Ncu Li, Proto-T (Civil War II and Proto-T), PS-MPC (ARCV-4 and McWhale), Storm, Suriv 1-B, Timemark-1060, VCL (Heevahava and Yankee-2), Vienna (W13.450, W13.543, W13.679, 547, 598 and 600), Wilbur, Wizard and Yankee-Casteggi.

The following 33 new viruses can now be detected but not yet removed: ARCV (Anna, Scroll and Scythe), EMF-625, Keypress-Chaos, Kode 4, Nygus-752, Shadow, Small EXE-Joshua, VCL (Diogenes and Mimic), Vienna-New Generation, Witch and X-1.

In addition, the following viruses created with the PS-MPC toolkit can now be detected: Abraxas, ARCV-1, ARCV-2.692, ARCV-3.693, ARCV-3, ARCV-5, ARCV-6, ARCV-7, ARCV-8, Eclypse, Kersplat, Mimic, Page, Schrunch, Small-ARCV, Swansong, Walkabout, Z10.702 and Z10.704.

The following 11 new viruses can now be detected but not removed, only deleted, because they overwrite infected files or damage them irreversibly: _17690, 4870 Overwriting-B, Burger-536, Deicide-B, Leprosy (736, 8101 and Seneca), Ondra, Trivial (37, 42-B and Explode) and VCL DM-92.

The following virus, which could be detected but not removed with earlier versions of F-PROT, can now be disinfected: Stoned.Empire.Monkey.A

The following virus has been renamed: ZK-900 -> Npox-900

F-PROT now recognizes the new Tremor virus, which has quickly become more common in Germany. Tremor is a retrovirus which aggressively attacks the products Central Point Anti-Virus and Microsoft Anti-Virus. The virus is also heavily polymorphic.

Approaching Zero - More Information About Computer Crimes
It may be hard for a person responsible for information security to get an overall picture of actual computer criminality. The new book Approaching Zero: Data Crime and the Computer Underworld contains good general information on the field. The book was co-written by Bryan Clough and Paul Mungo, who live in Great Britain. It is published in a hardcover edition and is approximately 240 pages long. We wish to give our clients the opportunity to expand their knowledge of computer crimes and so offer this book at the price of XXXX. Those who order more than one copy receive a 10% price reduction. Orders can be sent to any distributor of F-PROT by mail or by fax. The books are delivered by mail to customers; the delivery time is four weeks. The following excerpt is taken from the introduction on the back of the book:

As our society becomes increasingly dependent on computers, so we become ever more vulnerable to the misuse of technology, whether for fraud, subversion, the theft of sensitive information or for sinister military and espionage operations. In Approaching Zero Bryan Clough and Paul Mungo look at all aspects of data crime. They investigate notorious hackers and virus writers around the world, including:

o the Dark Avenger, a Bulgarian computer wizard whose 'Nomenklatura' virus broke through House of Commons security in October 1990
o the Italian virus laboratory which produces a new virus every week
o the American 'Rabid Group' whose members are committed to the widescale destruction of computer systems

In a frightening yet compelling account they show how quickly we are all approaching zero - total computer shutdown.
F-PROT 2.07 Update Bulletin Copyright (c) 1993 F-Secure Ltd. This file may not be stored on a BBS that is offering viruses or instructions on making them.

F-PROT Professional Support < f-prot@datafellows.fi >
