F-PROT Professional Update Bulletins

F-PROT 2.09 Update Bulletin
CONTENTS BRIEFLY

CONTENTS 3/93

A Period of Intense Development
Recent Virus Cases
    A Virus from TV
    Butterfly on the Networks
    The _894 Virus
    A Michelangelo Epidemic in the United States
F-PROT Support Advises: Common Questions and Answers
Batch File Viruses
    Batman
    Case: The Batch Virus "BAT-Parasite" in Finland
Briefly Noted
    Death Penalty for a Computer Felony
    A 5000 Dollar Virus Competition
    Viruses for Sale
    Virus Writer Groups March Out
    nVIR B for Macintosh in Finland
    PC Viruses on Mac Diskettes
Changes to F-PROT in Version 2.09
    VIRSTOP for Windows
    New Viruses Recognized by F-PROT
    F-PROT 2.09 -- Other Changes


This text may be freely used as long as the source is mentioned as 'Source: F-PROT 2.09 Update Bulletin Copyright (c) 1993 F-Secure Ltd.'
A Period of Intense Development
F-PROT's development has remained vigorous throughout its history. New viruses are continuously added to the program, and version 2.09 recognizes viruses we were notified of only a couple of days before the update went to press.

During this summer the technical development of F-PROT is especially strong and visible. The first tools for the Windows environment are included in version 2.09, and they contain technical solutions not found in other anti-virus products. One example is the Windows support in VIRSTOP. VIRSTOP notices automatically when Windows is started and loads a Windows device driver into memory; this driver interprets virus warnings for the Windows environment and relays them to the user. Two programs are thus contained in one program file, and no separate Windows installation is needed. Because the solution is a device driver, the warnings are shown even if one of the Windows start-up files is infected.

We will continue the active development of the F-PROT product line. Among other things, a checksumming application called F-CHECK will be included in the next F-PROT update. F-CHECK reports changes to files and boot sectors like other checksumming programs, but it adds two features not found elsewhere: it estimates which of the changes were caused by viruses and which were not, using the same heuristic methods F-PROT applies when searching for previously unknown viruses, and in most cases it can also restore an altered file or boot sector.

The progress in sales and marketing has also been strong. F-Secure Ltd's network of F-PROT dealers has grown rapidly, and new references to large international companies have been added to the earlier ones.
At the moment our dealer network extends to the following countries:

    Sweden          Användardata
    Sweden          Comma
    Norway          PDI-Gruppen
    Denmark         Control Data
    Denmark         Comma
    Belgium         DataRescue
    Italy           Symbolic
    Spain           EICS
    Portugal        EICS
    Hong Kong       Yui Kee Company Ltd.
    Slovenia        ABM d.o.o.
    Czech Republic  SEA
    Great Britain   (unpublished)
    France          (unpublished)

We hope that our new products make the F-PROT family a still more user-friendly and comprehensive anti-virus solution for your purposes.

Recent Virus Cases
A Virus from TV
The Tremor virus, first spotted in Germany about half a year ago, spread in early May in a peculiar fashion: far and wide over Europe via the data service of the German company Channel Videodat, which is transmitted on the PRO-7 TV channel. PRO-7 reaches most of Europe via satellite or cable, and besides normal television it is used to distribute computer programs, which can be transferred from the broadcast into a computer with a special decoder. An estimated 60,000 computer users receive data through the channel; it is not known how many of them caught the virus.

The Micro-BIT Virus Center, the virus research centre of Karlsruhe University, contacted Channel Videodat about a week after the fateful transmission, but at the time the company denied that anything had happened. The anti-virus program the company used turned out to be unable to spot Tremor, however, and a week and a half later Channel Videodat began broadcasting warnings and anti-virus programs to its viewers several times a day. The virus had infected, and spread with, the PKUNZIP.EXE program transmitted together with a ZIP-packed anti-virus program. The program had been infected in a Düsseldorf software shop that supplies programs to Channel Videodat. The anti-virus program itself was clean, but it was unable to detect Tremor.

Tremor is a retrovirus designed to attack several different integrity checkers and anti-virus programs. It is a self-encrypting virus with great polymorphic ability, capable of producing billions of different-looking copies of itself. Besides the usual random numbers, Tremor uses data found in the computer when it mutates its code. This makes the virus hard to spot: since its appearance varies considerably from computer to computer, anti-virus experts have difficulty producing a good sample for testing.

The virus is very difficult to detect, especially when it is in memory, because it employs complex stealth techniques. In this respect Tremor is remarkable: it can make it seem that no additional code is present in infected files, even though its appearance changes with every infection. No other virus known to us does the same.

When a Tremor-infected program is executed, the virus decrypts its code and checks the date in the computer's clock. If more than three months have passed since the original infection, the virus activates. If the time is not yet up, Tremor checks the operating system version; if it is older than DOS 3.30, the host program is allowed to run normally. If the version is 3.30 or greater, the virus searches memory for a program using function 30h of interrupt 01h. If it finds one, it lets the host run normally and does not install itself; most likely the check is meant to avoid detection by an anti-virus program that uses interrupt 01h. Otherwise the virus installs itself into memory. Its way of doing so is unique: it copies itself into extended or high memory if such memory is available, and into the upper part of conventional memory if not.

After its checks, Tremor infects the command interpreter named by the COMSPEC environment variable, so that from then on it gets into memory before most anti-virus programs. While active in memory it can prevent several anti-virus applications from detecting it: it constantly monitors what the computer is doing and, when it sees certain checks being made, either cancels them or prevents them from finding it.
If Tremor discovers the presence of either Central Point Anti-Virus or Microsoft Anti-Virus, it blocks their memory-resident parts, after which it can operate without CPAV or MSAV noticing it.

The virus can use several different events, such as the execution or copying of programs, to infect COM and EXE files. Before infecting a file, Tremor checks how its name begins: if the name starts with CH, ME, MI, F2, F-, SY, SI or PM, the virus makes certain changes in memory to avoid detection. Tremor marks infected files by adding one hundred years to the file's modification date. The addition is not readily noticeable, because DOS usually displays only the last two digits of the year. If the virus notices that a program is trying to read an infected file, it changes the date back and strips its own code from the file before allowing the read. Copies of infected files therefore do not carry the infection if the copying is done while the virus is active in memory, because Tremor removes itself from the source file as it is read. The only likely way for the virus to reach a diskette is for the user to execute a program from a diskette that is not write-protected, and because of this Tremor spreads from one computer to another quite slowly.

The virus contains two separate activation routines. The first shakes the picture on the screen for a moment and then hangs the computer; this happens only on rare, random occasions. The second hijacks interrupt 15h. INT 15h is quite rarely called by application programs; practically the only ones that use it are certain DOS multitasking environments such as DESQview, and some programs use it to switch the processor into protected mode. (The BIOS extended-memory services, functions 87h and 88h, are also reached through INT 15h, so the interrupt is not quite as idle as it looks.)

The activation routine is executed when another program calls interrupt 15h: Tremor clears the screen and displays the text

    T.R.E.M.O.R. was done by NEUROBASHER / May-June '92, Germany, -MOMENT-OF-TERROR-IS-THE-BEGINNING-OF-LIFE-

The sentence "Moment of terror is the beginning of life" is borrowed from FRONT 242, a Belgian techno/industrial band; it is printed on the inner sleeve of their album Front by Front, and Neurobasher is one of their songs.

So far, Tremor is the only known polymorphic stealth virus. F-PROT 2.09 finds and identifies Tremor reliably even when it has installed itself in memory.

Butterfly on the Networks
A new, previously unknown virus slipped into worldwide circulation with the popular shareware terminal program Telemate. Telemate 4.11 was released on 17 June 1993, and the virus was not discovered before distribution had begun; Telemate could be downloaded from CompuServe, among other places. There are probably thousands of contaminated copies of the program around the world by now.

The distribution package of Telemate 4.11, TM411-4.ZIP, contains a file named VESA.EXE, an LHA-packed self-extracting archive holding VESA drivers for different video cards. Two of those drivers, 37VESA.COM and 67VESA.COM, meant for OAK video cards, are infected. The infection was noticed in Finland on 21 June 1993 and the program's manufacturer in Canada was notified immediately; two days later the contaminated distribution package was replaced with a clean one.

The virus is quite simple and only 302 bytes long. When an infected program is executed, the virus searches the current directory for suitable victims and, depending on how many it finds, infects up to four files per execution. Suitable victims are COM files between 121 and 64768 bytes in size; if none is found the virus does nothing. It appends its code to the end of the files it infects. It will not infect files with the Read-only attribute set, but hidden and system files are fair game.

The virus performs three checks before infecting a file. First it looks whether the file begins with an INT 20h instruction. Then it examines the file's fourth byte: if it is 01h (which the IBM character set displays as ☺), the virus assumes it has already infected the file and does not reinfect it. After the contents, the virus inspects the name: if the sixth and seventh letters of the file name are `N' and `D', the virus concludes that the file is the command interpreter COMMAND.COM and leaves it alone.

The INT 20h test is most likely meant to avoid infecting the bait files used by virus researchers. A file that begins with this instruction does nothing but exit to DOS, so researchers often use such files: when a virus infects so simple a program, the viral code itself is easy to study. The author probably wanted to keep his virus out of such baits to make researchers' lives a little harder. It seems, however, that the virus was modified during testing to infect files beginning with INT 20h as well, and this modification, probably through simple forgetfulness, was never switched off; the virus still infects such files regardless of the test.

Although the virus usually leaves the victim's modification date unchanged, it contains a bug which in some cases makes the date and time of infected files show the moment of infection. The bug surfaces when the directory the virus operates in contains several COM files, some suitable for infection and some not. In some cases the same bug makes the virus damage its victims: the size of a damaged file is unchanged, but its first four bytes have been replaced by the jump instruction the virus inserts, while the virus has failed to append its code at the end. Such a program cannot be executed.

The virus contains routines that look as if they were borrowed from viruses produced with the VCL virus generator. It has no activation routine. Because the text `Goddamn Butterflies' appears in its code, the virus has been given the temporary name `Butterfly'. It is closely related to the Proto-T.Civil_War family.
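The victim-selection rules described above, written from the scanner's side as an added example (this is not code from the bulletin or from the virus). It classifies COM files the way an integrity checker could when walking a directory: size window, Read-only attribute, the 01h marker at offset 3, the COMMAND.COM name test and the INT 20h bait test. The sample files are constructed here, and the "damaged" rule, a leading JMP rel16 whose target lies past the end of the file, is my own heuristic for the bug described above; the bulletin does not say how such files can be recognised.

```python
"""
Added example, not code from the bulletin or from the virus: Butterfly's
victim-selection rules as a classifier over (name, contents, attributes).
"""
import struct
from typing import List, Tuple

VIRUS_LEN = 302                  # bytes Butterfly appends to a victim
MIN_SIZE, MAX_SIZE = 121, 64768  # size window for suitable victims
ATTR_READ_ONLY = 0x01            # DOS attribute bits as stored in a directory entry
ATTR_HIDDEN = 0x02
ATTR_SYSTEM = 0x04


def is_bait(data: bytes) -> bool:
    """True if the file starts with INT 20h (CD 20): a do-nothing program used as bait."""
    return data[:2] == b"\xCD\x20"


def jump_target_past_eof(data: bytes) -> bool:
    """Heuristic (assumption): a COM file beginning with JMP rel16 (E9 lo hi) whose
    target lies outside the file. An intact appending infector jumps into the code
    it appended; a file hit by the bug keeps the JMP but has nothing after it."""
    if len(data) < 3 or data[0] != 0xE9:
        return False
    rel = struct.unpack_from("<h", data, 1)[0]  # signed 16-bit displacement
    target = 3 + rel                            # file offset the JMP lands on
    return target < 0 or target >= len(data)


def butterfly_verdict(name: str, data: bytes, attributes: int = 0) -> str:
    """Apply Butterfly's rules to one file and say what the virus would do with it."""
    upper = name.upper()
    if not upper.endswith(".COM"):
        return "ignored: not a COM file"
    if attributes & ATTR_READ_ONLY:
        return "ignored: read-only"            # hidden and system files are still fair game
    if not MIN_SIZE <= len(data) <= MAX_SIZE:
        return "ignored: size outside 121..64768"
    if jump_target_past_eof(data):
        return "damaged: JMP inserted but no virus body appended"
    if data[3] == 0x01:
        return "infected: marker byte 01h at offset 3"
    if upper[5:7] == "ND":                      # sixth and seventh letters, as in COMMAND.COM
        return "skipped: name looks like COMMAND.COM"
    if is_bait(data):
        return "eligible (bait file, but Butterfly infects it anyway)"
    return "eligible"


# --- constructed samples -------------------------------------------------------
# A 209-byte host: MOV AH,09h / MOV DX,0110h / INT 21h / INT 20h, then NOP padding.
CLEAN = b"\xB4\x09\xBA\x10\x01\xCD\x21\xCD\x20" + b"\x90" * 200
# The same host after an appending infection: JMP to offset 209 (rel = 206),
# marker 01h at offset 3, the rest of the host, then a 302-byte dummy body.
INFECTED = b"\xE9" + struct.pack("<h", 206) + b"\x01" + CLEAN[4:] + b"\x00" * VIRUS_LEN
# The damaged case from the bulletin: first four bytes overwritten, nothing appended.
DAMAGED = b"\xE9" + struct.pack("<h", 206) + b"\x01" + CLEAN[4:]
# A researcher's bait: INT 20h followed by padding.
BAIT = b"\xCD\x20" + b"\x00" * 150


def scan(listing: List[Tuple[str, bytes, int]]) -> List[Tuple[str, str]]:
    """Run the classifier over (name, contents, attributes) triples."""
    return [(name, butterfly_verdict(name, data, attrs)) for name, data, attrs in listing]


if __name__ == "__main__":
    for name, verdict in scan([
        ("HELLO.COM", CLEAN, 0),
        ("SECRET.COM", CLEAN, ATTR_HIDDEN | ATTR_SYSTEM),
        ("LOCKED.COM", CLEAN, ATTR_READ_ONLY),
        ("COMMAND.COM", CLEAN, 0),
        ("HELLO.COM", INFECTED, 0),
        ("BROKEN.COM", DAMAGED, 0),
        ("BAIT.COM", BAIT, 0),
    ]):
        print(f"{name:12} {verdict}")
```

The order of the tests matters: the damage check must come before the marker check, because a damaged file still carries the 01h marker in its fourth byte and would otherwise be reported as merely infected.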
F-PROT 2.09 detects and removes the virus reliably.

The _894 Virus

A new virus infecting both COM and EXE files was found at the beginning of June in Italy, and it appears to have become very common in a short time. The virus is very destructive. Because it increases the length of infected files by 894 bytes it was temporarily dubbed _894; to be exact, on EXE files it also adds up to 15 padding bytes so that the resulting length is evenly divisible by 16. The virus does not yet have a final name.

_894 is a self-encrypting virus which keeps two copies of itself once it is resident in memory. Both copies are initially unencrypted. One is used for the virus's own operation; the other is what gets appended to infected executables. At infection time the second copy is encrypted with a key that changes on every infection, and once the infection is complete _894 decrypts the second copy again for further use.

On execution, the virus inspects the interrupt 21h vector to find out whether it is already resident: if the handler's offset is 13h, _894 assumes a copy of itself is already installed and passes control to the original program. Otherwise it installs itself, reserving about 1840 bytes of memory. After installing itself, _894 checks the time and the DOS version. If the operating system is older than DOS 4.0 the virus infects nothing. Under newer versions it also infects nothing if the seconds field of the time read from the clock is odd, which makes its infections semi-random.

Before infecting a file, the virus checks whether it has already contaminated it.
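The conditions _894 places on its victims, as described in this section (the COM size window, the EXE header-length test that excludes overlays and NE executables, the PKLITE/LZEXE exclusion and the padding of infected EXE files to a multiple of 16), written from the scanner's side as an added example; this is not code from the bulletin or from the virus. It parses the MZ header to compare the image size the header declares with the real file size, which is what separates a plain DOS EXE from one with an internal overlay or from a Windows/OS/2 NE executable, whose MZ stub declares only its own length. The bulletin does not say how _894 recognises packed files; the signature positions used here (LZEXE writes "LZ91" at offset 1Ch, PKLITE its copyright string at offset 1Eh) are my assumption. All sample files are constructed.

```python
"""
Added example, not code from the bulletin or from the virus: _894's victim
conditions as a classifier, built on an MZ header parser.
"""
import struct
from typing import Optional

VIRUS_LEN = 894                 # bytes _894 appends before padding
COM_MIN, COM_MAX = 66, 63488


def mz_declared_size(data: bytes) -> Optional[int]:
    """Image size declared by the MZ header (e_cp pages of 512 bytes, the last
    one holding e_cblp bytes), or None if this is not an MZ file."""
    if len(data) < 0x1C or data[:2] not in (b"MZ", b"ZM"):
        return None
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)
    if e_cblp == 0:
        return e_cp * 512
    return (e_cp - 1) * 512 + e_cblp


def has_overlay(data: bytes) -> bool:
    """File longer than its header declares: internal overlay or an NE stub."""
    declared = mz_declared_size(data)
    return declared is not None and len(data) > declared


def looks_packed(data: bytes) -> bool:
    """Assumed packer signatures: LZEXE at offset 1Ch, PKLITE at offset 1Eh."""
    return data[0x1C:0x20] == b"LZ91" or data[0x1E:0x24] == b"PKLITE"


def infected_exe_length(host_len: int) -> int:
    """Length after _894 appends 894 bytes and pads to a multiple of 16."""
    return (host_len + VIRUS_LEN + 15) & ~15


def v894_verdict(name: str, data: bytes) -> str:
    """Say whether _894 would consider this file a victim."""
    upper = name.upper()
    if upper.endswith(".COM"):
        if COM_MIN <= len(data) <= COM_MAX:
            return "eligible COM"
        return "ignored: COM size outside 66..63488"
    if upper.endswith(".EXE"):
        if mz_declared_size(data) is None:
            return "ignored: no MZ header"
        if has_overlay(data):
            return "ignored: longer than header declares (overlay or NE executable)"
        if looks_packed(data):
            return "ignored: PKLITE/LZEXE packed"
        return "eligible EXE"
    return "ignored: not an executable"


def build_mz(image_len: int, overlay: bytes = b"", sig: bytes = b"", sig_off: int = 0x1C) -> bytes:
    """Constructed MZ file: a 64-byte header, NOP filler up to image_len, then any
    overlay bytes. `sig` is written into the header to imitate a packer stamp."""
    pages, last = divmod(image_len, 512)
    if last:
        pages += 1
    header = bytearray(0x40)
    # e_magic, e_cblp, e_cp, e_crlc, e_cparhdr (header size in 16-byte paragraphs)
    struct.pack_into("<2sHHHH", header, 0, b"MZ", last, pages, 0, 4)
    header[sig_off:sig_off + len(sig)] = sig
    return bytes(header) + b"\x90" * (image_len - len(header)) + overlay


PLAIN_EXE = build_mz(1024)
OVERLAY_EXE = build_mz(1024, overlay=b"DATA" * 16)
LZ_EXE = build_mz(1024, sig=b"LZ91")
PK_EXE = build_mz(1024, sig=b"PKLITE", sig_off=0x1E)

if __name__ == "__main__":
    for name, data in [("PLAIN.EXE", PLAIN_EXE), ("OVL.EXE", OVERLAY_EXE),
                       ("LZ.EXE", LZ_EXE), ("PK.EXE", PK_EXE),
                       ("TINY.COM", b"\x90" * 65), ("OK.COM", b"\x90" * 66)]:
        print(f"{name:10} {len(data):6} bytes  {v894_verdict(name, data)}")
    print("1024-byte host grows to", infected_exe_length(1024), "bytes")
```

The same header arithmetic is useful in the other direction: a scanner that knows a host's original length can flag an EXE whose size has grown by 894 rounded up to the next multiple of 16, which is the signature this virus leaves on the directory listing.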
For an EXE file, _894 decides this from the header; the second word of a COM file holds a similar marker. The virus traps several subfunctions of interrupt 21h, which lets it infect every program that is opened or executed. Unusually, it also infects programs when their file attributes are changed, and it even hooks INT 21h function 6Ch (Extended Open, introduced in DOS 4.0), which is seldom used for opening files but is used by the DOS command interpreter, COMMAND.COM.

The virus does set conditions on its victims. It will not infect a COM file smaller than 66 bytes or larger than 63488 bytes. An EXE file longer than its header says is also left alone; this check keeps the virus from attempting files with internal overlays and EXE files in the NE format, such as Windows and OS/2 executables. Nor does the virus infect EXE files packed with PKLITE or LZEXE. It is unclear why these are spared; most other file viruses infect them successfully.

While resident, the virus intercepts all calls to the DOS write-file function. One write in sixteen, it changes a random byte in the output buffer. In this way the virus randomly corrupts all data created on the machine, and programs too are corrupted when they are copied. If the virus is not noticed in time, this slow corruption can prove disastrous. The virus takes special care not to corrupt its own data when it uses the write function.

The virus carries no messages and does not advertise its presence with sound or screen effects, so it is quite difficult to spot. F-PROT 2.09 detects and removes _894 reliably.

A Michelangelo Epidemic in the United States
The largest corporate virus infection known to date occurred in the United States on 13 March. The Michelangelo virus infected approximately 20,000 computers in a single corporation. A program that was to be distributed to users was copied to diskettes on a contaminated computer, and all 6,500 diskettes used in the copying were infected. The diskettes were then distributed to users inside the company. Because of the memory requirements of the program on the diskette, users were instructed to boot their computers directly from it, and since Michelangelo is a boot sector virus it infected the hard disk of every computer booted that way. The virus initially infected about 7,000 computers, but it was not detected until the number had reached approximately 20,000. The company also passed the infection on to some of its partners. The virus was eventually removed with F-PROT.

At the time of the infection the company had no anti-virus software in use. The entire incident could have been avoided had even a single anti-virus program been installed on the computer on which the diskettes were copied. Serious as an infection of 20,000 computers is, it could have been worse: had the incident happened a week earlier it would have coincided with Michelangelo's activation day, 6 March, and the virus would have wiped the hard disks instead of merely infecting them.

F-PROT Support Advises: Common Questions and Answers
If you have questions about information security or virus prevention, contact your local F-PROT support. You can also reach F-Secure by telephone on +358-0-692 3622 or by fax on +358-0-670 156. Written questions can be addressed to: F-Secure Ltd., F-PROT Support, Wavulinintie 10, SF-00210 HELSINKI, FINLAND. Questions sent by electronic mail can be addressed directly to Mikko Hyppönen of the F-PROT technical support department; his Internet address is mikko.hypponen@compart.fi.

I use Microsoft DOS 6.0. When I tried to remove the Form virus with the command SYS C:, MS-DOS 6.0 announced `Cannot operate on specified drive' and did not write a new boot record. What's wrong?

MS-DOS 6.0 includes a disk compression program called DoubleSpace. Normally it maps the original C drive to drive letter H:, so the correct command is SYS H:. The letter assigned to the original drive depends on the installation, so it is not necessarily H:, but in any case it comes after the letters assigned to the compressed virtual drives. The DoubleSpace virtual drives do have boot records, but they contain only zeros: a compressed drive needs no real boot record, since the operating system is loaded from the uncompressed area of the original disk during booting.

I would like to back up my computer's Master Boot Record, but DOS 6.0 no longer recognizes the command MIRROR /PARTN. Under DOS 5.0 I could use it to store the contents of the Master Boot Record in a file. How do I do this with DOS 6.0?

DOS 6.0 does not include Mirror or any other program that saves the Master Boot Record. It is therefore worthwhile to save the file MIRROR.EXE before upgrading to DOS 6.0: unlike many other DOS auxiliary programs, Mirror does not check the DOS version number when it is executed. If DOS 6.0 has already been installed, you can use a disk editor, such as the one in Norton Utilities, to save the Master Boot Record in a file. The Master Boot Record of a hard disk contains the partition table, which records the size and location of the logical DOS drives. Data on a hard disk is difficult to restore if this information is destroyed, so a back-up of the partition table should always be kept on a diskette.

While I was using PC Tools, an icon that looks like a gas pump appeared on the Windows desktop with the text `NOT a bug! Do NOT destroy!' under it. The icon stayed on the screen for a couple of hours and then disappeared by itself; I was unable to remove it or otherwise affect it. I checked my computer with F-PROT, but it found no viruses. Is the gas pump caused by a virus? I use PC Tools for Windows 8.0.

The gas pump is not the effect of a virus but of an unusual feature of the Windows version of PC Tools. The code that causes it was probably left in the program from its development stage, and it activates under conditions that are so far unknown. The text `NOT a bug! Do NOT destroy' is contained in the file WNFSVT.EXE of PC Tools for Windows. The program's maker, Central Point, has been informed, so it is likely that the gas pump will not trouble future versions. A somewhat similar case, the `Tough Luck/This Is Too Bad For You' message in Microsoft Excel, was discussed in the F-PROT 2.06 Update Bulletin.

Interrupts are often mentioned in F-PROT Update Bulletins. What exactly are interrupts, and what are they used for?

Programs can easily access the services of the operating system and the BIOS by means of interrupts.
When a program calls an interrupt, its normal execution stops while the computer runs the interrupt handler (a routine) belonging to that interrupt. The handler performs the task assigned to it, after which the original program resumes. In a DOS environment, new functions can easily be added to the basic services of the operating system by means of interrupt handler routines, and programs that use interrupt services are considerably more compatible with each other than programs that drive the hardware directly.

There are both BIOS interrupts and software (DOS) interrupts in a DOS environment: BIOS interrupts are handled by the computer's BIOS and software interrupts by the operating system. DOS can use 256 different interrupts, most of which are not predefined; some applications define and use these free interrupts themselves. An application uses software interrupts to reach the operating system's services, such as disk reads and writes. Most software interrupt calls are in fact eventually passed down to BIOS interrupt routines. If, for example, an application calls DOS service INT 21h/01h, which reads one character from the keyboard, DOS eventually passes the call to BIOS interrupt 16h, the common low-level keyboard interrupt. DOS does, however, translate the values returned by the BIOS interrupt into a more readily usable form.

The lowest kilobyte of memory (addresses 0000:0000 to 0000:03FF) contains the interrupt vector table, in which four bytes, a 16-bit offset followed by a 16-bit segment, are reserved for each of the 256 interrupts. Depending on whether the interrupt is a BIOS or a software interrupt, these bytes point into the BIOS ROM or into RAM, and the memory they point to contains the handler for that interrupt.
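The vector table just described, and the hijacking of its entries that the rest of this answer explains, as an added example rather than anything from the bulletin: a parser for a 1024-byte image of the table and a diff of two snapshots, which is how a memory check can show which interrupts a resident program has taken over. It also shows the "already resident?" test the _894 virus makes on the INT 21h handler offset. Both snapshots are constructed; the BIOS entry points and the segment values are assumed for illustration, not measured on any machine.

```python
"""
Added example, not code from the bulletin: parse a DOS interrupt vector table
image and find the vectors that changed between two snapshots.
"""
import struct
from typing import Dict, List, Tuple

IVT_SIZE = 256 * 4   # 256 vectors, 4 bytes each: offset (16 bit) then segment (16 bit)

Vector = Tuple[int, int]          # (segment, offset)


def parse_ivt(dump: bytes) -> List[Vector]:
    """Return 256 (segment, offset) pairs from a 1024-byte image of 0000:0000."""
    if len(dump) != IVT_SIZE:
        raise ValueError("IVT image must be exactly 1024 bytes")
    vectors = []
    for n in range(256):
        offset, segment = struct.unpack_from("<HH", dump, n * 4)
        vectors.append((segment, offset))
    return vectors


def linear_address(segment: int, offset: int) -> int:
    """20-bit real-mode physical address of segment:offset."""
    return ((segment << 4) + offset) & 0xFFFFF


def hooked_vectors(before: bytes, after: bytes) -> List[Tuple[int, Vector, Vector]]:
    """Interrupt numbers whose vector differs between two snapshots, with old and new."""
    old, new = parse_ivt(before), parse_ivt(after)
    return [(n, old[n], new[n]) for n in range(256) if old[n] != new[n]]


def int21_offset_is_13h(dump: bytes) -> bool:
    """The test _894 makes to see whether it is already resident: INT 21h offset == 13h."""
    _segment, offset = parse_ivt(dump)[0x21]
    return offset == 0x13


def build_ivt(vectors: Dict[int, Vector]) -> bytes:
    """Construct a 1024-byte table; vectors not listed point to 0000:0000."""
    image = bytearray(IVT_SIZE)
    for n, (segment, offset) in vectors.items():
        struct.pack_into("<HH", image, n * 4, offset, segment)
    return bytes(image)


# Constructed "clean" snapshot: BIOS vectors into the ROM at F000h (entry points as
# on the original IBM BIOS, assumed here) and INT 21h into the DOS kernel (assumed
# segment 0116h).
CLEAN = build_ivt({
    0x13: (0xF000, 0xEC59),   # BIOS disk services
    0x15: (0xF000, 0xF859),   # BIOS extended services
    0x16: (0xF000, 0xE82E),   # BIOS keyboard
    0x21: (0x0116, 0x109E),   # DOS function dispatcher
})

# Constructed "infected" snapshot: a resident program near the top of conventional
# memory (assumed segment 9F80h) has taken INT 15h and INT 21h, the latter with the
# handler at offset 13h, as _894 leaves it.
INFECTED = build_ivt({
    0x13: (0xF000, 0xEC59),
    0x15: (0x9F80, 0x0040),
    0x16: (0xF000, 0xE82E),
    0x21: (0x9F80, 0x0013),
})

if __name__ == "__main__":
    for n, (oseg, ooff), (nseg, noff) in hooked_vectors(CLEAN, INFECTED):
        print(f"INT {n:02X}h: {oseg:04X}:{ooff:04X} -> {nseg:04X}:{noff:04X} "
              f"(linear {linear_address(nseg, noff):05X}h)")
    print("INT 21h offset is 13h:", int21_offset_is_13h(INFECTED))
```

A vector that has moved from the ROM or the DOS kernel into a segment just below the 640 K boundary is the classic sign of a resident program, which is exactly where the bulletin says viruses such as Tremor and _894 put themselves. A diff like this cannot tell a virus from a legitimate TSR on its own, so the result is a list of places to look, not a verdict.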
When a program issues an interrupt, the processor uses the interrupt vector table to find the corresponding handler and transfers control to it. In an operation called hijacking (or hooking), a virus replaces a pointer in the vector table with the address of its own code; when the virus has done its work, such as infecting a file, it passes the interrupt on to the proper handler. Viruses commonly use interrupt services to infect files, to install themselves in memory and to activate.

Software and BIOS interrupts must not be confused with hardware interrupts (IRQs). Those are entirely hardware-driven signals that peripherals such as the serial port or the hard disk send to the CPU when they need processor time.

I use VIRSTOP with the /DISK parameter to save memory. I updated VIRSTOP by copying the new files over the old ones and then continued working normally. After a while, however, the computer stopped responding. After a reboot I had no further problems. Why did the problem arise in the first place?

When VIRSTOP is used with the /DISK parameter, it reads the virus search strings from the hard disk instead of keeping them in memory. This reduces VIRSTOP's memory requirement from the current 16 kilobytes to about 3 kilobytes; programs start a little more slowly, because VIRSTOP must read the search strings from disk before it can check a program prior to execution. To speed up the checks, VIRSTOP started with /DISK records the location of the search strings in the file once, so that it need not search for them separately every time. If VIRSTOP is updated while /DISK is in use, the two copies of the program, the one in memory and the one on disk, no longer match, and the resident VIRSTOP uses a stale location when it reads the search strings.

In that case VIRSTOP's behaviour is unpredictable: it may crash the computer or otherwise malfunction. The situation is documented in the F-PROT Manual. To ensure VIRSTOP's reliability, the computer must be rebooted after an update; on its next start VIRSTOP records the location of the new search strings and works normally. A reboot is recommended even when the update is performed with the Install function of F-PROT, in which case the computer can be booted after exiting F-PROT. The update can be performed safely with the network updating system, which is available free of charge from your local F-PROT support or from F-Secure Ltd.

Batch File Viruses
Usually virus writers strive to make their viruses as complex as possible to keep anti-virus programs from detecting them. Some writers, however, push their creations to the opposite extreme. Some have wanted to write the smallest possible virus (at the moment the smallest known virus is just 25 bytes long), while others have taken advantage of DOS's relatively simple batch language and written viruses that infect BAT files. BAT viruses do not usually pose a serious threat, because their simplicity makes them slow to spread between computers; the infections that do happen are normally confined to small areas.

Ralf Burger published the world's first known BAT virus, VR.BAT, in his book Das große Computerviren-Buch in 1987. VR.BAT did not run purely on DOS batch language; it also used machine code located in a separate file. Because the virus destroyed its victim, it usually did not take long for a user to notice that something was wrong.

Batman

A few other simple BAT viruses have been found since Burger's VR.BAT. At the turn of the year, however, a batch file virus unlike any BAT virus seen before, called Batman, was discovered. What sets Batman apart is its ability to install itself in memory. This is possible because the Batman virus carries binary machine code inside the BAT listing:

    @ECHO OFF
    REM <binary code>
    copy %0 b.com>nul
    b.com
    del b.com
    rem <binary code>

In other words, the virus first copies itself to B.COM and then executes that file as an ordinary COM program. This works because the bytes of the capital-letter @ECHO OFF and REM commands at the beginning of the file decode as machine instructions that have no bearing on the virus's operation:

    Text                   Code
    @                      INC AX
    E                      INC BP
    C                      INC BX
    H                      DEC AX
    O                      DEC DI
    <space>OF              AND [BX+46],CL
    F                      INC SI
    <enter><next line>R    OR AX,520A
    E                      INC BP
    M                      DEC BP

The first part of the binary code contains a jump to the end of Batman's code, where the routine that installs the virus in memory resides. Because Batman does not check memory before installing itself, the virus reinstalls itself every time an infected file is executed and little by little eats up the available memory. While resident, the virus monitors writes to files: each time a file is written to, it checks the beginning of the file, and if the file starts with @ECHO it judges it to be a batch file and infects it. Because Batman makes no attempt to check whether it has already infected a file, the same file can be infected many times over, and if several copies of the virus are resident, every one of them infects the batch files being written.

Case: The Batch Virus "BAT-Parasite" in Finland

At the beginning of June, the F-PROT Support of F-Secure Ltd. received a letter from Lahti, Finland, signed with the pseudonym Pelimies (Player). It contained a diskette with a virus that spreads via BAT files. The writer explained that the virus had infested his and his friends' computers for months and had also infected the microcomputers of his school.

Closer examination showed the virus to be fully functional, if somewhat simple. It consists of four BAT files, 1111 bytes in all. It conceals itself by hiding three of the four files with the DOS command ATTRIB. One of the files, CHECK.BAT, begins with the text:

    Copyright (c) 1993 damage program laboratory, Finland
    Program PARASITE
    This version is harmless
    voyager

The virus was duly named BAT-Parasite.

The virus spreads via diskettes. An infected diskette contains one visible file, PELI.BAT (peli is Finnish for "game"), which, when executed, copies itself and the hidden virus files to the \DOS directory of drive C. At the same time BAT-Parasite renames FORMAT.COM to F.COM and supplies a FORMAT.BAT of its own so that the user does not notice the switch. (The rename is what makes the trick work: when a command is typed, DOS looks for a .COM file before a .EXE or .BAT file of the same name, so FORMAT.BAT would never run while FORMAT.COM was still there.) BAT-Parasite infects diskettes when they are formatted: when the user runs FORMAT, the viral FORMAT.BAT first executes F.COM with the command line switches the user gave, and then CHECK.BAT copies the viral files to the diskette. Every diskette formatted on an infected computer carries the visible PELI.BAT and the three hidden viral files. The creator of BAT-Parasite relied on an enticing name to get people to run the BAT file on their own computers.
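Two detection heuristics for the batch viruses described above, Batman and BAT-Parasite, as an added example (not code from the bulletin or from either virus), run over constructed sample files. For Batman the tell-tale is a BAT file whose REM lines carry bytes that cannot be batch text, followed by a copy of %0 to a .COM file that is then executed; for BAT-Parasite it is a \DOS directory in which FORMAT.BAT runs F.COM while FORMAT.COM is missing, next to the helper files the bulletin names. The byte values standing in for Batman's binary body are arbitrary, and the sample FORMAT.BAT and CHECK.BAT contents are my reconstruction of the behaviour described, not the virus's actual text.

```python
"""
Added example, not code from the bulletin: heuristics for Batman-style BAT/COM
polyglots and for the BAT-Parasite file layout.
"""
import re
from typing import Dict, List

# Bytes that may legitimately appear in a batch file: printable ASCII plus TAB, LF, CR, EOF.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D, 0x1A}


def rem_lines_with_binary(data: bytes) -> int:
    """Number of REM lines containing bytes that cannot be batch text."""
    count = 0
    for line in data.split(b"\n"):
        line = line.strip()
        if re.match(rb"rem(\s|$)", line, re.IGNORECASE) and any(b not in TEXT_BYTES for b in line):
            count += 1
    return count


def looks_like_batman(data: bytes) -> bool:
    """Batman's signature: code hidden in REM lines, then copy %0 to a .COM and run it."""
    text = data.decode("latin-1")
    self_copy = re.search(r"copy\s+%0\s+(\S+?\.com)", text, re.IGNORECASE)
    if not self_copy:
        return False
    com_name = re.escape(self_copy.group(1))
    runs_it = re.search(r"^\s*" + com_name + r"\s*$", text, re.IGNORECASE | re.MULTILINE)
    return bool(runs_it) and rem_lines_with_binary(data) > 0


def parasite_indicators(dos_dir: Dict[str, bytes]) -> List[str]:
    """Indicators from the BAT-Parasite case, given name -> contents of a \\DOS directory."""
    files = {name.upper(): body for name, body in dos_dir.items()}
    found = []
    fmt = files.get("FORMAT.BAT")
    if (fmt is not None and "F.COM" in files and "FORMAT.COM" not in files
            and re.search(r"\bF\.COM\b", fmt.decode("latin-1"), re.IGNORECASE)):
        found.append("FORMAT.BAT runs F.COM and FORMAT.COM is missing")
    for helper in ("PELI.BAT", "RESIDENT.BAT", "CHECK.BAT"):
        if helper in files:
            found.append(helper + " present")
    return found


# --- constructed samples -------------------------------------------------------
BATMAN_SAMPLE = (b"@ECHO OFF\r\n"
                 b"REM \xEB\x20\x8B\xEC\x00\r\n"          # arbitrary non-text bytes
                 b"copy %0 b.com>nul\r\n"
                 b"b.com\r\n"
                 b"del b.com\r\n"
                 b"rem \xB8\x00\x4C\xCD\x21\r\n")
CLEAN_BAT = b"@ECHO OFF\r\nREM Start the game\r\nGAME.EXE %1\r\n"

INFECTED_DOS_DIR = {
    "FORMAT.BAT": b"@ECHO OFF\r\nF.COM %1 %2 %3\r\nCALL CHECK.BAT %1\r\n",
    "F.COM": b"\x90" * 64,                      # the renamed FORMAT.COM
    "CHECK.BAT": b"@ECHO OFF\r\nREM Program PARASITE\r\nCOPY PELI.BAT %1 >NUL\r\n",
    "RESIDENT.BAT": b"@ECHO OFF\r\n",
    "PELI.BAT": b"@ECHO OFF\r\nECHO ERROR, game not start\r\n",
    "ATTRIB.EXE": b"MZ",
}
CLEAN_DOS_DIR = {"FORMAT.COM": b"\x90" * 64, "ATTRIB.EXE": b"MZ"}

if __name__ == "__main__":
    print("Batman sample:", looks_like_batman(BATMAN_SAMPLE), "clean:", looks_like_batman(CLEAN_BAT))
    print("Parasite:", parasite_indicators(INFECTED_DOS_DIR), "clean:", parasite_indicators(CLEAN_DOS_DIR))
```

The FORMAT.BAT rule generalises to any .BAT that shadows a renamed DOS utility: because DOS prefers a .COM over a .BAT of the same name, a batch file can only take over a command once the original executable has been moved aside, and that pairing (a wrapper batch file plus the original under a new name) is worth flagging wherever it appears.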
When PELI.BAT is executed, the virus copies itself from the diskette to the hard disk, displays the message

    ERROR, game not start

and then terminates. The virus cannot spread if the computer does not contain the directory C:\DOS. The functioning of BAT-Parasite is also hindered, but not completely blocked, by the absence of the programs ATTRIB and FORMAT. Even though BAT-Parasite is not a serious threat, its simple structure does not stop it from spreading quite unnoticed. The virus can be removed by simply deleting the files PELI.BAT, RESIDENT.BAT, CHECK.BAT and FORMAT.BAT, and renaming F.COM back to FORMAT.COM.
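The indicators and the removal steps described above for BAT-Parasite, as an added Python example that is not part of the bulletin or of F-PROT: it inspects a directory laid out like C:\DOS, reports the viral BAT files, the F.COM/FORMAT.BAT switch and the CHECK.BAT banner, and applies the removal given above. The sample directory it builds is constructed, with placeholder file bodies; the function names and indicator labels are this example's own.

```python
import os
import tempfile

# File names and the CHECK.BAT banner text as given in the bulletin.
VIRAL_BATS = ("PELI.BAT", "RESIDENT.BAT", "CHECK.BAT", "FORMAT.BAT")
CHECK_BANNER = b"damage program laboratory"

def _names(dos_dir):
    """Map upper-cased names to on-disk names (DOS names are case-insensitive).
    os.listdir also lists files hidden with ATTRIB +H, so hiding does not help."""
    return {n.upper(): n for n in os.listdir(dos_dir)}

def scan_dos_dir(dos_dir):
    """Return a sorted list of the BAT-Parasite indicators present in dos_dir."""
    names = _names(dos_dir)
    found = [bat for bat in VIRAL_BATS if bat in names]
    # The virus renames FORMAT.COM to F.COM and covers the switch with its own FORMAT.BAT.
    if "FORMAT.BAT" in names and "F.COM" in names:
        found.append("F.COM shadowing FORMAT.BAT")
    if "CHECK.BAT" in names:
        with open(os.path.join(dos_dir, names["CHECK.BAT"]), "rb") as fh:
            if CHECK_BANNER in fh.read(512).lower():
                found.append("CHECK.BAT copyright banner")
    return sorted(found)

def remove_bat_parasite(dos_dir):
    """Apply the removal given in the bulletin: delete the four BAT files and
    rename F.COM back to FORMAT.COM. Returns the actions taken; rerunning is safe."""
    names = _names(dos_dir)
    actions = []
    for bat in VIRAL_BATS:
        if bat in names:
            os.remove(os.path.join(dos_dir, names[bat]))
            actions.append("deleted " + bat)
    if "F.COM" in names and "FORMAT.COM" not in names:
        os.rename(os.path.join(dos_dir, names["F.COM"]),
                  os.path.join(dos_dir, "FORMAT.COM"))
        actions.append("renamed F.COM to FORMAT.COM")
    return actions

def make_infected_sample():
    """Build a constructed stand-in for an infected C:\\DOS in a temp directory.
    Only the names and the CHECK.BAT banner follow the bulletin; the file bodies
    are harmless placeholders, not the virus."""
    dos_dir = tempfile.mkdtemp(prefix="dos_")
    bodies = {bat: b"@ECHO OFF\r\nREM constructed placeholder\r\n" for bat in VIRAL_BATS}
    bodies["CHECK.BAT"] = b"REM Copyright (c) 1993 damage program laboratory, Finland\r\n"
    bodies["F.COM"] = b"constructed placeholder standing in for the renamed FORMAT.COM"
    for name, body in bodies.items():
        with open(os.path.join(dos_dir, name), "wb") as fh:
            fh.write(body)
    return dos_dir

if __name__ == "__main__":
    sample = make_infected_sample()
    print("indicators:", scan_dos_dir(sample))
    print("actions:", remove_bat_parasite(sample))
    print("after cleanup:", scan_dos_dir(sample))
```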
Briefly Noted

Death Penalty for a Computer Felony
The death penalty has been carried out in China on a person who hacked his way into a bank's computer system. In 1991, Shi Bao used a computer to embezzle 192,000 dollars from the Agricultural Bank of China. Shi Bao was executed as a warning to would-be computer criminals.

A 5000 Dollar Virus Competition
At the beginning of the summer, Digital Enterprises announced a virus competition intended to prove the effectiveness of Digital's V-Card Anti-Virus System against viruses. The following message was sent to the Internet's comp.virus conference area, where it stirred up a lively discussion, particularly about the ethical questions raised by such competitions.

    DIGITAL ENTERPRISES IS CHALLENGING COMPUTER HACKERS to defeat its anti-virus technology. The Gaithersburg, Md-based company says virus experts have tried unsuccessfully for more than 2 years to defeat its V-Card Anti-Virus System. It's inviting hackers to come to its headquarters through mid-July to try their hand at loading a true virus (Trojan horses and bombs don't count) onto the system. The computer must be rendered non-bootable and files must be non-recoverable while V-Card is operating. The company will reward the triumphant hacker with $5000.

Viruses for Sale
On Tuesday the 15th of June, somebody in Canada sent the following message to the Internet's alt.security conference area.

--
From alt.security
From: (DSO)
Newsgroups: alt.security
Subject: Virus writing techniques exposed!
Date: 15 Jun 93 20:28:00 GMT

** MS-DOS Virus Research Kit (Advertisement) **

Virus authors know that ignorance and fear are the best weapons in their arsenal. They shroud their efforts in hyperbole and propaganda, how their next work will be the undoing of all PC-users everywhere. Most, if not all, so called "anti-virus experts" are not privy to the inside information on modern virus-writing techniques, thus leaving PC-users unprotected until the next virus strikes. This need not be so.

Unknown to Phalcon/Skism and many other virus groups, some of their members have contributed to one of the most complete virus research kits ever assembled. Complete "how to" instructions by the infamous "Dark Angel" and other authors, COMMENTED SOURCE CODE and disassemblies for hundreds of virii, and a vast library of "ready to go" compiled virii (some still undetectable by current anti-virus software!) are included, along with the infamous VIRUS CREATION LAB (and its new upgrade package!) and a collection of shareware ASM tools. The entire kit is about 10MB, and is shipped PKZIP'ed on four 1.2MB 5.25" floppy disks.

In our opinion, no PC-user should be without the invaluable information contained in this kit. Send 50$ U.S. funds or 75$ Canadian funds (postage included) to:

DSO Enterprises, ** *** **, ******* ***, ********, ******, Canada, ***.

U.S. Orders : Personal checks drawn on U.S. banks can NOT be accepted!
Canadians : Personal cheques drawn on Canadian banks will delay order! Canadian price includes any applicable taxes; orders shipped within Canada must be paid in Canadian funds (75$).
Overseas : Personal checks drawn on foreign banks can NOT be accepted! Send in U.S. funds, please!

For fastest processing, send postal or bank money orders.
Sorry, no COD's.

"IBM PC" Copyright International Business Machines
"MS-DOS" Copyright Microsoft
"PKZIP" Copyright Phil Katz
Any other references to trademarks are copyright whomever, with apologies.

*****************************************************************************
Please note that it is a violation of the terms of the contract under which this kit is sold to redistribute or resell it in part or whole or to use the contents for any purpose other than informational research. Violators will be prosecuted for damages! We reserve the right to refuse orders.
*****************************************************************************
--

The previous attempt to peddle viruses in the alt.security area took place in January this year, when a person calling himself Albatross tried to sell four different virus diskettes. The incident was discussed at greater length in the F-PROT 2.07 Update Bulletin.

Virus Writer Groups March Out
Certain groups of virus writers have recently begun to make themselves more conspicuous. The NuKE group, for example, has announced that it intends to shift the focus of its efforts from ordinary computer users to makers of anti-virus software. The group is also known to be setting up a company called Nuke in the United States, whose purpose is to protect NuKE's members. Though NuKE was originally founded in Canada, it now also has members in the United States, Australia and Switzerland. The group publishes a virus magazine called the NuKE Info Journal, which is spread via BBSs and contains, among other things, instructions for virus writing. Six issues of the magazine have been published so far. The presumed leader of the group, known by the pseudonym `Rock Steady', has announced that issues will continue to appear at a rate of roughly one a month.

Another group of virus writers, the United States-based Phalcon/Skism, has used the Internet to set up a system through which anybody with an Internet address can acquire functional viruses and material on virus writing. The group first revealed the existence of its system on the underground CyberCrime International message network, and since then Phalcon/Skism has actively used several different occasions to advertise it.

nVIR B for Macintosh in Finland
An epidemic of the old "B" variant of the nVIR virus was found in Helsinki, Finland in May. The virus was identified with the Disinfectant anti-virus utility.

The nVIR virus was first discovered in Europe in 1987. Two basic variants, nVIR A and nVIR B, have been found so far, but it is probable that an earlier strain of the virus also existed at some time; that variant, however, is now extinct. nVIR infects a system file and spreads to other files when they are executed.

nVIR contains a counter, which it sets to 1000 when it infects a system file. The virus subtracts one from this counter every time the computer is turned on, and two whenever an infected file is executed. When the counter reaches zero, nVIR A says `Don't Panic' at random times if MacinTalk is installed in the system folder. If MacinTalk is not available, the virus beeps instead of talking. The virus may also activate when the computer is turned on or when an infected file is executed. The probability of activation is 1/16 during booting and 15/128 during the execution of an infected file. The probability of the virus talking or beeping twice during the execution of an infected file is 1/256.

Since nVIR B does not use MacinTalk, it can only beep occasionally once its counter reaches zero. If this strain has infected a computer, it beeps during booting with a probability of 1/8. When an infected file is executed, the probability of a single beep is 7/32 and of a double beep 1/64.

If nVIR A and nVIR B have both infected the same computer, the strains are capable of combining their features and passing them on to their offspring. The Disinfectant anti-virus software identifies such viruses by both names. There are also different versions of the nVIR B virus, such as Hpat, AIDS and MEV#, all of which function just like the original nVIR B. Disinfectant recognizes them as nVIR B.
Disinfectant is available from your local F-PROT support.

PC Viruses on Mac Diskettes
At the beginning of the summer, F-Secure Ltd. received a Macintosh diskette containing the Stoned.NoINT virus. The diskette had originally been formatted on a Macintosh, but when it was later used in an infected DOS computer, Stoned.NoINT contaminated it just like an ordinary DOS diskette. The diskette could still be used normally in a Macintosh environment after the infection.

Even though Mac diskettes do not function in DOS computers, boot sector viruses can still infect them. Mac diskettes that have accidentally been used in a DOS computer can carry an infection as readily as common DOS diskettes, and they must therefore be taken into account when an infection is being removed. The difference between the Macintosh and DOS file systems may lead to problems when Mac diskettes are being disinfected. It is therefore sensible only to check such diskettes for viruses and, if they are infected, to use a Macintosh to copy the files from the contaminated diskettes to a clean storage device. The diskettes can then be formatted again.

Changes to F-PROT in Version 2.09
VIRSTOP for Windows
The VIRSTOP program included in F-PROT 2.09 has been extended to work under Windows as well. Like its DOS counterpart, the Windows version is a memory-resident program that prevents viruses from being executed and infecting the computer. Since the Windows support is built into the internal structure of VIRSTOP, the program can be used directly, without additional steps such as installing it in Windows. VIRSTOP notices when Windows is started and automatically loads its Windows part into memory as one of the Windows device driver routines. The VIRSTOP.EXE program file contains the code for both the Windows and the DOS parts of the program; VIRSTOP does not need any other files to function.

A Windows DOS window should not be used to load VIRSTOP, or any other TSR program, into memory. We recommend loading VIRSTOP from the computer's AUTOEXEC.BAT file.

When an attempt is made to execute an infected program from Windows, VIRSTOP for Windows stops the execution and warns the user of an infected file. If VIRSTOP's /BOOT parameter is on, a corresponding warning is given for a diskette infected by a boot sector virus. The program's functioning can be tested by executing the familiar F-TEST.COM under Windows. VIRSTOP for Windows displays the virus warnings in text mode. The warning box is dismissed by pressing Enter, after which the previous program resumes its execution. VIRSTOP for Windows also monitors the DOS windows opened from Windows.

If the keys Ctrl-Alt-Del are pressed, VIRSTOP for Windows cannot check the boot sector of a diskette in drive A even if the /WARM switch is turned on, because Windows interrupts the computer's operation during a warm boot. The /BOOT switch, which makes VIRSTOP check the boot sectors of all diskettes used in the computer, should therefore always be used.

The Windows routines of VIRSTOP have been made very small in order to save memory.
The Windows support increases the memory requirement of VIRSTOP's DOS part by only 112 bytes. The device driver loaded during the Windows startup takes up approximately five kilobytes of Windows memory. The Windows support of VIRSTOP can, if necessary, also be switched off with the command line parameter /NOWIN.

New Viruses Recognized by F-PROT
The following 202 new viruses can now be detected and also removed when at all possible (not always, since a few of them are primitive, overwriting viruses). Some of these viruses could also be detected by earlier versions, but they are now identified accurately.

_125                       Fisher (1100)          Porridge
_160                       Fisher (2420)          Print Monster
_195                       Frajer                 Proto-T (Flagyll)
_205                       Freak                  Proto-T (Lockjaw)
_225                       Grunt (346)            Proto-T (Number6)
_604                       Grunt (427)            PS-MPC (897)
_723                       Grunt (473)            PS-MPC (Arcv-9)
_894                       Halley                 PS-MPC (Arcv.657.B)
Abraxas                    Hallo                  PS-MPC (Kouch)
Albanian                   Hamster                Puke
Alpha                      HH&H.4093              Radyum (448)
Amt (3000)                 Hitchcock.1238         Radyum (519)
Amt (4000)                 Hoa                    Radyum (860)
Aragorn                    Ice9.Two Minutes       Requires
Arcv (330)                 Infector (444)         Russian Tiny (129)
Arcv (Ice250)              Infector (624)         Russian Tiny (132)
Ash (817)                  Infector (726)         Russian Tiny (143)
Ash (1602)                 Infector (782)         Russian Tiny (145)
Atas II (3213)             Infector (933)         Russian Tiny (146)
Atas II (3233)             Infector (984)         Russian Tiny (156)
Atas II (3321)             Intrep (946)           Screen
Australian Parasite (142)  Intrep (1092)          SillyCR (185)
Australian Parasite (147)  Itti.Toxic             SillyCR (189)
Australian Parasite (150)  James                  SillyCR (212)
Australian Parasite (155)  Jerusalem (Glory)      Silly Ice (159)
Australian Parasite (162)  Jerusalem (Unam)       Silly Ice (199)
Australian Parasite (550)  Jos                    Silly Ice (224)
Australian Parasite (615)  Keypress.1232.C        Skew
Backfont (472)             Kot                    Sleepwalker
Backfont (896)             Kudepsta               Storm.1163
Bad                        Leprosy (Crawler)      STSV.B
Barrotes                   Leprosy (Seneca.493)   Talking Heads
Beer.3192                  Leprosy (Surfer)       Tankard (493)
Butterfly                  Lesson I.263           Tankard (556)
Cascade (1704.J)           Little Girl.1004       Techno
Cascade (1704.H)           Log                    Timid (431)
Cfsk                       Lovechild.2710         Timid (557)
Chang                      Loz                    Trivial (30.C)
Chcc                       LPToff                 Trivial (30.D)
Chr                        Luca                   Trivial (32)
Civil war (244)            Lyceum.1888            Trivial (34)
Civil war (Navigator)      Lythium                Trivial (44.B)
Civil War II (599)         Maffy.323              Trivial (68)
Civil War II (901)         Malign (575)           Trivial (71)
Code4-over                 Malign (630)           Trivial (84)
Coffeshop                  Matura.632             Turn
Coib                       Meta.1103              Tver
Cossiga.883.B              Metallica.1739         Ugur
Costeu                     Mithrandir             Ungame
Cpxk                       Mr G.                  Uruk-Hai.427
Crazy Imp.1402             MX                     V3000
Cybertech.Star One         Murphy.Delyrium.1780   VCL (384)
Cysta.2954                 Nanita                 VCL (408)
Danish Tiny.Wild Thing     Nazgul                 VCL (423)
Dark Avenger.1693          Naziphobia.A           VCL (476)
Dead                       November 17th.855.B    VCL (519)
Deicide II (Breeze)        Omt                    VCL (562)
Deicide II (2570)          Over.4032              VCL (Popoolar)
Denied                     Own                    Vengeance.613
Disdev                     Oxana (1436)           Vienna.1239
Doomsday                   Oxana (1572)           Voodoo
Dupacel                    Oxana (1670)           Wanderer
Dutch Tiny (122)           Oxana (1671)           Wilbur (B)
Dutch Tiny (124B)          Paramon                Wilbur (C)
E-riluttanza               PDP (822)              Willow
End of                     PDP (1477)             WWP
Experiment (416)           PDP (1564)             XAM
Experiment (755)           Perfume.653            Yam.3599
Filehider.1067             Pick                   Youth.970
Filename                   Pitch                  Zaphod
Fish6.B                    Pojer.1919             Ziuck.1372

The following 43 new viruses can now be detected but not yet removed.

AntiExe              Dir II (H)             PS-MPC.Z10.662
Arcv (839)           Dir II (K)             Rape.Basilisk
Arcv (Benoit)        Explosion              Tchantches
Arcv (Joanna)        Harm                   Terminator II
Arcv (More)          Horror.1137            Tu
Arcv (Sandwich)      Invisible man (2926)   Ultimatum
Arcv (Scroll)        Invisible man (3223)   VCL (394)
Arcv (X-2)           Maffy.478              VCL (Divide.A)
Arusiek              MSJ                    VCL (Mimic)
Beer.3164            Naziphobia (B)         VCL (Necro)
Black Jec.378        Naziphobia (C)         Vienna.561
Chipshit             No Frills.Dudley       Yankee (XPEH.5648)
Civil War.561        Npox (609)             Yankee (XPEH.5808)
Cysta                Npox (1686)
Dir II (G)           Npox (1800)

The following 5 viruses can now be disinfected.

Darth_Vader (3.A)
Darth_Vader (3.B)
Darth_Vader (3.C)
Horse.2248
PCBB.1141

F-PROT 2.09 -- Other Changes
Disinfection of boot sector viruses has been redesigned, and many boot sector viruses (most of which were of the "laboratory-only" category) that previously could only be detected can now also be disinfected.

F-PROT 2.08 could not, in all cases, accurately identify Stoned.Azusa; this should be fixed now.

When VIRSTOP /COPY was used, it interfered with Quick Scan, causing VIRSTOP, not F-PROT, to display a message about a file being infected. This is now fixed.

Previously, F-PROT removed only one "layer" of certain encrypted viruses capable of infecting the same file multiple times, such as PCBB.1658, forcing the user to disinfect the file several times before it was actually clean. This has been fixed.

F-PROT will now always scan the main boot records (MBR) of hard disks even if the disk contains no logical partitions.

The behaviour of the /NOFILE switch has been changed: it now implies /NOUSER (in files), /NOPACKED and /NOTROJAN as well.

A new exit code, 7, has been added. It indicates insufficient memory; previously F-PROT returned errorlevel 1 (general error) in such a case.
F-PROT 2.09 Update Bulletin
Copyright (c) 1993 F-Secure Ltd

This text may be freely used as long as the source is mentioned as 'Source: F-PROT 2.09 Update Bulletin Copyright (c) 1993 F-Secure Ltd.'

<*** End of File ***>

F-PROT Professional Support < f-prot@datafellows.fi >
