------------------------------

Date: 23 Jan 89 11:54:29 GMT (Mon)
From: Alan Jay
Subject: Known PC Viruses in the UK and their effects

The article below summarises the viruses which have been known to affect IBM PCs and compatibles in the United Kingdom. It is written by Dr. Alan Solomon (drsolly@ibmpcug.CO.UK), the chairman of the IBM PC User Group in the UK, and appears in the February 1989 issue of Connectivity, the newsletter of the User Group.

This article is (C) Copyright 1989 The IBM PC User Group (UK). Permission is hereby granted to reproduce this article for non-profit purposes, provided this notice is retained.

The Information Centre - PC Security
by Dr Alan Solomon
-------------------------------------------------------

PCs are intrinsically very insecure. For many PCs, this might not matter; who cares if someone finds out that the menu for tomorrow is scrambled eggs? But increasingly, PCs are being used for critical applications, and either there is extremely important data on them, or else it is very important that they continue to run. Scrambled eggs are fine - scrambled FAT is not.

Many people take backup for granted. Obviously, backups are done on a regular basis, but how do you know that you have something that is restorable? I'll be coming back to this in a subsequent article. For now, I want to update members on the virus front, because quite a lot has happened, and much of what you read in the press is distorted by the Chinese Whispers treatment.

Virus facts and fiction
-----------------------

First, I have to say that the problems are very real. You have probably read in Computing that IBM has been infected by 1704 virus. Secondly, I must emphasise that viruses are still very, very rare on PCs, and many problems reported as viruses are the same old problems we always had. But they are getting commoner, and I am getting busier and busier in dealing with outbreaks. First, let me define some terms.
A virus is a self-replicating program that copies itself without the user realising that this is happening. A virus does not necessarily intend malicious damage. The main damage is always, always done by people's reactions, not by the viruses themselves. There is one virus around that has code in it for deleting files, and other viruses have unfortunate side-effects. But the main damage is usually done by someone panicking, and doing something extremely silly, because they don't know what is the correct procedure.

Viruses - what's out there?
===========================

Next - a list of the viruses that I know of so far, plus how to recognise them, and the intentional and unintentional damage done. Please remember, though, that most of these viruses have more than one variant, and it would be possible to write a virus that mimicked the action of an existing virus. So you mustn't assume that just because your symptoms match those given below, you have the exact same virus. Also, the information given below is only a summary of all the information available, so please don't treat it as a full manual.

Stoned. Every 32nd boot-up, you see ``Your computer is now stoned.'' The boot sectors of infected diskettes are obviously abnormal, and include that message. No intentional damage. Unintentional damage - trashes 1.2 Mb floppies if they have more than 32 files, trashes about 5% of hard disks.

Brain. You see (c) Brain as a volume label on diskettes, and diskettes have 3k of bad sectors (the normal numbers are none at all, or 5k, or sometimes more). No known intentional damage. Unintentional damage - it slows down diskette accesses and causes time-outs, which can make some diskette drives unusable.

Italian. Once every half hour, if you are accessing the disk, the bouncing dot is triggered. The dot bounces off the edges of the screen, and passes through any text, with replacement after it. Sometimes, this doesn't work properly, and screen displays are messed up.
Infected diskettes have 1k in bad sectors, infected hard disks have 2k (and other numbers of bad sectors are possible). No known intentional damage. Unintentional damage - the two copies of the FAT are left different; DOS might not like this. Attempts to infect diskettes slow them down, and some computers won't read floppies, due to time-outs.

1813 virus. Files grow by 1813 bytes (sometimes 1808), without changing their date and time or read/write/hidden attributes. COMMAND.COM does not grow, to help it avoid detection. Many anti-virus products do little more than watch COMMAND.COM. Intentional damage - there is code in the virus for deleting each program that you run on every Friday 13th. Half an hour after the virus installs into memory, the computer slows down - a 4.77 MHz PC runs at about 1/5 normal speed. A small black window opens temporarily in the bottom left hand corner. Unintentional damage - .COM files grow once, taking up slightly more space. Also, .EXE files grow each time they are infected, and eventually will not load.

648 virus. .COM files grow by 648 bytes, without changing date/time or attributes. Intentional damage - one infected file in eight (at random) is changed in such a way that the program will not run. No known unintentional damage.

1701 virus. Files grow by 1701 bytes. This is a third generation virus - the code is encrypted, to fool programs that search for viruses automatically, looking for code that is characteristic of viruses. This also meant that disassembling it took a bit longer than usual, but I've now finished the disassembly. Occasionally, 1701 triggers a ``hailstorm''. The characters on the screen behave as if they were pinned to the screen, and someone is removing the pins one at a time - it looks a bit like a hailstorm, and has suitable sound effects. In fact, it is a purely audio-visual effect - nothing is happening to your data.
But most people seeing it would be so alarmed that they would reach for the off switch, and switching a computer off in the middle of processing a database can cause big problems.

IBM got infected recently by 1704 virus, which I believe is a slightly different version of 1701. They sent a letter to all customers that could conceivably have been infected - a very responsible thing to do.

As you can see, there are an increasing number of viruses, and an increasing number of people affected. If you see any of these symptoms, you should do three things.

1. DON'T PANIC. That does more damage than anything else. Don't just start deleting and formatting - at least keep a specimen so that I can disassemble it. The flame thrower approach tends to destroy the evidence of how it got in (which could help the unfortunate person that inadvertently gave it to you) and without even fixing the problem. Don't let anyone else panic, either.

2. Make sure that everyone who knows about it is told to keep their mouths shut. The press are desperately keen to find a big company that has been struck, and will have a field day. An immense amount of damage could be done to the company's name. If the company decides to tell the world, that's fine and noble, but the decision must be made at the highest possible level.

3. Seek expert advice. Do not attempt to deal with it yourself - unless you have already dealt with several cases before, a virus is outside your experience. In particular, the virus MUST be disassembled - otherwise it could have many surprises.

One of the biggest problems is in dealing with the diskettes. Every PC is accompanied by a vast cloud of diskettes, and at least some of these must be infected. Usually, less than 1% are infected (although in the case of a boot sector virus such as Brain, Italian or Stoned, anything up to 5% of diskettes could be infected before the virus is spotted), but the problem is to find them.
If you leave even one infected diskette - well, it was almost certainly just one diskette that brought the problem in. My approach is to use a hopper-fed machine that can check 700 floppy diskettes per hour; the main alternative is to train sufficient operators to do it manually. How you treat infected disks and diskettes depends on the virus, and its modus operandi. I haven't yet seen a situation where it was necessary for anyone to lose any data, although the flame-thrower approach certainly can do damage.

As if this wasn't bad enough, there are now a few more problems that I'm trying to fight. The first is too late - one magazine has published about 55% of the Italian virus, together with a useful plethora of technical information about how it works. I won't tell you which magazine, as I don't want things to get any worse, but many members will have seen the article, and I would suggest that you write to the editor to express your own opinions on the subject.

The next problem is that a magazine has quoted someone as saying that he could write a virus that ``could put a software house out of business overnight''. I don't think that the magazine should have used that quote, and I hope that it doesn't give people ideas.

But the third problem is the worst. I have a firm rule about never giving copies of a virus ``for experimental and research purposes'' to anyone (except, of course, if a company already has the virus then it doesn't matter). One could argue that this is tantamount to suppression of useful information (and this has been suggested to me). But obviously one should only give a virus to a responsible, technically capable person, and I'm frankly not very good at assessing this over the phone - I get many calls asking for viruses. So, since I can't be sure that the person asking is a suitable candidate, I have so far always refused. If a bona fide government department were to approach me, I would probably feel different, but that hasn't happened.
One of the people who felt differently on this point has obtained copies of Brain and Italian. He has said that he will give copies to any responsible person who asks him, for research purposes. I don't know how he will decide, but I hope and pray that he is better at judging character than I believe possible, and able to detect a plausible liar. He says that he is acting from the highest, noblest motive - freedom of information. I used to believe in freedom of information myself, so I can almost understand him. But I profoundly disagree with what he's doing, as the easiest way to write a virus is to disassemble someone else's, and change it to do what you want.

How to learn more
-----------------

The best way to keep up to date with virus developments is on Connect (01-863 6646 - 1200, N, 8, 1). There are a number of conferences devoted to viruses. This article was posted to Connect in conference connect.virus on January 10th and I will be posting further updates to this list of known viruses with their symptoms and effects as soon as I have details.

One thing I have done is write a program for testing anti-virus products. This uses a few different methods for writing to the boot sector of floppy diskettes - TESTVACC is quite harmless, of course, but it is doing something that many viruses do. Many anti-virus products claim to be able to detect and/or prevent this sort of thing, so you install your anti-virus program, and then run TESTVACC. TESTVACC tries to write a simple message to the boot sector of the floppy disk, using four different methods, any of which could be used by a virus. I've tried several well-known anti-virus products, and although it detected the first two methods of writing to the boot sector, it didn't notice the third or fourth method. You can inspect the boot sector afterwards, using whatever disk sector editor you like, and draw your own conclusions. I'm making TESTVACC shareware, so it is available from the User Group Library.
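An added example (mine, not from the article, TESTVACC or the User Group): a defender-side check for the silent file-growth symptom the article lists for the 1813, 648 and 1701 viruses, comparing a saved size/date/attribute baseline of executables against a later directory listing. The listings, the attribute encoding and the growth labels are constructed for illustration.

```python
# Added example, not part of the article: flag DOS executables that grew
# while their date/time and attributes stayed exactly as they were, which
# is the symptom described above for the 1813, 648 and 1701 viruses.
from typing import Dict, List, NamedTuple, Tuple

# Growth amounts quoted in the article, used only to label a match.
KNOWN_GROWTH = {1813: "1813 virus", 1808: "1813 virus (1808 form)",
                648: "648 virus", 1701: "1701 virus", 1704: "1704 virus"}

class Entry(NamedTuple):
    size: int    # bytes, as shown by DIR
    stamp: str   # DOS date/time string, e.g. "1988-06-01 08:30"
    attrs: str   # attribute letters, e.g. "A", "RH", "" (hypothetical encoding)

def suspicious_growth(baseline: Dict[str, Entry],
                      later: Dict[str, Entry]) -> List[Tuple[str, int, str]]:
    """Return (name, bytes grown, label) for files that grew silently."""
    findings = []
    for name, now in sorted(later.items()):
        then = baseline.get(name)
        if then is None or now.size <= then.size:
            continue   # new file, or did not grow: not this pattern
        if now.stamp != then.stamp or now.attrs != then.attrs:
            continue   # a genuine update normally changes the date/time
        delta = now.size - then.size
        label = KNOWN_GROWTH.get(delta)
        if label is None and name.upper().endswith(".EXE"):
            # .EXE files are re-infected each time, so look for multiples
            for step, vname in KNOWN_GROWTH.items():
                if delta % step == 0:
                    label = f"{vname} x{delta // step}"
                    break
        findings.append((name, delta, label or "unknown growth"))
    return findings

# Constructed sample listings. COMMAND.COM is left alone, as the article says
# the 1813 virus does, so a tool that only watches COMMAND.COM sees nothing.
BASELINE = {
    "COMMAND.COM": Entry(25307, "1987-03-17 12:00", "A"),
    "EDIT.COM":    Entry(4096,  "1988-06-01 08:30", "A"),
    "CALC.EXE":    Entry(30208, "1988-02-14 10:10", "A"),
    "NOTES.COM":   Entry(2000,  "1988-11-03 09:15", "A"),
}
LATER = {
    "COMMAND.COM": Entry(25307, "1987-03-17 12:00", "A"),
    "EDIT.COM":    Entry(5909,  "1988-06-01 08:30", "A"),  # +1813, stamp kept
    "CALC.EXE":    Entry(35647, "1988-02-14 10:10", "A"),  # +5439 = 3 x 1813
    "NOTES.COM":   Entry(2648,  "1988-11-05 17:40", "A"),  # +648 but stamp changed
}
```

Running suspicious_growth(BASELINE, LATER) reports EDIT.COM (+1813) and CALC.EXE (+5439, three infections of an .EXE), while NOTES.COM is not flagged because its date/time changed along with its size.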
Also we hope to run a special series of workshops on viruses in the near future. If you would like to take part then please write to me at the User Group. This workshop will look at ways of reducing the risk of infection, what to do if you think you are infected, and in the event of infection how to disinfect your systems.

Submitted by: Alan Jay (alanj@ibmpcug.CO.UK), Editor, Connectivity, the newsletter of The IBM PC User Group, UK.

--
Alan Jay @ The IBM PC User Group, PO Box 360, Harrow HA1 4LQ ENGLAND
Phone: +44 -1- 863 1191    Email: alanj@ibmpcug.CO.UK
Path: ...!ukc!pyrltd!slxsys!ibmpcug!alanj    Fax: +44 -1- 863 6095
Disclaimer: All statements made in good faith for information only.

------------------------------