

F-PROT 2.06 Update Bulletin

This material may be freely used by our customers as long as the
source is mentioned as 'Source: F-PROT 2.06 Update Bulletin - Copyright
(c) 1992 Data Fellows Ltd.'


The Contents of Update Bulletin 2.06

This is the third Update Bulletin translated into English. As readers of
the two earlier ones will notice, a lot has changed. The bulletin is
constantly growing and covering more subjects. In this issue we still
have to concentrate on Finnish events. We hope to get enough feedback
from this issue to be able to report on infections and other events from
the other Nordic countries in our forthcoming Bulletins.

- - -

In this issue we report on several virus infections. In one the virus
may have been distributed within a commercial product; in another the
virus was probably written by students of the educational organisation
that suffered the infection, who then sent their virus to Data Fellows
in a letter. In one case the infection covered the company's offices in
most Scandinavian countries. We also report on virus bulletin boards, on
a manual for writing viruses published recently, on legal aspects of
viruses and on the first Windows-specific virus.

- - -

We would like to write a report on the legislation in Scandinavian
countries concerning spreading and writing viruses. We would be happy to
talk to or receive written material from people with knowledge in this
area. The results of this investigation will be reported in a
forthcoming Update Bulletin.

We will also welcome letters from people having personal experience on
viruses, reports on infections, articles to be published in the bulletin
and comments on anti-virus products. The publication of material sent to
us cannot, however, be guaranteed.

- - -

Last but not least, we would like to thank Tapio Keihänen and Petteri
Järvinen for their help in the production of this issue.

NoInt
Quit-1992
Joshi
Yankee (TP-44)
Danube
FORM off the shelf
Case: Budo-virus
The rise of new virus boards
School material for virus writers
Windows virus - a false alarm
WinVir - a true alarm
Watch out for fakes
Changes in F-PROT version 2.06
Report your virus observations
Appendix: The Family Tree of the Jerusalem-virus

A New Virus Naming Convention
1. Family names.
2. Group names.
3. Major variant name.
4. Minor variant name.

Creating an Anti-Virus Diskette for Emergency Situations
Viruses in Windows
The Structure of Windows Applications
The Execution of an Application and Interrupts
Kernel
The Functional Mechanisms of Viruses in Windows


Report your virus observations

Data Fellows Ltd follows the virus situation in Scandinavia actively and
maintains statistics on virus discoveries. Data Fellows Ltd is
especially interested in new viruses not previously found in
Scandinavia. In addition to this we, of course, appreciate notifications
concerning viruses that already are common here.

The purpose of collecting statistics on virus epidemics is two-fold:
o       We want to make sure that we know every detail of viruses that
        have a high probability of infecting computers used by our
        customers. An overwhelming majority of all infections are by
        viruses that have been discovered previously. By preparing
        technical analyses of all viruses found in Scandinavia it is
        possible to cover 99% of all technical aspects of virus
        epidemics in Scandinavia.

o       With reliable statistics we are able to analyse the speed and
        extent of epidemics caused by different viruses. This enables us
        to warn our customers of especially dangerous viruses.

NoInt

During this fall, a Scandinavian electronics company was plagued by a
tenacious infection caused by the NoInt virus. Many of the company's
Nordic offices contracted the infection via internal transactions. The
company's office in Helsinki was also contaminated, but the epidemic was
stopped at its initial stages following a routine check with F-PROT.

NoInt is a boot sector virus whose functioning is based on the old
Stoned virus - for this reason NoInt is also known as Stoned III. It
infects the boot sectors of diskettes and main boot sectors of hard
disks. Unlike the original Stoned, NoInt incorporates stealth-virus
characteristics.

On diskettes, the virus substitutes its own code for the original boot
sector, which it copies to the sectors reserved for directory
information. Thus data may be lost on an infected diskette if the root
directory contains a large number of files. After an infection the last
files on the directory listing are either completely missing or their
names have been changed to strings of arbitrary-seeming characters. In
addition to this, NoInt cannot "correctly" contaminate high density
diskettes and may cause random error situations during their use. When a
computer is booted from a NoInt-infected diskette, the virus remains
active in memory, thus reducing the available memory by 2048 bytes. The
reduction of memory can be noticed by using the commands MEM and CHKDSK.
The virus also reserves the interrupt 12h for its own use. The virus
infects the main boot sector of a hard disk every time a computer is
booted from a contaminated diskette. The original main boot sector is
transferred to the hard disk's sector 7.

NoInt is not a full stealth virus, but it can nevertheless prevent the
investigation of its code while it remains active in memory. When an
effort is made to read the boot sector of a contaminated disk, the virus
intercepts the read-request and returns read-errors. Thus the user is
given the impression that the disk under scrutiny is physically damaged.
The NoInt virus does not include other functions than replication.

F-PROT is able to locate and remove the NoInt virus.

Quit-1992

During last summer a new virus discovery was made in Finland. The
Quit-1992 virus was found during a routine check in a large
EDP-company's service department. The virus had infected one of the
computers brought in for repair. Quit-1992 is a Dutch virus that was
first found in November 1990. Once activated, the virus stays active in
memory and infects all executed EXE and COM files. The virus reserves
560 bytes of memory and captures the interrupt 21h for itself.

The contaminated programs grow 555 bytes in size - the virus is also
known by the name Dutch-555. The dates of contaminated files are updated
during the infection to show the time of contraction. The changed size
of files can be noticed by examining the directory listing.

F-PROT is able to locate and remove the Quit-1992 virus.

Joshi

An electronics company in Vantaa, Finland fell victim to the Joshi virus
in October. This quite common boot sector virus was not, however, able
to spread itself widely in the company once the infection was noticed
with F-PROT. The techniques used by the Joshi virus are relatively
advanced, and it is able to hide itself while active in memory. The
contaminated boot sectors and partition tables cannot be investigated
with toolkit programs because the virus intercepts the read request and
returns an image of original, clean data to the scrutinizing program.

When a computer is booted, Joshi checks the current date. On the fifth
of January every year, the virus interrupts the boot sequence. Having
done this, it switches the screen to 40-column text mode and prints the
message "Type "Happy Birthday Joshi" !". The computer will not continue
the boot routine until the user has typed the aforementioned birthday
congratulations to Joshi.

The virus does not contain destruction routines as such, but it may
cause problems while infecting 3.5" high density diskettes. Besides
this, the use of write-protected diskettes causes problems when Joshi
tries to infect them and fails because of the protection. That is to say
that, unlike many other advanced viruses, Joshi does not contain
routines for handling a critical disk error. The Joshi virus is able to
intercept the Ctrl-Alt-Del key combination, after which the computer
superficially seems to boot. The virus, however, stays active all the
time. It is worth remembering that when the removal of any kind of
infection is attempted, the computer must be booted from a clean,
write-protected system diskette. In practice this means turning off the
power for a while.

F-PROT is able to recognize and remove Joshi.

Yankee (TP-44)

A big company in Tampere, Finland was plagued by a Yankee infection
during September and October. This Bulgarian virus, which infects COM
and EXE files, managed to contaminate the company's LAN server. Due to the
LAN, the virus was able to spread very effectively between the
workstations. Around twenty computers were found to be contaminated when
the virus was discovered. The company had special difficulties in
completely exterminating the virus. The net and workstations had to be
cleaned with F-PROT time and again because the virus always popped up
again somewhere. Let it be mentioned that, due to the stringent virus
search, a number of diskettes contaminated by Stoned also turned up in
the company.

After the virus was discovered nearly three weeks passed before it could
be deemed finally subdued. It is probable that an employee had
contaminated a computer at home and so brought the virus repeatedly back
to the company. The Yankee virus family consists of about fifty viruses,
but the variant now discovered represents the most widely spread strain.
This version was first found in Finland as early as 1989.

Yankee (TP-44) stays resident in memory and contaminates all executed
COM and EXE programs. Besides this, on some days the virus plays the
song "Yankee Doodle" via the computer's speaker. The music starts a
couple of seconds before 5.00 pm., as if to honor the going-home time.

Despite its relative age, Yankee-44 incorporates some noticeably
advanced features: the virus deletes its code from contaminated programs
when they are investigated with DOS's DEBUG program. It has, therefore,
a primitive stealth mechanism. The virus also checks for a
previous contamination of the victim program. If an older version of the
virus has infected the program, Yankee removes it and substitutes the
newer version. Yankee can also change the Ping-Pong virus in such a way
that it stops spreading after a hundred infections.

F-PROT is able to locate and remove all known Yankee-family viruses.

Danube

Jerusalem.AntiCAD.4096.Danube virus was found during September in the
Electrical Energy Systems Department of Tampere University of Technology
in Tampere, Finland.

Danube is a multipartite virus that contaminates both COM and EXE files
and disk boot sectors. The way the virus operates varies depending on
whether the infection is contracted from a contaminated program or from
a boot sector.

When a contaminated program is executed, the virus remains in memory as
a TSR (Terminate and Stay Resident). It reserves five kilobytes of
memory for itself.

The presence of the virus can be detected with DOS's MEM /C command,
which reports that the executed program has remained in memory like a
normal TSR. After this, all executed COM and EXE files except COMMAND.COM
are contaminated. During the execution the virus also checks the boot
sector of the disk in question. If it has not been infected, the virus
writes its code there, too. When a computer is booted from an infected
disk (either a diskette or a hard disk), the virus goes resident in
memory even before DOS is loaded. The virus reduces the amount of DOS
base memory by five kilobytes. This can be verified with, for example,
the commands MEM and CHKDSK. When infecting a disk, the virus reserves
five sectors altogether for its own use - the location of these sectors
depends on the size of the disk.

The virus also contains some bugs. It cannot, for example, infect
360-kilobyte diskettes correctly. Besides this the virus corrupts
command line parameters given to a program.

The corruption of parameters is common to file viruses. It occurs
because the virus neglects to move the Disk Transfer Area (DTA) out of
the Program Segment Prefix (PSP), where DOS places it by default. The
PSP also holds the parameters given on the command line, and they are
overwritten when the virus performs its disk operations through the
default DTA. If parameters given to a program do not seem to reach it,
this is a reason to check the computer for viruses.
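The overlap described above, as an added illustration that is not part of the bulletin: the PSP and DTA are modelled in a Python bytearray rather than on real DOS. The command tail, the victim file name and the contents of DOS's private search state are constructed sample values; the layout facts (command tail and default DTA both at PSP offset 80h, 43-byte Find First record) are stated in the comments.

```python
import struct

PSP_SIZE = 256
CMD_TAIL_OFF = 0x80      # length byte at 80h, text from 81h on, terminated by 0Dh
DEFAULT_DTA_OFF = 0x80   # DOS starts every program with its DTA at PSP:0080h
FIND_RECORD_SIZE = 43    # Int 21h/4Eh result: 21 reserved + attr + time + date + size + name


class DosProcess:
    """A loaded DOS program modelled as its 256-byte PSP plus the current DTA."""

    def __init__(self, cmd_tail: str):
        if len(cmd_tail) > 126:
            raise ValueError("a DOS command tail holds at most 126 characters")
        self.psp = bytearray(PSP_SIZE)
        self.psp[0:2] = b"\xcd\x20"                    # INT 20h, as DOS places it at PSP:0000
        tail = cmd_tail.encode("ascii")
        self.psp[CMD_TAIL_OFF] = len(tail)
        self.psp[CMD_TAIL_OFF + 1:CMD_TAIL_OFF + 1 + len(tail)] = tail
        self.psp[CMD_TAIL_OFF + 1 + len(tail)] = 0x0D
        # Current DTA as (buffer, offset). Default: the PSP itself, at offset 80h.
        self.dta_buf = self.psp
        self.dta_off = DEFAULT_DTA_OFF
        self.private_buf = bytearray(FIND_RECORD_SIZE)  # storage a careful program provides

    def set_dta_private(self) -> None:
        """Equivalent of Int 21h/1Ah (Set DTA) pointing DS:DX at a private buffer."""
        self.dta_buf = self.private_buf
        self.dta_off = 0

    def find_first(self, name: str, attr: int, size: int) -> None:
        """Equivalent of Int 21h/4Eh (Find First): DOS writes a 43-byte record to the DTA.

        The first 21 bytes are DOS's private search state; their content is
        constructed here (drive number, 8.3 template) and varies by DOS version.
        Time and date are constructed values; only the layout matters."""
        base, ext = name.split(".")
        state = bytearray(21)
        state[0] = 2                                        # constructed: drive C:
        state[1:12] = (base.ljust(8) + ext.ljust(3)).encode("ascii")  # FCB-style template
        state[12] = attr                                    # attribute mask of the search
        rec = state + struct.pack("<BHHI", attr, 0x8000, 0x1921, size)
        rec += name.encode("ascii").ljust(13, b"\0")        # ASCIIZ 8.3 name of the match
        assert len(rec) == FIND_RECORD_SIZE
        self.dta_buf[self.dta_off:self.dta_off + FIND_RECORD_SIZE] = rec

    def command_tail(self) -> str:
        """What the host program sees when it parses PSP:0080h for its parameters."""
        n = self.psp[CMD_TAIL_OFF]
        if n > 126:
            return "<garbage: length byte %02Xh>" % n
        return self.psp[CMD_TAIL_OFF + 1:CMD_TAIL_OFF + 1 + n].decode("ascii", "replace")


def run_host_after_virus(relocate_dta: bool) -> str:
    """A resident file virus gets control first, looks for a victim with Find First,
    then passes control to the host, which reads its command-line parameters."""
    proc = DosProcess(" /S C:\\DATA\\REPORT.TXT")   # constructed parameters
    if relocate_dta:
        proc.set_dta_private()         # what a well-behaved TSR does before disk I/O
    proc.find_first("VICTIM.COM", attr=0x20, size=12345)
    return proc.command_tail()
```

Without the relocation the host reads a length byte and text that came from the search record, so its parameters appear truncated or garbled, which is exactly the symptom the bulletin suggests checking for.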

Jerusalem.AntiCAD.4096.Danube is, at any rate, an example of viral
evolution: it contains only a fraction of the original Jerusalem virus.
The first version of Jerusalem was written as early as 1986.

The naming of viruses has become a real problem: different anti-virus
programs named the discovered virus by, among others, the following
names:

Invader
Plastique II
Jerusalem
Invader Related Virus
Jerusalem.AntiCAD.4096
Jerusalem Related Virus (VS)
AntiCAD (2)
Jeru-2187
Anticad 4.Danube virus
Plastique/Invader
Invader-4096
Jerusalem (AntiCad-4096-Danube)

An excerpt of the naming standard of the CARO (Computer Antivirus
Research Organisation) can be found at the end of this update bulletin.

FORM off the shelf

FORM is rapidly establishing itself as one of the most common viruses.
For example, up to the beginning of the year 1992, only a couple of
incidents involving FORM had happened in Finland, but after June nearly
twenty separate cases have been reported. The virus has, among other
places, been found in public-administration organizations and
universities in different parts of Finland. FORM has also quickly become
more common globally.

One of the reasons for this is suspected to be the contamination of a
large number of bulk-diskettes produced in Italy. Bulk-diskettes are
sold in large quantities to resellers, who name and repack them and then
sell them on. In addition to this, diskettes may also have been sold to
copying companies - thus the virus may also turn up on original
diskettes.

The contaminated diskettes were preformatted 3.5" HD-diskettes. It is
difficult to single out the virus diskettes because the buyers of
contaminated diskettes are not known, and neither are the names by which
they are being resold.

F-PROT is able to locate and remove the FORM virus.

Case: Budo-virus

Friday 9.10
2.00 pm.
A student from a Technological school in Helsinki calls Data Fellows
Ltd. He suspects that one of his diskettes has been contaminated. The
contaminating agent may possibly be a new and unknown virus.

The student suspects the source of infection to be the microcomputer
class in his school.

3.00 pm.
The representatives of Data Fellows Ltd try to contact persons
responsible for the school's microlabs. Nobody can, however, be reached
anymore - it is Friday afternoon.

4.00 pm.
A representative from Data Fellows fetches the sample diskette from the
student. On the basis of the student's description a new virus case
seems obvious.

5.00 pm.
The contaminated diskette is analysed. Suspicions are confirmed: the
programs on the diskette have been infected. The virus cannot be
identified by any anti-virus program. The heuristic analysis of F-PROT
2.05 reports of the contaminated files: "This program will stay resident
in memory after execution".

Via data communication channels, the virus is immediately sent to Frisk
Software International, Iceland. FSI transfers the sample also to the
virus library of CARO, wherein other manufacturers of anti-virus
software can then retrieve it for use in their own investigations.

Sat 10.10 - Sun 11.10
The behavior of the virus is studied at Data Fellows and the viral code
is disassembled in order to investigate its functioning. The code is
found to be very destructive.

The following discoveries were made about the viral functioning mechanism:

o       When a contaminated program is executed for the first time, the
        virus hijacks the clock and keyboard interrupts for its own
        use. After that the virus remains in memory like a standard TSR
        program and reserves 2144 bytes of memory for itself. Having
        done that, the virus displays the message "Bad command or file
        name" and terminates its execution. The purpose of this is
        apparently to give the user the impression that he has written
        the name of a program incorrectly.
o       When the virus is already in memory, the contaminated programs
        only display the message "Run time error" and terminate
        execution. This means that contaminated programs can no longer
        be used.
o       The keyboard interrupt routine of the virus does nothing but
        increase a counter located in the memory area of the program
        every time a key is pressed. After that the original routine is
        executed.
o       The clock interrupt routine activates 18 times in a second. The
        routine checks whether the keyboard interrupt counter is over
        20000. If it is not, the virus checks if three minutes have
        passed since its last activation.
o       At three-minute intervals the virus searches the current
        directory for the first COM file. If no COM files are to be
        found, it locates an EXE file.
o       The COM files are checked to verify that no previous infection
        exists. No such check is performed on EXE files.
o       The virus overwrites the first 890 bytes of the host program
        with its own code. In principle, after that the contaminated EXE
        programs are structurally changed to COM programs, but DOS
        executes them in spite of that. Because the virus truly destroys
        the first bytes of the contaminated programs, they cannot be
        repaired; they must be deleted and replaced with original
        copies.
o       When the limit of twenty thousand keystrokes has been passed,
        the virus initiates its destructive routines. It displays in the
        right bottom corner of the screen the message ' BUDO V1.2 THHV
        FIN' and overwrites critical areas on the hard disk. After that
        the virus goes into an endless loop, writing random values to
        the computer's I/O ports. The computer cannot be booted from the
        hard disk after the destruction.
o       The functioning principle of the virus is rather rare. It is
        typical for memory-resident viruses to infect all the executed
        programs. It is also puzzling that, while the authors had the
        skill to write a TSR-type virus which in its operation uses
        undocumented DOS calls, the infection routine of the virus is
        primitive, an overwriting one. The authors probably do have the
        skills necessary for the writing of a 'genuine' parasite virus.
        It is possible that they have never familiarised themselves with
        the functioning of any other virus.
o       The viral code includes the text 'BUDO V1.2 THHV FINLAND'
        written in plain language. It also includes the same text
        encrypted with a simple subtraction algorithm. The encrypted
        text is displayed during the execution of the destruction
        routine. The reason for two similar texts has not been
        discovered.
o       Because the virus does not necessarily destroy the very program
        being executed at the time, it was able to spread quite
        unnoticed despite its penchant for overwriting.

It was decided to name the new virus Budo.

Mon 12.10
The manager of the school's microlab is contacted. During the discussion
it is found out that the virus has probably resided in the school's
computers the whole autumn long.

It was suspected that the virus writer had been a pupil, perhaps one
who had graduated in spring 1992 and wanted 'revenge'.

The effort to locate the virus was, as a temporary measure, based on
searching programs for the character string 'BUDO V1.2' by using F-PROT
borrowed from another department.

The number of contaminated machines was estimated to be about forty. The
work and damage expenses caused by the virus were not estimated, but
they were likely to be significant.

Data Fellows supplied the school with an external search string in order
to prevent the virus from spreading wider.

Tue 13.10
F-PROT 2.05b beta 13 is completed. The program now recognizes also the
Budo virus. Beta-testing of the version is initiated.

Thu 15.10
While F-PROT is being tested, a program, DF-BUDO.EXE, with which it is
possible to locate the Budo virus in a contaminated machine, is written
in Data Fellows Ltd. The program was created as a safety measure, to
speed recovery should new Budo-epidemics arise.

Wed 28.10
An anonymous letter arrives at Data Fellows Ltd, whose senders declare
themselves to be the authors of the Budo virus. The letter arrived in a
brown envelope. "Budo 1.2, TH & HV" was given as the sender. The
contents of the letter were as follows, with the marking XXX signifying
a place inked over with a marker. In the first of these, however, is
probably written TEKUSSA (an abbreviated form of 'in the School of
Technology').

Hi!


     Here's a new computer virus for you. We did this virus in the Forssa
     XXXXXXX in April in a slight bender as a memorial for the world. We did
     put it into distribution in Helsinki. This for you to commemorate
     semiannual distribution. The newest F-PROT 2.05 and SCAN 8.7B95 do not
     recognize and respect this good friend of ours.

      ;---------------- VIRUS.ASM  VERSION 1.2 ---------------------
      ;--------- Written by THHV, 23. April 1992, Finland ---------

     -    includes the texts "BUDO V1.2 THHV FINLAND" and "FLOW LIKE A RIVER
          - STRIKE LIKE A THUNDER", which is not printed, "Run time error"
          which is printed if the program is already in memory (TSR interrupt
          27h) that is, if 0000:0180h is 66h, if not in memory "Bad command or
          file name" is printed.
     -    changes the interrupt vectors 8h (time) and 9h (keyboard) to point
          to its own code
     -    At three-minute intervals one COM file is located in the current
          directory, if the third character from the beginning is "M" or COM
          appendices are not found, one EXE will be located. At the beginning
          of the file (over it) 890 bytes will be written. If a write-protected
          disk is in question, the DOS error message will be printed.
     -    Does not change file dates or attributes
     -    Does not infect files larger than 65280 bytes
     -    After keys have been pressed 20000 times, highlighted "BUDO V1.2
          THHV FIN" (coded) is printed on the screen buffer b800:0f78; areas
          of the c:-drive's FAT and an AT-machine's CMOS are written over and
          the machine is completely blocked.

0100  E9 D3 02 23 00 00 00 00-00 2A 2E 43 4F 4D 00 05   ...#.....*.COM..
0110  00 00 00 A0 7C 00 00 D1-18 00 00 00 00 00 00 00   ....|...........
0120  A5 FE 00 F0 9C 06 5F 0F-2A 2E 45 58 45 00 CD 0C   ......_.*.EXE...

[Part of the viral code omitted]

0440  1B 01 00 BA DD 07 CD 27-42 61 64 20 63 6F 6D 6D   .......'Bad comm
0450  61 6E 64 20 6F 72 20 66-69 6C 65 20 6E 61 6D 65   and or file name
0460  0D 0A 24

     Oh that we had a job so we wouldn't have to play with a computer.
     A new version is due in spring 1993.

     BUDO refers to the budo team XXXXXXXX, where we train regularly.

     RESPECTFULLY YOURS

     THHV

The authors of this letter probably do not know that the virus has been
found 'in the wild'. The technical description of the virus's
functioning contained in the letter does not reveal any new attributes
of it, but it confirms that the writers are the authors of the virus.

Thu 29.10
The school where the virus was originally found has declared its
intention to sue the authors.

The National Bureau of Investigation (Crime Police) has expressed its
interest in the case, but cannot initiate investigations before an
official request for it has been made. In Finland the crime belongs to a
category in which the plaintiff must press charges before legal action
can be taken.

Thu 29.10
A representative of Data Fellows gives a lecture on data security and
computer viruses at the Forssa School of Technology, where the virus
writers are supposed to be studying. This is pure coincidence; the
training session had been booked months earlier.

Although the virus writers are almost certainly present at the lecture,
they do not respond when the subject of the Budo-virus is brought up by
the speaker. The identity of the writers remains a mystery.

Summary

In Finland it is possible, under the Crime Law amended in 1991, to press
charges in cases involving viruses, but only against persons responsible
for the contamination of computers. There are no penalties for the
writing of viruses, but distributing them, wittingly or unwittingly, is
punishable. In addition to this the virus in question must cause harm or
destruction, but that is a universal attribute of all viruses.

It is possible, in this case, to sue the virus authors, if it can be
proved that they themselves have spread the virus in the school's
computers. In practice this calls for a confession - otherwise people
might easily be falsely accused. If the writers of the Budo virus are
identified and legal action is taken against them, it will set a
precedent in Finland. Even globally, trials concerning viruses are very
rare due to the fact that culprits seldom get caught. In many countries
the laws are, also, still inadequate.


The rise of new virus boards

During September two new BBS systems dealing in viruses were found in
Finland. Both were cases of pirate bulletin boards which had opened
special areas for virus exchange.

Behind both discovered boards operates a new conglomeration of Finnish
program pirates, the "Federation Of Free Traders", a.k.a. FOFT or
[F0FT], as the members call their group. The main activity of the group
is the importing of illegally copied software via modem connections. The
members avoid phone bills by misusing international phone credit cards
or rerouting phone lines - in practice, innocent bystanders have to pay
the bill.

FOFT consists of four members, all of whom are boys under twenty living
in or near Helsinki. They are known by their aliases Wiperson, Genesis,
Dr. Who and Excorcist. Three members of the group maintain their own
boards. Dr. Who's "Backstage" board contained a small-scale virus area
already in the beginning of the summer 1992, but he removed it quickly,
probably due to public attention.

The Ancient Olympos board maintained by Wiperson restricts user access
to the virus area. The entrance condition is the transfer of five new
viruses to the system - after that the user can freely retrieve viruses.

It seems that Genesis, for his part, freely admits all users to the
virus area of his board, the "Underground Connection". There are about
fifty users on the board. It is not known at the moment whether
"Underground Connection" has been discontinued or whether it has just
changed its phone number. The virus areas of both boards were apparently
quite new and did not contain large virus collections. Text files
concerning the writing of viruses were also found in large quantities on
both boards.

A board called Noble House continues its operation in Helsinki. The
board is rumored to contain over 400 MS-DOS viruses.

Both the Virus Creation Laboratory (VCL) and the Mutation Engine (MtE)
were freely distributed in Finnish underground boards during the end of
the summer. MtE was also found in many "private" boards that do not
maintain special virus areas.

Study Material for Virus Writers

Mark A. Ludwig of U.S. has published a book called "The Little Black
Book of Computer Viruses". The only purpose of the book seems to be the
teaching of novices to program MS-DOS viruses.

The book contains theory about the basics of viral functioning,
practical coding examples and the detailed listings of four different
viruses. The most eye-catching characteristic of the book is the
hypocrisy of its author. Ludwig justifies his book by the freedom of
speech and the right of computer viruses to exist. On top of all this,
the writer does not seem to be in any way a qualified expert in his
field: the book contains many errors.

Four different viruses are discussed in the book: TIMID, INTRUDER,
KILROY and STEALTH. The viruses use different mechanisms of functioning
and are all written in assembler. The STEALTH virus is noticeably more
advanced than the others and it is suspected to have been written by
someone else. None of the book's viruses intentionally attempts to
destroy data.

Because the book is available to anyone, many new versions of the "Black
Book viruses" have appeared. Some of these are undoubtedly destructive.
A coupon, with which it is possible to order the viruses on a diskette,
is distributed with the book. The price of the diskette is given as 15
dollars. An example of Mark A. Ludwig's hypocrisy is the following
excerpt, a foreword to the hex listing of the STEALTH virus:

        WARNING: The STEALTH virus is extremely contagious. Compile any
        of the following code at your own risk! If your system gets
        infected with STEALTH, I recommend that you take a floppy boot
        disk that you are certain is free from infection (borrow one
        from somebody else if you have to) and turn your computer on with
        it in your A: drive. Don't boot off your hard disk drive! Next,
        format your hard drive using your low level hard disk formatter
        (which should have come with your machine). Then run FDISK and
        FORMAT to restore your hard disk. Once you have a clean hard
        disk, format all floppy disks that may have been in your machine
        during the time it was infected. If there is any question about
        it, format it. This is the ONLY WAY you are going to get rid of
        the infection! In other words, unless you really know what
        you're doing, you're probably better off not trying to use this
        virus.

        So the following listings are provided FOR INFORMATIONAL
        PURPOSES ONLY!

        Here is the HEX listing for STEALTH:
        :10000000E9FD7A0000...

F-PROT recognises all the viruses in the book.

Windows virus - a false alarm

At the end of August one of our clients contacted us because of a
probable virus infection in a Windows environment. When an Excel
spreadsheet was opened, a dialog appeared on the screen, gruffly
announcing: "Tough Luck, This is too bad for you". When the dialog was
acknowledged, the program crashed. The problems were characteristic of a
virus or possibly of a Windows-based joke program. Under closer
scrutiny, however, things proved to be otherwise.

The company was using Microsoft Excel 2.1d SF. It was noticed, when
examining different versions of Excel, that the aforementioned text was
to be found in every EXCEL.EXE of the version 2.1, in the middle of
program code. Microsoft Ireland was contacted on the case and the
problem was found out to be simply a dialog which had been forgotten
during the development of the program and which was displayed in case of
a certain fatal error in network environment. The error in question
evaded precise definition. In any case, the incident was not caused by a
virus but by a feature. This feature has been removed from the later
versions of Excel.

WinVir - a true alarm

Data Fellows Ltd has analysed the first Windows-specific computer virus.
It recognizes Windows NE files and uses direct-action methods against
Windows applications. The virus does not infect normal DOS
applications. The virus sample was received from Sweden in September
1992. The exact origin of the virus is not known. The results of the
preliminary analysis are as follows:

o       The virus infects only Windows EXE files
o       The strings 'Virus_for_Windows v1.4' and 'MK92' are embedded in
        the code
o       The virus infects only Windows applications. The infections are
        generated at the moment of executing an infected application.
o       As a result of the infection mechanism used by the virus, an
        infected file does not start with the first double click but
        only with the second. The virus does not constitute a major
        threat to Windows users. It is not a very efficient infector and
        does not try to harm data.

The infection procedure:
1.      The virus is activated when an infected application is executed.
2.      The virus searches for a file suitable for infection in the
        default directory using the MS-DOS Int 21h, AX=4E, 4F services.
3.      If no targets can be found, execution is terminated with the
        call Int 21h, AX=4C00. The actual Windows application is not
        executed.
4.      If targets are found, they are opened one by one and their time
        stamps saved in memory.
5.      The MZ and NE headers are checked.
6.      Several values are checked from the NE header.
7.      The virus code is added in the middle of the application.
8.      The replaced code is moved to the end of the application.
9.      The CS:IP from the NE header is changed to point to the
        beginning of the viral code.
10.     The virus deletes its code from the original file and rebuilds
        it to a functional state.
11.     The execution is finished.

Other observations:
o       After the virus code is executed, the original application is
        not executed. This appears as a failed double click. As the
        virus rebuilds the original file if it manages to infect a new
        file, the next attempt to execute the original application is
        successful.
o       Infected files grow by 854 bytes.
o       The infection does not change the time stamp of the target
        application file.
o       The virus is not encrypted or protected in any way.
o       No activation routines could be found.
o       The name of the infector application and the name of the
        infected file are saved in the virus code.

A more thorough look at the possible operating mechanisms of viruses
running under Windows and OS/2 is included later in this bulletin.

Watch out for fakes

PKware's PKZIP packing program is no doubt one of the most popular
shareware programs. In spring 1992, PKware announced that it would
publish a new version of the program. The version number of the
upcoming version was given as 2.0. The publication of the program was,
however, delayed by technical problems, and some malicious persons began
to exploit people's impatience. On short notice a large number of
so-called "hack" versions of the PKZIP program began turning up.

Most of these fake versions do nothing especially malevolent, but at
least some of them are pure Trojan Horse programs and others contain
viral code. So far at least the following versions have been confirmed
as fakes:

PKZIP120
PKZIP110
PKZIP20B
PKZIP_V2
PKZ201
PKX201
PKZ202
PKZ210F
PKZIPV2
PKUNZIP.COM
PKZIP203
PKZIP221
PKZIP222
PKZ199B
PKZ305

The aforementioned files have been distributed via electronic mail
around the world. The extensions of the files vary and can be EXE, ZIP
or ARJ.

Changes in F-PROT version 2.06

Some false positives have been fixed; for example, if BACKUP.EXE was
compressed with PKLITE, F-PROT 2.05 would report the "Stanco" virus.
Joke programs, such as BUGSRES.COM, no longer increase the "Infected"
counter.

Version 2.05 did not always display the "Scanning memory" box.

Previous versions of the program were sometimes unable to remove the
Form virus from hard disks.

The /RENAME command-line switch was added; using it is equivalent to
selecting "Action: Rename" in interactive mode. It is also possible to
use /AUTO together with /RENAME.

The /NOWRAP switch can now be used in interactive mode, and the report
scrolled horizontally.

The /EXT= command-line switch was added to allow the user to determine
which file extensions to search.

Identification of infected .SYS files has been improved - previously
they were just reported as "New or modified variant of ...".

VIRSTOP did not stop compressed viruses such as Cvirus or Stanco.
Detection of these has now been added.

The report produced by F-PROT includes the volume labels of the disks
scanned.

If the user presses ESC or Ctrl-C during scanning, the program will ask
if it should stop scanning.

It is now possible to print the virus descriptions from F-PROT's
internal database.

F-TEST will return an ERRORLEVEL of 1 if VIRSTOP is not installed. Thus
VIRSTOP's residency can be checked via batch files.

The following 115 new viruses can now be detected and removed by
F-PROT 2.06:

99%
_150
_552
_1480
_2617
Adolf
Alex-368
Alexander
Angarsk
Arriba
AT II (108, 114, 118, 122)
Backfont-821
Bebe-486
Checksum-1569
Clonewar
Cls
Code Zero
Copyright-1205
Creeper-425
Dark Avenger (1947, Outland, Ps!ko-C)
Dark End
Deicide II
Diamond-Rock Steady-B
Digger
Dima
DOShunt
Dr. Qumak II
Drop
Eastern Digital-B
Enola-2430
F-Soft (458, 563)
F-you (593, 635)
Filedate 11-537
Frodo-D
Geek
Hide and Seek
Highlander
Ice-9
Ieronim (512, 560)
Ieronim II (570, 600, 1581)
Int86
Ionkina (231, 2372)
Itti-Malmsey
Japanese Christmas (B,C, D)
Jerusalem (1984, Count, Pipi)
Keypress-1266
Kiss-Apache
KLF
Larry
Lippi
Lyceum (1788, 1832, 1975)
Matura
Meditation
Minsk Ghost
MSJ
Nazgul
No Frills
November 17th-880
Nygus
Pixel-748
Possessed-2446B
Press
Problem (734, 856, 863)
Protect-1196
Red Diavolyata-662
Reklama
Raubkopie-1888
Ryazan
Seacat
Semtex-B
Signs
Sistor-2630
SK (992, 1004, 1147)
SVC 6.0-4677
Timemark (1062, 1083)
Tumen-1.3
Ufa
Ungame
Vbasic-C
Vienna (Violator-C, W-13 458, 585, 643, 719, 849, 1000)
Virdem (Locked, Wonderful)
Walker
Yankee (Login-A, Penza-1210, 1256, 1371)

The following 10 new viruses can now be detected but not yet removed.

AstraSYS (498, 510, 521)
Cannabis-B
Como
Joshi-B
Necros
Otto-415
Yankee (2505, XPEH-5856)

The following 9 new viruses can now be detected but not removed, only
deleted. This is because they overwrite infected files, or damage them
irreversibly.

Budo
Burger-Twin Peaks
Gyro
Leprosy (FVHS and Wake)
Milan (Sabrina, Naziskin, Naziskin 2)
Trivial-31B

In addition, the V-Sign virus that could be detected but not removed
with earlier versions of F-PROT can now be disinfected.

The following viruses have been renamed or re-classified:
Cracky          ->      Tolbuhin (Cracky)
Fellowship      ->      Better World
Fungus          ->      X-Fungus
Irus            ->      Virdem (Irus)
Mud             ->      BetaBoys
Reboot Patcher  ->      Lomza
Slow            ->      Zerotime
Striker #1      ->      Striker
Testvirus (B)   ->      Testvirus-B
TH-IP           ->      Capital
Tiny Hunter     ->      Squisher
USSR-1049       ->      Yankee-1049

A New Virus Naming Convention

At the Anti-Virus Product Developers Conference organized by NCSA in
Washington in November 1992, a committee was formed with the objective
of reducing the confusion in virus naming. This committee consisted of
Fridrik Skulason (Virus Bulletin's technical editor), Alan Solomon (S&S
International) and Vesselin Bontchev (University of Hamburg).

The following naming convention was chosen:

The full name of a virus consists of up to four parts, delimited by
points ('.'). Any part may be missing, but at least one must be present.
The general format is

        Family_Name.Group_Name.Major_Variant.Minor_Variant

Each part is an identifier, constructed with the characters
[A-Za-z0-9_$%&!'`#-]. The non-alphanumeric characters are permitted, but
should be avoided. The identifier is case-insensitive, but mixed-case
characters should be used for readability. Usage of underscore ('_')
(instead of space) is permitted if it improves readability. Each part
is up to 20 characters long (in order to allow such monstrosities as
"Green_Caterpillar"), but shorter names should be used whenever
possible. However, if the shorter name is just an abbreviation of the
long name, it is better to use the long name.

1. Family names.
The Family_Name represents the family to which the virus belongs. Every
attempt is made to group the existing viruses into families, depending
on the structural similarities of the viruses, but we understand that a
formal definition of a family is impossible.

When selecting a Family_Name, the following guidelines must be applied:

"Must"
1) Do not use company names, brand names or names of living people,
   except where the virus is provably written by the person. Common
   first names are permissible, but be careful - avoid if possible. In
   particular, avoid names associated with the anti-virus world. If a
   virus claims to be written by a particular person or company do not
   believe it without further proof.
2) Do not use an existing Family_Name, unless the viruses belong to the
   same family.
3) Do not invent a new name if there is an existing, acceptable name.
4) Do not use obscene or offensive names.
5) Do not assume that just because an infected sample arrives with a
   particular name, that the virus has that name.
6) Avoid numeric Family_Names like V845. They should never be used as
   family names, as the members of the family may have different
   lengths. When a new virus appears and a new Family_Name must be
   selected for it, it is acceptable to use a temporary name like _1234,
   but this must be changed as soon as possible.

"Should"
1) Avoid Family_Names like Friday 13th, September 22nd. They should not
   be used as family names, as members of the family may have different
   activation dates.
2) Avoid geographic names which are based on the discovery site - the
   same virus might appear simultaneously in several different places.
3) If multiple acceptable names exist, select the original one, the one
   used by the majority of existing anti-virus programs or the more
   descriptive one.

"General"
1) All short (less than 60 bytes) overwriting viruses are grouped under
   a Family_Name, called Trivial.

2. Group names.

The Group_Name represents a major group of similar viruses in a virus
family, something like a sub-family. Examples are AntiCAD (a
distinguished clone of the Jerusalem family, containing numerous
variants), or 1704 (a group of several virus variants in the Cascade
family).

When selecting a Group_Name, the same guidelines as for a Family_Name
should be applied, except that numeric names are more permissible - but
only if the respective group of viruses is well known under this name.

3. Major variant name.

The major variant name is used to group viruses in a Group_Name which
are very similar, and usually have one and the same infective length.
Again, the above guidelines are applied, with one major exception. The
Major_Variant is almost always a number, representing the infective
length, since it helps to distinguish that particular sub-group of
viruses. The infective length should always be used as the Major_Variant
name when it is known. Exceptions to this rule are:

1) When the infective length is not known, because the viruses are not
   yet analyzed. In this case, consecutive numbers are used (1, 2, 3,
   etc.). This should be changed as soon as more information about the
   viruses becomes known.

2) When an alpha-numeric name of the virus sub-group already exists and
   is popular, or more descriptive.

4. Minor variant name.

Minor variants are viruses with the same infective length, with similar
structure and behaviour, but slightly different. Usually the minor
variants are different patches of one and the same virus.

When selecting a Minor_Variant name, usually consecutive letters of the
alphabet are used (A, B, C, etc.). However, this is not a very hard
restriction and longer names can be used as well, especially if the
virus is already known under this (longer) name, or if the name is more
descriptive than just a letter.
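The convention above is regular enough to check by machine. The following Python code is an added example, not code from Data Fellows or the naming committee: it splits a full name into its four parts, enforces the character set and the 20-character limit, rejects numeric family names (rule 6 of the "Must" list) while only warning about the temporary _1234 form, warns about permitted-but-discouraged characters, and compares two names case-insensitively as the convention requires. The virus names appearing in its comments are used only as format examples.

```python
# Added example for this bulletin: a checker for the four-part naming
# convention. It is not code from Data Fellows or the naming committee;
# the names in comments and tests are format examples only.
import re

PART_LABELS = ("family", "group", "major", "minor")
# An identifier: 1 to 20 characters from the permitted set (the hyphen is
# placed last in the class so that it is taken literally).
PART_RE = re.compile(r"^[A-Za-z0-9_$%&!'`#-]{1,20}$")
AVOID_RE = re.compile(r"[^A-Za-z0-9_]")            # permitted but discouraged
TEMP_FAMILY_RE = re.compile(r"^_\d+$")             # _1234: acceptable for a while
NUMERIC_FAMILY_RE = re.compile(r"^[A-Za-z]?\d+$")  # V845, 845: never as a family


class NamingError(ValueError):
    """The syntax or a 'must' rule of the convention is violated."""


def parse_virus_name(name):
    """Split Family.Group.Major.Minor into parts and check the rules.

    Returns {"parts": {...}, "warnings": [...]}; a missing part (an empty
    field, as in 'Jerusalem.AntiCAD..A') is stored as None.
    """
    pieces = name.split(".")
    if len(pieces) > len(PART_LABELS):
        raise NamingError("more than four parts in %r" % name)
    parts = dict.fromkeys(PART_LABELS)
    warnings = []
    for label, piece in zip(PART_LABELS, pieces):
        if piece == "":
            continue
        if not PART_RE.match(piece):
            raise NamingError("%s part %r is not a 1-20 character identifier"
                              % (label, piece))
        if AVOID_RE.search(piece):
            warnings.append("%s part %r uses characters that should be avoided"
                            % (label, piece))
        parts[label] = piece
    if all(p is None for p in parts.values()):
        raise NamingError("at least one part must be present in %r" % name)
    family = parts["family"]
    if family is not None:
        if TEMP_FAMILY_RE.match(family):
            warnings.append("family %r is a temporary name and must be changed "
                            "as soon as possible" % family)
        elif NUMERIC_FAMILY_RE.match(family):
            raise NamingError("numeric family name %r is not allowed" % family)
    return {"parts": parts, "warnings": warnings}


def is_valid_name(name):
    """True when the name satisfies the syntax and every 'must' rule."""
    try:
        parse_virus_name(name)
    except NamingError:
        return False
    return True


def canonical(name):
    """Comparison key: identifiers are case-insensitive, and trailing
    missing parts carry no information, so 'CASCADE.1704..' and
    'cascade.1704' both map to 'cascade.1704'."""
    parts = parse_virus_name(name)["parts"]
    values = [parts[label] or "" for label in PART_LABELS]
    while values and values[-1] == "":
        values.pop()
    return ".".join(v.lower() for v in values)


def same_virus(a, b):
    """True when two full names denote the same virus under the convention."""
    return canonical(a) == canonical(b)
```

The "Should" rules (activation dates, discovery sites, choice between several acceptable names) need human judgement and are deliberately not encoded; the checker only catches what can be decided from the string itself.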


Creating an Anti-Virus Diskette for Emergency Situations
 	
To make it easier to recover from disk crashes, virus attacks or data
loss due to user error, a tool diskette should be created. The diskette
should include essential tools for disk repair, unformatting,
undeletion, virus searching and disinfecting.

Because so many tools are available, an almost endless variety of
emergency diskettes can be compiled. The simple diskette described below
is meant to be used in case of a suspected virus attack. Different
diskettes could be created to be used in other situations.

The diskette is first formatted as a system diskette with the command

  C:\> FORMAT A:/S

and the partition information of the hard disk is stored on the diskette
with the commands

  C:\> MIRROR /PARTN
  C:\> UNFORMAT /PARTN /L /TEST > A:PARTINFO.TXT

Note that MIRROR and UNFORMAT are available only in MS-DOS version 5.0
or greater.

MIRROR creates a file PARTNSAV.FIL on the diskette. This file contains
the partition information of the hard disk's logical DOS partitions and
can be written back to the hard disk with the command UNFORMAT /PARTN.
The PARTINFO.TXT file created by the UNFORMAT command contains
information about all the partitions of the hard disks. This information
cannot be restored directly to the hard disk, but it will be useful to
an expert if the hard disk becomes corrupted.

Additionally, the following files are copied to the diskette:

o       CHKDSK - for checking the integrity of disks
o       BACKUP and RESTORE or similar programs - to make backups
o       FDISK.EXE - for reconstructing the hard disk's master boot record
o       SYS.COM - for reconstructing the DOS boot record
o       UNFORMAT.EXE - to restore the image data stored by MIRROR

and at least the following parts of F-PROT:

o       F-PROT.EXE
o       VIRSTOP.EXE
o       SIGN.DEF
o       ENGLISH.TX0
o       VIR-HELP.ENG
o       SETUP.F2

An AUTOEXEC.BAT file should also be created. An example of a suitable
AUTOEXEC.BAT is shown below:

@ECHO OFF
A:\VIRSTOP
ECHO This is the anti-virus disk of Sturdy Ltd.
ECHO If you have any problems, contact Fred
ECHO at extension 4456.
ECHO Press ENTER to execute F-PROT.
PAUSE > NUL
A:\F-PROT

If special device drivers are needed for the system's storage devices,
they should be installed on the anti-virus diskette. This is necessary
with, for example, hard disks compressed with Stacker or SuperStor, disks
formatted with Disk Manager or similar products, and some SCSI drives.

It is also a good idea to write down the settings for the devices. These
settings are stored in so-called CMOS memory and can be viewed using a
setup program or the BIOS's built-in setup facility. Writing down the
settings is important as some viruses zap the CMOS or the computer's
battery can run down, wiping the settings from the CMOS. If the number
of computers is large, all settings should be written down computer by
computer and attached to the computer in question.

When the anti-virus diskette is formatted and all the necessary files
are copied, we recommend making sure that a computer can be booted from
it. If everything is in order, the main menu of F-PROT will pop up after
the booting sequence. In some cases, it may be a good idea to omit the
last line (A:\F-PROT) from the AUTOEXEC.BAT file of the diskette and run
F-PROT in command line mode, as this is considerably faster than running
the program in interactive mode from diskette.

We recommend setting Secure Scan and Disinfect/Query as defaults for
F-PROT on the anti-virus diskette. These settings usually yield the best
results in a crash recovery situation.

When the operation of the diskette has been verified and the defaults
are set, the diskette should be immediately write-protected. It should
be kept somewhere near the computer, so it will be readily available
when needed.


Viruses in Windows

It has taken surprisingly long for the first Windows specific viruses to
appear. The main reason for this is the difficulty of Windows
programming, which is much more demanding than DOS programming. In
addition, the Windows file structure is more complex than that of normal
DOS files. It will be, however, only a matter of time before virus
programmers gain sufficient knowledge on Windows programming. The first
Windows viruses have, in fact, already been found.

Windows is more vulnerable to viruses than OS/2 because the functional
parts of a DOS virus do not have to be modified for the virus to work
under Windows. Under OS/2, the code would have to be written practically
from scratch. The only parts of a DOS virus that have to be changed to
work under Windows are the infection mechanism and activation routine.

The Structure of Windows Applications

Windows and DOS programs have a different internal structure. Both begin
with the MS-DOS MZ header that enables DOS to read and execute the
program. In Windows applications, the MZ part consists of a short stub
routine that is run when the program is executed from MS-DOS ("This
program requires Microsoft Windows"). The header also contains the file
offset of the Windows header (NE header).

The Windows NE header (New Executable) is actually the same as the one
used for OS/2 applications. The NE header does not have a set location
in a program file. Instead, its location is given in the MZ header.

Windows also supports other kinds of headers:
o       LE - linear executable (for instance *.386 device drivers)
o       W3 - WIN386.EXE
o       PE - portable executable (Win32 and NT)
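As an added example (not code from Data Fellows and no part of F-PROT), the following Python script reads the MZ header, follows the offset stored at 0x3C to the extended header, reports which of the header types listed above it finds, and for NE files parses the entry CS:IP and the segment table, the very fields the WinVir analysis earlier in this bulletin describes the virus checking and rewriting. It then applies two consistency checks a defender can run over a suspect file: the entry point must lie inside an existing code segment, and the file should not extend beyond the last structure the headers describe. The field offsets follow the documented NE layout; the sample image built by build_sample() is constructed by hand for the demonstration and is not a real program.

```python
# Added example for this bulletin: an MZ/NE header parser with two
# consistency checks, written from the defender's side. Not Data Fellows
# code; the image from build_sample() is constructed filler, not a program.
import struct

NE_HEADER_LEN = 0x40   # size of the fixed part of the NE header


def executable_type(data):
    """Classify an image by the signature at e_lfanew: 'MZ', 'NE', 'LE',
    'W3', 'PE', or None when the file does not even start with MZ."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if lfanew == 0 or lfanew + 2 > len(data):
        return "MZ"                      # plain DOS program
    sig = data[lfanew:lfanew + 2]
    return sig.decode("ascii") if sig in (b"NE", b"LE", b"W3", b"PE") else "MZ"


def parse_ne(data):
    """Read the NE header fields a loader needs: entry CS:IP and segments."""
    lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    hdr = data[lfanew:lfanew + NE_HEADER_LEN]
    if len(hdr) < NE_HEADER_LEN or hdr[:2] != b"NE":
        raise ValueError("no NE header at the offset given in the MZ header")
    ip, cs = struct.unpack_from("<HH", hdr, 0x14)       # entry IP, CS (1-based seg no.)
    seg_count = struct.unpack_from("<H", hdr, 0x1C)[0]
    seg_table = struct.unpack_from("<H", hdr, 0x22)[0]   # relative to the NE header
    nonres_len = struct.unpack_from("<H", hdr, 0x20)[0]
    nonres_off = struct.unpack_from("<I", hdr, 0x2C)[0]  # absolute file offset
    align = struct.unpack_from("<H", hdr, 0x32)[0]       # file sector = 1 << align
    segments = []
    for i in range(seg_count):
        sector, length, flags, _minalloc = struct.unpack_from(
            "<HHHH", data, lfanew + seg_table + 8 * i)
        segments.append({"file_offset": sector << align,
                         "length": length or 0x10000,    # 0 means 64K
                         "code": not (flags & 1)})       # bit 0 set = DATA
    return {"ne_offset": lfanew, "entry_cs": cs, "entry_ip": ip,
            "target_os": hdr[0x36], "segments": segments,
            "nonres_end": nonres_off + nonres_len if nonres_off else 0}


def check_entry_point(info):
    """The entry CS:IP must name an existing code segment and fall inside it."""
    cs, ip = info["entry_cs"], info["entry_ip"]
    if cs == 0 or cs > len(info["segments"]):
        return "entry segment %d does not exist" % cs
    seg = info["segments"][cs - 1]
    if not seg["code"]:
        return "entry point lies in a data segment"
    if ip >= seg["length"]:
        return "entry IP 0x%04X is beyond segment length 0x%04X" % (ip, seg["length"])
    return None


def audit(data):
    """Return a list of findings (empty when the headers are consistent)."""
    kind = executable_type(data)
    if kind != "NE":
        return ["not an NE file (type: %s)" % kind]
    info = parse_ne(data)
    findings = []
    problem = check_entry_point(info)
    if problem:
        findings.append(problem)
    # Everything the headers describe should end at or before end of file.
    described_end = max([info["ne_offset"] + NE_HEADER_LEN, info["nonres_end"]] +
                        [s["file_offset"] + s["length"] for s in info["segments"]])
    trailing = len(data) - described_end
    if trailing > 0:
        findings.append("%d bytes after the last structure the headers describe"
                        % trailing)
    return findings


def build_sample(extra=b"", entry_cs=1, entry_ip=0x10):
    """Constructed minimal NE image: MZ header, NE header at 0x80, two segments."""
    img = bytearray(0x140)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew -> NE header
    ne = 0x80
    img[ne:ne + 2] = b"NE"
    struct.pack_into("<HH", img, ne + 0x14, entry_ip, entry_cs)
    struct.pack_into("<H", img, ne + 0x1C, 2)                # two segments
    struct.pack_into("<H", img, ne + 0x22, 0x40)             # table follows the header
    struct.pack_into("<H", img, ne + 0x32, 4)                # 16-byte file sectors
    img[ne + 0x36] = 2                                       # target OS: Windows
    st = ne + 0x40
    struct.pack_into("<HHHH", img, st, 0x0E, 0x40, 0x0000, 0x40)       # CODE at 0xE0
    struct.pack_into("<HHHH", img, st + 8, 0x12, 0x20, 0x0001, 0x20)   # DATA at 0x120
    return bytes(img) + extra
```

Both checks are generic sanity checks, not a signature for WinVir: a virus that rewrites CS:IP to code placed inside an existing segment passes the first, and the second does not account for resource data, so on a real program compare its trailing-bytes figure against a known-good copy of the same file rather than treating it as a verdict on its own. Calling audit(build_sample()) returns an empty list; audit(build_sample(b"\x90" * 854)) reports the 854 appended bytes, and audit(build_sample(entry_ip=0x200)) reports the entry point moved outside its segment.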

A Windows application gives a virus better hiding places than a DOS
application. One example is ordinary dynamic libraries, which can be
given any kind of file name extension. The files that can contain
executable code (and viruses on the side, of course) can no longer be
recognized by their extensions. In addition to ordinary EXE files, a
virus can also infect font files or display drivers.

The Execution of an Application and Interrupts

Under Windows, the execution of an application is done by calling the
WinExec() function. The function generates the following interrupt call:

INT 21h AH=4BH (EXEC)

The same interrupt is used in MS-DOS. A resident MS-DOS program that is
watching the interrupts does not see this call, however. Instead it sees
the following interrupt:

INT 21h AH=3DH (OPEN)

What is the reason for this?

Windows is a DOS extender that functions in protected mode. It uses Int
21h calls in protected mode. Because DOS cannot execute protected-mode
applications, the Windows DOS extender (WIN386.EXE or DOSX.EXE) provides
its own implementation of EXEC. The extender's EXEC uses DOS file
services to read an application into memory.

Kernel

The Windows environment is at its most vulnerable during the bootstrap
process. The Windows kernel does not have its own file management
functions and uses DOS services (Int 21h).

The kernel manages the Windows bootstrap even though it itself has an NE
header. The process is as follows:
o       The stub code located in the MZ header is executed
o       The application file (the kernel itself) is opened
o       The NE address is retrieved from the MZ header
o       The correct start address (CS:IP) is retrieved from the NE header
o       The value 'OK' (4B4Fh) is written to the AX register
o       The CS:IP is pushed onto the stack and a RETF is executed
o       BOOTSTRAP is executed
o       BOOTSTRAP calls the DPMI services
o       The old interrupt vectors are saved along with the DPMI
        exception vectors. The vectors are replaced with new ones that
        Windows will use.
o       The rest of the Windows system is loaded

The Functional Mechanisms of Viruses in Windows

It has taken a long time for the first Windows specific viruses to be
written. There have, however, been several DOS viruses that infect
Windows applications. The most probable result of such an infection is
that the Windows application can not be executed any more.

The reason for this is that the virus writer has not taken into account
the possibility of an abnormal header. Some of the more advanced viruses
have been able to infect the MS-DOS stub. The execution of a Windows
application infected with such a virus results in the activation of the
virus. This works only when an attempt has been made to execute the
Windows application from MS-DOS.

Even a virus of this kind would not spread under Windows. It would
function only in MS-DOS.

The writing of a direct action virus for Windows is technically more
challenging than writing a similar MS-DOS virus. Unfortunately, a
Windows virus can be built by modifying the infection mechanism of an
existing DOS virus. The structure of the NE header will have to be taken
into account, of course, which makes the programming of a Windows virus
a little more difficult. The first virus like this was found in
September 1992 (WinVir).

The programming of a Windows virus functioning as a background process
(the equivalent of a DOS TSR) is much more difficult. The Windows memory
protection scheme makes it harder for programs to modify memory areas
reserved for other applications. Protections like this do not exist in
MS-DOS at the moment.

Memory protection gives no shelter against viruses because very few
virus writers have used techniques like this even in DOS.

A special development toolkit exists for the design of device drivers.
The DDK (Device Driver Kit) gives the programmer free rein in the
computer with no limitations. The most dangerous Windows viruses will
probably be written with the DDK.

The use of OLE (Object Linking and Embedding) creates interesting
possibilities for virus infection. With OLE it is possible to include
executable code in documents. This means that we will some day have to
check documents for viruses as well as programs.



Copyright (c) 1992 Data Fellows Ltd.
