NOVEMBER 1995

THE INTERNATIONAL PUBLICATION ON COMPUTER VIRUS PREVENTION, RECOGNITION AND REMOVAL

Editor: Ian Whalley

Assistant Editor: Megan Skinner

Technical Editor: Jakub Kaminski

Consulting Editors:
Richard Ford, NCSA, USA
Edward Wilding, Network Security, UK

IN THIS ISSUE:

• Winword again. Following hot on the heels of our report on the first WordMacro virus comes an analysis of a second such virus, Nuclear: turn to p.8.

• A bluestocking conference. The VB team has just returned from Boston, where one of their most successful conferences ever took place. The full report begins on p.16.

• Detecting a new way. RG Software has released a new product which claims to detect any and all boot sector viruses. See how the product fared, from p.21.

CONTENTS

EDITORIAL
I could tell you, but then I’d have to kill you  2

VIRUS PREVALENCE TABLE  3

NEWS
1. Shipping Viruses  3
2. Big Fish, Little Fish  3

IBM PC VIRUSES (UPDATE)  4

INSIGHT
Once a Researcher…  6

VIRUS ANALYSES
1. A Nuclear Concept: Another Hit for MS Word  8
2. Tai-Pan  10
3. Dementia – The File Thief  12

FEATURE
Revisiting the DOS Scanner Testing Protocol  14

CONFERENCE REPORT
VB 95 – Reaching the World  16

PRODUCT REVIEWS
1. NetShield  18
2. No.More #*!$ Viruses?  21

END NOTES & NEWS  24

VIRUS BULLETIN ©1995 Virus Bulletin Ltd, 21 The Quadrant, Abingdon, Oxfordshire, OX14 3YS, England. Tel +44 1235 555139. /95/$0.00+2.50 No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form without the prior written permission of the publishers.

Symantec 1048
Symantec v. Finjan
IPR2015-01892

000001

2 • VIRUS BULLETIN NOVEMBER 1995

EDITORIAL

I could tell you, but then I’d have to kill you

Regular readers of this column will probably have noticed that I have a certain tendency to write about Microsoft with what may appear to be excessive frequency. Why should this be? Perhaps I bear some historic grudge against this company? Perhaps I was in line to rule the PC roost until that nice Mr Gates came along? Perhaps I am simply jealous of a man who, even back in 1990, was worth a cool three thousand million dollars? Well, no – none of these are true. Honest.

The reason is, as the Chinese curse puts it, we live in interesting times. Not only that, these times are, like it or not, being driven by Microsoft. There is a lot happening. Windows 95 is now with us, bringing with it all its opportunities, and of late we have the intriguing new field of the macro virus opening up, currently centred around Microsoft Word. It is this latter which at present occupies my mind, and the minds of many others.

The phenomenon of the macro virus is proving a tricky problem for anti-virus researchers. In principle, detection of such creatures is not a problem even for the conventional scanner. The DOS/Windows scanner is running outside the system under which the virus operates (Microsoft Word), so any attempts by such viruses at stealth will not work. The viruses are trivial both in terms of their functionality and in terms of their appearance within the binary document files.

So, where does the problem lie? It lies with the information. Specifically, the information required to locate the macros within the document on disk. Without this, speedy and accurate searching for these new viruses is considerably harder; with it, it is possible for the scanner to go straight for the areas of the document in which the macros reside, and find them quickly and reliably.

Obtaining documentation on this subject is not easy. Give it a try if you have a month to spare – phone up your local Microsoft office and ask. It’s great fun, if you like hold music. To be fair though, the goodies in this area have not been entirely withheld by the folks in Redmond. The formats of modern document-types, such as Word, are non-trivial to say the least, and what the anti-virus industry wishes to do is not something that could have been anticipated six months ago.

Even after such information is obtained, there is a second problem. This, like so many, is concealed by an acronym – NDA. Non-Disclosure Agreement. Such an agreement is a mechanism by which a company can keep its secrets, whilst still telling people whom they consider have a need to know.

Suppose you are a large software house, and you want to commission my company to write a viewer for the files generated by your new wonder-product, WidgetDesign™. At the same time, of course, you don’t want any other companies to know what you will have to tell me, otherwise one of them may come up with WidgetHack, a cheaper, smaller, more efficient Widget creation tool which is file-for-file compatible with WidgetDesign. In this situation, you get me to sign an NDA. This states that I may not discuss the information I am obtaining, or insights gained directly from that information, with anyone outside of our two companies.

This is an interesting concept to the normally voluble members of any programming community. Hackers, and I use the word in the traditional sense without implying negativity, are a talkative lot. They like to discuss what’s being done and how to do things, and the anti-virus community is no exception. The concept of an NDA is anathema to this spirit, and to the oft-quoted ‘information wants to be free’ ethic. Whilst this latter phrase is both over- and mis-used, it would nonetheless be nice to believe that it still has some substance.

The anti-virus community is startling, above most others, for the level of technical cooperation which goes on within it – clearly there are limits, but these are set higher than one might expect. All NDAs can do is to stick oars into this flow of communication. However, as we move into still more interesting times, the problem of NDAs and general lack of information is bound to reappear. It will be with different systems, even different companies, but inevitably it will happen again.


NEWS

Shipping Viruses

This month has seen two more incidents coming to light of computer viruses being mass-shipped on floppy disks.

The first came from Digital Equipment Corporation, and was given to delegates at the DECUS conference held in Dublin during the second week of September 1995. The disk, which contained white papers concerning Digital’s product strategy, was discovered also to be carrying the Microsoft Word virus Concept [for an analysis, see VB, September 1995, p.8].

Digital has since distributed to their customers both clean copies of the documents and the Microsoft Scan tool to remove the Concept virus. They are also offering a Software Hotline on +353 91 754029 (08:00–16:00 UK time).

In a separate incident, PC Magazine in the UK distributed the Sampo virus on diskettes which were sent out to advertise their ‘Editor’s Day’ at the end of October. This incident is made all the more ironic by the fact that, in the same month, the magazine published a review of anti-virus NLMs. PC Magazine has since shipped an alert, along with an anti-virus utility to detect and remove the virus, to recipients of the infected diskette.

Big Fish, Little Fish

McAfee Associates has announced the acquisition of two companies in the UK. The integration of Saber Software with McAfee has heralded plans for the launch of a dozen new products within the next year, and will culminate in a family of enterprise-enabled systems management tools for PC LANs.

Bill Larson, President, CEO, and Chairman of McAfee, said: ‘The combination of our companies and product lines will create a best-of-breed family of highly integrated point products and suites.’

Following the acquisition of Saber, McAfee has also announced the purchase of IPE, which was until now McAfee’s exclusive agent in the UK.

Peter Watkins, VP of International Operations at McAfee, had this to say of the deal: ‘According to a recent report from IDC, McAfee has a 76% worldwide market share for desktop anti-virus software for our VirusScan and NetShield products. Now with a secure European base, we will be looking to expand our activities in Europe and establish McAfee as the vendor of choice for any user investing in quality network security products.’

IPE’s subsidiary, International Data Security (IDS), will remain independent, and continue to market and sell the entire McAfee product range.

Prevalence Table – September 1995

Virus                  Incidents   Reports (%)
AntiEXE                    35         12.4%
Form                       31         11.0%
Parity_Boot                26          9.2%
Ripper                     19          6.7%
NYB                        15          5.3%
Empire.Monkey.B            14          5.0%
Sampo                      14          5.0%
AntiCMOS                   12          4.3%
Concept                    12          4.3%
Junkie                     12          4.3%
EXEBug                     10          3.5%
Telefonica                  7          2.5%
Stoned.Angelina             6          2.2%
Cascade.1701                5          1.8%
Jumper.B                    5          1.8%
Natas                       5          1.8%
Manzon.1414                 4          1.4%
She_Has                     4          1.4%
Stoned.NoInt                4          1.4%
Barrotes                    3          1.1%
Helloween                   3          1.1%
Stoned.Manitoba             3          1.1%
Stoned.Michelangelo         3          1.1%
Stoned.Standard             3          1.1%
Byway                       2          0.7%
V-Sign                      2          0.7%
Other *                    23          8.2%
Total                     282          100%

* The Prevalence Table includes one report of each of the following viruses: Boot.437, BootEXE.451, Bye, Empire.Monkey.A, HideNowt.1741, Istanbul, Italian, Jackal, Jimi, Joshi, Leandro, Lixi, Print_Screen_Boot.A, Quicky.1376, Quox, SMEG:Pathogen, Stoned.Kiev, Stoned.NOP, Stop.1045, Tai-pan, Tequila, Urkel, UVscan.

Stop Press

Just as Virus Bulletin goes to press, there is more news breaking concerning Microsoft Word viruses. The latest such creation was posted to the Usenet newsgroup alt.comp.virus during October 1995, and has been named Colors by researchers. It is non-destructive, the only trigger being to randomise the Windows colours. The remaining techniques used by the virus appear to be fairly standard, and it is encrypted (as is Nuclear) using the internal Word macro encryption technique.


IBM PC VIRUSES (UPDATE)

The following is a list of updates and amendments to the Virus Bulletin Table of Known IBM PC Viruses as of 21 October 1995. Each entry consists of the virus name, its aliases (if any) and the virus type. This is followed by a short description (if available) and a 24-byte hexadecimal search pattern to detect the presence of the virus with a disk utility or a dedicated scanner which contains a user-updatable pattern library.

Type Codes

C  Infects COM files
D  Infects DOS Boot Sector (logical sector 0 on disk)
M  Infects Master Boot Sector (Track 0, Head 0, Sector 1)
N  Not memory-resident
E  Infects EXE files
P  Companion virus
L  Link virus
R  Memory-resident after infection

Army_Boots
CR: An appending, 411-byte virus, which modifies the contents of AUTOEXEC.BAT. It contains the plaintext strings: ‘C:\AUTOEXEC.BAT’ and ‘@ECHO din mamma har paa sig arme stoevlar!’.
B80D F0CD 2181 F90D F074 558C D848 8ED8 33FF 8EC7 803D 5A75

CK.777
CN: A prepending, 777-byte, direct infector, infecting three files at a time. It contains the encrypted text: ‘The China Syndrome Version 1.00a Written by Crypt Keeper Well, I guess you found the sectors...You got a warning...This program was written in the city of Cincinnati. Non-destructive version -A- l8rd00d’.
E8AA FFBB 0010 0E07 B44A CD21 0E07 BB00 10E8 D9FF A31C 00BB

Crazy_Frog
CER: An appending, encrypted, 1417-byte virus with the text: ‘cRaZy fROG, (c)95 by iRASCiBLE’.
8B96 6E05 2E8B 8670 052E 3114 2E31 4402 83C6 04E2 F4C3 E440

DigPar
CR: A polymorphic virus, about 1000 bytes long, which contains the text: ‘The Digitised Parasite: Australian Parasite [AIH]’ and ‘Weiners XOR machine 1.0 (c) Australian Parasite [AIH] June 1994’. The pattern below detects the virus in memory only.
B43F B903 00BA B503 CD21 89D6 81C2 9856 3914 746E B802 4233

Ebola
ER: A polymorphic, 3000-byte virus which often causes system crashes. It contains the text: ‘Ebola virus 1.2! Extremly stealthmutating system! Technical infos: No way to detectFucked heuristicsGreets go to allvirus detelopinggroups in Brno ! Czech republic94’. It is not likely that we will see this virus spread widely. The template below detects it in memory.
9C3D 004B 746A 80FC 4074 8D3D E4F7 7447 3D2F C974 4A80 FC4E

ExeHeader.265
ER: A stealth, 265-byte virus which inserts its code into EXE headers. The virus hooks Int 13h and infects files when they are read. It contains the text: ‘[Dying_Oath] by Retro’.
8B07 354D 5A74 1126 803F EB75 4426 817F 5CB4 0D74 2EE9 3900

H8
CR: A prepending, 1773-byte virus with stealth capabilities. It contains the plaintext strings: ‘[H8YourNMES]’ and ‘xtf-ndivskavcommand’.
B4FF CD21 C706 0601 EB01 0BC0 7507 EB01 80B4 FECD 21E8 4003

Horsa
CN: An appending, 1185-byte direct infector which uses direct disk access (Int 25h/Int 26h).
AA1E E800 0058 2D12 0033 D2B9 1000 F7F1 0BD2 7403 E98B 038C

Kela
CER: An appending, stealth, 2018-byte virus. All infected files have their time stamps set to 62 seconds.
B8FF FFCD 210E 1F8E C0BF 0001 8BF5 B9E8 03F3 A61F 0775 03E9

Lady Death
CER: A polymorphic, appending virus, approximately 2744 bytes long, containing the text: ‘Lady Death: Dark Fiber [NuKE]’ and ‘Stainless Steel Armadillo’. The virus corrupts EXE and some COM files. The template below detects it in memory.
39F0 5E75 263D DF2E 7504 B864 9FCF 569C 50BE 4A0A FC2E AC2A

Leda
CR: An appending, 820-byte virus with the following encrypted text (displayed from 6–11 November): ‘Masz wirusa LEDA (BDv3.0), (c) BD 27.V.1994’, ‘PS Dzieki dla autora wirusa FLOOR 1153’.
B8BD 57CD 2181 FB14 BD74 22B8 2135 CD21 895C 678C 4469 832E

Manzon
CER: A polymorphic, appending virus, circa 1400 bytes long, which contains the text: ‘MANZON (c)’. The template given detects it in memory.
3DBA DC75 0590 908B D0CF FAFC 80FC 3E74 183D 004B 7403 E95E

Merci
CO: An overwriting, 308-byte virus with the encrypted text: ‘.COM *.C* CHKLIST.MS ANTI-VIR.DAT’. When the virus infects a file it displays this message: ‘Merci virus infected: <filename>’.
E803 00EB 3990 BE3E 018B FEB9 F600 AC32 0639 01AA E2F8 C3E8

Mirage.1331
CER: A 1331-byte virus with stealth capabilities. It appends itself to EXE files, but prepends itself to COM files. The virus contains the plaintext strings: ‘Mirage’ and ‘\COMMAND.COM’. The time stamp of all infected files is set to 62 seconds.
80FC FA75 4B5F 5F3C 0374 15BF 0001 5751 BE33 06B9 CCF9 F3A4

Monica.885
CR: An appending, encrypted, 885-byte virus which contains a dangerous payload. The virus sets and activates the CMOS password with the option to verify it at both CMOS setup and PC bootup. The new password is set to ‘MONICA’.
B929 0381 EE38 03E8 0100 155F 2E8A 052E 3004 46E2 FA58 5F59

Multiplex.815
CN: An appending, 815-byte, direct infector containing the plaintext strings: ‘MULTiPLEX (c) 1994 Metal Militia\Immortal Riot, Sweden’, ‘Somewhere, somehow, always :)*.com’, ‘IRUSES’, ‘ImRio’.
E800 0058 2D0A 01E8 9502 E814 03E8 2402 B447 B200 568D 9CED

NRLG.755
CR: An appending, stealth, encrypted, 755-byte virus; the shortest member of the NRLG family. It contains the text: ‘[MuTaTiOn INTERRUPT] 1994 - Thanks to N.R.L.G. - 800 LIMO 1-800-972-7117’.
F303 8DBE 3301 BA01 00F6 15FF 05F6 1547 47EB 0590 B44C CD21

NRLG.824
CR: An appending, encrypted, 824-byte virus with stealth capabilities. It contains the text: ‘[MuTaTiOn INTERRUPT] 1994 - Thanks to N.R.L.G. -AZRAEL800 JEWELRY 1-800-346-7231’.
BA01 0080 35E5 FF05 8135 E41B FF05 F715 802D 4F80 35AC 812D

NRLG.853
CR: An appending, stealth, encrypted, 853-byte virus containing the text: ‘[MuTaTiOn INTERRUPT] 1994 - Thanks to N.R.L.G. - 800 SEAFOOD 1-800-472-0542’.
5504 8DBE 3301 BA01 00F6 15FF 05F6 1547 47EB 0590 B44C CD21

NRLG.865
CR: An appending, stealth, encrypted, 865-byte virus with the text: ‘[MuTaTiOn INTERRUPT] 1994 - Thanks to N.R.L.G. - 800 ROOMS 1-800-442-6633’.
6104 8DBE 6001 BA01 0081 354C C581 2D95 CB80 2DA6 812D 98DB

NRLG.872
CR: An appending, encrypted, 872-byte virus which occasionally crashes the system. It contains the text: ‘Nemesis 1995 Gooberish’.
6804 8DBE 4701 BA01 00F7 15F7 1581 3575 BE80 35D8 802D E880

NRLG.901
CR: An appending, encrypted, 901-byte virus with stealth capabilities, which contains the text: ‘[NuKE] N.R.L.G AZRAEL’ and ‘Created by MuTaTiOn INTERRUPT! This Could Have Formatted Your Hard Disk! See +++rus Goobers! 1994’.
8504 8DBE 5F01 BA01 0081 2D6D 1281 35FB 4CF7 1580 3501 8135

NRLG.985
CR: An appending, stealth, encrypted, 985-byte virus, which contains the text: ‘[MuTaTiOn INTERRUPT] 1994 - Thanks to N.R.L.G. - 800 DRUGS 1-800-872-1626’.
D904 8DBE 3301 BA01 00F6 15FF 05F6 1547 47EB 0590 B44C CD21

NRLG.1007
CR: An appending, stealth, encrypted, 1007-byte virus. It contains the text: ‘[MuTaTiOn INTERRUPT] 1994 - Thanks to N.R.L.G. - 800 NANNY 1-800-443-4411’.
EF04 8DBE 3301 BA01 00F6 15FF 05F6 1547 47EB 0590 B44C CD21

NRLG.1009
CR: An appending, stealth, encrypted, 1009-byte virus. It contains the text: ‘[MuTaTiOn INTERRUPT] 1994 - Thanks to N.R.L.G. - 800 FLOWER 1-800-878-1073’.
F104 8DBE 3301 BA01 00F6 15FF 05F6 1547 47EB 0590 B44C CD21

NRLG.1038
CR: An appending, encrypted, 1038-byte virus with stealth capabilities. It contains the text: ‘[NuKE] N.R.L.G. AZRAELi!’.
0E05 8DBE 5901 BA01 0080 3578 802D 95F7 15FE 0581 053E 3DF7

Oxan
CR: A simple, appending, 710-byte virus. On every twelfth day of February (12 February) it displays the text: ‘Happy birthday Oxan !’. On any other afternoon, during the first 20 minutes of each hour, it displays the current version of DOS using the message: ‘MS-DOS Version <current DOS version>’.
FB9C 3D00 4B75 03E8 0B00 9DFA 2EFF 2E11 00EB 4011 0050 5351

OpalSoft
CN: An appending, 683-byte, direct fast infector. It contains the plaintext string: ‘*.COM OpalSoft 10.3.1994 v1.1 C:\’.
C706 3C02 3412 CD19 B980 00BB 0000 8B87 8000 2E89 8129 FE43

V.720
ER: An appending, 720-byte virus which marks all infected files with a time stamp of 62 seconds.
B8FF FFCD 213D 0001 740B 545A 3BD4 7505 33F6 E825 0058 0510

XERAM
CEN: An appending, encrypted, 1663-byte, direct, fast infector containing the text: ‘N-XERAM’. It deletes the files \CHKLIST.MS, \SCANVAL.VAL, and \NCDTREE\NAV_._NO. The payload, which triggers on any Friday the 13th, includes overwriting 255 sectors on a hard disk if the country code is France, US, Japan, Taiwan or Germany.
B904 0333 F6A1 3E01 3104 4646 81FE 2E01 7504 81C6 7800 4975
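As an added example (not code from Virus Bulletin), here is a small scanner for a user-updatable pattern library in the format printed in this table: it parses the 24-byte hex strings, skips patterns the table marks as memory-only when scanning files, finds a pattern even when it straddles a read-buffer boundary, and decodes the DOS directory time word to flag the 62-second stamp that Kela, Mirage.1331 and V.720 leave on infected files. The two patterns are Army_Boots and DigPar from this page; the sample buffers are constructed and contain no virus.

```python
"""Scanner for Virus Bulletin-style 24-byte hexadecimal search patterns.

Added example, not code from Virus Bulletin. The two patterns are copied from
this issue's table (Army_Boots, a file pattern; DigPar, memory only); the sample
buffers used below are constructed filler bytes and contain no real virus.
"""
import io
import re

PATTERN_LEN = 24           # every VB search pattern is 24 bytes
OVERLAP = PATTERN_LEN - 1  # bytes carried across chunk boundaries

# name -> (pattern as printed in the table, detects in memory only?)
PATTERN_LIBRARY = {
    "Army_Boots": ("B80D F0CD 2181 F90D F074 558C D848 8ED8 33FF 8EC7 803D 5A75", False),
    "DigPar": ("B43F B903 00BA B503 CD21 89D6 81C2 9856 3914 746E B802 4233", True),
}


def parse_pattern(text):
    """Turn 'B80D F0CD ...' into 24 raw bytes; reject anything malformed."""
    hexstr = "".join(text.split())
    if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % (2 * PATTERN_LEN), hexstr):
        raise ValueError("malformed 24-byte pattern: %r" % text)
    return bytes.fromhex(hexstr)


def compile_library(library, in_memory_scan=False):
    """Return {name: bytes}. Memory-only patterns are dropped for file scans:
    the table notes that for polymorphic viruses the string only matches the
    decrypted copy in memory, so on disk it would give a false sense of coverage."""
    compiled = {}
    for name, (text, memory_only) in library.items():
        if memory_only and not in_memory_scan:
            continue
        compiled[name] = parse_pattern(text)
    return compiled


def scan_buffer(data, compiled, base=0):
    """Find every occurrence of every pattern in data.
    Returns [(name, absolute_offset)] sorted by offset."""
    hits = []
    for name, sig in compiled.items():
        pos = data.find(sig)
        while pos != -1:
            hits.append((name, base + pos))
            pos = data.find(sig, pos + 1)
    return sorted(hits, key=lambda h: (h[1], h[0]))


def scan_stream(stream, compiled, chunk_size=1 << 20):
    """Scan a binary file object chunk by chunk, carrying the last 23 bytes of
    each chunk into the next so a pattern straddling a boundary is still found.
    No duplicates arise: a full 24-byte match can never start inside the tail."""
    hits, tail, base = [], b"", 0  # base = file offset of tail[0]
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        data = tail + block
        hits.extend(scan_buffer(data, compiled, base))
        keep = min(OVERLAP, len(data))
        base += len(data) - keep
        tail = data[-keep:]
    return hits


def scan_bytes_in_chunks(data, compiled, chunk_size):
    """Convenience wrapper so an in-memory buffer can exercise scan_stream."""
    return scan_stream(io.BytesIO(data), compiled, chunk_size)


def dos_time(word):
    """Decode a 16-bit DOS directory time word into (hours, minutes, seconds).
    Layout: bits 15-11 hours, bits 10-5 minutes, bits 4-0 seconds/2."""
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2


def has_62_second_stamp(word):
    """Kela, Mirage.1331 and V.720 mark infected files by setting the seconds
    field to 31 (= 62 s), a value DOS itself never writes (it stores 0..29);
    flagging directory entries carrying it is a cheap triage check."""
    return (word & 0x1F) == 31


if __name__ == "__main__":
    lib = compile_library(PATTERN_LIBRARY)
    # Constructed sample: filler bytes around the Army_Boots pattern.
    sample = b"\x90" * 60 + parse_pattern(PATTERN_LIBRARY["Army_Boots"][0]) + b"\x90" * 60
    print(scan_bytes_in_chunks(sample, lib, chunk_size=64))  # [('Army_Boots', 60)]
    print(dos_time(0x5BFF), has_62_second_stamp(0x5BFF))    # (11, 31, 62) True
```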

INSIGHT

Once a Researcher…

There is a farm in upstate New York which is avoided ‘like the plague’ by strangers to the area: there are signs posted on the boundaries that warn of live viruses on the property. The farm is Virus Acres; it is owned by a man who enjoys a joke: Ross Greenberg.

Despite the fact that he has kept a low profile lately, Greenberg is a familiar name to many virus researchers, and the author of Flushot+ and Virex PC. However, the former is now defunct, and the latter no longer one of the major players. So where has he been, and what has he been doing?

Being There

Chameleon is a word one could use to describe this man: change seems to be a constant in his life; from student to media person to programmer to anti-virus researcher, once more to programmer, and who knows where from here?

He comes from what he calls a typical middle class, Long Island, Jewish background. His mother was a dental assistant; his father was an engineer who instilled in Greenberg a passion for seeing how things worked: ‘My father made sure that, whatever I took apart, I put together again. I never got the opportunity of throwing things out,’ he recalled. ‘It was “Keep with it until you put it back together” – and I did!’

This practical childhood did not prepare him very well for a disappointing sojourn at university: ‘I went to Stoneybrook, New York’s state university, to study Physics, mathematics, and philosophy. I never did get around to graduating – in 1978, my senior year, I looked around at what kind of job I could get, and saw that a physicist working at Brookhaven National Labs with 15 years of experience and two PhDs was worth about $17,000 a year. So, I took a job with MetroMedia TV, a local network, starting at that salary!’

Greenberg’s responsibilities at MetroMedia lay in setting up PC to PC communications programs to coordinate radio and TV advertising, so the company could gauge how much money they were either making or losing: he stayed a mere eight months, going from there to private consultancy.

‘Communications by that time had become a speciality of mine,’ he explained. ‘There were few people around who could do it. If you had a spell at a thing, you became a specialist. I could charge top dollar, which was sort of fun!’

Flushot: Pluses and Minuses

Gradually, Greenberg began to branch out into more general things, writing programs. He remembers a person who was beta testing one of his products sending him a note: ‘…from a fellow named Ken van Wyk. That note, which he put up on the Net, said that he was being attacked by – I think he called it a virus; a Lehigh virus.

‘I thought that this was really horrible, and that it would affect the on-line community adversely, so I put out a fix; a program called Flushot – it was downloaded astoundingly quickly, and I started getting tech support calls. Then, as it became bigger, I put it out as shareware – I think it cost $14.00 all-in – and the next thing you know people are buying it, and making demands. That was in the mid-1980s.

‘In those days,’ he said, ‘there were no scanners. I created a behaviour blocker based on what I was told about the virus. I think McAfee was the first to produce a scanner. A fight soon broke out between the anti-virus people over scanners and behaviour blockers. The scanner won, for many reasons, but I think behaviour blockers are more effective. They fight the unknowns – scanners do diddley-squat for unknowns!’

Virex PC

Soon after, Greenberg was contacted by a company called HJC Software: they had a Macintosh anti-virus product called Virex which they wanted to develop for the PC, and believed Greenberg could do it. Dealings with HJC were, for Greenberg, less than ideal, and the company sold out to Microcom: ‘They marketed it into the ground,’ he recalled. ‘When I threatened to sue for breach of contract, they offloaded it onto Datawatch. I think they noticed Virex PC still had its head above ground, so pushed it down more.’

‘Anything I had to say about the product,’ he went on, ‘was rejected by Microcom and Datawatch. They had a distinctive “Not-invented-here” paranoia which prevented them ever taking suggestions from me. So, Glenn (Jordan, formerly of Datawatch) and I would confer and figure out how he could present them in a manner more palatable to their paranoia. He did a wonderful job for Virex PC.’

Leaving the Rat-race

Subsequent to this, Greenberg decided to distance himself both from Virex PC and the City, and moved to a farm in upstate New York. ‘I haven’t been doing much virus work,’ he said. ‘I’ve been developing telecommunications programs, in particular a shareware product, RamNet UUCP. It’s a background program that talks to UUCP protocol. They came out commercially at $198.00, but I didn’t like the idea of having to do the marketing and advertising, so I dropped the price to $49.00. Commercially, it’s meeting my expectations – and they are that I can retire in about a year!

‘Since I haven’t been so active in the anti-virus world,’ he went on, ‘it’s been interesting to see how short-term people’s memories are. I’ve been out of the picture for three years or so, and at VB 95, I noticed that some people hadn’t heard of my products. All the CARO members know me, of course, but some of them don’t know what I’ve been doing.’

Carrots and Other Nourishment

Greenberg is still, to an extent, an active member of CARO; though, as he stated, there is no membership per se: ‘CARO,’ he asserted, ‘is a group of people loosely affiliated who share common interests, involving computer viruses and beer drinking! I share my knowledge and expertise with fellow anti-virus people. This is what CARO is about. They are more active in the field than me, though – when a new virus comes in, they jump on it straight away… I do it when I get around to it. Often, when that time comes, it’s been done!’

Greenberg sees no new techniques in virus writing: ‘Polymorphism was one… Interrupt stripping was another… Big deal! The first fifty viruses I tore apart were fascinating, each and every one of them. Of the next couple of hundred, some were mildly interesting, most were boring. The next thousand or so were pretty tedious. The ones that came later – boy, I was glad I was out of the business. Someone had to tear them apart, and I didn’t want to.’

Not a single virus, in his opinion, stands out as an exemplary piece of coding, though some he recalls for other reasons: ‘DBase was interesting… that was the first virus to screw around with data. Datacrime I remember because I was interviewed by five TV stations, and only one – CNN – had the guts to play what I’d said; that it was a non-problem. I didn’t get any airtime with the major networks,’ he related, ‘because I wouldn’t say the sky was falling. Unfortunately, media hype has made some vendors extraordinarily rich.’

The Legality of it All

Here in the UK, a young man will soon appear in court for sentencing after having been charged with eleven offences under the Computer Misuse Act. He is charged with writing viruses, and with inciting others to do the same. Could a similar thing happen in the USA? ‘There was one person, PhiberOptik, who was sent to jail,’ mused Greenberg. ‘When he came out, he was a folk hero; everybody celebrated him because he didn’t do anything “all that bad”. So I don’t know if prison is the right idea.

‘Maybe a better punishment for that kind of person would be to forbid him ever using a computer again, or for a fixed period of time, and not to allow him to hold a job using computers… I’m not sure how it could be enforced, but being taken away from something he’s addicted to would have more effect on the individual than being put in prison.’

Legal redress, he feels, has its place, but only if it is done in a very public way will it have any kind of prohibitive effect on virus writers: ‘It’s sad,’ he said. ‘There’s this thing called the On-line World, which I loved, and the virus writers were destroying it. It used to be if someone gave you a cool program you didn’t have to worry about it… now you do.’

The Next Act

Greenberg thinks that the next new wave of viruses to hit will be OS-orientated; Windows 95 and OS/2 viruses which will take advantage of the holes in those operating systems. Indeed, he thinks the only surprising thing about the infamous Concept virus is that it took so long to be released.

The future for detection software, he believes, will not lie much longer with scanners: ‘The final solution,’ he stated, ‘will be a hook in the operating system. Scanners will be very useful for uniquely identifying the virus, but I think they’ll be used in conjunction with heuristics. There will also be integrity checking; things like that.’

He feels strongly about the fact that many smaller companies are being swallowed up by the giant conglomerates: ‘Competition is good. Seeing new and interesting technology disappear stinks. Companies are bought out,’ he explained, ‘then the new owners don’t want to develop the ideas further, and they are lost forever. Unfortunately, with the best product in the world, if it’s not marketed well, it’ll be lost. Only the bigger companies have the money to keep their products exposed out there every day. That’s where shareware, used properly, can be the great equalizer.’

Although Greenberg is no longer disassembling viruses daily, he still takes an active interest in the anti-virus world, and is considering returning to the fray; however, he is somewhat put off by the antics of certain vendors, whom he sees as less than ethical in their tactics and methods.

In the meantime, life goes on at Virus Acres: Greenberg’s seven-year-old daughter has just acquired a brother (‘mother fine, child fine, father entirely exhausted!’ read the announcement). Whatever route Greenberg eventually decides to take, his expertise and enthusiasm will certainly help to make his task easier, and should he return to full-time virus research, his knowledge and ideas will be heartily welcomed.

Ross Greenberg, author of Flushot, Virex PC, and RamNet UUCP: a man of diverse interests.


VIRUS ANALYSIS 1

A Nuclear Concept: Another Hit for MS Word

Vadim Bogdanov, Andrew Krukov

The era of macro viruses which infect Word documents looks set to continue (c