ISSN 0956-9979

NOVEMBER 1994

THE INTERNATIONAL PUBLICATION ON COMPUTER VIRUS PREVENTION, RECOGNITION AND REMOVAL

Editor: Richard Ford
Technical Editor: Fridrik Skulason
Consulting Editor: Edward Wilding, Network Security Management, UK

IN THIS ISSUE:

• New infection techniques. The 3APA3A virus attacks the DOS system file IO.SYS in such a way that it cannot be detected by many current anti-virus programs. A full analysis of the technique and its implications is given on page 12.

• How much of a problem? The NCC survey on breaches of IT security has been collated and the parts relevant to virus attack extracted. What is the nature of the real virus problem, and how much does it cost? See p.14 for the results.

• LZR on pre-formatted diskettes. According to reports in Sweden and Finland, a large number of floppy disks have been distributed infected with the LZR virus. The full story is given on page 3.

CONTENTS

EDITORIAL
The More the Merrier                          2

VIRUS PREVALENCE TABLE                        3

NEWS
LZR Virus on Formatted Diskettes              3
Virus Mutation Toolkit?                       3

IBM PC VIRUSES (UPDATE)                       4

INSIGHT
Auerbach: Viruses Et Cetera                   7

VIRUS ANALYSES
1. 3APA3A: The IO.SYS Hunter                  9
2. The Peanut Vendor                         11

TUTORIAL
Virus Infection Techniques: Part 1           12

FEATURE
IT Security Breaches: The 1994 NCC Survey    14

PRODUCT REVIEWS
1. Sweeping the Boards                       17
2. EMD Armor Plus                            20

CONFERENCE REPORT
Compsec '94: Alive and Well                  23

END NOTES & NEWS                             24

VIRUS BULLETIN ©1994 Virus Bulletin Ltd, 21 The Quadrant, Abingdon, Oxfordshire, OX14 3YS, England. Tel. +44 (0)1235 555139. /94/$0.00+2.50 No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form without the prior written permission of the publishers.

PALO ALTO NETWORKS Exhibit 1038 Page 1


EDITORIAL

The More the Merrier

Virus Bulletin is in the process of moving offices - a job which requires much shifting of dusty boxes and reshuffling of paperwork. Like any move, the entire process has located many lost odds and ends which had dropped behind filing cabinets and printers (including several incriminating and amusing pictures, currently being held for a considerable ransom!).

Among the many finds has been the occasional diskette, somewhat dog-eared after a five-year sojourn in an inaccessible corner, but still readable. Such disks are a goldmine of information on the early years of VB, and contain such gems as unedited copies of articles written in the magazine's first year, information on the Aids Diskette, and early editions of F-Prot, Sweep and Dr Solomon's Anti-Virus Toolkit. All good fun, and an interesting glimpse into a little of the journal's history.

As the office is being sorted and packed, the number of diskettes has grown. Many have less-than-informative labels such as 'things' or 'Nov. 91', and more are devoid of identification. The total number of diskettes recovered has been something of a surprise (and an unpleasant one at that), and highlights one of the less obvious IT problems which can be brought about by a change of site.

Some of the software unearthed has not been used for years. Is it infected? What does it do? Nobody knows, although some of the filenames are intriguing. Fortunately, no matter how interested one might be in a disk's contents, Virus Bulletin has a very simple policy: untrusted diskettes are not put in 'clean' machines. No ifs, no exceptions. The way to examine the contents of the unknown diskettes is to write-protect them and cart them off to the quarantine machines used for virus checking and analysis.

Although this cache of mystery diskettes has presented no threat to the security of the VB move, one suspects that in many companies, whatever the policy, user inquisitiveness (especially during the chaos of a move) may overcome usual caution. It is very easy to imagine picking up a disk and quickly checking its contents - it is then only a small step to running software stored on it.

Above all else, such a scenario highlights the need to carry out a clean-up of a virus attack properly. This means scanning every diskette, old and new, after a virus outbreak, and doing one's best to ensure that all storage media are checked, not just those disks which 'happen to be around' during the clean-up operation. If this process is not completed thoroughly, the clean-up team will have plenty of opportunities to practice the procedure: the chances are that they will have to repeat the operation again and again until they finally do get it right. An infected diskette left mouldering in a desk drawer is a time bomb, waiting for an unwary user to trigger it.

Cleaning up a large-scale virus outbreak is easier said than done. In order to stand any chance of doing a thorough job, the co-operation of the entire user community is required. This means that it is absolutely vital that users should not be afraid to bring out personal disks which have been used in company machines, as well as disks which they believe may be infected. In a company which adopts the 'hang 'em and flog 'em' approach to computer security and IT use and abuse, carrying out a thorough clean-up operation could well be virtually impossible, as users may be afraid of submitting any non-company diskettes for checking. Should these diskettes be infected (as is likely in a major outbreak), the virus could be introduced unwittingly once the fuss had died down.

The gradual build-up of old diskettes is a continual problem for any IT-intensive organisation. Disks, unlabelled and unscanned, can be found in every office; checking one's own department (or even one's own desk) can be an eye-opening exercise. Such stray disks represent a large percentage of the time taken to check an office for viruses, and wherever possible should be eliminated. With most companies now using networks, there is little need for data to be transported around the office by foot - the network is quicker and cheaper. Users should be encouraged to use diskettes as infrequently as possible, as the more diskettes around, the more to scan ... Obvious, but often only noticed when one has to check them all.
`

`
Virus Prevalence Table - September 1994

Virus             Incidents   Reports (%)
Form                  25         33.8%
AntiEXE.A             10         13.5%
Stoned                 6          8.1%
Stoned.!               4          5.4%
AntiCMOS               3          4.1%
Parity_Boot            3          4.1%
Stealth_Boot           3          4.1%
NoInt                  2          2.7%
One_Half               2          2.7%
SMEG.Pathogen          2          2.7%
Tequila                2          2.7%
Angelina               1          1.4%
Attack_Trojan          1          1.4%
Cascade.1704.G         1          1.4%
Jimi                   1          1.4%
Junkie                 1          1.4%
Keypress.1216          1          1.4%
NYB                    1          1.4%
PrintScreen            1          1.4%
Quox                   1          1.4%
Trackswap              1          1.4%
V-Sign                 1          1.4%
Yankee.2C              1          1.4%

Total                 74          100%

NEWS

LZR Virus on Formatted Diskettes

According to reports received from both Finland and Sweden, a large shipment of pre-formatted diskettes has been found to be infected with the LZR virus. The diskettes, apparently imported from China, are unbranded, and have been found principally in the Nordic countries. The Finnish anti-virus company Data Fellows has obtained unopened boxes of the diskettes and confirmed that they are infected.

The shipment of 400,000 diskettes contains approximately 20,000 which are infected. Of the shipment, 15% was sent to a Finnish company, PC Superstore, for resale.

As soon as the virus was found on the diskettes, PC Superstore withdrew them from their shelves. The company has also placed a series of adverts in the largest Finnish newspapers, alerting buyers to the infection of the disks, and offering a special free version of F-Prot to anyone who can show proof of purchase of the infected media. Commenting on the virus, PC Superstore Product Manager Ismo Viitamo said: 'We have done the best we can to notify everybody who bought the diskettes. They will be provided with a virus protection program which will detect and erase the virus, and all diskettes will be replaced if necessary. I am not sure whether we will sell pre-formatted disks in the future - we will only do so if we can come up with an extremely reliable method to guarantee their safety.'

Attack of the Data Diddler

LZR is a relatively simple boot-sector virus, which infects the Master Boot Sector (MBS) of the fixed disk, and the boot sector of floppy diskettes. The virus contains no stealth capabilities, and operates in a manner similar to most common MBS-infecting viruses.

When resident, the virus hooks Int 13h, and infects on any read or write to the first two floppy diskettes. On an infected fixed disk, a copy of the original MBS is located at Track 0, Head 0, Sector 2.

The virus has a particularly unpleasant trigger. When the virus intercepts any read or write to the disk, there is a one in 10000h (65,536) chance that the contents of the fixed disk will be overwritten. If this trigger routine is not called, the virus then enters a second trigger, which has a one in 256 chance of executing. This routine XORs a random byte in the read or write buffer with a random value, leading to gradual corruption of the data stored on the disk.

As yet, Virus Bulletin has been unable to contact the manufacturer of the disks. There is, however, a disturbing possibility that more than the single 400,000-diskette shipment is infected: it is claimed that one of the disk formatting machines used by the disk's manufacturer contained an infected disk image when it was purchased!

Virus Mutation Toolkit?

Among the binaries which showed up in the Technical Editor's E-mail in the last month was a collection of viruses, which seems to have been written by making slight changes to existing viruses using a virus-mutating tool.

According to sources in the virus 'underground', several such programs are now under development. The most effective of these is reported to be able to create 2000 new viruses per hour.

Although quite a few of the 177 viruses in the collection did not work properly, they may be just the first sign of what to expect in the near future.

The development of such a tool would be genuine cause for concern among the anti-virus software community. Every mutated virus, even one which did not appear to work, would have to be analysed individually; the cost of this process would doubtless be passed on to the end-user, either as an increased price or poorer scanner performance!
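The relocated-MBS layout described in the LZR article above (a copy of the original Master Boot Sector parked at Track 0, Head 0, Sector 2) is something a disk-integrity check can look for on a raw image. The following is an added example, not code from Virus Bulletin or from any LZR analysis; it assumes 512-byte sectors, a 16-head/63-sector geometry for the hypothetical chs_to_lba helper, and that the infected MBS keeps the original partition table in place (true of most common MBS infectors), and the disk images it checks are constructed for the demonstration.

```python
"""Flag a fixed-disk image whose second sector looks like a stashed copy of
the Master Boot Sector, the layout LZR and many other MBS infectors leave.

Added example, not from the original article. Assumes 512-byte sectors and
that the infected MBS keeps the partition table in place; the sample images
below are constructed, not real LZR samples.
"""
import struct

SECTOR = 512
SIG_OFFSET = 0x1FE        # 0x55AA boot signature
PTABLE_OFFSET = 0x1BE     # four 16-byte partition entries


def chs_to_lba(cylinder: int, head: int, sector: int,
               heads: int = 16, spt: int = 63) -> int:
    """Translate a CHS address (sectors are 1-based) to a 0-based LBA."""
    return (cylinder * heads + head) * spt + (sector - 1)


def read_sector(image: bytes, lba: int) -> bytes:
    start = lba * SECTOR
    return image[start:start + SECTOR]


def has_boot_signature(sector: bytes) -> bool:
    return len(sector) == SECTOR and sector[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xAA"


def partition_table(sector: bytes) -> bytes:
    return sector[PTABLE_OFFSET:PTABLE_OFFSET + 64]


def plausible_partition_table(table: bytes) -> bool:
    """Non-empty table whose entries all carry a valid boot indicator (00h/80h)."""
    entries = [table[i:i + 16] for i in range(0, 64, 16)]
    if all(e == bytes(16) for e in entries):
        return False              # an all-zero table is not a real MBS
    return all(e[0] in (0x00, 0x80) for e in entries)


def relocated_mbs_suspected(image: bytes) -> bool:
    """True when Track 0/Head 0/Sector 2 holds a bootable MBS whose partition
    table equals sector 1's while the code before the table differs: the
    footprint of an infector that saved the original before overwriting it."""
    mbs = read_sector(image, chs_to_lba(0, 0, 1))
    stash = read_sector(image, chs_to_lba(0, 0, 2))
    if not (has_boot_signature(mbs) and has_boot_signature(stash)):
        return False
    if not plausible_partition_table(partition_table(stash)):
        return False
    same_table = partition_table(mbs) == partition_table(stash)
    code_differs = mbs[:PTABLE_OFFSET] != stash[:PTABLE_OFFSET]
    return same_table and code_differs


def _make_mbs(code: bytes, table: bytes) -> bytes:
    """Build a 512-byte sector: code, partition table, 0x55AA signature."""
    body = code.ljust(PTABLE_OFFSET, b"\x00")[:PTABLE_OFFSET]
    return body + table + b"\x55\xAA"


# Constructed sample table: one bootable primary partition, three empty entries.
_entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                     b"\x0F\x3F\xFF", 63, 1_000_000)
_TABLE = _entry + bytes(48)

# Clean disk: original MBS in sector 1, nothing bootable in sector 2.
CLEAN_IMAGE = _make_mbs(b"\xFA\x33\xC0ORIGINAL", _TABLE) + bytes(SECTOR * 62)
# Infected disk: new code in sector 1 (table kept), original MBS moved to sector 2.
INFECTED_IMAGE = (_make_mbs(b"\xFA\x33\xC0VIRUSCODE", _TABLE)
                  + _make_mbs(b"\xFA\x33\xC0ORIGINAL", _TABLE)
                  + bytes(SECTOR * 61))

if __name__ == "__main__":
    print("clean:   ", relocated_mbs_suspected(CLEAN_IMAGE))     # False
    print("infected:", relocated_mbs_suspected(INFECTED_IMAGE))  # True
```

The check is generic to the relocation layout, not LZR-specific, so a hit should be followed by a pattern scan of the suspect sector rather than treated as identification.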
`
`

`
IBM PC VIRUSES (UPDATE)

The following is a list of updates and amendments to the Virus Bulletin Table of Known IBM PC Viruses as of 21 October 1994. Each entry consists of the virus name, its aliases (if any) and the virus type. This is followed by a short description (if available) and a 24-byte hexadecimal search pattern to detect the presence of the virus with a disk utility or a dedicated scanner which contains a user-updatable pattern library.
`
Type Codes

C   Infects COM files
D   Infects DOS Boot Sector (logical sector 0 on disk)
E   Infects EXE files
L   Link virus
M   Infects Master Boot Sector (Track 0, Head 0, Sector 1)
N   Not memory-resident
P   Companion virus
R   Memory-resident after infection
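The search patterns below can be applied with a small scanner that reads the published format: groups of hex digits making up a 24-byte pattern, with '??' standing for a wildcard byte where the bytes vary between samples (as in encrypted variants). This is an added example, not Virus Bulletin's own tooling; the pattern library and the sample buffer it scans are constructed for the demonstration and are not real signatures.

```python
"""Apply Virus Bulletin-style hexadecimal search patterns to a buffer.

Added example, not Virus Bulletin's scanner. The LIBRARY and SAMPLE values
are constructed for the demonstration; they are not real virus signatures.
"""
import re
from typing import List, Optional, Tuple

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}|\?\?")


def parse_pattern(text: str) -> List[Optional[int]]:
    """'B440 B1?? CD21' -> [0xB4, 0x40, 0xB1, None, 0xCD, 0x21]; None = wildcard.

    Rejects anything that is not whole hex bytes or '??', which also catches
    OCR damage such as a letter O where a zero was meant."""
    compact = "".join(text.split())
    if len(compact) % 2:
        raise ValueError("pattern must contain whole bytes")
    pairs = _HEX_PAIR.findall(compact)
    if "".join(pairs) != compact:
        raise ValueError("pattern contains characters other than hex digits or '??'")
    return [None if p == "??" else int(p, 16) for p in pairs]


def find_pattern(data: bytes, pattern: List[Optional[int]]) -> int:
    """Offset of the first match, or -1. Wildcard positions match any byte."""
    n = len(pattern)
    # Anchor on the first fixed byte so bytes.find does the fast skipping.
    first = next((i for i, b in enumerate(pattern) if b is not None), None)
    if first is None:
        return 0 if data else -1
    anchor = bytes([pattern[first]])
    pos = data.find(anchor)
    while pos != -1:
        start = pos - first
        if 0 <= start and start + n <= len(data):
            if all(p is None or data[start + i] == p for i, p in enumerate(pattern)):
                return start
        pos = data.find(anchor, pos + 1)
    return -1


def scan(data: bytes, library: dict) -> List[Tuple[str, int]]:
    """Run a whole user-updatable pattern library; returns (name, offset) hits."""
    hits = []
    for name, text in library.items():
        off = find_pattern(data, parse_pattern(text))
        if off != -1:
            hits.append((name, off))
    return hits


# Constructed library: 12 groups of two bytes, as in the update tables.
# The '??' marks a byte (a length counter) that differs between variants.
LIBRARY = {
    "Demo.A": "B440 B1?? BA00 01CD 21B8 0042 33C9 33D2 CD21 B440 B101 CD21",
}

# Constructed 'file': 100 bytes of padding, a matching sequence with the
# wildcard byte set to 76h, then trailing padding.
SAMPLE = bytes(100) + bytes.fromhex(
    "B440B176BA0001CD21B80042" "33C933D2CD21B440B101CD21") + bytes(50)

if __name__ == "__main__":
    print(scan(SAMPLE, LIBRARY))   # [('Demo.A', 100)]
```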
`
Anti_Pascal-H.407
CN: A minor, unremarkable variant, detected with the Anti-Pascal2 pattern.

Ash.743
CN: There are now ten new minor variants of this virus, which have been named Ash.743.B-K. All are detected with the Ash.743 pattern.

Australian_Parasite
CN, CR, CER: The Australian virus writer who calls himself 'Australian Parasite' has written a large number of viruses. The smallest are non-resident COM infectors. Most of the others are resident COM infectors, although some also infect EXE files. Some are encrypted, but they can all be detected with a simple search string. In one case a number of wildcards are necessary.
    Austr_Para.118       B440 B176 B6F0 CD21 B800 4233 C933 02CD 21B4 40B1 76FE C6CD
    Austr_Para.122       B440 B17A 51BA GAFF C021 B800 4233 C933 02CD 21B4 4059 BA00
    Austr_Para.152       B440 B198 B601 C021 B800 4233 0233 C9CD 21B4 40B6 01B1 04CD
    Austr_Para.153B      B440 B199 B601 CD21 B800 4233 0233 C9CD 21B4 40B6 01B1 04CD
    Austr_Para.155       B440 B19B B601 CD21 B800 4233 0233 C9CD 21B4 40B6 01B1 04CD
    Austr_Para.187       B440 B9BB 00BA 0001 CD21 B800 4233 0233 C9CD 21B4 40B6 01B1
    Austr_Para.215       B440 B907 00BA 0001 CD21 B800 4233 0233 C9CD 21B4 40B6 01B1
    Austr_Para.217       B440 B109 C021 B800 422B C92B 02C0 21B4 40B1 03B6 01CD 215A
    Austr_Para.221       B440 B900 00C0 21B8 0042 2BC9 2B02 C021 B440 B103 B601 CD21
    Austr_Para.229       B440 B9E5 00C0 21B8 0042 2BC9 2B02 C021 B440 B103 B601 CD21
    Austr_Para.272       B440 B910 01CD 21B8 0042 3302 33C9 C021 B440 B903 00BA 0001
    Austr_Para.306       B440 B932 01C0 21B8 0042 3302 33C9 C021 B440 B904 00BA 5E01
    Austr_Para.338       B440 B952 01BA 0001 C021 B800 4233 C933 02CD 21B9 0300 BA00
    Austr_Para.369       B440 B971 0180 9600 0152 C021 B800 4233 C933 02CD 21B4 40B9
    Austr_Para.377       B440 B979 01BA 0000 C021 B800 4233 C933 02CD 21B9 0300 BA00
    Austr_Para.440       B0?? ??B8 ???? 809E 1201 B906 0131 0743 E2FB
    Austr_Para.482       B440 B9E2 01C0 21B8 0042 2B02 2BC9 C021 B440 B904 00BA 7901
    Austr_Para.588       B440 BA00 01B9 4C02 C021 B800 4233 0233 C9CD 21B4 40B9 0400
    Austr_Para.591       B440 B94F 02BA 0001 C021 B800 4233 C933 02CD 210E 0E1F 07BA
    Austr_Para.635       B440 B97B 02BA 0001 C021 BB00 4233 C933 02CD 21B4 40B9 0400
    Austr_Para.726       B440 B906 02C0 21B8 0042 3302 33C9 C021 B440 B903 00BA 0001
    Austr_Para.762       B440 B9FA 02BA 0001 C021 B800 4233 0233 C9C0 21B4 40B9 0400
    Austr_Para.784       B440 B910 03BA 0001 C021 B800 4233 C933 02CD 21B9 0300 BA00
    Austr_Para.1050      7001 33C9 CD21 8B08 B440 B9BC 0280 968B 01C0 21B4 3EC0 21C3
    Austr_Para.1179      B440 B99B 04BA 0001 CD21 B800 4233 C933 02C0 21C6 064A 025A
    Austr_Para.AMSV      B440 B9BB 01BA 0001 C021 B800 4233 C933 02C0 21B4 40B9 0400
    Austr_Para.Comic     B440 B92C 04BA 0001 C021 BB00 4233 C933 02CD 21B4 40B9 0400
    Austr_Para.Gotter    B440 B900 04BA 0001 C021 B800 4233 C933 02C0 21B4 40B9 0400
    Austr_Para.Lipo      B440 B922 01BA 0001 CD21 B800 4233 C933 02C0 21B4 40B9 0400
    Austr_Para.VGA_Demo  7001 33C9 C021 8B08 B440 B907 0j;:80 9631 02CD 21B4 3ECD 21C3

Big_Bang
CN: This virus has not been fully analysed, but seems to contain destructive code, as well as the text '[Big Bang] (c) 1993 Evil Avatar'.
    Big_Bang             B95A 0180 9603 01B4 40CD 21B8 0042 2BC9 99C0 21B9 0300 8096

Black_Jec.247
CN: There are now four new minor variants of this virus, which have been named Black_Jec.247.B-E. They are all detected with the Black_Jec (Bijec) pattern.

`

`
Bloody_Warrior
CER: A 1344-byte encrypted virus which contains a text message claiming it originated in Milan, Italy.
    Bloody_Warrior       E800 0058 FA2E 8177 3D?? ??90 0E1F 8177 2A?? ??90 8177 2E??

Burger.382.C
CN: Detected with the Virdem pattern.

Civil_War.245
CN: Yet another variant from the person calling himself 'Dark Helmet'.
    Civil_War.245        80E1 2F80 F901 5974 4A51 523E 889E F401 843F 8903 00BD 96EE

HLLO.4742
EN: As with other HLL viruses, no search pattern is provided.

Hungarian.Kiss.1006
CER: Very similar to the 1015-byte variant originally reported as Kiss. Detected with the same pattern.

Infector.847
CN: There are two variants of this virus, A and B. Both are detected with the pattern given below.
    Infector.847         A200 01A0 8E03 2EA2 0101 A0BF 032E A202 018C C8A3 3D03 8980

Iron
CN: A non-remarkable, 271-byte virus, which contains the text 'Iron Butterfly V1.2'.
    Iron                 B90F 0184 40CD 2188 0042 9933 C9CD 2188 8640 022D 0300 8986

IVP
CEN: There is one new IVP-generated virus this month: Sonic (CEN, 666).

JD.158
CR: There are now fifteen new minor variants of this virus, which have been named JD.158.B-P. All are detected with the pattern below. As it will also detect the original variant (now renamed to JD.158.A), the original search pattern should be discarded.
    JD.158               BEDB 833D 3D74 0884 25CD 21B1 9EBE C30E 1FF3 A458 0E07 C3CD

Jerusalem.1808.Rambo
CER: In addition to changing the self-recognition string to 'Rambo', the author has made several minor changes to this virus, which invalidate existing search strings.
    Jer.Rambo            2638 05E0 F98B D783 C203 B800 4806 1F0E 0788 3500 0G1E 5350

Jerusalem.AntiCad
CER: There are six new viruses in this group, 3012.F and 4096.E-I.
    AntiCad.3012.F       33C0 8ED8 A017 041F 240C 3C0C 752E E460 247F 3C53 7526 2E81
    AntiCad.4096 (gen)   33C0 8ED8 A017 041F 240C 3C0C 7534 E460 247F 3C53 752C 2EA1

Lockjaw.887
P: This 887-byte variant contains the text 'KenSON V-Lobo/435 BF! :)'.
    Lockjaw.887          9C06 1E50 5352 3D00 4875 03E8 0E00 5A58 581F 079D 2EFF 2E77

Lyceum.958
CER: A Russian 'stealth' virus, which uses the '100-year' trick to mark infected files. It contains the text 'HELLO HACKERS FROM MIREA'. Another similar 930-byte variant has also been found.
    Lyceum-gen           3D00 4874 0F80 FC3D 740A 80FC 4374 0580 FC56 7508 EB0B 0075

Murphy.Migram.1221
ER: There are now eleven new minor variants of this virus, which have been named Murphy.Migram.1221.B-L. They are all detected with the HIV pattern.

Npox.963
CER: There are now ten new minor variants of this virus, which have been named Npox.963.C-L. All are detected with the Npox pattern.

Sandy.1392
ER: An encrypted virus, containing the text 'sandy beaches. bridges sinking into the sea. beautiful confusion. you're a fading memory'.
    Sandy.1392           0050 5A2E 310C 03FE 4650 5A46 BCDA B1FE SF0S 7EEF 505A 505A

Screen+1.948.D
CEN: Detected with the Screen+1 (948) pattern.

STSV
CN: The five new minor variants of this virus have been named STSV.C-G. All are detected with the STSV (previously '200') pattern.

Sundevil.762
CR: There is not much to say about this one ... or maybe it is just that after the first few thousand, all viruses start to look the same.
    Sundevil.762         8886 FC02 8EC0 33FF 88F5 89FA 03F3 A433 C08E D888 FD01 A384

Taiwan.708.C
CN: Detected with the Taiwan pattern.

Troi.C, Troi.D
CR: Similar to the A and B variants. Detected with the Troi pattern.

Trivial.Banana
CN: The eleven new minor variants of this virus have been named Trivial.Banana.B-L. All are detected with the pattern below. As it will also detect the original variant (now renamed Trivial.Banana.A), the original search pattern should be discarded.
    Trivial.Banana       8801 43CD 2184 4FEB 87C3 2042 414E 414E 412C 2063 6F64 6564

Vacsina.TP.25.B
CER: A minor 1805-byte variant. Detected with the Vacsina-1 pattern.

VCL
This month, there are two non-encrypted variants, detected with the pattern published for VCL.VoCo: 535 and Dial.600. There are also six VCL-generated 'companion' viruses: 337, 389, 405, Nomem, Pearl_Harbour.931 and Taboo. Finally, there are four variants which are almost identical to older variants: Code_Zero.654, Donatello.831, Earthday.799 and Kinison.809.

`

`
Vienna
CN: Several unremarkable variants have been found, but are not detected with patterns already published. They are: 660, 662, 700.C, Feliz, Gipsy, It.457, Parasite.861, Violator.779 and W-13.318. The Feliz variant contains the text 'Feliz Navidad! Feliz Año Nuevo!' Also, two new encrypted variants are known, 833.B and 1041.
    Vienna.660           FC90 8BF2 83C6 0AB9 0400 BF00 01F3 A48B F206 B42F CD21 9089
    Vienna.662           8BD7 2BF9 83C7 0205 0301 03C1 8905 8BFA B440 2BD1 B996 02CD
    Vienna.700.C         FC90 8BF2 83C6 0A90 B904 00BF 0001 F3A4 8BF2 06B4 2FCD 2190
    Vienna.833.B         5153 S0BE ???? 2E8A 44FF 8BDE B1EB 5102 B98B 012E 3007 43E2
    Vienna.1041          FC52 5E83 C60D 90B9 0001 515F B903 0057 F3A4 SF52 SEES 1600
    Vienna.Feliz         5D81 ED48 018D B646 03BF 0001 B903 00FC F3A4 06B4 2FCD 2189
    Vienna.Gipsy         FCB9 0300 BF00 01F3 A48B FABA 1200 03D7 B41A CD21 32DB 83EA
    Vienna.It.457        5D81 ED30 018D B6F1 02BF 0001 B903 00FC F3A4 06B4 2FCD 2189
    Vienna.Parasite.861  FC8B F283 C62A EB14 BA8B 0003 D6B4 1ACD 2106 568E 062C 00BF
    Vienna.Violator.779  FC8B F283 C668 BF00 01B9 0300 F3A4 8BF2 B80F FFCD 213D 0101
    Vienna.W-13.318      2BF9 0504 0103 C189 05B9 3E01 905F 8BD7 81EA 3401 B440 CD21

Vienna.BNB
CN: The eight new minor variants of this virus have been named Vienna.BNB.C-J. All are detected with the pattern below. As this pattern will also detect the A and B variants, the original search pattern should be discarded.
    Vienna.BNB           F3A4 8BF2 B824 35CD 2106 53B8 2425 BAB6 0003 D6CD 211E 0706

Vienna.561.B
CN: This non-remarkable variant is detected with the Vienna-2, Ghostballs and Vienna.1239 patterns. Those patterns all detect a number of Vienna variants, and should not be relied on for identification.

Vienna.709
CN: Detected with the Dr. Q pattern.

Vienna.680
CN: Detected with the Violator pattern.

Vienna.Black_Ice
CN: A 742-byte virus. Detected with the Violator pattern.

Vienna.Choinka.C
CN: Detected with the Vienna-4 pattern, just like the .A and .B variants.

Vienna.W-13.534.K
CN: Detected with the W-13 pattern.

Vienna.W-13.534.L
CN: Detected with the W-13 pattern.

Vienna.W-13.539
CN: Detected with the W-13 pattern.

Virdem.1336.Locked.B
CN: Detected with the Virdem pattern.

VLamiX
ER: This 1090-byte virus was distributed in a fake ARJ 3.0 package to BBS systems worldwide. Quite a few infections have been reported.
    VLamiX               061E 8CC8 8ED8 BF28 00A1 5004 3105 83C7 02BA 5004 3BFA 72F4

XPH.1032
CER: Detected with the XPH.1029 pattern.

Yam.3596
CR: Detected with the Yam.3599 pattern.

Yankee_Doodle.2167
CER: Possibly related to the 'Login' group, but requiring further analysis.
    Yankee_Doodle.2167   7503 0C01 C3F6 C208 75F8 80FE 0377 F332 C0C3 FC8B B1EB 2B00

YB
CN: Two new variants from the virus author known as Kohntark.
    YB.425               B802 3DCD 2193 B905 008D 9475 01B4 3FCD 2172 218B 8498 0105
    YB.426               B802 3DCD 2193 B905 008D 9476 01B4 3FCD 2172 218B 8499 0105

YB.2277
CN: This variant is much larger than the other YB viruses. Just like the previous virus, it contains the text 'YB-2 I KhOntark'.
    YB.2277              B802 3D9C FF9C 6601 72E3 93B9 0500 8D94 5D01 B43F 9CFF 9C66

ZigZag.127
CEN: A 127-byte overwriting virus that contains the text '*ZZ* v 1.0'.
    ZigZag.127           AACD 20BB 023D BA9E 00CD 2193 B43F B902 00BA 6D01 CD21 813E

Zombie
CR: 747 bytes, contains the text 'Zombie - Danish woodoo hackers (14AUG91)'.
    Zombie               9C3D 004B 740F 3D69 4B74 069D 2EFF 2E84 008B D89D CF2E C706

Zulu
CR: 1390 bytes, contains the text 'ZULU-GULA by Dr Mengele and Rudolf Hess'.
    Zulu                 9C3D 004B 7403 EB53 904E 8C16 1A01 2E89 261C 010E 17BC 0302

ZX-X
ER: 600 bytes, contains the text 'ZX-X'.
    ZX-X                 9C80 FC3D 7412 80FC 4374 0D80 FC56 7408 3D00 4B74 03E9 3E01

`

`
INSIGHT

Auerbach: Viruses Et Cetera
Megan Palfrey

The man: Tjark Auerbach, German anti-virus researcher and software developer. The company: H+BEDV, little known outside Germany, but highly regarded and holding a considerable proportion of the German market. The product: AVScan, a consistent high-performer in VB comparative reviews. The series of VB interviews continues with an insight into the man, the work, and the product.

How it Began

Computing was not a real passion for Auerbach until after he left school. He was 20 years old, training to be a technical assistant in electronics, when he first came to grips with a Commodore PET-2001, which he describes as 'a lovely machine'. On completing that course, he went to a technical college to further his studies: 'I gave it up,' he said, 'after too many long nights in the computer room. One day I woke up and asked myself, "Is this really what you want to do?" It was not. So, I got a job at a computer company.' The date? 1984: the IBM-PC was just starting to appear in Germany.

At that company, where he spent four years, Auerbach repaired and assembled PCs; his programming experience did not begin until the 80x86 machines appeared. He then returned to college to complete his interrupted training as a Government-approved technician. During this period, he founded H+BEDV, the company which was to become one of Germany's best-known names in anti-virus software.

Virus Alert

H+BEDV did not begin as anti-virus software specialists, but as software importers, dealing in such programs as 386MAX, Super PC Quick, and PC Tools. This was a route which helped Auerbach gain expertise with various types of soft- and hardware: in offering customers technical support, he could see the problems they were having, and learned more about users' demands and requirements.

Auerbach's first exposure to viruses was an accident: like many other users, his own system became infected. It was 1987; the virus was Jerusalem. He was directed to a 'friend of a friend' for help, and between the two, the first AntiVir program was born. Although not very well known elsewhere, it has been a huge German success, and is currently undergoing its fifth major revision.

Virus Authors

Auerbach has never written, nor been tempted to write, a virus - 'But I get very itchy fingers when I see the rubbish that some of the virus writers push out!' he commented. One of his 'ambitions' is to find a good virus writer: 'I love well-written viruses; it's incredible to see a virus which works. Bad viruses waste my time. If I get inside a virus and find out that it doesn't infect, I have to spend a long time disassembling it to find out why.'

Fortunately, there are few 'good' virus authors. Even polymorphics pose only a limited threat to dedicated researchers: 'It took about two weeks to master the first MtE virus I encountered. When we met a TPE virus, it took us three days; now, an ordinary polymorphic will take about a day. They are no big deal.' Whoever programmed SMEG, in Auerbach's opinion, belongs to this category: he could have made the viruses generated more difficult to detect merely by putting more randomness in his further instructions.

The real threat, for Auerbach, is the 'two-legged' virus. Forgetting backups, formatting the hard disk - often the person sitting in front of the computer creates the greatest problems. Fear, he asserted, has the potential to make a catastrophe out of a minor incident: it is time to make the developer's approach to the user more accessible.

Developmental Elements

His role in H+BEDV is now less of a researcher, more of a Quality Assurance controller: it is he who tries out new viruses as they come in; he who liaises with customers who have virus problems; he who ensures that their problems are solved with a maximum of expertise and a minimum of fuss.

'Our usual turnaround time, from the moment someone logs on to the company's mailbox to the time when analysis is complete and a solution returned to the customer, is two to four hours. This doesn't always work, but we do our best.'

The first step in this process is for Auerbach to try to make the virus replicate: if it does, it goes to one of his programmers. When it returns, Auerbach attempts to make it replicate onto 'real-world' files, files which would be on every user's machine: COMMAND.COM, WIN.COM, DISKCOPY, etc. Repairs are usually successful: 'Touch wood, we have only had one false repair; last year, with an incorrectly repaired Tremor virus.'

Outward Bound

H+BEDV's product is marketed only in Germany at present, but the company is already at work on a bilingual version, which is planned for the next major revision. There are some problems, he conceded, although none of them are insurmountable. Mostly, they concern the manual: 'It's very dry material, but I want my customers to be able to relate to the company and the product, so I've put my own personal touch in it; footnotes where I write down my impressions. I'm not sure it would be possible to translate those - I'm very anxious about it.'

The next major revision of H+BEDV's product is due for March 1995, to coincide with the German CeBit exhibition, which is attended by people from all over the world.

The company plans to release an NLM by the end of 1994: like the stand-alone product, it will at first only be available in German, but it is being developed with an English-language module as well.

A Heuristic Future ...

Auerbach, like many other anti-virus software developers, is exploring heuristics: he sees virus-non-specific detection as the road to the future. Indeed, AVScan already detects polymorphic viruses using generic detection. He has not, as yet, expended a great deal of effort to develop the heuristic side; this is planned for next year's major revision.

'Everything done by software,' says Auerbach, 'can be undone by software. From a developer's standpoint, however, you have to draw borders; you must stop emulating the virus sometime. Virus writers already defeat some emulation engines. Emulating and heuristics will stay around; they are part of the future.'

He is also concerned that developers have been, until now, concerned primarily with their own aims: 'Have we seen the past only through our own glasses? Were we wearing our hats and not those of users?' Anti-virus software in general, he opined, must become more user-friendly, despite researchers who prefer mile-long command lines for each task.

In common with some other developers, Auerbach has reservations about TSRs, believing that the concessions one must make in terms of memory utilisation cannot compensate for the benefits of having a resident scanner. However, having seen Sophos' InterCheck (see p.18), he admits that TSRs can have a place in virus prevention.

H+BEDV has started work on a product which, though not memory-resident, will automatically scan every diskette inserted into the PC for boot sector viruses - these comprise about 85% of all viruses known in the wild. It will
