ISSN 0956-9979

THE AUTHORITATIVE INTERNATIONAL PUBLICATION
ON COMPUTER VIRUS PREVENTION,
RECOGNITION AND REMOVAL

Editor: Edward Wilding

Technical Editor: Fridrik Skulason

Editorial Advisors: Jim Bates, Bates Associates, UK, Phil Crewe, Fingerprint, UK, David Ferbrache, Defence Research Agency, UK, Ray Glath, RG Software Inc., USA, Hans Gliss, Datenschutz Berater, West Germany, Ross M. Greenberg, Software Concepts Design, USA, Dr. Harold Joseph Highland, Compulit Microcomputer Security Evaluation Laboratory, USA, Dr. Jan Hruska, Sophos, UK, Dr. Keith Jackson, Walsham Contracts, UK, Owen Keane, Barrister, UK, John Laws, Defence Research Agency, UK, David T. Lindsay, Digital Equipment Corporation, UK, Yisrael Radai, Hebrew University of Jerusalem, Israel, Martin Samociuk, Network Security Management, UK, John Sherwood, Sherwood Associates, UK, Prof. Eugene Spafford, Purdue University, USA, Dr. Peter Tippett, Certus International Corporation, USA, Dr. Ken Wong, PA Consulting Group, UK, Ken van Wyk, CERT, USA.

CONTENTS

GUEST EDITORIAL
The Mother of All False Positives  2

TECHNICAL NOTES  3

KNOWN IBM PC VIRUSES (UPDATE)  5

LETTERS  8

STRATEGY & TACTICS
Practical Virus Avoidance  10

CASE STUDY
It Slipped Through The Net...  13

VIRUS ANALYSES
1. Maltese Amoeba  15
2. The SVC Series - The Latest Stealth Viruses  17

PRODUCT REVIEW
F-PROT  21

PRODUCT UPDATE
The Sophos Utilities  24

BETA-TEST
File Protector  25

END-NOTES & NEWS  28

VIRUS BULLETIN ©1991 Virus Bulletin Ltd, 21 The Quadrant, Abingdon Science Park, Oxon, OX14 3YS, England. Tel (+44) 235 555139.
/90/$0.00+2.50 This bulletin is available only to qualified subscribers. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, magnetic, optical or photocopying, without the prior written permission of the publishers.

Page 2

VIRUS BULLETIN

December 1991

GUEST EDITORIAL

Steve R. White

The Mother Of All False Positives

In last month’s VB (November 1991), Virus Bulletin published a signature for the Gosia virus, a new virus which has not been seen in any actual infection incident. Shortly thereafter, VB discovered that the signature incorrectly identified COMMAND.COM from DOS 3.3 and above as being infected. VB’s signature gave a ‘false positive’ indication on this almost universal file. (See ‘Living Together - Without False Alarms!’, VB, November 1991, pp. 19-20.)

It could have happened to anyone. Indeed, it already has. Most anti-virus vendors have had false positive problems. To its credit, VB went out of its way to notify its subscribers and ward off potential problems. It warned people not to use the signature by telephone, FAX, e-mail and letter. Others have not been as forthcoming.

False positives are a common occurrence in the anti-virus industry. But should they be? More precisely, should customers resign themselves to periodic ‘virus outbreaks’ that turn out to be caused by faulty signatures in anti-virus programs? I don’t think so. It’s time to stop asking customers to do quality assurance for the anti-virus industry. It’s time for vendors to prevent their problems from becoming their customers’ problems.

Like manic butterfly collectors, the industry has become obsessive about how many new specimens it can find. Never mind that most viruses it finds have never been seen in an actual incident. Never mind that many viruses are so buggy that we can’t make them spread even if we try. Advertising copy, as well as reviews of anti-virus software (including some of those conducted by VB), have concentrated on the quantity of viruses detected rather than the overall quality of the protection provided. We have, perhaps, lost track of the real problem - reducing the actual risk to which our customers are exposed.

Anti-virus vendors can be more careful in a variety of ways. The obvious thing to do is to select signatures carefully. Longer signatures can provide a margin of safety, since a longer sequence of bytes is less likely to be found in an arbitrary program than is a shorter sequence. (See ‘Selecting and Testing Virus Patterns’, VB, September 1991, pp. 3-4. Note, however, that VB’s testing did not include false positive testing at this time!)

Signatures should be carefully tested before they are released, on as large a corpus of uninfected programs as possible, to help reduce the incidence of obvious false positives. At IBM, we have been testing our signatures on a corpus of hundreds of megabytes of normal programs, written in dozens of languages, for some time now. (This simple step would have prevented VB’s Gosia problem. One hopes that VB, and everyone else, will introduce stringent testing of signatures in the future!)

It is also important to write anti-virus programs in such a way as to avoid their being identified as infected by other anti-virus programs. Most vendors have already learned not to leave unaltered binary signatures in memory for just this reason. Most but not all. (See ‘Troublesome Concubines in the Anti-Virus Harem’, VB, November 1991, p. 18.)

But even this is not enough. It’s not possible to have every program in the world in your corpus, and new programs may be written in the future which cause false positive problems with today’s anti-virus software. What is needed is a way to characterize ‘normal’ programs and determine that a particular signature is unlikely to be found in them. Our lab has made good progress on this problem recently. When we received VB’s errant Gosia signature, our characterization programs identified it as very likely to be found in normal programs, even apart from COMMAND.COM.

Another approach is to use verification programs, to certify that a virus is byte-by-byte identical to the virus indicated by the signature. (See ‘Virus Verification and Removal’, VB, November 1991, pp. 7-11.) This is a two-edged sword. It can eliminate false positives if a signature is mistakenly found in a normal program, and that is useful. The downside of this approach is that if anti-virus software only reports exact matches, it may miss new viruses that are small variants of existing viruses, which would be unfortunate.

Beyond our individual actions, the industry can help encourage higher quality in anti-virus software. Reviews should be expanded to include false positive testing. Customers should know which products have been prone to problems and what, if anything, the vendor has done to solve them. Vendors should reduce their reliance on the ‘numbers game’ in advertising. They should encourage customers to buy their product because it reduces the real risks, doesn’t cause new problems, and is easy to install, use and update.

Finally, the industry should encourage an open discussion of what, exactly, it means to have a high quality anti-virus product, both to educate its customers and to raise its own consciousness.

Yes, it could have happened to anyone. But let’s take this opportunity to ensure that it doesn’t continue to happen to our customers.

[Steve White is Manager of IBM’s High Integrity Computing Laboratory based at the Thomas J. Watson Research Center, Yorktown Heights, New York.]

TECHNICAL NOTES

Gosia

The identification string published for the Gosia virus in the November edition of VB turned out to be unusable, as it produced a false positive in a program which is found in virtually all MS-DOS machines, namely COMMAND.COM.

An examination of the virus revealed that it contains a block of code which is copied from COMMAND.COM, but is not used by the virus. Unfortunately, last month’s string was selected from this area, which seemed a natural choice - containing rather unusual code, which was not thought likely to be found in any program at random.

The following amended string should be used instead:

Gosia
8BD6 81C2 7001 B001 B900 00B4 43CD 2172 358B D681 C270 01B0

Form Disinfection

In last month’s VB it was erroneously stated that the widespread Form virus (see the Prevalence Table overleaf) relocates the original DOS Boot Sector to the last sector of the active DOS partition. In fact, the virus relocates the DOS Boot Sector to the very last sector on disk: the virus code itself is stored in the first sector of the active DOS partition and the penultimate sector on disk.

DOS Compatibility

Hardened VB readers know that the magic object in detecting and removing computer viruses is the clean write-protected system diskette. However, it is important that DOS compatibility is considered when booting the PC.

Machines must be booted from the same version of DOS as is on the PC itself, or a higher version.

Prior to DOS 4.xx, the operating system could only manage 32 Megabyte partitions. DOS 4.xx (and upwards) introduced an expanded form of sector editing as well as the ability to handle volumes larger than 32 Megabytes. Thus booting a machine running DOS 4.xx from a DOS 3.xx system diskette can result in spurious results as the operating system attempts to contend with unmanageable partitions.

There are a few exceptions to this rule - for instance the editor’s PC runs under Compaq DOS 3.31, which manages volumes larger than 32 Megabytes gracefully. The same is also true of Zenith DOS 3.30 and upwards.

Spurious results can also be expected if, for example, a PC running DR-DOS from Digital Research is booted with a version of DOS from Microsoft or IBM etc.

Smart Scanners Not So Brainy After All...

Viruses generally modify the first instruction of the programs they infect - some viruses add code at the front of COM files, others overwrite the beginning of programs, or modify the initial CS:IP instruction (in the case of .EXE files). All these types of modifications result in the first few instructions executed being different after infection than before.

The new Brainy virus is an exception to this rule. It infects .COM files which start with a JMP instruction. This instruction is not changed, but the virus code is inserted into the program at the target address of this JMP instruction.

Brainy differs from the majority of .COM infectors in an important way - the virus code can be found anywhere in the file, so virus scanners which only search a small block (usually 2000-4000 bytes) at the beginning and end of programs will not find it. This is not a radical new development, as the Bulgarian 800 virus works in a similar way, although it overwrites the first 3 bytes with a JMP to the virus.

It used to be possible to check for a virus infection simply by looking at the first instruction executed and a few bytes following it. These could then be compared with their original values, but Brainy invalidates this approach.

One could envisage a virus which would combine features of Brainy (where no changes are introduced at the beginning or end of a file) and of the ‘Number of the Beast’ virus (where no visible increase in file length is apparent, even when the virus is not active in memory). Such a virus would render obsolete any checksumming program which only checked blocks at the beginning and end of a program, as well as verifying that the program size was unchanged. Some checksumming software available today provides exactly this method as a ‘Quick’ option, but although it is faster than checking the entire file it is not fool-proof.

Correctly implemented cryptographic checksumming, by necessity, involves the creation of a checksum value of the entire executable image followed by a full comparison of that image on each and every subsequent check.

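To make the ‘Quick’ option’s blind spot concrete, here is an added example (not from the Bulletin or any product it names) contrasting a checksum that covers only the file length and a window at each end with one covering the whole image. SHA-256 stands in for whatever cryptographic checksum a product would use; the ‘host program’ and ‘virus body’ are constructed pseudo-random bytes, and the mid-file, same-length modification only models what the checker sees, not how any real virus installs itself.

```python
import hashlib
import random

WINDOW = 2000  # bytes inspected at each end by the 'Quick' option (page: 2000-4000)


def quick_checksum(image: bytes) -> bytes:
    """'Quick' method: file length plus the first and last WINDOW bytes only."""
    h = hashlib.sha256()
    h.update(len(image).to_bytes(4, "little"))
    h.update(image[:WINDOW])
    h.update(image[-WINDOW:])
    return h.digest()


def full_checksum(image: bytes) -> bytes:
    """Correct method: a checksum over the entire executable image."""
    return hashlib.sha256(image).digest()


def quick_changed(original: bytes, current: bytes) -> bool:
    return quick_checksum(original) != quick_checksum(current)


def full_changed(original: bytes, current: bytes) -> bool:
    return full_checksum(original) != full_checksum(current)


# Constructed 9000-byte host 'program' and 200-byte 'virus body' (seeded, so deterministic).
HOST = bytes(random.Random(7).getrandbits(8) for _ in range(9000))
VIRUS_BODY = bytes(random.Random(99).getrandbits(8) for _ in range(200))


def prepend_infection(host: bytes) -> bytes:
    """Conventional infection: code added at the front, so the head and the length change."""
    return VIRUS_BODY + host


def mid_file_same_length_infection(host: bytes, offset: int = 4500) -> bytes:
    """Hypothetical Brainy plus Number-of-the-Beast combination as the note describes it:
    bytes in the middle of the file change, the length does not, and the first and last
    WINDOW bytes are untouched."""
    assert WINDOW <= offset and offset + len(VIRUS_BODY) <= len(host) - WINDOW
    return host[:offset] + VIRUS_BODY + host[offset + len(VIRUS_BODY):]


if __name__ == "__main__":
    cases = (("prepend", prepend_infection(HOST)),
             ("mid-file, same length", mid_file_same_length_infection(HOST)))
    for name, infected in cases:
        print(f"{name}: quick detects={quick_changed(HOST, infected)} "
              f"full detects={full_changed(HOST, infected)}")
```

The first case is caught by both methods; the second is caught only by the full-image checksum.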
Semi-Stealth Viruses

The terms ‘Semi-Stealth’ and ‘Sub-Stealth’ have been used to describe those parasitic viruses which fulfil one of two essential stealth criteria: they change the length of infected programs and subsequently make the increase in file length ‘disappear’ when a DIR command is issued.

In stark contrast to those viruses which are fully stealth, semi-stealth viruses do not present a serious problem to anti-virus software developers, even when active in memory. A checksumming program will report that the infected program has been altered, while a virus scanner is able to read and analyse the program without difficulty.

8-10-16-24 Bytes and Climbing

A few months ago an editorial decision was made to extend VB virus identification patterns from 16 bytes to 24 bytes. (Back in July 1989, it was thought sufficient to publish identification patterns of just 8-10 bytes!)

Longer patterns have a lower chance of occurring by chance in a non-infected program, and increasing the average length of the identification string will generally have the effect of reducing false positive indications. Using longer strings has some side-effects, not all of which are necessarily desirable.

If long strings are used, it is not always possible to find ‘generic’ patterns for an entire family of viruses - separate patterns may have to be used for each variant. Some manufacturers of virus scanners actually prefer this, as the search patterns thus provide a primitive form of automatic variant identification. Other developers adopt a ‘scatter gun’ approach - patterns are selected in order to maximise the likelihood of detecting minor variants. The selection of longer patterns imposes certain limitations on the packages which employ the latter tactic - not least is the need to include more search patterns in the program’s search database than were previously considered necessary.

Another limiting factor of long search patterns is a consequent drop in the chances of detecting a new variant of a previously known virus. Primarily, this is because it might not be possible to isolate a long search pattern which does not contain absolute memory references. This problem can be partially resolved by using wildcards in place of any addresses or constants which might change.

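The following scanner is an added illustration, not code from the Bulletin, and it serves three passages at once: the editorial’s call to test a candidate pattern against a corpus of clean programs before publication, the ‘Smart Scanners Not So Brainy’ point that a window at each end of the file misses code inserted in the middle, and the use of ‘??’ wildcards above for bytes that vary between variants. All byte sequences are constructed (no real virus or DOS code), and the chance-match estimate assumes uniformly random bytes, which real programs are not.

```python
import random
import re

# Constructed sequences. COPIED_FROM_CLEAN plays the role of the block Gosia copied
# from COMMAND.COM; VIRUS_ONLY_CODE is found only in the virus.
COPIED_FROM_CLEAN = bytes.fromhex("8ba40f01c6a021e39c7740d1")
VIRUS_ONLY_CODE = bytes.fromhex("e2f90b5d7a4413c8916e35a7")


def filler(seed: int, n: int) -> bytes:
    """Seeded pseudo-random bytes standing in for ordinary program code."""
    return bytes(random.Random(seed).getrandbits(8) for _ in range(n))


# A clean utility that happens to contain the copied block, a virus sample, a host
# infected 'Brainy-style' with the code 6000 bytes into a 12012-byte file, and a
# small clean corpus to test candidate patterns against.
CLEAN_UTIL = filler(1, 3000) + COPIED_FROM_CLEAN + filler(2, 3000)
VIRUS_SAMPLE = VIRUS_ONLY_CODE + COPIED_FROM_CLEAN + filler(3, 500)
BRAINY_HOST = filler(4, 6000) + VIRUS_ONLY_CODE + filler(5, 6000)
CLEAN_CORPUS = {"clean_util": CLEAN_UTIL, "other_tool": filler(9, 8000)}

BAD_PATTERN = "8BA4 0F01 C6A0 21E3 9C77 40D1"       # drawn from the copied block
GOOD_PATTERN = "E2F9 0B5D 7A44 13C8 916E 35A7"      # drawn from virus-only code
WILDCARD_PATTERN = "E2F9 0B5D ???? 13C8 916E 35A7"  # '??' masks a two-byte address


def compile_pattern(text: str) -> re.Pattern:
    """VB-style hex string, grouped in 2-byte words, '??' = any byte -> bytes regex."""
    parts = []
    for token in text.split():
        if len(token) % 2:
            raise ValueError(f"odd-length token: {token}")
        for i in range(0, len(token), 2):
            pair = token[i:i + 2]
            parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def find_pattern(image: bytes, text: str):
    """Search the whole file; offset of the first match, or None."""
    m = compile_pattern(text).search(image)
    return m.start() if m else None


def find_pattern_at_ends(image: bytes, text: str, window: int = 4000):
    """What a 'smart' scanner does: look only at a window at each end of the file."""
    pat = compile_pattern(text)
    m = pat.search(image[:window])
    if m:
        return m.start()
    tail_start = max(0, len(image) - window)
    m = pat.search(image[tail_start:])
    return tail_start + m.start() if m else None


def false_positives(text: str, corpus: dict) -> list:
    """Clean programs a candidate pattern would flag: the check to run before publishing."""
    return [name for name, image in corpus.items() if find_pattern(image, text) is not None]


def expected_chance_matches(corpus_bytes: int, fixed_bytes: int) -> float:
    """Rough estimate of chance hits in corpus_bytes of uniformly random data for a
    pattern with fixed_bytes non-wildcard bytes; each extra byte divides it by 256."""
    return corpus_bytes / 256 ** fixed_bytes


if __name__ == "__main__":
    print("bad pattern flags:", false_positives(BAD_PATTERN, CLEAN_CORPUS))
    print("good pattern flags:", false_positives(GOOD_PATTERN, CLEAN_CORPUS))
    print("Brainy host, whole file:", find_pattern(BRAINY_HOST, GOOD_PATTERN))
    print("Brainy host, ends only:", find_pattern_at_ends(BRAINY_HOST, GOOD_PATTERN))
    print("wildcard pattern on sample:", find_pattern(VIRUS_SAMPLE, WILDCARD_PATTERN))
    for n in (8, 10, 16, 24):
        print(f"{n}-byte pattern, 100 MB corpus: {expected_chance_matches(100 << 20, n):.3g}")
```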
Virus Prevalence Tables

The distinction between ‘lab’ viruses and those found in the wild has been apparent for some time now, but until recently there has been a dearth of information about the prevalence of different viruses.

The following tables were produced from statistics collated by Virus Bulletin. Table 1 shows recorded virus infections during the period January 1st to October 31st 1991. Unfortunately, this information is incomplete, as careful recording of every virus incident was only implemented after the New Scotland Yard Computer Virus Strategy Group initiative in March of this year. Even following this initiative, incidents have gone unrecorded in the ‘fog of war’ - for instance the Spanish Telecom virus is much more widespread in the United Kingdom than table 1 indicates. The information in table 1 is also confused by the inclusion of non-UK reports, which somewhat diminishes its regional accuracy.

Table 2 provides more accurate and up-to-date data about virus prevalence in the United Kingdom. This shows incidents reported to VB during October 1991 and includes all verified reports of virus infection in the UK.

Virus Prevalence Table 1

This table shows the ten most prevalent viruses reported to Virus Bulletin between January and October 1991.

Virus Name         Reports   Total Infections (%)
New Zealand 2           68       25.66
Form                    23        8.68
Cascade                 19        7.17
Tequila                 18        6.79
Joshi                   14        5.28
Dark Avenger            14        5.28
Jerusalem               13        4.91
4K                      12        4.53
Spanish Telecom         11        4.15
Nomenklatura             8        3.02
Yankee                   8        3.02
Other                   57       21.5
Total                  265      100

A table will feature in each future edition of VB showing the ‘top ten’ viruses in the UK during the preceding month.

As Mark Twain said ‘there are lies, damned lies and statistics’ - the figures shown in these tables do not accurately portray the full extent of the problem in the UK as they do not include statistics from the myriad of other agencies involved in combating computer viruses.

Virus Prevalence Table 2

The following table is a breakdown of virus infections in the UK reported to Virus Bulletin during October 1991.

Virus Name         Reports   Total Infections (%)
Form                     9       22.5
New Zealand 2            8       20
Joshi                    5       12.5
Tequila                  4       10
Spanish Telecom          4       10
Michaelangelo            3        7.5
Cascade                  2        5
4K                       2        5
Nomenklatura             1        2.5
Jerusalem                1        2.5
Flip                     1        2.5
Total                   40      100

KNOWN IBM PC VIRUSES (UPDATE)

Updates and amendments to the Virus Bulletin Table of Known IBM PC Viruses as of 20th November 1991. Hexadecimal patterns may be used to detect the presence of a virus with a disk utility program, or preferably a dedicated virus scanner.

Type Codes
D = Infects DOS Boot Sector (logical sector 0 on disk)
E = EXE files
C = COM files
N = Not memory-resident after infection
M = Infects Master Boot Sector (Track 0, Head 0, Sector 1)
R = Memory-resident after infection
P = Companion virus
L = Link virus

Big Joke - CN: A harmless 1068 byte virus, which contains a long message, warning about a harmful variant soon to come.
Big Joke
558B EFCD 105D B9FF FF49 83F9 0075 FA46 59E2 DFE8 AA00 59E2

Blinker - CR: A 512 byte variant of Backtime (q.v.) and detected by the pattern for that virus. This also applies to a 496 byte variant which was made available as ‘Joker’.

Brainy - CR: A 1531 byte virus of Bulgarian origin, which appears to do nothing but replicate, but is interesting from a technical point of view because it may insert itself into the middle of another program, without modifying the program’s starting instructions. Brainy uses a simple ‘byte-swap’ encryption.
Brainy
1B90 8BEC 0E1F BC34 00FC AD86 C489 44FE 4444 81FC 0003 F272

Cascade-1701-S - CR: A minor modification of the Cascade virus, with the encryption routine changed, probably to bypass some scanner. Reported to be written in Sweden.
1701-S
FA8B ECE8 0000 5B81 EB31 01F6 872A 0101 740F 8DB7 4D01 BC82

CB 1530 - CER: This 1530 byte virus is detected by the previously published ‘Dark Avenger’ pattern.

CSL, Microelephant - CR: A 381 byte virus from Eastern Europe, which contains the text ‘26.07.91.Pre-released Microelephant by CSL’. This virus does nothing but replicate.
CSL
A184 008B C8B8 9200 BB84 0089 07A1 8600 8BD0 8CC0 8947 028E

Day/10 - CN: This 674 byte virus was made available to virus researchers under the name of ‘Numlock’, but that is just the name of the original sample. The effects of the virus have nothing to do with the NumLock key - instead it will overwrite the first 80 sectors on the hard disk, which only happens if the date of the month is divisible by 10.
Day/10
8E06 2C00 B900 10FC 33FF B050 F2AE 7518 B641 2638 3575 F347

DIR-II(1) - LCER: Two new variants of this virus, which was described last month, have now appeared. The following pattern will detect all three variants.
DIR-II(1)
26FF 77FE 26C5 1F8B 4015 3D70 0075 1091 C640 18FF 8B78 13C7

F-709 - CR: This 709 byte virus is reported to have originated either in Sweden or in Finland. It has not been fully analysed, but appears to do nothing but replicate.
F-709
8BF2 33FF F3A5 068C C633 C08E C026 A184 0026 8B0E 8600 0726

Gotcha-C - CER: A 906 byte variant of the Gotcha virus. Awaiting analysis.
Gotcha-C
9C3D DADA 7458 5251 5350 5657 1E06 3D00 6C74 4280 FC56 7426

Haifa - CER: A variable-length, self-modifying, encrypted virus from Israel. No search string is possible. Currently being analysed.

Hary Anto - CR: A 981 byte virus. Reported ‘in the wild’ in the UK. Currently being analysed.
Hary Anto
B904 00D3 E8BB 3E01 8907 40B9 0400 D3E0 505A 33C9 B800 428B

Hey You-928 - CER: Unlike an earlier 923 byte sample, this version replicates. Awaiting analysis.
Hey You
2181 F9C7 0772 1C80 FE02 7217 80FA 1972 1233 C08E C026 F606

Jabberwocky - CER: An 812 byte virus, containing the text ‘BEWARE THE JABBRWOCK’. Awaiting analysis.
Jabberwocky
0500 108E C0BE 0000 BF00 00B9 FFFF F3A4 1E07 89D6 BF00 01B9

Jerusalem-Nemesis - CER: A minor mutation of the original virus. Detected by the previously published Jerusalem-USA pattern.

Lozinsky-1018 - CER: A close relative of the 1023 byte variant previously reported.
Lozinsky-1018
E800 005E 2E8A 44FC BF20 0003 FEB9 CB03 2E30 0547 E2FA B8DD

Karin, Redstar - CN: This German virus adds either 1090 or 1134 bytes to the programs it infects. It is harmless, but will activate on October 23rd when it displays the message ‘Karin hat GEBURTSTAG’ (It’s Karin’s Birthday).
Karin
BB00 0153 F3A4 BE00 F8BF 8000 B980 00F3 A433 FF33 F633 C033

Kuku - CN: This 448 byte virus may infect files in an ordinary way, or overwrite them with a small program, which will display the word ‘Kuku!’ on the screen when it is run.
Kuku
241F 3C0A 750C B42C CD21 80E6 0775 E3BD 0100 A11A FA3D C501

Little Brother - P: A 299 byte ‘companion’ virus, which appears to be incomplete.
Little Brother
7418 5253 501E 063D 004B 7503 E810 0007 1F58 5B5A 9D2E FF2E

Maltese Amoeba, Irish, Grain of Sand - CER: A destructive virus which overwrites the first four sectors of tracks 0 to 29 of the hard disk, and any diskette in the disk drive, if the date is November 1st or March 15th (any year). A psychedelic screen effect follows. When the machine is powered up a fragment of a poem (Auguries of Innocence) by William Blake (1757-1827) appears on screen and the machine hangs. The virus employs self-modifying encryption. No search pattern is possible. (VB, Dec 91)

Minimal-30-B: This is in most respects the same virus as the Minimal-30 reported earlier, but it has been assembled with a different assembler, which has produced minor differences. At only 30 bytes this is currently the smallest known virus.
Minimal-30-B
3DBA 9E00 CD21 93B4 4089 F28B CECD 21C3

Mono-1063 - CR: A 1063 byte Polish virus, which deletes files when it activates if it is running on a PC with a monochrome display.
Mono
FDF3 A406 E800 0059 83C1 0651 CB2E 8C4F 048D 4FF6 F3A4 2E8C

MPS-OPC - CN: Three Polish viruses, 469, 640 and 654 bytes long. Awaiting analysis.
MPS 1.1
B447 CD21 5E8B FE81 C72D 0232 C0B9 4000 F2AE 4FC7 055C 00B9
MPS 3.1
0ADB 7441 B42C CD21 3ADA 7304 2AD3 EBF8 8ADA BA80 0203 D6B9
MPS 3.2
0ADB 7441 B42C CD21 3ADA 7304 2AD3 EBF8 8ADA BA8E 0203 D6B9

MSTU - CEN: This virus contains the text ‘This program was written in MSTU,1990’. Awaiting analysis. Virus length is 532 bytes.
MSTU
BB16 0026 8B07 3DEB 55C3 5E8B C6B1 04D3 E805 6400 0E5B 03C3

Pixel-897, 899A, 899B, 905 - CN: Four variants, which are all detected by the Pixel-936 pattern. Contains code to format track 1.

Plovdiv-1.3 - CR: This 1000 byte virus is related to the 800 byte Plovdiv virus reported last month. According to a text string inside the virus, it should be named ‘Damage’, but this name was rejected to avoid confusion with the Diamond/V1024-derived Damage virus. The virus is ‘semi-stealth’, hiding increases in file length when it is active.
Plovdiv 1.3
80E2 1F80 FA1E 7506 2681 6F1D E803 079D 5A5B EB02 CD32 CA02

Ps!ko - CER: A 1803 byte variant of the Eddie (Dark Avenger) virus, and detected by the same pattern as the original.

QMU-1513 - CR: This virus has not been fully analysed yet, but it appears to contain an entire boot sector.
QMU-1513
5053 8BDA B000 4338 0775 FBB8 4F4D 3947 FE74 04F9 EB02 90F8

Seventh son - CN: A 332 byte virus which contains the text ‘Seventh son of a seventh son’. It seems to do nothing but replicate.
Seventh son
1F5A B824 25CD 215A B801 33CD 210E 0E1F 07B8 0001 50C3 FCB8

Shaker - CR: A variant of Backtime, similar to Blinker, and probably written by the same author. Produces a ‘shaky’ screen when an infected program is run. Detected by the Backtime pattern (q.v.).

Simulation - CN: This is a variable length, self-modifying encrypted virus, which adds around 1300 bytes to the files it infects. When it activates it displays a message announcing the infection, or an effect or message which is normally associated with a different virus, such as April 1st (Suriv 1), Frodo, Datacrime or Devil’s Dance. No effective search pattern is possible.

Socha - CR: This 753 byte virus contains code which will only activate if the year is set to 1981. Awaiting analysis.
Socha
C0BF F5FF 268B 0547 4726 3305 4747 2633 0547 4726 3305 8D36

South African-623 - CN: This variant of the South African virus was discovered in New Zealand. It will activate on any Friday the 13th, just like the original, and is detected by the same pattern.

Spanz - CN: A 639 byte virus, which does not seem to do anything but replicate. It contains the text ‘INFECTED! * SPANZ *’.
Spanz
807D 043D 7506 83C7 051F EB0F B9FF 7F33 C0F2 AE80 3D00 75DB

Squeaker - CER: A 1091 byte virus awaiting analysis.
Squeaker
80FC 7F75 03B4 80CF 80FC 4B74 052E FF2E 2C00 5053 521E 06E8

StinkFoot - CN: This virus from South Africa uses instructions which do not exist on the 8088/8086 and it will crash on such machines. It adds 259 bytes to the beginning of files, and 995 bytes at the end.
StinkFoot
600E 59BA 0400 B435 B024 CD21 061F 890F 8957 0261 071F C31E

SVC 6.0 - MCER: A 4644 byte version of the SVC virus. This is a complex multipartite ‘stealth’ virus. (VB Dec 91)
SVC 6.0
8ED7 8BE3 FB06 5633 D2B4 84CD 215E 5681 FA90 1975 0A2E 3ABC

Tony - CN: This 200 byte Bulgarian virus will only infect files with a name starting with ‘B’ on the first day of any month. On the second day it will only infect files with a name beginning in ‘C’, and so on. The virus uses some curious undocumented features.
Tony
CC8C C880 C410 8EC0 BE00 0133 FF8B CEF3 A4BA 0001 B41A CCB4

V472 - CR: A 472 byte virus, probably from Eastern Europe, which does nothing but replicate.
V472
01D6 31DB 8EC3 BB84 0026 8B0F 890C 4646 4343 268B 0F89 0CBE

Vienna-656 - CN: A non-remarkable 656 byte variant.
Vienna-656
895C 018C 4403 07BA 6000 01F2 B41A CD21 0656 8E06 2C00 BF00

Vienna Dr. Q - CN: A 1161 byte variant, which includes encryption of the data area. Not yet analysed.
Vienna Dr.Q
8E06 2C00 BF00 005E 5683 C61A ACB9 0080 F2AE B904 00AC AE75

Violator-B - CN: This 716 byte variant is detected by the Violator pattern.

Violator-B3 - CN: An 843 byte virus, related to Violator and Christmas Violator and probably written by the same author(s).
Violator-B3
803E D003 0274 0B80 3ED0 0303 7407 C3CD 21C3 CD13 C3CD 26C3

Virdem-1542 - CN: A longer variant of the Virdem virus, but detected by the same pattern as the original.

W13-REQ! - CN: This 494 byte member of the W13 group contains the text ‘REQ ! Ltd (c) 18:41:22 3-I-1991’. It is of Polish origin.
REQ
8B4F 1683 E11E 83F9 1E74 EC81 7F1A 00FA 77E5 817F 1A10 0272

Reported Only

408 - CR: Does nothing but replicate.

1661 - CR: 1661 bytes.

1840 - CER: Adds 1838-1891 bytes to infected files. Contains the text ‘NV71.EXE’.

Cannabis: A Dutch boot sector virus.

Caz - CER: 1204 bytes.

Dutch Tiny - CER: A series of small viruses from The Netherlands.

Got-You - EN: Adds 3052-3067 bytes to the programs it infects. Will only replicate during the first half of the year, but activates in the second half, interfering with certain operations, such as printing over a network.

Grapje - CN: A 1039 byte virus from the Netherlands.

Hitchcock - CR: 1247 bytes. Plays music shortly after being installed.

Lowercase - CN: An 864 byte virus, which attempts to change ‘IBM’ to ‘ibm’. Probably the same virus as ‘864’ reported last month.

Manta - CN: 1077 bytes. Based on the VCS virus.

Miky - CER: A 2350 byte virus from Bolivia.

Mini-97 - CN: The smallest known non-overwriting virus at only 97 bytes. It reportedly originated in The Netherlands.

Newcom - CER: 3045-3060 bytes.

Pathhunt - CEN: 1231 bytes.

Pirate - CN: A 609 byte overwriting virus from Portugal.

Poem - CR: Adds 1825-1888 bytes to infected files. Activates on December 21st, displays a poem and overwrites the beginning of the hard disk. Originated in South Africa.

Pregnant - CR: A 1199 byte virus which may rename files to ‘PREGNANT’.

Relzfu - CN: Alias for the Fake-VirX virus reported last month.

Tokyo - ER: A 1258-1273 byte virus from Japan.

Topo - ER: 1542-1552 bytes. Reported to be related to the Mosquito virus.

LETTERS

Dirty Rotten Scoundrels...

18/10/91

TO BE PUBLISHED IN FULL OR NOT AT ALL.

re: Software Reviews

Before I wrote my note about your software reviews (September VB, p. 12) I carefully read the article, and also the ‘Protocol’ in the April issue. I did not notice the hardware specifications on page 8, but this is not surprising, as the protocol does not refer to them, and you apparently do not regard them as part of it, as you always refer to ‘published in VB, April 1991, pp.6-7’. In your comment on my letter you waxed indignant (always the first line of defence of the scoundrel) and then quoted ‘all comparative tests should be done on the same machine with exactly the same file configuration’. However this statement contains the following gaping holes:

i. It is not clear if this applies to all tests at any time, or only to a given series of tests.

ii. The protocol itself does not specify which machine should be used.

iii. The word ‘should’ implies a degree of flexibility; provided the reviewer does not live in Yorkshire, or provided the test was not done on a Sunday or what?

iv. The review in question considered a single program, so presumably it was not a comparative test, so this clause did not apply?

As Virus Bulletin is owned by an anti-viral software company its reviews will always be regarded with some suspicion. It can never establish a reputation for independence unless it convinces users that all products are treated in exactly the same way. To do this it is essential that you set up an ironclad specification which has no terms like ‘should’ or ‘at least’, and which specifies that all tests are done on a specific machine, and a specific set of disks, and that the arrangement of files on these are fully described. As an engineer I understand the word ‘specification’. I am not too sure what a ‘Protocol’ is, but I have noticed that the word is used mainly by diplomats, and of course diplomacy is the art of appearing to co-operate with the enemy without committing yourself in any way.

With Best Wishes,

R