ISSN 0956-9979
MAY 1996

THE INTERNATIONAL PUBLICATION ON COMPUTER VIRUS PREVENTION, RECOGNITION AND REMOVAL

Editor: Ian Whalley

Assistant Editor: Megan Skinner

Technical Editor: Jakub Kaminski

Consulting Editors:
Richard Ford, NCSA, USA
Edward Wilding, Network Security, UK

IN THIS ISSUE:

• Defending the macros. One of the most publicised
virus 'events' of last year was the appearance of macro
viruses, which have now spread world-wide. Close
behind it ran the vendors, with various fixes and cures.
Who has what, and how do they perform? See p.10 for
our evaluation.

• How much does 'crying wolf' cost? If there were a
virus incident in your company, how much would it be
likely to cost? And if it were to be a false alarm, have you
implemented adequate policies to be able to pinpoint it
immediately? Turn to p.16 for one company's experiences.

• Making outlaws popular? VB has just learned that the
infamous Mark Ludwig has released an 'update' to his
CD-ROM virus collection, first published some eighteen
months ago. See News page (p.3) for more information.
`
CONTENTS

EDITORIAL
Guarding Against Folly                                   2

VIRUS PREVALENCE TABLE                                   3

NEWS
1. Wanted: A Fistful of Dollars                          3
2. Outlaws Revisited                                     3

IBM PC VIRUSES (UPDATE)                                  4

VIRUS ANALYSES
1. SayNay: Making Itself Heard                           6
2. Winlamer                                              7
3. Waving the Flag                                       9

COMPARATIVE REVIEW
Macro Malarkey                                          10

FEATURE
Wacky Widgets, Wacky Costs: False Positives             16

PRODUCT REVIEWS
1. LANDesk Virus Protect v3.0                           18
2. ThunderBYTE                                          21

END NOTES & NEWS                                        24
`
VIRUS BULLETIN ©1996 Virus Bulletin Ltd, 21 The Quadrant, Abingdon, Oxfordshire, OX14 3YS,
England. Tel +44 1235 555139. /96/$0.00+2.50 No part of this publication may be reproduced, stored in a
retrieval system, or transmitted in any form without the prior written permission of the publishers.

BLUE COAT SYSTEMS - Exhibit 1004 Page 1

2 · VIRUS BULLETIN MAY 1996
`
EDITORIAL
`
`
Guarding Against Folly
`
Readers of VB will have noticed, over the last few years, the not-infrequent references to the
methods and ethics of the distribution of virus code. Distribution of such code is something against
which anti-virus people campaign, often falling foul of free-speech issues along the way. At the
National Computer Security Association's April conference, IVPC '96, the issues and their
difficulties were demonstrated in an uncomfortably close-to-home and pertinent fashion.

At this, the International Virus Prevention Conference, the NCSA offered delegates a 'book table',
which featured the latest books on the virus problem and general computer security, in addition to
old favourites - an excellent idea. The books were taken from those listed in the NCSA catalogue,
and offered for sale at a discount on the normal prices.

Amongst the titles was an unremarkable-looking work called Virus Detection and Elimination,
written by a Dane, Rune Skardhamar. The title blended perfectly with all the other virus-related
books on the stall; alas, its contents did not.

I was advised, late in the conference, to take a look at the book, and went to the stall to browse. My
initial impressions were poor - it is badly written, and contains numerous factual errors. Such
statements as 'Remember, no infection can occur by simple scanning for viruses, provided the
scanner is not itself infected' are inaccurate; indeed, downright dangerous. The crunch, however, is
that amongst the usual low-grade virus and anti-virus information, the book offers virus code.
Complete viruses - and this is where ethics become an issue ...

Whilst it is true that at least some of the virus code presented in Skardhamar's book does not work,
it is equally true that it can, with a minimum of effort, be made to produce a functioning virus.
However, this is not the most significant issue. The point is this: if an organisation such as the
NCSA, heavily involved as it purports to be in promoting a sensible attitude to distribution both of
virus code and virus-writing manuals, can miss a book as obvious in its content as this, what hope is
there for organisations with a less specific remit? How is a book-shop supposed to know that it
would be a bad idea to sell such a title if the fact escaped even the NCSA's notice?

Or did it? The NCSA was told of the dubious nature of the book in question - to my knowledge,
twice during IVPC '96. Some NCSA staff members were horrified (Mich Kabay, the NCSA's Director
of Education, foremost amongst them), and the book was at one point removed from the stall, only
to be reinstated later in the conference. I am reliably informed that one NCSA staff member even
used the stale argument: 'If we don't sell it, someone else will'. George Smith (author of the
American Eagle Publications book The Virus Creation Labs, and producer of the Crypt newsletter)
was one of the people to point out the book's contents during the course of the conference, yet it was
still on sale at the very end of the conference, when I obtained my copy.

Even this, however, was not all: the book had previously been reviewed by Smith, who described its
contents in such a way as to leave no doubt that the book would be unsuitable for sale by the NCSA,
in an issue of the Crypt newsletter which was available well before the conference from the NCSA's
own CompuServe forum.

By coincidence, whilst I was at the stall looking at the book, at the end of the conference, NCSA
President Dr Peter Tippett walked past. I took the opportunity to ask him whether he was aware that
the book contained virus source code, to which he replied: 'What are they going to do, scan it in?'

The NCSA is to be commended on having now removed the book from its catalogue and withdrawn
it from sale; however, the apparent lack of concern with which the issue was viewed at the conference,
and the initial reaction of the NCSA's figurehead and spokesman, is more than slightly worrying.

Juvenal's question, 'Quis custodiet ipsos custodes?' (Who is to guard the guards themselves?) has
never, alas, been more apt.
`
Prevalence Table - March 1996

Virus                 Type    Incidents   Reports

Concept               Macro      91        20.6%
Form.A                Boot       44        10.0%
AntiEXE.A             Boot       41         9.3%
Parity_Boot.B         Boot       30         6.8%
AntiCMOS.A            Boot       27         6.1%
Empire.Monkey.B       Boot       21         4.8%
Junkie                Multi      18         4.1%
Ripper                Boot       15         3.4%
NYB                   Boot       12         2.7%
EXEBug                Boot       10         2.3%
Sampo                 Boot       10         2.3%
Stoned.Angelina       Boot       10         2.3%
Telefonica            Multi      10         2.3%
WelcomB               Boot       10         2.3%
Manzon                File        9         2.0%
V-Sign                Boot        6         1.4%
Jumper.B              Boot        5         1.1%
Empire.Monkey.A       Boot        4         0.9%
Stoned.NoInt          Boot        4         0.9%
Unashamed             Boot        4         0.9%
Natas.4744            Multi       3         0.7%
Peter                 Boot        3         0.7%
Russian Flag          Boot        3         0.7%
Stealth_Boot.C        Boot        3         0.7%
AntiCMOS.Lixi         Boot        2         0.5%
Byway.A               Link        2         0.5%
Da'Boys               Boot        2         0.5%
Frodo.Frodo.A         File        2         0.5%
Quandary              Boot        2         0.5%
She_Has               Boot        2         0.5%
Stoned.Kiev           Boot        2         0.5%
Taipan.438            File        2         0.5%
Win.Tentacle          File        2         0.5%
Other [1]                        31         7.0%

Total                           442       100.0%

[1] The Prevalence Table also includes one report of each of the
following viruses: Anthrax, Boot.437, BootEXE.451, Burglar,
Cascade.1701.A, Cruel, Diablo, Disk_Killer, DiskWasher, DMV,
FITW, Floss, Form.B, Helloween, IntAA, J&M, Ken+Desmond,
MtE:Coffeeshop, Overboot, Peacekeeper, Pl1x, Quicky.1376,
Screaming_Fist.II.696, Screaming_Fist.650, SF2,
Stoned.Stonehenge, Stoned.Swedish_Disaster,
Stoned.W-Boot.A, Trojector.1463, Urkel,
Yankee_Doodle.TP.44.A.

NEWS

Wanted: A Fistful of Dollars

Cheyenne Software Inc has announced that on 15 April 1996
the company's board of directors unanimously rejected what
amounts to a hostile takeover bid from McAfee Associates.

ReiJane Huai, Cheyenne's President and CEO, had this to
say: 'Cheyenne's Board of Directors and management are
keenly focused on increasing shareholder value, and we
have carefully considered McAfee's request to discuss a
merger between our two companies. However, we believe
that the transaction proposed by McAfee is not in the best
interest of Cheyenne's shareholders.

'A transaction between McAfee and Cheyenne would likely
be highly dilutive to Cheyenne shareholders, and its value
would be dependent upon McAfee's ability to continue
growth rates in its primary business - anti-virus software -
at their historical pace ... We are skeptical of McAfee's
ability to maintain its current lofty valuation.'

Huai said further: 'In rejecting the McAfee proposal,
Cheyenne's Board of Directors was advised by Broadview
Associates LP, Cheyenne's investment banker, that the
implied exchange ratio resulting from McAfee's $27.50
stock-for-stock valuation is inadequate, from a financial
point of view, to Cheyenne shareholders ...

'While we are committed to examining any and every option
that will provide value to our shareholders, we will not
allow Cheyenne to be snapped up by an opportunistic
would-be predator at a discount to its true long-term value.'

Cheyenne sees the timing of the bid as an attempt to exploit
recent Cheyenne stock prices. Huai said: 'The valuation
proposed by McAfee also fails to take into account the
long-term strengths of Cheyenne.'

McAfee has taken over four other companies in the last two
years [see also End Notes and News, p.24]. For information
on Cheyenne, Tel +1 516 465 4000, or visit its Web site at
http://www.cheyenne.com/. McAfee can be contacted on Tel
+1 408 988 3832, or on the Web: http://www.mcafee.com/

Outlaws Revisited

Mark Ludwig's now infamous American Eagle Publications
has launched an updated version of their 'Outlaws of the
Wild West' CD. The new CD is said by its marketing blurb
to contain 'nearly three times as much information as the
first release'. The CD is also said to contain electronic
editions of back issues of such American Eagle publications
as CVDQ and The Underground Technology Review.

Virus Bulletin hopes to have more information on this new
CD in a forthcoming issue, but urges readers not to buy this
or any similar virus collections, for any purpose.
IBM PC VIRUSES (UPDATE)

The following is a list of updates and amendments to
the Virus Bulletin Table of Known IBM PC Viruses as
of 21 April 1996. Each entry consists of the virus name,
its aliases (if any) and the virus type. This is followed
by a short description (if available) and a 24-byte
hexadecimal search pattern to detect the presence of the
virus with a disk utility or a dedicated scanner which
contains a user-updatable pattern library.

Type Codes

C  Infects COM files
D  Infects DOS Boot Sector (logical sector 0 on disk)
E  Infects EXE files
L  Link virus
M  Infects Master Boot Sector (Track 0, Head 0, Sector 1)
N  Not memory-resident
P  Companion virus
R  Memory-resident after infection
`
4Seasons.1514
CR: A stealth, prepending, 1514-byte virus which contains the plain-text strings: '*.dat', 'chklist.cps',
'COMMAND' and the encrypted text: '* THE FOUR SEASONS VIRUS * (C) WET, PARIS 1991 * I
HAD MUCH FUN WRITING THIS VIRUS, I HOPE YOU HAVE FUN WITH IT TOO!! * MES
AMITIES A PATRICIA M., JE T'EMBRASSE TRES FORT ET JE PENSE A TOI *'.
4Seasons.1514    B877 67CD 213D 7386 7478 E8DE 03A1 0F06 80FC 0475 10B4 00B3

Baby.116
PR: A 116-byte virus residing in low memory. It contains the plain-text strings 'COCC' and 'EXCC'.
Baby.116         B43C CD95 8BD8 1EB9 7400 B440 33ED 8EDD BAE0 01CD 95B4 3ECD

Clonewar.551
P: A 551-byte virus which creates hidden, read-only files and contains the text: 'Beyond The rim of the
star-light My love Is wand'ring in star-flight I know He'll find in star-clustered reaches Love Strange love
a star woman teaches. I know His journey ends never His star trek Will go on forever. But tell him While
he wanders his starry sea Remember, remember me.' and '[TrekWar] *.EXE'.
Clonewar.551     B43C CD21 723A 93B9 2702 BA00 01B4 40CD 21B4 3ECD 21BA 5B02

Detic.1514
CER: An encrypted, appending, 1514-byte virus which contains the text 'C:\COMMAND.COM',
'C:\[_Free_D.]' (the name of a created directory), and '[Friends] Virus V 1.00 Virus Deticadet To My
ExFriends. Virus Written By [_Free_D.] Made In ALBANIA.'.
Detic.1514       B9AF 058B DE50 03F1 2E8A 4701 2E30 0743 E2F6 582E 3004 EB12

Hickup.1867
CER: A polymorphic, appending, 1867-byte virus which infects COM files only if they begin with a
'JMP' instruction (E9h). It contains the string 'V3HWPTVTBA VISACN'. The virus code includes a
procedure which formats the first hard disk.
Hickup.1867      8CC8 8ED8 8C54 7500 8EC0 83C6 7790 8BFF 8BFE B9D4 06FC AC34

HLLO.OJ.15788
EN: An overwriting, 15788-byte virus containing the text: 'O.J. Simpson in Guilty!' and 'cd\ *.exe cd\
cd\ *.exe rb+ rb wb %s ab rb rb'. A reliable search pattern for this virus is non-trivial.

Hole.476
CR: A stealth, appending, 476-byte virus which resides in the Interrupt Vector Table. All infected files
have their time-stamps set to 62 seconds, and every file has the text 'Asshole' located at the end of code.
Hole.476         B43F CD8B 8BF2 8B04 32C4 3C17 740B B800 57CD 8B53 F11F F6C1

Hue.482
CR: An appending, 482-byte virus which contains the plain-text strings: 'I am developing!!!' and 'Tu
Hue'. The latter is found at offset 0003h in all infected files.
Hue.482          B4CD CD21 3CDC 746B A102 002D 3F00 A302 008E C0BB F583 EE03

Ioe.239
CO: An overwriting, 239-byte, direct infector which displays the message: 'Internal opcode error.'
Ioe.239          B440 B9EF 0181 E900 01BA 0001 CD21 B43E CD21 4783 FF0F 75CD

Koufidis.1648
CR: A stealth, encrypted, appending, 1648-byte virus containing the text: 'Koufidis Series (c), Distortion
Utilities, Athens 92'. Since the virus keeps its code in memory encrypted, the template below, whilst
identifying infected files, does not detect the virus in memory.
Koufidis.1648    06EB 1490 2E8A 47FF 83C3 0B90 B94A 062E 2807 43E2 FAC3 ??BB

Major.1644
ER: An encrypted, appending, 1644-byte virus which contains the messages: 'The Major BBS Virus
created by Major tomwn to DOS)', '\BBSV6\BBSAUDIT.DAT', '\BBSV6\BBSUSR.DAT', 'Puppet',
'Image', 'Gnat', 'Minion', 'Cindy' and 'F'nor'.
Major.1644       028B C32B C603 F08B CA8B FB81 C730 0088 0D43 81FB 3B06 75DB

Mand.1061
CER: A stealth, appending, 1061-byte virus which avoids infecting files with the string '*MAND????' in
their names, and EXE files with the byte at offset 0Ah set to zero.
Mand.1061        C745 0352 00B4 F3CD 21E3 2856 06C6 4501 0841 8EC1 0E1F B911

NRLG.968
CR: A stealth, encrypted, 968-byte variant. It does not hide its presence in files of less than 1000 bytes.
NRLG.968         E800 005B FC36 8B2D 81ED 0301 2E80 3E41 01B9 743B B9C8 048D
`
NRLG.990
CR: A stealth, encrypted, 990-byte virus containing the text: '[NuKE] N.R.L.G. AZRAEL'.
NRLG.990         EB00 0088 FC36 882D B1ED 0301 2E80 3E4F 0189 7449 89DE 048D

Nado.838
CR: A stealth, 838-byte variant [see VB, April 1996] which contains the text: 'anti-vir.dat' and '[ Yitzak-
Rabin 1.00 (c) made by TorNado in Denmark'96]'. The stealth routine has the same bug as the original -
when the virus is active in memory, some clean files appear to be 838 bytes shorter.
Nado.838         3E88 961E 038D 8609 0089 6401 3114 4646 E2FA C3E8 0000 5D81

One_Half.3518
CEMR: A stealth, multi-partite, 3518-byte variant containing the text: 'A20 Error !!! Press any key to
continue ...' and '.COM.EXE SCAN CLEAN FINDVIRU GUARD NOD VSAFE MSAV CHKDSK'.
One_Half.3518    8859 5115 56C2 72F9 D4FF 88E0 8ED8 89C3 80C8 06FF 77FE FF37

PSMPC.227
CN: An appending, 227-byte direct infector; infects three files at a time; contains the string: '*.com'.
PSMPC.227        8002 E852 0084 4089 E300 8D96 0301 CD21 8801 572E 888E FE01

PSMPC.548
CEN: An encrypted, appending, 548-byte virus containing the text: '[MPC]', '[Skeleton]', 'Deke', '*.exe'
and '*.com'. All infected EXE files are marked with 'AD' at offset 0010h. The virus uses two slightly
different encryption schemes:
PSMPC.548        8F0A 018E ???? 2E81 04?? ??46 464F 75F6
PSMPC.548        8F0A 018E ???? 2E81 2C?? ??46 464F 75F6

PSMPC.808
EN: An appending, 808-byte virus which marks all infected files with 'PH' at offset 0010h from the
beginning of the file header. Because of a bug in its code, the virus reinfects already infected programs. Its
code contains a procedure to overwrite the hard disk, and includes the text (preceded by a run of slash
and backslash characters): 'NYC GEN 1 by CrAzY NuTz PEaCE To Da JizzA'.
PSMPC.808        A904 5048 5A58 58E8 4E00 0528 0383 D200 8109 50D3 E8D3 CAF9

Rainbow.2337
CEDMR: A multi-partite, 2337-byte variant of the Rainbow.2351 virus [see VB September 1995]. It
contains the same strings: 'HiAnMiT- roy g biv' and '*4U2NV*'. The following template detects
infected files and the virus active in memory.
Rainbow.2337     EB00 005E 83EE 0388 AD18 CD13 3DED DE75 450E 1F81 C65F 0781

Raveica.680
ER: An appending, 680-byte virus which displays the text 'Ha!Ha!!Ha!!! You Have The Raveica Virus V1.3!'
on 30 August. It contains a procedure to overwrite the hard disk.
Raveica.680      891E AB02 8C06 AD02 8A80 0088 2125 CD21 0E1F BCCB 3E28 9EA6

Raveica.764
ER: An appending, 764-byte virus which contains the text displayed on 30 August: 'Ha!Ha!!Ha!!! Ai un
virus! Pt. obtinerea devirusorului grabiti-va sa-l felicitati astazi pe Claudiu Raveica cu ocazia zilei de
nastere Adresa:Str:Marasesti Bl:11 App:15 Oras:Bacau Jud:Bacau Cod:5500'. The virus contains
another message, located at the end of all infected files: 'Bing cu bang'.
Raveica.764      891E FF02 8C06 0103 8A7F 0088 2125 CD21 0E1F 8CC8 3E28 9EE8

SillyC.302
CN: An appending, 302-byte direct infector which infects three files at a time. It contains the text
'*.COM', '????????COM' and 'GB 1.4'. The virus is detected by the following template, but also by the
string published in VB (August 1992) for the Ash virus.
SillyC.302       8D96 0801 892A 0184 40CD 2188 0042 9933 C9CD 2188 863D 0240

Syndrome.1485
CER: A stealth, encrypted, appending, 1485-byte virus containing the text: '[Syndrome virus (c) 1996 by
The Nuker]'. It reinfects infected files, creating programs with multiple copies of the virus.
Syndrome.1485    E81E 0088 861F 012E 8986 0C01 8D86 3301 89CE 022E 8134 ????

Tet.409
CN: An appending, 409-byte, direct, fast infector containing the plain-text strings: '*.com' and 'Just
booted ...'. All infected files are marked with the string '383' located at offset 0003h.
Tet.409          750F 807C 0438 7509 807C 0533 7503 E84A 9058 5380 02E8 8900

THU.890
CN: An appending, 890-byte, direct infector with the plain-text messages: '[THU.Suicidal.Dream.A](c)
1996 The Freak/The Hated Underground From the hypnotic spectre of wake I scream Locked in the depths
of a Suicidal Dream', '.com *.zip anti-vir.dat', 'Bad command or file name', and 'Happy Birthday Freaky!'.
THU.890          2E88 8EF9 032E 8886 3404 81C1 7D03 38C1 748E 2D03 002E 8986

TV_Nova.665
CR: An appending, 665-byte virus containing text displayed on the seventh day of every month: 'Virus
TV N O V A Extremly anti heuristic system Technical infos: All is S H I T Greets go to all virus
developing groups in Brno ! Czech republic96'.
TV_Nova.665      E800 005E 81EE F601 8800 35CD 218D 9415 0288 0025 CD21 4088

Vienna.480
CN: A 480-byte direct infector which infects one file at a time. It contains the text: 'These days ... 19 nov
1988 - "LENIN"'.
Vienna.480       8440 88FA 28D1 89E0 01CD 2173 03EB 3A90 3DE0 0175 3488 0042

Vienna.X.629
CN: A 629-byte direct infector. All infected files have the character 'X' at the end of the code. The virus
contains the text: '*.COM' and 'PATH='.
Vienna.X.629     B975 0290 8BD6 81EA E601 CD21 7220 3D75 0290 751A B800 42B9

Voices.1900
CER: A polymorphic, 1900-byte virus. It contains the strings: 'discharge', 'sofia', 'command.com', 'you
keep this love', 'tuturutki', 'possessed' and 'SUICIDAL TENDENCIES'. It is polymorphic: the
following template is the only one possible, but reliable detection requires more advanced techniques.
Voices.1900      EB00 005B 89DC 0531 ??0D 9043 EB00 E2F7
`
VIRUS ANALYSIS 1

SayNay: Making Itself Heard
Eugene Kaspersky

The new viruses I see every day may be divided into three
categories. First are the stupid viruses which are totally
uninteresting and have no new ideas (but of course they can
be fast infectors, and quite dangerous). Then come the
monsters intended to bend the minds of anti-virus gurus: it
seems that virus authors spend more time writing and
debugging their techno-children than anti-virus vendors
spend producing their detection and disinfection routines.
The last category contains curious viruses that bring us new
ideas - not always dangerous, but different.

Looking at curious viruses is much more rewarding than
looking at their destructive or polymorphic brethren. Sadly,
the latter appear more often. Unfortunately, the answer to
the question 'what's new in the virus field?' is usually 'ten
or more very dangerous and polymorphic viruses'.

But the box of curious viruses is not empty, and new ones
are sometimes found within - the latest is SayNay, a
5115-byte virus which, whilst not intentionally destructive,
is worthy of note as one of its two infection techniques is
very unusual.

COM File Infection

There are no surprises in SayNay's main infection routine.
The virus infects only COM files, and infected files have a
JMP instruction at the beginning: when such a file is
executed, the JMP passes control to the virus code.

When SayNay receives control, it gets its offset through a
standard method - it performs a CALL instruction, gets the
stack pointer and takes the word from the top of the stack.

Then the virus searches for COM files using the DOS
functions FindFirst/Next by name (Int 21h, AH=4Eh, 4Fh)
with the mask:

*.co?

and infects matching files in the current directory. During
infection, the virus reads nine bytes from the file header by
way of self-recognition, and looks for the ID-string 'SayNay'
starting at the third byte. If this is not found, it writes its
code to the end of the file, and overwrites the file header
with a JMP VIRUS instruction followed by its string:

E9 XX XX "SayNay"

Whilst it infects, the virus gets and later restores the file's
date and time stamp, and clears, but does not restore, the file
attributes. There is nothing interesting, nothing strange, in
this. It is just a very simple infection routine which occupies
only about 200 bytes.
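As an added example (not code from this article or from Virus Bulletin), the following Python scanner reads search patterns written the way the IBM PC Viruses update above lists them (4-hex-digit groups, '??' for a byte of any value) and applies one such pattern to the E9 XX XX "SayNay" header just described. The SAYNAY_HEADER pattern is written from that description rather than taken from the virus box, and the sample COM image is constructed.

```python
"""Wildcard hex-pattern scanner.

Added example, not code from Virus Bulletin or from the SayNay analysis.
It reads search patterns in the update's format (4-hex-digit groups,
'??' for a byte that may hold any value) and applies one of them to the
COM-file header that SayNay leaves behind in every infected program.
"""
from __future__ import annotations


def compile_pattern(text: str) -> tuple[bytes, bytes]:
    """Turn 'E9?? ??53 6179' into (value, mask) byte strings.

    A mask byte of 0xFF means 'compare this byte'; 0x00 means wildcard.
    A non-hex character (an OCR 'O' where '0' was meant, for instance)
    raises ValueError instead of yielding a pattern that can never match.
    """
    digits = text.replace(" ", "")
    if len(digits) % 2:
        raise ValueError("pattern must consist of whole bytes")
    value, mask = bytearray(), bytearray()
    for i in range(0, len(digits), 2):
        pair = digits[i:i + 2]
        if pair == "??":
            value.append(0x00)
            mask.append(0x00)
        else:
            value.append(int(pair, 16))
            mask.append(0xFF)
    return bytes(value), bytes(mask)


def find_pattern(data: bytes, pattern: str) -> list[int]:
    """Return every offset in data at which the pattern matches."""
    value, mask = compile_pattern(pattern)
    n = len(value)
    return [
        off
        for off in range(len(data) - n + 1)
        if all((b & m) == v for b, m, v in zip(data[off:off + n], mask, value))
    ]


# SayNay overwrites the host's first nine bytes with 'E9 XX XX' (a JMP to the
# appended virus body) followed by the six-byte marker 'SayNay'.  The JMP
# displacement differs for every host, so the pattern spells it with '??'.
# Pattern written from the article's description (assumption, not VB's own).
SAYNAY_HEADER = "E9?? ??53 6179 4E61 79"   # 53 61 79 4E 61 79 == b"SayNay"


def is_saynay_infected(com_image: bytes) -> bool:
    """Apply SayNay's own self-recognition test: JMP, then 'SayNay' at offset 3."""
    return find_pattern(com_image[:9], SAYNAY_HEADER) == [0]


def jmp_target(com_image: bytes) -> int:
    """Load-time offset (COM images load at 0100h) that the header JMP reaches."""
    disp = int.from_bytes(com_image[1:3], "little", signed=True)
    return 0x100 + 3 + disp


if __name__ == "__main__":
    # Constructed sample: a JMP with displacement 0x0210 over a padded host.
    sample = b"\xe9\x10\x02SayNay" + b"\x90" * 16
    print(is_saynay_infected(sample), hex(jmp_target(sample)))   # True 0x313
```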
`
From the Source's Mouth ...

The only point about SayNay which is interesting enough to
make me write this article is the fact that it may drop its own
source code into an ASM file. I cannot remember any
other virus which has an executable format (COM, EXE,
SYS, etc) and can do this as well.

To accomplish this, the virus contains its own encrypted
source code (4633 bytes) within its body (this is why the
virus is so long).

The source code is only dropped by SayNay if a user asks it
to do so. Before passing control to the infection routine, the
virus checks the command line arguments given to the host
program by the user. If the first argument starts with 'NAY',
the virus calls the dropper code.

First, the trigger routine displays a message to a lucky user:

Magic!
;)

Next it creates two files, called SAYNAY.ASM and
SAYNAY.BAT. Then the trigger routine decrypts both its
own source code from within the virus body, placing it in
the .ASM file, and some batch file commands, which it
places in the .BAT file.

When this is completed, SAYNAY.BAT contains the
commands:

TAsm /M2 SayNay.Asm
TLink /T SayNay.Obj
Copy /B SayNay.Com+SayNay.Asm

and SAYNAY.ASM contains the 4633 bytes which make up
the virus' source code.

As a result, there are two new files in the current directory.
The first contains the virus' source code; the latter,
instructions on how to compile the source to build the virus.

When it is executed, the BAT file executes the Borland
assembler and linker (if these are not present, the batch file
will fail) to make 'intermediate' virus code which contains
the binary code of the infection and the trigger routines, but
not the source text.

Then it appends the source text to the binary code by using the
COPY command. The resultant file (dropper) contains the
virus code along with the source in a non-encrypted form.
When executed, this dropper (called SAYNAY.COM)
encrypts this source before searching for and infecting any
COM files.

The cycle is now complete: the virus has produced its source
code and the batch file, the batch file has created the
dropper, and the dropper then infects files with the same
virus as the original.
`
Figure 1 (image not reproduced): Nuclear themes abound in recent viruses. SayNay is
the latest of these.

The Text Strings

The virus stores some text strings 'in clear' within its body:

SayNay
naysaynay.asm saynay.bat
Magic!
;)

All other strings (BAT commands and ASM source code)
are encrypted within the virus body. The BAT commands
are described above, and the ASM text contains the header
shown in Figure 1 above.

Conclusions

SayNay is a curious little virus; it could spread in the real
world via its primary infection technique, that of directly
infecting COM files. The secondary technique, however, is a
different matter. As this is only activated when the user
gives a specific command-line argument, in the real world
this will not become an issue.

SayNay

Aliases:          None known.

Type:             Non-memory-resident parasitic infector.

Infection:        COM files only.

Self-recognition in Files:
                  Compares six bytes at offset 3 in the file
                  with the string 'SayNay'.

Hex Pattern in Files:
                  FAEB 4F01 3E8B 6E00 81ED 0D01
                  FBBD B697 02BF 0001 B909 00F3
                  A4BE 8100 8DBE 6E02

Trigger:          Displays message, creates ASM and
                  BAT files. See analysis for details.

Removal:          Under clean system conditions identify
                  and replace infected files. Also look for
                  and delete the files SAYNAY.ASM and
                  SAYNAY.BAT.

VIRUS ANALYSIS 2

Winlamer
Igor G Muttik
`
It has now been some time since the appearance of the first
polymorphic virus. These have led, perhaps unsurprisingly,
to the development of polymorphic construction sets and
engines, which are available as executables, linkable object
files, and source code. It is a common occurrence to see a
highly polymorphic virus based on an engine, or using its
own generator: the very fact of their variability makes reliable
detection difficult. Until the appearance of Winlamer, such
viruses could infect only normal DOS executables. Why?

The answer to this is twofold. Apart from the obvious reason
that it is more difficult for a virus to infect a Windows
program than a COM file or a boot sector, under Windows,
program code is write-protected, so a program cannot
modify itself, and self-encrypting code cannot exist at all.
Therefore, at first sight, it may seem that the existence of a
polymorphic virus under Windows would be impossible.
Winlamer has overcome the problems involved, however,
and has thus become the first polymorphic virus for Windows.

Execution of the Infected File

Winlamer is a direct-action (non-resident) virus, which
infects NE-format programs. NE (New Executable) is the
standard format for 16-bit Windows applications; almost all
Windows 3.1 executable files use it.

When a Winlamer-infected file is executed, control passes to
the decryption routine. Winlamer, like all polymorphic
viruses, is encrypted: to get to the virus body, the polymorphic
code must first decrypt it. This implies that the virus must be
able to modify its own code; under Windows, remember,
code is write-protected when the program takes control.

To allow it to modify its host program, Winlamer uses a
simple and obvious method: it issues an Application Program
Interface call (DPMI/Windows API: Int 13h, AX=000Ah),
which duplicates the code segment selector to the AX
register. Then the virus assigns the obtained value to a data
segment selector (MOV DS,AX), meaning that for this data
segment, no restriction to modify its contents remains.

The API call is one of the first actions carried out by the
polymorphic decryptor: it is concealed by meaningless
garbage commands and is issued before the virus has
decrypted itself. When it gets write access to the encrypted
body, it begins decrypting itself, using a simple 'XOR [BX],
KeyByte' instruction. The decryption loop follows the API
call in the polymorphic decryptor.

The virus body takes control on decryption. The contents of
the DS register are restored, and Winlamer then issues a call
to check whether DPMI is loaded (Int 2Fh, AX=1686h).
`
This might seem strange, as the virus has already used a
DPMI service: Windows 3.1 has a built-in DPMI driver, so
under all circumstances the DPMI driver should be available.
If the virus detects that DPMI is not responding, control
passes to the host file. If the program is run under an artificial
environment (debugger/emulator), the virus will not replicate.

Then the virus allocates memory and sets the necessary access
rights (again using DPMI services). Its remaining actions are
similar to those of normal direct-action DOS viruses: get
DTA (Disk Transfer Area), get/save current directory, set
the current directory to \WINDOWS, and issue FindFirst/
FindNext (Int 21h, AH=4Eh,4Fh) calls until all available
victims are infected. Winlamer does not check whether the
WINDOWS directory exists, so will not infect if the name of
this directory was changed when Windows was installed.

The virus seeks and infects all EXE files with the signature
'NE' in the WINDOWS directory, but not those executables
with other extensions (e.g. screensavers in SCR files). It
tries to infect all NE-format files in the WINDOWS
directory in one go - the time it takes to do this is very noticeable.
When all victims are infected, control returns to the host file.

Winlamer appends its body to the victim file and sets the
nece
