ISSN 0956-9979

SEPTEMBER 1995

THE INTERNATIONAL PUBLICATION ON COMPUTER VIRUS PREVENTION, RECOGNITION AND REMOVAL

Editor: Ian Whalley

Assistant Editor: Megan Palfrey

Technical Editor: Jakub Kaminski

Consulting Editors:
Richard Ford, NCSA, USA
Edward Wilding, Network Security, UK

IN THIS ISSUE:

• All the colours of the Rainbow. A new virus, Rainbow, has appeared which utilizes circular extended partitions. What does this mean for the user? See the analysis on p.12, and our tutorial on the subject on p.14.

• Genus and species. A hoary problem for anti-virus researchers has always been the issue of virus naming. Great efforts are being made to standardise this process, and the first section of a two-part article by Dr David Hull (p.15) clarifies what is involved.

• Detecting a new way. Cheyenne Software is exploring pastures new; their latest product is InocuLAN for Windows NT. How does this product compare with the others in this growing field? Turn to p.18 to find out.

CONTENTS

EDITORIAL
When Techniques Jump Fences                                2

VIRUS PREVALENCE TABLE                                     3

NEWS
1. C+P+N+A+V = ?                                           3
2. ESaSS and Reflex Announce Alliance                      3
3. VB '95: Boston on the Horizon                           3

IBM PC VIRUSES (UPDATE)                                    4

INSIGHT
Igor Grebert: Carpe Diem                                   6

VIRUS ANALYSES
1. What a (Winword.)Concept                                8
2. Byway: The Return of Dir_II                            10
3. Rainbow: To Envy or to Hate                            12

TUTORIAL
Circular Extended Partitions: Round and Round with DOS    14

FEATURE
Computer Viruses: Naming and Classification               15

PRODUCT REVIEWS
1. InocuLAN for NT                                        18
2. IBM AntiVirus                                          21

END NOTES & NEWS                                          24

VIRUS BULLETIN ©1995 Virus Bulletin Ltd, 21 The Quadrant, Abingdon, Oxfordshire, OX14 3YS, England. Tel. +44 1235 555139. /95/$0.00+2.50 No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form without the prior written permission of the publishers.

BLUE COAT SYSTEMS - Exhibit 1012 Page 1

2 • VIRUS BULLETIN SEPTEMBER 1995

EDITORIAL

When Techniques Jump Fences

'New techniques are few and far between, but, like buses, they travel in packs'

This month's Virus Bulletin is perhaps not its usual self. Outwardly it appears the same, but inside, things are different, for it documents not one, but two new attack techniques which have appeared in recent weeks and months (see p.8 for an analysis of Winword.Concept, and pp.12-14 for information on the Rainbow virus).

This situation is somewhat analogous to the famous truism of waiting two hours for a bus, and then having three come along at once. New techniques are few and far between, but, like buses, they travel in packs.

A fairly good working definition of the expression 'new technique' is one which forces anti-virus manufacturers to make some design change to their products. A new polymorphic file infector does not, these days, meet this criterion - the vast majority are very similar, contain nothing new, and (once the producers have updated the virus databases of their products) present no great problem.

Both Winword.Concept and Rainbow meet this criterion, and so will (or should!) provoke some thought from anti-virus producers. Winword.Concept may induce concerns about whether or not to scan Microsoft Word files (.DOC and .DOT) - this in itself introduces a world of problems, as the formats of such files are non-obvious. However, Rainbow, which prevents a clean boot, appears to be the more awkward of the two.

The concept of clean booting before attempting to remove viruses is so fundamental to the way the current systems work that a virus which reliably prevents it is bound to cause problems. Rainbow does this on those versions of DOS which are most 'in the wild' (at least in the Western World) - MS-DOS v5 and above. It is quite within the realms of possibility that a site infected with such a virus would not have clean boot disks of a version earlier than that.

There is a world of difference between an anti-virus product stating that you must have a clean boot disk in order to clean up any infection, and that same product stating that you must have a variety of clean boot disks containing different versions of DOS to suit every occasion. The former is widely accepted, because this is how the system works - there is no real need for a product to deactivate a virus in memory, as a clean boot has always been the simpler course. Although the latter is much more annoying, it is possible that it will be the way people have to move.

In this, as much as in anything else, it is true to say that there is very little which is truly new. The concept of circular partition sectors (à la Rainbow) had already been described by the early 1990s, and the idea of a macro virus had been described (albeit in relation to Lotus 1-2-3) even before that. However, these techniques have now crossed the barrier dividing the world of research speculation from that of real viruses.

It is interesting to note how long such a crossing has taken - the ideas have been knocked around for so long, and yet have taken this many years to reach the other side of the fence. Well, yes and no: the theories have no doubt been known amongst the virus writers for almost exactly the same length of time as the researchers have known about them.

Whether or not these particular techniques become prevalent in the wild (either by way of the viruses described here, or by other viruses, developed later, which use the same ideas) remains to be seen. However, it does seem highly probable that more viruses using these techniques will appear, and this will only serve to highlight the need for anti-virus developers to find ways to make their products deal with them.

One thing is certain - jumping up and down and panicking about the end of the computing world as we know it is not going to help. Neither of these viruses, nor their techniques, spells doom for the anti-virus industry or modern computing; they simply mean we may have to think about some things slightly differently from now on.

VIRUS BULLETIN SEPTEMBER 1995 • 3

NEWS

C+P+N+A+V = ?

Speculation on the future of Central Point Anti-Virus has risen once again, with the imminent release of Microsoft's Windows 95. Central Point Software was subsumed by the giant conglomerate Symantec Corporation last year, and ever since then, industry has been discussing whether or not CPAV would be incorporated into the current Symantec product, Norton Anti-Virus (NAV).

Fraser Hutton, a spokesman for Symantec UK, has firmly denied the latest round of scuttlebutt, stating that all extant platforms of CPAV would, for the foreseeable future, continue to be maintained and supported. He did confirm, however, that the new Symantec anti-virus products for Windows NT and for Windows 95 would go under the name of Norton Anti-Virus, although they would incorporate some features currently specific to Central Point Anti-Virus.

'Our corporate decision has been to continue to maintain and support Central Point Anti-Virus,' said Hutton. 'The product is very popular in the market-place, and has strong customer support. There are absolutely no plans to discontinue its production.'

ESaSS and Reflex Announce Alliance

Following the May agreement between Norman Data Defense Systems and the Dutch anti-virus software developer ESaSS BV (producers of the ThunderBYTE anti-virus utilities), a further collaboration has been announced between the UK company Reflex Magnetics (producers of Disknet, the security package) and ESaSS.

With immediate effect, the two companies will integrate their development teams and pool their technology to build their next generation of anti-virus and security products. Each company, through the agreement, gains the right to market the new products throughout the world, with the exception of 'home territory'.

In a press release, John Buckle, Managing Director of Reflex, said: 'By combining the technologies of the two companies, we are set to take the market by storm ... Through tighter integration of our joint technology, ESaSS and Reflex are set to become the definitive providers of PC security solutions.'

Dick Geheniau, vice-president of ESaSS BV, commented: 'This strategic alliance will translate our technological excellence into increased market share. This closer working relationship is just the beginning. Expect great things.'

Further information on this alliance is available from ESaSS BV (Dick Geheniau) on Tel +31 889 422282, or from Reflex Magnetics (Rae Sutton) on Tel +44 171 372 6666.

Virus Prevalence Table - July 1995

Virus                  Incidents    Reports (%)
Form                       28          18.9%
Parity Boot                23          15.5%
NYB                        13           8.8%
AntiEXE                    10           6.8%
Sampo                       7           4.7%
JackRipper                  7           4.7%
Monkey.B                    6           4.1%
AntiCMOS                    5           3.4%
One Half                    5           3.4%
Stoned.Angelina             5           3.4%
Junkie                      4           2.7%
Viresc                      4           2.7%
Leandro                     3           2.0%
Bupt                        2           1.4%
Stoned.Manitoba             2           1.4%
Stoned.Standard             2           1.4%
Other                      22          14.9%

Total                     148           100%

[The table's footnote listing the further viruses counted under 'Other' is illegible in the scan.]

`
VB '95: Boston on the Horizon

From 20-22 September 1995, the Fifth Annual Virus Bulletin Conference will be held at the Park Plaza Hotel in Boston, Massachusetts. This will be the first time this highly successful gathering has been held in the United States.

The conference key-note speaker is the highly-acclaimed virus researcher, Dr Harold Highland. Many experts will address a wide range of issues, including the susceptibility of NetWare, Windows NT, Windows 95 and Unix to virus infection, viruses on the Internet and in a corporate environment, and heuristics.

The two-and-a-half day conference will consist of three streams graded according to technical content, and will also feature an exhibition by security soft- and hardware vendors. The partners' programme will feature a tour of the city, and visits to local sites of historical significance.

The fee for the event is £595 (US$895), and VB subscribers qualify for a £50 discount. Information is available from the conference manager, Petra Duffield, on: Tel +44 1235 555139, fax +44 1235 531889.

4 • VIRUS BULLETIN SEPTEMBER 1995

IBM PC VIRUSES (UPDATE)

The following is a list of updates and amendments to the Virus Bulletin Table of Known IBM PC Viruses as of 21 August 1995. Each entry consists of the virus name, its aliases (if any) and the virus type. This is followed by a short description (if available) and a 24-byte hexadecimal search pattern to detect the presence of the virus with a disk utility or a dedicated scanner which contains a user-updatable pattern library.

Type Codes

C  Infects COM files
D  Infects DOS Boot Sector (logical sector 0 on disk)
E  Infects EXE files
L  Link virus
M  Infects Master Boot Sector (Track 0, Head 0, Sector 1)
N  Not memory-resident
P  Companion virus
R  Memory-resident after infection
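The search patterns in this table are meant to be fed to a disk utility or to a scanner with a user-updatable pattern library. As an added example that is not a Virus Bulletin or vendor tool, the Python below parses pattern lines in the table's format, rejects malformed ones, and finds the patterns in a byte buffer or in data read in blocks, including a pattern that straddles two reads; the Baba.353 line is copied from this update (with the scan's letter-for-digit confusions corrected), while EXAMPLE.000 and the sample image are constructed.

```python
"""Scanner for the 24-byte hex search patterns printed in Virus Bulletin's
'IBM PC Viruses (Update)' tables.  Added example; not a Virus Bulletin tool.
A pattern line is twelve groups of four hex digits (24 bytes) taken from the
virus body; a file or sector containing those bytes is reported."""
import re
from typing import Dict, Iterable, List, Tuple

# Baba.353 is copied from this issue's table.  EXAMPLE.000 is a constructed
# placeholder, not a real signature, present only so that more than one
# pattern is checked per pass.
PATTERNS: Dict[str, str] = {
    "Baba.353": "BF00 0181 C646 01B9 0400 FCF3 A45E B8BA BACD 213D CCFA 7503",
    "EXAMPLE.000": "DEAD BEEF 0102 0304 0506 0708 090A 0B0C 0D0E 0F10 1112 1314",
}

# Exactly twelve 4-digit hex groups.  Anything else (wrong length, a letter O
# or l where a scan or typist meant 0 or 1) is rejected, not silently mangled.
PATTERN_RE = re.compile(r"^(?:[0-9A-F]{4} ){11}[0-9A-F]{4}$")
PATTERN_LEN = 24

Hit = Tuple[str, int]          # (virus name, byte offset)


def is_valid_pattern(text: str) -> bool:
    """True if text is a well-formed VB search pattern."""
    return PATTERN_RE.match(" ".join(text.upper().split())) is not None


def parse_pattern(text: str) -> bytes:
    """Convert a VB pattern line to the raw bytes to search for."""
    cleaned = " ".join(text.upper().split())
    if not PATTERN_RE.match(cleaned):
        raise ValueError(f"not a 24-byte VB search pattern: {text!r}")
    return bytes.fromhex(cleaned.replace(" ", ""))


def compile_patterns(table: Dict[str, str]) -> Dict[str, bytes]:
    """Parse every pattern once, keyed by virus name."""
    return {name: parse_pattern(line) for name, line in table.items()}


def scan_buffer(data: bytes, sigs: Dict[str, bytes]) -> List[Hit]:
    """Every occurrence of every pattern in data, ordered by offset."""
    hits: List[Hit] = []
    for name, sig in sigs.items():
        pos = data.find(sig)
        while pos != -1:
            hits.append((name, pos))
            pos = data.find(sig, pos + 1)
    return sorted(hits, key=lambda h: (h[1], h[0]))


def scan_chunks(chunks: Iterable[bytes], sigs: Dict[str, bytes]) -> List[Hit]:
    """Scan data delivered in pieces (sector reads, a file read in blocks).
    The last PATTERN_LEN-1 bytes of each window are carried into the next, so
    a pattern split across two reads is still found; offsets are relative to
    the start of the stream.  Consecutive windows share fewer bytes than a
    pattern is long, so no match can be reported twice."""
    carry = PATTERN_LEN - 1
    tail, base = b"", 0            # base: absolute offset of tail[0]
    hits: List[Hit] = []
    for chunk in chunks:
        window = tail + chunk
        hits.extend((name, base + off) for name, off in scan_buffer(window, sigs))
        if len(window) > carry:
            base += len(window) - carry
            tail = window[-carry:]
        else:
            tail = window
    return hits


def chunked(data: bytes, size: int) -> List[bytes]:
    """Split a buffer into fixed-size pieces (simulates block reads)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


# Constructed sample 'COM file': a jump, 300 NOPs, the 24 bytes that match
# Baba.353 at offset 303, then trailing zeros.  Not a real infected file.
SAMPLE_IMAGE = (b"\xe9\x00\x01" + b"\x90" * 300
                + parse_pattern(PATTERNS["Baba.353"]) + b"\x00" * 50)


def demo() -> List[Hit]:
    """Scan the sample in 310-byte blocks, which splits the Baba.353 bytes
    across two reads.  A hit identifies the bytes, not a confirmed infection:
    confirm (e.g. against a known-clean copy) before any clean-up action."""
    return scan_chunks(chunked(SAMPLE_IMAGE, 310), compile_patterns(PATTERNS))


if __name__ == "__main__":
    for name, offset in demo():
        print(f"{name} pattern found at offset {offset:#06x}")
```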

Amazon Queen.468
  CER: An appending, 468-byte virus which installs itself in the Interrupt Vector Table. It contains the plain-text messages: 'Amazon Queen ... v1.0', 'WHY?' and 'LoRD ZerO'.
  E800 005D 81ED 0300 0E1F 06B4 ACCD 213C 3075 0B2E 3B9E D001

Amazon Queen.479
  CER: An appending, 479-byte variant with the text: 'Amazon Queen ... v1.1', 'WHY?' and 'LoRD ZerO'. The first message may be displayed if an infected program is executed and the virus is active in memory.
  0E1F E800 005D 81ED 0500 06B4 ACCD 213C 3075 132E 3B9E DB01

Amazon Queen.500
  CER: An appending, 500-byte variant with the text: 'Amazon Queen ... v2.0', 'WHY?' and 'LoRD ZerO'. The first message may be displayed if an infected program is executed and the virus is active in memory.
  81ED 0500 4444 06FF 86F2 01B4 ACCD 213C 3075 132E 3B9E F001

Baba.353
  CR: An appending, 353-byte variant, named after its 'Are you there?' call: AX=BABAh; Int 21h returns AX=FACCh. It contains the text '=>COMMAND.COM<='.
  BF00 0181 C646 01B9 0400 FCF3 A45E B8BA BACD 213D CCFA 7503

Blue Nine
  CR: An appending 925-byte virus with stealth capabilities, which contains the plain-text message: 'Blue Nine Virus by Conzouler 1994'. Of the two known minor variants, B has 'NOP' instructions in its code.
  Blue Nine.A  50B4 30B9 9A02 CD21 81F9 BC01 7466 3C03 7262 8CC3 4B8E C326
  Blue Nine.B  50B4 30B9 9A02 CD21 81F9 BC01 7467 3C03 7263 8CC3 4B8E C326

Breeder.4206
  PR: An encrypted, 4206-byte companion virus which contains the encrypted text: 'File0000.000 = \RENCODES.BRE'.
  8D36 1F01 8BFE 8016 1F01 8D0E 7D0A 2BCA FCAC D0C8 AAE2 FAE9

Diddler.91
  CNO: A simple, overwriting, 91-byte virus which infects the first file in the current directory. It contains the text: '*.com Diddler 95 (newbee)'.
  0AC0 752D B002 BA9E 00B4 3DCD 2193 B95B 00BA 0001 B440 CD21

Diddler.190
  CN: A simple, appending, 190-byte direct infector with the text: 'Diddler[Newbie] Evolved *.c?m'.
  7242 B43F B903 0080 96BE 01CD 213E 80BE BE01 E974 2F3E 8B86

Elaine.1127
  CER: An appending, 1127-byte virus which contains the text: 'Elaine 1.0 28 May 1994'. As a payload, the virus hooks Int 13h (functions 03h, 0Bh). When active in memory, it may corrupt data in the write buffer (random changes to the first byte in the buffer).
  B813 35CD 2189 9C1B 008C 8410 00B8 FE4B CD21 3D11 1174 4DB8

Fistik
  CER: An appending, 1280-byte (COM files) or 1536-byte (EXE files) virus containing the plain-text message 'Dnyalar Tat!', displayed when the virus is active in memory and has infected five files.
  CF3D 004B 7405 2EFF 2E32 012E 803E 3101 0572 03E9 0C02 2E8C

Forget.1203
  CER: An appending, 1203-byte virus which marks all infected files by putting the byte CCh at the end of programs. In January 1995 it displays the (normally encrypted) message: 'Forget it, I'm lazy today!'.
  FCF3 A45E 1F06 B84D 0050 CBB8 43FD BB12 00CD 213D 1256 741A

Human Greed.666
  ENO: An encrypted, overwriting, 666-byte virus which infects files on drive C. The long message included in the virus body begins: 'That is not dead ...' and ends: '... *** HUMAN GREED *** The answer of all evil on earth! Do You Belive? Farwell!'.
  BE2F 018B 1616 01B9 3301 2E31 1483 C602 E803 00E2 F5C3 C386

Istanbul.1349
  CER: An appending, 1349-byte virus containing the text: 'Anti-Virus??Written in the city of Istanbul (c) 1993' and 'Installed'.
  3024 4675 04B8 3434 CF3D 004B 7402 EB6E 5156 5706 5053 521E

VIRUS BULLETIN SEPTEMBER 1995 • 5

John
  CN: Appending, 1962-byte, direct, fast infector. It displays at random two screens of information on John Buchanan (better known as Aristotle). Infected files start with the plain-text message: 'Ari is a NARC'.
  818E 8A08 405A 7437 818E 8008 4172 742F 8802 4233 C933 02CD

Maresme
  ER: An appending, 1062-byte, encrypted virus containing the text: 'Virus Maresme Show by XUTE !!!'.
  0003 F388 FE88 9711 0389 E603 AC32 C22A C2CD 01AA CD1C E2F4

Milikk
  CR: An appending, 1020-byte virus with stealth capabilities, which corrupts the MBS. The virus remembers how often an infected file was executed and keeps the counter inside the MBS of the first hard disk. After 150 infections, it overwrites the boot procedure with its own code. When the system is next started, the text 'M IL I K K' appears in the centre of the screen. After a keystroke, the operating system is loaded as usual.
  E800 D08E 88F4 FF81 EE46 04CD 2130 0800 7503 F972 180E 1F0E

Ohlala.1960
  CEN: An encrypted, appending, 1960-byte, direct infector which infects six files at a time (three COM, three EXE). It contains the encrypted text: 'Ohhhh La La! Mommmmy, they are teasing me again Shut up you little sonsuvbitches' and '*.MS *VIR.DAT COMMAND'.
  8800 002E 8A04 2E30 8129 002E 8A81 2900 89FE 29C6 434E E2E8

OS.840
  CR: An appending, 840-byte virus which marks all infected files with the string 'OS' placed at the end of programs. It contains only one ASCII string: 'c:\command.com'.
  80FC FF75 0384 FECF 3021 2575 01CF 3000 4874 03E9 AA01 5053

RiP
  CR: An appending, 3214-byte virus with the plain-text messages: '>-[RiP]-<' and 'RADICAL_iNVADiNG_pARASiTE (RiP)-ViRUS, iN 94/95 BY AeMISc, SAYZ Hi 2 U!'. When active in memory, the virus infects an executed COM file and one file in the current directory.
  897F 008E 8000 F3A4 C388 8552 CD2F 3007 0375 03E9 F900 8F39

SillyC.140
  CN: A simple, appending, 140-byte, fast direct infector. Unlikely to become common in the wild, since it spreads only under DOS 2.11 and when the Country Specifier is set to 2Eh (Sweden).
  81ED 0701 8086 8C01 8F00 0157 A5A5 8438 CD21 3C2E 7512 841A

SillyC.190
  CN: A simple, appending, 190-byte virus which infects one file at a time. It contains the string: '*.COM'.
  A300 018A 45FC A202 0184 1A81 C782 0088 07CD 21E4 4E33 C981

SillyRC.212
  CR: A simple, appending, 212-byte virus which marks all infected files by setting the last byte to 0EAh.
  A8A4 C330 7742 7501 CF30 004E 756C 5053 5152 1EE8 8230 CD21

SillyRC.476
  CR: Appending, 476-byte virus, similar to SillyRC.212. It contains the plain-text messages: 'Subconsious virus - Conzouler IIR 1995' and 'Mina tankar r det sista som ni tar ...'. It also hooks Int 08h and displays for a moment every seven seconds the text: 'LOVE LOVE LOVE LOVE LOVE LOVE LOVE LOVE'.
  4F56 4530 7742 7501 CF30 004E 756C 5053 5152 1EE8 8230 CD21

Sofia.432
  CR: An appending, 432-byte virus which installs itself in the Interrupt Vector Table. It contains the plain-text messages: 'This Virus is named after a very nice, clever and cute girl, Sofia', 'Sweden', and 'LoRD ZerO'. The virus creates one hidden, 7-byte long file called 'SOFIA'.
  9C80 FC48 7438 30EE 8E74 1030 0378 7512 80FF 1975 0081 FF4C

Sofia.528
  CR: An appending, 528-byte variant of Sofia.432. It resides in the same area, contains the same messages and creates an identical, hidden file. It intercepts two more functions (11h and 12h) of Int 21h.
  9C80 FC11 742C 80FC 1274 2780 FC4E 7473 308E 8E74 5530 0378

Taurus.562
  CR: An appending, 562-byte virus containing the encrypted text: 'Happy New Year!' The message is displayed in January, every day between 2:30pm (14:30) and 3:00pm (15:00). The virus reinfects already-infected programs, files growing by 562 bytes with each new infection.
  8821 258A C900 1E06 1FC0 211F 8F14 033E 8803 4747 3E88 1847

TeaForTwo
  CR: An appending, 1024-byte virus containing the plain-text message 'T42 Tea for two!' at the end of infected programs. It was written as a multi-partite virus infecting DOS boot sectors on floppies and files. The copy investigated contains a minor bug, so the virus hooks Int 13h, overwriting some sectors but making diskettes unbootable. The bug is easy to repair, so we will probably see a fix in the near future.
  88FF 2501 E040 CD21 8425 00E4 88FF FFCD 2181 E880 0084 2500

VCL.279
  CNP: A 279-byte companion virus containing the text: '[VCL_MUT] The Pleasure 2 VirusEver have the pleasure?By eMplrE-X'.
  8903 0051 E808 0059 E2F9 5884 4CCD 218A 2C01 E807 00C3 2A2E

VCL.316
  CNP: A 316-byte companion virus containing the text: '[VCL_MUT] The Pleasure 6 VirusEver have the pleasure?By eMpirE-X'.
  E903 0051 E808 0059 E2F9 5884 4CCD 2155 88EC 83EC 4084 4732

Virogen.1535
  CER: Polymorphic, appending, minor 1535-byte variant containing the encrypted text: '(c) 1993 Virogen ASeXual Virus v1.00'. It can be detected in memory with the pattern for variant 1520 (see VB July 1995).

6 • VIRUS BULLETIN SEPTEMBER 1995

INSIGHT

Igor Grebert: Carpe Diem

Igor Grebert belongs to a family whose interest in computers reaches back through two generations. He was born on the French Riviera, and grew up in Paris, though he travelled extensively in Europe and the USA. 'Most of my summers,' he said, 'were spent on the beaches around Cannes; sailing, windsurfing, or fishing for sea urchins.'

Family involvement with computers stretches back to the 1970s: 'My uncle and my father designed their own computer called ALVAN in the early 70s. My uncle, Alain Grebert, headed a team of engineers in Philadelphia: they designed a mini-computer around a new language they had developed. It was the first computer I ever programmed - I was eight.'

This exposure led him to the TRS-80 and the Apple: games held no interest for Grebert; he was driven to make machines do what he wanted. Later, Grebert studied at one of France's famous engineering schools, L'Ecole Centrale de Paris, where he majored in Bio-technology. His special interest was brain simulation: 'In my opinion, there was something missing in the AI field then, and I wanted to understand better what it was.'

Living in America

Grebert fulfilled his military obligations doing research into pattern recognition through neural networks at Stanford University in the US: 'I was working with Boeing; playing with ideas on making planes land with an improved version of automatic pilots using neural network techniques.'

A few years prior to this, he had met John McAfee, who was at the time working on a PC voice recognition board - Grebert was handling the application programming of the boards in France. This led eventually to a job offer, addressing user interface issues on the McAfee anti-virus product.

'That was fun,' reminisced Grebert, 'but after a few weeks there, he challenged me with the Number_of_the_Beast virus, asking me to write a remover for it. That was the beginning of my involvement with PC viruses.'

Then came 512: 'We call it the Stealth,' he said. 'It's kind of interesting to play with a stealth virus at first - I was pretty foolish that time; I was standing there and telling him, "No, John, it doesn't infect, there is nothing, look at it!". That experience made me learn pretty quickly, and I've been learning constantly ever since.'

He still remembers his first encounter with a customer virus problem, a Jerusalem variant which played Frere Jacques: 'It triggered a reaction; it was a challenge. 512 was programming; stuff I played with - suddenly, it was affecting customers, people, companies. It was only then I understood that what we were doing was helping - I mean, that company had nothing to do with viruses; it damaged all their backups; made them lose time. They didn't deserve all that.'

The World of Viruses

Grebert has not seen anything really new for over a year now: 'Every new virus we see today belongs to a category which already exists,' he explained. 'This is a contrast to previous years, which makes me think that virus authors are running out of ideas. I believe there will be little change for the next year or so. Then, probably, we will see a few new techniques, but I do not foresee anything radically different.'

Grebert believes that no single anti-virus technique is sufficient to ensure a virus-free environment. Heuristics alone, he believes, will not allow for detection of existing viruses: 'This is why we offer multiple products, and use multiple technologies in our scanners. I believe that we have already integrated the best part of heuristics in our tools and in our scanner, and are now fine-tuning them constantly.'

Heuristics, in his view, have merit, but one must be cautious as to how they are implemented - the inherent risk is false alarm. The future, he feels, is in the harmonious integration of techniques which allow reliable and generic detection of viruses. He sees the best answer to polymorphic viruses as improving virus-specific detection to enable their detection and identification: 'There are simple ways,' he stated, 'to handle these, which are time-effective, and reliable.'

Ethically Speaking

Grebert has definite opinions on virus-writing: 'There is a dilemma between preserving the right of expression and protection against crimes,' he said. 'One should be allowed to play with such ideas as self-replicating code, as long as the environment is strictly controlled, but no-one should be able to force me to run a program I do not want to run on my own machines. Between the two is a fine line which the legal system has yet to define satisfactorily.'

The very thought of virus-writing is alien to Grebert - his only contact with virus authors is through their creations. He has never created a self-replicating program, feeling his time is better spent doing other things: 'The idea of adding the ability to spread has never struck me as interesting,' he said. 'If I have a message, I can use other means to convey it.'

He professes himself disgusted by the amount of time, money, and effort the world has lost over viruses, and does his utmost to counter this, anticipating what the next threat might be, and preparing programs to handle them as soon as possible. 'To do this I do not need to write any such code,' he explained. 'I simply explore the OS internals.'

VIRUS BULLETIN SEPTEMBER 1995 • 7

In the Office

Grebert is currently Manager of Research and Development at McAfee: 'One of many!' he laughed. 'The anti-virus stuff is what I've been focusing on, but we have network management, we have utilities for Windows, we have a replacement for the shell program, and so on ...'

Grebert's brief is to find better ways to handle viruses, or to automate the way in which they are processed: 'We retired the older version of our product, and are moving towards a new, more compatible version that goes across platforms, that requires less work from the programmers,' he explained. 'We don't have to rewrite the Windows or the OS/2 parts - it's all integrated, and makes for a very easy-to-use development platform. That was the challenge for our team.'

There are still challenges, however - integrating his knowledge of viruses to a point where the process of detection and removal is almost automatic: 'It's what we have to do! The scanner is the ultimate holder of the technology you've put together. We want the amount of work that has to happen to look at an ordinary virus to be no more than about an hour.

'This is inside a development scheme: you receive the file, someone looks at it, another answers the customer: there's a whole process. The amount of work (granted the virus infects nicely) is a few hours, including removal. When it starts to use techniques which are a little hairier, you need a little more time - but I believe this too can be automated.'

Inside Outside

Though Grebert admits that he was once a 'pizza-and-coke' programmer who routinely worked 80 hours a week, he does now take time out: 'I enjoy going away. I've just come back from Lake Tahoe - it's only a few hours from the Bay, so it's somewhere to go for the weekend. When I travel on business, I often end up spending the weekend in various cities. I like to windsurf - there are places here where I can do that.'

There are still times when he has to work 'from sun-up to sun-down', but Grebert insists that this is not a healthy approach in the long term: 'You cannot do this for four or five years running and still keep your peace of mind.'

Of course, as a Frenchman, one of Grebert's great pleasures in life is food, from sushi to hamburgers ('But you cannot eat hamburgers every day!' he insisted). He enjoys cooking for himself and his friends, and going out to good restaurants: 'There are good restaurants here,' he avowed. 'You just have to find them, and be ready to pay the money.'

He does miss France, however; the good food and the cheese (this latter he finds difficult to obtain in the USA) - one day, he says, he will return, but not before his work at McAfee is finished. In the meantime, between skiing at Lake Tahoe, and having a house which, in his words, often resembles an international hotel with friends from Australia, Japan, and Europe always around, Igor Grebert remains a man who seizes every day.

Igor Grebert is a rarity for a virus researcher, having just as many interests outside work as in!

Professional Growth

Since 1989, Igor Grebert has worked at McAfee Associates, an organisation which has recently acquired many smaller companies. Grebert is quick to stress that acquisition played a much smaller role in the deals than development: 'McAfee is growing out of the anti-virus business towards network management,' he explained. 'Most of our installed base was in companies with networks; people trying to implement anti-virus policies had other problems to address - software distribution, application metering, remote desktop control.

'There are many anti-virus companies around,' he continued. 'It is no longer easy to start a company with no international presence, but new developers can still prove themselves. They have to do this in concert with existing companies, though, as the industry has grown so much. Writing an engine is still fairly easy, and ideas can easily be implemented and tested, but the package is more than the engine.

'You have to support multiple platforms, build interfaces, think network, and client/server. The same thing applies to people who want to write a new OS ... What was possible ten years ago is not today - but new opportunities are available today that did not exist then.'

Always, at the core of Grebert's work, are viruses: 'I wanted to work on detection of the "weird" viruses, and ... I've always been obsessed with the idea of finding something that would allow me not to work any more. If you're a good programmer, you don't want to waste time, to do things two or three times. One thing you try to do is to automate as much as you can, and to make your scanners as good as possible, so you just push a button to detect the latest virus.

'The technology we had did not allow us to do that - we all have to change some time. What keeps me going at McAfee is the opportunity to change technology, and to redesign the scanner from the ground up. As John worked on making the company grow, he allowed me to take on technical leadership; managing the anti-virus researchers and programmers.'
