VIRUS-L Digest Thursday, 27 Jul 1989 Volume 2 : Issue 162 Today's Topics: Saratoga and Icelandic viruses (PC) National virus research centres Ashar variant of Brain virus (PC) Robert T. Morris, Jr. indicted for Internet Worm --------------------------------------------------------------------------- Date: Thu, 27 Jul 89 09:55:50 -0000 From: David.J.Ferbrache Subject: Saratoga and Icelandic viruses (PC) Message forwarded for BCVRC, I have recently received copies of two viruses, referred to as the "Saratoga" virus and the "Icelandic" virus. They are clearly minor variants of the same program, and the evidence is that the Saratoga virus was observed and collected in California some months previous to the appearance of the Icelandic. For this reason I shall refer to the latter as the Icelandic variant of the Saratoga virus. The actual differences are three: 1. The Icelandic variant has five extra lines of code which check the segment of the Int 13H vector. The virus is only installed if this segment is that of the BIOS (0F000H) or of DOS (0700H). This is obviously an ill-considered addition as, if this vector had not been taken over by DOS, this test would preclude any machine with a hard disk (the target of the virus). 2. The four-byte signature on the Saratoga virus is "PooT". This has been changed to the hex string 18 44 19 5F in the variant. 3. The infection count has been changed from one in two to one in ten in the variant. The procedure of making the host program an exact number of paragraphs (divisible by sixteen) before infection is not unique to this virus, it is a normal and necessary characteristic of any virus which infects EXE files. The infective length of the virus is 642 bytes, or 656 for the variant, but this length will appear to vary because of the above-mentioned rounding up of the length of the host program. Although I can find no errors in the code to explain it, I have not been able to induce either version to mark a cluster as bad on a 32 meg hard disk. Joe Hirst British Computer Virus Research Centre 12 Guildford Street Brighton East Sussex BN1 3LS England Telephone: Domestic 0273-26105 International +44-273-26105 ------------------------------ Date: Thu, 27 Jul 89 09:56:25 -0000 From: David.J.Ferbrache Subject: National virus research centres Message forwarded for BCVRC, Virus Research Centres. There is a need for research centres in the computer virus field, organised on a national or sub-national basis and with international links with other such centres. These centres will: Collect and catalogue viruses. Disassemble and otherwise analyze viruses. Disseminate information and, where appropriate, viruses and disassemblies to other researchers nationally. Disseminate information, viruses and disassemblies to researchers at other centres internationally. Disseminate information from other centres where appropriate. Produce various support programs. It is recognised that many of the researchers associated with these centres will be writing anti-virus software commercially, but this should not preclude the free exchange of such information. Each centre must make its own decisions about funding and charges nationally, but it is not expected that centres will charge other centres. A complex international structure is unnecessary, all that is needed is that each centre: Recognise other centres. Respond positively to requests for information and samples from other centres. Take the initiative in distributing samples to other centres when new viruses or variations appear. Any individual or group who is interested in participating, either nationally or internationally, and who feels qualified to do so, is invited to contact the author. The British Computer Virus Research Centre. It was hoped that CoTRA (the Computer Threat Research Association) would fulfil the role as outlined above for Britain. This now seems unlikely and undesirable for a number of reasons which would be out of place in this document. Accordingly the British Computer Virus Research Centre has been founded. We intend to specialise in high quality virus disassemblies, and in virus simulation programs. The simulation programs make it possible to demonstrate the non-infective features of viruses without either infecting a machine or giving a virus to a possibly inexperienced user. Our aim will be to produce disassemblies which cannot be improved upon. In practical terms this is probably impossible, and we will never accept that any particular disassembly cannot be improved. We will always be interested to see disassemblies done by other researchers, but it is our practice to do our own disassembly first. >From time to time we will issue descriptive lists of viruses in our possession, and we welcome samples of viruses which are not on this lists, or differ in any way. Such samples should ideally consist of an infected file (for Parasitic viruses) or disk (for Boot viruses). Joe Hirst British Computer Virus Research Centre 12 Guildford Street Brighton East Sussex BN1 3LS England Telephone: Domestic 0273-26105 International +44-273-26105 ------------------------------ Date: Thu, 27 Jul 89 09:55:01 -0000 From: David.J.Ferbrache Subject: Ashar variant of Brain virus (PC) Message forwarded for the BCVRC, I have now had an opportunity to examine the version of Brain which Alan Solomon refers to as 'Ashar'. The differences are not sufficient to warrant a new name, and the further confusion (in an already confused field) that this would create. This IS Brain, but a version which creates a different label on a disk. Description of differences. The assumption is made in this description that the version which produces a label of ' (c) ashar ' is the changed version. This assumption has been made purely to aid description, although I hope to show that this is the more valid conclusion. The actual differences within the code are: 1. In three different places the code to initialise the disk sub-system is done before attempting to read or write instead of after an error has occurred. 2. The code to divert a read of the boot sector to the stored copy is no longer present. 3. The very complex routine to create the volume label is no longer present, and a much simpler routine is in its place which creates the label ' (c) ashar '. 4. The search of directory entry starts with the first entry and includes all of them, instead of starting with the third and not including the last two. 5. The search for free clusters starts with cluster 2 (the first) instead of with cluster 55. There are other differences, but these are trivial (e.g. a switch no longer exists). Other differences are in embedded but unreferenced text strings: 1. The primary text string on the boot sector is different in two places, although we already have other variations for one of these. This text string in the closest previous version read: DB 'Welcome to the Dungeon (c) 1986 D.C.L', 17H, '&' DB ' Amjads (pvt) Ltd VIRUS_SHOE RECORD v9.0 ' DB 'Dedicated to the dynamic memories of millions of' DB ' virus who are no longer with us today - Thanks ' DB 'GOODNESS!! BEWARE OF THE er..VIRUS : \thi' DB 's program is catching program follows after' DB ' these messeges..... $#@%$@!! ' The first two lines of this now read: DB 'Welcome to the Dungeon (c) 1986 ashar &' DB ' ashars (pvt) Ltd VIRUS_SHOE RECORD ' 2. In two different locations the string: DB '(c) 1986 Brain & Amjads (pvt) Ltd ' has been changed to: DB '(c) 1986 ashar & ashars (pvt) Ltd ' The locations are offset 202H and 355H, although the second offset becomes 305H in the modified version. 3. The string ' (c) Brain $' at offset 4A6H has been removed. Finally there are minor differences in unreferenced area which appear to be random rubbish (e.g. the area at the end of the first sector). Interpretation. It is fruitless to speculate about whether the 'VIRUS_SHOE' version or the 'telephone number' version is the earlier or original one. Even a confession by the author of the virus would now be suspect. Certainly the popular story of the origin of this virus has all the hallmarks of a modern fantasy, and can be discounted as irrelevant. I shall consider only whether this version is a rewrite of the 'VIRUS_SHOE' version, or vice versa as suggested by Alan Solomon. None of the evidence is conclusive, but such indications as there are clearly suggest that what we have is a new modification. The changes to the unreferenced strings do not include a change to the lengths, although one of these is now in a different location. This suggests that these changes were made separately to the virus via a disk editor, before the virus was disassembled to make the other changes. Initialising the disk sub-system before attempting to read or write is the more orthodox practice. A conventional programmer might well wish to conform to 'standard', but it is difficult to believe that a programmer would bother to change this to the alternative method. If a pseudo company name is to be created, implying two brothers (or other close family tie), the probable result would be 'ashar & ashar'. The most feasible explanation for the final 's' is that it was already there, and therefore easier to leave as 'ashar & ashars'. This is consistent with this change having been done before disassembly. Similarly, the spacing in the 'VIRUS_SHOE' version around the sub-string 'v9.0' is too consistent for it to be a later addition - particularly as there is no apparent reason for the corresponding gap in the 'ashar' version. The rest of the changes are tied together. The Brain virus is filled with misdirection concerning the volume label. The embedded string at offset 4A6H appears to be the label as used. Changing it will not affect the virus. The next thing a close examination might reveal is the encrypted ' (c) ashar ' immediately before the other string. This is obviously not the label either. I have seen a number of otherwise competent programmers foxed by the actual label routine. The label is embedded in code which is executed, but does very little, before it is used as data. It is my belief that having been disappointed twice, and having failed to discover the label, the programmer ripped out everything he (or she) did not understand. This included the redirection of the read to the boot sector, and the way that room has been left for the DOS system files in both the FAT and the directory. Joe Hirst British Computer Virus Research Centre 12 Guildford Street Brighton East Sussex BN1 3LS England Telephone: Domestic 0273-26105 International +44-273-26105 ------------------------------ Date: Thu, 27 Jul 89 09:04:28 -0400 From: Kenneth R. van Wyk Subject: Robert T. Morris, Jr. indicted for Internet Worm Forwarded from various lists: By James Rowley Associated Press Writer WASHINGTON (AP) A Cornell University graduate student blamed for a rogue computer program that infected as many as 6,000 computers with an electronic virus was indicted today on a felony computer-crime charge. Robert Tappan Morris was indicted by a federal grand jury in Syracuse, N.Y., on one count of accessing without authorization at least six computers in which the federal government has an interest. Morris, who has been criticized by a Cornell University commission that investigated last November's computer virus incident, is the first person to be charged under the Computer Fraud and Abuse Act of 1986, the Justice Department said in a statement released here. Morris, who is on leave from Cornell, could face a possible five-year sentence and a $250,000 fine if convicted of the charge. He could also be required to pay restitution to universities and military bases where computers were paralyzed by the virus. Morris has told friends he created the virus but didn't intend for it to invade computers around the country. The virus infected as many as 6,000 university and military computers on the nationwide ARPANET network, which is used by universities and military contractors to transmit non-classified data. The network was virtually shut down for several days, although no information stored in computers was lost. The indictment charged that Morris ``intentionally and without authorization'' accessed computers located at the University of California at Berkeley; the National Aeronautics and Space Administration in Moffett Field, Calif.; Purdue University in West Lafayette, Ind.; the U.S. Air Force Logistics Command at Wright Patterson Air Force Base in Dayton, Ohio, and others not specified. By accessing these computers, Morris ``prevented the authorized use of one or more of these federal interest computers and thereby caused a loss to one or more others'' of more than $1,000, the indictment charged. The indictment did not specify how much damage was caused by the computer virus. ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253