VIRUS-L Digest   Tuesday, 27 Mar 1990    Volume 3 : Issue 64

Today's Topics:

Re: Virus replication rates
New files to MIBSRV (PC)
APRIL, a funny month for viruses
Call for description on Viruses
Northern computers - Disk killer (PC)
Virus Bulletin is moving
A (long) story of an old virus (Apple ][)

[Ed. It was brought to my attention that Issue 64 never was sent out. I checked my records here, and the issue was edited, saved, and (I believe) sent, but it never got distributed. I don't know what caused the problem, but I'm re-sending the issue. I apologize for any inconvenience. This would explain why my email box has been so empty... :-)]

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date: Mon, 26 Mar 90 16:23:52 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Virus replication rates

WHMurray@DOCKMASTER.NCSC.MIL writes

>I am previewing a paper by Peter Tippett, M.D., Ph.D., which deals
>with this issue. Dr. Tippett believes that the doubling time for
>Jerusalem and Brain is about 2 months.

I am not sure I agree with this. The Jerusalem virus is 27 months old and Brain is something like 50 months old. So, starting with one copy of the virus, we should now have 11.585 copies of Jerusalem, and 33.554.432 copies of Brain.
The first number is certainly far too low, but it is more difficult to determine if the second number is incorrect. My personal estimate is as follows:

    Total number of PCs          30.000.000
    Infected with Jerusalem      100.000-500.000 machines
    Infected with Brain          100.000-500.000 machines

If one wants to count multiple infections on the same machine as multiple viruses, the estimate becomes:

    Infected with Jerusalem      2.000.000-10.000.000    not 11.585
    Infected with Brain          1.000.000-5.000.000     not 33.554.432

I estimate 20 infected programs on every Jerusalem-infected machine, and 10 infected diskettes for every Brain-infected computer. Of course, this estimate is probably wildly incorrect, but my point is that Jerusalem is at least as common as (probably more common than) Brain, even though it is much younger. So - Dr. Tippett's formula simplifies the situation too much.

I am willing to admit that the number of viruses may increase exponentially at first, but I think it would slow down later. My experience has shown that once a virus manages to infect a single computer in an organization, it will usually spread throughout it in a month or two, no matter how large the organization is. (Well, organizations here in Iceland are not that large - The Bank of Iceland is one of the largest and they only have something like 700 PCs).

I think that the number of infected machines *within* a single organization may grow something like this:

    machines infected
    100 % |
          |              *******
          |           ***      *
          |          *         *
          |         *          *
     50 % |        *           *
          |       *            *
          |      *             *
          |     *              *         **
          |   **               *        *  *
      0 % |****________________********_*____*_______ time

The number will rise slowly at first, but assuming favorable conditions (no preventive software, disk/program traffic between different computers, etc.), it will infect maybe 80% of the machines in less than a month. The virus may remain unnoticed for a while, but once it is detected it is eradicated in a single day.
Usually the virus is not wiped out 100%, which may cause it to reappear a month or two later - and then, finally, some preventive software is installed.

Here in Iceland I would estimate that maybe 5% of PCs have been infected with a virus. However - if a single organization is examined, the story is different - either one finds no viruses or that 80% of the machines are infected.

PS: The number of *new* virus variants seems not to increase as fast as it used to - doubling every 10 months. In the past six weeks we have only seen a few new virus strains - I wonder why?

- --
Fridrik Skulason      University of Iceland      |
Technical Editor of the Virus Bulletin (UK)      |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801      |

------------------------------

Date: Mon, 26 Mar 90 09:15:43 -0600
From: James Ford
Subject: New files to MIBSRV (PC)

The following files have been uploaded to the pub/ibm-antivirus directory on MIBSRV.MIB.ENG.UA.EDU (130.160.20.80) for anonymous FTP.

    SCANV60.ZIP  - McAfee's SCAN 3.1V60 (update)
    SCANRS60.ZIP - McAfee's (tsr) SCAN 1.4V60 (update)
    NETSCN60.ZIP - McAfee's NETSCAN V60 (update)
    CLEANP60.ZIP - McAfee's CLEAN UP V60 (update)
    PKZ110.EXE   - Phil Katz's latest version of PKZIP (update). This is a
                   self-extracting ZIP file. Speed increase of 5% - 15% on
                   DBF-type files, overall speed increase, etc.

McAfee's programs were downloaded from Homebase BBS on 3/25/90 at 11:45pm.

- ----------
Whenever you learn all the answers, they change all the questions.
- ----------
James Ford - JFORD1@UA1VM.BITNET, JFORD@MIBSRV.MIB.ENG.UA.EDU
THE University of Alabama (in Tuscaloosa)

------------------------------

Date: Mon, 26 Mar 90 13:15:00 -0500
From: Marc TARDIF
Subject: APRIL, a funny month for viruses

Hi networkers,

April is coming, with its April Fools' Day and a Friday the thirteenth. I think no-one has to panic, but I think that you'd better check your anti-virus protection and bring it up to date.
It is better to prevent than to cure.

=========================================================================
| MARC TARDIF                            | Bitnet: S004@HECMTL01       |
| Ecole des HAUTES ETUDES COMMERCIALES   |=============================|
| MONTREAL, QUEBEC                       | Beware of viruses:          |
| CANADA H3T 1V6                         | computing is something      |
| Phone: (514) 340-6066                  | you protect!                |
=========================================================================

------------------------------

Date: Mon, 26 Mar 90 10:56:00 -0500
From:
Subject: Call for description on Viruses

Hi everyone,

I've got a small problem that stems from combatting the Stoned virus. It would help in combatting the virus if I knew exactly what it did. Does anyone out there know what this does specifically? Any other descriptions of other viruses would be helpful. Our PC labs have been infected with just about everything and I don't want my computer to get any of them.

Thanks,
Carl Merrill
merrcar@iitvax

------------------------------

Date: Tue, 27 Mar 90 11:47:42 +0000
From: Fridrik Skulason
Subject: Northern computers - Disk killer (PC)

Several CS students here at the university recently ordered 33MHz '386 machines from a company in Taiwan named 'Northern Computers'. When the machines arrived, the students found that most of the machines were infected with the Disk Killer (Ogre) virus.

The company in Taiwan has now been made aware of the problem. They were rather surprised, as they claimed to have run anti-viral software to check their machines. It turned out, however, that this 'anti-viral software' only detected the Jerusalem virus.

Anybody who has bought computers from Northern is strongly advised to check for this virus, before it activates and starts encrypting the hard disk.
- --
Fridrik Skulason      University of Iceland      |
Technical Editor of the Virus Bulletin (UK)      |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801      |

------------------------------

Date: Tue, 27 Mar 90 14:24:23 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Virus Bulletin is moving

To anyone interested in writing for (or subscribing to) the Virus Bulletin:

From April 2. the address of the Virus Bulletin will be:

    Virus Bulletin Ltd
    21 The Quadrant
    Abingdon Science Park
    Abingdon OX14 3YS
    England

Some articles from the April issue:

    1260 Revisited - effect on anti-virus tools by viruses like 1260, by Dr. Peter Lammer
    Virus dissection - Tenbyte.
    Update to list of known or reported viruses - Datacrime IIB, Taiwan, 5120, 1702, June 16th, Saturday 14th and Virdem.
    Tutorial - How does an IBM PC virus infect a computer.
    Countermeasures - How do PC anti-virus tools work.
    Virus Dissection - Typo
    The DecNet worm
    Review: ViruSafe

- -frisk

- --
Fridrik Skulason      University of Iceland      |
Technical Editor of the Virus Bulletin (UK)      |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: ?-354-1-28801    |

------------------------------

Date: Sat, 24 Mar 90 03:25:22 -0800
From: joe@hanauma.stanford.edu (Joe Dellinger)
Subject: A (long) story of an old virus (Apple ][)

Sorry this article is rather long, but if you still have any old DOS 3.3 Apple ][ disks lying around please read it! (Feel free to read it for general entertainment value too, of course, even if you don't possess any such historical disks.)

I have been asked by Gene Spafford to write an article detailing the life story of a Virus I wrote for DOS 3.3 on the Apple ][ in December, 1981 for one of his journals. Spafford wants me to write the story up because it's the earliest _documentable_ personal computer virus he's heard of. I'm trying to get more information that I plan to use to make that article more complete.

1) Why did I write a virus? Am I an evil scum?
At the time (remember, this was 1981) I was an undergraduate at Texas A+M. There was an active community of Apple ][ users in my dorm (Shuhmacher), with an _incredible_ amount of copying of pirated game programs going on. I noted that most games were damaged in various sorts of ways, but they were almost always still playable despite the damage. (For example, there was one popular Star Trek game in BASIC that had occasional garbage control characters in non-critical REM and PRINT statements; space war games often had random junk replacing some pictures of ships, etc.)

I decided that I could explain this by invoking a sort of "evolution". For evolution to occur, you need mutation and natural selection. Well, there was "mutation" caused by people hacking with the games; more importantly, many copies of games were also accidentally mangled by sick disks and computers. (People would keep using game disks until they literally disintegrated. My early model Apple ][ was notoriously unreliable, and would crash about every 30 minutes in all sorts of interesting ways. A few well-placed bangs would usually get it working again.) "Natural Selection" entered the picture with the actions of users to either "reproduce" or "kill" copies of games. (For example, if your copy of a game was not playable, you would go get a fresh copy of it from your neighbor, reproducing his copy and killing yours. As there was only a finite amount of disk space for games, there was also competition between species of programs, too.)

This idea of programs inhabiting a sort of computer biosphere led naturally to the idea of a "Computer Virus" as a likely accidental outcome of such evolution. My experiments started when I tried to find out what the minimum change to DOS was to make it viral. (I was thinking of something like a prion, a sort of proto-virus that can be created by repeated damage to plants.
A prion can't jump from plant to plant by itself, but it will happily hitch a ride on your machete if you let it. Supposedly prions are actually becoming a serious agricultural problem with palm trees in some parts of the world.) As I remember the answer for DOS 3.3 was about 16 bytes, which was within the bounds of what could happen naturally if Apple computers with people randomly copying games between them were to exist for a few million years!

The next logical step was trying to guess what an evolutionarily OPTIMAL program might look like. Certainly the program would be more successful if it didn't rely on the good will of humans to reproduce, but likewise it is a bad idea to damage your host (or give humans a reason to expend effort trying to kill you). So the ideal virus would spread by itself, but not cause harm or even any "symptoms" of any kind, if it could help it.

I discussed these ideas with friends, many of whom also had Apple ]['s. None of them had ever heard of such a thing as a "computer virus" at the time. (Many Apple ][ users I knew scoffed at the idea that such a thing could possibly exist.) Well, by this time creating a virus sounded like a really interesting project, and it was a good excuse to learn 6502 machine language, so a group of us started working on my "evolutionarily optimal program" off and on in our (infrequent) spare time.

Our first attempt, "Virus version 1", was finished in early 1982. Virus 1 was infectious, but still caused some symptoms on my computer despite our best efforts, so we kept it strictly quarantined and kept hacking. A couple months later Virus 2 was finished. It seemed to cause no ill effects at all, so I proceeded with the next step in my experiments and turned it loose in my own disks. The goal of this experiment was to see how quickly such a program would spread through my own disks if I continued using my computer normally. (So I had another good reason to want to make sure the virus was completely innocuous.
In fact, in the end almost all of Virus 2's code was to check for various sorts of dangerous situations: non-standard DOS, non-standard disks, programs altering DOS, etc. In these cases the virus would either not attempt infection or immediately disconnect itself from DOS, committing suicide.)

Interest in my "research" was high among the Apple community at A+M, so I also gave copies of Virus 2 to several friends who wanted to play with it. The idea of computer viruses spread rapidly; several other people started working on their own "less boring" (read damaging) ones. Fortunately (as far as I ever knew) they spent all of their time trying to dream up interesting pranks for the virus to pull, instead of determinedly trying to produce a working "evil" virus.

2) Did my virus ever escape?

At first we carefully kept Virus 2 quarantined, but after a few months with no damaging symptoms we got a little lax, and the inevitable happened. I first found out Virus 2 had escaped when one of my A+M friends who had graduated and moved on to grad school at UIUC reported that everybody's copy of a (pirated) game called "Congo" had mysteriously stopped working there. Whenever people tried to get a fresh working copy, they would find that previously working copies would then also stop working. My friend realized what had happened and wrote me about it. We quickly wrote an "immunizer" program and distributed it at UIUC; the standard Apple utility "master create" sufficed as a disinfectant. We were never quite sure whether _all_ escaped copies of Virus 2 at UIUC were killed off, though.

I was disappointed that Virus 2 was a failure, and started work on Virus 3. It turned out that Virus 2 caused problems because it made DOS 1 sector (256 bytes! a significant chunk of memory!) larger, to accommodate the extra code. A very few programs would blow up in strange ways because of this. (The solution was simply to boot from a noninfected disk, and THEN run the programs.)
So the goal for Virus 3 was that it should take up no room in memory, and no room on disk. After some thought, we came up with a solution: Most of Virus 3's guts resided in unprotected memory where they could be freely written over. A small routine buried safely inside holes in DOS's Read-Write Translate Table triple-checked the unprotected code before jumping to it. (This code was a real nightmare; some bytes in the table served double duty as critical data values for DOS and executable op codes for the virus.) Virus 3 was a success; we never encountered any program whose behaviour was affected by the virus's presence.

3) What finally happened?

Well, I don't really know. Since Virus 3 was effectively completely invisible, after a while we lost interest and pretty much forgot about the whole thing. We again intended to keep the virus quarantined, but a spot check in the fall of 1983 shortly after I graduated and moved to Stanford turned it up in several of my friends' collections on disks they thought were uninfected. By that point they didn't think it was worth the bother of removing it, though, so it spread unchecked. Interest in viruses at A+M had died down by this time, too.

I only heard about my virus once more: around 1984 my friend at UIUC reported that an "evil" virus was attacking Apples there, and causing a lot of damage by randomly initializing disks. Some disks had a form of immunity to the evil virus, however: when infected by the evil virus, they would crash at boot time (which was better than appearing to boot normally and then causing damage later). It turned out the "immune" disks were ones that had previously been infected by Virus 3!

>>>>>>>> Here's where I need your help: <<<<<<<<<<

4) Does it still exist?

That's what I'd like to find out. The Virus wasn't particularly infectious; it only spread on "CATALOG" commands. It attached itself only to DOS, not programs, and was very careful only to attach itself to absolutely vanilla 48K slave DOS 3.3.
Still, there are some old DOS 3.3 disks out there yet, aren't there?

If you would like to look for it, here's where in memory to look: beginning at B6E8 regular DOS 3.3 has a bunch of 00's. Boot the disk you want to check to load that disk's copy of DOS into memory. Infected disks or non-infectious descendants of infected disks will have text of the form "(GEN 0000000 TAMU)" (in Hex this is "A8 C7 C5 CE A0 B0 B0 B0 B0 B0 B0 B0 A0 D4 C1 CD D5 A9") at B6E8. You can also see this text go by near the end of track 0, sector 0 if you use some utility to dump your disk as text. The number is a generation count, and so will be different in your copy. (13 generations saturated my own and my friend's collections, if you're interested.)

If you should find the generation count, you might try also looking at 9CFE and 9CFF. If the virus is alive, this should contain the initials of the friend of mine who let your copy of the virus escape. (If it's JD, then I'm the guilty party.)

Hopefully Virus 2 was wiped out, but perhaps it wasn't. If you want to check the version, the simplest way is to do a "CATALOG" of the disk you're checking, and then look at B3BF. Vanilla DOS 3.3 has a "00" at this location. Virus 2 instead has 02, and Virus 3 similarly has 03. (This "immunity" byte can spread when a new disk is initialized, thus providing a way for immunity to be created and passed on. For example, if a master disk is attacked it will be left marked immune but will be free of infection. Slave disks initialized off the master disk would then also be immune, even though they would otherwise be susceptible.)

(If you don't find zeros at B6E8, 9CFE, and B3BF, but also don't find the bytes I've mentioned, then I don't know any more about it than you do, and there's not much point in getting excited and flaming me via e-mail.)

If you DO find my virus on one of your old Apple ][ disks, please let me know! It will make the paper much more interesting! I'll acknowledge you at the end!
(And please accept my apologies!)

5) Did the idea of Viruses I started spread or die out?

Certainly everybody knows about viruses today. Did you hear rumors of some strange person at A+M working on one around 1982-1983? (And no, I was NOT the person who was expelled from A+M about that time for breaking into the mainframe and stealing Chemistry exams. I never kept my activities secret, nor did anything I thought I had to keep secret. For example, my virus is mentioned in a "Computer Recreations" column in 1986, but the author of that article mangled the information I sent him rather badly.)

Do you know anything about the people who were breaking and distributing the copy-protected software turning up at A+M? The rumors at the time at A+M were that the software was coming "from Chicago". Many programs were "signed" by the breakers with such pseudonyms as "The Jerk", "The Beaver", and "Apple Pirated Program Library Exchange".

Do you know anything about what happened at A+M after spring, 1983, after I graduated? I was told by one A+M graduate I met in 1989 that Virus 3 made it into the A+M Computer User's Group's disks after I left, but I don't really know that.

6) Do I condone virus writing?

NO! As you hopefully read above, I sort of fell into virus writing from a weird perspective. I later realized how lucky I was not to have caused serious inconvenience to lots of people and possibly gotten into serious trouble (although in 1982 writing viruses wasn't yet illegal, as far as I know). After seeing how much annoyance our research group at Stanford has had with Macintosh viruses, I certainly wouldn't want to recommend virus writing as a worthwhile hobby. If my virus caused one of you trouble at some point in the past, I sincerely apologize.

I'd like to also point out that I'm not a particularly good Apple ][ programmer either. You can tell that by the fact that it took me several months to create a working virus!
(And writing a Virus is pretty easy using the information in "Beneath Apple DOS", to boot.) The worst part was that whenever I made a mistake DOS would stop working, and I'd have to re-poke the bytes in by hand, which I kept written down on pieces of junk mail! Using an assembler was out of the question, as the whole thing was only about 300 bytes and scattered in tiny bits and pieces in several places in DOS. It had lots of JMPs all over the place, self-modifying code and other such nightmares, all to make it as small as possible. (The larger it was and the more exposed in memory, the more work it was to replicate itself and the more chance there was of something unexpected going wrong.)

Thanks for your cooperation! Sorry this posting was so long, but hopefully you found it entertaining...

\ /\ /\ /\/\/\/\/\/\/\.-.-.-.-.......___________
 \ / \ / \ /Dept of Geophysics, Stanford University \/\/\.-.-....___
  \/ \/ \/Joe Dellinger joe@hanauma.stanford.edu apple!hanauma!joe\/\.-.
************* Drive Friendly, Y'all! *****************************************

------------------------------

End of VIRUS-L Digest
*********************
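The three checks Joe Dellinger asks readers to perform in the post above (the "(GEN nnnnnnn TAMU)" text at B6E8, the initials at 9CFE-9CFF, and the version byte at B3BF), written up as an added example that is not code from the digest or from Dellinger. It works on a 64 KiB memory dump saved after booting the suspect disk and typing CATALOG, and, for the disk-dump route he mentions, on a DOS-order .dsk image; the assumptions that track 0 sector 0 is the first 256 bytes of such an image and that DOS 3.3 loads that sector at $B600 (putting the text at offset $E8) are mine, and the sample dump is constructed.

```python
"""Checks from Joe Dellinger's post, for a DOS 3.3 memory dump or .dsk image."""
import re
from typing import Optional

MEM_SIZE = 0x10000
SECTOR_SIZE = 256
BOOT0_LOAD = 0xB600     # assumption: DOS 3.3 loads track 0, sector 0 at $B600
MARKER_ADDR = 0xB6E8    # "(GEN nnnnnnn TAMU)" text, per the post
INITIALS_ADDR = 0x9CFE  # two bytes of initials, per the post
VERSION_ADDR = 0xB3BF   # 00 = vanilla DOS 3.3, 02 = Virus 2, 03 = Virus 3, per the post
MARKER_LEN = 18         # len("(GEN 0000000 TAMU)")
MARKER_RE = re.compile(r"^\(GEN (\d{7}) TAMU\)$")

def high_ascii(text: str) -> bytes:
    """Apple ][ text has the high bit set: "(" is stored as $A8, "G" as $C7."""
    return bytes(ord(c) | 0x80 for c in text)

def low_ascii(data: bytes) -> str:
    """Strip the high bit so the marker can be matched as ordinary text."""
    return "".join(chr(b & 0x7F) for b in data)

def parse_marker(raw: bytes) -> Optional[int]:
    """Return the generation count if raw starts with the marker, else None."""
    m = MARKER_RE.match(low_ascii(raw[:MARKER_LEN]))
    return int(m.group(1)) if m else None

def inspect_memory(mem: bytes) -> dict:
    """Apply the three checks from the post to a 64 KiB memory dump taken
    after booting the suspect disk and running CATALOG."""
    if len(mem) != MEM_SIZE:
        raise ValueError("expected a 64 KiB memory image")
    initials = low_ascii(mem[INITIALS_ADDR:INITIALS_ADDR + 2])
    return {
        "generation": parse_marker(mem[MARKER_ADDR:]),  # None: vanilla zeros at $B6E8
        "version": mem[VERSION_ADDR],                    # 0, 2 or 3
        "initials": initials if initials.isalpha() else None,
    }

def inspect_disk_image(image: bytes) -> Optional[int]:
    """Look for the marker in track 0, sector 0 of a DOS-order .dsk image.
    Assumption: that sector is the first 256 bytes of the image, and the
    marker sits at offset $E8 (= $B6E8 - $B600), near the end of the sector."""
    if len(image) < SECTOR_SIZE:
        raise ValueError("image shorter than one sector")
    off = MARKER_ADDR - BOOT0_LOAD
    return parse_marker(image[off:off + MARKER_LEN])

def constructed_memory(gen: Optional[int] = None, version: int = 0,
                       initials: str = "") -> bytes:
    """Constructed sample dump (not from a real machine): all zeros except
    the bytes the post talks about."""
    mem = bytearray(MEM_SIZE)
    if gen is not None:
        marker = high_ascii(f"(GEN {gen:07d} TAMU)")
        mem[MARKER_ADDR:MARKER_ADDR + MARKER_LEN] = marker
    mem[VERSION_ADDR] = version
    mem[INITIALS_ADDR:INITIALS_ADDR + len(initials)] = high_ascii(initials)
    return bytes(mem)

if __name__ == "__main__":
    print(inspect_memory(constructed_memory()))             # vanilla DOS 3.3
    print(inspect_memory(constructed_memory(13, 3, "JD")))  # Virus 3, generation 13
```

A disk that carries the marker but a 00 version byte matches the post's "non-infectious descendant" case, so report both values rather than treating the marker alone as a live infection.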