ccx020@cck.coventry.ac.uk (James Nash) (03/06/91)
I have a copy of a virus that seems to confuse the various virus checkers I'm evaluating (and trying to convince my superiors to buy lots of!!!).

  Fridrik's F-PROT calls it Plastique
  McAfee's SCAN calls it Taiwan 3 (as does AVSEARCH)
  Solomon's FINDVIRUS calls it Anticad 2

Now, I know that all these virii are related in some way or another but I am confused as to whether they are all the same or not. VIRUSSUM does not help much as it calls Taiwan 3 and Plastique separate virii.

From the description I have been given of what this virus does (I'm too chicken to experiment myself :-), it infects COM/EXE and boot sectors and at some point plays a tune. It also trashes some data files. Beyond that I know nothing.

Anyone kind enough to lift the fog of confusion from my eyes?

- --
James Nash, Computing Services, Coventry Polytechnic, England
ccx020@uk.ac.cov.cck
frisk@rhi.hi.is (Fridrik Skulason) (03/13/91)
ccx020@cck.coventry.ac.uk (James Nash) writes:
>Fridrik's F-PROT calls it Plastique
>McAfee's SCAN calls it Taiwan 3 (as does AVSEARCH)
>Solomon's FINDVIRUS calls it Anticad 2

Don't forget the anti-virus programs which call it 'Invader' ..... :-)

Anyhow - it is like this. This is a group of several viruses from Taiwan, created by disassembling the Jerusalem virus, modifying it and releasing it again. There are at least 6 viruses in the family:

  one 2576 bytes long
  one 2900 bytes long - the one you have.
  one 3012 bytes long
  three 4096 bytes long

In addition, the (non-working) HM2 virus may be related, and a variant around 3000 bytes long has also been reported.

Some of the variants contain the text "Plastique", either in plain text or encrypted - they also produce "explosion" sounds occasionally.

All the viruses are targeted against the AutoCAD program - when a program named ACAD.EXE is run, or sometimes when Ctrl-Alt-Del is pressed, the viruses will activate, overwriting data on floppy disks and hard disks, as well as garbling the contents of the CMOS. This behaviour produced the 'AntiCAD' name.

The three 4096 byte variants also contain code for infecting the boot sector.

The "Taiwan" name should IMHO not be used, as there is already a family of 4 viruses which have been called Taiwan-1, Taiwan-2, Taiwan-3 and Taiwan-4, but they are not related to the family discussed above.

- -frisk

Fridrik Skulason      University of Iceland      |
Technical Editor of the Virus Bulletin (UK)      | Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801      |
PHYS169@csc.canterbury.ac.nz (Mark Aitchison, U of Canty; Physics) (03/13/91)
ccx020@cck.coventry.ac.uk (James Nash) writes:
> Fridrik's F-PROT calls it Plastique
> McAfee's SCAN calls it Taiwan 3 (as does AVSEARCH)
> Solomon's FINDVIRUS calls it Anticad 2
>
> Now, I know that all these virii are related in some way or another
> but I am confused as to whether they are all the same or not. VIRUSSUM
> does not help much as it calls Taiwan 3 and Plastique separate virii.

This, plus other recent comments about difficulties in naming variants of viruses, suggests a better approach to naming viruses is needed.

I posted a note recently about naming/identifying boot sector viruses - anyone who missed that can get a copy of BOOTID.ZOO and/or CHECKOUT.ZOO by anonymous ftp to 132.181.30.3 - these are still experimental, but worth looking at.

[Ed. The hostname of 132.181.30.3 is cantva.canterbury.ac.nz]

What I am suggesting now is a naming system for all types of virus (such as trojans), which depends on the contents of the virus, not where it was discovered or a piece of text one version displays. This isn't as easy as naming boot sector viruses, but should be possible. (Read: I haven't made a nice demo program this time; let's discuss it before anyone goes to the effort of programming something). If you've already looked at BOOTID.PAS, you may have noticed a range of hashcodes left unassigned (in byte 2), so I do intend to extend the hashcode into other areas.

My guess is that a naming scheme would...

1. Use only letters and digits,

2. Not try to be pronounceable, but be short (up to 12 characters) and maybe have a "popular name" tacked on the end for convenience. The reason is that good, descriptive "real" words become easily exhausted, and may be just as difficult to pronounce in some countries as computer-generated names!

3. Certain bytes would flag what the virus attacks (.EXE, .COM, .SYS, .BAT files, and so on), whether it overwrites or appends to the original file, what interrupts it uses, and other distinguishing features of its effects.

4. The rest of the code would be a sophisticated checksum of the virus code, hopefully weighting important code in some way to give similar viruses similar codes.

The aims, as with BOOTID, are to positively identify viruses, avoiding confusion as mentioned above. The method, I suspect, would be to isolate the virus from what it has infected (e.g. compare an infected .EXE file with the uninfected original, or (better still) use some automated disassembly software which works out what instructions are executed before the original program is executed).

As I said, it probably won't be easy. But what do you think? Is it worthwhile? Essential?

Mark Aitchison, Physics, University of Canterbury, New Zealand.
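The content-based naming scheme proposed in the post above, worked through as an added illustration (this is not BOOTID, nor code from anyone in the thread): isolate the virus body by comparing an infected program with its clean original, derive flag bits from what the isolated code references, and build a 12-character letters-and-digits identifier whose leading part depends only on behaviour, so that variants of one family get similar codes. The flag layout, the use of an INT 13h call as a proxy for direct-disk capability, the feature/body split standing in for the "weighted checksum", and the base-36 encoding are all assumptions made for this example; the host and virus samples are constructed byte strings, not real viruses.

```python
"""Content-based virus identifier (illustrative; all layout choices are assumptions)."""
import hashlib

# Assumed flag bits for the first two identifier characters.
FLAG_COM = 0x01
FLAG_EXE = 0x02
FLAG_SYS = 0x04
FLAG_BAT = 0x08
FLAG_DISK = 0x10         # calls INT 13h: raw disk access, the route a boot-sector infector uses
FLAG_OVERWRITES = 0x20   # host code replaced rather than extended

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # letters and digits only


def isolate_virus(clean: bytes, infected: bytes) -> tuple[bytes, bool]:
    """Compare a clean program with its infected copy; return (virus_bytes, overwrites)."""
    if len(infected) > len(clean) and infected.endswith(clean):
        # prepended: the whole host survives at the end
        return infected[: len(infected) - len(clean)], False
    if len(infected) > len(clean) and infected[3 : len(clean)] == clean[3:]:
        # appended: host intact apart from a patched entry jump in its first bytes
        return infected[len(clean):], False
    # otherwise treat as overwriting: keep everything that differs from the host's surviving tail
    tail = 0
    while tail < min(len(clean), len(infected)) and clean[-1 - tail] == infected[-1 - tail]:
        tail += 1
    return infected[: len(infected) - tail], True


def extract_features(code: bytes) -> tuple[int, list[int]]:
    """Flag bits from file-type strings the code carries, plus the INT numbers it invokes (CD xx)."""
    flags = 0
    upper = code.upper()
    for marker, bit in ((b".COM", FLAG_COM), (b".EXE", FLAG_EXE), (b".SYS", FLAG_SYS), (b".BAT", FLAG_BAT)):
        if marker in upper:
            flags |= bit
    ints = sorted({code[i + 1] for i in range(len(code) - 1) if code[i] == 0xCD})
    if 0x13 in ints:
        flags |= FLAG_DISK
    return flags, ints


def base36(data: bytes, length: int) -> str:
    """Deterministic base-36 rendering of a digest, truncated to `length` characters."""
    n = int.from_bytes(data, "big")
    out = []
    while len(out) < length:
        n, r = divmod(n, 36)
        out.append(ALPHABET[r])
    return "".join(out)


def name_virus(clean: bytes, infected: bytes) -> str:
    """12 chars: 2 hex flag chars + 4 chars hashed from behaviour + 6 chars hashed from the body.

    Two variants with the same flags and interrupt set share the first six characters;
    the last six distinguish them byte-for-byte.
    """
    code, overwrites = isolate_virus(clean, infected)
    flags, ints = extract_features(code)
    if overwrites:
        flags |= FLAG_OVERWRITES
    feature_digest = hashlib.sha256(bytes([flags]) + bytes(ints)).digest()
    body_digest = hashlib.sha256(code).digest()
    return f"{flags:02X}" + base36(feature_digest, 4) + base36(body_digest, 6)


# Constructed samples (not real code): a 512-byte "clean" program and three infection styles.
HOST = bytes(range(256)) * 2
VIRUS_A = b"\xcd\x21*.COM\x00*.EXE\x00\xcd\x21\xcd\x13" + b"\x90" * 40   # DOS calls, INT 13h, file masks
VIRUS_B = VIRUS_A + b"\x90" * 100                                        # longer variant, same behaviour
INFECTED_A = b"\xe9\x00\x02" + HOST[3:] + VIRUS_A    # entry jump patched, body appended
INFECTED_B = b"\xe9\x00\x02" + HOST[3:] + VIRUS_B
PREPENDED_A = VIRUS_A + HOST                          # same virus, attached at the front
OVERWRITER = b"\xcd\x21*.COM\x00" + b"\x90" * 60 + HOST[-100:]   # replaces the host, keeps its tail

if __name__ == "__main__":
    for label, sample in (("appended A", INFECTED_A), ("appended B", INFECTED_B),
                          ("prepended A", PREPENDED_A), ("overwriter", OVERWRITER)):
        print(f"{label:12s} {name_virus(HOST, sample)}")
```

The point of the split identifier is the one the post makes: A and B differ in length, yet their first six characters agree because flags and interrupt usage agree, and the same virus attached by prepending rather than appending yields exactly the same name because only the isolated body is hashed. Real disassembly, as suggested, would give a far better "important code" signal than string and CD-xx scanning.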