frisk@rhi.hi.is (Fridrik Skulason) (01/28/91)
A week ago I finished analysing the 70 or so new viruses I had received in Hamburg and started distributing version 1.14 of my program. I was hoping for a few virus-free days, but guess what happened.... In the past week I have received over 20 new viruses, and I know of 4 more "in the mail".

I spent the weekend analyzing the new viruses, and as expected, it turned out that many of them were just variants of older viruses. In some cases the viruses are more-or-less rewritten, possibly by the same author, and possibly by someone with access to the source or a disassembly.

A good example of this is a group of viruses from Taiwan, which are either called Plastique or AntiCAD (although some people use Taiwan-3, Taiwan-4 etc). One of the members of the family is also known as Invader. All the viruses are targeted against AutoCAD. I now have copies of at least 6 members of the family, one 2576 byte, one 2900 byte, one 3012 and three 4096 byte variants. The viruses are based on the Jerusalem virus, although the 4096 byte variants are also able to infect the boot sector.

In many other cases, the difference between two variants is very small - only a few bytes (or even just a single bit) and the total length of the virus has not changed.

How do such viruses get created? Dr. Alan Solomon had some thoughts on this subject, and I agree with him:

1) accidental changes - bit errors in memory or when copying files.
2) deliberate changes, produced to prevent detection by some scanning program.
3) deliberate changes, produced to get a "reward" which some anti-virus companies offered for "new" viruses.

-frisk

--
Fridrik Skulason      University of Iceland      |
Technical Editor of the Virus Bulletin (UK)      |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801      |
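The post distinguishes three kinds of "new" sample: a full rewrite (length changes, as with the 2576/2900/3012/4096 byte AntiCAD members), a patch of a few bytes with the length unchanged, and a single flipped bit. The following is an added example, not part of Fridrik Skulason's post or of his scanner: a small triage helper that compares two suspected variants byte-by-byte and bit-by-bit, labels the result along those lines, and counts hits of an exact byte signature to show why a one-bit change is enough to make an exact-string scanner miss. All sample data is constructed here (byte patterns, not virus code), and the classification thresholds are assumptions chosen for illustration.

```python
# Added example, not part of the original post: a triage helper that compares
# two suspected variants of one virus byte-by-byte and bit-by-bit.
# All sample data below is constructed for illustration; none of it is virus code.
from dataclasses import dataclass, field
from typing import List


@dataclass
class VariantDiff:
    same_length: bool
    differing_bytes: int            # positions (within the common length) that differ
    differing_bits: int             # total flipped bits at those positions
    offsets: List[int] = field(default_factory=list)  # first differing offsets


def compare_samples(a: bytes, b: bytes, max_offsets: int = 16) -> VariantDiff:
    """Compare two samples over their common prefix. A length mismatch is
    reported separately, since it usually indicates a rewrite rather than a
    patched copy of the same code."""
    n = min(len(a), len(b))
    diff_bytes = diff_bits = 0
    offsets: List[int] = []
    for i in range(n):
        if a[i] != b[i]:
            diff_bytes += 1
            diff_bits += bin(a[i] ^ b[i]).count("1")   # popcount of the XOR
            if len(offsets) < max_offsets:
                offsets.append(i)
    return VariantDiff(len(a) == len(b), diff_bytes, diff_bits, offsets)


def classify(d: VariantDiff) -> str:
    """Rough label for the situations the post describes. The thresholds are
    assumptions chosen for illustration, not an established standard."""
    if not d.same_length:
        return "rewrite"              # length changed, e.g. 2576 vs 2900 bytes
    if d.differing_bytes == 0:
        return "identical"
    if d.differing_bits == 1:
        return "single-bit variant"   # consistent with a bit error or a one-bit patch
    if d.differing_bytes <= 8:
        return "minor patch"          # a few bytes changed, length unchanged
    return "substantial modification"


def exact_signature_hits(sample: bytes, signature: bytes) -> int:
    """Count occurrences of a fixed byte signature. A scanner keyed to an
    exact byte string stops matching once any byte inside it changes."""
    hits, start = 0, 0
    while True:
        pos = sample.find(signature, start)
        if pos < 0:
            return hits
        hits += 1
        start = pos + 1


# --- constructed samples (not virus code) -----------------------------------
BASE = bytes(range(256)) * 4              # 1024-byte stand-in for the original

BIT_FLIP = bytearray(BASE)                # one bit flipped at offset 100
BIT_FLIP[100] ^= 0x01
BIT_FLIP = bytes(BIT_FLIP)

PATCHED = bytearray(BASE)                 # five bytes overwritten, length unchanged
PATCHED[10:15] = b"\xff" * 5
PATCHED = bytes(PATCHED)

REWRITE = BASE + b"\x90" * 16             # appended bytes: length differs

SIGNATURE = BASE[90:106]                  # 16-byte exact signature taken from BASE


if __name__ == "__main__":
    for name, sample in (("bit flip", BIT_FLIP), ("patched", PATCHED), ("rewrite", REWRITE)):
        d = compare_samples(BASE, sample)
        print(f"{name:8s}: {classify(d):22s} bytes={d.differing_bytes} "
              f"bits={d.differing_bits} offsets={d.offsets} "
              f"sig_hits={exact_signature_hits(sample, SIGNATURE)}")
```

Run against the constructed samples, the one-bit variant reports one differing byte and one differing bit at offset 100 and loses one of the four signature hits, the patched copy reports five differing bytes at the same length, and the appended copy is flagged as a rewrite before any byte comparison is needed. In practice an analyst would run the comparison on sections of the disassembly rather than the whole file, but the byte-level numbers are what separate "new virus" from "same virus, one bit different".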