ddavidso@mqccsunc.mqcc.mq.OZ.AU (Dean Davidson) (07/02/90)
New Virus "1022"

One of our networks has been infected by a virus. It is not detectable by SCAN V63.

Symptoms:
Only infects .EXE files, adding 1022 bytes to them
Infects files even if they are r/o
Changes the date on the files it infects to the current system date.
It appears that after running the first infected .EXE it starts up a TSR that carries out further infection

Detection:
running STRINGS on an infected file reveals :

This message is dedicated to $
all fellow PC users on Earth $
 Towards A Better Tomorrow $
And A Better Place To Live In $
 03/03/90 KV KL MAL

[There is no CR/LF after the $ character - I added this so that the message is readable]

Also detection might be done by looking at the date/time change on the infected files

To scan all your files (until a version of SCAN is produced which detects this virus):
GREP -d+ dedicated *.EXE
[The GREP I used is the one that comes with Turbo Pascal]
[I chose "dedicated" for the search string as it is the most unique word in the message]

Damage: Unknown at this stage

Removal : Restore the .EXE from backup

Dean Davidson
Microcomputer Support
Office of Computing Services
Macquarie University NSW 2109 Australia
61 2 805 7436
lexw@idca.tds.PHILIPS.nl (Lex Wassenberg) (07/10/90)
ddavidso@mqccsunc.mqcc.mq.OZ.AU (Dean Davidson) writes:
>New Virus "1022"
>
>Symptoms:
>Only infects .EXE files, adding 1022 bytes to them
>Infects files even if they are r/o
>Changes the date on the files it infects to the current system date.
>It appears that after running the first infected .EXE it starts
>up a TSR that carries out further infection
>
>Detection:
>running STRINGS on an infected file reveals :
>
>This message is dedicated to $
>all fellow PC users on Earth $
> Towards A Better Tomorrow $
>And A Better Place To Live In $
> 03/03/90 KV KL MAL
>
>[There is no CR/LF after the $ character - I added this
>so that the message is readable]
>
>Also detection might be done by looking at the date/time change
>on the infected files
>
>To scan all your files (until a version of SCAN is produced which
> detects this virus):
>GREP -d+ dedicated *.EXE
>[The GREP I used is the one that comes with Turbo Pascal]
>[I chose "dedicated" for the search string as it is the most
> unique word in the message]

Is the text you mentioned contained in straight ASCII in the virus itself? In that case, if you own a virus scanner which is modifiable (that is, it works with a .dat file that contains the fingerprints of viruses) you could easily adapt the scanner so that it will recognize the virus. For example, use as fingerprint the first line: "This message is dedicated to". That would be:

54686973206D6573736167652069732064656469636174656420746F

But you could just as easily pick one of the other lines (or all of them).

Now that we are talking fingerprints: does anybody own a list of known fingerprints of (the most common) viruses? If so, could you please mail it to me, or better: post it on the net.

Thanks in advance.

Lex Wassenberg, Philips TDS
Apeldoorn, The Netherlands
lexw@idca.tds.philips.nl
It's said that only 10 people on the whole world understood Einstein.
I'm so brilliant that nobody understands me at all.
Disclaimer: Since nobody understands me, I speak only for myself.

[Ed. The danger in looking for ASCII strings, of course, is that you could get a lot of false alarms. This digest, for example, would be identified as containing the virus, since it contains the string "This message is dedicated to". Perhaps searching for the string _and_ some identifiable code would be more robust? Just a thought...]
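As an added example (not code from Dean Davidson, Lex Wassenberg or the moderator), here is a small scanner in the spirit of the GREP command and the hex fingerprint above. It reads fingerprints as hex strings, the way a .dat-driven scanner might, and searches only files with executable extensions, so a plain text file that quotes the message (this digest, say) is not reported. The fingerprint table, the extension list, the file names and the sample files it builds are all constructed for the example; the "infected" sample is an MZ header, NOPs and the message text, not real malware.

```python
"""Fingerprint scanner for DOS executables.

Added example, not code from any of the posters.  SIGNATURES is a
constructed table in the shape a .dat-driven scanner might use; its only
entry is the hex form of "This message is dedicated to" from the post above.
The files written by build_sample_tree() are harmless stand-ins.
"""
import os
import tempfile

# name -> hex-encoded byte sequence (constructed; one entry, taken from the post)
SIGNATURES = {
    "Fellowship/1022 text": "54686973206D6573736167652069732064656469636174656420746F",
}

# Assumption: these extensions are what we treat as code worth scanning.
CODE_EXTS = {".exe", ".com", ".sys", ".ovl"}


def compile_signatures(table):
    """Decode the hex once so each scan is a plain substring search."""
    return {name: bytes.fromhex(sig) for name, sig in table.items()}


def looks_executable(path):
    """Scan only files DOS would load as code.  A text file (or this digest)
    that merely quotes the message is not infected and is skipped."""
    return os.path.splitext(path)[1].lower() in CODE_EXTS


def scan_file(path, sigs):
    """Return [(signature name, offset)] for every fingerprint found in one file."""
    if not looks_executable(path):
        return []
    with open(path, "rb") as fh:
        data = fh.read()
    hits = []
    for name, sig in sigs.items():
        off = data.find(sig)
        if off != -1:
            hits.append((name, off))
    return hits


def scan_tree(root, sigs):
    """Walk a directory tree; return {path: hits} for files that matched."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            hits = scan_file(p, sigs)
            if hits:
                found[p] = hits
    return found


def build_sample_tree(root):
    """Constructed samples: a fake 'infected' EXE (message at the tail, as
    STRINGS showed), a clean EXE, and the digest text that quotes the message."""
    message = (b"This message is dedicated to $all fellow PC users on Earth $"
               b" Towards A Better Tomorrow $And A Better Place To Live In $"
               b" 03/03/90 KV KL MAL")
    header = b"MZ" + b"\x00" * 62            # minimal-looking 64-byte MZ header
    samples = {
        "INFECTED.EXE": header + b"\x90" * 256 + message,
        "CLEAN.EXE":    header + b"\x90" * 256,
        "DIGEST.TXT":   b"Virus-L digest\n" + message + b"\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo():
    """Write the samples to a temp dir, scan it, return the set of flagged names."""
    root = tempfile.mkdtemp(prefix="scan1022_")
    build_sample_tree(root)
    hits = scan_tree(root, compile_signatures(SIGNATURES))
    return {os.path.basename(p) for p in hits}


if __name__ == "__main__":
    for name in sorted(demo()):
        print("infected:", name)
```

Restricting the scan to executables removes the digest-style false alarm, but not the case of a legitimate program that happens to embed the same text; for that, the moderator's suggestion of pairing the string with a few bytes of the virus's own code is the stronger check.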
lexw@idca.tds.PHILIPS.nl (Lex Wassenberg) (07/12/90)
>>Is the text you mentioned contained in straight ASCII in the virus
>>itself? In that case, If you own a virus scanner which is modifiable
>>(that is, it works with a .dat file that contains the fingerprints of
>>virusses) you could easily adapt the scanner so that it will recognize
>>the virus. For example, use as fingerprint the first line: "This
>>message is dedicated to". That would be:
>>
>>54686973206D6573736167652069732064656469636174656420746F
>>
>>But you could just as easily pick one of the other lines (or all of them).

To which the moderator added:
>
>[Ed. The danger in looking for ASCII strings, of course, is that you
>could get a lot of false alarms. This digest, for example, would be
>identified as containing the virus, since it contains the string "This
>message is dedicated to". Perhaps searching for the string _and_ some
>identifiable code would be more robust? Just a thought...]

That would of course be true if you scan ANYTHING on your disk. However, since viruses are only dangerous when they are executed, most scanners only scan boot sectors, .COM files and .EXE files. By doing so, this digest would NOT be marked infected; in fact it wouldn't be marked at all since it's a plain text file. The same holds for .DAT files or any file that contains no executable code.

Of course there could be such clever viruses that hide part of themselves in other files than the ones from which they are invoked. In that case scanning a file for ASCII text makes no sense. You would have to scan for the part that will initially be executed, the first few instructions of the virus. Otherwise you'll not be able to tell WHICH file causes the malfunctioning of your system.

{ By the way, I wouldn't feel very comfortable if I knew there was a virus on }
{ my disk, even if I knew it would be in a file that's never executed :-) }

Lex Wassenberg, Philips TDS
Apeldoorn, The Netherlands
lexw@idca.tds.philips.nl
It's said that only 10 people on the whole world understood Einstein.
I'm so brilliant that nobody understands me at all.
Disclaimer: Since nobody understands me, I speak only for myself.
cc_davidson@vaxa.mqcc.mq.oz.au (07/13/90)
lexw@idca.tds.PHILIPS.nl (Lex Wassenberg) writes:
>ddavidso@mqccsunc.mqcc.mq.OZ.AU (Dean Davidson) writes:
>>
>>Detection:
>>running STRINGS on an infected file reveals :
>>
>>This message is dedicated to $
>> *** deleted stuff ***
>>GREP -d+ dedicated *.EXE
>>[The GREP I used is the one that comes with Turbo Pascal]
>>[I chose "dedicated" for the search string as it is the most
>> unique word in the message]
>
>Is the text you mentioned contained in straight ASCII in the virus
>itself? In that case, If you own a virus scanner which is modifiable

To clear up a point: It is a DUMB virus - the strings are in ASCII, not encrypted in any way.

'dedicated' is NOT a good signature, as the editor points out. It can appear in many files - it was but a quick and dirty way to check. Using GREP, the context in which the string appears becomes apparent and thus you know if you have an infected file or not.

BTW the program STRINGS is something I have had for years - it goes searching through any specified file and reports all the ASCII text it can find - a very useful utility.

By now John McAfee should have a copy of 1022, so expect to see a forthcoming version of SCAN being able to detect 1022.

There is also an Australian scanning product, NBY, put out by a local anti-virus guru - Claude Almer. His latest version of NBY (Version 122) already detects 1022. If you wish to get a copy and don't mind the cost of the phone call you can call his BBS on 61 2 482 1716
RZOTTO@DKNKURZ1.BITNET (Otto Stolz) (07/19/90)
> Only infects .EXE files, adding 1022 bytes to them
Is this figure accurate?
I think that EXE files can only grow by multiples of 16.
Am I mistaken?
Humbly longing for enlightenment :-)
Otto
CHESS@YKTVMV.BITNET (David.M.Chess) (07/23/90)
"Otto Stolz" <RZOTTO@DKNKURZ1.BITNET>:
> I think that EXE files can only grow by multiples of 16.
> Am I mistaken?

Hm. I think you may be. An EXE file can be any length, and a virus can add any length to it. In general, a virus will round the length of the host file up to a multiple of 16 bytes *before* adding the virus code (because that's the only easy way to do it). So, for instance, an EXE infector that was 921 bytes long (just an example) adding itself to an EXE file that was 1590 bytes long would first round the victim up to 1600, and then add the 921, for a total of 2521. Something like that. I'm not entirely positive that all this is true, but I think it is! *8)

DC
frisk@rhi.hi.is (Fridrik Skulason) (07/24/90)
RZOTTO@DKNKURZ1.BITNET (Otto Stolz) writes:
>> Only infects .EXE files, adding 1022 bytes to them
>Is this figure accurate?
>
>I think that EXE files can only grow by multiples of 16.
>Am I mistaken?

I just finished writing the routine to disinfect the Fellowship virus (called 1022 above). The virus code itself is in fact 1019 bytes, at least in the version I have. Actually, files may grow by less than 1019 bytes, as the virus may overwrite the last few bytes of the programs it infects, making 100% disinfection impossible. A 1022-byte version may exist, however.

About .EXE infections in general... many viruses first pad the programs they infect with 1-15 bytes of garbage, so their length becomes a multiple of 16 bytes. The virus code is then added, but as it is of a fixed length, the length of the infected file MOD 16 will be constant for a given virus. This padding is done to ensure the virus starts on a paragraph boundary, making it possible to set the initial IP value to a fixed number. A disinfection program may be able to remove the virus, but probably not those extra 1-15 bytes.

Other viruses just append the virus code to the file, and set the initial IP value to a number that depends on the length of the original file MOD 16.

- --
Fridrik Skulason      University of Iceland
Technical Editor of the Virus Bulletin (UK)
Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801
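To make the paragraph arithmetic in the last three posts concrete, here is an added example (not code from Chess, Skulason or anyone else in the thread). It builds toy MZ images, reads the header fields that locate the entry point, and lays out appended code under both strategies Frisk describes: padded to a paragraph boundary (fixed IP, file length MOD 16 constant) and unpadded (IP depends on the host length MOD 16). The 1590-byte host and 921-byte virus are David Chess's hypothetical figures, not measurements of the real 1022/Fellowship sample; the "virus" body is a harmless DOS exit stub; and lay_out_appended is only a layout model, not an infector: it overwrites the host's entry point instead of preserving it, so the host would not run afterwards. entry_bytes shows where a code signature, as opposed to an ASCII string, would be taken from.

```python
"""MZ (.EXE) header arithmetic behind the "multiples of 16" question.

Added example, not code from any of the posters.  The lengths 1590 and 921
are David Chess's hypothetical numbers.  lay_out_appended() models file
layout only: it overwrites the host entry point rather than saving it.
"""
import struct

PARA = 16          # one paragraph: segment registers address memory in 16-byte units
HDR_PARAS = 2      # the toy images use a 32-byte header


def round_up_para(n):
    """Smallest multiple of 16 that is >= n."""
    return (n + PARA - 1) // PARA * PARA


def appended_length(host_len, virus_len, pad_to_paragraph=True):
    """Infected length under the two strategies.  With padding, the result
    MOD 16 is constant for a given virus; without it, it varies with the host."""
    base = round_up_para(host_len) if pad_to_paragraph else host_len
    return base + virus_len


def virus_entry(host_len, hdr_size, pad_to_paragraph=True):
    """(CS, IP, file offset) for code appended at the host's end.  Padded: IP is
    always 0.  Unpadded: IP = (host_len - hdr_size) MOD 16, i.e. host-dependent."""
    start = round_up_para(host_len) if pad_to_paragraph else host_len
    rel = start - hdr_size                  # offset inside the load module
    return rel // PARA, rel % PARA, start


def make_mz(load_module, cs, ip, header_paras=HDR_PARAS):
    """Minimal MZ file: e_cblp/e_cp give the total size in 512-byte pages,
    e_cparhdr the header length in paragraphs, e_cs:e_ip the entry point."""
    hdr_size = header_paras * PARA
    total = hdr_size + len(load_module)
    e_cp = (total + 511) // 512             # pages, last one possibly partial
    e_cblp = total % 512                    # bytes used in the last page (0 = full)
    header = struct.pack("<2s11H", b"MZ", e_cblp, e_cp, 0, header_paras,
                         0, 0xFFFF, 0, 0, 0, ip, cs)
    return header + b"\x00" * (hdr_size - len(header)) + load_module


def parse_mz_header(data):
    """Header fields needed to find the first byte that executes."""
    if data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    (e_cblp, e_cp, _crlc, e_cparhdr, _min, _max,
     _ss, _sp, _csum, e_ip, e_cs) = struct.unpack_from("<11H", data, 2)
    hdr_size = e_cparhdr * PARA
    image_size = e_cp * 512 - ((512 - e_cblp) if e_cblp else 0)
    return {"header_size": hdr_size, "image_size": image_size,
            "cs": e_cs, "ip": e_ip,
            "entry_offset": hdr_size + e_cs * PARA + e_ip}


def entry_bytes(data, n=8):
    """First n bytes that actually execute: where a *code* signature belongs,
    unlike an ASCII string that may sit anywhere in the file."""
    off = parse_mz_header(data)["entry_offset"]
    return data[off:off + n]


def lay_out_appended(host, payload, pad_to_paragraph=True):
    """Pad the host to a paragraph (or not), append payload, point the header at it."""
    hdr = parse_mz_header(host)
    cs, ip, start = virus_entry(len(host), hdr["header_size"], pad_to_paragraph)
    load = host[hdr["header_size"]:] + b"\x00" * (start - len(host)) + payload
    return make_mz(load, cs, ip, hdr["header_size"] // PARA)


def demo():
    """Chess's numbers: 1590-byte host, 921-byte virus, both strategies."""
    host = make_mz(b"\x90" * (1590 - HDR_PARAS * PARA), cs=0, ip=0)
    # harmless stand-in for virus code: mov ax,4C00h / int 21h (DOS exit), then NOPs
    stub = b"\xB8\x00\x4C\xCD\x21" + b"\x90" * (921 - 5)
    out = {}
    for label, pad in (("padded", True), ("unpadded", False)):
        img = lay_out_appended(host, stub, pad)
        h = parse_mz_header(img)
        out[label] = {"length": len(img), "cs_ip": (h["cs"], h["ip"]),
                      "entry_offset": h["entry_offset"],
                      "entry_is_stub": entry_bytes(img, 5) == stub[:5],
                      "image_size_ok": h["image_size"] == len(img)}
    return out


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r)
```

Running it reproduces Chess's 1590 + 10 + 921 = 2521 for the padded case (CS:IP = 98:0, entry at file offset 1600) against 2511 for the unpadded case (CS:IP = 97:6, entry at 1590), and shows why a disinfector that strips exactly the virus length leaves Frisk's 1-15 padding bytes behind: they are part of the load module the header now describes, not of the virus body.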