[comp.virus] Differences...

frisk@rhi.hi.is (Fridrik Skulason) (12/06/89)

The question "How many different PC viruses are known?" is a hard one.
There are two main reasons why:

1) Some viruses have been reported, but not made available for research,
   so nobody has been able to compare them to existing viruses. In some
   cases there are even doubts that the viruses in question exist at all.
   The viruses in this group are "4096", "Nichols", "Missouri", "Agiplan",
   "Retro" and "Screen".

2) Even when the viruses are available for study, it is often hard to
   determine if two viruses are different or not.

   Consider the following possibilities:

      I Binary identical. No problem here - the viruses are identical.

     II Code is identical on the binary level - text strings changed.
        Some of the variants of "Brain" are a good example.

    III Identical on assembly language level. One example includes viruses
        created by typing in a disassembly and then assembling it, using an
        assembler different from the one originally used. Different
        assemblers will in many cases create different opcodes for the same
        instruction (the POP/PUSH instructions, for example). One example
        is the two variants of the "South African" virus that I have. One
        is an original, the other is created using the disassembly by Jim
        Goodwin.

     IV Minor changes to code, extra NOP instructions added or other changes
        made that have no effects on the function of the virus, but may
        invalidate search strings. The "Lisbon" virus is a good example
        of this.

      V Minor changes to code, different lengths, bug corrections, different
        activation dates and similar changes. Most of the 1701/1704 variants
        fall in this category, but also "Saratoga", "2930", "Mix1-B" etc.

     VI Identical replication code, different functions. The "Sunday" virus
        is a good example of this. Also "Ghost", "1704-Format", "Typo" and
        "Advent".

    VII Partially identical code - very different functions. "Fu Manchu"
        is the best example.

   VIII Different code - identical functions. Example: The "ping-pong"
        effect in the MIX-1 virus.

     IX Different code, functionally identical replication and/or infection
        mechanism. Different functions. No problem - different viruses.

So, what do we do?  We need to define when we consider two viruses to be...

        ...different viruses
        ...different strains of the same virus
        ...not to be considered different

Of course we can proceed from a different angle - select a few identification
strings for each virus and then classify new viruses as follows:

      ... contains all the identification strings of the old one -> same

      ... contains some of the identification strings -> new variant

      ... contains none of the identification strings -> new virus
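As an added example (not part of frisk's post), here is the "all / some / none" identification-string rule applied to constructed byte samples standing in for the categories above; the bytes, the sample names and the two analysts' string choices are all hypothetical, and the last part shows why two people picking different strings can reach different conclusions.

```python
# Added example: classify a sample against identification strings taken
# from a known virus, using the all / some / none rule from the post.
# Every byte sequence here is constructed toy data, not real virus code.

ORIGINAL = (
    b"\xb8\x00\x42\xcd\x21"        # hypothetical code fragment 1
    b"SAMPLE TEXT V1"              # hypothetical text string
    b"\xb4\x3f\xcd\x21\x72\x10"    # hypothetical code fragment 2
)

# Analyst A chooses strings from code only; category II variants change
# just the text, so text strings would match or miss for the wrong reason.
ANALYST_A_STRINGS = [b"\xb8\x00\x42\xcd\x21", b"\xb4\x3f\xcd\x21\x72\x10"]

# Analyst B chooses shorter strings from the same sample (hypothetical).
ANALYST_B_STRINGS = [b"\xb8\x00\x42", b"\x72\x10"]


def classify(sample: bytes, id_strings=ANALYST_A_STRINGS) -> str:
    """Return 'same', 'variant' or 'new' per the three-way rule."""
    hits = sum(1 for s in id_strings if s in sample)
    if hits == len(id_strings):
        return "same"
    if hits > 0:
        return "variant"
    return "new"


# Category II: text string replaced, code untouched -> "same".
TEXT_CHANGED = ORIGINAL.replace(b"SAMPLE TEXT V1", b"OTHER TEXT V2")

# Category IV: one NOP (0x90) inserted inside a search string. The
# function is unchanged, yet analyst A's second string no longer matches.
NOP_INSERTED = ORIGINAL.replace(b"\xcd\x21\x72\x10", b"\xcd\x21\x90\x72\x10")

# Category VIII/IX: wholly different code -> "new".
DIFFERENT = b"\xb8\x00\x3d\xcd\x21\x73\x03\xe9\x40\x00"


def compare_analysts(sample: bytes) -> tuple:
    """Verdicts of analyst A and analyst B on the same sample."""
    return (classify(sample, ANALYST_A_STRINGS),
            classify(sample, ANALYST_B_STRINGS))


if __name__ == "__main__":
    for name, s in [("original", ORIGINAL), ("text changed", TEXT_CHANGED),
                    ("NOP inserted", NOP_INSERTED), ("different", DIFFERENT)]:
        print(f"{name:13s} A/B verdicts: {compare_analysts(s)}")
```

For the NOP-inserted sample analyst A reports a new variant while analyst B reports the same virus, which is exactly the disagreement the post describes.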


Or maybe use this method:

      ... the new virus can be removed by using the same program that was
          used to remove the old one -> identical

      ... only a single constant or two need to be changed to make it
          possible to use the same program to disinfect -> new variant

      ... new disinfection program/routine must be written -> new virus.

My opinion is that those two suggestions are practically useless, since two
different people working on the same virus may not reach the same conclusion.

Comments/suggestions?

- -frisk