[comp.virus] MIX1

frisk@rhi.hi.is (Fridrik Skulason) (09/23/89)

Actually I was not planning to write more about viruses from Israel
for a while, but I just could not resist.

You see, the latest virus reported there, the MIX1 virus, is in fact just
a variant of the Icelandic virus. I would not be surprised if this was
in fact the variant mentioned some time ago, as

    "...a hacked variant of the Icelandic virus, that a group of
     hackers intends to distribute to various BBS..."

Fortunately, it is just a variant of the Icelandic-1 virus, like Saratoga.
If the authors of MIX1 had instead based their variant on Icelandic-2, we
might be seeing the start of a serious problem.

I have now almost finished disassembling MIX1, and here are a few details
not mentioned by Yuval Tal in his report:

The virus has been modified in several places, in order to fool virus
detection programs. The changes include replacing instructions with
other equivalent ones.

Examples:   XOR AX,AX      --->     MOV AX,0000

            MOV ES,AX      --->     PUSH AX
                                    POP ES

Also, NOP instructions have been inserted in several places, including inside
the identification strings used by VIRUSCAN and most other similar programs.
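As an added illustration (not part of frisk's post), here is a small Python normalizer that shows why the substitutions above defeat a plain byte-string scanner and how a scanner can canonicalize them before matching. The opcode bytes are the standard 8086 encodings; the signature and the sample fragment are constructed for this example, not taken from any real virus.

```python
# Constructed example: scanner-side normalization against the
# instruction substitution and NOP insertion described in the post.

NOP = 0x90  # one-byte NOP

# Mutated encodings the post lists, mapped to one canonical form.
EQUIVALENTS = [
    (bytes([0xB8, 0x00, 0x00]), bytes([0x33, 0xC0])),  # MOV AX,0000 -> XOR AX,AX
    (bytes([0x31, 0xC0]),       bytes([0x33, 0xC0])),  # alternate XOR AX,AX encoding
    (bytes([0x50, 0x07]),       bytes([0x8E, 0xC0])),  # PUSH AX / POP ES -> MOV ES,AX
]

def normalize(code: bytes) -> bytes:
    """Drop NOP padding, then rewrite known equivalent sequences to canonical bytes.
    Works on raw bytes for brevity; a real scanner would do this on disassembled
    instructions so that a 0x90 immediate or a 0x50 data byte is not misread."""
    stripped = bytes(b for b in code if b != NOP)
    out = bytearray()
    i = 0
    while i < len(stripped):
        for mutated, canonical in EQUIVALENTS:
            if stripped.startswith(mutated, i):
                out += canonical
                i += len(mutated)
                break
        else:
            out.append(stripped[i])
            i += 1
    return bytes(out)

def naive_match(code: bytes, signature: bytes) -> bool:
    """Plain identification-string scan, as VIRUSCAN-style tools did it."""
    return signature in code

def normalized_match(code: bytes, signature: bytes) -> bool:
    """Scan after canonicalizing both the signature and the scanned code."""
    return normalize(signature) in normalize(code)

# Constructed signature: XOR AX,AX ; MOV ES,AX ; MOV SI,1234h
SIGNATURE = bytes([0x33, 0xC0, 0x8E, 0xC0, 0xBE, 0x34, 0x12])
# Same fragment after MIX1-style edits:
# MOV AX,0000 ; NOP ; PUSH AX ; NOP ; POP ES ; MOV SI,1234h
MUTATED = bytes([0xB8, 0x00, 0x00, 0x90, 0x50, 0x90, 0x07, 0xBE, 0x34, 0x12])
SAMPLE = b"\xEB\x05" + MUTATED + b"\xCD\x20"  # constructed surrounding code

if __name__ == "__main__":
    print("naive:", naive_match(SAMPLE, SIGNATURE))            # False
    print("normalized:", normalized_match(SAMPLE, SIGNATURE))  # True
```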

This seems to be a response by virus writers to anti-virus programs that look
for infection by using identification strings. This method has so far only
been used in two viruses that I know of, MIX1 and the '286 variant of the
Ping-Pong virus.

Apart from these changes, two parts of the virus are almost identical to other
variants of the Icelandic virus. In the installation part, the code to
check INT 13 has been removed (as in Saratoga and Icelandic-2). The infection
routine has been modified in the following ways:

    Infect every file (instead of every tenth program run).
    Do not infect a program unless it is at least 16K long.

The Icelandic virus was first detected in June, disassembled a week later,
and the disassembly was made available around the beginning of July. The
MIX1 virus appeared in Israel in August - which is a very short time for a
virus to spread around the globe.

Now - the question is: How did the authors of MIX1 obtain the Icelandic virus?

It is almost certain that these viruses do not have the same author, because
then the virus would surely have been based on Icelandic-2, which is a much
more dangerous and effective variant.

I see the following possibilities:

    1) The author of MIX1 obtained a copy of Icelandic-1 from somebody
       who got infected with it, disassembled it and created a new virus.
       This sounds reasonable, but there is one major problem, which is
       that the Icelandic virus has (as far as I know) not been detected
       outside of Iceland.

    2) The author obtained a disassembly, modified it and re-released it
       as MIX1. It is already known that at least one virus writer has
       access to virus disassemblies, that were only intended for virus
       specialists.

The problem is that obtaining well-commented virus disassemblies is not hard,
and I would not be surprised if a number of new variants of viruses based
on them would appear in the near future.

MIX1 and Ping-Pong '286 may be just the first of this new generation.

                            ---- frisk