frisk@rhi.hi.is (Fridrik Skulason) (09/23/89)
Actually I was not planning to write more about viruses from Israel for a while, but I just could not resist. You see, the latest virus reported there, the MIX1 virus, is in fact just a variant of the Icelandic virus. I would not be surprised if this was in fact the variant mentioned some time ago, as "...a hacked variant of the Icelandic virus, that a group of hackers intends to distribute to various BBS..." Fortunately, it is just a variant of the Icelandic-1 virus, like Saratoga. If the authors of MIX1 had instead based their variant on Icelandic-2, we might be seeing the start of a serious problem.

I have now almost finished disassembling MIX1, and here are a few details not mentioned by Yuval Tal in his report:

The virus has been modified in several places, in order to fool virus detection programs. The changes include replacing instructions with other equivalent ones. Examples:

    XOR AX,AX   --->  MOV AX,0000
    MOV ES,AX   --->  PUSH AX
                      POP ES

Also, NOP instructions have been inserted in several places, including inside the identification strings used by VIRUSCAN and most other similar programs. This seems to be a response by virus writers to anti-virus programs that look for infection by using identification strings. This method has so far only been used in two viruses that I know of, MIX1 and the '286 variant of the Ping-Pong virus.

Apart from these changes, two parts of the virus are almost identical to other variants of the Icelandic virus. In the installation part, the code to check INT 13 has been removed (as in Saratoga and Icelandic-2). The infection routine has been modified in the following ways:

    - Infect every file (instead of every tenth program run).
    - Do not infect a program unless it is at least 16K long.

The Icelandic virus was first detected in June, disassembled a week later, and the disassembly was made available around the beginning of July.
The MIX1 virus appeared in Israel in August, which is a very short time for a virus to spread around the globe. Now the question is: how did the authors of MIX1 obtain the Icelandic virus? It is almost certain that these viruses do not have the same author, because then the virus would surely have been based on Icelandic-2, which is a much more dangerous and effective variant. I see the following possibilities:

  1) The author of MIX1 obtained a copy of Icelandic-1 from somebody who got infected with it, disassembled it and created a new virus. This sounds reasonable, but there is one major problem, which is that the Icelandic virus has (as far as I know) not been detected outside of Iceland.

  2) The author obtained a disassembly, modified it and re-released it as MIX1. It is already known that at least one virus writer has access to virus disassemblies that were only intended for virus specialists.

The problem is that obtaining well-commented virus disassemblies is not hard, and I would not be surprised if a number of new variants of viruses, based on them, would appear in the near future. MIX1 and Ping-Pong '286 may be just the first of this new generation.

---- frisk
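As an added illustration (not part of the post, and not the real virus code) of why the identification strings the post mentions fail against such a variant, and how a scanner can compensate: the two byte strings below are constructed, the first standing in for an Icelandic-1 style fragment (XOR AX,AX / MOV ES,AX / INT 21h), the second for the MIX1-style rewrite with the equivalent instructions and inserted NOPs the post describes. The scanner functions and signature are my own, not VIRUSCAN's.

```python
import re

# Constructed sample standing in for an identification string taken from the
# original code (not the real virus):
#   31 C0  XOR AX,AX
#   8E C0  MOV ES,AX
#   CD 21  INT 21h
ORIGINAL = bytes.fromhex("31c08ec0cd21")

# Constructed sample of what a scanner sees after the rewrite the post describes:
#   B8 00 00  MOV AX,0000   (equivalent of XOR AX,AX)
#   90        NOP           (inserted padding)
#   50 07     PUSH AX / POP ES  (equivalent of MOV ES,AX)
#   90 90     NOP NOP       (inserted padding)
#   CD 21     INT 21h
VARIANT = bytes.fromhex("b80000905007 9090cd21".replace(" ", ""))

NOP = 0x90

def plain_scan(sample: bytes, signature: bytes) -> bool:
    """Exact-substring match, the way an identification-string scanner works."""
    return signature in sample

def strip_nops(sample: bytes) -> bytes:
    """Drop NOP bytes so inserted padding cannot split a signature.

    Caveat: this is a byte-level approximation. A 90h byte can also be an
    operand (e.g. MOV AX,9090h), so a production scanner would remove NOPs
    only at instruction boundaries found by disassembly.
    """
    return bytes(b for b in sample if b != NOP)

# Signature with equivalence classes for the substitutions listed in the post:
#   (XOR AX,AX | MOV AX,0000) (MOV ES,AX | PUSH AX POP ES) INT 21h
EQUIVALENT_SIGNATURE = re.compile(
    rb"(?:\x31\xc0|\xb8\x00\x00)"   # XOR AX,AX  or  MOV AX,0000
    rb"(?:\x8e\xc0|\x50\x07)"       # MOV ES,AX  or  PUSH AX / POP ES
    rb"\xcd\x21"                    # INT 21h
)

def tolerant_scan(sample: bytes) -> bool:
    """NOP-stripped, substitution-aware match that catches both forms."""
    return EQUIVALENT_SIGNATURE.search(strip_nops(sample)) is not None

if __name__ == "__main__":
    print("plain scan, original :", plain_scan(ORIGINAL, ORIGINAL))   # True
    print("plain scan, variant  :", plain_scan(VARIANT, ORIGINAL))    # False
    print("tolerant, original   :", tolerant_scan(ORIGINAL))          # True
    print("tolerant, variant    :", tolerant_scan(VARIANT))           # True
```

The cost of the tolerant form is a wider pattern, so each equivalence class should be checked against clean code for false positives before it ships.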