RADAI1@HBUNOS.BITNET (Y. Radai) (08/29/89)
For several reasons, one of which is very irregular receipt of VIRUS-L, I've been out of touch with it for several weeks now. So please forgive me if some of the postings referred to below are a few weeks old.

PC Virus List
-------------
Lan Nguyen asks whether a list of PC viruses, incl. date first discovered and source(s), exists. I will soon be submitting to VIRUS-L a considerably updated version of the list I first posted on May 16. Meanwhile, Lan, I'm sending you my list as it currently stands (29 viruses, 70 strains).

The Swap Virus
--------------
Yuval Tal writes:
>I don't think that it is so important how we call the virus. I've
>decided to call it the swap virus because the message "The Swapping-
>Virus...' appears in it! ....... I think that calling it "The
>Dropping Letter Virus" will be just fine.

Well, "The Dropping Letter Virus" would be a poor choice since (as I mentioned in an earlier posting) this also describes the Cascade and Traceback viruses. Yuval has explained that he originally called it the Swap virus because it writes the following string into bytes B7-E4 of track 39, sector 7 (if sectors 6 and 7 are empty):

The Swapping-Virus. (C) June, 1989 by the CIA

However, he has not publicly explained how the words SWAP VIRUS FAT12 got into the boot sector of some of the diskettes infected by this virus, so let me fill in the details. As David Chess and John McAfee both pointed out quite correctly, these words are not part of the virus. What happened was that Yuval wrote a volume label SWAP VIRUS onto each infected diskette for identification. Had his system been DOS 3 the label would have been written only into the root directory. But since he was apparently using DOS 4, it was also written into bytes 2Bh-35h of the boot sector. (That still leaves the string FAT12 in bytes 36h-3Ah to be explained. Under DOS 4, the field 36h-3Dh is supposed to be "reserved". Anyone got any comments on that?)
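An added illustration of the boot sector layout discussed above (this is not part of Radai's posting, and not code from any of the people quoted). The Python script constructs a synthetic 360K boot sector in both the DOS 3.x and the DOS 4.0 layout and reads back the fields at 26h, 2Bh-35h and 36h-3Dh. Two points it makes concrete: later Microsoft documentation defines the 8-byte field at 36h-3Dh as the file-system type string ("FAT12   "), which is where the FAT12 text comes from; and a DOS 3.x boot sector has no extended boot signature (29h) at offset 26h, so on such a diskette bytes 2Bh-3Dh are part of the boot code and must not be read as a label. The sample sector contents, the label string and the serial number are constructed values.

```python
import struct

EXT_BOOT_SIG = 0x29  # extended boot signature that marks a DOS 4.0-style BPB


def parse_boot_sector(sector: bytes) -> dict:
    """Parse the BIOS Parameter Block of a 512-byte FAT boot sector.

    The volume label (2Bh-35h) and file-system type (36h-3Dh) are only
    defined when the extended boot signature 29h is present at offset 26h.
    On a DOS 3.x sector those bytes belong to the boot code, so the parser
    reports them as absent rather than decoding code bytes as text.
    """
    if len(sector) < 512:
        raise ValueError("boot sector must be at least 512 bytes")
    info = {
        "oem_name": sector[3:11].decode("ascii", "replace"),
        "bytes_per_sector": struct.unpack_from("<H", sector, 0x0B)[0],
        "sectors_per_cluster": sector[0x0D],
        "total_sectors": struct.unpack_from("<H", sector, 0x13)[0],
        "media_descriptor": sector[0x15],
        "has_ext_bpb": sector[0x26] == EXT_BOOT_SIG,
        "volume_serial": None,
        "volume_label": None,
        "fs_type": None,
    }
    if info["has_ext_bpb"]:
        info["volume_serial"] = struct.unpack_from("<I", sector, 0x27)[0]
        # 11-byte label, space padded, written here by DOS 4 (not by DOS 3)
        info["volume_label"] = sector[0x2B:0x36].decode("ascii", "replace").rstrip()
        # 8-byte file-system type string, e.g. "FAT12   "
        info["fs_type"] = sector[0x36:0x3E].decode("ascii", "replace").rstrip()
    return info


def build_sample_sector(label: str, dos4: bool) -> bytes:
    """Construct a synthetic 360K (40 tracks x 2 heads x 9 sectors) boot sector.

    This is sample data built for the example, not an image of a real diskette.
    """
    s = bytearray(512)
    s[0:3] = b"\xEB\x3C\x90"                      # JMP to boot code, NOP
    s[3:11] = b"MSDOS4.0" if dos4 else b"IBM  3.3"  # OEM name (constructed)
    struct.pack_into("<H", s, 0x0B, 512)          # bytes per sector
    s[0x0D] = 2                                   # sectors per cluster
    struct.pack_into("<H", s, 0x0E, 1)            # reserved sectors
    s[0x10] = 2                                   # number of FATs
    struct.pack_into("<H", s, 0x11, 112)          # root directory entries
    struct.pack_into("<H", s, 0x13, 720)          # total sectors
    s[0x15] = 0xFD                                # media descriptor for 360K
    struct.pack_into("<H", s, 0x16, 2)            # sectors per FAT
    struct.pack_into("<H", s, 0x18, 9)            # sectors per track
    struct.pack_into("<H", s, 0x1A, 2)            # number of heads
    if dos4:
        s[0x26] = EXT_BOOT_SIG
        struct.pack_into("<I", s, 0x27, 0x12345678)     # volume serial (constructed)
        s[0x2B:0x36] = label.encode("ascii").ljust(11)[:11]
        s[0x36:0x3E] = b"FAT12   "
    s[510:512] = b"\x55\xAA"                      # boot sector signature
    return bytes(s)


if __name__ == "__main__":
    for dos4 in (False, True):
        info = parse_boot_sector(build_sample_sector("SWAP VIRUS", dos4))
        print("DOS 4 layout" if dos4 else "DOS 3 layout", info)
```

When examining a suspect diskette image, check byte 26h before treating 2Bh-3Dh as text: on a DOS 3.x disk an ASCII-looking string in that region was not put there by a DOS volume label, and on a DOS 4 disk a label there says nothing about whether the boot code itself has been altered.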
So although I didn't know at the time that the words SWAP VIRUS came from Yuval, it seems that my (and his original) suggestion to call it the Swap virus is still the best choice.

The Israeli/Friday-13/Jerusalem Virus
-------------------------------------
In response to a query from Andrew Berman, David Rehbein gave a quite accurate description of the virus, except for one small point:
>(It will infect and replicate itself in ANY executable, no matter
>the extension..check especially .OVL and .SYS)

To the best of my knowledge, no strain of this virus (or, for that matter, of any other virus that I know of) infects overlay or SYS files.

Andrew Berman writes concerning this virus:
>She thinks
>she's cleaned it out by copying only the source codes to new disks,
>zapping the hard drives, and recompiling everything on the clean hard
>disks.

It's a pity that so many people try to eradicate the virus by such difficult means when (as has been mentioned on this list and elsewhere) there is a file named UNVIR6.ARC on SIMTEL20 (in <MSDOS.TROJAN-PRO>) containing a program called UNVIRUS which will easily eradicate this virus and 5-6 others as well, plus a program IMMUNE to prevent further infection.

Disassembling of Viruses
------------------------
In response to a posting by Alan Roberts, David Chess replied:
>I think it's probably a Good Thing if at least two or three people do
>independent disassemblies of each virus, just to make it less likely
>that something subtle will be missed. I know my disassemblies (except
>the ones I've spent lots of time on) always contain sections marked
>with vaguenesses like "Does something subtle with the EXE file header
>here". .... I probably tend to lean towards "the more the merrier"!

I can appreciate David's point. However, I would like to point out that the quality of (commented) disassemblies differs greatly from one person to another. As Joe Hirst of the British Computer Virus Research Centre writes (V2 #174):
>Our aim will be to produce disassemblies which cannot be improved upon.

And this isn't merely an aim. In my opinion, his disassemblies are an order of magnitude better than any others I've seen. He figures out and comments on the purpose of *every* instruction, and vagueness or doubt in his comments is extremely rare.

What I'm suggesting is this: If you have the desire, ability, time and patience to disassemble a virus yourself, then have fun. But unless you're sure it's a brand new virus, you may be wasting your time from the point of view of practical value to the virus-busting community. And even if you are sure that it's a new virus, take into account that there are pros like Joe who can probably do the job much better than you.

So what about David's point that any given disassembler may miss something subtle? Well, I'm not saying that Joe Hirst should be the *only* person to disassemble viruses. Even he is only human, so there should be one or two other good disassemblers to do the job independently. But no more than 1 or 2; I can't accept David's position of "the more the merrier".

Btw, disassemblers don't always get the full picture. Take, for example, the Merritt-Alameda-Yale virus, of which I have seen three disassemblies. They all mentioned that the POP CS instruction is invalid on 286 machines, yet none of them mentioned the important fact that when such a machine hangs the virus has already installed itself in high RAM and hooked the keyboard interrupt, so that the infection can spread if a warm boot is then performed! That fact seems to have been noticed only by ordinary humans.

Y. Radai
Hebrew Univ. of Jerusalem