home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
DP Tool Club 8
/
CDASC08.ISO
/
VRAC
/
PCL60A.ZIP
/
PART3.EXE
/
VIRUS.TUT
< prev
Wrap
Text File
|
1993-07-13
|
25KB
|
458 lines
----------------------------------------------------------------
VIRUS WARFARE: THE NOVEMBER MESSAGE
----------------------------------------------------------------
Interesting stories sometimes begin with a touch of horror.
Technological terror is so much more invigorating when the plot
is true and the author real . . .
Imagine you are a computer operator at a local college on a
crisp November afternoon. It is Monday and you have finished
running a routine payroll data processing job which will print
employee paychecks on Friday. You decide to check messages on
the University computer network which links colleges and
Universities throughout America. At 4:15 PM the following
message flashes onto your screen. This message is NOT fictional.
The dates and people are REAL:
Monday, 30 November 1987 BITNET computer network - URGENT
FROM: Kenneth R. Van Wyk, User Services Senior Consultant,
Lehigh University Computing Center (215)-758-4988
<LUKEN@LEHIIBM1.BITNET> <LUKEN@VAX1.CC.LEHIGH.EDU>
{RISKS-FORUM Digest Volume 5 : Issue 67}
Last week, some of our student consultants discovered a virus
program that's been spreading rapidly throughout Lehigh
University. I thought I'd take a few minutes and warn as many
of you as possible about this program since it has the chance of
spreading much farther than just our University. We have no
idea where the virus started, but some users have told me that
other universities have recently had similar problems.
The virus: the virus itself is contained in the stack space of
COMMAND.COM. When a PC is booted from an infected disk, all a
user need do to spread the virus is to access another disk via
TYPE, COPY, DIR, etc. If the other disk contains COMMAND.COM,
the virus code is copied to the other disk. Then, a counter is
incremented on the parent. When this counter reaches a value of
4, any and every disk in the PC is erased thoroughly. The boot
tracks are nulled, as are the FAT tables, etc. All Norton's
horses couldn't put it back together again... :-) This affects
both floppy and hard disks. Meanwhile, the four children that
were created go on to tell four friends, and then they tell four
friends, and so on, and so on.
Detection: while this virus appears to be very well written, the
author did leave behind a couple of footprints. First, the
write date of the COMMAND.COM changes. Second, if there's a
write protect tab on an uninfected disk, you will get a WRITE
PROTECT ERROR... So, boot up from a suspected virus'd disk and
access a write protected disk - if an error comes up, then
you're sure. Note that the length of command.com does not get
altered.
I urge anyone who comes in contact with publicly accessible
disks to periodically check their own disks. Also, exercise
safe computing -always wear a write protect tab. :-)
This is not a joke. A large percentage of our public site disks
have been gonged by this virus in the last couple of days.
END OF MESSAGE ...
----------------------------------------------------------------
COMPUTER VIRUSES: ELEGANT SOFTWARE
WITH A SAVAGE PURPOSE
----------------------------------------------------------------
If you followed the previous message closely you are beginning
to sense what a computer virus is and can do. A definition might
roughly describe a VIRUS as a SELF-REPLICATING computer program
which copies itself and attaches to one of the following areas
of a computer: the hard disk partition table, the DOS boot
sector of a hard disk or floppy or one or more executable files
within the system. It may also make itself resident in RAM
memory during computer operation.
Infected executable files may be operating system programs,
system device drivers, .COM files, .EXE files, overlay files or
any other file which can be loaded into memory and executed.
The virus activates itself at some predetermined (or randomly
determined) time and attempts to destroy, remove or otherwise
scramble data and programs. Some virus type even attempt to
damage computer hardware.
A trademark of a virus is that it is SELF-REPLICATING and thus
clones multiple copies of itself. A virus is a computer program
- designed by someone - to spread identical copies of itself
among many computers and destroy data or programs in a specific
targeted manner.
In many ways a computer virus is quite similar to a biological
virus. It attacks one computer then proliferates among many
computers as infected floppy disks and the programs contained
within are shared among many computer users. The virus may lie
dormant for many months, or even years, all the while
replicating its program code to many more programs and floppy
disks. When an infected program is run it will in turn infect
other programs and disks in that same computer. Sometimes, but
not always, viruses interfere with printing or other routine DOS
operations. Many times the programmer who designed the virus
allows unintentional errors to exist within the virus program
code which can cause unexplained system crashes and other odd
behavior BEFORE the virus is triggered to erase or destroy data.
It seems even viruses are not perfect programs and can be
subject to programming bugs and errors just like standard
programs!
What does a virus program look like to a human operator? Simply
a string of highly encoded computer data bytes which by
themselves mean nothing to the casual observer. If you were to
glimpse deep inside the computer program code which makes up a
virus you might see something on your screen like the following
"machine code" listing:
xxxx:0110 02 00 02 3B A2 F8 29 00-11 00 04 00 11 00 80 00
xxxx:0120 00 00 00 00 0F 00 00 00-00 01 00 FA 33 C0 8E D0
xxxx:0130 BC 00 7C 16 07 BB 78 00-36 C5 37 1E 56 16 53 BF
xxxx:0160 13 72 67 A0 10 7C 98 F7-26 16 7C 03 06 1C 7C 03
xxxx:0190 A1 34 7C E8 96 00 B8 01-02 E8 AA 00 72 19 8B FB
xxxx:01B0 B9 0B 00 F3 A6 74 18 BE-5F 7D E8 61 00 32 E4 CD
xxxx:01C0 16 5E 1F 8F 04 8F 44 02-CD 19 BE A8 7D EB EB A1
xxxx:01D0 1C 05 33 D2 F7 36 0B 7C-FE C0 A2 31 7C A1 2C 7C
xxxx:0200 0C 01 06 2C 7C F7 26 0B-7C 03 D8 EB D9 8A 2E 15
xxxx:0210 7C 8A 16 1E 7C 8B 1E 32-7C EA 00 00 70 00 AC 0A
xxxx:0230 18 7C FE C2 88 16 30 7C-33 D2 F7 36 1A 7C 88 16
xxxx:0240 1F 7C A3 2E 7C C3 B4 02-8B 16 2E 7C B1 06 D2 E6
xxxx:0250 0A 36 30 7C 8B CA 86 E9-8B 16 1E 7C CD 13 C3 0D
Computer virus programs can be designed in assembly machine
code, Basic, Pascal, C and even the DOS batch file language.
What triggers a virus to destroy data once it is embedded within
your computer? Depending on the person who designed the virus
programming code, the virus can trigger and destroy data based
on:
A date, perhaps Friday the 13th to add a cruel twist of fate.
The number of repetitions a certain program is run. An occurrence
such as printing the payroll or running Lotus 123. A lack of an
occurrence (removal of a name from a list.) A time of day,
perhaps 1 AM when an office network is running unattended. A
capacity, say when your hard drive reaches 90% capacity, nearly
full. A random time of day or random date, or both. The presence
of another program or removal of a program. Use of a modem or
your printer. A particular person's name or password.
Essentially, the programmer of the virus code selects a
"trigger" of some type and deliberately programs the virus to
wake up and "bite" when a certain condition is met!
One of the original viruses designed to infect the IBM PC came
from Pakistan where the programmers of the "Brain" virus wanted
to punish American software users who copied or "pirated"
commercial software. They did this by infecting illegal copies
of commercial software which they sold in their retail store in
Pakistan.
In 1989 a large number of viruses were reported as originating in
Israel. Some authorities speculate that PLO members might have
written virus programs for political purposes to "punish" those
living in Israel or America. Others speculate that those living
in Israel might have designed the virus programs to penetrate
complex computer networks in Arab countries or America to gain
access to sensitive government data. Rumors continue to surface
that perhaps the Russian KGB tried to develop a "super virus"
that could penetrate NATO computer systems.
In 1987, a European public BBS modem system was found to contain
a highly specialized program "toolkit" designed by a young
programmer. The purpose of this software toolkit was to assist
in designing yet better and more clever virus programs!
Private American BBS systems have been reported to exist wherein
virus programmers trade virus program code examples and ideas on
how to create "more savage" virus programs! These BBS systems
have confidential telephone numbers and passwords so that only
virus programmers can access these "virus libraries of
information."
What is the lure of programming a virus? The few programmers of
virus software who have been caught usually explain their act as
an intellectual challenge - an attempt to see how far
programming code can be extended. In some respects this may be
true. Virus programs are frequently crafted with obscure and
highly elegant machine code and must be self replicating, self-
modifying and "wired" with elaborate logic and algorithmic
triggers. A virus must be small, fast and very stealthy. A virus
in many respects is programming at the cutting edge of the
craft, and perhaps this is the lure.
----------------------------------------------------------------
NOW THE BAD NEWS:
VIRUSES AREN'T THE ONLY TOUGH KID ON THE BLOCK!
----------------------------------------------------------------
Perhaps we should back up and also define several other "rogue
program" types which pose a security risk to your computer data.
A TROJAN HORSE program appears as something useful - perhaps a
program to sort names or print a list of telephone numbers on
the computer. Yet it actually does something destructive either
immediately or at a later time. As an example, several trojan
horse programs offer to display X-rated images or colorful games
which distract your attention to the screen long enough for the
program to cheerfully erase your bookkeeping data. A trojan
horse might (but does not usually) replicate its code to several
other disks. This replication feature is more distinctive of a
true virus.
A LOGIC BOMB is much like a trojan horse and may lie hidden
within a useful program. However when a certain point of logic
or data is presented to the program (e.g., the programmer's name
is removed from the company payroll records presumably because
the programmer has been fired) then the logic bomb is activated
to "extract revenge" by scrambling payroll records or perhaps
removing all occurrences of the numbers 4, 7 and 9 from any data
throughout company records. Insidious . . .
A WORM is somewhat similar to a virus. It can replicate and
spread throughout a computer system. When the worm program is
run is creates copies of itself and runs those copies. It can
wreak havoc on interconnected computer systems such as are found
within university networks or government computers. A well-known
worm infection occurred in the Fall off 1988 when a worm program
was installed on a large internet network and quickly spread
through hundreds of government and university UNIX type
computers. All of the infected computers quickly bogged down as
the worm created and then ran many copies of itself thus
demanding more and more memory and computing time from
legitimate programs and more necessary work tasks.
A word before we continue. Virus programs are not THAT common.
They are real, but have been vastly over-reported in the popular
press. They seem to be more common within university communities
where youthful students might be tempted to "test" their
programming skills by creating virus programs. Commercial
software has OCCASIONALLY been infected, but for practical
purposes, commercial programs purchased from retail sources and
packed in original factory boxes are low probability sources of
viruses.
Public domain and shareware sources of software as well as
BBS/modem sources are sometimes suspected of virus infection,
but most reputable shareware distributors and BBS systems report
low computer virus incidence.
Indeed, the shareware and public domain software community is
more rigorous in routine testing for virus infections than the
commercial software development houses. Computer virus programs
DO exist, but they are quickly caught and erradicated from most
BBS systems and shareware sources. Your chance of computer virus
infection is probably on the order of 2% probability, but
knowledge and foresight are a wise investment in computer and
data security!
Published lists of virus programs detail unique virus names and
characteristics. One of the better virus lists is the shareware
software program DIRTY DOZEN which is available from most
computer clubs and many BBS systems. Some examples of virus
programs which have been identified include:
ICELANDIC
PENTAGON
DARK AVENGER
SYSLOCK
DISK KILLER/OGRE
ZERO BUG
VACSINA
DATACRIME
TRACEBACK
What can you do to protect your computer data?
Make frequent backups of data you consider essential. To "backup"
means to routinely copy important files from your hard drive to
floppies or other portable magnetic media. Weekly file backup is
a minimum. Daily is not unreasonable. Consider rotating between
two or three sets of backups (use backup floppy set #1, then set
#2 then set #3 - then back to set #1 and so on).
Limit the exchange of data disks within your workplace unless
necessary - especially if those disks contain EXE or COM files.
Always write protect all floppies unless they are data disks
which must be updated routinely.
If you find a file on a public BBS system interesting, leave it
there for a month and wait to see if other users report problems
with the program. This pessimistic outlook may save considerable
hard disk data. Other common sense suggestions for preventing
virus outbreaks include the following:
Avoid sharing commercial software and making copies for others.
It is a violation of the author's copyright to copy commercial
software, in any event. Always obtain public domain and
shareware software from reliable sources such as large BBS
systems - Compuserve and PC MagNet are relatively reliable as
are large shareware distributors such as PC SIG and Public Brand
Software who obtain their copies directly from the author via US
mail.
If possible, use one of the many virus checking programs on the
market to test public domain and shareware software prior to
installation on your system. Test ALL of your system's files -
perhaps at the same time as you perform routine backups - as a
monthly or weekly routine. The first time you start a suspected
public domain/shareware program run it from a floppy disk and
not your hard drive.
Always write protect your floppies if possible.
Use one of the available "vaccination programs" which continuously
monitor your system for unauthorized or otherwise unexpected data
transfers. These programs monitor your hard disk and memory for
activity not usually normal under DOS operations. If you do
detect a virus program, consider that both your hard disk and
your backup copies are probably infected. Keep original
application disks from the manufacturer safely tucked away and
protected by write protect tabs so they cannot be infected.
Never start a hard disk-equipped computer from a floppy disk
except the ORIGINAL DOS disk which is WRITE PROTECTED with a tab
in place. No exceptions!
Curiously, 90% of those infected with a virus or trojan horse
program are reinfected within a month! This attests to
widespread sharing of data disks and poor data work habits.
Don't always assume a computer problem is virus related. Most of
the time it is related to improper equipment use. Carefully
scrutinize file directories on your disk(s) for date or file
size changes. Viruses are fond of adding their code to the files
COMMAND.COM, IBMBIO.COM, or IBMSYS.COM. Perhaps jot down or
print out known file sizes and dates of creation and check for
any changes which may appear since you first installed that file
on your disk.
Both commercial and shareware/public domain software programs
exist whose purpose is to detect and repair damage caused by
virus software:
Software Program Purpose and method of action
------------------------------------------------------------------
Viruscan & From McAfee Associates telephone (408) 988-3832.
Clean Available from most BBS's, computer clubs, this
is an exceptional program, updated frequently.
Scans drives and RAM memory for virus presence.
The program is proactive: is searches for exact
virus "flags" rather than waiting for a virus to
hit. Program is self-testing to make sure that
it has not itself been infected! The scan
program searches for the virus, the clean
program attempts to remove it.
F-Prot From Fridrik Skulason, Reykjavik, Iceland.
Available from most BBS systems and shareware
vendors. Reliable and inexpensive virus utility.
Has scored higher on some tests than McAfee's
Virus Scan program.
VIRX Runs faster than Viruscan and detects and
deletes many of the same viruses. From
Microcom, Inc. POB 51816, Durham, NC 27717.
Dirty Dozen Detailed list of virus and trojan horse programs
which is available from most computer clubs or
shareware distributors. Interesting reading.
Dr. Solomon's A commercial virus detection and removal
Toolkit utility. Performs well. (800) 872-2599
AntiVirus From Central Point Software. Another highly
regarded commercial virus detection and removal
utility. (800) 445-2110
PC Magazine Checks and verifies your files and allows
PCDATA continuous testing prior to virus infection.
Free from computer clubs, shareware outlets,
BBS's. See February 13, 1990 edition, PC
Magazine. Cleverly provides backup for
crucial data and makes unique "fingerprint"
of sensitive files.
DBack Backup FAT Tables, similar capability in PCDATA.
PC-Tools Deluxe Repairs damage to file allocation table and
damaged files
Mace+ Repairs damage to file allocation table and
Utilities damaged files
Norton Utilities Repairs damage to file allocation table and
damaged files
----------------------------------------------------------------
WHAT NEXT? - WHAT TO DO WHEN A VIRUS BITES
----------------------------------------------------------------
The cat is out of the bag and you are pretty sure - that sinking
feeling - that a virus is in your computer. What next? If you
don't want to try to unravel the mess yourself, try calling
McAfee Associates at the telephone number listed above. They can
send you a diagnosis program (VIRUSCAN) and virus removal
program - also available from most computer clubs and shareware
vendors.
In the case of boot sector infestations, power down your system
then restart from an uninfected write-protected ORIGINAL COPY
DOS disk. Execute the DOS SYS command to attempt to overwrite
the boot sector with new startup files. This will work in most
cases. If it does not work, backup all data files which are
essential (and maybe infected) then perform a low level format
of the hard disk or a normal format if it is an infected floppy
disk. Do likewise for ALL floppies which may have come into
contact with the virus. When you are done, use VIRUSCAN to check
for the presence of continuing virus infestation.
If an EXE or COM file has been infected, power down the system,
reboot from the factory WRITE PROTECTED DOS disk, delete all
infected COM and EXE files then replace them with the original
files from the WRITE PROTECTED, factory original program disks.
Run any virus detection utility again to check for absence of
the virus.
For a disk partition table infection the only option short of a
removal utility is to low level format the disk. And with that
action destroy not only the virus but also your data. Better
hope you have backup data on a floppy disk!
After disinfecting a hard disk, you MUST test and probably
reformat EVERY floppy that came into contact with the infected
computer. If you are reinstalling a backup copy, do not restore
it unless it was made BEFORE the system became infected. Run
a virus testing utility to be sure.
For additional help, consider contacting the National Computer
Security Association at 717/258-1816 or McAfee Associates
at 408/988-3832.
Tutorial finished. Have you registered PC-Learn to receive your
bonus disks? Registration is encouraged. Shareware works on the
honor system! Send $25 to Seattle Scientific Photography,
Department PCL6, PO Box 1506, Mercer Island, WA 98040. Latest
version of PC-Learn and two bonus disks shipped promptly!