NEWVIRUS (text file from antivir2.zip, utils directory, Shareware Overload CD-ROM; dated 1988-02-14)
(This was found in the Info-IBMPC digest Volume 7 Number 8 from USENET)
Date: Wed, 27 Jan 88 13:22:27 +0200
From: Y. Radai <RADAI1%HBUNOS.BITNET@CNUCE-VM.ARPA>
Subject: Another PC Virus
Issue 74 of the Info-IBMPC digest contained a description of a "virus" discovered at Lehigh University which destroys the contents of disks after propagating itself to other disks four times. Some of us here in Israel, never far behind other countries in new achievements (good or bad), are suffering from what appears to be a local strain of the virus. Since it may have spread to other countries (or, for all we know, may have been imported from abroad), I thought it would be a good idea to spread the word around.
Our version, instead of inhabiting only COMMAND.COM, can infect any executable file. It works in two stages: When you execute an infected EXE or COM file the first time after booting, the virus captures interrupt 21h and inserts its own code. After this has been done, whenever any EXE file is executed, the virus code is written to the end of that file, increasing its size by 1808 bytes. COM files are also affected, but the 1808 bytes are written to the beginning of the file, another 5 bytes (the string "MsDos") are written to the end, and this extension occurs only once.
The disease manifests itself in at least three ways: (1) Because of this continual increase in the size of EXE files, such programs eventually become too large to be loaded into memory or there is insufficient room on the disk for further extension. (2) After a certain interval of time (apparently 30 minutes after infection of memory), delays are inserted so that execution of programs slows down considerably. (The speed seems to be reduced by a factor of 5 on ordinary PCs, but by a smaller factor on faster models.) (3) After memory has been infected on a Friday the 13th (the next such date being May 13, 1988), any COM or EXE file which is executed on that date gets deleted. Moreover, it may be that other files are also affected on that date; I'm still checking this out.
(If this is correct, then use of Norton's UnErase or some similar utility to restore files which are erased on that date will not be sufficient.)
Note that this virus infects even read-only files, that it does not change the date and time of the files which it infects, and that while the virus cannot infect a write-protected diskette, you get no clue that an attempt has been made by a "Write protect error" message since the possibility of writing is checked before an actual attempt to write is made.
It is possible that the whole thing might not have been discovered in time were it not for the fact that when the virus code is present, an EXE file is increased in size *every* time it is executed. This enlargement of EXE files on each execution is apparently a bug; probably the intention was that it should grow only once, as with COM files, and it is fortunate that the continual growth of the EXE files enabled us to discover the virus much sooner than otherwise.
From the above it follows that you can fairly easily detect whether your files have become infected. Simply choose one of your EXE files (preferably your most frequently executed one), note its length, and execute it twice. If it does not grow, it is not infected by this virus. If it does, the present file is infected, and so, probably, are some of your other files. (Another way of detecting this virus is to look for the string "sUMsDos" in bytes 4-10 of COM files or about 1800 bytes before the end of EXE files; however, this method is less reliable since the string can be altered without attenuating the virus.)
If any of you have heard of this virus in your area, please let me know; perhaps it is an import after all. (Please specify dates; ours was noticed on Dec. 24 but presumably first infected our disks much earlier.)
Fortunately, both an "antidote" and a "vaccine" have been developed for this virus. The first program cures already infected files by removing the virus code, while the second (a RAM-resident program) prevents future infection of memory and displays a message when there is any attempt to infect it. One such pair of programs was written primarily by Yuval Rakavy, a student in our Computer Science Dept.
In their present form these two programs are specific to this particular virus; they will not help with any other, and of course, the author of the present virus may develop a mutant against which these two programs will be ineffective. On the other hand, it is to the credit of our people that they were able to come up with the above two programs within a relatively short time.
My original intention was to put this software on some server so that it could be available to all free of charge. However, the powers that be have decreed that it may not be distributed outside our university except under special circumstances, for example that an epidemic of this virus actually exists at the requesting site and that a formal request is sent to our head of computer security by the management of the institution.
Incidentally, long before the appearance of this virus, I had been using a software equivalent of a write-protect tab, i.e. a program to prevent writing onto a hard disk, especially when testing new software. It is called PROTECT, was written by Tom Kihlken, and appeared in the Jan. 13, 1987 issue of PC Magazine; a slightly amended version was submitted to the Info-IBMPC library. Though I originally had my doubts, it turned out that it is effective against this virus, although it wouldn't be too hard to develop a virus or Trojan horse for which this would not be true. (By the way, I notice in Issue 3 of the digest, which I received only this morning, that the version of PROTECT.ASM in the Info-IBMPC library has been replaced by another version submitted by R. Kleinrensing. However, in one respect the new version seems to be inferior: one should *not* write-protect all drives above C: because that might prevent you from writing to a RAMdisk or an auxiliary diskette drive.)
Of course, this is only the beginning. We can expect to see many new viruses both here and abroad. In fact, two others have already been discovered here. In both cases the target date is April 1. One affects only COM files, while the other affects only EXE files. What they do on that date is to display a "Ha ha" message and lock up, forcing you to cold boot. Moreover (at least in the EXE version), there is also a lockup one hour after infection of memory on any day on which you use the default date of 1-1-80. (These viruses may actually be older than the above-described virus, but simply weren't noticed earlier since they extend files only once.)
The author of the above-mentioned anti-viral software has now extended his programs to combat these two viruses as well. At present, he is concentrating his efforts on developing broad-spectrum programs, i.e. programs capable of detecting a wide variety of viruses.
Just now (this will give you an idea of the speed at which developments are proceeding here) I received notice of the existence of an anti-viral program written by someone else, which "checks executable files and reports whether they include code which performs absolute writes to disk, disk formatting, writes to disk without updating the FAT, etc." (I haven't yet received the program itself.)
Y. Radai
Computation Center
Hebrew University of Jerusalem
RADAI1@HBUNOS.BITNET
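Editor's added example (not part of Radai's post, and not the Hebrew University "antidote"/"vaccine" programs, which were never released): a small Python scanner that implements the two detection checks the post describes. The first check looks for the "sUMsDos" string at the front of COM files and near the end of EXE files, plus the 5-byte "MsDos" tail the post says is appended to COM files; the second turns the "run it twice and see if it grows" test into a check that an EXE grew by a whole multiple of 1808 bytes. Assumptions that go beyond the post: "bytes 4-10" is taken as 1-based (offset 3 in 0-based terms, with a few bytes of slack), "about 1800 bytes before the end" is searched as the last 2048 bytes, and COM versus EXE is decided by the "MZ" header. The sample images are constructed padding, not real virus bodies.

```python
"""Signature and growth checks for the 1808-byte EXE/COM infector
described in Radai's post.  Added example; assumptions are labelled."""
import sys

SIGNATURE = b"sUMsDos"     # string the post says to look for
COM_TAIL = b"MsDos"        # 5 bytes the post says are appended to COM files
VIRUS_LEN = 1808           # bytes added per infection, per the post
EXE_TAIL_WINDOW = 2048     # assumption: covers "about 1800 bytes before the end"
COM_HEAD_WINDOW = 16       # assumption: slack around "bytes 4-10" (1-based)


def is_exe(data: bytes) -> bool:
    """DOS EXE images start with the 'MZ' (or 'ZM') signature; COM images
    are raw code with no header.  Assumption used to tell the two apart."""
    return data[:2] in (b"MZ", b"ZM")


def scan_bytes(data: bytes) -> dict:
    """Return indicators for one executable image (post's string check)."""
    kind = "EXE" if is_exe(data) else "COM"
    result = {"kind": kind, "signature": False, "com_tail": False}
    if kind == "COM":
        # Post: "sUMsDos" in bytes 4-10 of COM files (1-based, so offset 3).
        result["signature"] = SIGNATURE in data[:COM_HEAD_WINDOW]
        # Post: another 5 bytes, "MsDos", are written to the end of COM files.
        result["com_tail"] = data.endswith(COM_TAIL)
    else:
        # Post: the string sits about 1800 bytes before the end of EXE files.
        result["signature"] = SIGNATURE in data[-EXE_TAIL_WINDOW:]
    result["infected"] = result["signature"] or result["com_tail"]
    return result


def growth_in_infections(size_before: int, size_after: int):
    """Post's size check: an infected EXE grows by 1808 bytes on every run.
    Returns the number of whole 1808-byte increments, or None when the file
    did not grow or grew by an amount that is not a multiple of 1808."""
    delta = size_after - size_before
    if delta <= 0 or delta % VIRUS_LEN:
        return None
    return delta // VIRUS_LEN


def scan_path(path: str) -> dict:
    with open(path, "rb") as f:
        return scan_bytes(f.read())


# Constructed sample images (padding only, not real virus code) laid out the
# way the post describes: COM gets 1808 bytes in front (3-byte jump, then the
# string) and "MsDos" at the end; EXE gets 1808 bytes appended.
CLEAN_COM = b"\xb4\x09\xba\x00\x01\xcd\x21\xc3"           # tiny harmless COM stub
INFECTED_COM = (b"\xe9\x00\x00" + SIGNATURE + b"\x90" * 1798
                + CLEAN_COM + COM_TAIL)
CLEAN_EXE = b"MZ" + bytes(62) + b"\x90" * 100
INFECTED_EXE = CLEAN_EXE + SIGNATURE + b"\x90" * (VIRUS_LEN - len(SIGNATURE))

if __name__ == "__main__":
    # Usage: python scanner.py FILE...  (scans real files from disk)
    for p in sys.argv[1:]:
        r = scan_path(p)
        print(f"{p}: {r['kind']} infected={r['infected']}")
```

As the post warns, the string check is the weaker of the two: a variant that changes "sUMsDos" defeats it while the file-growth behaviour remains, so a scanner built on this idea should report both indicators separately rather than folding them into one verdict.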