Computer Virus!

By Rob Wentworth

Reprinted with permission from The Digital Viking
(official newsletter of the Twin Cities PC User Group)
July 1996

Data Recovery and Computer Viruses

At the last TC/PC meeting we were given a presentation on data recovery by Reed Ward from OnTrack Data Recovery. This presentation was received with enthusiastic discussion and questions — especially when the topic of data loss due to computer viruses came up. In fact, so much time was spent on answering virus questions posed by TC/PC members that Reed was unable to complete his presentation in the time allotted. Hopefully Reed can come back to TC/PC to tell us more about the fascinating topic of data recovery.

Because there was so much enthusiasm about the topic of computer viruses at last month’s meeting, July’s presentation by Symantec should be especially timely and informative. In fact, with all the current interest in computer viruses, now would be a good time to learn a little bit about the history and current state-of-the-art in computer viruses and computer virus-detection software.

What is a virus?

According to Symantec, the term "computer virus" is defined as follows: "a parasitic program written intentionally to enter a computer without the user’s permission or knowledge. The word parasite is used because a virus attaches to files or boot sectors and replicates itself, thus continuing to spread. Though some viruses do little but replicate, others can cause serious damage or affect program and system performance. A virus should never be assumed harmless and left on a system."

"Cookie Monster"

One of the earliest well-known virus-like programs was the "Cookie Monster" program which ran on PDP series minicomputers. This program would run undetected in the background, and occasionally halt the currently running program and display a message requesting a cookie. If the user then typed the word "cookie," the Cookie Monster program would go back to sleep and the user’s program would continue.

This program did not reproduce or spread, but was one of many prank programs manually loaded on computers at colleges and universities, as was the custom of programming hackers at that time. Most of these programs were harmless, but some of them (Trojans) were often employed to steal passwords from unsuspecting users.

Real viruses

The earliest known case of a computer virus that reproduced and spread far and wide goes back to late 1981. Apple II computer diskettes of that time typically were bootable and contained the disk operating system. A programmer at Texas A&M attempted to find the minimum change that would make a version of the DOS that was viral. A group came up with Version 1 of such a virus in early 1982, but quarantined it because of adverse effects.

Version 2 seemed to have no negative impact, and was allowed to "spread" through the disks of group members. Eventually the virus escaped to the general Apple user population. It was only then that the negative impact of the virus was seen: the additional code length caused some programs, and one computer game in particular, to abort.

A third version was written that made strenuous efforts to avoid the memory problems. Version 3 was found to have spread further than previous versions, but no adverse reactions were ever reported.

For those who have Apple DOS 3.3 disks, location B6E8 in memory, towards the end of track 0, sector 0 on disk, should be followed by eighteen zero bytes. If, instead, the text "(GEN xxxxxxx TAMU)" appears, the digits represented by the "x"s should be a generation counter for virus version 3.

This story has an interesting postscript. In 1984, a malicious virus was found to be spreading through the schools where all this took place. Some disks appeared to have some immunity. These immune disks turned out to all be infected with version 3, which protected them from the later harmful virus.

The Brain virus

The Brain virus is probably the earliest MS-DOS virus. At one time it was the most widespread of PC viral programs, due to the "superiority" of boot sector viral programs in terms of numbers of infections.

In one of the most common Brain versions, you will find text, unencrypted, giving the name, address, and telephone number of Brain Computer Services in Pakistan. This virus is copyrighted by "ashar and ashars." Given that Brain is relatively harmless it is possible that the virus was seen as a form of advertising for the company.

Brain is a boot sector infector (BSI), somewhat longer than some of the more recent BSIs. Brain occupies three sectors itself, and, as is usual with BSIs, repositions the normal boot sector in order to "mimic" the boot process.

As the boot sector is only a single sector, Brain, in infecting a disk, reserves two additional sectors on the disk for the remainder of itself, plus a third for the original boot sector. This is done by occupying unused space on the diskette, and then marking those sectors as "bad" so that they will not be used and overwritten.

The "original" Brain virus is relatively harmless. It does not infect hard disks or disks with formats other than 360K. Newer variants are less careful, and can overlay FAT and data areas.

Brain is the first "stealth" virus, in that a request to view the boot sector of an infected disk on an infected system will result in a display of the original boot sector. Although it hides its presence on the boot sector, it announces its presence in disk volume label, which becomes "(c) Brain" or "(c) ashar" or "Y.C.1.E.R.P" for different variants.

The Lehigh Virus

In the autumn of 1987, student consultants at Lehigh University were presented with a steady stream of IBM PC disks from which files had "mysteriously" disappeared. In November of 1987, however, it appeared that certain of the failed disks were not due to user carelessness, but rather were victim to a computer virus, dubbed the Lehigh virus.

The Lehigh virus overwrote the stack space at the end of the COMMAND.COM file. Research showed an increase of 555 bytes in the size of infected files.

When an infected COMMAND.COM was run (usually upon booting from an "infected disk"), the virus stayed resident in memory. When any access was made to another disk, via the TYPE, COPY, DIR, or other normal DOS commands, uninfected COMMAND.COM files would be infected.

A counter was kept of infections. After four infections, the virus would overwrite the boot and FAT areas of disks with contents from the BIOS. The date of infected COMMAND.COM files was altered by the virus, and, when attempting an infection on a write-protected disk, the virus would not trap the "WRITE PROTECT ERROR" message (a dead giveaway if all you were executing was a DIR command).

The Lehigh virus was limited in its "target population" to those disks which had a COMMAND.COM file, and, more particularly, those that contained a full operating system. The virus was self-limiting in that it would destroy itself once activated, and would activate after only four "reproductions." The Lehigh virus apparently never spread off the campus in that initial attack, but it may be found in a number of private virus collections, and may be "released" into the wild from time to time. Due to its simplicity, it has little chance of spreading today.

The Jerusalem Virus

The next well known virus to hit the scene was the Jerusalem virus, also known as the Israeli virus due to its having been first discovered in Israel. Although this virus was reported to slow down systems that were infected, it seems to have been the continual growth of EXE files which led to the detection of the virus.

In an early attempt at "political correctness", this virus was sometimes called by its "infective length," which was 1813 bytes for COM files, or 1808 bytes for EXE files, but the actual length may vary due to the requirement that the header of an EXE file be divisible by 16. One of the early infections of this virus was found to be in an office belonging to the Israeli Defense Forces. This fact was reported in an Associated Press article, which gave rise to another alias — the I.D.F. virus.

When the virus was first discovered, it was strongly felt that it had been circulating prior to November of 1987. The "payload" of file deletion on Friday the 13th gave rise to conjecture as to why the logic bomb had not "gone off" on Friday, November 13th, 1987. (Subsequent analysis has shown that the virus will activate the payload only if the year is not 1987.)

The next following "Friday the 13th" was May 13th, 1988. Since the last day that Palestine existed as a nation was May 13th, 1948 it was felt that this might have been an act of political terrorism. This led to another alias — the PLO virus.

Yet another alias is "sUMsDos," based upon text found in the virus code itself. This was, on occasion, corrupted to "sumDOS."

The name "Jerusalem virus" has gained notoriety, possibly due to the McAfee SCAN program identification. But whether we call it the 1808 virus or the 1813 virus or the Israeli virus or the Jerusalem virus or the I.D.F virus or the PLO virus or the sUMsDos virus or the sumDOS virus, it is still the same virus program (popularly known as Jerusalem).

Modern Viruses

Today, there are thousands of variants of computer viruses. You can download virus construction kits that incorporate the latest in stealth technology that even a child can operate.

There are viruses that can even infect the most hardened of operating systems, including Microsoft Windows NT. Polymorphic encryption viruses cloak themselves in a wrapper that encrypts their code and scrambles the physical order of the decryption instructions while maintaining a logical order with jump instruction – and the encryption key changes every time they reproduce!

Modern viruses can hide themselves from many virus detection programs by intercepting disk accesses and substituting data requests to "read" infected sectors with "clean" data. Even advanced detection programs that use protected mode programming to intercept direct hardware access to the disk controller I/O addresses can be defeated by using "stealth disk access," in which nonstandard disk controller I/O addresses larger than 16-bits that are truncated by the ISA bus to the standard disk addresses.

There are now even viruses that infect files previously thought uninfectable, including nonexecutable data files such as spreadsheets, documents, and even fonts and images. Any file that may contain WordBasic macros could be harboring a Document Macro Virus such as the "Concept Virus." And now we know that Postscript printers may be infected by simply printing a document containing an infected font or image (the virus changes the printer password, which requires physical disassembly to clear it).

The Future of Computer Viruses

Who knows what surprises lurk around the next corner? It is better to be aware of what is out there waiting to destroy our valuable data and to prepare for it, than to pretend that we are safe and our data is invincible.

Virus Prevention

The only safe way to prevent viruses is to start with an uninfected system and never load anything new onto it. Purchased software from major vendors has been found to contain viruses. Even a Microsoft Windows 95 beta CD is reported to have contained a virus.

The next best thing to never loading new software is to make regular backups of your data and regularly run the latest anti-virus programs from several different manufacturers — they don’t all detect the same viruses. One well respected source for anti-virus software is McAfee, which I run periodically. Another good source is Symantec, who will be giving us a presentation of Norton Anti-Virus at the next TC/PC general meeting.

See you there!