Virdem Virus

             *********************************************
             ***   Reports collected and collated by   ***
             ***            PC-Virus Index             ***
             ***      with full acknowledgements       ***
             ***            to the authors             ***
             *********************************************



  Report from Jim Bates - The Virus Information Service - June 1990


  === Virdem Virus ===



  The book by Ralf Burger has already been reviewed (VB Oct 89) and
  the incredible irresponsibility and arrogance of the author in
  publishing virus source code has been noted both here and elsewhere.
  Burger's suggestion (in 1986) that viruses - "used properly may
  bring about a new generation of self-modifying computer operating
  systems" has still not been realised and subsequent events have
  shown his book to be one of the current sources of reference for the
  inadequate and immature people who write viruses.  Another area
  where Burger has provided the virus writers with working material to
  further their craft is with so-called "demonstration" viruses.
  These not only mean that more recognition "signatures" need to be
  published, but they will also produce "families" of similar strains
  (like the Vienna group) which makes the whole process of fighting
  the threat much more complex than it needs to be.  It is well past
  time that international legislation was formulated to make such
  activity a criminal offence.  The most well known of Burger's demos
  is his VIRDEM virus, mentioned in the book.  Fortunately, this is
  poorly written and contains bugs so that acolytes will need to
  disassemble AND debug these programs before they can advance their
  own modifications.  However, this will undoubtedly be done and new
  viruses can be expected to use some of the techniques used in VIRDEM
  and other "demo" virus code.  For this reason, a brief description
  of VIRDEM may be useful to anti-virus researchers.


  VIRDEM uses a "generation" number for each successive infection up
  to a maximum of 9.  This is very simply done by incrementing a
  counter within the infection cycle and checking it so that once it
  reaches nine, the counter is disabled.  This is used to provide
  indexed access to a table of entries which are, in turn, used as a
  basis for a guessing game when infected programs are executed.  What
  happens is that the generation number is used as the upper limit of
  an integer to be guessed.  A pseudo-random integer is generated by
  accessing and gating the system clock and if the operator's guess
  matches it then program operation is allowed.  Otherwise the program
  does not run and an appropriate message is displayed (I disassembled
  the original Version 1.06 with German text).


  Burger's own comments on this are worth repeating to indicate the
  weak reasoning and woolly thinking that this man indulges in :-


  "Unfortunately the source code cannot be published because with the
  help of the source code anyone would be able to change the
  manipulation task and have a non-overwriting virus in 8088 machine
  language.  In addition it would be almost unthinkable if there were
  suddenly numerous dangerously modified versions of VIRDEM.COM
  around."


  This is either blindness or stupidity!  He obviously assumes that
  anyone buying (?) a demonstration virus will be incapable of
  disassembling it.  VIRDEM is quite easy to take apart and equally
  easy to understand (and modify) and is almost as dangerous in its
  code form as it would be in source code.  It should also be noted
  that VIRDEM is NOT a "non-overwriting" virus: it reads the first
  1280 (500H) bytes of the target program file, and appends them to
  the end of the file.  It then overwrites these initial 1280 bytes
  with the virus code.  Finally, a small stub recovery routine is also
  appended.  The virus only infects floppy disks placed into drive A:
  and rather than reporting in detail on the virus operation, I shall
  list Burger's own comments regarding it - together with my own
  findings after disassembly:


  1) All COM files up to the second subdirectory are infected.  (The
     virus is non-resident and infects only one file during each
     execution.)

  2) The first COM file in the root directory (often COMMAND.COM) is
     not infected.  (This is true although no reason is given.  The
     possibility that COMMAND.COM will be the first file in the root
     directory is noted but no attempt is made in the code to avoid
     infecting it if it isn't.)

  3) COM files of more than about 1.5K in length are expanded by
     about 1.5K, shorter files are expanded by about 3K.  (Files
     longer than 1380 bytes are expanded by 1366 bytes - shorter files
     are first made 1280 bytes long and THEN expanded by 1366 bytes.
     No check is made on whether there is actually room for virus code
     and a work area within the 64K COM format limit so files greater
     than 62122 bytes are irreparably damaged.)

  4) Infected programs remain completely functional.  (As noted above,
     this is not true for large files and there are also some
     unpredictable and possibly dangerous effects when the machine
     configuration includes certain device drivers.)

  5) An infected program is recognised and cannot be infected twice.
     (True - an infected program is recognised by an initial word of
     9090H.)

  6) VIRDEM.COM inserts an additional function into the infected
     program.  This additional function is a guessing game whose
     difficulty level is dependent on the virus generation.  (True)

  7) VIRDEM mutates up to the ninth generation.  After that the
     propagation continues but no mutation takes place.  (Maybe the
     word "mutates" was an incorrect translation from the original
     German.  Certainly the virus counter is altered but not as a
     result of a "mutation", rather because of an infection counter.)


  This virus uses only DOS function calls and since it is not
  resident, it has no defence mechanisms against anti-virus search
  programs.  Therefore a version with only simple modifications will
  not be difficult to detect.  More sophisticated changes will require
  separate disassembly and reporting.  The hexadecimal recognition
  string for this version is :-

         03 C3 8B F0 26 8B 1C 8B F3 BF 00 01 B9 00 05 90

  at offset 411 (19B Hex) from the start of an infected file.
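  As an added example (not code from this report or from any scanner of the period), the following Python applies the indicators Bates gives above: the 9090H initial word from item 5, the recognition string at offset 19BH, and the file-growth rule from item 3.  The image it scans is constructed for the test and contains no virus code; the function names are my own.

```python
import struct

# Indicators exactly as stated in the report; the scanner itself is an
# added example, not the report's or any product's code.
VIRDEM_SIGNATURE = bytes.fromhex("03C38BF0268B1C8BF3BF0001B9000590")
SIGNATURE_OFFSET = 0x19B        # 411 decimal from the start of the file
INFECTED_MARKER = 0x9090        # initial word of an already-infected host
VIRUS_GROWTH = 1366             # bytes added to a host by one infection
PAD_THRESHOLD = 1380            # hosts at or below this are padded first ...
PAD_LENGTH = 1280               # ... to this length, as the report states it
COM_SAFE_LIMIT = 62122          # larger hosts are irreparably damaged

def expected_infected_size(original_size: int) -> int:
    """Host size after one infection, per item 3 of the report."""
    if original_size > PAD_THRESHOLD:
        return original_size + VIRUS_GROWTH
    return PAD_LENGTH + VIRUS_GROWTH

def would_be_damaged(original_size: int) -> bool:
    """The virus makes no room check within the 64K COM limit."""
    return original_size > COM_SAFE_LIMIT

def scan_com(data: bytes) -> dict:
    """Check a COM image for the report's two VIRDEM indicators.

    The 9090H word is only the virus's own re-infection check (any
    program starting with two NOPs has it), so the signature decides."""
    has_marker = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == INFECTED_MARKER
    end = SIGNATURE_OFFSET + len(VIRDEM_SIGNATURE)
    has_signature = len(data) >= end and data[SIGNATURE_OFFSET:end] == VIRDEM_SIGNATURE
    return {"marker": has_marker, "signature": has_signature, "infected": has_signature}

def constructed_sample(infected: bool) -> bytes:
    """Constructed test image: padding only, with the indicator bytes
    placed where the report says they appear.  It is not virus code."""
    image = bytearray(b"\x90\x90\xC3" + b"\x00" * 3000)    # NOP NOP RET, padding
    if infected:
        image[SIGNATURE_OFFSET:SIGNATURE_OFFSET + len(VIRDEM_SIGNATURE)] = VIRDEM_SIGNATURE
    else:
        image[0:2] = b"\xB8\x00"                             # no 9090H initial word
    return bytes(image)

if __name__ == "__main__":
    for label, infected in (("clean", False), ("infected", True)):
        print(label, scan_com(constructed_sample(infected)))
    print("2000-byte host becomes", expected_infected_size(2000), "bytes")
```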


  The fact that Burger was allowed to publish a "cookbook" and
  "demonstration" virus code for aspiring virus writers is an
  international scandal.  His irresponsibility is matched only by his
  publishers (DATA Becker and ABACUS).


  The information contained in this report is the direct result of
  disassembling and analysing a specimen of the virus code.  I take
  great pains to ensure the accuracy of these analyses but I cannot
  accept responsibility for any loss or damage suffered as a result of
  any errors or omissions.  If any errors of fact are noted, please
  let me know at :-


  The Virus Information Service,
  Treble Clef House,
  64, Welford Road,
  WIGSTON MAGNA,
  Leicester  LE8 1SL


  or call +44 (0)533 883490


  Jim Bates


  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
