Whale Virus aka Mother Fish & Fish #9
*********************************************
*** Reports collected and collated by ***
*** PC-Virus Index ***
*** with full acknowledgements ***
*** to the authors ***
*********************************************
Report from Jim Bates - The Virus Information Service - October 1990
=== Whale Virus aka Mother Fish & Fish #9 ===
Preliminary report on the WHALE virus...
By far the largest virus that researchers have yet seen was recently
uploaded to a bulletin board in the U.S. and comprises just under
10K of code. The virus has been called The WHALE since that is the
"title" which appears within the code after the first level of code
decryption has been executed. Disassembling this code has proven
extremely time consuming and is still incomplete due to the
pressures of other programming work on the various researchers
currently working on it. I am indebted to Dr. Peter Lammer of
SOPHOS and Morgan and Igor of McAfee Associates for access to their
work on this and the report which follows collates results from all
these sources although any errors in analysis or interpretation are
entirely mine. Before describing the code in such detail as we
have, mention should be made of the "motherfish" message which was
posted anonymously to VIRUS ECHO on FidoNet and reported in full in
last month's Virus Bulletin. There are several discrepancies in this
message which might suggest that the sender was either not
completely familiar with the code or he was spreading deliberate
dis-information. Since more than half the virus code is concerned
with confusing and misinforming anyone trying to disassemble it, I
incline to the latter argument. The use of "motherfish" (which does
not appear in the code) in preference to "whale" is strange, and the
reference to the virus "learning" detection methods and being a
"living, breathing entity" is fanciful in the extreme, and
inaccurate. That "the virus cannot be detected by present methods"
is hardly surprising since many newly discovered viruses make use of
their authors' proud new encryption/protection ideas. The
use of the word "disavow" is interesting since text within the code
suggests that the author comes from Hamburg where such a word seems
unlikely to be common parlance. However, the suggestion that the
code is modularly constructed seems accurate so unless this was a
guess we must assume that the sender has SOME knowledge of the virus
as a whole.
Heavyweight Confusion Coding
After self-encrypting and "stealth" viruses, a new term has been
coined by a member of the Computer Crime Unit at New Scotland Yard.
"Armoured" virus code describes the deliberate disinformation and
confusion techniques noted in FISH6 and WHALE. It is certainly
appropriate in the case of WHALE since the "armour" outweighs the
"stealth"! The WHALE virus is characterised by large sections of
code (estimated as at least 50% of the total) which involve
extremely convoluted processing around and across the debug and
single step interrupt handlers and accessing such hardware as the
Programmable Interrupt Controller. There is no other reason for
this than the confusion of researchers trying to disassemble the
code and the presence of this code has paradoxically caused
researchers to heave a sigh of relief. The reason for this is quite
simply that such code costs an immense amount of processing time and
when a machine becomes infected, processing speed slows by up to 50%
- the WHALE is simply carrying so much programming weight (armour?)
that its very bulk is its giveaway. The amount of work involved in
writing this virus was enormous and could well have been undertaken
by more than one author. Program construction seems to be modular
and no effort has been spared to make the code extremely difficult
for scanning programs to spot. Aside from the now accepted
technique of self encryption, this virus scrambles the order of its
subroutines and varies the encryption algorithm used during file
infection. Also accepted as a "standard" technique now is the
decryption/recryption process which is used to prevent detection of
the virus code in memory. This technique consists of maintaining
most of the resident virus code in memory in encrypted form and only
decrypting it just prior to processing. Once a particular section
has been executed a re-encryption routine is called which collects a
new pseudo-random key value and re-encrypts the code just executed
before storing the new key and continuing to the next part of the
code. The result is that only a small "window" around the code
currently being executed is actually "in plain view", the remainder
is variously and randomly encrypted. This is obviously to forestall
the possibility of a recognition string being used to identify virus
code in memory. The author obviously likes this technique since it
is used at least 96 times throughout the code! This is another part
of the bulk that this unwieldy virus carries. As with other recent
viruses, there are several "undocumented" system calls (most of
which are now well documented within the technical community) but
two have been noted which may relate to specific packages, possibly
of an anti-virus nature.
There is still much work to be done in dissecting this code and the
details that we have so far uncovered are necessarily fairly
sketchy. We can say that this is a parasitic virus which infects
executables with an infection length of around 9416 bytes. The
actual appended length varies quite a lot from infection to
infection and this is probably due to the insertion of some random
junk and alignment of code on paragraph boundaries. No simple
search string is possible because of the multiple encryption
techniques and modular scrambling. There are considerable sections
of self-modifying, self-checking and self-switching code within
WHALE. This last technique consists of laboriously switching
individual bytes within a specific subroutine using precalculated
XOR values. The result is a sort of global XOR effect which can be
used to switch between two different routines or as a
decrypt/recrypt process.
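The decrypt/recrypt "window" and the XOR-based switching described above can be modelled in a few lines. This is an added Python illustration, not the virus's code: the section contents, the one-byte XOR and the seeded random keys are constructed, and the point it demonstrates is the detection consequence the report draws, that a recognition-string scan of memory at any instant matches at most the one section currently executing.

```python
import random

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key (the toy cipher of this model)."""
    return bytes(b ^ key for b in data)

class WindowedImage:
    """Constructed model of a resident body split into sections: each sits in
    memory under its own key, only the section currently 'executing' is in
    plain view, and it is re-encrypted under a fresh key afterwards."""

    def __init__(self, sections, rng):
        self.rng = rng
        self.keys = [rng.randrange(1, 256) for _ in sections]
        self.cells = [xor_bytes(s, k) for s, k in zip(sections, self.keys)]
        self.window = None  # index of the section currently decrypted

    def execute(self, i: int) -> bytes:
        """Re-key and re-encrypt whatever was in plain view, then decrypt
        section i just before 'running' it."""
        j = self.window
        if j is not None:
            self.keys[j] = self.rng.randrange(1, 256)
            self.cells[j] = xor_bytes(self.cells[j], self.keys[j])
        self.cells[i] = xor_bytes(self.cells[i], self.keys[i])
        self.window = i
        return self.cells[i]

    def memory(self) -> bytes:  # what a memory scanner sees at this instant
        return b"".join(self.cells)

# Constructed section contents; in the real thing these would be code.
SECTIONS = [b"section-A: open the target file",
            b"section-B: append the virus body",
            b"section-C: patch the host header"]

def make_image(seed: int) -> WindowedImage:
    return WindowedImage(SECTIONS, random.Random(seed))

def sections_in_plain_view(image: WindowedImage) -> list:
    """Indices of sections a recognition-string scan would match right now."""
    mem = image.memory()
    return [i for i, s in enumerate(SECTIONS) if s in mem]

def demo(seed: int = 7) -> list:
    image = make_image(seed)
    visible = [sections_in_plain_view(image)]   # nothing running yet
    for i in range(len(SECTIONS)):
        image.execute(i)
        visible.append(sections_in_plain_view(image))
    return visible   # [[], [0], [1], [2]]: never more than one exposed
```

A single snapshot of memory therefore never contains more than one section's plaintext, which is why the report says no search string for the resident code is possible.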
The code appears to install itself as resident within the first
available Memory Control Block and monitors system activity during
normal DOS processing. Stealth techniques are used to fool DOS into
reporting original file sizes rather than the increased ones when
files become infected. This is done by intercepting the DOS Get
File Size function (23H) and checking whether the target file is
infected before returning either a true or modified file size to the
calling routine. The virus' method of detecting infection is still
being analysed but there is some evidence that several checks are
made, failure of any one of which will indicate that a file is NOT
infected. The complexity of these checks necessarily means that a
"sparse infection" method (ie: not all files will be infected) may
be employed. This makes external detection more difficult but it
does reduce the virility of the code and should mean that if this
does appear "in the wild", it is unlikely to exist for long before
detection and would therefore not spread too far. One of the checks
for infection seems to be that the hour field in the file time must
be equal to or greater than 16 (ie: 4pm or later) since the top bit
of that field is modified within the Function 57H (Get/Set file
Date/Time) handler. This too may limit the number of files suitable
for infection.
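Two of the checks just described can be modelled directly. This is an added Python illustration, not the virus's code: the directory entries, the fixed 9416-byte overhead and the "infected" flag are constructed, and what it shows is the classic anti-stealth cross-check of the size DOS reports against the size in the raw directory entry, together with decoding the packed DOS time to test the hour-field marker.

```python
from dataclasses import dataclass

INFECTION_LENGTH = 9416  # length quoted in the report; varies per infection

def pack_dos_time(hour: int, minute: int, second: int) -> int:
    """DOS packed file time: 5 bits hour, 6 bits minute, 5 bits second/2."""
    return (hour << 11) | (minute << 5) | (second // 2)

def unpack_dos_time(t: int) -> tuple:
    return (t >> 11) & 0x1F, (t >> 5) & 0x3F, (t & 0x1F) * 2

def hour_top_bit_set(t: int) -> bool:
    """Top bit of the hour field (bit 15) is set exactly when hour >= 16."""
    return bool(t & 0x8000)

@dataclass
class DirEntry:
    """Constructed stand-in for a raw directory entry."""
    name: str
    size: int               # true size on disk
    time: int               # packed DOS time
    infected: bool = False  # ground truth known only to the simulation

def hooked_get_file_size(entry: DirEntry) -> int:
    """Model of the stealthed Function 23H: an infected file is reported
    at its original, pre-infection length."""
    return entry.size - INFECTION_LENGTH if entry.infected else entry.size

def raw_directory_size(entry: DirEntry) -> int:
    """Model of reading the directory entry without the hooked DOS call."""
    return entry.size

def size_stealth_suspects(entries) -> list:
    """Anti-stealth cross-check: files whose DOS-reported size disagrees
    with the raw directory entry."""
    return [e.name for e in entries
            if hooked_get_file_size(e) != raw_directory_size(e)]

def marker_time_files(entries) -> list:
    """Files whose time stamp carries the hour >= 16 marker; on its own
    this is a weak indicator, since any file saved after 4pm qualifies."""
    return [e.name for e in entries if hour_top_bit_set(e.time)]

SAMPLE = [  # constructed directory listing
    DirEntry("EDIT.COM", 4096, pack_dos_time(9, 15, 0)),
    DirEntry("GAME.EXE", 20480 + INFECTION_LENGTH, pack_dos_time(17, 30, 10), infected=True),
    DirEntry("LATE.EXE", 8192, pack_dos_time(16, 0, 0)),  # saved at 4pm but clean
]
```

The size discrepancy is the reliable signal; the time marker only narrows the set of files worth the more expensive check.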
There are several similarities with the FISH6 and 4K viruses and
this might indicate either a distinct development cycle by the
author(s) or simply that someone has copied useful code and ideas
from the earlier specimens. I incline to the former view but
whatever the truth of the matter the similarity in file infection
technique provides a useful method of identifying the presence of
any of these three viruses. In the case of WHALE however, it is
reported from the U.S. that some generations may not display this
similarity and might therefore slip through this particular
detection net. The technique itself is discussed in the 4K data
infection report elsewhere in this issue and with the exception of
the differences in infected length (and the as yet unconfirmed U.S.
reports), all three viruses show identical repetition of the
original host header information.
The external results of running the WHALE have so far produced at
least 27 different "generations" (I dislike the term "mutations" as
implying uncontrolled change) and each generation appears to be the
result of scrambling the order in which subroutines are written to
the target file as well as changing both the encryption 'lock' and
'key'. There is a counting mechanism fairly close to the beginning
of the virus code which counts back from 0F0H (240 decimal) on the
dissection copy but the significance of this has not yet become
clear. Possibly sections of the virus yet to be dissected may be
invoked when the counter reaches zero. Infection apparently takes
place during a Function 4BH call to DOS (Load and Execute) and will
therefore affect COM, EXE, OVR and other executable code which is
run in this way. At various times, the Interrupt vector addresses
for Interrupts 1, 2, 3, 9, 13H, 24H and 2FH are accessed and may be
modified for use by the virus code. The main area of code
subversion centres around the DOS Interrupt 21H and this is
intercepted and passed through a function dispatcher routine. This
dispatcher monitors 15 separate DOS functions including both types
of Find First/Next (11H, 12H, 4EH and 4FH), Open and Close file
operations (0FH, 3DH and 3EH) and various types of File Read and
Seek calls (14H, 21H, 27H and 42H). Other functions handled are Get
File Size (23H), Load and Execute (4BH) and Get/Set Date/Time (57H).
As is now expected of this type of code, the DOS Critical Error
vector is hooked during virus operation and appears to be correctly
restored after use.
As various layers of encryption are peeled back, two areas of plain
text are revealed. The first of these is written to a hidden file
in the root directory of the C: drive on a 4 to 1 random chance.
This file is named FISH-#9.TBL and contains a copy of the boot
sector of the drive, together with the following plain text ...
FISH VIRUS #9 A Whale is no Fish! Mind her Mutant Fish and the
hidden Fish Eggs for they are damaging. The sixth Fish mutates only
if the Whale is in here Cave.
No other reference is made to this file from within the virus code
and the content seems to indicate an adolescent concern with
mysterious misinformation. The "sixth Fish" may refer to the FISH6
virus (and establish another definite link) but this has yet to be
researched. Since I haven't yet disassembled FISH6, I would be
interested to know just how it got its name (why the '6' ?). It is
also interesting to note that TBL is one of the data file extensions
attacked by the 4K virus (see article elsewhere in this issue).
The second plain text section of code is displayed as a message if
the system date is between 19th February and 20th March in any year
except 1991 and then the system hangs with a Divide Overflow
message, necessitating a power down reboot. This is the only
trigger point noted so far but there is a possibility that even
these dates may be modified within differing generations. The
message reads ...
THE WHALE IN SEARCH OF THE 8 FISH I AM '~knzyvo}' IN HAMBURG
This is exactly as the message appears on screen and the characters
between the single quotes appear to be a name of some sort.
Preliminary cryptanalysis suggests that this name is probably
'TADPOLES' since this results from simply subtracting a value of 42
(decimal) from each character value and the ichthyological
connection is obvious. Whether the author(s) actually do come from
Hamburg is not certain; since they are capable of producing this
ludicrously silly code, it is quite probable that they are
pathological liars as well.
Many researchers have conjectured that WHALE might be designed to
interact with other viruses (notably FISH6) but to date, no evidence
of this has yet been found within the code.
As knowledge currently stands on this virus, it may well be an
extremely childish and malicious attempt to waste the time of virus
researchers across the world. In rather the same way that the Fire
Brigade can never ignore false alarms, the virus research community
cannot ignore even the simplest virus code. However, ANY virus code
is potentially destructive and the perpetrators should be aware that
the Computer Crime Unit at New Scotland Yard are now building a
dossier of computer virus incidents in the U.K. and WILL prosecute
the authors even if they have never set foot in this country. Under
current legislation, conviction could carry a five year prison
sentence. If 'TADPOLES' reads this, he/they might like to speculate
on such a sentence, which would undoubtedly be accompanied then and
subsequently by the universal revulsion of the computing community
world-wide.
The arrival of this virus caused much consternation amongst
knowledgeable researchers but preliminary examination has dispelled
most of this concern. It is interesting to speculate that in the
WHALE, virus authors have at last reached a predicted point where
their code has to carry so much protection that the original
parameters of invisibility and mobility can no longer be maintained
with any real reliability. Such bulky and processor intensive code
will generally reveal itself long before any payload can be
delivered.
Work will continue on disassembling and analysing this virus until
all the fine details are known and further reports will appear as
more information becomes available.
VIS Classification - CEARKSd9416
The information contained in this report is the direct result of
disassembling and analysing a specimen of the virus code. I take
great pains to ensure the accuracy of these analyses but I cannot
accept responsibility for any loss or damage suffered as a result of
any errors or omissions. If any errors of fact are noted, please
let me know at :-
The Virus Information Service,
Treble Clef House,
64, Welford Road,
WIGSTON MAGNA,
Leicester LE8 1SL
or call +44 (0)533 883490
Jim Bates
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++