VIRUS-L Digest              Friday, 2 Jun 1989         Volume 2 : Issue 126

Today's Topics:
Computer Virus Catalogue (Aims and Scope)
Computer Virus Catalogue: format
Computer Virus Catalogue: Index (May 25, 1989)
Special ACM Issue on the Internet Worm

---------------------------------------------------------------------------

Date:    Fri, 02 Jun 89   15:21 CET
From:    [email protected]
Subject: Computer Virus Catalogue (Aims and Scope)

After having reverse-engineered several viruses on different PCs
(AMIGA, Atari, Macintosh and IBM), we have developed (and
experimentally tested, in a German mailbox of the national Informatics
society, since December 1988) a format in which we describe essential
features of computer viruses: the Computer Virus Catalog. Thanks to
Y.Radai, David Ferbrache and Otto Stolz, this Catalog is now available
in a revised form. The goal is to describe all those features which a
(not too well-informed) user needs to analyse whether and what virus
may have reached his machine; moreover, the catalog should contain
some hints as to which established tools help him to erase the virus.

At this time, about 25 viruses (maybe some of which exist in German
locations) have been catalogued. At the Virus Test Center of Hamburg
University/Informatics (with a group of students, who participate in
my 4-semester course on Computer Security), we have concentrated on
AMIGA and IBM PC viruses, but in the latter case we have difficulties
in getting virus code, 1) because the German IBM PC virus scene does not
offer the internationally reported manifold, and 2) we refuse to
exchange viruses like stamps (we also don't publish virus code or the
`dossiers' which we produced by reverse-engineering). We therefore
appreciate any help which we can get from competent and cooperative
experts in the field.

As a separate document I am sending:
               1st: the format of the Computer Virus Catalog,
               2nd: the index on entries at this time.

To minimize the transfer problems to `remote locations' (seen from a
Germanocentric world view), we try to find locations where the actual
entries may be invoked (e.g. in US). Moreover, in order to guarantee
some degree of completeness, we ask groups/persons with developed
knowledge in the field, to take on the task of adding information
about viruses not yet catalogued. We plan to establish a committee
which controls new or updated entries; while Y.Radai and D.Ferbrache
have agreed to cooperate in this Virus Catalog Editorial Committee,
we hope for a few more experts to cooperate in this task.

Thank you in advance for comments.   Klaus Brunnstein.

- -----------------------------------------------------------------------
PostAdress:      Prof.Dr. Klaus Brunnstein
           Faculty for Informatics, Univ.Hamburg
                   Schlueterstr.70
                  D 2000 Hamburg 13
          Tel: (40) 4123-4158 / -4162 Secr.
ElMailAdr:   [email protected]
FromINTERNET:Brunnstein%[email protected]
FromBITNET:  Brunnstein%[email protected]
FromUUCP:    brunnstein%[email protected]
- -----------------------------------------------------------------------

------------------------------

Date:    Fri, 02 Jun 89   15:31 CET
From:    [email protected]
Subject: Computer Virus Catalogue: format

- ------ Computer Virus Catalog 1.0: "Virusname" (Date of Entry) --------

Entry...............: "Virusname" (=Name of virus)
Alias(es)...........: Alternate Name(s)
Virus Strain........: "Family" (if any) to which this virus belongs
Virus detected when.: Date of first appearance
             where.: Where has Virus been produced or detected
Classification......: System Virus (BootSector, Command.Com, BAT V.)
                     Link or Program Virus (Overwriting/Relocating V.)
Length of Virus.....: Length (Byte) if applicable.

- --------------------- Preconditions -----------------------------------

Operating System(s).: e.g. AMIGA-DOS, ATARI-TOS, MacOS, MS-DOS,
                          UNIX, VMS, MVS, VM
Version/Release.....: Special Version of OS (e.g. UNIX System V,
                     UNIX BSD, VMS etc) if needed, and Release
                     (e.g. MS-DOS 3.2, UNIX BSD 4.2)
Computer model(s)...: The Computer models (e.g. ROM BIOS versions)
                     on which the Virus runs.

- --------------------- Typical Attributes ------------------------------

Identification......: Typical texts, either messages (e.g. screen),
                     or texts in Virus body (readable with HexDump-
                     facilities), Volume Labels etc.
Type of infection...: Self-Identification methods;
                     Executable File infection(.COM,.EXE):overwriting,
                     dislocating; permanent/transient; RAM or File
                     (Direct Action) Infection; WCS infection (e.g.
                     CMOS store at initialisation setup);
                     System infection: RAM-Resident, Reset-Resident,
                     Bootblock/Bootsectors, Command.Com, BAT, Device
                     Handlers/Libraries etc;
                     Infection of unlinked Object Files;
                     Source Code Infection.
Damage..............: Permanent Damage: e.g. overwriting bootblock,
                     repeated restart/format, zeroing of sectors,
                     Bad Sectors in FAT etc;
                     Transient Damage: e.g. screen buffer manipulation,
                     audio effects, blinking LEDs
Particularities.....: special effects e.g. process velocity slowed-down
Similarities........: dis/similarities to other viruses (either from
                     same "family" (=strain) or different viruses);
                     names of related viruses.

- --------------------- Agents ------------------------------------------

Tested vaccines.....: Names of those Antivirus programs tested
Vaccines successful.: Names of those Antivirus programs which, without
                     any restriction, were `successful' to identify and
                     destroy, without any side effect, the given virus
                     (details of Vaccine in Antivirus Catalog)
Standard means......: Means in the respective System which may be
                     used to identify/destroy this virus.

- --------------------- Classification ---------------------------------

Location............: e.g. Virus Test Center, University Hamburg, FRG
Classification by...: Author(s) of Reverse-Engineering Document
Documentation by....: Author(s) of this Catalog Entry;
                     Translator of Non-English document (if applicable)
Date................: Production/last Update of this Catalog Entry
                     (this information also in the 1st line)
Information Source..: Information used for Documentation (only in cases
                     where Reverse-Analysis was not possible).

--------------------------End of "Virusname"-Virus---------------------

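
As an added illustration (not part of the original posting, and not a tool of the Virus Test Center), here is a small Python parser for an entry written in the catalog format above. It assumes that every field label is padded with dots up to the colon, that an indented label such as "where.:" belongs to the field directly above it, that value lines never contain ".:" themselves, and that the entry ends at the "End of ..." line; the sample entry is constructed.

```python
import re
from collections import OrderedDict

# Constructed sample entry in the catalog format (not a real catalog entry):
# a few fields per section, multi-line values, and the indented "where.:" sub-label.
SAMPLE_ENTRY = '''\
- ------ Computer Virus Catalog 1.0: "Example" (June 2, 1989) --------

Entry...............: "Example"
Virus detected when.: May 1989
             where.: Test lab (constructed data)
Length of Virus.....: 1024 Bytes

- --------------------- Preconditions -----------------------------------

Operating System(s).: AMIGA-DOS,
                          ATARI-TOS

- --------------------- Typical Attributes ------------------------------
Identification......: Text "EXAMPLE" in Virus body (readable with HexDump-
                     facilities)
Damage..............: Transient Damage: screen buffer manipulation
--------------------------End of "Example"-Virus---------------------
'''

# Separator: dashes around a title; the leading "- " is how the digest quotes a line that starts with "-".
SEP_RE = re.compile(r'^-?\s*-{3,}\s*(.+?)\s*-{3,}$')
# Field label: letters padded with dots up to the colon (assumed: value lines never contain ".:").
FIELD_RE = re.compile(r'^(\s*)([A-Za-z][A-Za-z /()]*?)\.+:\s*(.*)$')

def parse_entry(text):
    """Parse one catalog entry into {section: {field: value}}, preserving order."""
    sections, section, field = OrderedDict(), 'Header', None
    for line in text.splitlines():
        if not line.strip():
            continue
        if m := SEP_RE.match(line):
            if m.group(1).startswith('End of'):
                break                           # end-of-entry marker
            section, field = m.group(1), None
            continue
        fields = sections.setdefault(section, OrderedDict())
        if m := FIELD_RE.match(line):
            indent, label, value = m.groups()
            # an indented sub-label ("where.:") is scoped to the field above it
            field = f'{field}/{label}' if indent and field else label
            fields[field] = value.strip()
        elif field:
            # continuation line; no space after a hyphenated line break
            sep = '' if fields[field].endswith('-') else ' '
            fields[field] += sep + line.strip()
    return sections
```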

------------------------------

Date:    Fri, 02 Jun 89   15:34 CET
From:    [email protected]
Subject: Computer Virus Catalogue: Index (May 25, 1989)

                 =============================
                 Computer Virus Catalog Index:
                         May 25, 1989
                 =============================

           Content/Short description of Catalog entries:
           [(*) Viruses presently under reverse analysis,
               catalogue entry will soon be available.]

1) Amiga DOS:
- -------------
*A.S.S. Virus          BootBl/ResetRes?         Antivirus-Virus (L=1024)
Byte Bandit Virus      BootBl/ResetRes2         TransDamage     (L=1024)
Byte Warrior           BootBl/ResetRes2         Antivirus-Virus (L=1024)
*Camouflage Virus      BootBl/ResetRes2         ????Damage      (L=1024)
*Disk Doctors Virus    BootBl/ResetRes?         ????Damage      (L=1024)
*Gaddafi-Virus         BootBl/ResetRes.         ????Damage      (L=1024)
GYROS Virus            BootBl/ResetRes1         TransDamage     (L=1024)
IRQ-Team Virus         Program/ResRes2/Disl.    TransDamage      L=1096
*Lamer Virus           BootBl/ResetRes/SelfDisl. ????Damage     (L=1024)
NorthStar Virus Strain BootBl/ResetRes1 Antivirus-Virus         (L=1024)
   1.North Star I Virus
   2.*North Star II Virus
Obelisk Virus          BootBl/ResetRes1          TransDamage    (L=1024)
*Paramount Virus       BootBl/ResetRes?          ????Damage     (L=1024)
SCA-Virus Strain:      BootBl/ResetRes. TransDamage             (L=1024)
   1.SCA-Virus: Swiss Cracking Association
   2.AEK-Virus: SCA-text modified
*System Z 3.0 Virus    BootBl/ResetRes?          Antivirus-Virus(L=1024)
*UNKNOWN I Virus       BootBl/ResetRes?          ????Damage     (L=1024)
*UNKNOWN II Virus      BootBl/ResetRes?          ????Damage     (L=1024)

[BootBl: AMIGA-DOS uses two standardized bootsectors as one BootBlock;
ResetRes1: GYROS, NorthStar I/II, Obelisk and SCA/AEK Viruses become
           "Reset Resident" via manipulation of Capture Vector
ResetRes2: Byte Bandit, Byte Warrior, Camouflage, IRQ-Team and Lamer
           viruses become "reset Resident" via manipulation of KickTag
           Pointer)]

(Remark: unqualified information about several more viruses, including
   names WARHAWK-V. and LSD-V. could not be confirmed up to date)

2) Atari TOS:
- -------------
ANTHRAX-Virus          Prog(.PRG)Disl. PermDamage
  =Milzbrand-Virus
c't Virus              BootS/ResetRes  PermDamage:FORMAT-HD     (L<512)
Emil 1A-Virus          BootS/ResetRes  TransDamage              (L<512)
Emil 2A-Virus          BootS/ResetRes  TransDamage              (L<512)
*Mouse Virus           BootS/???       PermDamage:Mouse up/down
  =SIGNUM Virus
Zimmermann-Virus       Prog(.PRG)Disl. TransDamage               L=1414


3) Macintosh:
- -------------
Aladin-Virus           Prog/Disl.Code0 PermDamage             L=3 kByte
Frankie-Virus          Prog/Disl.Code0 PermDamage             L=3 kByte

(Remark: several more viruses, such as nVIR, are under reverse-analysis;
for special knowledge of 68000: refer to David Ferbrache, Heriot-Watt-
University, Scotland/UK).

4) MS-DOS:
- ----------
Autumn(=Herbst)Virus   Prog(.COM)Disl.  TransDamage          L=1704/1701
Bouncing Ball Virus    BootS/---        TransDamage            (L=1024)
Israeli Virus #1       Prog(.COM/.EXE)Disl.PermDamage      L=1813/n*1808
Oropax Virus           Prog(.COM)disl.  TransDamage          L=2756-2806
*SHOE Virus            BootS/---        TransDamage

(Remark: Out of the multiplicity of MSDOS viruses, only a few have
in FRG; it is therefore difficult to receive copies for analysis)


5) Information Policy:
- ----------------------
5.1 Entries published in the Computer Virus Catalogue may be copied and
   edited if the original source ("Computer Virus Catalogue, Virus Test
   Center, University of Hamburg/Germany") is properly referenced and
   changes applied are mentioned.

5.2 Several "NoName" Viruses have been produced in or are known to the Virus
   Test Center, Hamburg; such systems include MVS and VM, VMS and UNIX;
   moreover, viruses with different replication strategies in MSDOS and
   other PC systems have been tested. Since such "Test" viruses are
   only produced to analyse proper defense methods (which may be needed
   in some future), it is the general information policy *not to
   distribute further information* in the Computer Virus Catalogue until
   such viruses appear in the "real world".


------------------------------

Date:    Fri, 2 Jun 89 10:25 EDT
From:    Roman Olynyk - Information Services <[email protected]>
Subject: Special ACM Issue on the Internet Worm

For those who aren't card-carrying members of ACM, the June issue of
"Communications of the ACM" (Vol 32, No. 6) is a special issue devoted
to articles on the now infamous Internet worm (the virus, not the person).

Articles include:
  The Worm Story
  The Internet Worm:  Crisis and Aftermath
  With Microscope and Tweezers:  The Worm from MIT's Perspective
  Password Cracking:  A Game of Wits
  The Cornell Commission:  On Morris and the Worm

Also, a column, "Legally Speaking," features an excellent discussion
titled "Can Hackers Be Sued for Damages Caused by Computer Viruses?"
Look for the issue with the Cootie Bug cover!

------------------------------

End of VIRUS-L Digest
*********************