-----------------------------Date: 23 Jan 89 11:54:29 GMT (Mon)

From: Alan Jay <alanj@ibmpcug.co.uk>

Subject: Known PC Viruses in the UK and their effects
The article below summarises the viruses which have been known to
affect IBM PCs and compatibles in the United Kingdom. It is written
by Dr. Alan Solomon (drsolly@ibmpcug.CO.UK), the chairman of the IBM
PC User Group in the UK and appears in the February 1989 issue of
Connectivity, the newsletter of the User Group.
This article is (C) Copyright 1989 The IBM PC User Group (UK).
Permission is hereby granted to reproduce this article for non-profit
purposes, provided this notice is retained.
The Information Centre - PC Security by Dr Alan Solomon
- ------------------------------------------------------PCs are intrinsically very insecure. For many PCs, this might not
matter; who cares if someone finds out that the menu for tomorrow is
scrambled eggs? But increasingly, PCs are being used for critical
applications, and either there is extremely important data on them, or
else it is very important that they continue to run. Scrambled eggs
are fine - scrambled FAT is not.
Many people take backup for granted. Obviously, backups are done on a
regular basis, but how do you know that you have something that is
restorable? I'll be coming back to this in a subsequent article. For
now, I want to update members on the virus front, because quite a lot
has happened, and much of what you read in the press is distorted by the
Chinese Whispers treatment.
Virus facts and fiction
- ----------------------First, I have to say that the problems are very real. You have probably
read in Computing that IBM has been infected by 1704 virus. Secondly, I
must emphasise that viruses are still very, very rare on PCs, and many
problems reported as viruses, are t he same old problems we always had.
But they are getting commoner, and I am getting busier and busier in
dealing with outbreaks.
First, let me define some terms. A virus is a self-replicating program,
that copies itself without the user realising that this is happening. A
virus does not necessarily intend malicious damage.
The main damage is always, always done by people's reactions, not by the
viruses themselves. There is one virus around that has code in it for
deleting files, and other viruses have unfortunate side-effects. But
the main damage is usually done by someone panicking, and doing
something extremely silly, because they don't know what is the correct
procedure.
Viruses - what's out there?
===========================
Next - a list of the viruses that I know of so far, plus how to
recognise them, and the intentional and unintentional damage done.
Please remember, though, that most of these viruses have more than one

variant, and it would be possible to write a virus that mimicked the

action of an existing virus. So you mustn't assume that just because
your symptoms match those given below, that you have the exact same
virus. Also, the information given below is only a summary of all the
information available, so please don't treat it as a full manual.
Stoned. Every 32nd boot-up, you see ``Your computer is now stoned.''
The boot sectors of infected diskettes are obviously abnormal, and
include that message. No intentional damage. Unintentional damage trashes 1.2 Mb floppies if they have more than 32 files, trashes about
5% of hard disks.
Brain. You see (c) Brain as a volume label on diskettes, and diskettes
have 3k of bad sectors (the normal numbers are none at all, or 5k, or
sometimes more). No known intentional damage. Unintentional damage it slows down diskette accesses and causes time-outs, which can make
some diskette drives unusable.
Italian. Once every half hour, if you are accessing the disk, the
bouncing dot is triggered. The dot bounces off the edges of the screen,
and passes through any text, with replacement after it. Sometime, this
doesn't work properly, and screen displays are messed up. Infected
diskettes have 1k in bad sectors, infected hard disks have 2k (and other
numbers of bad sectors are possible). No known intentional damage.
Unintentional damage - the two copies of the FAT are left different; DOS
might not like this. Attempts to infect diskettes slows them down, and
some computers won't read floppies, due to time-outs.
1813 virus. Files grow by 1813 bytes (sometimes 1808), without changing
their date and time or read/write/ hidden attributes. COMMAND.COM does
not grow, to help it avoid detection. Many anti-virus products do
little more than watch COMMAND.COM. Intentional damage - there is code
in the virus for deleting each program that you run on every Friday
13th. Half an hour after the virus installs into memory, the computers
slows down - a 4.77Mhz PC runs at about 1/5 normal speed. A small black
window opens temporarily in the bottom left hand corner. Unintentional
damage - .COM files grow once, taking up slightly more space.
Also, .EXE files grow each time they are infected, and eventually will
not load.
648 virus. .COM files grow by 648 bytes, without changing date/time or
attributes. Intentional damage - one infected file in eight (at random)
is changed in such a way that the program will not run. No known
unintentional damage.
1701 virus. Files grow by 1701 bytes. This is a third generation virus
- - the code is encrypted, to fool programs that search for viruses
automatically, looking for code that is characteristic of viruses. This
also meant that disassembling it took a bit longer than usual, but I've
now finished the disassembly. Occasionally, 1701 triggers a
``hailstorm''. The characters on the screen behave as if the were
pinned to the screen, and someone is removing the pins one at a time it looks a bit like a hailstorm, and has suitable sound effects. In
fact, it is a purely audio-visual effect - nothing is happening to your
data. But most people seeing it, would be so alarmed that they would
reach for the off switch, and switching a computer off in the middle of
processing a database can cause big problems. IBM got infected recently
by 1704 virus, which I believe is a slightly different version of 1701.
They sent a letter to all customers that could conceivably have been
infected - a very responsible thing to do.

As you can see, there are an increasing number of viruses, and an

increasing number of people affected.
If you see any of these symptoms, you should do three things.
1. DON'T PANIC. That does more damage than anything else. Don't just
start deleting and formatting - at least keep a specimen so that I can
disassemble it. The flame thrower approach tends to destroy the
evidence of how it got in (which could help the unfortunate person that
inadvertently gave it to you) and without even fixing the problem.
Don't let anyone else panic, either.
2. Make sure that everyone who knows about it, is told to keep their
mouths shut. The press are desperately keen to find a big company that
has been struck, and will have a field day. An immense amount of damage
could be done to the company's name . If the company decides to tell the
world, that's fine and noble, but the decision must be made at the
highest possible level.
3. Seek expert advice. Do not attempt to deal with it yourself unless you have already dealt with several cases before, a virus is
outside your experience. In particular, the virus MUST be disassembled
- - otherwise it could have many surprises.
One of the biggest problems is in dealing with the diskettes. Every PC
is accompanied by a vast cloud of diskettes, and at least some of these
must be infected. Usually, less than 1% are infected (although in the
case of a boot sector virus such as Brain, Italian or Stoned, anything
up to 5% of diskettes could be infected before the virus is spotted),
but the problem is to find them. If you leave even one infected
diskette - well, it was almost certainly just one diskette that brought
the problem in. My approach is to use a hopper-fed machine that can
check 700 floppy diskettes per hour; the main alternative is to train
sufficient operators to do it manually.
How you treat infected disks and diskettes depends on the virus, and its
modus operandi. I haven't yet seen a situation where it was necessary
for anyone to lose any data, although the flame- thrower approach
certainly can do damage.
As if this wasn't bad enough, there are now a few more problems that I'm
trying to fight. The first is too late - one magazine has published
about 55% of the Italian virus, together with a useful plethora of
technical information about how it works. I won't tell you which
magazine, as I don't want things to get any worse, but many members will
have seen the article, and I would suggest that you write to the editor
to express your own opinions on the subject.
The next problem is that a magazine has quoted someone as saying that he
could write a virus that ``could put a software house out of business
overnight''. I don't think that the magazine should have used that
quote, and I hope that it doesn't give people ideas.
But the third problem is the worst. I have a firm rule about never
giving copies of a virus ``for experimental and research purposes'' to
anyone (except, of course, if a company already has the virus then it
doesn't matter). One could argue that this is tantamount to
suppression of useful information (and this has been suggested to me).
But obviously one should only give a virus to a responsible, technically

capable person, and I'm frankly not very good at assessing this over the
phone - I get many calls asking for viruses. So, since I can't be sure
that the person asking is a suitable candidate, I have so far always
refused. If a bona fide government department were to approach me, I
would probably feel different, but that hasn't happened.
One of the people who felt differently on this point, has obtained
copies of Brain and Italian. He has said that he will give copies to
anyone responsible person who asks him, for research purposes. I don't
know how he will decide, but I hope and pray that he is better at
judging character that I believe possible, and able to detect a
plausible liar. He says that he is acting from the highest, noblest
motive - freedom of information. I used to believe in freedom of
information myself, so I can almost understand him. But I profoundly
disagree with what he's doing, as the easiest way to write a virus, is
to disassemble someone else's, and change it to do what you want.
How to learn more
- ----------------The best way to keep up to date with virus developments is on Connect
(01-863 6646 - 1200, N, 8, 1). There are a number of conferences
devoted to viruses. This article was posted to Connect in conference
connect.virus on January 10th and I will be posting further updates to
this list of known viruses with their symptoms and effects as soon as I
have details.
One thing I have done is write a program for testing anti-virus
products. This uses a few different methods for writing to the boot
sector of floppy diskettes - TESTVACC is quite harmless, of course, but
it is doing something that many viruses do. Many anti-virus products
claim to be able to detect and/or prevent this sort of thing, so you
install your anti-virus program, and then run TESTVACC. TESTVACC tries
to write a simple message to the boot sector of the floppy disk, using
four different methods, any of which could be used by a virus.
I've tried several well-known anti-virus products, and although it
detected the first two methods of writing to the boot sector, it didn't
notice the third or fourth method. You can inspect the boot sector
afterwards, using whatever disk sector editor you like, and draw your
own conclusions. I'm making TESTVACC shareware, so it is available from
the User Group Library.
Also we hope to run a special series of workshops on viruses in the near
future. If you would like to take part then please write to me at the
User Group. This workshop will look at ways of reducing the risk of
infection, what to do if you think you are infected and in the event of
infection how to disinfect your systems.
Submitted by: Alan Jay (alanj@ibmpcug.CO.UK), Editor, Connectivity,
the newsletter of The IBM PC User Group, UK.
- -Alan Jay @ The IBM PC User Group, PO Box 360, Harrow HA1 4LQ ENGLAND
Phone: +44 -1- 863 1191
Email: alanj@ibmpcug.CO.UK
Path: ...!ukc!pyrltd!slxsys!ibmpcug!alanj
Fax: +44 -1- 863 6095
Disclaimer: All statements made in good faith for information only.
------------------------------