VIRUS-L Digest             Friday, 2 Jun 1989        Volume 2 : Issue 126

Today's Topics:

Computer Virus Catalogue (Aims and Scope)
Computer Virus Catalogue: format
Computer Virus Catalogue: Index (May 25, 1989)
Special ACM Issue on the Internet Worm

---------------------------------------------------------------------------

Date:    Fri, 02 Jun 89 15:21 CET
From:    BRUNNSTEIN@RZ.INFORMATIK.UNI-HAMBURG.DBP.DE
Subject: Computer Virus Catalogue (Aims and Scope)

After having reverse-engineered several viruses on different PCs (AMIGA, Atari, Macintosh and IBM), we have developed (and experimentally tested, in a German mailbox of the national Informatics society, since December 1988) a format in which we describe essential features of computer viruses: the Computer Virus Catalog. Thanks to Y. Radai, David Ferbrache and Otto Stolz, this Catalog is now available in a revised form.

The goal is to describe all those features which a (not too well-informed) user needs to analyse whether and what virus may have reached his machine; moreover, the catalog should contain some hints as to which established tools help him to erase the virus. At this time, about 25 viruses (maybe some of which exist in German locations) have been catalogued.

At the Virus Test Center of Hamburg University/Informatics (with a group of students, who participate in my 4-semester course on Computer Security), we have concentrated on AMIGA and IBM PC viruses, but in the latter case we have difficulties getting virus code, 1) because the German IBM PC virus scene does not offer the internationally reported manifold, and 2) because we refuse to exchange viruses like stamps (we also don't publish virus code or the `dossiers' which we produced by reverse-engineering). We therefore appreciate any help which we can get from competent and cooperative experts in the field.

As separate documents I send:
  1st: the format of the Computer Virus Catalog,
  2nd: the index of entries at this time.
To minimize the transfer problems to `remote locations' (seen from a Germanocentric world view), we try to find locations where the actual entries may be invoked (e.g. in the US). Moreover, in order to guarantee some degree of completeness, we ask groups/persons with developed knowledge in the field to take on the task of adding information about viruses not yet catalogued. We plan to establish a committee which controls new or updated entries; while Y. Radai and D. Ferbrache have accepted to cooperate in this Virus Catalog Editorial Committee, we hope for a few more experts to cooperate in this task.

Thank you in advance for comments.

Klaus Brunnstein.

- -----------------------------------------------------------------------
PostAddress:  Prof. Dr. Klaus Brunnstein
              Faculty for Informatics, Univ. Hamburg
              Schlueterstr. 70
              D 2000 Hamburg 13
Tel:          (40) 4123-4158 / -4162 Secr.
ElMailAdr:    Brunnstein@RZ.Informatik.Uni-Hamburg.dbp.de
FromINTERNET: Brunnstein%RZ.Informatik.Uni-Hamburg.dbp.de@Relay.CS.Net
FromBITNET:   Brunnstein%RZ.Informatik.Uni-Hamburg.dbp.de@DFNGate.Bitnet
FromUUCP:     brunnstein%rz.informatik.uni-hamburg.dbp.de@unido.uucp
- -----------------------------------------------------------------------

------------------------------

Date:    Fri, 02 Jun 89 15:31 CET
From:    BRUNNSTEIN@RZ.INFORMATIK.UNI-HAMBURG.DBP.DE
Subject: Computer Virus Catalogue: format

- ------ Computer Virus Catalog 1.0: "Virusname" (Date of Entry) --------
Entry...............: "Virusname" (=Name of virus)
Alias(es)...........: Alternate Name(s)
Virus Strain........: "Family" (if any) to which this virus belongs
Virus detected when.: Date of first appearance
              where.: Where has Virus been produced or detected
Classification......: System Virus (BootSector, Command.Com, BAT V.)
                      Link or Program Virus (Overwriting/Relocating V.)
Length of Virus.....: Length (Byte) if applicable.
- --------------------- Preconditions -----------------------------------
Operating System(s).: e.g.
                      AMIGA-DOS, ATARI-TOS, MacOS, MS-DOS, UNIX, VMS, MVS, VM
Version/Release.....: Special Version of OS (e.g. UNIX System V, UNIX BSD,
                      VMS etc) if needed, and Release (e.g. MS-DOS 3.2,
                      UNIX BSD 4.2)
Computer model(s)...: The Computer models (e.g. ROM BIOS versions) on which
                      the Virus runs.
- --------------------- Typical Attributes ------------------------------
Identification......: Typical texts, either messages (e.g. screen), or
                      texts in Virus body (readable with HexDump
                      facilities), Volume Labels etc.
Type of infection...: Self-Identification methods;
                      Executable File infection (.COM, .EXE): overwriting,
                      dislocating; permanent/transient; RAM or File
                      (Direct Action) Infection;
                      WCS infection (e.g. CMOS store at initialisation
                      setup);
                      System infection: RAM-Resident, Reset-Resident,
                      Bootblock/Bootsectors, Command.Com, BAT, Device
                      Handlers/Libraries etc;
                      Infection of unlinked Object Files;
                      Source Code Infection.
Damage..............: Permanent Damage: e.g. overwriting bootblock,
                      repeated restart/format, zeroing of sectors, Bad
                      Sectors in FAT etc;
                      Transient Damage: e.g. screen buffer manipulation,
                      audio effects, blinking LEDs
Particularities.....: special effects, e.g. process velocity slowed down
Similarities........: dis/similarities to other viruses (either from the
                      same "family" (=strain) or different viruses);
                      names of related viruses.
- --------------------- Agents ------------------------------------------
Tested vaccines.....: Names of those Antivirus programs tested
Vaccines successful.: Names of those Antivirus programs which, without any
                      restriction, were `successful' to identify and
                      destroy, without any side effect, the given virus
                      (details of Vaccine in Antivirus Catalog)
Standard means......: Means in the respective System which may be used to
                      identify/destroy this virus.
- --------------------- Classification ---------------------------------
Location............: e.g.
                      Virus Test Center, University Hamburg, FRG
Classification by...: Author(s) of Reverse-Engineering Document
Documentation by....: Author(s) of this Catalog Entry; Translator of
                      Non-English document (if applicable)
Date................: Production/last Update of this Catalog Entry (this
                      information also in the 1st line)
Information Source..: Information used for Documentation (only in cases
                      where Reverse-Analysis was not possible).
- --------------------------End of "Virusname"-Virus---------------------

------------------------------

Date:    Fri, 02 Jun 89 15:34 CET
From:    BRUNNSTEIN@RZ.INFORMATIK.UNI-HAMBURG.DBP.DE
Subject: Computer Virus Catalogue: Index (May 25, 1989)

=============================
Computer Virus Catalog Index: May 25, 1989
=============================

Content/Short description of Catalog entries:
[(*) Viruses presently under reverse analysis, catalogue entry will soon be available.]

1) Amiga DOS:
- -------------
*A.S.S. Virus          BootBl/ResetRes?         Antivirus-Virus  (L=1024)
Byte Bandit Virus      BootBl/ResetRes2         TransDamage      (L=1024)
Byte Warrior           BootBl/ResetRes2         Antivirus-Virus  (L=1024)
*Camouflage Virus      BootBl/ResetRes2         ????Damage       (L=1024)
*Disk Doctors Virus    BootBl/ResetRes?         ????Damage       (L=1024)
*Gaddafi-Virus         BootBl/ResetRes.
                                                ????Damage       (L=1024)
GYROS Virus            BootBl/ResetRes1         TransDamage      (L=1024)
IRQ-Team Virus         Program/ResRes2/Disl.    TransDamage      L=1096
*Lamer Virus           BootBl/ResetRes/SelfDisl.????Damage       (L=1024)
NorthStar Virus Strain BootBl/ResetRes1         Antivirus-Virus  (L=1024)
  1. North Star I Virus
  2. *North Star II Virus
Obelisk Virus          BootBl/ResetRes1         TransDamage      (L=1024)
*Paramount Virus       BootBl/ResetRes?         ????Damage       (L=1024)
SCA-Virus Strain:      BootBl/ResetRes.         TransDamage      (L=1024)
  1. SCA-Virus: Swiss Cracking Association
  2. AEK-Virus: SCA-text modified
*System Z 3.0 Virus    BootBl/ResetRes?         Antivirus-Virus  (L=1024)
*UNKNOWN I Virus       BootBl/ResetRes?         ????Damage       (L=1024)
*UNKNOWN II Virus      BootBl/ResetRes?         ????Damage       (L=1024)

[BootBl:    AMIGA-DOS uses two standardized bootsectors as one BootBlock;
 ResetRes1: GYROS, NorthStar I/II, Obelisk and SCA/AEK Viruses become
            "Reset Resident" via manipulation of the Capture Vector;
 ResetRes2: Byte Bandit, Byte Warrior, Camouflage, IRQ-Team and Lamer
            viruses become "Reset Resident" via manipulation of the
            KickTag Pointer]

(Remark: unqualified information about several more viruses, including the names WARHAWK-V. and LSD-V., could not be confirmed to date)

2) Atari TOS:
- -------------
ANTHRAX-Virus          Prog(.PRG)Disl.          PermDamage                    =Milzbrand-Virus
c't Virus              BootS/ResetRes           PermDamage:FORMAT-HD (L<512)
Emil 1A-Virus          BootS/ResetRes           TransDamage      (L<512)
Emil 2A-Virus          BootS/ResetRes           TransDamage      (L<512)
*Mouse Virus           BootS/???                PermDamage:Mouse up/down      =SIGNUM Virus
Zimmermann-Virus       Prog(.PRG)Disl.          TransDamage      L=1414

3) Macintosh:
- -------------
Aladin-Virus           Prog/Disl.Code0          PermDamage       L=3 kByte
Frankie-Virus          Prog/Disl.Code0          PermDamage       L=3 kByte

(Remark: several more viruses, such as nVIR, are under reverse-analysis; for special knowledge of the 68000, refer to David Ferbrache, Heriot-Watt University, Scotland/UK).

4) MS-DOS:
- ----------
Autumn(=Herbst)Virus   Prog(.COM)Disl.
                                                TransDamage      L=1704/1701
Bouncing Ball Virus    BootS/---                TransDamage      (L=1024)
Israeli Virus #1       Prog(.COM/.EXE)Disl.     PermDamage       L=1813/n*1808
Oropax Virus           Prog(.COM)Disl.          TransDamage      L=2756-2806
*SHOE Virus            BootS/---                TransDamage

(Remark: Out of the multiplicity of MSDOS viruses, only a few have appeared in the FRG; it is therefore difficult to receive copies for analysis)

5) Information Policy:
- ----------------------
5.1 Entries published in the Computer Virus Catalogue may be copied and edited if the original source ("Computer Virus Catalogue, Virus Test Center, University of Hamburg/Germany") is properly referenced and changes applied are mentioned.

5.2 Several "NoName" Viruses have been produced in or are known to the Virus Test Center, Hamburg; such systems include MVS and VM, VMS and UNIX; moreover, viruses with different replication strategies in MSDOS and other PC systems have been tested. Since such "Test" viruses are only produced to analyse proper defense methods (which may be needed in some future), it is the general information policy *not to distribute further information* in the Computer Virus Catalogue until such viruses appear in the "real world".

------------------------------

Date:    Fri, 2 Jun 89 10:25 EDT
From:    Roman Olynyk - Information Services
Subject: Special ACM Issue on the Internet Worm

For those who aren't card-carrying members of ACM, the June issue of "Communications of the ACM" (Vol 32, No.
6) is a special issue devoted to articles on the now infamous Internet worm (the virus, not the person). Articles include:

    The Worm Story
    The Internet Worm: Crisis and Aftermath
    With Microscope and Tweezers: The Worm from MIT's Perspective
    Password Cracking: A Game of Wits
    The Cornell Commission: On Morris and the Worm

Also, a column, "Legally Speaking," features an excellent discussion titled "Can Hackers Be Sued for Damages Caused by Computer Viruses?"

Look for the issue with the Cootie Bug cover!

------------------------------

End of VIRUS-L Digest
*********************
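The Computer Virus Catalog 1.0 entry layout published in Klaus Brunnstein's second message above is a fixed-column record: field names are dot-padded so that the colon sits in column 21, continuation lines are indented past that column, sections are separated by dashed title lines, and the digest software escapes any line beginning with a dash as "- -". That is regular enough to parse mechanically, which is what the editorial committee the first message proposes would need when checking submitted entries. The following Python is an added example, not code from the Virus Test Center or from the digest: it parses one entry into sections and fields, joins continuation lines, and lists which fields of the published layout a submission leaves absent or empty. The section and field names are the ones in the format message; the sample entry is constructed, describes no real virus, and uses placeholder tool names.

```python
# Parser and completeness check for Computer Virus Catalog 1.0 entries.
# Added example; section and field names follow the published format.
import re
from typing import Dict, List, Optional

# Fields of the published layout by section.  The block before the first
# section line has no title of its own and is recorded as "Header".
FORMAT_FIELDS: Dict[str, List[str]] = {
    "Header": ["Entry", "Alias(es)", "Virus Strain", "Virus detected when",
               "where", "Classification", "Length of Virus"],
    "Preconditions": ["Operating System(s)", "Version/Release",
                      "Computer model(s)"],
    "Typical Attributes": ["Identification", "Type of infection", "Damage",
                           "Particularities", "Similarities"],
    "Agents": ["Tested vaccines", "Vaccines successful", "Standard means"],
    "Classification": ["Location", "Classification by", "Documentation by",
                       "Date", "Information Source"],
}

HEADER_RE = re.compile(r'^-+\s*Computer Virus Catalog\s+(?P<version>[\d.]+):'
                       r'\s*"(?P<name>[^"]+)"\s*\((?P<date>[^)]*)\)')
SECTION_RE = re.compile(r'^-{3,}\s*(?P<title>[A-Za-z][A-Za-z ]*?)\s*-{3,}\s*$')
END_RE = re.compile(r'^-+End of ')
COLON_COL = 20  # names are dot-padded so that the ':' sits in column 21

def _unescape(line: str) -> str:
    """The digest prefixes lines that start with '-' by '- '; undo that."""
    return line[2:] if line.startswith("- -") else line

def _field_name(line: str) -> Optional[str]:
    """Field name of a 'Name.....: value' line, or None for other lines."""
    if len(line) <= COLON_COL or line[COLON_COL] != ":":
        return None
    name = line[:COLON_COL].rstrip(".").strip()
    return name if name and name[0].isalpha() else None

def parse_entry(text: str) -> Dict:
    """Parse one catalog entry into {name, version, date, sections}."""
    entry: Dict = {"name": None, "version": None, "date": None, "sections": {}}
    section, current = "Header", None  # current: (section, field) continued
    for raw in text.splitlines():
        line = _unescape(raw.rstrip())
        if not line:
            continue
        if m := HEADER_RE.match(line):
            entry.update(m.groupdict())
            continue
        if END_RE.match(line):
            break
        if m := SECTION_RE.match(line):
            section, current = m.group("title"), None
            continue
        fields = entry["sections"].setdefault(section, {})
        name = _field_name(line)
        if name:
            fields[name] = line[COLON_COL + 1:].strip()
            current = (section, name)
        elif current:  # indented continuation of the previous value
            entry["sections"][current[0]][current[1]] += " " + line.strip()
    return entry

def missing_fields(entry: Dict) -> List[str]:
    """Fields of the published layout that the entry leaves absent or empty."""
    missing: List[str] = []
    for section, names in FORMAT_FIELDS.items():
        got = entry["sections"].get(section, {})
        missing += [f"{section}/{n}" for n in names if not got.get(n, "").strip()]
    return missing

# Constructed sample in the digest's own dash-escaped form.  Placeholder
# tool names; it describes no real virus.  The "Classification" section
# is deliberately left out so the completeness check has something to say.
SAMPLE_ENTRY = """\
- ------ Computer Virus Catalog 1.0: "Example" (June 2, 1989) --------
Entry...............: "Example" (constructed sample, not a real virus)
Alias(es)...........: Sample Virus
Virus Strain........: ---
Virus detected when.: May 1989
              where.: Hamburg (constructed)
Classification......: System Virus (BootSector)
Length of Virus.....: 1024
- --------------------- Preconditions -----------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 1.2, 1.3
Computer model(s)...: all models running the listed releases (constructed)
- --------------------- Typical Attributes ------------------------------
Identification......: Text in boot block (readable with HexDump
                      facilities): "EXAMPLE"
Type of infection...: System infection: Bootblock, Reset-Resident
Damage..............: Transient Damage: screen message after n resets
- --------------------- Agents ------------------------------------------
Tested vaccines.....: TOOL-A, TOOL-B (placeholder names)
Vaccines successful.: TOOL-A (placeholder name)
- --------------------End of "Example"-Virus---------------------
"""
```

Calling `missing_fields(parse_entry(SAMPLE_ENTRY))` reports the two unfilled attribute fields, the missing "Standard means" entry and the whole absent "Classification" section, which is the list a committee member would send back to a submitter. The column-based field test is what keeps a continuation line such as `facilities): "EXAMPLE"` from being mistaken for a new field even though it contains a colon.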