Virus Bulletin, June 1999
Contents
1. 16 VIRUS BULLETIN JUNE 1999 TUTORIAL When Barriers Break Down William E Jones amp Christine Orshesky Traditional barriers which included anti virus protection installed on each desktop or the standalone systems used to scan all diskettes as they came into or out of a facility are no longer sufficient We have been forced to move from protecting only the desktop to suites of anti virus products that provide multi tier protection at all points of entry to a network such as email servers and firewalls Many administrators and organizations have experienced times when their favourite anti virus or other security product did not measure up to the newest threat and the malicious item made its way past their barriers and into their networks causing them to respond instead of defend Macro viruses like Marker and Melissa clearly demon strated to many organizations the need for a more diverse response mechanism Moreover it is becoming imperative that every company establish a posture or strategy that will actively defend manage and respond effectively to malicious logic inci dents namely a response in layers approach including much more than just anti virus products Many of the protection strategies and incident management techniques outlined below are drawn from actual incident response initiatives and case studies Attack in Progress Recognizing the Symptoms To determine if something malicious has mad2. m just curious will they cart him off to prison or give him a medal Taiwanese hardware manufacturers will enjoy boom sales because of the incident When the Flash BIOS is destroyed with most PCs it is not possible to recover the damaged chip and it is necessary to replace the entire motherboard In some cases it is cheaper to replace the whole computer The CIH episode also epitomised one of the anti virus axioms can a computer virus destroy hardware Answer modern hardware components are protected from possible danger caused by software programs including viruses So this is no longer valid By the way this is the second one the first was are viruses able to infect text files Answer definitely not because the viruses are not able to live there Definitely not if a text file has no macros inside So viruses are able to destroy hardware And they do The story does not end there CIH s author released the source code of his viruses and the Flash corruption routine is now public knowledge Any virus maker is able to replicate it It is very possible that other DOS and macro viruses will use this routine to kill computers Indeed this has already begun a new multi partite DOS boot virus that I saw recently has CIH s Flash destruction routine in its code Until hardware manufacturers fix this problem users are in big danger Any new software they download from the Internet may be infected by
3. s what it s believed to do Melissa spread so quickly beyond its original targets that spammers expressed an interest in it as a model marketing tool in a field where the shotgun approach has always been popular Never mind the target see how widely you can spread the pellets On Parnassus Gods of Security suddenly became virus experts Instantly outdated Sendmail recipes based on email headers became popular Intrusion Detection and Response experts claimed Melissa as an object lesson even though it was very clearly not a targeted attack One security organization issued a quasi advisory statement which not only quoted struggling systems administrators as best practice but also advocated stout firewalling as an anti virus measure despite all the doubts of experts in that field In addition to this it included the trivially modified virus source code thus encouraging system administrators et al to experiment with virus code and practically forcing them to create new variants By all means guard against the guardians not just the home users not just the corporate users and system administra tors but the marketroids and consultants tech support boffins and all Viruses are not primarily a technical problem they re a social problem The real enemy is misinformation and that abounds both sides of the pro virus anti virus divide David Harley Support amp Security Analyst Imperial Cancer Research Fund UK
4. seen a virus do anything that is not easier and more reliable to do without a virus except be a virus of course 26 But Wait this is New Really One interesting and actually somewhat new idea which has come to light recently may show a slight change in the modus operandi of the virus writing community In the early months of 1999 we saw alleged virus writers and distributors attempting to spread confusion by going public on the Internet registering such domains as datafellowes com and vgrep com VIRUS BULLETIN 1999 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 99 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers VIRUS BULLETIN JUNE 1999 13 The Codebreakers Internet site which vanished abruptly in the midst of the Melissa investigation was reincarnated as codebreakers net on a site hosted by a large web hosting company in Florida The site was no amateur looking hodge podge It was particularly well done with excellent graphics and a research feel to it It was registered to someone claiming to represent DataFellows Ltd 27 At this time the site appears to have been discontinued for unspecified reasons Contact information for the domain refers to an email address located at a different web hosting company in Cupertino CA
5. 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers 4 VIRUS BULLETIN JUNE 1999 LETTERS Dear Virus Bulletin The VB Letters page contains material that is printed at my discretion but VB takes no responsibility for the diversity of opinion which can range from anti virus professional through single user to disgruntled customer This month s topics include misinformation and generic repair on which a tutorial will be published in the July issue Enjoy Ed Information Information Information I m startled by how closely your May Comment page echoes some of the rationalizations of virus writers distributors that Melissa and her siblings are the fault of computer users for visiting ahem recreational sites and newsgroups or trusting the object because they trust the source Microsoft for putting functionality ahead of security almost every time unprepared system administrators trusting in out of the box configurations and out of date virus definitions to cope with brute force mailstorm attacks managers who haven t locked down systems and implemented draconian policies It s true that some very nice people are utterly clueless about virus and anti virus technology The trouble is quite a few of them work in security and some even work in AV It s not what a virus does that matters it
6. 14 days and monitors the typical usage patterns eSafe Protect Gateway The eSafe Protect Gateway provides content filtering for different types of connections made though firewalls This includes the scanning and cleaning of SMTP HTTP and FTP connections There is also a facility called a Sandbox which can be used to configure the access to directories Access limitation can be defined manually Alternatively a learn mode can be employed to monitor normal usage so that a profile can be drawn up of the access needed for day to day activity Blocking rules can be defined for files and alerts issued if the rules are breached Files which pass through can be virus scanned using the integral virus scanner The anti virus module is subdivided into three components namely On demand scanner On access scanner and Environment It is possible both to strip macros from their text compo nents and remove cookie scripts and applet tags from some HTML pages Archive files are inflated and then scanned If an archive is compressed more than once ESP Gateway will keep inflating these recursive archives until the core files are reached Manual On demand Scan The configuration options for on demand scanning are not available on the console They have to be set up on the workstations This seems to miss the trick of being able to pre configure the majority of workstations and issue the settings when scans are deployed The administrator display mes
7. 3 YP England Tel 01235 555139 International Tel 44 1235 555139 Fax 01235 531889 International Fax 44 1235 531889 Email editorial virusbtn com World Wide Web http www virusbtn com US subscriptions only Virus Bulletin 18 Commerce Way Woburn MA 01801 USA Tel 781 9377768 Fax 781 9320251 ben z C C JS les ve This publication has been registered with the Copyright Clearance Centre Ltd Consent is given for copying of articles for personal or internal use or for personal use of specific clients The consent is given on the condition that the copier pays through the Centre the per copy fee stated on each page END NOTES AND NEWS Virus Bulletin s recently reinstated Letters page is your chance to air your grievances seek advice or just make yourself heard on anti virus related issues If you fancy appearing in the pages of VB email us your thoughts editorial virusbtn com Claiming virus protection is an integral part of the PC and should not have to be purchased separately Computer Associates International CAD has staked its claim in the free anti virus software arena The recently released InoculateIT Personal Edition InoculateIT PE for Windows 95 98 and NT workstation a re badged version of Vet Anti Virus is the product on offer Aimed at the single user the readme file recommends those looking to install anti virus protection to many computers in a business evaluate ot
8. Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 99 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers 22 VIRUS BULLETIN JUNE 1999 warnings or not to use a Standard scan or SmartScan and to determine which file types are to be scanned A Standard scan looks at files for known viruses but does not create any integrity files The SmartScan uses integrity files to detect unknown viruses and determine whether to scan for known viruses Integrity files contain checksum values for files stored in a particular directory If the directory does not have an integrity file then the scanner scans for known viruses and creates one in that directory If the directory does have one the scanner compares the file against the contents of the integrity file If they are not consistent the file is scanned and the integrity file updated If they are the scanner does not scan for viruses Integrity files are named VS VSN and stored with a hidden attribute The whole point of the exercise is to try to improve performance by reducing the amount of virus scanning required The default set of files to include in an on access scan are COM EXE DO XL VXD SCR with SCR replacing DLL in the default set File settings can be configured for file creation file read and file execute However the reaction to an infection is
9. According to the person we asked at Data Fellows Finland neither the site nor these contact details had anything to do with the real company At the same time www datafellowes com appeared on the Internet hosted by the same Florida based company as codebreakers net As if registering a domain which is an obvious misspelling of an existing and well known anti virus software manufacturer were not enough there have also been reports of misleading email associated with this domain Several weeks ago I received an email appearing to be from Mikko Hypponnen an anti virus researcher working for Data Fellows The mail requested quite a few viruses As Mikko is a CARO member such a request seemed unlikely at best and so I gave it extra scrutiny Closer inspection showed that the message reply would have gone to datafellowes com not DataFellows com Several other prominent anti virus researchers also received similar requests Who exactly was the mystery mail sender I do not know Clearly had I complied with the request I would have been sending viruses to someone who was not the real Hypponnen Again at the time of writing the www datafellowes com site does not appear to be opera tional Neither the company which hosted the site nor Data Fellows was at liberty to discuss details of the incident due to police involvement Another example involves VGREP a popular utility produced by Sophos and available at www virusbtn com It pro
10. I thought it only fair to let the author of the May Comment respond for himself Ed The hype due to the Melissa scares brought out the worst in the AV marketroids computer industry and mainstream press The incidents would not have happened or their effects would have been minimized if a few simple precautions had been implemented In a free society we can believe that part of the problem is due to inadequacies of the workspace The fact that the problems do exist mean that malcontents will exploit them The enemy is misinformation but the good information is sadly lacking and when it does exist it is in a form that is indigestible Users look to Microsoft for guidance and if they get things wrong or cloud the issue we get the stick Will They Ever Learn Some folks think that Y2K will cause disruptions What happened with CIH in Asia What happened when 300 000 or more computers stopped working on 26 April Did they get them going Are they on paper now or doing without computers Can this in any way be a lesson for preparedness for the date roll over How come I haven t seen any follow up Patrick Neary Naturopathic Doctor USA E dentify or Not That is the Question Last month a customer sent me a couple of documents which were supposed to be infected with a new macro virus It was dropping the file ETHAN ___ in the root of his C drive as some of you may have already guessed it was a new version of Et
11. The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 99 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers 24 VIRUS BULLETIN JUNE 1999 ADVISORY BOARD Pavel Baudis Alwil Software Czech Republic Ray Glath RG Software Inc USA Sarah Gordon WildList Organization International USA Shimon Gruper Aladdin Knowledge Systems Ltd Israel Dmitry Gryaznov Network Associates USA Dr Jan Hruska Sophos Plc UK Eugene Kaspersky Kaspersky Lab Russia Jimmy Kuo Network Associates USA Charles Renert Symantec Corporation USA Roger Riordan Computer Associates Australia Roger Thompson ICSA USA Fridrik Skulason FRISK Software International Iceland Joseph Wells Wells Research USA Dr Steve White IBM Research USA No responsibility is assumed by the Publisher for any injury and or damage to persons or property as a matter of products liability negligence or otherwise or from any use or operation of any methods products instructions or ideas contained in the material herein SUBSCRIPTION RATES Subscription price for 1 year 12 issues including first class airmail delivery UK 195 Europe 225 International 245 US 395 Editorial enquiries subscription enquiries orders and payments Virus Bulletin Ltd The Pentagon Abingdon Science Park Abingdon Oxfordshire OX14
12. Word itself That makes certain things simpler and much more reliable Since the virus code is in high level language the OLE functions are not too difficult either Interestingly the binary part does not infect other executables The virus is active in memory as a process and executed from the registry CurrentVersion Run field with the name of an existing DLL but with an EXE extension placed in the Windows system directory Beast is already in the wild in Russia and Spain Opening an Infected Document The virus arrives on a new system in an infected VBA document When an infected document is opened for the first time the embedded executable gets control from the AutoOpen macro placed in it First the macro checks if three hours have passed since the virus was active last time This is performed by checking a registry entry under SOFTWARE VB and VBA Program Settings called 3BEPb Startup which is created and updated by the binary part of the virus code If this was the very first time the ActiveDocument Shapes 3BEPb Activate command will execute an embedded object called 3BEPb meaning beast in Russian hence the virus name The actual embedded object is the virus code itself which is 41 472 bytes long and named C I EXE Normally a visible icon represents an embedded executable However Beast hides this icon so it cannot be seen by the Word user Wordpad under Windows98 can show the icon of the embedded object and
13. X97M Papa A can be seen as intended because of the missing End If from the code More precisely it is an intended worm not an intended virus except for the bug in the source the fecretck ft code is designed to replicate from computer to computer without eee infecting local Herr p Body IEDERE tate 1 tienta kk ioc iveiork pipire papare paparar fe an Lopeti files However on a a a Monday 29 March Tf 4 2 Then i gt BhE11 ping t L7 Ste LBT oe 1999 a fixed Elsti q 4 Than version was posted Shall ping t L Str Int E000 mae to USENET This new version contains a full a y functioning copy of X97M Papa in the form of a file called XPASS XLS 17 408 bytes long This version was named X97M Papa B and as stated before it is not a virus by itself but a worm The only important difference between the two versions is that the missing End If from the A variant is now in place for the B version In addition to this the source of the B strain is formatted in a different manner 36 empty lines have been inserted at the beginning of the macro code and the source has also shifted 110 positions to the right The only reason behind these changes is probably to make inspection of the virus code a little bit harder Unfortunately they are not the only measures taken by the author to prevent source inspection Functionality Papa s code is stor
14. a protective measure against viral infection was then tested Infected Word documents were copied into the My Documents directory and the diskinfo tables were updated to include these infected files Subse quently goat files in the same directory were infected from these documents ADinf32 successfully detected that the macro content of the goat files and the NORMAL DOT template had changed and warned that this was potentially due to a macro virus infection Thus far mention has only been made of Word and Excel files this unfortunately mirrors the situation as far as Dialogue Science are concerned since at the time of writing ADinf32 does not cope successfully with PowerPoint and Access file formats Modifying the configuration profile to associate PPT and MDB file extensions with macros made the situation worse since the increase in total file size upon macro infection is ignored as ADinf32 attempts to parse the macro content As part of their replication cycle some macros deposit files on to the hard disk i e W97M Ethan A and Win32 W97M Beast see p 6 of this issue ADinf32 provides a useful tool for monitoring such activity detecting these dropped files which may otherwise get missed by anti virus scanners especially if they possess odd file extensions Boot virus infections were also successfully detected by a ADinf32 Details concerning M oo the boot sectors before and H f 14 3 Pi after the cha
15. a virus Any new virus may have CIH s routine in its code This routine may be activated at any time for whatever reason the virus author chooses Be careful And check the Flash write protection switch on your computer s motherboard Don t let a virus cook a Chips omelette there Eugene Kaspersky VIRUS BULLETIN 1999 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 99 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers VIRUS BULLETIN JUNE 1999 3 N EWS Prevalence Table April 1999 Two Be or not Two Be Virus Type Incidents Reports On Friday 7 May CS GaLaDRieL also known as Gala was ColdApe acro 926 18 3 discovered This is believed to be the first virus written in Cap acro 505 10 0 Corel SCRIPT which can infect files within CorelDRAW Ethan acro 495 9 3 Corel PHOTO PAINT and Corel VENTURA Win32 Ska File 463 9 2 When an infected script is activated it searches in the Class acro 432 8 5 current folder for other CorelDRAW scripts CSC files arker acro 419 8 3 parses their contents and finds the names of infected scripts Win95 CIH File 347 6 9 and scripts that are not infected yet On 6 June a message is displayed This virus has no destruc
16. head office How many students None We are a distance learning establishment handling the largest number of students in the world 200 000 to be precise Where Do I Fit In I work in the Technology Department looking after a few servers and getting involved in different projects within the University I started looking at the virus problem here in 1993 Now I look after Technology advise other areas within The Open University and run an advice conference for 60 000 students Some of the courses we run require the students to have Internet access and we give them access to a conferencing system called Firstclass Within this system are a set of sub conferences related to their course plus a set of other conferences for general discussions and information I started and now run one of these conferences for virus information and help In its turn this conference has a sub conference that holds copies of the anti virus package Vet Anti Virus which students can download for free We have agreed a licence with Compu ter Associates who acquired developers Cybec in January 1999 to allow all OU students to download this software from our closed conferencing system or if appropriate a password protected web site I also post update files for other packages so that students can continue to use any other brand of software that they may have purchased and keep up to date drivers We are certainly not in the sales market of saying use th
17. is limited to installation on a single computer For multi server deployment or deployment of scanners onto PCs additional licences need to be purchased Presentation and Installation Normally this product comes on CD but the test version was installed from a downloaded self extracting file The first thing that happens when it begins the setup is to offer to check for the latest version via the Internet A choice of network is presented namely Windows NT Novell NetWare or other Choosing the NT route led to a request for confirmation that the computer was an NT Server on the designated domain Following on the default destination directory can be chosen or you can opt for a user defined location The next prompt asks whether the installation will be either for evaluation purposes or a full registration The latter requires a 17 character code supplied with the packaging to be entered If only a 30 day evaluation is required the installation can continue There follows a sequence of file copying and then an option to install an on line alert facility This sends a detection message to a specified email address For this facility to operate an email address and SMTP server need to be designated This option was not used on the test configura tion The next option is to obtain automatic downloads of updates There follows a warning that sandboxes for some Internet enabled applications are placed in learn mode This lasts for
18. number of their viruses actually causing many problems was quite small too especially considering the number of viruses known to exist the number of computer viruses which were reported spreading in the wild was 71 13 with a total virus count of about 3200 14 During this time there were virus writers known and unknown working on their own and working in groups like Phalcon Skism RABID NuKe Trident and SLAM They used handles like Dark Angel Attitude Adjuster and Aristotle They wrote viruses placing them on publicly accessible BBSs FTP sites and WWW sites and they kept some to themselves 15 In some cases they sent viruses only to anti virus research ers because while they wanted to show they could write proof of concept viruses they did not want to release them to the general public They wrote viruses that were not released in any way into cyberspace for lack of a better term and never caused anyone any problem other than necessitating their inclusion in scanners just in case they wrote viruses that they did release into cyberspace causing all sorts of problems They made source code available and they kept code just for their private individual use or just for use within their own group They dedicated their viruses to various people they used some viruses to promote their own groups or identities and they left some viruses completely anonymous They attended secondary schools and Universi
19. publishers 14 VIRUS BULLETIN JUNE 1999 FEATURE 2 pOLEmorphism Andy Nikishin amp Mike Pavluschick Kaspersky Lab D ja vu was our first impression when we started examin ing the polymorphism of OLE viruses We have seen this all before Before we examine macro virus polymorphism let us look back and see how it started with file viruses About ten years ago there were simple viruses like Vienna or Yankee though it must be said the latter is rather a complex example which took a couple of days to analyse These viruses were not encrypted Then came the age of encrypted viruses like Cascade Proud and Words The first polymorphic virus called Chameleon became known in the early 1990s The problem with polymorphic viruses became really serious a year after that in April 1991 with the worldwide epidemic of Tequila the analysis of which took more than a couple of days Finally in early 1992 we saw the first polymorphic engine MtE Suddenly you could get a polymorphic mutant virus from a conventional non encrypting virus by simply linking object modules the polymorphic OBJ file and the virus OBJ file together All virus researchers were surprised and shocked anticipating lots of new polymorphic viruses and wondering how to detect them Now all modern anti viral scanners can detect strong polymorphic viruses Virus construction kits appeared alongside polymorphic viruses These kits facilitated the gen
20. specific holes Summary As we have seen in many of the more recent incidents malicious logic threats have the ability not only to disrupt and corrupt data but also to send data outside an organiza tion potentially exposing the data or the company to unfriendly recipients With increased capabilities of viruses Trojan horses and other forms of malware it is no longer enough to install an anti virus product on particular platforms and consider yourself protected When the traditional barriers break down a cohesive and effective process must be poised to manage and respond to the resulting incident Most elements of an effective response cannot be bought off the shelf These elements are knowl edge experience and skill it takes preparation and time to incorporate them into your working environment It takes more than anti virus products and a few technicians to prevent manage and recover from malicious logic attacks VIRUS BULLETIN 1999 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 99 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers 18 VIRUS BULLETIN JUNE 1999 PRODUCT REVIEW 1 DialogueScience AntiVirus Kit v3 0 The spotlight this month falls upon a Russian product as we take a look at DialogueScience s AntiVirus Kit DSAV The complete
21. the macro content of such a file will actually trigger ADinf32 into thinking that it has changed additions to the content of the document or spreadsheet are ignored Using Advanced Diskinfoscope Without a hard copy of any user manual to hand there are two ways of approaching ADinf32 either peruse the help files religiously noting down the important points or just point click and use the on line help when necessary Initially the latter approach was chosen and the ease with which the program was used bears testimony to the logical and user friendly interface VIRUS BULLETIN 1999 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 99 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers VIRUS BULLETIN JUNE 1999 19 As with any non essential utility program if ADinf32 encroaches too much into the user s normal routine it would not be used Pleasingly therefore the overhead in running ADinf32 is quite low When first executed it prompts the user to create the diskinfo tables for each of the fixed drives This process is reasonably quick approxi mately 15MB sec of data was catalogued during testing Subsequent disk scans were performed at a similar rate and so if scheduled to run at Windows startup they would be finished in the time taken to make t
22. the Smart Scan integrity file name VS VSN the path of the alert filename C ESPLAN VS95NT LOG and copy infected viruses to a quarantine directory C WIRUSES There are further options to add a bespoke message for virus notifica tion and the option to sound an alarm In addition there is an option to create an ignore list The default selection includes VSCHK COM CONFIG DOS SUHDLOG DAT ASMREC MEM BLOCK MEM VIRUS MEM VIRUS PGM and WIN386 S WP Updates Updates are provided for the duration of the licence by downloading from a secure eSafe site The ESP Gateway can be configured to download and install updates auto matically on a regular basis The update facility is available under the environment section and can be obtained from a downloaded file a floppy or a directory on the LAN Scanning Overhead To measure the extra work performed in detecting a virus a diskette comprising 26 EXE and 17 COM files was scanned The scan was repeated with the files infected with the Natas 4744 virus It took 36 minutes and 30 seconds to scan 5 500 clean files with no false positives During the Clean set scan there were three instances when the scanner reported that it had skipped some files Detection Rates The eSafe Protect scanner was tested against the traditional Virus Bulletin test sets In the Wild Standard Polymor phic Macro and Boot Sector All the tests were conducted using the default scanner file extensi
23. virus and offer some general computing advice where the importance of learning how to manage files perform frequent backups and correctly use anti virus software is stressed Following this the use of ADinf32 is described in detail with frequent screen shots to help familiarise the user with the product The principles of operation of ADinf32 are reasonably straightforward Upon disk scanning information concern ing the logical drives boot sector bad clusters and file tree is recorded Additionally a form of checksumming is used to verify the integrity of files a Cyclic Redundancy Check CRC of each is performed All this information is stored in data files referred to in DSAV as diskinfo tables When first executed ADinf32 has to scan the PC in order to build these files Once created they act as references to which fresh data from subsequent scans can be compared As well as the standard disk scan ADinf32 also provides a facility to search for stealth viruses For this it compares the information returned by the OS to that it reads direct from the BIOS Win9x or physical device WinNT any differences suggest of a suspected stealth virus infection DSAV uses different CRC methods depending upon the format of the scanned file Of particular relevance to current computer virus threats ADinf32 parses the macro components from Word and Excel files and includes only this information in the file CRC Thus only changes to
24. 28 VAT for the Client version For details contact Phillip Benge Tel 44 171 3726666 fax 44 171 3722507 or email benge enterprise net CompSec 99 the 16th World Conference on Computer Security Audit and Control will take place from 3 5 November 1999 at the QE2 Centre Westminster London UK A Directors Briefing will be held on 4 November Conference topics include malicious software firewalls network security and Year 2000 contingency planning For more details contact Tracy Stokes at Elsevier Tel 44 1865 843297 fax 44 1865 843958 or email t stokes elsevier co uk The call for papers for the ninth annual EJCAR conference has gone out The deadline for submission is 1 July 1999 The First European Anti Malware Conference takes place in Brussels Belgium from 4 7 March 2000 A broad range of topics for papers include malicious code unwanted side effects or malfunction network security the information age and society cryptography privacy and anonymity new media and e commerce For more information visit the web site http www eicar dk VIRUS BULLETIN 1999 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 99 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers
25. 5 the updates for the staff were posted and by mid day Technology machines had the updates installed These updates are also used by the rest of the University and the relevant areas responded in the same way proving that even a diverse operation like The Open University can update staff and students efficiently Even so this event is making us look at the internal strategy again to see if we can improve response times I think that I have a different problem from most supporting staff and students in virus protection and I hope that this gives an insight in how we have tackled the problem with no students on site We are now trying to get to grips with the larger problem of educating all 200 000 students rather than just those on line Interesting logistics problem Let s not forget that we also have the job of looking after the staff of the University without them the students would not be able to study All virus reports go via either Roger Moore in our Aca demic Computing Department or myself and between us we have a database where we log these reports This gives us an idea of the viruses seen by staff and students and shows how students at home see a different set of viruses from the set seen by members of staff This information once verified is passed to VB for inclusion in the Prevalence Table once a month Final Word At VB 98 Vesselin Bontchev stated that people like myself and plenty of others in the same line of
26. B and independent consultant New Zealand Register Now Virus Bulletin 9th Annual Conference 30 September 1 October The Hotel Vancouver Canada Call Jo Peck 44 1235 555139 email jo virusbtn com http www virusbtn com B99 VIRUS BULLETIN 1999 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 99 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers 6 VIRUS BULLETIN JUNE 1999 VIRUS ANALYSIS 1 Beast Regards P ter Szor Data Fellows Anarchy 6093 a DOS COM and EXE infector and also the first known binary virus able to infect Word 6 documents appeared almost two years ago see VB October 1997 p 6 Not surprisingly we have not seen many other viruses like it since hacking document formats to add macros into them is not an easy task On the other hand Navrhar created by a Slovakian virus writer tries to infect known VxDs when an infected document is opened by dropping a 32 bit dropper There are a few other examples but all of them share the same kind of limitations These viruses often corrupt documents during infection since the algorithms used are not at all reliable Navrhar saves its binary dropper to the end of the documents Using this approach the dropper code can be lost from documents when an infected fast saved document i
27. ISSN 0956 9979 JUNE 1999 NWT TT TON B U L L iti VUI THE INTERNATIONAL PUBLICATION ON COMPUTER VIRUS PREVENTION RECOGNITION AND REMOVAL Editor Francesca Thorneloe Technical Consultant Fraser Howard Technical Editor Jakub Kaminski Consulting Editors Nick FitzGerald Independent Consultant NZ Ian Whalley Sophos Plc UK Richard Ford Independent Consultant USA Edward Wilding Maxima Group Plc UK IN THIS ISSUE Oh dear oh dear oh dear Virus Bulletin At long last the Letters page makes a comeback in this issue Love it or hate it it s your way to have your say starting on p 4 Define your terms Find out all you need to know about polymorphism Two researchers from Kaspersky Lab set the record straight on p 14 e Don t panic Our tutorial this month paves the way for future corporate case studies In clear and easy to follow steps the actions to take in the event of a virus or malware outbreak on your system are documented on p 16 CONTENTS COMMENT Flashback When the Chips were Down 2 VIRUS PREVALENCE TABLE 3 NEWS 1 Two Be or not Two Be 3 2 ThanY2Ks for the Memory 3 LETTERS 4 VIRUS ANALYSES 1 Beast Regards 6 2 Papa Don t Preach 8 A DAY IN THE LIFE Educating Who 10 FEATURES 1 Virus Writers Part 2 12 2 pOLEmorphism 14 TUTORIAL When Barriers Break Down 16 PRODUCT REVIEWS 1 DialogueScience AntiVirus Kit v3 0 18 2 eSafe Protect Enterprise 21 END NOTE
28. S AND NEWS 24 VIRUS BULLETIN 1999 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 99 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers 2 e VIRUS BULLETIN JUNE 1999 COMMENT c lt It was a real world computer catastrophe 99 Flashback When the Chips were Down Black Monday 26 April was doomsday for thousands of computers in many countries Corpora tions stopped working due to destroyed PCs newspapers were neither printed nor delivered about 50 of banks in one ex USSR country were unable to process transactions one company was unable to send the year s report to the tax office Tech support phones were hot as hell tech support staff had no time for tea or cigarette breaks Destroyed hard disks corrupted Flash BIOS chips lost work time and money these are true stories and I personally saw a woman crying because her husband lost several years worth of work She asked about recovering the hard drive The black trail of destruction started in the Far East where day begins and followed the time zone covering the world People entered offices turned on their computers and lost them Those who had infected PCs at home lost data later when they returned from the office It was a real world computer catastrophe and I can t recall a more powerful on
29. additional load of an application accessing files e Deselect virus scan Sandbox and Firewall e Program unloaded run after the server tests to check how well the server is returned to its former state The timing results proved difficult to assess When the creation and reading tests were run they gave low overhead compared with the baseline When the virus detection was turned off along with the Sandbox and Firewall options the speed test was actually faster than the baseline A similar result was reported in the March Comparative Review Perhaps the marketing spin should be load eSafe but don t run it and it will improve your server s performance This is the first set of tests using Windows NT v4 0 Service Pack 5 and it appears that the base setting is slower than under Service Pack 3 Summary Although eSafe Protect comprises a number of facilities for Internet protection the main emphasis of this review was the anti virus component of the product The concern about detection rate at the beginning of the article seems well founded Although the detection rates were on a par with previous results from the March Comparative Review for this engine they still appear to be on the low side compared with other scanners Although focused on the anti virus aspect of the product it is interesting to see this type of product evolving to counter the new threats posed by the Internet If the detection rates can be improved t
30. ailbox is also the place where virus reports from other Technology Department staff arrive We have the software that they use set up to mail a report to me if a virus is found This report lets me know if I need to help as its not been cleaned or if it needs following up to find and notify the source The last mailbox is my private box and that one normally has messages from family friends and the Virus Info List I also spend time looking at the major anti virus web sites including Virus Bulletin to see if there is any new informa tion that needs passing on to staff and students This can be done in a couple of ways in the Firstclass conference or via http antivirus open ac uk the Technology Department s anti virus web site Which Viruses Do I See The two different environments of staff and students provide a varied range of viruses Since January 1999 the viruses seen by staff at the OU have in the majority been macro viruses plus a lot of Trojans and joke programs like Geschenk The range that has been reported by the students shows more diversity with Boot Sector File infectors and Macro viruses taking equal shares CIH has shown up a few times this year with five reports on the 26 April The problem is not getting the software to the users but getting them to use it How can you get a home user to download and install it on their own machine used for work and fun The only method I have in this type of environment is
31. ally In terms of scanning speed DrWeb32 has changed little from that reported in recent Comparative Reviews lying on the slower end of the scale relative to other anti virus scanners If using the DSAV package however the scanning speed of the anti virus module is less important than that of the integrity checker since only selected new or modified files will regularly require scanning SpIDer Guard provides the on access component of anti virus protection Following installation and a system rebbot it is automatically started but can also be loaded from the Start Menu An icon in the taskbar confirms that SpIDer Guard is loaded and double clicking the icon gives access to the configuration options These are very straight forward and reminiscent of those for DrWeb32 Detection Rates Throughout recent comparative reviews DrWeb32 has shown itself to be up there with the big names in terms of detection rates setting an example to some major products This time around detection rates were excellent again For both on demand and on access scanning 100 detection against the ItW file and boot and Polymorphic test sets was matched by 99 9 detection in the Standard and Macro sets Templates infected with W97M Boom A De and W97M ZMK F and a Win32 Ska infected DLL file accounted for the misses during on demand scanning SpIDer Guard missed these samples also as well as MDB files infected with A97M AccessiV A and B variants Co
32. annot be read until you have already installed the product The usual choice of typical compact or custom installations are offered by InstallShield following which a summary of the components the user has selected to install is shown In choosing a custom install options to install ADinf32 DrWeb32 and SpIDer Guard for Windows are provided Once the chosen options are confirmed file copying takes place Subsequently the user is prompted to reboot the system when installing on an NT machine but not on Windows 9x machines despite the fact that changes to system files have been made in all cases Upon rebooting two icons are placed on the desktop to load either DrWeb32 or ADinf32 Alternatively each of the programs can be loaded from the Windows Start Menu What is Advanced Diskinfoscope Strictly speaking file integrity checkers are not pure anti virus products However a product capable of monitoring the size date attributes and in some cases content of files is certainly a logical weapon to use in the anti virus war It is with this in mind that Dialogue Science have integrated Advanced Diskinfoscope into DSAV The product is supplied in two versions a 32 bit version ADinf32 for Windows 9x and NT and a 16 bit version ADinf for use in DOS and Windows 3 xx environments The help files for ADinf32 are well set out and reasonably thorough The first few pages present a brief description of the various types of computer
33. are seen Containing the Breach When malicious logic or indeed an intruder has compro mised a system or network and thwarted the protective barriers a concerted effort must be made to contain the spread of the virus or other malicious code The actual mechanisms to isolate the affected system s will vary but disconnecting the affected area from external or internal contact via a network or user is generally the best approach Disconnect all affected systems from the network thus you will prevent the malicious code from spreading This is particularly useful if the virus is spread via email In some cases you also prevent it from performing its payload which may include sending information via FTP or from pinging a remote site Block adversarial IP addresses or close ports depending on the nature of the malicious logic the payload may include uploading information via ftp to a remote location potentially a hostile or competitive organization In these cases disabling the use of certain ports can help to contain the virus and to prevent you from advertising to an adver sary that you are indeed infected Investigating the Incident Once you have quarantined the affected systems and contained the breach an investigation as to the source and type of breach and the potential recovery methods must be completed as quickly as possible An analysis of the audit data and an inspection of the system s is necessary to determi
34. ational emergency and government cover ups and conspiracies surrounding the year 2000 date change The Prevalence Table includes a total of 215 reports across 48 further viruses Readers are reminded that a complete listing is posted at http www virusbtn com Prevalence Not content to sit back and watch his life s work declared a national secret he vowed to sell his books off cheaply and quickly for the good of society The Little Black Book of Computer Viruses The Virus Creation Labs and other classics along with inexplicable but perhaps more intriguing titles such as The Quest for Water Planets were offered at cut prices to like minded survivalists Distribution of virus types in reports Multi partite Boot A slave to his own perceptions Ludwig warned about financial meltdowns and infrastructure crashes come the year 2000 Justification perhaps for demanding cash any major currency we re easy backed up by longwinded explanations about politically incorrect companies having had credit card funds seized Enough said His illogically juxtaposed predictions for widespread panic by December 1999 or February 1999 seem unlikely but VB joins him in suggesting if you haven t purchased a year s worth of dehydrated food yet it s probably too late anyway E VIRUS BULLETIN 1999 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 99 0
35. cts viruses and removes them when found Changing some one s software configuration is a big no no from way back It is time this changed Way back most PC users were relative experts Nowadays this is not so Most virus victims are surprised that their anti virus software does not reset all the changes made by the virus they were unfortu nate enough to have run That these changes often cannot be correctly reversed programmatically is a good reason not to attempt many of them The case of the virus protection options in Office applications is different Viruses are more prevalent than ever and macro viruses make up the bulk of infections More new viruses arrive from customer sites than in the past The only chance most users have against new macro viruses is the built in warning options Microsoft provides Successful macro viruses disable this weak line of defence the first chance they get any form of protection should do the opposite Demand this feature from your anti virus developer Insist that it should not be a configurable option if it is the bad guys will just add another few lines of code to their creations to disable this fix The piffling number of users who need the warnings disabled will know how to fix this and if they really are expert enough to do without this warning they should never need to clean a virus anyway so it will not inconvenience them Nick FitzGerald Ex Editor of V
36. der to put an end to it The first macro detection engines built on the infected macro s name to seek for macro viruses Virus makers took advantage of this weakness in macro scanners to create the first semi poly morphic macro virus WM Outlaw Its technique is polymorphic in that it changes its macro names on every infection and stores them in WIN INI If Word is restarted the virus reads the names of the macro from WIN INI The names generated are just a character plus a number e g A326 or RT898763 The reason that it uses characters at the beginning of the name is that Word can only use macros that begin with one The polymorphic mechanism of this virus was extremely simple but its source code rather big The virus gets the current time and depending on the current hour generates the first letter for a future macro name the rest of it the virus generates using Word s random generator Outlaw caused some detection trouble to those anti virus companies which did not employ a good macro engine The First Real Polymorphic OLE2 Viruses WM FutureN is generally considered to be the very first polymorphic Word macro virus It generates random names and uses WordBasic s EditReplace command to change the original name to generated ones During its spread the virus changes the name of its macro and that of only one of its arguments but it still illustrates how to write Word 95 polymorphic viruses Using such technologies several poly
37. detected this time round Real time Scanning Overhead To determine the impact of the scanner on the workstation when it is running the following test was executed 200 files of 21 MB a mixture of DOC DOT XLS XLT XLA EXE and COM files to reflect typical file types being moved were copied from one folder to another using XCOPY The folders used for the source and target were excluded from the virus scan so as to avoid the risk of a file being scanned while waiting to be copied The default setting of Maximum Boost for Foreground Application was used throughout for consistency Timing tests were run with Standard scan rather than SmartScan to avoid the overhead of generating the integrity files Due to the different processes which occur within the server the time tests were run ten times for each setting and an average taken The tests were as follows e Program not loaded establishes the baseline time for copying the files on the server e Program installed scanning files being created tests the impact of the application scanning files as they are created on the server e Program installed reading files only tests the impact of the application scanning files as they are being read e Program installed scanning both creating and reading files tests the impact of the application scanning files when being created and read e Program installed scanning both creating and reading files and running manual scan tests the
38. e I approximate the result of the CIH epidemic as half a million incidents five hundred thousand computers destroyed in one day The US and western Europe escaped the carnage maybe because they had already been scared by Melissa Newspapers TV and radio waved flags about it for several days people duly updated their anti virus software and the virus had no chance of surviving Maybe there were fewer incidents in these countries because people there had already got accustomed to using anti virus software and paying attention to the virus problem What about the victims of the disaster Don t say they didn t know about it they did I m sure anti virus companies the world over beat their biggest and loudest drums about 26 April Did users dismiss it as the usual advertising trash Does that mean there is too much trash in anti virus advertising so users switch off Maybe Did the victims follow the rule it will never happen to me That s more likely They did know about the virus they did know about black Monday they did pay attention to the anti virus press releases but they did not obtain and run don t mention a complete anti virus package even a single free small utility to detect the virus in the system there were several such programs released by anti virus companies And so the lemmings died What about the Taiwanese originator of the disaster He has been caught and the whole incident investigated I
39. e it through one must know what is protected behind the barriers when it changes and what the changes may mean Traditional processes like configuration management auditing and user awareness are all good ways to be able to identify the symptoms of malicious code in addition to any installed anti virus product that is running on a given platform Configuration Management knowing your system content and configuration is essential to enabling you to detect when something has changed Such things as configuration control and integrity checking can provide visibility into changes in a system or network User Awareness you can have eyes and ears at every level of the system When users are provided with good guidance and clear reporting procedures they are able and willing to report suspicious activities and can sometimes be your early warning system Review of Auditing Information turn on any auditing that is available This will provide additional information about unauthorized access and file changes that can identify a possible attack Auditing can also help to piece together what occurred after an attack is identified Capture enough audit data to make it meaningful but not so much that the system performance is severely impacted When reviewing audit data look for unusual port usage unauthorized file access file permission changes and connectivity with suspicious sites or organizations particu larly where file transfers
40. e recently been added ee E Using DrWeb32 Fairly standard configuration options are offered by DrWeb32 but there is no concept of user profiles to enable specific tasks to be set up and then repeatedly performed by a single click Instead changes to the configuration must be made manually prior to each scan By default files are scanned By format although this can be changed to All files Selected types i e by exten sion or User masks Archives and packed executables are included in the scan and there is an option to scan E mail files although this is greyed out unless the Mail module of DSAV is also installed Currently the product is only designed for use on workstations and so infection reports are only written to a log file and to the screen Presumably as the product is developed to provide network functional ity remote reporting options will appear The action DrWeb32 takes upon finding an infection depends on whether the file is considered infected incur able or suspicious Options to report only attempt cure delete rename or move the files in question are provided for each of these three conditions As is becoming increasingly popular in anti virus packages a facility to obtain updates from a remote site is provided and assuming the user has a valid username and password they can be obtained weekly or monthly on a day of your choice from the DialogueScience FTP site automatic
41. ed in Workbook_Open a function which is part of the ThisDocument module This technique has become very popular as it is an easy way to prevent most users from seeing any suspicious macros in the Tools Macro dialog When a document containing the worm is loaded in Excel the Workboook_Open function takes control First the code disables the CTRL BREAK ESC or COMMAND PERIOD combinations which can be used to stop the macro from running After that it resets the native random number generator of Excel and tries to instantiate an object of the Outlook type Needless to say this only works if MS Outlook is installed in the local machine If it is not installed or if the current system runs Outlook Express a reduced version of Micro soft s Mail Client the worm will not be able to spread However if Outlook is installed in the system the worm will try to spread First it will try to log into the default Outlook profile After that it simply goes through all the Outlook address lists and selects the first 60 entries It will also create a new email and add the first 60 entries of the respective address list to the recipients field of the newly composed message VIRUS BULLETIN 1999 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 99 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission
42. edure succeeds the virus tries to add the AutoOpen macro into the default code module using the AddFromString function The AutoOpen macro code is placed in text format in the data area of the virus body and it is encrypted with the method described above Beast decrypts the short macro code then adds it to the active document Document infection is complete Finally the virus tries to close the Visual Basic Editor As long as Beast is active in memory and the user tries to access the Visual Basic Editor the virus will close the application in a second at the end of its window procedure Payload The payload is called if the CD ROM device has been detected during initialization and the time is between 9 35pm and 7 12am In this time frame the virus opens and closes the door of the CD ROM shelf This happens about every 10 seconds all night long and can cause hardware failures pretty soon I can imagine the face of a guard watching a few hundred infected PCs in a large computer lab at night with opening and closing CD ROM doors Conclusion We can expect more and more modern multi partite viruses which support executable document infections This method will replace the BOOT COM EXE multi partite type in the very near future Unfortunately the OLE functionality makes it relatively easy to create such viruses This means that products which claim to handle macro viruses only will face new chal lenges since it is not enough to remove
43. elegate pack contact Jo Peck at VB Tel 44 1235 555139 fax 44 1235 531889 or email joanne peck virusbtn com Further details are on the Virus Bulletin web site at http www virusbtn com Workshops and courses run by Sophos in July 1999 include Advanced Internet Security on 6 July Implementing Windows NT Security on 7 8 July and Practical Anti Virus on 14 15 July All the sessions will take place at the organization s training suite in Abingdon UK For details on late bookings for June or to reserve your place in July contact Karen Richardson Tel 44 1235 544015 fax 44 1235 559935 or visit http www sophos com Central Command and Kaspersky Lab annnounce the release of the first integrated anti virus protection for Microsoft Office 2000 AntiViral Toolkit Pro for Microsoft Office 2000 offers protection against viruses in Word Excel Access and PowerPoint as well as via the Internet A special edition of this product may be downloaded for evaluation from http www avp com For more information contact Renee Barnhardt Tel 1 330 7232062 or email renee avp com Reflex Magnetics has launched Reflex Disknet Data Security for Windows NT v1 7 which includes a Program Security Guard PSG a powerful software module which claims to protect against viruses like Melissa Additional new features include the Reflex Macro Interceptor and Boot sector protection It is available now at 249 VAT for the Administrator and
44. eout to one millisecond to avoid unwanted delays Two IP addresses 207 222 214 225 and 24 1 84 100 are targeted by the PING commands These two hosts are in the ALL NET and HOME COM domains respectively It is worth mentioning the ALL NET domain is registered to Fred Cohen the same name as the one used in the subject field of the emails sent out by the worm Dr Cohen was recently involved in the shutdown of a VX site related to the Caligula macro virus a decision which clearly upset the author of the Papa worm According to a some reports they got around 1 000 PINGs per day which gives an idea of how prevalent the Papa worm is hopefully was On the other hand there are rumors that the PINGs were not generated by the virus but by its author s in order to trick the anti virus world into believing that the worm is becoming widespread This is not unlikely spoofing a PING source address is very easy and there are plenty of tools available This second hypothesis is also sustained by the fact that there were no Papa reports in the April WildList Of course the respective ICMP packets could have been generated by Papa but without further information this is pure theory General Observations We should first note that unlike Melissa X97M Papa does not set a marker if the macro was sent out to other users via email This can be seen as a design flaw because each time an infected workbook is opened t
45. eproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers VIRUS BULLETIN JUNE 1999 7 into the registry accidentally many times The virus tries to create a file mapping object called 3BEPb and checks if this object has the FDEEF40h mark at its beginning If it is not placed there the virus assumes that it is not in memory yet and tries to install itself otherwise it will simply terminate the executed dropper The virus code uses Structured Exception Handling most of the time to protect itself from visible crashes It gets the Windows system directory and searches for a DLL name there and randomly selects one e g SHELL DLL Then the virus checks if SHELL EXE exists If not Beast tries to copy the executed embedded copy into the system directory as SHELL EXE If this procedure is successful the virus tries to update the CurrentVersion Run field to include the name of the created executable SHELL EXE in this example Finally it executes this copy and terminates the other copy executed by the AutoOpen macro Installing the 3BEPb Window Procedure When the new copy of the virus is executed Beast checks again for its existence in memory Since this procedure has bugs in some cases it will install a new copy of the virus in registry again Finally one instance will call a procedure which registers a new window procedure called 3BEPb This procedure is created as a h
46. eration of virus source texts in form or assembler object modules and even the infected files themselves Needless to say generated viruses were rather different but we consider that viruses made in this way can be classed as legitimate polymorphs What is Polymorphism According to Eugene Kaspersky viruses are called poly morphic if they cannot be detected using so called virus masks parts of nonchanging virus specific code It also applies to those which can be detected this way albeit with great difficulty This is achieved in two ways either by encrypting the main code of the virus nonconstant key with random sets of decryption commands or by changing the executable virus code There also exist other rather more exotic examples of polymorphism A good example of this is the DOS virus Bomber it is not encrypted but the sequence of instruc tions which pass control to the body of the virus is itself completely polymorphic Polymorphic viruses exist in all kinds of forms from boot and file DOS viruses to Windows and even macro viruses Part 1 The Past Macros Windows 95 was released in August 1995 and the first macro virus was discovered It was WM Concept Nobody paid serious attention to that fact as a result of which virtually all the anti virus companies were not ready for what happened next There was a a macro virus epidemic and these companies started to work out quick but inad equate steps in or
47. etection problems because of the huge volume of garbage code This engine is used by W97M DMVCK1 C W97M Splash and others Every line of the Word 97 macro virus Sin has its own label A polymorphic engine changes label names and lengths randomly It is quite slow and makes unworkable code if any line of the original code has a colon in first 20 characters There is a modification of this engine which inserts garbage code like YY Y LLLV in certain places W97M SWLABS99 B uses another feature the Visual Basic interpreter If the string of virus source code ends with _ the next string of code is a continuation of previous one The virus gets its own code lines and splits them into several groups depending on a random counter The code is not changed too much but becomes quite unreadable and obstructs analysis of the virus Though most viruses use similar polymorphic engines there are some very unusual and original ones that use non standard solutions for example W97M Walker B Every line of code of this virus starts with a digital label and ends with a Goto statement pointed to the next line The first line of code is a jump to the first meaningful code line The virus mixes its code lines in random order but still works There is one more aspect of polymorphism in macro viruses manual polymorphism It is very easy to obtain the source code of a macro virus Therefore anyone can modify the original code Everyone
48. fixed and depends on the selec tion made File creation s action is to delete the file With file read and file execution access is denied There are three groups of settings 1 Recommended V file create action delete file X file read access denied V file execution access denied 2 Custom Any combination of the above options is allowed To change a selection right click to toggle the choice 3 Disengage scanner X file create action delete file X file read access denied X file execution access denied Scheduled Scan The scheduler can be defined to run unscheduled or scheduled once every hour every day every week every month The start time can be configured separately for time day and date The scheduler is integrated with the on demand scanner unscheduled and uses the same settings Administration The setup for administration can have a password to prevent unauthorized change There is an integral virus information list the test version was dated 12 May 1999 The virus portion of the module is handled in two parts Server administration is controlled by eSafe Console which also provides monitoring facilities eSafe Protect provides the configura tion options for the entire product The client programs provide support under Windows 95 98 DOS and Windows NT Under the environment option which is called from the Administrator program it is possible to change
49. gorise the question This means working out if this a virus report a Vet software enquiry some other anti virus package problem someone answering a query or a Is this a real virus or a hoax question On the subject of the latter I try to keep a sub conference up to date on all reported hoaxes getting my updates at Rob Rosenburger s excellent web site Computer Virus Myths CIAC or different anti virus vendors but students and staff still ask before reading the conference One of the other considerations I have to take into account is Is the user computer literate Some users questions can be quite technical and they can address issues which range from asking what a virus does requesting instruc tions on how to download the anti virus software even down to the question Does downloading the software protect my machine or do I need to run something OU students come from all walks of life Some of them are very competent computer professionals and even UK sales managers of anti virus companies For others it may be the first time they have used a PC I therefore have to figure out the level of expertise the user has and apply the correct level of explanation to match that expertise For those of you who can just walk up a flight of stairs to the user and give them a quick lesson in computer know how I wish These users are somewhere in the UK or in some cases around the world and I do not have the lu
50. han Our customer had already checked a different anti virus site where some of the most widespread viruses are listed Sure enough Ethan was listed as W97M Ethan with no version suffix As far as our customer was concerned it was enough for him to accuse me of not detecting a perfectly well known in the wild virus The virus was unknown to me and as far as exact identification goes it was a totally new version with a couple of new lines added VIRUS BULLETIN 1999 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 99 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers VIRUS BULLETIN JUNE 1999 5 It was a version of Ethan A similar to most variants floating around but still a new unknown one That would not be a problem but Ethan is known to avoid heuristics of some AV products including ours To make matters worse there are some anti virus programs out there which simply don t care about Ethan versions and detect them generi cally by adding a fixed size CRC There are products which can detect almost any new version produced by the Ethan virus snatching a perfectly innocent macro which had the bad luck to be stored before infection in the ThisDocument module That includes viral macros new Ethan versions can easily appear from multiple NORMAL DOT infecti
51. he morning cup of tea Scanning for stealth viruses was slower however with scan rates of approximately 5 MB sec being achieved The concept of profiles is used ne eee to configure and manage aie RCI teat es ADinf32 Besides the default T ooo and boot up profiles that are ee meme Ere part of the package additional customised profiles can be created in order to automate integrity checks of the system To facilitate this process it is possible to copy one of the existing profiles make the required changes and save it as a new profile Information as to what drives and files are scanned and what action should be taken if any changes are detected is stored within each of the profiles Thus it is possible to configure ADinf32 to scan certain file types or specific files folders at each or just the first Windows startup If changes are detected during a disk scan the user is prompted to view the results in an Explorer esque window From this window right clicking any of the displayed files enables options to Scan for viruses using DrWeb32 View properties or apply Special marks e g hide changes declare file as stable A detailed summary of all the changes is also written to a log file ADINF32 LOG and a list of the files in question are retained in ADINF LST Upon quitting ADinf32 the user is asked whether the diskinfo table should be updated to reflect the changes For changes that ADinf32 considers non suspiciou
52. he worm will send itself to the first 60 recipients in each Outlook address list There is really no reason to send someone a contaminated workbook more than once except maybe in the hope that if the user does not run Excel to check the workbook the first time they will eventually get bored after five or six such emails and open the worksheet to see what it does Another interesting feature of this worm is the GUIDs in the original documents posted to USENET With Melissa they provided some useful information about the computer the virus was written on as the MAC address of the network board was included in the GUIDs For Papa the same information is useless The author of the Papa worm was probably familiar with this technique as we can see from a message posted to alt comp virus in which he blames Microsoft for violating users privacy via inclusion of personal information in the GUIDs However while he was overwriting the GUIDs with trash 0x36 he also patched some fields of the _VBA_PROJECT_CUR PROJECT stream which resulted in a password protected VBA Project module Therefore a suspicious user trying to inspect the emailed document will not be able to see the worm source without special tools Conclusion The Internet is starting to play an important part in our lives Services like email are becoming available to more and more computer users and the danger of getting a virus or worm this way is becoming a reality Cases
53. hen this could be a useful tool for a site administrator particularly in schools eSafe Protect Enterprise for Windows NT Detection Results Test set Viruses Detected Score n the Wild Boot 44 44 100 0 n the Wild File 519 526 98 7 Standard 1217 1265 95 9 Polymorphic 13968 14444 96 7 acro 2526 2773 91 1 Overhead of On access Scanning The tests show the time in seconds taken to copy 200 COM and EXE files 21 MB Each test was epeated ten times and an average taken Time Overhead ot loaded 22 0 Loaded creation 22 2 0 87 Loaded reading 22 5 1 97 Loaded creation reading 22 1 0 38 manual scan 24 0 8 93 Technical Details Product eSafe Protect Enterprise Developer International Aladdin Knowledge Systems Ltd 15 Beit Oved Street PO Box 11141 Tel Aviv 61110 Israel Tel 972 363 62222 Fax 972 353 75796 UK Aladdin Knowledge Systems UK Ltd 1 William Street Windsor Berkshire SL4 1BB UK WWW hittp www aks com and http www esafe com email esafe sales aks com or info esafe co uk Price 10 to 40 per seat dependent upon quantities Hardware Used Workstation Compaq Prolinea 590 80 MB of RAM 2 GB hard disk running NT Server v4 0 SP5 Virus Test sets Complete listings of the test sets used are at http www virusbtn com Comparatives Win98 199905 test_sets html VIRUS BULLETIN 1999 Virus Bulletin Ltd
54. her anti virus products in the InoculateIT range Updates are provided via a Live Update applet and the web Registered users can request technical support by email but a disclaimer on the web form offering this claims such support initially is only available to North American customers Apart from the CAI splash screens InoculatelIT PE should be familiar to users of Vet Anti Virus This is the first free fully featured scanner offered for NT and Windows 9x with unlimited updates on demand and on access components plus technical support its impact on the home user small office market will be watched keenly Details can be obtained at the web site http www cai com antivirus personal At this year s Secure Computing Award ceremony in London Network Associates received the Academy Award for Best Anti virus Solution for VirusScan v4 0 and the Special Award for Best Security Software for PGP v6 0 Symantec won the Reader s Trust Award for Best Anti virus Product for Norton AntiVirus v5 0 Information Systems Auditor is a new UK monthly publication which covers all aspects of computer security including Y2K risk assess ment legality issues fraud and viruses A limited free trial offer is available Tel 44 1993 824130 or email sales intnews com Registrations are now being taken for VB 99 to be held in Vancou ver Canada from 30 September 1 October For your copy of the conference brochure or registration information and a d
55. idden window of the actual instance of the virus Microsoft s Spy application can be used to find this window easily otherwise it is hidden After this the virus sets a timer A WM_TIMER message will be generated by Windows very frequently with the 645h ID from then on Then the virus waits in a loop until shutdown and halts itself The hidden window procedure waits for the WM_TIMER messages all the time The Window Procedure The 3BEPb window handles three incoming windows messages The virus kills its timer or halts execution in the cases of WM_DESTROY and WM_CLOSE When a WM_TIMER message is coming in the virus checks if this timer messages has the 645h ID and if so it terminates the timer temporarily Next it updates the registry under 3BEPb Startup with the actual time Then it starts to use OLE functions and tries to get a handle to the active document object of the running the Word application When this function fails the virus checks for the payload conditions and calls its payload routine After this it restarts its timer again and returns When a handle to an active document is available the virus calls its infection module First it tries to check if there are any embedded objects in the document but in some cases this routine seems to fail since the virus sometimes adds multiply embedded executables into the documents Then it tries to add the executable C I EXE as a Shape into the document named 3BEPb If this proc
56. ilities spreads around the world in a matter of days and stopping the epidemic requires lots of work and attention In the past two months we have witnessed two such unfortunate examples namely the Internet worm Happy99 also known as Win32 Ska see VB April 1999 p 6 and the recently encountered macro virus W97M Melissa VB May 1999 p 5 There are also similar viruses or worms perfectly able to spread over the world and hit thousands and thousands computers which tend to get overlooked because of the success and notoriety of some of their bigger brothers A case in point is the Excel 97 worm X97M Papa The History A few days after the Melissa virus began its ascension an X97M Papa A dropper document was posted to USENET Fortunately this 16 896 byte document contained an intended version of words an End If Compile error instruction was AN missing from the Block If without End If source so the respective code threw up an error when the document was loaded in Excel The document itself was supposed to contain a list of XXX passwords Instead it contains the following text located in the E column El http all net E4 For ALL the Latest XXX Passwords ES Free If this original document is loaded in Excel an error message box is opened stating Compile error Block If without End If At the same time Excel opens the VBA Editor with the worm source highlighted at the faulty line Thus
57. ion 21 Private Communication 1999 Used with permission 22 Dibbell J 1995 Viruses are Good For You WIRED 23 Myers S 1995 Computer Viruses The Infection Spreads to Japan Computing Japan 24 Cohen F 1991 Trends in Computer Virus Research ASP Press 25 Stojakovic Celustka S 1994 The Legend Fred Cohen Alive Volume 1 Issue 1 26 Peterson P 1999 Used with permission 27 Internic 1999 WHOIS Registrant DataFellows Ltd DATAFELLOWES DOM 28 Gordon S 1993 Virus Exchange BBS A Legal Crime From the Proceedings of The Use and Abuse of Computer Networks Ethical Legal and Technological Aspects American Association for the Advancement of Science National Conference of Lawyers and Scientists 29 In 17 30 In 28 31 Gordon S 1999 Viruses in the Information Age A presentation pre print for The BlackHat Briefings National Computer Security Center and Secure Computing Las Vegas Nevada 32 Ahern T amp Durrington V Effects of anonymity and group saliency on participation and interaction in a computer mediated small group discussion Journal of Research on Computing in Education Vol 28 Issue 2 VIRUS BULLETIN 1999 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 99 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the
58. is familiar with the examples of this W97M Wazzu XM Laroux and W97M Concept Virus Constructor Kits A virus constructor does not constitute a virus by itself Virus constructors are special tools which generate new viruses without the use of programming VicodinES Macro Poppy Construction Kit or VMPCK for Word 97 is the most notorious constructor It can create viruses based on four fundamental parameters infection strategy 14 variants stealth procedures 6 variants payloads and triggers 10 variants and extra code 9 variants This kind of badware may cause a headache for virus researchers Part 3 The Future Office 2000 It is always a little daunting to predict the future what if predictions come true When we discussed this article we tried to dream up a future for macro viruses and we were afraid of our ideas It is not too difficult to make links with the past Just imagine by using VBAS features a virus is able to modify its code beyond recognition during run time which can make it very hard to detect Using polymorphic engines together with encrypted code may result in time to improve our scanner VIRUS BULLETIN 1999 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 99 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers
59. is or that software if it turns out that students have already bought a package we try to offer some support If they have not at least we can offer one for the duration of their study time at The Open University This idea of supplying software and help to such a large number of students is probably unique in education but the method of teaching employed by The Open University lends itself to this type of dissemination of information It takes teaching a stage further in that we teach the main courses but offer advice on virus problems facing all students who use computers in study and work Email Anyone So how does my day start The first thing I have to look at when I get in to work is my email all seven mail boxes plus two main conferences Two of the mail boxes feed in to the third and they are on the Firstclass system where most students post messages On Firstclass I have the mailboxes for an IT support conference which I monitor and the main Anti virus Support conference the most important conference Here is where students post the highest number of mes sages ranging from problems with the implementation of Vet Anti Virus through virus reports to the obligatory I know this is not the right place but notes Of the messages received in this conference 95 are virus related and on average there are about 10 to 15 each morning Sifting through them can take time Each one has to be read and I have to cate
60. iters and their behaviours is both yes and no One purportedly new idea is something called in its current incarnation Project Zero It was designed as an experiment which should show what would happen if nobody in the VX community released viruses to the public any more for an arbitrary time period of for example one year 19 While this may seem noble one goal of such a project could be to lull the anti virus developers and users into a false sense of security Despite its emergence as a novel idea the same idea was tossed around by NuKE affiliates in the old days 20 Be it vortex or vacuum the idea is the same just dressed up in millennium garb Another new idea is that viruses are actually evolutionary programs In particular several virus writers have recently mentioned to me 21 their belief that replicating code could be used to explore various concepts of artificial life This is certainly true but not a new idea it was explored long ago in 22 23 to cite just two examples Addition ally these types of experiments in authentic artificial life concepts are worlds apart from virus writing and should probably not be mentioned in the same breath Then there is the idea of viruses that could be good entities also frequently cited as a new idea discussed several years ago in 24 25 Padgett Peterson well known anti virus and general security expert says it best I have never
61. like Happy99 Ska and Melissa are not accidents and we now need to educate and inform our users more than ever about the new threats arising at the dark rim of the Net X97M Papa Name X97M Papa A and X97M Papa B Aliases acro Word97 Papa A B Type Email propagated worm written in VBA and running in Excel 97 Trigger Activation date Payload With a one in three probability it launches PINGs directed to one of the following two IP addresses 207 222 214 225 or 24 1 84 100 Detection and removal Use an anti virus program able to detect and remove the worm An anti virus solution implemented at the mail router server level is recommended VIRUS BULLETIN 1999 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 99 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers 10 VIRUS BULLETIN JUNE 1999 A DAY IN THE LIFE Educating Who David Phillios The Open University UK First things first what is The Open University or OU It is a UK teaching establishment that has a central office in a town called Milton Keynes In the middle of the English countryside it is fifty miles from London or Birmingham and two hours from the nearest beach The University employs around 7 000 staff of whom approximately 3 000 work in the
62. morphic macro viruses were created for example WM MiniMorph a very small virus which does not have arguments with a constant name Then came viruses which inserted random comments and labels into their code WM PolyPoster WM Junk and finally WM UglyKid The latter virus see VB October 1997 p 8 uses quite a complex polymorphic engine Different infected files have variable sets of commands in the virus macros Depending on a random counter the virus inserts garbage code after every line of significant code which gets random data or the current time or inserts a comment string or leaves this line blank Mutating this way the virus can overgrow its size To avoid this it creates a new macro instead of copying the old one It uses quite a complex method to hide its main code in documents and templates the main virus code is placed in the AutoText area and the virus macros VIRUS BULLETIN 1999 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 99 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers VIRUS BULLETIN JUNE 1999 I5 just read it from there copy the text to the macros area and execute it This was the first known virus to hide itself in this way which is very difficult to detect The Word macro virus K302 has an unusual structure the text
63. n some cases complete recovery may include labour intensive steps depending on the payload and complexity of the attack In addition complete recovery will also include the verification of the eradication effort such as rescanning a system once a virus is removed Notifying Others of the Breach There are three main parties who should be notified System Administrators informing the administrators of systems or networks connected to yours as well as poten tial sources and recipients of the virus will aid in the containment of the infection It will also allow other system administrators to be on guard for suspicious behaviour on systems under their control Management it is very important to keep management informed If there is a need for a legal investigation management needs to be aware of the circumstances and potential impact of such an investigation Another impor tant aspect of this is management s ability to provide concurrence and enforce compliance with recommended actions easing the pain of performing some unpopular and adverse actions such as disconnecting services or users from the network during an incident Users as mentioned previously they are the eyes and ears for the system Unfortunately they are also the hands that introduce malicious logic into the system Keeping users informed can aid in the containment It is not imperative nor should it be encouraged to provide them with details Ho
64. nclusions As with other similarly packaged programs that are avail able the question of integration between the modular components is of particular interest In DSAV s case the results suggest that integration has only been weakly implemented thus far Notably the package could be greatly improved by altering the way in which changes detected by ADinf32 are handled The issue of updating the data files diskinfo tables of an integrity checker with recent changes to the system is of fundamental importance to its successful operation After all updating the data files to include potentially infective files essentially validating them completely undermines such a program It is interesting therefore that upon detecting non suspicious changes to the system ADinf32 prompts the user to update the diskinfo tables prior to scanning the files in question with DrWeb32 Another area which needs attention is the handling of PowerPoint and Access files by the ADinf32 module O97M Triplicate D made its premi re on the WildList last month and with the current prevalence of macro viruses this is a matter of some importance The developers have informed VB that extensions to the package to include a 32 bit ADinf Cure module to aid file recovery Windows NTFS support and network administra tion are under way Coupled with the resolution of the few problems uncovered during testing such additions will no doubt fortify what is a promising pr
65. ne the source and scope of the breach Analyse logs damage assessment is usually done by reviewing the audit logs from the system or network for changes in configurations unknown entries unauthorized file access unsuccessful password attempts and suspicious network activity Careful analysis may provide a clearer picture of how the malicious logic entered the system what it did once it arrived and where it may have travelled some relatively recent viruses have carried a log along with them providing a kind of travel itinerary Inspect the system s looking for Trojan horse programs or other forms of malicious code is crucial to the successful recovery of the system and can shed light on the extent of VIRUS BULLETIN 1999 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 99 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers VIRUS BULLETIN JUNE 1999 17 the damage or infection An active configuration manage ment process that manages the standardization of system configuration and the verification of the integrity of the system facilitates this Not only should you look for the immediately obvious items look for backdoors that may have been inserted during the system compromise such as automated scripts which upload potentially sensitive data to a remo
66. nge are displayed with the changes highlighted ama ems SE e The user has the option of Hia restoring the original configu L ration although it would be nice to have the option of scanning the boot sectors for viruses prior to this decision since the change may be due to a legitimate reason DrWeb32 anti virus scanner Lovers of stylish logos and dramatic splash screens will not gain satisfaction from DrWeb32 The splash screen dis played upon loading is more reminiscent of early Windows 3 xx products The program is easily controlled either by using the drop down menus or from the buttons on the toolbar These buttons enable the user to view folders to scan view scan results show scan statistics clear scan VIRUS BULLETIN 1999 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 99 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers 20 VIRUS BULLETIN JUNE 1999 results obtain updates via a TCP IP connec tion configure setup options or exit the program altogether A slight lack of attention to detail is apparent in the on line help files supplied with the submitted product They seemed to have been designed for a slightly older version of DrWeb32 since some of the screen shots seem to be missing certain options that have mor
67. nts as it provides detection for new versions which can even help sometimes in comparative reviews After all if we look at some macro comparatives for example the one from a respectable German university we will see that the best macro detection is achieved by generic detectors rather than exact detection based engines The only difference from other programs is that I decided RAV reports such modules as Suspicious rather than reporting a known virus I think this is a fair solution as I don t want to loose my exact all right exact enough identification which is still a noble cause to me and to few other respectable people out there Costin Raiu RAV team leader GeCAD Romania When is Protection not Protection Why don t anti virus products reset the virus protection options in Word Excel etc while disinfecting macro viruses More and more often I deal with users of Microsoft Office products who are on their second or greater infection incident and who have had this option disabled when the virus was contracted When questioned they deny having received the warning The document you are opening contains macros or customizations On further questioning they recall seeing it months ago when they contracted the first virus Most are surprised when they think about it a bit more that they did not receive that warning this time Of course the reason why is simple for us experts Anti virus software dete
68. oduct Technical Details Product DialogueScience AntiVirus Kit Developer DialogueScience Inc 40 Vavilova St Moscow 117786 Russia Tel 7 095 9382970 email sales dials ru WWW http www dials ru Availability Windows 9x NT 16MB RAM amp 10MB disk space Version Evaluated 3 0 Price Annual subscription inclusive of full updates 29 for ADinf32 49 for DrWeb32 Contact distributor for multiple or site licence details Hardware Used 166MHz Pentium MMX with 64MB of RAM 4 GB hard disk CD ROM drive and 3 5 inch floppy running Windows 95 98 and NT Virus Test sets Complete listings of the test sets used are at http www virusbtn com Comparatives Win98 199905 test_sets html VIRUS BULLETIN 1999 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 99 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers VIRUS BULLETIN JUNE 1999 21 PRODUCT REVIEW 2 eSafe Protect Enterprise Martyn Perry eSafe Protect ESP provides various elements of protection aimed at Internet users with virus protection being one aspect in the whole range of services From previous experiences with multi function products the quality of the virus detection tends to suffer at the expense of other modules Let us see if that is true this time The licence
69. of the code s main infection routine is commented The virus creates a temporary macro copies its text to it removes comments executes and deletes it This is good way to fool heuristic analysers This virus also has a polymorphic routine which modifies the decoding un remming routine Modification is concluded by adding garbage code not only to functions but also to some collation strings and by the initializiation of some variables even calling some WordBasic functions This virus also adds a number of goto statements that go to the next line W97M Slow has a rather strong polymorphic engine and contains all of the features described above On each infection the virus polymorphic engine renames internal virus variables to randomly selected names of randomly selected lengths As a result there are no constant search strings with which to identify the virus Fortunately there were no tools to modify the source code in Excel 95 and Access and we do not have any polymor phic viruses for these applications Do you see the similari ties with file viruses The first macro viruses were so simple then they became weak polymorphs and finally they were transmuted into strong polymorphic beasts That was our past Now it is time to move on to the present Part 2 The Present MS Office 97 The release of Office 97 saw a new era Visual Basic 5 was accepted as the integrated standard programming language Office s applica
70. of the publishers VIRUS BULLETIN JUNE 1999 9 This message will have the subject Fwd Workbook from all net and Fred Cohen and contains the following text in its body Urgent info inside Disregard macro warning Finally the current active workbook including the worm macro will be attached to the newly formed message and the message sent to the Outbox queue As stated before the worm will send such a message for each address list in the current Outlook configuration Therefore the next time Outlook is run the respective messages can be seen in the Outbox This is what a worm generated message looks like After the messages including the worm host are sent the virus logs out of the s MAPI kige n od Cheregard MATE AEEA provider lo and rusa short payload routine The payload is activated on a random basis with a one in three probability To do that the virus generates a random number between zero and five and if the respective number is two or four a PING command is launched in the background BRE Dm jmi edo ham i ed d hrd linker Eem Pak le T Ge pee fee ei er ee ji eed El AAi me ft amp rjo M The PING command is run with the t switch this will make it run forever pinging the respective host until the process is killed in one way or another Also the PING command is run with a random packet size from zero to 59 999 bytes Finally the worm sets the ping tim
71. ons Many products including my own are using exact identifi cation well maybe not so exact but exact enough to distinguish between Ethan variants and they don t detect new variants of it created in a simple and likely way NORMAL DOT files with non empty ThisDocument modules are not common but they do exist There are even many useful programs which plant macros in the ThisDocument module which if infected with Ethan will create a new virus What is the solution Our customer will gladly switch to one of those generic detection programs if they can detect his viruses and my program can t Exact identification is a noble purpose but losing a customer just for that is not exactly fun or noble There is a neat solu tion Subroutine based identification Each subroutine in a module is checksummed separately and the virus is detected on a subroutine basis The small disadvantage is the increasing amount of data required to identify a virus Advantages include better detection of new variants which is the issue here However switching from module based to subroutine based detection requires some effort from the AV producer and I don t think I can do it in a short time Solution two is to use a fixed size CRC either for all viruses which will lose exact detection or maybe only for some of them for example for our good friend Ethan Until I decide to switch to Subroutine based CRCs I think this is the best for my clie
72. ons supplied The scan action option was selected in order to delete the infected files and the residual file count used to determine the resulting detection rate eSafe Protect successfully detected all of the ItW boot sector viruses but results were poor against the ItW File set seven samples of TPVO 3783 A remaining undetected Three viruses in the Polymorphic test set caused problems for ESP namely DSCE Demo Girafe TPE and one sample of Natas 4744 Meanwhile against the Standard test set samples of Win32 Ska Win32 Redemption Argyle VIRUS BULLETIN 1999 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 99 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers VIRUS BULLETIN JUNE 1999 23 Win95 Boza D CMOS 3622 Cruncher DBF 1046 DNA 1206 Greets 3000 Win95 Navrhar Pizelun and TPVO 3783 B were all missed Results against the Macro test set were equally disappoint ing Misses were recorded against the full range of Office viruses including the polymorphic X97M Soldier A PP97M Vic A PP97M Shaper A XM SpellChecker A and eleven variants of Laroux to name but a few Re running the tests with All files selected did little to change the picture the only difference being that the samples of O97M Triplicate without extensions all four variants were
73. package provides the user with a file integrity checking module an anti virus package a mail scanning module optional and a card security module optional In this review we investigate the first two components of this package Advanced Diskinfoscope for Windows 9x NT and DrWeb32 v4 10 Are the programs really two modules of a complete protection kit or merely two standalone products bundled together by the marketing team Installation For the time being at least DSAV is only distributed in electronic form and so the fully boxed product which we normally require for standalone reviews was not available Instead a CD was supplied containing the programs and the on line documentation The product was installed onto Windows 95 98 and NT plat forms The CD ROM autoruns when inserted into the PC and lt some following the DSAV splash mimo screen the installation routine begins under the fatherly guidance of InstallShield Due to the electronic distribution of this product the lack of a manual came as no surprise What was a surprise however was the lack of any readme file prior to the installation process It may be that the product has been designed to be used with on line help only but as pointed out within those help files it is recommended that you do not install ADinf32 until you have scanned your hard disk with DrWeb32 and a disk utility package A touch of chicken and egg syndrome since this message c
74. rom the US and one from Australia Where there are some strongly regionalized groups 31 these regionalizations seem based on language limitations Some virus writers are more willing to discuss issues now This may be partly due to the general acceptability of counter culture ideas on the Internet per se or the supposedly increased anonymity afforded by various forms of Internet communication 32 There is more willingness to debate publicly at least on the part of some virus writers and those who favour public availability of viruses Next month we examine motivations and justifications Understanding why can provide some insights which will help us take action that can slow down the viral glut 13 Richardson K 1994 Computer Viruses The Breadth of the Problem Sophos Technical Report 14 The WildList 1993 November www wildlist org 15 Gordon S 1994 Technologically Enabled Crime Shifting Paradigms for the Year 2000 Computers amp Security Elsevier Science Publications 16 Gordon S 1994 The Generic Virus Writer From the Proceedings of The 4 International Virus Bulletin Conference Jersey Channel Islands 17 Gordon S 1996 The Generic Virus Writer II From the Proceedings of The 6th International Virus Bulletin Conference Brighton UK 18 The WildList 1999 February www wildlist org 19 Private Communication 1995 Used with permission 20 Private Communication 1999 Used with permiss
75. s the focus is on the Update button Following this the user is prompted to scan the non suspicious files for viruses exactly which anti virus scanner is used be it Windows or command line m based can be configured within the profile setup The scanner can be set to start automatically immediately after quitting ADinf32 with no user prompt rT Certain changes are considered suspicious by ADinf32 For example changes to the boot sectors master or DOS changes to files that have been declared as stable or the existence of peculiar date time file stamps all trigger it into suspecting a virus infection Additionally changes to the macro content of Word and Excel files are considered suspicious Following a scan in which suspicious changes have been detected the user is warned and after having viewed the results prompted logically not to update the detected changes to the diskinfo tables Subsequently however a peculiarity in the action that ADinf32 undertakes was noticed Above it was noted that upon detection of freshly created files the user is prompted to scan them Surprisingly though this same action is not recommended when the detected changes to the file system are considered suspicious Surely a more satisfactory integration between the integrity checker and the scanner would be to enforce the scanning of suspected objects Virus Detection with Advanced Diskinfoscope The use of ADinf32 as
76. s saved without the fast saving option In such a case Word optimises the document s structure leaving the dropper code out of the new image Quite a few similar limitations exist but most importantly the document structures are just too difficult for the average virus writer to hack especially when it comes to VBA format So far all known binary viruses with document infectors attacked the old Office 6 documents A new virus from Russia is the first known binary virus to infect VBA documents Win32 W97M Beast 41472 A the new CARO standard for naming such multi partites is written in Borland Delphi and compiled to 32 bit Portable Executable format Personally I think that the internal structure of Delphi applications is really ugly Analysing the actual virus code is not a pleasurable experience for any virus researchers but it is certainly challenging The disassembly list of the virus is about 1 MB and only 22 000 lines long Fortunately the major part of this code is in standard Delphi it can be eliminated easily with the latest version of IDA Interactive Disassembler which arrived on my desk just in time Beast uses a new method of infection compared to other binary viruses which infect documents Instead of hacking the VBA format on a bit by bit level Beast s author uses OLE APIs to inject macro code as well as embedded executable code into documents by using the internal OLE Object Linking and Embedding support of
77. sage states The on demand scanner does not affect normal operation or present a security risk Therefore it is not configured by the administrator 2 a oo The default set of files to include in a scan are COM EXE DO XL VXD and DLL Scan methods are Standard scan Smartscan Remove integrity files and Scan and analyse The choices of scannable items are Archive files Macro files All files or File extensions There is an additional option to activate a progress display For reporting purposes a file can be defined default C ESPLAN DEFAULT REP There are options to over write an existing file append to it or limit the appended data up to a maximum file size The level of detail in the report information can also be selected There is a separate choice of responses depending on the infection type These types are Removable virus Non removable virus or File modified For the first option you can Ask user Notify user Delete file Remove virus For Non removable virus the choices are reduced to Ask user Notify user Delete file Finally the File modified choices are Ask user Notify user Recalculate file In all instances there is the option to write to the alert file On access Scan The configuration for this screen consists of two tabs Operation modes and Scanning activities The scanner can be configured to run silently i e not displaying virus VIRUS BULLETIN 1999 Virus Bulletin Ltd The Pentagon
78. save the document in old Office 6 document format leaving the macros out The embedded objects can easily be deleted in Wordpad making this a solution for manual disinfection Unfortunately it is not a blanket solution since Wordpad under Windows 95 and Windows NT v4 0 does not support VBA documents When the embedded virus code is executed the virus installs itself in the system Installation of the Binary Code Firstly standard Delphi library functions are called from the entry point of the 32 bit virus code These functions perform important initializations for Delphi libraries and OLE functions and also check for a CD ROM device initializing it if there is one since the virus payload routine is related to CD ROM devices Important texts are encrypted in the data area of the virus body and decrypted one by one when they should be used The actual encryption is based simply on a shifted XOR key Each character of the encrypted string is decrypted by using XOR with the actual position of the character in the string starting from one The first string which is decrypted is 3BEPb After decrypting this string the virus checks if it is already active Actually this routine has some logical bugs in it and can fail sometimes meaning that the virus can install itself VIRUS BULLETIN 1999 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 99 0 00 2 50 No part of this publication may be r
79. te location Planning the Defensive Attack Preparing for recovery and prevention of recurrence is essential You already know that you have been infected or attacked by a certain virus or other form of malicious logic Contact the vendor if you have not already done so contacting your security product vendors particularly your anti virus vendor in the case of a new unknown virus is essential A patch or fix may allow you to recover your systems with the least effort and minimal data loss and should be thoroughly explored before more destructive methods such as file deletion or drive formatting Formulate the plan with the information from the investi gation and the possibility of a patch or fix it is time to assemble the system administrators and other key system and network personnel affected by the incident such as email administrators This team will develop the strategic and tactical approach to recovering from the incident as well as preventing the incident from recurring if possible This approach should be in the form of easy to follow steps which if necessary can be repeated at a later time The Clean Up Effort Performing sweeps of the systems with anti virus software can effectively stop the continued spread of known viruses and malicious codes from propagating throughout the system or networks It can also provide a relatively effec tive method for recovering infected files when a clean backup is unavailable I
80. the conference and the odd article in the student newspaper Sesame We can only try to educate and when something like Melissa appears in the newspaper it helps but hopefully not too often as this can have the opposite effect of breeding complacency in the users Time for Coffee After I have done all the checks and answered the queries in some way I head for the coffee machine because after this I start my other work in Technology This ranges from web site design IT support Network support summer school course production software support and access database maintenance plus anything else PC orientated that Technology wants done Response Times If a student is passed to me via either our student helpdesk or a message on Firstclass I try and sort the problem within 24 hours or as long as it takes to get a set of disks to them If it is a member of staff the response is immediate we try to solve all on site problems as soon as possible Take the case of Melissa I had three messages in my mail box on that fateful Monday morning two from unknown sources and one from CIAC As soon as I saw that message I went on line to Sophos Vet and NAI for confirmation and downloaded the update files I do not know if I suspected something or it was just that the wife was starting work early that day but I was in work by 8am instead of my usual 8 30ish By 8 30 the updates and information about Melissa were posted for the students by 8 4
81. the virus module and embedded objects from documents the virus has to be removed from memory and all executable copies should be deleted also Only high quality anti virus products will be able to solve all of these problems Win32 W97M Beast Aliases SBEPb Type Win382 Windows 97 macro virus Hex Pattern in EXE files 83EB 0274 1683 EBOE 740A 81EB 0301 0000 7416 EB23 E887 BOFF FFEB 2A8D 55F0 8B45 O8E8 A2FF FFFF EB1D 81FA 4506 0000 7515 Payload Opening and closing CD ROM door between 9 35pm and 7 12am Removal Use reliable and recently updated anti virus software to remove the virulent macros and embedded objects from your documents VIRUS BULLETIN 1999 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 99 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers 8 VIRUS BULLETIN JUNE 1999 VIRUS ANALYIS 2 Papa Don t Preach Costin Raiu GeCAD srl There are times in an anti virus researcher s life when the VX scene is calm and there are no terrible new viruses around Even better there are times when known in the wild viruses are added to the product a long time before customers are actually hit However sometimes we also have hard times when everything seems chaotic a virus especially a virus with worm like capab
82. ties and they were professionally employed 16 They began to beta test viruses 17 In May 1999 there are approximately 150 viruses found in the wild 18 with approximately 30 000 known to exist Some virus writers are pretty well known signing their creations while some prefer to do their deeds in secret Some labour alone while others work in groups like 29a SLAM all new all revised and not related in any way to the original The Codebreakers and The NoMercy Virus Team They use names like DarkMan VicodinES and Knowdeth Some put their viruses up on FTP or WWW sites some prefer to keep them for themselves Some restrict their distribution to within their own groups In some cases they send viruses only to AV researchers Some virus writers today release their viruses to unsuspect ing users others do not actively release them Some make code available while others prefer to keep it to themselves Some viruses are dedicated to individuals or causes other viruses are used to self promote Some remain anony mously authored Virus writers attend secondary schools and Universities Some are professionally employed Beta testing of viruses is pretty common Sound familiar New Bottles Old Wine Some people claim interesting new ideas have come out of the virus writing community Has the creativity of virus writers actually started to take on a whole new face The answer as is so common when analysing virus wr
83. tion gave software developers a lot of new abilities but it gave them to virus writers too The universal object model of VBA lets applications interact with each other Besides the single syntax of VBAS for all Office programs means that one macro code can be written for all applications Virus makers took full advantage of these features to create new cross platform viruses such as O97M Triplicate see Virus Bulletin February 1999 p 4 and O97M Cross June 1998 p 11 One more associated feature worth a mention is the useful and easy procedure which modifies the source code of macro modules during run time Taken together it might appear that virus writers were handed a trump card but in spite of all these features they very seldom use non traditional methods to write polymorphic routines in viruses They still use tricks taken from Word 7 viruses fortunately for all of us Most polymorphic macro viruses are incredibly similar because they use the same polymorph procedures Here are a few of the most popular ones VAMP v1 0 stands for Vic s Advanced Macro Poly This polymorphic macro engine is used by many others such as W97M Bench and W97M Pri The engine replaces variable names in the code with randomly generated ones APMRS uses another polymorphic macro engine which inserts a few random numbers into the virus body gener ated every time it is run As a result its size increases with every run This virus may also cause d
84. tive capabilities First acro 275 5 4 research reports conclude that it has a very low prevalence Laroux acro 161 3 2 in the wild and can be classified as low risk A full analysis pad acro 125 2 5 is scheduled for next month s issue Concept Bso 97 9 Mid May saw the discovery of Emperor a CIH style virus Temple acro 88 1 not a CIH variant capable of erasing the data on the hard Melissa acro 80 6 drive and corrupting the Flash BIOS This is a memory Tea ace 94 0 resident polymorphic multi partite virus about 6 000 bytes FE long It infects 16 bit DOS COM and EXE programs Appder ao 68 3 over writing the MBR of the hard drive and boot sector on unch acro 66 8 floppies It uses several anti debugging tricks stealth Footer acro 52 0 techniques and a difficult algorithm to disable built in CopyCap acre 36 0 7 anti virus protection If Form Boo 24 0 5 Walker acro 23 0 5 ThanY2Ks for the Memory AntiEXE Boo 22 0 4 VB s old adversary Mark Ludwig has closed down his Parity_Boot Boo 24 0 4 publishing business American Eagle A somewhat paranoid Protecied AO 19 0 4 and doom laden flyer he sent to the prospective buyers of his remaining stock attempted to explain his motives for Others 215 4 3 publishing computer virus information in the first place In Total 5053 100 his effort to empower people computers being Big Brother s tools of choice for enslaving you he went on to warn of a n
85. vides a quick and easy reference for virus names Imagine my surprise when I spotted Vgrep Anti Virus Inc using vgrep hotmail com as an email address Is this related to the Codebreakers and Datafellowes events Only time will tell It seems that the bad guys are attempting to confuse the issue by a troublesome but not particularly creative manipulation of procedure The question remains is this new Setting up BBSs which appeared to be legitimate research facilities was a favourite ploy of some early virus writers 28 The mid 1990s saw the same sorts of attacks using email when virus writers pretended to be everyone from Dark Avenger to well known anti virus researcher Frans Veldman and everything in between Confusion is the name of the game So while the Internet provides some novel twists to the chase the overall ploy is unchanged the robbers are pretending to be the cops The operational characteristics and demographics of virus writers have undergone some subtle shifts which began several years ago 29 While geographic hot zones do pop up from time to time the advent of cheap connectivity for many has resulted in more global alliances not centred around a particular BBS the Net as it were in action Once relatively regionalized 30 groups that do exist seem more geographically diverse The Codebreakers group reportedly has seven members from Europe Austria and Germany three f
86. wever information on the general ways in which the system can be or has been compromised and the impact it may have or had on their data can help to heighten their awareness and help bring the safe computing messages directly into the user s reality Documenting the incident s processes and procedures can be valuable in preventing future compromises Documenta tion can help to alleviate hasty decisions and provide a step by step account of the recovery effort for future reference It is also important to note the source and scope of the incident This provides valuable insight into the incident trends and the effectiveness of the protections in place Planning for the Next Attack Contingency planning is one way to incorporate lessons learned into our defensive posture Administrators and technicians must know the limitations and vulnerabilities of their systems which port or router is most susceptible to which type of attack or at what point in the system archi tecture anti virus protection can be most effective Network systems should be protected using defensive layers routers firewalls anti virus software security scanners and integrity checkers Systems should be scanned at scheduled times and networks assessed to identify vulnerabilities before they can be exploited All known vulnerabilities should be documented along with the specific risk This may mean installing vendor patches or reconfiguring networks to close
87. work cannot be trusted to pass on accurate information to The WildList Organization I do not profess to be an expert but Roger Moore and I are the OU s resident knowledge base We both get our information from the real Experts and use it to help and protect both staff and students After more than seven years I feel it s time these experts looked at teams like ours and worked with us to educate and disseminate good virus protection practice rather than still trying to isolate us Two papers at VB 99 are centered on the WildList I wonder if the idea of including organizations like ours has been shelved Time will tell VIRUS BULLETIN 1999 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 99 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers 12 VIRUS BULLETIN JUNE 1999 FEATURE 1 Virus Writers Part 2 Sarah Gordon IBM Research I will put off my discussion of why virus writers write viruses until Part 3 next month This article will examine the question How have they changed If you ve been counting this is question number five In October 1993 the number of virus writers who were actively contributing to the problem of computer viruses found in the wild comprised a relatively small percentage of the global computing population The
88. xury of popping along to see them I have had to learn how to educate users from all lifestyles and at all computer literacy levels about viruses using email On the odd occasion I do get to talk on the telephone That takes care of three mail boxes and a couple of conferences I also check the First class server that is for staff that mostly reside in the Technology Department but this is never too active VIRUS BULLETIN 1999 Virus Bulletin Ltd The Pentagon Abingdon Oxfordshire OX14 3YP England Tel 44 1235 555139 99 0 00 2 50 No part of this publication may be reproduced stored in a retrieval system or transmitted in any form without the prior written permission of the publishers VIRUS BULLETIN JUNE 1999 I1 Next I look at my main Open University mail box which also has a secondary mail box linked to it from the Lotus Notes server I administer which in turn is running anti virus software checking the servers mail boxes The main box is where the messages from CIAC Network Associates NAD Vet Command and others arrive Here is where I start checking for new alerts etc Thankfully these do not happen too often and I have to say that reports from NAI have virtually dried up since the Dr Solomon s takeover was announced in June 1998 The Open University has a Dr Solomon s site licence and I was in regular contact with the Aylesbury UK office but since the takeover I do not get many messages from them This m
Download Pdf Manuals
Related Search