Virus Technical Review
David.J.Ferbrache
davidf at cs.heriot-watt.ac.uk
Sat Feb 11 07:51:17 AEST 1989
This request has appeared on the bitnet virus-l mailing list, and has
been crossposted to the appropriate comp.sys groups and to comp.risks.
I apologise to any readers who receive duplicate copies.
-------------------------------------------------------------
A review of the threat posed to the security and integrity of
microcomputer systems posed by self-replicating code segments
-------------------------------------------------------------
I am in the process of compiling information on existing computer viruses,
with a view to the production of a technical paper reviewing the threat
to system security posed by both present computer viruses and likely
future developments.
To this end I would be very grateful for information on individual
infections, preferably detailing the symptoms observed, damage caused and
disinfection techniques applied. Naturally I am also interested in details
of the operation of the viruses, although I appreciate the reticence shown
by infected parties to disseminate any details of virus operation, on the
basis that it could lead to development of further viruses.
The technical report is part of a Doctoral research thesis in computer
security, and will be available in late May. Distribution of the technical
report will be restricted to people who have a legitimate interest
(i.e. systems managers, commercial concerns, research), as I expect to
review the techniques exploited by viruses in a fair degree of detail at
the BIOS/DOS interface level. The report will consider the techniques used by
viruses to duplicate, the ways in which viruses gain control of the computer
system, the camouflage techniques adopted and a brief overview of the
existing computer viruses. Finally the report will consider the likely
development of the threat from viruses, and how this developing threat
can be addressed by protective software in both virtual and non-virtual
machine operating environments.
At the moment I know of the following viruses:

IBM PC MS/DOS
  1. Lehigh variant 1 and 2
  2. New Zealand (stoned)
  3. Vienna (Austrian, 648)
  4. Blackjack (1701, 1704)
  5. Italian (Ping Pong)
  6. Israeli variant 1 (Friday 13th, 1813, PLO, Jerusalem), variant 2,
     variant 3 (April 1st), variant 4
  7. Brain (Pakistani) and variants
  8. Yale
  Also potentially variants of the Rush Hour and VirDem viruses developed
  during the CCC's work on viruses.

APPLE MAC
  1. NVir variant A and B, Hpat
  2. Scores
  3. INIT 29
  4. ANTI
  5. Peace (MacMag)

APPLE II
  1. Elk

AMIGA
  1. SCA
  2. Byte Bandit
  3. IRQ

ATARI ST
  1. Boot sector
  2. Virus construction set viruses

Mainframe OS worms
  1. Internet worm
  2. DECNET worm
  3. BITNET Xmas chain letter

I would be grateful for any information on these, or any other viruses.
Reports of infection may be given in confidence, in which case they will
only be used as an indication of geographical distribution of infection.
A summary of known viruses, their symptoms, geographic distribution and
known disinfection measures will be posted to the list as soon as
sufficient information is available to prepare an interim report.
As part of the paper I will also be reviewing the effectiveness of viral
disinfection software, and would thus be interested in details of any
software you use, its effectiveness, and availability.
Thanks for your time!
For those interested here is a summary of a few of the virus reports published
on virus-l and usenet,

Subject, author and date                       Virus       Virus-l issue
---------------------------------------------  ----------  ----------------
THE AMIGA VIRUS - Bill Koester (CATS)          SCA         LOG8805
  comp.sys.amiga, 13 November 1987
New Year's Virus Report - George Robbins       IRQ
  1 January 1989, comp.sys.amiga
The Elk Cloner V2.0 - Phil Goetz               ELK
  26 Apr 1988
THE ATARI ST VIRUS - Chris Allen               ATARI ST
  22 March 1988, comp.sys.atari
Features of Blackjack Virus, Otto Stolz        BLACKJACK   v2.24
  24 Jan 1989
Comments on the "(c) Brain" Virus              BRAIN       LOG8805
  Joseph Sieczkowski, Apr 1988
Brain and the boot sequence, Dimitri Vulis     BRAIN       v2.5
  5 Jan 1989
The Israeli viruses, Y.Radai                   ISRAELI     LOG8805
  2 May 1988
VIRUS WARNING: Lehigh virus version II         LEHIGH v2   v2.35
  Ken van Wyk, 3 Feb 1989
The Ping-Pong virus, Y.Radai                   ITALIAN     v2.18
  17 Jan 1989
Known PC Viruses in the UK and their effects   MOST PC     v2.23
  Alan Solomon, 1989
Yale Virus Info, Chris Bracy,                  YALE        LOG8809a
  2 Sep 1988
New Macintosh Virus, Robert Hammen             ANTI
  comp.sys.mac, 7 Feb 1989
Hpat virus-it is a slightly modified nVIR      HPAT
  Alexis Rosen, comp.sys.mac, 7 Jan 1989
INIT 29: a brief description,                  INIT 29     v2.18
  Joel Levin, 18 Jan 1989
A detailed description of the INIT 29 virus    INIT 29     v2.30
  Thomas Bond, 27 Jan 1989
The Scores Virus, John Norstad                 SCORES      LOG8804
  info-mac digest, 23 Apr 1988
Macintosh infection at Seale-Hayne College     TSUNAMI     LOG8808d
  Adrian Vranch, 8 July 1988
DEFENCE DATA NETWORK MANAGEMENT BULLETIN,      DECNET      (see also v1.59a)
  50, 23 Dec 1988,
The internet worm program, an analysis         INTERNET
  Gene Spafford, Nov 1988

I apologise to any researchers whose articles I have not cited, in what is
currently an incomplete list of references. Hopefully, this article
will be of some use in providing a general list of viruses which have
affected computer systems in the past.
Thanks for your time, and I look forward to any information you can
supply me with.

Dave Ferbrache                 Personal mail to:
Dept of computer science       Internet <davidf at cs.hw.ac.uk>
Heriot-Watt University         Janet    <davidf at uk.ac.hw.cs>
79 Grassmarket                 UUCP     ..!mcvax!hwcs!davidf
Edinburgh,UK. EH1 2HJ          Tel      (UK) 31-225-6465 ext 553