Virus FAQ From alt.comp.virus Newsgroup


February 1995
DISCLAIMER: I assume no responsibility for any misuse of the items contained within this FAQ.


I. Preface

There have been several posts in alt.comp.virus asking why there wasn't an alt.comp.virus FAQ. I decided that was enough and set out to start writing it. As with all FAQs it is not complete and won't cover every question, but that's why it's open for improvement. So anything you would like to see added, including the debates, send to: danishm@iia.org.


A. Definitions of viruses and other types of electronic "life"

1. What is a virus?

A virus is a program that has the ability to replicate and to spread itself through many computers. It generally does this by using the DOS and BIOS interrupts. (Other types of disk access will be discussed later and are also found in VLAD#3.) It requires other programs in order to spread, which makes it different from a worm.

2. What is a worm?

A worm, like a virus, spreads itself by replication. A worm does not require third-party programs to replicate and usually spreads itself through networks.

3. What is a trojan horse?

A trojan horse does not replicate, but is substituted for another program by a user. Generally it wreaks havoc on the computer when run.

4. What is an ANSI bomb?

An ANSI bomb, like a trojan horse, does not replicate either; it usually does damage by remapping the keyboard using ANSI.SYS (hence its name). An example would be an ANSI bomb that remaps the letter A to 'FORMAT C: /U /AUTOTEST' or 'ECHO Y:FORMAT C:'.


B. Discussion of programming techniques

1. Run-time .COM infecting viruses

In this FAQ I will only cover .COM file infection because it is very easy for the beginner. Run-time viruses run before the program and search for new .COM files to infect. If they are large they can slow down the execution of a program and thus warn the user. In theory run-time viruses are extremely easy, but in practice they will occasionally produce problems, depending on how you're doing it. Overwriters are simple and easy to spot; they overwrite the program: Non-overwriters, or appenders, are a lot better in that they don't destroy the programs they infect: As you see, the virus replaces the first few bytes with a jump to the virus code. After the jump the virus restores the original code in its proper spot, ONLY in memory. Then the virus does its stuff and jumps back to the beginning of the program, and the program runs as if nothing had happened. At least that's what is supposed to happen. Some programs may cause problems, but that is the exception, not the rule.


2. Memory-resident .COM infecting viruses

Memory-resident viruses are much better than their run-time kin because:
  1. They don't cause the sluggish delays that come from searching and writing before the file is run.
  2. They have a wider reach.
  3. They can sometimes be smaller.
  4. They can hide their code and the size increase of infected files in a DIR listing.
Plus much more. More knowledge is required to write one, however, but that is obvious, and I will attempt to give a guideline (no code) to go by when writing one.

The first thing it should do is check for a previous installation. This can be accomplished by making up a value for AX and checking for it in your handler.

Next, memory reservation is required. This involves freeing up some memory, because .COM files get everything when run, and then allocating some memory for your code. Changing the value in MCB:0001h to 0008h will make that memory resident. You can also decrease total conventional memory and put your code up there.

Next you must move your code to that segment, wherever it may be: an MCB-controlled segment or the top of memory.

Next you must point the interrupts that you are hooking to your code in the segment you reserved.

Then restore control to the host program. The interrupt handler is pretty straightforward, but for a better description refer to another source.

3. Alternate infection methods

The appending method of infection is not the only one. Many other methods are available, including putting the virus first: Another is to put the jump in another location, such as searching for one in the program:

4. Other tips & tricks

Everyone wants their virus to be undetectable and efficient, so here are a few tricks I picked up, along with references from where I got them.
    mov     di,0101h     ; If mov   di,0100h  TBSCAN detects it
    dec     di
    push    di
    ret
                    ; (from VLAD)
    mov     cx,word ptr [bp+old3]  ; Alternate way of detecting .EXE files
    add     cl,ch
    cmp     cl,167
    je      close
                    ; (from VLAD)
    lea     si,[bp+old3]    ; Combines move of original 3 bytes and the
    mov     di,0101h        ; jump back to 0100h
    dec     di
    movsw
    movsb
    push    di
    ret

5. FTP sites and IRC bots

Here are a few FTP sites that have virus-related stuff:

Here are a few IRC bots that carry virus stuff:

Most of the bots can be found on channel #virus.


C. Virus removal and anti-virus software

1. The Correct way to use FDISK /MBR

We've had people suggesting FDISK /MBR to people with MBR infections, but often they don't mention the problems that can come about from using it. FDISK /MBR rewrites the Master Boot Record to the basic minimum the machine needs to operate. If you have DriveSpace, Stacker, or any other type of utility that installs itself in the MBR, and you FDISK /MBR your disk, you could lose all of your data because the proper programs are no longer loaded. If that is the case, find a good AV program such as F-PROT and use it instead. In fact, it is always a good idea to find an alternative rather than use FDISK /MBR.

2. Removing Boot/MBR viruses

To determine whether this is a virus that doesn't encrypt the original Boot/MBR, boot from a CLEAN floppy disk and try to access the hard disk. If you can't, it's a stealth virus; refer to the next section on removing Boot/MBR stealth viruses. If you can, and there are no programs like Stacker loaded from your original Boot/MBR, then it is ok to use FDISK /MBR or SYS C:, though it is recommended that you use AV software instead. If you do need to get back the original, either extract and disassemble the Boot/MBR, contact the author of the virus, or, if that frightens you, get some AV software to remove it.

3. Removing Boot/MBR stealth viruses

Refer to section 2 to find out whether the virus is stealth. This method will NOT work with non-stealth viruses, and is not guaranteed to work. Make a program to extract the Boot/MBR. Then reboot your machine from the infected hard disk and run the program. It should return the original Boot/MBR, because an active stealth virus hands back the original sector when the infected one is read. After this, copy it to a disk that is NOT a boot disk. Now you have a copy of your original Boot/MBR, and you can replace the Boot/MBR of your hard disk with it. I will let you go about the coding by yourself, though I will be glad to send you files to do it. If you are afraid of permanently destroying your hard disk, get some AV software to do it for you.

4. Removing file viruses

Before removing file viruses, boot from a clean disk. Now you may go through each file with DEBUG: if there is a jump at the beginning to almost the end of the file, it may be infected. Disassemble the point where it jumped to, and see if the code resembles virus code. If it does, attempt to look for the original few bytes. If that prospect frightens you or you don't want to bother searching each file, get AV software to check them for you.
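The DEBUG check above, written as a triage heuristic in Python. This is an added example, not part of the original FAQ; the .COM images it inspects are constructed here as test fixtures (a tiny "print string" host, and the same host with an inert appended body and a leading JMP to it).

```python
# Added example, not part of the original FAQ: the DEBUG check above as a
# Python triage heuristic. A .COM image loads at offset 0100h, so file
# offset == address - 0100h and JMP targets can be computed on file offsets.
# All sample bytes below are constructed for this demonstration.

def com_entry_jump_target(data: bytes):
    """Return the file offset a leading JMP lands on, or None when the
    file does not begin with a short (EB rel8) or near (E9 rel16) jump."""
    if len(data) >= 3 and data[0] == 0xE9:
        rel = int.from_bytes(data[1:3], "little", signed=True)
        return (3 + rel) & 0xFFFF          # next-instruction offset + rel16
    if len(data) >= 2 and data[0] == 0xEB:
        rel = data[1] - 256 if data[1] > 127 else data[1]
        return (2 + rel) & 0xFFFF          # next-instruction offset + rel8
    return None

def looks_appended(data: bytes, tail_fraction: float = 0.10) -> bool:
    """True when the entry jump lands in the last tail_fraction of the file,
    the shape an appending infector leaves (jump at 0100h, body at the end).
    Legitimate programs rarely start with a jump that far forward, so a hit
    is a reason to disassemble the target, not proof of infection."""
    target = com_entry_jump_target(data)
    if target is None:
        return False
    return target >= len(data) * (1 - tail_fraction)

# Constructed clean host: mov ah,9 / mov dx,0108h / int 21h / ret, the
# string it prints, then padding to give it a realistic size (914 bytes).
CLEAN_HOST = (bytes([0xB4, 0x09, 0xBA, 0x08, 0x01, 0xCD, 0x21, 0xC3])
              + b"Hello$" + bytes(900))

# Detection fixture: the same host with 100 bytes of NOPs appended and the
# first three bytes replaced by a JMP to that appended region.
_body_off = len(CLEAN_HOST)
_infected = bytearray(CLEAN_HOST + bytes([0x90] * 100))
_infected[0:3] = bytes([0xE9]) + (_body_off - 3).to_bytes(2, "little")
INFECTED_SAMPLE = bytes(_infected)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_HOST), ("infected", INFECTED_SAMPLE)):
        print(name, com_entry_jump_target(img), looks_appended(img))
```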

5. Anti-virus software review

I have prepared a review of anti-virus software from what I have gathered in my journeys throughout the internet.

Central Point Anti-Virus (CPAV) - Isn't very good, but at least is original, MSAV rips off most of it.

Microsoft Anti-Virus (MSAV) - Is horrible, besides the fact it rips off CPAV.

Norton Anti-Virus (NAV) - Not very good, though it gets good ratings from magazines and stuff because of its user interface, all graphical.

McAfee ViruScan (SCAN) - An ok scanner, better than CPAV, MSAV, and NAV, but not the best.

ThunderByte Anti-Virus (TBAV) - An awesome scanner, its capabilities with unknown viruses are astounding.

F-Protect (F-PROT) - I have never seen a better scanner, it combines heuristic capability (detecting unknown viruses) with an excellent scanning and removal facility.


D. On-going debate on different views on viruses

1. Debate on viruses made for the hell of it

-Nothing-

2. Debate on viruses as smart weapons

-Nothing-

3. Debate on "good" viruses

-Nothing-


Another Nasty Virus Worm.ExploreZip(pack)

Worm.ExploreZip(pack)

Detected as: Worm.ExploreZip(pack)

Aliases: W32/ExploreZip.worm.pak, MiniZip Worm, I-Worm.ZippedFiles, W32/ExplorezipB

Known Variants: Worm.ExploreZip

Infection Length: 120,495 bytes

Area of Infection: C:\Windows\System\

Likelihood: Common

Detected on: Nov 25, 1999

Region Reported: US, Europe, Japan

Characteristics: Worm, Trojan Horse, packed

Description

Worm.ExploreZip(pack) was discovered on Nov 24, 1999. This worm is a variant of Worm.ExploreZip, which was discovered in Israel, on Jun 6, 1999. The only difference is Worm.ExploreZip(pack) has been packed by file compression, which still allows the worm to be executed normally and does not require any manual uncompressing. Because of the compression, the file size is about 40% smaller than the original Worm.ExploreZip.

Symptoms and Payload

The behavior of the worm is identical to Worm.ExploreZip. It can propagate itself very quickly through email automatically and also via the network. When the email is sent, it will have the following email content.

I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs.

It will also contain a worm attachment named zipped_files.exe.

In addition, when Worm.ExploreZip(pack) is executed, it searches drives C through Z of your computer system and accessible network machines for particular files. The worm then destroys all files with any of the following extensions: .h, .c, .cpp, .asm, .doc, .xls, .ppt. This is accomplished by calling CreateFile() and truncating each file to 0 bytes. One may notice extended hard drive activity when this occurs. This can result in non-recoverable data loss.

This payload routine continues to happen while the worm is active on the system. Thus, any newly created files matching the extensions list will be destroyed as well.

Technical Details

The worm utilizes MAPI-capable e-mail programs on Windows systems to propagate itself. The worm e-mails itself out as an attachment with the filename zipped_files.exe. The body of the e-mail message may appear to come from a known e-mail correspondent and contains the following text:

I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs.

Once the attachment is executed, it unpacks itself and executes the original Worm.ExploreZip routine. It may display an error message informing the user that the file is not a valid archive.

The worm proceeds to copy itself to the c:\windows\system directory with the filename explore.exe and then modifies the WIN.INI file so that the program is executed each time Windows is started. The worm then utilizes your e-mail client to harvest e-mail addresses in order to propagate itself. Users may notice that their e-mail client launches when this occurs.

The worm will continue to monitor the Inbox for new messages and respond accordingly.

The worm will also search the mapped drives and networked machines for Windows installations and copy itself to the Windows directory of the remote machine. It will then modify the WIN.INI accordingly.

Repair Notes

1. Remove the line

run=<Windows System Path>\Explore.exe

or

run=<Windows System Path>\_setup.exe

from the WIN.INI file for Windows 9x systems.

For Windows NT, remove the registry entry

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

which will refer to Explore.exe or _setup.exe

2. Delete the file Explore.exe or _setup.exe. One may need to reboot first or kill the process using Task Manager or Process View (if the file is currently in use).
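Repair step 1 for Windows 9x, as an added example that is not part of the original write-up: a check over the text of WIN.INI for a run= entry in the [windows] section naming Explore.exe or _setup.exe, and a cleaned copy with that entry dropped. The sample INI is constructed, and C:\WINDOWS\SYSTEM stands in for the "<Windows System Path>" placeholder above.

```python
# Added example, not part of the original write-up. Finds the run= entry the
# worm adds to the [windows] section of WIN.INI and returns the file without
# it. The sample INI below is constructed; the system path is assumed.
import re

WORM_FILENAMES = ("explore.exe", "_setup.exe")   # names given in the write-up

def find_worm_run_entries(ini_text: str):
    """Return the run= lines from the [windows] section whose value names
    one of the worm's filenames. run= may list several programs separated by
    spaces or commas, and DOS/Win9x filenames are case-insensitive."""
    hits = []
    section = None
    for line in ini_text.splitlines():
        stripped = line.strip()
        m = re.match(r"\[(.+)\]$", stripped)
        if m:
            section = m.group(1).lower()
            continue
        if section == "windows" and stripped.lower().startswith("run="):
            for tok in re.split(r"[\s,]+", stripped[4:].strip()):
                basename = tok.replace("/", "\\").rsplit("\\", 1)[-1].lower()
                if basename in WORM_FILENAMES:
                    hits.append(stripped)
                    break
    return hits

def clean_win_ini(ini_text: str) -> str:
    """Return ini_text with the matching run= lines removed (repair step 1).
    Everything else, including other [windows] keys, is left untouched."""
    bad = set(find_worm_run_entries(ini_text))
    kept = [ln for ln in ini_text.splitlines() if ln.strip() not in bad]
    return "\n".join(kept) + ("\n" if ini_text.endswith("\n") else "")

# Constructed WIN.INI as the worm would leave it on an assumed C:\WINDOWS.
SAMPLE_WIN_INI = (
    "[windows]\n"
    "load=\n"
    "run=C:\\WINDOWS\\SYSTEM\\Explore.exe\n"
    "NullPort=None\n"
    "[Desktop]\n"
    "Wallpaper=(None)\n"
)

if __name__ == "__main__":
    print(find_worm_run_entries(SAMPLE_WIN_INI))
    print(clean_win_ini(SAMPLE_WIN_INI))
```

The registry entry for Windows NT named in the repair notes is a separate location and is not covered by this check.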

Norton AntiVirus users can protect themselves from this virus by downloading the current virus definitions either through LiveUpdate or from the Download Virus Definition Updates page.

Write-up by: Raul Elnitiarta and Motoaki Yamamura Nov 30, 1999

