VIRUS BULLETIN ©1991 Virus Bulletin Ltd, 21 The Quadrant, Abingdon Science Park, Oxon, OX14 3YS, England. Tel (+44) 235 555139.
VIRUS BULLETIN Page 14 August 1991
boot sector on floppy disks. The network was accessed (LOGIN followed by running of various applications, followed by LOGOUT). The workstation was cleared of infection and the network connection was re-established. The workstation hard disk and the workstation memory were examined for infection, and, as expected, nothing was found.
Multi-Partite Viruses
A clean workstation was used to log into the file-server. The workstation was infected with the Flip multi-partite virus. Files on the local fixed disk could be infected as usual, but when files on the file-server were executed, DOS returned the message:
EXEC Error
In general a multi-partite virus infects files on a network drive in the same way as a parasitic virus, but in addition the virus infects the boot sectors of disks attached to the workstation.
NETWARE SPECIFIC VIRUSES
There are three cases of viruses reported to have been written specifically to circumvent NetWare security.
First ‘Novell Virus’
In February 1990 there appeared an (unconfirmed) report of a ‘Novell’ virus which supposedly destroyed the Novell-specific file allocation table.
The virus was said to be capable of penetrating a file-server from a workstation even if it was not logged on to the network. It was suggested that this might be possible by altering the NET$DOS.SYS program by using C libraries released by Novell.
Novell has not encountered this virus, nor has the company received any reports of it. Neither Sophos nor Virus Bulletin have had any further reports about this ‘virus’ apart from the Editorial in Virus Bulletin in February 1990.
Dr. Jon David
In July 1990 New York consultant Dr. Jon David released a report about a virus which he observed propagating on a Novell LAN. Dr. David said that the virus, a Jerusalem mutation, bypassed NetWare file-server write-protection and also deleted write-protected files on the server.
After a heated exchange in the press and the Virus-L Bulletin Board between Dr. David and Novell (at one point Novell was threatening to sue Dr. David), Novell confirmed that the virus was Jerusalem, that it did propagate on unprotected networks, but denied the allegation that it bypassed NetWare security.
The most disturbing fact was that Dr. David refused to disassemble the virus himself or release his sample to a responsible organisation for analysis. He preferred to observe the virus effects, rather than analyse the virus structure.
The universal conclusion seems to be that the virus was a standard copy of Jerusalem with no specific ability to subvert NetWare security.
NetWare Virus From The Netherlands
In April 1991 Virus Bulletin received a virus (GP1) from Holland which contained instructions to subvert NetWare security. Interestingly enough, the virus was received in source-code form. It is reported to have been developed in Leiden (Holland) as a result of an unofficial challenge by a state organisation employee to a student.
GP1 Virus Structure
The virus is based on the Jerusalem virus, with NetWare-specific instructions added to the disassembled version of Jerusalem. The virus is memory-resident but contains no stealth features. The Novell network handler is accessed via a FAR JMP call instead of a FAR CALL; analysis indicates that if the FAR JMP instruction is changed into the FAR CALL instruction, the virus could become fully functional.
The virus is not infective unless it is run on a NetWare workstation. It intercepts four different INT 21H services, of which the most interesting is the NetWare-specific service E3H. This is checked to see whether the sub-function requesting the service is a user LOGIN procedure. If it is, the LOGIN is executed under the control of the virus and the return code is examined. If the LOGIN is successful, the virus sends a copy of the original login request block to the socket number 2A9FH. We suspect that this is a broadcast message (for more information see page 9).
Practical Trials On NetWare 2.11
The virus was assembled after changing the FAR JMP to a FAR CALL instruction. An experimental network consisting of a dedicated file-server (on a Compaq 386s, 80 Mbyte hard disk) and a workstation (Amstrad PC-ECD, 20 Mbyte hard disk) was set up with default security parameters.
The virus replicated in the same way as Jerusalem (when NetWare was present), but no other effects were observed.
The background of this virus continues to be investigated and it appears that the copy obtained was an unfinished version.
Practical Trials On NetWare 3.11
An experimental network consisting of a dedicated file-server (on a Compaq 486/25, 310 Mbyte hard disk, 4 Mbyte RAM) and a workstation (Amstrad PC-ECD, 20 Mbyte hard disk, 640 Kbyte RAM) was set up with default security parameters.