VIRUS BULLETIN ©1991 Virus Bulletin Ltd, 21 The Quadrant, Abingdon Science Park, Oxon, OX14 3YS, England. Tel (+44) 235 555139.
This bulletin is available only to qualified subscribers. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, magnetic, optical or photocopying, without the prior written permission of the publishers.
VIRUS BULLETIN, Page 20, August 1991
This list (Figure 1) gives some idea of just how comprehensively this virus attempts to monitor system services.
Stealth Features and the 62-Second Stamp
All the familiar stealth capabilities are present, including the subtraction of the virus code from the reported lengths of infected files. However, the virus uses the very old method of marking its own infections by setting the file's time field to 62 seconds (the seconds field of a DOS directory entry is stored in two-second units, so the value 31 decodes to 62 seconds, a value no normal write ever produces). This signature produces some interesting results, since some software deliberately sets its time field in this fashion (in an ill-informed attempt to prevent infection) and is therefore reported as being 2100 bytes shorter than it really is when 2100 is memory-resident. Under the right circumstances this causes files marked in this way to be loaded incorrectly, with consequent corruption and malfunctioning of the machine.
Some software vendors still insist on marking their products
in this way (presumably under the misconception that this will
give them protection against viruses); they should realise that
such a practice simply makes their software more likely to fail
when certain stealth viruses are active in memory.
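The mechanism behind this failure, as an added worked example in C (not code from the original article and not a disassembly of the virus): the DOS directory-entry time encoding, the 62-second marker, and a model of a stealth FindFirst/FindNext hook that knocks 2100 bytes off the reported length of any stamped file. The file names and lengths are constructed for the illustration, and the hook is a simplification of the behaviour described above, not the virus's own logic.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A FAT directory entry stores the file time in 16 bits:
 * bits 15-11 hours, bits 10-5 minutes, bits 4-0 seconds/2.
 * A normal save yields a seconds field of 0..29 (0..58 s); the value 31
 * decodes to 62 seconds, which no legitimate write produces. */
#define SECONDS_MASK 0x1Fu
#define STAMP_62     31u
#define VIRUS_LENGTH 2100u   /* infective length of the 2100 virus */

uint16_t fat_time_pack(unsigned hours, unsigned minutes, unsigned seconds)
{
    return (uint16_t)((hours << 11) | (minutes << 5) | (seconds / 2));
}

unsigned fat_time_seconds(uint16_t t)
{
    return (t & SECONDS_MASK) * 2;
}

bool has_62_second_stamp(uint16_t t)
{
    return (t & SECONDS_MASK) == STAMP_62;
}

/* The marker the virus applies to a file it has infected, and that some
 * vendors apply to their own binaries in the hope of being skipped. */
uint16_t apply_62_second_stamp(uint16_t t)
{
    return (uint16_t)((t & ~SECONDS_MASK) | STAMP_62);
}

/* Model of the resident virus's FindFirst/FindNext hook: any file carrying
 * the stamp is assumed to be infected and is reported 2100 bytes shorter. */
uint32_t stealth_reported_length(uint16_t time_field, uint32_t true_length)
{
    if (has_62_second_stamp(time_field) && true_length > VIRUS_LENGTH)
        return true_length - VIRUS_LENGTH;
    return true_length;
}

/* Bytes of genuine program code a loader that trusts the reported length
 * would fail to read: zero for a really infected file (the hidden 2100 bytes
 * are virus code), 2100 for a clean file that merely carries the stamp. */
uint32_t bytes_lost_on_load(bool actually_infected, uint16_t time_field, uint32_t true_length)
{
    uint32_t reported = stealth_reported_length(time_field, true_length);
    uint32_t real_program = actually_infected ? true_length - VIRUS_LENGTH : true_length;
    return real_program > reported ? real_program - reported : 0;
}

int main(void)
{
    /* Constructed directory entries, not real samples. */
    uint16_t infected_time = apply_62_second_stamp(fat_time_pack(9, 15, 30));
    uint16_t vendor_time   = apply_62_second_stamp(fat_time_pack(9, 15, 30));
    uint16_t clean_time    = fat_time_pack(9, 15, 30);

    printf("infected PROG.EXE: true 7100, reported %u, program bytes lost %u\n",
           (unsigned)stealth_reported_length(infected_time, 7100),
           (unsigned)bytes_lost_on_load(true, infected_time, 7100));
    printf("vendor-stamped TOOL.COM: true 5000, reported %u, program bytes lost %u\n",
           (unsigned)stealth_reported_length(vendor_time, 5000),
           (unsigned)bytes_lost_on_load(false, vendor_time, 5000));
    printf("clean DATA.COM: true 5000, reported %u\n",
           (unsigned)stealth_reported_length(clean_time, 5000));
    return 0;
}
```

The same encoding gives a cheap check for a directory listing taken on a clean-booted machine: any entry whose seconds field decodes to 62 either carries the virus's marker or has been stamped by its vendor, and in either case deserves a look before the machine is trusted.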
Interrupt Interception
The 2100 virus prevents attempts to change certain system vectors (made using 'legal' DOS procedures), 'fakes' the results and thereafter erroneously reports the effects, so that simple virus detection software will be unaware of the changes. Similarly, programs attempting to Terminate and Stay Resident are hooked into the system in such a way that the virus can still remain hidden and in control.
These techniques present enormous obstacles to the
development of resident anti-virus monitoring programs;
these processes must be clearly appreciated before any
such monitoring software is designed.
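As an added illustration of the vector faking described above (a model written for this page, not the virus's code), the following C program simulates a real-mode interrupt vector table and the two 'legal' DOS calls for reading and changing a vector (INT 21h functions 35h and 25h). With the virus resident, a monitor that installs an INT 21h hook through DOS and reads it back through DOS is told exactly what it expects; a check that reads the table entry directly from memory sees the discrepancy. The handler addresses are constructed for the simulation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Real-mode interrupt vector table: 256 far pointers at 0000:0000, four
 * bytes each, so the vector for INT n lives at linear address n*4.
 * A far pointer is modelled as segment<<16 | offset. */
typedef uint32_t farptr;
static farptr ivt[256];

/* Constructed addresses for the model; not taken from the virus. */
#define DOS_INT21_HANDLER   0x0116F3A0u
#define VIRUS_INT21_HANDLER 0x9F000100u

static bool   virus_resident;
static farptr virus_chain_to;   /* where the virus passes INT 21h on to */

/* Clean DOS: only the real handler in the table, no virus in memory. */
void model_reset(void)
{
    ivt[0x21] = DOS_INT21_HANDLER;
    virus_chain_to = 0;
    virus_resident = false;
}

/* Going resident: take INT 21h, remember the real DOS entry. */
void virus_go_resident(void)
{
    virus_chain_to = ivt[0x21];
    ivt[0x21] = VIRUS_INT21_HANDLER;
    virus_resident = true;
}

/* INT 21h AH=35h (get vector) as seen through the virus: for INT 21h it
 * reports the handler it chains to, never its own address. */
farptr dos_get_vector(uint8_t n)
{
    if (virus_resident && n == 0x21)
        return virus_chain_to;
    return ivt[n];
}

/* INT 21h AH=25h (set vector) as seen through the virus: a request to take
 * over INT 21h is honoured only inside the virus's own chain; the table
 * entry keeps pointing at the virus, which stays first in line. */
void dos_set_vector(uint8_t n, farptr handler)
{
    if (virus_resident && n == 0x21) {
        virus_chain_to = handler;
        return;
    }
    ivt[n] = handler;
}

/* A simple resident monitor: hook INT 21h through DOS, then ask DOS whether
 * the hook is in place. Returns true if it believes it owns the vector. */
bool naive_monitor_believes_it_owns_int21(farptr my_handler)
{
    dos_set_vector(0x21, my_handler);
    return dos_get_vector(0x21) == my_handler;
}

/* The check that is not fooled: read the table entry straight from memory
 * (in real mode, a far read from 0000:0084 for INT 21h) and compare it with
 * what DOS claims. Any difference means something sits between the two. */
farptr peek_ivt(uint8_t n)
{
    return ivt[n];
}

bool vector_is_being_faked(uint8_t n)
{
    return peek_ivt(n) != dos_get_vector(n);
}

int main(void)
{
    const farptr monitor = 0x12340000u;  /* constructed monitor handler address */

    model_reset();
    printf("clean machine: faked=%d\n", vector_is_being_faked(0x21));
    virus_go_resident();
    printf("virus resident: monitor believes it owns INT 21h: %d\n",
           naive_monitor_believes_it_owns_int21(monitor));
    printf("direct IVT read %08X vs DOS report %08X -> faked=%d\n",
           (unsigned)peek_ivt(0x21), (unsigned)dos_get_vector(0x21),
           vector_is_being_faked(0x21));
    return 0;
}
```

The lesson for resident monitor design is the one the paragraph above draws: anything obtained through a DOS service that the virus has already hooked is the virus's answer, so the monitor must obtain its reference values some other way, here by reading the table directly, and must do so before anything else has had a chance to load.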
Trigger Routine
There is a selective trigger routine which only comes into
operation if the virus locates the Bontchev software. This
routine has not been copied in any of the other viruses under
discussion here - Migram, Smack or Murphy - and it would be
irresponsible to publish exact details of what this is or how it
works. I suspect that the plagiarists did not recognise it for
what it was and therefore left it out of their own creations.
However, I can report that during tests, the results of the
trigger routine varied considerably from machine to machine
and usually resulted in a general failure to the point at which a
power-down reboot was necessary. Actual corruption of data
stored on disk did not occur during testing and seems unlikely.
There are two highly specific areas in which this virus causes
concern: one is in the ROM search routine which appears
targeted initially at the machine BIOS but may also identify
certain anti-virus add-on boards. The other is in a section of
code which addresses and utilises the services of a device
driver to access the fixed disk and modify the boot sector.
This modification is not part of the infection process but
seems to remove a particular protection mechanism employed
by the anti-virus software or firmware being targeted.
Both of these routines prove the assertion made long ago that
there is no such thing as a 100 percent defence against viruses
(except perhaps by switching your PC off permanently!),
regardless of whether hardware or software is used. However,
the point is that 2100 is one of the more sophisticated viruses
and contains stealth routines which cause difficulties for
simple virus defence programs.
Summary - 2100 Virus
The virus infects COM and EXE files (including
COMMAND.COM) but ignores files with the SYSTEM
attribute set. It is an appending, stealth, targeting virus with an
infective length of 2100 bytes. The code is not encrypted. The
trigger routine is only effective if Vesselin Bontchev’s anti-
virus software is found. A reliable search pattern is:
D3E8 408C D103 C18C D949 8EC1 BF02 00BA
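As an added example (not code from the article), a small scanner for the search pattern quoted above: it parses the Virus Bulletin hex notation into bytes and searches an entire file image for it, rather than only the entry point, since 2100 appends its code and the pattern lies in the appended region. The image it scans is constructed in the program with the pattern planted at a chosen offset; it is not an infected file.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The search pattern published for 2100, in Virus Bulletin notation. */
static const char PATTERN_2100[] = "D3E8 408C D103 C18C D949 8EC1 BF02 00BA";

/* Parse a hex pattern ("D3E8 408C ...", whitespace ignored) into bytes.
 * Returns the number of bytes written, or 0 on a malformed pattern. */
size_t parse_hex_pattern(const char *text, unsigned char *out, size_t out_cap)
{
    size_t n = 0;
    int hi = -1;
    for (; *text; ++text) {
        unsigned char c = (unsigned char)*text;
        int v;
        if (isspace(c)) continue;
        if (isdigit(c)) v = c - '0';
        else if (isxdigit(c)) v = toupper(c) - 'A' + 10;
        else return 0;
        if (hi < 0) { hi = v; continue; }
        if (n == out_cap) return 0;
        out[n++] = (unsigned char)((hi << 4) | v);
        hi = -1;
    }
    return hi < 0 ? n : 0;   /* an odd digit count is malformed */
}

/* Offset of the first occurrence of pat in buf, or -1 if absent.
 * The whole buffer is searched, not just the start of the program. */
long find_pattern(const unsigned char *buf, size_t len,
                  const unsigned char *pat, size_t plen)
{
    if (plen == 0 || len < plen) return -1;
    for (size_t i = 0; i + plen <= len; ++i)
        if (memcmp(buf + i, pat, plen) == 0) return (long)i;
    return -1;
}

size_t pattern_2100_length(void)
{
    unsigned char pat[32];
    return parse_hex_pattern(PATTERN_2100, pat, sizeof pat);
}

long scan_for_2100(const unsigned char *image, size_t len)
{
    unsigned char pat[32];
    size_t plen = parse_hex_pattern(PATTERN_2100, pat, sizeof pat);
    return find_pattern(image, len, pat, plen);
}

/* Build a constructed 256-byte image of filler and, if embed is set, plant
 * the pattern at offset `at`; then scan it. Used for the demonstration only. */
long scan_constructed_image(size_t at, bool embed)
{
    unsigned char image[256];
    unsigned char pat[32];
    size_t plen = parse_hex_pattern(PATTERN_2100, pat, sizeof pat);
    memset(image, 0x90, sizeof image);
    if (embed && at + plen <= sizeof image)
        memcpy(image + at, pat, plen);
    return scan_for_2100(image, sizeof image);
}

int main(void)
{
    printf("pattern is %u bytes long\n", (unsigned)pattern_2100_length());
    printf("planted at 200: found at offset %ld\n", scan_constructed_image(200, true));
    printf("clean image: found at offset %ld\n", scan_constructed_image(0, false));
    return 0;
}
```

Because the virus is memory-resident and stealthy, a scan of this kind is only trustworthy when run after a cold boot from a write-protected, known-clean system diskette; with 2100 in memory, file reads themselves pass through its INT 21h hook.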
The Murphy Viruses
The Murphy viruses contain text suggesting they were written
by ‘Lubo and Ian’ who are reported by Vesselin Bontchev as
being Lubomir Mateev Mateev and Iani Lubomirov Brankov -
both from Bulgaria.
There are at least three known variants of the original Murphy
virus and although these are awaiting a full dissection,
preliminary disassemblies have been completed in which large
sections of code similar to that used by Dark Avenger have
been found. This is yet another indication of the unoriginality
and poor technical capabilities of the writers. The infection
routine has been identified reliably and differs from that used
in the Dark Avenger viruses. It is this routine which has been
copied by Cracker Jack in his attempts to produce his own
viruses.
The Migram and Smack Viruses
With the exception of the trigger routines, these two viruses are identical in their operational code. It appears that Migram came first, since it consists of almost 'straight' code.
A second version (Migram-2) is identical save for two NOP
instructions placed at strategic points (where no assembler
would place them) and possibly designed as an experiment in
disrupting pattern recognition searching. This hypothesis is
supported when the Smack virus is examined and found to
contain an inordinately large number of NOP instructions
inserted seemingly at random throughout most parts of the
code (excepting the portions copied from 2100 and Murphy).