
VIRUS BULLETIN ©1991 Virus Bulletin Ltd, 21 The Quadrant, Abingdon Science Park, Oxon, OX14 3YS, England. Tel (+44) 235 555139.
This bulletin is available only to qualified subscribers. No part of this publication may be reproduced, stored in a retrieval system, or transmitted
by any form or by any means, electronic, magnetic, optical or photocopying, without the prior written permission of the publishers.
VIRUS BULLETIN Page 22 August 1991
Suffice it to say that the display of relatively sophisticated
code alongside a plainly infantile mess gives these viruses a
strange appearance when disassembled.
Also within the code for the Smack virus are plain text
messages which are not displayed during virus operations.
These are as follows:
This virus was written in Italy by Cracker Jack
1991 IVRL All rights reserved, please don’t crack
this virus!!
Special message to Patricia Hoffman: I love
you!!!!!!!! SmackSmack!!
Can you give me your telephone number??? Ciao
bellissima!
Seasoned VB readers will know that Patricia Hoffman
maintains a regularly updated listing of known IBM PC
viruses which is widely distributed as a shareware text file.
(Technical Editor’s note: ‘Cracker Jack’ has expressed
dissatisfaction with researchers renaming the ‘Patricia’ virus
to ‘Smack’ - one of his viruses contains the string ‘Smack
Virus ....What a horrible name!!!!!!!!!!!!!!!!!!!’ More ominously,
the same virus contains the message ‘Compliments to
the Dark Avenger for the nice viruses...’.)
Conclusions
The fact that an inexperienced ‘pimply’ has copied code
(albeit without knowing exactly how it works) from known
viruses into his own ‘creations’ is nothing new. The fact that
such a virus was available to him in the first place is of more
concern and even though his feeble attempts have not produced
the effect that he desired, it is of paramount importance
that he (Cracker Jack) and his ‘mentor’ (Dark Avenger) be
stopped by whatever means are available.
Some time ago, I observed that one of the major advantages
that anti-virus researchers had over the virus writers was the
collaboration that had been achieved across the world. This
advantage is rapidly being eroded since the advent of the virus
‘exchange’ Bulletin Boards, and as the analyses of the above
viruses show, an increasing degree of plagiarism is occurring.
The Murphy viruses were written in Bulgaria and their
authors’ close proximity to Dark Avenger (maybe they know
each other personally) probably explains how the ‘collaboration’
came about.
It is possible that the obvious plagiarism of 2100 and Murphy
within Migram and Smack may not have occurred as a result
of virus exchange through a Bulletin Board, but the fact
remains that it probably did happen that way.
A lone voice in the UK has recently defended the existence of
these boards on the dubious grounds that proscribing them
would be an infringement of ‘human liberty’. This argument
calls into question the possible motives behind such a defence
but what utter nonsense! Can it be called an infringement of
liberty that poisons, weapons, certain chemicals, explosives
and similar dangerous items are not publicly available?
Similarly, public access to a range of viruses (especially
commented source code) represents a danger that must be
prevented. When calling these boards, the general offer of a
one-for-one exchange is a positive inducement to callers to
write or modify viruses in order to use them as an ‘invitation’
into the inner sanctum.
Two measures by which this activity might be stopped come
immediately to mind - if some system of licensing bona-fide
researchers were implemented, unlicensed possession of virus
source code or collections of virus samples could be made a
criminal offence. Alternatively, intentional transmission of
virus code across the public telephone network could be
criminalised in a way that would allow the authorities to close
down the offending boards immediately. In the United
Kingdom, the deliberate and unauthorised insertion of a virus
into a computer system is a criminal offence under Section 3
of the Computer Misuse Act 1990. However, the possession of
virus code and making malicious programs available for
download is not illegal under the terms of this Act. The
transmission of virus code via public telephone networks may
contravene telecommunications laws in different countries but
this remains a legal grey area.
SUMMARY
Migram Virus (two versions)
These infect only EXE files and are simple appending viruses
with infective lengths of 1219 and 1221 bytes. The operational
code is identical in the two versions and is not encrypted
during infection. Any ZIP files opened for read only when the
system date indicates a Saturday will be deleted.
An alternative trigger routine attempts a low level format of
the first five tracks of drive C: but fails through incorrect
coding. These viruses may be recognised by the Murphy(2)
and HIV recognition patterns published in the July 1991
edition of VB.
Smack Virus (two versions)
These vary only in their infective length and are simple
appending viruses with infective lengths of 1825 and 1841
bytes. A reliable hexadecimal search pattern was published in
the July 1991 edition of VB.
‘If ‘Cracker Jack’ were a plumber
he would have drowned years
ago...