VIRUS BULLETIN August 1991, page 3
©1991 Virus Bulletin Ltd, 21 The Quadrant, Abingdon Science Park, Oxon, OX14 3YS, England. Tel (+44) 235 555139. This bulletin is available only to qualified subscribers. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, magnetic, optical or photocopying, without the prior written permission of the publishers.
TECHNICAL NOTES
The GP1 Mystery Unravelled
A short updated and amended report on the GP1 virus (first reported by VB in June of this year) appears on page 9 of this edition. One of the difficulties in reporting malicious programs which target proprietary software is that specific knowledge of the software’s exact operation is not generally available to the researcher.
VB is indebted to Novell for its assistance in unravelling some of the mysteries behind GP1. Contrary to our original published report, the GP1 virus does not attempt to gain privileged access on to the network. Instead, it attempts to broadcast passwords to a ‘trawler’ program resident on a network node. Eric Babcock of Novell terms this program ‘EARS’ due to its presumed ability to ‘listen’ (or collect) password information. The GP1 virus samples received by Novell were not supplied with the associated ‘EARS’ program so analysis must remain somewhat hypothetical.
In live testing, the GP1 virus replicates in much the same way as the standard Jerusalem virus from which it was derived (see p. 14). It is believed that the GP1 virus was used in testing network security on a specific LAN in Holland although no further information has become available.
The results of various experiments with live computer viruses on NetWare are also published in a report on pp. 10-18. The most important conclusion of the report is that network administrators should distinguish clearly between NetWare rights and attributes. Attributes are part of NetWare’s workstation environment emulation, while rights are NetWare’s own security and access control system. Attributes provide no protection against viruses, while the proper use of rights offers substantial protection against virus propagation.
The Invisible Twin
One of the viruses included in this month’s list of new arrivals is the Twin-351 virus. It belongs to a small group of companion viruses, which includes AIDS II and TPworm.
Companion viruses have been described before in the Virus Bulletin - they are unique in that they do not actually change the files they ‘infect’; instead they exploit the fact that DOS executes a COM file before a corresponding EXE file.
The virus creates a new COM file for each EXE file it ‘infects’, and when the user attempts to run the EXE file, the COM file containing the virus will be executed instead. The virus does whatever it is designed to do, and finishes by loading and executing the EXE file. To avoid detection, all the known companion viruses set the ‘hidden’ attribute bit.
The Twin-351 virus adds a new twist to this method. It remains resident in memory, and hooks into INT 21H. When the FindFirst function is called, the virus traps the call, thus preventing the FindFirst function (and any subsequent FindNext function) from finding any hidden files. By definition, this makes the virus a stealth virus, as it does not make any apparent changes to any programs, and takes active steps to prevent detection of itself while active.
Most virus scanners use the FindFirst/FindNext functions to locate the files they scan, so they will not find the virus while it is active in memory. However, virus scanners which read the directory on a sector-by-sector basis will encounter no problems in detecting it.
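As an added illustration (not code from the Bulletin), the sector-level check described above: a parser for raw 32-byte FAT directory entries, read without going through the DOS FindFirst/FindNext calls a resident virus can hook, which then flags any COM file shadowing an EXE of the same base name and reports whether its hidden bit is set. The directory image, the file names and the 351-byte companion are constructed sample data, and the function names are ours.

```python
import struct
from collections import namedtuple

# FAT directory entry (32 bytes): name[8] ext[3] attr[1] ... first cluster (lo) at 26, size at 28.
ENTRY_SIZE = 32
ATTR_HIDDEN, ATTR_VOLUME, ATTR_DIRECTORY = 0x02, 0x08, 0x10
DirEntry = namedtuple("DirEntry", "name ext attr size")

def make_entry(name: str, ext: str, attr: int, size: int) -> bytes:
    """Build one raw entry; used only to construct the sample directory below."""
    head = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    return head + bytes([attr]) + bytes(14) + struct.pack("<HI", 0, size)

def parse_directory(raw: bytes) -> list:
    """Decode entries straight from directory sectors. No INT 21H FindFirst/FindNext
    call is involved, so a resident virus hooking those calls cannot hide entries."""
    entries = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = raw[off:off + ENTRY_SIZE]
        if e[0] == 0x00:                     # never-used slot: end of directory
            break
        if e[0] == 0xE5 or e[11] & (ATTR_VOLUME | ATTR_DIRECTORY):
            continue                         # deleted entry, volume label, subdirectory
        name = e[0:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        entries.append(DirEntry(name, ext, e[11], struct.unpack_from("<I", e, 28)[0]))
    return entries

def find_companions(entries: list) -> list:
    """(base name, COM size, hidden?) for every COM that shadows an EXE of the same
    base name; DOS runs the COM first, and known companion viruses set hidden."""
    exe_names = {e.name for e in entries if e.ext == "EXE"}
    return sorted((e.name, e.size, bool(e.attr & ATTR_HIDDEN))
                  for e in entries if e.ext == "COM" and e.name in exe_names)

# Constructed sample: COMMAND.COM (no EXE twin, not flagged), README.TXT, EDIT.EXE
# with a hidden 351-byte EDIT.COM beside it, one deleted slot, then the end marker.
SAMPLE_DIRECTORY = b"".join([
    make_entry("COMMAND", "COM", 0x20, 47845),
    make_entry("README", "TXT", 0x20, 1200),
    make_entry("EDIT", "EXE", 0x20, 25060),
    make_entry("EDIT", "COM", 0x22, 351),        # 0x22 = archive | hidden
    b"\xE5" + make_entry("OLDFILE", "BAK", 0x20, 10)[1:],
    bytes(ENTRY_SIZE),
])

if __name__ == "__main__":
    for name, size, hidden in find_companions(parse_directory(SAMPLE_DIRECTORY)):
        print(f"{name}.COM shadows {name}.EXE: {size} bytes, hidden={hidden}")
```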
ANSI Bombs and Trojans
Recently a large batch of malicious programs arrived indirectly from one of the larger virus ‘exchange’ BBSes. In addition to the usual collection of new viruses, it included an ‘ANSI bomb generator’. The purpose of this program is to assist in the creation of escape sequences, which could then be incorporated in a text file.
The escape sequences use the key-redefinition ability of ANSI.SYS: if the TYPE command is used to display the file containing such an escape sequence, one or more keys on the keyboard could be redefined. For example the Z key might be redefined as ‘<ESC>DEL *.*<ENTER>Y<ENTER>’, which would delete the files in the current directory if the user pressed the Z key while at the DOS prompt.
Trojan horse writers often use embedded escape sequences intercepted by the ANSI.SYS driver, which is loaded by a command in the CONFIG.SYS file on many PCs. Redefining ‘A’ as ‘X’ or ‘F’ as ‘T’ may cause confusion, but redefining ‘R’ as ‘DEL *.TXT’ (for example) could have more serious consequences. This is easily done. The following sequence
<ESC>[082;"<ESC>DEL *.TXT";13p
(where <ESC> is the Escape character, hexadecimal 1B), incorporated in a README file is an example of a typical ANSI Trojan. The unsuspecting user uses the TYPE command to display the contents of the file README, and in so doing unwittingly redefines the key ‘R’. Each time he presses ‘R’ thereafter, the keystroke is expanded by ANSI.SYS to ‘DEL *.TXT’ followed by a carriage return. More devious schemes can be devised. Bulletin Board operators (SysOps) normally search all messages for escape sequences to prevent unsuspecting users downloading this type of Trojan. The easiest way to combat this type of Trojan is to eliminate the statement
DEVICE=ANSI.SYS
from the CONFIG.SYS file.
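As an added example (not from the Bulletin), the kind of search a SysOp runs over messages and README files: it finds ANSI.SYS key-redefinition sequences (ESC [ parameters p), decodes the parameters, and reports which key is redefined and what it expands to, while leaving colour and cursor sequences alone. The sample README is constructed around the sequence shown above (082 is the ASCII code of ‘R’, 13 the carriage return); the function names are ours.

```python
import re
# CSI sequence: ESC '[' parameters (digits, ';' and "quoted strings") and one
# final byte in 0x40-0x7E. ANSI.SYS treats a final 'p' as a key redefinition.
CSI = re.compile(rb'\x1b\[((?:"[^"]*"|[0-9;])*)([@-~])')

def tokenize(params: bytes) -> list:
    """Split ANSI.SYS parameters into ints and quoted byte strings."""
    tokens, i = [], 0
    while i < len(params):
        if params[i] == 0x22:                     # opening quote
            end = params.index(b'"', i + 1)
            tokens.append(params[i + 1:end])
            i = end + 1
        elif params[i] == 0x3B:                   # ';' separator
            i += 1
        else:
            end = i
            while end < len(params) and 0x30 <= params[end] <= 0x39:
                end += 1
            tokens.append(int(params[i:end]))
            i = end
    return tokens

def find_key_redefinitions(data: bytes) -> list:
    """Return (offset, key, expansion) for each ESC[...p sequence in data."""
    hits = []
    for m in CSI.finditer(data):
        if m.group(2) != b"p":
            continue                      # colours, cursor moves etc. are harmless
        tokens = tokenize(m.group(1))
        if not tokens:
            continue
        key, *rest = tokens
        if key == 0 and rest:             # "0;scancode" names an extended key
            key_name = f"extended key {rest.pop(0)}"
        else:
            key_name = chr(key) if 32 <= key < 127 else f"code {key}"
        expansion = b"".join(t if isinstance(t, bytes) else bytes([t]) for t in rest)
        hits.append((m.start(), key_name, expansion))
    return hits

# Constructed README: a harmless colour sequence, then the redefinition of 'R'
# (ASCII 82) to ESC, "DEL *.TXT" and carriage return (13) quoted in the text above.
SAMPLE_README = (b"\x1b[1;31mWelcome to the board!\x1b[0m\r\n"
                 b"\x1b[082;\"\x1bDEL *.TXT\";13p"
                 b"Press R to read the rules.\r\n")
if __name__ == "__main__":
    for offset, key, expansion in find_key_redefinitions(SAMPLE_README):
        print(f"offset {offset}: key {key!r} is redefined to {expansion!r}")
```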
This method of key-redefinition is old and well-known and
several replacements for ANSI.SYS exist with this feature