Malicious software that has gone down in history. Part III
A work of art can be a painting, a sculpture, a poem, a symphony and, however strange it sounds, even a computer virus. Today, unfortunately, writing malware is usually about profiting from it or harming others. But at the dawn of computing, virus writers were closer to artists: their paints were fragments of code, skilfully mixed into something like a masterpiece. Their goal was less to hurt anyone than to announce themselves, to show off their wit and ingenuity, and sometimes simply to amuse. In this part we continue our acquaintance with the creations of virus writers that, for one reason or another, deserve attention. (The previous parts are here: Part I and Part II.)
Fork bomb (Everything ingenious is simple) - 1969
A fork bomb is not one particular virus or worm but a family of extremely simple malicious programs. A fork bomb can be as short as five lines, and in some languages it needs no alphanumeric characters at all: the well-known Bash version consists entirely of colons, parentheses and a few other punctuation marks.
The fork bomb works very simply. Once started, the program creates several copies of itself (usually two); each copy in turn creates as many copies again, and so on until the system stops responding. Strictly speaking it is not memory that runs out first but the operating system's process table, or rather the per-user process quota, which is also why the standard countermeasure is exactly that quota (ulimit -u on Unix). Depending on the machine, the whole thing takes anywhere from a few seconds to several hours.
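As an added illustration (not part of the original article), here is a small Python model of that growth together with a detection heuristic a responder might run over a process snapshot: it finds the topmost process whose subtree is large and consists of identical commands. The process table below is constructed for the example, and the quota figure is simply whatever `ulimit -u` reports on the machine in question.

```python
from collections import defaultdict


def generations_until_exhausted(fanout, process_limit, parents_survive=True):
    """Model the growth of a fork bomb.  Every live process spawns `fanout`
    children per generation (the classic Bash bomb pipes one copy into
    another, so fanout=2).  Returns the first generation at which the number
    of live processes reaches `process_limit`, i.e. the user's process quota
    (what `ulimit -u` reports on Unix).  With parents_survive=False the
    parents exit as soon as their children run: the slower, pure-doubling case."""
    live, generation = 1, 0
    while live < process_limit:
        live = live * fanout + (live if parents_survive else 0)
        generation += 1
    return generation


def find_fork_bombs(snapshot, threshold):
    """Heuristic detector over a process snapshot: a list of (pid, ppid, command)
    tuples such as `ps -eo pid,ppid,comm` would give.  Returns the topmost
    processes whose subtree has at least `threshold` members that all run the
    same command, as a sorted list of (root_pid, subtree_size)."""
    children = defaultdict(list)
    parent, command = {}, {}
    for pid, ppid, comm in snapshot:
        children[ppid].append(pid)
        parent[pid], command[pid] = ppid, comm

    def subtree(root):
        stack, members = [root], []
        while stack:
            pid = stack.pop()
            members.append(pid)
            stack.extend(children.get(pid, ()))
        return members

    candidates = {}
    for pid in command:
        members = subtree(pid)
        if len(members) >= threshold and len({command[p] for p in members}) == 1:
            candidates[pid] = len(members)

    # Keep only roots that are not themselves inside another candidate's subtree.
    roots = []
    for pid, size in candidates.items():
        anc = parent.get(pid)
        while anc is not None and anc not in candidates:
            anc = parent.get(anc)
        if anc is None:
            roots.append((pid, size))
    return sorted(roots)


def build_sample_snapshot():
    """Constructed process table: a login shell with an editor, and a bomb that
    has already doubled three times (1 + 2 + 4 + 8 = 15 shells)."""
    snapshot = [
        (1, 0, "init"),
        (900, 1, "sshd"),
        (1000, 900, "bash"),   # the user's interactive shell
        (1010, 1000, "vim"),
        (1001, 1000, "bash"),  # the shell in which the bomb was typed
    ]
    next_pid, frontier = 2000, [1001]
    for _ in range(3):
        generation = []
        for ppid in frontier:
            for _ in range(2):
                snapshot.append((next_pid, ppid, "bash"))
                generation.append(next_pid)
                next_pid += 1
        frontier = generation
    return snapshot


if __name__ == "__main__":
    print(generations_until_exhausted(2, 4096))          # 8
    print(find_fork_bombs(build_sample_snapshot(), 10))  # [(1001, 15)]
```

With a quota of 4096 processes the classic two-way bomb hits the wall within 8 to 12 generations, a few hundred milliseconds on any modern machine. The practical lesson is that the reliable defence is the per-user process limit (`ulimit -u`, `limits.conf`, or `pids.max` in a cgroup): by the time a detector like the one above gets scheduled, the table is usually already full.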
One of the first recorded fork bombs appeared on a Burroughs 5500 at the University of Washington in 1969; the program was called RABBITS. In 1972 the virus writer Q The Misanthrope wrote a similar program in BASIC and, amusingly, was in the seventh grade at the time. There was also a case at an unnamed company in 1973, when its IBM 360 was hit by a rabbit program: a young employee was accused of spreading it and fired.
Cascade (falling down) - 1987
One of the most amusing viruses of its time. Here is why.
When the virus got into a system and activated, it first checked the machine for the string "COPR. IBM" (found in the ROM BIOS of genuine IBM PCs). If the string was present, the virus was supposed to stop and leave the machine uninfected, but because of a bug in its code the infection happened anyway. Cascade then installed itself resident in memory and infected any .com file that was executed, replacing the file's first three bytes with a jump to the virus body appended at the end of the file.
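The three-byte patch described above is the classic appending-infector layout, and it is also what early scanners looked for. The following Python example (added here; it is not Cascade's code) performs that patch on a constructed 17-byte .COM program, checks for it, and reverses it. The "body" being appended is a placeholder string, deliberately not executable code.

```python
import struct

COM_MAX = 0xFF00  # largest image a .COM can be and still leave room for its stack

# Constructed host: a real 17-byte DOS program that prints "Hello$" via INT 21h
# and exits (MOV AH,9 / MOV DX,010Bh / INT 21h / MOV AH,4Ch / INT 21h / "Hello$").
HOST = bytes.fromhex("B409BA0B01CD21B44CCD21") + b"Hello$"
# Constructed placeholder standing in for a virus body; not executable code.
BODY = b"<appended body placeholder>" * 2


def infect_com(image, body):
    """Cascade-style appending infection of a .COM image: the body goes at the
    end of the file, the three bytes at the entry point are saved inside the
    appended block and replaced by JMP rel16 (E9 lo hi) to that block.
    A .COM image is loaded at offset 0x100 and execution starts there, so the
    displacement is measured from the byte after the 3-byte JMP."""
    if len(image) < 3 or len(image) + 3 + len(body) > COM_MAX:
        raise ValueError("host too small or result would exceed the COM size limit")
    target = len(image)                     # file offset of the appended block
    jmp = b"\xE9" + struct.pack("<H", (target - 3) & 0xFFFF)
    return jmp + image[3:] + image[:3] + body


def entry_jump_target(image):
    """File offset a leading JMP rel16 lands on, or None if the entry is not a JMP."""
    if len(image) < 3 or image[0] != 0xE9:
        return None
    (rel,) = struct.unpack("<H", image[1:3])
    return (3 + rel) & 0xFFFF


def looks_infected(image, body_len):
    """Scanner heuristic of the era: the entry point is a JMP whose target lies
    in the tail of the file, exactly where an appended block of `body_len`
    bytes (plus the 3 saved bytes) would start."""
    target = entry_jump_target(image)
    return target is not None and target == len(image) - body_len - 3


def disinfect_com(image, body_len):
    """Undo infect_com: restore the saved entry bytes and drop the appended block."""
    if not looks_infected(image, body_len):
        raise ValueError("image does not carry the expected appended block")
    target = entry_jump_target(image)
    return image[target:target + 3] + image[3:target]


if __name__ == "__main__":
    infected = infect_com(HOST, BODY)
    print(looks_infected(HOST, len(BODY)), looks_infected(infected, len(BODY)))  # False True
    print(disinfect_com(infected, len(BODY)) == HOST)                           # True
```

The check in `looks_infected` is what a scanner could do before it had signatures: a .COM whose first instruction jumps into its own tail is unusual for compiler output. The real Cascade additionally encrypted its body with a key derived from the file length, so signature scanners had to match the short decryptor at the jump target rather than the body itself.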
Now for the payload. It triggered if an infected file was launched between 1 October and 31 December 1988: all the characters on the DOS screen began to fall at random, literally tumbling down the screen, which is why the virus was named Cascade. Sometimes sounds were played as well.
After spreading around the world, Cascade spawned about 40 variants. Some were created by the original author in an attempt to fix the IBM copyright check, yet these variants went on infecting the computer giant's machines just the same. Other variants replaced the waterfall of characters with formatting of the hard disk, or simply carried a message. In any case, it is the original Cascade that many remember.
It is ironic that the author tried to spare IBM computers, yet not only were they infected, an entire IBM office in Belgium fell victim. As a result, IBM released to the public the antivirus it had until then used only internally.
Nothing is known about the origin of the virus or its author; it is speculated that Cascade was written by someone in Germany or Switzerland.
Eddie (Hallowed Be Thy Name) - 1988
One of the first Bulgarian viruses and the first creation of Dark Avenger, who became extremely well known not only for his viruses but for the so-called Dark Avenger Mutation Engine (more on that below). Dark Avenger named the virus after Eddie, the skeleton mascot of the band Iron Maiden.
Once on a computer, the virus went resident in memory. Its victims were .com and .exe files, and they did not need to be executed to be infected: it was enough to read them (copy, move, or inspect the file's contents). Antivirus software could be infected too, and an infected scanner in turn infected every file it scanned. After every 16th infection the virus overwrote a random disk sector.
Later the source code of the virus was published on the Internet, which gave rise to many variants:
Eddie.651
Eddie.1028
Eddie.1530
Eddie.1797
Eddie.1799
Eddie.1800.B
Eddie.2000.C
Eddie.2000.D
Eddie.Alexander
Eddie.Apa
Eddie.father
Eddie.jasper
Eddie.Jericho (Two Variants)
Eddie.Korea
Eddie.Major
Eddie.Oliver
Eddie.Psko
Eddie.Satan
Eddie.Shyster
Eddie.sign
Eddie.Uriel
Eddie.VAN
The authors of some of these are unknown to this day. Among the variants that came from Dark Avenger's own pen:
Eddie.V2100 - contained the string "Eddie lives" and, if the Anthrax virus was present in the last sector of the disk, copied it back into the partition table, thereby reviving it.
For a long time Eddie held the status of the most widespread Bulgarian virus, and it was also recorded in West Germany, the USA and the USSR.
Father Christmas (Ho-ho-ho) - 1988
Shortly before (Western) Christmas 1988, the Father Christmas worm began its journey across DECnet (Digital's own network protocol suite, a contemporary of the early Internet rather than a version of it). The worm's birthplace is considered to be the University of Neuchâtel in Switzerland.
The worm was a command file, HI.COM, which copied itself from one DECnet node to the next. It then tried to start itself on the remote node either through TASK object 0 (the default DECnet object that runs a command file on behalf of a remote node) or by logging in with a DECnet username and password. If the launch failed, the worm deleted its HI.COM from the victim. If it succeeded, the worm loaded into memory under a process named MAIL_178DC and from there deleted the HI.COM file. Next it mailed the system's SYS$ANNOUNCE banner to the address 20597::PHSOLIDE and checked the system clock. If the time fell between 00:00 and 00:30 on 24 December 1988, the worm built a list of all users on the system and sent its message to each of them. If it was already past 00:30 on that date, the worm simply went quiet.
To find a new victim, the worm generated a random number between 0 and 63 * 1024 (the size of the DECnet Phase IV address space: 63 areas of 1024 nodes) and copied HI.COM to the node with that address. After 00:00 on 24 December 1988 no further spreading took place.
Father Christmas also displayed a message that was, for malware, remarkably benevolent:
From: NODE::Father Christmas 24-DEC-1988 00:00
To: You ...
Subj: Christmas Card.
Hi,
How are ya? I had a hard time preparing all the presents. It isn't quite an easy job. I'm getting more and more letters from every year Rambo-Guns, Tanks and Space Ships up here at the Northpole. But now the good part is coming. Distributing all it is a real fun. When i slide down the chimneys I often find a little present offered by the children, or even a little brandy from the father. (Yeah!) Anyhow the chimneys are getting tighter and tighter every year. I think I'll put on my diet. And after Christmas I've got my big holidays :-).
Now you're at home !!!
Merry christmas and a happy new year
Your Father Christmas
Father Christmas did not conquer the world: it infected only about 6,000 machines, and on only 2% of them did the worm actually activate. One curious fact, though: the worm took just 8 minutes to get from Switzerland to the Goddard Space Flight Center outside Washington.
The author of this unusual, calendar-bound worm was never found. It is only known that it was launched from a university computer to which many people had access.
Icelandic (Eyjafjallajökull) - 1989
The first virus to infect exclusively .exe files under DOS. Birthplace: Iceland.
Icelandic arrived as an infected .exe file; on launch, the virus checked whether a copy of itself was already in memory and, if not, went resident. It also altered some blocks of memory to hide its presence, which could crash the system if a program tried to write to those very blocks. The virus then infected every tenth executable that was run, appending its own code to the end of the file. If the file was read-only, Icelandic removed its code from it again.
If the hard disk was larger than 10 megabytes, the virus picked an unused cluster in the FAT and marked it as bad, and it did so every time it infected a new file.
There were also several varieties of Icelandic, which differed from each other in some functions and properties:
Icelandic.632 - infected every third program run; marked one cluster bad on disks larger than 20 megabytes;
Icelandic.B - reworked to make detection by some antivirus programs harder; apart from spreading, it did nothing;
Icelandic.Jol - a sub-variant of Icelandic.B which on 24 December displayed the Icelandic greeting "Gledileg jol" ("Merry Christmas");
Icelandic.Mix1 - first found in Israel; it garbled characters sent to serial devices (printers, for example);
Icelandic.Saratoga - infected a launched file with a 50% probability.
Diamond (Shine bright like a diamond) - 1989
Another virus from Bulgaria. Its author is assumed to be Dark Avenger, since it has much in common with his first creation, Eddie.
When an infected program was run, the virus went resident, taking up 1072 bytes. It checked whether any program had hooked interrupt 1 or 3 (the single-step and breakpoint interrupts used by debuggers); if one had, the check hung the system and the virus could no longer replicate. Otherwise Diamond attached itself to any program that was run and was smaller than 1024 bytes, avoiding COMMAND.COM. The virus also contained a string that makes it easy to identify: "7106286813".
Diamond became the progenitor of several variants, which differed in their effect on the infected system and in their methods of spreading and infection:
Rock steady
A 666-byte virus. If it was run on the 13th of any month it did not go resident; instead it formatted the first 1 to 10 sectors of the first hard disk, overwrote the first 32 sectors of drive C: with garbage and rebooted the system. It was first found in Montreal, Canada.
Its way of choosing files was curious too. Rock Steady first checked the file size, skipping files smaller than 666 bytes (of any format) and .com files larger than 64,358 bytes. It then checked whether the file began with the signature "MZ" or "ZM" (DOS accepts both for .exe files) and swapped one for the other, "ZM" to "MZ" and vice versa. The virus also set a certain value to 60 and subtracted its own 666 bytes from the reported size of the infected file.
David
Probably from Italy; first seen in May 1991. The first version could not infect .exe files, but a sub-variant released in October 1992 could. It frequently crashed the system when an infected .com file was executed, and unlike the original it did not spare COMMAND.COM. If an infected .exe file was launched on a Tuesday, the virus formatted the disks. It also displayed a bouncing ping-pong ball and a message on the screen.
Damage
This virus is believed to have been written by the same person as David, since Damage was also found in May 1991, also in Italy. It infected files larger than 1000 bytes and did not spare COMMAND.COM. When the system clock showed 2:59:53 PM, a multicolored diamond appeared on the screen and broke into smaller diamonds that wiped characters off the screen. The strings "Damage" (hence the name) and "Jump for joy !!!" were found in the virus code.
Lucifer
Another virus from Italy, found in May 1991. It infected files larger than 2 kilobytes, COMMAND.COM included. If a file's time stamp read 12:00 before infection, the virus disappeared after infecting it.
Greemlin
Oh, Italy, and oh, May 1991: this virus is from there too. It noticeably slowed the system (by about 10%). On 14 July of any year it overwrote some sectors of drives A:, B: and C:.
There were several other variants, but their common trait was that they did not check whether a file was already infected, which led to repeated infection of the same files.
Alabama (Alabama Shakes) - 1989
A DOS virus that infected .exe files. When an infected file ran, the virus went resident in memory. Unlike most resident viruses, however, Alabama did not infect the file being executed: it first looked for a file to infect in the current directory, and only if that failed did it fall back to infecting the executed file. On Fridays, instead of infecting files, it opened a random file in place of the one the user wanted. One hour after infection, Alabama displayed flashing text on the screen:
SOFTWARE COPIES PROHIBITED BY INTERNATIONAL LAW ...
Box 1055 Tuscambia ALABAMA USA.
Dark Avenger Mutation Engine (DAME) - 1991
This is not a virus but a module, made extremely famous by the Dark Avenger we have already met.
When a virus built with DAME infects a file, the engine's encryptor turns the virus body into what looks like garbage; when the infected file runs, a decryptor restores the body to its working form. Because the key and the decryptor itself change from one infection to the next, every copy of the virus looks different.
Dark Avenger also included in the archive a separate random-number generator module, which the engine used when producing new copies.
DAME made it much easier for virus writers to produce polymorphic viruses, although integrating the module into a virus was not trivial. The same module also made it possible to turn a single virus into countless variants: by malware researchers' estimates, by the end of 1992 there were about 900,000 variants of viruses using DAME.
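To make the encryptor/decryptor idea concrete, here is an added Python model (not DAME's code, and not x86): a toy engine that emits a randomly chosen decryptor plus the encrypted body, a "CPU" that runs the decryptor, and the two kinds of scanner, one the module defeated and one it did not. The virus body and the scanner signature are constructed placeholders.

```python
import random

SIGNATURE = b"EDDIE LIVES"  # constructed stand-in for a scanner's signature string
BODY = b"\x90\x90" + SIGNATURE + b"\xcd\x21\x00\x80\x7f"  # constructed stand-in for a body

# Decryptor "instructions" of the toy engine: (opcode, operand) pairs applied to
# every body byte in order.  NOP = junk, XOR k, ADD k, ROL n (1..7 bits).
NOP, XOR, ADD, ROL = 0, 1, 2, 3


def _rol(b, n):
    return ((b << n) | (b >> (8 - n))) & 0xFF


def _decrypt_byte(ops, b):
    for code, k in ops:
        if code == XOR:
            b ^= k
        elif code == ADD:
            b = (b + k) & 0xFF
        elif code == ROL:
            b = _rol(b, k)
    return b


def _encrypt_byte(ops, b):
    """Inverse of _decrypt_byte: undo each step in reverse order."""
    for code, k in reversed(ops):
        if code == XOR:
            b ^= k
        elif code == ADD:
            b = (b - k) & 0xFF
        elif code == ROL:
            b = _rol(b, 8 - k)
    return b


def build_sample(body, ops):
    """Serialise decryptor + encrypted body as [count][code,k]*count[body...]."""
    stub = bytes([len(ops)]) + b"".join(bytes([code, k]) for code, k in ops)
    return stub + bytes(_encrypt_byte(ops, b) for b in body)


def mutate(body, rng):
    """The engine proper: pick 3..6 random steps (the first is never a no-op,
    so every byte really is transformed) and emit a fresh sample."""
    ops = []
    for i in range(rng.randint(3, 6)):
        code = rng.choice([XOR, ADD, ROL] if i == 0 else [NOP, XOR, ADD, ROL])
        k = rng.randint(1, 7) if code == ROL else rng.randint(1, 255)
        ops.append((code, k))
    return build_sample(body, ops)


def mutations(body, seed, n):
    """n fresh generations from one seeded RNG (deterministic, for testing)."""
    rng = random.Random(seed)
    return [mutate(body, rng) for _ in range(n)]


def parse_sample(sample):
    count = sample[0]
    ops = [(sample[1 + 2 * i], sample[2 + 2 * i]) for i in range(count)]
    return ops, sample[1 + 2 * count:]


def decrypt(sample):
    """What the CPU does when the infected file runs: execute the decryptor."""
    ops, enc = parse_sample(sample)
    return bytes(_decrypt_byte(ops, b) for b in enc)


def static_scan(sample):
    """Signature matching on the raw file: defeated by the mutation."""
    return SIGNATURE in sample


def emulating_scan(sample):
    """Run the decryptor in the toy VM first, then match: what scanners had
    to add in order to cope with polymorphic code."""
    return SIGNATURE in decrypt(sample)


if __name__ == "__main__":
    a, b = mutations(BODY, 7, 2)
    print(a != b, decrypt(a) == BODY, static_scan(a), emulating_scan(a))
```

Each call to `mutate` yields a file with a different decryptor and different encrypted bytes, so no fixed byte string survives across copies: a scanner that simply searches for a signature fails, while one that emulates the decryptor first still finds the body. That is why polymorphic engines pushed antivirus products toward emulation and toward recognising the structure of the decryptor rather than the body.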
Starship (Back in the USSR) - 1991
Now we come to the USSR: the Starship virus was written there. But that is not where its distinctive features end.
Starship's method of infection was, for its time, very complex and unusual. The virus infected .com and .exe files, but when an infected file was run it infected the master boot record instead: it did not go resident and did not infect other .com or .exe files at that point. Starship modified three bytes of the partition table and placed its code in six consecutive sectors of the hard disk's last track.
Starship also counted how many times the computer was booted. On each boot the virus loaded itself into video memory, where it decrypted (unpacked) itself. Sitting in video memory, it intercepted interrupts to protect itself from being overwritten on the hard disk and waited for the first program that ran to finish. When that happened, the virus moved itself into main memory, occupying 2688 bytes.
Starship then infected .com and .exe files on drives A: and B:, adding its code to a file only as the file was closed, which made detection harder.
The payload appeared after 80 boots: to a melodic tune, colored pixels appeared on screen, each representing one access to a disk.
Groove ("When you get a groove, time flies") - 1992
And here is the virus that used Dark Avenger's DAME (see the previous item) for its encryption. Groove was the first virus to use that module while infecting .exe files. Its homeland is Germany, although it managed to spread around the world and reach the United States.
Once an infected file ran, the virus placed itself in high memory, just below the DOS 640K boundary.
What the DOS 640K boundary is:
"In 1982, when the IBM PC was introduced with 64K of RAM on the motherboard, a maximum program size of 640K seemed incredibly huge. Some users worried that MS-DOS itself, the resident device drivers and the applications all had to fit into a 640K memory space. There were not many programs at the time, and most of them fit easily into 64K. Now, of course, programs have grown enormously, DOS has grown, and there are many device drivers adding features that are now considered simply necessary. A minimum of 640K is no longer enough, which Windows is intended to fix.
Although IBM and Microsoft set the limit at 640K, the Intel 8088 microprocessor bears much of the responsibility. The original IBM PCs were built around the Intel 8088. A microprocessor has a certain number of pins, and that number dictates how much memory it can address. The Intel 8088 had 40 pins (20 of them for memory addressing), enough to address 1000K of memory. In designing the IBM PC, the engineers needed some of that 1000K for the computer to drive the monitor. Another part was used for various basic system functions the computer needed in order to work, and the engineers also reserved part of it for future needs. What remained is our 640K."
Quote from the book Software Patents / Third Edition / 2012 (by Gregory A. Stobbs)
Groove attached its code to the .com and .exe files the user ran; to be infected, an .exe file had to be smaller than a certain size (unfortunately, I could not find out which). Infected programs stopped working properly, and an infected COMMAND.COM made the system unbootable.
After 00:30 the virus displayed the message:
Dont wory, you are not alone at this hour ...
ThisVirus is NOT dedicated to Sara
its dedicated to her groove (... thats my name)
This Virus is only a test Virus there for
be ready for my next test ...
To prolong its own life, the virus deleted or corrupted files belonging to antivirus programs.
Qark's Incest family ("we are family, I got all my sisters with me ...") - 1994
In this section we look not at one virus but at a whole "family" by the Australian virus writer Qark, who went on to join the VLAD (Virus Labs & Distribution) group. Qark's active period within the group ran from 1994 to 1997.
Now for the members of this viral clan.
Daddy
Daddy went resident by reducing the size of a Memory Control Block (MCB), but only if that MCB was the last one in the chain. It could also create its own MCB with the owner field set to 0x0008 (the value DOS uses for its own blocks, which makes the block look like a system allocation) and then hook INT 21h.
Files were infected when they were opened or when a program read their data or attributes. Daddy also hid its own size from directory listings obtained through the FCB findfirst/findnext calls, and it marked infected files by setting the file's time stamp equal to its date stamp.
Daddy also contained the following lines:
[Incest Daddy]
by Qark / VLAD
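Daddy's way of going resident is easiest to see on a simulated MCB chain. The Python below is an added example (not Qark's code): it lays out a constructed conventional-memory image, carves a DOS-owned block off the last MCB the way the description says, and runs the consistency and ownership checks a scanner of the time could apply. The "DOS block above a program block" heuristic is an assumption of the example, not a DOS rule.

```python
import struct

PARA = 16  # DOS manages memory in 16-byte paragraphs; an MCB header is one paragraph

OWNER_FREE, OWNER_DOS = 0x0000, 0x0008


def write_mcb(mem, seg, sig, owner, size, name=""):
    """Write one Memory Control Block at segment `seg`: signature 'M' (more
    blocks follow) or 'Z' (last block), owner PSP segment, size in paragraphs
    of the data following the header, and the DOS 4+ owner name field."""
    off = seg * PARA
    mem[off:off + PARA] = (sig.encode() + struct.pack("<HH", owner, size)
                           + b"\0" * 3 + name.encode().ljust(8, b"\0")[:8])


def build_memory(first_seg, blocks, total_paras):
    """Constructed conventional-memory image with an MCB chain starting at
    `first_seg`.  `blocks` is a list of (owner, size_paras, name); the last
    block is stretched to the top of memory and marked 'Z'."""
    mem = bytearray(total_paras * PARA)
    seg = first_seg
    for i, (owner, size, name) in enumerate(blocks):
        last = i == len(blocks) - 1
        if last:
            size = total_paras - seg - 1
        write_mcb(mem, seg, "Z" if last else "M", owner, size, name)
        seg += 1 + size
    return mem


def walk_chain(mem, first_seg):
    """Follow the chain the way DOS (or a scanner) does: next = seg + 1 + size."""
    seg, chain = first_seg, []
    while True:
        off = seg * PARA
        sig = chr(mem[off])
        owner, size = struct.unpack("<HH", mem[off + 1:off + 5])
        name = mem[off + 8:off + 16].rstrip(b"\0").decode("ascii", "replace")
        chain.append({"seg": seg, "sig": sig, "owner": owner, "size": size, "name": name})
        if sig == "Z":
            return chain
        if sig != "M":
            raise ValueError("MCB chain corrupt at %04Xh" % seg)
        seg += 1 + size


def carve_from_last(mem, first_seg, paras, name="SD"):
    """Simulate Daddy's residency trick: shrink the last MCB by `paras`+1
    paragraphs, turn it into an 'M' block, and create a new 'Z' block on top
    owned by DOS (0x0008) so the memory looks like a system allocation.
    Returns the new block's segment."""
    last = walk_chain(mem, first_seg)[-1]
    if last["size"] < paras + 1:
        raise ValueError("not enough room in the last block")
    shrunk = last["size"] - paras - 1
    write_mcb(mem, last["seg"], "M", last["owner"], shrunk, last["name"])
    new_seg = last["seg"] + 1 + shrunk
    write_mcb(mem, new_seg, "Z", OWNER_DOS, paras, name)
    return new_seg


def chain_is_consistent(chain, total_paras):
    """The carved chain still ends exactly at the top of memory, so a plain
    chain walk raises no alarm."""
    end = chain[-1]["seg"] + 1 + chain[-1]["size"]
    return end == total_paras and all(b["sig"] == "M" for b in chain[:-1])


def suspicious_dos_blocks(chain):
    """Heuristic (an assumption of this example): DOS allocates its own blocks
    at the bottom of memory before any program loads, so a block claiming
    owner 0x0008 *above* the first program-owned block deserves a look."""
    first_program = next((b["seg"] for b in chain
                          if b["owner"] not in (OWNER_FREE, OWNER_DOS)), None)
    if first_program is None:
        return []
    return [b["seg"] for b in chain if b["owner"] == OWNER_DOS and b["seg"] > first_program]


def demo():
    """Constructed layout in a 64 KB image (4096 paragraphs): a DOS data block,
    COMMAND.COM, and a running program that owns the rest.  A program's PSP
    segment is its MCB segment + 1, which is what the owner fields hold."""
    total, first = 0x1000, 0x0100
    mem = build_memory(first, [(OWNER_DOS, 0x40, "SD"), (0x0142, 0x30, "COMMAND"),
                               (0x0173, 0, "PROG")], total)
    before = walk_chain(mem, first)
    new_seg = carve_from_last(mem, first, 0x20)
    after = walk_chain(mem, first)
    return before, after, new_seg, chain_is_consistent(after, total), suspicious_dos_blocks(after)


if __name__ == "__main__":
    before, after, new_seg, ok, flagged = demo()
    print(len(before), len(after), hex(new_seg), ok, [hex(s) for s in flagged])
```

Note that after the carve the chain is still perfectly consistent, which is why walking the MCB chain alone did not catch such viruses; the only tell-tale sign is the owner field (0x0008) in a position where DOS itself would not normally allocate, plus, of course, the hooked INT 21h vector, which this model does not cover.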
Mummy
Under MS-DOS, when a command is typed without an extension, .COM files take precedence over .EXE files. Mummy exploited this as a companion virus: it created a .com file alongside the target .exe, so running the program by name launched the virus, which first ran the original .exe and then went resident by hooking INT 21h.
Like Daddy, the virus was encrypted and used similar evasion techniques. Mummy had one more unusual stealth trick: the companion .com files were created with the hidden attribute set, and when a program issued the ASCIIZ FindFirst call, the virus cleared the hidden bit from the requested attribute mask. As a result, the infected companions never showed up in directory listings or in antivirus scan results.
The Mummy virus code contained the signature:
[Mummy Incest] by VLAD of Brisbane.
Breed baby breed!
Sister
This virus used the same MCB manipulation as Daddy. Files were infected on open, execute, chmod and rename. Infected files were marked by adding a "magic" value in the MZ header.
Signature in Sister virus code:
[Incest Sister]
by VLAD - Brisbane, OZ
Brother
To avoid repeating ourselves: this virus did the same as the other members of the "family", manipulating the MCB chain and hooking INT 21h. It also deleted the checksum databases of Central Point Anti-Virus and Microsoft Anti-Virus. Infected files were marked by setting the seconds field of the time stamp to 62, a value the DOS time format can encode but a real clock never produces.
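The infection markers used by this family, and by Rock Steady earlier in the article (the "MZ"/"ZM" swap), all live in the DOS directory entry or the EXE header. The following Python is an added example (not code from any of these viruses) that packs and unpacks the DOS time and date words, applies the three markers, and shows the checks a scanner uses to spot them. The directory entry is constructed.

```python
# DOS directory-entry time word: bits 15-11 hour, 10-5 minute, 4-0 seconds/2.
# DOS directory-entry date word: bits 15-9 year-1980, 8-5 month, 4-0 day.


def dos_time(hour, minute, second):
    return (hour << 11) | (minute << 5) | (second // 2)


def dos_date(year, month, day):
    return ((year - 1980) << 9) | (month << 5) | day


def unpack_dos_time(t):
    return (t >> 11) & 0x1F, (t >> 5) & 0x3F, (t & 0x1F) * 2


def mark_seconds_62(t):
    """Brother's marker: the 5-bit seconds field set to 31, i.e. 62 seconds."""
    return (t & ~0x1F) | 31


def is_marked_62(t):
    return (t & 0x1F) == 31


def mark_time_equals_date(entry):
    """Daddy's marker: copy the date word into the time word."""
    return dict(entry, time=entry["date"])


def swap_mz_signature(header):
    """Rock Steady's marker: flip the EXE signature between "MZ" and "ZM",
    both of which DOS accepts when loading an .exe."""
    sig = header[:2]
    if sig == b"MZ":
        return b"ZM" + header[2:]
    if sig == b"ZM":
        return b"MZ" + header[2:]
    raise ValueError("not an EXE header")


def marker_report(entry):
    """Scanner-side checks over a directory entry {name, time, date, header}.
    Seconds above 58 (field value above 29) cannot come from a real clock; a
    time word identical to the date word is a coincidence worth checking; a
    "ZM" signature is rare in files produced by ordinary linkers."""
    hits = []
    _, _, seconds = unpack_dos_time(entry["time"])
    if seconds > 58:
        hits.append("seconds=%d (impossible, cf. Brother)" % seconds)
    if entry["time"] == entry["date"]:
        hits.append("time word equals date word (cf. Daddy)")
    if entry["header"][:2] == b"ZM":
        hits.append('"ZM" EXE signature (cf. Rock Steady)')
    return hits


# Constructed clean directory entry for a small .exe file.
SAMPLE = {"name": "PROG.EXE", "time": dos_time(14, 30, 20),
          "date": dos_date(1994, 7, 14), "header": b"MZ" + bytes(26)}


if __name__ == "__main__":
    print(marker_report(SAMPLE))                                                  # []
    print(marker_report(dict(SAMPLE, time=mark_seconds_62(SAMPLE["time"]))))    # Brother
    print(marker_report(mark_time_equals_date(SAMPLE)))                          # Daddy
    print(marker_report(dict(SAMPLE, header=swap_mz_signature(SAMPLE["header"]))))  # Rock Steady
```

The seconds trick works because the DOS time word stores seconds divided by two in five bits, so field values 30 and 31 (60 and 62 seconds) are encodable but never produced by a clock. Checking for `seconds > 58` is therefore a cheap integrity test, and it remains useful in forensic timeline work on FAT volumes.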
Tentacle (I'm the Tentacle Virus!) - 1996
Another family of viruses, although its members were not created at the same time but followed one another as updated versions. Possible countries of origin are the UK or France.
When an infected file ran, the virus searched for .exe files in the current directory and in the Windows directory, infecting one file in the current directory and two in the Windows directory. Some files were damaged by the infection.
Tentacle's distinctive feature was that it replaced the icon of the infected file with its own, but only if the infection took place between 00:00 and 00:15.
Also in the virus code you could find the phrase:
Virus Alert! This file is infected with Win.Tentacle
CAP (Dios y Federacion) - 1996
A Word macro virus written by Jacky Qwerty from Venezuela; within a few weeks it had spread around the world.
The virus contained 10 to 15 macros, depending on the language version of Word. In the English version the macros were:
CAP
AutoExec
AutoOpen
FileOpen
AutoClose
FileSave
FileSaveAs
FileTemplates
ToolsMacro
FileClose
In other language versions, the virus created five additional macros, copies of the last five in the list above under localized names. When an infected document was opened, CAP deleted the macros in NORMAL.DOT and replaced them with its own; the Macro, Customize and Templates items disappeared from the Tools menu, and if the toolbar had a corresponding button, it simply stopped working.
Decrypting the macros revealed the following message:
'CAP: Un virus social ... y ahora digital ...
'“J4cKy Qw3rTy” (jqw3rty@hotmail.com).
'Venezuela, Maracay, Dic 1996.
'PD Que haces gochito? Nunca seras Simon Bolivar ... Bolsa!
Translation:
CAP: A social virus... and now a digital one...
"J4cKy Qw3rTy" (jqw3rty@hotmail.com).
Venezuela, Maracay, Dec 1996.
P.S. What are you up to, gochito (a Venezuelan nickname for someone from the Andes)? You'll never be Simón Bolívar... Fool!
Esperanto ("I did a movie in Esperanto") - 1997
The world's first multi-platform virus: it infected Windows and DOS PCs with x86 processors as well as Mac OS machines with Motorola 68k or PowerPC processors.
Work on Windows and DOS
After activation the virus first checked for a working copy of itself in memory and, if there was none, went resident. It infected .com and .exe files as they were opened, and could handle DOS, NewEXE (NE) and Portable Executable (PE) formats.
Work on MacOS
To infect Mac files, the virus carried a special MDEF resource at the end of its code. Mac OS treats the Intel part as garbage and goes straight to the Motorola code, which therefore runs without emulation and lets the virus go resident in memory. On PowerPC Macs the virus ran thanks to the 68k emulator built into the Mac OS. Since it infected system files, the virus was activated at system startup.
On 26 July (under 32-bit Windows) the virus displayed the following message:
Never mind your culture / Ne gravas via kulturo,
Esperanto will go beyond it / Esperanto preterpasos gxin;
never mind the differences / ne gravas la diferencoj,
Esperanto will overcome them / Esperanto superos ilin.
Never mind your processor / Ne gravas via procesoro,
Esperanto will work in it / Esperanto funkcios sub gxi;
never mind your platform / Ne gravas via platformo,
Esperanto will infect it / Esperanto infektos gxin.
Now not only a human language, but also a virus…