From: Chris McDonald STEWS-IM-CM-S (2/24/93)
To: /usr/cmcdonal/maillist:@wsmr-emh03.army.mil
Cc: cmcdonal@wsmr-emh03.army.MIL
Subject: Overview of Virus Creation Laboratory

1. The Virus Creation Laboratory (VCL) is the work of Nowhere Man, who states that he released a beta test version 0.75 on April 23, 1992. Version 1.00 carries a July 5, 1992 initial release date. I obtained my copy of the program from the Computer Virus Developments Quarterly, Volume 1, Number 2 -- Winter, 1992/3. The Quarterly is the work of Mark Ludwig, the author of "The Little Black Book of Computer Viruses".

2. VCL arrived on a single non-write-protected disk. The program was in an encrypted ZIPPED file with an install program. The decrypt executable was on the disk. When one has completed decryption, one then invokes the install program. The installation screen identifies the source path of the VCL files, the destination path for installation which a user may change, and requests the user supply a password to unlock the files. Mr. Ludwig provided the password in a footnote to his Quarterly article on VCL.

3. If installation succeeds, one has the VCL executables, approximately 40,000 bytes of documentation, and eight "samples" of what one can produce with VCL. Nowhere Man states that he produced the samples in less than thirty minutes, and provides these names for the seven viruses and one trojan horse: Kinison, Code Zero, Pearl Harbor, Earth Day, Viral Messiah, Dontatello, Yankee-Doodle II, and Richard Simmons. A separate file describes the significance of the naming convention. For example, the "Richard Simmons Trojan displays a cute message, then helps the victim get rid of that unsightly FAT".

4. What is VCL? It is a menu-driven program to create appending, overwriting and spawning viruses as well as trojan horses for MS-DOS environments. One has options to determine the type of program to be produced, to set infection rates, to determine search paths for infection, and to select other variables. Probably the most interesting feature, and the most complicated for me, was the Effects menu option. The "stock" options run the gamut from "play a tune" to "erase files". When one selects an effect, one then must choose a condition which will trigger the effect. Trigger mechanisms can employ time, the day, the year, etc. I was never able to get certain options to work, but in most cases I am sure it was my errors rather than a function of VCL. The final VCL operation is to save one's work in a .VCL file and select a menu option to generate an .ASM file. One exits VCL and attempts to assemble the .ASM file with a MASM-compatible assembler. Nowhere Man recommends TASM in his documentation.

5. What immediate impact does VCL pose for users? I ran the following anti-viral tools against the eight samples with these results:

   a. F-PROT, version 2.07                               100% Detection Rate
   b. Viruscan, version 100                              100% Detection Rate
   c. NAV, version 2.1 (updates through December 1992)   Detected only one, and that as the Whale
   d. Thunderbyte Scanner, version 5.03                  100% Detection Rate
   e. VirX, version 2.06d                                100% Detection Rate
   f. CPAV, version 1.4                                  100% Detection Rate
   g. ViruSafe, version 4.6                              100% Detection Rate
   h. Virus Buster, version 3.93                         Detected five out of eight with specific identifications
   i. IBM AntiVirus/DOS, version 1.0                     0% Detection Rate

The "heuristic" scanning features of Thunderbyte Scanner were particularly impressive in analyzing individual samples. A few of the tools were less specific on identification, alarming for a "VCL" creation rather than for Nowhere Man's naming convention. But the results suggest that anti-viral researchers received the VCL some time ago and incorporated the necessary detection techniques. Mr. Ludwig in his article had a 100% detection rate with version 97 of Viruscan, which indicates that one may not even require the most current version of an existing tool. He also states that he created his own VCL viruses which Viruscan detected without exception.

6. What future impact might VCL pose for users? Nowhere Man states that in future versions of VCL one may expect the ability to create appending .exe viruses, to create boot sector viruses, to create memory resident viruses, to perhaps provide a polymorphic encryption facility, and to actively engage memory resident anti-viral programs. [Note: Targeting anti-viral program modules has already occurred, such as the Peach virus.] These enhancements would obviously present more attractive avenues for virus creation.

7. Mr. Ludwig is somewhat disparaging of the VCL. He takes issue with Nowhere Man's documentation claims as well as with the code worthiness of the output: "VCL isn't thoroughly debugged, and it can generate some strange code." I have heard other anti-viral researchers comment on this fact. It will be interesting to see if Nowhere Man chooses to respond. The VCL documentation states that Nowhere Man can be contacted on the Hell Pit Bulletin Board System, which has been discussed in Phrack and in the Computer Underground Digest. This would suggest to me that Mr. Ludwig could have contacted Nowhere Man, assuming that the latter is still active on the BBS, which I have confirmed is still in operation.

8. The recent National Computer Security Association's 2nd International Virus Conference and Exhibition in San Francisco had some interesting discussion on the VCL, particularly on the legality of distributing viral code and engines to generate such code. The United Kingdom, for example, has taken aggressive action to close down viral creation operations. More than one European viral researcher suggested how foolish we were in the United States to tolerate such activity. In the final analysis perhaps the significant impact of VCL will be to encourage, if not force, a reexamination of our legal standards and personal attitudes.
Since there are now several programs to automate some facet of viral/trojan horse production, the matter has moved beyond one of simple theoretical discussion.