Wednesday, September 24, 2008

History of Virus

Virus or ‘Various informations and resources under seize’ was designed in Pakistan (Can you believe they made it even before us) back in 1986. It was the Brain virus from Pakistan. Brain was a boot sector virus and only infected 360k floppy disks. Interestingly, even though it was the first virus, it had full-stealth capability.
In December of 1986, a file infecting demo virus was introduced. It was called Virdem and was created in Germany.
Two other demo virus have 1986 copyright notices. These are the Burger virus (Program Virus ver. 1.1 by R. Burger) and the Rush Hour virus by B. Fix.
Here is some information regarding this issue for those who are interested:
1987 – Outbreaks
* Klaus Barbie sentenced for Nazi war crimes.
* DOS 3.3
* OS/2 1.0
* Windows 2.0 released.
* PS/2 introduced.
In October of 1987, Brain was discovered in the wild, at the University of Delaware. Other viruses were first discovered in 1987 at universities around the world. In November, the Lehigh virus was discovered at Lehigh University in the United States. The virus only infected Command.com. Since Command.com remains resident, this was technically the first memory-resident file infector.
In December, the Jerusalem virus, appeared at the Hebrew University of Israel. It was the first file infector designed to go memory-resident. It is possible that Jerusalem was the fourth in a series of viruses by the same author. The other three were the Suriv variants 1, 2, and 3. (Suriv is Virus spelled backwards). These however came to light after Jerusalem did. Jerusalem was also the first virus discovered that infected programs with either .COM or .EXE extensions (and the first to contain a bug which causes it to re-infect already infected programs).
Reportedly, around this time, Stoned (the first MBR infector) was written by a student at the University of Wellington in New Zealand and the Vienna Virus was written by an Austrian high school student.
In 1987 a book was released with a disassembly of the Vienna virus. Also in that book was source code for other viruses, including the Burger and Number One viruses.
A virus appeared in South Africa that deleted files on Friday the 13th.
1988 – Variations
* Terrorists kill tourists on Aegean cruise ship.
* Bomb destroys Pan-Am 747 over Lockerbie, Scotland.
* DOS 4.0 with support for hard drives over 32 meg.
* OS/2 1.1 released.
* Less-expensive 80386SX announced.

A variant of Brain (Shoe) was found in the wild at Houston University in the USA. A “defanged” variant of the South African Friday the 13th virus was made available on BBS’s in the USA.
The Den Zuk viruses (two versions) were created in March by Denny Yanuar Ramdhani in Bandung, Indonesia. The virus will detect and remove the Brain virus. It also immunizes the disk against Brain infection. This was evidently the first anti-virus virus. (A letter from the virus’s creator was published in the Virus Bulletin of February, 1991)
The Cascade Virus is found in Germany. It is a memory-resident virus and introduced self-encryption using a random key. Cascade was evidently the first encrypted virus.
Ping Pong Virus was found at the university of Turin in Italy in March.
Media Attention
During 1988, viruses started getting media attention. Magazines with articles included:
* Business Week, Aug 1
* Byte, Jul
* Changing Times, Sep
* Compute!, Jun, Jul, Aug, Oct, Dec
* Datamation, Sep 15, Oct 15
* Design News, Dec 19
* Fortune, Dec
* Futurist, Sep/Oct
* Industry Week, Aug 15
* Newsweek, Nov 14, Nov 28
* PC-Computing, Nov, Dec
* PC Magazine, Feb 29, Jun 14, Jun 28
* Personal Computing, Jul
* Science, Apr 8, Nov 25
* Time, Feb 1, Sep 26
* US News and World Report, Oct 3
* Working Woman, Sep
In addition, PC Week had over 20 articles on viruses during the year. Some of today’s top antivirus researchers got started before 1989.
1989 - Feeding frenzy
* Exxon Valdez oil spill.
* Bush becomes US President.
* Czechs and Romanians end communist rule.
* Intel announces 80486.
* OS/2 1.2 released.
* Dilbert was born.
By the time I examined my first virus on August 16, 1989, there were about 30 known viruses. Until then I had only read about them. I had been writing security and copy protection programs in assembler at the time and had made a program to detect viruses and Trojans. I ran it on the virus (Jerusalem.1808.Standard) and several alarms sounded. Today the program would be called a heuristic scanner. It had very limited distribution on a couple of local BBS’s and a total of one registered user.
Not long after I got the virus, that one registered user (Rick Mendosa) offered me a job at a business magazine where I became the research editor. One day soon after that he handed me a clipping about a virus that people thought would soon wreak havoc on civilization.
DataCrime
The Washington Post of September 17, 1989 reported, under the headline “Computer Virus Sparks a User Scare; Some Analysts Say the ‘Friday the 13th’ Fears Are Overblown” “A computer ‘virus’ that springs to life destructively on Friday the 13th is on the loose, and across the country computer users are rushing helter-skelter to protect their machines against it.” There was actually some confusion in the flurry of news reports and quoted “experts”. Actually two viruses were being described in the reports. One was DataCrime, which would trigger any day after October 12th. The other was Jerusalem, which triggers on any Friday the 13th. And this October 13th was on a Friday.
Here are some other headlines from other stories about DataCrime from this period:
* “Rumors abound of Columbus Day virus attacking MS-DOS nets” - Federal Computer Week, August 28, 1989
* “Experts warn of DataCrime virus, plan prevention” - PC Week, September 11, 1989
* “Virus outbreak rumored” - MIS Week, September 18, 1989
* “NIST fears virus attack after holiday” - Government Computer News, October 2, 1989
* “Friday the 13th: a virus is lurking” - New York Times, October 8, 1989
* “Computer virus doesn’t cause much lost sleep” - Wall Street Journal, October 13, 1989
* “Computer Virus Cases Called Rare” - The Washington Post, October 14, 1989
* “Virus Week finds sites ready, still waiting for infections” - Computerworld, October 16, 1989
* “DataCrime fizzles in U.S.” - Newsbytes, October 17, 1989
Dark Avenger
Yet, although DataCrime was blown all out of proportion, several important viruses did first appear during 1989. One in particular was mentioned in the headline: “‘Dark Avenger’ wreaks havoc at software firm” - PC Week, December 25, 1989
The Dark Avenger.1800 virus, unlike DataCrime, actually could represent a threat worldwide. The virus was reportedly written in Sofia, Bulgaria in January of 1989, by an individual calling himself Dark Avenger. It well represented the coming escalation in the virus vs. anti-virus war.
This virus introduced two worrisome features. First, it was designed to do slow, insidious damage to the system rather than sudden, obvious damage. It would randomly write garbage to sectors of the drive, so the damage would tend to go unnoticed, and the damaged files would in turn be backed up.
Second, it was a fast infector. Resident viruses before this would infect programs as they were run. Dark Avenger also infects programs when they are opened. Therefore, if the virus was in memory and you ran an anti-virus scanner (that wasn’t aware of the virus) on the system, the virus would piggyback on the scanner and infect every program the scanner looked at.
Frodo Lives
In October of 1989, another important virus was discovered in Haifa, Israel. This was the Frodo virus. Frodo was the first full-stealth file infector. It was designed to damage the hard disk if run on or after September 22 of any year. However, in all reported samples of the virus the damage routine is corrupted and Frodo simply hangs the system.
Frodo got its press coverage the following year with the headline:
* “Computer Virus Is Due to Strike Today, Expert Warns” - Los Angeles Times, September 22, 1990 (From Reuters)
Et cetera
Other interesting viruses in 1989 were:
* Alabama virus discovered in Israel.
* Amstrad virus reportedly published in a magazine.
* DBase virus reported by Ross Greenberg.
* Do Nothing virus on BBS’s in Israel.
* Vienna.Ghostballs in Iceland. Puts a non-infective, modified Ping-Pong boot sector on the A: drive.
* Icelandic, Saratoga, and MIX1 viruses discovered in Iceland.
* Murphy viruses. Later distributed as source code on European BBS’s.
* Trackswap virus. With text: “(C) June, by the CIA.”
* Vacsina (and later Yankee Doodle) viruses.
* Zerobug virus.
Research and Development
A few months before I got my first virus, Steve White organized the High Integrity Computing Laboratory at IBM’s Thomas J. Watson Research Center. About the same time, IBM released its first antivirus product.
One month before I got my first virus, a journal called Virus Bulletin began. It was and is an excellent source of accurate, timely information on viruses.
In retrospect, it seems that many seeds sprouted around this time that grew into today’s antivirus industry. For example, in these early days before 1990, most of today’s top antivirus professionals got started.
Among these are:
Bill Arnold, Tjark Auerbach, Pavel Baudis, Vesselin Bontchev, David Chess, Paul Ducklin, Richard Ford, Ray Glath, Ross Greenberg, Dmitry Gryaznov, Jan Hruska, Eugene Kaspersky, Jeff Kephart, Mike Lambert, Igor Muttik, Roger Riordan, Fridrik Skulason, Alan Solomon, Wolfgang Stiller, Morton Swimmer, Roger Thompson, Frans Veldman, Joe Wells, Steve White, and Righard Zwienenberg.
1990 - S.P.A.M.
* Iraq invades Kuwait.
* East and West Germany unite.
* Lech Walesa elected Polish president.
* Windows 3.0 (Hardware) 80486 released.
Have you ever seen a Stealth, Polymorphic, Armored, Multipartite virus?
Stealth is a mechanism by which a virus hides size increase and/or its own code.
Polymorphism involves encrypted viruses where the decryption routine code is variable.
Armoring is used to prevent anti-virus researchers from disassembling a virus.
Multipartite is a virus that can infect both programs and boot sectors.
Well, 1990 was the year of mix and match. Demo viruses from two separate researchers in the United States introduced advanced polymorphism as well as armoring (these were the V2Px viruses, Virus-90 and Virus-101). The Fish virus was full stealth and encrypted with a very short decryptor (14 bytes).
Joshi took boot sector stealthing to new levels.
The title of “first successful multipartite virus” should probably go to the Flip virus (which is also polymorphic). There were however two multipartite viruses that probably predate Flip. They were Anthrax and V1, but neither was very successful.
Then we found out what armor really was. A new virus appeared that was more armored than a M1A1 Abrams tank.
The Mother of all Viruses
I was still a magazine editor in 1990. I asked a well known anti-virus developer about a new virus and he predicted some degree of doom and gloom. Good thing I never published his prediction. It was the Whale virus, and a better description of its effectiveness was given at a virus conference in early 1991. There, Steve White of IBM said that he could give the Whale virus to everyone in the audience and it still wouldn’t spread.
While there was not much frenzy in the press about Whale, there was way too much paper and ink wasted on it in the anti-virus industry. Even more time was wasted by anti-virus researchers.
VxBBS
During 1990, a new threat arose in the form of virus exchange BBS’s. These boards had huge virus collections for download. But to download viruses, the user had to upload viruses first. This resulted in hundreds of viruses being created just for upload. Moreover, many hacked viruses, non-viruses, attempts at viruses, and completely innocent programs were being uploaded. In turn, these unwieldy conglomerate masses made their way into antivirus research collections. Worse still, such horrific “test collections” fell into the hands of product reviewers. (During 1992, one of these sets was sold in the United States for $100.)
Anti-Virus Products
By the end of 1990 there were a number of anti-virus products available. While researching this timeline, I found a list of scanners I was going to test for a magazine review. The list is dated December 18, 1990. The products I had for testing were:
* AntiVirus Plus from Iris
* Certus from Certus International
* Data Physician from Digital Dispatch
* Turbo Antivirus from Carmel
* Virex-PC from Microcom
* Virucide (McAfee’s Pro-Scan) from Parsons
* Virusafe from Elia Shim
* ViruScan from McAfee
At the time, I felt this list was fairly complete. It isn’t. Other anti-virus scanners from 1990 include:
* Dr. Solomon’s Anti-Virus Toolkit from S&S
* F-Prot from Frisk Software
* ThunderByte from ESaSS
* Vaccine from Sophos
* Vaccine from World Wide Data
* V-Analyst from BRM
* Vet from Cybec
* VirusBuster from Hunix
* Virscan from IBM
* Vi-Spy from RG Software
One other product appeared in December of 1990 of which I had heard rumors. Its release foreshadowed a new direction the antivirus industry would take in 1991. The product was Norton AntiVirus.
1991 - Corporate takeover
* U. N. forces win Gulf War.
* Warsaw Pact dissolved.
* DOS 5.0 released.
* OS/2 1.3 released.
* Intel introduces less-expensive 80486S
I never finished that review. Instead, one of the companies I had been dealing with hired me as a programmer. In January of 1991 I accepted a job with Certus. I moved my family (wife and four kids) from sunny southern California to snowy northern Ohio and began my career in anti-virus research.
Also in January of 1991, Roger Riordan of Cybec in Australia discovered a Stoned variant. He found that it triggered on the birthday of a Max Telfer. Max, evidently not wanting the thing named after him, suggested the name of someone else born on that day. So Roger named it Michelangelo.
In March, at an anti-virus conference, Roger gave me a copy of the virus. I really didn’t think much about it at the time. I had no inkling at all of the magnitude of media mayhem that Michelangelo would cause.
Also in March, Dark Avenger announced on a Bulgarian BBS that he and his friends were working on a new virus that would mutate in 1 of 4,000,000,000 different ways. That “virus” didn’t appear until January of 1992 and actually turned out to be something that hit the anti-virus community harder than Michelangelo hit the press. It wasn’t actually a virus; it was an object file to link to viruses. It was a mutation engine (MtE).
Additionally, in March of 1991 the VCS V1.0 was discovered. VCS stands for Virus Construction Set. The set allowed the user to build viruses. Other virus construction kits followed. Nowhere Man’s VCL (Virus Construction Lab) had a nice Borland-like DOS interface and allowed the user to build viruses by pointing and clicking. Later, Phalcon/Skism’s PS-MPC also allowed virus mass-production. Look in any anti-virus product’s virus list and you’re sure to see lots and lots of VCL and PS-MPC viruses.
April of 1991 saw the discovery of the ultimate SPaM virus. Tequila is not only Stealth, Polymorphic, and Multipartite, it is also an anti-anti-virus virus (or retrovirus) and uses tunneling.
On a plane ride with Peter Tippett, returning from that conference in March, we discussed anti-virus techniques and problems. The result of that discussion was a new product called Novi. We designed it so that it detected common viruses during installation and thereafter prevented infection by known and unknown viruses. The box said “No Updates Required.” Novi was released in September of 1991. In the following month a new type of virus was discovered and we had to update Novi.
The DirII virus did not infect in the traditional ways. It has been termed a “linking virus” and “cluster virus.” It actually places a single copy of itself on the disk. Then it infects by setting the cluster pointers in directory sectors to point to itself.
Corporate Takeover
The antivirus industry started to look, smell, and taste like money.
The big news in the antivirus industry in 1991 involved the utility software companies in the United States. After Symantec released Norton AntiVirus, their competitors jumped in by repackaging Israeli anti-virus products.
* Central Point released CPAV (Carmel’s Turbo AntiVirus).
* Fifth Generation released Untouchable (BRM’s V-Analyst).
* X-Tree released ViruSafe (EliaShim’s ViruSafe).
The last two were actually released in January of 1992. The other main anti-virus product from Israel, AntiVirus Plus from Iris, was later licensed by Cheyenne Software.
In the years that followed 1991, an amazing consolidation occurred. It seemed to start when Symantec bought Certus. I moved back to California and worked on Norton AntiVirus 3.0.
The consolidation went like this:
* 1992 - Symantec acquires Certus (and I move back to California).
* 1993 - Central Point merges with X-Tree.
* 1993 - Symantec acquires Fifth Generation.
* 1994 - Symantec acquires Central Point.
During this time I often thought of the phrase “Resistance is futile. You will be assimilated.”
1992 - Nightmares
* Yugoslav Federation breaks up.
* Czechoslovakia becomes Czech and Slovak Republics.
* Windows 3.1 released.
* OS/2 2.0 released.
* First notebooks with 80486 processors appeared.
Vendor Nightmares
In January of 1992 we received Dark Avenger’s mutation engine. Not too long before this Fridrik Skulason and Alan Solomon had wrestled with descriptions of variably modified decryption routines and coined the term “polymorphic” as it applies to computer viruses. Here was polymorphism incarnate.
In February, I traveled to California for meeting with other anti-virus vendors. I liked the term “polymorphic” so much that I drilled it into everyone else’s psyches. The trip included a dinner with John Dvorak. Soon after, he wrote an article pushing the MtE, polymorphism, and multipartitism.
It is of interest that Dark Avenger took several months to produce his mutation engine and most anti-virus developers had detection for it in a day or two. Well, actually, many had detection that was too good. They could detect 101 percent (all MtE samples and a few other files). MtE brought to light the high risk of false positives in polymorphic viruses. Many of us went back to the drawing boards.
As if this wasn’t enough, before 1992 was over, Dark Avenger sent us his next nightmare creation. Commander Bomber was highly polymorphic, but not encrypted. Moreover, we had to coin another term to describe the way it infected. It was the first polymorphic, permutation virus.
Other innovative viruses appeared in 1992:
* EXEBug introduced CMOS modification to prevent clean booting.
* Groove was the first .EXE infecting MtE virus. It also targeted many anti-virus products.
* Invol was the first .SYS infector. It was also slightly polymorphic.
* Starship was a SPM, slow infector. It also introduced a new way to infect the hard drive.
* V-Sign was the first polymorphic boot sector virus.
* WinVer 1.4 was the first Windows virus.
User Nightmares
March meant Michelangelo media mayhem. As in the case of the DataCrime virus in 1989, Michelangelo hit the headlines in early 1992. The differences were that Michelangelo actually was in the wild and that there were more anti-virus companies competing for user dollars. Predictions of destruction ranged from one company spokesman who allegedly claimed that as many as 5 million systems would go down, to another company spokesman who said that it was more likely that you’d spill coffee in your keyboard than get the virus. Below is an example of how the headlines paralleled the DataCrime frenzy. The relevant headlines just in the Los Angeles Times were:
* Michelangelo Virus Is Alive and Virulent, Waiting for March 6 - Feb 21
* Doomsday Nears for Infected PCs - Feb 20
* Paint It Scary: Businesses, Others Scramble to Thwart Michelangelo PC Virus - Mar 4
* Michelangelo Virus Hits PCs at Some Firms Early - Mar 6
* Most Escape Brush With ‘Michelangelo’ - Mar 7
* Few Casualties From Dreaded Computer Virus - Mar 8
The full extent of this media mayhem was documented by Pamela Kane in an article titled “Anatomy of a Virus Scare” (ISPNews of May/June 1992) and in her book P.C. Security and Virus Protection Handbook.
While cases of the virus were few, anti-virus software sales soared. Because of this, some anti-virus companies appear to have thought that this feast would continue. Some overextended themselves and were unready for the sales famine that followed later in the year. Some of those companies no longer exist.
1993 - AV-DOS
* Fire kills 72 cult members in Waco, Texas.
* South Africa agrees to share transition powers.
* MS-DOS 6.0 released with Microsoft Anti-Virus included.
* PC-DOS 6.1 released with IBM AntiVirus included.
In mid-1993 I moved back to California to work at Symantec’s Peter Norton Product Group. About this same time I started a personal project to document exactly which viruses were being reported in the wild. I compiled a list of 100 viruses from various lists of “common viruses” and posted it to other members of CARO. I asked them to confirm or challenge each virus on the list.
In July I posted the first official WildList.
A number of significant new viruses appeared in 1993.
Soon after the release of MS-DOS 6.0, which contained Central Point Anti-Virus (CPAV) under the name Microsoft Anti-Virus (MSAV), a virus appeared in Germany that contained code to disable the resident portion of this anti-virus product. That virus was Tremor, which is still fairly common in Europe.
A buggy, bloated new virus appeared in the wild in the Washington, DC area that was called SatanBug. The virus got some minor press coverage. With the assistance of the anti-virus industry, federal agents tracked down its author and paid him a visit. Since he was a minor nothing came of the investigation.
Another virus that appeared was Monkey. Monkey is loosely based on the Stoned virus, but is full-stealth and stores the original master boot record (MBR) in an encrypted form. Unlike Stoned the virus does not leave the original partition table for the infected drive in place. The result is that the drive is invisible to DOS if the system is booted from an infected floppy diskette.
An additional problem with Monkey involved a “cure-all” technique that was publicized and became popular after Michelangelo became well known. The technique involves using an undocumented option with FDISK (a partitioning utility shipped with DOS). Using the command “fdisk /mbr” writes the code portion of the master boot record, but doesn’t make any changes to the partition table in the MBR.
For viruses like Stoned and Michelangelo this overwrites the start of the virus code and leaves the partition information. The technique does “kill” the virus. In the case of Monkey-like viruses that don’t preserve the partition information using this command “kills” the virus and leaves virus code in the partition table. The drive is then inaccessible to DOS.
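An added example (mine, not the page's) of the failure mode just described: a Python model of the MBR layout in which `fdisk /mbr` rewrites only the first 446 bytes and leaves the 64-byte partition table in place, plus the plausibility check a technician would want to run on that table before relying on the command. The two sector images are constructed stand-ins, not real Stoned or Monkey dumps.

```python
import struct

MBR_SIZE = 512
PT_OFFSET = 446            # the 64-byte partition table starts here
PT_ENTRY = 16
SIG = b"\x55\xAA"          # boot signature in the last two bytes


def build_mbr(code, entries):
    """Assemble a 512-byte MBR from bootstrap code and (boot, type, lba, sectors) entries."""
    table = b"".join(
        struct.pack("<B3sB3sII", boot, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        for boot, ptype, lba, count in entries)
    table = table.ljust(4 * PT_ENTRY, b"\0")
    return code[:PT_OFFSET].ljust(PT_OFFSET, b"\0") + table + SIG


def partition_entries(mbr):
    """Decode the four partition entries as (boot_flag, type, lba_start, sector_count)."""
    out = []
    for i in range(4):
        off = PT_OFFSET + i * PT_ENTRY
        boot, ptype = mbr[off], mbr[off + 4]
        lba, count = struct.unpack_from("<II", mbr, off + 8)
        out.append((boot, ptype, lba, count))
    return out


def partition_table_looks_sane(mbr):
    """Plausibility check of the partition table, which is what 'fdisk /mbr' relies on."""
    if len(mbr) != MBR_SIZE or mbr[-2:] != SIG:
        return False
    used = active = 0
    for boot, ptype, lba, count in partition_entries(mbr):
        if boot not in (0x00, 0x80):      # anything else is not a boot flag
            return False
        if ptype == 0:                     # empty slot
            continue
        if lba == 0 or count == 0:
            return False
        used += 1
        active += boot == 0x80
    return used >= 1 and active <= 1


def fdisk_mbr(mbr, clean_code):
    """Model of 'fdisk /mbr': rewrite bytes 0..445 only; bytes 446..511 are left untouched."""
    return clean_code[:PT_OFFSET].ljust(PT_OFFSET, b"\0") + mbr[PT_OFFSET:]


# --- constructed sample images (not real disk dumps) ---
CLEAN_CODE = b"\xFA\x33\xC0" + b"\x90" * (PT_OFFSET - 3)      # stand-in for real bootstrap code
CLEAN_MBR = build_mbr(CLEAN_CODE, [(0x80, 0x06, 63, 204737)])  # one active FAT16 partition

# Stoned-like case: bootstrap code replaced, partition table carried over unchanged.
STONED_LIKE = b"\xCC" * PT_OFFSET + CLEAN_MBR[PT_OFFSET:]

# Monkey-like case: the whole sector is virus data; the 64 table bytes are not a table
# (the real one is kept elsewhere, encrypted, so only the virus can put it back).
MONKEY_LIKE = b"\xCC" * PT_OFFSET + bytes(range(64)) + SIG


def recovery_outcome(mbr):
    """Would the drive still have a usable partition table after 'fdisk /mbr'?"""
    return partition_table_looks_sane(fdisk_mbr(mbr, CLEAN_CODE))


if __name__ == "__main__":
    for name, image in (("Stoned-like", STONED_LIKE), ("Monkey-like", MONKEY_LIKE)):
        print(f"{name}: table sane before={partition_table_looks_sane(image)}, "
              f"after fdisk /mbr={recovery_outcome(image)}")
```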
Other interesting viruses this year were:
* Strange, a boot virus that exploits an undocumented bug in DOS versions (early versions of PC-DOS and all versions of MS-DOS).
* Cruncher, touted as a “good” virus because it compresses infected programs and gives the user more disk space.
1994 - Outbreak on the Net
* Major quake hits Los Angeles (and the author).
* Tribal warfare breaks out in Rwanda.
* DOS 6.22 released.
* OS/2 Warp released.
During 1994 there were a number of interesting new viruses as well as some non-incidents.
A virus called Kaos4 was posted to the alt.binaries.pictures.erotica news group in a file called Sexotica.
The virus, which was encoded as text, was downloaded by a number of users, decoded into an executable program and run on their systems. In this way, visitors to this particular location along the superhighway launched a small epidemic.
Fortunately, Kaos4 is a truly mediocre virus. Had it been a more effective virus, it could easily have become pandemic. As it is, the virus is still reported in the wild in many countries.
Another virus called Chill, or Chill Touch, was found in some games on ZiffNet. Few were downloaded via Compuserve and the virus, like Kaos4, was mediocre, so the virus never really spread.
A virus called Junkie appeared and there was some initial press-release hype about it. The virus was not initially widespread, but has slowly taken hold and has become slightly common.
A destructive virus called Pathogen appeared in England. It contained a polymorphic engine called SMEG and was written by Black Baron. The author was later tracked down by New Scotland Yard’s Computer Crime Unit and jailed.
Two notable viruses appeared during 1994 that have since become quite common. Both are polymorphic and multipartite. These are One_Half and Natas (Satan spelled backwards).
1995 - A whole new concept
* Major quake hits Kobe, Japan.
* Oklahoma City federal building bombed.
* PC-DOS 7.0 released.
* Windows 95 released.
The year began quietly enough. Things were continuing as in the past. Everyone was waiting for the release of Chicago (Windows 95) and wondering what effect the new operating system would have on the future of anti-virus.
It was known that the most common viruses were boot viruses, which would not replicate under Windows 95. Some anti-virus companies were starting to foresee the death of their anti-virus products as DOS died. Then in August everything changed.
Sarah Gordon at Command Software Systems discovered and analyzed a new type of virus. Jimmy Kuo suggested a name the next day. Since that time it has been called Concept. Concept was a macro virus.
Concept is a macro virus written in WordBASIC (an interpreted programming language similar to Visual Basic for Applications). The language is built into the Microsoft Word environment. Specifically, the virus is written in the English-language implementation of WordBASIC; therefore, Concept will not run within the MS-Word environment if WordBASIC has been implemented in another language.
DOS viruses run in the DOS environment, Mac viruses run in the Mac environment, and Concept runs in the MS-Word environment. Thus, Concept appears to be cross-platform: it runs on any system that MS-Word runs on (Windows 95, Windows NT, Macintosh, etc.). But Concept is not a Windows virus or a Macintosh virus. It is an MS-Word virus. The MS-Word environment is the operating system that Concept replicates within.
Although the anti-virus community has pointed out that the idea of macro viruses is nothing new, most of the product developers were quite unprepared for Concept.
Dealing with Concept involves more than simply releasing a signature or a new database. Most anti-virus product developers have had to make major code changes in their products. That the anti-virus community was unprepared is illustrated by the fact that Virus Bulletin’s July, 1996 testing reported that eight of twenty-four scanners they tested (using default mode) failed to detect Concept. One third of these anti-virus products missed the world’s most common virus.
By the end of 1995, several other macro viruses were produced. While this new type of virus required a rethinking of viruses, it actually also breathed new life into the anti-virus field.
The new operating systems are no longer a hostile environment for viruses.
1996 - Lions and Tigers and Hares
* Olympics in Atlanta, Georgia bombed.
* TWA Flight 800 explodes off Long Island, New York.
During 1996 many more macro viruses have appeared. A few (Nuclear, NOP, and Wazzu) have become fairly common, but by no means as common as Concept. By the middle of the year, Concept was clearly the most common virus in the world.
Also in 1996 the first virus specifically for Windows 95 appeared. The virus, Boza, is a pitiful virus and is highly unlikely to spread. It was, however, widely publicized by anti-virus vendors and the press. (See our Hype Alert on Boza.)
In like manner, another virus called Hare was also trumpeted far and wide by the publicists. It became widespread by being downloaded from the Internet, but is also buggy, mediocre, and unlikely to spread. (See our Hype Alert on Hare.)
Still another notable virus caught the attention of the anti-virus marketing community. This was Laroux. Laroux is notable as the first virus to successfully infect Microsoft Excel spreadsheets. It was first discovered and analyzed by Sarah Gordon of Command Software Systems. However, like Hare, only a few reports of the virus in the wild have been received (actually, only two sites at this writing).

Remove autorun.inf manually

Instructions to remove autorun.inf
How to remove the autorun.inf virus, which is the cause of your drives opening in a separate window when you click on a drive name in My Computer.

There is a Trojan/virus (either the Win32/Pacex virus or the Win32/PSW.Agent.NDP trojan) that uses those two files. Here is how you can get rid of them:

1) Open up Task Manager (Ctrl-Alt-Del)
2) If wscript.exe is running, end it.
3) If explorer.exe is running, end it.
4) Open up “File > New Task (Run)” in the Task Manager
5) Run cmd
6) Run the following command, then repeat it for each of your other drives in turn: del #:\autorun.* /f/a/s/q

where # is replaced by the drive letter, e.g. c, d, e etc.

Be careful with this command: if executed wrongly it can delete all the data on your hard disk, file by file, so keep your mouse pointer on the X (close) button of the cmd window and, if it starts deleting your files, close it.

Alternatively, you can do this step without ending explorer.exe:

Just press Windows+R to open the Run dialog box, type cmd there, and it will give you a command prompt.

Now navigate to #:\ where # is replaced with each of your drive letters in turn.

I am taking the example of the c:\ drive.

At the c:\> prompt, type del /a/s/q/f followed by a space, then press Tab until you see autorun.inf, then press Enter.

Now you are done; do the remaining steps as I said. (Be careful: look closely and make sure it is autorun.inf before deleting it, and don’t delete any ntdetect file there, as that may crash your system.)

7) Go to your Windows\System32 directory by typing cd c:\windows\system32
8) Type dir /a avp*.*
9) If you see any files names avp0.dll or avpo.exe or avp0.exe, use the following commands to delete each of them:

attrib -r -s -h avpo.exe
del avpo.exe

10) Use the Task Manager’s Run command to fire up regedit
11) Navigate to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (as usual, take a backup of your registry before touching it!)
12) If there are any entries for avpo.exe, delete them.
13) Do a complete search of your registry for ntde1ect.com and delete any entries you find.
14) Restart your computer.
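An added example, not from the original post: a Python checker that parses an autorun.inf, lists the programs Windows would launch from it, and flags the file names the removal steps above tell you to look for, including the name that imitates the legitimate ntdetect.com with a digit swapped in. Both autorun.inf texts are constructed samples, not captured files.

```python
import re

# Constructed sample of the autorun.inf such malware drops in a drive root; the program
# name is the one the removal steps above tell you to search for (not a real capture).
SAMPLE_AUTORUN_INF = """[autorun]
open=ntde1ect.com
shell\\open\\Command=ntde1ect.com
shell\\explore\\Command=ntde1ect.com
shellexecute=ntde1ect.com
"""

# Constructed benign example: a driver CD that only sets an icon and a label.
BENIGN_AUTORUN_INF = """[autorun]
icon=setup.exe,0
label=Printer Drivers
"""

AUTOSTART_KEYS = {"open", "shellexecute"}                 # run on insertion / AutoPlay
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")  # run when the drive is opened
EXECUTABLE_EXT = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs")
KNOWN_BAD = {"ntde1ect.com", "avpo.exe", "avp0.exe"}      # names from the removal steps
LEGIT_SYSTEM_FILES = {"ntdetect.com", "ntldr", "boot.ini"}


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section; keys are lowercased."""
    pairs, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            pairs.append((key.strip().lower(), value.strip()))
    return pairs


def launched_programs(pairs):
    """Values Windows would execute on insertion or when the drive is opened in My Computer."""
    return [v for k, v in pairs if k in AUTOSTART_KEYS or SHELL_COMMAND.match(k)]


def base_name(command):
    """First token of a command line, without quotes or directory, lowercased."""
    tokens = command.split()
    if not tokens:
        return ""
    return tokens[0].strip('"').rsplit("\\", 1)[-1].lower()


def mimics_system_file(name):
    """Legitimate file name this one imitates by a single digit-for-letter swap, else None."""
    for legit in LEGIT_SYSTEM_FILES:
        if len(legit) == len(name) and name != legit:
            diffs = [a for a, b in zip(name, legit) if a != b]
            if len(diffs) == 1 and diffs[0].isdigit():
                return legit
    return None


def assess(text):
    """Summarise what an autorun.inf would launch and why each entry is suspicious."""
    programs = launched_programs(parse_autorun(text))
    findings = []
    for cmd in programs:
        name = base_name(cmd)
        legit = mimics_system_file(name)
        if name in KNOWN_BAD:
            findings.append(f"{name}: known-bad name from the removal steps")
        elif legit:
            findings.append(f"{name}: imitates system file {legit}")
        elif name.endswith(EXECUTABLE_EXT):
            findings.append(f"{name}: executable launched by autorun")
    return {"programs": programs, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, inf in (("sample", SAMPLE_AUTORUN_INF), ("benign", BENIGN_AUTORUN_INF)):
        print(label, assess(inf))
```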

Use system restore when you can’t boot your system

If your system has failed to the point where you cannot reach the Windows GUI, either by booting normally or through Safe Mode, you may still be able to use the System Restore feature (if you have it enabled) by running it from the command prompt.
To do this:
1. Restart your computer and press F8 after the POST screen to bring up the Windows XP boot menu.
2. Choose ‘Safe Mode with Command Prompt.’
3. If your system reaches the command prompt successfully, type %systemroot%\system32\restore\rstrui.exe and press Enter.
4. Follow the on-screen instructions to restore your computer to a previously saved restore point.

IP Address Explained

Every system connected to the Internet, or to a particular network, has a unique Internet Protocol Address, or IP Address. Just as in the real world every person has his or her own home contact address, every system connected to the Internet has its own unique IP Address. Your IP Address is the address to which data should be sent to ensure that it reaches your system; it acts as the system’s unique identity on the net.
An Internet Protocol Address (IP Address) is a 32-bit number, normally written as four decimal numbers (of 8 bits each), separated from each other by a dot. This standard is known as dotted-decimal notation.
Example: a typical IP Address looks like this: 202.34.12.23
It can be broken down as follows:
202 represents the first 8 bits.
34 represents the next 8 bits.
12 represents the third 8 bits.
23 represents the fourth 8 bits.
Taken together, 202.34.12.23 represents 32 bits. So each dot-separated number in an IP Address represents 1 byte, or 8 bits, and it is important to note that each of these numbers can only range from 0 to 255.
A huge number of IP Addresses are in use today. All these IP Addresses are related to each other in some way, and each individual IP Address can reveal a lot about the network of which it is a part. Before we move on to that, we need to understand that all IP Addresses in use are divided into a number of ranges, which are as follows:

Class   Range
A       0.0.0.0 to 127.255.255.255
B       128.0.0.0 to 191.255.255.255
C       192.0.0.0 to 223.255.255.255
D       224.0.0.0 to 239.255.255.255
E       240.0.0.0 to 247.255.255.255

So one can find out the Class to which an IP Address belongs simply by comparing the number before the first dot with the table above.
For example: in the IP Address 203.43.21.12, the number before the first dot is 203, and the table above tells us that it belongs to Class C.
IP Addresses are divided into the different classes on the basis of the structure of their network, or in other words on the basis of what the various dot-separated numbers actually stand for. To understand this, refer to the following:

Class   Information
A       The first 8 bits are the Netid and the last 24 bits are the Hostid
B       The first 16 bits are the Netid and the last 16 bits are the Hostid
C       The first 24 bits are the Netid and the last 8 bits are the Hostid
D       Represents a 32-bit multicast Group ID
E       Currently not used
The above table will be clearer after reading the following examples:
Examples:
If the IP Address 203.45.12.34 belonged to Class A, the network ID would be 203 and the host ID would be 45.12.34.
If the same IP Address belonged to Class B, the network ID would be 203.45 and the host ID would be 12.34.
And if it belonged to Class C (which, by the first table, it does), the network ID would be 203.45.12 and the host ID would be 34.
Almost all ISPs prefer to use a Class B network, and some use a Class C network. If that is the case, then each time you log in to your ISP the first two octets of your IP Address will not change, while the last two are likely to change. However, even if only the last octet changes and the remaining three remain constant, it is still likely that the ISP uses Class B addressing.
An IP Address belonging to the Class A range with a network ID of 127 is a special address, known as the loopback interface. It allows clients and servers on the same system to communicate with each other.
The commonly used loopback address is 127.0.0.1. Almost all systems also give the loopback address the special name 'localhost'.
An IP Address does not necessarily have to be written in dotted-decimal form. There is more than one way to represent an IP Address; some of these are as follows:
1. Decimal System: If an IP Address is represented in the decimal system, it is written in base 10. Normal IP Addresses are written in the decimal system. Example: 216.115.108.245
2. Domain Name System: If an IP Address is represented by human-readable names, it is said to be in DNS form. Example: www.yahoo.com
3. DWORD Format: DWORD is short for "double word"; it consists of two binary "words" of 16 bits each, i.e. the whole 32-bit address as a single number. It is almost always written in the decimal number system (base 10). Example: the hexadecimal value D8736CF5, written as a base-10 decimal number, becomes 3631443189
4. Octal System: If an IP Address is represented in the octal system, it is written in base 8. Example: 33034666365
5. Hexadecimal System: If an IP Address is represented in the hexadecimal system, it is written in base 16.
6. A Cross Breed: If an IP Address is written as a mixture of any two of the above systems, it is said to be a Cross Breed.
All the examples above are different representations of the same address of the same system. What I mean by this is that typing any of the following in your browser will take you to the same site
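As an added example (not code from the original post), here is a small Python 3 script that ties the class tables and the notation list above together: it parses any of the forms the post describes (dotted decimal, DWORD, octal, hexadecimal, and a mixed "cross breed" of them) into one 32-bit value, prints every notation of that value, and classifies it by first octet using exactly the post's class table. Normalising all of these spellings to one canonical dotted form is what a URL filter or log parser needs, since a link written as a DWORD or hex address looks different from its dotted form but reaches the same host. The mixed sample 216.0x73.0154.245 is constructed for the demonstration; because the post writes its octal example without a leading zero, the parser also accepts an explicit base argument.

```python
# Added example, not from the original post: normalise the IP notations the
# post lists and classify the result with the post's class tables.
# Python 3 standard library only.
from typing import Optional

# Class ranges exactly as the post's first table gives them (by first octet).
CLASS_RANGES = [("A", 0, 127), ("B", 128, 191), ("C", 192, 223),
                ("D", 224, 239), ("E", 240, 247)]
# Netid width in bits for the unicast classes, from the post's second table.
NETID_BITS = {"A": 8, "B": 16, "C": 24}


def _number(token: str, base: Optional[int] = None) -> int:
    """Parse one numeric token. With base=None the base is inferred the way
    browsers and inet_aton do: 0x prefix = hex, leading 0 = octal, otherwise
    decimal; a bare token containing a-f (the post's D8736CF5) is hex."""
    token = token.strip().lower()
    if base is not None:
        return int(token, base)
    if token.startswith("0x"):
        return int(token[2:], 16)
    if any(c in "abcdef" for c in token):
        return int(token, 16)
    if len(token) > 1 and token.startswith("0"):
        return int(token, 8)
    return int(token, 10)


def parse_ip(text: str, base: Optional[int] = None) -> int:
    """Return the 32-bit integer behind any of the notations above. A dotted
    form may mix bases per component (a "cross breed"); a single number is the
    DWORD / octal / hex form. `base` forces the base for every component, which
    the post's octal example (33034666365, written without a leading 0) needs."""
    parts = text.strip().split(".")
    if len(parts) == 1:
        value = _number(parts[0], base)
    elif len(parts) == 4:
        value = 0
        for p in parts:
            octet = _number(p, base)
            if not 0 <= octet <= 255:
                raise ValueError(f"component out of range 0-255: {p}")
            value = (value << 8) | octet
    else:
        raise ValueError("expected one number or four dotted components")
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("address does not fit in 32 bits")
    return value


def to_dotted(value: int) -> str:
    """32-bit integer back to dotted-decimal notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def representations(value: int) -> dict:
    """The single-number notations the post lists, for one 32-bit value."""
    return {"dotted": to_dotted(value), "dword": str(value),
            "octal": format(value, "o"), "hex": format(value, "X")}


def split_by_class(value: int, cls: str) -> tuple:
    """(netid, hostid) as dotted strings, using the post's netid widths."""
    octets = to_dotted(value).split(".")
    n = NETID_BITS[cls] // 8
    return ".".join(octets[:n]), ".".join(octets[n:])


def classify(value: int) -> dict:
    """Class by first octet per the post's table (None above 247, which the
    table does not cover), plus netid/hostid for the unicast classes A-C."""
    first = value >> 24
    cls = next((name for name, lo, hi in CLASS_RANGES if lo <= first <= hi), None)
    netid, hostid = split_by_class(value, cls) if cls in NETID_BITS else (None, None)
    return {"class": cls, "netid": netid, "hostid": hostid}


if __name__ == "__main__":
    # All of these spell the post's address 216.115.108.245 (hex D8736CF5);
    # the mixed form 216.0x73.0154.245 is a constructed "cross breed" sample.
    for sample in ("216.115.108.245", "3631443189", "0xD8736CF5", "D8736CF5",
                   "216.0x73.0154.245"):
        v = parse_ip(sample)
        print(f"{sample:>20} -> {representations(v)} {classify(v)}")
    print("octal 33034666365 ->", to_dotted(parse_ip("33034666365", base=8)))
```

Each of the five samples prints the same dotted form and the same class C entry, which is the point: a filter that compares addresses only as strings will treat them as five different hosts.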

Breaking In Windows XP Password

This post covers most of the ways of cracking Windows XP users' passwords.
Method 1:
If you have an administrator account (not Guest), then the XP users' passwords can be reset using the command prompt.
Go to the task bar and click on the Start button, then click on Run, type "command" in the dialog box and press Enter.
Now, in the command prompt, type "net user".
The screen will display the list of users available on the machine.
Suppose there are three administrator users with the names admin1, admin2 and admin3. Then the password of any user can be changed by logging into the account of any one administrator. For example, if we want to change the password of admin1, we can change it with the following command:
net user admin1 password
and similarly for other users.
The general syntax for changing a password is:
net user <username> <new password>
Limitations: The above method will only work if you are logged in as an administrator user.

Method 2:
Windows Recovery option.
Boot from the Windows XP CD and press Enter when you are prompted to install a Windows copy; on the next screen there is an option to repair the existing Windows version. This method is also known as the Windows recovery method.

The repair option takes as much time as the installation would have taken, because the Windows file system is replaced, including the SAM file where the passwords are stored:

C:\Windows\System32\config\sam

whereas the users' settings remain untouched. Thus the users' passwords are reset to a NULL value.
#In repair mode you have another hole through which to modify the password. It is easier. The steps are as follows.
Boot from the XP bootable CD. After the license agreement is accepted (by pressing F8), select the target Windows installation for repair.

After the file copy is completed the machine will restart and the repair process will start. You will see 'Installing devices', '39 minutes left' etc. at the bottom left of your screen.
Now press Shift+F10. A console (command window) will open.
Type nusrmgr.cpl and press Enter. This takes you to the user account settings. Now change the password; you will not be asked for the old password, just type the new password there.
Continue the repair process. It is strongly recommended that you continue the repair until it is completed.

You are done; the password is replaced. The password strength does not matter in this case.

Method 3:
Boot your computer from a live Linux CD or DVD which has NTFS/HPFS file-system support. Then mount the drive on which the Windows copy is installed. Copy the SAM file from the location
C:\Windows\System32\config\sam
which will appear as /media/disk-1/Windows/System32/config/sam
It is a common misconception that the SAM file can be viewed in a normal text editor; the SAM file isn't a normal text file.
The Gnome, KDE or vim text editors won't display the content of this file.
Open the file using the Emacs editor (available in nearly all Live Linux distributions). It will be hard to find the password hashes, so look for the user names, which are not encrypted; the password hashes can be found just after the user names. Copy the code between the "%" signs and search Google for rainbow tables; they will provide the decrypted value if it has already been brute-forced earlier. This isn't a sure-shot method, as the rainbow project is still under development. The password can be set to NULL by deleting the content, but this might corrupt the SAM file, after which recovery is the only option left.

Limitations: This method can corrupt your SAM file, which may lead to a repair of Windows XP, and you risk your personal data with that.

Method 4:
Ophcrack method.
This is a sure-shot password recovery method based upon brute-forcing.
This Live CD is based upon the Slax LiveCD v5.1.7. It has been customized to include ophcrack 2.3.3 and the SSTIC04-10k tables set. It is able to crack 99.9% of alphanumeric passwords. Since the tables have to be loaded into memory, cracking time varies with the amount of available RAM. The minimum amount of RAM required is 256MB (because the LiveCD uses a lot of it); the recommended amount is 512MB. Ophcrack will auto-detect the amount of free memory and adapt its behaviour to preload all the tables it can.
A shell script launched at the beginning of the X session (the session that manages your desktop) does the job of finding the Windows partition and starting the appropriate programs to extract and crack password hashes. It will look for all partitions that contain hashes; if more than one is found, you will have to choose between them.
If your partition is not detected, make sure the partition containing the hashes you want to crack is mounted, then use ophcrack's 'Load from encrypted SAM' function to recover your Windows hashes. Then click 'Launch' and the cracking process will start.
Download the ISO image of the Ophcrack Live Linux CD from the SourceForge mirrors.