NEWS FROM THE LAB - Thursday, July 26, 2012

1992

Posted by Mikko @ 15:40 GMT

It's time for the annual greetings from Vegas. Yes, it's the week of Black Hat and DEF CON.

[Image: Black Hat 2012]

This time around DEF CON is celebrating its 20th anniversary. The very first Vegas hacker party organized by Jeff Moss was in the summer of 1992.

I wasn't in Vegas in 1992 - my first DEF CON was DEF CON 7 in 1999.

So I started thinking about where I was in the summer of 1992 and what I was doing. I went through my archives. Turns out I spent the summer of 1992 analysing the very first Windows viruses. Before this, we had been spending our time with MS-DOS and Mac malware.

Here's a write-up published in our "Update Bulletin 2.06, 1992":

WinVir - a true alarm

F-Secure has analysed the first Windows-specific computer virus. It recognizes Windows NE files and uses direct action methods against Windows applications. The virus does not infect normal DOS applications. The virus sample was received from Sweden. The exact origin of the virus is not known.

The results of preliminary analysis are as follows:

  • The virus infects only Windows EXE files
  • The strings 'Virus_for_Windows v1.4' and 'MK92' are embedded in the code
  • The virus infects only Windows applications. The infections are generated at the moment of executing an infected application.
  • As a result of the infection mechanisms used by the virus an infected file does not start with first double click but only with the second. The virus does not constitute a major threat to Windows users. It is not a very efficient infector and does not try to harm data.

The infection procedure:

1. The virus is activated when an infected application is executed.
2. The virus searches for a file suitable for infection from the default directory using MS-DOS INT 21h, AX=4E, 4F services.
3. If no targets can be found, the execution is finished with the call INT 21h, AX=4C00. The actual Windows application is not
4. If targets are found, they are opened one by one and the time stamps saved in memory.
5. The MZ and NE headers are checked.
6. Several values are checked from the NE header.
7. The virus code is added in the middle of the application.
8. The replaced code is moved to the end of the application.
9. The CS:IP from the NE header is changed to point to the beginning of the viral code.
10. The virus deletes its code from the original file and rebuilds it to a functional state.
11. The execution is finished.

Other observations:

  • After the virus code is executed, the original application is not executed. This will seem like a failed double click. As the virus rebuilds the original file if it manages to infect a new file, the next attempt to execute the original application is successful.
  • The infected files grow by 854 bytes.
  • The infection does not change the time stamp of the target application file.
  • The virus is not encrypted or protected in any way.
  • No activation routines could be found.
  • The name of the infector application and the name of the infected file are saved in the virus code.
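The header checks in steps 5, 6 and 9 of the procedure, together with the observations that the file grows by 854 bytes and that the time stamp is left untouched, translate directly into a content-based integrity check: a timestamp-only comparison misses this infector, but comparing the NE entry point and the file size against a known-good copy does not. The Python below is an added example written for this page, not code from the bulletin or from F-Secure. It parses the MZ stub and the NE header at the documented offsets (e_lfanew at 0x3C; ne_csip at 0x14, ne_cseg at 0x1C, ne_segtab at 0x22 and ne_align at 0x32 within the NE header) and compares a candidate file against a baseline. The two NE images it inspects are constructed, non-runnable test data: a stub of NOPs, and a copy whose header entry point was redirected and which carries 854 bytes of padding containing the marker strings the bulletin lists.

```python
import struct

# Marker strings the bulletin reports as embedded in WinVir's code.
MARKER_STRINGS = (b"Virus_for_Windows v1.4", b"MK92")


def parse_ne(data: bytes) -> dict:
    """Parse the MZ stub and NE ("New Executable") header of a 16-bit Windows
    program (the checks of steps 5 and 6 in the write-up) and return the fields
    an integrity check cares about. Raises ValueError for a malformed image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    ne_off = struct.unpack_from("<I", data, 0x3C)[0]       # e_lfanew
    if ne_off + 0x40 > len(data) or data[ne_off:ne_off + 2] != b"NE":
        raise ValueError("no NE header at e_lfanew")
    hdr = data[ne_off:ne_off + 0x40]
    ip, cs = struct.unpack_from("<HH", hdr, 0x14)           # ne_csip: initial IP, then CS
    seg_count = struct.unpack_from("<H", hdr, 0x1C)[0]      # ne_cseg
    seg_table = struct.unpack_from("<H", hdr, 0x22)[0]      # ne_segtab, relative to NE header
    align = struct.unpack_from("<H", hdr, 0x32)[0] or 9     # ne_align: 0 means 512-byte sectors
    segments = []
    for i in range(seg_count):
        entry = ne_off + seg_table + 8 * i
        if entry + 8 > len(data):
            raise ValueError("segment table runs past end of file")
        sector, length, flags, _minalloc = struct.unpack_from("<HHHH", data, entry)
        segments.append({"index": i + 1,                    # CS in the NE header is 1-based
                         "file_offset": sector << align,
                         "length": length or 0x10000,       # 0 means 64 KiB
                         "flags": flags})
    return {"ne_offset": ne_off, "entry_cs": cs, "entry_ip": ip, "segments": segments}


def compare_to_baseline(baseline: bytes, candidate: bytes) -> list:
    """Content-based integrity check. The write-up says the virus rewrites the
    NE CS:IP, grows the file by 854 bytes and leaves the time stamp alone, so
    comparing header fields and size catches what a timestamp check misses."""
    b, c = parse_ne(baseline), parse_ne(candidate)
    findings = []
    if (b["entry_cs"], b["entry_ip"]) != (c["entry_cs"], c["entry_ip"]):
        findings.append("NE entry point changed from %04X:%04X to %04X:%04X"
                        % (b["entry_cs"], b["entry_ip"], c["entry_cs"], c["entry_ip"]))
    growth = len(candidate) - len(baseline)
    if growth:
        findings.append("file grew by %d bytes" % growth)
    for marker in MARKER_STRINGS:
        if marker in candidate:
            findings.append("marker string present: " + marker.decode())
    return findings


def build_ne_image(entry_cs: int, entry_ip: int, code: bytes) -> bytes:
    """Constructed test data (assumption: not a real program): a minimal,
    non-runnable MZ+NE image with a single code segment."""
    NE_OFF, SEG_TABLE, ALIGN = 0x40, 0x40, 4                # 16-byte sectors
    code_off = (NE_OFF + SEG_TABLE + 8 + 15) & ~15          # one 8-byte segment entry, then align
    mz = bytearray(NE_OFF)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, NE_OFF)
    ne = bytearray(0x40)
    ne[:2] = b"NE"
    struct.pack_into("<HH", ne, 0x14, entry_ip, entry_cs)
    struct.pack_into("<H", ne, 0x1C, 1)
    struct.pack_into("<H", ne, 0x22, SEG_TABLE)
    struct.pack_into("<H", ne, 0x32, ALIGN)
    seg = struct.pack("<HHHH", code_off >> ALIGN, len(code), 0, len(code))
    pad = b"\0" * (code_off - (NE_OFF + SEG_TABLE + 8))
    return bytes(mz) + bytes(ne) + seg + pad + code


# Constructed samples: a "clean" stub of NOPs, and a copy whose header entry
# point was redirected and which carries 854 extra bytes holding the marker
# strings. The extra bytes are zero padding, not viral code.
CLEAN_STUB = b"\x90" * 32
MARKER_BLOB = b"Virus_for_Windows v1.4\0MK92\0"
EXTRA = MARKER_BLOB + b"\0" * (854 - len(MARKER_BLOB))
CLEAN_IMAGE = build_ne_image(1, 0x0000, CLEAN_STUB)
MODIFIED_IMAGE = build_ne_image(1, len(CLEAN_STUB), CLEAN_STUB + EXTRA)

if __name__ == "__main__":
    for line in compare_to_baseline(CLEAN_IMAGE, MODIFIED_IMAGE):
        print(line)
```

Running the module prints four findings for the constructed pair: the entry point moving from 0001:0000 to 0001:0020, 854 bytes of growth, and each of the two marker strings. Against itself the clean image produces no findings. The baseline has to come from somewhere the infector cannot reach, such as a hash or header record taken at installation time, precisely because the file's own time stamp is not a usable signal here.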

Wow. A piece of Windows malware which is all of a whopping 854 bytes in size. Times sure have changed.

Signing off,