Two serious cases (PC)

Skip to first unread message

Fridrik Skulason

Dec 27, 1989, 7:47:52 AM12/27/89
Most virus researchers exchange/distribute viruses only on a strict
need-to-know basis, in order to limit the spread of viruses. However, this
does not work as well as intended. There are now two known cases where
untrustworthy people seem to have obtained viruses from researchers.

Case #1: Icelandic-1/Saratoga

I discovered the Icelandic-1 virus here in Iceland in June this year.
When I had disassembled it, I sent a disassembly of an infected file
to several experts in the USA, UK and Israel, including the HomeBase
folks (McAfee). Before I sent out the disassembly, I made one small
change to it. This change had no effect on the operation of the virus,
but it would make it possible to determine if a copy of this virus found
outside of Iceland was based on my disassembly or not.

Looking back, I can see that this was not a very good idea, simply
because there was a possibility that somebody might select an invalid
identification string, based on this disassembly. So, those of you having
a copy of my disassembly, please contact me if you want to correct it.
This change was also (by accident) included in the Icelandic-2
disassembly, since I used the Icelandic-1 disassembly as a basis for

Now - back to the Icelandic-1 virus.

Three days after the virus was made available on the HomeBase bulletin
board, in a restricted area that only a few people had access to, a new
virus was discovered in Saratoga and uploaded to the HomeBase BBS. Some
people thought for a while that Saratoga was an older variant of
Icelandic-1, because it was at first said to have been found "a few
months earlier", but this turned out to be a misunderstanding.

Saratoga was just a minor variant of Icelandic-1, but the change I made
was present in the virus, so it was obviously based on my disassembly.
When Saratoga was found, I had only sent Icelandic-1 to three or four
persons in the US - and, as far a I know, it had only been made available
to other persons in one place (HomeBase). They believe that the person
responsible for the creating "Saratoga" has now been found, and his
access to the restricted area has been terminated.

Case #2: Dbase

The dBase virus was discovered by Ross Greenberg. It seems to have been
planted at only a single site, because no other reports appeared for
several months. Recently Ross made the virus available to a number of
virus researchers. Within two weeks the first infection reports had
started to arrive - the virus had escaped.

We know that at least some of the reported infections were based on the
copy from Ross, because he made one small change to the virus, before it
was distributed. One instruction was overwritten by two "harmless"
instructions, in order to disable the most harmful effect of the virus -
the disk trashing part. This change is also present in some of the
infected files that have been found recently. (In other cases the
original instruction is present)

As I said before, I do not consider it a very good idea to make changes to
viruses, but it paid off in the two cases described above. Who knows how
many other cases of virus infections are (indirectly) the result of virus
collection/distribution by virus experts.

At least it is certain that we have to be a lot more careful in the future.

- -frisk

Reply all
Reply to author
0 new messages