
The Violator Virus - Burger’s Continuing Legacy

Edward Wilding
Virus Bulletin, April 1991, pp. 22-23
ISSN 0956-9979
April 1991


The technical competence of virus writers varies considerably, from abysmally poor to reasonably proficient, but this is not usually a consideration which affects the actual functioning of virus code (apart, of course, from programming bugs).

Over a period of time, a researcher will develop a “feel” for the style and structure of particular viruses and may even be able to link apparently dissimilar programs and reasonably ascribe them to the same original author. Such stylistic analyses have little value to computer users but they may become extremely useful as computer misuse legislation is adopted worldwide and law enforcement agencies begin to home in on the criminals responsible for the problem.

One of the most obvious links discovered to date concerns the origins of the Violator virus and it highlights the undoubted advantages of detailed disassembly of virus code over the faster (but less effective) sparse analysis technique. Before examining the conclusions of a stylistic analysis, I will first describe Violator.

Brief Description

This is a non-resident virus which infects only COM files of between 10 and 64000 bytes. Infection takes place on a ‘oneshot’ basis (i.e. one file is infected each time the virus is executed). Files in the current directory are attacked first and when they are all infected, the search continues by accessing files within directories listed in the system PATH setting. A date controlled destructive trigger routine is incorporated and described below. The code is not encrypted and responds readily to automatic disassembly.

Operation

From the initial jump instruction at the head of the host COM file, the virus first collects an offset value which is subsequently used throughout the code to address various data items. This value is modified during the infection routine to reflect the length of the new host file. Once this offset has been collected, it is used to access the original three bytes of the host header and these are replaced at the top of the file.

A check is then made on the current DOS version and processing returns to the host program if this is earlier than version 2.00. If the DOS version is acceptable, the virus sets up its own Disk Transfer Area and then checks the current setting of the system date to see whether the trigger routine should be executed.

The code to check the date is extremely clumsy but the criteria are as follows:

If the date is before 15th August 1990 then the trigger is not executed. If the month is January to July (inclusive - any year) the trigger is not executed. If the date is the 1st to the 14th (inclusive - any month) the trigger is not executed. This selection of dates for the trigger routine does not affect the infection routines which are processed every time the code is executed. Once the trigger routine has run, processing continues with the normal infection routines.

Trigger

The trigger routine consists of a small loop which uses the BIOS INT 13H call to attempt to format the first track of all floppy drives from A to Z. This will obviously destroy the boot sector of any unprotected floppy disks in those drives. The virus does not install a special critical error handler and no check is made for error conditions. This means that unless there is a write-enabled disk in every floppy drive, the DOS error handler will report either “Sector not found” or “Drive not ready” errors to the screen. No attempt is made to initialise the format instruction correctly.

Infection

The infection routine begins by accessing the Environment Segment belonging to the host program and searching for the “PATH=” command. Once this is found, its position is stored for later use.

A search mask of “*.COM” is then used with a call to Function 4EH of INT 21H to find the first matching file. Attributes are set to include System and Read Only files. Once a file is found, the time field is checked for a value of 1FH (31 = 62 seconds) in the seconds field. If this is found, the file is assumed to be infected and the search continues with a Function 4FH (Find Next) call. If no matching (uninfected) file is found in the current directory, processing collects the first parameter in the “PATH=” statement and continues the search there. This process continues until all of the directories (delimited with a semi-colon) noted in the path statement have been searched.

Once a suitable file is found, the usual processes of collecting and storing the attributes and the date/time field are executed and the file is then opened for write access. Files which were set to Read Only access are still at risk since the virus resets these temporarily during infection to allow write privileges.

The next phase collects the first three bytes of the new host and stores them within the virus code. The 1055 bytes of the virus code are then written to the end of the host file and a new offset is calculated for the initial jump. The new jump instruction is written to the beginning of the file and the file date and time field is restored to its original value but with the seconds field set to 1FH (62 seconds). The file is then closed and the attributes restored to their original value before the virus passes control back to the original host program. A recognition pattern for Violator has already been published (VB, January 1991) and this analysis has confirmed this string as accurate and effective.
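The date criteria and the 62-second timestamp marker described above lend themselves to a small defensive check. The following is an added example written for this page, not code from the article, from Virus Bulletin or from the virus itself. The DOS packed-time layout it decodes is the standard FAT format; the assumption that the head-of-file jump is a three-byte near JMP (E9 rel16) whose target is the start of the appended 1055-byte body is mine, inferred from the "three bytes" the article mentions, and the sample files are constructed filler rather than real infected code.

```python
"""Defensive indicators for a Violator-style COM infector (constructed example)."""
import struct
from datetime import date
from typing import List, Tuple

VIRUS_LEN = 1055                          # bytes the virus appends to its host (from the article)
MARKER_SECONDS_FIELD = 0x1F               # seconds/2 field of 31, i.e. "62 seconds" (from the article)
MIN_HOST_LEN, MAX_HOST_LEN = 10, 64000    # size range the virus will infect (from the article)


def decode_dos_time(word: int) -> Tuple[int, int, int]:
    """Unpack a 16-bit DOS/FAT time word into (hour, minute, seconds_field).

    Standard FAT layout: bits 11-15 hour, bits 5-10 minute, bits 0-4 seconds/2.
    The seconds field is returned raw (0-31); a genuine timestamp never exceeds 29.
    """
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, word & 0x1F


def has_infection_marker(word: int) -> bool:
    """True when the seconds field carries the 1FH value the virus uses
    to mark a file as already infected."""
    return decode_dos_time(word)[2] == MARKER_SECONDS_FIELD


def trigger_armed(year: int, month: int, day: int) -> bool:
    """Apply the three date criteria from the article; all must pass."""
    d = date(year, month, day)
    if d < date(1990, 8, 15):       # before 15th August 1990: no trigger
        return False
    if d.month <= 7:                # January to July, any year: no trigger
        return False
    if d.day <= 14:                 # 1st to 14th, any month: no trigger
        return False
    return True


def jump_targets_appended_body(data: bytes) -> bool:
    """ASSUMPTION (not stated in the article): the head-of-file jump is a
    three-byte near JMP (E9 rel16) aimed at the start of the appended body.
    A COM image loads at offset 100H, so rel16 == body_offset - 3."""
    if len(data) < 3 or data[0] != 0xE9:
        return False
    rel16 = struct.unpack_from("<H", data, 1)[0]
    body_offset = len(data) - VIRUS_LEN
    return body_offset >= MIN_HOST_LEN and rel16 == ((body_offset - 3) & 0xFFFF)


def eligible_host(size: int) -> bool:
    """Files the virus would consider infecting: COM files of 10 to 64000 bytes."""
    return MIN_HOST_LEN <= size <= MAX_HOST_LEN


def assess(name: str, data: bytes, dos_time_word: int) -> List[str]:
    """Return the Violator-style indicators present in one file."""
    findings: List[str] = []
    if not name.upper().endswith(".COM"):
        return findings             # only COM files are attacked
    if has_infection_marker(dos_time_word):
        findings.append("timestamp seconds field is 1FH (62 seconds) infection marker")
    if jump_targets_appended_body(data):
        findings.append("head-of-file jump points at a %d-byte appended body" % VIRUS_LEN)
    return findings


# Constructed sample files (filler bytes, not real virus code).
CLEAN_COM = bytes([0xB8, 0x00, 0x4C, 0xCD, 0x21]) + b"\x90" * 295      # 300-byte host
INFECTED_COM = (b"\xE9" + struct.pack("<H", len(CLEAN_COM) - 3)        # jump over the host
                + CLEAN_COM[3:] + b"\x00" * VIRUS_LEN)                 # host tail + appended body
CLEAN_TIME = 0x5C10      # 11:32:32 (seconds field 16)
MARKED_TIME = 0x5C1F     # 11:32 with seconds field 1FH

if __name__ == "__main__":
    for label, blob, t in (("clean", CLEAN_COM, CLEAN_TIME), ("marked", INFECTED_COM, MARKED_TIME)):
        print(label, assess("GAME.COM", blob, t) or ["no indicators"])
    print("trigger armed on 1990-08-15:", trigger_armed(1990, 8, 15))
```

The timestamp marker is the cheapest indicator to sweep for, since a seconds field above 29 cannot be produced by DOS itself; the jump check is only a consistency test under the stated assumption, so a published recognition pattern (VB, January 1991) remains the authoritative identification.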

The Washburn-Burger Connection

The operations described above are unremarkable and are similar to those found in most parasitic viruses. What is interesting is when a stylistic analysis is conducted and considerable similarity is revealed between large sections of the code in the Violator, Casper and V1 viruses.

Casper is a ‘hacked’ development of the 1260 virus (V2P1) written by Mark Washburn in the U.S. and V1 is listed in Ralf Burger’s book Computer Viruses - A High Tech Disease (VB, October 1989, p.19) as a version of the Vienna virus.

There is no equivocation in this comparison; the similarities are numerous (even to the duplication of NOP instructions and bugs). The temptation to speculate upon the original derivation of Violator is irresistible:

Given three viruses from (apparently) three different sources, the first question is which came first. In this case there is no doubt that the original Vienna virus was first since it is a disassembly of this which appears as the V1 listing in Burger’s book. The book was originally published in Germany in 1987 (the English translation appeared around a year later), so we can place Vienna at pre-1987.

Dating the other two is less easy. File dates are not reliable since they can be changed so easily, but in this case there are other indications concerning the original dates of Casper and Violator. The earliest report that I can find concerning Violator appears in the Patricia Hoffman listing from the United States, dated November 1990. The Hoffman listing is a first class initiative and it deserves success. Unfortunately it seems to be plagued with many inaccuracies in the virus reports which add to the confusion concerning exactly how particular viruses operate. In this case for example, Violator is reported as follows:

When a program infected by the Violator virus is executed, what happens depends on what the system date is set to. If the date is prior to August 15, 1990, the virus will infect 1 .COM file located in the current directory, adding 1,055 bytes to the program. If the date is August 15, 1990 or after, the virus will not affect any files.

This is plainly at variance with my observation of the current sample which is infective regardless of the date and triggers as described above. However, the reported text strings and other details match exactly and do seem to indicate that we are referring to the same virus. The same entry reports that: “The Violator virus was submitted in August, 1990 by an anonymous user of the HomeBase BBS”. This places Violator no later than August 1990 so we only need to date Casper to complete the timescale. The source listing of Casper (which includes Washburn’s name and address) contains the message “Copyright (C) Mark Washburn, 1990. All Rights Reserved”. Assuming that this ‘copyright’ message is correct, this enables us to date Casper to 1990, but the exact month of its development is unknown.

Unfortunately, it is impossible to draw absolutely firm conclusions from the above speculation but the alternatives are interesting in themselves. Violator and Casper could both have been written by the same hand or both could have been copied from the Burger book, but independently.

It is also possible that sections of Violator could have been copied from Casper (and, less likely, vice versa). It should be remembered that source code for the Casper virus has been widely distributed. The presence of certain incorrect checks and the position of some of the NOP instructions leads me to suspect that Violator was probably copied from the Burger book, as was Casper. The impression gained during disassembly of Violator is that it was written by someone with virtually no knowledge of PCs who had access to some virus source code and a rather poor reference book to DOS. It is impossible to determine whether the same author was involved in both cases, even though Violator contains text claiming “Copyright (c) 1990 RABID!” and Washburn has certainly demonstrated his desire to corner the ‘market’ through claiming copyright.

More importantly, this examination highlights once again the fact that virus source code is immensely more dangerous than its assembled equivalent because source code will continue to spawn modified strains. Burger’s publication of source code to the Vienna virus has spawned more viruses and variants than any other single action. Washburn’s V2P1, V2P2 and V2P6 are all based on the Burger listing. (Even disregarding his public dissemination of virus code, the existence of the destructive Casper virus which is derived from 1260, has served to discredit Washburn as a responsible researcher.) Ultimately Violator, which is clearly related to the V1 source code, is another damning indictment of Burger.

Technical Editor’s comment: Analysis of the Casper virus assembly listing indicates that it is not developed from a disassembly of the V2P1 executable, as Washburn claims (see page 20). Rather it is created by modifying the virus’ source code, which indicates that V2P1 (1260) source code is in circulation.

It is my opinion that Casper and Violator were developed independently but that they share a common ancestor; namely the original Vienna virus. It is unlikely that the author of Violator had access to Casper (or V2P1) as Violator contains none of the special code which makes V2P1 different to Burger’s published Vienna variant, V1. It is equally unlikely that the author of Casper had access to Violator as its code contains none of the mistakes found in the latter virus.

There is one seemingly indisputable connection - Washburn used Burger’s published source code to create his V2P1 (1260) virus and the source code to 1260 is now in circulation. The publication and/or distribution of source code represent a greater threat than the distribution of binary virus code and are acts of gross irresponsibility.
