Computer Viruses: The Infection Spreads to Japan


Computer virus: A program designed to replicate by copying itself
unnoticed into other programs; the effects of a virus may be malicious or
benign. This month, associate editor Steven Myers introduces us to the
world of computer viruses, with a focus on recent viral outbreaks and
countermeasures in Japan.


by Steven Myers

Computer viruses are increasing dramatically in number, strength, and
complexity - hardly a day goes by without discovery of a new strain.
Although viruses have been around for over a decade, there remains a high
degree of misunderstanding among most computer users about how they are
created, how they spread, and the likelihood of being personally affected
by a virus. There is little limit to the damage that virus programs are
capable of causing if allowed to spread undetected. Only common-sense
precautions and specific, effective methods of protection can shield users
from these often-destructive "self-replicating" programs.

Judging from recent media reports, including an eye-opening NHK
television special that aired in January, it is clear that computer users
in Japan can no longer consider themselves immune from virus infections.
As DOS/V (IBM PC-compatible) computers and office networks become
increasingly common in Japan, there has been a sharp rise in the number of
reports of foreign-originated computer virus contaminations. The number of
Japan-made viruses is increasing as well. According to the Information-
Technology Promotion Agency, Japan, there were 1,127 official reports of
destructive viruses in Japan in 1994, with the vast majority of the
victims being corporate users. And in the first months of 1995,
information technology (IT) professionals in Tokyo have reported
encountering various heretofore-unseen viruses on their clients' hard
drives - some of which could not be easily removed.

The numbers of infections reported in 1994 are significant because in
Japan, perhaps even more so than in other countries, the exact magnitude
of the virus threat is difficult to estimate. Companies are reluctant to
report viruses found on their computers for fear of alarming clients or
garnering embarrassing publicity. The problem is further distorted by
sensationalist reports in the Japanese media as well as by the aggressive
marketing campaigns of anti-virus product developers. In spite of the
increased user awareness of viruses, however, it is clear that there has
been a disturbing increase in both virus damage and the total number and
variety of viruses being reported in Japan.

A brief history of viruses in Japan


Unlike many other Asian countries, which have been described as "hotbeds
of virus development," Japan was - until recently - relatively free of
computer viruses. This was due in part to the relatively low amount of
network file-sharing and the low number of MS-DOS computers used in Japan.
While proprietary architectures (such as those used by NEC, Fujitsu, and
other manufacturers) restricted software compatibility, they also offered
a certain degree of built-in protection from the viruses that target IBM
PC-compatible machines. (There were some viruses specific to Japanese PCs,
such as the NEC 9800 series, but these were much less prevalent and
largely nuisances rather than destructive.)

The first official report of malicious software in Japan was an incident
on the PC-VAN online service in June 1988. A trojan horse program,
containing code designed to steal user IDs and passwords, was sent by e-
mail to several users of the PC-VAN network. When the program was run,
part of the code attached itself to the unknowing user's COMMAND.COM file.
The next time the user accessed PC-VAN, the program wrote the user's
encrypted ID and password to an area where they could be read and
decrypted by the perpetrator. After this incident was discovered, NEC
started a special "personal computer security project" to prevent similar
attacks and investigate other forms of destructive software.

The next major incident was in October 1989, when six Macintosh computers
at Tokyo University were found to be infected with the nVIR virus. It
required over a month to eradicate the virus completely.

In 1989, the first report of a Japan-made virus came with the discovery
of the Christmas in Japan virus. This soon spawned several new strains,
including Valentine and Go to School. Following the Halloween virus scare
in October 1992, virus production in Japan began to show a marked
increase. Although most of the Japanese viruses were not as sophisticated
as their overseas counterparts, they nonetheless caused enough damage to
convince Japanese users that viruses were no longer just a "foreign
problem."

The advent of DOS/V computers in 1992 meant that viruses from overseas
began to appear more frequently in Japan. Some of these, such as Yankee
Doodle, Cascade, and Stoned, still show up fairly regularly. Since 1993,
several variations of the FORM virus have been showing up often in Japan
(including on some of Computing Japan's computers - Ed.). While computer
viruses now occur inside Japan with increasing regularity, their incidence
is still quite low compared with that of other Asian countries.

In response to the sharp increase in reports of computer viruses in 1994,
however, Nifty-Serve opened a new FVIRUS forum in December. This forum is
devoted solely to the distribution of information pertaining to viruses in
Japan. According to news bulletins posted on this forum, several new
viruses were reported between November '94 and January '95 (see the
sidebar "A sampling of recent viruses reported in Japan").

Recent Asian developments


Detailed information about viruses written in Japanese is still extremely
hard to come by, in part because the prevalent attitude is that easily
accessible knowledge about how viruses work will encourage Japan's
computer otaku to try to write their own. When a crude shareware "virus-
making kit" was uploaded to one of the large Japanese commercial networks
last year, it was quickly removed by the sysop and turned over to the JCVA
(Japan Computer Virus Association), which then issued stern warnings to
all BBS administrators against allowing the posting of any kind of virus-
related material. Contrast this with the wealth of virus-related
information in English, which (along with the heavily commented source
code and executable files for hundreds of viruses) can be easily found
just by browsing the Internet and monitoring a few Usenet newsgroups.

A representative of McAfee Inc., the well-known maker of anti-virus
products, reports that Asian countries such as China and Taiwan are
extremely active in the production of new viruses. A large number of
recent viruses, for example, appear to have originated at Beijing
University, the University of Manila, and several Taiwanese universities.
According to the McAfee representative, one dramatic difference between
most Asian countries and the Western world is that there is a much higher
probability of finding an Asian-produced virus "in the wild" (outside of a
virus researcher's lab). The spread of these viruses among unsuspecting
Asian users also tends to be faster.

Polymorphic viruses


Some of today's most dangerous viruses are polymorphic (mutating) viruses,
which can take on dozens or even hundreds of different forms. The original
virus-scanning products looked for sequences of bytes called "scan
strings" that were unique to a particular virus. Virus writers countered
this by encrypting their programs, so the scanning programs were changed
to look for the code that decrypts the virus file. A polymorphic virus,
however, is designed to alter its decryption algorithm each time it
replicates (appends itself to a file, boot sector, etc.). This makes it
extremely difficult for virus-scanning products to spot a polymorphic
virus.
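The three generations of scanner described in the paragraph above (fixed scan string, then a search for the decryptor, then dynamic analysis that runs the decryptor and scans what it produces) can be played out in a few dozen lines. The following is an added illustration, not code from the article or from any product it names. The plaintext "body", the four-instruction decryptor language, and the deterministic mutation rules are all assumptions made for this example; the point is how detection counts change, not the toy instruction set.

```python
"""Toy model of the scanner-versus-encryption race.

Everything here is constructed for illustration: the plaintext 'virus body',
the four-instruction decryptor language and the mutation rules are
assumptions for this example, not taken from any real virus or scanner.

Toy decryptor encoding (opcode byte, optional one-byte operand):
  90        NOP        junk that a mutator may insert
  B0 key    SET_KEY    key for the XOR loop
  B9 n      SET_LEN    number of body bytes that follow the decryptor
  E2        XOR_LOOP   decrypt the n bytes after this instruction, then run them
"""
import re

# Constructed plaintext body.  The leading \x00\xFF is chosen so that no
# XOR-encrypted copy can contain the scan string by accident: the key
# cancels out of neighbouring-byte XORs, and 0xFF occurs only at the front.
BODY = b"\x00\xFF" + b"findnextcomappendselffixhostjump"
SCAN_STRING = BODY[:8]                  # what a first-generation scanner looks for
DECRYPTOR_PATTERN = re.compile(rb"\xB0.\xB9.\xE2", re.DOTALL)  # second generation: the decryptor

def mutation(variant: int):
    """Deterministic stand-in for a random mutation engine (so results are checkable)."""
    key = 1 + (variant * 37) % 255      # never 0, so the body is always changed
    swap = variant % 2 == 1             # order of SET_KEY / SET_LEN
    nops = (variant // 2) % 4           # junk NOPs inserted between them
    return key, swap, nops

def encrypted_sample(variant: int) -> bytes:
    """Encrypted but not polymorphic: decryptor bytes are fixed, only the key varies."""
    key, _, _ = mutation(variant)
    return bytes([0xB0, key, 0xB9, len(BODY), 0xE2]) + bytes(b ^ key for b in BODY)

def polymorphic_sample(variant: int) -> bytes:
    """Polymorphic: a different key *and* a different decryptor every generation."""
    key, swap, nops = mutation(variant)
    set_key, set_len = bytes([0xB0, key]), bytes([0xB9, len(BODY)])
    first, second = (set_len, set_key) if swap else (set_key, set_len)
    return first + b"\x90" * nops + second + b"\xE2" + bytes(b ^ key for b in BODY)

def scan_string_match(sample: bytes) -> bool:
    """Generation 1: look for a fixed byte sequence."""
    return SCAN_STRING in sample

def decryptor_pattern_match(sample: bytes) -> bool:
    """Generation 2: look for the decryptor, ignoring its operands."""
    return DECRYPTOR_PATTERN.search(sample) is not None

def emulate_and_scan(sample: bytes, max_steps: int = 32) -> bool:
    """Generation 3: interpret the decryptor, decrypt what it points at, then scan."""
    key = length = None
    pc = 0
    for _ in range(max_steps):
        if pc >= len(sample):
            return False                # ran off the end before any XOR_LOOP
        op = sample[pc]
        if op == 0x90:
            pc += 1
        elif op == 0xB0 and pc + 1 < len(sample):
            key, pc = sample[pc + 1], pc + 2
        elif op == 0xB9 and pc + 1 < len(sample):
            length, pc = sample[pc + 1], pc + 2
        elif op == 0xE2 and key is not None and length is not None:
            decrypted = bytes(b ^ key for b in sample[pc + 1:pc + 1 + length])
            return SCAN_STRING in decrypted
        else:
            return False                # not a decryptor this emulator can follow
    return False                        # step limit hit: a real emulator must give up too

def detection_counts(samples):
    """How many of the given samples each technique catches."""
    return {
        "scan_string": sum(scan_string_match(s) for s in samples),
        "decryptor_pattern": sum(decryptor_pattern_match(s) for s in samples),
        "emulation": sum(emulate_and_scan(s) for s in samples),
    }

if __name__ == "__main__":
    plain = [encrypted_sample(v) for v in range(16)]
    poly = [polymorphic_sample(v) for v in range(16)]
    print("encrypted only:", detection_counts(plain))   # scan string 0, decryptor 16, emulation 16
    print("polymorphic:   ", detection_counts(poly))    # scan string 0, decryptor 2, emulation 16
```

Two things carry over to real scanners. First, the decryptor search still catches a few polymorphic generations (here the two variants whose mutation happened to leave the decryptor in its original shape), which is why a scanner that "sometimes" finds a polymorphic virus is not evidence that it handles the family. Second, the emulator needs a step limit and a rule for unknown opcodes; a real decryptor can loop for a long time or mix in instructions the emulator does not model, and the scanner must decide when to stop. A plaintext body with no decryptor in front is caught by the static scan string, so a real product runs both checks on every file.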

One polymorphic virus that appeared in Japan recently has been dubbed the
Anti-CMOS virus. It reportedly escapes detection by the Norton, Central
Point, and Microsoft scanners - it is caught only by the very latest
version of McAfee scanning software. Furthermore, the farther this virus
spreads, the more difficult it becomes to remove, because it rewrites and
encrypts itself with each replication. It is unclear at this point
precisely what kind of damage the virus is intended to wreak. The source
of this virus is also unknown, though in February the Daily Yomiuri ran an
article claiming that the Chinese government has accused United States
agents of deliberately planting polymorphic viruses that resemble
Anti-CMOS on Chinese computers in retaliation for Chinese software piracy.


The war against viruses


With the recent torrent of destructive viruses infecting computers all
over the world, many people have come to view the virus problem as a
battle - one in which users must defend their computers against the viral
enemy. The real war, however, appears to be taking place between the
virus writers and the anti-virus product industry. According to virus
researcher David Stang, the results of this war are clear: the virus
writers "have won, and will continue to win, the battles. The virus
writers will also win the war, although their viruses will lose some of
the battles with anti-virus software." Stang cites as reasons for his view
the huge number of skilled virus authors, coupled with their zealous
motivation and close cooperation. He compares that with the anti-virus
authors, who work in isolation, always on the defensive, and in tough
competition with one another.

The only clear loser in this war is the user. It is essential that users
learn more about how viruses work, and how to prevent their spread.
Scanning products have several drawbacks - the process can be slow,
time-consuming, and unreliable - but they are helpful in detecting the more
common viruses. Among IT professionals in Japan, the anti-virus product of
choice appears to be McAfee's VirusScan, which has been able to detect and
remove most of the prevalent viruses here. (DOS/V users should be sure to
run anti-virus software with the system switched to Japanese mode.
Otherwise, files with kanji or kana file names will be skipped or could
cause the system to hang.) While scanners and other anti-virus products
can help in certain situations, these products alone do not offer much in
the way of a long-term solution to the virus threat.

The chance of virus infection can be greatly reduced (especially in a
large office) by simply following some "good sense" measures. Be careful
not to boot from floppy disks that have been used in other computers. It
is also important to remove floppy disks from their drives after
finishing, and to write-protect disks before using them with another
computer.

Frederick Cohen, a leading authority on computer viruses, has proposed in
several of his books and papers a wide variety of both technical and non-
technical virus defenses that can be applied at both the individual and
corporate level to protect users from viruses. Stang, on the other hand,
is one of a growing number of researchers who believe that the best way to
deal with the virus problem is to employ AI (artificial intelligence)
techniques, such as behavior blocking, in which program code is
dynamically analyzed and checked for suspicious behavior before being
allowed to run.

Can there be a "good" virus?


If computer viruses are viewed from a strictly business perspective, it is
hard to see them as anything more than destructive nuisances to be
eradicated as quickly as possible. In recent years, however, many
programmers and research scientists have begun to look at viruses in a
different light: trying to find new and constructive applications of the
techniques used in virus-making. Certainly, any assembly-language
programmer who has ever analyzed the source code of a well-written virus
can appreciate the technical complexity involved in creating such a
program.

Cohen has suggested that computer viruses can actually be considered
living organisms in the information environment. They could be used for
countless constructive purposes, he notes, including file compression and
distributed database management. Mark Ludwig, publisher of the Computer
Virus Developments Quarterly newsletter, has taken the idea one step
further by creating a programming utility called the Darwinian Genetic
Mutation Engine, which gives any DOS virus the ability to evolve
"genetically" and "swap genes" with other viruses.

In Japan, Tom Ray, a visiting scholar at Kyoto's Advanced
Telecommunications Research Institute, has been breeding viruses - with
the full support of his employers and the financial backing of several
large corporations. Ray hopes to eventually turn the Internet into a
jungle of self-replicating programs, or "organisms," as he calls them. His
project, called Tierra, has spawned many non-destructive viruses that have
the ability to improve the efficiency of their own code upon replicating.
This is a development that has practical implications in the area of
software optimization.

Viruses are here to stay


Regardless of how computer viruses are perceived, they are undeniably here
to stay. Although most common viruses do little damage, it is imperative
that measures be taken by users to guard against infection. The JCVA has
requested that companies report all viruses found, so that up-to-date
information can be maintained on their BBS, which is available to all
users (see the "For more information" sidebar for the BBS number). Taking
a little time to learn more about viruses and following safe, "good-sense"
computing practices can go a long way toward preventing the spread of
destructive viruses.

Types of viruses


Viruses are commonly classified according to whether they infect files or
the boot sectors of disks.

A boot-sector virus infects the boot area of a disk, so that the virus
gets loaded into memory ahead of other programs. Once in memory, the virus
can attack the master boot record of the hard disk as well as any floppy
disks that are accessed.

File infectors attach themselves to executable files, usually COM or EXE
files (although OVL overlay files, Windows DLL files, and SYS device
drivers can also be infected).

A multipartite virus is a relatively new virus type that infects both
files and boot areas.

A polymorphic virus takes on a different form every time it replicates,
making detection by scanning products difficult.

Stealth viruses employ various methods to escape detection, such as not
showing an increase in the size of an infected file or avoiding being
listed as a TSR when the user types MEM.

A trojan horse is a file that appears to be a useful program but is
actually destructive. Such programs are also frequently used as host files
for viruses, which cannot run on their own.

A sampling of recent viruses reported in Japan


B1 (reported 11/94 in the Kanto area)
Infects the hard disk boot record and floppy disk boot sector (MS-DOS).

Jan. 800 (reported 12/94 in the Kanto area)
A file-infecting virus that goes after EXE and COM files. When an
infected file is run or copied, other files on the current drive are
destroyed (MS-DOS).

Ripper (reported 12/94 in the Chubu area)
A boot sector virus; goes memory-resident upon boot-up from an infected
disk. It infects hard disk and floppies; destroys data when user tries to
write to a disk (MS-DOS).

Cvex3 (reported 12/94 in the Chubu area)
A file-infecting virus; destroys all infected EXE and COM files (MS-
DOS).

Floss (reported 12/94 in the Kanto area)
A boot sector virus. After being loaded into memory, the virus infects
the hard disk master boot record and floppy disk boot sector; causes
system to write to the wrong area of the disk, overwriting any files
stored in that area (MS-DOS).

Junkie (reported 1/95 in the Kanto area)
A multipartite virus that infects the hard disk master boot record,
floppy disk boot sector, and COM files. Displays the following message:

DrW-3
Dr White - Sweden 1994
Junkie Virus - Written in Malmo...M01D
This virus is still being examined, and the exact extent of any
additional damage caused is unclear.

A simple virus infection example


To better understand how a virus spreads, let's take a look at a very
simple example of a virus that infects COM files on the current drive.
Suppose that you have a floppy disk containing three COM files:
EXAMPLE.COM, NEXT.COM, and LAST.COM. The virus attaches to a host program
because it cannot stand on its own. On our sample disk, EXAMPLE.COM is an
infected file that serves as a host for the virus (step 1).

In order to run, the virus must take control from the host program. This
is easiest to do at the start of program execution. The virus replaces the
first few bytes of the host program with an instruction to jump to the end
of the host file, where the instructions of the virus program begin. In
this example, the size of EXAMPLE.COM is 0FFFH (about 4K). The first three
bytes of the infected file (a near jmp is one opcode byte plus a two-byte
displacement) form a "jmp 1000" instruction that moves control to the
beginning of the virus. The first bytes of the original host file
are saved; these will be put back when the virus finishes in order for the
host program to execute successfully. (Note that initially this must all
be prepared ahead of time by the virus author. Here, we've assumed for the
sake of simplicity that the first bytes of all three COM files on the disk
are the same, an instruction called "start.")

When the user types "A:\>EXAMPLE" the machine code for both the host
EXAMPLE.COM file and the virus code are loaded into memory, as shown in
step 2. The PSP (Program Segment Prefix) is a 256-byte (100H) block of
memory that DOS builds in front of the program and that stores information
about the COM file. Actual program execution begins at offset 100H,
immediately after the PSP (this is the offset from the beginning of the
64K segment of memory that the COM file is loaded into, so a byte at
offset N in the file sits at offset 100H + N in memory). In the diagram,
the arrow points to the memory location where execution begins (that is,
where the CPU fetches the first instruction from). After the bytes of the
first instruction (jmp 1000) are processed, the arrow moves to the start
of the appended virus code (location 51100H in the diagram) and processing
of the virus instructions starts.

Once running, the virus searches the directory for other COM files. To do
this, the virus writer would have included an assembly-language routine
(viruses are written almost exclusively in assembly language) that walks
the directory entries, typically by calling the DOS find-first and
find-next services (INT 21H functions 4EH and 4FH) with a pattern such as
*.COM. (The FAT, or File Allocation Table, records which clusters on the
disk belong to each file; the file names themselves live in the directory
entries.) If an uninfected COM file is found, the virus infects it by
taking out and saving the first few bytes of the file, replacing these
bytes with a jump to the end of the COM file, and then writing its own
code to the end of the file. This is shown in step 3. Note that after all
other files have been infected, the virus could do something destructive,
such as erasing files on the disk.

Finally, the virus takes the first bytes of the original COM file host
(the "start" instruction), puts them back in their original place, and
then jumps to this location so that the host file can execute properly
(step 4). If the virus did not do anything in step 3 to make itself
noticed (such as displaying a message), the user is likely to be unaware
that other files have been infected.
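The same layout the four steps above describe (a jmp at the entry point, the original first bytes saved somewhere, the virus body appended) is exactly what a scanner and disinfector for this kind of virus work from. The following Python is an added example, not code from the article: it recognizes an appended-COM infection from its structure, confirms it with a scan string, and restores the host. Where a real virus keeps the bytes it saved is not stated in the text, so this example assumes they sit at the start of the appended body, and it uses a constructed host program, a constructed marker string, and a hand-assembled infected image rather than any real virus. Offsets are written the way the article writes them: file offset 0 is load address 100H, right after the PSP.

```python
"""Scanner and disinfector for the appended-COM pattern described above.

Assumed layout (constructed for this example; the article does not say
where a real virus keeps the bytes it saved):
  file offset 0       E9 lo hi       JMP rel16 to the appended body
  file offset 3..N-1  the rest of the original host, untouched
  file offset N       the 3 original host bytes the virus overwrote
  file offset N+3     the virus code, which begins with a marker string
A COM file is loaded whole at offset 100H of its segment, right after the
256-byte (100H) PSP, so file offset X sits at load address 100H + X.
"""

PSP_SIZE = 0x100                 # 256 bytes: the block DOS builds in front of the program
COM_LOAD_OFFSET = PSP_SIZE       # execution starts here, at file offset 0
SAVED_BYTES = 3                  # size of a near JMP: opcode plus 16-bit displacement
VIRUS_MARKER = b"EXAMPLE-VIRUS"  # constructed scan string for the sample virus

def jump_target(image: bytes):
    """File offset a JMP rel16 at the entry point lands on, or None if no JMP there."""
    if len(image) < 3 or image[0] != 0xE9:
        return None
    rel = int.from_bytes(image[1:3], "little", signed=True)
    return 3 + rel               # the displacement is relative to the byte after the JMP

def load_address(file_offset: int) -> int:
    """Where a file byte ends up in memory, ignoring the segment."""
    return COM_LOAD_OFFSET + file_offset

def looks_appended(image: bytes) -> bool:
    """Structural heuristic: the very first instruction jumps into the tail of the file."""
    target = jump_target(image)
    if target is None or not (3 <= target < len(image)):
        return False             # no JMP, or a JMP that leaves the file (corrupt)
    return target >= len(image) // 2   # 'tail' = second half; a real scanner tunes this

def find_infection(image: bytes):
    """Offset of the appended body if the sample virus is present, else None."""
    target = jump_target(image)
    if target is None or not looks_appended(image):
        return None
    body = image[target:]
    if body[SAVED_BYTES:SAVED_BYTES + len(VIRUS_MARKER)] != VIRUS_MARKER:
        return None              # jumps into the tail, but it is not the virus we know
    return target

def disinfect(image: bytes) -> bytes:
    """Put the saved bytes back and cut the body off; returns the image unchanged if clean."""
    target = find_infection(image)
    if target is None:
        return image
    saved = image[target:target + SAVED_BYTES]
    return saved + image[SAVED_BYTES:target]

# Constructed clean host: "start" is MOV AX,4C00H / INT 21H (exit to DOS),
# padded with NOPs to 32 bytes.
CLEAN_HOST = b"\xB8\x00\x4C\xCD\x21" + b"\x90" * 27

# Hand-assembled image of the same host after the infection described in the text.
SAMPLE_INFECTED = (
    b"\xE9\x1D\x00"                  # JMP +1DH: lands at file offset 20H (load address 120H)
    + b"\xCD\x21" + b"\x90" * 27     # bytes 3..31 of the host, untouched
    + b"\xB8\x00\x4C"                # the three host bytes the virus saved
    + VIRUS_MARKER + b"\xC3"         # the appended body: marker plus filler
)

# A clean program whose own first instruction is a short JMP over a data area
# (common in real COM files); the heuristic must not flag it.
CLEAN_WITH_JMP = b"\xE9\x10\x00" + b"\x00" * 16 + CLEAN_HOST[:5] + b"\x90" * 20

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_HOST), ("clean+jmp", CLEAN_WITH_JMP),
                      ("infected", SAMPLE_INFECTED)):
        t = jump_target(img)
        where = "none" if t is None else "%04XH" % load_address(t)
        verdict = "INFECTED" if find_infection(img) is not None else "clean"
        print(f"{name:10} entry jmp -> {where:6} {verdict}")
    print("disinfected equals original:", disinfect(SAMPLE_INFECTED) == CLEAN_HOST)
```

The structural check alone is only a hint: many legitimate COM programs begin with a jump, so the scanner confirms with a marker before it touches the file, and a jump that lands outside the file is treated as corruption rather than infection. Disinfection is only as good as the assumption about where the saved bytes are; a real cleaner is written per virus family after that layout has been worked out from a sample.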

For more information


Viruses in Japan (Information is in Japanese)

Watanabe, Akira. Computer Virus Encyclopedia. Ohmsha, Tokyo; 1993.
Information-Technology Promotion Agency (Joho Shori Shinko Jigyo
Kyokai); phone 03-3433-4844.

Japan Computer Virus Association; phone 03-3493-9623

Information-Technology Promotion Agency BBS: 03-3459-8944 (latest
information concerning the number and type of viruses reported in Japan)

Japan Computer Virus Association BBS: 03-5996-2400 (virus forum and
FAQ)

Nifty-Serve: 03-5471-5806 (access FVIRUS, a forum devoted to computer
viruses in Japan)

Viruses in general


The following books all provide a good general overview of computer
viruses and virus protection methods:

Cohen, Fred. A Short Course on Computer Viruses, 2nd Edition. John Wiley
and Sons, New York, 1994.

Ferbrache, David. A Pathology of Computer Viruses. Springer-Verlag,
London, 1992.

Hruska, Jan. Computer Viruses and Anti-Virus Warfare. Ellis Horwood,
West Sussex, England, 1992.

Kane, Pamela. PC Security and Virus Protection. M&T Books, New York,
1994.

Minasi, et al. Inside MS-DOS 6.22. New Riders Publishing, Indianapolis,
1994.

Slade, Robert. Robert Slade's Guide to Computer Viruses. Springer-
Verlag, London, 1994.

Those wanting to study computer viruses in more depth might find the
following two books of interest. They are banned from numerous bookstores
and condemned by many in the mainstream PC community because both of these
books contain virus source code along with meticulously detailed
explanations.

Ludwig, Mark. The Little Black Book of Computer Viruses. American Eagle
Publications, Inc., Tucson, Arizona, 1991.

Ludwig, Mark. Computer Viruses, Artificial Life, and Evolution. American
Eagle Publications, Inc., Tucson, Arizona, 1993.

Also of interest


Usenet Newsgroups: alt.comp.virus, comp.virus

Anonymous FTP sites: ftp.netcom.com (/pub/br/bradleym,
/pub/fi/filbert); oak.oakland.edu; aql.gatech.edu (/pub/virii);
wuarchive.wustl.edu; archive.rst.edu; tierra.slhs.udel.edu
(/tierra/tierra.tar.Z)

Newsletters: Computer Virus Developments Quarterly (American Eagle
Publications, Tucson, Arizona); 40Hex (can be downloaded from
ftp.netcom.com, /pub/br/bradleym)