__________________________________________________________________________
               The Computer Incident Advisory Capability
__________________________________________________________________________

                         Information Bulletin

                  Satan Bug Virus on MS-DOS computers

September 4, 1993 1000 PDT                                      Number D-22
__________________________________________________________________________

NAME:       Satan Bug virus
PLATFORM:   MS-DOS/PC-DOS Computers
TYPE:       Memory resident, polymorphic, encrypted
DAMAGE:     Infects .COM, .EXE, .SYS, and .OVL files.  Damages infected
            files, makes LANs inaccessible by damaging the LAN drivers.
SYMPTOMS:   Files grow at each infection, file dates change, files on LAN
            file servers become inaccessible.
DETECTION:  DataPhysician Plus 4.0B, Scan V106, Norton AntiVirus 2.1 with
            August 1993 virus definitions.
__________________________________________________________________________

Critical Facts about the Satan Bug Virus

CIAC has been alerted that the Satan Bug virus, a new virus previously
thought to be contained, has been located at multiple sites in the "wild."
The Satan Bug virus is an encrypted, polymorphic virus that infects all
.COM, .EXE, .SYS, and .OVL files on MS-DOS/PC-DOS computers.

Infection Mechanism

When an infected file is run, the virus installs itself in memory, and
then infects COMMAND.COM.  Thereafter, whenever an executable file is
opened or executed it is infected with the virus.  Infected files grow in
size from 2.9K to 5.4K bytes, and the creation date is increased by 100
years.

Potential Damage

It does not appear that this virus does any intentional damage, but
infected files may be inoperative.  In addition, the virus is not easily
removed from infected files, requiring that they be replaced with
uninfected copies from backup disks (See Appendix).  The virus damages
network drivers, making it impossible for a machine to connect to a
network and use network services.
Detection

Anti-virus scanners dated before August 1993 that use virus signature
scanning will not be able to recognize this virus.  Anti-virus scanners
that use file signature scanning should be able to detect that the files
have been changed, but will not be able to name the virus.  Most anti-virus
scanner vendors are updating their programs at this time, so scanners
dated after August 1993 should be able to detect the virus by name.  As of
the release of this bulletin, McAfee's SCANV 106 and Norton AntiVirus
version 2.1 with the August 1993 virus definitions update are known to
detect it.  The DataPhysician Plus package (VirHunt, ResScan) version 4.0B
is in final testing and will be available soon.

Warning

If you run an infected anti-virus scanner, nearly every executable file on
your disk will be infected.  Virus scanners must open a file to scan it,
and if this virus is in memory, the act of opening the file for scanning
will infect it.  Most scanners first check themselves to see if they are
infected with a virus, and display a "Virus Found" or "File Damaged"
message when they start up.  If this happens, do not scan your disk with
this scanner.  Even if the scanner claims that it can remove the virus
from itself, don't scan your disk with it.  The memory resident portion of
the virus will still infect your disk.

To scan a computer infected with a memory resident virus like the Satan
Bug virus, you must boot the computer with a clean (uninfected), locked
floppy that contains a clean version of the virus scanner software.
Delete any infected files the scanner finds, and replace them with fresh
copies.  See the Appendix for more information.

For More Information or Assistance

If you require additional information or assistance, please contact CIAC
at:

     Phone:   (510) 422-8193 / FTS
     FAX:     (510) 423-8002 / FTS
     E-mail:  ciac@llnl.gov

Previous CIAC bulletins and other information are available via anonymous
ftp from irbis.llnl.gov (ip address 128.115.19.60).
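The file-change detection described above, combined with the file-signature repair the Appendix says some scanners can perform from information saved before infection, as an added example that is not part of this bulletin or of any product it names.  It assumes a 64-byte saved file head and SHA-256 as the checksum, uses the symptom values stated in this bulletin (growth of 2.9K to 5.4K bytes, creation date advanced 100 years), and the tampering in demo() is constructed test data, not a virus.

```python
import hashlib, os, tempfile
from pathlib import Path

GROWTH_RANGE = (2900, 5400)      # infected files grow 2.9K to 5.4K bytes (bulletin symptom)
CENTURY = 100 * 365.25 * 86400   # creation date moved forward 100 years (bulletin symptom)
HEAD_LEN = 64                    # bytes of each file head kept for repair (assumed size)

def baseline(paths):
    """Record size, mtime, SHA-256 and the saved head of each executable (its 'file signature')."""
    db = {}
    for p in paths:
        data = Path(p).read_bytes()
        db[p] = {"size": len(data), "mtime": os.stat(p).st_mtime,
                 "sha256": hashlib.sha256(data).hexdigest(), "head": data[:HEAD_LEN]}
    return db

def check(db, path):
    """Return findings for one file; an empty list means it is byte-identical to the baseline."""
    data, rec = Path(path).read_bytes(), db[path]
    if hashlib.sha256(data).hexdigest() == rec["sha256"]:
        return []
    findings = ["changed"]            # a file scanner only knows the file changed; the traits
    growth = len(data) - rec["size"]  # below are the symptoms the bulletin lists for Satan Bug
    if GROWTH_RANGE[0] <= growth <= GROWTH_RANGE[1]:
        findings.append("growth-in-satan-bug-range")
    if os.stat(path).st_mtime - rec["mtime"] > 0.99 * CENTURY:
        findings.append("date-advanced-100-years")
    if data[:HEAD_LEN] != rec["head"]:
        findings.append("head-overwritten")
    return findings

def repair(db, path):
    """Restore the saved head, cut to the original length, keep the result only if the hash matches."""
    data, rec = Path(path).read_bytes(), db[path]
    fixed = rec["head"] + data[HEAD_LEN:rec["size"]]
    if hashlib.sha256(fixed).hexdigest() != rec["sha256"]:
        return False                  # original bytes not recoverable: replace from backup instead
    Path(path).write_bytes(fixed)
    return True

def demo():
    """Constructed round trip: baseline a stand-in .COM, tamper as the bulletin describes, check, repair."""
    path = os.path.join(tempfile.mkdtemp(), "EDIT.COM")
    original = bytes(range(256)) * 8  # 2048 constructed bytes, not a real program
    Path(path).write_bytes(original)
    db = baseline([path])
    # Simulated tampering, not a virus: head overwritten, 3000 bytes appended, date 100 years ahead
    Path(path).write_bytes(b"\xff" * HEAD_LEN + original[HEAD_LEN:] + b"\x00" * 3000)
    os.utime(path, (db[path]["mtime"] + CENTURY,) * 2)
    return check(db, path), repair(db, path), Path(path).read_bytes() == original
```

demo() returns the findings list, whether the repair succeeded, and whether the file is again byte-identical to the original; as the bulletin notes, the repair only works because the signature file was made before the tampering.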
CIAC wishes to thank Bill Kenny of DDI, Joe Wells of Symantec and David
Proulx of NAVCERT for their help in preparing this bulletin.

---------------------------------------------------------------------------

Appendix - Scanners, Encrypted Viruses and Removing Memory Resident Viruses

The following appendix answers some frequently asked questions about virus
scanners, encrypted viruses, and disinfecting hard disks.

Anti-Virus Scanners

Virus scanners use two different methods for detecting infected files:
scanning for virus signatures, and scanning for changes in executable
files.  A signature scanner must have a string of bytes, or signature,
that it can detect in a file and that uniquely identifies a virus.  If a
virus does not contain a known signature, then the scanner will not detect
it.  File scanners look at a file's attributes, creation date and time,
length, checksum, file header, and other properties to determine if a file
has changed.  A file scanner can detect a new virus, but cannot tell what
virus it is.  Strictly, a file scanner cannot tell if a file is infected
by a virus, only that the file has changed in some way.  However, any
change in an executable file should be viewed with a lot of suspicion.
Few executable files rewrite themselves after installation.  None of the
DOS utility programs (FORMAT, ASSIGN, etc.) should ever change during
normal use, so view changes there as a probable virus infection.

Problems Removing Encrypted Viruses

Encrypted viruses like the Satan Bug are particularly difficult to remove
from an infected program.  Most viruses of this type attach themselves to
the end of a program, and then remove a small piece from the beginning of
the program and insert code there that causes the virus code to be run
first.  When the virus code completes running, it executes the small piece
of code it removed from the beginning of the program and then continues
with the original program.
That way, when you run an infected program, you will only notice a slight
hesitation at the beginning when the virus code runs, and then the
infected program runs like normal.  Encrypted viruses store this piece of
the normal program within the virus code and then encrypt the virus code.
For an anti-virus program to be able to patch an infected program, it must
be able to decrypt the encrypted virus to find the piece of missing code
so that it can be put back where it belongs.  The Satan Bug virus has up
to nine levels of encryption, the level being different for each
infection.  Decrypting this much code is a very difficult process, so most
anti-virus programs are not expected to be able to repair programs
infected with the Satan Bug virus.

On the other hand, some file signature scanning programs may save enough
of the scanned files to be able to repair an infected program.  The Data
Physician Plus package does save a sufficient amount of information to be
able to repair a program infected with the Satan Bug virus.  However, you
must have created the file signature file before your program was
infected.  Again, if at all possible, you should always replace infected
files rather than repairing them to ensure that you have undamaged copies.

Disinfecting Hard Disks Infected With a Memory Resident Program Virus

In order to disinfect a disk infected with a memory resident program
virus, you first need to get the virus out of memory, then you need to
scan the disk with an uninfected copy of the virus scanner.  To get the
virus out of memory, boot your computer with a clean, locked boot disk.
Then you can scan the hard disk using an anti-virus scanner, also located
on a locked disk.

The following steps can be used to disinfect systems infected with memory
resident program viruses such as the Satan Bug.  They are also applicable
to non-memory resident program viruses, but not to boot sector viruses and
partition table viruses, which need additional steps.

1.  You need a locked, uninfected emergency boot floppy disk that contains
    the virus scanner, FORMAT.EXE, SYS.COM, and FDISK.COM, and any disk
    management software needed to access your hard disk such as
    DiskManager.  You also need simple CONFIG.SYS and AUTOEXEC.BAT files
    that let you bring up your system in a limited way, and any
    backup/restore software you may use.  You need to have made this disk
    before your system gets infected, or make it on some other uninfected
    machine.

2.  Boot the infected computer with the locked, uninfected floppy.

3.  Run the copy of the virus scanner on the uninfected floppy and scan
    the hard disks on the infected computer.

4.  Once the scan has completed, delete any infected files the scanner
    found and scan the disk again.  Repeat this step until no more
    infected or changed files are found.  Alternatively, you can let the
    scanner disinfect all the files if it can, but this is not always
    possible or preferable.

5.  When the scanner indicates that the hard disk is clean, restore the
    system using the SYS command.  This step replaces the invisible system
    files, COMMAND.COM, and the boot sector.

6.  Restore any deleted executables from your locked master disks or
    backup sets.

7.  Scan the disk again with your virus scanner.  Note that at this point,
    the scanner may detect changes in some files because you have copied
    in new versions.  If the scanner detects a virus, then delete the
    infected file.  Later you will need to scan the source disk for that
    infected file, to see if it is infected as well.

8.  Remove the emergency floppy and reboot the computer.  Your computer
    should boot up correctly.

9.  Insert the emergency floppy and run the scanner again just to be sure
    you have gotten every infected file.

10. Start scanning any floppy disks that may have been infected by your
    computer.  Keep in mind that the virus could have been active for
    months before you discovered it.

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins.
If you are not part of these communities, please contact your agency's
response team to report incidents.  Your agency's team will coordinate
with CIAC.  The Forum of Incident Response and Security Teams (FIRST) is a
world-wide organization.  A list of FIRST member organizations and their
constituencies can be obtained by sending email to docserver@first.org
with an empty subject line and a message body containing the line:
send first-contacts.

Neither the United States Government nor the University of California nor
any of their employees makes any warranty, expressed or implied, or
assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights.  Reference herein to any specific commercial products, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state
or reflect those of the United States Government nor the University of
California, and shall not be used for advertising or product endorsement
purposes.