The Bulgarian and Soviet Virus Factories The Bulgarian and Soviet Virus Factories ======================================== Vesselin Bontchev, Director Laboratory of Computer Virology Bulgarian Academy of Sciences, Sofia, Bulgaria 0) Abstract =========== It is now well known that Bulgaria is leader in computer virus production and the USSR is following closely. This paper tries to answer the main questions: Who makes viruses there, What viruses are made, and Why this is done. It also underlines the impact of this process on the West, as well as on the national software industry. 1) How the story began ====================== Just three years ago there were no computer viruses in Bulgaria. After all, these were things that can happen only in the capitalist countries.
They were first mentioned in the April issue of the Bulgarian computer magazine “Komputar za vas” (“Computer for you”) [KV88] in a paper, translated from the German magazine “Chip” [Chip]. Soon after that, the same Bulgarian magazine published an article [KV89]], explaining why computer viruses cannot be dangerous. The arguments presented were, in general, correct, but the author had completely missed the fact that the majority of PC users are not experienced programmers. A few months later, in the fall of the same year, two men came in the editor’s office of the magazine and claimed that they have found a computer virus. Careful examination showed that it was the VIENNA virus.
At that time the computer virus was a completely new idea for us. To make a computer program, whose performance resembles a live being, is able to replicate and to move from computer to computer even against the will of the user, seemed extremely exciting. The fact that “it can be done” and that even “it had been done” spread in our country like wildfire. Soon hackers obtained a copy of the virus and began to hack it. It was noticed that the program contains no “black magic” and that it was even quite sloppily written. Soon new, home–made and improved versions appeared.
Some of them were produced just by assembling the disassembly of the virus using a better optimizing assembler. Some were optimized by hand. As a result, now there are several versions of this virus, that were created in Bulgaria — versions with infective lengths of 627, 623, 622, 435, 367, 353 and even 348 bytes. The virus has been made almost two times shorter (its original infective length is 648 bytes) without any loss of functionality. This virus was the first case. Soon after that, we were “visited” by the CASCADE and the PING PONG viruses.
The later was the first boot–sector virus and proved that this special area, present on every diskette can be used as a virus carrier, too. All these three viruses were probably imported with illegal copies of pirated programs. 2) Who, What & Why. =================== 2.1) The first Bulgarian virus. ——————————- At that time both known viruses that infected files ( VIENNA and CASCADE) infected only COM files. This made me believe that the infection of EXE files was much more difficult.
Unfortunately, I made the mistake by telling my opinion to a friend of mine. Let’s call him “V.B.” for privacy reasons.(1) …………………………… ……….. [(1) These are the initials of his true name. It will be the same with the other virus writers that I shall mention. Please note, that while I have the same initials (and even his full name resembles mine), we are two different persons.] …………………………… ……….. The challenge was taken immediately and soon after that I received a simple virus that was able to infect only EXE files.
It is now known to the world under the name of OLD YANKEE. The reason for this is that when the virus infects a new file, it plays the “Yankee Doodle” melody. The virus itself was quite trivial. Its only feature was its ability to infect EXE files. The author of this virus even distributed its source code (or, more exactly, the source code of the program that releases it). Nevertheless, the virus did not spread very widely and even had not been modified a lot.
Only a few sites reported to be infected by it. Probably the reason for this was the fact, that the virus was non–resident and that it infected files only on the current drive. So the only possibility to get infected by it was to copy an infected file from one computer to another. When the puzzle of creating a virus which is able to infect EXE files was solved, V.B. lost his interest in this field and didn’t write any other viruses.
As far as I know, he currently works in real–time signal processing. 2.2) The T.P. case. ——————- The second Bulgarian virus–writer, T.P., caused much more trouble. When he first heard the idea about aself–replicating program, he was very interested, decided to write his own virus, and he succeeded. Then he tried to implement a virus protection scheme and succeeded again. The next move was to improve his virus to bypass his own virus protection, then to improve the virus protection and so on.
That is why there are currently about 50 different versions of his viruses. Unfortunately, several of them (about a dozen) were quite “successful.” They spread world–wide. There are reports about them from all countries of the former Eastern block, as well as from the USA and West Europe. Earlier versions of these TP viruses are known under the name VACSINA, because they contain such a string. In fact, this is the name of the virus author’s virus protection program.
It is implemented as a device driver with this name. The virus merely tries to open a file with this name, which means “Hey, it’s me, let me pass.” The latest versions of the virus are best known under the name YANKEE DOODLE, because they play this tune. The conditions on which the tune is played are different with the different versions of the virus — for instance when the user tries to reboot the system, or when the system timer reaches 5 p.m. All TP viruses are strictly non–destructive. Their author payed particular attention not to destroy any data.
For instance, the virus does not infect EXE files for which the true file length and the length of the loadable part as it is present in the EXE header, are not equal. As far as I know, no other virus that is able to infect EXE files works this way. Also, the virus does not try to bypass the resident programs that have intercepted INT 13h, therefore it takes the risk to be detected by most virus activities monitoring software. The author of the virus obviously could circumvent it — for instance it uses a clever technique, now known as “interrupt tracing” to bypass all programs that have hooked INT 21h. The only reason for not bypassing INT 13h as well, is that this would also bypass all disk casheing programs, thus it could cause damage. Of course, the fact that the virus is not intentionally destructive does not mean that it does not cause any damage.
There are several reports of incompatibilities with other software; or of panicking users, that have formatted their disks; or, at least, damage caused by time loss, denial of computer services, or expenses removing the virus. It is well known, that “there ain’t no such thing as a good virus.” The TP viruses were not spread intentionally; the cause could be called “criminal negligence.” The computer used by T.P. to develope his viruses was also shared by several other people. This is common practice in Bulgaria, where not everyone can have a really “personal” computer to work with. T.P.
warned the other users that he is writing viruses, but at this time computer viruses were a completely new idea, so nobody took the warning seriously. Since T.P. didn’t bother to clean up after himself, these users got, of course, infected. Unintentionally, they spread the infection further. When asked about the reason of writing viruses, T.P.
replied that he did this in order to try several new ideas; to better learn the operating system and several programming tricks. He is not interested in this field any more — he has stopped writing viruses about two years ago. 2.3) The Dark Avenger. ———————- In the spring of 1989 a new virus appeared in Bulgaria. It was obviously “home–made” and just to remove any doubts about it, there was a string in it, saying “This program was written in the city of Sofia (C) 1988-89 Dark Avenger.” The virus was incredibly infectious — when it was in memory, it was sufficient to copy or just to open a file to get it infected. When the user felt that there is a virus in his/her system and, without booting from a non–infected write–protected system diskette, ran an anti–virus program which wasn’t aware of this new virus, he usually got all his/her executable files infected.
The idea of infecting a file when it is opened was new and really “successful.” Now such viruses are called “fast infectors.” This strategy helped the virus to spread world– wide. There are reports from all European countries, from the USA, the USSR, even from Thailand and Mongolia. On the top of this, the virus was very dangerously destructive. On each 16th run of an infected program, it overwrote a sector on a random place of the disk, thus possibly destroying the file or directory that contained this sector. The contents of the overwritten sector was the first 512 bytes of the virus body, so even after the system has been cleaned up, there were files, containing a string “Eddie lives..somewhere in time!” This was causing much more damage than if the virus was just formatting the hard disk, since the destruction was very unnoticable and when the user eventually discovered it, his backups probably already contained corrupted data.
Soon after that, other clever viruses began to appear. Almost all of them were very destructive. Several contained completely new ideas. Now this person (we still cannot identify him exactly) is believed to be the author of the following viruses: DARK AVENGER, V2000 (two variants), V2100 (two variants), 651, DIAMOND (two variants), NOMENKLATURA, 512 (six variants), 800, 1226, PROUD, EVIL, PHOENIX, ANTHRAX, LEECH.. Dark Avenger has several times attacked some anti–virus researchers personally. The V2000/V2100 viruses claim to be written by “Vesselin Bontchev” and in fact hang the computer when any program, containing this string is run.
A slightly modified variant of V2100 (V2100-B) has been used to trojanize version 66 of John McAfee’s package VIRUSCAN. There are reports that Dark Avenger has called several bulletin board systems in Europe and has uploaded there viruses. The reports come from the UK, Sweden, the Netherlands, Greece.. Sometimes the viruses uploaded there are unknown in Bulgaria (NOMENKLATURA,ANTHRAX). But they are obviously made in our country — they contain messages in Cyrillic.
Sometimes Dark Avenger uploads a Trojan program that spreads the virus — not just an infected program. This makes the detection of the source of infection more difficult. One particular case is when he has uploaded a file called UScan, which, when run, claims to be the “universal virus scanner,” written by Vesselin Bontchev. Even the person who has uploaded it, has logged under the name “Vesselin Bontchev.” In fact, the program just infected all scanned files with the ANTHRAX virus. While the other Bulgarian virus writers seem to be just irresponsible or with childish mentality, the Dark Avenger can be classified as a “technopath.” He is a regular user of several Bulgarian bulletin board systems, so one can easily exchange e-mail messages with him. When asked why his viruses are destructive, he replied that “destroying data is a pleasure” and that he “just loves to destroy other people’s work.” Unfortunately, no measures can be taken against him in Bulgaria.
Since there is no law for information protection, his activities are not illegal there. He can be easily caught by tapping the phones of the BBSes that he uses, but the law enforcement authorities cannot take such measures, since there is no evidence of illegal activities. Alas, he knows this perfectly. 2.4) Lubo & Ian. —————- Some of the Dark Avenger’s viruses proved to be very “successful” and caused real epidemics.
That is why they were often imitated by other virus writers, that had no imagination to design their own virus, but were jealous of Dark Avenger’s fame. So they just disassembled his viruses (usually the first one) and used parts of it — sometimes without even understanding their purpose. Such is the case with the MURPHY viruses. According to a string in them, they are written by “Lubo & Ian, USM Laboratory, Sofia.” These people do exist and they have used their real names. “Lubo” has even been several times interviewed by newspaper’s reporters.
They claim that the virus was written for vengeance. They have done some important work for their boss and the latter refused to pay them. That is why they developed te virus in one night and released it. The fact that the virus will spread outside the laboratory just didn’t come to their minds. However, this does not explain the developing of the other versions of the same virus (there are at least four variants). Nevertheless, it proves one more time that it is better (and safer, too) to pay the good programmers well.. Besides MURPHY, these two virus writers have created another virus, called SENTINEL (5 variants).
The only unusual thing with this virus is that it is written in a high–level programming language (Turbo PASCAL), but is not an overwriting or a companion virus as most HLL viruses are. It is able to infect COM and EXE files by appending itself to them and by preserving their full functionality. It is also memory resident, hides the file length increase when the user issues the DIR command, and even mutates. 2.5) The virus writer from Plovdiv. ———————————– This man, P.D., claimed that he has written viruses “for fun” and only “for himself” and that he “never releases them.” Unfortunately, at least two of them have “escaped” by accident. These are the ANTI- PASCAL605 and the TERROR viruses.
Especially the latter is extremely virulent and caused a large epidemic in Bulgaria. P.D. was very sorry for that and submitted examples of all his viruses to the anti–virus researchers so that the respective anti–virus programs be developed — just in case some of these viruses escapes too. These viruses turned out to be quite a few, ranging from extremely stupid to very sophisticated. Here are some of them: XBOOT, ANTIPASCAL (5 variants), TINY (11 variants), MINIMAL-45, TERROR, DARK LORD, NINA, GERGANA, HAPPY NEW YEAR (2 variants), INT 13. P.D.
claims that the DARK LORD virus (a minor TERROR variant) is not written by him. The TINY family has nothing to do with the Danish TINY virus (the 163–byte variant of the KENNEDY virus), and, as well as the MINIMAL-45 virus, are written with the only purpose to make the shortest virus in the world. Now P.D. is not writing viruses any more — because “it is so easy, that it is not interesting,” according to his own words. He is currently writing anti–virus programs — and rather good ones. 2.6) The two guys from Varna. —————————– They are two pupils (V.P.
and S.K.) from the Mathematical High School in Varna (a town on the Black Sea). They have developed several viruses and continue to do so, producing more and more sophisticated ones. Furthermore, they intentionally spread their viruses, usually releasing them on the school’s computers or in the Technical University in Varna. When asked why they write and release viruses, they reply “because it’s so interesting!” The viruses written by them are: MG (5 variants), SHAKE (5 variants), DIR and DIR II. All of them are memory resident and infect files when the DIR command is performed. The last one is an extremely virulent and sophisticated virus — as sophisticated, as THE NUMBER OF THE BEAST. It is also a completely new type of virus — it infects nether boot sectors, nor files.
Instead, it infects the file system as a whole, changing the information in the directory entries, so that each file seems to begin with the virus. There is a counter of the number of infected systems in the virus body. There is evidence that V.P. and S.K. collect infected files, copy the contents of the counter and then draw curves of the spread of infection, checking the normal distribution law. They are doing this “for fun.” 2.7) W.T.’s case. —————– W.T. is a virus writer from Sofia, who has written two viruses — WWT (2 variants) and DARTH VADER (4 variants).
According to his own words, he has done so to test a new idea and to gain access to the Virus eXchange BBS (see below). The new idea consisted of a virus (DARTH VADER) that does not increase file lengths, because it searches for unused holes, filled with zeros, and writes itself there. Also, the virus does not perform any write operations. Instead, it just waits for a COM file to be written to by DOS and modifies the file’s image in memory just before the write operation is performed. W.T.
does not write viruses any more, but he is still extremely interested in this field. He is collecting sophisticated viruses and disassembles them, looking for clever ideas. 2.8) The Naughty Hacker. ———————— This virus writer, M.H., is a pupil and also lives in Sofia. He has written several viruses, most of which contain the string “Naughty Hacker” in their body. All of them are non– destructive, but contain different video effects — from display desynchronization to a bouncing ball. Currently, at least 8 different variants are isolated, but it is believed that even more exist and are spread in the wild.
Also, it is believed that M.H. continues to produce viruses. As usual, he is doing so “because it is interesting” and “for fun.” He is also the author of three simple boot sector viruses (BOOTHORSE and two others that are still unnamed). 2.9) Other known virus writers. ——————————- The persons listed above are the major Bulgarian virus producers. However, they are not alone. Several other people in Bulgaria have written at least one virus (sometimes more).
In fact, making a virus is currently considered there a kind of sport, or a practical joke, or means of self–establishment. Some of these virus writers have supplied their creations directly to the anti–virus researchers, as if they are waiting for a reward. This happens quite often — probably they expect that the anti–virus researcher, as the best qualified person, will evaluate their creation better. Sometimes the fact that their virus becomes known, is described, and is included in the best anti–virus programs is sufficient for these people and they don’t bother to really spread their virus in the wild. So, probably the main reason for these people to produce viruses is the seek of glory, fame, and self–establishment. Such known Bulgarian virus writers (with the respective names of their viruses given in parentheses) are V.D. from Pleven (MICRO-128), A.S.
and R.D. from Mihajlovgrad (V123), I.D. from Trojan (MUTANT, V127, V270x), K.D. from Tutrakan (BOYS, WARRIER, WARRIOR, DREAM), and others. 2.10) Unknown Bulgarian virus writers. ————————————– Of course, there are also other virus writers, that are not known to the author of this paper.
Sometimes it is possible to determine the town where the viruses were developed — usually due to an appropriate string in the virus body, or because the virus wasn’t found elsewhere. Some of the viruses are very simple, others are quite sophisticated. Here are examples of such viruses. – The KAMIKAZE virus has been detected only in the Institute of Mathematics at the Bulgarian Academy of Sciences, Sofia and is probably made there; – The RAT virus, made in Sofia, as it is written in its body; – The VFSI (HAPPY DAY) virus has been developed in the Higher Institute of Finances and Economics in Svishtov (a small town on the Danube) by an unknown programmer; – The DESTRUCTOR virus, probably made in Plovdiv, where it has been first detected; – The PARITY virus, probably written in the Technical University, Sofia, since it has not been detected elsewhere; – The TONY file and boot sector viruses, probably created in Plovdiv where they have been first detected; – The ETC virus, detected only in Sofia; – The 1963 virus, a quite sophisticated one, probably made in the Sofia University; – The JUSTICE virus. 2.11) The Virus eXchange BBS.
—————————– About a year ago, the virus writing in Bulgaria entered a new phase. The virus writers began to organize themselves. The first step was the creation of a specialized bulletin board system (BBS), dedicated to virus exchange. The Virus eXchange BBS. It’s system operator (SysOp), T.T.
is a student of computer science in the Sofia University. He has established the BBS in his own home. On this BBS, there are two major kinds of files — anti–virus programs and viruses. The anti–virus programs can be downloaded freely. In order to get access to the virus area, one has to upload there a new virus.
However, anyone who uploads a new virus, gets access to the whole virus collection. S/He could then download every virus that is already available, or even all of them. No questions are asked — for instance for what reason s/he might need these viruses. Furthermore, the SysOp takes no steps to verify the identity of his users. They are allowed to use fake names and are even encouraged to do so.
Dark Avenger and W.T., between them are, the most active users, but there are also names like George Bush from New York, Saddam Hussein from Baghdad, Ozzy Ozburn and others. Since this BBS has already a large collection of computer viruses (about 300), it is quite difficult to find a new virus for it. If one wants badly to get access to the virus area, it is much simpler to write a new virus, instead of trying to find a new one. That is exactly what W.T. did.
Therefore, this BBS encourages virus writing. Furthermore, on this BBS there are all kinds of viruses — some of them as 1260, V2P6Z, FLIP, WHALE are considered as extremely dangerous, since they are using several new ideas and clever tricks, which makes them very difficult to be recognized and removed from the infected files. And the Virus eXchange BBS policy makes all these viruses freely available to any hacker that bothers to download them. This will, undoubtedly, lead to the creation of more and more such “difficult” viruses in the near future. The free availability of live viruses has already given its bitter fruits. It helped to viruses created far away from Bulgaria and not widely spread, to cause epidemics in our country.
Such was the case of the DATALOCK virus. It has been created in California, USA and uploaded to the Virus eXchange BBS. A few weeks later it was detected in the Technical University, Sofia. Probably one of the users of the BBS had downloaded it from there and spread it “for fun.” In the similar way the INTERNAL, TYPO and 1575 viruses entered our country. But the free availability of known live viruses is not the most dangerous thing.
After all, since they are already known, there already exist programs to detect and probably to remove them. Much more dangerous is the free availability on this BBS of virus source code! Indeed, original source code or well commented virus disassemblies of several viruses are freely available on the Virus eXchange BBS — just as any other live virus. To name a few, there are: DARK AVENGER, OLD YANKEE, DIAMOND, AMSTRAD, HYMN, MLTI830, MURPHY, MAGNITOGORSK, ICELANDIC, MIX1, STONED, JERUSALEM, DATACRIME, BURGER, ARMAGEDON, OROPAX, DARTH VADER, NAUGHTY HACKER, 512, VIENNA, 4096, FISH#6, PING PONG, BLACK JEC, WWT, MG, TSD, BOOTHORSE, BAD BOY, LEECH.. Most of them are perfectly assemblable sources. The publishing of virus source code has proven to be the most dangerous thing in this field.
The VIENNA, JERUSALEM, CASCADE and AMSTRAD viruses are the best examples. Their source code has been made publicly available, which led to the creation of scores of new variants of these viruses. The known variants of only these four viruses are about 20 % of all known viruses, which means more than a hundred variants. One can imagine the consequences of making publicly available the source code of all the viruses listed above. In less than a year we probably will be submerged by thousands new variants..
In fact, this process has already begun. The HIV, MIGRAM, KAMASYA, CEMETERY and ANTICHRIST viruses have been obviously created by someone who had access to the source of the MURPHY virus. The ENIGMA virus is clearly based on the OLD YANKEE code. There have been reports about infections with these viruses in one Italian school and an Italian virus writer, known as Cracker Jack is a user of Virus eXchange.. The damage caused by this BBS alone to the rest of the world is big enough.
But this is not all. Since possession of “viral knowledge” (i.e., live viruses, virus source code) has always tempted hackers and since the legitimate anti–virus researchers usually exchange such things only between themselves and in a very restricted manner, it is not surprising that similar “virus boards” began to pop up around the world. There are currently such BBSes in the USA, Germany, Italy, Sweden, Czechoslovakia, the UK and the Soviet Union. Stopping their activities is very difficult in legal terms, because the possession, storage or willful downloading of computer viruses usually is not considered as a criminal offence. And it shouldn’t be — otherwise the anti–virus researchers themselves will not have a way to exchange virus samples to work with. The creation of a virus–oriented BBS, the system operator of which supported the writing, spreading and exchanging of virus code didn’t go unnoticed in Bulgaria.
Almost all virus writers have obtained a modem (a not very easy thing in Bulgaria) and contacted it. Afterwards, they began to contact each other by means of electronic messages on this BBS. They have even created a specialized local conference (local for Bulgaria), in order to keep in touch and to exchange ideas how to write clever viruses. Therefore, they began to organize themselves — a thing that cannot be said about the anti–virus research community in all countries.. 3) New ideas.
============= As it can be seen from the examples above, the whole of Bulgaria has turned into some kind of computer virus developing laboratory, where any capable (or not so capable) pupil/student/ programmer is tempted to write his own virus and to test it in the wild. It is not therefore unusual that several completely new ideas were first developed in our country. I shall try to enumerate here some (only the most important) of them. – The interrupt tracing technique, capable of finding the original handler (in DOS or BIOS) of any interrupt vector, has been first implemented in the YANKEE DOODLE (TP) viruses. Later other viruses in the world began to use it (4096, NAUGHTY HACKER).
– The “fast infectors” — viruses that infect on file opening or even on any file operation were first developed in Bulgaria. The first such virus was the DARK AVENGER. Now there are a lot of fast infectors. One of them — 1963 — even infects on file deletion. – The “semi–stealth” viruses — viruses that hide the increasing of the size of the infected files (the 651 virus) or that remove them from the inflected files when one loads …