Legends of virus construction: the beginning of the war


    The end of the eighties was an amazing time for the country of the Soviets. Accumulated and growing discontent translates into a bastard "restructuring". In the TV - the shameful withdrawal of Soviet troops from Afghanistan, in the shops - empty shelves and grocery cards. “A star named the Sun” and “I Want to Change” are heard from every iron. Meanwhile, in the depths of the USSR MCC Gosplan, Dmitry Nikolaevich Lozinsky discovers on one of the computers the reason for her unusual behavior, which turned out to be an unusual program. The neutralization tool was written in one evening and was named after the AIDS test system, which was liked to be mentioned on the radio about the same time as the great achievement of medicine.

    The virus was a simple program whose code was not subjected to any additional processing and was easily detected with the help of specialized software. At that time, there was still no uniform system for naming malware. But in this respect, almost nothing has changed today, the antivirus offices cannot agree among themselves, and the same viral “strain” may be called differently in different antivirus packages. „Vienna.648“ got its name after the place of primary detection and size - 648 bytes.

    Franz Svoboda and Ralph Berger were the first to find the virus at about the same time, although it is not known for certain which of them did it first, because each of them said that he had received the virus from the other. The program would have remained famous for its first appearance in the USSR and nothing more. But Ralph Berger, having published the source code in his book (ISBN 1557550433), opened Pandora's casket. Any programmer could change the source code to create a similar program based on it. An avalanche of "forks" hit the world of cars. Sometimes among them met the inveterate "scoundrels" such as Ghostballs and Chameleon. Some descendants of this virus are still found in the "natural" habitat (for many years, novice programmers and schoolchildren have done more than 60 variants of this infection, most likely this number can be safely multiplied by 10, and then I'm not sure that this is all).

    "Vienna.648" is a typical file non-resident virus that, after receiving control, infects files, most often at the time of launching the infected media. A characteristic feature of non-residents is their short life cycle, including the launch, search and infection of their victims. There are several common search algorithms for non-residents of possible victims. Like many other old viruses, it was written in assembly language and hit executable COM-files (COM-programs are usually small applications, system utilities or small resident programs).

    Our today's "hero" was the very first to use the search method on the "path", a fairly efficient search algorithm, a kind of “know-how” that does not require a complete bypass of all the disk directories. MS-DOS provided a mechanism for creating a list of predefined directories, most often written in the AUTOEXEC.BAT system batch file. These lists fell into the system environment and became available for all programs. The directories contained in the “PATH” line (“path”) always contained executable files. After the virus starts a line beginning with the “path”, the virus separated the directories with the “;” symbol and added the search mask of the COM files, after which infection occurred and the control was transferred.

    The virus was attributed to the end of the COM program file, and at the beginning entered the assembler command to go to its body, while adding a virus code to the end of the program made it impossible to use direct addressing to memory cells, as direct links changed, and therefore it was necessary to complicate algorithms using indirect addressing with offset. This complication required the introduction of additional code that calculates the addressing. The presence of such a code was an important signature sign of infection of the program.

    Given the simplicity of the program and the obscurity of its creator to the present day, we can assume that it was created by “try on the pen”, or by an experiment that was slightly out of control. This apparent simplicity in conjunction with easily detectable signatures speak in favor of this hypothesis, but it does not prove it definitively. Despite the seemingly triviality, we should not forget that Vienna.648 was also the first virus that was detected and destroyed by the antivirus program.

    There is a version that the author of the program is Berger, although he denied any involvement in this. Be that as it may, it was he who launched the pendulum of the new digital war . So began the opposition of viruses and anti-virus programs ...

    Also popular now: