In 1991, the virus problem was sufficiently interesting to attract the large marketing companies. Symantec launched Norton Anti-Virus in December 1990, and Central Point launched CPAV in April 1991. This was soon followed by Xtree, Fifth Generation and a couple of others. Most of these companies were rebadging other companies’ programs (nearly all Israeli). The other big problem of 1991 was “glut.” In December 1990, there were about 200-300 viruses; by December 1991 there were 1,000 (there may have been even more written that year, because by February, we were counting 1,300).
Glut means lots of viruses, and this causes a number of unpleasant problems. In every program, there must be various limitations. In particular, a scanner has to store search strings in memory, and under DOS, there is only 640KB to use (and DOS, the network shell and the program’s user interface might take half of that).
Another glut problem is that some scanners slow down in proportion to the number of viruses scanned for. Not many scanners work this way, but it certainly poses a problem for those that do.
A third glut problem comes with the analysis of viruses; this is necessary if you want to detect the virus reliably, to repair it, and if you want to know what it does. If it takes one researcher one day to disassemble one virus, then he can only do 250 per year. If it takes one hour, that figure becomes 2,000 per year, but whatever the figure, more viruses means more work.
Glut also means a lot of viruses that are similar to each other. This can lead to mis-identification, and therefore a wrong repair. Very few scanners attempt a complete virus identification, so this confusion about exactly which virus is being found is very common.
Most of these viruses came from Eastern Europe and Russia; the Russian virus production was in full swing. But another major source of new viruses was the virus exchange BBSes.
Bulgaria pioneered the VX BBS, but a number of other countries quickly followed. Some shut down not long after they started up, but the Milan “Italian Virus Research Laboratory” was where a virus author called Cracker Jack uploaded his viruses (which were plagiarised versions of the Bulgarian viruses). Germany had Gonorrhea, Sweden had Demoralised Youth, America had Hellpit, the UK had Dead On Arrival and Semaj. Some of these have now either closed down or gone underground, but they certainly contributed to the glut problem. With a VX BBS, all a virus author has to do is download some source code, make a few simple changes, then upload a new virus, which gives him access to all the other viruses on the board.
1991 was also the year that polymorphic viruses first made a major impact on users. Washburn had written 1260 and the V2 series long before, but because these were based on Vienna, they weren’t infectious enough to spread. But in April of 1991, Tequila burst upon the world like a comet. It was written in Switzerland, and was not intended to spread. But it was stolen from the author by a friend, who planted it on his father’s master disks. Father was a shareware vendor, and soon Tequila was very widespread.
Tequila used full stealth when it installed itself on the partition sector, and in files it used partial stealth, and was fully polymorphic. A full polymorphic virus is one for which no search string can be written down, even if you allow the use of wild cards. Tequila was the first polymorphic virus that was widespread. By May, the first few scanners were detecting it, but it was not until September that all the major scanners could detect it reliably. If you don’t detect it reliably, then you miss, say, 1% of infected files. The virus starts another outbreak from these overlooked instances, and has to be put down again, but now there is that old 1%, plus another 1% of files that are infected but not detected. This can continue for as long as the user has patience, until eventually the hard disk contains nothing but files that the scanner cannot detect. The user thinks that, after the virus came back a number of times, it gradually infected fewer and fewer files, until now he has got rid of it completely.
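The reinfection cycle described above can be worked through numerically. The following simulation is an added example, not code from the original article or from Dr. Solomon Software; it assumes a constructed model in which every outbreak reinfects all currently clean files, each infection instance has a fixed probability of being a form the scanner cannot detect, and a missed instance stays missed on every later pass. The file count, miss rate and cycle count are illustrative values, not figures from the page.

```python
"""Model of a scanner that misses a fixed fraction of infected files on each
pass, applied to a virus that re-spreads from the files it left behind.

Constructed model assumptions (illustrative, not from the original article):
- every file on the disk is reinfected during each outbreak
- an infection instance is either detectable or not; a missed instance is the
  same undetected form next time, so it stays missed on every later pass
- the scanner disinfects every instance it can detect
"""


def simulate_outbreaks(files, miss_rate, cycles):
    """Return one record per cleanup pass: what the user sees (files the
    scanner found and disinfected) and what is really there (files still
    infected with a form the scanner cannot detect)."""
    hidden = 0.0  # files holding an infection the scanner cannot detect
    history = []
    for n in range(1, cycles + 1):
        reinfected = files - hidden          # the outbreak hits every clean file
        newly_hidden = reinfected * miss_rate  # new infections the scanner will miss
        disinfected = reinfected - newly_hidden
        hidden += newly_hidden               # the missed ones accumulate
        history.append({
            "cycle": n,
            "disinfected": disinfected,       # what the user's report shows
            "still_infected": hidden,         # what is actually on the disk
        })
    return history


def hidden_fraction(miss_rate, cycles):
    """Closed form of the same process: after n passes the share of files that
    are infected but undetected is 1 - (1 - miss_rate) ** n."""
    return 1 - (1 - miss_rate) ** cycles


def cycles_until(miss_rate, threshold):
    """Number of outbreak/cleanup passes until more than `threshold` of the
    disk holds infections the scanner cannot detect."""
    n = 0
    hidden = 0.0
    while hidden <= threshold:
        n += 1
        hidden += (1 - hidden) * miss_rate
    return n


if __name__ == "__main__":
    # Illustrative values: 10,000 files, the 1% miss rate from the text.
    for record in simulate_outbreaks(10_000, 0.01, 5):
        print("pass {cycle}: scanner removed {disinfected:8.2f} files, "
              "{still_infected:7.2f} still infected".format(**record))
    print("passes until half the disk is undetectably infected:",
          cycles_until(0.01, 0.5))
```

Each pass reports fewer disinfected files than the last, which is exactly the user's impression that the virus is "gradually infecting fewer files", while the count of files the scanner can no longer see only grows; with a 1% miss rate, half the disk is in that state after 69 passes.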
In September 1991, Maltese Amoeba spread through Europe – another polymorphic virus. By the end of the year, there were a few dozen polymorphic viruses. Each of these is classified as “difficult,” meaning it takes a virus researcher more than a few hours to do everything that needs to be done. Also, most products need some form of hard coding in order to detect the virus, which means program development, which means bugs, debugging, beta testing and quality control. Furthermore, although a normal virus won’t slow down most scanners, a polymorphic virus might.
It was also in 1991, that Dark Avenger announced the first virus vapourware. He threatened a virus that had 4,000,000,000 different forms. In January 1992, this virus appeared, but it wasn’t a virus.
The information in this section was provided by and used with permission of Dr. Solomon Software. Please do not further use the material without obtaining your own permission to use it.