Path: utzoo!utgpu!!mailrus!ames!apple!usc!polyslo!vlsi3b15!!!virus-l
From: RADAI1@HBUNOS.BITNET (Y. Radai)
Newsgroups: comp.virus
Subject: The strange story of the WordPerfect virus (PC)
Message-ID: <0003.8906152051.AA18060@spot.CC.Lehigh.EDU>
Date: 15 Jun 89 11:46:58 GMT
Sender: Virus Discussion List
Reply-To: VIRUS-L@IBM1.CC.Lehigh.EDU
Lines: 77
Approved:

  A virus which specifically infects WordPerfect was described recently by people from Pace and Stanford. Despite a few discrepancies in some of their descriptions, I suspect that they have the same virus which was described in VIRUS-L last January by Eldad Salzmann and Dirk Bode. In any case, since I have just now discovered the explanation for that virus, I am giving it here.

  Last January, Eldad Salzmann described in VIRUS-L how his WordPerfect program suddenly started looking in drive A: for the file WP.EXE when it had previously been working well from his hard disk. Soon Dirk Bode reported that this behavior sounded like the problem they had, which was caused by a memory-resident virus that attaches itself to every executed COM or EXE file except WP 4.2; however it prevents WP from using the hard disk.

  This sounded a lot like the behavior of the Israeli virus, although as far as I knew, that virus never alters normal execution of a program it infects. Also, while one could see from the disassembly that the virus was deliberately coded not to infect COMMAND.COM, there was absolutely nothing to indicate that WP was also singled out for special treatment. So my guess was that either someone had hacked the Israeli virus to make it attack WP, or that the WP problems were caused by something other than a virus.

  Later Otto Stolz kindly sent me a copy of Dirk's virus, mentioning that he could find no difference between it and the Israeli virus. But it was only a few days ago, when Eldad sent me his copy of WP.EXE, that I finally got around to researching this virus. I have now found the solution to the enigma.
  First of all, I verified that the WP virus is indeed identical with the Israeli virus. There now remained two main questions: (1) How can a virus which is programmed to add code to files without affecting their behavior not do this in *all* cases? (2) What is so special about WP.EXE?

  I discovered that when the virus is in RAM and WP is executed, instead of adding 1808 bytes to the end of WP.EXE, as it does with almost every other EXE file, the virus *overwrites* part of WP.EXE (at least in the case of WP 4.2) with the 1808-byte viral code! Now when a WP.EXE file is executed, WP apparently checks itself for validity before doing anything else. If the virus has overwritten code instead of appending it, WP will discover that it is invalid. This causes it for some reason to look for the file WP.EXE on drive A:. If it doesn't find it, it issues the message "Can't find correct copy of WP.EXE". In any case, one can no longer use the copy of WP.EXE on the hard disk.

  This was where I had gotten to at the beginning of the week. I dropped the subject for a while to work on other things, until yesterday, when (without consciously thinking about the matter) it suddenly hit me *why* the Israeli virus treats WP.EXE differently from other EXE files. In order to determine the length of an EXE file it is infecting, a virus can use the length-of-file field (bytes 2 through 5) in the header at the beginning of the EXE file, and this is indeed what the Israeli virus does when infecting EXE files. But what if the value of this field is incorrect?? I looked at these bytes in the uninfected WP.EXE, and found that they were 80 01 29 01 (hex). Translating, we get (01*256 + 29h - 1)*512 + 01*256 + 80h = 151936, which is much smaller than the actual length of the file (269963 bytes). Checking the infected WP.EXE I found that the starting address of the viral code was precisely 151936.
Also, by changing these bytes in the uninfected WP.EXE to 8B 00 10 02, I was able to get WP to execute normally even after infection. Thus my hunch was confirmed. (As to why the value of this field was incorrect in the header of WP.EXE, I leave this to the WordPerfect Corp. to explain.)

  I have also heard of another file, PK36.EXE, which is overwritten by the Israeli virus. Presumably this too is due to an incorrect byte count in its header.

  The description by "IA96000" of the virus discovered at Pace differs from that of the Israeli virus in a few respects. However, experience has taught me that descriptions of viruses at a time of panic are often inaccurate, so that my guess is that it's the same virus.

  In any case, anyone who needs a program for eradicating the Israeli virus (plus a few others) can obtain one (UnVirus by Yuval Rakavy) by writing to me. (Please indicate if you want it in uuencoded or xxencoded form.)

                                          Y. Radai
                                          Hebrew Univ. of Jerusalem
                                          RADAI1@HBUNOS.BITNET
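The following is an added worked example; it is not part of Radai's post and is neither the virus's code nor WordPerfect's. It parses the two MZ header fields the post refers to (bytes 2-3: bytes used in the last 512-byte page; bytes 4-5: number of pages), computes the declared length the same way the post does, models what an appending infector that trusts that value would write over, and derives the corrected header bytes. The header bytes 80 01 29 01, the real length 269963, the viral size 1808 and the fix 8B 00 10 02 are the values quoted in the post; the zero-padded file body is constructed, and the infector model is an assumption drawn from the post's description, not the virus's actual logic. It also handles the e_cblp == 0 case (last page full), which the post's arithmetic does not need but a general parser must.

```python
import struct

# Constructed sample: the MZ header bytes the post quotes for uninfected WP.EXE 4.2.
# Only the first six bytes matter; the rest of the file is zero padding to the real length.
WP_HEADER_BYTES = b"MZ" + bytes.fromhex("80012901")
WP_ACTUAL_LENGTH = 269963   # real file length given in the post
VIRUS_LENGTH = 1808         # size of the appended viral code, per the post


def declared_length(header: bytes) -> int:
    """Length the MZ header claims for the file (the value an appending infector trusts).

    e_cblp (offset 2, LE word): bytes used in the last 512-byte page; 0 means a full page.
    e_cp   (offset 4, LE word): total number of 512-byte pages, including the last one.
    """
    if len(header) < 6 or header[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    e_cblp, e_cp = struct.unpack_from("<HH", header, 2)
    if e_cblp == 0:
        return e_cp * 512
    return (e_cp - 1) * 512 + e_cblp


def encode_length(length: int) -> bytes:
    """Inverse of declared_length: the four header bytes that describe a file of this length."""
    pages, rem = divmod(length, 512)
    if rem:
        pages += 1          # a partial last page still counts as a page
    return struct.pack("<HH", rem, pages)


def infection_outcome(exe: bytes, viral_len: int = VIRUS_LENGTH) -> dict:
    """Model (an assumption, not the virus's code) of an appending EXE infector that
    seeks to the header's declared length and writes viral_len bytes there.

    If the header under-reports the length, the write lands inside the original
    image and clobbers up to viral_len bytes of it instead of appending.
    """
    declared = declared_length(exe)
    actual = len(exe)
    overwritten = min(viral_len, max(0, actual - declared))
    return {
        "declared": declared,
        "actual": actual,
        "write_offset": declared,
        "bytes_overwritten": overwritten,
        "appends_cleanly": declared == actual,
    }


def fix_header(exe: bytes) -> bytes:
    """Rewrite bytes 2-5 so the header agrees with the real file length (what the post did by hand)."""
    return exe[:2] + encode_length(len(exe)) + exe[6:]


def build_wp_sample() -> bytes:
    """Constructed stand-in for WP.EXE: the quoted header plus zero padding to the real length."""
    return WP_HEADER_BYTES + b"\0" * (WP_ACTUAL_LENGTH - len(WP_HEADER_BYTES))


if __name__ == "__main__":
    wp = build_wp_sample()
    print("header claims %d bytes, file is %d bytes" % (declared_length(wp), len(wp)))
    print("infection model:", infection_outcome(wp))
    print("corrected bytes 2-5:", fix_header(wp)[2:6].hex(" "))
    print("after fix:", infection_outcome(fix_header(wp)))
```

Running it reproduces the post's arithmetic: the header claims 151936 bytes, so the modelled infector writes its 1808 bytes at offset 151936 inside the 269963-byte image; after fix_header the bytes 2-5 become 8b 00 10 02 and the same infector appends cleanly. The check "declared_length(f) != len(f)" is also a cheap way to spot other EXEs with the same header defect (the post mentions PK36.EXE as a suspected case).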