Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!accuvax.nwu.edu!tank!eecae!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: drsolly@ibmpcug.co.uk (Alan Solomon)
Newsgroups: comp.virus
Subject: Ashar virus article
Message-ID: <0004.y8907131623.AA04591@ge.sei.cmu.edu>
Date: 13 Jul 89 00:38:49 GMT
Sender: Virus Discussion List
Lines: 129
Approved: krvw@sei.cmu.edu

A comparison of Ashar and Brain

Recently, an academic institution in the South of England (who do not wish to be named) finished cleaning out a virus that put " (c) ashar" as the volume label. They sent us a specimen for analysis - here are our findings.

Ashar is very similar to Brain, which has been described in detail elsewhere. But there are some interesting differences, which are worth documenting, and they lead to a tentative conclusion.

Difference 1

The volume label that is put on the diskette is " (c) ashar" instead of " (c) Brain". The text in the boot sector contains "(c) 1986 ashar & ashars (pvt) Ltd VIRUS_SHOE RECORD" and the "V9.0" is absent. The rest of the text "Dedicated to the dynamic memories" etc is exactly the same, including the mis-spelling of "messeges" and the grammatical errors.

Difference 2

In Ashar, the volume label is put into the first available directory entry, whereas with Brain, it cannot be put into the first or second entry. If there is a volume label on one of the first two entries, an attempt to install the system will fail, making the virus more noticeable and more of a nuisance.

Difference 3

The body of the virus, and the stored (original) boot sector, is placed in three fake bad clusters. In Brain, this must be on or after cluster 55; the purpose of this is probably to allow space for the Dos system files. Ashar allows the body of the virus to be on any free cluster on the diskette.
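As an added illustration (not part of Dr Solomon's posting, and not code from either virus), the following Python reads two of the traits described here from a raw diskette image: the clusters flagged as bad in a FAT12 table (the fake bad clusters of Difference 3) and the byte-wise NEG encoding of the " (c) ashar " label that Difference 4 goes on to describe. The sample boot sector, the offsets at which the label is placed and the cluster numbers are constructed for the demonstration and are not taken from a real specimen; the FAT12 entry layout and the 0xFF7 bad-cluster marker are the standard ones.

```python
"""Checks for two Ashar/Brain traits in a raw diskette image:
a NEG-encoded volume label in the boot sector and clusters flagged
bad in a FAT12 table. All sample data below is constructed."""

ASHAR_LABEL = " (c) ashar "      # 11-byte label quoted in the article
FAT12_BAD_CLUSTER = 0xFF7        # standard FAT12 "bad cluster" marker


def neg_bytes(data: bytes) -> bytes:
    """Byte-wise two's-complement negation, i.e. what x86 NEG does to each byte.
    Applying it twice restores the input, so encoding and decoding are the same."""
    return bytes((-b) & 0xFF for b in data)


def find_negated_string(sector: bytes, text: str) -> list:
    """Return every offset in `sector` where the NEG-encoded form of `text` occurs."""
    needle = neg_bytes(text.encode("ascii"))
    hits, start = [], 0
    while (pos := sector.find(needle, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


def fat12_entry(fat: bytes, cluster: int) -> int:
    """Read the 12-bit FAT entry for `cluster` (entries are packed 1.5 bytes each)."""
    off = cluster + cluster // 2
    pair = fat[off] | (fat[off + 1] << 8)
    return (pair >> 4) if cluster & 1 else (pair & 0xFFF)


def fat12_bad_clusters(fat: bytes, cluster_count: int) -> list:
    """List the data clusters (numbered from 2) that the FAT flags as bad."""
    return [c for c in range(2, 2 + cluster_count)
            if fat12_entry(fat, c) == FAT12_BAD_CLUSTER]


def set_fat12_entry(fat: bytearray, cluster: int, value: int) -> None:
    """Write a 12-bit entry; used here only to build the constructed sample FAT."""
    off = cluster + cluster // 2
    pair = fat[off] | (fat[off + 1] << 8)
    if cluster & 1:
        pair = (pair & 0x000F) | ((value & 0xFFF) << 4)
    else:
        pair = (pair & 0xF000) | (value & 0xFFF)
    fat[off] = pair & 0xFF
    fat[off + 1] = pair >> 8


def build_sample_boot_sector() -> bytes:
    """Constructed 512-byte boot sector with the label in clear at one offset
    and NEG-encoded at another. The offsets are arbitrary demo values."""
    sector = bytearray(512)
    sector[0x100:0x100 + 11] = ASHAR_LABEL.encode("ascii")
    sector[0x120:0x120 + 11] = neg_bytes(ASHAR_LABEL.encode("ascii"))
    return bytes(sector)


def build_sample_fat(cluster_count: int = 354, bad=(5, 6, 7)) -> bytes:
    """Constructed two-sector FAT12 (360K floppy geometry: 354 data clusters)
    with three clusters flagged bad, mimicking the fake bad clusters."""
    fat = bytearray(1024)
    set_fat12_entry(fat, 0, 0xFFD)   # entry 0 carries the media descriptor (0xFD)
    set_fat12_entry(fat, 1, 0xFFF)   # entry 1 is the conventional end-of-chain fill
    for c in bad:
        set_fat12_entry(fat, c, FAT12_BAD_CLUSTER)
    return bytes(fat)


if __name__ == "__main__":
    sector = build_sample_boot_sector()
    print("cleartext label at", hex(sector.find(ASHAR_LABEL.encode("ascii"))))
    print("NEG-encoded label at", [hex(o) for o in find_negated_string(sector, ASHAR_LABEL)])
    print("clusters flagged bad:", fat12_bad_clusters(build_sample_fat(), 354))
```

A bad-cluster list from the FAT on its own proves nothing, since genuinely defective media also produce one; the useful check is to read those clusters back directly, because clusters that the FAT calls bad yet read cleanly, and hold the boot-sector text above, are the article's fake bad clusters.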
Difference 4

Brain uses quite a complicated encryption scheme to encode the volume label that it places on diskettes, presumably to make it harder for someone to change it. Ashar uses a much simpler scheme. It stores the volume label as a character string, in negated form, so that all you have to do to decode it is a NEG instruction. There are 11 bytes in Brain which were previously thought to contain rubbish. These 11 bytes are the negated " (c) ashar ". Immediately after these, there is " (c) ashar $" in clear. These 11 bytes, and the cleartext, are unused by Brain.

Difference 5

Ashar resets the floppy disk controller before reading or writing to the device in a number of places; Brain does the reset after the access, and only if it fails.

Difference 6

When Brain is installed in memory, and you try to look at the boot sector of a diskette, Brain reads the original boot sector that has been stored further down the diskette, and shows you that normal boot sector instead. This applies to programs that use the data in the boot sector, but also to Debug, Norton, Mace, PC-Tools and other disk sector editors. One of the effects of this is to mislead you into thinking that the diskette is normal. Ashar stores the original boot sector of the diskette, and uses it to continue the boot process after an attempt has been made to boot from an infected floppy. But it does not redirect subsequent attempts to read the boot sector. When you look at the boot sector, you see an infected boot sector.

Conclusion on Brain

Ashar and Brain are definitely two versions of the same virus; the code is nearly the same, apart from the differences documented above. But Brain has sophistications that Ashar doesn't have, such as the boot-read redirection, the space left in the FAT and directory for the installation of the system, and the greatly improved encryption system. Brain contains, as an unused remnant, the NEG-encrypted Ashar volume label.
That would tend to imply that Ashar predates Brain, and the greater sophistications in Brain tend to confirm this. This would imply that Ashar was the precursor to Brain.

If this is true, then the version of Brain which has not got the telephone numbers in the boot sector (but has "Dedicated to the memories") is previous to the version with the telephone numbers, which would imply that the telephone numbers version is a hack of the real Brain. It is very easy to change the boot sector - any disk sector editor would allow that. Until Ashar, we had no way of telling whether the "Dedicated to the memories" version came before or after the telephone numbers version. Now we have a strong indication that the telephone numbers version came afterwards.

One possibility is that Ashar is a kind of hoax; a computer-virus Piltdown that is intended to mislead virus researchers. It would be very difficult to change Brain to Ashar or vice versa unless you had the source code, or a very good disassembly. Why should anyone try to fool virus "palaeontologists" in this way, when such researchers scarcely exist (yet)? And it would seem to be a pretty pointless exercise - if a programmer was that good and wanted to make their mark, they would not have simplified Brain, they would have complicated it, or even used it as a basis to write a completely different, and much worse, virus.

So, if the telephone-numbers version of Brain comes after the "Dedicated to the memories" version, the numbers are probably nothing to do with the virus, and the whole story of the Brain brothers and the writing of the virus comes into doubt.

More general conclusion

In order to discover this kind of information, viruses from the field must be carefully analysed. We need some way for virus researchers to be able to exchange specimens.
Reports of virus sightings, and summaries and catalogues of viruses, are obviously very useful, but to generate the raw material from which these can be produced, actual specimens must be analysed by researchers.

Dr Alan Solomon                  Day voice: +44 494 791900
S&S Anti Virus Group             Eve voice: +44 494 724201
Water Meadow                     Fax:       +44 494 791602
Germain Street,                  Data:      +44 494 724946
Chesham Bucks, HP5 1LP           Usenet:    drsolly@ibmpcug.co.uk
England                          Gold:      83:JNL246