d-22.ciac-Satan-Bug-Virus
Posted Sep 23, 1999
tags | virus
SHA-256 | 002c672e73076f0a1b097da0f729260dd8e202bcdf5c9511dbe2cbdf9fc5029f

_______________________________________________________
The Computer Incident Advisory Capability (CIAC)
_____________________________________________________
Information Bulletin

Satan Bug Virus on MS-DOS computers

September 4, 1993 1000 PDT Number D-22
__________________________________________________________________________
NAME: Satan Bug virus
PLATFORM: MS-DOS/PC-DOS Computers
TYPE: Memory resident, polymorphic, encrypted
DAMAGE: Infects .COM, .EXE, .SYS, and .OVL files. Damages infected
files, makes LANs inaccessible by damaging the LAN drivers.
SYMPTOMS: Files grow at each infection, file dates change, files on LAN
file servers become inaccessible.
DETECTION: DataPhysician Plus 4.0B, Scan V106, Norton AntiVirus 2.1 with
August 1993 virus definitions.
__________________________________________________________________________
Critical Facts about the Satan Bug Virus

CIAC has been alerted that the Satan Bug virus, a new virus previously thought
to be contained, has been located at multiple sites in the "wild." The Satan
Bug virus is an encrypted, polymorphic virus that infects all .COM, .EXE,
.SYS, and .OVL files on MS-DOS/PC-DOS computers.

Infection Mechanism

When an infected file is run, the virus installs itself in memory, and then
infects COMMAND.COM. Thereafter, whenever an executable file is opened or
executed it is infected with the virus. Infected files grow in size from 2.9K
to 5.4K bytes, and the creation date is increased by 100 years.

Potential Damage

It does not appear that this virus does any intentional damage, but infected
files may be inoperative. In addition, the virus is not easily removed from
infected files, requiring that they be replaced with uninfected copies from
backup disks (See Appendix). The virus damages network drivers, making it
impossible for a machine to connect to a network and use network services.

Detection

Anti-virus scanners dated before August 1993 that use virus signature scanning
will not be able to recognize this virus. Anti-virus scanners that use file
signature scanning should be able to detect that the files have been changed,
but will not be able to name the virus. Most anti-virus scanner vendors are
updating their programs at this time, so scanners dated after August 1993
should be able to detect the virus by name. As of the release of this
bulletin, McAfee's SCANV 106 and Norton AntiVirus version 2.1 with the August
1993 virus definitions update are known to detect it. The DataPhysician Plus
package (VirHunt, ResScan) version 4.0B is in final testing and will be
available soon.

Warning

If you run an infected anti-virus scanner, nearly every executable file on
your disk will be infected. Virus scanners must open a file to scan it, and if
this virus is in memory, the act of opening the file for scanning will infect
it. Most scanners first check themselves to see if they are infected with a
virus, and display a "Virus Found" or "File Damaged" message when they start
up. If this happens, do not scan your disk with this scanner. Even if the
scanner claims that it can remove the virus from itself, don't scan your disk
with it. The memory resident portion of the virus will still infect your disk.

To scan a computer infected with a memory resident virus like the Satan Bug
virus, you must boot the computer with a clean (uninfected), locked floppy
that contains a clean version of the virus scanner software. Delete any
infected files the scanner finds, and replace them with fresh copies. See the
Appendix for more information.

For More Information or Assistance

If you require additional information or assistance, please contact CIAC at:
Phone: (510) 422-8193 / FTS
FAX: (510) 423-8002 / FTS
E-mail: ciac@llnl.gov.

Previous CIAC bulletins and other information are available via anonymous ftp from
irbis.llnl.gov (ip address 128.115.19.60).

CIAC wishes to thank Bill Kenny of DDI, Joe Wells of Symantec and David Proulx
of NAVCERT for their help in preparing this bulletin.

---------------------------------------------------------------------------
Appendix - Scanners, Encrypted Viruses and Removing Memory Resident Viruses

The following appendix answers some frequently asked questions about virus
scanners, encrypted viruses, and disinfecting hard disks.

Anti-Virus Scanners

Virus scanners use two different methods for detecting infected files:
scanning for virus signatures, and scanning for changes in executable files. A
signature scanner must have a string of bytes, or signature, that it can detect
in a file and that uniquely identifies a virus. If a virus does not contain a
known signature, then the scanner will not detect it. File scanners look at a
file's attributes, creation date and time, length, checksum, file header, and
other properties to determine if a file has changed. A file scanner can detect
a new virus, but cannot tell what virus it is. Strictly speaking, a file scanner
cannot tell that a file is infected by a virus, only that the file has changed in
some way. However, any change in an executable file should be viewed with a lot of
suspicion. Few executable files rewrite themselves after installation. None of
the DOS utility programs (FORMAT, ASSIGN, etc.) should ever change during
normal use, so view changes there as a probable virus infection.
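The file-change scanning the appendix describes, combined with the two symptoms given under "Infection Mechanism" (files growing 2.9K to 5.4K bytes and the file date moving 100 years ahead), can be reduced to a small baseline-and-compare check. The code below is an added illustration, not CIAC's or any vendor's scanner; it uses the modification time as a stand-in for the single DOS file date and builds its own constructed sample files in a temporary directory.

```python
import hashlib
import os
import tempfile

# Figures from the bulletin: infected files grow 2.9K-5.4K bytes and the file date jumps 100 years.
GROWTH_RANGE = (2900, 5400)
CENTURY_SECS = 100 * 365.25 * 86400  # ~100 years; mtime stands in for the DOS file date

def fingerprint(path):
    """The properties a file-change scanner records: length, date and a checksum."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "mtime": st.st_mtime, "sha256": digest}

def make_baseline(paths):
    """The 'file signature file'; it is only useful if made before the infection."""
    return {p: fingerprint(p) for p in paths}

def check_against_baseline(baseline):
    """Return {path: [reasons]} for each file that no longer matches its baseline entry."""
    findings = {}
    for path, old in baseline.items():
        new = fingerprint(path)
        if new == old:
            continue  # unchanged executables are not reported
        reasons = ["file changed since baseline"]
        growth = new["size"] - old["size"]
        if GROWTH_RANGE[0] <= growth <= GROWTH_RANGE[1]:
            reasons.append("grew %d bytes, inside the Satan Bug range" % growth)
        if new["mtime"] - old["mtime"] >= 99 * 365.25 * 86400:
            reasons.append("file date advanced about 100 years")
        findings[path] = reasons
    return findings

def demo():
    """Constructed sample: three DOS executables, one altered the way the bulletin describes."""
    d = tempfile.mkdtemp()
    paths = {n: os.path.join(d, n) for n in ("COMMAND.COM", "FORMAT.EXE", "EDIT.COM")}
    for p in paths.values():
        with open(p, "wb") as f:
            f.write(b"MZ" + bytes(4096))  # placeholder executable content
    baseline = make_baseline(paths.values())
    with open(paths["COMMAND.COM"], "ab") as f:  # symptom 1: ~3K growth
        f.write(bytes(3000))
    st = os.stat(paths["COMMAND.COM"])  # symptom 2: date pushed 100 years ahead
    os.utime(paths["COMMAND.COM"], (st.st_atime, st.st_mtime + CENTURY_SECS))
    with open(paths["EDIT.COM"], "ab") as f:  # a one-byte benign change, for contrast
        f.write(b"x")
    return {os.path.basename(k): v for k, v in check_against_baseline(baseline).items()}
```

As the appendix notes, a baseline made after the infection is worthless, so the unchanged FORMAT.EXE is silent, EDIT.COM is reported only as changed, and COMMAND.COM carries both Satan Bug indicators.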

Problems Removing Encrypted Viruses

Encrypted viruses like the Satan Bug are particularly difficult to remove from
an infected program. Most viruses of this type attach themselves to the end of
a program, and then remove a small piece from the beginning of the program and
insert code there that causes the virus code to be run first. When the virus
code completes running, it executes the small piece of code it removed from
the beginning of the program and then continues with the original program.
That way, when you run an infected program, you will only notice a slight
hesitation at the beginning when the virus code runs, and then the infected
program runs like normal.

Encrypted viruses store this piece of the normal program within the virus code
and then encrypt the virus code. For an anti-virus program to be able to patch
an infected program, it must be able to decrypt the encrypted virus to find
the piece of missing code so that it can be put back where it belongs. The
Satan Bug virus has up to nine levels of encryption, the level being different
for each infection. Decrypting this much code is a very difficult process, so
most anti-virus programs are not expected to be able to repair programs
infected with the Satan Bug virus.

On the other hand, some file signature scanning programs may save enough of
the scanned files to be able to repair an infected program. The Data Physician
Plus package does save a sufficient amount of information to be able to repair
a program infected with the Satan Bug virus. However, you must have created
the file signature file before your program was infected. Again, if at all
possible, you should always replace infected files rather than repairing them
to ensure that you have undamaged copies.

Disinfecting Hard Disks Infected With a Memory Resident Program Virus

In order to disinfect a disk infected with a memory resident program virus,
you first need to get the virus out of memory, then you need to scan the disk
with an uninfected copy of the Virus Scanner. To get the virus out of memory,
boot your computer with a clean, locked boot disk. Then you can scan the hard
disk using an anti-virus scanner, also located on a locked disk. The following
steps can be used to disinfect systems infected with memory resident program
viruses such as the Satan Bug. It is also applicable to non-memory resident
program viruses, but is not applicable to boot sector viruses and partition
table viruses, which need additional steps.

1. You need a locked, uninfected emergency boot floppy disk that contains
the virus scanner, FORMAT.EXE, SYS.COM, FDISK.COM, and any disk
management software needed to access your hard disk such as
DiskManager. You also need simple CONFIG.SYS and AUTOEXEC.BAT files
that let you bring up your system in a limited way, and any
backup/restore software you may use. You need to have made this disk
before your system gets infected, or make it on some other uninfected
machine.
2. Boot the infected computer with the locked, uninfected floppy.
3. Run the copy of the virus scanner on the uninfected floppy and scan the
hard disks on the infected computer.
4. Once the scan has completed, delete any infected files the scanner
found and scan the disk again. Repeat this step until no more infected
or changed files are found. Alternatively, you can let the scanner
disinfect all the files if it can, but this is not always possible
or preferable.
5. When the scanner indicates that the hard disk is clean: Restore the
system using the SYS command. This step replaces the invisible system
files, COMMAND.COM, and the boot sector.
6. Restore any deleted executables from your locked master disks
or backup sets.
7. Scan the disk again with your virus scanner. Note that at this point,
the scanner may detect changes in some files because you have copied in
new versions. If the scanner detects a virus, then delete the infected
file. Later you will need to scan your source disk for that infected
file, to see if it is infected as well.
8. Remove the emergency floppy and reboot the computer. Your computer
should boot up correctly.
9. Insert the emergency floppy and run the scanner again just to be sure
you have gotten every infected file.
10. Start scanning any floppy disks that may have been infected by your
computer. Keep in mind that the virus could have been active for months
before you discovered it.

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum
of Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained by sending email to docserver@first.org
with an empty subject line and a message body containing the line:
send first-contacts.

Neither the United States Government nor the University of California
nor any of their employees, makes any warranty, expressed or implied,
or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government nor the University of California, and shall not be used for
advertising or product endorsement purposes.
