VCL.OLYMPIC VIRUS HITS THE NEWS
===============================

About F-Prot's bulletin 2.11. "We're (for once!) innocent!"

--------------------------------------------------------------------------------

The Olympic virus hits the news
-------------------------------

The VCL.Olympic virus received a lot of publicity in the beginning of February.
This was caused by the Olympic-theme activation routine of the virus, and the
suspicions that the virus had infected the computer systems of the 1994 Winter
Olympics in Lillehammer. In later checks this virus was not found in
Lillehammer systems.

VCL.Olympic is written by a Swedish virus writing group Immortal Riot. This
group is discussed more closely in another story in this Update Bulletin.

VCL.Olympic is a normal COM file infector. The method used by the virus to
search for the next file to be infected is not very efficient, though. Once the
virus has infected a large number of the files on the hard disk, it might take
half a minute for the virus to find a new victim file. Such a slowdown is likely
to make the virus easier to spot.

The virus activates at random after the 12th of February - the 1994 Winter
Olympics start on this date. At the time of activation, the virus draws the
Olympic circles on the screen and displays some comments about the Games. After
this, it overwrites the first 256 sectors of the first hard disk in the system.
The virus also disables Ctrl-C and Ctrl-Break during the destruction routine.
Finally, the machine is hung.

When an infected file is executed, the virus first decrypts its code. Then it
starts to recursively search for suitable victim files, starting from the root
directory of the current drive. When the virus finds a file to infect, it first
checks its size to make sure the added virus code will not grow the file over
the size limit of COM files, 64KB.

Then it inspects the first bytes of the candidate file to see if it already
contains a similar jump construct to the one the virus is about to insert at the
beginning of the file. If such a structure is found, the virus considers the
file to be already infected and starts to search for another victim.

The virus does not check for the `MZ' or `ZM' markers to distinguish EXE files.
This means that the virus will corrupt EXE files that have been renamed to have
a COM extension. When such a corrupted file is executed after infection, the
virus will be able to spread further, but is unable to transfer control back to
the original program. In most cases the machine will just crash.

The actual infection process consists of storing the original first three bytes
of the file at the end of the file and replacing them with a jump to a
decryption routine, which the virus also appends to the end of the file. An
encrypted version of the virus code is also stored at the end of the file,
before the decryption routine. The virus uses a single pseudo-random variable
key based on the infection time to encrypt its code.

VCL.Olympic is able to infect files which have the DOS read-only attribute
turned on. It will also restore the date and time stamps of the infected files.
However, infected files grow in size by 1440 bytes, and this is visible in the
directory listing. The virus has no directory-stealth routines, since it does
not stay resident.

VCL.Olympic has a one-in-ten chance to activate if the date is equal to or
greater than the 12th of February. The current year is not tested, so the virus
will activate in the future as well. If the virus does not activate, it will
return control back to the original program.

A lot of the code resembles the viruses generated by the VCL virus generator, up
to the point of the standard VCL-like note; a short message at the end of the
virus, which is not displayed at all. In this virus, the note text reads:
"Olympic Aid(s) `94 (c) The Penetrate".
This virus is probably based on VCL-created code, and has just been modified to
avoid detection by some of the most popular scanners.

F-PROT Professional 2.11 detects and disinfects VCL.Olympic.

--------------------------------------------------------------------------------
Source: F-PROT version bulletin 2.11. Copyright (c) 1994 Data Fellows Ltd.
--------------------------------------------------------------------------------

HERE COMES MY REPLY!
====================

Oh shit! More publicity! I really hate being accused of something I haven't
done! Yes, up my ass that this quote is true:

  VCL.Olympic is written by a Swedish virus writing group Immortal Riot.

They claimed that we did it? How the fuck can they state that the virus 'IS
written by..', not 'probably/possibly written by?'. I find that really quite
weird since it isn't true.

Anyway, as the name tells, it was written to infect the computers at the Olympic
Games, held in Lillehammer, Norway. I find that very strange, that we should be
accused of something thought to be spread in Norway. First of all, we don't
have access to any computer located in Norway, and since we don't do any
hacking, it's really impossible for us to reach the computers up there in our
neighbour country.

Then the virus. There's really nothing fancy about it. Up to this day
(1994-03-12) we (Metal Militia) have finished a new memory resident size-stealth
infector. So even if we would like to infect Lillehammer with a virus, we'd have
chosen the best virus created by us. Does it make any sense to spread a slow,
poor replicating virus? I hope not.

Then if we go through the functions included in that virus. "A lot of the code
resembles the viruses generated by the VCL virus generator". Yeah!, that's
actually quite true. I've myself looked through the VCL.Olympic (or Olympic
Aid(s) '94) and it surely looked like it was based on VCL-code! The funny thing
here is that we never have 'created' a virus in VCL, PS-MPC, IVP or any other
generator.

Would we 'create' a virus written in for example VCL for a purpose like this?
Hardly! If we would like publicity we would have given BETTER examples of
viruses than a 'poor' VCL-hack (Sorry Penetrator!). Ok! Ok! I've used
destructive code generated by VCL and other stolen payloads by NuKE, but what
I've learned is that the infect-routine is what counts, right? And that
NW.NuKE.256.trash works really great!

Then anyhow, the (c) note "Olympic Aid(s) `94 (c) The Penetrate". They claimed
that we're four members so far (in the other article included here!). That's
true, it's me (The Unforgiven), Metal Militia, Raver and B-Real. B-Real joined
in today, and Sub-Life was released from the group b'cos of his total
inactivity. But this Penetrate person? Member of Immortal Riot? I can't see
"(c) '94 Immortal Riot" anywhere in the code, can you? So, four members? Learn
some math before screaming loud about all kinda stuff.

Then the funny question comes: why did they write that we'd made the virus? I've
really no idea about that, do you? So, therefore I'd like to deny *everything*
in the case of VCL.Olympic. I haven't written it, neither Metal Militia, Raver
nor any other member in our group. I like the Olympic Games, and I would never
think about destroying an arrangement like that.

I'd like to say that this article 'VCL.OLYMPIC' from F-PROT version bulletin
2.11. Copyright (c) 1994 Data Fellows Ltd. (Haha!, Source correct given??) is
pure shit! The statement they printed had no foundation, in fact they must have
taken it right out of the air!

Thanks for reading, and remember not to trust the greedy, corrupt and lame
AV-persons!

= THE UNFORGIVEN =
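Returning to the infection layout the F-PROT bulletin above describes (size
test against the 64KB COM limit, a leading jump that doubles as the
self-recognition mark, no MZ/ZM test, the original three bytes and the
encrypted body plus decryptor appended as a 1440-byte tail), the following is
an added example written for this page, not code from Data Fellows, F-PROT or
Immortal Riot. It models the victim-selection test and the matching
scanner/disinfection check. Only the 1440-byte growth, the saved three bytes
and the 64KB limit come from the bulletin; the rest is assumed here and marked
as such: that the jump construct is a 3-byte near JMP (E9 rel16), that the
usable COM image limit is 65280 bytes, that the saved bytes sit at the start of
the appended tail, and that the decryptor occupies the last 16 bytes of it.
All sample files are constructed inline and contain no virus code.

```python
"""Added example, not code from Data Fellows, F-PROT or Immortal Riot.

Models the COM-file infection layout described in F-PROT bulletin 2.11 for
VCL.Olympic and the matching scanner / disinfection check.  Only the
1440-byte growth, the 3-byte prologue and the 64 KB limit come from the
bulletin; everything marked 'assumption' below is this example's own.
"""
import struct
from typing import Optional

VIRUS_LEN = 1440             # growth of an infected file (from the bulletin)
SAVED_LEN = 3                # original first three bytes are saved (from the bulletin)
COM_LIMIT = 0x10000 - 0x100  # assumption: 65280 bytes usable below the 64 KB segment
JMP_NEAR = 0xE9              # assumption: the 'jump construct' is a 3-byte near JMP rel16
COM_LOAD = 0x100             # COM images load at CS:0100h, after the PSP

# Constructed sample inputs (not real files).
CLEAN_COM = bytes([0xB4, 0x4C, 0xCD, 0x21]) + b"\x90" * 60  # mov ah,4Ch / int 21h + padding
EXE_AS_COM = b"MZ" + b"\x00" * 100                           # an EXE header under a .COM name
HUGE_COM = b"\x90" * (COM_LIMIT - 100)                       # no room for another 1440 bytes


def jmp_target(data: bytes) -> Optional[int]:
    """File offset reached by a leading near JMP, or None if byte 0 is not E9.

    The displacement is relative to the next instruction, which sits at
    CS:0103h for a COM image, so the file offset is (0103h + rel) - 0100h.
    """
    if len(data) < 3 or data[0] != JMP_NEAR:
        return None
    rel = struct.unpack_from("<h", data, 1)[0]
    return ((COM_LOAD + 3 + rel) & 0xFFFF) - COM_LOAD  # negative = jumps into the PSP


def _jumps_into_tail(data: bytes) -> bool:
    """True when the file carries a VIRUS_LEN tail and its entry JMP lands in it.

    Assumption: this is what 'a similar jump construct' amounts to; the
    bulletin does not say exactly which bytes the virus compares.
    """
    if len(data) <= VIRUS_LEN + SAVED_LEN:
        return False
    target = jmp_target(data)
    return target is not None and len(data) - VIRUS_LEN <= target < len(data)


def virus_would_infect(data: bytes) -> bool:
    """Victim selection as the bulletin describes it: the size test, then the
    self-recognition test on the leading jump, and no MZ/ZM test at all, so a
    renamed EXE passes and would be corrupted."""
    if len(data) + VIRUS_LEN > COM_LIMIT:
        return False
    return not _jumps_into_tail(data)


def looks_infected(data: bytes) -> bool:
    """Scanner side of the same layout.  Heuristic only: a legitimate COM
    program longer than 1443 bytes that happens to JMP into its last 1440
    bytes also matches, so a real scanner keys on the decryptor bytes."""
    if data[:2] in (b"MZ", b"ZM"):
        return False
    return _jumps_into_tail(data)


def disinfect(data: bytes) -> bytes:
    """Put the saved three bytes back and drop the tail.

    Assumption: the saved bytes are the first three of the tail; the bulletin
    only says they are stored 'to the end of the file'.
    """
    if not looks_infected(data):
        raise ValueError("not the VCL.Olympic layout")
    cut = len(data) - VIRUS_LEN
    return data[cut:cut + SAVED_LEN] + data[SAVED_LEN:cut]


def build_fixture(original: bytes) -> bytes:
    """Constructed test file in the described layout, for the checks above.

    The encrypted body and decryptor are a zero-filled stand-in; no virus
    code is present.  The entry JMP is aimed at the last 16 bytes of the
    tail, where the decryptor would be (assumption).
    """
    body = b"\x00" * (VIRUS_LEN - SAVED_LEN)
    target = len(original) + VIRUS_LEN - 16
    rel = (target - 3) & 0xFFFF  # inverse of jmp_target()
    return (bytes([JMP_NEAR]) + struct.pack("<H", rel)
            + original[SAVED_LEN:] + original[:SAVED_LEN] + body)


if __name__ == "__main__":
    samples = [("clean", CLEAN_COM), ("exe-as-com", EXE_AS_COM),
               ("huge", HUGE_COM), ("fixture", build_fixture(CLEAN_COM))]
    for name, sample in samples:
        print(f"{name:11} would_infect={virus_would_infect(sample)} "
              f"looks_infected={looks_infected(sample)}")
```

The point worth noticing is that the virus's own "already infected" test and
the scanner's heuristic are the same check on the same bytes, so anything that
fools one fools the other; the two edge cases the bulletin calls out fall out
directly, with the renamed EXE accepted as a victim and the near-64KB file
skipped. Because many legitimate COM programs also begin with a JMP, the tail
heuristic alone is a triage signal, not a verdict: the disinfector above
should only run once the appended bytes have been matched against the actual
decryptor.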