.. them with a debugger (YANKEE DOODLE) both are viruses, made in our country.

– Hiding the true file length usually causes problems, because CHKDSK is able to detect the difference between the disk space marked as used in the FAT and the reported file length. Only two Bulgarian viruses in the world are able to handle this problem — DIAMOND and V2100.

– The first really “stealth” file infector — the 512 virus — was Bulgarian. It is true, however, that the idea was discovered independently at almost the same time in other parts of the world (the 4096 virus from Israel).

– The only known stealth parasitic virus whose “stealth” features go down to the BIOS level (i.e., it cannot be detected while active in memory, even if the infected file is read at sector rather than file level) is the Bulgarian INT13 virus.

– One of the first multi-partite viruses (viruses that are able to infect both files and boot sectors) — the ANTHRAX virus — was developed in Bulgaria. It is true, however, that similar ideas can be noticed in the 4096 and GHOST BALLS viruses, which were developed much earlier. Also, other multi-partite viruses (VIRUS-101, V-1, FLIP, INVADER) were created independently at almost the same time (and even earlier) in other parts of the world.
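The CHKDSK cross-check described above, as an added illustration that is not part of the original paper: a toy FAT volume (constructed data, with an assumed 512-byte cluster) whose directory entries are checked against their FAT chains, the way CHKDSK compares the clusters marked as used with the file length the directory reports. An entry that reports fewer bytes than its chain occupies is exactly the discrepancy a length-hiding stealth infector leaves behind. The function names, the sample FAT and the directory entries are assumptions of this example, not anything from the paper.

```python
"""CHKDSK-style cross-check of reported file sizes against FAT cluster chains.

Added example, not code from the paper. The volume below is constructed:
a FAT12-like table mapping cluster -> next cluster, and a directory table of
(name, first cluster, reported size). Cluster size is an assumed 512 bytes.
"""
import math

CLUSTER_SIZE = 512        # assumed cluster size for the toy volume
END_OF_CHAIN = 0xFFF      # FAT12 end-of-chain marker

# Constructed FAT: clusters 0 and 1 are reserved on a real volume, so data
# chains start at cluster 2.
FAT = {
    2: 3, 3: END_OF_CHAIN,            # 2-cluster chain
    4: 5, 5: 6, 6: END_OF_CHAIN,      # 3-cluster chain
    7: END_OF_CHAIN,                  # 1-cluster chain
}

# Constructed directory entries: (name, first cluster, size as reported)
DIRECTORY = [
    ("GOOD.COM", 2, 900),     # 900 bytes need 2 clusters; chain has 2: consistent
    ("HIDDEN.COM", 4, 900),   # reports 900 bytes but its chain holds 3 clusters
    ("TINY.EXE", 7, 100),     # 100 bytes need 1 cluster; chain has 1: consistent
]


def chain_length(fat, first):
    """Walk a cluster chain and return its length, refusing loops or dangling links."""
    seen = set()
    cur = first
    while cur != END_OF_CHAIN:
        if cur in seen or cur not in fat:
            raise ValueError(f"corrupt chain starting at cluster {first}")
        seen.add(cur)
        cur = fat[cur]
    return len(seen)


def clusters_needed(size, cluster_size=CLUSTER_SIZE):
    """Clusters a file of `size` bytes should occupy (files here are non-empty)."""
    return math.ceil(size / cluster_size)


def check_volume(fat, directory, cluster_size=CLUSTER_SIZE):
    """Return (name, reported_size, allocated_bytes) for every entry whose FAT
    allocation does not match its reported length, the discrepancy CHKDSK reports."""
    findings = []
    for name, first, size in directory:
        allocated = chain_length(fat, first) * cluster_size
        if clusters_needed(size, cluster_size) * cluster_size != allocated:
            findings.append((name, size, allocated))
    return findings


if __name__ == "__main__":
    for name, size, allocated in check_volume(FAT, DIRECTORY):
        print(f"{name}: reported {size} bytes, FAT allocates {allocated} bytes")
```

Run stand-alone, the script reports only HIDDEN.COM. Since the paper says two viruses manage to avoid this discrepancy, the FAT cross-check is a necessary but not a sufficient control; it belongs alongside a content-based integrity check rather than replacing one.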
– The idea first used in the LEHIGH virus — to place the virus body in an unused part of the file COMMAND.COM — has been developed further by several Bulgarian viruses. They can all infect any COM or EXE file (unlike the LEHIGH virus) in the usual way, but when they infect the command interpreter, they place themselves in an area filled with zeros at the end of the file and thus, in this case, do not increase its length. Such viruses are TERROR, NAUGHTY HACKER and others.

– The method mentioned above has been developed even further by other Bulgarian viruses. Their authors noticed that any sufficiently large area of zeros in any file (not just COMMAND.COM) can be used to hide the virus body. The viruses that use this method are again of Bulgarian origin — PROUD, EVIL, PHOENIX, RAT, DARTH VADER. The latter does not even write to the infected files — it leaves this task to DOS. And the RAT virus hides itself in the unused part of the EXE file headers.

– One of the extremely mutating viruses is the Dark Avenger’s virus LEECH. It can exist in more than 4.5 billion variants. It is true, however, that this is neither the first entirely mutating virus (1260 being the first), nor does it have the most flexible mutating mechanism (it is much simpler than V2P6Z).
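Because an infector that lives in a zero-filled region of a file leaves the length unchanged, a length-only integrity check cannot see it. The following added example (not from the paper; the function names and the sample data are constructed for illustration) keeps a baseline of both length and SHA-256 over a set of in-memory files and shows that only the hash comparison flags a change confined to a zero-padded tail. It also reports the largest zero run in each file, which is the kind of slack space an integrity tool might warn about.

```python
"""Length-only versus hash-based integrity checking.

Added example, not code from the paper. The "files" are constructed in-memory
byte strings; the modification is a constant pattern written into a zero-filled
tail so that the length stays the same.
"""
import hashlib


def make_baseline(files):
    """files: dict name -> bytes. Returns dict name -> (length, sha256 hex digest)."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}


def changed_by_length(baseline, files):
    """Names whose length differs from the baseline (all a naive check sees)."""
    return sorted(name for name, data in files.items()
                  if baseline[name][0] != len(data))


def changed_by_hash(baseline, files):
    """Names whose SHA-256 differs from the baseline."""
    return sorted(name for name, data in files.items()
                  if baseline[name][1] != hashlib.sha256(data).hexdigest())


def largest_zero_run(data):
    """Length of the longest run of 0x00 bytes in data; a large run is the kind of
    slack space the paper describes being reused, so it is worth reporting."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == 0 else 0
        best = max(best, cur)
    return best


# Constructed originals: a 64-byte "code" part followed by 256 zero bytes of padding
ORIGINAL = {
    "COMMAND.COM": bytes(range(1, 65)) + bytes(256),
    "OTHER.EXE": bytes(range(65, 129)),
}

# Constructed modified set: same lengths, 32 bytes of a constant pattern placed
# inside COMMAND.COM's zero padding (offsets 100-131)
_patched = bytearray(ORIGINAL["COMMAND.COM"])
_patched[100:132] = b"\xaa" * 32
MODIFIED = {"COMMAND.COM": bytes(_patched), "OTHER.EXE": ORIGINAL["OTHER.EXE"]}


if __name__ == "__main__":
    base = make_baseline(ORIGINAL)
    print("length check flags:", changed_by_length(base, MODIFIED))   # []
    print("hash check flags:  ", changed_by_hash(base, MODIFIED))     # ['COMMAND.COM']
    for name, data in ORIGINAL.items():
        print(f"{name}: largest zero run {largest_zero_run(data)} bytes")
```

The baseline must be taken from a known-clean copy and stored where an infector cannot rewrite it; otherwise a hash-based check is no better than the length-based one it replaces.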
– A completely new type of computer virus (DIR II) has been developed by two Bulgarian pupils. This virus infects neither files nor boot sectors. Instead, it infects file systems as a whole, or more exactly — directory entries.

– Different tricks to get control without directly hooking the INT 21h vector were developed by several Bulgarian virus writers. The TERROR virus places a JMP instruction to its body in the original INT 21h handler in DOS. The viruses from the PHOENIX family (800, 1226, PROUD, EVIL, PHOENIX) hook an interrupt that is called by DOS on every file-related function (INT 2Ah, AH=82h). The DIR II virus patches itself into the chain of DOS disk device drivers.

– The first virus that is able to infect device drivers (SYS files only) is, of course, Bulgarian. This is the HAPPY NEW YEAR (1600) virus.

– The first fully functional parasitic virus written entirely in a high-level language (Turbo PASCAL) is the Bulgarian virus SENTINEL.

– The Bulgarian virus ANTHRAX is the first virus that is resident in memory only temporarily. It removes itself from there after it has infected the first file and then acts as a non-resident virus.

– The shortest memory-resident virus in the IBM PC world — only 128 bytes — was again developed in Bulgaria. There are reports about a 108-byte resident virus, also from there, but they are still unconfirmed.

– The shortest virus in the IBM PC world — only 45 bytes long — is the Bulgarian virus MINIMAL-45. It seems possible, however, to shorten it even further — to 31 bytes — with a big loss of reliability.

4) Why so many viruses are created in Bulgaria.
===============================================

Computer viruses are created in all parts of the world, not only in Bulgaria.
However, the portion of them that are created in our country is extremely high. Therefore, in the whole world there exist preconditions that make virus writing tempting, but in Bulgaria there exist specific conditions as well.

4.1) Specific reasons for virus writing in Bulgaria.
----------------------------------------------------

4.1.1) The first, and most important of all, is the existence of a huge army of young and extremely qualified people, computer wizards, who are not actively involved in the economic life. The computerization of Bulgaria began without economic reasons. Since our country was a socialist one, its economy was of an administrative type. The economy didn’t need to be computerized.

In fact, computers and a planned economy are quite incompatible — computers help you to produce more in less time and with less effort and money, while the goal of a manager in a planned economy is to fulfil the plan exactly as it is given — in no more and no less time, and with no more and no less money. However, the communist party leaders in Bulgaria decided that we should computerize — mainly to be able to supply computers to the Soviet Union and circumvent the embargo. While computerization in itself is not a bad thing, we made a very severe mistake. The Bulgarian economy was very weak (now it is even weaker), but we had quite a lot of skilled people. Therefore, we should not have tried to produce hardware while we had good chances in the software industry, where mainly “brainware” is required.

However, Bulgaria did just the opposite. Instead of buying the hardware, we began to produce it (mainly illegal Apple and IBM clones). Instead of producing our own software and trying to sell it in the West, we began to steal Western computer programs, to change some copyright notices in them, and to re-sell them (mainly in Bulgaria, in the Soviet Union, and in the other countries of the former Eastern bloc). At that time most Western software was copy protected. Instead of training our skilled people in writing their own programs, we began to train them to break copy protection schemes. And they achieved great success in this field. The Bulgarian hackers are maybe the best in cracking copy-protected programs. Besides, they had no real hope of making and selling their own programs, since, due to the total lack of copyright law on computer software, it was impossible to sell more than two or three copies of a computer program in Bulgaria.

The rest were copied. Since the introduction of computers in Bulgarian offices was not a natural process but the result of an administrative order, very often these computers were not used — they were only considered an object of prestige. Very often on the desk of a company director, near the phone, stood a personal computer. The director himself almost never used the computer — however, sometimes his/her children came to the office to use it — to play games or to investigate its internals. While the price of personal computers in Bulgaria was too high to permit a private person to have his/her own computer, it was a common practice to use the computer at the office for personal purposes.

At the same time, computer education was very widely introduced in Bulgaria. Everyone was educated in this field — from children in the kindergartens to old teachers who had just a few years until pension. Since this kind of science is better comprehended by younger brains, it is no wonder that the people who became most skilled in this field were very young. Very young and not morally grown up. We spent a lot of effort teaching these people how to program, but forgot to educate them in computer ethics.
Besides, the lack of respect for others’ work is a common problem in socialist societies.

4.1.2) The second main reason is the widespread practice of software piracy (which was, in fact, a kind of state policy) and the very low pay of average programmers. As was mentioned above, Bulgaria took the wrong decision in producing computers and stealing programs. There is still no copyright law concerning computer software there. Because of this, software piracy was an extremely widespread practice. In fact, almost all software products used were illegal copies.

Most people using them have never seen the original diskettes or original documentation. Very often there was no documentation at all. Since all kinds of programs (from games to desktop publishing systems) were copied very often, this greatly helped the spread of computer viruses. At the same time, the work of the average programmer was valued very low — there was almost no chance to sell his/her software products. Even now, a programmer in Bulgaria is paid 100 to 120 times less than a programmer with the same qualification in the USA.

This caused several young people to become embittered against the society that was unable to value them as it should. There is only one step in the transformation of these young people into creators of destructive viruses. Some of them (e.g., the Dark Avenger) took this step.

4.1.3) The third major reason is the total lack of legislation against the creation and willful distribution of computer viruses and against illegal access to and modification of computer information in general. Because of the lack of copyright laws on computer software, there is no such thing as ownership of computer information in Bulgaria. Therefore, the modification or even the destruction of computer information is not considered a crime — since no one’s property is damaged.

The Bulgarian legislation is hopelessly old in this area. Furthermore, even if the appropriate law is passed in the future, as a penal law it will not be applicable to crimes committed before it was passed. Therefore, the virus writers still have nothing to fear. That is why the creation of new computer viruses has become some kind of sport or entertainment in Bulgaria.

4.1.4) The next reason is the very weak organization of the fight against computer viruses in Bulgaria. Just now our country is in a very deep economic crisis. We lack funds for everything, including such basic goods as food and gasoline.

At the same time, organizing the fight against viruses would require money — for the establishment of a network of virus test centers that collect and investigate computer viruses, centers equipped with the best hardware, centers that are able to communicate among themselves and with the other similar centers in the world in an effective way. Such an effective way is the electronic mail system — and Bulgaria is still taking its first steps in global computer communications. All this requires a lot of money — money that our government just does not have now.

4.1.5) Another reason is the incorrect opinion that society has on the computer virus problem. Still, the victims of a computer virus attack consider themselves victims of a bad joke, not victims of a crime.

4.1.6) The least important reason, in my opinion, is the availability of and easy access to information of a particular kind. All kinds of tricks on how to fool the operating system circulate among the Bulgarian hackers.

Some of them are often published in computer-related magazines. As was mentioned above, there is even a specialized BBS dedicated to virus spreading and a special (local to Bulgaria) FidoNet echo dedicated to virus writing. Not to mention the well-known file INTERxyy, published by Ralf Brown from the USA as shareware. It is very popular in Bulgaria, since it contains, carefully described, a huge number of undocumented tricks. However, this is not a very important reason.

Usually those who have decided to make a virus already know how to do it, or, at least, can figure it out by themselves. They do not need to take an existing virus and modify it. The proof is the prevalence of original Bulgarian viruses over variants of known ones, as well as the fact that many new ideas for virus writing were first invented and implemented in Bulgaria.

4.2) General reasons.
---------------------

Since viruses are also created in all the other parts of the world, there should also be some general reasons for this.
These reasons are, of course, valid for Bulgaria too. Let’s look at these general reasons.

4.2.1) Wish for glory. Every programmer dreams that his/her program gets widely spread and used. A lot of very good programmers write and distribute wonderful software packages for free — with the only intention of having more users use their package.

However, for a program to be used, it has to be good enough. And not every programmer is able to make a program so good that users will widely use it — even for free. At the same time, computer viruses do spread very widely, regardless of and even against the users’ will. So, when a virus writer reads in a newspaper that his virus has been discovered at the other end of the world, he feels some kind of perverted pleasure. Some people write viruses just to see their names (or the names of their viruses) published in the newspapers.

This reason has yet another aspect. In the beginning of the virus era, when the idea of the computer virus was very new, only very good programmers were able to make a virus. It became a common myth that if you can write a virus, you are a great programmer. This myth might have been justified at the beginning, but now it is completely without sense. Nevertheless, young hackers began to write viruses — just to prove to their friends and to the rest of the world how good programmers they are. Some of them were really unable to invent something original — that’s why they just picked a known virus, modified it a bit and released this new mutation.

This explains why there are so many variants of the simplest viruses that were created first — BRAIN, JERUSALEM, STONED, VIENNA, CASCADE. A typical example is the Italian virus writer who calls himself Cracker Jack.

4.2.2) Simple human curiosity. One has to admit that the idea of a computer program that is able to spread by its own means, to replicate, to hide from the user (who is believed to maintain full control over the computer), and in general to behave as a real living being is really fascinating. Simple human curiosity is sufficient to make some people, if they are young and irresponsible enough, try to make a computer virus.

Some of them do succeed — a greater and greater part, if we consider the number of recent reports of new viruses. Some of them claim that they are writing viruses “only for themselves,” “only for fun,” and that “they do not spread them.” However, it is often impossible to fully control the spread of a “successful” computer virus. The cleverer these viruses are, the greater the probability that they will “escape.” There is an idea to teach students how viruses are made — of course in a very strongly restricted environment. Maybe at least for some this will satisfy their curiosity and they will not be tempted to write their own virus. Maybe if we force every computer science student to learn Dr. Fred Cohen’s theorems on the computational aspects of computer viruses, if we administer an exam and ask students to design a virus protection scheme or to help a cluster of users attacked by a computer virus as course work — well, maybe in this case these students will have more than enough of the computer virus problem and will not want to hear about it any more, let alone make their own viruses.

4.2.3) Easy access to information. Sufficient information needed to write a virus can be found easily. This information is often even more accessible than in Bulgaria. The person who wants to write an average virus needs only to dig into the respective manuals — manuals which are often not available in Bulgaria. However, the usefulness of easy access to this information is much greater than the damage caused by the fact that it is used by the virus writers.
4.2.4) Military interests. It is often rumoured that the superpowers are working on the problem of how to use computer viruses to destroy the enemy computers’ software. It is even very probable that in several countries such research is performed. There are reports on this from the USA, France and the USSR. This is no wonder — it is the right of every military force to investigate any new idea and to consider the possible usefulness and/or threats it might bring to the national defense.

However, it is quite improbable that computer viruses can be used for this purpose. Just like live viruses, the computer ones are able to spread only among individuals with a very similar immunotype, i.e. — among compatible computers. The most widely used kinds of personal computers are the IBM PC, Macintosh, Amiga and Atari ST. It is therefore no wonder that the vast majority of existing computer viruses are able to infect only these computers. At the same time, viruses that infect one kind of computer (say, IBM PC) are unable to spread (or even to run) on another (e.g., a Macintosh).

They are usually not able to run even on two different operating systems on one and the same computer. Even a different version of the same operating system might cause big problems to a particular computer virus — even preventing it from working. The common personal computers are never assigned important tasks in the army. Therefore, even if a virus infects them, and even if it destroys all the data on all such computers, the damage caused will not be of great importance. Computers that are used for the really important things, such as rocket guidance or cannon aiming, are always specialized ones. Their programs are usually hard-coded and only data can be entered into them. It is not possible to insert an infected IBM PC diskette into the computers that control the NORAD system. At the same time, the computers that control different important devices are usually incompatible even among themselves.

Therefore, even if someone writes a virus for a specialized rocket computer, this virus will not be able to infect the computers of a strategic bomber or even those of a rocket of a different system. So, such a virus will not spread very much. And last, but not least, such a virus has to be placed somehow in the enemy’s computers. Since, as we saw above, it won’t be able to spread from one computer to another of a different kind, obviously someone has to insert it into the victim computer. But if you have access to the enemy’s computers, you don’t need a virus.

You can do the same task more easily (and often much better) “manually”, or with a Trojan horse or a logic bomb.

4.2.5) Corporate interests. It is also often speculated that the large software companies and the producers of anti-virus software make or willfully spread computer viruses. There is some reason behind this. Indeed, the fear of viruses can make the user buy only original software (sometimes — quite expensive), and not use pirated copies, shareware or freeware.

At the same time, companies that produce anti-virus software are interested in having their products sold. And they will be, if the user needs anti-virus protection. However, it is rather improbable that a software company (whether or not it produces anti-virus software) will take the risk of becoming known for willfully spreading viruses. It would probably be boycotted by its users and the losses of income would be much greater than any gains. As to the producers of anti-virus software, they don’t need to write viruses themselves in order to sell their programs.
It is sufficient to use the hype that the media accord to the problem, to mention how many viruses there are and how many of them their wonderful product is able to defeat.

5) The Soviet virus factory and virus writing in the other countries
   of the former Eastern bloc.
====================================================================

While Bulgaria was one of the best computerized countries in Eastern Europe, the political, economic, and social conditions in the other countries were (and maybe still are) quite similar. That is why virus writing and spreading has developed in these countries too. Viruses are created in Poland (W13, 217, 583, FATHER CHRISTMAS, DOT EATER, JOKER, VCOMM, AKUKU, 311, HYBRYD), in Hungary (STONE ’90, FILLER, MONXLA, POLIMER, TURBO KUKAC), in Czechoslovakia (the AANTIVIRUS virus), and even in Yugoslavia (17Y4, SVIR). According to some reports from Romania, there are no viruses written there, but the W13, YANKEE DOODLE, DARK AVENGER and STONED viruses are quite widespread.

However, the country most similar to Bulgaria is, undoubtedly, the Soviet Union. According to the Soviet anti-virus researcher Bezrukov [Bezrukov], the first virus appeared there at almost the same time as in Bulgaria and, by the way, it was the same virus (VIENNA). So, the preconditions are almost the same as in our country. There are, however, two main differences: the level of computerization and the number of virus writers. The level of computerization is still much lower than in Bulgaria. There are far fewer computers per person than in our country.

The users are much more isolated, due to the much larger distances. The telephone network is in the same miserable condition as in Bulgaria. The networks are very few and not widely used. For instance, in Sofia alone there are more FidoNet nodes than in the whole Soviet Union. It is not safe to send floppy disks by regular mail, since they will probably be stolen. All this delays the spread of viruses very much.

Unfortunately, it also delays the distribution of anti-virus products and the information exchange between anti-virus researchers. For instance, samples of new viruses created there reach the Western anti-virus researchers with huge delays. Unfortunately, the other factor is much more dangerous. In the USSR there are many more programmers than in Bulgaria and they seem at least as motivated in creating new viruses. Virus writing in the Soviet Union is currently in the same state as it was in Bulgaria about three years ago.

However, at that time only nine variants of known viruses and one stupid original virus had been created there (6 VIENNA variants, 3 AMSTRAD variants, and the OLD YANKEE virus). At the first Soviet anti-virus conference in Kiev (mid-November, 1990) more than 35 different viruses of Russian origin were reported. Some of them were variants of known viruses, while others were completely new. It has been noticed that the Soviet virus writers are less qualified than the Bulgarian ones, but they use a destructive payload in their creations much more often. Since the reasons for virus writing in the USSR are very similar to those in Bulgaria; since this virus writing occurs on a much larger scale; and since no steps are taken by the authorities in order to stop it, it is possible to predict that in the next few years the Soviet Union will be far ahead of Bulgaria in computer virus creation and that a new, much larger wave of computer viruses will come from there.

Probably after a year, several (up to ten) virus writers with the qualification of the Dark Avenger will emerge from there.

6) The impact of the Bulgarian viruses on the West and on the national
   software industry.
======================================================================

While a huge part of the existing viruses are produced in Bulgaria, a relatively very small part of them spread successfully to the West. Of more than 160 Bulgarian viruses, only very few (DARK AVENGER, V2000, V2100, PHOENIX, DIAMOND, NOMENKLATURA, VACSINA, YANKEE DOODLE) are relatively widespread. At the same time some of them (DARK AVENGER, V2000, YANKEE DOODLE, VACSINA) are extremely widespread. According to John McAfee, about 10 % of all infections in the USA are caused by Bulgarian viruses — usually by the DARK AVENGER virus. In Western Europe this virus shares its popularity with YANKEE DOODLE and VACSINA.
Of the viruses listed above, the major part are written by the Dark Avenger — all except YANKEE DOODLE and VACSINA. Almost all his viruses (in this case — with the exception of DIAMOND, which is the least spread) are extremely destructive. The PHOENIX and NOMENKLATURA viruses corrupt the FAT in such a subtle way that, by the time the user notices the damage, there is no way to disinfect the infected files or even to determine which files are damaged. The only way is to reformat the hard disk. It is difficult to estimate the cost of all the damage caused by Bulgarian viruses.

There are reports from Germany about 10,000,000 DM of damage caused by the VACSINA virus alone. It is probable, however, that these numbers are largely overestimated. The huge number of known Bulgarian viruses also causes indirect damage to the Western community, even if the viruses themselves do not escape from Bulgaria, but only samples of them are supplied to the anti-virus researchers. These researchers have to develop anti-virus programs against these viruses (just in case the latter succeed in spreading outside Bulgaria). Therefore, they have to waste their time and efforts. Furthermore, the user is forced to buy new anti-virus programs (or pay for updates of the old ones) in order to feel safe against these viruses.

At the same time, the creation and spreading of Bulgarian viruses causes a lot of damage to the Bulgarian economy. In Bulgaria, the Bulgarian viruses are much more widespread. More than 80 % of the about 160 known Bulgarian viruses have been detected in the wild in our country. It is difficult, however, to evaluate, or even to estimate, the exact cost of the damage caused, since in Bulgaria the term “property of computer information” simply does not exist in a legal sense. It is the same with the cost of this information. In fact, the creation of computer viruses also causes indirect damage to our economy.

First of all, a lot of extremely capable people are wasting their minds creating destructive viruses instead of something useful. Second, the fact that Bulgarian programmers use their time to create computer viruses destroys their reputation as a whole. No serious software company agrees to deal with Bulgarian programmers or software companies, because it is afraid that the supplied software might be pirated or might contain a virus.

7) Conclusion.
==============

Virus writing in Bulgaria is an extremely widespread hobby. Most of the major virus writers are known, but no measures can be taken against them.

Their work causes a lot of damage to the Western community, as well as to the national economy. Therefore, it is urgent to take legal measures in this direction; measures that will make virus writing and the willful spread of computer viruses a criminal act. This is the only way to stop, or at least to reduce, the threat.

References
==========

[KV88] Viruses in Memory, Komputar za vas, 4–5, 1988, pp. 12–13 (in Bulgarian)

[KV89] The Truth about Computer Viruses, Vesselin Bontchev, Komputar za vas, 1–2, 1989, pp. 5–6 (in Bulgarian)

[Chip] Die neue Gefahr — Computerviren, Steffen Wernery, Chip, 9, 1987, pp. 34–37 (in German)

[Bezrukov] Computer Virology, Nikolay Nikolaevitch Bezrukov, Kiev, 1991, ISBN 5-88500-931-X (in Russian)