Posted by: David Harley | September 9, 2012

Virus Writers and Virus Researchers

When I wrote at ESET about a new Irish Ransomware Report, I mentioned the “Irish Virus” hoax/joke which goes something like this:

You have just been infected with the “IRISH VIRUS”.

This virus works on the honour system. Please delete all the files on your hard drive manually and forward it to everyone on your mailing list.

(I think it’s probably too obvious that this is a joke for it to be effective as a hoax, but some AV companies apparently consider it to be problematic.)

But then I would say that. In a subsequent private conversation, someone with a long memory suggested that Dr. Alan Solomon (the man behind Dr. Solomon’s Antivirus Toolkit, subsequently bought by McAfee) and myself may have been indirectly responsible for the Irish Virus hoax. I don’t think he was serious, but it’s a mildly amusing story anyway, so let me explain.

Back in 1997 or thereabouts, someone posted a request to the newsgroup alt.comp.virus, where Dr Solly and I, among many others, were responsible for an FAQ document that was pretty comprehensive, though seriously outdated now. If you’re interested in reading it – and it does have some historic interest – it’s still up at www.faqs.org. Actually, I suspect that’s not the last version: I ought to check that, I suppose, but it’s still many years since I updated it.

In fact, people still ask me about it, though I don’t see me updating it at this time.

Anyway, back to the anecdote. The post in question read:

: Hi there

: I’m a newbie in protection against viruses I know a lot about ASM viruses
: but I need some Source codes for Pascal Viruses

: So if you got any then please mail the source code to me

Being something of a curmudgeon even then (made old before my time by years of AV administration and removing viruses from other people’s systems), I snapped back:

begin
writeln('I am totally lacking in imagination and credibility…..')
end.

However, Alan and I had an exchange of emails subsequently which I later cited in presentations when discussing the esoterica of virus structure, among other things. Annoyingly, I can’t lay hands on the original thread at this moment, but my recollection is that he suggested a version that actually had a mechanism to enable it to replicate, along these lines:

begin
writeln('Please forward this program to everyone in your address book.')
end.

Not being one to surrender the opportunity to have the last word too easily, I then suggested a modification that would answer the topical (at the time) debate of whether a virus could damage hardware.

begin
writeln('Please forward this program to everyone in your address book.');
writeln('Now please jump up and down on your mouse.')
end.

Well, I suppose that there is a distinct resemblance between the ‘Irish Virus’ replication mechanism and ours, but I somehow doubt that my re-use of the above in a more public (educational) context really inspired the hoax. And I certainly hope that no-one (possibly David Sanger) is going to tell me that my modification was the inspiration for Stuxnet. 😉 But that’s a topic I might return to in the next day or two…

David Harley
Small Blue-Green World/AVIEN
ESET Senior Research Fellow
