By other means

Little has been made in the mainstream press of the fact that the recent virus ExploreZip, a Delphi program, specifically attacked C++ and Assembler sources. Stob wonders if we are on the verge of an internecine techie war.

Day 51. First reprisal by a C++ faction for the ExploreZip assault: the so-called Big Girl's Blouse Worm. As well as spreading itself, the worm attacks systems by seeking out all DLLs and EXEs written in Delphi. Rather than deleting or overwriting these files, the worm appends random bytes to the end, adding a few 100 KB more every time. It simultaneously modifies the EXE headers so that the enlarged file is loaded into memory. Eventually Delphi programs on a BGB-infected machine collapse underneath the weight of the megabytes of gunk they must haul up into RAM at load time.

The strange moniker is explained by a taunting anonymous message posted to one of the newly created anti-Delphi newsgroups. Here is the text:

L3T M WRiT3 ViRUZ3Z, L3T M WRiT3 D3ViC3 DRiV3RZ, L3T M WRiT3 WiNDOW M4N4G3RZ; BUT 4Z LONG 4Z TH3Y UZ3 P4ZC4L, TH3Y R ZTiLL 4 BUNCH OF BiG GURRRLZ BLOUZ3Z.

D34TH 2 TH3 D3LPHiLTH SCUM! i H8 TH3M 4LL!

TH3 D3LPHiLTH KiLL3R

The opinions expressed in this message are the author's own, and do not in any way reflect those of Drommington-Egbarth Small Plastic Containers Inc.

A crack team of computer experts from the FBI tries to prolong this thread in an attempt to track down 'The Delphilth Killer'. In the unmoderated newsgroup, however, the Feds are unable to prevent it from turning into a rather pointless discussion about where the apostrophe should go in the phrase Big Girl's Blouses.

Day 72. A group of militant Visual Basic programmers decides that it has been ignored for long enough, and produces its own example of the genre. The VisBas virus has several unusual features, the most striking being that it uses a standard installer to propagate itself:

Please wait while InstallShield extracts the files which will install this virus. It is strongly recommended that you exit all Windows programs before running this program. Oh, and if NT users could log on as Administrator, that would be a great help too. Press Down to view the rest of the end user license agreement.

Despite — or perhaps because of — this, the virus is quite successful in spreading. It appears on the cover CD of one of the PC magazines, where it is described as a 'must have Internet connection management and desk diary tool'. Thereafter it is rapidly adopted by all the rival publications, often winning the 'Freeware of the Month' award, until it becomes even more common than that other staple: the out-of-date version of Netscape-Communicator-now-with-annoying-yellow-AOL-Thing.

However, the malevolent action of the virus — to rename .PAS files to .BAS 'to show we are just as good' — is so feeble that the anti-virus toolkit companies don't even bother to issue a patch to cope with it, and the VisBas team retires to sulk.

Day 105. However, the Visual Basic effort has not been entirely disregarded, and a Delphi faction retaliates devastatingly. Using a simple virus which, in a brilliant piece of social engineering, spreads by masquerading as unwanted Microsoft promotional email ('Travel to Hong Kong to be among the first to learn about Microsoft's new COM+ mousewheel technology!'), the payload is hideously cruel. It penetrates the huge cluster of life-support DLLs, OCXs, and what not that every Visual Basic program needs to help it breathe and — here's the clever bit — patches one at random to its own previous version.

The consequences are appalling. VB programs start dying like flies, often corrupting files and databases as they go, and in extreme cases actually causing machines to catch fire. Since the affected DLL is actually a genuine VB support DLL, albeit of a slightly older version, the standard anti-virus tools are useless. Finally, Microsoft itself snaps into action, and issues a warning message to its promotional email mailing lists. The impact of the warning is rather muted, as before release it is edited and passed by the Redmond marketing department: 'Microsoft technology triumphs again...'

Ultimately the Delphi virus is successfully countered by a vaccine program, which performs exactly the same version substitution trick — but on the BDE.

Day 127. The first Java virus appears, exploiting a previously unnoticed security hole in the applet sandbox of certain JVMs. Allegedly really devastating, it really needs to run on a multi-Gigahertz, multi-processor Sun to be seen at its best. This, combined with the fact that most web users close their browsers on reflex at the dread words 'Loading Java applet', rather limits its impact. But it is jolly well designed, and portable, which is the main thing.

Day 143. The first Linux virus, thought to be created by the very, very extreme 'We love Windows; even Exchange Server' group. The virus spreads itself in packets of data in the archaic NETBIOS protocol and gains control using a fixed-size buffer overwrite. Although it can infect Windows machines, it only actually attacks Intel machines running SAMBA — a package which allows non-Windows machines to act as Windows file servers. Once installed, the virus monitors network traffic looking for likely password strings; every time it finds a candidate, it tries to become root user.

Once a machine has been fully infected, the system appears to go through a standard shutdown. Meanwhile, in the background, the core OS is overwritten. The unfortunate Linux user sees one last message:

The system is halting...

System halted.

So you won't be staying up continuously without reboot for ten years after all, will you, you smug smegger?
