The Bulgarian and Soviet Virus Factories
========================================

Vesselin Bontchev, Director
Laboratory of Computer Virology
Bulgarian Academy of Sciences, Sofia, Bulgaria


0) Abstract
===========

It is now well known that Bulgaria is a leader in computer virus
production and that the USSR is following closely. This paper tries to
answer the main questions: who makes viruses there, what viruses are
made, and why this is done. It also underlines the impact of this
process on the West, as well as on the national software industry.

1) How the story began
======================

Just three years ago there were no computer viruses in Bulgaria.
After all, these were things that could happen only in the capitalist
countries. They were first mentioned in the April issue of the
Bulgarian computer magazine "Komputar za vas" ("Computer for you")
[KV88], in a paper translated from the German magazine "Chip" [Chip].
Soon after that, the same Bulgarian magazine published an article
[KV89] explaining why computer viruses cannot be dangerous. The
arguments presented were, in general, correct, but the author had
completely missed the fact that the majority of PC users are not
experienced programmers.

A few months later, in the fall of the same year, two men came to the
editor's office of the magazine and claimed that they had found a
computer virus. Careful examination showed that it was the VIENNA
virus.

At that time the computer virus was a completely new idea for us. A
computer program whose behaviour resembles that of a living being,
able to replicate and to move from computer to computer even against
the will of the user, seemed extremely exciting.

The fact that "it can be done" and even that "it had been done"
spread through our country like wildfire. Soon hackers obtained a copy
of the virus and began to hack it. They noticed that the program
contained no "black magic" and that it was even quite sloppily
written. Soon new, home--made and improved versions appeared. Some of
them were produced just by re--assembling the disassembly of the virus
with a better optimizing assembler. Some were optimized by hand. As
a result, there are now several versions of this virus that were
created in Bulgaria --- versions with infective lengths of 627, 623,
622, 435, 367, 353 and even 348 bytes. The virus has been made almost
two times shorter (its original infective length is 648 bytes)
without any loss of functionality.

This virus was the first case. Soon after that, we were "visited" by
the CASCADE and the PING PONG viruses. The latter was the first
boot--sector virus and proved that this special area, present on
every diskette, can be used as a virus carrier too. All three
viruses were probably imported with pirated copies of commercial
programs.

2) Who, What & Why.
===================

2.1) The first Bulgarian virus.
-------------------------------

At that time both known viruses that infected files (VIENNA and
CASCADE) infected only COM files. This made me believe that the
infection of EXE files was much more difficult. Unfortunately, I made
the mistake of telling my opinion to a friend of mine. Let's call him
"V.B." for privacy reasons.(1)
...................................................................
[(1) These are the initials of his true name. It
will be the same with the other virus writers that I shall mention.
Please note that, while I have the same initials (and even his full
name resembles mine), we are two different persons.]
...................................................................
The challenge was taken up immediately, and soon after that I received
a simple virus that was able to infect only EXE files. It is now known
to the world under the name OLD YANKEE, because when the virus
infects a new file, it plays the "Yankee Doodle" melody.

The virus itself was quite trivial. Its only notable feature was its
ability to infect EXE files. The author even distributed its source
code (or, more exactly, the source code of the program that releases
it). Nevertheless, the virus did not spread very widely and was not
modified much. Only a few sites reported being infected by it.
Probably the reason for this was that the virus was non--resident and
infected files only on the current drive, so the only way to get
infected by it was to copy an infected file from one computer to
another.
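The difference that made EXE infection look harder than COM infection, and that an early integrity checker could exploit, is the MZ header: a COM file is a flat image that DOS loads as-is at offset 100h, while an EXE carries a header whose declared image size (e_cp/e_cblp) and entry point (e_cs:e_ip) must all agree with whatever was appended. The following checker is an added example written for this edition; it is not code from the paper, from OLD YANKEE or from any other virus mentioned here. The sample images, the 32-byte header layout and the "last eighth of the file" threshold for a suspicious entry point are assumptions made for the illustration.

```python
import struct

# Field names of the 28-byte DOS MZ header (16-bit little-endian fields after the magic).
MZ_FIELDS = ("e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
             "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc", "e_ovno")
MZ_HEADER = struct.Struct("<2s13H")


def file_kind(data: bytes) -> str:
    """DOS decides by signature, not by extension: an MZ image is an EXE,
    anything else is loaded as a flat COM image at offset 100h."""
    return "EXE" if data[:2] in (b"MZ", b"ZM") else "COM"


def parse_mz(data: bytes) -> dict:
    """Return the MZ header fields, or raise if the image has no header."""
    if len(data) < MZ_HEADER.size:
        raise ValueError("shorter than an MZ header")
    fields = dict(zip(MZ_FIELDS, MZ_HEADER.unpack_from(data, 0)))
    if fields["e_magic"] not in (b"MZ", b"ZM"):
        raise ValueError("no MZ signature: a COM file has no header to parse")
    return fields


def declared_size(h: dict) -> int:
    """Image size the header claims: e_cp pages of 512 bytes, of which e_cblp bytes
    are used in the last page (0 means the last page is full)."""
    if h["e_cp"] == 0:
        return 0
    size = h["e_cp"] * 512
    if h["e_cblp"]:
        size -= 512 - h["e_cblp"]
    return size


def entry_offset(h: dict) -> int:
    """File offset of the first instruction DOS executes: header, then CS:IP
    relative to the load segment."""
    return h["e_cparhdr"] * 16 + (h["e_cs"] << 4) + h["e_ip"]


def inspect_exe(data: bytes) -> dict:
    """Two classic integrity heuristics an EXE infector has to get past."""
    h = parse_mz(data)
    declared = declared_size(h)
    entry = entry_offset(h)
    # Assumption for this example: an appending infector's body usually sits in
    # the last eighth of the file (never less than 16 bytes).
    tail_window = max(16, len(data) // 8)
    return {
        "declared_size": declared,
        "actual_size": len(data),
        "trailing_bytes": len(data) - declared,   # appended without fixing e_cp/e_cblp
        "entry_offset": entry,
        "entry_near_end": entry >= len(data) - tail_window,
    }


def build_exe(code: bytes, cs: int = 0, ip: int = 0) -> bytes:
    """Wrap CODE in a minimal well-formed EXE (32-byte header, no relocations).
    Exists only to construct the samples below."""
    header_paras = 2
    total = header_paras * 16 + len(code)
    e_cp, e_cblp = (total + 511) // 512, total % 512
    hdr = MZ_HEADER.pack(b"MZ", e_cblp, e_cp, 0, header_paras, 0, 0xFFFF,
                         0, 0x100, 0, ip, cs, MZ_HEADER.size, 0)
    return hdr.ljust(header_paras * 16, b"\0") + code


# Constructed samples, not real programs.
EXIT_CODE = b"\xb8\x00\x4c\xcd\x21"          # mov ax,4C00h ; int 21h
CLEAN_CODE = EXIT_CODE + b"\0" * 995          # padded so the sample is not tiny
CLEAN = build_exe(CLEAN_CODE)                 # 1032 bytes, entry at file offset 32

# 1) Bytes stuck on the end with the header untouched: the size check sees them,
#    and DOS would never execute them, which is why a COM-style append fails on EXE.
NAIVE_APPEND = CLEAN + b"\x90" * 100

# 2) Appended body accounted for in e_cp/e_cblp and CS:IP pointed at it, original
#    code left intact at offset 32: the size check passes and only the entry-point
#    heuristic remains.
APPENDED_BODY = b"\x90" * 100 + EXIT_CODE
REDIRECTED = build_exe(CLEAN_CODE + APPENDED_BODY, cs=0, ip=len(CLEAN_CODE))

if __name__ == "__main__":
    for name, sample in (("CLEAN", CLEAN), ("NAIVE_APPEND", NAIVE_APPEND),
                         ("REDIRECTED", REDIRECTED)):
        print(name, inspect_exe(sample))
    print("flat image is loaded as:", file_kind(EXIT_CODE))
```

Both checks are heuristics, not proofs of infection. Data after the declared image is legitimate in programs that carry overlays (that is what e_ovno is for), and any infector that updates e_cp and e_cblp, as the later EXE infectors did, passes the size check entirely; an entry point near the end of the file can also be produced by an unusual linker layout. An integrity checker of the period therefore compared these values against a stored baseline for each file rather than judging a single image in isolation.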

When the puzzle of creating a virus able to infect EXE files was
solved, V.B. lost interest in this field and did not write any other
viruses. As far as I know, he currently works in real--time signal
processing.

2.2) The T.P. case.
-------------------

The second Bulgarian virus--writer, T.P., caused much more trouble.
When he