Copy Link
Add to Bookmark
Report
Crypt newsletter 13
ÜÜÜ ÜÜÜÜÜÜÜÜ ÜÜÜ ÜÜÜÜÜÜ ÜÜ ÜÜ ÜÜÜ ÜÜÜÜÜ ÜÜÜÜÜÜÜ ÜÜÜÜÜ
Û±±Û Û±±±±±±±Û Û±±Û Û±±±±±Û Û±±Û Û±±Û Û±±Û Û±±±±Û Û±±±±±±Û Û±±±±Û
Û±±Û ßßßßßßßß Û±±Û ßßßßÛ±±Û Û±±Û Û±±Û Û±±Û ßßßÛ±±Û ßßßÛ±±Û ßßßßß
Û±±Û Û±±Û ÜÜÜÜÛ±±Û Û±±Û Û±±Û Û±±Û ÜÜÜÛ±±Û Û±±Û
Û±±Û Û±±Û Û±±±±±Û ßß Û±±Û Û±±Û Û±±±±Û Û±±Û
Û±±Û Û±±Û ßßßßÛ±±Û Û±±Û Û±±Û ßßßßß Û±±Û
Û±±Û ÜÜÜÜÜÜÜÜ Û±±Û Û±±Û Û±±Û Û±±Û Û±±Û
Û±±Û Û±±±±±±±Û Û±±Û Û±±Û Û±±Û Û±±Û Û±±Û
ßßß ßßßßßßßß ßßß ßß ßß ßßß ßß
NEWSLETTER NUMBER 13
****************************************************************
******* Another festive, info-glutted, tongue-in-cheek training
manual provided solely for the entertainment of the virus
programmer, security specialist, casual home/business user or PC
hobbyist interested in the particulars - technical or otherwise
- of cybernetic data replication and/or mutilation. Jargon free,
too. EDITED BY URNST KOUCH, February - March 1993
CRYPT INFOSYSTEMS BBS - 215.868.1823
****************************************************************
TOP QUOTE: ". . . in the end the perfumed and tailored yes men
are as dangerous and evil as the bullies they serve."
-- Morley Safer
IN THIS ISSUE: News . . . Interview with Kim Clancy of the AIS
BBS . . Aristotle founds the Virginia Institute of Virus
Research . . . Mark Ludwig's 1st International Virus Writing
Contest . . . SUSAN virus . . . VOOTIE virus: a demo virus
optimized for PRODIGY e-mail . . . Lawrence Livermore Labs
switches to puppet manufacturing after bottom falls out of
thermonuclear weapons design . . . ViruDos: an April Fool's
command shell . . . In the reading room with TIME and WIRED
magazines . . . FLAGYLL virus . . . much more
News: JAPS NOT PLAGUED MUCH BY VIRUSES: NUMBER OF REPORTED CASES
TRIVIAL SEZ CRYPT NEWSLETTER
Japan's Information Technology Promotion Agency says "computer
damage" (?) caused by viruses amounted to 253 cases. Agency
bureaucrats attributed the surge in data vandalism, four-fold
over 1991, to international exchange of software. That's it,
blame the foreigners! Wooo.
MAN PRANKS EX-WIFE WITH PC TROJAN, EX-WIFE SHOWS SKILLFUL USE OF
LOCAL SHERIFF
A Santa Rosa, CA., computer prankster has been stung by a felony
tampering charge after admitting he sabotaged his ex-wife's
computer files. If convicted, prankster James Welsh could be
headed for a three year trip to the "bighouse."
The 32-year-old James Welsh says he sent a disk with a "kamikaze
program" to his ex-wife as vengeance for an unpleasant divorce.
Welsh's former wife, Kathleen Shelton, had all her files erased
when she used the booby-trapped program. The trojan left a
taunting limerick as its calling card. Shelton said Welsh set up
the system for her and she had [stupidly] continued to rely on
him for help and advice.
Welsh's defense will hinge upon the fact that he claims the
trojan erased a program that he had pirated. Because it was a
pirated "ware," "it [is] not protected under the state's
anti-hacking law," he says. No news on how closely software
engineers at CERT or the SPA will be watching this case.
TOMORROW CANCELLED! RUSTY & EDIE'S BUSTED FOR PIRACY,
UNDERGROUND BBSer's SAY THEY HAD IT COMING, SUITS PLAY
DUMB
"No hassles. No rules! Just a couple of burn-out hippies from
the '60s . . ." were a number of the lines sysops Rusty & Edie
used to describe themselves in various ads plugging the wonders
of their BBS. Now "First to try on the new felonization of
piracy bill" can be added to the list.
The FBI and SPA stormed the gates of the Boardman, Ohio,
bulletin board system in early February, seizing equipment
and accusing the operators of pirating software. In what has
become a standard statement whenever large pirate BBS's are
raided, the Software Publishers Association, which worked with
the FBI in investigating the case, said agents seized computers,
hard disk drives and telecommunications equipment, as well as
financial and subscriber records. ". . . following the receipt
of complaints from a number of SPA members that their software
was being illegally distributed on the Rusty & Edie's BBS" the
trade group said that it began an investigation months earlier
which included the download of retail programs from the BBS.
The system, established in 1987 and described as the third
largest BBS in the country in a glowing review which landed in
the pages of Computer Shopper only days before the bust,
maintained 124 nodes and more than 14,000 subscribers.
For $89 a year, "subscribers . . . were given access to the
board's contents, including many popular copyrighted business
and entertainment packages," droned the SPA statement.
Alert Crypt Newsletter readers familiar with the issue of
software piracy had a variety of responses to the news. "Copy
that floppy!" cried a subscriber in the northeast. "I'm
surprised it took so long," sneered another. "I was going to
join the week before the bust, but they were too expensive,"
added a reader from the Midwest. Jim O'Brien, the editor in
charge of the section in Computer Shopper which ran the review
of Rusty & Edie's claimed neither he nor free-lance writer
Dennis Fowler had any inkling the BBS was allegedly involved in
piracy.
The FBI has not charged Russell and Edwinia Hardenburgh in the
case. The FBI has also been equivocal on whether it will extend
its dragnet to include patrons of the system.
And as of the last week in February the ACLU had thrown its hat
into the ring on the side of the BBS, challenging the
constitutionality of the raid on the grounds that the piracy
charge should have been pursued in civil court. ACLU Ohio
legal director Kevin O'Neill conceded to the United Press
International that the FBI's copyright infringement, uh, piracy,
charges might have merit.
HAND PUPPETS TO TEACH COURSE IN COMPUTER ETHICS (BUT WILL THEY
BE ELIGIBLE TO JOIN THE UNION)?
Still reeling from the double rabbit-punch of the end of the
Cold War and a Democrat in The White House, which has seen their
40-year pursuit of better ways to make thermonuclear explosives
and X-ray pumped space weapons at the expense of the taxpayer
thrown into disrepute, Lawrence Livermore Laboratory scientists
are turning to puppetry as one way of justifying their continued
funding.
Livermore Computation Organization employees Lonnie Moore and
Gale Warshawsky have developed a pilot puppet program to teach
very young school children about computer ethics and security.
The stars of the show cover two of the major computer
stereotypes: Gooseberry, a stupidly trained computer operator,
and Dirty Dan, a "hapless, heinous hacker," software pirate and
virus spreader.
In one skit, according to the Associated Press, Dirty Dan brings
home a computer game obtained from a friend and ends up
"feeding" Chip - the computer - a virus which "makes him dizzy."
" . . . nobody out there is teaching ethics and security," said
Moore on the reason for his program. The Crypt Newsletter
adds, "Who's the leader of the gang that's made for YOU and ME?
M - I - C, Kay - E - Why, M - O - U - S - E!!!"
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
PROFILE: KIM CLANCY & THE AIS BBS - VIRUS CODE FOR ALL
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Here at the Crypt Newsletter, every time the editorial staff
reads another piece of e-mail from the local FeebNets saying,
"If you have virii on your board, soon 'The Feds [in blinking
red]' will be giving you a call, so be carrefill [sic]."
or
"Here in England, bobbies from Scotland Yard just confiscated
Tinker Dill's Virus Happy Place in Squatney. It's a bloody
shame. <RWG>"
we have a good laugh. And that's because the two cover a whole
wealth of ignorance concerning possession of virus code. The
first is the handiwork of the 15-year old user thoroughly
convinced that a US Robotics modem and 1 terabyte of anarchy
texts makes him an expert on every legal and social aspect of
cyberspace. The second generally comes from users who take the
popular press too seriously and have no qualms with authorities
capable of routinely violating the rights of the helpless,
unwitting or unpopular.
It would be a rude shock to these people to know that the U.S.
government runs a BBS which archives A LOT of well-commented
virus source code that any taxpayer can access and leech until
their diskettes are full. Run by Bureau of The Public Dept.
employee Kim Clancy, the BBS is called AIS and is the
clearinghouse for a stockpile of information covering a variety
of underground and aboveground computer security issues.
"Our computers track the deficit. That's job security," laughed
Clancy in a recent interview.
"The only thing we don't have is live viruses, but the source
code's there - that's certainly not far from it," she said.
"We've got the Virus Creation Laboratory, too."
AIS was started about two years ago and has grown steadily
since. Membership currently exceeds 600. It reached critical
mass, Clancy said, when Computer Underground Digest interviewed
her and profiled the system as a convenient place for the hacker
underground and security-types to mingle.
Much of AIS's material Clancy acquired on repeated jaunts to
"underground" (man, do we hate that term) BBS's like Hell Pit
and the now defunct Nun-Beaters Anonymous, both in the Chicago
area.
Needless to say, Clancy has maintained contact with a number of
virus programmers, some of whom she says are her best technical
advisors. On one occasion, virus authors from NuKe and
Phalcon/SKISM set up an early morning conference call with her,
one which was monitored, she said, by the Secret Service.
Later, said Clancy, an agent called her and warned her she
shouldn't have made sport of a security "expert" in the military
who was a user on AIS, something the agent could only have known
as an eavesdropper. Clancy shrugs this off as venal harassment
and repeats the story when lecturing around the country.
About the stock of virus code? "I've had very few complaints,
very little comment to me, directly," finished Clancy.
The AIS sysop's philosophy seems to be one that encompasses the
idea that if you want to know about something, you need to get
your hands on it without interference. Sounds dangerous!
Give AIS and Kim Clancy a ring at 304.420.6083.
ÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅ
³ARISTOTLE: "IT'S A GIANT PISSING CONTEST!" HE SEZ OF Vx/A-V ³
ÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅ
"It's a giant pissing contest and the only guy getting hurt is
John Q. Public!" quoth Aristotle in a recent interview concerning
his decision to drop out as the dean of virus exchange BBS'ing.
"As far as the anti-virus people go, 60% of the files on virus
exchanges are 'goat files.' ["Goats" are the small host
programs, usually bearing the identifier of an anti-virus
developer, which researchers infect with a virus they wish to
examine.] Now, you want to crash virus exchanges, make my
collection illegal. Well, you tell me how I got all these
'goats!'
"Everybody's talking shit," Aristotle continued, explaining that
security people and anti-virus developers have agents on every
virus exchange. The sysops think their systems are hard to
penetrate, Aristotle claims, but the reality is just the
opposite. The anti-virus developers get the newest viruses
direct from the source, use them to fuel their advertising
campaigns and trade viruses from their collections in return for
continued access. All the while, Aristotle says, there's little
chance any of the new viruses will actually end up in the wild.
"There's complete distrust, everyone in the [groups] is scared
to death of each other." Aristotle went on to explain a recent
tiff with members of Phalcon/SKISM stemming from Kim Clancy's
late night conference [see above] which had been monitored by
the Secret Service. Aristotle was party to the alliance call,
too, and was painted as the "man on the inside," a Secret
Service informer. Untrue, Aristotle says, completely untrue.
Aristotle is best known for his drive to sell viruses and source
code in bulk, the entirety of "The Black Axis BBS" collection.
There have been 40 takers, so far, Aristotle says. And they're
not kids. "You think a kid has the money?" he asked. "Who do
you think does? Haha."
The virus sales paid for a course in computer information system
management at William & Mary University, he said. "My research
was on viruses and the underground. I got an A."
Aristotle also maintained the VxNet, linking a number of virus
exchanges and quasi-virus exchanges globally. The Crypt
Newsletter asked him what would become of it.
"You want it?" he said with a laugh.
While The Black Axis is gone, Aristotle has replaced it with the
Virginia Institute of Virus Research in Newport News. No more
handles, either, said John Buchanan.
"My object was to bring all this out into the open. I got the
virus programmers to start arguing with the security people on
the FidoNet," Buchanan concluded. "I did that."
IN THE READING ROOM: TIME AND PUZZLEMENT - SUPERMARKET NEWS MAG
MUGS "CYBERPUNK"; ALL HACKERS LOOK LIKE R. U. SIRIUS, DANCE TO
HOUSE MUZIK, GOBBLE ECSTASY, QUOTE TIMOTHY LEARY, IT'S KEWL, MAN
Buzzwords, like "cyberpunk," I've decided, are cruel pranks
sickeningly ambitious writers at glossy magazines use to make
themselves instant authorities. Media magnification always makes
these terms legitimate, whether they are or not, so you know
that while the TIME article on "cyberpunk" two weeks ago was
pure baffle-crap (see, I can make my own buzzword, too), inside
4 months it will have spawned 6 like-minded articles in other
supermarket magazines, taking on a complete life of its own.
So, I'm gonna rehash some of this nonsense now, in hope that you
laugh, because if you don't, when you see it again as truth in
the coming weeks, you just might have to cry.
Didja know,
that the computer virus is "the cybernetic analogue of AIDS," a
disease which has affected millions worldwide and caused
horrifying death and human suffering? According to Phil
Elmer-Dewitt of TIME, it's so!
Didja know,
according to certified geezer Timothy Leary, "the PC is the LSD
of the '90s"? Like you, I thought this was a fatuous,
self-serving statement. But then I thought about it some more
and began to feel warm inside. Since I missed LSD when it came
around the first time, it felt good to know that I now had an
unending supply of it sitting on my desk, just in case I felt
the need to be "groovy."
Didja know,
that now "cyberpunks" don't look like young men with coke-bottle
thick glasses and plastic pocket-protectors? No, they look like
young, less warty, versions of Tiny Tim (which is what R. U.
Sirius looks like in the photo in TIME magazine). It's true!
Didja know,
cyberpunks listen to "house" music, that "post-industrial,"
droning, art-phag stuff that bands with names like Surgical
Penis Klinik and Throbbing Gristle couldn't sell in the '80s
because it was "too" alternative, but now it's big business
because computer dudes and dudettes don't like those dead, fat
guys in Lynyrd Skynyrd. Yup, it's true! And boy am I bummed!
What am I going to do with my Angry Samoans and Mentors records?
Didja know,
"without visual cues, people communicating on-line tend to
flame: to state their views more heatedly than they would face
to face?" Visual cues-visual shmues - here I thought they did
it because there was little chance they would get popped on the
jaw for being a jerk.
Didja know,
the movie "Terminator 2" was a cult film?
Didja know,
that TIME magazine used the same virtual illustration of
"virtual reality d00d sucking the face off a virtual reality
d00dette" as the movie "The Lawnmower Man," and the magazines
OMNI, COMPUTE, PC Computing, Byte, MacWorld, Discover, Newsweek,
Rolling Stone, SPIN, Science News, Playboy, Penthouse, Gent, USA
Today, Details, MONDO 2000, Dog Fancy, Cat Fancy, Harpers, The
Atlantic, etc., etc., etc.?
Didja know,
that the Electronic Frontier Foundation is a group that defends
"exploratory hacking"? Well, they didn't know and they seemed
pissed in Computer Underground Digest when they found out.
Didja know,
that TIME magazine is now sold with samples of cheap men's
cologne, along with ads for "Elvis not dead" books and chemicals
which will chase away your male pattern baldness? It's true!
-----------------------------------------------------------------
W E L C O M E
T O
T H E
F I R S T
* * * * * * * * * * * * * * * * * * * * * * * * * * * *
* *
* I N T E R N A T I O N A L *
* *
* C O M P U T E R *
* *
* V I R U S *
* *
* W R I T I N G *
* *
* C O N T E S T *
* *
* * * * * * * * * * * * * * * * * * * * * * * * * * * *
- 1 9 9 3 -
Final Date For Submissions: APRIL 1, 1993
This Contest is Sponsored by:
American Eagle Publications, Inc.
P. O. Box 41401
Tucson, AZ 85717 USA
Publisher of The Little Black Book of Computer Viruses
* * * * * * * * * * * * * * * * * * * * * * * * * * * *
! DISTRIBUTE THIS FILE ALL OVER THE KNOWN UNIVERSE !
* * * * * * * * * * * * * * * * * * * * * * * * * * * *
Ok, all you genius hackers out there! Here is a challenge
for you. Prove your stuff!
This is an INTERNATIONAL contest, and this file is
being circulated all over the world, so if you want to compete,
be forewarned, you've got worldwide competition. Only the best
have a chance in this game.
Still up to the challenge?
Ok, here it is:
I am writing Volume 2 of The Little Black Book of Computer
Viruses. This is a study of the scientific applications of
computer viruses, and their use in artificial life research,
and all of that neat stuff. One of the things I want to discuss
in the book is the limit on the size of a virus for a given
level of functionality. So I took the TIMID virus from Volume 1
and tore it down to the bare minimum. Not good enough. I wrote
a virus that worked a little differently. I tore that one down
to the bare minimum. Good enough? Well maybe. But maybe not.
I have some pretty compact code, but is it the absolute best?
I'm guessing somebody out there can top it.
Here are the rules:
(1) The object of this game is to write the smallest
virus you can with the required level of functionality.
(2) The virus must be capable of infecting all COM files
on the logged drive in the current directory of a PC,
no matter how many COM files are there. It may infect
them as quickly or as slowly as you like, so long as
it can be demonstrated that it will do so in an hour,
when running the programs in that directory one after
the other in sequential order.
(3) The virus must recognize itself and avoid re-infecting
files that have been infected. At most, only one in
fifty thousand files should get accidently re-infected,
assuming that the data in unknown COM files is random.
(4) The virus must terminate gracefully if it cannot find a
file to infect.
(5) The virus must not destroy any of the code in any file
which it infects. It must allow that code to execute
properly, or refuse to infect a file.
(6) The virus must be self-contained. It cannot hide
code in some common location on disk.
(7) The virus must function properly under MS-DOS 5.0 with
no TSR's resident, and nothing loaded high.
(8) The size will be determined by the larger of (A) the
number of bytes the virus code itself takes up in
an infected file, and (B) the largest number of bytes
the virus adds to a program when it infects it.
The best code I have for a virus that follows these rules right
now is 139 bytes long. Both source and executable are included
in the ZIP, named LITTLE.ASM and LITTLE.COM.
In the event of a tie for size, originality and ingenuity of
the code will break the tie. All judges decisions are final.
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
The winner will receive the following:
(1) A $100 CASH REWARD.
(2) Your code will be published in The Little Black Book
of Computer Viruses, Volume 2.
(3) I will give you credit for the code and for winning
the International Virus Contest in the book, using
either your real name or an alias, your choice,
published in the book.
(4) Your name will be posted on the MISS bulletin board
as the contest winner.
(5) A free copy of The Little Black Book of Computer
Viruses, Volume 2, and a one year subscription to
Computer Virus Developments Quarterly ($95 value).
Three honorable mention winners will receive a free copy of
The Little Black Book of Computer Viruses, Volume 2.
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
You may make an entry in two ways:
(1) Mail your entry on a PC format floppy disk to American Eagle
Publications, Inc., PO Box 41401, Tucson, AZ 85717 USA.
(2) Upload your entry to the M.I.S.S. bulletin board at
(805)251-0564 in the USA. Log on as GUEST, password VIRUS,
last 4 digits of phone number 0000, and upload to the CONTEST
UPLOADS directory.
A valid entry consists of the following items:
(A) Complete source code for a virus, which can be assembled
using either TASM, MASM, or A86. If you use another assembler
and don't know if one of the above will work, then send the
assembler along with the submission. If you do anything tricky
that we may not understand, you must explain it in comments in
the assembler source.
(B) A statement of who you are (aliases accepted) and how to
get in touch with you in case you win the contest. This
information will be kept strictly confidential, and encrypted
at all times.
By submitting an entry to the contest, you agree that the
copyright to your entry will be considered the property of
American Eagle Publications. The copyright to any losing
entry will be returned to the owner upon written request.
In the event that you win or receive honorable mention in the
contest, the copyright to the code will remain the property
of American Eagle Publications, Inc.
You may submit your entry encrypted with PGP 2.1 if you
desire. Use the following public key to encrypt:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.1
mQBNAitZ9w4AAAECAOXJYOsJNavAAWFBRwf4/u0QWMJ9IHj8eajgOfDRdlCNwEBJ
wMs1vb5GcdJCaeoCgBR3Xxzh6oEo2nrwfru8mqMABRG0CE1BTHVkd2ln
=P6d4
-----END PGP PUBLIC KEY BLOCK-----
Go to it!
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
D O N ' T M I S S O U T ! ! !
Get Your Very Own
International Virus Writing Contest 1993
T-SHIRT
Great fun to wear to your local user's group meeting, or the
next computer security conference you attend. Sure to get
people's attention and initiate lots of interesting
conversation. Specify Small, Medium, or Large.
Only $9.95
from
American Eagle Publications, Inc.
P.O. Box 41401
Tucson, AZ 85717
(US Customers please add $3.00 for UPS delivery)
(Overseas customers please add $7.50 for airmail delivery)
(Overseas customers please add $3.00 for surface delivery)
(AZ residents add 5% sales tax)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
American Eagle Publications, Inc., gives you first class
information to learn the ins and outs of viruses. You may
order any of the following items from American Eagle
Publications, PO Box 41401, Tucson, AZ 85717. (Shipping is $2.00
to the US, $7.50 for overseas airmail.) AZ residents add 5%
sales tax.
The Little Black Book of Computer Viruses, Volume 1,
by Mark Ludwig. This award-winning book will teach you the
basics of how viruses work in no-nonsense terms. 192 pp.,
$14.95.
The Little Black Book of Computer Viruses Program Disk. All
of the programs in the book, both source code and executables,
$15.00.
Computer Virus Developments Quarterly, This takes up where the
Little Black Book leaves off, providing the reader with
quarterly updates on viruses and anti-virus technology.
For the advanced security specialist or programmer. One year
subscription with diskettes, $75.00 postpaid, overseas airmail
add $10.00.
Computer Virus Developments Quarterly, current single issue,
$25.00. (Please inquire as to price and availability of back
issues.)
Technical Note #1: The Pakistani Brain Virus, a complete
disassembly and explanation. This is one of the first boot
sector viruses ever written, and the first stealth boot sector
virus. It hides on floppy disks and inserts the label (c) Brain
on the disk. 32 page booklet and diskette with assembler source
and compiled virus, $20.00.
Technical Note #2: The Stoned Virus, a complete disassembly and
explanation. The Stoned is the world's most successful boot
sector virus. It infects floppy disks and hard disks. Find out
what makes it tick. 24 page booklet and diskette with assembler
source, compiled virus, and detection tool, $20.00.
Technical Note #3: The Jerusalem Virus, a complete disassembly
and explanation. Jerusalem is an old but highly effective virus
which hides in memory, and infects every program you try to
execute. It starts deleting programs on Friday the 13th. Booklet
and diskette with assembler source and compiled virus, $20.00.
Technical Note #4: How to Write Protect an MFM Hard Disk. The
only hard-and-fast way to stop viruses from spreading is to
physically write-protect your disk. This tech note tells you how
to do it for the older MFM style drives. Some companies
sell such devices for hundreds of dollars, but this booklet
will tell you how to do the job for under $20. Complete with
theory, circuit diagrams, and a circuit board layout. No
diskette, $12.00.
How to Become a Virus Expert, a 60 minute audio tape by author
Mark Ludwig tells you how to get hold of the critical information
you need to protect your computers, and stop relying on some anti-
virus product developer to spoon-feed you. $10.00.
Wanted: Translators for these works in all languages and outlets
for these works in all countries. An opportunity for big $$ awaits
the enterprising person. Please contact us.
================================================================
No Virus Contest is complete without POLITICAL COMMENT:
Freedom is only free if it is VOLUNTARY. If you live in a
"democratic" nation that will not allow secession, then you DO
NOT live in a free country. The democracies of this world are
learning how to become tyrannies. Support a Secession Amendment
for your constitution, before it is too late and you wish you
had. Secession is the only logical way to short-circuit the trend
toward big government and tyranny, short of all-out civil war.
-- Mark Ludwig
================================================
CRYPT NEWSLETTER GIVES YOU A FIGHTING CHANCE IF YOU HOSE
YOURSELF WITH A "TYPICAL" MEMORY RESIDENT VIRUS
Ever wish the "suit" computer magazines supplied something more
useful than utilities to "beep the speaker" or "turn OFF that
pesky numLock light?" Well, Hell has a better chance of freezing
over before that happens. But we're not like that here at the
Newsletter! NosirreeBob! We've got a batch file, yes a "batch
file" for you - absolutely free, which in most cases will allow
you to remove any generic resident virus from the command processor
and start the machine from a clean memory slate.
Add it to the VERY BEGINNING of your AUTOEXEC.BAT. Then, create
a directory called SAVE and:
copy COMMAND.COM C:\SAVE\WHATMEWO.RRY
copy C:\DOS\FC.EXE C:\SAVE\HELL.NO
copy C:\DOS\FIND.EXE C:\SAVE\HELL.YES
Then add the 17-byte utility, REBOOT.COM (included in
this issue), to your SAVE directory and rename a copy of it
as GREET.OOT in the same directory.
@ECHO OFF
ECHO -=SANDOZ-KOUCH=- ANTI-VIRUS BATCH FILE! WOO-WOO!!
PAUSE
SET HOME=C:\COMMAND.COM
SET SAFE=C:\SAVE\WHATMEWO.RRY
SET LOC1=C:\CARBUNKL
SET LOC2=C:\FESTER
IF EXIST %LOC2% DEL %LOC2%
FC %HOME% %SAFE% | FIND "FC: no differences encountered" > %LOC1%
COPY %LOC1% %LOC2%
DEL %LOC1%
COPY %LOC2% %LOC1%
IF EXIST %LOC2% DEL %LOC2%
IF EXIST %LOC1% GOTO END
GOTO VIRUS
:VIRUS
ECHO COMMAND.COM could be fouled by a virus!
ECHO Hit CTRL-C TO STOP MACHINE NOW . . . or
ECHO to refresh the file and purge memory, just
PAUSE
GOTO REFRESH
:REFRESH
CD \SAVE
COPY WHATMEWO.RRY C:\COMMAND.COM
COPY HELL.NO C:\DOS\FC.EXE
COPY HELL.YES C:\DOS\FIND.EXE
REBOOT
:END
IF EXIST %LOC1% DEL %LOC1%
SET HOME=
SET SAFE=
SET LOC1=
SET LOC2=
CD \SAVE
COPY GREET.OOT REBOOT.COM
-----the rest of whatever you're doing----
What this batch job does is set up a back-up archive of your
command processor in the SAVE directory, along with the
executables called by the program. If FC detects any
differences between the back-up and your command processor, the
pipe through FIND creates a 0 byte file which can't be copied.
The batch file traps the "nocopy" result, assumes COMMAND.COM is
fouled, restores it and promptly reboots the machine. Typical
memory resident viruses can easily infect the files used during the
batch, which is why we restore them just before rebooting, too.
Essentially, the Victor Charlie anti-virus program uses much of
this methodology, only it costs you $50.
This batch file will uncover marginal or "semi-stealth" viruses
which infect COMMAND.COM. Most of these spoof the file
size change as reported by the DIR command through Interrupt 21
(that is they simply subtract their size from the amount
reported before DIR presents it to the user). FC will detect them
since it is not dependent upon these functions. For example,
the HITLER virus (from Newsletter 11) the PC BYTE BANDIT and
ARCV's SCROLL, all marginal stealth, are detected and removed from
COMMAND.COM by the batch file.
A few points to keep in mind: viruses which parasitize
COMMAND.COM can cause it to fail or its functions to become
slightly deranged. The LITTLE virus, included in this issue,
messes up COMMAND.COM just enough to prevent the SET commands
from working, although the machine will boot properly. This
causes the batch file to fail - a quite noticeable occurrence. In
the real world, you should be suspicious when this happens.
Also, some resident infecter are ill-mannered. The MULE
variant of Jerusalem will cause boot failure if it gets into
COMMAND.COM - another quite noticeable gaff. The Scroll and
PC Byte Bandit - as well as a number of other memory resident
viruses - attempt to infect batch files as they are executed.
Both attach themselves to the Newsletter batch file. In
this case, the batch file will remove them from COMMAND.COM and
reboot the machine anyway, although you will get a number of
"bad command" messages as DOS tries to read the binary
gibberish which is the virus attached to the end of the
file. If this happens to you, restore the file.
What this file won't do:
It won't protect you from an overwriting virus, like VOOTIE (in
this issue). VOOTIE is a dumb virus and it will immediately
cause boot failure if it gets into the root directory. You will
notice this problem. It will also not protect your
command processor from full stealth viruses and it will NOT
protect your machine from multi-partite or partition sector
infecting viruses. It can also be defeated by viruses which
infect the target executable on copy. In our estimation, this
isn't common enough for you to worry about.
None of this will protect you from a virus infection that has
crawled all over your hard disk before it gets into the command
processor. (Also keep in mind, that some viruses will SHUN your
command processor.) If this file reports a virus and reboots your
machine, it's a smart move to stop the load of your AUTOEXEC.BAT
with a judicious "Control-C" as soon as the "-=Sandoz-Kouch=-"
banner reappears and the program pauses. At this point, you
stand a good chance of being able to examine your machine more
closely without a virus in memory to worry you. At the very
least, you get a good warning.
Like features of the hated Victor Charlie 5.0 anti-virus
program, you can expand the batch file to restore any of the
programs called in your old AUTOEXEC.BAT. In fact, this isn't
a bad feature to add to the REFRESH segment of the code.
Do it yourself if you like.
---------------------------------------------------------------
VOOTIE VIRUS: SMALL ENOUGH FOR PRODIGY E-MAIL; OW VIRUS, EVEN
BETTER
---------------------------------------------------------------
Recently, PRODIGY, the interactive information service for
numerous mixed-up Democrat, Bush-voting yuppies, liberalized its
policies as to what users can and can't discuss on its public
message base forums. Formerly, the service exercised
rigid editorial control over these, enlisting wannabe
busy-body's with the aid of a "fink" switch, which anyone
could use to flame and squeal anonymously on the electronic
scribblings of others.
Although, the "fink" switch is still in operation, users are no
longer routinely spiked for posting "help me's" on how to attain
live viruses or source code.
For Newsletter readers who are also PRODIGY members, the VOOTIE
virus is small enough to fit into the 6-panel PRODIGY e-mail
format as source code or a DEBUG script. So when someone asks
for a virus on PRODIGY, you can swiftly send VOOTIE as a simple
example. The rationale is similar to the one which sent the TINY
virus to interested parties on the FidoNet a couple of years
ago.
VOOTIE is merely an overwriting virus; a younger, smaller
brother to POPOOLAR SCIENCE included in issue 12. It is, in
essence, merely a small fragment of runaway code. Such programs
are called "virons," whatever that is, in the VSUM database.
If you MUST have a term, use "viroid." "Viroid" is a real
world scientific label used to characterize very small, extremely
simple natural viruses. "Viron" is anti-virus jargon; "viroid" is
more scientific, more accurate. And hep, too. Use it and leave
your listeners flabbergasted on the next user group lecture stop.
VOOTIE overwrites everything in the current directory by
printing itself on top of its targets. Infected .COMfiles can
spread VOOTIE, as can .EXE's, if under 65k in size. Data is
mutilated. VOOTIE will make a disk unbootable if it enters the
root directory. VOOTIE infected files are ruined as usable
programs, you must delete them. Infected files can be identified
by the time/date stamp which is updated to mark the time of
infection. A file viewer can spot the name VOOTIE, in weird ASCII,
near the end of the virus in infected or mutilated files. In
addition, the OW virus by the TridenT group, a smaller 42-byte
overwriting program, is included in this issue for comparative
purposes.
---------------------------------------------------------------
SUSAN AND FLAGYLL VIRUSES: RESIDENT, OVERWRITING PROGRAMS
The SUSAN virus, an interesting program created by Night
Breeze, is included in this issue as a source listing.
The programmer has tied the viruses infection cycle into the
DIR function so that it infects only the first .EXEfile in the
current directory. Since SUSAN is in overwriting virus, it
naturally destroys its host files. This would be devastating
if the virus infected a fresh .EXE in the current directory
every time the user typed DIR. However, by limiting the virus to
one file, Night Breeze has kept it from being too disruptive.
In addition, it spoofs the user with a "Bad command or file
name" error message when an infected file is loaded.
SUSAN also keeps a count of infections and begins deleting files
when conditions outlined in the source code are met.
You can compare SUSAN to the FLAGYLL virus, another memory
resident infecter which overwrites .EXEfiles on load. If you try
FLAGYLL out, you'll see it's immediately noticeable, ruining
every .EXE that attempts to run. SUSAN would be similar if it
was not restricted to one file per directory. FLAGYLL-Z governs
its destructive infections by relying on a value returned from the
system clock to determine when it will infect. This trigger is
noted in FLAGYLL-Z's source code and can be easily tweaked to
see how the virus's behaviour is altered.
Excutables infected by either the SUSAN or FLAGYLL viruses are
permanently ruined. To remove the viruses from the system, reboot
the machine and delete the infected files. All of the viruses can
be found by searching for the embedded text strings noted in their
respective source codes.
VIRUDOS: A PRACTICAL JOKE COMMAND SHELL
Also included in this issue is ViruDos. ViruDos is a simple
command shell which can be inserted into the AUTOEXEC.BAT. It
is harmless, but the colorful "Bartles & Jaymes" virus which
afflicts the user is a laff riot at computer shows
and parties. To tell more would spoil the fun. Read the
accompanying documentation and fire it up. ViruDos's
programmers "Thank you for your support."
----------------------------------------------------------------
FICTUAL FACT/FACTUAL FICTION: DARK COFFIN BLASTED BY FLIP VIRUS
----------------------------------------------------------------
For most of the month of February the Dark Coffin virus exchange
has been off-line due to a close look at the business end of the
FLIP virus. Sysop Pallbearer is slowly picking up the pieces and
promises to be answering the phone by the time you read this.
Remember mates, it only makes sense, always keep a back-up!
The March issue of PC Magazine sports am exceedingly smelly
product review of a fistful and anti-virus software packages.
In what has become known informally as a "done deal," Central
Point Anti-virus and Norton Anti-virus took home top honors,
beating out performers like F-Prot, Leprechaun Software's Virus
Buster and the Solomon Anti-virus Toolkit. The Toolkit and
Virus-Buster both took hits for their user interfaces, which
apparently weren't attractive enough for PC Mag's team of rogue
reviewers. It is unfortunate that computer viruses, as a rule,
remain unimpressed by various elaborate menuing schemes leading
to the question, "Who, exactly, was the testing aimed at?"
Advertisers or customers. The alert Crypt Newsletter reader
already knows the answer, as we suspect, so do the losers in
this runoff.
The product reviewers warned of new bugaboos like "stealth"
viruses and the "Virus Construction [sic] Laboratory." And
we were surprised to learn that companion/spawning viruses are now
classified as "stealth" - because they create "hidden" files.
Don't tell that to our copy of DOSSHELL which lists them very
nicely alongside every other program on our machine!
In summation, once again consumer reporting takes it on the chin
at the hands of "suit computer mag" reporters who should NOT
forgive their parents for imposing the heavy burden of fetal
alcohol syndrome upon them.
----------------------------------------------------------------
Thanks and a tip o' the hat for this issue go out to alert
readers Mr. Badger, Lookout Man, Cory Tucker and SandoZ.
----------------------------------------------------------------
The Crypt Newsletter includes virus source code in each issue.
If assembled, it will produce working copies of the viruses
described. In the hands of incompetents, irresponsibles and
and even the experienced, these programs can mess up the software
resources of any IBM-compatible PC - most times, irretrievably.
Public knowledge that you possess such samples can make you
unpopular - even shunned - in certain circles of your computer
neighborhood, too.
This copy of the Crypt Newsletter should contain the following
files:
CRPTLT.R13 - this electronic document
VOOTIE.ASM - VOOTIE virus source listing
OW.ASM - OW virus source listing
SUSAN1.ASM - SUSAN virus source listing
FLAGYLL.ASM - FLAGYLL virus source listing
FLAGYLLZ.ASM - FLAGYLL-Z virus source listing
LITTLE.ASM - LITTLE virus source listing
VDOS.DOC - Documentation for ViruDos
VIRUDOS.EXE - ViruDos joke command shell
BARNJ.BSV - Bartles & Jaymes data file, must accompany
VIRUDOS.EXE
FLAGYLL & FLAGYLL-Z.SCR - Scriptfiles for FLAGYLL viruses
SUSAN1.SCR - Scriptfile for SUSAN virus
VOOTIE.SCR - Scriptfile for VOOTIE virus
OW.SCR - Scriptfile for OW-42 virus
MAKE.BAT - handy, dandy "maker" for programs in this issue
To assemble the programs in this issue, just unzip all of them
into the current directory, add the MS-DOS program DEBUG.EXE and
type "MAKE" at the prompt.
You can pick up the Crypt Newsletter at these fine BBS's, along with
many other nifty, unique things.
CRYPT INFOSYSTEMS 1-215-868-1823 Comment: Crypt Corporate East
DARK COFFIN 1-215-966-3576 Comment: Crypt Corporate West
THE HELL PIT 1-708-459-7267
DRAGON'S DEN 1-215-882-1415
RIPCO ][ 1-312-528-5020
AIS 1-304-420-6083
CYBERNETIC VIOLENCE 1-514-425-4540
VA. INSTITUTE OF VIRUS RESEARCH 1-804-599-4152
UNPHAMILIAR TERRITORY 1-602-PRI-VATE
THE OTHER SIDE 1-512-618-0154
MICRO INFORMATION SYSTEMS SERVICES 1-805-251-0564
REALM OF THE SHADOW 1-210-783-6526
STAIRWAY TO HEAVEN 1-913-235-8936
THE BIT BANK 1-215-966-3812
CYGNUS-X 1-215-791-2457
CAUSTIC CONTAGION 1-817-776-9564
The Crypt Newsletter staff welcomes your comments, anecdotes,
thoughtful articles and hate mail. You can contact Urnst Kouch at
Crypt BBS, CSERVE#:70743,1711 or Internet: 70743.1711@compuserve.com
