Crypt newsletter 07
*******************************************
The CRYPT Newsletter (#7) - Early Oct.,1992
Another in a continuing series of info-glutted
humorous monographs solely for the enjoyment
of the virus programmer or user interested
in the particulars of cyber-electronic data
replication and corruption.
--Edited by URNST KOUCH
********************************************
This issue's top quote!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
"Ross Perot is an empty valise."
-Ed Koch on the former Electronic Data
Systems leader's re-entry into the
presidential race.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
IN THIS ISSUE: SPECIAL Election Day viruses: VOTE and
VOTERASE...the DEICIDE virus...FIDO news...INCAPABILITIES:
Off-the-cuff evaluations & fear and loathing on PRODIGY...
from the Reading Room: "Cyberpunk" by Hafner and Markoff
...McAfee Associates close in on "fuck you money"...Vidkun
Quisling Medal awarded...more...
----------------------------------------------------------
NEWS! NEWS! NEWS! VITRIOL! NEWS!
This issue we award the Vidkun Quisling Gold Medal of Rank
Hypocrisy to Gary Watson of Data Systems.
Here at the newsletter bungalow we couldn't help but notice
programmer Gary Watson's insistence that he has
been the victim of a disinformation campaign launched by virus
exchange BBS's. "Do I upload source codes to virus
boards, not so, not so!" is the essence of this claim, aired
on the FidoNet VIRUS_INFO echo.
To help get at the truth, we're releasing a log and archive
listing documenting Watson's visit to the Dark Coffin BBS in
Pennsylvania.
What follows is a reprint of a BBS log generated by WWIV 4.21,
the software in use on Dark Coffin:
1702: Gary Watson #58 23:54:19 08/07/92 [Torrance CA]
Q, S, X, >, >, >, S, Q, Q, X, T, L, >, >, >, *, Q, X, T, *, X, Q, , Q
//S**T! I GOTTA CHECK THE F****N MESSAGE BASES...., T, ?, U, Z, <, >, <, <
<, <, <, <, <, F, //WELL, ONE OF EM AT LEAST, *, U, X, U
>>>+DANGER .ZIP uploaded on NEW UPLOADS<<<
C, C, H, A, T, X, /, \, \, Q, Q, ?, O,
Read: 20 Time on: 16
All comments following // are command line messages one of us used to
type to the other. Notice upload of DANGER.ZIP. Next, the PKUNZIP
listing of what was kept from that archive:
PKUNZIP (R) FAST! Extract Utility Version 1.93 ALPHA 10-15-91
Copr. 1989-1991 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
PKUNZIP Reg. U.S. Pat. and Tm. Off.
Searching ZIP: DANGER.ZIP
Length Method Size Ratio Date Time CRC-32 Attr Name
------ ------ ----- ----- ---- ---- -------- ---- ----
24704 Implode 7072 72% 09-25-91 10:44 26dbaec9 --w- MIX1.ASM
3193 Implode 1527 53% 03-05-89 22:21 1d1d5ed8 --w- AMST-847.ASM
13009 Implode 3179 76% 01-01-80 00:06 ec3b2f22 --w- BADBOY2.ASM
19037 Implode 6318 67% 06-05-90 11:54 ce10ca04 --w- MURPHEXE.ASM
12453 Implode 2783 78% 04-04-90 17:35 78c45414 --w- STONE.ASM
26586 Implode 5754 79% 04-04-90 17:35 50ad447b --w- DATACRIM.ASM
19495 Implode 7985 60% 01-03-90 23:19 31f550c8 --w- EDDIE.ASM
8897 Implode 2914 68% 05-05-90 18:13 0953d928 --w- DIAMOND.ASM
45577 Implode 10889 77% 05-05-91 18:51 065542d3 --w- V2100_.ASM
15042 Implode 2663 83% 04-18-91 16:58 19fc2ef6 --w- LEECH.ASM
58090 Implode 12176 80% 08-11-92 22:43 ddccc22e --w- VSOURCE.ASM
19310 Implode 6330 68% 03-09-91 15:53 50e8c26a --w- HORSE2.ASM
47596 Implode 11030 77% 03-13-91 18:29 21efc392 --w- 4096.ASM
3042 Implode 1139 63% 12-28-88 12:32 a7404cb9 --w- BOOT1.ASM
10830 Implode 2939 73% 08-11-92 22:43 a7ae08a6 --w- DIR2.ASM
7212 Implode 2215 70% 08-11-92 22:47 4de925cf --w- MASTER.ASM
------ ------ --- -------
334073 86913 74% 16
And an extracted header from one of the source codes, STONE.ASM:
; ╔══════════════════════════════════════════════════════════════════════════╗
; ║ British Computer Virus Research Centre                                   ║
; ║ 12 Guildford Street, Brighton, East Sussex, BN1 3LS, England             ║
; ║ Telephone: Domestic 0273-26105, International +44-273-26105              ║
; ║                                                                          ║
; ║ The 'New Zealand' Virus                                                  ║
; ║ Disassembled by Joe Hirst, November 1988                                 ║
; ║                                                                          ║
; ║ Copyright (c) Joe Hirst 1988, 1989.                                      ║
; ║                                                                          ║
; ║ This listing is only to be made available to virus researchers           ║
; ║ or software writers on a need-to-know basis.                             ║
; ╚══════════════════════════════════════════════════════════════════════════╝
Now, while this isn't IRONCLAD proof of Gary Watson's
duplicity, it IS close enough for most purposes. And, yes, here
at the bungalow we can still imagine cries of "Disinformation!"
or "It's a FRAME-UP!" or "I never did that!" We feel confident
that the reasonable Crypt reader will weigh the veracity of a Gary
Watson (who self-admittedly views those unlike him as "targets" and
has an ego so big he is easily stroked into flaming on the
FidoNet by barbs from those much younger than he) against that
of the urbane and always courteous editors of the Crypt
Newsletter.
We are pleased to award Gary Watson the Quisling Medal.
When ex-New York City mayor Ed Koch was asked to comment on the
Quisling award, he said, "Gary Watson is an empty valise."
A HOT TIP!
Nowhere Man informs the Crypt Newsletter that he is readying
a polymorphic encryption module for domestic release. This is
in addition to his work on VCL 2.0 which could be coming to
you sometime around the holiday season!
*****************************************************************
A CRYPT NEWSLETTER SPECIAL: VOTE and VOTERASE, custom Election
Day viruses!!!
*****************************************************************
In this issue, we give the readers the VOTE! VOTE (or VOTE, SHITHEAD)
is a memory resident, spawning virus which is not detected by the
recent versions of SCAN, Thunderbyte's tbSCAN, Datatechnik's AVScan,
NORTON Antivirus or Central Point Antivirus.
Upon installation, VOTE will reside in a small hole in system memory
invisible to all but the most discerning eye. It hooks INT 21 and
monitors the DOS load function. From there, it will create hidden/
read-only 'companion' files for every .EXE program called. All
of these 'infected' programs will continue to function normally;
VOTE's disk writes are minimal and not likely to be noticed by
anyone NOT looking for the virus. VOTE will accumulate on the
infected system's hard file in an almost totally transparent
manner until Election Day. On Election Day, at the start of the
morning's computing, the first .EXE executed which has a VOTE
'companion' counterpart will result in activation. VOTE will lock
the machine into a loop in which the user is gently but insistently
reminded to go to the polling place. Computing will be impossible
on Nov. 3rd, unless VOTE is completely removed from the system.
After Nov. 3rd, VOTE will again become transparent.
VOTE is an ideal virus and we encourage the Crypt reader to do his
bit (ouch!) to reawaken democracy in this country. VOTE will not harm
files in any way. VOTE is simply removed by booting from
a clean disk, tallying up all the 'hidden/read-only' 348 byte .COM
duplicates of .EXE files, and deleting the .COM files. No special
anti-virus software is necessary, as long as the user knows VOTE is
afoot and what to look for.
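The removal recipe above is really a detection rule: a companion (spawning) virus leaves a NAME.COM next to every NAME.EXE it 'infects', and because DOS resolves NAME.COM before NAME.EXE the companion runs first. The following script, added here as an illustration and not part of the newsletter or of the VOTE listing, walks a directory tree and reports every .COM that shadows a same-named .EXE, along with the attributes a responder would check: the file size (348 bytes is the figure the text gives for VOTE; other spawners differ, so it is one signal and not the sole criterion), the read-only bit and the hidden bit. The sample tree it builds is constructed for the demo; nothing in the script executes or modifies any file it finds.

```python
"""Companion-virus artifact finder (added example, not from the newsletter)."""
import os
import stat
import sys
import tempfile
from dataclasses import dataclass

# Companion size the newsletter quotes for VOTE. Treat it as a hint only.
VOTE_COMPANION_SIZE = 348


@dataclass
class Finding:
    com_path: str
    exe_path: str
    size: int
    read_only: bool
    hidden: bool

    @property
    def matches_vote_size(self) -> bool:
        return self.size == VOTE_COMPANION_SIZE


def _is_hidden(path: str, st: os.stat_result) -> bool:
    # Windows preserves the DOS hidden attribute; elsewhere the closest
    # analogue is the dot-file convention.
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return os.path.basename(path).startswith(".")


def _is_read_only(st: os.stat_result) -> bool:
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_READONLY)
    return not (st.st_mode & stat.S_IWUSR)


def find_companions(root: str) -> list[Finding]:
    """Return every NAME.COM that sits beside a NAME.EXE under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_stem: dict[str, dict[str, str]] = {}
        for name in files:
            stem, ext = os.path.splitext(name)
            by_stem.setdefault(stem.upper(), {})[ext.upper()] = name
        for stem, exts in sorted(by_stem.items()):
            if ".COM" in exts and ".EXE" in exts:
                com = os.path.join(dirpath, exts[".COM"])
                st = os.lstat(com)
                findings.append(Finding(
                    com_path=com,
                    exe_path=os.path.join(dirpath, exts[".EXE"]),
                    size=st.st_size,
                    read_only=_is_read_only(st),
                    hidden=_is_hidden(com, st),
                ))
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed sample: one shadowed .EXE, one clean .EXE, one lone .COM."""
    os.makedirs(os.path.join(root, "UTIL"), exist_ok=True)
    with open(os.path.join(root, "EDIT.EXE"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 100)
    with open(os.path.join(root, "EDIT.COM"), "wb") as f:        # the companion
        f.write(b"\x90" * VOTE_COMPANION_SIZE)
    os.chmod(os.path.join(root, "EDIT.COM"), stat.S_IRUSR)         # read-only
    with open(os.path.join(root, "UTIL", "CLEAN.EXE"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 100)
    with open(os.path.join(root, "UTIL", "TOOL.COM"), "wb") as f:  # genuine .COM
        f.write(b"\xc3")


def demo() -> list[Finding]:
    """Build the sample tree, scan it, print and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = find_companions(root)
        for f in findings:
            tag = "VOTE-sized" if f.matches_vote_size else "other size"
            print(f"{f.com_path}: {f.size} bytes, read_only={f.read_only}, "
                  f"hidden={f.hidden} ({tag}) shadows {f.exe_path}")
        # restore write permission so the temp dir can be removed everywhere
        os.chmod(os.path.join(root, "EDIT.COM"), stat.S_IRUSR | stat.S_IWUSR)
        return findings


if __name__ == "__main__":
    sys.exit(0 if demo() else 1)
```

Run it against a real tree by calling find_companions on the mount point of the suspect disk from a clean boot, as the text advises; every hit is a candidate for the manual tally-and-delete step, and a hit that is both read-only and exactly 348 bytes is the profile the newsletter describes.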
The Crypt reader will remember the basic characteristics of the
INSUFF spawning virus in issue #6. VOTE utilizes the same principles,
attacking poorly implemented systems auditing and integrity checking
software like that found in CPAV. In fact, VOTE can operate IN THE
TEETH of a number of a-v software default installations. Unlike
unknown resident viruses which instantly attempt to infect a-v
software as it fires up, thus making the set-upon program squeal
about file modification, VOTE can successfully 'infect' any
program which can't scan it. It will instantly create a 'companion'
which will go resident any time the a-v program is subsequently
used. Tested against CPAV, SCAN, tbSCAN, AVScan and Leprechaun's
Virus-Buster, VOTE capably created 'companions' for each executable
as they were employed. And none of the packages seemed to mind.
Some a-v types prefer to refer to viruses like VOTE as "worms," because
like the archetypical INTERNET "worm," they do not alter the programs
they 'infect.' Recently, another corporate-military-security stiff
even suggested the term "viro-worm" on the CSERVE VIRUSFORUM. This
is an example of idiot-savant jargon. Good for cowing the uninitiated,
it serves the additional purpose of convincing a dupe that he has
actually gotten value for his money if ever he hands over a certified
check for someone's "computer security paper." You should know
"companion virus" remains a perfectly acceptable term for programs
like VOTE. It is clear, concise and descriptive, something
"viro-worm" is not.
The source code for the VOTE "companion virus," as well as its
DEBUG script, are included in this issue. The TASM listing invites
the reader to extend the life of VOTE beyond November 3rd by simply
changing the activation.
However, for those Crypt subscribers convinced that democracy has failed
and that Election Day is a mere sham perpetrated by the ruling elite,
we include VOTERASE. VOTERASE is exactly like VOTE, EXCEPT on Election
Day it wakes up and expunges all files from an infected system.
VOTERASE displays no message, it merely makes Election Day into an
even harder working day. VOTERASE is quick. Files disappear in mere
fractions of a second. A heavily infected disk could, theoretically,
be emptied in minutes after the start of the day's computing on Nov. 3rd.
The DEBUG script for VOTERASE is included with this issue. (Note:
VOTERASE will not damage the partition table of the hard file or
overwrite programs with gobble. The hard disk will experience boot
failure if its command processor and system files are removed by
VOTERASE. In most cases, a simple restoration from backup after
elimination of VOTERASE should get things moving again.)
The Crypt Newsletter has included the VOTE viruses to commemorate
America's long tradition of rule by and for the people!
Disclaimer: The VOTE viruses are non-partisan. Neither recommends
that you vote for any particular candidate.
So remember, just VOTE!!! Your computer could be watching!!
***********************************************************************
***********************************************************************
INCAPABILITIES: PRODIGY USERS GRUMBLE ABOUT NORTON ANTIVIRUS 2.1
***********************************************************************
In Crypt newsletter #6, we reprinted an ad issued by SYMANTEC touting
the new Norton Antivirus's ability to scan for Mutation Engine-loaded
viruses.
To make a point, we created the INSUFF viruses to poke a hole in
this claim. Our tests showed that Norton Antivirus 2.1 did not detect
ANY mutations generated by ANY of the MtE-loaded INSUFF viruses.
Now users of NAV 2.1 are starting to complain on PRODIGY, the
Sears Roebuck electronic info service for novice
computerists, that the SYMANTEC software detects the MtE in some
data files. Henri Delger, a virus watcher on PRODIGY who
advises people with questions on rogue programming, has chronicled
this as a nasty false-positive bug inherent in NAV 2.1. He
recommends users demand free upgrade to the next version. Delger
estimated that NAV 2.1 reliably detects about 40% of known
viruses.
Smart consumer advice: NAV 2.1 will detect false MtE images in your
data, but remains incapable of detecting real MtE infections.
In a spot evaluation of Central Point Software's
Anti-Virus, we ran its scanner against 350 virus samples
generously obtained from Long John Silicon by way of Todor
Todorov's virus collection. CPAV identified 68% of the samples,
as contrasted to F-PROT 2.05, which detected a full 98%.
Smart consumer advice: Why pay $100 for something which works
poorly, when you can have a finely tooled racin' machine for free?
********************************************************************
ADDITIONAL DATA ON HILGRAEVE's HyperACCESS/5 COMM PROGRAM:
You may still be interested in the virus scanner part of Hilgraeve's
HA/5, commented on only briefly in the previous issue. But you
require more information before you unhitch your trucker's wallet.
Here, then, in Hilgraeve's own words:
"To give you the most comprehensive, up-to-date protection possible,
Hilgraeve uses the same signatures as the IBM Virus Scanning
Program, with IBM's consent. This is an excellent source, because
IBM devotes tremendous effort to collecting and identifying
viruses."
Sez who? Does anyone you know actually use IBM software?
Anyway, while HA/5 remains a fine terminal program we continued
to be dismayed at its HyperGuard 'virus filter' performance as we
used it to transfer samples between BBS's in eastern Pennsylvania.
Eventually, we just turned the 'filter' off. As of now, BBS and comm
program scanners have a long way to go before they are of much
practical use. And that doesn't even begin to deal with
programming tricks like PKliting and stand-alone encryption which
are used to 'conceal' scanned viruses and logic bombs during
electronic transfer.
We recommend Hilgraeve delete this feature from future versions of
HA/5 and replace it with an in-line file archiver to complement
the software's handy "Unpack" de-archiver.
**************************************************************************
MCAFEE GOES PUBLIC, TRANSLATION: EMPLOYEE STOCKHOLDERS GET 'FUCK YOU'
MONEY - DON'T YOU WISH YOU DID??
Purloined from CSERVE's Online Today, Oct. 7, 1992
**************************************************************************
Online Today
MCAFEE ASSOCIATES GOES PUBLIC
(Oct. 7)
McAfee Associates Inc., known for its line of anti-virus
software, has gone public and investors gave the stock of the Santa
Clara, Calif., firm a warm reception. On its first day of public
trading, the stock rose 25 percent over its initial price.
According to United Press International, McAfee offered 1.05
million shares, with the remaining 1.55 million coming from
stockholders. It has 11 million shares of common stock outstanding
after the offering.
Yesterday, McAfee shares closed at $20.125 in over-the-counter
trading. Its 2.6-million-share offering was priced at $16 a share.
Besides its anti-virus software, McAfee recently released its first
two general purpose utilities to enable users to repair damaged
files and disks.
Reports from United Press International are accessible in
CompuServe NewsGrid database (GO NEWSGRID) and through the Executive
News Service (GO ENS).
--Charles Bowen [Well, look who it is!]
****************************************************************************
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
IN THE READING ROOM: "Cyberpunk: Outlaws and Hackers on the
Computer Frontier" by Katie Hafner and John Markoff
(Simon & Schuster paperback)
Divided into three discrete sections, "Cyberpunk," for the most part,
attempts to retell the tale told by Cliff Stoll in "The Cuckoo's
Egg." And why not? The story of a bunch of disgruntled, drug-gobbling
Huns attempting to steal phony U.S. defense secrets off the INTERNET
for a computer-ignorant KGB is too fantastic to be anything less than
riveting.
And so what if it's old news! It's the telling that counts and though
it's fairly obvious that the authors know about as much about
computers as the journalists who covered Michelangelo, "Cyberpunk" is
still a better read than anything a systems programmer could dream up.
[Well, maybe I'm a little unfair to the authors. Katie Hafner WAS an
editor at Data Communications magazine, so she MUST know what a
computer is. However, John Markoff reports on the industry for the New
York Times and as far as I can tell there's never been any sign of
sentient life in 'tech' reporting from that quarter.]
As for the virus story there's almost none unless you count
Robert T. Morris, Jr.'s, INTERNET "worm." But, you'll thrill to the
description of Morris's father, anyway. You'll be able to picture him
as just the kind of patronizing, intellectual turd you'd expect would
be asked to be the head of a NSA research arm secretly figuring out
new ways to break codes, new ways to open people's mail, still more
interesting and new ways to listen in on your telephone conversations,
even more fun and interesting ways to waste taxpayer money without
having to tell you about it, yet more ways to raise a kid who uses
tips you've given him from the NSA to create a national scandal,
new and great ways to be a king-asshole snoop gr-zz-rrz-zzzz, etc.
Yeah, that's hot!
And "Cyberpunk" has all the info on "hacker" Kevin Mitnick who
terrorized small businesses, the phone company and numerous
college administrators in Southern California. His was a glorious
life, spending long hours cajoling lonely business secretaries
into giving away system passwords over the phone, just like the cons
at the local jail who even as you read this are no doubt ripping off
someone stupid from the pay phone in the prison lounge.
Yes, a most excellent "phone-phreak" life, where you take off for
a weekend of brute-force hacking ensconced in the luxurious
digs of the local "hooker" crashpad. Yup, learn how to be an
elite "cyberpunk," cuffed to a chair in the night watchman's office
like a common piss-soaked drunk caught wandering the campus of a
local community college. That's where it's at, man. And "Cyberpunk"
will give you a good idea on just how to go about it.
The Crypt Newsletter recommends "Cyberpunk"!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
666 - the DEICIDE virus, for all the Crypt Newsletter's Slayer fans
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
DEICIDE is a simple, horribly destructive overwriting virus. It
will attempt to infect all .COM files except COMMAND.COM in the
root directory on any disk. Once it has run out of .COM files to
infect, it will smash the C: hard file by meddling with its first 80
sectors.
Programs infected by DEICIDE are completely destroyed. When called
DEICIDE will display "File corruption error," just the kind of
cryptic DOS message that will send a new computer user into
paroxysms of confusion.
The A86 source of DEICIDE is included in this issue. Liner notes
and an 'altered' DEBUG script are also provided, supplying a 'new'
copy of DEICIDE to readers interested in further study.
DEICIDE is not very long-legged as viruses go; in fact, one might
consider it more along the lines of a slightly 'delayed' trojan.
Its author, "Glen Benton," has written a number of other similar
viruses from his refuge in Holland.
**********************************************************************
ADDITIONAL SOFTWARE DOCUMENTATION FOR CRYPT NEWSLETTER #7:
**********************************************************************
By now, perhaps, you know the drill. Software described in the
Crypt newsletter is supplied as source code, DEBUG scripts, or
both. For those without an assembler, copy the .SCR files in
this archive into a directory and bring up the C:> prompt.
If the DOS program DEBUG is in your path, merely type
DEBUG <*.scr
where *.scr is the .scr file for the software you wish to
produce. Then hit <enter>.
After a few moments, the program should be ready for you in
the current directory.
[If even this seems like a mystery, feel free to get someone
to help who knows what he's doing. We recommend, however, that
in this case you NOT try executing Crypt Newsletter software.]
This issue contains the VOTE viruses. VOTE is included as
a listing and DEBUG script, while VOTERASE is supplied only
as a script. In addition, you will find the A86 source
listing for the DEICIDE virus and its corresponding scriptfile.
Additional user notes for this issue are found in the
headers of the accompanying assembly listings.
Remember, that programs included with the Crypt Newsletter
are quite capable of destroying your data, executable valuables
and/or making your day seem overlong. In fact, your computing day
WILL be made longer if you are stupid and careless with them.
Indeed, your father, wife or significant other will probably not
find DEICIDE clever and amusing at all if it gets loose for half
an hour on the family system while the company news organ or some
equivalent, but necessary, twaddle is being prepared.
******************************************************************
This issue of the Crypt Newsletter SHOULD contain:
CRPTLET.TR7 - this text
VOTE.ASM - TASM source listing for the VOTE virus
VOTE.SCR - DEBUG script for the VOTE virus
VOTERASE.SCR - DEBUG script for the VOTERASE virus
DEICIDE.ASM - A86 listing for Glen Benton's DEICIDE virus
DEICIDE2.SCR - DEBUG script for the DEICIDE virus
If any of these files are missing: Complain at once,
go to any of the BBS's listed following this text, and
grab a COMPLETE copy.
******************************************************************
Additional note: Vidkun Quisling is an infamous trademark of
the Norwegian government. Quisling, a WWII Axis collaborator,
aided Adolf Hitler in his conquest of Norway in 1940. In gratitude,
Der Fuehrer made him Norway's puppet ruler. After the war ended,
angry Norwegians tried Quisling for treason, won an easy conviction
and had him shot.
******************************************************************
Readers should feel free to send e-mail to editor URNST KOUCH
on any of the BBS's listed in this file. On Hell Pit, I can be
reached as COUCH.
To ensure you don't miss an issue of the newsletter, I invite you
to come to DARK COFFIN and e-mail me with a data number of your
favorite BBS. I'll include it in my database and begin delivery if
they'll have it. This guarantees you'll be the first on your block
to get fresh issues.
The Crypt newsletter is distributed first at the following sites:
╔═══════════════════════════════════════════════════════════════════╗
║ This V/T info phile brought to you by ç,                          ║
║ Makers/Archivists/Info Specialists on Viruses/Trojans.            ║
╠═══════════════════════════════════════════════════════════════════╣
║ Dark Coffin ···················· HQ/Main Support ··· 215.966.3576 ║
╟───────────────────────────────────────────────────────────────────╢
║ VIRUS_MAN ······················ Member Support ···· ITS.PRI.VATE ║
║ Callahan's Crosstime Saloon ···· Southwest HQ ······ 314.939.4113 ║
║ Nuclear Winter ················· Member Board ······ 215.882.9122 ║
╚═══════════════════════════════════════════════════════════════════╝