Crypt newsletter 12
ÜÜÜ ÜÜÜÜÜÜÜÜ ÜÜÜ ÜÜÜÜÜÜ ÜÜ ÜÜ ÜÜÜ ÜÜÜÜÜ ÜÜÜÜÜÜÜ ÜÜÜÜÜ
Û±±Û Û±±±±±±±Û Û±±Û Û±±±±±Û Û±±Û Û±±Û Û±±Û Û±±±±Û Û±±±±±±Û Û±±±±Û
Û±±Û ßßßßßßßß Û±±Û ßßßßÛ±±Û Û±±Û Û±±Û Û±±Û ßßßÛ±±Û ßßßÛ±±Û ßßßßß
Û±±Û Û±±Û ÜÜÜÜÛ±±Û Û±±Û Û±±Û Û±±Û ÜÜÜÛ±±Û Û±±Û
Û±±Û Û±±Û Û±±±±±Û ßß Û±±Û Û±±Û Û±±±±Û Û±±Û
Û±±Û Û±±Û ßßßßÛ±±Û Û±±Û Û±±Û ßßßßß Û±±Û
Û±±Û ÜÜÜÜÜÜÜÜ Û±±Û Û±±Û Û±±Û Û±±Û Û±±Û
Û±±Û Û±±±±±±±Û Û±±Û Û±±Û Û±±Û Û±±Û Û±±Û
ßßß ßßßßßßßß ßßß ßß ßß ßßß ßß
NEWSLETTER NUMBER 12
**********************************************************************
Another festive, info-glutted, tongue-in-cheek training manual
provided solely for the entertainment of the virus programmer,
security specialist, casual home/business user or PC hobbyist
interested in the particulars - technical or otherwise - of
cybernetic data replication and/or mutilation. Jargon free, too.
EDITED BY URNST KOUCH, January - February 1993
CRYPT INFOSYSTEMS BBS - 215.868.1823
**********************************************************************
TOP QUOTE: "We live in cheap and twisted times."
--Hunter S. Thompson, "Songs of The Doomed,"
1990.
-------------------------------------------------------------------
IN THIS ISSUE: NEWS . . . Anti-anti-virus viruses revisited:
the LOCKJAW series, quick analysis of the SANDRA virus . . . IN
THE READING ROOM: critique of various articles; review of
MONDO 2000 annual; VIRUS: The comic book! . . . return to
MICHELANGELO virus: an appraisal of the media's mishandling of the
March 1992 affair and software vendor collusion . . . sophisticated,
but warped, humor . . . and the usual potpourri of material.
**********************************************************************
********************************************************************
MICHELANGELO HYPE REVISITED: A SKEPTIC'S VIEW
********************************************************************
Just about a year ago the media exploded with weird stories of
impending catastrophe at the hands of a mysterious computer program.
Thrown a newsprint and TV body-block by techno-impaired editors and
reporters lacking even the sense to pour piss from a boot, the world
reeled. But the sky refused to fall and in the best tradition of
"calendar" journalism, the Crypt Newsletter has received permission
to reprint a critique of the events surrounding March 6, 1992.
"THE LITTLE VIRUS THAT DIDN'T: The press couldn't get enough
of Michelangelo. But did it fall prey or save the day?"
Republished from the Washington Journalism Review, May 1992.
The great Michelangelo computer virus scare of 1992 has proved to be
another classic example of Chicken Little journalism -- or the
Reporters Who Cried Wolf, depending on your taste in fairy tales.
At first glance, the story was a sexy one. The virus had an
instantly recognizable name. It was attached to a specific date --
March 6 --an attractive hook for editors with a penchant for calendar
journalism. It was simple: On the birthday of its namesake, the virus
would destroy data within the computers it had infiltrated through
infected disks. And it boasted big numbers: By one estimate, as many
as 5 million IBM and IBM-compatible computers worldwide were going
to be victims of Michelangelo, a relatively small computer code written
and unleashed by an anonymous, devious programmer.
Newspapers around the country ran headlines warning of imminent
disaster. "Thousands of PC's could crash Friday," said USA Today.
"Deadly Virus Set to Wreak Havoc Tomorrow," said the Washington Post.
"Paint It Scary," said the Los Angeles Times.
Weeks after M-day, many antiviral software vendors and some reporters
still insist the coverage prevented thousands of computers from
losing data. John Schneidawind of USA Today says "everyone's PC's
would have crashed" had the media not paid much attention to
Michelangelo.
The San Jose Mercury News credited the publicity with saving the day.
One widely quoted antiviral vendor, John McAfee of McAfee Associates,
says the press deserves a medal.
In reality, many of the predictions were suspect. Those making them,
often computer security product vendors or closely related industry
associations, usually stood to profit from the widespread coverage.
And many reporters bit hard.
One vendor who played a key role was McAfee, one of the nation's
leading antiviral software manufacturers and founder and chairman
of the nonprofit Computer Virus Industry Association (CVIA). It was
McAfee who told many reporters that as many as 5 million computers
were at risk. He says he made the projection based on a study
that the virus had infected 15 percent of computers at 600 sites.
Both Reuters and the Associated Press sent the figure around the world.
McAfee says he didn't present it the way it was reported. "I told
reporters all along that estimates ranged from 50,000 to 5 million,"
he says. "I said, '50,000 to 5 million, take your pick,' and they
did."
But researcher Charles Rutstein of the International Computer
Security Association (ICSA), a for profit consulting group,
says even 50,000 was an exaggeration. Also widely quoted,
Rutstein says he told reporters early on to expect no more than
10,000 computers infected worldwide. (There are more than 35 million
computers in the United States alone, according to some estimates.)
"Five million is just ridiculous, but the press believed it because
they had no reason not to," Rutstein says now. "McAfee seems
credible." (McAfee responds that the ICSA and other critics are
"fringe groups.")
While many articles failed to disclose or merely mentioned in passing
that McAfee's antiviral software has sold more than 7 million copies
of its Viruscan and expects revenues of more than $20 million this year,
McAfee scoffs at the idea that he or other vendors hyped the threat
to generate sales. "I never contacted a single reporter, I never sent
out a press release, I never wrote any articles," he says. "I was just
sitting here doing my job and people started calling." He maintains
that the coverage of Michelangelo cost him money. "It was the
worst thing for our business, short-term," he says. "We offer
shareware [where users are trusted to pay], so we got tons of calls
from non-paying customers.
"Before the media starts to crucify the antivirus community," he
continues, "they should look in the mirror and see how much [of the
coverage] came from their desire to make it a good story." But
he adds quickly, "Not that I'm a press-basher."
Schneidawind's and AP's efforts after March 6 to track Michelangelo
found only a few thousand afflicted computers worldwide, including
2,400 erroneously reported to be at the New Jersey Institute of
Technology. The institute actually had only 400 computers infected
with any virus; few had Michelangelo. A Philadelphia Inquirer
reporter got it wrong, says institute spokesman Paul Hassen, and it
spread quickly. "That was the first time I've been that close to
a feeding frenzy," he says. Perhaps the most embarrassed news
organization was CNN, which on March 6 staked out McAfee's offices
in Santa Clara, California, waiting for a doomsday that never
came.
Soon after the clock struck midnight on March 6, many reporters
seemed to suspect they'd been had. The Los Angeles Times, which
had quoted McAfee's 5 million figure on March 4, carried a
Reuters story three days later that reported the "Black Death"
had turned out to be little more than "a common cold."
AP downgraded its "mugger hiding in the closet" to a mere "electronic
prank."
AP Deputy Business Editor Rick Gladstone says the wire service
quickly downplayed the story after its initial reports and included
comments from the ICSA's Rutstein, who said the threat from the
virus had been exaggerated. "Our big oversight was to quote
McAfee's 5 million figure in the beginning of the coverage but we
backed off that," Gladstone says, adding that his staff "felt
somewhat vindicated" when relatively few computers were affected on
March 6. "Some of us in the press were suckered," he says.
Schneidawind doesn't feel he was. "We went into this with our
eyes open," he says. But on March 9, in an article entitled
"Computer virus more fright than might" (the subhead was a
more confident "Michelangelo kept at bay by early detection"),
the USA Today reporter chronicled his frustrations tracking the
virus. He reported that he had asked Rutstein and McAfee, again
identified as the CVIA chairman, to provide a working sample
of Michelangelo. Both declined. "It'd be like giving him a
biological virus because he wanted to play with it," McAfee says.
McAfee was also "reluctant to divulge the names of companies
struck by the virus" according to Reuters.
McAfee now estimates that only 10,000 systems were stricken
worldwide on March 6, a number he says he derived by counting the
number of calls he received from victims and guessing that they
estimated 5 percent of the total. But he insists the numbers
aren't as important as "the scope of the problem," which, he says
the press largely ignored. "For the first time, you had large
well-respected companies shipping the virus with their new computers
and software. How did it filter into secure environments like
that?"
Schneidawind agrees. "The estimates may have been overblown,
but no one knew for sure until the 6th," he says. "Consider the
BCCI scandal, where everyone faulted the press for not being there.
I'd rather err on the side of caution."
Schneidawind didn't seem to do that in a sidebar to his March 9 article
in which he listed other computer pests poised to strike in March.
Supplied by yet another antiviral software vendor, the list did not
reveal that most of the bugs were either variants of the same
root virus -- known as "Jerusalem" -- or rare species found only
in eastern Europe. Like many others the story did not make clear
that every week of the year is filled with trigger dates for
numerous viruses. (Or that user mistakes destroy more data than
viruses do.) More importantly, only a handful of some
1,000 worldwide viruses are common enough that a user may
occasionally encounter one. Of those, most only display silly
messages or compel the computer to play a tune.
On March 6, Michael Rogers and Bob Cohn of Newsweek offered a post
mortem to Michelangelo that warned readers to "beware the next round
of computer viruses," including the Maltese Amoeba and "the scariest
new virus . . . the Mutation Engine." What they and others such as
Ted Koppel of ABC's Nightline and John Fried and Michael Rozansky
of the Philadelphia Inquirer failed to say was that the Maltese Amoeba
had only been active in Ireland. Moreover, the Mutation Engine isn't
a virus at all, but a user-friendly encryption tool that virus-writers
use to disguise their creations.
To their credit, neither The New York Times nor The Wall Street Journal
gave much credence to Michelangelo. John Markoff of the Times in
particular provided restrained, intelligent coverage that virtually
ignored McAfee and other antivirus vendors. And The Journal's Walter
Mossberg wrote a "Personal Technology" column that realistically
appraised the viral threat as minimal.
Unfortunately, the hype over Michelangelo could cause wary journalists
to ignore more prevalent destructive viruses that could occur in
the future. It will cause more of the rogue programs to be
circulated, if only because their creators love the
attention. For some soul, the coverage given to
Michelangelo must have provided quite an adrenalin rush. It certainly
did for the press.
---------------------------------------------------------------------
As for a look back a year later:
1. Whatever happened to the Maltese Amoeba? The answer:
Who cares?
2. Where is the sound of PC's crashing in 1993 to the tune
of the "scariest new virus . . . the Mutation Engine"?
*****************************************************************
MODEL ANTI-VIRUS AUTHOR LEGISLATION PRESSED INTO THE
HANDS OF THE CRYPT NEWSLETTER: PETER TIPPETT HAS
COMPANY NAME ATTACHED TO RISIBLE DRIVEL
*****************************************************************
Recently we've had the time to look over a back issue of
Virus News and Reviews which contained some "model"
legislation designed for the express purpose of combating
computer viruses. Devised by Peter Tippett of Certus International,
the document makes clear that it was written to impress people
ignorant of computers in even the most general sense. It
propagates the idiotic notion that writing viruses is some kind
of specialized skill, or "art" as Tippett puts it, and by
regulating individuals expert in the "art," the computer virus
problem can be solved.
For example, an excerpt from Tippett's "model" in Virus News
and Reviews (July 1992):
"A computer virus may only be created or modified, but never sold,
distributed, or allowed to be distributed, for bonafide research
purposes, and then only under the following circumstances:
"1. The virus is created for a legitimate, localized research
purpose;
"2. Strict provisions are made to always contain the virus within
the expressed domain of its author/researcher and to not allow the
virus to replicate or otherwise move to any media or computing
system outside of the author's/researcher's direct control;
"3. At least five days before any computer virus is created or
modified under this sub-part, the intent to create or modify a
computer virus must be publicly announced by its intended author in
at least three publicly available publications, each with a
circulation of at least 100,000. The announcement will contain at
least:
1) the name, company, title, address and telephone number of the
responsible party,
2) the name, company, title, address and telephone number of the
computer virus author, if different than the responsible party,
3) the address and location of the intended research,
4) the start date and intended finish date of the intended
research, and
5) the expressed intent to create or modify a computer virus.
"4. The research or study virus, or virus modification must contain
within its own code, and in a form that survives replication to all
progeny of the parent virus, the name of the responsible party and
other information sufficient for anyone of average skill in the art
to reliably discover."
Point 1 calls for the formation of a judging group which will appraise
virus research as worthy of license. To this day, no such group
exists in any field of scientific (professional or non-professional)
endeavor, at least not in the way envisioned by Tippett's model
legislation. The closest things to this are government research and
granting agencies like the National Science Foundation. But,
while the NSF doesn't have to grant money for research it feels
is inexpert or uninteresting, it has no power to make it taboo.
(It can create an environment where certain avenues of research
are seen as "unfundable." This can be crippling in some fields,
but not in this case where just about anyone with a couple
PC's, a modem and a real desire to work can set up shop.)
Tippett's legislation would be a first in this regard. We think this
is a laughable assumption that shows a typical businessman's lack of
knowledge about how the critical pursuit of information
proceeds in any field. (In an aside: Tippett's writing brings
to mind Robert X. Cringely's assessment of Lotus Development's
Jim Manzi as an American businessman who shuns PC's, hates using
them and considers researchers and technical people "dickheads.")
In Point 3, Tippett requires publication notice for virus creation.
This is an unenforceable bureaucratic requirement which would be
unlikely to be taken seriously even by people working in a
"legitimized" environment.
As for Point 4: Many virus authors and researchers already put plenty
of identification in their creations. This hasn't changed anything
nor does it prevent people from erasing or altering such identification
at whim. This point serves no obvious purpose and, in our opinion,
is legally meaningless.
The remainder of Tippett's "model" is similarly uninformed as to the
reality of virus construction and distribution, embarrassing when
one considers that he's published in Virus News and Reviews. But
perhaps this is intentional, since the facts are difficult to
adequately describe in a mere one-page letter. As a "paper" or
proposal in any college course worth its salt, Tippett's submission
would gain a solid F. But for congressional legitimacy, if that's
its aim, excellence is not a requirement. Maybe Peter Tippett
is a lot smarter than we think.
**********************************************************************
IN THE READING ROOM: VIRUS - THE COMIC BOOK!
********************************************************************
It had to happen. There have been sci-fi and techno-thrillers
about viruses, so WHY NOT a comic book?
You'd expect this to be strange, but so what! Aren't a lot of
comics? Why should "Virus," published by Dark Horse, be
an exception?
But first, a little background. Dark Horse has made its name
by peddling an endless flood of titles devoted to squeezing
the last drop of greenish ichor from movies like "Alien" and
"Predator." That philosophy ensures just about anything it
prints is a big hit, selling out immediately in the kinds of comic
stores run by tubercular, ex-artfags with an intense dislike
for patrons who don't reserve at least ten new titles each
month.
You'd imagine, then, that a copy of "Virus" was tough for
The Crypt Newsletter to find. It was. And if not for alert reader
Captain AeroSmith who shipped one air-freight from Cleveland, we
might not have seen it at all.
That said, the first issue of "Virus" wasn't bad. Fair art, good
dialogue and a story that revolves around an abandoned Chinese
radar and telemetry ship that comes under the power of some
inter-cosmic computer virus that has beamed down into its radio
antenna and set up shop in the mainframe. The original crew is
butchered, necessitating the trapping of some ocean-wandering riff-raff
who think they're going to appropriate the boat for lots of cash
money. "Virus" nixes this plan at once by ripping the
breast-bone out of one of the thieves with the aid of a
computer-controlled winch.
"Aaaiiieeee!" screech the trapped sailors. They want out, but not
before being attacked by something that looks like a cross between
a kite and a flying pipe-wrench made from sails and human integument.
What does this have to do with viruses or the computer
underground? Who knows! "Virus" is cracked, but I guarantee you'll
be negotiating with your local dealer for the next issue.
*******************************************************************
IN THE READING ROOM II: MONDO 2000 - A User's Guide To The
New Edge by R. U. Sirius, Queen Mu and Rudy Rucker (HarperPerennial)
*******************************************************************
"Thanks for a country where no one's allowed to mind their
own business . . . Thanks for a nation of finks."
--William S. Burroughs in "Mondo 2000"
I'm no expert on the "cyberpunk" magazine, but MONDO 2000 -
the book - squeezed a smirk out of me when the William Burroughs
quote cropped up amidst non sequiturs and chapters on pranking the
media and "smart" drugs. That the wizened author of "Naked Lunch" is
now a centerpiece in such an effort surely has some kind of
quantum significance. So, know that MONDO 2000 is the literary
equivalent of a Ren & Stimpy cartoon: stretches of intense
flatulence punctuated by flashes of brilliance and dumb cunning.
[Much like the Crypt Newsletter, perhaps.]
For instance, the chapters on "smart" drugs and tarantulas (?!)
are patent nonsense. The "smart" drug idea comes from that
small segment of the populace who've accidentally rediscovered
how absorbing a read the Physician's Desk Reference is when your mind
has that "roasted" character that comes from too many simultaneous
hits of caffeine and unfiltered Camels. Tarantulas, Queen Mu says,
are deadly, too. (I knew it, I knew there had to be a reason they
sell the ugly things to any schnook who goes into a pet store!)
If you can overlook stuff like that, MONDO 2000 is hep.
Rudy Rucker's introductory essay, for one thing, is inspirational.
And there's plenty of weird computer jokes, BBS's to call,
summaries of all the important stuff that's gone down in "cyberspace"
in the past ten years - in other words, MONDO 2000's a good book for
the coffee table. It will impress your friends, I bet.
********************************************************************
QUICK AND DIRTY DISASSEMBLY OF VIRUS CODE: THE SANDRA VIRUS -
AN ENCRYPTED ANTI-ANTI-VIRUS VIRUS SPILLS ITS SECRETS TO ANY
LAYMAN
*******************************************************************
This month, two articles crossed Crypt Newsletter desks that painted
the picture that virus disassembly is a job best left to the experts.
It is a common myth - a nuts, self-serving statement propagated by
greedheads who WANT you to think that you are a helpless schnook.
In reality, anyone who works seriously with viruses knows that in
90% of all cases, virus disassembly is about a 5-minute job, tops.
As an illustration, the Crypt Newsletter will walk you through
a quick and dirty dissection of the SANDRA virus using only
two tools: the shareware ZanySoft debugger and the retail Sourcer
commenting disassembler programs.
Since the Sandra virus came into this country as a "naked" file, there
is little need to instruct you in how to get the virus onto a clean,
small, workable "host." Since no virus researcher
had to do it, we will presume, in this case, that you won't have
to either. (And that leaves room for another chapter in this
story in the next issue.)
The first step is a no-brainer. Fire up Sourcer with the following
command line (this presumes you have created the SANDRA virus from
the DEBUG script supplied with the Crypt Newsletter):
C>SR SANDRA.COM
This will load SANDRA into Sourcer and bring up the disassembler's
menu. The Sourcer defaults will suffice, so hit "G" for GO.
In less than 15 seconds Sourcer will have coughed out a file
called SANDRA.LST. Take a look at it. By the black-coated
turd from Jesus's arse! What gibberish. You'll see that SANDRA
appears to be a small segment of cryptic assembly code instructions,
then some words that almost look like English and quite an oodle of
hexadecimal values arrayed in columnar "define byte" (or "db")
format.
This immediately tells the experienced eye that SANDRA is
encrypted, and rather weirdly at that. (If SANDRA had been unencrypted,
your job would be finished. The virus would be laid out in front
of you.)
The next step, then, is to trick the virus into decrypting itself
and then writing the "plain text" version to disk. This is simple
in theory, only slightly more difficult in practice. Envision that
the portion of the virus you want to execute is the decryptor
loop, a small stretch of instructions which will unscramble the
virus in memory. Might not that segment of cryptic assembly gobble
that Sourcer produced on its first pass contain the keys to
the decryptor? Yup, good guess. And it looks like this:
seg_a           segment byte public
                assume  cs:seg_a, ds:seg_a
                org     100h
sandra          proc    far
3C44:0100                       start:
3C44:0100  F8                   clc                     ; Clear carry flag
3C44:0101  E8 002F              call    sub_2           ; (0133)
3C44:0104  FB                   sti                     ; Enable interrupts
3C44:0105  F8                   clc                     ; Clear carry flag
3C44:0106  <--execute to this address                   jmp     loc_6   ;*(027C)
3C44:0106  E9 73 01             db      0E9h, 73h, 01h
3C44:0109  3C                   data_3  db      3Ch     ; xref 3C44:013D
3C44:010A  00                   data_4  db      0       ; xref 3C44:0149
You notice that SANDRA starts by calling a sequence of instructions
dubbed "sub_2" by Sourcer. Looking down the listing (which is
not included here) you see that "sub_2" is another segment of
plain-text assembly code. This is the viral unscrambler and when
we have returned from it, the virus is ready to cook off. The next
job for SANDRA, then, is to begin its work. Looking at
the assembly commands above, you see SANDRA jumps (jmp) to a new
location, which looks encrypted in the listing you're
working on.
The idea you want to use is that by executing the virus right
up to the "jmp," it's possible to get it to translate itself
in memory without it looking for a file to infect, infecting that
file and re-garbling itself. This is easy to do with any
debugger. We'll use the ZanySoft product because it's not
as intimidating as DOS's DEBUG to the novice user. In fact,
it is almost idiot-proof and requires little overhead on
the part of anyone.
Fire up the ZanySoft debugger by typing:
C>ZD86
ZanySoft is menu driven. Use its "File" drop-down menu to
load the virus. Then bring down its "Run" menu and double-click
on the "go to xxxx:xxxx" command. This tells ZanySoft to
execute the loaded program to a certain address - which it
will prompt you to supply -- and stop. The address needed is
the one corresponding to the "jmp" in the above listing. Sourcer
has supplied it, and it is ear-marked in the diagram: 0106.
Type in 0106 at ZanySoft's prompt and hit <enter>. The virus
is decrypted. Now, return to the "File"
menu and select the option, "Write to .COM." Accept the
default value ZanySoft brings up and hit <enter> again. The
virus has now been written to the disk from memory, and in
"plain-text" or unencrypted form. Look at it under a file
viewer. Remember those words that looked like English? Well,
now they ARE English. You should see some gobble like "the
Nazg'l," "dedicated to Sandra H.", and "*.EXE," "*.COM," the
latter two giveaways that the virus hunts for these files.
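The debugger step above, done in software instead of by hand, as an added example that is not part of the newsletter and is not SANDRA's code: a constructed .COM image with the same layout as the listing (header, a "sub_2" XOR decryptor, an encrypted body), a tiny 8086 emulator that covers only the handful of opcodes such a stub uses, and a run that stops at offset 0106h, the "jmp" into the body, then dumps memory and looks for plain text. The key (5Ah), the body strings and the sub_2 placement at 010Bh are assumptions for the sample; a real sample whose stub uses an instruction this toy does not model will raise rather than run on.

```python
"""Decrypt a self-decrypting .COM image by running only its decryptor and
stopping at the 'jmp' into the body, as the walk-through does in the
debugger. Added example, not the newsletter's code: the image is constructed
(key, layout and strings are invented) and the emulator covers only the
handful of 8086 instructions such a stub needs."""
import struct

ORG = 0x100      # .COM images load at CS:0100h
KEY = 0x5A       # XOR key of the constructed sample (assumption)
STOP = 0x106     # offset of the 'jmp' into the body: the debugger's "go to" address

def build_sample():
    """Constructed image with the listing's layout: header, decryptor, XOR body."""
    body = b"the Nazg'l - dedicated to Sandra H.\0*.COM\0*.EXE\0"
    sub_2 = (b"\xBE" + struct.pack("<H", 0x118)            # mov si, 118h (body)
             + b"\xB9" + struct.pack("<H", len(body))       # mov cx, len
             + b"\x80\x34" + bytes([KEY])                   # xor byte [si], KEY
             + b"\x46"                                      # inc si
             + b"\xE2\xFA"                                  # loop back to the xor
             + b"\xC3")                                     # ret
    header = (b"\xF8"                                       # 0100: clc
              + b"\xE8" + struct.pack("<H", 0x10B - 0x104)  # 0101: call sub_2 at 10Bh
              + b"\xFB\xF8"                                 # 0104: sti ; clc
              + b"\xE9" + struct.pack("<H", 0x118 - 0x109)  # 0106: jmp body at 118h
              + b"\x3C\x00")                                # 0109: data_3, data_4
    assert len(header) == 0x10B - ORG and len(header + sub_2) == 0x118 - ORG
    return header + sub_2 + bytes(b ^ KEY for b in body)

def run_to(image, stop, max_steps=100_000):
    """Execute from ORG until IP == stop; return memory as it then stands.
    Unknown opcodes raise, which is the right failure mode for a real sample:
    you find out the stub does something this toy does not model."""
    mem, ip, si, cx, stack = bytearray(image), ORG, 0, 0, []
    rd = lambda a: mem[a - ORG]
    u16 = lambda a: rd(a) | rd(a + 1) << 8
    for _ in range(max_steps):
        if ip == stop:
            return bytes(mem)
        op = rd(ip)
        if op in (0xF8, 0xFB):                     # clc / sti: no effect here
            ip += 1
        elif op == 0xE8:                           # call rel16
            stack.append(ip + 3); ip = (ip + 3 + u16(ip + 1)) & 0xFFFF
        elif op == 0xE9:                           # jmp rel16 (the one we stop before)
            ip = (ip + 3 + u16(ip + 1)) & 0xFFFF
        elif op == 0xC3:                           # ret
            ip = stack.pop()
        elif op == 0xBE:                           # mov si, imm16
            si, ip = u16(ip + 1), ip + 3
        elif op == 0xB9:                           # mov cx, imm16
            cx, ip = u16(ip + 1), ip + 3
        elif op == 0x80 and rd(ip + 1) == 0x34:    # xor byte [si], imm8
            mem[si - ORG] ^= rd(ip + 2); ip += 3
        elif op == 0x46:                           # inc si
            si, ip = (si + 1) & 0xFFFF, ip + 1
        elif op == 0xE2:                           # loop rel8
            cx = (cx - 1) & 0xFFFF
            disp = rd(ip + 1) - (0x100 if rd(ip + 1) >= 0x80 else 0)
            ip = ip + 2 + disp if cx else ip + 2
        else:
            raise NotImplementedError("opcode %02Xh at %04Xh" % (op, ip))
    raise RuntimeError("did not reach %04Xh in %d steps" % (stop, max_steps))

def printable_strings(data, min_len=5):
    """Crude 'strings': the quickest check that a dump really is plain text."""
    out, run = [], bytearray()
    for b in data + b"\0":
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode())
            run = bytearray()
    return out

if __name__ == "__main__":
    image = build_sample()
    print("before:", printable_strings(image))
    print("after: ", printable_strings(run_to(image, STOP)))
```

Stopping at the "jmp" is the whole point: the decryptor has run, the body is plain text in memory, and not one instruction of the infector itself has executed. Run the same image past 0106h and the emulator walks into the decrypted body, meets an opcode it does not know and stops with an error, which is the software equivalent of the debugger letting the virus loose.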
Load the unencrypted virus into Sourcer once again. Accept
the defaults and hit "Go". Fifteen seconds later the
virus has been disassembled for you, only now it's almost
all assembly instructions. Is this so mysterious? Even
though you may know next to nothing about assembly, you can
still use the Sourcer listing to make some informed deductions
about the virus.
Go to the bottom of the listing and look at the interrupt
usage synopsis. It looks like this:
±±±±±±±±±±±±±±±±±± Interrupt Usage Synopsis ±±±±±±±±±±±±±±±±±±
Interrupt 16h : Keyboard i/o ah=function xxh
Interrupt 20h : DOS program terminate
Interrupt 21h : DOS Services ah=function xxh
Interrupt 21h : ah=2Ch get time, cx=hrs/min, dx=sec
Interrupt 21h : ah=3Bh set current dir, path @ ds:dx
Interrupt 21h : ah=3Ch create/truncate file @ ds:dx
Interrupt 21h : ah=3Dh open file, al=mode,name@ds:dx
Interrupt 21h : ah=3Eh close file, bx=file handle
Interrupt 21h : ah=40h write file bx=file handle
Interrupt 21h : ah=41h delete file, name @ ds:dx
Interrupt 21h : ax=4301h set attrb cx, filename @ds:dx
Interrupt 21h : ah=4Eh find 1st filenam match @ds:dx
Interrupt 21h : ah=4Fh find next filename match
Interrupt 21h : ax=5701h set file date+time, bx=handle
As you see, SANDRA has instructions for "find first filename
match", "find next filename match" and "set current directory,
path." If you've seen this newsletter and its source listings
before, you might suspect that SANDRA is a direct-action
(or non-resident) virus. Coupled with the .COM/.EXE filemasks,
that's a good, educated guess.
Like any virus, it has a "write to file" function. However, in
this case, cross-referencing your listing shows that SANDRA
doesn't worry about adding itself to the end of the file during
the write. This means SANDRA's an "overwriter." It's the simplest
kind of infector, a feature almost exclusively the domain of primitive
direct-action viruses. And since it means that the virus
destroys everything it lands on, an instantly noticeable
stunt, it marks SANDRA as a trivial pest at best.
Your eye might also be drawn to the "delete file" and
"truncate file" functions. "Ah-ha!" you say having
a vague understanding about how sneaky viruses work.
SANDRA deletes files corresponding to the list of plain-text
filenames it carries around. And those file names are for
anti-virus software programs! SANDRA is an anti-anti-virus
virus! Wow.
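The deductions drawn above from the interrupt synopsis, as an added example that is not the newsletter's code: a script that reads a Sourcer-style listing, flags an encrypted body by the share of "db" lines, rebuilds the INT 21h usage synopsis by following what was last loaded into AH/AX before each INT, and applies the same rules of thumb (find first/next without going resident means direct action; write without lseek means overwriter; delete and create/truncate mean it goes after other programs' files). Both listings embedded here are constructed stand-ins with SANDRA's instruction mix, not SANDRA's real bytes; the INT 21h function numbers are standard DOS, and the column layout assumed for Sourcer output is stated in the code.

```python
"""Triage of a Sourcer-style listing: is the body encrypted, what does it ask
DOS for, and what kind of infector does that make it. Added example for the
SANDRA walk-through, not the newsletter's code; both listings below are
constructed stand-ins, not SANDRA's real bytes."""
import re

INT21 = {0x25: "set interrupt vector", 0x2C: "get time", 0x31: "terminate and stay resident",
         0x35: "get interrupt vector", 0x3B: "set current dir", 0x3C: "create/truncate file",
         0x3D: "open file", 0x3E: "close file", 0x40: "write file", 0x41: "delete file",
         0x42: "lseek", 0x43: "get/set file attributes", 0x4B: "exec", 0x4E: "find first",
         0x4F: "find next", 0x57: "get/set file date+time"}   # DOS function numbers
# Layout assumption: 'SEG:OFF', raw bytes in upper-case hex, lower-case mnemonic, ';' comment.
ADDR = re.compile(r"^[0-9A-F]{4}:[0-9A-F]{4}\s+")
HEXBYTES = re.compile(r"^(?:[0-9A-F]{2,4}\s+)+")

ENCRYPTED_LISTING = """\
3C44:0100 start:
3C44:0100 F8          clc                  ; Clear carry flag
3C44:0101 E8 002F     call    sub_2        ; (0133) the decryptor
3C44:0106 E9 7301     jmp     loc_6        ;*(027C) into the decrypted body
3C44:0109 3C          data_3  db  3Ch      ; xref 3C44:013D
3C44:010A 00          data_4  db  0
3C44:010B 9A 44 11 F0 db      9Ah, 44h, 11h, 0F0h
3C44:010F 22 7E 03 C1 db      22h, 7Eh, 03h, 0C1h
"""
DECRYPTED_LISTING = """\
        mov     ah, 4Eh         ; find first match on the *.COM / *.EXE masks
        int     21h
next_file:
        mov     ax, 4301h       ; clear the read-only attribute
        int     21h
        mov     ax, 3D02h       ; open read/write
        int     21h
        mov     ah, 40h         ; write the body at offset 0: no lseek first
        int     21h
        mov     ah, 4Fh         ; find next
        int     21h
        mov     ah, 41h         ; delete an anti-virus data file
        int     21h
        mov     ah, 3Ch         ; create/truncate another one
        int     21h
        int     20h             ; terminate: nothing stays resident
com_mask  db      '*.COM', 0
exe_mask  db      '*.EXE', 0
"""

def parse_listing(text):
    """(mnemonic, operands) per line; labels such as 'start:' / 'data_3' are dropped."""
    out = []
    for raw in text.splitlines():
        line = HEXBYTES.sub("", ADDR.sub("", raw.split(";", 1)[0].strip()))
        toks = line.split(None, 1)
        if toks and (toks[0].endswith(":") or not toks[0].isalpha()):
            toks = toks[1].split(None, 1) if len(toks) > 1 else []
        if toks:
            out.append((toks[0].lower(), toks[1].strip() if len(toks) > 1 else ""))
    return out

def looks_encrypted(text):
    """A plain virus disassembles to instructions; an encrypted one is a short
    stub followed by columns of 'db' bytes."""
    instrs = parse_listing(text)
    return bool(instrs) and sum(m in ("db", "dw") for m, _ in instrs) / len(instrs) > 0.5

def int21_calls(text):
    """Follow the last immediate loaded into AH/AL/AX to each INT: [(vector, ah, al)]."""
    ah = al = None
    calls = []
    for mnem, ops in parse_listing(text):
        if mnem == "mov":
            dst, _, src = (p.strip().lower() for p in ops.partition(","))
            if src.endswith("h") and re.fullmatch(r"[0-9a-f]+", src[:-1]):
                val = int(src[:-1], 16)
                if dst == "ah": ah = val
                elif dst == "al": al = val
                elif dst == "ax": ah, al = val >> 8, val & 0xFF
        elif mnem == "int":
            calls.append((int(ops.split()[0].rstrip("hH"), 16), ah, al))
    return calls

def synopsis(text):
    """Sourcer's 'Interrupt Usage Synopsis', one line per distinct call."""
    lines = []
    for vec, ah, al in int21_calls(text):
        if vec == 0x21 and ah is not None:   # 43h/57h sub-functions are shown with the full AX
            reg = "ax=%02X%02Xh" % (ah, al) if ah in (0x43, 0x57) and al is not None else "ah=%02Xh" % ah
            line = "Interrupt 21h : %s %s" % (reg, INT21.get(ah, "function %02Xh" % ah))
        elif vec == 0x20:
            line = "Interrupt 20h : DOS program terminate"
        else:
            line = "Interrupt %02Xh" % vec
        if line not in lines:
            lines.append(line)
    return lines

def characterize(text):
    """The article's quick deductions as heuristics: good for the 90% of samples
    without tricks, fooled by anything that hooks vectors indirectly or seeks by hand."""
    funcs = {ah for vec, ah, _ in int21_calls(text) if vec == 0x21 and ah is not None}
    searches = {0x4E, 0x4F} <= funcs
    return {"encrypted": looks_encrypted(text),
            # finds files but never goes resident or hooks a vector: direct action
            "direct_action": searches and not funcs & {0x31, 0x25, 0x35},
            # writes without ever seeking: overwrites instead of appending
            "overwriter": 0x40 in funcs and 0x42 not in funcs,
            "deletes_files": 0x41 in funcs, "truncates_files": 0x3C in funcs}
```

Feed it the .LST Sourcer wrote and you get the same two-minute verdict the text reaches by eye: the first pass says "encrypted", the second pass says "direct-action overwriter that deletes and truncates other files". The rules are deliberately crude. A virus that reaches INT 21h through a saved vector or rides the caller's file handle will not show up in this synopsis, which is exactly the 10% of samples the article says make the quick and dirty method a thorny job.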
Now you know enough to broadly characterize SANDRA as an
encrypted, over-writing virus that tries to delete a
raft of anti-virus programs. You might even be tempted
to run a test and execute SANDRA against some bait files.
If you do that on a typical American system, you'll find
another interesting feature at once. A great many systems
now use WINDOWS, and that means they're set up with either
QEMM or MS-DOS's EMM386 as memory managers. If SANDRA is
executed on any of these environments it will generate an
"exception" forcing a reboot of the machine.
Why is that, for cryin' out loud? Actually, it's another
anti-anti-virus measure, although a back-handed one.
NEMESIS, a German memory resident anti-virus monitor
uses expanded memory to monitor a system at the sector
level. Because of this, it requires the user to have
the requisite amount of expanded memory and the manager
for it: QEMM or EMM. SANDRA seems to make the generous
assumption that any machine using one of these might have
NEMESIS installed, and it forces a shutdown through EMM
to stop the infection and avoid potential detection.
Since SANDRA appears to be German, it is not unreasonable
that its author might be more concerned about NEMESIS
than anyone in the U.S., where the program is nonexistent.
In real terms, this feature makes SANDRA, at best,
a reluctant virus. On many machines, it will just
flat out refuse to infect.
By further combing over the code on breaks from hanging about
the water-cooler, you'll find that SANDRA deletes the
following data-integrity files from selected a-v software:
- "ANTIVIR.DAT"
- "CHKLIST.CPS" --Central Point AV
- "C:\CPAV\CHKLIST.CPS" --same as above
- "C:\NAV_._NO" --Norton Antivirus
- "NOVIRCVR.CTS"
- "NOVIPERF.DAT"
- "C:\TOOLKIT\FSIZES.LST" --Solomon's Toolkit
- "C:\FSIZES.QCV" --Solomon's Toolkit
- "C:\UNTOUCH\UT.UT1" --Untouchable
- "C:\UNTOUCH\UT.UT2" --Untouchable
- "C:\VS.VS"
- "C:\TBAV\VIRSCAN.DAT" --Thunderbyte, truncates file
- "C:\)(.ID" --Integrity Master, I believe
By now, you're very confident you can execute SANDRA without
hurting yourself. Actually, you could have done that after
a quick look at the interrupt synopsis. In any case, you're
still cautious so you install FLU-SHOT. Haha! SANDRA
won't infect. And you've uncovered its last interesting
secret: it exits when FLU-SHOT or a couple of other
resident programs are present.
This isn't the definitive book on SANDRA, but it's more than
enough for reasonable purposes. After all, this IS the "quick and
dirty" guide to virus disassembly. And the rules here can be
applied to a full 90% of the viruses you might come across.
Sure, there can be the occasional bird with tricks in it
to make this kind of fast interpretation a thorny job.
But, chances are, you will never see one.
So after a few more stabs at this with viruses from the
newsletter, your home collection, or wherever, you can sell
yourself as an experienced hand at "quick & dirty" virus
disassembly.
****************************************************************
****************************************************************
THE LOKJAW PROGRAMS: MORE SIMPLE IMPLEMENTATIONS OF RETALIATING
ANTI-ANTI-VIRUS VIRUSES
****************************************************************
Intrigued by the Proto-T scam, virus writer Nikademus sent his
LOCKJAW program to the Crypt Newsletter for examination. The
Nikademus LOCKJAW virus is a variant of "Proto-T," a resident
.COM infector originally derived from Civil War, altered to
delete a series of anti-virus programs when they are executed.
As an added fillip, the virus marks the deletion with an
entertaining "chomping" graphic effect!
The easiest way to soak this up is to head right for the assembly
listings included in this issue. The actual file recognition
and deletion routines can be adapted for many resident viruses.
As an example, the newsletter has transformed LOCKJAW into a
spawning .EXE-infecting virus in its "ZWEI" and "DREI" variants.
File deletion on load isn't novel in resident viruses. But by
coupling it to anti-virus recognition LOCKJAW underscores the
necessity of having the user realize he MUST remove the virus
from memory before using his software, or at the very least,
operate from a write-protected diskette. (Although, as you will
see with LOKJAW-DREI, the latter step is also potentially dodgy
business.)
In the wild, the entertaining virus "chomp" would be removed, as it
is a dead giveaway that the virus is present and in control
of the machine. (For that matter, so is sudden file deletion.
But the effect would remain puzzling to uninformed users.)
Taking this idea one step further, LOKJAW-DREI is a modification
which removes file deletion and replaces it with a fake
disk-trashing routine which the virus uses to strike the hard file
when an anti-virus program is called to find it.
Although LOKJAW-DREI only makes the drive temporarily inaccessible,
it doesn't take a great leap of imagination to see its
potential. Mark Ludwig talked about this at length in an article
on "retaliating viruses" published in American Eagle's "Computer
Virus Developments Quarterly #1." In that issue he supplied the
code for such an animal, the direct action Retaliator virus, an
Intruder variant.
The point that he made, and a valid one, is that the existence
of such a virus on a machine makes it absolutely necessary
that the user know what he's doing when he goes out looking
for it.
The LOCKJAW viruses, however, are easy to "play" with. They
will become resident below the 640k boundary and infect .COMs or
.EXE's, depending upon the variant, upon execution. They will
also show a noticeable 4k drop in memory available to free programs.
By running Scan, F-Prot, Integrity Master or Central
Point Anti-Virus when LOCKJAW is present, the "retaliating"
effect is shown. Of course, this software is deleted so
don't use your only copy unless you want it erased. (Not a
bad strategy for some software.)
LOCKJAW can be removed from memory by simply rebooting from a
clean, write-protected system disk.
[In a related note: The SANDRA and LOKJAW viruses come with
Central Point Anti-virus as a default. Even though the
software is continually drubbed in product reviews and word-of
mouth gossip, it is included in the coming MS-DOS 6.0. This
ensures that it will be even more ubiquitous on home and business
machines in 1993 - a fact of interest to virus and competing
anti-virus developers alike.]
***************************************************************
***************************************************************
IN THE READING ROOM III: CRITIQUE OF DISCOVER PIECE ON THE
BULGARIAN VIRUS CONNECTION
***************************************************************
I'm sure a number of alert newsletter readers have, by now,
browsed through the February issue of Discover magazine and seen
the excerpt from another book on "hackers" called "Approaching Zero,"
to be published by Random House. The digested portion is from a
chapter dealing with what authors Bryan Clough and Paul Mungo call
"the Bulgarian virus connection."
While it was interesting - outwardly a brightly written
article - to someone a little more familiar with the subject matter
than the average Discover reader, it was another flawed attempt
at getting the story right for a glossy magazine-type readership.
First, we were surprised that reporters Mungo and Clough fell
short of an interview with virus author, the Dark Avenger. Since
they spent so much time referring to him and publishing a few
snippets of his mail, it was warranted, even if he is a very tough
contact.
In addition, they continually exaggerate points for the sake of
sensationalism. As for their claim that the Dark Avenger's "Mutating
Engine" may be the "most dangerous virus ever produced,"
there's no evidence to support it. First, they continue the
hallowed media tradition of calling the Mutation Engine
a virus. It's not. The Mutation Engine is a device which we've gone
over in these pages again and again.
The Crypt reader knows it doesn't automatically make the virus
horribly destructive; that's a feature virus-writers put into
viruses separately from the Engine.
And although the first Mutation Engine viruses introduced into
the U.S. could not be detected by the scanners included in
commercial anti-virus software, most of these packages also included
tools that passively monitor files and memory on a machine (integrity
checkers and resident monitors). These tools COULD detect Mutation
Engine viruses, since a polymorphic infector still has to modify the
files it infects, a fact that can still be demonstrated with copies
of the software. And one that almost everyone covering the Mutation
Engine angle glosses over, if they bother to mention it at all. In
any case, Mutation Engine code is well understood and viruses
equipped with it are now no more hidden than viruses which don't
include it.
Of greater interest, and an issue Mungo and Clough don't get to, is
the inspiration the Dark Avenger Mutation Engine supplied to virus
programmers.
By the summer of 1992, disassembled versions of the Mutation Engine
were everywhere, for all intents and purposes.
It seemed only a matter of time before similar code kernels with
more sophisticated properties popped up and this has been the case.
Coffeeshop, a virus mentioned in the original Discover piece,
is just such an animal, although the authors don't get into it.
Coffeeshop utilizes a slightly more sophisticated variable encryptor
- called the Trident Polymorphic Engine - which adds a few features
not present in the Dark Avenger model as well as decreasing its
size. It, too, has been distributed in this country as a device
which can be utilized by virus authors interested in shotgunning
it into their own creations. It is of Dutch origin, produced by
a group of programmers known as "TridenT." TridenT, a group with
a taste for whimsy, freely acknowledges the inspiration of
the Mutation Engine. Curiously, Coffeeshop is Dutch slang for a
place to pick up some marijuana. Very interesting, is it not?
However, the Trident Polymorphic Engine is no more inherently
dangerous than the Mutation Engine. Viruses utilizing it can be
detected by the same tools used to detect Mutation Engine viruses
before those could be scanned.
The reporters also claim that disassembling a virus to find out
what it does is a "difficult and time-consuming process" capable
of being carried out "only by specialists." This is another myth
which feeds the perception that viruses are incredibly
complicated and that one can only be protected from them by the
right combination of super-savvy experts.
It has little basis in reality which is why we spent some time
shooting it in the rear end in an earlier portion of this
issue.
And that's what's the most irritating about Mungo and Clough's
research. In search of the cool story, they further the dated idea
that virus-programming is some kind of arcane art, practiced by
"manic computer freaks" living in a few foreign countries where
politics and the economy are oppressive. While it's true that
a few viruses are clever, sophisticated examples of programming, the
reality is that almost anyone (from 15-year-olds to
middle-aged men) with a minimal understanding of assembly language
can (and does) write them from scratch or cobble new ones together
from pieces of found code or toolkits.
Since everyone's computers DON'T seem to be crashing from viral
infection right and left (remember Michelangelo?), Mungo and Clough,
in our opinion, really stretch the danger of the "Bulgarian virus
factory."
This is such an old story it has almost become shtick, a routine
which researcher Vesselin Bontchev (apparently Clough and Mungo's
primary source) has parlayed into an intriguing career.
A great number of the 200 or so Bulgarian viruses the reporters
mention in fear-laden terms ARE already here, too - stocked on
a score of BBS's run by programmers and computer enthusiasts.
Mungo and Clough write of "the scope of the problem . . . not
[becoming] apparent for several years." That's an easy, leading
call to make because no one will remember or hold them to it in
2000. The Crypt newsletter suggests "We don't know."
Now that would have been more honest. But we doubt if it would have
sold as well.
[To add insult to injury, the authors warn of the ominous LoveChild
virus, counting toward zero, waiting to ambush your hard file. It's
worth noting that Skulason's F-Prot casually dismisses LoveChild as
a buggy virus which only operates on machines running DOS 3.3.
Solomon's Toolkit modestly judges it as capable of "moderate"
damage.]
=-=In true domino effect, PRODIGY - the "interactive home computer
service" for numerous, mixed-up, Bush-voting, Democrat yuppies -
recycled segments of the Discover article on January 30 in its
"Headline News" section. The un-bylined story loudly proclaimed
"the Mutating Engine . . . the most dangerous virus ever" and re-
iterated ominous news of LoveChild, a program which won't function
on many systems. LoveChild, alert Crypt newsletter readers may
be interested to know, "will erase all of a computer's memory,"
according to PRODIGY Headline News.=-=
****************************************************************
IN THE READING ROOM IV: WRITER AND EX-JOCKEY DICK FRANCIS
REPORTS ON COMPUTER VIRUSES IN "DRIVING FORCE," HIS LATEST NOVEL
OF MYSTERY AND INTRIGUE
****************************************************************
It turns out that one of the Crypt Newsletter staffers is a
fiend for Dick Francis. In case you don't know, Francis is an
entire publishing company unto himself. He cranks out enough
material in a year to give Stephen King a run for his money.
However, he's never been pegged as a "computer" writer.
So it came as a surprise when a staffer shrieked in glee,
ran over to where I was lurking by the water-cooler and
thrust Francis's manuscript into my face.
"Look, look, Michelangelo!!" she gibbered. And there it
was, a fictional account of someone's office getting cold-cocked
by the virus. But enough of this, here's a teaser:
-=[ The computer man, perhaps twenty, with long light brown hair
through which he ran his fingers in artistic affectation every
few seconds, had given up trying to resuscitate our hardware by
the time I got back to the office.
"What virus?" I asked, coming to a halt by Isobel's desk
and feeling overly beleaguered. We had flu, we had aliens, we
had bodies, we had vandals, we had concussion. A virus in
the computer could take the camel to its knees.
"All our records," Isobel mourned.
"And our accounts," chimed Rose.
"It's prudent to make backups," the computer man told them
mock-sorrowfully, his young face more honestly full of scorn.
"Always make backups, ladies."
"Which virus?" I asked again.
He shrugged, including me in his stupidity rating. "Maybe
Michelangelo . . . Michelangelo activates on March 6 and
there's still a lot about."
"Enlarge," I said.
"Surely you know?"
"If I knew, I've forgotten."
He spelled it out as to an illiterate. "March 6 is Michelangelo's
birthday. If you have the virus lying doggo in your computer
and you switch on your computer on March 6, the virus activates."
"Michelangelo is a boot-section virus," the expert said, and to
our blank-looking expressions long-sufferingly explained. "Just
switching the machine on does the trick. Simply switching it on,
waiting a minute or two and switching off. Switching on is called
booting up. All the records on your hard disk are wiped out at
once with Michelangelo and you get the message 'Fatal disk error.'
That's what happened to your machine. The records are gone. There's
no putting them back."
"What exactly is a virus?" Rose inquired miserably.
"It's a program that tells the computer to jumble up or wipe
out everything stored in it." He warmed to his subject. "There
are at least three thousand viruses floating around. There's
Jerusalem II that activates every Friday the 13th, that's a
specially nasty one. It's caused a lot of trouble, has that
one."
"But what's the point?" I asked.
"Vandalism," he said cheerfully. "Destruction and wrecking for
its own sake." He ran his fingers through his hair. "For instance,
I could design a sweet little virus that would make all your
accounts come out wrong. Nothing spectacular like Michelangelo,
not a complete loss of everything, just enough to drive you mad.
Just enough to make errors so that you'd be forever checking and
adding and nothing would ever come out right." He loved the idea,
one could see.
"How do you stop it?" I asked.
"There are all sorts of expensive programs nowadays for detecting
and neutralizing viruses. And a whole lot of people thinking up
ways to invent viruses that can't be got rid of. It's a whole
industry. Lovely, I mean, rotten."
Viruses, I reflected, meant income, to him. ]=-
How's that? Not bad, for a mystery writer! Why, Francis seems
more knowledgeable about the subject than the writers of glossy-cover
"suit" computer publications! But we're not gonna tell you how
it ends, you'll just have to dig up "Driving Force" (Putnam)
for yourself.
*****************************************************************
IN THE READING ROOM V: NEW YORK TIMES AND THE PHRAKR TRAKR -
BBS's: THE ROOT OFFAL EVIL (OUCH, PUNNY!)
******************************************************************
In a January 25 'A' section article, a N.Y. Times reporter profiles
the "Phrakr Trakr," a federal undercover man keeping our
electronic streets safe from cybernetic hoodlums too numerous to
mention singly.
Reporter Ralph Blumenthal immediately reveals himself as yet
another investigator from the mainstream who has never gotten
anything from underground BBS's first-hand, focusing on the
Phrakr Trakr's tales of nameless computer criminals trafficking
in "stolen information, poison recipes and bomb-making
instructions."
We're not going to dwell on the issue of phone-related phraud
and the misappropriation of credit card accounts (which has
been well-established), but Blumenthal's continued
attention to text files for "turning household chemicals into
deadly poisons, [or] how to build an 'Assassin Box' to supposedly
send a lethal surge through a telephone line" is sickening. It
furthers the generalization that all reporters are fetal-alcohol
damaged rubes with little educational background beyond elementary
school. Anyone who's seen or stock-piled text files on a BBS knows
they're either menacingly written trivial crap or bowdlerized
reprints from engineering, biology and chemistry books. In either
case, hardly noteworthy unless you're one who can't tell the
difference between comic books and real news.
The Times delivers a back-to-the-camera photo of the Phrakr Trakr,
an overweight man with a handcuff dangling from
his suspenders. He "patrols THOUSANDS [emphasis ours] of computer
bulletin boards" states the photo's slug-line, an absurd claim which
neatly overlooks the fact that there's not enough time in a year
to physically accomplish the deed.
The Phrakr Trakr has his own newsletter, F.B.I., for
"Find um [sic], Bust um [sic], Incarcerate um [sic]." "Got any
codez?" indeed.
*****************************************************************
FICTUAL FACT/FACTUAL FICTION
*****************************************************************
HOUSE AD: CRYPT INFOSYSTEMS BBS is now running full-time. Pick
up the newest useless files and Crypt Newsletters direct. Bask
in the scintillating conversation and avuncular charm of
sysop and editor, URNST KOUCH. Meet the very funny PALLBEARER.
And acquaint yourself with all their fine friends.
The number? 215.868.1823.
-----------------------------------------------------------------
GRAY AREAS magazine is looking to interview virus authors for
a continuing series of articles. The Crypt Newsletter editorial
staff recently had an opportunity to meet with the editor
of GRAY AREAS, Netta Gilboa, and came away with the conviction
that the magazine is dedicated to exposing all points of view
on many subjects. In other words, you don't need a highly paid
mouthpiece, a movie contract or the Congressional Medal of
Honor to be of interest to its editors. A recent
issue featured an excellent interview with John Perry Barlow
among other sections too numerous to cover adequately here.
Contact GRAY AREAS at any of the following:
grayarea@well.sf.ca.us
ph: 215.353.8238
mail: POB 808
Broomall, PA 19008-0808
--------------------------------------------------------------------
Phalcon/SKISM programmer Dark Angel has produced the G2, or
Second Generation viral code generator. Capable of producing
resident .COM/.EXE infecting viruses with limited polymorphism,
Dark Angel's documentation states the G2 supersedes the
PS-MPC. The Phalcon/SKISM programmer plans to update the G2 code
base as time allows; he maintains in the instructions to the program
that G2 has much more flexibility than the PS-MPC, capable
of multiple arrangements of commented code and data segments.
Although the G2 is separate from the PS-MPC, it appears that
those users familiar with the PS-MPC will have no trouble
adapting to the G2.
---------------------------------------------------------------------
PRODIGY, the "interactive home computer service" for numerous
mixed-up, Bush-voting, Democrat yuppies, has cut its work force
by 25, putting approximately 250 people onto the street.
----------------------------------------------------------------------
IBM - panicked by the tolling bell of impending corporate doom - has
moved to can CEO John Akers, presumably because the company is
non-competitive under his leadership. Akers will remain to head
the team selected to draft his replacement. Does this make sense
to you or are WE nuts? Draft the guy you're firing to find his own
replacement. Yes, this is a GOOD PLAN. Sell your IBM stock while
you still can. That's the Crypt Newsletter's advice.
____________________________________________________________________
END CREDITS: Thanks and a tip o' the hat to NIKADEMUS, CAPTAIN
AEROSMITH and the usual crew of alert readers.
--------------------------------------------------------------------
The Crypt Newsletter includes virus source code in each issue.
If assembled, it will produce working copies of the viruses
described. In the hands of incompetents, irresponsibles and
even the experienced, these programs can mess up the software
resources of any IBM-compatible PC - most times, irretrievably.
Public knowledge that you possess such samples can make you
unpopular - even shunned - in certain circles of your computer
neighborhood, too.
To assemble the software included in this issue of the newsletter,
copy the MS-DOS program DEBUG.EXE to your current directory,
unzip the newsletter archive into the same directory and
type MAKE at the DOS prompt.
This issue of the newsletter should contain the following
files:
CRPTLT.R12 - this document
MAKE.BAT - instant "maker" for this issue's software.
Ensure that the MS-DOS program DEBUG.EXE is in the
machine path or current directory, before
typing "MAKE".
LOCKJAW.ASM - assembly listing for the LOCKJAW virus
LOKJAWZ.ASM - " " " LOKJAW-ZWEI
LOKJAWD.ASM - " " " LOKJAW-DREI
LOCKJAW.SCR - scriptfile for LOCKJAW
LOKJAWZ.SCR - " " LOKJAW-ZWEI
LOKJAWD.SCR - " " LOKJAW-DREI
SANDRA.SCR - " " SANDRA virus
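If you'd rather rebuild the samples without ever launching DEBUG.EXE (or DOS), a few lines of Python will do it. This is an added example for this edit, not the newsletter's MAKE.BAT and not anything shipped with the issue; the .SCR files themselves are not reproduced here, so the command subset it understands (N name, E addr bytes, RCX or RBX followed by a hex value on the next line, W, Q) is this editor's assumption about how those scriptfiles are written. The sample script at the bottom is constructed for the example. The point for a cautious reader is that the bytes come out as data you can hash, diff or disassemble, and nothing gets executed on the way.

```python
# Added example (not the newsletter's MAKE.BAT, not a real DEBUG): a small
# interpreter for the DEBUG "scriptfile" idiom zines used to ship binaries
# as text. The supported command subset is an assumption about the .SCR
# files, which are not reproduced on the page. SAMPLE_SCRIPT is constructed.

def run_debug_script(script: str):
    """Interpret a DEBUG script and return {filename: bytes} for every W.
    The 64K segment starts zeroed; W writes BX:CX bytes starting at offset
    0100h, which is how DEBUG writes a .COM image. Only hex byte tokens are
    accepted after E (DEBUG's quoted-string form is not handled here)."""
    mem = bytearray(0x10000)
    files = {}
    name = None
    bx, cx = 0, 0
    lines = [ln.strip() for ln in script.splitlines()]
    pos = 0
    while pos < len(lines):
        line = lines[pos]
        pos += 1
        if not line:
            continue
        parts = line.split()
        cmd = parts[0].upper()
        args = parts[1:]
        if cmd == "N":                      # N FILE.COM : name the output file
            name = args[0]
        elif cmd == "E":                    # E 0100 B4 09 ... : enter bytes
            addr = int(args[0].split(":")[-1], 16)   # tolerate "CS:0100"
            for tok in args[1:]:
                mem[addr] = int(tok, 16)
                addr += 1
        elif cmd in ("RCX", "RBX"):         # register edit: value on next line
            if pos >= len(lines):
                raise ValueError("%s without a value line" % cmd)
            val = int(lines[pos], 16)
            pos += 1
            if cmd == "RCX":
                cx = val
            else:
                bx = val
        elif cmd == "W":                    # W : write BX:CX bytes from 0100h
            if name is None:
                raise ValueError("W before N")
            size = (bx << 16) | cx
            files[name] = bytes(mem[0x100:0x100 + size])
        elif cmd == "Q":
            break
        else:
            raise ValueError("unsupported DEBUG command: %r" % line)
    return files

# Constructed sample script: a harmless 15-byte .COM that prints "hi" and
# exits (mov ah,9 / mov dx,10Ch / int 21h / mov ax,4C00h / int 21h / "hi$").
SAMPLE_SCRIPT = """\
N DEMO.COM
E 0100 B4 09 BA 0C 01 CD 21
E 0107 B8 00 4C CD 21
E 010C 68 69 24
RCX
000F
W
Q
"""

if __name__ == "__main__":
    for fname, data in run_debug_script(SAMPLE_SCRIPT).items():
        print(fname, len(data), data.hex())
```

Feed it the real .SCR text and you get the same bytes DEBUG would have written, minus the step of running DEBUG on a machine you care about; compare sizes against the RCX value and hash the result before it goes anywhere near an emulator.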
You can pick up the Crypt Newsletter at these fine BBS's, along with
many other nifty, unique things.
CRYPT INFOSYSTEMS 1-215-868-1823 Comment: Crypt Corporate East
DARK COFFIN 1-215-966-3576 Comment: Crypt Corporate West
THE HELL PIT 1-708-459-7267
DRAGON'S DEN 1-215-882-1415
RIPCO ][ 1-312-528-5020
AIS 1-304-420-6083
CYBERNETIC VIOLENCE 1-514-425-4540
THE VIRUS/BLACK AXIS 1-804-599-4152
NUCLEAR WINTER 1-215-882-9122
UNPHAMILIAR TERRITORY 1-602-PRI-VATE
THE OTHER SIDE 1-512-618-0154
MICRO INFORMATION SYSTEMS SERVICES 1-805-251-0564
REALM OF THE SHADOW 1-210-783-6526
STAIRWAY TO HEAVEN 1-913-235-8936
THE BIT BANK 1-215-966-3812
CYGNUS-X 1-215-791-2457
The Crypt Newsletter staff welcomes your comments, anecdotes,
thoughtful articles and hate mail. You can contact Urnst Kouch at
Crypt BBS, CSERVE#:70743,1711 or Internet: 70743.1711@compuserve.com
For those who treasure hardcopy, Crypt Newsletter is available as a
FAX subscription: $20 for a ten issue run. It can also be had as one of
those Mickey Mouse-looking papyrus newsletters produced by WordPerfect
C.A.N.T.'s [Corporate Animal, No Talent] for the same price. All
inquiries should be directed to the Crypt Newsletter e-mail
addresses.
-*-