Crypt newsletter 05
**********************************************
The Crypt Newsletter [mid-Sept.'92]: another in
an infrequent series of factual, info-glutted,
tongue-in-cheek monographs solely for the enjoyment
of the virus programming professional or enthusiast
interested in the particulars of electronic mayhem.
-*-
Edited by URNST KOUCH.
**********************************************
This issue's quote: "It's a new hobby, folks."
--John Dvorak on virus programming, from the 2nd
edition of Dvorak's Telecommunications, Dvorak and Anis (McGraw-Hill).
*******************************************************************
IN THIS ISSUE: Local news...viruses for sale...condensed results of
NCSA scanner evaluation...viruses as tools of civil disobedience...
MacMag Peace virus dropper charged with crime...trojan programming
and stomping out the pernicious threat of hard core pornography...
Hans Von Braun, enlightened fellow...dummkopf of month award...
Nowhere Man's CRYPTCOM 2.0...Pallbearer's KONSUMER KORNER...
the CASINO virus...NUKEX...BATCOMPI trojan...the PENIS trojan...
CORRUPTO 2 and more.
NEWS! NEWS! NEWS! NEWS! NEWS!
Frans "Dutch" Hagelaars nee SomethingAndersswhateversomething,
Poobah of the Virus echo distributed on the FidoNet,
clamped down on the public domain Wizard's Retreat BBS
in Allentown, PA, for refusing to delete virus exchange sysop
Tim Caton (aka Pallbearer) from its caller base.
In order to preserve the transmission of the echo, Wizard
Retreat sysop Scott Miller has made the echo 'read-only'
for all local callers. He declined to delete user Caton.
In related news, Phalcon/SKISM's Night Crawler, the other
FidoNet virus echo user excommunicated in "Dutch's" late Summer
purge, reappeared in the waning days of August to wish Hagelaars
well.
"You, my good man, can go to HELL!" commented the SKISM member.
In unrelated news: We now reprint a fragment of a recent
post from FidoNet Virus echo user and 14-year assembly
programmer, Gary Watson. In it Watson protested his being
labeled a pampered menial by the Crypt Newsletter for constantly
being allowed to flame on topics which usually get 'lesser' users
barred.
"Why would I want to [pass viruses on FidoNet]? I make a
point of *not* collecting them," claimed Mr. Watson.
Interested readers will be amused to find that the same
"Nixon" Watson was recently spotted uploading an archive
containing live samples and source code to BADBOY 2, DIAMOND,
DIR-2, OUTLAND, MURPHY, MG, MIX, HORSE, PINGPONG, 4096, LEECH,
AMSTRAD, CRAZYEDDIE, etc., to the DARK COFFIN BBS.
The Dark Coffin is hosted by the shunned & hated Caton and,
incidentally, seems to be the mailing address of this newsletter.
Small world, isn't it, Gary? Not a collector? INDEED.
ANYWAY, here at the Crypt newsletter, we reckon the Virus
echo and its users would be BETTER served if "Dutch" Hagelaars
took the following steps:
1. Discourage trivial posts like those generated by
Gyuri "George" K. GK's disjointed messages resemble
what can only be described as the distracting chatter
of a madman. Hey, try and keep it on the subject, eh?
[Oops, hope he's not DAV incognito!]
2. Time to consider instituting separate feeds to all nodes
where users persist in posting "SEKRIT" messages in Polish,
Danish, Slavonic, Chervonsky, Basque, Martian or whatever.
As an Ami Schwein, I speak only de Englise, dammit, and see
little value in wading through apocryphal messages which appear
to be written in ecthje fiudoaw resstetiii. (See what I mean?)
It's quite possible users from nether-Poo-Stink, Central Europe,
feel the same way about MY lingua franca. Do something
about this.
3. Encourage more exchange of detailed, high value info
relevant to virus study, i.e., ripped off copies of
Virus Bulletin, news briefs, more postings from Virus-L
Digest (the Crypt Newsletter, heh). At this point, the echo
is about as informative as the QModem users help group.
Rob Slade and Paul Ferguson are two who DON'T continually
transmit useless, anecdotal, horrifyingly re-quoted replies
to the fragmented discussions of others (see #1 for an
example). Many could learn from them. Time to tear the
lid off the source code ban, too. The cows have left
the barn, boys.
Until these steps are taken, the Virus echo will remain trivial.
"It's no big loss," said Caton. Res ipsa loquitur.
Down on the Gulf of Mexico in Mission, TX, sysop Zendor of the
Other Side BBS has taken matters into his own hands and started
charging a small fee for bulk mail delivery of viruses,
source code, and related files. For $1.00 cash money,
Zendor will supply a catalog; for $10.00, a diskette of the
software in his archive.
Compared to the $15.00 asking price for "The Little Black Book of
Computer Viruses" (American Eagle Publishing, Tucson, AZ)
companion diskette, Zendor's terms seem quite fair. Mail him
at 1807 Cassandra, Mission, TX 78572, or call The Other Side
at 512-618-0154.
In related news, The Other Side is a member of the WWIV StormLink
net and sponsors the "Infected Files" sub nationwide. In its first
week, "Infected Files" posts included the source code for
the SARA GORDON virus (mistakenly posted at the MtE) and debug scripts
for the FELLOWSHIP and MIMIC2 viruses, among others. Sadly, it
didn't take long for someone to cry foul and threaten its closure
unless all source codes and hex dump transmissions were curtailed.
The punitive action achieved little, since virus exchange sysops
continued to freely trade advice and phone numbers at will. Now
izzit me, or are all net co-ordinators trained to be morons?
What difference is there between posting codes or BBS numbers
where codes and live viruses can be freely downloaded? A free
no-prize to you if you can explain it to me! Just another case
of the Emperor's New Clothes.
Symantec has taken the step of uploading a freeware version of the
Norton Antivirus's scan utility, NAVSCA.ZIP, to the IBMSYS and
VIRUSFORUM SIG's on COMPUSERVE. This is not the first time
a colorful commercial outfit has attempted to do battle with the
shareware market. Back at the time of the Michelangelo scare,
XTREE made available a free version of UNVIRUS, the scanning utility
from its VIRUSAFE package. About the only remarkable points about
XTREE's program were the amusing cheeping noises it made when
searching memory for 'stealth' viruses and the hysterically silly
virus descriptions: "Fill in your own virus - This virus is very
dangerous and will corrupt all the files on your system, eventually
totally destroying the disk!"
As for NAVSCAN's efficacy as a brute-force scanner against the
new crop of viral programs? We took it into the Crypt virus
lab and scooped up a handful of VCL 1.0 variants
(DIARRHEA 1 & 2, HEEVAHAVA and RED HERRING), a few direct action
infectors designed with VCL 1.0 but optimized to avoid detection
by SCAN v95B (MIMIC 1 & 2, DIOGENES) and two weirdos - COMMANDER
BOMBER and STARSHIP. The score? No hits. Here at the Crypt
Newsletter, we deem these results unsuitable for "optimum
consumer confidence." Even if it's free.
And now for your further infotainment, a newsbrief culled and cribbed
without permission from a post by FidoNet virus echo user Paul
Ferguson. Take it away (and thanks anyway), Paul!
Reprinted without permission from Federal Computer Week, 17 August 1992 -
(page 34)
8<-------- Cut Here ---------------
MOST VIRUS-DETECTION PRODUCTS SUCCESSFUL
by Richard A. Danca
Most PC virus-detection products do an excellent job of finding known
viruses on a PC, according to tests run by the National Computer
Security Association, Carlisle, Pa.
In NCSA's tests, 12 of 16 virus-detection products found more than 90
percent of the 848 viruses or virus variants in NCSA's database. Only
two of the products found fewer than 80 percent of the files.
NCSA tested all the products it received after announcing it would
conduct the tests, said membership director Paul R. Gates.
The association will run tests every month, and future tests will
probably include other virus detectors, he said. Questions remain,
however, about the validity of the tests and the hazards viruses pose.
Three products found 100 percent of the 848 viruses NCSA used in the
test: Virex-PC from Microcom Inc., Norwood, Mass.; Panscan from Panda
Systems, Wilmington, Del.; and Findviru from S&S International,
Berkhamsted, Hertfordshire, Britain.
NCSA uses the term "infected files" to refer to the viruses it tested
because many viruses are variants of others and because there are no
agreed-upon naming criteria, Gates said, nor did NCSA distinguish
between common and unusual viruses. "The common ones are in there with
the rare ones."
ONLY DETECTION WAS TESTED
NCSA tested only virus detection, not removal. Many viruses make it
impossible to re-create programs or data they have infected, so
detection is more important than removal, Gates said. "Mostly what
people do is restore [files] is not to run the remover capability but
to reinstall software" and restore data from backups. "That is the
correct way of doing it."
One company whose product scored low criticized NCSA's tests and
objectivity. Commcrypt Inc., Beltsville, Md., said the Scan Plus
portion of its Detect Plus software found 73 percent of 2,201 strains
of viruses in a February test NCSA ran. "In a nutshell, we're not
privy to the library we're tested against," said Warren Wertz,
research director at Commcrypt.
It is possible that some of the files in the NCSA database are "naked
viruses or benign viruses" that cannot damage data.
The NCSA database was available only to members of the Anti-Virus
Program Developers consortium who paid a membership fee, said
Commcrypt president William H. Landgraf. "If you're willing to pay the
money - $2,000 or more a quarter - they'll provide you with the list
of viruses."
In a certificate it issued to Commcrypt in February, NCSA said,
"Nearly all of these [2,201] strains have rarely or never been seen
'in the wild.' Scan Plus detected all common viruses."
Commcrypt has many customers in the U.S. Postal Service and the
federal courts, Wertz said. "They haven't got any viruses - that we
know about - that they couldn't get rid of," he said.
NCSA and other experts acknowledge that common viruses are far more
likely to cause damage. The most common viruses include strains of
Jerusalem, Stoned and Michelangelo, according to both NCSA and
Commcrypt. In addition, "some people estimate that 90 to 95 percent of
the data lost is because of operator error." Gates said.
"I have some question about scan tests of viruses that just exist in
the laboratories," said Bryan Seborg, PC and local area network
security program director at the Federal Deposit Insurance Corp.
Seborg is also a virus researcher and instructor at the University of
Maryland.
Seborg agreed with NCSA's Gates, however, on the limited value of
virus removers. "The ones that do a cleanup are not a good idea."
FDIC policy requires users to destroy infected files and reinstall
software. For viruses that destroy boot records or hidden MS-DOS
files, the FDIC solution is to use DOS' FDISK or SYS commands, Seborg
said.
AUGUST VIRUS SCANNER TEST RESULTS
VENDOR                 PRODUCT           VERSION  SCORE
Central Point          CPAV              1.3*     94
Certus                 NOVI              1.1D     95
Commcrypt              Detect Plus       2.10     60
Fifth Generation       UTSCAN            24.00    90
Frisk Software         F-PROT            2.04     99
IRIS                   CURE              20.01    93
Leprechaun Software    Virus Buster      3.92     98
McAfee Associates      SCAN              93       99
Microcom Inc.          Virex-PC          2.2      100
Panda Software         Panscan           4.05     100
RG Software            Vi Spy            9.0      97
S&S International      Findviru          5.60     100
Stiller Research       Integrity Master  1.23A    88
Symantec               NAV               2.0*     70
Trend Micro Devices    PCSCAN            2.0      91
Xtree                  ViruSafe          4.6      86
* Test was run with the August version of the vendors' virus signature
definition file, which is available to their installed base.
[ Source: National Computer Security Association ]
[Readers of this issue of the Crypt newsletter are invited to
comment, no holds barred, on this study and Danca's article.
Send comments to The Dark Coffin BBS, 1-215-966-3576 or
leave mail for Couch on The Hell Pit.]
NEXT UP: THE COMPUTER VIRUS AS A TOOL OF INDIVIDUAL EMPOWERMENT
by THE FLIM-FLAM MAN
It's time to start thinking in real terms about the computer virus
as a tool for individual empowerment.
To avoid an overly windy essay, I'm going to focus on two REAL
human examples.
The first deals with a woman in her mid-40's who works for a small
specialty book publishing firm in the Lehigh Valley of eastern PA.
(I've kept the descriptions of individuals deliberately vague to
protect them from inappropriate attention.)
In early 1992 she found herself sexually harassed in the workplace by
her boss, a man for whom she felt no attraction. Unable to tell him
to bug off, and knowing that in a small business there
was no place to turn but the street, she became enraged. So she
planned a late night smash-and-grab raid into the office to delete
certain key files on his personal computer. This she did. The next
day her boss was confused, frustrated and angry over the loss of
his precious data. He was not hip to the fact that his work had
been sabotaged by the woman quietly smiling in the next room.
Given the opportunity to use a computer virus for the job,
it is not totally unreasonable to assume this woman would have
seriously entertained the idea of using it as a tool of redress.
In any case, she was a computer vandal. And not the computer vandal
most corporate stiffs like to paint: a maladjusted, teen or
disgruntled, shirking whiner. Rather, she was somewhere in between;
a reasonable worker pushed deep into a corner. As further food for
thought: Do you think that the use of a computer virus, IN THIS
INSTANCE, would have been BAD?
A second example: mid-level staffers at a large metropolitan corporation
in eastern Pennsylvania have had to grapple with the installation of
a project implemented on a Macintosh desktop system. The junior
technical administrator put in charge of bringing the system online
has not proven up to the challenge. After two years of work, the
system crashes daily, eats work, locks unpredictably and forces
continued overtime on staffers who have to work around its shortcomings.
The technical administrator is openly hostile to any suggestions
from staffers who are compelled to use the system daily. The
administrator's supervisor will not listen to suggestions from
underlings that more expert technical help is necessary. The project
has become a costly, political hot potato; its failure would ruin
the rep of the management team that committed to it two years
previously.
At this point the staffers who must work with the non-functional system
daily have begun entertaining the idea of inserting a Mac virus into
the already deeply screwy system. The rationale for use is that it could
force a system crash which the current technical administrator could
not quickly remedy. Such a disaster might break the logjam of upper
management arrogance and force the consultation of someone better
suited to programming Macintoshes. They also feel that since
viruses are anonymous, the blame would most likely fall on the
local administrator's head for allowing it to happen.
This is another graphic example of reasonable workers who feel they've
been backed into a corner by leaders who seem dumb as stumps.
The computer virus is viewed by the victimized as their road to
empowerment.
These workers are smart enough to realize that there
is no guarantee that a bad situation will be made better by a
virus. But they do think that throwing a monkey wrench into the
system, bringing it to a noisy, ugly halt, might buy some breathing
room.
As told here, I'm sure most readers WILL feel some empathy for
the people above. It's not a stretch to think of someone in the
same tight spot. And that is why, as the gap between managers and
grunts in our technological society becomes wider, the computer
virus or rogue program will be seen more and more as one of THE tools
for empowerment.
Anyone who works in the corporate security field should be scared
white at this prospect. Because the hardest 'virus-droppers'
to fight will be the honest, determined employees,
who become progressively alienated by the cynicism and indifference
from an organization they work for.
***********************************************
NEWS BREAK! NEWS BREAK! NEWS BREAK! NEWS BREAK!
***********************************************
NEWS clip from one of COMPUSERVE's free services:
Online Today
CANADIAN CHARGED WITH PLANTING ALDUS COMPUTER VIRUS
(Aug. 20)
Former Canadian computer magazine publisher Richard Brandow, 28,
has been accused of planting a computer virus that tainted thousands
of copies of Aldus Corp. software in 1988.
According to The Associated Press, Brandow, who now writes for
"Star Trek," has been charged by prosecutors in King County,
Washington with malicious mischief and could face up to 10 years in
prison if he is convicted.
Brandow said he finds the charges surprising. "What are they going
to do?" he asked, "It happened four years ago, and I am here in
Montreal."
He told AP that he arranged for a message to flash briefly on
computer screens that wished peace "to all Macintosh users around the
world." [...] were designed to educate the public
to the danger of viruses. Brandow included his name in the message so
he could be contacted.
The virus made its way eventually to Aldus where it infected a
master disk for producing copies of Freehand, an illustration
program. After the virus was discovered, Aldus recalled 5,000 copies
of Freehand and replaced another 5,000 copies it had in its
inventory. The incident cost the firm $7,000.
Ivan Orton, King County senior deputy prosecuting attorney, told AP
it was the first time the state has brought such criminal charges. He
also said he believes the incident was the first time a virus had
tainted commercial software.
For more news from The Associated Press, consult the Executive News
Service.(GO APONLINE).
--Cathryn Conroy
[URNST KOUCH butts in: In this story, reporter Conroy is referring
to the MacMag Peace virus, commissioned by Brandau, then the editor of MacMag
magazine. Its trigger date of March 2, 1988, was the
first anniversary of the Mac II - at which time the virus displayed
the universal peace sign, or something to that effect. After Mar 2,
the virus erased itself. Why do the authorities always come up with
a charge YEARS later; a day late and a dollar short, so to speak? And by the
way, it is spelled "Brandau."]
IN SEARCH OF TROJAN PROGRAMMING or CRYPT NEWSLETTER's CAMPAIGN
AGAINST THE UNRESTRICTED FLOW OF PC PORNOGRAPHY
A good deal of this issue is devoted to helping the reader optimize
his planned trojan programs for real world success.
Let's face it, trojans which blindly sack the fixed disk and
contain unencrypted, embedded ASCII strings like "You're fucked now,
lamer!! Ahahahahaha!" don't cut it in the real world. Of course,
such trojans will always work against the PC initiate. But admit it,
that's about as much good sport as shooting fish in a barrel. No
challenge, no style. Far better to just put a ballpeen hammer through
the monitor and do some real damage.
A good trojan should distract the user. It should, perhaps, display a
fine graphic, send a cryptic error message to the monitor, or
appear to do . . . nothing. Good trojan programmers never stoop to that
old bromide, "You're fucked now, lamer!!"
So, to start, you will want to subscribe to Lee Jackson's HACK REPORT,
available at too many public electronic archives to count.
It's a fine guide and tells you just what's out there; it even
chronicles the more successful trojans. It is GOOD FOR IDEAS.
For example, in the pd world, many were duped by the XTRATANK trojan,
a genuinely clever and twisted set of programs that promised to
double a user's disk space free of charge. In reality XTRATANK placed
Michelangelo and Stoned virus onto the machine in two discrete steps.
XTRATANK batted directly to the average user's weakest spot: The
desire to gain something for nothing!
Upon installation, a portion of Michelangelo's code was copied
to the boot block of the disk. This was not enough to trigger any scanner.
After the user realized the program was doing nothing for him, he would
uninstall it, probably using the de-installation software.
The de-installation software copied the remainder of Michelangelo
to the boot block and inserted Stoned into memory. At this point,
a scan run reveals something seriously wrong. Many were sucked in by
XTRATANK.
But maybe you don't have the time or the will to come up with
an XTRATANK. Consider making trojans out of pornographic files.
It's easy, the trojans are simple to put into the wild and
serve a purpose: they burn users whose sexual tastes run to the
bizarre. For this purpose, I've included the code to a flashy, but crass,
display which writes an animated ANSI of a squirting gland directly to
the video page. Then it crushes the drive. The ANSI was converted
into code suitable for direct video writes by the most recent version
of the LAUGHING DOG screen maker. The utility of this code is that
ANSI.SYS does not have to be loaded, the graphic effect will take
quite nicely without it. (See the appendix file: PENIS.ASM.)
A second trojan is an update of CORRUPTO, something I designed
using VCL 1.0. CORRUPTO 2 will display the error message "Cannot
open lezbosex.dat/Critical errorlevel=25" when executed and
then drop a small proprietary Crypt program which can surgically
rewrite the partition onto an executable in the current directory.
Include CORRUPTO in an archive with at least one other V-loader of
wimmen getting it on with each other or something similar. (The idea
here is that Lesbian loaders are a hot download. It's true, they just
blow right out the door.) The user runs the first loader in the archive
and gets an eyeful. He starts polishing his knob and runs CORRUPTO 2.
Nothing but the error. Damn! Some cretin took the .DAT file out of
the archive, he thinks! Stupid pirates! (Don't forget to include
another dummy .DAT file for the real program, to make the sham filth
seem even more real.)
In reality, a partition bomb is now installed upon CORRUPTO,
the other V-loader, and any other executable in the directory.
When any one of these is invoked, the partition table on the C drive
of any 80286 and up machine will be silently and quickly rewritten.
The results will be somewhat disruptive to the day's computing activity,
UNLESS the user has a back-up image of the partition saved off disk and
the wit to reload it.
There are other benefits in creating trojans for porn directories.
1] Victims never squeal. Most Americans are far too neurotic to
admit something bad happened to them while they were watching "dirty"
sex. It's like confessing to your girlfriend you have a problem
with horrible anal itching. It's just not done. So they may not even
inform the sysop, giving your trojan longer shelf-life.
2] Such trojans are deceptively simple to upload to 'adult'
directories, the bigger the better. Large adult directories
aren't well-supervised. Let's face it, even the biggest
pervert doesn't have enough time in the day to keep track
of all the squamous product he stocks. Do you think he's gonna look
at yours closely? Bet against.
3] Such trojans will not show up in The Hack Report. Lee Jackson
does not cover this angle, for obvious reasons.
4] It puts you on the Republican side in the war on porn. You
can be smug, like them, in knowing that YOU ARE DOING THE
RIGHT THING when stomping on those presumed vile by the Moral
Majority. Heck, you might even strike a few Republicans
anonymously in this manner.
5] Think of the kid who's gonna have to explain to his Dad
why the PC in the study room just went down. You could be steering
the boy in the right direction by discouraging him from tying up the
phone and blowing valuable online time downloading more filth.
But pd trojans have their place, too. To that end, Crypt Newsletter
has included the DEBUG script to BATCOMPI.COM, a very effective
BAT2EXE trojan. BATCOMPI will, indeed, compile your .BAT files
into flawless .COM's. However, don't make a mistake when editing
your .BATfile!! BATCOMPI will point out the line number and then
punish the drive with a heavy stick. Also included are the
convincing, BUT COMPLETELY BOGUS, docs for BATCOMPI, written by
"Ned Turnquist." Be sure to include these with BATCOMPI, wherever
it goes, to further give it that right patina of legitimacy. (Like
XTRATANK, BATCOMPI strikes at the greed of users who wish a
"free lunch.")
And also for your trojan programmer's toolkit, a DEBUG script of
NOWHERE MAN's CRYPTCOM utility. CRYPTCOM serves many purposes.
Use it to put an encryption shell over your trojan, in the
event that someone might look at it with CHK4BOMB. Use it to
put an encryption shell on an old virus that you'd like to
get past an initial run by an up-to-date scanner.
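A worked example added by the editor for this issue; it is not part of the newsletter's appendices and is not Nowhere Man's CRYPTCOM code. It models, in Python, what a CHK4BOMB-style static check sees in a crude .COM image (taunt strings and CD xx opcodes for INT 13h/INT 26h), what it sees once the same image is wrapped in a one-byte XOR shell, and the two things a scanner author reaches for next. The image bytes, the stub bytes and the suspicious-string list are all constructed for illustration; the function names are the example's own; nothing in it is executed as machine code.

```python
"""Added example: why a one-byte XOR 'encryption shell' hides a trojan from a
string/opcode scanner such as CHK4BOMB, and why that is thin protection.
Everything here is constructed data; no byte of it is executed."""
import math
from collections import Counter
from typing import List, Optional, Tuple

# Constructed stand-in for a crude trojan image: a '$'-terminated DOS string
# printed via INT 21h/AH=09h, then an INT 26h (absolute disk write).  Data only.
SAMPLE_COM = (
    b"\xb4\x09\xba\x10\x01\xcd\x21"        # mov ah,9 ; mov dx,0110h ; int 21h
    b"You're fucked now, lamer!!\x24"      # the taunt string, '$' terminated
    b"\xcd\x26"                            # int 26h
    b"\xc3"                                # ret
)

# Assumed CHK4BOMB-style rules (the real tool's lists are not reproduced here).
SUSPICIOUS_STRINGS = [b"fucked", b"lamer", b"format", b"deltree"]
SUSPICIOUS_INTS = {0x13: "INT 13h (BIOS disk I/O)",
                   0x26: "INT 26h (absolute disk write)"}


def static_scan(image: bytes) -> List[str]:
    """Flag plain-text taunts and CD xx opcodes for dangerous interrupts."""
    hits = []
    low = image.lower()
    for s in SUSPICIOUS_STRINGS:
        if s in low:
            hits.append("string %r" % s.decode())
    for i in range(len(image) - 1):
        if image[i] == 0xCD and image[i + 1] in SUSPICIOUS_INTS:
            hits.append(SUSPICIOUS_INTS[image[i + 1]])
    return hits


def xor_shell(image: bytes, key: int) -> bytes:
    """Model of a CRYPTCOM-like wrapper: a small plaintext decryptor stub
    followed by the body XORed with one constant byte.  The stub bytes are a
    constructed placeholder, not Nowhere Man's code."""
    stub = b"\xbe\x10\x01\xb9\x00\x00\x80\x34" + bytes([key]) + b"\x46\xe2\xfa"
    return stub + bytes(b ^ key for b in image)


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte.  A constant-key XOR is a bijection on
    byte values, so it leaves this number exactly where it was."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def brute_force_scan(image: bytes) -> Optional[Tuple[int, List[str]]]:
    """The scanner author's answer to a one-byte shell: there are only 256
    keys, so undo each one over the whole file and rescan.  Returns the first
    key that exposes something, or None."""
    for key in range(256):
        hits = static_scan(bytes(b ^ key for b in image))
        if hits:
            return key, hits
    return None


if __name__ == "__main__":
    shelled = xor_shell(SAMPLE_COM, 0x5A)
    body = shelled[len(shelled) - len(SAMPLE_COM):]
    print("plain   :", static_scan(SAMPLE_COM))
    print("shelled :", static_scan(shelled))
    print("entropy : %.3f plain vs %.3f shelled body" % (entropy(SAMPLE_COM), entropy(body)))
    print("brute   :", brute_force_scan(shelled))
```

Two caveats the example makes visible: a constant-key XOR does not change the byte histogram, so an entropy heuristic is blind to this kind of shell, and the key space is 256 values, so a scanner can simply try every key and rescan, which is what brute_force_scan does. A shell of this sort only buys time against scanners that do neither.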
[Also in this issue, a DEBUG script of the CASINO virus. The
CASINO virus is a very fine program, but, unfortunately, it scans.
If you want to get CASINO past the original round of scanning on
any machine, CRYPTCOM it.]
CRYPTCOM is merely part of Nowhere Man's Nowhere Utilities 2.0
software package. If you find it helpful, you'll want to dash
out and obtain the complete package at places like The Hell Pit
or the BBS's listed at the end of The Crypt Newsletter.
[For assembly, take the DEBUG script for the appropriate trojan,
virus, or utility listed in the newsletter appendices and
go to the C:\> prompt.
Type DEBUG <*.SCR, where the wildcard stands for the name of the
appropriate script, then press <enter>. If DEBUG is in your path,
the CASINO virus, BATCOMPI, CRYPTCOM, or NUKEX should now be assembled
and sitting in the current directory, ready for use.
NUKEX? "What's that, URNST?" I hear you screech. NUKEX is a bonus
trojan! Invoking NUKEX will immediately abolish the directory
structure on the C: drive of any machine and along with it,
all the files on the disk. NUKEX is heavily cushioned for error
and will gracefully exit to DOS if something unforeseen occurs.
(However, this is unlikely.) NUKEX is completely silent, too.
Recommended uses: as a stand-alone rabbit-punching program or
for inclusion as a 'dropped' payload, deposited by virus or
trojan. NUKEX can be deployed as a subroutine in any
virus, too. [NUKEX can easily be configured to erase any drive, but
the copy included with the Crypt Newsletter is good ONLY for
the C: drive.] I have passed along the source code to Nowhere Man
who is reviewing it for inclusion in the VCL 2.0.
NUKEX does not format or overwrite the affected drive. It does
however, present the user with the unpalatable job of "unerasing"
hundreds, if not thousands, of files and directory entries.
NUKEX user note: if invoked from a floppy disk, NUKEX will
abolish the directory structure on a fixed disk, leaving itself
intact. If invoked from anywhere on the fixed drive, NUKEX will
erase itself in the process of deleting the entire disk. So make
sure you have a backup.]
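A second worked example added by the editor, not part of the newsletter's appendices and not NUKEX: a Python model of what a delete-only payload leaves behind in a FAT directory, and what an "unerase" tool therefore has to work with. The directory image is constructed in the file, the function names are the example's own, and only the directory is modelled (a real delete also frees the file's FAT chain, which is the part that makes recovery of fragmented files unreliable).

```python
"""Added example, not from the newsletter and not NUKEX: what a delete-only
payload leaves behind in a FAT directory, and what an 'unerase' has to work
with.  The directory image is constructed in this file."""
import struct
from typing import Dict, List

# 32-byte FAT directory entry: name(8) ext(3) attr(1) reserved(10)
# time(2) date(2) first cluster(2) size(4), all little-endian.
ENTRY_FMT = "<8s3sB10sHHHI"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 32
DELETED = 0xE5      # DOS marks a deleted entry by overwriting only this first byte
END_OF_DIR = 0x00   # an all-zero first byte means no more entries
ATTR_DIR = 0x10


def make_entry(name: str, ext: str, attr: int, cluster: int, size: int) -> bytes:
    """Build one directory entry (helper for the constructed image)."""
    return struct.pack(ENTRY_FMT, name.upper().ljust(8).encode("ascii"),
                       ext.upper().ljust(3).encode("ascii"),
                       attr, b"\0" * 10, 0, 0, cluster, size)


def parse_dir(blob: bytes) -> List[Dict]:
    """Walk a raw directory, reporting live and deleted entries alike."""
    entries = []
    for off in range(0, len(blob) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = blob[off:off + ENTRY_SIZE]
        if raw[0] == END_OF_DIR:
            break
        name, ext, attr, _res, _time, _date, cluster, size = struct.unpack(ENTRY_FMT, raw)
        deleted = name[0] == DELETED
        # The first character is the one thing the delete destroys; an unerase
        # tool has to ask the user for it, shown here as '?'.
        base = ("?" + name[1:].decode("ascii")) if deleted else name.decode("ascii")
        base = base.rstrip()
        ext_s = ext.decode("ascii").rstrip()
        entries.append({
            "name": base + ("." + ext_s if ext_s else ""),
            "attr": attr,
            "cluster": cluster,
            "size": size,
            "deleted": deleted,
        })
    return entries


def wipe_directory(blob: bytes) -> bytes:
    """Model of a delete-only payload: every live entry gets its first byte set
    to E5h.  Name tail, attributes, starting cluster and size are untouched,
    which is exactly why such damage is recoverable at all."""
    out = bytearray(blob)
    for off in range(0, len(out) - ENTRY_SIZE + 1, ENTRY_SIZE):
        if out[off] == END_OF_DIR:
            break
        if out[off] != DELETED:
            out[off] = DELETED
    return bytes(out)


def unerase_candidates(entries: List[Dict]) -> List[Dict]:
    """What an unerase tool can offer: deleted file entries whose starting
    cluster and size survive.  Recovery is only reliable if the file was
    stored contiguously and nothing has reused those clusters since."""
    return [e for e in entries
            if e["deleted"] and not e["attr"] & ATTR_DIR
            and e["size"] > 0 and e["cluster"] >= 2]


# Constructed root directory: three live entries plus one already-deleted file.
DIR_IMAGE = (
    make_entry("COMMAND", "COM", 0x20, 2, 47845)
    + make_entry("AUTOEXEC", "BAT", 0x20, 15, 128)
    + make_entry("DOS", "", ATTR_DIR, 16, 0)
    + bytes([DELETED]) + make_entry("OLDFILE", "TXT", 0x20, 40, 10)[1:]
    + b"\0" * ENTRY_SIZE
)

if __name__ == "__main__":
    wiped = parse_dir(wipe_directory(DIR_IMAGE))
    for e in wiped:
        print(e)
    print("recoverable:", [e["name"] for e in unerase_candidates(wiped)])
```

The point for anyone cleaning up after such a payload: stop writing to the disk immediately, because every surviving entry still names its first cluster and its size, and the only things already lost are the first character of each name, the subdirectory tree above the root, and the FAT chain, so the longer the disk is used the more of those clusters get overwritten.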
These programs and utilities should prove helpful if you are
considering going into the 'trojanizing' business. Remember:
The right tools for the right job!!
***********************************************
THE FIRST CRYPT NEWSLETTER NATHAN HALE AWARD!!!
***********************************************
Goes to Hans Von Braun, chief sysop for the COMSEC BBS in San Francisco.
Our hats off to Von Braun, a member of the National Computer Security
Association who seems to firmly believe that bulletins like 40HEX
magazine should be made freely available to any interested party.
Since 40HEX describes in detail tricks of virus development, Von Braun
writes in a recent issue of the NCSA NEWS (a reprint of which was passed
along to us here at Crypt's editorial bungalow), "We [have been] told
that there are only a handful of people in the world that should have
this information; they are antivirus program developers."
Von Braun writes earlier, "I believe it is better for
you to HAVE the information than not to have the information."
Now, please go back to the statement "there are only a handful of
people in the world that should have this information." Whew!
That's a grand claim! It almost makes virus code sound more
dangerous than nuclear secrets. Of course, you, the Crypt reader
know this to be patent bullshit. And, apparently, in some manner
so does Mr. Von Braun.
There are two reasons which come to mind when explaining the a-v
developers' dumbo rationale for the "eat-your-peas, we know what's best,
no virus code for you" rule. They are:
1]. They really DO believe, in some Luddite way, that letting
people onto this stuff instigates virus propagation. They DO
believe that the average lumpen prole is too irresponsible to
handle code correctly. This is very Republican and corporate,
and although extremely deluded, easy to grasp. It is soothing
balm to many clients' ears.
2]. And the real kicker: This info
falls into the realm of "proprietary" secrets. Giving away
proprietary information increases your competition,
hurts your market advantage, and is, in general, bad for the
pocket book because it will spawn users who don't require you
to hold their pecker for them when they encounter a virus.
So, kudos to Mr. Hans Von Braun for his "interesting" stand.
We include his mailing address here so that you might send
your opinion to him on this matter:
123 Townsend Street
Suite 555
San Francisco, CA 94107
****************************************************************
AND THE CRYPT NEWSLETTER's US NEWS & WORLD REPORT IRAQI COMPUTER
VIRUS PRIZE FOR THIS MONTH . . .
****************************************************************
Goes to Michael Callahan (alias Dr. FileFinder), editor of SHAREWARE
MAGAZINE. Even after a two issue series interviewing John McAfee,
Callahan still believes that viruses can permanently damage the
hard disk. (Talk about dense.) Now you can argue with me on this one,
but show me a user who claims his machine was irrevocably damaged
by a virus and I'll show you a user too embarrassed to admit
he "Pepsi syndrome'd" himself.
And Patricia Hoffman's virus library IS NOT the national computer
virus library, Mike. It may be a big library, but it's not the
government's, it's not open to private citizens (like national
libraries) and it is not similar to the American Type Culture
Collection (ATCC) which is the U.S. clearinghouse for real-live
microbes of the natural kind.
********************************************
AND THE CRYPT NEWSLETTER VIRUS OF THE MONTH:
********************************************
The CASINO virus - from the island of Malta.
The CASINO virus is a memory resident .COM infector. It will
infect COMMAND.COM and will infect .COM files on the internal
DIR command, on a directory listing called by any other program, and
when clean files are opened for any reason.
When CASINO is resident, infected files will show only very small
increases in file size, although the virus is not true "stealth."
The interesting trait of CASINO is its activation: On any January 15,
April 15, and Aug. 15, CASINO will display the following message:
"DISK DESTROYER * A SOUVENIR OF MALTA
I have just destroyed the FAT on YOUR DISK!
However, I have a copy in RAM and I'm giving you one last
chance to restore your precious data!
WARNING: IF YOU RESET NOW ALL YOUR DATA WILL BE LOST - FOREVER!
Your data depends on a game of JACKPOT.
CASINO DE MALTE JACKPOT"
CASINO will then compel the user to play a game of chance. If he
loses, the FAT is destroyed.
When I described this to Mrs. URNST KOUCH, she said, "That's evil."
A DEBUG script of the CASINO virus is included with this issue of
the Crypt Newsletter. Enjoy your copy of CASINO virus.
PALLBEARER's KONSUMER KORNER: THE TERM PROGRAM FOR VIRUS COLLECTION
/********** FACILITATION OF VIRUS COLLECTION I: THE TERM PROGRAM *************/
The entire focus of this small article is intended
to save you and your SysOp time and money in the virus trade. This, number
one in the series, is designed to help you find the best terminal
program for your needs. It reflects solely my opinion, but I am
sure you will find it valuable.
In the spirit of 'Consumer Reports' and Ralph Nader, I have parked
myself in front of the computer during much of my spare time to compile
this report (I know, REAL hard work...). So, without further ado:
-*-
PALLBEARER'S GUIDE TO "TERM"
(Yeah, I know it's a stupid name, but hey, I'm the author, I'm
allowed to do stupid things.)
-*-
First, my old standby: Procomm Plus 2.01
Well, I have been using a version of Procomm Plus since I started
collecting virii, and BBSing, for that matter. Many people find
ProComm to be clumsy. I, personally, enjoy it. Overall, it has two major
flaws: One - it only supports 3 external protocols; two - it does
not support AVATAR. Beyond this, I find it very versatile. It
DOES support many internal protocols, including ZMODEM, XMODEM-CRC, 1K,
and 1K-G; YMODEM and G, plus a host of other "lesser knowns" such as
SEAlink, WXMODEM, IMODEM, and, of course, KERMIT, which is run as
an external. I find the internal ZMODEM inadequate, thus I
retain DSZ as an external protocol, which I have configured for
MobyTurbo. HS/Link and Super-Zmodem are also easily supported. On the
plus side, PCPlus provides COMPUSERVE B+, the famous information
exchange's protocol of choice. And one BIG feature is the pulldown menus
from which everything can be configured. With PCPLUS, the only time
one must ever make use of the install program is if you desire an
easier way to change modem config and COM ports. PCPLUS also
supports a Keyboard file for easy user remap, and has a wonderful
internal utility that speeds up the keyboard of an AT or above.
The whole ball of wax, including colors, is configurable from the
menus. Of course, the internal split-screen chat is also accessed
this way.
The host mode, for you menu fanatics, leaves much to be desired,
but works nonetheless; those of you desirous of running BBS through
Procomm Plus Host, however, should remove your collective thumb
from your ass and get a life.
Last, the big question with many PC users today: the SPACE. Well,
Procomm requires over a Meg of space BUT I would allocate 2.5 Megs on
my drive for it: this includes constant screen captures and little downloads
here and there that seem to be forgotten about. For me, space
is no object, but for many users this problem is one that is
paramount.
-*-
Qmodem 5.0
Ahh, the term software that sounds like a transfer protocol. After
testing this package, my only compliment is that it supports plenty
of external protocols, shrinks out for a DOS shell, supports AVATAR,
and is frugal on my hard drive. But my REAL advice to those of you who
have a Qmodem archive? Delete it. This is one of the worst and
clunkiest terms I have EVER seen. It displays a nice ANSi at startup,
and has a colorful install program (sort of reminded me of that of
Windows 3.1), but otherwise bites the big one. I was constantly referring
to the help screen, since none of the hotkeys from other terms were
represented (save for the standard PAGEUP/PAGEDOWN file xfers).
A plus: file transfer data screens are very informative. However,
this, too, is tainted by a generally hard-to-navigate interface. I will
admit I did not spend a lot of time with Qmodem, time I still
regret wasting.
A final bonus: Qmodem 5.0 features a superior host
mode with great menus, etc, but only 2 security levels. Well, what do you
expect from a term program's host, anyway? I repeat myself: If you
choose a term for its host mode, your thumb smells strangely of shit.
-*-
COM-AND 2.8
I am surprised to admit I was pleased with this SHAREWARE program. It
incorporated many of the keys of the best of the "off-the-shelf" out
there. COM-AND also has a hotkey for ASCII download, which will play
your session back to you later just like a tape recorder. Nice. Or it
can be speeded up with a simple keystroke to simply scroll across the
screen. The dialing directory, always an important part of any term,
was limited in size to 100 entries, but, then again, who keeps 100
entries in the dialing directory (before you say 'ME!,' look and see
when the last time you called some of those BBSes was...)? The directory
gave me a feeling of deja vu, too. It is faintly reminiscent of those
early releases by DataStorm. The documentation was thorough, and
an EXCELLENT help screen could be accessed by striking F10.
One major feature found in COM-AND and in many other "bare-bones"
terms, is control and configuration almost exclusively
by script. All of the major configuration files were written
in plain English, and could be easily modified in the internal editor,
reached by simple hotkey.
Another thing that caught my attention, and it should've caught yours
while reading this report, is that EVERYTHING has a simple hotkey.
This can be good or bad. The drawback: While you are learning
the software you must constantly refer to the helpscreen. This will
cost you time, and time is money (Ma Bell does not come
cheap). I suggest picking a group of local BBSes and learning COM-AND on
those while sticking with another, more familiar term, for LD.
I guarantee, however, as you improve with time, you will notice
a marked preference for COM-AND while LD calling; you'll be pleased by
the ease of use and timesaving brought to you by the hotkeys.
COM-AND also features one more perk: Encryption. All of its user
script files (logon/logoff, etc) are saved in the .CMD format, which
as the docs say, prohibit "casual perusal" from people looking for
passwords, etc. This makes it an excellent candidate for use on a
multi-user system. All of these are decrypted in memory and may be
easily edited in the internal editor. Macro and other files are not
automatically encrypted, but may be garbled manually with a hotkey.
As for file transfers, COM-AND features all of the major protocols
(XMODEM, YMODEM, YMODEM-G, CIS-B and B+ enhanced, and, of course, ZMODEM),
but it leaves much to be desired in the fact that it does not
(or so it seems) support external protocols. (COM-AND supports external
additions through an "accessories" menu. It works well but is
not particularly user-friendly. -Ed.) Now, this is easy enough to
fix, write yourself batch files and drop to DOS for your file
transfers. For those few who find this too difficult (or time consuming
for bad typists), then either live with the internals, or COM-AND is
not for you. COM-AND also features an internal Kermit server.
Overall, I prefer Procomm Plus, thank you very much,
because of the fact that COM-AND implements externals poorly. Otherwise,
COM-AND is flawless; a wonder in its configurability.
Even the nag screen doesn't bother me, all it wants you to do is hit
a key, and I have to do that with Procomm after it initializes the modem.
I do consider COM-AND good enough to register!
It can be picked up from your local pd BBS.
-*-
Telemate 3.01
Last but not least is another shareware answer to term,
in the spirit of Apogee's Trilogies comes Telemate 3.01, which, like
Qmodem 4.5 (I tested the registered version, 5.0) and COM-AND,
is shareware. Also, along the Apogee lines, Telemate is a superior
term program. It supports multiple externals, multiple common and
uncommon protocols, and many different emulations including my
'must have', AVATAR.
Telemate has one queer feature - it plays music to you.
That's right! I sat down for the first time with Telemate (incidentally,
I did not receive the data files for the built-in tutorial, so this
critique is limited), and did a file transfer, the point of this
report. When it was completed, I knew my computer meant business
because it began to play the theme from 'Jeopardy' when I
didn't press a key fast enough for Telemate's liking. Later, I
discovered this song could be changed during installation. Speaking of
which, my biggest complaint with Telemate: all of the major
settings had to be changed from the config program, which was not
available on the fly. Also, the Pulldown bar is always exposed
and includes a status bar at the bottom, giving the user only 23 lines.
(As far as I could tell, it was simplest to leave it this way.)
One unique plus to Telemate is its split-screen and box effects, as
though it's being run under Windows. For instance, it is possible
to view a text file or the redisplay buffer in one window and have
the term in the main window. It is also possible to edit a text
or script file in a window with the term in another. I find this a
BIG plus to anyone using a term program; it will greatly facilitate
your time online.
Last, I must comment on the dialing directory. Frankly,
it stunk. The default colors were horrible, and editing the entries was
a mess. Also, it requires 3 or 4 keystrokes to dial an entry, rather
than one stroke needed for most terms. The dialing directory also had
an annoying habit of coming up as soon as Telemate was called. Thus,
if you simply needed to send a string to your modem, you had to wait until
after initialization and then exit from the dialing directory - or
start dialing a BBS in Europe and not even realize it (and the
author of Telemate refuses to pay phone bills incurred in this manner...
sheesh, what a pain...).
All in all, I found Telemate to be an acceptable term program and would
switch in a second, if the dialing directory were improved. Well,
there's always next release, for tomorrow is another day (fiddle-dee-dee).
-*-
{COMMO} 5.3
For all the manly men in the virus collecting community, Fred
Brucker's assembly-coded term program could be for you. COMMO's
strong points are its raw, unsurpassed speed of operation, extremely
small kernel when shelling to DOS and powerful master macro utility
which controls all functions in simple, intuitive one-stroke
hotkeys. Alt-D - dial! PageUP - upload! Alt-X: BE GONE! COMMO
also takes up almost NO space on a hard drive. Hey, even a
steroid-gobbling idiot can use COMMO!
COMMO's disadvantage (and it's one that weenies will be leery of):
It supports only Xmodem and Ymodem internally. The good news: Zmodem,
HS/Link and Compuserve B+ are ready for your use. Just drop the
programs into the COMMO directory and they are, almost magically,
ready for work WITH NO USER CONFIGURATION REQUIRED.
As shareware, COMMO is quite reasonably priced: $25 cash money.
Shelling out a little more gains a host of COMMO-ready scripts which
activate a mini-host and a number of other somewhat useless utilities.
/*
* Well, I do hope you enjoyed this small romp through this vale of tears,
* er, terms. Be on the lookout for next issue's guide to transfer
* protocols: and remember, it's good stuff, because I'm not only a
* CryPt SysOp, I'm also a member. Acknowledgements to authors and
* ordering info for each reviewed program is found below.
*
* -Pallbearer [CryPt]
*
*/
PROCOMM PLUS 2.01: Copyright (c)1987, 1991, Datastorm Technologies.
QMODEM 5.0: Copyright (c)1992, Mustang Software
COM-AND 2.8: Copyright (c)1991 CABER software (R. Scott McGinnis).
Available through PLINK, GEnie, UNISON, NWI, Delphi,
and CompuServe.
TELEMATE 3.01: Copyright (c)1988 - 1992, White River Software.
CompuServe in IBMCOM forum Library 3/Comm program.
FidoNet requestable from 1:2202/1 as 'telemate'.
{COMMO} 5.3: Copyright (c)1989, 1992; Fred P. Brucker
On CSERVE, go IBMCOM, Library 3/Comm programs.
-Hey, you find this boring, but what if you ever
WANT to get a copy of one of these?
****************************************************************************
ADDITIONAL USER NOTES ON PROGRAMS INCLUDED WITH THIS ISSUE OF
THE CRYPT NEWSLETTER - A SERVICE TO THE TERMINALLY STUPID BECAUSE
WE CARE
The CORRUPTO script will produce CORRUPTO.COM. In 'heuristic' mode,
F-PROT 2.05 flags CORRUPTO as containing routines which search for
.COM and .EXE files, possibly indicative of a virus. This is
true and gives you a good excuse to run CRYPTCOM on CORRUPTO after
manufacture and see how it cleans this problem up. In addition,
you might want to consider touching up the size (CORRUPTO is less
than 1k, hardly convincing as a simple V-loader.) and date/time stamps
on the trojan. For those tasks, you'll need the rest of Nowhere Man's
Nowhere Utilities 2.0. I'm sure you'll want to get them and see how
easy they make these mundane chores for yourself.
[On F-PROT 2.05: Fans of this program, and I am one, are probably
somewhat bemused by its increasingly skitzy performance, which
Skulason duly notes in F-PROT's expanding 'bug reports.' 2.05 is
incredibly slow and sometimes hangs when analyzing files
heuristically, destroying much of this feature's utility for the
average user. And occasionally 2.05 does not appear to scan memory
at all on my machine. Geezus.]
You can also "tickle the dragon's tail" with CORRUPTO. Place it in
a directory by itself and execute it. CORRUPTO will install a drive bomb
on itself in a trice, display an error message, beep once and return
you gracefully to the DOS prompt. This is just as things will appear
to the pigeon. DO NOT RUN CORRUPTO AGAIN!! (Unless you want to replace
the partition on your fixed disk, anyway.) Delete the file and prepare
your original copy of CORRUPTO (you did make a backup, didn't you?)
for its trojan archive.
THE NUKEX script will generate NUKEX.COM. NUKEX.COM can be flagged
by F-PROT 2.04 as 'suspicious' because it contains a recursive
search mechanism. Don't forget to use CRYPTCOM if you want to
avoid all possibility of this.
For further info on the Nowhere Utilities CRYPTCOM, see the
accompanying appendix, CRYPTCOM.DOC. Meanwhile, see this
final ad:
*****************************************************************************
The Nowhere Utilities v2.0 are finally out! v2.0 includes several bug
fixes and improvements, in addition to three new utilities:
o DECRYPT: Decrypts data encrypted with most 8- and 16-bit
encryption schemes, usually in under 10 seconds!
o FAKEWARE: In just a few minutes, FAKEWARE will generate
a totally bogus ware, right down to the ZIP comment and
.NFO file by a famous cracking group. Great for distributing
new virii and trojans.
o USER2TXT: Converts a Telegard v2.5/v2.7 or X-Ot-Icks v3.8
user list to a readable ASCII file. Useful for on-line
reference while hacking...
Get the Nowhere Utilities today! A fine set of programs to help the
corrupted programmer develop and spread his creations. Useful to just
about anyone at one time or another. From the author of Virus Creation
Laboratory.
[NuKE] Release [NuKE] Release [NuKE] Release [NuKE] Release [NuKE] Release
*****************************************************************************
-*-
Closing quote for the day:
"Remember, boys and girls, to put your roller skates away
at the TOP of the stairs."
--Soupy Sales
-*-
This issue of the Crypt Newsletter SHOULD contain the following
files:
CRYPTLET.TR5 - this document
PENIS.ASM - MASM/TASM compatible source listing for the PENIS
trojan
CORRUPTO.SCR - DEBUG script for the CORRUPTO 2 trojan
NUKEX.SCR - DEBUG script for the bonus trojan/util, NUKEX
CRYPTCOM.SCR - DEBUG script for Nowhere Man's CRYPTCOM
trojan/virus toolkit utility, Nuke
International Software, Inc.
CRYPTCOM.DOC - documentation and user notes for CRYPTCOM
CASINO.SCR - DEBUG script for the CASINO virus
BATCOMPI.SCR - DEBUG script for BAT2EXE trojan program
BATCOMPI.DOC - 'fake' documentation for BATCOMPI trojan program
ASM.BAT - ancillary file to accompany BATCOMPI.DOC
If any of these files are missing, demand upgrade!
As usual, current and complete issues of the Crypt Newsletter can
be obtained at the DARK COFFIN BBS. Here at the newsletter, we welcome
your comments and contributions, so, until next time . . .
I remain your obedient servant,
URNST KOUCH
╔══════════════════════════════════════════════════════════════════╗
║ This V/T info phile brought to you by ç,                          ║
║ Makers/Distributors/Info Specialists in Phine Viruses/Trojans.    ║
╠═══════════════════════════════════════════════════════════════════╣
║ Dark Coffin ···················· HQ/Main Support ··· 215.966.3576 ║
╟───────────────────────────────────────────────────────────────────╢
║ VIRUS_MAN ······················ Member Support ···· ITS.PRI.VATE ║
║ Callahan's Crosstime Saloon ···· Southwest HQ ······ 314.939.4113 ║
║ Nuclear Winter ················· Member Board ······ 215.882.9122 ║
╚═══════════════════════════════════════════════════════════════════╝