Chaos Digest Volume 01 Numero 27
Chaos Digest Mercredi 19 Mai 1993 Volume 1 : Numero 27
ISSN 1244-4901
Editeur: Jean-Bernard Condat (jbcondat@attmail.com)
Archiviste: Yves-Marie Crabbe
Co-Redacteurs: Arnaud Bigare, Stephane Briere
TABLE DES MATIERES, #1.27 (19 Mai 1993)
File 1--40H VMag Issue 1 Volume 2 #000-5(1) (reprint)
Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost by sending a message to:
linux-activists-request@niksula.hut.fi
with a mail header or first line containing the following information:
X-Mn-Admin: join CHAOS_DIGEST
The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070)
or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF], B.P.
155, 93404 St-Ouen Cedex, France. He is a member of the EICAR and EFF (#1299)
groups.
Issues of ChaosD can also be found on some French BBS. Back issues of
ChaosD can be found on the Internet as part of the Computer underground
Digest archives. They're accessible using anonymous FTP from:
* kragar.eff.org [192.88.144.4] in /pub/cud/chaos
* uglymouse.css.itd.umich.edu [141.211.182.53] in /pub/CuD/chaos
* halcyon.com [192.135.191.2] in /pub/mirror/cud/chaos
* ftp.cic.net [192.131.22.2] in /e-serials/alphabetic/c/chaos-digest
* ftp.ee.mu.oz.au [128.250.77.2] in /pub/text/CuD/chaos
* nic.funet.fi [128.214.6.100] in /pub/doc/cud/chaos
* orchid.csv.warwick.ac.uk [137.205.192.5] in /pub/cud/chaos
CHAOS DIGEST is an open forum dedicated to sharing French information among
computerists and to the presentation and debate of diverse views. ChaosD
material may be reprinted for non-profit as long as the source is cited.
Some authors do copyright their material, and they should be contacted for
reprint permission. Readers are encouraged to submit reasoned articles in
French, English or German languages relating to computer culture and
telecommunications. Articles are preferred to short responses. Please
avoid quoting previous posts unless absolutely necessary.
DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Chaos Digest contributors
assume all responsibility for ensuring that articles
submitted do not violate copyright protections.
----------------------------------------------------------------------
Date: Tue May 11 09:24:40 PDT 1993
From: 0005847161@mcimail.com (American_Eagle_Publication_Inc. )
Subject: File 1--40H VMag Issue 1 Volume 2 #000-5(1) (reprint)
40Hex Volume 1 Issue 2 0000
001...........................How to sneak infected files past SCAN.
002...........................The safe way to play with viruses.
003...........................Theory Dept. Viruses Slow vs. Fast.
004...........................Interview of the month: Skism One.
005...........................Article on The Dark Avenger.
006...........................The mother of all viruses - WHALE!
007...........................And now a word from a real dick.
008...........................The Ontario Virus.
009...........................The 1260 Virus.
010...........................The Skism 808 source code.
011...........................Vienna/Violator source code.
40Hex Staff
Hellraiser....................Editor/Programming Consultant ETC...
Nick Haflinger -=PHALCON=-....CO-Editor/Writer/Theory Consultant
Skism One.....................Virus supply/Co-Programming Consultant
The Punisher (Brooklyn).......Virus supply
Garbage Heap..................Main Virus Supply/Overseer
Spell Checker.................Obvoiusly there is none
Call the 40HEX/SKISM Homebase ----- The Landfill BBS (914)-HAK-VMBS
Sysop Garbage Heap.
Home of -=PHALCON=-
40Hex wants YOU - To write articles for this mag. Let's make it world wide!
Send any articles to the 40Hex HQ - The Landfill BBS!
Special shout out to - Sub-Zero (the hard core group), DC Wave, all the
kids at school.
+++++
40Hex Volume 1 Issue 2 0001
- HOW TO GET INFECTED FILES INTO LAME BBS's -
Ok, one problem with sending infected files to BBS's is that you never
can tell if they will be detected by SCAN. Or if you are sending bombs
the sysop might use CHK4BOMB to detect code that is data damaging.
I'm gonna tell you how to get around this. What you need is the following:
PKLITE or LZEXE
and
A good hex editor
What you do is this: compress the infected file with PKLITE or LZEXE. This
will change the file's checksum and ID strings quite a bit, so it can't
be detected by SCAN and damaging data will not be found by CHK4BOMB. The
problem is that now the sysop can use CHK4LITE to detect if the file is
indeed infected. So what you do is this --
Load up the hex editor -
Now look at the file. It will look something like this if you compressed it
with PKLITE.
---------------------------------------------------------------------------
0000 4D 5A 12 01 13 00 00 00-07 00 98 05 4A A4 52 02 MZ..........J.R.
0010 00 04 00 00 00 01 F0 FF-50 00 00 00 03 01 50 4B ........P.....PK
0020 4C 49 54 45 20 43 6F 70-72 2E 20 31 39 39 30 20 LITE Copr. 1990 
0030 50 4B 57 41 52 45 20 49-6E 63 2E 20 41 6C 6C 20 PKWARE Inc. All 
0040 52 69 67 68 74 73 20 52-65 73 65 72 76 65 64 00 Rights Reserved.
0050 0A 00 20 00 17 01 48 00-4A 04 4A A4 E2 03 00 40 .. ...H.J.J....@
0060 00 00 56 11 00 00 1C 00-00 00 00 00 00 00 00 00 ..V.............
0070 B8 E3 07 BA 4B 02 8C DB-03 D8 3B 1E 02 00 73 1D ....K.....;...s.
0080 83 EB 20 FA 8E D3 BC 00-02 FB 83 EB 19 8E C3 53 .. ............S
0090 B9 C3 00 33 FF 57 BE 48-01 FC F3 A5 CB B4 09 BA ...3.W.H........
00A0 36 01 CD 21 CD 20 4E 6F-74 20 65 6E 6F 75 67 68 6..!. Not enough
00B0 20 6D 65 6D 6F 72 79 24-FD 8C DB 53 83 C3 2D 03  memory$...S..-.
00C0 DA BE FE FF 8B FE 8C CD-8B C5 2B EA 8B CA D1 E1 ..........+.....
----------------------------------------------------------------------------
You see the header? Well, what you have to do is overwrite the header with
garbage. Don't write text, cause that is too detectable by a dump program.
Just overwrite the part that says "PKLITE Copr....Reserved" with hex bytes.
Also destroy the part of the code that says "Not enough memory", don't kill
the "$" symbol.
This will make the compressed file-
A> Undetectable to virus scanners, and CHK4BOMB type programs
B> Un-decompressable
C> CHK4LITE won't notice it as a PKLITE file
It's that easy!
Keep in mind however that any file that the virus infects will no longer
be encrypted by PKLITE, so this method is good only for getting your virus
into the front door.
See the article in issue one on making new virus strains.
Forenote
After writing this article SCAN Version 80 came out. It now has the
ability to scan into PKLITE compressed files. Just to let you know that
this technique still works and SCAN cannot detect the file as being
compressed with PKLITE.
HR
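The following is an added example, not code from 40Hex, Chaos Digest, PKWARE or any scanner named in the article. It parses the MZ header of the bytes dumped above, follows CS:IP to the first instruction, and runs two checks side by side: the copyright text the article tells you to junk, and the decompressor code at the entry point, which the article leaves alone because the file has to keep running. DUMP is transcribed from the hex dump on this page; STUB_PATTERN is derived from that single dump and is an assumption for any other PKLITE version, and apply_article_patch is this example's own simulation of the hex-editor edit.

```python
"""Added example (not code from 40Hex, Chaos Digest, PKWARE or any scanner).
Recognise a PKLITE-packed EXE by the decompressor code the MZ header points
to, not by the copyright text the article overwrites. DUMP is transcribed
from the hex dump in the article; STUB_PATTERN is derived from that one
dump only (assumption for other PKLITE versions)."""
import struct

DUMP = bytes.fromhex(
    "4D 5A 12 01 13 00 00 00 07 00 98 05 4A A4 52 02"   # 0000: MZ header
    "00 04 00 00 00 01 F0 FF 50 00 00 00 03 01 50 4B"   # 0010: IP=0100h CS=FFF0h, "PK"
    "4C 49 54 45 20 43 6F 70 72 2E 20 31 39 39 30 20"   # 0020: "LITE Copr. 1990 "
    "50 4B 57 41 52 45 20 49 6E 63 2E 20 41 6C 6C 20"
    "52 69 67 68 74 73 20 52 65 73 65 72 76 65 64 00"
    "0A 00 20 00 17 01 48 00 4A 04 4A A4 E2 03 00 40"
    "00 00 56 11 00 00 1C 00 00 00 00 00 00 00 00 00"
    "B8 E3 07 BA 4B 02 8C DB 03 D8 3B 1E 02 00 73 1D"   # 0070: decompressor stub
    "83 EB 20 FA 8E D3 BC 00 02 FB 83 EB 19 8E C3 53"
    "B9 C3 00 33 FF 57 BE 48 01 FC F3 A5 CB B4 09 BA"
    "36 01 CD 21 CD 20 4E 6F 74 20 65 6E 6F 75 67 68"   # 00A0: "Not enough"
    "20 6D 65 6D 6F 72 79 24 FD 8C DB 53 83 C3 2D 03"   # 00B0: " memory$"
    "DA BE FE FF 8B FE 8C CD 8B C5 2B EA 8B CA D1 E1"
)

COPYRIGHT_OFF = 0x1E
COPYRIGHT = b"PKLITE Copr."
NOMEM = b"Not enough memory"

def entry_offset(exe: bytes) -> int:
    """File offset of the first instruction, from the MZ header. e_cs is
    relative to the load segment and signed: PKLITE's CS=FFF0h, IP=0100h
    puts the entry at the very start of the load module (here 70h)."""
    if exe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    cparhdr = struct.unpack_from("<H", exe, 0x08)[0]     # header size in paragraphs
    e_ip = struct.unpack_from("<H", exe, 0x14)[0]
    e_cs = struct.unpack_from("<h", exe, 0x16)[0]        # signed on purpose
    return cparhdr * 16 + e_cs * 16 + e_ip

def has_copyright_string(exe: bytes) -> bool:
    """The check the article defeats: text at a fixed header offset."""
    return exe[COPYRIGHT_OFF:COPYRIGHT_OFF + len(COPYRIGHT)] == COPYRIGHT

# Stub prologue as dumped at 70h; immediates that vary per file are wildcarded.
W = None
STUB_PATTERN = [
    0xB8, W, W, 0xBA, W, W,                   # mov ax,imm16 / mov dx,imm16
    0x8C, 0xDB, 0x03, 0xD8,                   # mov bx,ds / add bx,ax
    0x3B, 0x1E, 0x02, 0x00, 0x73, W,          # cmp bx,[0002h] / jnb -> "Not enough memory"
    0x83, 0xEB, 0x20, 0xFA, 0x8E, 0xD3,       # sub bx,20h / cli / mov ss,bx
    0xBC, 0x00, 0x02, 0xFB,                   # mov sp,0200h / sti
    0x83, 0xEB, 0x19, 0x8E, 0xC3, 0x53,       # sub bx,19h / mov es,bx / push bx
    0xB9, W, W, 0x33, 0xFF, 0x57,             # mov cx,imm16 / xor di,di / push di
    0xBE, W, W, 0xFC, 0xF3, 0xA5, 0xCB,       # mov si,imm16 / cld / rep movsw / retf
]

def has_pklite_stub(exe: bytes) -> bool:
    """The check the article does not defeat: code at the entry point."""
    try:
        off = entry_offset(exe)
    except ValueError:
        return False
    if off < 0 or off + len(STUB_PATTERN) > len(exe):
        return False
    return all(p is None or exe[off + i] == p for i, p in enumerate(STUB_PATTERN))

def apply_article_patch(exe: bytes) -> bytes:
    """Simulate the edit the article prescribes: junk the copyright text and
    the "Not enough memory" text with non-ASCII bytes, keep the "$"."""
    buf = bytearray(exe)
    for i in range(COPYRIGHT_OFF, exe.index(b"\x00", COPYRIGHT_OFF)):
        buf[i] = 0x80 | ((0x5A * i + 0x33) & 0x7F)       # never printable ASCII
    msg = exe.index(NOMEM)
    for i in range(msg, msg + len(NOMEM)):
        buf[i] = 0x80 | ((0xA7 * i + 0x11) & 0x7F)
    return bytes(buf)

def classify(exe: bytes) -> dict:
    return {"string": has_copyright_string(exe), "stub": has_pklite_stub(exe)}

if __name__ == "__main__":
    print("original:", classify(DUMP))
    print("patched :", classify(apply_article_patch(DUMP)))
```

Run as is, the original reports both checks true; the patched copy loses the string check but the stub check still fires, because the header fields and the code at the entry point are what make the program load and run, and overwriting them with junk would break it. The pattern is one sample wide; a scanner would carry one per stub version it knows.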
+++++
40Hex Volume 1 Issue 2 0002
THE SAFE WAY TO EXPERIMENT WITH VIRUSES
The problem with fooling around with viruses is that you never know
what damage they're going to do to your hard disk. I have a couple of
so-called viruses that when run, automatically screw up the FAT on
all the disks in the system. Well, there's a way around getting the
shaft from these programs, and also to experiment with legitimate
viruses.
The key is the DOS utility SUBST. Make this batch file, and copy it
to a floppy.
----------------------------------------------------------------------------
@echo off
subst d: a:\
subst c: a:\
----------------------------------------------------------------------------
What this will do is send any access to disks C: and D: (the two
hard disks in my case) to drive A:. So the only damage inflicted
will be to the floppy in A:.
No programs can access your hard disk when this command is issued. I
use it all the time and as of now it has proved 100% safe.
Oh yeah, if you don't feel like destroying a floppy every time you
mess with a virus, you can do this technique from a RAM disk.
Have fun...
HR
+++++
40Hex Volume 1 Issue 2 0003
Virus Spreading - Fast Or Slow? By Nick Haflinger -=PHALCON=-
Call The LandFill BBS (914) Hak-Vmbs
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
One of the questions while writing your virus is how quickly you want
it to spread. The easy answer is "As fast as possible" but this is not
always the best answer. If a virus moves slowly, it will take much longer
before somebody notices hard drive space disappearing, he/she will notice
fewer changes to the file dates, and all other symptoms will be lessened.
However, this does provide longer for anti-virus people (pronounced Scum,
with a capital S) to discover the virus. This issue ties directly into the
issue of activation, short or long. Since the issues are virtually
identical, I will cover both together, because they are so closely tied.
The Case For Fast
+++++++++++++++++
Viri should spread as quickly as possible. This allows as little
time as possible for the makers of antivirus programs to come up with an
antidote before the virus is widely spread. This should be tied with a
short activation period to cause as many problems as possible before
detection is possible. Because fewer copies are generated before activation,
each copy may be larger. This allows for more extensive anti-anti-viral
tactics, which are becoming increasingly more important as the number of
anti-viral products rises. Just remember, most of these products are shit.
So don't worry too much.
The Case For Slow
+++++++++++++++++
Viri should spread slowly, because this is less obtrusive, and therefore
users are less likely to notice a change in the system. This should be
coupled with a long activation period as to have maximum penetration before
the virus activates. A slow-spreading virus will circulate to more virus
programmers who will be able to modify the program for specific needs or to
adapt to antiviral tactics. On a purely academic note, slow spreading viri
must be smaller, as more copies must be generated. This means that viri must
be programmed better, which is good for the general community.
The Case Against Fast
+++++++++++++++++++++
Fast spreading of viri is likely to draw attention. Once a virus
has been caught, in most of the cases, it is dead and useless. A virus
should infect the greatest area in the shortest time before the anti-virus
people inevitably catch up to the virus. However, because of the necessity
of a short activation time, this virus has a lesser range than a slow-
spreading virus. The programmer must rely on either (a) the quick
distribution of the virus along at least a regional level --or-- (b) the
ability of other virus programmers to obtain and modify either the source
code or disassemble and modify the distributed virus. If possible, the
source should be distributed along trusted channels. There should be as
little chance as possible of an antiviral researcher obtaining a copy of
the source for your masterpiece.
The Case Against Slow
+++++++++++++++++++++
A slow spreading virus is much more likely to get caught by antiviral
people prior to its necessarily long pre-activation period. There will be
more defenses out against the virus before it has spread much. However, if
the virus is well-done, it will have spread far before it is caught.
Conclusion
++++++++++
Actually, I lied. There is no conclusion to be drawn from this, as
this is in itself the conclusion of long hours of thought and much
brainstorming on BBSs. If you would like to comment, I can be reached on
LandFill BBS, phone number above. In a future article, I will attempt to
cover anti-anti-virus tactics. I may also respond to some important
questions/comments I may receive. Start your viri now! And may the best
bug win!
NH
+++++
40Hex Volume 1 Issue 2 0004
Interview with Skism One - AKA Lord SSS (triple S)
This interview was taken by Hellraiser on July 7, 1991 in Washington
Square Park, Manhattan.
HR: So what got you started in the virus business?
SSS: Well, I used to write graffiti all over and that got sort of
played out, so I needed something else destructive to do. So
I started getting into computers, then the next thing you know
I'm writing viruses.
HR: What was your first experience with viruses?
SSS: Well the first time I heard of them was when that dickhead got
arrested for putting the worm...
HR: You mean Morris?
SSS: Yeah that asshole, it was on the news and all that - so I got
to thinking, that would be a cool thing to do.
HR: What was the first virus you ran across?
SSS: Ha... Some dick gave me a copy of (pause) I think it was
Norton 4.0 when it first came out. So I took it home and put
it on my hard drive. The next thing you know all this weird
shit starts going on. Like programs won't run and this little
box opens up on the bottom of my screen all of a sudden. So I
get a copy of SCAN, then I find out almost all my files are
infected with Jerusalem.
HR: What did you do?
SSS: Well I re-formatted the drive and examined the copy of Jeru for
months. Then one day I used a Hex editor to change the suMSDOs
string to SKISM-1. Then I went to all the computers I could
find and infected them. The next thing you know my friend
shows me this list with my name on it. It was Patti Hoffman's
document. Shit, I thought I was the man back then.
HR: Then what?
SSS: Then - well I got into assembler and dissasembly and I started
to learn how to modify the code and all that. The next thing
you know I had made my own virus from the scraps of Jeru.
HR: Captain Trips, right?
SSS: Yeah, sort of. Then someone I know sent it to all the boards
in town under a trojan name and fucked a lot of peoples shit
up. Oh well. Then I guess I grew out of the scavenger mode
and started writing my own shit, from scratch.
HR: Like what?
SSS: Well they were all called Skism so and so, like Skism 10, Skism
11 and all that. Then I met people and they started helping
me out and now we got this thing going on.
HR: You mean Smart Kids Into Sick Methods?
SSS: Yeah, you know all thid did did dat.
HR: How do you name your viruses?
SSS: Well depends whats on my mind. Skism was my tag for like four
years, so I thought it would be cool if people saw my name in
the newspaper and all that. I got Captain Trips after reading
The Stand, by Stephen King. 1992 was just what I named it cause
the virus came out to be about 1945 bytes so I just padded it out
to next years date. 808 was named after the TR-808, a 'drum
machine' used in hip-hop.
HR: What are the latest projects?
SSS: You know, you wrote most of the shit.
HR: Tell them. The people.
SSS: Well, we did SKISM 1992, which was funny, then a member of
SKISM, who shall be nameless made 808. Now I'm just taking a
break from viruses and computers for the summer.
HR: You stopped?
SSS: You're crazy, nah - It's got to wait a while, then I'll get back
into it - when school starts again.
HR: What do you think of McAfee?
SSS: He's cool, what the fuck am I supposed to say. He does a good
job at spreading my name around. I really like Pat Hoffman,
thanks for the write ups. You got to understand - these people
make us into infamous villains. I can deal with that.
HR: Do you mind them detecting your viruses?
SSS: Nah, fuck it - If my shit can make it from NY to California
without effort, it shows it works. That's it. There's a lot more
where that came from. One more thing, I hate that gay bitch
Ross Greenberg, author of Flu-Shot. What
a dick. He's just an asshole trying to sell his shit product.
He's got a big mouth and instead of crashing his board, I'd
like to kick his fucken ass. Where's his office? Up on 57th
right? Lets take a walk. Just kiddin' but the guys product
sucks and he's just a greedy asshole. I'm glad I sent a trojan
version of his virus scanner around. Ha you dick!
HR: What virus authors do you look up to?
SSS: Myself - Ha Ha (laughter) Ha Ha. No, I love Whale - that was
clever. I like Dark Avenger, the real one. It's hard to be
original, and these guys were. Hats off you crazy fuckin'
Bulgarian Metal-Head!
HR: What about groups of virus writers?
SSS: I think we're the only one. Oh yeah and those Rabid people you
told me about, yeah they're just like us - people trying to make
their mark in the world, or should I say dent in the world.
Germans are bugging out too - Shit, they write half the shit out
there these days. More power to them
HR: What is your advice to people who want to write viruses?
SSS: Get a late pass! No as I said more power to you. Just remember
you got to have style and learn to be ORIGINAL.
HR: What next from you?
SSS: I don't really know. I'm waiting to hook up a few more people
to the pack, then we'll get the thing rollin HARD. Till then
'A little at a time...'
At the time this article was finished, the Skism team was at work on
a new virus code named Bad Brains.
HR
+++++
40Hex Volume 1 Issue 2 0005
The Dark Avenger
--- ---- -------
Part I. The Dark Avenger
-------------------------
Introduction:
The following text file was sent directly to Professor Vesselin Bontchev in
a public message sent to an anti-viral board located in Sofia, Bulgaria.
Bontchev is one of the leading anti-viral researchers in Europe today. A
producer of a number of effective anti-viral programs in Bulgaria, his
programs are widely used throughout Europe.
The Dark Avenger is Bulgaria's most dangerous viral code writer and a heavy
metal fanatic - as this message concerning himself, written by him (often
referring to himself in third person) reveals:
+++++
DARK AVENGER
============
DARK AVENGER is the pseudonym used by a particularly prolific and
malicious Bulgarian virus writer. It is also the name given in the
West to some of his earlier viruses. His viruses include:
DARK AVENGER V651, V1800, V2000 and V2100
NUMBER OF THE BEAST aka 512 (several versions)
ANTHRAX (Infects both files and boot sectors)
V800 and its derivatives: 1226, PROUD, EVIL & PHOENIX
Some other viruses, e.g. NOMENKLATURA & DIAMOND are in his style but
are believed to be the work of others. MURPHY has been strongly
influenced by him but is known to be of different authorship.
CRAZY EDDIE may also be his.
Several 'hacks' are now appearing of V1800, V2100, MURPHY and DIAMOND.
Eddie is the mascot of the British heavy metal group, Iron Maiden
(hence 'up the irons'). It is a 20 foot high skeleton that appears
on stage with them and is featured on the sleeves of all their
albums.
Anthrax and Damage Inc are other heavy metal groups whose names have
been featured in some Dark Avenger viruses. Iron Maiden numbers have
also been mentioned including 'Somewhere in Time', 'Only the Good Die
Young' and 'Number of the Beast'.
Unusually, this virus writer has also produced a virus removal
program together with a version log of his EDDIE series, as
reproduced below with its original spelling and grammar.
"DOCTOR QUICK! Virus Doctor for the Eddie Virus Version 2.01
10-31-89 Copyright (c) 1988-89 Dark Avenger. All rights reserved.
DOCTOR /? for help
It may be of interest to you to know that Eddie (also known as "Dark
Avenger") is the most widespread virus in Bulgaria for the time
being. However I have information that Eddie is well known in the
USA, West Germany and USSR too.
I started in writing the virus in early September 1988. In those
times there were no any viruses in Bulgaria, so I decided to write
the first Bulgarian virus. There were some different Eddie's versions:
VERSION 1.1, 16-DEC-1988
In December I've decided to enhance the virus. This version could
infect files during their opening. For that reason, a read buffer
was allocated in high end of memory, rather than using DOS function
48h when needed. The disk was destroyed instead of the infected files.
VERSION 1.2, 19-DEC-1988
This added a new feature that causes (for example) compiled programs
to be infected at once if the virus is resident. Also, the "Eddie
lives..." message was added (can you guess why exactly "Eddie"?)
VERSION 1.31, 3-JAN-1989
This became the most common version of Eddie. A code was added to
find the INT 13 rom-vector on many popular XT's and AT's. Also,
other messages were added so its length would be exactly 1800 bytes.
There was a subsequent, 1.32 version (19-JAN-1989), which added
self-checksum and other interesting features that was abandoned
because it was extremely buggy.
In early March 1989 version 1.31 was called into existence and
started to live its own life to all engineers' and other suckers'
terror. And, the last
VERSION 1.4, 17-OCT-1989
This was a bugfix for version 1.31, and added some interesting new
features. Support has been added for DOS 2.x and DOS 4.x. For
further information about this (the most terrible) version, and to
learn how to find out a program author by its code, or why
virus-writers are still not dead, contact Mr. Vesselin Bontchev (All
Rights Reserved).
So, never say die! Eddie lives on and on and on... Up the irons!"
NOTE:
Vesselin Bontchev, who the Dark Avenger is trying to discredit, is a
leading virus researcher at the Bulgarian Academy of Sciences.
+++++
Post Note:
There is a rumor concerning the fact that RABID now has the Dark Avenger on
their staff of virus writers, and that the new Dark Avenger variant released
by them was, in fact, written by him. This has yet to be proven.
The more acceptable belief concerning this new strain is that RABID simply
picked up the source code for Dark Avenger, released last December, and
modified it.
Part II - Dark Avenger - Strain A
---------------------------------
Vesselin Bontchev reports in May 1990:
The Dark Avenger virus.
======================
- I found two new mutations of this virus. Well, maybe
"mutations" is not the correct word. In the first of them, the
first 16 characters of the string "Eddie lives... somewhere in
time!" were replaced with blanks.
In the second example, all strings (the message above, the
copyright message and the "Diana P." string) were replaced with
blanks. - The author of the Dark Avenger virus (The bastard! I
still cannot determine who he is.) has released the source code
of his virus.
It is full of ironic comments about me. Of course, now we have
to expect lots of new, similar viruses to appear. At least, this
led to one good thing - the source helped me very much in
disassembling the V2000 virus. - I received a rather offensive
anonymous letter from this person. In it he claims to be also
the author of both the V2000 (I trust this) and the Number of the
Beast viruses (the latter is unlikely). [See Above]
Information About the Dark Avenger Virus, courtesy of
"Virus Bulletin Ltd," Buckinghamshire, England.
Note:
This information is far more valuable than the standard
Virus Summary by Patricia Hoffman. Her entry concerning DA
fails to go into more depth about the Dark Avenger virus and
apparently she has yet to receive information of the
different versions of DA. Such information is already a year
old, but she has yet to include it.
Entry...............: Dark Avenger
Alias(es)...........: ---
Virus Strain........: Dark Avenger
Virus detected when.: November 1989
where.: USA
Classification......: February 1990
Length of Virus.....: about 1800 Bytes
--------------------- Preconditions -----------------------------------
Operating System(s).: DOS
Version/Release.....:
Computer model(s)...: IBM-compatible
--------------------- Attributes --------------------------------------
Easy Identification.: Two Texts:
"Eddie lives...somewhere in time" at beginning
and
"This Program was written in the City of Sofia
(C) 1988-89 Dark Avenger" near end of file
Type of infection...: Link-virus
COM-files: appends to the program and installs a
short jump
EXE-files: appends to the program at the
beginning of the next paragraph
Infection Trigger...: COM and EXE files are corrupted on any read
attempt even when VIEWING!!!
Storage media affected: Any Drive
Interrupts hooked...: Int 21 DOS-services
Int 27 Terminate and Stay Resident
Damage..............: Overwrites a random sector with bootblock
Damage Trigger......: each 16th infection; counter located in
Bootblock
Particularities.....: -
Similarities........: -
--------------------- Agents ------------------------------------------
Countermeasures.....: NONE! All data can be destroyed !!!!
There is no way in retrieving lost data.
Backups will most probably be destroyed too.
Countermeasures successful: install McAfee's SCANRES.
Standard means......: Good luck! Hopefully the virus did not destroy
too many of your programs and data.
--------------------- Acknowledgement ---------------------------------
Location............: VTC Uni Hamburg
Classification by...: Matthias Jaenichen
Documentation by....: Matthias Jaenichen
Date................: 31.01.1990
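An added example following the VTC entry above; it is not code from the VTC, Virus Bulletin, Bontchev or any scanner. It checks a COM file for the link-virus shape the entry describes, a first instruction replaced by a jump into an appended body of about 1800 bytes, and searches for the two identification strings, also accepting the blanked Eddie message Bontchev reports in Part II (first 16 characters replaced with spaces). The sample files are constructed dummies, a four-byte host and NOP filler carrying only the strings, with no virus code. Body length and string placement follow the entry; the 64-byte slack, the filler and the function names are this example's assumptions.

```python
"""Added example, not code from the VTC / Virus Bulletin entry, Bontchev or
any scanner. Heuristic for the "link-virus" shape the entry describes: a COM
file whose first instruction became a JMP into an appended body of about
1800 bytes, plus the two identification strings, tolerating the blanked Eddie
message Bontchev reports. All sample files below are constructed dummies
(NOP filler carrying only the strings, no virus code)."""

EDDIE = b"Eddie lives... somewhere in time!"   # spelling as Bontchev quotes it
EDDIE_TAIL = EDDIE[16:]                        # what survives the 16 blanks
SOFIA = b"This Program was written in the City of Sofia"
BODY_LEN = 1800                                # "about 1800 Bytes" (entry)
SLACK = 64                                     # assumption: length tolerance

def entry_jump_target(com: bytes):
    """Offset a leading JMP lands on (a COM loads at CS:0100h, so file offset
    arithmetic and jump arithmetic coincide). None if no leading JMP."""
    if len(com) >= 3 and com[0] == 0xE9:                       # jmp rel16
        return 3 + int.from_bytes(com[1:3], "little", signed=True)
    if len(com) >= 2 and com[0] == 0xEB:                       # jmp rel8
        return 2 + int.from_bytes(com[1:2], "little", signed=True)
    return None

def looks_appended(com: bytes) -> bool:
    """True when control goes straight to the last BODY_LEN(+SLACK) bytes."""
    tgt = entry_jump_target(com)
    if tgt is None or tgt <= 0 or tgt >= len(com) or len(com) < BODY_LEN:
        return False
    return len(com) - tgt <= BODY_LEN + SLACK

def find_strings(com: bytes) -> dict:
    """Both strings; the Eddie message also in the blanked form, where any
    of its first 16 characters may have been replaced by spaces."""
    found = {}
    i = com.find(EDDIE)
    if i >= 0:
        found["eddie"] = ("intact", i)
    else:
        j = com.find(EDDIE_TAIL)
        start = j - 16
        if j >= 0 and start >= 0 and all(
                c == 0x20 or c == e for c, e in zip(com[start:j], EDDIE[:16])):
            found["eddie"] = ("blanked", start)
    k = com.find(SOFIA)
    if k >= 0:
        found["sofia"] = ("intact", k)
    return found

def analyze(com: bytes) -> dict:
    appended = looks_appended(com)
    return {"appended": appended,
            "body_start": entry_jump_target(com) if appended else None,
            "strings": find_strings(com)}

CLEAN_HOST = b"\xB4\x4C\xCD\x21"                       # mov ah,4Ch / int 21h: exits
LEGIT_JUMPER = b"\xEB\x02\x90\x90" + b"\xC3" * 2000   # short JMP over two NOPs

def make_dummy_infected(host: bytes = CLEAN_HOST, blank_prefix: int = 0) -> bytes:
    """Constructed sample with the entry's geometry: JMP over the host into a
    filler body with EDDIE at its start and SOFIA near its end. A real
    infector would also stash the host's first three bytes; this dummy does not."""
    body = bytearray(b"\x90" * BODY_LEN)
    msg = b" " * blank_prefix + EDDIE[blank_prefix:]
    body[:len(msg)] = msg
    body[BODY_LEN - 64:BODY_LEN - 64 + len(SOFIA)] = SOFIA
    rel = len(host) - 3                    # from the byte after the JMP to the body
    return b"\xE9" + rel.to_bytes(2, "little", signed=True) + host[3:] + bytes(body)

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN_HOST), ("legit jump", LEGIT_JUMPER),
                         ("infected", make_dummy_infected()),
                         ("infected, blanked", make_dummy_infected(blank_prefix=16))]:
        print(f"{name:18}{analyze(sample)}")
```

Against the dummies, the intact sample reports both strings and an entry jump into the tail; the blanked sample loses the Eddie string but the jump geometry still gives it away, which is why a scanner pairs a structural check with its strings. LEGIT_JUMPER, a file that legitimately begins with a short JMP to nearby code, is not flagged, because its jump does not land in the last 1800 bytes.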
------------------------------
End of Chaos Digest #1.27
************************************