********************************************** The CryPt Newsletter: another in an occasional series! ********************************************** NEWS! NEWS! NEWS! It's been an exciting summer at the Crypt! With the procure- ment of Nowhere Man's Virus Creation Laboratory, virus researchers have much to do. The VCL is a revolutionary tool: an automated interface which puts a comprehensive viral assembly library into the hands of those who can benefit by it most. Unlike the Mutation Engine which has proven itself a thorny, un-user friendly development with small utility (within two weeks of its widespread release, most anti-virus scanners had been adjusted to catch it), the VCL allows the determined virus programmer to create an almost infinite variety of novel and troublesome programs, limited only by his patience, dedication and imagination. Fuckin'-A! The VCL is fun! Preliminary study of the VCL by anti-virus researchers have prompted some to declare on the FidoNet virus echo that VCL code will be easily countered. This is premature and easily defied. F-PROT, one of the most efficient of the current crop of scanners CAN detect some VCL variants in "Secure Scan" and "Heuristic" mode. However, "Secure Scan" findings are easily patched by incorporation of encryption routines in the raw code and "trapping" of the nascent virus body in a small custom-made .COM 'host' shell.* In "heuristic" mode, F-PROT is dangerous - BUT only when the user 'knows' what he is looking for! In my experience, few users will even attempt to use a "heuristic" mode on a regular basis. The reasons are these: 1) 'Heuristic"+ is a big word and, so, it must be hard to use (stupid, I know, but true!); and 2) The false positive rate requires some interpretation (Lazy fucks deserve to be parasitized by viruses - .Ed). The same can be said for THUNDERBYTE's TBSCAN which implements an even more aggressive form of heuristic scanning. Interpretation of shakey files is easy "when" the user knows what he is looking for, more problemmatical when flying blind. In addition, TBSCAN isn't particularly user-friendly which means most potential targets of viral attack won't have it in their arsenal. (Thank the general level of incompetence in American society for this. Virology is as much sociology as assembly, I say.) *[This is a simple stunt which suggested itself after reading Mark Ludwig's "The Little Black Book of Computer Viruses" (American Eagle Publishing, Tucson, AZ)] +['Heuristic' - all you have to know is that 'heuristic' means F-PROT scans for certain 'patterns' of machine instruction: resident services, self-modification, weird jump intructions, discontinuous code sequences, garbage instructions, strange memory entrance, illegal writes or formats to the disk, etc.] IN THE MEAT OF THIS ISSUE: Two VCL-produced virus source-codes: DIARRHEA and DIARRHE6, which demonstrate one of the nicer features of the VCL, ANSI screen development and "dropper" routines. DIARRHEA can be assembled with TASM and linked in the standard manner. Place the assembled file on a floppy with SHELLT.COM [Included in this newsletter]. Ensure that SHELLT is in a different directory for quickest results. Call the virus and it will promptly infect the shell. This allows the encryption engine to turn once and supplies the virus in a form easily introduced into the wild. Now for the interesting part: DIARRHEA is an appending virus which displays a BIG ANSI every Friday. It goes something like this: EAT MY DIARRHEA - GG Allin & The Texas Nazis. It's a real attention grabber and since DIARRHEA really doesn't do anything but that, it's got an even chance of spreading rather nicely before someone gets surprised by the ANSI. At which point they could go berserk. Hahaha. [I know, I have a juvenile sense of humor.] DIARRHE6 is for those more impatient to see immediate results. DIARRHE6 'drops' a TheDraw prepared .COMfile onto all .EXE files in the virus's path of infection. This, in effect, destroys the original program and replaces it with the BIG ANSI which displays the hated EAT MY DIARRHEA message. In truth, DIARRHE6 will be noticed fast since .EXE files are eaten up by the ANSI substitute rather quickly. Don't expect it to spread too far, although there is the chance that an inexperienced user will be drawn into thinking that the destroyed .EXE's are actually infected with a over-writing virus. To make this potential a little more polished, I've included an optional modification for DIARRHE6. I've prepared a fragment of the WHALE virus in 'define byte' form in the included file, VIRUS1.DAT. Use your favorite text editor to replace the ANSI data table at offset DATA01 in DIARRHE6.ASM with VIRUS1.DAT JUST AS THE FILE IS WRITTEN. Then assemble. This will produce a virus which drops a WHALE string onto .EXE's in its path, instead of the motorized ANSI. When the victim goes to use a scanner on his damaged files, he'll find the WHALE or, possibly, a DIR string. Scarey!!! While he's offhunting for this new strain of WHALE, your modified version of DIARRHE6 could still be going strong. [Actually, I'm sure you see the potential here. You could actually drop an entirely different virus onto the file, causing a more serious secondary infection.] Remember that you'll want to let the modified DIARRHE6 infect SHELLT.COM before you release it so that it encrypts itself and the embedded WHALE string. This way, it won't scan for WHALE until the string is 'dropped.' When you assemble this you will notice the text "Eddie lives . . . somewhere in time! Written in the city of Sofia, Bulgaria." in the un-encrypted virus. Yup, it's loosely cribbed from DARK AVENGER even though the 'dropped' table scans predominantly as WHALE. I put it there to confuse things even more. When the victim executes the .EXE this file has been dropped on, the phrase from the DARK AVENGER (or CRAZY EDDIE) will display. Hahahah! More confusion! (You can rip it out if you don't like it; be my guest.) Other scanners may identify the dropped string as DIR (THUNDERBYTE does) or SPARSE, which is fine. You see, I had so much fun with the idea I couldn't resist stuffing all kinds of psychologically troubling nonsense into VIRUS1.DAT. And, you will need TASM or MASM to fully utilize these listings. IN CONCLUSION: Do yourself a big favor and find the VCL. Nowhere Man's creation is quite a pleasure to use, allowing your wildest creative juices to flow. CONFUSION TO YOUR ENEMIES! -URNST KOUCH DARK COFFIN BBS 215-966-3576 VIRUS_MAN BBS 215-PRI-VATE This issue of the CryPt newsletter should contain: DIARRHE4.ASM - the source listing to DIARRHEA virus DIARRHE6.ASM - the source listing to DIARRHE6 virus SHELLT.COM - a helpful shell for initial infection trapping VIRUS1.DAT - a 'define byte' table for a dummy COMfile which contains WHALE & DIR virus signature strings as well as text from CRAZY EDDIE virus. CRPT.LTR - this newsletter If it doesn't, DEMAND UPGRADE!!! heh-heh, a little joke.