CRYPT NEWSLETTER NUMBER 13

****************************************************************

Another festive, info-glutted, tongue-in-cheek training manual provided solely for the entertainment of the virus programmer, security specialist, casual home/business user or PC hobbyist interested in the particulars - technical or otherwise - of cybernetic data replication and/or mutilation. Jargon free, too.

EDITED BY URNST KOUCH, February - March 1993
CRYPT INFOSYSTEMS BBS - 215.868.1823

****************************************************************

TOP QUOTE: ". . . in the end the perfumed and tailored yes men are as dangerous and evil as the bullies they serve." -- Morley Safer

IN THIS ISSUE: News . . . Interview with Kim Clancy of the AIS BBS . . . Aristotle founds the Virginia Institute of Virus Research . . . Mark Ludwig's 1st International Virus Writing Contest . . . SUSAN virus . . . VOOTIE virus: a demo virus optimized for PRODIGY e-mail . . . Lawrence Livermore Labs switches to puppet manufacturing after bottom falls out of thermonuclear weapons design . . . ViruDos: an April Fool's command shell . . . In the reading room with TIME and WIRED magazines . . . FLAGYLL virus . . . much more

News:

JAPS NOT PLAGUED MUCH BY VIRUSES: NUMBER OF REPORTED CASES TRIVIAL SEZ CRYPT NEWSLETTER

Japan's Information Technology Promotion Agency says "computer damage" (?) caused by viruses amounted to 253 cases. Agency bureaucrats attributed the surge in data vandalism, four-fold over 1991, to international exchange of software. That's it, blame the foreigners!
Wooo.

MAN PRANKS EX-WIFE WITH PC TROJAN, EX-WIFE SHOWS SKILLFUL USE OF LOCAL SHERIFF

A Santa Rosa, CA., computer prankster has been stung by a felony tampering charge after admitting he sabotaged his ex-wife's computer files. If convicted, prankster James Welsh could be headed for a three-year trip to the "bighouse." The 32-year-old James Welsh says he sent a disk with a "kamikaze program" to his ex-wife as vengeance for an unpleasant divorce. Welsh's former wife, Kathleen Shelton, had all her files erased when she used the booby-trapped program. The trojan left a taunting limerick as its calling card. Shelton said Welsh set up the system for her and she had [stupidly] continued to rely on him for help and advice.

Welsh's defense will hinge upon the fact that he claims the trojan erased a program that he had pirated. Because it was a pirated "ware," "it [is] not protected under the state's anti-hacking law," he says. No news on how closely software engineers at CERT or the SPA will be watching this case.

TOMORROW CANCELLED! RUSTY & EDIE'S BUSTED FOR PIRACY, UNDERGROUND BBSers SAY THEY HAD IT COMING, SUITS PLAY DUMB

"No hassles. No rules! Just a couple of burn-out hippies from the '60s . . ." were a number of the lines sysops Rusty & Edie used to describe themselves in various ads plugging the wonders of their BBS. Now "First to try on the new felonization of piracy bill" can be added to the list.

The FBI and SPA stormed the gates of the Boardman, Ohio, bulletin board system in early February, seizing equipment and accusing the operators of pirating software. In what has become a standard statement whenever large pirate BBS's are raided, the Software Publishers Association, which worked with the FBI in investigating the case, said agents seized computers, hard disk drives and telecommunications equipment, as well as financial and subscriber records. ". . .
following the receipt of complaints from a number of SPA members that their software was being illegally distributed on the Rusty & Edie's BBS," the trade group said that it began an investigation months earlier which included the download of retail programs from the BBS.

The system, established in 1987 and described as the third largest BBS in the country in a glowing review which landed in the pages of Computer Shopper only days before the bust, maintained 124 nodes and more than 14,000 subscribers. For $89 a year, "subscribers . . . were given access to the board's contents, including many popular copyrighted business and entertainment packages," droned the SPA statement.

Alert Crypt Newsletter readers familiar with the issue of software piracy had a variety of responses to the news. "Copy that floppy!" cried a subscriber in the northeast. "I'm surprised it took so long," sneered another. "I was going to join the week before the bust, but they were too expensive," added a reader from the Midwest.

Jim O'Brien, the editor in charge of the section in Computer Shopper which ran the review of Rusty & Edie's, claimed neither he nor free-lance writer Dennis Fowler had any inkling the BBS was allegedly involved in piracy.

The FBI has not charged Russell and Edwinia Hardenburgh in the case. The FBI has also been equivocal on whether it will extend its dragnet to include patrons of the system. And as of the last week in February the ACLU had thrown its hat into the ring on the side of the BBS, challenging the constitutionality of the raid on the grounds that the piracy charge should have been pursued in civil court. ACLU Ohio legal director Kevin O'Neill conceded to the United Press International that the FBI's copyright infringement, uh, piracy, charges might have merit.

HAND PUPPETS TO TEACH COURSE IN COMPUTER ETHICS (BUT WILL THEY BE ELIGIBLE TO JOIN THE UNION)?
Still reeling from the double rabbit-punch of the end of the Cold War and a Democrat in The White House, which has seen their 40-year pursuit of better ways to make thermonuclear explosives and X-ray pumped space weapons at the expense of the taxpayer thrown into disrepute, Lawrence Livermore Laboratory scientists are turning to puppetry as one way of justifying their continued funding. Livermore Computation Organization employees Lonnie Moore and Gale Warshawsky have developed a pilot puppet program to teach very young school children about computer ethics and security. The stars of the show cover two of the major computer stereotypes: Gooseberry, a stupidly trained computer operator, and Dirty Dan, a "hapless, heinous hacker," software pirate and virus spreader. In one skit, according to the Associated Press, Dirty Dan brings home a computer game obtained from a friend and ends up "feeding" Chip - the computer - a virus which "makes him dizzy."

" . . . nobody out there is teaching ethics and security," said Moore on the reason for his program. The Crypt Newsletter adds, "Who's the leader of the gang that's made for YOU and ME? M - I - C, Kay - E - Why, M - O - U - S - E!!!"

----------------------------------------------------------
PROFILE: KIM CLANCY & THE AIS BBS - VIRUS CODE FOR ALL
----------------------------------------------------------

Here at the Crypt Newsletter, every time the editorial staff reads another piece of e-mail from the local FeebNets saying, "If you have virii on your board, soon 'The Feds [in blinking red]' will be giving you a call, so be carrefill [sic]." or "Here in England, bobbies from Scotland Yard just confiscated Tinker Dill's Virus Happy Place in Squatney. It's a bloody shame." we have a good laugh. And that's because the two cover a whole wealth of ignorance concerning possession of virus code.
The first is the handiwork of the 15-year-old user thoroughly convinced that a US Robotics modem and 1 terabyte of anarchy texts makes him an expert on every legal and social aspect of cyberspace. The second generally comes from users who take the popular press too seriously and have no qualms with authorities capable of routinely violating the rights of the helpless, unwitting or unpopular.

It would be a rude shock to these people to know that the U.S. government runs a BBS which archives A LOT of well-commented virus source code that any taxpayer can access and leech until their diskettes are full. Run by Bureau of the Public Debt employee Kim Clancy, the BBS is called AIS and is the clearinghouse for a stockpile of information covering a variety of underground and aboveground computer security issues.

"Our computers track the deficit. That's job security," laughed Clancy in a recent interview. "The only thing we don't have is live viruses, but the source code's there - that's certainly not far from it," she said. "We've got the Virus Creation Laboratory, too."

AIS was started about two years ago and has grown steadily since. Membership currently exceeds 600. It reached critical mass, Clancy said, when Computer Underground Digest interviewed her and profiled the system as a convenient place for the hacker underground and security-types to mingle. Much of AIS's material Clancy acquired on repeated jaunts to "underground" (man, do we hate that term) BBS's like Hell Pit and the now defunct Nun-Beaters Anonymous, both in the Chicago area.

Needless to say, Clancy has maintained contact with a number of virus programmers, some of whom she says are her best technical advisors. On one occasion, virus authors from NuKe and Phalcon/SKISM set up an early morning conference call with her, one which was monitored, she said, by the Secret Service.
Later, said Clancy, an agent called her and warned her she shouldn't have made sport of a security "expert" in the military who was a user on AIS, something the agent could only have known as an eavesdropper. Clancy shrugs this off as venal harassment and repeats the story when lecturing around the country.

About the stock of virus code? "I've had very few complaints, very little comment to me, directly," finished Clancy.

The AIS sysop's philosophy seems to be one that encompasses the idea that if you want to know about something, you need to get your hands on it without interference. Sounds dangerous!

Give AIS and Kim Clancy a ring at 304.420.6083.

----------------------------------------------------------------
ARISTOTLE: "IT'S A GIANT PISSING CONTEST!" HE SEZ OF Vx/A-V
----------------------------------------------------------------

"It's a giant pissing contest and the only guy getting hurt is John Q. Public!" quoth Aristotle in a recent interview concerning his decision to drop out as the dean of virus exchange BBS'ing. "As far as the anti-virus people go, 60% of the files on virus exchanges are 'goat files.' ["Goats" are the small host programs, usually bearing the identifier of an anti-virus developer, which researchers infect with a virus they wish to examine.] Now, you want to crash virus exchanges, make my collection illegal. Well, you tell me how I got all these 'goats!'

"Everybody's talking shit," Aristotle continued, explaining that security people and anti-virus developers have agents on every virus exchange. The sysops think their systems are hard to penetrate, Aristotle claims, but the reality is just the opposite. The anti-virus developers get the newest viruses direct from the source, use them to fuel their advertising campaigns and trade viruses from their collections in return for continued access. All the while, Aristotle says, there's little chance any of the new viruses will actually end up in the wild.
"There's complete distrust, everyone in the [groups] is scared to death of each other." Aristotle went on to explain a recent tiff with members of Phalcon/SKISM stemming from Kim Clancy's late night conference [see above] which had been monitored by the Secret Service. Aristotle was party to the alliance call, too, and was painted as the "man on the inside," a Secret Service informer. Untrue, Aristotle says, completely untrue.

Aristotle is best known for his drive to sell viruses and source code in bulk, the entirety of "The Black Axis BBS" collection. There have been 40 takers, so far, Aristotle says. And they're not kids. "You think a kid has the money?" he asked. "Who do you think does? Haha." The virus sales paid for a course in computer information system management at William & Mary University, he said. "My research was on viruses and the underground. I got an A."

Aristotle also maintained the VxNet, linking a number of virus exchanges and quasi-virus exchanges globally. The Crypt Newsletter asked him what would become of it. "You want it?" he said with a laugh.

While The Black Axis is gone, Aristotle has replaced it with the Virginia Institute of Virus Research in Newport News. No more handles, either, said John Buchanan. "My object was to bring all this out into the open. I got the virus programmers to start arguing with the security people on the FidoNet," Buchanan concluded. "I did that."

IN THE READING ROOM: TIME AND PUZZLEMENT - SUPERMARKET NEWS MAG MUGS "CYBERPUNK"; ALL HACKERS LOOK LIKE R. U. SIRIUS, DANCE TO HOUSE MUZIK, GOBBLE ECSTASY, QUOTE TIMOTHY LEARY, IT'S KEWL, MAN

Buzzwords, like "cyberpunk," I've decided, are cruel pranks sickeningly ambitious writers at glossy magazines use to make themselves instant authorities.
Media magnification always makes these terms legitimate, whether they are or not, so you know that while the TIME article on "cyberpunk" two weeks ago was pure baffle-crap (see, I can make my own buzzword, too), inside 4 months it will have spawned 6 like-minded articles in other supermarket magazines, taking on a complete life of its own. So, I'm gonna rehash some of this nonsense now, in hope that you laugh, because if you don't, when you see it again as truth in the coming weeks, you just might have to cry.

Didja know, that the computer virus is "the cybernetic analogue of AIDS," a disease which has affected millions worldwide and caused horrifying death and human suffering? According to Phil Elmer-Dewitt of TIME, it's so!

Didja know, according to certified geezer Timothy Leary, "the PC is the LSD of the '90s"? Like you, I thought this was a fatuous, self-serving statement. But then I thought about it some more and began to feel warm inside. Since I missed LSD when it came around the first time, it felt good to know that I now had an unending supply of it sitting on my desk, just in case I felt the need to be "groovy."

Didja know, that now "cyberpunks" don't look like young men with coke-bottle thick glasses and plastic pocket-protectors? No, they look like young, less warty, versions of Tiny Tim (which is what R. U. Sirius looks like in the photo in TIME magazine). It's true!

Didja know, cyberpunks listen to "house" music, that "post-industrial," droning, art-phag stuff that bands with names like Surgical Penis Klinik and Throbbing Gristle couldn't sell in the '80s because it was "too" alternative, but now it's big business because computer dudes and dudettes don't like those dead, fat guys in Lynyrd Skynyrd. Yup, it's true! And boy am I bummed! What am I going to do with my Angry Samoans and Mentors records?

Didja know, "without visual cues, people communicating on-line tend to flame: to state their views more heatedly than they would face to face?"
Visual cues-visual shmues - here I thought they did it because there was little chance they would get popped on the jaw for being a jerk.

Didja know, the movie "Terminator 2" was a cult film?

Didja know, that TIME magazine used the same virtual illustration of "virtual reality d00d sucking the face off a virtual reality d00dette" as the movie "The Lawnmower Man," and the magazines OMNI, COMPUTE, PC Computing, Byte, MacWorld, Discover, Newsweek, Rolling Stone, SPIN, Science News, Playboy, Penthouse, Gent, USA Today, Details, MONDO 2000, Dog Fancy, Cat Fancy, Harpers, The Atlantic, etc., etc., etc.?

Didja know, that the Electronic Frontier Foundation is a group that defends "exploratory hacking"? Well, they didn't know and they seemed pissed in Computer Underground Digest when they found out.

Didja know, that TIME magazine is now sold with samples of cheap men's cologne, along with ads for "Elvis not dead" books and chemicals which will chase away your male pattern baldness? It's true!

-----------------------------------------------------------------

WELCOME TO THE FIRST INTERNATIONAL COMPUTER VIRUS WRITING CONTEST - 1993 -

Final Date For Submissions: APRIL 1, 1993

This Contest is Sponsored by:
American Eagle Publications, Inc.
P. O. Box 41401
Tucson, AZ 85717 USA
Publisher of The Little Black Book of Computer Viruses

! DISTRIBUTE THIS FILE ALL OVER THE KNOWN UNIVERSE !

Ok, all you genius hackers out there! Here is a challenge for you. Prove your stuff! This is an INTERNATIONAL contest, and this file is being circulated all over the world, so if you want to compete, be forewarned, you've got worldwide competition.
Only the best have a chance in this game. Still up to the challenge? Ok, here it is:

I am writing Volume 2 of The Little Black Book of Computer Viruses. This is a study of the scientific applications of computer viruses, and their use in artificial life research, and all of that neat stuff. One of the things I want to discuss in the book is the limit on the size of a virus for a given level of functionality. So I took the TIMID virus from Volume 1 and tore it down to the bare minimum. Not good enough. I wrote a virus that worked a little differently. I tore that one down to the bare minimum. Good enough? Well maybe. But maybe not. I have some pretty compact code, but is it the absolute best? I'm guessing somebody out there can top it.

Here are the rules:

(1) The object of this game is to write the smallest virus you can with the required level of functionality.

(2) The virus must be capable of infecting all COM files on the logged drive in the current directory of a PC, no matter how many COM files are there. It may infect them as quickly or as slowly as you like, so long as it can be demonstrated that it will do so in an hour, when running the programs in that directory one after the other in sequential order.

(3) The virus must recognize itself and avoid re-infecting files that have been infected. At most, only one in fifty thousand files should get accidentally re-infected, assuming that the data in unknown COM files is random.

(4) The virus must terminate gracefully if it cannot find a file to infect.

(5) The virus must not destroy any of the code in any file which it infects. It must allow that code to execute properly, or refuse to infect a file.

(6) The virus must be self-contained. It cannot hide code in some common location on disk.

(7) The virus must function properly under MS-DOS 5.0 with no TSR's resident, and nothing loaded high.
(8) The size will be determined by the larger of (A) the number of bytes the virus code itself takes up in an infected file, and (B) the largest number of bytes the virus adds to a program when it infects it.

The best code I have for a virus that follows these rules right now is 139 bytes long. Both source and executable are included in the ZIP, named LITTLE.ASM and LITTLE.COM. In the event of a tie for size, originality and ingenuity of the code will break the tie. All judges decisions are final.

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

The winner will receive the following:

(1) A $100 CASH REWARD.

(2) Your code will be published in The Little Black Book of Computer Viruses, Volume 2.

(3) I will give you credit for the code and for winning the International Virus Contest in the book, using either your real name or an alias, your choice, published in the book.

(4) Your name will be posted on the MISS bulletin board as the contest winner.

(5) A free copy of The Little Black Book of Computer Viruses, Volume 2, and a one year subscription to Computer Virus Developments Quarterly ($95 value).

Three honorable mention winners will receive a free copy of The Little Black Book of Computer Viruses, Volume 2.

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

You may make an entry in two ways:

(1) Mail your entry on a PC format floppy disk to American Eagle Publications, Inc., PO Box 41401, Tucson, AZ 85717 USA.

(2) Upload your entry to the M.I.S.S. bulletin board at (805)251-0564 in the USA. Log on as GUEST, password VIRUS, last 4 digits of phone number 0000, and upload to the CONTEST UPLOADS directory.

A valid entry consists of the following items:

(A) Complete source code for a virus, which can be assembled using either TASM, MASM, or A86. If you use another assembler and don't know if one of the above will work, then send the assembler along with the submission.
If you do anything tricky that we may not understand, you must explain it in comments in the assembler source.

(B) A statement of who you are (aliases accepted) and how to get in touch with you in case you win the contest. This information will be kept strictly confidential, and encrypted at all times.

By submitting an entry to the contest, you agree that the copyright to your entry will be considered the property of American Eagle Publications. The copyright to any losing entry will be returned to the owner upon written request. In the event that you win or receive honorable mention in the contest, the copyright to the code will remain the property of American Eagle Publications, Inc.

You may submit your entry encrypted with PGP 2.1 if you desire. Use the following public key to encrypt:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.1

mQBNAitZ9w4AAAECAOXJYOsJNavAAWFBRwf4/u0QWMJ9IHj8eajgOfDRdlCNwEBJ
wMs1vb5GcdJCaeoCgBR3Xxzh6oEo2nrwfru8mqMABRG0CE1BTHVkd2ln
=P6d4
-----END PGP PUBLIC KEY BLOCK-----

Go to it!

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

D O N ' T   M I S S   O U T ! ! !

Get Your Very Own International Virus Writing Contest 1993 T-SHIRT

Great fun to wear to your local user's group meeting, or the next computer security conference you attend. Sure to get people's attention and initiate lots of interesting conversation. Specify Small, Medium, or Large. Only $9.95 from American Eagle Publications, Inc. P.O. Box 41401 Tucson, AZ 85717

(US Customers please add $3.00 for UPS delivery)
(Overseas customers please add $7.50 for airmail delivery)
(Overseas customers please add $3.00 for surface delivery)
(AZ residents add 5% sales tax)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

American Eagle Publications, Inc., gives you first class information to learn the ins and outs of viruses. You may order any of the following items from American Eagle Publications, PO Box 41401, Tucson, AZ 85717.
(Shipping is $2.00 to the US, $7.50 for overseas airmail.) AZ residents add 5% sales tax.

The Little Black Book of Computer Viruses, Volume 1, by Mark Ludwig. This award-winning book will teach you the basics of how viruses work in no-nonsense terms. 192 pp., $14.95.

The Little Black Book of Computer Viruses Program Disk. All of the programs in the book, both source code and executables, $15.00.

Computer Virus Developments Quarterly. This takes up where the Little Black Book leaves off, providing the reader with quarterly updates on viruses and anti-virus technology. For the advanced security specialist or programmer. One year subscription with diskettes, $75.00 postpaid, overseas airmail add $10.00.

Computer Virus Developments Quarterly, current single issue, $25.00. (Please inquire as to price and availability of back issues.)

Technical Note #1: The Pakistani Brain Virus, a complete disassembly and explanation. This is one of the first boot sector viruses ever written, and the first stealth boot sector virus. It hides on floppy disks and inserts the label (c) Brain on the disk. 32 page booklet and diskette with assembler source and compiled virus, $20.00.

Technical Note #2: The Stoned Virus, a complete disassembly and explanation. The Stoned is the world's most successful boot sector virus. It infects floppy disks and hard disks. Find out what makes it tick. 24 page booklet and diskette with assembler source, compiled virus, and detection tool, $20.00.

Technical Note #3: The Jerusalem Virus, a complete disassembly and explanation. Jerusalem is an old but highly effective virus which hides in memory, and infects every program you try to execute. It starts deleting programs on Friday the 13th. Booklet and diskette with assembler source and compiled virus, $20.00.

Technical Note #4: How to Write Protect an MFM Hard Disk. The only hard-and-fast way to stop viruses from spreading is to physically write-protect your disk.
This tech note tells you how to do it for the older MFM style drives. Some companies sell such devices for hundreds of dollars, but this booklet will tell you how to do the job for under $20. Complete with theory, circuit diagrams, and a circuit board layout. No diskette, $12.00.

How to Become a Virus Expert, a 60 minute audio tape by author Mark Ludwig tells you how to get hold of the critical information you need to protect your computers, and stop relying on some anti-virus product developer to spoon-feed you. $10.00.

Wanted: Translators for these works in all languages and outlets for these works in all countries. An opportunity for big $$ awaits the enterprising person. Please contact us.

================================================================

No Virus Contest is complete without POLITICAL COMMENT:

Freedom is only free if it is VOLUNTARY. If you live in a "democratic" nation that will not allow secession, then you DO NOT live in a free country. The democracies of this world are learning how to become tyrannies. Support a Secession Amendment for your constitution, before it is too late and you wish you had. Secession is the only logical way to short-circuit the trend toward big government and tyranny, short of all-out civil war. -- Mark Ludwig

================================================

CRYPT NEWSLETTER GIVES YOU A FIGHTING CHANCE IF YOU HOSE YOURSELF WITH A "TYPICAL" MEMORY RESIDENT VIRUS

Ever wish the "suit" computer magazines supplied something more useful than utilities to "beep the speaker" or "turn OFF that pesky numLock light?" Well, Hell has a better chance of freezing over before that happens. But we're not like that here at the Newsletter! NosirreeBob! We've got a batch file, yes a "batch file" for you - absolutely free, which in most cases will allow you to remove any generic resident virus from the command processor and start the machine from a clean memory slate. Add it to the VERY BEGINNING of your AUTOEXEC.BAT.
Then, create a directory called SAVE and:

    copy COMMAND.COM C:\SAVE\WHATMEWO.RRY
    copy C:\DOS\FC.EXE C:\SAVE\HELL.NO
    copy C:\DOS\FIND.EXE C:\SAVE\HELL.YES

Then add the 17-byte utility, REBOOT.COM (included in this issue), to your SAVE directory and rename a copy of it as GREET.OOT in the same directory.

    @ECHO OFF
    ECHO -=SANDOZ-KOUCH=- ANTI-VIRUS BATCH FILE! WOO-WOO!!
    PAUSE
    SET HOME=C:\COMMAND.COM
    SET SAFE=C:\SAVE\WHATMEWO.RRY
    SET LOC1=C:\CARBUNKL
    SET LOC2=C:\FESTER
    IF EXIST %LOC2% DEL %LOC2%
    REM FC output piped through FIND: LOC1 is 0 bytes if the files differ
    FC %HOME% %SAFE% | FIND "FC: no differences encountered" > %LOC1%
    REM DOS COPY refuses a 0-byte file, so LOC2 only appears when they match
    COPY %LOC1% %LOC2%
    DEL %LOC1%
    COPY %LOC2% %LOC1%
    IF EXIST %LOC2% DEL %LOC2%
    IF EXIST %LOC1% GOTO END
    GOTO VIRUS
    :VIRUS
    ECHO COMMAND.COM could be fouled by a virus!
    ECHO Hit CTRL-C TO STOP MACHINE NOW . . . or
    ECHO to refresh the file and purge memory, just
    PAUSE
    GOTO REFRESH
    :REFRESH
    REM restore the command processor and the tools the check relies on, then reboot
    CD \SAVE
    COPY WHATMEWO.RRY C:\COMMAND.COM
    COPY HELL.NO C:\DOS\FC.EXE
    COPY HELL.YES C:\DOS\FIND.EXE
    REBOOT
    :END
    IF EXIST %LOC1% DEL %LOC1%
    SET HOME=
    SET SAFE=
    SET LOC1=
    SET LOC2=
    CD \SAVE
    COPY GREET.OOT REBOOT.COM
    -----the rest of whatever you're doing----

What this batch job does is set up a back-up archive of your command processor in the SAVE directory, along with the executables called by the program. If FC detects any differences between the back-up and your command processor, the pipe through FIND creates a 0 byte file which can't be copied. The batch file traps the "nocopy" result, assumes COMMAND.COM is fouled, restores it and promptly reboots the machine. Typical memory resident viruses can easily infect the files used during the batch, which is why we restore them just before rebooting, too. Essentially, the Victor Charlie anti-virus program uses much of this methodology, only it costs you $50.

This batch file will uncover marginal or "semi-stealth" viruses which infect COMMAND.COM.
Most of these spoof the file size change as reported by the DIR command through Interrupt 21 (that is, they simply subtract their size from the amount reported before DIR presents it to the user). FC will detect them since it is not dependent upon these functions. For example, the HITLER virus (from Newsletter 11), the PC BYTE BANDIT and ARCV's SCROLL, all marginal stealth, are detected and removed from COMMAND.COM by the batch file.

A few points to keep in mind: viruses which parasitize COMMAND.COM can cause it to fail or its functions to become slightly deranged. The LITTLE virus, included in this issue, messes up COMMAND.COM just enough to prevent the SET commands from working, although the machine will boot properly. This causes the batch file to fail - a quite noticeable occurrence. In the real world, you should be suspicious when this happens. Also, some resident infectors are ill-mannered. The MULE variant of Jerusalem will cause boot failure if it gets into COMMAND.COM - another quite noticeable gaffe.

The Scroll and PC Byte Bandit - as well as a number of other memory resident viruses - attempt to infect batch files as they are executed. Both attach themselves to the Newsletter batch file. In this case, the batch file will remove them from COMMAND.COM and reboot the machine anyway, although you will get a number of "bad command" messages as DOS tries to read the binary gibberish which is the virus attached to the end of the file. If this happens to you, restore the file.

What this file won't do: It won't protect you from an overwriting virus, like VOOTIE (in this issue). VOOTIE is a dumb virus and it will immediately cause boot failure if it gets into the root directory. You will notice this problem. It will also not protect your command processor from full stealth viruses and it will NOT protect your machine from multi-partite or partition sector infecting viruses. It can also be defeated by viruses which infect the target executable on copy.
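The core of the batch file's method (compare the command processor byte-for-byte with a saved known-good copy, restore it on a mismatch, restore the check's own tools too, and flag that a reboot is needed), as an added Python example that is not from the newsletter. The SAVE file names are the batch file's; the sample bytes and temporary directory are constructed for the demonstration, and like the batch file it reads file contents rather than trusting directory-listed sizes, so it does not cover full-stealth viruses or ones that infect the restored copy on write.

```python
"""Integrity check in the spirit of the -=Sandoz-Kouch=- batch file (added example)."""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash the bytes actually stored on disk, not the size a DIR listing reports.

    A semi-stealth virus that subtracts its own length from the reported size
    still changes the content, so the digest no longer matches the saved copy.
    """
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_file(live: Path, saved: Path, restore: bool) -> str:
    """Compare one live file with its saved copy.

    Returns 'clean', 'modified', 'restored', 'missing-live' or 'missing-saved'.
    A missing saved copy is reported rather than skipped: with no baseline the
    check has nothing to compare against and must not claim the file is clean.
    """
    if not saved.is_file():
        return "missing-saved"
    if not live.is_file():
        return "missing-live"
    if sha256_of(live) == sha256_of(saved):
        return "clean"
    if restore:
        shutil.copyfile(saved, live)  # overwrite the tampered file with the saved copy
        return "restored"
    return "modified"


def check_set(pairs: dict[Path, Path], restore: bool = True) -> dict[str, str]:
    """Check every (live, saved) pair; result keys are the live file names.

    The batch file's entries would be COMMAND.COM -> WHATMEWO.RRY,
    FC.EXE -> HELL.NO and FIND.EXE -> HELL.YES.
    """
    return {live.name: check_file(live, saved, restore) for live, saved in pairs.items()}


def needs_reboot(results: dict[str, str]) -> bool:
    """Mirror the batch file: a restored or modified file means the virus may still be resident."""
    return any(state in ("restored", "modified") for state in results.values())


def demo() -> tuple[dict[str, str], dict[str, str]]:
    """Constructed scenario: one clean file, one with bytes appended, checked twice."""
    root = Path(tempfile.mkdtemp(prefix="cryptnl-"))
    save = root / "SAVE"
    save.mkdir()
    good_cmd = b"constructed stand-in for a clean COMMAND.COM"
    good_fc = b"constructed stand-in for a clean FC.EXE"
    (save / "WHATMEWO.RRY").write_bytes(good_cmd)
    (save / "HELL.NO").write_bytes(good_fc)
    (root / "COMMAND.COM").write_bytes(good_cmd)
    # Appended bytes stand in for a parasitic infection of the live FC.EXE.
    (root / "FC.EXE").write_bytes(good_fc + b" + constructed junk standing in for a parasite")
    pairs = {root / "COMMAND.COM": save / "WHATMEWO.RRY", root / "FC.EXE": save / "HELL.NO"}
    first = check_set(pairs)   # detects FC.EXE and restores it from HELL.NO
    second = check_set(pairs)  # everything now matches the saved copies
    shutil.rmtree(root)
    return first, second


if __name__ == "__main__":
    before, after = demo()
    print("first pass:", before, "reboot needed:", needs_reboot(before))
    print("second pass:", after, "reboot needed:", needs_reboot(after))
```

As with the batch file, the restore is only worth anything if the machine is then restarted from a clean memory state, so a true result from needs_reboot should be acted on, not just logged.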
In our estimation, infection-on-copy isn't common enough for you to worry about. None of this will protect you from a virus infection that has crawled all over your hard disk before it gets into the command processor. (Also keep in mind, that some viruses will SHUN your command processor.)

If this file reports a virus and reboots your machine, it's a smart move to stop the load of your AUTOEXEC.BAT with a judicious "Control-C" as soon as the "-=Sandoz-Kouch=-" banner reappears and the program pauses. At this point, you stand a good chance of being able to examine your machine more closely without a virus in memory to worry you. At the very least, you get a good warning.

Like features of the hated Victor Charlie 5.0 anti-virus program, you can expand the batch file to restore any of the programs called in your old AUTOEXEC.BAT. In fact, this isn't a bad feature to add to the REFRESH segment of the code. Do it yourself if you like.

---------------------------------------------------------------
VOOTIE VIRUS: SMALL ENOUGH FOR PRODIGY E-MAIL; OW VIRUS, EVEN BETTER
---------------------------------------------------------------

Recently, PRODIGY, the interactive information service for numerous mixed-up Democrat, Bush-voting yuppies, liberalized its policies as to what users can and can't discuss on its public message base forums. Formerly, the service exercised rigid editorial control over these, enlisting wannabe busybodies with the aid of a "fink" switch, which anyone could use to flame and squeal anonymously on the electronic scribblings of others. Although the "fink" switch is still in operation, users are no longer routinely spiked for posting "help me's" on how to attain live viruses or source code.

For Newsletter readers who are also PRODIGY members, the VOOTIE virus is small enough to fit into the 6-panel PRODIGY e-mail format as source code or a DEBUG script. So when someone asks for a virus on PRODIGY, you can swiftly send VOOTIE as a simple example.
The rationale is similar to the one which sent the TINY virus to interested parties on the FidoNet a couple of years ago.

VOOTIE is merely an overwriting virus; a younger, smaller brother to POPOOLAR SCIENCE included in issue 12. It is, in essence, merely a small fragment of runaway code. Such programs are called "virons," whatever that is, in the VSUM database. If you MUST have a term, use "viroid." "Viroid" is a real world scientific label used to characterize very small, extremely simple natural viruses. "Viron" is anti-virus jargon; "viroid" is more scientific, more accurate. And hep, too. Use it and leave your listeners flabbergasted on the next user group lecture stop.

VOOTIE overwrites everything in the current directory by printing itself on top of its targets. Infected .COM files can spread VOOTIE, as can .EXE's, if under 65k in size. Data is mutilated. VOOTIE will make a disk unbootable if it enters the root directory. VOOTIE-infected files are ruined as usable programs; you must delete them. Infected files can be identified by the time/date stamp, which is updated to mark the time of infection. A file viewer can spot the name VOOTIE, in weird ASCII, near the end of the virus in infected or mutilated files. In addition, the OW virus by the TridenT group, a smaller 42-byte overwriting program, is included in this issue for comparative purposes.

---------------------------------------------------------------
SUSAN AND FLAGYLL VIRUSES: RESIDENT, OVERWRITING PROGRAMS

The SUSAN virus, an interesting program created by Night Breeze, is included in this issue as a source listing. The programmer has tied the virus's infection cycle into the DIR function so that it infects only the first .EXE file in the current directory. Since SUSAN is an overwriting virus, it naturally destroys its host files. This would be devastating if the virus infected a fresh .EXE in the current directory every time the user typed DIR.
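The two clues the VOOTIE section gives for spotting ruined files - a time/date stamp that moved, and the virus's name sitting in the file - are exactly what a small scanner can check for you, and the same string search is what the SUSAN and FLAGYLL section recommends for those two. Here is one as an added example (not code from the Newsletter or from any of the programs in this issue): it snapshots the stamps of the executables in a directory, reports any that changed afterwards, and searches each executable for marker strings. "VOOTIE" is the one marker the text names; the other entries in MARKERS and every sample file are constructed placeholders, to be replaced with the strings noted in each virus's source listing.

```python
"""Indicator scan for overwriting viruses: changed time/date stamps plus
embedded marker strings.

Added example, not from the Newsletter.  Marker strings other than "VOOTIE"
and all files written by demo_scan() are constructed for the demonstration."""
import os
import tempfile
from pathlib import Path

# "VOOTIE" is the name the text says a file viewer shows in infected files.
# The other two are placeholders for the strings in the SUSAN/FLAGYLL sources.
MARKERS = [b"VOOTIE", b"PLACEHOLDER-SUSAN-STRING", b"PLACEHOLDER-FLAGYLL-STRING"]
EXECUTABLE_SUFFIXES = {".com", ".exe"}


def executables(directory: Path):
    """Yield the .COM and .EXE files in a directory (no recursion)."""
    for p in directory.iterdir():
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            yield p


def find_markers(path: Path, markers=MARKERS) -> list:
    """Return (marker, offset) pairs for every marker found in the file.

    Overwriters are tiny and copy themselves over the start of the host, so
    the string turns up within the first few hundred bytes, but the whole
    file is searched so the check also works on files that were merely
    mutilated rather than infected."""
    data = path.read_bytes()
    hits = []
    for marker in markers:
        offset = data.find(marker)
        if offset != -1:
            hits.append((marker.decode("ascii"), offset))
    return hits


def snapshot_stamps(directory: Path) -> dict:
    """Baseline: size and modification time of every executable."""
    return {p.name: (p.stat().st_size, p.stat().st_mtime_ns)
            for p in executables(directory)}


def changed_since(directory: Path, baseline: dict) -> list:
    """Executables whose size or stamp no longer matches the baseline, plus any
    executable that was not present when the baseline was taken."""
    current = snapshot_stamps(directory)
    return sorted(name for name, stamp in current.items()
                  if baseline.get(name) != stamp)


def scan(directory: Path, baseline: dict) -> dict:
    """Combine both checks into one report: file name -> list of reasons."""
    report = {}
    for name in changed_since(directory, baseline):
        report.setdefault(name, []).append("stamp changed")
    for p in executables(directory):
        for marker, offset in find_markers(p):
            report.setdefault(p.name, []).append(f"marker {marker} at offset {offset}")
    return report


def demo_scan() -> dict:
    """Build a constructed directory, damage one file the way an overwriter
    would leave it, and return the scan report."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "CLEAN.COM").write_bytes(b"\xb4\x4c\xcd\x21" + b"clean program body " * 8)
        host = d / "HOST.EXE"
        host.write_bytes(b"MZ" + b"constructed host program" * 8)
        old = 1_000_000_000  # constructed "yesterday" stamp, in seconds
        for p in executables(d):
            os.utime(p, ns=(old * 10**9, old * 10**9))
        baseline = snapshot_stamps(d)

        # Constructed damage: the host's leading bytes are replaced by a blob
        # with the marker near its end and the stamp is updated, which is what
        # the text says an overwriter leaves behind (size may not change).
        blob = b"\x90" * 100 + b"VOOTIE" + b"\x90" * 8
        original = host.read_bytes()
        host.write_bytes(blob + original[len(blob):])
        os.utime(host, ns=((old + 60) * 10**9, (old + 60) * 10**9))
        return scan(d, baseline)


if __name__ == "__main__":
    print(demo_scan())  # {'HOST.EXE': ['stamp changed', 'marker VOOTIE at offset 100']}
```

If a viewer shows the name broken up with other bytes ("weird ASCII"), add the exact byte sequence from the source listing to MARKERS rather than the plain name; the search is a literal byte match.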
However, by limiting SUSAN to one file per directory, Night Breeze has kept it from being too disruptive. In addition, it spoofs the user with a "Bad command or file name" error message when an infected file is loaded. SUSAN also keeps a count of infections and begins deleting files when conditions outlined in the source code are met.

You can compare SUSAN to the FLAGYLL virus, another memory resident infector which overwrites .EXE files on load. If you try FLAGYLL out, you'll see it's immediately noticeable, ruining every .EXE that attempts to run. SUSAN would be similar if it was not restricted to one file per directory. FLAGYLL-Z governs its destructive infections by relying on a value returned from the system clock to determine when it will infect. This trigger is noted in FLAGYLL-Z's source code and can be easily tweaked to see how the virus's behaviour is altered.

Executables infected by either the SUSAN or FLAGYLL viruses are permanently ruined. To remove the viruses from the system, reboot the machine and delete the infected files. All of the viruses can be found by searching for the embedded text strings noted in their respective source codes.

VIRUDOS: A PRACTICAL JOKE COMMAND SHELL

Also included in this issue is ViruDos. ViruDos is a simple command shell which can be inserted into the AUTOEXEC.BAT. It is harmless, but the colorful "Bartles & Jaymes" virus which afflicts the user is a laff riot at computer shows and parties. To tell more would spoil the fun. Read the accompanying documentation and fire it up. ViruDos's programmers "Thank you for your support."

----------------------------------------------------------------
FICTUAL FACT/FACTUAL FICTION: DARK COFFIN BLASTED BY FLIP VIRUS
----------------------------------------------------------------

For most of the month of February the Dark Coffin virus exchange has been off-line due to a close look at the business end of the FLIP virus.
Sysop Pallbearer is slowly picking up the pieces and promises to be answering the phone by the time you read this. Remember mates, it only makes sense, always keep a back-up!

The March issue of PC Magazine sports an exceedingly smelly product review of a fistful of anti-virus software packages. In what has become known informally as a "done deal," Central Point Anti-virus and Norton Anti-virus took home top honors, beating out performers like F-Prot, Leprechaun Software's Virus Buster and the Solomon Anti-virus Toolkit. The Toolkit and Virus-Buster both took hits for their user interfaces, which apparently weren't attractive enough for PC Mag's team of rogue reviewers. It is unfortunate that computer viruses, as a rule, remain unimpressed by various elaborate menuing schemes, leading to the question, "Who, exactly, was the testing aimed at?" Advertisers or customers. The alert Crypt Newsletter reader already knows the answer, as we suspect, so do the losers in this runoff. The product reviewers warned of new bugaboos like "stealth" viruses and the "Virus Construction [sic] Laboratory." And we were surprised to learn that companion/spawning viruses are now classified as "stealth" - because they create "hidden" files. Don't tell that to our copy of DOSSHELL which lists them very nicely alongside every other program on our machine! In summation, once again consumer reporting takes it on the chin at the hands of "suit computer mag" reporters who should NOT forgive their parents for imposing the heavy burden of fetal alcohol syndrome upon them.

----------------------------------------------------------------
Thanks and a tip o' the hat for this issue go out to alert readers Mr. Badger, Lookout Man, Cory Tucker and SandoZ.
----------------------------------------------------------------

The Crypt Newsletter includes virus source code in each issue. If assembled, it will produce working copies of the viruses described.
In the hands of incompetents, irresponsibles and even the experienced, these programs can mess up the software resources of any IBM-compatible PC - most times, irretrievably. Public knowledge that you possess such samples can make you unpopular - even shunned - in certain circles of your computer neighborhood, too.

This copy of the Crypt Newsletter should contain the following files:

CRPTLT.R13   - this electronic document
VOOTIE.ASM   - VOOTIE virus source listing
OW.ASM       - OW virus source listing
SUSAN1.ASM   - SUSAN virus source listing
FLAGYLL.ASM  - FLAGYLL virus source listing
FLAGYLLZ.ASM - FLAGYLL-Z virus source listing
LITTLE.ASM   - LITTLE virus source listing
VDOS.DOC     - Documentation for ViruDos
VIRUDOS.EXE  - ViruDos joke command shell
BARNJ.BSV    - Bartles & Jaymes data file, must accompany VIRUDOS.EXE
FLAGYLL & FLAGYLL-Z.SCR - Scriptfiles for FLAGYLL viruses
SUSAN1.SCR   - Scriptfile for SUSAN virus
VOOTIE.SCR   - Scriptfile for VOOTIE virus
OW.SCR       - Scriptfile for OW-42 virus
MAKE.BAT     - handy, dandy "maker" for programs in this issue

To assemble the programs in this issue, just unzip all of them into the current directory, add the MS-DOS program DEBUG.EXE and type "MAKE" at the prompt.

You can pick up the Crypt Newsletter at these fine BBS's, along with many other nifty, unique things.

CRYPT INFOSYSTEMS                  1-215-868-1823   Comment: Crypt Corporate East
DARK COFFIN                        1-215-966-3576   Comment: Crypt Corporate West
THE HELL PIT                       1-708-459-7267
DRAGON'S DEN                       1-215-882-1415
RIPCO ][                           1-312-528-5020
AIS                                1-304-420-6083
CYBERNETIC VIOLENCE                1-514-425-4540
VA. INSTITUTE OF VIRUS RESEARCH    1-804-599-4152
UNPHAMILIAR TERRITORY              1-602-PRI-VATE
THE OTHER SIDE                     1-512-618-0154
MICRO INFORMATION SYSTEMS SERVICES 1-805-251-0564
REALM OF THE SHADOW                1-210-783-6526
STAIRWAY TO HEAVEN                 1-913-235-8936
THE BIT BANK                       1-215-966-3812
CYGNUS-X                           1-215-791-2457
CAUSTIC CONTAGION                  1-817-776-9564

The Crypt Newsletter staff welcomes your comments, anecdotes, thoughtful articles and hate mail.
You can contact Urnst Kouch at Crypt BBS, CSERVE#:70743,1711 or Internet: 70743.1711@compuserve.com