*******************************************
The CRYPT Newsletter (#7) - Early Oct., 1992

Another in a continuing series of info-glutted humorous monographs solely for the enjoyment of the virus programmer or user interested in the particulars of cyber-electronic data replication and corruption.

--Edited by URNST KOUCH
********************************************

This issue's top quote!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
"Ross Perot is an empty valise."
-Ed Koch on the former Electronic Data Systems leader's re-entry into the presidential race.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

IN THIS ISSUE: SPECIAL Election Day viruses: VOTE and VOTERASE...the DEICIDE virus...FIDO news...INCAPABILITIES: Off-the-cuff evaluations & fear and loathing on PRODIGY... from the Reading Room: "Cyberpunk" by Hafner and Markoff ...McAfee Associates close in on "fuck you money"...Vidkun Quisling Medal awarded...more...

----------------------------------------------------------
NEWS! NEWS! NEWS! VITRIOL! NEWS!

This issue we award the Vidkun Quisling Gold Medal of Rank Hypocrisy to Gary Watson of Data Systems.

Here at the newsletter bungalow we couldn't help but notice programmer Gary Watson's insistence that he has been the victim of a disinformation campaign launched by virus exchange BBS's. "Do I upload source codes to virus boards, not so, not so!" is the essence of this claim, aired on the FidoNet VIRUS_INFO echo.

To help get at the truth, we're releasing a log and archive listing documenting Watson's visit to the Dark Coffin BBS in Pennsylvania. What follows is a reprint of a BBS log generated by WWIV 4.21, the software in use on Dark Coffin:

1702: Gary Watson #58 23:54:19 08/07/92 [Torrance CA]
Q, S, X, >, >, >, S, Q, Q, X, T, L, >, >, >, *, Q, X, T, *, X, Q, , Q //S**T! I GOTTA CHECK THE F****N MESSAGE BASES...., T, ?, U, Z, <, >, <, < <, <, <, <, <, F, //WELL, ONE OF EM AT LEAST, *, U, X, U
>>>+DANGER .ZIP uploaded on NEW UPLOADS<<<
C, C, H, A, T, X, /, \, \, Q, Q, ?, O,
Read: 20 Time on: 16

All comments following // are command line messages one of us used to type to the other. Notice upload of DANGER.ZIP.

Next, the PKUNZIP listing of what was kept from that archive:

PKUNZIP (R)   FAST!   Extract Utility   Version 1.93 ALPHA   10-15-91
Copr. 1989-1991 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
PKUNZIP Reg. U.S. Pat. and Tm. Off.

Searching ZIP: DANGER.ZIP

 Length  Method    Size  Ratio   Date     Time    CRC-32   Attr  Name
 ------  ------    ----  -----   ----     ----    ------   ----  ----
  24704  Implode   7072   72%  09-25-91  10:44  26dbaec9  --w-  MIX1.ASM
   3193  Implode   1527   53%  03-05-89  22:21  1d1d5ed8  --w-  AMST-847.ASM
  13009  Implode   3179   76%  01-01-80  00:06  ec3b2f22  --w-  BADBOY2.ASM
  19037  Implode   6318   67%  06-05-90  11:54  ce10ca04  --w-  MURPHEXE.ASM
  12453  Implode   2783   78%  04-04-90  17:35  78c45414  --w-  STONE.ASM
  26586  Implode   5754   79%  04-04-90  17:35  50ad447b  --w-  DATACRIM.ASM
  19495  Implode   7985   60%  01-03-90  23:19  31f550c8  --w-  EDDIE.ASM
   8897  Implode   2914   68%  05-05-90  18:13  0953d928  --w-  DIAMOND.ASM
  45577  Implode  10889   77%  05-05-91  18:51  065542d3  --w-  V2100_.ASM
  15042  Implode   2663   83%  04-18-91  16:58  19fc2ef6  --w-  LEECH.ASM
  58090  Implode  12176   80%  08-11-92  22:43  ddccc22e  --w-  VSOURCE.ASM
  19310  Implode   6330   68%  03-09-91  15:53  50e8c26a  --w-  HORSE2.ASM
  47596  Implode  11030   77%  03-13-91  18:29  21efc392  --w-  4096.ASM
   3042  Implode   1139   63%  12-28-88  12:32  a7404cb9  --w-  BOOT1.ASM
  10830  Implode   2939   73%  08-11-92  22:43  a7ae08a6  --w-  DIR2.ASM
   7212  Implode   2215   70%  08-11-92  22:47  4de925cf  --w-  MASTER.ASM
 ------           -----   ---                                    -------
 334073           86913   74%                                         16

And an extracted header from one of the source codes, STONE.ASM:

; ╔══════════════════════════════════════════════════════════════════╗
; ║  British Computer Virus Research Centre                          ║
; ║  12 Guildford Street, Brighton, East Sussex, BN1 3LS, England    ║
; ║  Telephone: Domestic 0273-26105, International +44-273-26105     ║
; ║                                                                  ║
; ║  The 'New Zealand' Virus                                         ║
; ║  Disassembled by Joe Hirst, November 1988                        ║
; ║                                                                  ║
; ║  Copyright (c) Joe Hirst 1988, 1989.                             ║
; ║                                                                  ║
; ║  This listing is only to be made available to virus researchers  ║
; ║  or software writers on a need-to-know basis.                    ║
; ╚══════════════════════════════════════════════════════════════════╝

Now, while this isn't IRONCLAD proof of Gary Watson's duplicity, it IS close enough for most purposes. And, yes, here at the bungalow we can still imagine cries of "Disinformation!" or "It's a FRAME-UP!" or "I never did that!" We feel confident that the reasonable Crypt reader will weigh the veracity of a Gary Watson (who self-admittedly views those unlike him as "targets" and has an ego so big he is easily stroked into flaming on the FidoNet by barbs from those much younger than he) against that of the urbane and always courteous editors of the Crypt Newsletter.

We are pleased to award Gary Watson the Quisling Medal. When ex-New York City mayor Ed Koch was asked to comment on the Quisling award, he said, "Gary Watson is an empty valise."

A HOT TIP! Nowhere Man informs the Crypt Newsletter that he is readying a polymorphic encryption module for domestic release. This is in addition to his work on VCL 2.0 which could be coming to you sometime around the holiday season!

*****************************************************************
A CRYPT NEWSLETTER SPECIAL: VOTE and VOTERASE, custom Election Day viruses!!!
*****************************************************************

In this issue, we give the readers the VOTE! VOTE (or VOTE, SHITHEAD) is a memory resident, spawning virus which is not detected by the recent versions of SCAN, Thunderbyte's tbSCAN, Datatechnik's AVScan, NORTON Antivirus or Central Point Antivirus. Upon installation, VOTE will reside in a small hole in system memory invisible to all but the most discerning eye.
It hooks INT 21 and monitors the DOS load function. From there, it will create hidden/read-only 'companion' files for every .EXE program called. All of these 'infected' programs will continue to function normally; VOTE's disk writes are minimal and not likely to be noticed by anyone NOT looking for the virus. VOTE will accumulate on the infected system's hard file in an almost totally transparent manner until Election Day.

On Election Day, at the start of the morning's computing, the first .EXE executed which has a VOTE 'companion' counterpart will result in activation. VOTE will lock the machine into a loop in which the user is gently but insistently reminded to go to the polling place. Computing will be impossible on Nov. 3rd, unless VOTE is completely removed from the system. After Nov. 3rd, VOTE will again become transparent. VOTE is an ideal virus and we encourage the Crypt reader to do his bit (ouch!) to reawaken democracy in this country.

VOTE will not harm files in any way. VOTE is simply removed by booting from a clean disk, tallying up all the 'hidden/read-only' 348 byte .COM duplicates of .EXE files, and deleting the .COM files. No special anti-virus software is necessary, as long as the user knows VOTE is afoot and what to look for.

The Crypt reader will remember the basic characteristics of the INSUFF spawning virus in issue #6. VOTE utilizes the same principles, attacking poorly implemented systems auditing and integrity checking software like that found in CPAV. In fact, VOTE can operate IN THE TEETH of a number of a-v software default installations. Unlike unknown resident viruses which instantly attempt to infect a-v software as it fires up, thus making the set-upon program squeal about file modification, VOTE can successfully 'infect' any program which can't scan it. It will instantly create a 'companion' which will go resident any time the a-v program is subsequently used.
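As an added defender-side example (not code from the newsletter), here is a sweep for the companion files the text describes: a .COM of VOTE's stated 348-byte size sitting beside an .EXE of the same name, carrying the hidden or read-only attribute. It builds a constructed sample directory, reports every .EXE/.COM pair, and emits the ATTRIB/DEL lines an operator would review after booting clean; the sample file names and the temp tree are assumptions.

```python
"""Companion-file sweep for the VOTE pattern described above (added example)."""
import os
import stat
import tempfile
from dataclasses import dataclass

VOTE_COMPANION_SIZE = 348  # companion size the newsletter gives for VOTE


@dataclass
class Companion:
    name: str       # e.g. "GAME.COM"
    com_path: str
    size: int
    read_only: bool
    hidden: bool

    def suspicious(self) -> bool:
        # A .COM shadowing an .EXE is a hit only if it also has VOTE's size and
        # one of the attributes the text describes (hidden or read-only).
        return self.size == VOTE_COMPANION_SIZE and (self.read_only or self.hidden)


def inspect(path):
    st = os.stat(path)
    read_only = not (st.st_mode & stat.S_IWUSR)
    # st_file_attributes exists only on Windows; elsewhere 'hidden' is unknowable.
    hidden_flag = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 2)
    hidden = bool(getattr(st, "st_file_attributes", 0) & hidden_flag)
    return st.st_size, read_only, hidden


def find_companions(root):
    """Return every .COM that shares a base name with an .EXE in the same directory."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}  # DOS names are case-insensitive
        for lower, real in by_lower.items():
            if not lower.endswith(".com") or lower[:-4] + ".exe" not in by_lower:
                continue
            com_path = os.path.join(dirpath, real)
            hits.append(Companion(real, com_path, *inspect(com_path)))
    return sorted(hits, key=lambda c: c.com_path)


def cleanup_commands(hits):
    """DOS commands for the operator to review after booting from a clean disk."""
    cmds = []
    for c in hits:
        if c.suspicious():
            cmds.append(f"ATTRIB -H -R {c.com_path}")  # strip hidden/read-only first
            cmds.append(f"DEL {c.com_path}")
    return cmds


def build_sample_tree():
    """Constructed sample disk: one VOTE-like pair, one benign pair, two singles."""
    root = tempfile.mkdtemp(prefix="vote_sweep_")

    def put(name, size, read_only=False):
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"\x90" * size)
        if read_only:
            os.chmod(path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)

    put("GAME.EXE", 4096)
    put("GAME.COM", VOTE_COMPANION_SIZE, read_only=True)  # what VOTE would leave
    put("EDIT.EXE", 8192)
    put("EDIT.COM", 2000)  # legitimate .EXE/.COM pair: writable, wrong size
    put("WP.EXE", 1024)
    put("NOTE.COM", 512)
    return root
```

Calling `cleanup_commands(find_companions(build_sample_tree()))` lists only the GAME.COM pair; EDIT.COM is reported as a pair but not flagged, since a legitimate .EXE/.COM twin is common under DOS.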
Tested against CPAV, SCAN, tbSCAN, AVScan and Leprechaun's Virus-Buster, VOTE capably created 'companions' for each executable as they were employed. And none of the packages seemed to mind.

Some a-v types prefer to refer to viruses like VOTE as "worms," because like the archetypical INTERNET "worm," they do not alter the programs they 'infect.' Recently, another corporate-military-security stiff even suggested the term "viro-worm" on the CSERVE VIRUSFORUM. This is an example of idiot-savant jargon. Good for cowing the uninitiated, it serves the additional purpose of convincing a dupe that he has actually gotten value for his money if ever he hands over a certified check for someone's "computer security paper." You should know "companion virus" remains a perfectly acceptable term for programs like VOTE. It is clear, concise and descriptive, something "viro-worm" is not.

The source code for the VOTE "companion virus," as well as its DEBUG script, are included in this issue. The TASM listing invites the reader to extend the life of VOTE beyond November 3rd by simply changing the activation.

However, for those Crypt subscribers convinced that democracy has failed and that Election Day is a mere sham perpetrated by the ruling elite, we include VOTERASE. VOTERASE is exactly like VOTE, EXCEPT on Election Day it wakes up and expunges all files from an infected system. VOTERASE displays no message, it merely makes Election Day into an even harder working day. VOTERASE is quick. Files disappear in mere fractions of a second. A heavily infected disk could, theoretically, be emptied in minutes after the start of the day's computing on Nov. 3rd. The DEBUG script for VOTERASE is included with this issue.

(Note: VOTERASE will not damage the partition table of the hard file or overwrite programs with gobble. The hard disk will experience boot failure if its command processor and system files are removed by VOTERASE. In most cases, a simple restoration from backup after elimination of VOTERASE should get things moving again.)

The Crypt Newsletter has included the VOTE viruses to commemorate America's long tradition of rule by and for the people!

Disclaimer: The VOTE viruses are non-partisan. Neither recommends you vote for any particular candidate. So remember, just VOTE!!! Your computer could be watching!!

***********************************************************************
***********************************************************************
INCAPABILITIES: PRODIGY USERS GRUMBLE ABOUT NORTON ANTIVIRUS 2.1
***********************************************************************

In Crypt newsletter #6, we reprinted an ad issued by SYMANTEC touting the new Norton Antivirus's ability to scan for Mutation Engine-loaded viruses. To make a point, we created the INSUFF viruses to poke a hole in this claim. Our tests showed that Norton Antivirus 2.1 did not detect ANY mutations generated by ANY of the MtE-loaded INSUFF viruses.

Now users of NAV 2.1 are starting to complain on PRODIGY, the Sears Roebuck electronic info service for novice computerists, that the SYMANTEC software detects the MtE in some data files. Henri Delger, a virus watcher on PRODIGY who advises people with questions on rogue programming, has chronicled this as a nasty false-positive bug inherent in NAV 2.1. He recommends users demand a free upgrade to the next version. Delger estimated that NAV 2.1 reliably detects about 40% of known viruses.

Smart consumer advice: NAV 2.1 will detect false MtE images in your data, but remains incapable of detecting real MtE infections.

In a spot evaluation of Central Point Software's Anti-Virus, we ran its scanner against 350 virus samples generously obtained from Long John Silicon by way of Todor Todorov's virus collection. CPAV identified 68% of the samples, as contrasted to F-PROT 2.05, which detected a full 98%.
Smart consumer advice: Why pay $100 for something which works poorly, when you can have a finely tooled racin' machine for free?

********************************************************************
ADDITIONAL DATA ON HILGRAEVE's HyperACCESS/5 COMM PROGRAM:

You may still be interested in the virus scanner part of Hilgraeve's HA/5, commented on only briefly in the previous issue. But you require more information before you unhitch your trucker's wallet. Here, then, in Hilgraeve's own words:

"To give you the most comprehensive, up-to-date protection possible, Hilgraeve uses the same signatures as the IBM Virus Scanning Program, with IBM's consent. This is an excellent source, because IBM devotes tremendous effort to collecting and identifying viruses."

Sez who? Does anyone you know actually use IBM software?

Anyway, while HA/5 remains a fine terminal program we continued to be dismayed at its HyperGuard 'virus filter' performance as we used it to transfer samples between BBS's in eastern Pennsylvania. Eventually, we just turned the 'filter' off. As of now, BBS and comm program scanners have a long way to go before they are of much practical use. And that doesn't even begin to deal with programming tricks like PKliting and stand-alone encryption which are used to 'conceal' scanned viruses and logic bombs during electronic transfer. We recommend Hilgraeve delete this feature from future versions of HA/5 and replace it with an in-line file archiver to complement the software's handy "Unpack" de-archiver.

**************************************************************************
MCAFEE GOES PUBLIC, TRANSLATION: EMPLOYEE STOCKHOLDERS GET 'FUCK YOU' MONEY - DON'T YOU WISH YOU DID??
Purloined from CSERVE's Online Today, Oct. 7, 1992
**************************************************************************

Online Today
MCAFEE ASSOCIATES GOES PUBLIC

(Oct. 7) McAfee Associates Inc., known for its line of anti-virus software, has gone public and investors gave the stock of the Santa Clara, Calif., firm a warm reception. On its first day of public trading, the stock rose 25 percent over its initial price.

According to United Press International, McAfee offered 1.05 million shares, with the remaining 1.55 million coming from stockholders. It has 11 million shares of common stock outstanding after the offering. Yesterday, McAfee shares closed at $20.125 in over-the-counter trading. Its 2.6-million-share offering was priced at $16 a share.

Besides its anti-virus software, McAfee recently released its first two general purpose utilities to enable users to repair damaged files and disks.

Reports from United Press International are accessible in CompuServe NewsGrid database (GO NEWSGRID) and through the Executive News Service (GO ENS).

--Charles Bowen

[Well, look who it is!]

****************************************************************************

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
IN THE READING ROOM: "Cyberpunk: Outlaws and Hackers on the Computer Frontier" by Katie Hafner and John Markoff (Simon & Schuster paperback)

Divided into three discrete sections, "Cyberpunk," for the most part, attempts to retell the tale told by Cliff Stoll in "The Cuckoo's Egg." And why not? The story of a bunch of disgruntled, drug-gobbling Huns attempting to steal phony U.S. defense secrets off the INTERNET for a computer-ignorant KGB is too fantastic to be anything less than riveting. And so what if it's old news! It's the telling that counts and though it's fairly obvious that the authors know about as much about computers as the journalists who covered Michelangelo, "Cyberpunk" is still a better read than anything a systems programmer could dream up.

[Well, maybe I'm a little unfair to the authors. Katie Hafner WAS an editor at Data Communications magazine, so she MUST know what a computer is. However, John Markoff reports on the industry for the New York Times and as far as I can tell there's never been any sign of sentient life in 'tech' reporting from that quarter.]

As for the virus story there's almost none unless you count Robert T. Morris, Jr.'s INTERNET "worm." But, you'll thrill to the description of Morris's father, anyway. You'll be able to picture him as just the kind of patronizing, intellectual turd you'd expect would be asked to be the head of an NSA research arm secretly figuring out new ways to break codes, new ways to open people's mail, still more interesting and new ways to listen in on your telephone conversations, even more fun and interesting ways to waste taxpayer money without having to tell you about it, yet more ways to raise a kid who uses tips you've given him from the NSA to create a national scandal, new and great ways to be a king-asshole snoop gr-zz-rrz-zzzz, etc. Yeah, that's hot!

And "Cyberpunk" has all the info on "hacker" Kevin Mitnick who terrorized small businesses, the phone company and numerous college administrators in Southern California. His was a glorious life, spending long hours cajoling lonely business secretaries into giving away system passwords over the phone, just like the cons at the local jail who even as you read this are no doubt ripping off someone stupid from the pay phone in the prison lounge. Yes, a most excellent "phone-phreak" life, where you take off for a weekend of brute-force hacking ensconced in the luxurious digs of the local "hooker" crashpad. Yup, learn how to be an elite "cyberpunk," cuffed to a chair in the night watchman's office like a common piss-soaked drunk caught wandering the campus of a local community college. That's where it's at, man. And "Cyberpunk" will give you a good idea on just how to go about it.

The Crypt Newsletter recommends "Cyberpunk"!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
666 - the DEICIDE virus, for all the Crypt Newsletter's Slayer fans
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

DEICIDE is a simple, horribly destructive overwriting virus. It will attempt to infect all .COM files except COMMAND.COM in the root directory on any disk. Once it has run out of .COM files to infect, it will smash the C: hard file by meddling with its first 80 sectors. Programs infected by DEICIDE are completely destroyed. When called DEICIDE will display "File corruption error," just the kind of cryptic DOS message that will send a new computer user into paroxysms of confusion.

The A86 source of DEICIDE is included in this issue. Liner notes and an 'altered' DEBUG script are also provided, supplying a 'new' copy of DEICIDE to readers interested in further study. DEICIDE is not very long-legged as viruses go; in fact, one might consider it more along the lines of a slightly 'delayed' trojan. Its author, "Glen Benton," has written a number of other similar viruses from his refuge in Holland.

**********************************************************************
ADDITIONAL SOFTWARE DOCUMENTATION FOR CRYPT NEWSLETTER #7:
**********************************************************************

By now, perhaps, you know the drill. Software described in the Crypt newsletter is supplied as source code, DEBUG scripts, or both. For those without an assembler, copy the .SCR files in this archive into a directory and bring up the C:> prompt. If the DOS program DEBUG is in your path, merely type DEBUG <*.scr where *.scr is the .scr file for the software you wish to produce. Then hit Enter. After a few moments, the program should be ready for you in the current directory. [If even this seems like a mystery, feel free to get someone to help who knows what he's doing. We recommend, however, that in this case you NOT try executing Crypt Newsletter software.]

This issue contains the VOTE viruses. VOTE is included as a listing and DEBUG script, while VOTERASE is supplied only as a script. In addition, you will find the A86 source listing for the DEICIDE virus and its corresponding script file. Additional user notes for this issue are found in the headers of the accompanying assembly listings.

Remember that programs included with the Crypt Newsletter are quite capable of destroying your data, executable valuables and/or making your day seem overlong. In fact, your computing day WILL be made longer if you are stupid and careless with them. Indeed, your father, wife or significant other will probably not find DEICIDE clever and amusing at all if it gets loose for half an hour on the family system while the company news organ or some equivalent, but necessary, twaddle is being prepared.

******************************************************************
This issue of the Crypt Newsletter SHOULD contain:

CRPTLET.TR7  - this text
VOTE.ASM     - TASM source listing for the VOTE virus
VOTE.SCR     - DEBUG script for the VOTE virus
VOTERASE.SCR - DEBUG script for the VOTERASE virus
DEICIDE.ASM  - A86 listing for Glen Benton's DEICIDE virus
DEICIDE2.SCR - DEBUG script for the DEICIDE virus

If any of these files are missing: Complain at once, go to any of the BBS's listed following this text, and grab a COMPLETE copy.
******************************************************************

Additional note: Vidkun Quisling is an infamous trademark of the Norwegian government. Quisling, a WWII Axis collaborator, aided Adolf Hitler in his conquest of Norway in 1940. In gratitude, Der Fuehrer made him Norway's puppet ruler. After the war ended, angry Norwegians tried Quisling for treason, won an easy conviction and had him shot.
******************************************************************

Readers should feel free to send e-mail to editor URNST KOUCH on any of the BBS's listed in this file. On Hell Pit, I can be reached as COUCH. To ensure you don't miss an issue of the newsletter, I invite you to come to DARK COFFIN and e-mail me with a data number of your favorite BBS. I'll include it in my database and begin delivery if they'll have it. This guarantees you'll be the first on your block to get fresh issues.

The Crypt newsletter is distributed first at the following sites:

╔═══════════════════════════════════════════════════════════════════╗
║ This V/T info phile brought to you by €ç˜ž,                       ║
║ Makers/Archivists/Info Specialists on Viruses/Trojans.            ║
╠═══════════════════════════════════════════════════════════════════╣
║ Dark Coffin ···················· HQ/Main Support ··· 215.966.3576 ║
╟───────────────────────────────────────────────────────────────────╢
║ VIRUS_MAN ······················ Member Support ···· ITS.PRI.VATE ║
║ Callahan's Crosstime Saloon ···· Southwest HQ ······ 314.939.4113 ║
║ Nuclear Winter ················· Member Board ······ 215.882.9122 ║
╚═══════════════════════════════════════════════════════════════════╝