textfiles/magazines/CRYPT/crptltr.vir

                **********************************************
                The CryPt Newsletter: another in an occasional
                                   series!
                **********************************************


      NEWS! NEWS! NEWS!

      It's been an exciting summer at the Crypt!  With the procure-
      ment of Nowhere Man's Virus Creation Laboratory, virus researchers
      have much to do.

      The VCL is a revolutionary tool: an automated interface which
      puts a comprehensive viral assembly library into the hands of
      those who can benefit by it most.  Unlike the Mutation Engine
      which has proven itself a thorny, un-user friendly development
      with small utility (within two weeks of its widespread release,
      most anti-virus scanners had been adjusted to catch it), the
      VCL allows the determined virus programmer to create an almost
      infinite variety of novel and troublesome programs, limited only
      by his patience, dedication and imagination. Fuckin'-A! The
      VCL is fun!

      Preliminary study of the VCL by anti-virus researchers have 
      prompted some to declare on the FidoNet virus echo that VCL
      code will be easily countered.

      This is premature and easily defied.  F-PROT, one of the most efficient
      of the current crop of scanners CAN detect some VCL variants
      in "Secure Scan" and "Heuristic" mode.  However, "Secure Scan"
      findings are easily patched by incorporation of encryption
      routines in the raw code and "trapping" of the nascent virus
      body in a small custom-made .COM 'host' shell.*  In "heuristic"
      mode, F-PROT is dangerous - BUT only when the user 'knows' what
      he is looking for!  In my experience, few users will even attempt
      to use a "heuristic" mode on a regular basis. The reasons are
      these: 1) 'Heuristic"+ is a big word and, so, it must be hard to
      use (stupid, I know, but true!); and 2) The false positive rate
      requires some interpretation (Lazy fucks deserve to be parasitized
      by viruses - .Ed). 
      
      The same can be said for THUNDERBYTE's TBSCAN
      which implements an even more aggressive form of heuristic
      scanning.  Interpretation of shakey files is easy "when" 
      the user knows what he is looking for, 
      more problemmatical when flying blind.  In addition,
      TBSCAN isn't particularly user-friendly which means most potential
      targets of viral attack won't have it in their arsenal. (Thank the
      general level of incompetence in American society for this. Virology
      is as much sociology as assembly, I say.)
      
      *[This is a simple stunt which suggested itself after reading
       Mark Ludwig's "The Little Black Book of Computer Viruses"
       (American Eagle Publishing, Tucson, AZ)]

      +['Heuristic' - all you have to know is that 'heuristic' means
       F-PROT scans for certain 'patterns' of machine instruction:
       resident services, self-modification, weird jump intructions,
       discontinuous code sequences, garbage instructions, strange
       memory entrance, illegal writes or formats to the
       disk, etc.]

       IN THE MEAT OF THIS ISSUE:

       Two VCL-produced virus source-codes: DIARRHEA and DIARRHE6, which
       demonstrate one of the nicer features of the VCL, ANSI screen
       development and "dropper" routines.

       DIARRHEA can be assembled with TASM and linked in the standard
       manner. Place the assembled file on a floppy with SHELLT.COM 
       [Included in this newsletter]. Ensure that SHELLT is in a different
       directory for quickest results. Call the virus and it will 
       promptly infect the shell. This allows the encryption engine to
       turn once and supplies the virus in a form easily introduced into the
       wild.

       Now for the interesting part: DIARRHEA is an appending virus
       which displays a BIG ANSI every Friday. It goes
       something like this: EAT MY DIARRHEA - GG Allin & The Texas
       Nazis.  It's a real attention grabber and since DIARRHEA really
       doesn't do anything but that, it's got an even chance of 
       spreading rather nicely before someone gets surprised by
       the ANSI. At which point they could go berserk. Hahaha.
       [I know, I have a juvenile sense of humor.]

       DIARRHE6 is for those more impatient to see immediate results.
       DIARRHE6 'drops' a TheDraw prepared .COMfile onto all .EXE 
       files in the virus's path of infection.  This, in effect,
       destroys the original program and replaces it with the
       BIG ANSI which displays the hated EAT MY DIARRHEA message.
       In truth, DIARRHE6 will be noticed fast since .EXE files
       are eaten up by the ANSI substitute rather quickly. Don't
       expect it to spread too far, although there is the chance that
       an inexperienced user will be drawn into thinking that the
       destroyed .EXE's are actually infected with a 
       over-writing virus.

       To make this potential a little more polished, I've included
       an optional modification for DIARRHE6.  I've prepared a
       fragment of the WHALE virus in 'define byte' form
       in the included file, VIRUS1.DAT.  Use your favorite
       text editor to replace the ANSI data table at offset
       DATA01 in DIARRHE6.ASM with VIRUS1.DAT JUST AS THE FILE IS WRITTEN.

       Then assemble.

       This will produce a virus which drops a WHALE string
       onto .EXE's in its path, instead of the motorized ANSI.
       When the victim goes to use a scanner on his damaged files,
       he'll find the WHALE or, possibly, a DIR string. Scarey!!! 
       While he's offhunting for this new strain of WHALE, your modified
       version of DIARRHE6 could still be going strong.

       [Actually, I'm sure you see the potential here. You could 
       actually drop an entirely different virus onto the file,
       causing a more serious secondary infection.]

       Remember that you'll want to let the modified DIARRHE6 infect
       SHELLT.COM before you release it so that it encrypts itself and
       the embedded WHALE string. This way, it won't scan for
       WHALE until the string is 'dropped.' When you assemble this
       you will notice the text "Eddie lives . . . somewhere in time!
       Written in the city of Sofia, Bulgaria." in the un-encrypted
       virus. Yup, it's loosely cribbed from DARK AVENGER even though
       the 'dropped' table scans predominantly as WHALE. I put it
       there to confuse things even more. When the victim executes
       the .EXE this file has been dropped on, the phrase from
       the DARK AVENGER (or CRAZY EDDIE) will display. Hahahah!
       More confusion! (You can rip it out if you don't like it;
       be my guest.) Other scanners may identify the dropped string
       as DIR (THUNDERBYTE does) or SPARSE, which is fine. You see, I had 
       so much fun with the idea I couldn't resist stuffing all 
       kinds of psychologically troubling nonsense into VIRUS1.DAT.

       And, you will need TASM or MASM to fully utilize these listings.

       IN CONCLUSION:

       Do yourself a big favor and find the VCL. Nowhere Man's creation
       is quite a pleasure to use, allowing your wildest creative
       juices to flow.

       CONFUSION TO YOUR ENEMIES!

       -URNST KOUCH
       DARK COFFIN BBS 215-966-3576
       VIRUS_MAN BBS   215-PRI-VATE

       This issue of the CryPt newsletter should contain:
       DIARRHE4.ASM - the source listing to DIARRHEA virus
       DIARRHE6.ASM - the source listing to DIARRHE6 virus
       SHELLT.COM - a helpful shell for initial infection trapping
       VIRUS1.DAT - a 'define byte' table for a dummy COMfile
       which contains WHALE & DIR virus signature strings as well
       as text from CRAZY EDDIE virus.
       CRPT.LTR - this newsletter
       If it doesn't, DEMAND UPGRADE!!! heh-heh, a little joke.