**************************************
The CRYPT newsletter: semi-serious ish
number 2, or another in an intermittent
series. --URNST KOUCH. M.CS, D.d.(Master:
Cork-Screwin', Dirty-Dealin', etc.)*
***************************************

*[I got this from George C. Scott in "The Flim-Flam Man."
You should rent this excellent movie; perhaps even use
'The Flim-Flam Man' as your 'handle'!]

NEWS! NEWS! NEWS! NEWS!

Hot from the gossip-mongers on the FidoNet virus echo:

Tim Caton (The Pallbearer) and a member of
Phalcon/SKISM were recently given three-month furloughs by moderator
Frans "Dutch" SomethingorotherAndersssomething for yakking
about virus exchanges, etc., blah-blah-blah. In "Dutch's"
own words: they were "excommunicated."

"Excommunication" translates loosely as "you can still
post, but no one is allowed to reply to you or they
will be excommunicated, too." No word from "Dutch"
on the inherent 'unworkability' of this arrangement,
although Caton continues to post and receive responses.
Apparently, even "Dutch" doesn't believe his own spout.

As for Caton: "This is just a hobby for me, you hear,
a hobby!! I could be baskin' in the sun in Florida!"
he bellowed.

The "Dutch" policy also does not explain why FidoNet
fave Gary ("I've been programming in assembly for 14
years!") Watson is given such a long leash to discuss
transfer of viral material when newer members are
continually slapped around for discussing the same
general topics.

Speaking of that rogue, Watson, wasn't it he
who spent a recent afternoon running SCAN over
about 650,000 (?!??!) MtE-loaded viral samples?
Now, izzit me, or does this strike you as nuts?
There is such a thing as being thorough, and then
there is: CLEARLY INSANE. Working on your
Ph.D. thesis, Gary? I'm glad I'm not on your
committee - pass the No-Doze, Quimby, Watson's giving
his research report on the MtE this afternoon...

SPOTTED ON THE CSERVE VIRUS FORUM: 'Outlaw Joz'
and 'Bocephus' viruses have been seen plaguing hapless
corporate stiffs. Our salute to whoever is responsible
for naming 'Outlaw Joz'! Obviously, they know how to
come up with a classy moniker.

Also seen (hey, this is like being one of those Audubon
Society 'birder' weenies): GEEK virus, a mini-epidemic of
4096 and NPOX.

And a special slap upside the head to Virus Bulletin
'journalist' Mark Hamilton. Hamilton recently sent
derogatory private e-mail blind-siding fellow VIRUSFORUM member
Eric Essman as "a sleaze." Amazingly, Hamilton sent it
to Essman, too (by mistake, apparently).
Essman promptly turned it into a 'public' multi-mail. Oops!
Pay more attention to those account addresses, Mark!
That's an e-mail faux-pas!

THE GENVIR 1.0: THREAT OR MENACE??

Have you seen this program: the GENVIR 1.0 French virus
generator?

Outwardly, it's quite an elaborate menu-driven viral
design suite for "researchers." But when you get to
the punchline - the time for it to cough up a virus
to your specs - up comes a 'crippleware' nag screen.
Better part with the francs first and register, it
sez, or no viruses for you!

Well, c-a-l-l-l-l-l-l Dr. FileFinder!

In any case, the GENVIR 1.0 remains interesting for a number of
reasons. First, its copyright date of 1990 makes it an early
attempt, if legit, to derive cash from viral code. This
predates Mark Ludwig's "Little Black Book" and viral companion
disk by at least two years.

Second, it shows that someone thought that a viral programming
tool had commercial potential, never mind the possible legal
ramifications.

Third, since it's 'crippled' shareware, the possibility exists
that GENVIR 1.0 is the software equivalent of the Piltdown
Man - an elaborate hoax designed to entice saps into sending
their hard-earned cash money to an anonymous POB. Haha!!

Whatever the truth, the GENVIR 1.0 is surrounded by controversy,
generated, perhaps, by the rage of virus fanatics who spent
precious filepoints to download it.

Is there a GENVIR virus (like MANTA) floating around?
You tell me if you've got the 'registered' version!!*

[*Note: if you obtain GENVIR 1.0, better have your pocket
French-English dictionary ready. It's 100% frog, but
still easily doped out if you've got the patience.]

CASH FOR CODE: AN IDEA WHOSE TIME HAS COME?

Have you been charging for downloading rights on your exchange?
Well, if not, perhaps you should. From what I can tell
here in lower Slobville, Pennsylvania, viruses and their source
codes are in high demand. And a lot of people who want them
have trouble getting at them, either because they don't have
a unique virus to upload or don't wish to be bothered with
programming one.

Now, there's nothing wrong with this attitude. After all, should
you have to hand-machine your own Mossburg AlleySweeper before you
stroll into a firearms store to purchase one? Of course not.
If that were so, the locals would be rioting in the streets from
here to the Florida Keys over infringement of their constitutional
rights.

This potential customer base cannot look to the anti-virus
community for help. Remember, John McAfee has said something to
the effect that passing on the code of Michelangelo would be akin to
giving some street urchin a vial of human pathogens.

So, the field is wide open for the virus exchanges. Rather
than ask for 'donations', why not simply package viral
samples in bulk lots and charge what the market will bear,
depending upon strain demand or prevalence?

Viral samples could also be packaged with descriptive docs to
enhance their value and given a guaranteed test for 'live'
quality before being put on line. Think of it. In the long run,
who do you think will attract more users: the virus exchange
with hundreds of cryptic archives totally loaded with misnamed
strains, dummy files, incomplete fragments of code or 100k
infected games, or the exchange that distributes well documented,
completely characterized, naked viral samples? [This, of
course, entails some work. The archivist will have to go
through his files and transfer virus-infected utilities/games/etc.
to a testing area where the virus can be 'trapped' in a small
generic .COM stub before return to the archive. Documents will
have to be prepared and formatted, too. This serves a double
purpose, screening out 'dead' files.]

Anyway, I think you know the answer. Think of the virus archive
as a specialty 'chemical' firm providing lab quality goods for
interested hobbyists, researchers and the occasional mis-guided
. . . um, terrorist.

American gadget freaks, particularly computer hobbyists, are
inveterate packrats and collectors. In my opinion, those
interested WILL pay for quality samples, easily obtained
from straightforward BBS's not saddled with idiotic posting ratios,
overly chatty menus or disdainful, mocking 'help' prompts.

Do yourself a favor. Start making some money off your long
distance collection.

SCAN 95B AND VCL CODE: A VERY BRIEF RESEARCH REPORT ALMOST
TOTALLY DEVOID OF EXACTING DETAIL

The news is out. SCAN 95B detects VCL code as the [Con] virus.
How long will it take you to retool your custom-designed virus
so that it can be ready to head back out into the wild?

The answer: not very long. I recently spent 15 minutes breaking
SCAN's 'death-grip' on some VCL variants. Simply, the basic
technique involves making minor changes to, um, well ... heh-heh,
some secrets have to remain 'proprietary' because there are
flies on the walls of even the most remote BBS.

However, included with this issue of the Cryptletter IS a hex
dump of the MIMIC1 virus, a VCL 1.0 product that DOES NOT
scan under 95B. So, you can reverse engineer it if you
like, but lemme tell ya confidentially, you can probably
figure it out yourself in less time than I did.

The REAL point of this abstract: it again demonstrates the inevitable
passing of the brute-force scanner. With the advent of Nowhere
Man's VCL (and the easy availability of many viral source codes),
it remains possible to flood any region with a variety of
easily patched viral samples. Only software which performs
functions analogous to something like INTEGRITY MASTER is not
obsolete. However, will the average American realize this?
Probably not for another five years.

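The point of the section above, as an added example that is not code from the Cryptletter: a sample with one byte patched slips past a scanner that looks for a fixed byte string, while an integrity checker that recorded the clean file's size and hash still flags the change. The stub bytes, the appended blob and the 'scanner string' are all constructed for illustration and stand in for nothing real.

```python
import hashlib

# Constructed sample data (not real program or virus bytes): a short stub
# standing in for a clean .COM file, a blob standing in for an appended
# infection, and a made-up fixed "scanner string" that the blob contains.
CLEAN_COM = bytes.fromhex("b409ba0001cd21c3") + b"Hello, world$"
APPENDED_BLOB = bytes.fromhex("e90000deadbeefcafef00d") + b"\x90" * 16
SCAN_STRING = bytes.fromhex("deadbeefcafe")  # hypothetical signature


def signature_scan(data: bytes, sig: bytes = SCAN_STRING) -> bool:
    """Brute-force scanner: flags the file only if the exact string is present."""
    return sig in data


def take_baseline(files: dict[str, bytes]) -> dict[str, tuple[int, str]]:
    """Integrity baseline: size and SHA-256 of each file, taken while known clean."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}


def integrity_check(files: dict[str, bytes],
                    baseline: dict[str, tuple[int, str]]) -> list[str]:
    """Names of files whose size or hash differs from the baseline, or that are new."""
    flagged = []
    for name, data in files.items():
        current = (len(data), hashlib.sha256(data).hexdigest())
        if baseline.get(name) != current:
            flagged.append(name)
    return sorted(flagged)


def compare_detection() -> dict[str, tuple[bool, list[str]]]:
    """Run both checks over three states of one file: clean, blob appended
    with the signature intact, and the same blob with a single byte patched."""
    clean = {"HELLO.COM": CLEAN_COM}
    baseline = take_baseline(clean)
    infected = {"HELLO.COM": CLEAN_COM + APPENDED_BLOB}
    patched_blob = bytearray(APPENDED_BLOB)
    patched_blob[5] ^= 0x01  # 0xbe -> 0xbf: the fixed string no longer matches
    patched = {"HELLO.COM": CLEAN_COM + bytes(patched_blob)}
    return {
        "clean": (signature_scan(clean["HELLO.COM"]), integrity_check(clean, baseline)),
        "infected": (signature_scan(infected["HELLO.COM"]), integrity_check(infected, baseline)),
        "patched": (signature_scan(patched["HELLO.COM"]), integrity_check(patched, baseline)),
    }
```

The "patched" entry is the case the section argues: the scanner reports nothing, the baseline comparison still names the changed file.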
ONE FINAL BURNING QUESTION!!

Why does Mark Hamilton's Virus Bulletin cost so much? When
viral sources are commonplace, when there are 'free' magazines
of technical advice like 40Hex, why is there a
market for Virus Bulletin? The answer: some haven't
caught on. Give someone you know in the corporate security
business some source codes, the VCL or PS-MPC, a copy of 40Hex,
Nuke Info Journal, or, hey, even the Cryptletter.
Once they know where to find 'em, perhaps they'll weigh the
cost effectiveness and eventually put Hamilton out of a job.
Information is not property/goods in the sense that most
Westerners envision it!! Don't pay throat-cutting prices
for things you have a right to be able to research for free!
Journals like Virus Bulletin belong in engineering libraries,
subscriptions bought and paid for by department funds, available
to all, just like any other scientific journal.

CRYPTLETTER APPENDICES: AH, THE GOOD STUFF!

This issue of Crypt contains two hexdumps of live viruses:
MIMIC.DMP and MIMIC2.DMP.

Go to the C prompt and type C:\> debug <mimic.dmp .
Voila! The MIMIC1 virus is ready to go! Same for MIMIC2.DMP.

Some info: MIMIC 1 is an unscanned VCL variant. Encrypted,
.COM appending, MIMIC 1 activates on Fridays and hunts down
.EXE's. The target .EXE's are transformed into DEN ZUKO
'zombies.' When called, the .EXE's/DEN ZUKO 'zombies' will
load and display the fancy-shmancy DEN ZUKO graphic effect.
The 'zombies' are not infectious and will NOT scan as DEN
ZUKO virus. The astute among you will know that DEN ZUKO
is a boot infector. Think of the confusion that could ensue
when the DEN ZUKO graphic appears on a PC screen, but memory
scans clean for boot infectors. I'm sure you see the potential.
The clever will also observe that the hexdump has a rather large
'zero' byte stub. This was the generic stub I attached to
MIMIC1 so that its encryption engine would turn once.
The actual virus is about 1000 bytes smaller than the
final hexdump product.

MIMIC 2 is an unscanned, encrypted .COM/.EXE infector produced
from hybridized VCL and PS-MPC code. On Fridays, MIMIC 2 shuts
down its rounds of infection and goes on an .EXE hunt to
transform them into JERUSALEM virus 'zombies.' The JERUSALEM
'zombies' will go resident when executed, effect system slowdown
and the characteristic black scrolling screen effect. The 'zombies'
do not scan, are not infectious and are not overly bright. They
will load one on top of the other in low RAM (about .9k) if
called in multiples.

And last: CRMBL.ASM - an a86 'falling letters/CASCADE virus'
effect written so that it is easily shot-gunned into VCL
1.0 product. It can also be made into a stand-alone.

My thanks again go out to Nowhere Man, without whom blah-blah-
blah. If you enjoy the Cryptletter, drop me a line, wampum,
rotten fruit, whatever at the DARK COFFIN BBS.
[I am also interested in keeping Cryptletter reasonably
error free. I've made every effort to determine that the
hex dumps and code as provided will work on an average
IBM PC. However, errors could have crept in during production.
If you find that the hexdumps do not produce working viruses,
I want to know. I will gladly supply you with 'working' copies
if such is ever found to be the case.]

And, finally, finally, finally:

If you are entertaining the idea of contributing or writing
nay-saying commentary to the Cryptletter, please feel free,
but remember to leave a point of contact if you wish
any chance of feedback on it. However, because I don't run
the DARK COFFIN BBS, I take no responsibility for electronic
archives or documents that may occasionally go astray upon it.

I remain your obedient servant,

--URNST KOUCH [Aug 92]

+------------------------------------------------------------------+
| This V/T info phile brought to you by the                        |
| Makers/Distributors/Archivists of Phine Viruses/Trojans.         |
+------------------------------------------------------------------+
| Dark Coffin ................ HQ/Main Support .... 215.966.3576   |
+------------------------------------------------------------------+
| VIRUS_MAN .................. Member Support ..... ITS.PRI.VATE   |
| Callahan's Crosstime Saloon  Southwest HQ ....... 314.939.4113   |
| Nuclear Winter ............. Member Board ....... 215.882.9122   |
+------------------------------------------------------------------+