*******************************************************************************
**                                                                           **
**                      United Phreaker's Incorporated                       **
**                                                                           **
**                               presents....                                **
**                                                                           **
**                    UPi Newsletter Volume #1, Issue #2                     **
**                                                                           **
**                       The Virus/Trojan Horse Guide                        **
**                                                                           **
**                   By: Scarlet Spirit (Vice-Prez of UPi)                   **
**                                                                           **
*******************************************************************************

In this article I will present thoughts, ideas and facts about trojans
and virii. Most of them are very destructive and pack quite a punch to your
computer (something you don't want to come by, in other words).

First, let us discuss virii since they are quite common and more
straightforward than trojans to discuss.

There are 10 different types of virii which can affect your system:

1) Virus Infects Fixed Disk Partition Table
2) Virus Infects Fixed Disk Boot Sector
3) Virus Infects Floppy Diskette Boot
4) Virus Infects Overlay Files
5) Virus Infects EXE Files
6) Virus Infects COM Files
7) Virus Infects COMMAND.COM
8) Virus Installs Itself in Memory
9) Virus Uses Self-Encryption
10) Virus Uses STEALTH Techniques

There can be any combination of these pretty well. Some of the very
packed virii are the Whale, which has types 4 through 10, and Fish, which has
about the same.

Now I will explain each of the above virii types in detail.

1) Virus Infects Fixed Disk Partition Table: What happens with this virus
is quite interesting. What it will do is either screw up your partition
table (which organises the computer's HD) totally by rewriting it or erasing
it altogether. Some examples are: Azusa, Bloody! and Joshi virii.

2) Virus Infects Fixed Disk Boot Sector: This type of virus will erase or
mess up your boot sector beyond repair. There is quite an easy
way of protecting yourself from such a virus. All you need to do is get
a small util which will back your boot sector up on disk and allow you
to restore it in case trouble strikes. This is better than counting on
your virus scanner to catch it, just in case it misses it. Then you know
you have a backup of it if the need arises. Some examples are: 1253, Korea
and Invader virii.

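The backup-and-restore util the paragraph recommends, written here as an added example (it is not from the article or from any period tool): it works on a disk image file instead of a raw drive so it runs offline, and the image and its boot sector are constructed inside the demo.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512                 # one PC boot sector
BOOT_SIGNATURE = b"\x55\xAA"      # last two bytes of a valid boot sector

def read_sector(path):
    """Return the first 512 bytes of a disk image (or of a backup file)."""
    with open(path, "rb") as f:
        sector = f.read(SECTOR_SIZE)
    if len(sector) != SECTOR_SIZE:
        raise ValueError("%s is shorter than one sector" % path)
    return sector

def backup_boot_sector(image_path, backup_path):
    """Copy the boot sector to a file and return its SHA-256 for the log."""
    sector = read_sector(image_path)
    if sector[-2:] != BOOT_SIGNATURE:
        raise ValueError("no 55AA signature: refusing to back up a bad sector")
    with open(backup_path, "wb") as f:
        f.write(sector)
    return hashlib.sha256(sector).hexdigest()

def boot_sector_intact(image_path, backup_path):
    """True while the live sector still matches the backup byte for byte."""
    return read_sector(image_path) == read_sector(backup_path)

def restore_boot_sector(image_path, backup_path):
    """Write the backed-up sector back over sector 0 of the image."""
    with open(image_path, "r+b") as f:
        f.seek(0)
        f.write(read_sector(backup_path))

def demo():
    """Constructed image: fake boot sector + three empty sectors; returns the
    intact-check result before damage, after damage and after restore."""
    boot = b"\xEB\x3C\x90" + b"CONSTRUCTED BOOT SECTOR".ljust(507, b"\x00") + BOOT_SIGNATURE
    work = tempfile.mkdtemp()
    image, backup = os.path.join(work, "disk.img"), os.path.join(work, "boot.bak")
    with open(image, "wb") as f:
        f.write(boot + b"\x00" * (3 * SECTOR_SIZE))
    backup_boot_sector(image, backup)
    before = boot_sector_intact(image, backup)
    with open(image, "r+b") as f:          # simulate a virus wiping sector 0
        f.write(b"\x00" * SECTOR_SIZE)
    after_damage = boot_sector_intact(image, backup)
    restore_boot_sector(image, backup)
    after_restore = boot_sector_intact(image, backup)
    return before, after_damage, after_restore
```

Run boot_sector_intact() at every boot and you have the check the scanner may miss; the backup file should live on a write-protected floppy, not on the HD it protects.
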
3) Virus Infects Floppy Diskette Boot: This type of virus is similar to the
one which infects the Fixed Disk Boot Sector. The only difference is it's
infecting the diskette boot sector and not the fixed disk's.
Some examples are: Curse Boot, AirCop and Chaos virii.

4) Virus Infects Overlay Files: A virus of this kind will either alter your
overlay files, usually by changing a given amount of bytes in them, or
erase them totally. I don't know which is worse but they're both quite
bad. Some examples are: 4096, Virus 101 and Jerusalem 24 virii.

5) Virus Infects COM Files: This type of virus is similar to the one which
infects Overlay files but it infects COM files. It will alter them or
erase them just like it would do to the overlays. Sometimes you'll find
this type of virus together with the one which affects Overlay files to really fuck
you up. Some examples are: Mix2, Terror and Brain Slayer virii.

6) Virus Infects EXE Files: Exactly the same as COM files but for EXE's.
Some examples are: Striker, Cancer and V-299 virii.

7) Virus Infects COMMAND.COM: This type of virus will alter your COMMAND.COM
and really mess your hard drive up. Without COMMAND.COM your HD will not
boot by itself. So to cure yourself you'd have to try and boot off disk
and restore your HD from there. There's the odd chance your COMMAND.COM will be
corrupt when you try and restore, and you'll be forced to reformat.
Some examples are: Ontario, Wolfman and Flip virii.

8) Virus Installs Itself in Memory: These types of virii are really a bitch.
They'll store themselves in memory and will either sit there until a
certain time, then execute and still remain there, or execute right away
and begin damaging; every time you try and fix the problem it causes, it will
execute and start damaging again. Some examples are: Dark Avenger, Ping
Pong-B and Stoned virii.

9) Virus Uses Self-Encryption: These virii, as soon as they are run, will
encrypt themselves. This will allow you no access to the file without
a password of some kind. This is done so you don't delete the file that
the virus is originating from or alter it in any way. Some examples are:
1260, XA1 and Kennedy virii.

10) Virus Uses STEALTH Techniques:

That about wraps it up for the different types of virii. Now
let's find out where virii are made, how they're packaged and how you
can protect yourself from such danger.

Most virii are made by programmers, as you might guess, in many different
parts of the world. Some of the best come from Jerusalem, Israel and many other
exotic places. They are usually made by people who are experimenting with
different types of programming and want a change from making their normal,
boring programs. Some are developed in universities where the programmers
hate their computer teacher and want to wipe the main HD out. One of the most
common places that virii are made is in some idiot's own home. That person
feels like getting kicks out of wiping some guy's HD out. Oh well, all of us
get our jollies from something.

Virii come in a variety of packages. If you BBS, as you most likely do
since you are reading this, the BBS world is a breeding area for virii. They
can be hidden in many different ways. For instance, if a piece of software
comes out, this is the chance the programmer of the virus is waiting for. He
will take that piece of software and replace the executable file with his
virus. Of course, you're thinking "Wow! I've been waiting for this piece of
software forever!" and you run it as soon as you get it. Next thing you know
your HD is going berserk. There are many other tricky ways people hide virii;
you never know where they'll be found.

You say to yourself "Is there no escape?" Well, thank god I can tell
you there is. Some of the most skilled programmers have come up with programs
to protect you from virii. Some for instance are McAfee's Scan, Cleanup and
V-Shield. Also Norton's Anti-Virus and Central Point's Anti-Virus. There
are many more but these are updated most often and easy to come by.
McAfee's Scan will tell you which virii were detected, in what files, and
give you a prefix for using with Cleanup. If virii were detected you use
Cleanup to clean them out; sometimes some files will be lost. V-Shield
is just like Scan except it's memory resident (TSR) and when loaded it does
a scan of memory, COMMAND.COM and itself. Then as you run programs, if you
happen to run into a virus it will stop you from doing so and tell you
what virus you almost ran into. Norton's & Central Point's stuff is similar
but all compacted into one program. The only problem is they seem slower,
use more memory and the updates are hard to come by. They are also commercial
while McAfee's stuff is PD. Even with all this protection you can still get
hit, so try and back up as much as possible. Also wait for other people to try
the piece of software and see if it affected their system. You can also
try viewing the executable file to see if there is any weird message in it;
for instance the Violator virus has a message from RABiD near the end of it.
Small executable files are also a hiding place for virii. If you see a small
executable file beware, most executable files are quite large.

Now let's move on to the other problem, trojans and ANSi bombs.
These are virtually undetectable in most cases. They are a lot simpler
and smaller than virii usually. One bang and that's all folks. In other
words they do one thing and that's it, no memory sticking. There are
a few different types I have come by:

1) Slam Bam See Ya Later, Hard Drive
2) Now You See It, Now You Don't
3) Faster than a speeding bullet, then slow as a snail's pace.

Now let's explain these funny, but destructive phrases.

1) Slam Bam See Ya Later, Hard Drive: This trojan horse when run will wipe
your hard drive and then die. It can do it in many different ways such as
destroying your boot sector, overwriting your FAT, a simple erasing
routine or screwing your COMMAND.COM majorly. These are hidden in just
about anything from DSZ.COM to Norton's Disk Optimizer. Some examples are:
Giant Killer (By RABiD), EraseBoot, Frogger (Disk Optimizer [Actually
Formatter]).

2) Now You See It, Now You Don't: This is an ANSi Bomb/Trojan. It's very
easy to make and just about anyone could make one. They use ANSI.SYS's
keyboard reassignment routines and wipe your HD clean. They usually are
hidden in text or ansi screens. They can easily be prevented by using
ZANSI.SYS or another variation of ANSI.SYS. Also there are small TSR's
that will protect you from such problems. Some examples are: Well,
sorry, none for you this time since there are so many variations and no
names for them.

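An added example, not from the article: a small checker that finds ANSI.SYS keyboard-reassignment sequences in a text or ANSi screen before it is typed out, so a suspect file can be quarantined instead of viewed. It assumes the standard ANSI.SYS syntax ESC [ key ; replacement ... p, and both sample screens are constructed here.

```python
import re

# ANSI.SYS keyboard reassignment has the form  ESC [ key ; replacement ... p
# where key is an ASCII code, a quoted character or 0;extended-scan-code and
# everything after it is the text that key will type from then on.  Only the
# final 'p' distinguishes it from harmless colour/cursor sequences (m, J, H).
_STRING = rb'"[^"]*"' + rb"|'[^']*'"
_PARAM = rb'(?:\d+|' + _STRING + rb')'
_REASSIGN = re.compile(rb'\x1b\[(' + _PARAM + rb'(?:;' + _PARAM + rb')*)p')
_TOKEN = re.compile(rb'\d+|' + _STRING)

def _as_text(tok):
    """A quoted token is literal text; a bare number is a character code."""
    if tok[:1] in (b'"', b"'"):
        return tok[1:-1].decode("latin-1")
    return chr(int(tok))

def find_key_reassignments(data):
    """Return every reassignment in an ANSi screen as {'offset', 'key',
    'replacement'} so the sysop can see exactly what the key would type."""
    findings = []
    for m in _REASSIGN.finditer(data):
        toks = _TOKEN.findall(m.group(1))
        if toks[0] == b"0" and len(toks) > 1 and toks[1].isdigit():
            key, rest = "extended:" + toks[1].decode(), toks[2:]   # 0;59 is F1
        else:
            key, rest = _as_text(toks[0]), toks[1:]
        findings.append({"offset": m.start(), "key": key,
                         "replacement": "".join(_as_text(t) for t in rest)})
    return findings

def is_ansi_bomb_candidate(data):
    """Any reassignment at all is reason to quarantine the file before viewing."""
    return bool(find_key_reassignments(data))

# Constructed samples: a colourful board ad that is clean, and the same ad with
# one reassignment hidden in it (key 65 = 'A' would type "dir" from then on).
CLEAN_SCREEN = (b"\x1b[2J\x1b[1;31mCall The Example BBS today!\x1b[0m\r\n"
                b"\x1b[1;34m24 hours, 2400 baud\x1b[0m\r\n")
TRAPPED_SCREEN = CLEAN_SCREEN + b"\x1b[65;\"dir\"p" + b"\x1b[0m\r\n"
```

Run it over every README.* or ANSi screen from an upload before you TYPE it; a clean screen returns an empty list, and anything else should be looked at with a hex viewer first.
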
3) Faster than a speeding bullet, then slow as a snail's pace:
This type of trojan will slow your computer down majorly. You can usually
set a time for the trojan to go off. After it does, it will slow
your computer down bits at a time until it takes like 30 minutes to load
Pac-Man. An example is: SlowDown 1.04.

There are many other types of trojans and I could be here all day
telling you about them. These are the most common ones, in order from most
common to least common. New ones are made just about every day which do
different things. There are not very many ways you can protect yourself
from such trouble yet. FluShot is one of the best ways but it limits your
computer in many ways. You can use it to write-protect your HD so no writes
will be made, or make it so it asks you before a write is made so you
know when an illegal write is being made. There are also programs like
TrapDisk which stop formats sometimes caused by trojans and will prompt
you before a format is done. There are also a variety of others. The best
way to protect yourself from everything is to keep updated backups. Also,
waiting for other people to try the piece of software before you do and
finding out how they handled it would be a good way of protection.

Trojans and ANSi Bombs come in a variety of different packages. They
are usually hidden better than virii. Some trojans come in the style of a
disk optimizer that really wipes your HD or a DSZ update that will wipe you
out as well. They can be found just about anywhere. ANSi Bombs are usually
hidden in what seems to be a board ad such as README.ROS or something of that
nature. No piece of software can be trusted. Trojans and ANSi Bombs also
are hidden in the same manner as virii. So you can refer back to the
How Virii Are Hidden and Protecting Yourself from Virii paragraphs.

This pretty well covers quite a bit about virii and trojans;
always be careful because everything isn't always as it seems to be.
Never stay off guard because the day you do is the day you get hit.
Even if you haven't ever come across a virus or trojan before, there's
a first time for everything.

Scarlet Spirit
Sysop of The Shining Realm
UPi Vice-President

Greetings Go Out To:
Phantom Prowler, Black Bird, Tyler, Silent Death, Glass Head, Dr. Dread,
The Hellraiser, The Juggernaut, Galaxy Raider, D.J. Bravestar, Iron Christ,
Knight Excalibur, Dr. Sysop, Infiltrator, Demon Slayer, Dark Staph,
Dragon Highlord, Ninja Boy, Platinum, Neural Plexus, Vision Assembler,
Forensic Forsythia, Destroyer, Snowhawk, Dark Rider, The Jammer, Law N.Order,
and The Wild Genius.

Sorry if I missed your name but I could only include so many. Here are
some personal greetings for all those people who make great impacts on
me:

Nyarlathotep: Cool it on the quoting. Your words are just as good as others.

The Enchanter: How are the women? Sell me your HST!

Arc Angel: Ahh That's Too Bad...

And in a place all his own, the person who was responsible for the destruction
and take down of Spectrum. Yes, you know him all as that egomaniac from hell,
he's the one, the only: Space Ace! He thought he could run the group but he
didn't have what it took and ended up GIVING UP and FAILING at what he started
at. Oh well. No one's perfect.

Listing Of Current UPi Members.....
President: The Lost Avenger (416)
Vice President: Scarlet Spirit (416)
Programmers: Damaged Sectorz (602), Mad Hatter (514)
Couriers: The Serious One (819)
Other Members: Dantesque (416), Inphiniti (216), MCi Sprinter (216), Rocket
Richard (313)

Call These Other UPi Nodes.....
-------------------------------------------------------------------------------
Node      BBS Name                  Area   Baud   Megs  BBS          Sysop
Number                              Code   Rate         Program
-------------------------------------------------------------------------------
WHQ       The Violent Underground   416    2400   85    Pc Board     The Lost Avenger
Node #1   The Shining Realm         416    2400   95    Telegard     Scarlet Spirit
Node #2   Inphiniti's Edge          216    2400   60    Aftershock   Inphiniti
-------------------------------------------------------------------------------

If you'd like to join UPi as a member or as a node then please leave me
mail on any of the numbers listed above. Then I will send you the
appropriate application for you to fill out. From there you must send
me the completely filled application form, either by sending it in E-mail to
me or by uploading it to any one of the UPi sites.