NEWSLETTER NUMBER 11

**********************************************************************

Another festive, info-glutted, tongue-in-cheek training manual provided solely for the entertainment of the virus programmer, security specialist, casual bystander or PC hobbyist interested in the particulars - technical or otherwise - of cybernetic data replication and/or mutilation. Jargon free, too.

EDITED BY URNST KOUCH, late December 1992

**********************************************************************

TOP QUOTE: "God Bless America and cry 'freedom' as you punch me on the nose." --Harriet Timson in the December 1992 issue of Virus News Intn'l.

IN THIS ISSUE: NOOZ . . . product reviews: AVLAB 1.0 and Victor Charlie 5.0 . . . FICTUAL FACT/FACTUAL FICTION . . . IN THE READING ROOM: POPULAR SCIENCE SEARCHES FOR BATCHFILE VIRUSES and "GATES" - A GOOD DOORSTOP . . . Leech-ZModem . . . POPOOLAR SCIENCE virus . . . HITLER virus . . . NECRO virus . . . LITTLE MESS virus . . . Edwin Cleton's software psychobabble . . . DAVE BARRY v. MICHELANGELO virus . . . the usual clever (or dumb - depending on how you look at it) wit . . .

************************************************************
NOOZ: OUTGOING PREZ URGED TO LOOK TO INTEGRITY OF WHITE HOUSE DATA
************************************************************

Reuters News Service reports that two U.S. senators, Democrats John Glenn and David Pryor, have urged George Bush to prevent destruction of White House computer records during the transition to the Bill Clinton administration.
In a letter to the lame-duck, the senators claimed that sensitive data faces "a significant risk of destruction." The astute reader is encouraged to read between the lines and jump to the conclusion that the Democrats are concerned about the mutilation of electronic files generated by the National Security Council during Iran-Contra. In any case, worried Democrats are advised to be on the lookout for unexplained junkets to Colombia and veiled references to the "Ghost of la Catedral" during the waning days of the Bush presidency.

*****************************************************************
CONSECRATED PSYCHOBABBLE: EDWIN CLETON's CODE EXECUTION SIMULATOR, OR: HOW -*NOT*- TO WRITE A SOFTWARE MANUAL!
*****************************************************************

Last issue's readers may remember a passing infoblip concerning the naming of one Edwin Cleton as the Fidonet Virus echo moderator. In related news, a dedicated reader dug a Cleton/Saesoft shareware anti-virus program known as the Code Execution Simulator (CES) out of the trash and passed it on to the Crypt Newsletter. From what we could tell, it was "supposed" to be a $40 cash money heuristic scanner. In any case, CES refused to function at the Crypt editorial offices in any logical manner. (Could be someone's pulling our leg! Hah!) And the accompanying documentation was, well . . . you can read it for yourself:

-=[ravings starts here]=-

CES (Tm) Code Execution Simulator.
=*===*===*===*===*===*===*===*===*===*===*===*===*===*===*===*==

"Gather enough information and the solution will be obvious." S.B. 1988

"A virus can NOT be detected BEFORE execution, it can only be detected AFTER or WHILE execution, which is at the moment to late, however, to detect anything for that matter, you need to execute it first before there will be *anything* to detect." E.C. 1990

"Mate(s) it simply makes sense, make a backup..."
The stages of development;
=*===*===*===*===*===*===*===*===*===*===*===*===*===*===*===*==

The object is to create rules related behaviour, consistent to such an instruction or event of instructions in order to determine if *something* is happening, the order of what this *something* is, is yet to be defined by the sub-rules who are (to be) generated out of the strain that started the initial behaviour. Consistent rule related behaviour is *never* predefined, thus the object or statement 'will never work well enough' is irrelevant to it's initial base, whether or not *a* rule 'works' is of no concern to the CES model, for the intention is to create such *working* rules related to any behaviour it will derive, if not, the initial rule is dropped and this has yet to happen.

To create such rules, there base must be optained at the lowest level and gradualy go upwards to become *ideal*, each rule and the sub-rules related must be dedicated to one single predefined *instuction* or event of such instructions. The lowest level based rule *must* effect it's sub-rules or if and when needed, create such, a sub-rule will and can eventually link with other sub-rules, somewhat like a neural network, once each level expands and thus also there related strains into the *rule network*, some point must be given to hold it at a given time, backtracking each level will then (and only then) result in *a* logical deducting 'intelligent' rule based CES system.

The CES model is not a debugger, if *a* program executes, it will do the same inside CES's environment, undocumented instructions are of no concern, as they *are* documented somewhere and can be included along the line they appear, if not, CES will simply halt requesting manual instructions, which in turn can be solved on the same line they appear. The *model* should provide in it's own complexity to amphase the creation of direct logic solutions to any given problem, or abort complexity.
Scanning for prototype of code is a waste of time, recording and detecting behaviour isn't, yet you have to define normal and abnormal behaviour.

-=[ravings end here]=-
----------------------------------------------------------------

Hah??? "Amphase"? How about "aphasic"! Don't be frightened, readers! Yes, indeed, you are right! It IS impenetrable crap! As a wise man from Holland once said, "Kannitverstann!"

_________________________________________________________________
*****************************************************************
CAIRO RESEARCH'S AVLAB 1.0: A PRODUCT WALKTHROUGH
*****************************************************************

Tired of lunatic contributors to Virus-L and the Fido Virus echoes sniping at your carefully reasoned analyses like junkyard dogs tearing at pieces of rotten, greasy meat? Then Cairo Research's AVLab 1.0 is just the thing for you - a program designed to buttress your arguments over the efficacy of anti-virus scanners with the cold, unforgiving steel of statistics.

In its broadest function, AVLab works like a shell, automating scan testing of virus-laden directories and tabulating the results. Throw 300 virus samples into a test directory, add a scanner of interest (Cairo has already supplied 5 slots for the more common products: SCAN, TBScan, F-PROT, etc.) and use the drop-down menus on the interface to begin testing. AVLab manufactures a result, like so:

    Product Name                            Hits  Miss   Hit%  Version
    -------------------------------------------------------------------------
    McAfee Associate's ViruScan               78     5  93.98    90.99  Best!
    Solomon Toolkit's FindVirus               70    13  84.34     4.31
    Leprechaun's Doctor                       57    26  69.00     3.76  Worst!
    -------------------------------------------------------------------------
    Averages --->                             68    15  82.44
    -------------------------------------------------------------------------
    83 samples in 1 directories

Little could be more straightforward. Of course, you're left to ponder the meaning of it yourself; factors like how random were the choices from your virus library, how reliable the results taken from a scan of less than 2,000 MtE samples, how out-of-date the scanner (Leprechaun 3.76 is over a year old. Not a bad score, wouldn't you say?) - all must be considered. AVLab will get you into the ballpark, though, and keep you waist deep in e-mail from the matrix as long as you let it.

The only hard part about using AVLab is initially programming the command line switches to software not already included in the pre-configured slots. And that's trifling.

AVLab will also read those VIRSCAN.DAT files that come with a few European a-v scanners, presenting them in a scrollable database far prettier than the straight original text. You can add your own note to each virus in the database, too. Strangely, this was where the only bug in my version cropped up. I added a note to one specimen and it bled through to every virus listing in the database.

The program is well-mannered, its documentation brief and to the point. AVLab's a unique example of a "niche" product: perhaps just the thing to help you persuade a potential client that you're ready to go into the anti-virus scanner certification business. For a fee, of course. ;-)

It's $30 cash money as registered shareware from Cairo; the same folks produce a virus-info BBS door and a few direct-action research viruses featuring interesting encrypted messages like "Rock o' the Marne, sir!"

AVLab 1.00 is supplied at the Cairo Research support BBS's:

Under the Nile!
                  9600 v.32       1:3613/12
Backwoods BBS     9600 USR-DS     1:3613/10

***************************************************************
***************************************************************
MORE HACKER CRACKDOWN: THOSE WHO DON'T REMEMBER THE PAST TEND TO REPEAT IT
***************************************************************

In a December news piece from the Associated Press, Kevin Poulsen, a former Silicon Valley computer worker, was reported as charged with stealing Air Force secrets that allegedly included a targeting list - a computer tape containing an order for a military exercise code-named Cabre Dragon 88. The 27-year-old Los Angeles resident was named in a 14-count indictment that includes a charge of gathering defense information. The punishment associated with conviction calls for 7 to 10 years in prison. An unnamed colleague faces lesser charges of unlawful use of telephone access devices, illegal wiretapping and conspiracy. Poulsen's lawyer, Paul Meltzer, claims the data secured by his client was not sensitive and that it was reclassified by government officials to secure an easy prosecution.

Poulsen's prior history, according to AP, included 1989 charges for stealing telephone access codes from a Pacific Bell office, accessing Pacific Bell computers, gathering of unpublished phone numbers for the Soviet Consulate in San Francisco, trade of stolen telephone access codes and eavesdropping. He was free until April 1991, when a tip generated by a TV show led to his arrest. Poulsen has not yet been tried for these charges; a court date is set for March.

Without knowing much more about the particulars of this news piece or Poulsen, it is still worth going over the alleged theft of a military targeting list in slightly greater detail. Consider the value of any stolen strategic or tactical targeting list (presumably nuclear: when the Air Force uses the euphemism "targeting list" it is almost always in the context of nuclear war-fighting) with these points in mind:

1. The U.S. is not at war and faces no obvious enemy.

2. Familiarity with any number of publications on Air Force tactical and strategic planning leads one to realize that any targeting list generated by military planners tends to contain several hundred to thousands of points. Armed with that knowledge, any citizen equipped with a good tourist map could generate his own plan which would be expected to have considerable overlap with any military list.

What "secret" value do any of these lists have? It is tempting to think of Poulsen's stolen list as another probable "E911 BellSouth"-type document. Worth about $20, if anyone would be interested in it.

***************************************************************
***************************************************************
REVIEWING VICTOR CHARLIE 5.0 FROM BANGKOK SECURITY ASSOCIATES: NOW, REPEAT AFTER ME, "OWATTA GOO SIAM!"
***************************************************************

"The World's First Generic Anti-virus Program!" claim Bangkok Security Associates of Victor Charlie 5.0. While it would never get past the desk of an American adman, it made us smile. Sure, it's a dumb boast. But so what! The PC world is full of 'em.

In any case, Victor Charlie works on the premise that all the serious viruses of the future will be memory resident. Fair enough. So it offers its body up as bait to a resident virus, using itself and two "sentry" executables as targets of infection. When infected, Victor Charlie attempts to go on the attack. It grabs a signature from one of its infected files, adds it to a generic scanner/integrity checker, prompts the user to scan the disk and delete files found to be infected or changed, regenerates itself and then forces a cold reboot.

It's not a bad approach. Victor Charlie 5.0 detected, disarmed and deleted a raft of resident viruses and files infected by them.
Jerusalem variants, Npox variants, the Hitler virus (in this issue), ARCV's Scroll - all fell quickly to VC 5.0. Sandwich, a marginal stealth virus - as were Scroll, Hitler and Npox - was also quickly disposed of.

Viruses using advanced encryption were slightly more successful. The polymorphs Pogue Mahone and Coffeeshop 2 were detected in memory and purged by reboot. Predictably, VC could not generate usable signatures from them. The program's back-up, a VERY SLOW integrity checker, detected files changed by the polymorphs and flagged them. By reading the documentation a more doltish user could, in theory, figure out the proper course of action.

Victor Charlie's other major feature was its "protection" of user-selected programs. Essentially, this translates as: let the program make a back-up of your favorites, stash them somewhere else on the disk under different names and restore them when changes are detected in the originals. Not exactly novel, but at least guaranteed an almost 100% success rate when usable. It provides similar protection for the hard file's system area and a utility seemingly analogous to MS-DOS's FDISK /MBR option.

The program's Lao-Tse (I couldn't resist this awful pun!) points:

1. Victor Charlie cedes the playing field to direct action viruses. It relies on its integrity checker and self-generated audit of infection trails to eliminate them. In light of the speed of the program, this is a tedious, frustrating process all out of proportion to the actual threat.

2. VC 5.0 won't detect companion (spawning) viruses.

3. The program would not generate a "rescue disk" as advertised. It flat-out refused to work for us.

4. And the installation/initialization procedure hinged on extended batchfiles which had to be poked and prodded in ways not obvious to the average PC user. (I.e., only fanatics and programmers - people who don't need this program - would get it to function in real world situations.)
Bangkok Security Associates asks for $50 in registry. We don't think this is a good buy . . . unless you crave a challenge. In fact, it's ridiculously priced considering the competition. The Crypt recommendations to Bangkok Security Associates (remember, advice is often worth exactly what you pay for it): knock $15 off the fee, make the install program work, lay off the Thai sticks when composing the documentation and see us in 6 months, dudes.

**************************************************************
--------------------------------------------------------------
FILE LEECHING MADE EASY: A HALLOWED TRADITION SERVED BY THE PUBLIC DOMAIN TECHNOLOGY OF LEECH-ZMODEM
______________________________________________________________

Until now, you may have been at the mercy of your local "warez dood" - beholden to his every whim for the file points YOU NEEDED like life's blood itself for your obsessive-compulsive piracy habit. But now, you can strike back with a tool previously used only by the very "elyte"! In the grass-roots tradition of individual empowerment, Crypt Newsletter supplies YOU with the Leech-Zmodem, a tool designed to optimize your neo-psychotic problem, at the same time creating bookkeeping headaches for pirate BBS's everywhere!

LZMCNF.SCR and LZM.SCR will recreate the Leech-Zmodem programs for you. And, with the help of the pre-made batchfiles, QMOD.BAT and PCOMM.BAT (see additional documentation in endnotes), we give you the complete drop-in package of Leech-Zmodem for those using the popular ProComm Plus and Qmodem Pro telecommunications software. Place these files in your telecommunications directory, disable the auto-Zmodem download option if it's turned on, and you're ready to leech by calling the program from your ProComm or Qmodem menu!

Configuring Leech-Zmodem couldn't be simpler. Go to your DOS prompt in the Leech-Zmodem directory. Type: LZMCNF.
The configuration program will come up and you will answer a few simple questions as to color preference, bps rate and COM port address. When asked about method for "cancellation," choose "s" for single-file download. Now you are ready to go, go, go!

How does Leech-Zmodem work? Dial your local "warez board," preferably one where you already have an account but, perhaps, not the file points you think you so richly deserve. Select a "ware." Pick one that will use up almost all your precious file points! Go ahead! Instruct the "warez board" to send it. Activate your Leech-Zmodem (here you should have ALREADY de-activated your auto-Zmodem download). The colorful Leech-Zmodem menu should appear on your monitor, showing you the progress of your transaction. Now watch closely! The file is almost finished. What's that? Leech-Zmodem is springing into action, squaring the file away while sending a bogus error code which instructs the host software that the transfer was "aborted." Now, check your file points. They are untouched! The host software takes nothing away for "aborted" transfers. But you have the file, anyway! Victory is sweet! Logoff at once and find another BBS to try it on, now that you've got the hang of Leech-Zmodem!

We are sure you see the potential of Leech-Zmodem! Use it knowing that we've tested it successfully on a number of popular softwares including Telegard, Vision-X, Celerity, PCBoard and WWIV, among others. And after reviewing the documentation of these BBS packages, we can tell you with some assurance that the authors of these programs remain uncognizant of the special challenge posed by Leech-Zmodem.

However, a few caveats:

1. Don't be a chump and throw away your winning hand by attempting to download 20 files in one session. Even the densest sysops will be alarmed when they review their daily log and see that long audit trail with that curious string of "aborted transfer" notations. Spread your attention to many.
Use Leech-Zmodem strategically, interspersing parasitic behavior with the occasional "regular" session.

2. Try to avoid using Leech-Zmodem when you've got a hunch that the sysop is staring directly at his monitor. While some sysops will never grasp what is going on in "real-time," it's unwise to walk in harm's way.

3. If you are confronted by a sysop who has caught on to what you are doing, try buying him off by offering him his own copy of Leech-Zmodem! Often, this tactic will work.

4. Leech-Zmodem works fine on public domain, pornography and virus exchange BBS's, too. It excels on any system dedicated to a "file-server" mentality.

5. If you have your own BBS, you can protect yourself from Leech-Zmodem by using the -S (for SlugBait) command-line switch when calling your Omen Technology DSZ Zmodem program. SlugBait was designed by Chuck Forsberg to trap programs like Leech-Zmodem by putting a notation in the transfer log that the session is "questionable" when aborted with the pattern common to Leech-Zmodem. If your registered version of the program supports this feature, DSZ will tell you when something is rotten in Denmark.

6. Leech-Zmodem is a one-way program. It will only handle Zmodem file transfers from the sending BBS to you.

The history of Leech-Zmodem is spare. The program appeared on various underground BBS's about a year ago, so it's not particularly new. However, it works and is likely to remain effective for some time. Even now, we know of BBS'ers who use Leech-Zmodem on an almost daily basis. So, you can thank Leech-Zmodem's anonymous author for this "interesting" and valuable addition to your hard file.

**************************************************************
IN THE READING ROOM: POPULAR SCIENCE/POPULAR SCHMIENCE
**************************************************************

Dateline: A passing comment carried on the winds of the WWIVnet from alert reader, Mr. Badger:

Who : Mr. Badger
When: Monday, December 21, 1992 2:09 PM
From: Dream World BBS [ASV] (South Carolina)

FYI, there's a little article in the January 1993 Popular Science on "Stalking Stealth Viruses". Pretty basic, but one quote should win a Sigmund Freud Anal Retentive Award from the Crypt Newsletter:

"Viruses threaten to rattle the underlying confidence people now have in computers...And if people stop relying on computers, that's everybody's problem." -Peter Tippett, president, Certus International

Sheesh, quotes like that need to be on recruiting posters for future hackers.
-----------------------------------------------------------------

Whoah! That got our attention so we rushed out to the nearest newsstand for our own copy of January's Popular Science. Sure enough, an article on "stealth viruses" accompanied by a truly freaked-out piece of artwork and the subhead: "Forget all the hype over Michelangelo. 1993 may be the year that a new breed of less visible but more sophisticated viruses begin to slip into thousands or even millions of PCs."

But you already know the punchline to this story, because you swallowed it in March. It's a hook to catch the general reader - nowhere does Popular Science deliver any support for the claim. And the stealth viruses trotted out? Whale, 4096, Joshi, NoInt (I suppose), DIR-2, Cascade (a stealth virus?); all well characterized programs, all controlled by even the most inept anti-virus software. Of course, reporter Christopher O'Malley never really gets around to hipping the reader to this fact. The "Mutating [sic] Engine" is on hand, too. Even Mrs. Urnst Kouch, an avowed computer-phobe, was startled. "Mutating Engine?" she asked. "That's not right, izzit?"

To be fair, O'Malley's piece is an earnest, if fumbled, stab at good science reporting for a general readership.
It's the kind of technical news we USED to be able to expect occasionally from our better national newspapers rather than the current stream of rah-rah "journal article of the week" swill. And we realize, too, that the level of technical understanding in the average reader of a newsstand magazine dictates that he may consider any computer virus close kin to a demon.

But even that rationalization pales as an excuse for "dumbed-down" work when the reader finally gets around to examining Popular Science's version of a demo virus, BFV (for "batch file virus"). "INFECTED BATCH FILES WILL INFECT OTHER BATCH FILES WHEN RUN!" warns the magazine ominously. "If an infected batch file were to be passed from one user to another, the new user's batch files would become virus carriers as well," reporter O'Malley writes.

We were sure this was unadulterated crap, in light of the rest of the article and, indeed, BFV.BAT was a flop. Its "virus" batch file code, in essence, was:

    FOR %F in (*.BAT) do copy %F + BFV.BAT

Executing this code as the batchfile, BFV.BAT, in a directory full of .BAT files merely mutilates all of them, appending the above line to every one. Executing any of the "infected" files at once locks the machine into an endless, rather obvious, loop as the "infected" .BAT file recursively appends the line in BFV.BAT to itself and its companions. (This is due to the way that DOS processes the FOR command and the "variables" %F in the set, *.BAT. Don't worry about the jargon. Try the experiment and see for yourself.) Further, removing any of the "infected" files to a different directory off the machine's path (or a different machine, as suggested) results in . . . nothing. None of these files can do anything by themselves - hardly virus-like.

This leads to the next question: Did the reporter even test his own "batchfile virus"? Apparently not, is the logical answer. The science writer, leery of his own batchfile "virus." Well, isn't that just special?
[In any case, the Crypt Newsletter editors have whipped up a quick .BATfile "virus" of their own, POPSCI.BAT. In actuality, it is a "launcher" for a specially-commissioned-for-this-issue "Popoolar Science" virus. Popoolar Science, unlike BFV.BAT, does work. It will mutilate your .BAT files, your executables and your data in its search for files to infect. And it will spread from infected programs to other uninfected files, just like any normal virus. You can search for it with a real anti-virus program and, in general, watch it do things a number of viruses in the wild can do. (See end notes for further details.)]

*****************************************************************
READING ROOM II: "GATES: HOW MICROSOFT'S MOGUL ETC., ETC., BLAH, BLAH, BLAH" by STEPHEN MANES & PAUL ANDREWS (DOUBLEDAY, hardbound, $25 cash money)
*****************************************************************

As you might guess, "Gates" is about Chairman Bill, Bill - the brightest man I've ever met, genius Bill, Bill - the master convincer, Billion-Dollar Bill, Supercalifragilisticexpialadocious Bill. In other words, it's a 500-page blowjob. Manes and Andrews insist that Gates exerted no editorial control over their work. After reading "Gates," this is an unbelievable claim.

There's one paragraph devoted to Chairman Bill's legendary crummy personal hygiene. Bill can't do more than one thing at a time while washing his hair, say Manes and Andrews, so he doesn't shampoo too often. It's flabbergasting trivia like this that sinks "Gates." In spite of "access" - there's no feeling that these two clowns know anything more about Microsoft's boss than you or me.
DESPITE pages and pages worth of Bill coding BASIC, Bill having a screaming fit, Bill buying a Porsche, Bill having a cat fit, Bill getting ticked at Borland's Philippe Kahn, Bill having an apoplectic fit, Bill flying to Armonk, NY; Bill having a shit fit, Bill going to ComDex, Bill making his first million, Bill having a yelling fit, Bill making his first billion (gaaaaaaah!), "Gates" is a dull-to-the-point-of-mind-roasting read filled to the gunwales with sickeningly cutesy, purple prose. If you wanna know about Gates, save $20 and get Robert X. Cringely's "Accidental Empires" (Addison-Wesley). Pass on this dreck.

****************************************************************
THIS ISSUE'S SOFTWARE: A CORNUCOPIA OF COMPRESSED ELECTRONIC JOY!
****************************************************************

The NECRO (SKULL) virus is included as another example of what can be done with the Virus Creation Laboratory and Phalcon/SKISM Mass Production Coder. Surprisingly, the most recent version of SCAN does not flag files infected by NECRO - revealing that either McAfee is slipping or there is more to either code set than the mainstream "authorities" would have you believe. We think the latter explanation is closer to the truth. You will also enjoy the novel manner in which NECRO toggles between being a .COMfile appending virus and an .EXE-overwriter: a good example of being creative and imaginative within the constraints of a simple model.

Since NECRO is a run-time infector, it is rather easily detected by any functional file integrity monitor. To eradicate it, delete all files altered by either form of the virus.

The HITLER virus is a product of Demoralized Youth, apparently a Scandinavia-based group. It is a large-ish memory resident .COM infector which is marginally "stealthy," that is, the virus subtracts its file size from infected files when the PC user employs the "dir" command.
You can execute it safely with this in mind: .COMfiles are infected upon load, the command processor can be successfully infected, and file size changes are invisible when the virus is present in memory. If the user has the presence of mind to record his machine's free memory before the virus is called, a simple MEM /C command will reveal the presence of the program - HITLER creates a quite noticeable 5k drop in available memory.

HITLER contains no destructive payloads per se. It does, however, install its own routine which runs off the machine timer tick interrupt. When conditions are right, a vocal effect - some goon shouting "Hitler!" - is sent to the PC internal speaker card. It is quite repetitive and annoying. On some machines, all that is heard is speaker buzz. (See the HITLER virus source listing for more notes.)

Interestingly, a highly placed source informs the newsletter that the HITLER virus will probably not be called that as it finds its way into many anti-virus programs. Presumably, it will be renamed to avoid offending those with thin skins in Europe, thus keeping it in line with new virus nomenclature rules designed to avoid offensive titles. (Remember the stink generated about CASTLE WOLFENSTEIN.) Aaah, the sociology of computer virology never ceases to fascinate.

POPOOLAR SCIENCE is a primitive overwriting virus. It is supplied only in the batchfile, POPSCI.BAT, and its A86 source listing. Experienced Crypt Newsletter readers uncaring of the A86 assembler can strip the DEBUG script from POPSCI.BAT with any minimally functional text editor and create a separate DEBUG script for the virus. POPOOLAR SCIENCE restricts itself to its current directory (unless on the path and called from a different one), displays an endorsement of Popular Science magazine every time it is executed and overwrites all files in the current directory instantly, ruining them if they are data and making them copies of POPOOLAR SCIENCE if programs.
This renders it a nuisance on the same order as the much smaller DEFINE and MINISCULE series of viruses. However, while easily tracked, POPOOLAR SCIENCE can make a shambles of a system quickly and explosively, if stupidly handled. Executing the batchfile POPSCI.BAT will cancel the monitor, assemble and launch the POPOOLAR SCIENCE virus in the current directory. All files in the current directory will be infected as soon as the message "Popoolar Science Roolz!" is displayed on the screen and the user is returned to his command prompt. The virus does not check if the file is a program or data; it does not check if the program has already been infected. We feel none of these features are needed in a kamikaze demo program of this nature. [Additionally, the MS-DOS program DEBUG.EXE must be present on the path or in its default location for POPSCI.BAT to work.]

LITTLE MESS is a bird of a different feather. Produced by the Dutch virus-writing group, TridenT, LITTLE MESS has a specific target: the TELIX telecommunications program. Written in SALT, TELIX's scripting language, LITTLE MESS is a spawning virus attracted to compiled application scripts in the TELIX directory (of which there are always two or three lying about). LITTLE MESS renames any of these compiled files with an .SLX extension and then makes a duplicate of itself renamed as the script it is replacing. When the infected script is used, LITTLE MESS quickly does its thing and then calls the .SLX script to complete its task. When all the compiled TELIX scripts are infected, further use during a TELIX session will cause LITTLE MESS to flash a "Legalize Marijuana! -TridenT" message on the screen, boxed out in the usual TELIX message form, every one in eight executions. Of course, LITTLE MESS cannot spread outside of the TELIX program or find its way onto another machine unless friends exchange compiled scripts. LITTLE MESS is unnoticeable in TELIX sessions; the .SLX files are easy to overlook.
Some integrity checkers can be set to find LITTLE MESS, but we think this very unlikely in general practice. LITTLE MESS is an extreme, yet intriguing example of a "niche" virus. LITTLE MESS is removed from TELIX directories by deleting all .SLC files which have an .SLX counterpart. The .SLX files are then renamed with .SLC extensions. LITTLE MESS cannot execute outside the TELIX environment. As a compiled "script," it can only operate within the TELIX "Go" command.

The TridenT group has also produced the Coffeeshop series of viruses (trivia: a "coffeeshop" is a place one goes to purchase dope when in the Netherlands. I wonder if these guys have any David Peel records?), the advanced encryption device called the Trident Polymorphic Engine used in the Coffeeshop 2 and 3 viruses, and a number of other things.

The QMOD.BAT and PCOMM.BAT files are "drop-ins" for those wishing to use Leech-Zmodem with the popular Qmodem or ProComm Plus telecommunications software. QMOD presumes a download directory named DL off a QMODEM home directory, but this is easily edited to a user's taste. The key command after calling the Leech-Zmodem program is "c=s", which sets "file cancellation" to single mode. Most every other variable can be set by the Leech-Zmodem configuration program, LZMCNF.EXE.

Quite naturally, once the Leech-Zmodem files have been copied into your telecommunications directory you will activate the program through the "external protocols" menu. For example, PCOMM.BAT would be installed by going into ProComm Plus's SETUP (keyboard ALT+S) and highlighting PROTOCOL OPTIONS. After entering that menu, the sub-menu EXTERNAL PROTOCOLS would be chosen. Leech-Zmodem can be set up in any one of the three external protocol slots. In the first slot, setup should look like:

     A - Name...............Leech-Zmodem
     B - Type...............PROGRAM
     C - Upload Command.....(leave blank)   <-- Leech-Zmodem won't u/l
     D - Download Command...PCOMM.BAT (or whatever)

Simple? You bet.
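Going back to the LITTLE MESS removal rule given above (delete every .SLC that has an .SLX twin, rename the .SLX back to .SLC): it is mechanical enough to script, and scripting it lets you add the one sanity check the rule lacks. Since the virus drops duplicates of itself, every .SLC it is about to delete ought to be byte-for-byte identical; if they are not, something other than LITTLE MESS is in that directory and deleting on the rule alone would destroy a real script. The following is an added example, not code from the newsletter or from TridenT; the demo directory, file names and file contents are constructed placeholders (no SALT code), and the function names are the author's own.

```python
"""
Find and undo a LITTLE MESS-style companion infection of a TELIX directory.

Added example; not code from the newsletter or from TridenT. It applies the
removal rule the text gives (delete every .SLC that has an .SLX twin, then
rename the .SLX back to .SLC) and adds one check the text does not: the virus
drops identical copies of itself, so every .SLC flagged for deletion should
hash the same. If they do not, something other than the virus is in that
directory and the tool refuses to delete rather than guess. The demo directory
and all file contents below are constructed placeholders, not SALT code.
"""
import hashlib
import os
import tempfile


def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def find_companion_pairs(dirpath):
    """Return sorted (infected .SLC, displaced .SLX) path pairs in dirpath."""
    by_stem = {}
    for name in os.listdir(dirpath):
        stem, ext = os.path.splitext(name)
        by_stem.setdefault(stem.upper(), {})[ext.upper()] = os.path.join(dirpath, name)
    return [(exts[".SLC"], exts[".SLX"])
            for stem, exts in sorted(by_stem.items())
            if ".SLC" in exts and ".SLX" in exts]


def restore(dirpath, force=False):
    """Delete the companions, rename the originals back; return restored names."""
    pairs = find_companion_pairs(dirpath)
    if not pairs:
        return []
    distinct = {_sha256(slc) for slc, _ in pairs}
    if len(distinct) != 1 and not force:
        raise RuntimeError("flagged .SLC files have %d different hashes; they "
                           "cannot all be the virus, refusing to delete" % len(distinct))
    restored = []
    for slc, slx in pairs:
        os.remove(slc)        # drop the viral companion
        os.rename(slx, slc)   # give the displaced script its name back
        restored.append(os.path.basename(slc))
    return restored


def demo(tampered=False):
    """Build a constructed TELIX directory, clean it, report what happened.

    With tampered=True one flagged .SLC is given different contents, which
    must make restore() refuse instead of deleting."""
    d = tempfile.mkdtemp()
    virus = b"<placeholder: LITTLE MESS companion copy>"
    files = {
        "DIAL.SLC": virus,                            # infected
        "DIAL.SLX": b"<placeholder: real DIAL>",       # displaced original
        "LOGIN.SLC": b"<placeholder: not the virus>" if tampered else virus,
        "LOGIN.SLX": b"<placeholder: real LOGIN>",
        "MAIL.SLC": b"<placeholder: untouched MAIL>",  # clean: no .SLX twin
        "README.TXT": b"not a script at all",
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    flagged = [os.path.basename(slc) for slc, _ in find_companion_pairs(d)]
    try:
        restored = restore(d)
    except RuntimeError as err:
        restored = str(err)
    remaining = sorted(os.listdir(d))
    contents = {}
    for name in remaining:
        with open(os.path.join(d, name), "rb") as f:
            contents[name] = f.read()
    return flagged, restored, remaining, contents


if __name__ == "__main__":
    flagged, restored, remaining, _ = demo()
    print("flagged:", flagged, "restored:", restored, "left:", remaining)
```

Run demo() and the two infected scripts come back under their own names with their original contents while MAIL.SLC, which has no .SLX twin, is left alone; run demo(tampered=True) and nothing is deleted. The force flag exists for the case where you have looked at the odd one out yourself and still want the rule applied.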
************************************************************
GOSSIP WHICH COMES OUR WAY: FICTUAL FACT/FACTUAL FICTION?
************************************************************

Virus exchange sysop Aristotle, informal head of the Vx echomail network, informs the Crypt Newsletter that he is putting his collection of over 2000 viruses up for sale to interested buyers. Inquiring parties will have the option of downloading the Aristotle collection from The Virus/Black Axis BBS at high speed. Aristotle tells us he has consulted widely with a number of law enforcement agencies on various aspects of the Vx network, conspiracy and the trade of dangerous code, and has decided to charge for access to his code library.

The independent comic book publishing house Dark Horse will produce a 4-book series called "Virus." "Virus" tells the story of an alien computer virus which commandeers a Japanese warship and begins conducting experiments on its crew. More on this when we get copies.

More in the weird life of PROTO-T: a momentary fart from the FidoNet, honest!

"It appears as though there are several versions of [PROTO-T] floating around the country. The most notable being the one authored by Edwin Cleton. Yes! The moderator of this here echo. I learned this only recently...Oh well, What's the world coming to? EDWIN LIVES SOMEWHERE IN TIME.... ELToTSiRA"

In case you haven't been following the PROTO-T "story," it's too late now to bring you up to date, so just forget it, OK?

40HEX issue #9 available on good newsstands now.

The Youngsters Against McAfee Instant Virus Producer is a virus-making tool modelled after the PS-MPC and VCL. The IVP, as it is called, generates TASM-compatible source code for as yet unscanned direct action .COM and .EXE-infecting viruses. Each virus listing generated is peppered with a number of randomly-generated "no op" codes.
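Why the random "no op" padding matters to a scanner is worth seeing in code: a signature scanner of the period looks for a fixed run of bytes, and a junk byte dropped between any two of them breaks the run. The following is an added example and not code from the IVP, the VCL or any anti-virus product. The SIGNATURE bytes, the "infected" sample and the clean sample are constructed stand-ins (a few DOS opcode bytes, not a real VCL signature), the junk used is the plain x86 NOP (0x90), and the function names are the author's own. It goes slightly beyond the text by showing two ways a scanner can get the match back, and what each costs.

```python
"""
Why random "no op" padding defeats a contiguous byte-signature scan, and two
ways a scanner can get the match back.

Added example; not code from the IVP, the VCL or any anti-virus product. The
signature and the "infected" bytes are constructed stand-ins (a few DOS
opcode bytes), not a real VCL signature; the junk inserted is the x86 NOP
(0x90), the simplest of the "no op" codes the text mentions.
"""
import random
import re

# Constructed signature: bytes a scanner expects to find contiguously.
SIGNATURE = bytes.fromhex("B44EBA0001CD21")
NOP = b"\x90"


def sprinkle_nops(body, rng, max_gap=3):
    """Insert 1..max_gap NOPs before every byte of body (constructed garbling)."""
    out = bytearray()
    for b in body:
        out.extend(NOP * rng.randint(1, max_gap))
        out.append(b)
    return bytes(out)


def naive_scan(sample, sig=SIGNATURE):
    """Plain substring match: what a simple signature scanner does."""
    return sig in sample


def normalized_scan(sample, sig=SIGNATURE):
    """Strip every NOP before matching. Cheap, but it also deletes 0x90 bytes
    that are data (an operand, half an address), so it can mis-match."""
    return sig in sample.replace(NOP, b"")


def wildcard_scan(sample, sig=SIGNATURE, max_gap=3):
    """Allow up to max_gap NOPs between consecutive signature bytes only."""
    gap = b"(?:\\x90){0,%d}" % max_gap
    pattern = re.compile(gap.join(re.escape(bytes([b])) for b in sig), re.S)
    return pattern.search(sample) is not None


def demo(seed=1992):
    """Run the three scans over constructed clean, plain and garbled samples."""
    rng = random.Random(seed)
    clean = bytes(range(0x20, 0x60))                     # constructed, benign
    plain = b"\xE9\x10\x00" + SIGNATURE + b"\xCD\x20"    # constructed "infected"
    garbled = sprinkle_nops(plain, rng)
    return {
        "naive_on_plain": naive_scan(plain),
        "naive_on_garbled": naive_scan(garbled),
        "normalized_on_garbled": normalized_scan(garbled),
        "wildcard_on_garbled": wildcard_scan(garbled),
        "naive_on_clean": naive_scan(clean),
        "wildcard_on_clean": wildcard_scan(clean),
        "nops_inserted": garbled.count(NOP) - plain.count(NOP),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-22s %s" % (k, v))
```

The plain sample matches, the garbled one does not, and both normalizations recover it. Neither is free: the stripping scanner mangles any 0x90 that was an operand rather than an instruction, and the wildcard scanner only works because it knows the generator's junk alphabet and its maximum gap. A generator that draws from a larger set of do-nothing instructions, or varies register choices, forces the scanner to either enumerate that set or give up on byte patterns and emulate the code, which is what the heuristic products reviewed elsewhere in this issue claim to do.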
The demonstration virus included with the IVP tool scans as a Virus Creation Laboratory variant if the garbling "nops" are removed.

[If you have something you think is of interest to our readers, pass it on and we will include it in future "FICTUAL FACT/FACTUAL FICTION" columns.]

*************************************************************
HUMOR BREAK: THREAT OR MENACE?
*************************************************************

A look back at March 1992 and the Michelangelo scare: an extract from Pulitzer-winning humorist Dave Barry's annual year-end wrap-up (distributed by Knight-Ridder Newspapers).

MARCH

1 -- Pat Buchanan wins the Austrian primary.

2 -- Saddam Hussein appears on "Larry King Live."

3 -- Business and academic professionals around the world are gripped by panic following dire warnings from numerous experts that tens of thousands of computers could be infected with the dread Michelangelo virus, set to strike on March 6.

4 -- A grim President Bush places U.S. armed forces on Full Red Alert in preparation for expected onslaught of the dread Michelangelo virus.

5 -- Highways leading from major metropolitan areas are hopelessly jammed by millions of fear-crazed motorists fleeing from the oncoming Michelangelo virus.

6 -- As predicted, the dread Michelangelo virus erupts, wreaking untold havoc on an estimated one computer belonging to Rose Deegle, of Rochester, N.Y., whose Christmas card list is nearly wiped out. Vice President Quayle jets in to oversee the relief effort.

8 -- Michelangelo appears on "Larry King Live."

**************************************************************
ROLL THE END NOTES!
**************************************************************

Thanks and a tip o' the hat go to alert Crypt Newsletter readers Primal Fury, Captain AeroSmith, Beach and Mr. Badger for their timely contributions to this issue.

Software included with the Crypt Newsletter falls under the catch-all term dangerous code.
In the hands of incompetents and experienced PC users alike, many of the programs can and will foul the software resources of a computer, most times irretrievably. Much of the code supplied is designed solely for this purpose. Why then, the newsletter? There are many reasons, but one which sheds a little light on the matter is illustrated by this brief bit of e-mail from the FidoNet.

" ..but, could you provide me with info on how I can get copies of existing viruses for research purposes?"

As a new user you will not know that there is a rule here completely forbidding the trade in virus samples. I expect you will already have had a hostile message about baseball bats from kindly Mr Cleton. However, I think I am within my rights to explain. There is an unwritten convention here that dictates that to become an accepted, respectable virus researcher you must first go to a Virus Exchange bulletin board or other underground outlet and obtain as many live virus samples as you can. Then you can say you already have an extensive virus library and folks on here will take you seriously and swap viruses with you. No one will ever admit this but it was the only way I could break into the field....

--------------------------------------------------------------
"I see!" said the blind man as he picked up his hammer and saw.
--------------------------------------------------------------

To assemble the software included in this issue of the newsletter, copy the MS-DOS program DEBUG.EXE to your current directory, unzip the newsletter archive into the same directory and type MAKE at the DOS prompt. The included batch file will recreate all the software with the exception of the POPOOLAR SCIENCE virus. DO NOT EXECUTE -=POPSCI.BAT=- IN THE SAME DIRECTORY AS THE REST OF YOUR NEWSLETTER FILES OR THEY STAND A GOOD CHANCE OF ALL BEING INSTANTLY RUINED. Move POPSCI.BAT to a separate directory and read the documentation before you begin to play with it.
The A86 source listings to the three viruses are also included for the more experienced readers. If that seems like jargon to you, don't lose any sleep over the .A86 files. This issue of the newsletter should contain the following files:

CRPTLT.R11  - this document
PCOMM.BAT   - ProComm external protocol batch file for Leech-Zmodem
QMOD.BAT    - Qmodem external protocol batch file for Leech-Zmodem
LZMCNF.SCR  - Leech-Zmodem CONFIG program scriptfile
LZM.SCR     - Leech-Zmodem main executable scriptfile
LTLMESS.SLC - compiled form of LITTLE MESS virus
LTLMESS.SLT - SALT language source of LITTLE MESS virus
POPSCI.BAT  - POPOOLAR SCIENCE batch file virus launcher
POPSCI.A86  - POPOOLAR SCIENCE virus A86 source listing
HITLER.A86  - HITLER virus A86 source listing
HITLER.SCR  - HITLER virus scriptfile
NECRO.A86   - NECRO (SKULL) virus A86 source listing
NECRO.SCR   - NECRO (SKULL) virus scriptfile
MAKE.BAT    - instant "maker" for this issue's software

Ensure that the MS-DOS program DEBUG.EXE is in the machine path or current directory before typing "MAKE".

You can pick up the Crypt Newsletter at these fine BBS's, along with many other nifty, unique things.

CRYPT INFOSYSTEMS                   1-215-868-1823  Comment: Crypt Corporate East
DARK COFFIN                         1-215-966-3576  Comment: Crypt Corporate West
THE HELL PIT                        1-708-459-7267
DRAGON'S DEN                        1-215-882-1415
RIPCO ][                            1-312-528-5020
AIS                                 1-304-420-6083
CYBERNETIC VIOLENCE                 1-514-425-4540
THE VIRUS                           1-804-599-4152
NUCLEAR WINTER                      1-215-882-9122
UNPHAMILIAR TERRITORY               1-602-PRI-VATE
THE OTHER SIDE                      1-512-618-0154
MICRO INFORMATION SYSTEMS SERVICES  1-805-251-0564
ADAM'S CONNECT POINT                1-210-783-6526
STAIRWAY TO HEAVEN                  1-913-235-8936
THE BIT BANK                        1-215-966-3812

The Crypt Newsletter staff welcomes your comments, anecdotes, thoughtful articles and hate mail.
You can contact us at Crypt InfoSystems, at CSERVE#: 70743,1711, or on the Internet at 70743.1711@compuserve.com

For those who treasure hardcopy, Crypt Newsletter is available as a FAX subscription: $20 for a ten issue run. It can also be had as one of those corporate-looking papyrus newsletters for the same price. All inquiries should be directed to the Crypt Newsletter e-mail addresses.