Text File | 1992-09-27 | 63KB | 1,175 lines
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
CRYPT NEWSLETTER #6 (or something like that) - still
another in an occasional series of info-glutted,
humorous monographs solely for the enjoyment of the
virus programming pro or enthusiast interested in the
particulars of cyber-electronic data replication and
corruption.
-Edited by URNST KOUCH. [Oct. 1992]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This issue's top quote:
******************************************************
"Giveitaway, giveitaway, giveitaway now!"
--long-haired, tattoo'd dolt from The
Red Hot Chili Peppers, speaking out about
viral source code at a recent computer
security seminar.
******************************************************
IN THIS ISSUE: Local NEWS...New Section: INCAPABILITIES - exposing the
flaws in various a-v software packages with Urnst Kouch and other
guest 'speakers' like Vesko Bontchev...Charles Bowen: Recipient
of National Dummkopf Award...rehash of US NEWS & WORLD REPORT/IRAQI
COMPUTER VIRUS imbroglio...The INSUFF/MtE spawning viruses...
...COMPUFON trojan...'ARTIFICIAL LIFE' book review...ZCOMM & HyperACCESS:
more term programs (one with a-v scanning), definitely not for
sissies...DIOGENES virus...sarcasm, trenchant wit, etc.
NEWS! NEWS! NEWS! NEWS! NEWS!
IF THE SHOE FITS: Some users of the FidoNet's Virus echo have been seen
referring to moderator Frans Hagelaars as "Dutch" ever since Crypt
Newsletter renamed him back in August.
IN CONTINUING FIDO VIRUS ECHO NEWS, Sara Gordon, the e.e.cummings of
antivirus-dom, has been seen flaming on baseball pro David Justice
who provoked her by impugning her looks. We offer
to settle this dispute at the Crypt Newsletter. If Sara and David
will send cheap portraits of themselves (it must be the kind of photo
obtained from an arcade photo booth - you know, the ones you see
on the boardwalk in Ocean City, NJ.), Crypt Newsletter editors will
judge them on the basis of "looks" and publish the results in a
future issue. The address of the Crypt Newsletter is:
The heehee Desk
Mr. Aggrieved, Assoc. Editor
POB 1234
Nether Poo-Stink, PA 18017
LATE BREAKING GOSSIP: Pro-ballplayer Dave Justice was just seen
cursing Paul Ferguson's name in the Virus echo. This nullifies the
Gordon/Justice 'looks' rate-down. It would have been unfair to
exclude Ferguson from the contest but the editors of the
newsletter are too busy to judge the expanded field of entrants,
so we decided to cancel. Hey, cool it wontcha, guys??
But, on more serious matters, we excerpt a tiny segment of one of
Sara Gordon's mid-September FIDO flames for further comment:
"...if you are interested in keeping information free, then learn
to be responsible with its use. your freedom to information does
not include the right to destroy it. its [sic] MY information too,
and its [sic] not YOUR right to rip it up.
"if you think killing people is cool, and are aware of the
implications of your actions,i.e. knowing that your virus could
wipe out some hospital database in some third world country,
or even in u.s.a. in appalachia, where they cant [sic] afford backups,
and effectively be responsible for the deaths of innocent people,
then write them."
Whoah! Whoah! Whoah! Sara! What a stretch. Let's entertain that
fool claim for a moment. Do you think a backwoods hospital would
have computers, but no hard copy system? (What if a fire broke out
in "RECORDS"?) But even if we let that slide for the
sake of the argument, let's consider a different tool of destruction.
Arms. The U.S. sells arms to lunatics on the left and right in
"Third World Countries." Does anyone who makes them in this country
get held responsible, or even LOSE ANY SLEEP, when civilians get
blown away by the same guns in any number of mindless civil wars?
Of course not, BECAUSE IT'S THE AMERICAN WAY TO BE AN INCONSIDERATE,
HYPOCRITICAL LOUSE.
So, jumping back to computer viruses, which are decidedly more trivial
than the business end of a Claymore mine, it's totally ludicrous to even
presume that virus programmers are "effectively responsible for the
deaths of innocent people." Far better to waste your time, if you must
Sara, arguing with the arms merchants than virus programmers, we think.
In fact, The Crypt Newsletter decided to back this up with a little
research on virus strikes in hospitals. Now keep in mind, although our
skills are much vaunted, we're still a relatively new publication
and your results may differ. Still, this is the best we could come
up with - two small newspieces purloined from CSERVE (who in turn
purloined them from the New England Journal of Medicine) ca. 1989.
What follows is transcript:
---------------------------------
HOSPITAL STRUCK BY COMPUTER VIRUS
---------------------------------
(March 22) - 1989
Data on two Apple Macintoshes used by a Michigan hospital was
altered recently by one or more computer viruses, at least one of
which apparently traveled into the system on a new hard disk that
the institution bought.
In its latest edition, the prestigious New England Journal of
Medicine quotes a letter from a radiologist at William Beaumont
Hospitals in Royal Oak, Mich., that describes what happened when two
viruses infected computers used to store and read nuclear scans that
are taken to diagnose patients' diseases.
The radiologist, Dr. Jack E. Juni, said one of the viruses was
relatively benign, making copies of itself while leaving other data
alone. However, the second virus inserted itself into programs and
directories of patient information and made the machines
malfunction.
"No lasting harm was done by this," Juni wrote, because the
hospital had backups, "but there certainly was the potential."
Science writer Daniel Q. Haney of The Associated Press quoted
Juni's letter as saying about three-quarters of the programs stored
in the two Mac II PCs were infected.
Haney said Juni did not know the origin of the less harmful
virus, "but the more venal of the two apparently was on the hard
disk of one of the computers when the hospital bought it new. ...
The virus spread from one computer to another when a doctor used a
word processing program on both machines while writing a medical
paper."
Juni said the hard disk in question was manufactured by CMS
Enhancements of Tustin, Calif.
CMS spokesman Ted James confirmed for AP that a virus was
inadvertently put on 600 hard disks last October.
Says Haney, "The virus had contaminated a program used to format
the hard disks. ... It apparently got into the company's plant on a
hard disk that had been returned for servicing. James said that of
the 600 virus-tainted disks, 200 were shipped to dealers, and four
were sold to customers."
James also said the virus was "as harmless as it's possible to
be," that it merely inserted a small piece of extra computer code on
hard disks but did not reproduce or tamper with other material on
the disk. James told AP he did not think the Michigan hospital's
problems actually were caused by that virus.
--Charles Bowen [October's Crypt National Dummkopf]
------------------------------
MORE HOSPITALS STRUCK BY VIRUS
------------------------------
(March 23) - 1989
The latest computer virus attack, this one on hospital systems,
apparently was more far-reaching than originally thought.
As reported here, a radiologist wrote a letter to the New England
Journal of Medicine detailing how data on two Apple Macintoshes used
by the William Beaumont Hospital in Royal Oak, Mich., was altered by
one or more computer viruses. At least one of the viruses, he said,
apparently traveled into the system on a new hard disk the
institution bought.
Now Science writer Rob Stein of United Press International says
the virus -- possibly another incarnation of the so-called "nVIR"
virus -- infected computers at three Michigan hospitals last fall.
Besides the Royal Oak facility, computers at another William
Beaumont Hospital in Troy, Mich., were infected as were some desktop
units at the University of Michigan Medical Center in Ann Arbor.
Stein also quoted Paul Pomes, a virus expert at the University of
Illinois in Champaign, as saying this was the first case he had
heard of in which a virus had disrupted a computer used for patient
care or diagnosis in a hospital. However, he added such disruptions
could become more common as personal computers are used more widely
in hospitals.
The virus did not harm any patients but reportedly did delay
diagnoses by shutting down computers, creating files of non-existent
patients and garbling names on patient records, which could have
caused more serious problems.
Dr. Jack Juni, the radiologist who reported the problem in the
medical journal, said the virus "definitely did affect care in
delaying things and it could have affected care in terms of losing
this information completely." He added that if patient information
had been lost, the virus could have forced doctors to repeat tests
that involve exposing patients to radiation. Phony and garbled files
could have caused a mix-up in patient diagnosis. "This was
information we were using to base diagnoses on," he said. "We were
lucky and caught it in time."
Juni said the virus surfaced when a computer used to display
images used to diagnose cancer and other diseases began to
malfunction at the 250-bed Troy hospital last August. In October,
Juni discovered a virus in the computer in the Troy hospital. The
next day, he found the same virus in a similar computer in the
1,200-bed Royal Oak facility.
As noted, the virus seems to have gotten into the systems through
a new hard disk the hospitals bought, then spread via floppy disks.
The provider of the disk, CMS Enhancements Inc. of Tustin,
Calif., said it found a virus in a number of disks, removed the
virus from the disks that had not been sent to customers and sent
replacement programs to distributors that had received some 200
similar disks that already had been shipped.
However, CMS spokesman Ted James described the virus his company
found as harmless, adding he doubted it could have caused the
problems Juni described. "It was a simple non-harmful virus," James
told UPI, "that had been created by a software programmer as a
demonstration of how viruses can infect a computer."
Juni, however, maintains the version of the virus he discovered
was a mutant, damaging version of what originally had been written
as a harmless virus known as "nVIR." He added he also found a second
virus that apparently was harmless. He did not know where the second
virus originated.
--Charles Bowen [October's Crypt National Dummkopf]
--------------------------------------------------------------------
Hmmmmm. Pretty slim pickin's, Sara Gordon. No fatalities, no
injuries, no nothing. A lot of 'but if's', though. But at the
Crypt Newsletter we don't count 'but if's'. 'But if's' are the
domain of mediocre bureaucrats, Pentagon nuclear war planners,
corporate stiffs and American double-knit upper management types.
However, here at the editorial bungalow, we know you were riled
on the FidoNet when you e-mailed the now deemed idiot observation
about virus programmers being "effectively responsible for the deaths of
innocent people," so we won't give you this issue's "National Dummkopf"
award. It's Charles Bowen's (for reasons described below). Your
rep remains unblemished.
All readers are invited to e-mail any evidence of "computer virus
induced human death" to the Crypt Newsletter at any time. We'll put it
in a news piece called, appropriately, "Computer Virus Induced Human
Death (or Man Bites Dog)." That has a nice ring, don't you think?
***************************************************************************
PITY CSERVE's CHARLES BOWEN, HE CAN'T TALK AND CHEW GUM AT THE SAME TIME.
AND THAT'S WHY CRYPT NEWSLETTER REPRINTS THIS STORY WITHOUT PERMISSION BUT
WITH A "BOWEN TRANSLATION" SO THAT YOU ALL MIGHT BENEFIT. YOU GOT IT,
CHARLES BOWEN GETS THIS ISSUE's 'NATIONAL DUMMKOPF' AWARD!! HE CAN SHARE IT
WITH JEFFREY O. KEPHART OF IBM's HIGH INTEGRITY COMPUTING LAB, AS YOU
SHALL SEE.
{Comments in []'s by URNST KOUCH}
**************************************************************************
CSERVE's Online Today, Sept. 8, 1992
SPREAD OF VIRUSES SLOWER THAN SOME THINK, IBM RESEARCH SUGGESTS
(Sept. 8)
A study conducted by an IBM computer scientist at the Thomas J.
Watson Research Center suggests computer viruses may spread more
slowly and less widely than some current estimates project.
IBM said in a statement from Yorktown Heights, N.Y., that an
immediate implication of the work "is that the computer virus
problem will not become explosively rampant as some experts [WHO??] have
predicted on the basis of conventional epidemiological models that
overlook important constraining factors."
IBM said the discrepancy in projections arises from "topology,"
that is, the structure of the connectedness among individuals in the
population through which infection spreads. [You said a
mouthful.]
Jeffrey O. Kephart of IBM's computer sciences department, said the
importance of topology in analyzing the way things like viruses and
rumors [What the Hell is this nonsense? Viruses are related to rumors?
Mebbe so, mebbe so. But you're gonna have to go back to Michelangelo
for that story.] spread in a population is seldom taken into sufficient
account.
Kephart said most epidemiological projections of the spread of
viral infections -- in people as well as in computers -- are based
upon the assumption of a fully-connected world: in effect, a world
in which everyone is connected to everyone else. [No, not true.
"Epidemiology" generally deals with the spread of disease in living
populations where every member of the affected group is thought to
have some potential for contracting the "bug." This "everyone connected
to everyone else" stuff is bogus.] For example, the
"homogenous-mixing" topology makes epidemiology easy, he observed,
but is obviously not realistic. [Eh? Good jargon, though. Your guess is
as good as mine and I KNOW something about this stuff.]
Nonetheless, says IBM, Kephart's research "shows that it works
rather well for certain kinds of infectious diseases, particularly
air-borne ones like influenza." [Does it? Evidence? Where is it?]
He says computer-virus infections present quite a different
story, noting that they are usually spread by friends exchanging
disks that contain the virus. [Isn't this rather reminiscent of
the popular descriptions of how the AIDS virus is transmitted?
So just how is computer virus spread different? It's certainly
not clear at all here.]
Kephart, a member of IBM's High Integrity Computing Laboratory,
says the kind of connectedness that characterizes the spread of
computer viruses is thus not homogenous but local.
In this topology, "individuals connect not to everyone else but
only to their nearest neighbors who [have compatible computers, and] in
turn, are connected [only] to their neighbors [who have compatible
computers], and so on," says the statement. [I'm sure this is what
Kephart really means.]
"The effects of different topologies on the spread of an infection
becomes striking when the homogenous-mixing and local models are
compared. In a fully-connected, homogenous population, Kephart
explained, an infectious disease spreads exponentially --
explosively -- and all-encompassingly. [Bah. This is unadulterated horse
shit. Most examples of disease never spread in
this manner, but, then, there goes the story! The spread of disease
in human populations is remarkable for its variability, not
homogeneity. If what he says happens were true, we'd all die of
cholera every time there's an outbreak in Peru.] In a local topology,
he said, infection is transmitted sparsely, from each individual to
just a few others."
--Charles Bowen
[While Kephart's research is doubtless interesting, you'd never know it
from Bowen's short, tangled mess. Full of jargon and bullshit, all
you can get from it is that computer viruses, on the whole, are restricted
to local outbreaks. Big deal, didn't we already know that?
Perhaps a better word for characterizing computer virus infection is the
term "smoldering." While this is only from personal experience, it seems
virus infections "smolder" on a local basis, mostly unseen and untrackable,
but very occasionally erupting into runaway outbreaks which disrupt school
systems, corporate workplaces, and probably most often, the private
home where some chowderhead is engaged in obsessive/compulsive software
piracy. 'Smoldering,' BTW, is a term epidemiologists often use to describe
various natural infections.]
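The one technical point buried in the Kephart item is the contrast between a "homogenous-mixing" population, where an infection grows exponentially, and a "local" topology, where each carrier reaches only a few neighbours. The following Python sketch is an added illustration for this newsletter and is not code from IBM, from Kephart's study or from the original article; it is a deliberately deterministic susceptible-infected model (an assumption of this sketch: every carrier infects at most one fresh contact per step, carriers act in index order, and the only thing that changes between runs is who counts as a contact). The population size and step count are constructed values.

```python
"""Toy contact-topology comparison: homogenous mixing vs. local neighbours.

Added illustration, not code from the newsletter, from IBM or from
Kephart's work.  A deterministic susceptible-infected (SI) sketch in
which every carrier passes the infection to at most one new contact per
step; only the contact topology differs between the two runs.
"""
from typing import Callable, List

# A topology is a function mapping (node, population size) -> contact list.
Neighbors = Callable[[int, int], List[int]]


def homogeneous_mixing(node: int, n: int) -> List[int]:
    """Fully-connected population: every machine can reach every other one."""
    return [j for j in range(n) if j != node]


def local_ring(node: int, n: int) -> List[int]:
    """Local topology: each machine only swaps disks with its two neighbours."""
    return [(node - 1) % n, (node + 1) % n]


def simulate(n: int, neighbors: Neighbors, steps: int) -> List[int]:
    """Return the infected count after each step, starting from one carrier (node 0).

    Deterministic rule (an assumption of this sketch): carriers act in index
    order, and each one infects the first contact that is neither already
    infected nor already claimed by another carrier during this step.  Removing
    randomness lets the two topologies be compared on equal terms.
    """
    infected = {0}
    history = [len(infected)]
    for _ in range(steps):
        claimed = set()
        for carrier in sorted(infected):
            for contact in neighbors(carrier, n):
                if contact not in infected and contact not in claimed:
                    claimed.add(contact)
                    break  # at most one new infection per carrier per step
        infected |= claimed
        history.append(len(infected))
    return history


def growth_per_step(history: List[int]) -> List[int]:
    """New infections per step: doubling vs. a constant trickle is the visible difference."""
    return [later - earlier for earlier, later in zip(history, history[1:])]


if __name__ == "__main__":
    POPULATION = 64   # constructed value
    STEPS = 6         # constructed value
    for label, topology in (("homogenous mixing", homogeneous_mixing),
                            ("local ring", local_ring)):
        hist = simulate(POPULATION, topology, STEPS)
        print(f"{label:18s} infected after each step: {hist}")
        print(f"{'':18s} new infections per step:  {growth_per_step(hist)}")
```

With 64 machines the fully-connected run saturates the whole population in six steps (1, 2, 4, 8, 16, 32, 64), while the ring adds two machines per step and has reached only 12, which is the "sparsely, from each individual to just a few others" behaviour the article paraphrases.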
-*-
**************************************************************************
AND IN CASE YOU DIDN'T KNOW WHERE WE GOT THE IDEA FOR THE 'NATIONAL
DUMMKOPF' AWARD, THIS REPRINT OF THE US NEWS & WORLD REPORT/IRAQI
COMPUTER VIRUS BOONDOGGLE MAY REFRESH YOUR MEMORY
**************************************************************************
From CSERVE's OnLine Today, Sept 11, 1992 [No, I don't know why
they've chosen to reprint it now.]: Monitor - {comments in [] by URNST}
US HIT IRAQI COMPUTERS WITH VIRUS BEFORE GULF WAR, MAGAZINE SAYS
(Jan. 11)
A weekly news magazine is reporting US intelligence agents
inserted a virus into a network of Iraqi computers tied to that
country's air defense system several weeks before the start of the
Persian Gulf War a year ago.
US News and World Report, citing two unidentified senior US
officials, reports in its issue dated next week the virus was
designed by the supersecret National Security Agency at Fort Meade,
Md., and was intended to disable a mainframe computer. The magazine
says the virus appeared to have worked, but gave no details.
The report is part of a book, based on 12 months of [somewhat
shaky] research by US
News reporters, called "Triumph Without Victory: The Unreported
History of the Persian Gulf War," to be published next month.
The magazine also said the virus operation may have been
irrelevant because of the allies' overwhelming air superiority.
It reported the secret operation began when US intelligence agents
identified a French-made computer printer that was to be smuggled
from Amman, Jordan, to a military facility in Baghdad.
The Associated Press, quoting the magazine report, says, "The
agents in Amman replaced a computer microchip in the printer with
another microchip that contained the virus in its electronic
circuits. By attacking the Iraqi computer through the printer, the
virus was able to avoid detection by normal electronic security
measures, the report said."
The magazine goes on, "Once the virus was in the system, the US
officials explained, each time an Iraqi technician opened a
`window' on his computer screen to access information, the contents
of the screen simply vanished."
--Charles Bowen
WAS REPORT OF US VIRUS ASSAULT ON IRAQI SYSTEM BASED ON A SPOOF?
(Jan. 14)
A 1991 April Fools Day spoof in a computer magazine has writers
and editors at US News and World Report rechecking sources on its
report that the US inserted a virus into a network of Iraqi air
defense computers several weeks before the start of the Persian Gulf
War.
As reported earlier, the news magazine cited two unidentified
senior US officials in reporting the alleged virus was designed by
the supersecret National Security Agency at Fort Meade, Md., and was
transmitted by a printer smuggled into Baghdad. The magazine said
the virus appeared to have worked, but gave no details.
However, Associated Press writer Robert Burns reports today,
"Trouble is, a computer industry publication, InfoWorld, sketched
out a strikingly similar scenario in a column that ran in its April
1, 1991, issue. That article was an April Fool's joke, pure fantasy
dreamed up by writer John Gantz."
This news has the folks at US News and World Report concerned. The
main author of the magazine's report, Brian Duffy, told Burns, "I
have no doubt" US intelligence agents carried out such an
operation, though he acknowledged the similarities with the
InfoWorld article were "obviously troubling."
Duffy said the magazine is rechecking its sources to determine
whether details from InfoWorld's spoof "leeched into our report."
[No news on whether desktop PC's at US NEWS & WORLD REPORT were infected
by a LEECH virus variant.]
As noted, US News said in print it had learned from unidentified
US officials that intelligence agents placed the virus in a computer
printer being smuggled to Baghdad through Amman, Jordan. It said the
printer, described as French made, spread the virus to an Iraqi
mainframe computer that the magazine said was critical to Iraq's air
defense system.
Burns notes the InfoWorld article was not labeled as fiction but
"the last paragraph made clear that it was an April Fool's joke."
[What does this mean: Said [article] was not labeled as fiction
but "the last paragraph made clear it was an April Fool's joke"?
See Orwell's "1984" for other good examples of "newspeak/doublespeak."]
Gantz, the InfoWorld author, told Burns his article was "totally a
spoof," and that he had no knowledge of any such intelligence
operation.
Burns said questions about the accuracy of the US News story arose
yesterday "when a number of readers called The AP to say the virus
account was curiously like the InfoWorld article, which Duffy said
he hadn't previously seen." [And monkeys are flying out my ass.]
The InfoWorld spoof said the virus was designed by the National
Security Agency for use against Iraq's air defense control system,
and that the CIA had inserted the virus into a printer being
smuggled into Iraq through Jordan before the Persian Gulf war began
last January.
The article continued, "Then the virus was on its own, and by
Jan. 8, the allies had confirmation that half the displays and
printers in the Iraqi air defense system were permanently out of
commission."
The US News report also said the virus was developed by the
National Security Agency. Both the publications stressed the reason
for placing the virus in the printer was to circumvent normal
anti-tampering systems in mainframe computers.
AP noted, however, some private computer experts said it seemed
highly unlikely that a virus could be transferred to a mainframe
computer from a printer.
Winn Schwartau, executive director of the International
Partnership Against Computer Terrorism, observed, "A printer is a
receiving device. Data does not transmit from the printer to the
computer." [Winn Schwartau, obviously a cool guy, knows
a line when he hears it.]
--Charles Bowen
MAGAZINE STICKS TO ITS GUNS ON ITS PERSIAN GULF WAR VIRUS STORY
(Jan. 17)
Contending it has re-checked its sources, US News & World Report
says it is standing behind its original story that US intelligence
agents tried to disable an Iraqi military network with a computer
virus transported to Baghdad in a printer just before the start of
the Persian Gulf War.
The Associated Press reports the magazine said it had confirmed
the attempt was made, as reported in its Jan. 20 issue, but had not
been able to determine whether the virus attempt was successful.
That original story was called into question when journalists
noted its striking [I saw both articles. "Striking similarity" aren't
the words I would use. How about "so exact it's plagiarism."]
similarity to a 1991 April Fools Day spoof
published in the computer magazine, InfoWorld.
AP quoted US News editors as saying in a statement, "We took
seriously questions which were raised about the accuracy of this
story and have re-reported it. We have confirmed that, as we
reported, a high-level intelligence operation based in Jordan was
targeted at Iraqi air defenses. As we reported, a computer virus was
inserted into a French-made computer printer that was to be smuggled
into Iraq to disable its air defense system. What cannot be
confirmed is whether the operation was ultimately successful." [LIARS.]
Brian Duffy, the magazine's assistant managing editor for
investigative projects, told the wire service the original sources
believed the system must have worked because Iraqi air defense guns
opened up before any US airplanes had appeared. [Liar, liar, pants
on fire. How does that prove anything? Mebbe the Iraqis were jumpy
is a far better explanation.]
Duffy said the magazine checked [Liar, liar, pants on fire.]
with two senior Pentagon officers
who confirmed the planting of the virus in the printer, but said it
was not known whether the printer ever reached Iraq. [Hoho! That's an
interesting way to get off the hook. I'll have to remember it.]
--Charles Bowen
-------------------------------------------------------------------
AND WE'RE STILL KEEPING AN EYE ON THE WORLD OF CORPORATE STIFFS (OR
ANOTHER ONE SOURCE, STRONG BUT VAGUE NEWSPIECE):
-------------------------------------------------------------------
BEWARE OF THE INFESTED UNDERGROUND BBS - from LAN Times, Sept. 14, 1992
Virus-authoring toolkits for creating rogue code are working their way
into the arsenals of the nation's top computer crackers.
The initial distribution point for this new variety of CASE tool is an
underground BBS sponsored by a select fraternity of highly intelligent, but
socially inept, teens.
Some experts fear the toolkits could increase the crackers' productivity
exponentially, enabling them to generate viruses far faster than the security
industry could detect each new strain and come up with antidotes or vaccines.
"The current crop of virus-authoring tools have so far produced only
mediocre viruses, and some don't work at all," said one security expert who
has examined the code. "However, some of these fledgling viruses could prove
lethal. All the authors would have to do is simply alter one piece of the
instruction code."
The BBS fraternity is thus far confined to about 25 members, with dozens
more "wanna-be's" trying to penetrate the inner circle. To gain acceptance,
newcomers must establish their bona fides.
First, they get the attention of the ringleaders with a creative login
name. This is usually a historical character or an outlandish nickname, such
as "Dr. Doom" or "Master Blaster."
Next comes the initiation rite.
"This usually consists of uploading a new, exotic virus that the crackers
haven't seen or heard of," the security expert told LAN Times. If the new
guys do indeed upload such a virus, the BBS ringleaders will usually let them
download one of the virus writing tools.
"The BBS is really the equivalent of a clubhouse or fraternity for these
kids," said another source.
Electronic bulletin boards are legitimate sources of information accessed
by hundreds of thousands of users each day. And, ironically, the legitimate
BBSes are often the best sources for the cracker network. There is one BBS in
San Francisco whose members are made up almost entirely of security
practitioners.
Among the files it disseminates is 40HEX, which contains disassemblies of
viruses. While the sponsors of this BBS are the good guys, anyone can get
access by paying $45 for a membership in the National Computer Security
Association (NCSA).
The NCSA has about 1,000 members, and all of them - security professionals
and crackers alike - can download virus code from the BBS. --L.D.
[This story was obviously 'leaked' by some holier-than-thou fink in
the anti-virus community who's got a professional axe to grind with the
NCSA. Christ, these people will eat themselves if left alone long
enough.]
****************************************************************************
INCAPABILITIES!! - a new Crypt column discussing plotted weaknesses
INCAPABILITIES!! - in current editions of antivirus software.
INCAPABILITIES!! - This month's kickoff report by Vesko Bontchev,
INCAPABILITIES!! - culled from a Virus Digest/FidoNet transmission.
Software pack (the INSUFF/MtE spawning viruses)
and additional research by URNST KOUCH.
THE MTE, POLYMORPHIC VIRUSES AND SCANNING TECHNOLOGY (OR LACK OF IT)
VIRUS-L Digest Thursday, 10 Sep 1992 Volume 5 : Issue 150
Date: 09 Sep 92 19:31:01 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Scanners and polymorphic viruses (PC)
Hello, everybody!
With the advent of sophisticated polymorphic viruses like Dark
Avenger's Mutating Engine, it is becoming more and more obvious that
the scanners have a really hard time detecting all infections. I have
already posted several articles about how well (or, more
exactly, how badly) the different scanners detect the MtE-based viruses.
Several people have asked me why I am testing only MtE detection
capabilities, since none of the currently existing MtE-based viruses
is intelligent enough to spread widely and to be a significant danger.
I am doing this because the MtE is one of the most sophisticated tools
for building polymorphic viruses and presents a lot of trouble to the
producers of scanning software. Therefore, the inability to detect the
MtE-based viruses shows very well how limited the scanners are - the
MtE has been available for almost a year, yet only about a dozen
scanners achieve at least some success in detecting it. Of them, about
half are unable to detect it reliably.
However, the MtE-based viruses are not the only polymorphic viruses
which present problems to the scanners... I have tested several
scanners on a lot of examples of some of the most polymorphic viruses.
There is a clear need to use a lot of examples, since some scanners are
able to detect only one or two instances of some polymorphic viruses -
the examples that the producer of the scanner has...
I used the following viruses during the tests:
Standard CARO name:       Number of different mutants generated:
-------------------       --------------------------------------
Andryushka.A                            46
Emmie                                   16
Haifa.Haifa                            105
Haifa.Motzkin                          101
Involuntary.A                            8
Involuntary.B                           89
Maltese_Amoeba                          39
MtE_0_90.Dedicated                      96
MtE_0_90.Pogue                          98
MtE_0_90.Questo                        101
MVF                                     96
Necros                                 115
PC-Flu_2                                35
Silly_Willy                             93
Simulate                                29
Slovakia.2_02                           81
Slovakia.3_00                           57
StarShip                               148
Tequila                                 68
Todor                                  101
V2Px.V2P1                               35
V2Px.V2P2                                8
V2Px.V2P6                               27
V2Px.V2P6Z                              61
WordSwap.1391                            3
WordSwap.1495                           10
Whale                                  164 (covering mutants #00 to #33)
The following scanners were used during the tests:
Scanner:        Version:        Producer:
--------        --------        ---------
FindVirus       4.34            S & S International
F-Prot          2.05            FRISK Software
VIRUSCAN        95              McAfee Associates
HTScan          1.8             Harry Thijssen
VirX            2.4             Microcom
AntiVir IV      4.04            H+BEDV
Anti-Virus+     4.20.01         IRIS
CPAV            1.0             Central Point Software
Some comments. You all know the first three products; I used the
latest versions available.
HTScan is a user-programmable scanner. It depends on a text file
containing wildcard scan strings. Since most polymorphic viruses
cannot be detected this way (they need an algorithmic approach), I
tested another feature of the scanner - the so-called AVR modules.
They are small programs, loadable at runtime, which are executed by
the scanner and are supposed to perform algorithmic detection of
those polymorphic viruses which cannot be detected with simple or
even with wildcard scan strings. In this particular version, there
are AVR modules for Maltese_Amoeba, MtE-based viruses, and the V2Px.*
series.
VirX I couldn't test. It does something incredibly stupid - it tries to
keep the whole report file in memory. Of course, it soon runs out of
memory, so no record is kept about which viruses are detected and
which are not. I did only a partial test - on the MtE-based viruses
only.
We have only a very ancient version of CPAV, so the test results for
it are not up-to-date. That version tried to detect only V2Px.* and
Whale. Unsuccessfully, on top of that...
Here are the results of the tests. Note that when I say that a scanner
reliably detects a virus, this holds only for these tests. It does not
mean that it will be able to detect all possible instances of the
virus; it just means that I have been unable to find an instance that
it does not detect. However, when I say that a scanner does not detect
a virus reliably, this means that it misses at least one example and I
have proven this.
FindVirus detected all infected files. However, this result is not
very fair towards the other scanners, since Dr. Solomon had access to
the infected samples, before submitting that version of the scanner.
This was not so with the other anti-virus producers.
F-Prot failed to detect Necros, Silly_Willy and Todor at all. It
failed to detect reliably Andryushka.A, Whale (mutant #32), and
V2Px.V2P6Z (only one example missed). It detected all other
viruses reliably.
VIRUSCAN does not detect at all Andryushka.A and StarShip. The latter
is rather strange, since I have submitted examples of this virus to
McAfee Associates months ago. The scanner does not detect reliably
MtE_0_90.Questo, MVF, Slovakia.2_02, Slovakia.3_00, V2Px.V2P6Z (only
one example missed) and Whale (mutant #33 missed). It also sometimes
misidentifies MtE_0_90.Pogue as 7thSon (when the virus is not
encrypted), but SCAN is proverbial for its lack of exact
identification. It succeeded in detecting the other viruses reliably.
VirX, tested on the MtE-based viruses only, still does not recognize
those viruses reliably. It missed 12 of the total 292 examples.
AntiVir IV (a German anti-virus product) does not detect at all
Andryushka.A, Emmie, Haifa.Haifa, Haifa.Motzkin, Involuntary.A,
Involuntary.B, MVF, Necros, PC-Flu_2, StarShip and Todor. It failed to
identify correctly V2Px.V2P2 (one missed example) and Whale (several
mutants). The other viruses were detected reliably - even the
MtE-based one, with the exception that the non-encrypted files
infected with an MtE-based virus were reported to contain two viruses.
HTScan's AVR module for Maltese_Amoeba (IRISH.AVR) doesn't detect the
virus reliably. Surprisingly, the collection of wildcard scan strings
for the same virus, which is present in the text database, -does-
detect this virus reliably. So, my advice to the users of HTScan is to
delete the file IRISH.AVR and to rely on the database of signatures.
The module for Haifa.Haifa detected reliably all instances of the
virus, but didn't detect even one instance of the related virus
Haifa.Motzkin. The module which is supposed to detect MtE-based
viruses (its version is 2.3) failed to detect the non-encrypted
examples, infected with MtE_0_90.Pogue and MtE_0_90.Questo. The module
for the V2Px viruses (called "Washburn") detects reliably V2Px.V2P1,
but missed one instance of V2Px.V2P2, three instances of V2Px.V2P6 and
lots of instances of V2Px.V2P6Z. The Whale virus was detected reliably
by the collection of scan strings in the database.
Anti-Virus+ does not detect at all Andryushka.A, Emmie, MVF, Necros,
Silly_Willy, Necros, Slovakia.2_02, Slovakia.3_00, StarShip, Tequila,
Todor, WordSwap.1391 and WordSwap.1485. It did not detect reliably
Involuntary.A (in SYS files), MtE_0_90.Dedicated, MtE_0_90.Questo,
V2Px.V2P6, V2Px.V2P6Z and Whale (several mutants). The other viruses
were detected reliably.
The above tests clearly show that most of the current scanners are
still unable to cope with the existing polymorphic viruses. Even with
such well known viruses like V2P6 and MtE. At least one scanner was
unable to detect even Tequila! This virus is quite widespread and can
be detected with a few wildcard scan strings (3-4, I believe). And in
the near future we'll see more and more polymorphic viruses...
If some producer of scanning software thinks that his product is able
to show better results but I have failed to test it, s/he is welcome
to contact me and provide me with a copy of their product (or tell me
where to get it, if it is available through anonymous ftp). I am ready
to test it and to publish the results, provided that:
1) The scanner is able to run without user intervention. I don't want
to be prompted to "press any key" each time a virus is found.
2) The scanner is able to produce a report file.
3) The scanner is able to output in the report file the names of all
files being scanned, not only those that it considers to be infected.
4) The scanner requires a reasonable amount of memory. For
instance, Norton Anti-Virus 2.1 refused to run in about 400 Kb of free
memory.
A description of how to instruct the scanner to conform to the above
requirements (i.e., secret options, etc.) is welcome.
Regards,
Vesselin
Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg
Fachbereich Informatik - AGN, Vogt-Koelln-Strasse 30, rm. 107 C,
D-2000 Hamburg 54, Germany
Tel.: +49-40-54715-224, Fax: +49-40-54715-226
e-mail: bontchev@fbihh.informatik.uni-hamburg.de
** PGP public key available on demand. **
-*-
Well, now, if only Vesko would clean up his English skills the report
would have been damn near perfect.
In any case, the report gets right to the heart of this issue's software
offering: the INSUFFICIENT MEMORY (or INSUFF/INSUFFERABLE) viruses.
If you're a virus collector, you know MtE loaded programs are a hot
item. Even though the Engine is a genuine White Elephant (hobbled
by incredibly poor documentation), because of judicious media
attention and perfect p.r. timing by anti-virus software developers,
it remains an object of keen interest to many rather poorly informed
individuals.
So, for your educational pleasure the Crypt Newsletter has worked up a
number of simple MtE-loaded companion viruses, unique if only because
no one but us has come up with the stupid idea of using the MtE in
a spawning program.
In keeping with Vesko's results, these viruses are not detected by
the most recent roll-outs of SCAN 95b, CPAV, VIREX or NAV. In regard
to the latter, I include a press release from SYMANTEC for your
review:
"Our AntiVirus Labs tested the detection capabilities of The Norton
AntiVirus v2.1 against the Mutation Engine, which created over
900,000 mutations during our test. The Norton AntiVirus v2.1
detected all 900,000, and will detect them on your system too,
before they destroy your data."
Here at the Crypt Newsletter we feel fortunate to have gotten those
900,001st, 900,002nd and 900,003rd MtE mutations that NAV 2.1 cannot
detect. Ruh-hemmmhmmmm. Perhaps SYMANTEC shouldn't be so hasty in
jobbing out these tasks to Gary Watson in the future.
[It's an inside joke.]
In any case, F-PROT 2.05, tbSCAN (ThunderByte) and AVScan v.097 (beta)
(DataTechnik) do detect the MtE variants spawned from the viruses
in this issue. tbSCAN, according to its documentation, disassembles
the virus on the fly. It's easy to see why developer Frans Veldman
may have decided to go this route if you load the INSUFF viruses into
a debugger like ZanySoft's ZD86 and 'proc' step through them. (Or if
you're ballsy, just 'Go.') It takes only an instant for the virus to
'unspool' in memory; a 'step through' of the MtE decryption key
follows a distinct pattern for every 'mutant.' AVScan v. 097 did a
nice job on them, too, even correctly identifying encrypted and
unencrypted forms. However, only the techies will be using tbSCAN and
AVScan. Your average mook lashes himself to SCAN, CPAV, VIRX, or NAV,
and these programs remain sadly inadequate when engaging 'new' MtE
viruses. In our benchtop tests, all four failed to detect any mutants
generated by our closely related school of spawning viruses.
And that brings the discussion around to "Why SPAWNING, for crying
out loud?"
We shall tell you. The current edition of CPAV and a number of
other no-name retail a-v packages are COMPLETELY vulnerable to
penetration by companion viruses even with default resident
protection and integrity checking enabled. To understand this,
you must recall the spawning viruses don't actually touch your
files. Instead, the average spawner goes out at infection time,
looks for a target .EXE file and creates a duplicate of itself
as a 'companion' .COM file to the targeted .EXE. Then when you
call that .EXE, DOS looks around, finds a .COM (the virus) with
the same name and loads it instead. Usually, the virus stores
itself as a hidden, read-only, system file to elude casual
observation and this is what the INSUFF programs do.
In bench-top tests, CPAV DID NOT DETECT ANY of our companion
virus infections. In fact, it added the 'companion' files
to its .CPS integrity listings without a squeak.
(CPAV was installed on our test system using the
recommended defaults.) In comparison, Stiller Research's
INTEGRITY MASTER 1.12 easily followed companion infections on
our machine and notified the user with a warning screen which
gave proper advice for removal.
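The CPAV failure above is a baseline problem: an integrity checker that only hashes the files it already knows sees nothing when a companion .COM appears beside an untouched .EXE, and one that silently adds new files to its listing records the companion as legitimate. The check below, added here as an example (not code from the Crypt Newsletter, CPAV or Integrity Master), does what the text credits Integrity Master with: it takes a baseline of the executables present, then flags any .COM that later shows up next to an .EXE the baseline already knew. The DOS attribute constants and the `st_file_attributes` field are real on Windows; the sample directory is constructed in `demo()` with empty placeholder files.

```python
import os
import tempfile

# DOS attribute bits as exposed by os.stat().st_file_attributes on Windows.
# On other platforms the attribute test reports None and the name
# collision alone is what gets flagged.
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04


def executables(directory):
    """Map upper-cased basename -> {'.COM': name, '.EXE': name} found there."""
    found = {}
    for name in os.listdir(directory):
        base, ext = os.path.splitext(name.upper())
        if ext in (".COM", ".EXE"):
            found.setdefault(base, {})[ext] = name   # keep the on-disk name
    return found


def is_hidden_system(path):
    """True if the file carries DOS hidden+system attributes; None if unknown."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return None                    # attribute bits not available here
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN) and bool(attrs & FILE_ATTRIBUTE_SYSTEM)


def companion_pairs(directory):
    """Every basename that has both a .COM and an .EXE in `directory`.

    COMMAND.COM resolves NAME to NAME.COM before NAME.EXE, so such a pair is
    worth a look even when both files are legitimate.
    """
    return sorted(base for base, exts in executables(directory).items()
                  if ".COM" in exts and ".EXE" in exts)


def new_companions(baseline, directory):
    """Companion .COMs that did not exist when `baseline` was recorded.

    `baseline` is the dict returned by executables() on a known-clean
    directory.  A .COM paired with an .EXE the baseline knew, but which the
    baseline did not list itself, is the spawning signature the text
    describes; its hidden/system state is returned alongside the name.
    """
    current = executables(directory)
    findings = []
    for base in companion_pairs(directory):
        known = baseline.get(base, {})
        if ".EXE" in known and ".COM" not in known:
            com_path = os.path.join(directory, current[base][".COM"])
            findings.append((current[base][".COM"], is_hidden_system(com_path)))
    return findings


def demo():
    """Constructed scenario: baseline a clean directory, then plant one companion."""
    with tempfile.TemporaryDirectory() as d:
        # Legitimate contents: two .EXEs, a lone .COM, and one pre-existing
        # .COM/.EXE pair that must NOT be reported.
        for name in ("EDIT.EXE", "WORD.EXE", "CHKDSK.COM", "SETUP.EXE", "SETUP.COM"):
            open(os.path.join(d, name), "wb").close()
        baseline = executables(d)          # the integrity listing is taken here
        # Only an empty placeholder file: it stands in for the companion a
        # spawner would leave next to EDIT.EXE.
        open(os.path.join(d, "EDIT.COM"), "wb").close()
        return new_companions(baseline, d)


if __name__ == "__main__":
    for name, hidden_system in demo():
        print(f"new companion: {name} (hidden+system: {hidden_system})")
```

On a real system the baseline would be saved to disk after a clean scan, which is the step CPAV's default configuration gets wrong by baselining the companion itself.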
The Crypt Newsletter reader gets a lesson in simple virus
design with the INSUFF programs. Spawning sneaks through a big
back door in CPAV; the MtE polymorphic encryption targets
many scanners directly.
The INSUFF viruses still remain quite simple. The source code
supplied will only give you a virus which searches the
current directory. INSUFF1, then, illustrates the principle
but will hardly get very far - probably not beyond a primary
infection (although I never underestimate viruses). It is not even
particularly dangerous since it doesn't touch your files and is
easily removed by deletion. INSUFF2 is a little more interesting,
for the reader impatient with INSUFF1. INSUFF2 will drop the NOIZ
Trojan onto .EXE's in the current directory anytime after 4:00 pm.
If INSUFF has already created 'companions' for these files,
the user may see nothing initially. The NOIZ Trojan does not
scan. However, when INSUFF2 is removed or eliminated as a 'companion'
for the altered .EXE, the NOIZ Trojan will be unmasked. Calling the
.EXE will install NOIZ in RAM, where it takes up about 8k and
compels the PC to make frequent, strange farting noises until
the machine is rebooted. NOIZ will not install itself more than
once in RAM; it is a semi-intelligent 'zombie.' Of course,
it goes without saying that files altered by the NOIZ Trojan
are permanently ruined and must be restored from back-up.
The NOIZ trojan hooks a hardware interrupt when it becomes
resident. We leave it to the reader as an insignificant academic
exercise to find the interrupt.
Since INSUFF1 and INSUFF2 are 'direct-action' infectors of
their current directory, they are FAST. If called on a system
they will search and write to the drive in less than a fraction
of a second. In most cases, the drive light flicker will be
analogous to what is seen when an "Unknown command or file name"
error is produced. So, when a 'spawn-infected' program misfires
because the virus is doing its business, it's quite possible the
mystified user will repeat the command once or twice before
giving up, putting the viruses well into the directory. [This
is exactly the worst thing to do.] If called from a different
directory in the path, INSUFF can get out of hand. Keep in mind
that if INSUFF2 is on a system and called after 4 in the
afternoon many executables may silently suffer 'zombie-fication.'
This is frustratingly destructive and difficult to overlook.
The newsletter also contains the DEBUG script for INSUFF3. INSUFF3
will jump out of the current directory once it has infected all
files in it. This simple directory span increases its potential
for fast spread considerably. INSUFF3, like INSUFF2, will
trojanize selected .EXE files with the NOIZ 'zombie' in the directory
it is called from anytime after 4:00 pm.
[If the reader needs the source code for INSUFF2 and INSUFF3, both
can be obtained, no-questions-asked, from the DARK COFFIN BBS,
listed at the end of this document. Codes are located in
the Crypt Newsletter directory in the Files section of the BBS.]
Next issue: The poor man's guide to making multi-partite viruses.
Maybe. (I tend to change my mind a lot.)
*****************************************************************************
KRYPT KONSUMER KORNER (Guide to Term addendum):
ZCOMM (Omen Technology) v. HyperACCESS/5 (Hilgraeve) --
ZCOMM, the shareware subset of Chuck Forsberg's Pro-YAM comm tool
ain't for everyone. It doesn't beep and boop, it's got no menus
to speak of; it is spare, spare, spare in 'looks.'
But you, the assertive, manly Crypt newsletter reader don't crave
'looks' now, do you? You want performance - raw, uncompromised power!
ZCOMM has it in spades.
Enter ZCOMM in DOS. Up comes a command prompt. Type
'call koolwarez' and, if you've had the wit to add the number of the
KOOLWAREZ BBS to ZCOMM's master script, PHOMAST.T, with a simple
ASCII editor, you're gone. (ZCOMM comes with a public domain editor,
CSE, very similar in function to Semware's QEdit. CSE is from the
Colorado School of Mines. You know they must have real men there!)
For transfers, Forsberg gives you X/Y/ZModems in all their flavors,
KERMIT, Clink, Telink, MODEM7 and WXModem. If that's not good enough,
time to flee to Mars. As for performance, none of the ZModem
implementations in the packages reviewed last issue (PCPlus 2.01,
Telemate, QModem 5.0, COM-AND 2.8) approached that of ZCOMM.
And if you're spying on someone's BBS or just remembered that you want
to save something that scrolled by 5 minutes ago, ZCOMM
will save your butt. Toggle its capture file and ZCOMM will write
everything to disk from its ridiculously oversized
scrollback buffer. Scrutinize a hex/ASCII dump of that raw virus
you just downloaded with ZCOMM's display command! ZCOMM will
remove noxious ESC sequences from screen captures polluted by the
work of brain-damaged FelonyNet ANSI-artists, too, thus saving you
and your printer much grief. Forget these features with ANY
OTHER PACKAGE!
In truth, though, many will not feel up to the ZCOMM/Pro-YAM challenge.
These users will be easily befuddled by ZCOMM's UNIX-like instruction
set and look. They will be bullied into submission by ZCOMM's stark
command line and nettled at the prospect of doing all configuration
from the master script with nothing but a text editor and a meager amount
of cerebrum as safety nets.
They will crash and curse ZCOMM's author savagely when
attempting as simple a task as logging on to a "local" pd BBS.
(Of course, The Crypt Newsletter reader is no such craven swine.)
But such is the ZCOMM/Pro-YAM price of excellence.
Another program vying for dominance with ZCOMM/Pro-YAM in the
brute power category is Hilgraeve's HyperACCESS/5 3.0. It is of
interest here at the Crypt because it's the first instance of a
comm program which incorporates virus scanning in its file
transfer suite.
That said, we did an off-the-cuff evaluation of HyperACCESS's anti-
virus ability. The program will unpack .ZIP files on the fly and
scan executables archived within them, or scan your system
as a stand-alone. A quick test revealed HyperACCESS could detect
common viruses; in fact, it was rather efficient at picking up STONED
'droppers', JERUSALEM strains, numerous wearisome BURGER perversions
and even the odd image file of a TELEFONICA boot infector. On the
other hand, the scanner was sacked repeatedly by the common
MtE viruses as well as all Crypt newsletter formulations. It did not
detect MALTESE AMOEBA, STARSHIP, COMMANDER BOMBER, SUOMI (eh?) or any
VCL or PS-MPC creations or derivatives. Our consumer advice: you won't
be buying HyperACCESS as an a-v scanner anytime soon.
This simple a-v utility does suggest itself for one virus-hunting use.
It might be a nice exercise to enable HyperACCESS's 'unzip-on-the-
fly' option when downloading new virus samples from boards you suspect
of having nothing but BURGER, VIENNA and AMSTRAD hacks. HyperACCESS
can flag such archives as they arrive on your end, name the virus,
and log the results to a file for later browsing. Then you have a
nice report verifying the 'quality' of the audited Vx BBS.
But even if we overlook its a-v features, HyperACCESS offers many handy
utilities thought to be almost exclusively the domain of ZCOMM.
It's got a fast, efficient file manager and its DOS gateway is
supremely efficient. The capture buffer is generous and looks deep
into the scrollback if you ask nice. HyperACCESS includes
an extravagant text editor every bit the equal of QEdit with
only a rather crippled spell-checker to mar the picture. (The
first time I used it on the Crypt newsletter it crashed when
confronted by all the 50-buck words.)
In contrast to ZCOMM, HyperACCESS has been designed with an eye
to luring away the average ProComm cripple from his favorite
software. It will convert PCPlus 2.01 .FON directories for its
own use although its documentation sneers at the 'look and feel' of
the Datastorm product. HyperACCESS/5 can also be used by point-and-shoot
premature ejaculators and has slippery-looking sliding menus and
terminal screens which even I enjoyed in a corrupt sort of way.
But Hilgraeve knows its limitations, too. While its ZModem
implementation is adequate, HA/5 includes two macros for utilizing
Omen's DSZ program as an instant drop-in. No figuring out stupid
external batch files, hey, hey! On my disk, it's a toss-up between
HyperACCESS/5 and ZCOMM/Pro-YAM.
---------------------
ZCOMM 17.96 is $45 cash money shareware from Omen Technology. That's
good for a diskette containing the ZCOMM programs and a daunting
manual written in a style opaque to anyone even close to being a
lip-reader. The unregistered ZCOMM is downloadable from just about
everywhere, but I found it in the COMM Programs software library
in CSERVE's IBMCOMM special interest group. (Type 'Go: IBMCOMM').
Hilgraeve's HyperACCESS/5 v. 3.0 is retail only, for a short time
available at $49.95, not including shipping and handling.
You can reach Hilgraeve at: 1-800-826-2760.
*****************************************************************************
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
THE READING ROOM: BOOKS OF INTEREST TO THE VIRUS COMMUNITY
"Artificial Life" by Steven Levy (Pantheon)
"Computer viruses, then, stand on the cusp of life - and soon will
cross over." - Steven Levy in "AL"
And here in Central Schnookville, PA, gravity drops to zero come noon
and all the corporate stiffs lunching on the village common float
through the air plucking startled birds out of the sky with their bare
hands.
A good portion of "Artificial Life" has Levy expounding that computer
viruses fill what is known as the "strong claim" toward artificial life.
It is the very essence of neo-intellectual flatus - the kind of prose
that makes the occasional reading of Scientific American such an
unpleasant experience.
Levy comes up with interesting descriptive jargon for viruses, too.
"Add-on" which I suppose means "appending"; "shell" for God knows
what. The "diabolical" Brain virus comes in for special attention;
it hides a portion of itself in clusters marked "BAD," "a cluster
stretches over 2 sectors of a 9 sector disk," writes Levy. (Hmmmm.
Doesn't leave too much room for anything else, does it?)
Plenty of minor stupid technical errors of this nature pepper Levy's
book. Of course, they've flown by any number of dumbbell editors
in the publishing business and they'll repeat the job on almost
anyone who reads this book. But don't think that because no one
will know, somehow it's right. It's not and, unfortunately, it's
typical of the modern 'science' journalist who thinks that simply
by interviewing experts like Fred Cohen for three hours, he can
magically obtain understanding.
The skeptical Crypt newsletter reader will find "Artificial Life" is
total crap. However, he may be amused by quotes like:
"Machines, being a form of life, are in competition with
carbon-based life. Machines will make carbon-based life extinct."
(page 336)
or
"A rock would certainly be low on any continuum of aliveness . . ."
(page 6).
or
"Steven Levy needs help finding his ass with both hands." (Oops,
how'd that get in here???)
Levy's previous work includes "Hackers," but "AL" WILL only be enjoyed
by those who like the concept of "edu-tainment" or think that a
library full of comic books, cyberpunk novels and cuttings from
OMNI magazine constitute a national resource.
The Crypt Newsletter gives "Artificial Life" a solid thumbs down!
"ACCIDENTAL EMPIRES" by Robert X. Cringely (Addison-Wesley paperback)
After wincing your way through "AL" you may want to head out to the
local mall and pop for Cringely's worldview/thumbnail history of American
computerland, now in paperback. Guaranteed, you'll be on the floor
inside the first six pages when you read "Hate group number three . . .
will just hate [this] book because somewhere I write that object-
oriented programming was invented in Norway in 1967, when they
know it was invented in BERGEN, Norway, on a rainy afternoon
in late 1966. I never have been able to please these folks, who are
mainly programmers and engineers, but I take some consolation in
knowing that there are only a couple hundred thousand of them."
Recognize the type? Yup, Robert, we see 'em every day here at the
newsletter, too. Fuck 'em.
The shrewd Crypt newsletter reader will guess that we give
"Accidental Empires" a solid thumbs up!
***********************************************************************
***********************************************************************
Crypt Newsletter Software: Additional documentation, lamentation and
user notes for the terminally stupid. Why? Because we care!
DIOGENES virus: Enclosed in this archive is a DEBUG script of DIOGENES
virus. Created by Seeker, DIOGENES is a second generation VCL 1.0
derived, appending .COM infector. DIOGENES is encrypted and will do its
virus thing until the 31st of any month. On that day, it will spoil
the data and valuable programming on your hard drive in a quick,
professional manner.
DIOGENES is not scanned by the current editions of F-PROT (2.05),
VIREX-PC, SCAN, CPAV, AVSCAN, NORTON ANTIVIRUS, INTEGRITY MASTER
and tbSCAN. F-PROT 2.05 will flag it as being 'self-modifying'
in heuristic mode, definitely a 'weak' warning.
User documentation for DIOGENES is listed in DIOGENES.DOC; source
code for the virus is archived on the DARK COFFIN BBS.
To produce the software in the Crypt Newsletter, ensure that the DOS
program, DEBUG, is in your path. At the C: prompt, type
DEBUG <*.scr,
where *.scr is the name of the .scr file of interest included with the
newsletter. DEBUG will assemble the program from which the script
is derived and write it to disk in the current directory.
Also included as DEBUG scripts are the INSUFF viruses. INSUFF1's
source listing, INSUFF.ASM, accompanies the archive but it
cannot be assembled directly without possession of the MtE091b
OBJECT files. We assume the average Crypt newsletter reader interested
in the code will have a general idea on how to come by the MtE
archive if he doesn't possess it already.
In our continuing series of public domain and 'porn' trojan programs
is the DEBUG script for COMPUFON, a pop-up auto-dialer and corporate
phonebook complete with the usual utterly convincing yet COMPLETELY
BOGUS documentation. COMPUFON is an assembly coded comms utility that
will store a phone directory for you and will dial the phone. It
will also smash the C: drive just before it dials your selected
number. It is instructive because it demonstrates an easy source
of trojan code: utility listings published and placed into public
circulation by organizations like BYTE, PC MAGAZINE or Ziff-Davis.
COMPUFON can be recognized as a hacked version of PC-DIAL.
***********************************************************************
***********************************************************************
END NOTES: This issue's acknowledgements go to Seeker for tossing
DIOGENES virus our way with nice attention to deadline. And I
can't forget Nowhere Man who patiently answered some stupid
questions on spawning viruses and MtE encryption.
This issue of the Crypt newsletter should come in the archive
CRPTLET6.ZIP. And the archive should contain:
CRPTLET.TR6 - this electronic document
INSUFF.ASM - TASM 2.5 source code for the basic
INSUFF MEMORY viruses.
INSUFF.SCR - DEBUG script for INSUFF virus
INSUFF2.SCR - DEBUG script for INSUFF2 virus
INSUFF3.SCR - DEBUG script for INSUFF3 virus
DIOGENES.SCR - DEBUG script for DIOGENES virus, a
third generation VCL 1.0 designed program
DIOGENES.DOC - additional notes for DIOGENES virus
CMPUFON.SCR - DEBUG script for the COMPUFON trojan
CMPUFON.DOC - BOGUS documentation for COMPUFON
WARNING.TXT - additional documentation for COMPUFON
MAKE.BAT - .BAT file to assist in generation of INSUFF
viruses
If any of these files are missing demand upgrade at any of the BBS's
listed in the tail of this file.
In addition, you should realize that the programming examples in the
Crypt newsletter are quite capable of folding, spindling and mutilating
the valuables on your machine. Handle them stupidly or irresponsibly,
and that's just what they'll do.
Readers should feel free to send e-mail to editor URNST KOUCH
on any of the BBS's listed in this file. On Hell Pit, I can be
reached as COUCH.
To ensure you don't miss an issue of the newsletter, I invite you
to come to DARK COFFIN and e-mail me with a data number of your
favorite BBS. I'll include it in my database and begin delivery if
they'll have it. This guarantees you'll be the first on your block
to get fresh issues.
The Crypt newsletter is distributed first at the following sites:
╔════════════════════════════════════════════════════════════════════╗
║ This V/T info phile brought to you by Çτÿ₧, ║
║ Makers/Archivists/Info Specialists on Viruses/Trojans. ║
╠════════════════════════════════════════════════════════════════════╣
║ Dark Coffin ···················· HQ/Main Support ··· 215.966.3576 ║
╟────────────────────────────────────────────────────────────────────╢
║ VIRUS_MAN ······················ Member Support ···· ITS.PRI.VATE ║
║ Callahan's Crosstime Saloon ···· Southwest HQ ······ 314.939.4113 ║
║ Nuclear Winter ················· Member Board ······ 215.882.9122 ║
╚════════════════════════════════════════════════════════════════════╝