**********************************************
The Crypt Newsletter [mid-Sept. '92]: another in an infrequent series of factual, info-glutted, tongue-in-cheek monographs solely for the enjoyment of the virus programming professional or enthusiast interested in the particulars of electronic mayhem.
-*- Edited by URNST KOUCH.
**********************************************

This issue's quote: "It's a new hobby, folks." --John Dvorak on virus programming, from the 2nd edition of Dvorak's Telecommunications, Dvorak and Anis (McGraw-Hill).

*******************************************************************
IN THIS ISSUE: Local news...viruses for sale...condensed results of NCSA scanner evaluation...viruses as tools of civil disobedience... MacMag Peace virus dropper charged with crime...trojan programming and stomping out the pernicious threat of hard core pornography... Hans Von Braun, enlightened fellow...dummkopf of month award... Nowhere Man's CRYPTCOM 2.0...Pallbearer's KONSUMER KORNER... the CASINO virus...NUKEX...BATCOMPI trojan...the PENIS trojan... CORRUPTO 2 and more.

NEWS! NEWS! NEWS! NEWS! NEWS!

Frans "Dutch" Hagelaars nee SomethingAndersswhateversomething, Poobah of the Virus echo distributed on the FidoNet, clamped down on the public domain Wizard's Retreat BBS in Allentown, PA, for refusing to delete virus exchange sysop Tim Caton (aka Pallbearer) from its caller base. In order to preserve the transmission of the echo, Wizard Retreat sysop Scott Miller has made the echo 'read-only' for all local callers. He declined to delete user Caton.

In related news, Phalcon/SKISM's Night Crawler, the other FidoNet virus echo user excommunicated in "Dutch's" late Summer purge, reappeared in the waning days of August to wish Hagelaars well. "You, my good man, can go to HELL!" commented the SKISM member.

In unrelated news: We now reprint a fragment of a recent post from FidoNet Virus echo user and 14-year assembly programmer, Gary Watson.
In it Watson protested his being labeled a pampered menial by the Crypt Newsletter for constantly being allowed to flame on topics which usually get 'lesser' users barred. "Why would I want to [pass viruses on FidoNet]? I make a point of *not* collecting them," claimed Mr. Watson.

Interested readers will be amused to find that the same "Nixon" Watson was recently spotted uploading an archive containing live samples and source code to BADBOY 2, DIAMOND, DIR-2, OUTLAND, MURPHY, MG, MIX, HORSE, PINGPONG, 4096, LEECH, AMSTRAD, CRAZYEDDIE, etc., to the DARK COFFIN BBS. The Dark Coffin is hosted by the shunned & hated Caton and, incidentally, seems to be the mailing address of this newsletter. Small world, isn't it, Gary? Not a collector? INDEED.

ANYWAY, here at the Crypt newsletter, we reckon the Virus echo and its users would be BETTER served if "Dutch" Hagelaars took the following steps:

1. Discourage trivial posts like those generated by Gyuri "George" K. GK's disjointed messages resemble what can only be described as the distracting chatter of a madman. Hey, try and keep it on the subject, eh? [Oops, hope he's not DAV incognito!]

2. Time to consider instituting separate feeds to all nodes where users persist in posting "SEKRIT" messages in Polish, Danish, Slavonic, Chervonsky, Basque, Martian or whatever. As an Ami Schwein, I speak only de Englise, dammit, and see little value in wading through apocryphal messages which appear to be written in ecthje fiudoaw resstetiii. (See what I mean?) It's quite possible users from nether-Poo-Stink, Central Europe, feel the same way about MY lingua franca. Do something about this.

3. Encourage more exchange of detailed, high value info relevant to virus study, i.e., ripped off copies of Virus Bulletin, news briefs, more posting from Virus-L Digest (the Crypt Newsletter, heh). At this point, the echo is about as informative as the QModem users help group. Rob Slade and Paul Ferguson are two who DON'T continually transmit useless, anecdotal, horrifyingly re-quoted replies to the fragmented discussions of others (see #1 for an example). Many could learn from them. Time to tear the lid off the source code ban, too. The cows have left the barn, boys.

Until these steps are taken, the Virus echo will remain trivial. "It's no big loss," said Caton. Res Ipsa Loquitur.

Down on the Gulf of Mexico in Mission, TX, sysop Zendor of the Other Side BBS has taken matters into his own hands and started charging a small fee for bulk mail delivery of viruses, source code, and related files. For $1.00 cash money, Zendor will supply a catalog; for $10.00, a diskette of the software in his archive. Compared to the $15.00 asking price for "The Little Black Book of Computer Viruses" (American Eagle Publishing, Tucson, AZ) companion diskette, Zendor's terms seem quite fair. Mail him at 1807 Cassandra, Mission, TX 78572, or call The Other Side at 512-618-0154.

In related news, The Other Side is a member of the WWIV StormLink net and sponsors the "Infected Files" sub nationwide. In its first week, "Infected Files" posts included the source code for the SARA GORDON virus (mistakenly posted at the MtE) and debug scripts for the FELLOWSHIP and MIMIC2 viruses, among others. Sadly, it didn't take long for someone to cry foul and threaten its closure unless all source codes and hex dump transmissions were curtailed. The punitive action achieved little, since virus exchange sysops continued to freely trade advice and phone numbers at will.

Now izzit me, or are all net co-ordinators trained to be morons? What difference is there between posting codes or BBS numbers where codes and live viruses can be freely downloaded? A free no-prize to you if you can explain it to me! Just another case of the Emperor's New Clothes.
Symantec has taken the step of uploading a freeware version of the Norton Antivirus's scan utility, NAVSCA.ZIP, to the IBMSYS and VIRUSFORUM SIG's on COMPUSERVE. This is not the first time a colorful commercial outfit has attempted to do battle with the shareware market. Back at the time of the Michelangelo scare, XTREE made available a free version of UNVIRUS, the scanning utility from its VIRUSAFE package. About the only remarkable points about XTREE's program were the amusing cheeping noises it made when searching memory for 'stealth' viruses and the hysterically silly virus descriptions: "Fill in your own virus - This virus is very dangerous and will corrupt all the files on your system, eventually totally destroying the disk!"

As for NAVSCAN's efficacy as a brute-force scanner against the new crop of viral programs? We took it into the Crypt virus lab and scooped up a handful of VCL 1.0 variants (DIARRHEA 1 & 2, HEEVAHAVA and RED HERRING), a few direct action infectors designed with VCL 1.0 but optimized to avoid detection by SCAN v95B (MIMIC 1 & 2, DIOGENES) and two weirdos - COMMANDER BOMBER and STARSHIP. The score? No hits. Here at the Crypt Newsletter, we deem these results unsuitable for "optimum consumer confidence." Even if it's free.

And now for your further infotainment, a newsbrief culled and cribbed without permission from a post by FidoNet virus echo user Paul Ferguson. Take it away (and thanks anyway), Paul!

Reprinted without permission from Federal Computer Week, 17 August 1992 - (page 34)

8<-------- Cut Here ---------------

MOST VIRUS-DETECTION PRODUCTS SUCCESSFUL
by Richard A. Danca

Most PC virus-detection products do an excellent job of finding known viruses on a PC, according to tests run by the National Computer Security Association, Carlisle, Pa. In NCSA's tests, 12 of 16 virus-detection products found more than 90 percent of the 848 viruses or virus variants in NCSA's database.
Only two of the products found fewer than 80 percent of the files. NCSA tested all the products it received after announcing it would conduct the tests, said membership director Paul R. Gates. The association will run tests every month, and future tests will probably include other virus detectors, he said.

Questions remain, however, about the validity of the tests and the hazards viruses pose.

Three products found 100 percent of the 848 viruses NCSA used in the test: Virex-PC from Microcom Inc., Norwood, Mass.; Panscan from Panda Systems, Wilmington, Del.; and Findviru from S&S International, Berkhamsted, Hertfordshire, Britain.

NCSA uses the term "infected files" to refer to the viruses it tested because many viruses are variants of others and because there are no agreed-upon naming criteria, Gates said, nor did NCSA distinguish between common and unusual viruses. "The common ones are in there with the rare ones."

ONLY DETECTION WAS TESTED

NCSA tested only virus detection, not removal. Many viruses make it impossible to re-create programs or data they have infected, so detection is more important than removal, Gates said. "Mostly what people do is restore [files] is not to run the remover capability but to reinstall software" and restore data from backups. "That is the correct way of doing it."

One company whose product scored low criticized NCSA's tests and objectivity. Commcrypt Inc., Beltsville, Md., said the Scan Plus portion of its Detect Plus software found 73 percent of 2,201 strains of viruses in a February test NCSA ran. "In a nutshell, we're not privy to the library we're tested against," said Warren Wertz, research director at Commcrypt. It is possible that some of the files in the NCSA database are "naked viruses or benign viruses" that cannot damage data.

The NCSA database was available only to members of the Anti-Virus Program Developers consortium who paid a membership fee, said Commcrypt president William H. Landgraf.
"If you're willing to pay the money - $2,000 or more a quarter - they'll provide you with the list of viruses."

In a certificate it issued to Commcrypt in February, NCSA said, "Nearly all of these [2,201] strains have rarely or never been seen 'in the wild.' Scan Plus detected all common viruses."

Commcrypt has many customers in the U.S. Postal Service and the federal courts, Wertz said. "They haven't got any viruses - that we know about - that they couldn't get rid of," he said.

NCSA and other experts acknowledge that common viruses are far more likely to cause damage. The most common viruses include strains of Jerusalem, Stoned and Michelangelo, according to both NCSA and Commcrypt. In addition, "some people estimate that 90 to 95 percent of the data lost is because of operator error," Gates said.

"I have some question about scan tests of viruses that just exist in the laboratories," said Bryan Seborg, PC and local area network security program director at the Federal Deposit Insurance Corp. Seborg is also a virus researcher and instructor at the University of Maryland.

Seborg agreed with NCSA's Gates, however, on the limited value of virus removers. "The ones that do a cleanup are not a good idea." FDIC policy requires users to destroy infected files and reinstall software. For viruses that destroy boot records or hidden MS-DOS files, the FDIC solution is to use DOS' FDISK or SYS commands, Seborg said.

AUGUST VIRUS SCANNER TEST RESULTS

VENDOR                PRODUCT            VERSION   SCORE
Central Point         CPAV               1.3*      94
Certus                NOVI               1.1D      95
Commcrypt             Detect Plus        2.10      60
Fifth Generation      UTSCAN             24.00     90
Frisk Software        F-PROT             2.04      99
IRIS                  CURE               20.01     93
Leprechaun Software   Virus Buster       3.92      98
McAfee Associates     SCAN               93        99
Microcom Inc.         Virex-PC           2.2       100
Panda Software        Panscan            4.05      100
RG Software           Vi Spy             9.0       97
S&S International     Findviru           5.60      100
Stiller Research      Integrity Master   1.23A     88
Symantec              NAV                2.0*      70
Trend Micro Devices   PCSCAN             2.0       91
Xtree                 ViruSafe           4.6       86

* Test was run with the August version of the vendors' virus signature definition file, which is available to their installed base.

[ Source: National Computer Security Association ]

[Readers of this issue of the Crypt newsletter are invited to comment, no holds barred, on this study and Danca's article. Send comments to The Dark Coffin BBS, 1-215-966-3576 or leave mail for Couch on The Hell Pit.]

NEXT UP:

THE COMPUTER VIRUS AS A TOOL OF INDIVIDUAL EMPOWERMENT
by THE FLIM-FLAM MAN

It's time to start thinking in real terms about the computer virus as a tool for individual empowerment. To avoid an overly windy essay, I'm going to focus on two REAL human examples.

The first deals with a woman in her mid-40's who works for a small specialty book publishing firm in the Lehigh Valley of eastern PA. (I've kept the descriptions of individuals deliberately vague to protect them from inappropriate attention.) In early 1992 she found herself sexually harassed in the workplace by her boss, a man for whom she felt no attraction. Unable to tell him to bug off, and knowing that in a small business there was no place to turn but the street, she became enraged. So she planned a late night smash-and-grab raid into the office to delete certain key files on his personal computer. This she did. The next day her boss was confused, frustrated and angry over the loss of his precious data. He did not hip to the fact that his work had been sabotaged by the woman quietly smiling in the next room.

Given the opportunity to use a computer virus for the job, it is not totally unreasonable to assume this woman would have seriously entertained the idea of using it as a tool of redress. In any case, she was a computer vandal.
And not the computer vandal most corporate stiffs like to paint: a maladjusted teen or disgruntled, shirking whiner. Rather, she was somewhere in between; a reasonable worker pushed deep into a corner. As further food for thought: Do you think that the use of a computer virus, IN THIS INSTANCE, would have been BAD?

A second example: mid-level staffers at a large metropolitan corporation in eastern Pennsylvania have had to grapple with the installation of a project implemented on a Macintosh desktop system. The junior technical administrator put in charge of bringing the system online has not proven up to the challenge. After two years of work, the system crashes daily, eats work, locks unpredictably and forces continued overtime on staffers who have to work around its shortcomings. The technical administrator is openly hostile to any suggestions from staffers who are compelled to use the system daily. The administrator's supervisor will not listen to suggestions from underlings that more expert technical help is necessary. The project has become a costly, political hot potato; its failure would mean the rep of the management team that committed to it two years previously.

At this point the staffers who must work with the non-functional system daily have begun entertaining the idea of inserting a Mac virus into the already deeply screwy system. The rationale for use is that it could force a system crash which the current technical administrator could not quickly remedy. Such a disaster might break the logjam of upper management arrogance and force the consultation of someone better suited to programming of Macintoshes. They also feel that since viruses are anonymous, the blame would most likely fall on the local administrator's head for allowing it to happen.

This is another graphic example of reasonable workers who feel they've been backed into a corner by leaders who seem dumb as stumps. The computer virus is viewed by the victimized as their road to empowerment.
These workers are smart enough to realize that there is no guarantee that a bad situation will be made better by a virus. But they do think that throwing a monkey wrench into the system, bringing it to a noisy, ugly halt, might buy some breathing room.

As told here, I'm sure most readers WILL feel some empathy for the people above. It's not a stretch to think of someone in the same tight spot. And that is why, as the gap between managers and grunts in our technological society becomes wider, the computer virus or rogue program will be seen more and more as one of THE tools for empowerment. Anyone who works in the corporate security field should be scared white at this prospect. Because the hardest 'virus-droppers' to fight will be the honest, determined employees, who become progressively alienated by the cynicism and indifference from an organization they work for.

***********************************************
NEWS BREAK! NEWS BREAK! NEWS BREAK! NEWS BREAK!
***********************************************

NEWS clip from one of COMPUSERVE's free services: Online Today

CANADIAN CHARGED WITH PLANTING ALDUS COMPUTER VIRUS

(Aug. 20) Former Canadian computer magazine publisher Richard Brandow, 28, has been accused of planting a computer virus that tainted thousands of copies of Aldus Corp. software in 1988.

According to The Associated Press, Brandow, who now writes for "Star Trek," has been charged by prosecutors in King County, Washington with malicious mischief and could face up to 10 years in on if he is convicted.

Brandow said he finds the charges surprising. "What are they going to do?" he asked, "It happened four years ago, and I am here in Montreal."

He told AP that he arranged for a message to flash briefly on computer screens that wished peace "to all Macintosh users around the s were designed to educate the public to the danger of viruses. Brandow included his name in the message so he could be contacted.
The virus made its way eventually to Aldus where it infected a master disk for producing copies of Freehand, an illustration program. After the virus was discovered, Aldus recalled 5,000 copies of Freehand and replaced another 5,000 copies it had in its inventory. The incident cost the firm $7,000.

Ivan Orton, King County senior deputy prosecuting attorney, told AP it was the first time the state has brought such criminal charges. He also said he believes the incident was the first time a virus had tainted commercial software.

For more news from The Associated Press, consult the Executive News Service (GO APONLINE).

--Cathryn Conroy

[URNST KOUCH butts in: In this story, reporter Conroy is referring to the MacMag Peace virus, commissioned by Brandau, then the editor of MacMag magazine. Its trigger date of March 2, 1988, was the first anniversary of the Mac II - at which time the virus displayed the universal peace sign, or something to that effect. After Mar 2, the virus erased itself. Why do the authorities always come up with a charge YEARS later; a day late and a dollar short, so to speak? And by the way, it is spelled "Brandau."]

IN SEARCH OF TROJAN PROGRAMMING
or
CRYPT NEWSLETTER's CAMPAIGN AGAINST THE UNRESTRICTED FLOW OF PC PORNOGRAPHY

A good deal of this issue is devoted to helping the reader optimize his planned trojan programs for real world success. Let's face it, trojans which blindly sack the fixed disk and contain unencrypted, embedded ASCII strings like "You're fucked now, lamer!! Ahahahahaha!" don't cut it in the real world. Of course, such trojans will always work against the PC initiate. But admit it, that's about as much good sport as shooting fish in a barrel. No challenge, no style. Far better to just put a ballpeen hammer through the monitor and do some real damage.

A good trojan should distract the user. It should, perhaps, display a fine graphic, send a cryptic error message to the monitor, or appear to do . . . nothing.
Good trojan programmers never stoop to that old bromide, "You're fucked now, lamer!!"

So, to start, you will want to subscribe to Lee Jackson's HACK REPORT, available at too many public electronic archives to count. It's a fine guide and tells you just what's out there; it even chronicles the more successful trojans. It is GOOD FOR IDEAS.

For example, in the pd world, many were duped by the XTRATANK trojan, a genuinely clever and twisted set of programs that promised to double a user's disk space free of charge. In reality XTRATANK placed Michelangelo and Stoned virus onto the machine in two discrete steps. XTRATANK batted directly to the average user's weakest spot: The desire to gain something for nothing! Upon installation, a portion of Michelangelo's code was copied to the boot block of the disk. This was not enough to trigger any scanner. After the user realized the program was doing nothing for him, he would uninstall it, probably using the de-installation software. The de-installation software copied the remainder of Michelangelo to the boot block and inserted Stoned into memory. At this point, a scan run reveals something seriously wrong. Many were sucked in by XTRATANK.

But maybe you don't have the time or the will to come up with an XTRATANK. Consider making trojans out of pornographic files. It's easy, the trojans are simple to put into the wild and serve a purpose: they burn users whose sexual tastes run to the bizarre. For this purpose, I've included the code to a flashy, but crass, display which writes an animated ANSI of a squirting gland directly to the video page. Then it crushes the drive. The ANSI was converted into code suitable for direct video writes by the most recent version of the LAUGHING DOG screen maker. The utility of this code is that ANSI.SYS does not have to be loaded, the graphic effect will take quite nicely without it. (See the appendix file: PENIS.ASM.)

A second trojan is an update of CORRUPTO, something I designed using VCL 1.0.
CORRUPTO 2 will display the error message "Cannot open lezbosex.dat/Critical errorlevel=25" when executed and then drop a small proprietary Crypt program which can surgically rewrite the partition onto an executable in the current directory. Include CORRUPTO in an archive with at least one other V-loader of wimmen getting it on with each other or something similar. (The idea here is that Lesbian loaders are a hot download. It's true, they just blow right out the door.) The user runs the first loader in the archive and gets an eyeful. He starts polishing his knob and runs CORRUPTO 2. Nothing but the error. Damn! Some cretin took the .DAT file out of the archive, he thinks! Stupid pirates! (Don't forget to include another dummy .DAT file for the real program, to make the sham filth seem even more real.)

In reality, a partition bomb is now installed upon CORRUPTO, the other V-loader, and any other executable in the directory. When any one of these is invoked, the partition table on the C drive of any 80286 and up machine will be silently and quickly rewritten. The results will be somewhat disruptive to the day's computing activity, UNLESS the user has a back-up image of the partition saved off disk and the wit to reload it.

There are other benefits in creating trojans for porn directories.

1] Victims never squeal. Most Americans are far too neurotic to admit something bad happened to them while they were watching "dirty" sex. It's like confessing to your girlfriend you have a problem with horrible anal itching. It's just not done. So they may not even inform the sysop, giving your trojan longer shelf-life.

2] Such trojans are deceptively simple to upload to 'adult' directories, the bigger the better. Large adult directories aren't well-supervised. Let's face it, even the biggest pervert doesn't have enough time in the day to keep track of all the squamous product he stocks. Do you think he's gonna look at yours closely? Bet against.

3] Such trojans will not show up in The Hack Report. Lee Jackson does not cover this angle, for obvious reasons.

4] It puts you on the Republican side in the war on porn. You can be smug, like them, in knowing that YOU ARE DOING THE RIGHT THING when stomping on those presumed vile by the Moral Majority. Heck, you might even strike a few Republicans anonymously in this manner.

5] Think of the kid who's gonna have to explain to his Dad why the PC in the study room just went down. You could be steering the boy in the right direction by discouraging him from tying up the phone and blowing valuable online time downloading more filth.

But pd trojans have their place, too. To that end, Crypt Newsletter has included the DEBUG script to BATCOMPI.COM, a very effective BAT2EXE trojan. BATCOMPI will, indeed, compile your .BAT files into flawless .COM's. However, don't make a mistake when editing your .BAT file!! BATCOMPI will point out the line number and then punish the drive with a heavy stick. Also included are the convincing, BUT COMPLETELY BOGUS, docs for BATCOMPI, written by "Ned Turnquist." Be sure to include these with BATCOMPI, wherever it goes, to further give it that right patina of legitimacy. (Like XTRATANK, BATCOMPI strikes at the greed of users who wish a "free lunch.")

And also for your trojan programmer's toolkit, a DEBUG script of NOWHERE MAN's CRYPTCOM utility. CRYPTCOM serves many purposes. Use it to put an encryption shell over your trojan, in the event that someone might look at it with CHK4BOMB. Use it to put an encryption shell on an old virus that you'd like to get past an initial run by an up-to-date scanner. [Also in this issue, a DEBUG script of the CASINO virus. The CASINO virus is a very fine program, but, unfortunately, it scans. If you want to get CASINO past the original round of scanning on any machine, CRYPTCOM it.] CRYPTCOM is merely part of Nowhere Man's Nowhere Utilities 2.0 software package.
If you find it helpful, you'll want to dash out and obtain the complete package at places like The Hell Pit or the BBS's listed at the end of The Crypt Newsletter.

[For assembly, take the DEBUG script for the appropriate trojan, virus, or utility listed in the newsletter appendices and go to the C:\> prompt. Type, DEBUG <*.scr, where the wildcard is the name of the appropriate script. Then . If DEBUG is in your path, the CASINO virus, BATCOMPI, CRYPTCOM, or NUKEX should now be assembled and sitting in the current directory, ready for use.

NUKEX? "What's that, URNST?" I hear you screech. NUKEX is a bonus trojan! Invoking NUKEX will immediately abolish the directory structure on the C: drive of any machine and along with it, all the files on the disk. NUKEX is heavily cushioned for error and will gracefully exit to DOS if something unforeseen occurs. (However, this is unlikely.) NUKEX is completely silent, too. Recommended uses: as a stand-alone rabbit-punching program or for inclusion as a 'dropped' payload, deposited by virus or trojan. NUKEX can be deployed as a subroutine in any virus, too. [NUKEX can easily be configured to erase any drive, but the copy included with the Crypt Newsletter is good ONLY for the C: drive.] I have passed along the source code to Nowhere Man who is reviewing it for inclusion in the VCL 2.0.

NUKEX does not format or overwrite the affected drive. It does, however, present the user with the unpalatable job of "unerasing" hundreds, if not thousands, of files and directory entries.

NUKEX user note: if invoked from a floppy disk, NUKEX will abolish the directory structure on a fixed disk, leaving itself intact. If invoked from anywhere on the fixed drive, NUKEX will erase itself in the process of deleting the entire disk. So make sure you have a backup.]

These programs and utilities should prove helpful if you are considering going into the 'trojanizing' business. Remember: The right tools for the right job!!
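The CORRUPTO 2 and NUKEX passages above leave a saved copy of the partition sector as the user's only road back. What follows is an added example from the defender's side, not code from the newsletter or from any program it distributes: it parses a standard 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and reports how a freshly read sector differs from a saved reference copy, telling a rewritten partition table apart from replaced boot code of the Stoned and Michelangelo kind. The sample sectors are constructed inline; the boot-code bytes are placeholders, not real machine code.

```python
"""Added example (not from the newsletter): partition-table integrity check.

A classic MBR is 512 bytes: 446 bytes of boot code, four 16-byte partition
entries and a 0x55AA signature. Keeping a saved copy of that sector off disk
and diffing it against the live one is the recovery aid the CORRUPTO 2
passage says a user needs. The sample sectors below are constructed.
"""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOT_CODE_SIZE = 446
ENTRY_SIZE = 16
# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
ENTRY_FMT = "<B3sB3sII"
SIGNATURE = b"\x55\xaa"


@dataclass(frozen=True)
class PartitionEntry:
    index: int
    bootable: bool
    part_type: int
    lba_start: int
    sector_count: int


def parse_partition_table(mbr: bytes) -> list[PartitionEntry]:
    """Return the non-empty partition entries of an MBR, validating its layout."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected a {MBR_SIZE}-byte sector, got {len(mbr)}")
    if mbr[-2:] != SIGNATURE:
        raise ValueError("boot signature 0x55AA missing: not a valid MBR")
    entries = []
    for i in range(4):
        offset = BOOT_CODE_SIZE + i * ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, offset)
        if ptype == 0:
            continue  # empty slot
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {i}: invalid status byte {status:#04x}")
        if count == 0:
            raise ValueError(f"entry {i}: zero-length partition")
        entries.append(PartitionEntry(i, status == 0x80, ptype, lba, count))
    return entries


def build_mbr(boot_code: bytes, entries: list[tuple[bool, int, int, int]]) -> bytes:
    """Assemble a constructed MBR for testing; entries are (bootable, type, lba, count)."""
    code = boot_code[:BOOT_CODE_SIZE].ljust(BOOT_CODE_SIZE, b"\x00")
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\xff" * 3, ptype, b"\xff" * 3, lba, count)
        for bootable, ptype, lba, count in entries
    ).ljust(4 * ENTRY_SIZE, b"\x00")
    return code + table + SIGNATURE


def boot_code_fingerprint(mbr: bytes) -> str:
    """SHA-256 of the boot code, so only a digest of the reference need be kept."""
    return hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest()


def compare_mbr(reference: bytes, current: bytes) -> list[str]:
    """Describe how the live sector differs from the saved one; [] means unchanged."""
    findings = []
    if boot_code_fingerprint(reference) != boot_code_fingerprint(current):
        findings.append("boot code changed (boot-sector infectors replace it and leave the table alone)")
    try:
        current_entries = {e.index: e for e in parse_partition_table(current)}
    except ValueError as exc:
        return findings + [f"current partition table unreadable: {exc}"]
    reference_entries = {e.index: e for e in parse_partition_table(reference)}
    for i in range(4):
        ref, cur = reference_entries.get(i), current_entries.get(i)
        if ref == cur:
            continue
        if cur is None:
            findings.append(f"entry {i}: partition removed (was type {ref.part_type:#04x}, {ref.sector_count} sectors)")
        elif ref is None:
            findings.append(f"entry {i}: unexpected new partition (type {cur.part_type:#04x})")
        else:
            findings.append(f"entry {i}: changed from {ref} to {cur}")
    return findings


# Constructed samples: one bootable DOS partition (type 0x06) starting at LBA 63.
REFERENCE_MBR = build_mbr(b"BOOTCODE-REFERENCE", [(True, 0x06, 63, 204_800)])
TAMPERED_MBR = build_mbr(b"BOOTCODE-REFERENCE", [(True, 0x06, 2048, 1)])   # table rewritten
INFECTED_MBR = build_mbr(b"BOOTCODE-REPLACED", [(True, 0x06, 63, 204_800)])  # code replaced

if __name__ == "__main__":
    for label, sector in (("clean", REFERENCE_MBR), ("tampered", TAMPERED_MBR), ("infected", INFECTED_MBR)):
        print(f"{label}: {compare_mbr(REFERENCE_MBR, sector) or ['no change']}")
```

On a real machine the reference copy is taken from a disk known to be clean and stored off the disk it describes; the check is only as good as that copy.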
***********************************************
THE FIRST CRYPT NEWSLETTER NATHAN HALE AWARD!!!
***********************************************

Goes to Hans Von Braun, chief sysop for the COMSEC BBS in San Francisco. Our hats off to Von Braun, a member of the National Computer Security Association who seems to firmly believe that bulletins like 40HEX magazine should be made freely available to any interested party. Since 40HEX describes in detail tricks of virus development, Von Braun writes in a recent issue of the NCSA NEWS (a reprint of which was passed along to us here at Crypt's editorial bungalow), "We [have been] told that there are only a handful of people in the world that should have this information; they are antivirus program developers." Von Braun writes earlier, "I believe it is better for you to HAVE the information than not to have the information."

Now, please go back to the statement "there are only a handful of people in the world that should have this information." Whew! That's a grand claim! It almost makes virus code sound more dangerous than nuclear secrets. Of course, you, the Crypt reader know this to be patent bullshit. And, apparently, in some manner so does Mr. Von Braun.

There are two reasons which come to mind when explaining the a-v developers' dumbo rationale for the "eat-your-peas, we know what's best, no virus code for you" rule. They are:

1]. They really DO believe, in some Luddite way, that letting people onto this stuff instigates virus propagation. They DO believe that the average lumpen prole is too irresponsible to handle code correctly. This is very Republican and corporate, and although extremely deluded, easy to grasp. It is soothing balm to many clients' ears.

2]. And the real kicker: This info falls into the realm of "proprietary" secrets.
Giving away proprietary information increases your competition, hurts your market advantage, and is, in general, bad for the pocket book because it will spawn users who don't require you to hold their pecker for them when they encounter a virus.

So, kudos to Mr. Hans Von Braun for his "interesting" stand. We include his mailing address here so that you might send your opinion to him on this matter:

123 Townsend Street
Suite 555
San Francisco, CA 94107

****************************************************************
AND THE CRYPT NEWSLETTER's US NEWS & WORLD REPORT IRAQI COMPUTER VIRUS PRIZE FOR THIS MONTH . . .
****************************************************************

Goes to Michael Callahan (alias Dr. FileFinder), editor of SHAREWARE MAGAZINE. Even after a two issue series interviewing John McAfee, Callahan still believes that viruses can permanently damage the hard disk. (Talk about dense.) Now you can argue with me on this one, but show me a user who claims his machine was irrevocably damaged by a virus and I'll show you a user too embarrassed to admit he "Pepsi syndrome'd" himself. And Patricia Hoffman's virus library IS NOT the national computer virus library, Mike. It may be a big library, but it's not the government's, it's not open to private citizens (like national libraries) and it is not similar to the American Type Culture Collection (ATCC) which is the U.S. clearinghouse for real-live microbes of the natural kind.

********************************************
AND THE CRYPT NEWSLETTER VIRUS OF THE MONTH:
********************************************

The CASINO virus - from the island of Malta. The CASINO virus is a memory resident .COM infector. It will infect COMMAND.COM and will infect .COM files on the internal DIR function, DIR function called by any other program and when clean files are opened for any reason. When CASINO is resident, infected files will show only very small increases in file size, although the virus is not true "stealth."
The interesting trait of CASINO is its activation: On any January 15, April 15, and Aug. 15, CASINO will display the following message:

    "DISK DESTROYER * A SOUVENIR OF MALTA
    I have just destroyed the FAT on YOUR DISK!
    However, I have a copy in RAM and I'm giving you one last chance to restore your precious data!
    WARNING: IF YOU RESET NOW ALL YOUR DATA WILL BE LOST - FOREVER!
    Your data depends on a game of JACKPOT.
    CASINO DE MALTE JACKPOT"

CASINO will then compel the user to play a game of chance. If he loses, the FAT is destroyed. When I described this to Mrs. URNST KOUCH, she said, "That's evil." A DEBUG script of the CASINO virus is included with this issue of the Crypt Newsletter. Enjoy your copy of CASINO virus.

PALLBEARER's KONSUMER KORNER: THE TERM PROGRAM FOR VIRUS COLLECTION

/********** FACILITATION OF VIRUS COLLECTION I: THE TERM PROGRAM *************/

The entire focus of this small article is intended to save you and your SysOp time and money in the virus trade. This, number one in the series, is designed to help you find the best terminal program for your needs. It reflects solely my opinion, but I am sure you will find it valuable. In the spirit of 'Consumer Reports' and Ralph Nader, I have parked myself in front of the computer during much of my spare time to compile this report (I know, REAL hard work...). So, without further ado:

-*- PALLBEARER'S GUIDE TO "TERM" (Yeah, I know it's a stupid name, but hey, I'm the author, I'm allowed to do stupid things.) -*-

First, my old standby: Procomm Plus 2.01

Well, I have been using a version of Procomm Plus since I started collecting virii, and BBSing, for that matter. Many people find ProComm to be clumsy. I, personally, enjoy it. Overall, it has two major flaws: One - it only supports 3 external protocols; two - it does not support AVATAR. Beyond this, I find it very versatile.
It DOES support many internal protocols, including ZMODEM, XMODEM-CRC, 1K, and 1K-G; YMODEM and G, plus a host of other "lesser knowns" such as SEAlink, WXMODEM, IMODEM, and, of course, KERMIT, which is run as an external. I find the internal ZMODEM inadequate, thus I retain DSZ as an external protocol, which I have configured for MobyTurbo. HS/Link and Super-Zmodem are also easily supported. On the plus side, PCPlus provides COMPUSERVE B+, the famous information exchange's protocol of choice.

And one BIG feature is the pulldown menus from which everything can be configured. With PCPLUS, the only time one must ever make use of the install program is if you desire an easier way to change modem config and COM ports. PCPLUS also supports a Keyboard file for easy user remap, and has a wonderful internal utility that speeds up the keyboard of an AT or above. The whole ball of wax, including colors, is configurable from the menus. Of course, the internal split-screen chat is also accessed this way. The host mode, for you menu fanatics, leaves much to be desired, but works nonetheless; those of you desirous of running a BBS through Procomm Plus Host, however, should remove your collective thumb from your ass and get a life.

Last, the big question with many PC users today: the SPACE. Well, Procomm requires over a Meg of space BUT I would allocate 2.5 Megs on my drive for it: this includes constant screen captures and little downloads here and there that seem to be forgotten about. For me, space is no object, but for many users this problem is one that is paramount.

-*-

Qmodem 5.0

Ahh, the term software that sounds like a transfer protocol. After testing this package, my only compliment is that it supports plenty of external protocols, shrinks out for a DOS shell, supports AVATAR, and is frugal on my hard drive. But my REAL advice to those of you who have a Qmodem archive? Delete it. This is one of the worst and clunkiest terms I have EVER seen.
It displays a nice ANSi at startup, and has a colorful install program (sort of reminded me of that of Windows 3.1), but otherwise bites the big one. I was constantly referring to the help screen, since none of the hotkeys from other terms were represented (save for the standard PAGEUP/PAGEDOWN file xfers). A plus: file transfer data screens are very informative. However, this, too, is tainted by a generally hard-to-navigate interface. I will admit I did not spend a lot of time with Qmodem, time I still regret wasting.

A final bonus: Qmodem 5.0 features a superior host mode with great menus, etc, but only 2 security levels. Well, what do you expect from a term program's host, anyway? I repeat myself: If you choose a term for its host mode, your thumb smells strangely of shit.

-*-

COM-AND 2.8

I am surprised to admit I was pleased with this SHAREWARE program. It incorporated many of the keys of the best of the "off-the-shelf" out there. COM-AND also has a hotkey for ASCII download, which will play your session back to you later just like a tape recorder. Nice. Or it can be speeded up with a simple keystroke to simply scroll across the screen.

The dialing directory, always an important part of any term, was limited in size to 100 entries, but, then again, who keeps 100 entries in the dialing directory (before you say 'ME!,' look and see when the last time you called some of those BBSes was...)? The directory gave me a feeling of deja vu, too. It is faintly reminiscent of those early releases by DataStorm. The documentation was thorough, and an EXCELLENT help screen could be accessed by striking F10.

One major feature found in COM-AND and in many other "bare-bones" terms is control and configuration almost exclusively by script. All of the major configuration files were written in plain English, and could be easily modified in the internal editor, reached by simple hotkey.
Another thing that caught my attention, and it should've caught yours while reading this report, is that EVERYTHING has a simple hotkey. This can be good or bad. The drawback: While you are learning the software you must constantly refer to the helpscreen. This will cost you time, and time is money (Ma Bell does not come cheap). I suggest picking a group of local BBSes and learning COM-AND on those while sticking with another, more familiar term, for LD. I guarantee, however, as you improve with time, you will notice a marked preference for COM-AND while LD calling; you'll be pleased by the ease of use and timesaving brought to you by the hotkeys.

COM-AND also features one more perk: Encryption. All of its user script files (logon/logoff, etc) are saved in the .CMD format, which, as the docs say, prohibits "casual perusal" from people looking for passwords, etc. This makes it an excellent candidate for use on a multi-user system. All of these are decrypted in memory and may be easily edited in the internal editor. Macro and other files are not automatically encrypted, but may be garbled manually with a hotkey.

As for file transfers, COM-AND features all of the major protocols (XMODEM, YMODEM, YMODEM-G, CIS-B and B+ enhanced, and, of course, ZMODEM), but it leaves much to be desired in the fact that it does not (or so it seems) support external protocols. (COM-AND supports external additions through an "accessories" menu. It works well but is not particularly user-friendly. -Ed.) Now, this is easy enough to fix: write yourself batch files and drop to DOS for your file transfers. For those few who find this too difficult (or time consuming for bad typists), then either live with the internals, or COM-AND is not for you. COM-AND also features an internal Kermit server.

Overall, I prefer Procomm Plus, thank you very much, because of the fact that COM-AND implements externals poorly. Otherwise, COM-AND is flawless; a wonder in its configurability.
Even the nag screen doesn't bother me, all it wants you to do is hit a key, and I have to do that with Procomm after it initializes the modem. I do consider COM-AND good enough to register! It can be picked up from your local pd BBS.

-*-

Telemate 3.01

Last but not least is another shareware answer to term, in the spirit of Apogee's Trilogies comes Telemate 3.01, which, like Qmodem 4.5 (I tested the registered version, 5.0) and COM-AND, is shareware. Also, along the Apogee lines, Telemate is a superior term program. It supports multiple externals, multiple common and uncommon protocols, and many different emulations including my 'must have', AVATAR.

Telemate has one queer feature - it plays music to you. That's right! I sat down for the first time with Telemate (incidentally, I did not receive the data files for the built-in tutorial, so this critique is limited), and did a file transfer, the point of this report. When it was completed, I knew my computer meant business because it began to play the theme from 'Jeopardy' when I didn't press a key fast enough for Telemate's liking. Later, I discovered this song could be changed during installation.

Speaking of which, my biggest complaint with Telemate: all of the major settings had to be changed from the config program, which was not available on the fly. Also, the Pulldown bar is always exposed and includes a status bar at the bottom, giving the user only 23 lines. (As far as I could tell, it was simplest to leave it this way.)

One unique plus to Telemate is its split-screen and box effects, as though it's being run under Windows. For instance, it is possible to view a text file or the redisplay buffer in one window and have the term in the main window. It is also possible to edit a text or script file in a window with the term in another. I find this a BIG plus to anyone using a term program; it will greatly facilitate your time online.

Last, I must comment on the dialing directory. Frankly, it stunk.
The default colors were horrible, and editing the entries was a mess. Also, it requires 3 or 4 keystrokes to dial an entry, rather than the one stroke needed for most terms. The dialing directory also had an annoying habit of coming up as soon as Telemate was called. Thus, if you simply needed to send a string to your modem, you had to wait until after initialization and then exit from the dialing directory - or start dialing a BBS in Europe and not even realize it (and the author of Telemate refuses to pay phone bills incurred in this manner... sheesh, what a pain...). All in all, I found Telemate to be an acceptable term program and would switch in a second, if the dialing directory were improved. Well, there's always next release, for tomorrow is another day (fiddle-dee-dee).

-*-

{COMMO} 5.3

For all the manly men in the virus collecting community, Fred Brucker's assembly-coded term program could be for you. COMMO's strong points are its raw, unsurpassed speed of operation, extremely small kernel when shelling to DOS and powerful master macro utility which controls all functions in simple, intuitive one-stroke hotkeys. Alt-D - dial! PageUP - upload! Alt-X: BE GONE! COMMO also takes up almost NO space on a hard drive. Hey, even a steroid-gobbling idiot can use COMMO!

COMMO's disadvantage (and it's one that weenies will be leery of): It supports only Xmodem and Ymodem internally. The good news: Zmodem, HS/Link and Compuserve B+ are ready for your use. Just drop the programs into the COMMO directory and they are, almost magically, ready for work WITH NO USER CONFIGURATION REQUIRED. As shareware, COMMO is quite reasonably priced: $25 cash money. Shelling out a little more gains a host of COMMO-ready scripts which activate a mini-host and a number of other somewhat useless utilities.

/*
 * Well, I do hope you enjoyed this small romp through this vale of tears,
 * er, terms. Be on the lookout for next issue's guide to transfer
 * protocols: and remember, it's good stuff, because I'm not only a
 * CryPt SysOp, I'm also a member. Acknowledgements to authors and
 * ordering info for each reviewed program is found below.
 *
 * -Pallbearer [CryPt]
 *
 */

PROCOMM PLUS 2.01: Copyright (c)1987, 1991, Datastorm Technologies.
QMODEM 5.0: Copyright (c)1992, Mustang Software.
COM-AND 2.8: Copyright (c)1991 CABER software (R. Scott McGinnis). Available through PLINK, GEnie, UNISON, NWI, Delphi, and CompuServe.
TELEMATE 3.01: Copyright (c)1988 - 1992, White River Software. CompuServe in IBMCOM forum Library 3/Comm program. FidoNet requestable from 1:2202/1 as 'telemate'.
{COMMO} 5.3: Copyright (c)1989, 1992; Fred P. Brucker. On CSERVE, go IBMCOM, Library 3/Comm programs.

-Hey, you find this boring, but what if you ever WANT to get a copy of one of these?

****************************************************************************
ADDITIONAL USER NOTES ON PROGRAMS INCLUDED WITH THIS ISSUE OF THE CRYPT
NEWSLETTER - A SERVICE TO THE TERMINALLY STUPID BECAUSE WE CARE

The CORRUPTO script will produce CORRUPTO.COM. In 'heuristic' mode, F-PROT 2.05 flags CORRUPTO as containing routines which search for .COM and .EXE files, possibly indicative of a virus. This is true and gives you a good excuse to run CRYPTCOM on CORRUPTO after manufacture and see how it cleans this problem up. In addition, you might want to consider touching up the size (CORRUPTO is less than 1k, hardly convincing as a simple V-loader) and date/time stamps on the trojan. For those tasks, you'll need the rest of Nowhere Man's Nowhere Utilities 2.0. I'm sure you'll want to get them and see how easy they make these mundane chores for yourself.

[On F-PROT 2.05: Fans of this program, and I am one, are probably somewhat bemused by its increasingly skitzy performance, which Skulason duly notes in F-PROT's expanding 'bug reports.' 2.05 is incredibly slow and sometimes hangs when analyzing files heuristically, destroying much of this feature's utility for the average user. And occasionally 2.05 does not appear to scan memory at all on my machine. Geezus.]

You can also "tickle the dragon's tail" with CORRUPTO. Place it in a directory by itself and execute it. CORRUPTO will install a drive bomb on itself in a trice, display an error message, beep once and return you gracefully to the DOS prompt. This is just as things will appear to the pigeon. DO NOT RUN CORRUPTO AGAIN!! (Unless you want to replace the partition on your fixed disk, anyway.) Delete the file and prepare your original copy of CORRUPTO (you did make a backup, didn't you?) for its trojan archive.

THE NUKEX script will generate NUKEX.COM. NUKEX.COM can be flagged by F-PROT 2.04 as 'suspicious' because it contains a recursive search mechanism. Don't forget to use CRYPTCOM if you want to avoid all possibility of this.

For further info on the Nowhere Utilities CRYPTCOM, see the accompanying appendix, CRYPTCOM.DOC. Meanwhile, see this final ad:

*****************************************************************************
The Nowhere Utilities v2.0 are finally out!

v2.0 includes several bug fixes and improvements, in addition to three new utilities:

o DECRYPT: Decrypts data encrypted with most 8- and 16-bit encryption schemes, usually in under 10 seconds!

o FAKEWARE: In just a few minutes, FAKEWARE will generate a totally bogus ware, right down to the ZIP comment and .NFO file by a famous cracking group. Great for distributing new virii and trojans.

o USER2TXT: Converts a Telegard v2.5/v2.7 or X-Ot-Icks v3.8 user list to a readable ASCII file. Useful for on-line reference while hacking...

Get the Nowhere Utilities today! A fine set of programs to help the corrupted programmer develop and spread his creations. Useful to just about anyone at one time or another. From the author of Virus Creation Laboratory.
[NuKE] Release [NuKE] Release [NuKE] Release [NuKE] Release [NuKE] Release
*****************************************************************************

-*-

Closing quote for the day:

"Remember, boys and girls, to put your roller skates away at the TOP of the stairs." --Soupy Sales

-*-

This issue of the Crypt Newsletter SHOULD contain the following files:

CRYPTLET.TR5 - this document
PENIS.ASM    - MASM/TASM compatible source listing for the PENIS trojan
CORRUPTO.SCR - DEBUG script for the CORRUPTO 2 trojan
NUKEX.SCR    - DEBUG script for the bonus trojan/util, NUKEX
CRYPTCOM.SCR - DEBUG script for Nowhere Man's CRYPTCOM trojan/virus toolkit utility, Nuke International Software, Inc.
CRYPTCOM.DOC - documentation and user notes for CRYPTCOM
CASINO.SCR   - DEBUG script for the CASINO virus
BATCOMPI.SCR - DEBUG script for BAT2EXE trojan program
BATCOMPI.DOC - 'fake' documentation for BATCOMPI trojan program
ASM.BAT      - ancillary file to accompany BATCOMPI.DOC

If any of these files are missing, demand upgrade! As usual, current and complete issues of the Crypt Newsletter can be obtained at the DARK COFFIN BBS. Here at the newsletter, we welcome your comments and contributions, so, until next time . . .

I remain your obedient servant,

URNST KOUCH

╔═══════════════════════════════════════════════════════════════════╗
║ This V/T info phile brought to you by €ç˜ž,                       ║
║ Makers/Distributors/Info Specialists in Phine Viruses/Trojans.    ║
╠═══════════════════════════════════════════════════════════════════╣
║ Dark Coffin ···················· HQ/Main Support ··· 215.966.3576 ║
╟───────────────────────────────────────────────────────────────────╢
║ VIRUS_MAN ······················ Member Support ···· ITS.PRI.VATE ║
║ Callahan's Crosstime Saloon ···· Southwest HQ ······ 314.939.4113 ║
║ Nuclear Winter ················· Member Board ······ 215.882.9122 ║
╚═══════════════════════════════════════════════════════════════════╝
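Returning to the user notes on CORRUPTO and NUKEX above: the F-PROT 'heuristic' flags described there (routines which search for .COM and .EXE files, a recursive search mechanism) and the "drive bomb" on the partition are exactly the traits a static scanner can look for in a .COM image. What follows is an added example for this edition of the newsletter; it is not F-PROT's logic and not any program distributed with the issue. It looks for the standard x86 encodings of the DOS FindFirst/FindNext/CHDIR calls and the BIOS sector-write call, plus the '*.COM' and '*.EXE' masks, and it also measures the entropy of the image, because a CRYPTCOM-style encrypted body hides every one of those patterns from a plain byte search. The 7.0 bits-per-byte threshold and the three sample images are constructed assumptions, not real programs.

```python
"""Static heuristic scan of a DOS .COM image, in the spirit of the F-PROT
'suspicious' flags mentioned in the user notes.  Added example: this is not
F-PROT's code and nothing here shipped with the newsletter."""
import math
from collections import Counter

# Byte patterns to look for.  The opcode sequences are the standard x86
# encodings MOV AH,imm8 (B4 ib) followed by INT imm8 (CD ib); the DOS/BIOS
# function numbers are the documented ones.  A real scanner would also
# follow jumps and handle other register-loading idioms; this one does not.
PATTERNS = {
    "findfirst (INT 21h AH=4Eh)":             b"\xb4\x4e\xcd\x21",
    "findnext (INT 21h AH=4Fh)":              b"\xb4\x4f\xcd\x21",
    "chdir (INT 21h AH=3Bh)":                 b"\xb4\x3b\xcd\x21",
    "absolute sector write (INT 13h AH=03h)": b"\xb4\x03\xcd\x13",
    "wildcard *.COM":                         b"*.COM",
    "wildcard *.EXE":                         b"*.EXE",
}

# Assumed threshold: plain 8086 code and ASCII rarely exceed ~6.5 bits per
# byte, so a .COM body above 7.0 is probably encrypted or packed.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_com(data: bytes) -> dict:
    """Return the raw pattern hits and the derived verdicts for one image."""
    hits = [name for name, pat in PATTERNS.items() if pat in data]
    entropy = shannon_entropy(data)
    verdicts = []
    # Searches the file system for executables: a search call plus a mask.
    if "findfirst (INT 21h AH=4Eh)" in hits and any(h.startswith("wildcard") for h in hits):
        verdicts.append("searches for .COM/.EXE files")
    # Recursive search: iterates matches and descends into directories.
    if "findnext (INT 21h AH=4Fh)" in hits and "chdir (INT 21h AH=3Bh)" in hits:
        verdicts.append("recursive directory walk")
    # Bypasses DOS and writes sectors directly (partition/boot area at risk).
    if "absolute sector write (INT 13h AH=03h)" in hits:
        verdicts.append("direct disk write")
    # An encrypted body hides every string and opcode pattern above, so the
    # only static signal left is the entropy of the image itself.
    if entropy > ENTROPY_THRESHOLD:
        verdicts.append("encrypted or packed body; static patterns unreliable")
    return {"hits": hits, "entropy": round(entropy, 2), "verdicts": verdicts}


# --- constructed samples (not real programs, not from the newsletter) ---

# A fragment carrying the traits the user notes say F-PROT flags.
SEARCHER_SAMPLE = (
    b"\xb4\x4e\xcd\x21"        # MOV AH,4Eh / INT 21h  (FindFirst)
    b"\x72\x10"                # JC  +10h              (notional "no match" skip)
    b"\xb4\x4f\xcd\x21"        # MOV AH,4Fh / INT 21h  (FindNext)
    b"\xb4\x3b\xcd\x21"        # MOV AH,3Bh / INT 21h  (CHDIR)
    b"\xb4\x03\xcd\x13"        # MOV AH,03h / INT 13h  (write sectors)
    b"*.COM\x00*.EXE\x00"      # search masks
)

# A harmless "print a string and exit" .COM: no search, no disk access.
BENIGN_SAMPLE = (
    b"\xba\x0b\x01"            # MOV DX,010Bh (offset of the string below)
    b"\xb4\x09\xcd\x21"        # MOV AH,09h / INT 21h  (print string)
    b"\xb4\x4c\xcd\x21"        # MOV AH,4Ch / INT 21h  (exit)
    b"Hello$"
)

# A body with every byte value equally frequent: 8.0 bits per byte, the
# profile an encrypted or packed image presents to a static scanner.
OPAQUE_SAMPLE = bytes(range(256)) * 4

if __name__ == "__main__":
    for label, sample in (("searcher", SEARCHER_SAMPLE),
                          ("benign", BENIGN_SAMPLE),
                          ("opaque", OPAQUE_SAMPLE)):
        print(label, scan_com(sample))
```

Run it and the searcher sample trips all three trait flags, the benign one trips none, and the opaque one trips only the entropy flag. That last case is the blind spot the user notes describe when they suggest CRYPTCOM as the answer to F-PROT's warning: a scanner that relies on byte patterns alone can say nothing about an encrypted file, which is why a serious product has to add an emulation or unpacking step before the pattern check, and why a high-entropy .COM of a few hundred bytes deserves a second look on its own.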